Industry Standard Security Best Practices
Network security is a must in any network, but when it comes to a business network, there are a number of security standards and best practices that ensure you have control over your network.
Businesses in certain industries are held to specific security standards. Different organizations impose different requirements; one example is the PCI (Payment Card Industry), which has a very strict network security standard.
The practices below are fairly strict and will give you a great deal of control and protection against data theft and network intrusion.
Modem
We will start at the outside edge of your network connection and work our way in, from the modem to the client workstations.
The modem is probably the simplest device on the network. You can’t really secure it beyond applying regular updates, but some ISPs include a built-in firewall in the modem, which can be turned on or off to work in conjunction with your company’s firewall.
Firewall
The next item to take a look at is your router/firewall. Generally you would have a router that offers several ports you can connect to via a direct Ethernet connection as well as WiFi access.
This firewall adds another layer of protection where your network connects to the Internet. When configured properly, it blocks all unauthorized network connections. For protecting the WiFi, you are best off enabling MAC filtering.
Each piece of network hardware has a unique identifying code, called a MAC address. Filtering by MAC address lets you set up the WiFi so that only devices you explicitly define are allowed to connect to your network.
Once you have MAC filtering in place, you can also encrypt the wireless traffic and use a long, secure password. Since clients on the network will not need to type this password in all the time, it is best to make it a complex password containing capital and lowercase letters, numbers, and symbols.
Another option to further increase WiFi security is to set the access point not to broadcast its SSID. To a casual user, it will then look as if there is no wireless network available.
Server
There are many features that can be enabled on the server to further improve network security. The first item to review is Group Policy, a part of the server operating system that lets you centrally manage what your client workstations can access, and how.
Group policies can be created to allow or deny access to various locations on your users’ desktops. You can get as granular as defining a group policy that sets standards on user passwords.
By default, Windows Server 2008’s password policy requires users to have passwords with a minimum of 6 characters and meet certain complexity requirements.
While those are the defaults, 8-10 characters is generally recommended, along with a mix of upper and lowercase letters, numbers, and special symbols. An example of a complex password might be @fF1n!ty (Affinity); it meets all of the complexity requirements and is fairly easy to remember. Passwords should also be forced to expire after a set number of days; roughly 30 days is a good period.
One other possible option is to have firewall software installed on the server itself to regulate traffic in and out of the server.
The nice thing about having a firewall on the server itself is that you can log failed connections to the server, along with what each connection was and where it came from.
This feature alone gives you a lot more control over the network. For example, if you noticed in the server’s firewall logs that a connection you didn’t want was getting through to the server, you could go back and edit the policies on the router/firewall to lock the network down further at that point, as well as blocking it at the server.
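As an added illustration (not from the newsletter), here is a small script that turns a server firewall’s text log into the view just described: which outside addresses are being dropped, on which ports, and which of them are worth taking back to the router/firewall policy as well. The sample log is constructed and assumes the column layout of the Windows Firewall text log (pfirewall.log); the addresses come from the documentation ranges.

```python
"""Summarise dropped inbound connections from a server firewall log."""
from collections import Counter

# Constructed sample in the layout of the Windows Firewall text log (pfirewall.log);
# the field list is assumed from that format. 203.0.113.x / 198.51.100.x are
# documentation addresses, not real hosts.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2010-03-01 09:15:22 DROP TCP 203.0.113.45 192.168.1.10 51234 3389 52 S 0 0 8192 - - - RECEIVE
2010-03-01 09:15:23 DROP TCP 203.0.113.45 192.168.1.10 51235 3389 52 S 0 0 8192 - - - RECEIVE
2010-03-01 09:15:25 DROP TCP 203.0.113.45 192.168.1.10 51236 445 52 S 0 0 8192 - - - RECEIVE
2010-03-01 09:16:01 ALLOW TCP 192.168.1.20 192.168.1.10 49152 445 0 - 0 0 0 - - - RECEIVE
2010-03-01 09:16:40 DROP UDP 198.51.100.7 192.168.1.10 5353 161 78 - - - - - - - RECEIVE
"""

def parse_log(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) == len(fields):  # skip truncated lines
            yield dict(zip(fields, values))

def dropped_by_source(text, direction="RECEIVE"):
    """Count DROP records per (src-ip, dst-port) for inbound traffic."""
    counts = Counter()
    for rec in parse_log(text):
        if rec["action"] == "DROP" and rec["path"] == direction:
            counts[(rec["src-ip"], rec["dst-port"])] += 1
    return counts

def block_candidates(text, threshold=2):
    """Sources whose inbound drops reach the threshold: the ones to review
    at the perimeter router/firewall, as the article suggests."""
    per_source = Counter()
    for (src, _port), n in dropped_by_source(text).items():
        per_source[src] += n
    return sorted(src for src, n in per_source.items() if n >= threshold)

if __name__ == "__main__":
    for (src, port), n in dropped_by_source(SAMPLE_LOG).most_common():
        print(f"{src:>15} -> port {port:<5} dropped {n}x")
    print("review at perimeter:", block_candidates(SAMPLE_LOG))
```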
One final quick thought on server security is physical security.
Generally it is good practice to keep the server physically locked in a room that only specific people have access to. If you want even more control, you can secure the server room with a digital keypad system that logs who comes in and out using their own passwords.
Workstations
When it comes to your workstations, employees should only log into the workstation with their domain login, not the local administrator login.
This lets you centrally control what they can access via Group Policy, as described above. You can also configure roaming profiles so that if someone were to steal a physical workstation they would not have access to any company information, since it would all be stored on the server and not on that workstation - which is another great reason to keep your server locked up.
Employee logins to workstations should also have account lockout policies in place, so that if a user attempts to log in too many times with an incorrect password, the server locks them out of that workstation for a period set by the administrator. Another control you can apply to specific employees is restricting the hours during which their credentials allow them to log into the systems.
One final step in network security is having good antivirus software installed on your workstations and your server. A compromised machine can be giving your passwords and information away to hackers, making it possible for them to walk right into your network undetected.
You are best protected by having as many of the above security steps configured and working properly on your network.
Determine what your network needs, evaluate the practices after they have been in place for a month, and make the proper adjustments to ensure your network is safe. You should also perform regular security audits.
If you would like to see how secure or unsecure your network is give us a call and we can perform a network security audit for you and let you know where you stand!
Featured Article Written By:
Frank Wright
Internet Security: What Are They Surfing At Work?
Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.
A recent survey of business owners and IT managers found that employees are using company computers, Internet access, e-mail, and other resources to conduct hours of non-work related activities. And the problem is on the rise.
Some of these activities simply waste time, like day trading and monitoring eBay bids. However, some of the activities are malicious and can cause serious issues with a company’s server and network.
Here are a few incidents that were reported by the IT managers that were surveyed:
• One employee was caught running a gambling website and acting as a bookie for his co-workers.
• To bypass the company’s web filter, one employee was caught using his desktop computer as an FTP server for the other employees. He had downloaded and saved over 300GB of material, all on his work computer, using his company’s Internet connection and undoubtedly slowing down their systems.
• One employee was caught giving away confidential information such as price lists, contracts, and software code for application development.
• Another employee had a pretty lucrative side business stealing and selling company inventory on eBay.
• One woman was caught running an online “outcall” service from her desk.
• One employee was caught renting the corporate IP address to hacker friends to attack other companies’ computers and networks.
While these scenarios seem outrageous, they are not uncommon. Of the 300 companies surveyed, almost one-third have fired an employee in the last 12 months for violating e-mail policies, and 52 percent of companies said they have disciplined an employee for violating e-mail rules in the past year.
Educating your employees through an acceptable use policy is simply not enough. If the requirements are not enforced, employees will accidentally or intentionally violate your rules.
That’s why every company needs to invest in good e-mail and web filtering software. Just having it in place will act as a deterrent for such activities. If something really is going on - like an employee leaking confidential information to a competitor or sending racial or sexist jokes through your company’s e-mail - you’ll be able to catch it and resolve the issue proactively, instead of reacting to it after the fact.
Additionally, a good web filter will prevent employees from accessing inappropriate material online, wasting time on non-work activities, downloading viruses and spyware, and using up company bandwidth to download photos and music.
Strong Passwords Keep Your Personal Information Secure
A recent ZoneAlarm survey revealed that 79 percent of consumers use risky password construction practices, such as including personal information and words.
The survey also revealed that 26 percent of respondents reuse the same password for important accounts such as e-mail, banking or shopping and social networking sites.
In addition, nearly 8 percent admit to copying an entire password found online in a listing of “good” passwords.
Given these numbers, it’s no wonder that 29 percent of respondents had their own e-mail or social network account hacked, and that over half (52 percent) know someone who has had a similar problem.
The first step a hacker will take when attempting to break into a computer or secure account is to try to guess the victim’s password.
Automated programs are available to repeatedly guess passwords from a database of common words and other information.
Once a hacker gains access to one account, almost 30 percent of the time that information can be used to access other sites that contain financial data such as bank account numbers and credit card information. To ensure you stay safe online, here are a few tips for creating a strong password.
Use Unique Passwords For Each Account
Choose different and unique passwords for each account.
Passwords Should Be Eight To Ten Characters Long
Choose a password that is at least eight to ten characters long. This should be long enough to prevent brute force attacks, which consist of trying every possible combination until the right one is found.
Avoid Using Personal Information
Make sure your password is difficult for someone to guess. Do not use names of any kind, including your login name, family member’s name or a pet’s name. Also avoid using personal information such as a phone number, birthday or place of birth.
Avoid Words In The Dictionary
Avoid words that can be found in the dictionary. With the availability of online dictionaries, it is easy for someone to write a program to test all of the words until they find the right one.
Avoid Repeating Characters Or Sequences
Stay away from repeated characters or easy to guess sequences. For example: 77777, 12345, or abcde.
Use Numbers, Letters And Special Characters
Choose a password that is a mixture of numbers, letters and special characters. The more complex and random it is, the harder it will be to crack.
Use Word Fragments
Use fragments of words that will not be found in a dictionary. Break the word in half and put a special character in the middle.
Frequently Change Your Passwords
Change your passwords often. Even if someone cracks the system password file, the password they obtain is not likely to last long.
Cyber crime is on the rise. Taking the time to actively choose secure passwords will protect your identity, banking information and personal information. And remember, writing your password on a sticky note on your monitor isn’t secure!
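The rules above, together with the Group Policy complexity requirements from the first article (length, three of four character classes, no login name, no repeats or straight sequences, not a plain dictionary word), can be expressed as a small checker. This is an added example, not the newsletter’s own code; the word list is a constructed stand-in for a real dictionary, and the login name is a made-up parameter.

```python
"""Check a password against the rules described in this newsletter.

Added example, not the newsletter's own code. COMMON_WORDS is a constructed
stand-in for a real dictionary wordlist.
"""
import string

COMMON_WORDS = {"password", "welcome", "affinity", "hockey", "detroit", "summer"}


def has_sequence(pw, run=3):
    """True if pw holds `run` identical characters (777) or a straight
    ascending/descending run (abc, 123, cba) anywhere in it."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        window = low[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def check_password(pw, login="", min_len=8):
    """Return the list of violated rules; an empty list means the password passes."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = (
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    )
    # Windows complexity: characters from at least three of the four classes.
    if sum(classes) < 3:
        problems.append("needs three of: uppercase, lowercase, digit, symbol")
    if login and login.lower() in pw.lower():
        problems.append("contains the login name")
    if has_sequence(pw):
        problems.append("contains repeated characters or a simple sequence")
    # A whole dictionary word is what an online-wordlist attack tries first.
    if pw.lower() in COMMON_WORDS:
        problems.append("is a dictionary word")
    return problems


if __name__ == "__main__":
    for candidate in ("@fF1n!ty", "password", "77777", "ILike!ceTea"):
        print(f"{candidate!r}: {check_password(candidate, 'fwright') or 'OK'}")
```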
Online Banking: Five Steps To Protect Yourself
Ryan Seymour is a PC hardware specialist and the Tech Experts Service Manager.
I was reading the Wall Street Journal website recently, and came across an interesting article about online bank fraud. The article was about a small business owner in California who had over $100,000 stolen from his bank account.
He only recovered about $50,000 of it. The other $50,000 went to a bank in Europe, where mules (people who receive the stolen money) started to withdraw the money from the bank account.
How did this happen? The business owner had spyware on his computer that transferred his banking username and password to the hackers. I always shake my head when I read an article like this, because I know it could have been easily avoided.
Anti-virus and anti-spyware
The first step in protecting yourself is to make sure your computer has anti-virus and anti-spyware installed.
If you’re doing online banking, make sure that you’re using commercial quality protection - not something you download from the Internet for free.
The stronger your first layer of protection, the safer you are online.
We see computers every day that don’t have this simplest of protection installed; or, worse, the business owner has installed protection software, but then fails to keep it updated or renewed.
Unified threat management
The next step is to invest in a unified threat management (UTM) firewall. A UTM firewall is miles ahead of the simple DSL or cable routers you’d pick up at the office supply store.
They offer solid protection against viruses, hackers, spyware, and the host of other Internet dangers.
The device scans all Internet traffic in real time, and can protect you even before the anti-virus and anti-spyware vendors have updated their software for new attacks.
UTM firewalls can also implement web filtering and prevent the computer from reaching the intended attacker.
Web filtering can block access to websites that contain malware and spyware; it can also protect employees from going places they shouldn’t be.
Fortinet is our preferred vendor that makes firewall appliances that do what I describe above. A dedicated firewall and UTM appliance is very effective in helping prevent an attack such as this.
Block SPAM at the source
One of the sneakiest ways hackers can compromise your computer is through email, so you’ll want to look for a rock-solid spam filtering solution. Numerous cloud based (hosted) solutions exist that are very inexpensive. A good spam filter will keep viruses, phishing and other attacks from hitting your email. Reflexion is our favorite cloud based email filtering solution. The product is easy to use, well supported and extremely effective.
With online banking, phishing attacks are very common. Someone creates an email that looks like your bank in an attempt to collect information, you click on the link, and next thing you know, the hackers have your login and password.
Personally, I never open emails from my bank. Most banks will not contact you for important account information with email.
Perform regular maintenance
The fourth step to keeping your computers safe is patch management. Microsoft releases security updates for Windows nearly every week. Having a trained IT professional ensure patches are applied correctly - and quickly - will protect you from any security holes in the software that you’re running.
Most small businesses should look at one of our managed service plans, which provides you with “whatever it takes” service at a low fixed monthly cost.
Pay attention
The final step is a matter of common sense. Most people will go to potentially hazardous websites or click on something they shouldn’t have. My suggestion is if you are doing Internet banking, it should be on a computer that is used the least.
If you are going to go to questionable websites, don’t do it on the computer where you do your banking.
Do You Keep Critical Passwords On A Sticky Note Next To Your PC?
We constantly struggle to get our clients to stop writing down their passwords on sticky notes by the computers. Obviously this is a security risk. Another bad habit is choosing really easy-to-remember passwords such as “password.”
But admittedly, it CAN be hard remembering all of those passwords that are always changing. To solve this little dilemma, we’re suggesting to our clients to stop using passwords and use “pass-phrases.”
What is a “pass-phrase” you ask? They are letters and numbers put together in an easy-to-remember phrase such as “!YEAHGoBlue!”
These are MUCH easier to remember than a random cluster of letters and numbers, which means you won’t have to write them down on a post-it note anymore! Plus, they’re much more secure than using a birthday or child’s name.
Pass-phrases can be built from anything, such as favorite quotes, lines from movies, sports team names, a favorite athlete’s name and jersey number, kids’ names and birthdates, pets, and so on.
Here are some other examples that would be easy for you to remember, but hard for a hacker or criminal to guess:
ILike!ceTea
T&lkingOnTh3Phone
d3tro1tHockey
goneWithth3w!nd
Git-r-don3!!
Detroit-R3D-Wings
All you need to do is be a little creative to get numbers, letters and punctuation into the phrase. All of the normal suggestions remain the same - don’t make a password exclusively a birthday or child’s name, and always include special letters and punctuation.
Since introducing this to our clients, we’ve found (believe it or not) they actually have fun doing this, and at the same time, are making their networks more secure!