
Draft

This document is a work in progress.

Summary


It may not be possible to implement every security control right away. It is important to target the controls which mitigate the highest risk. Use the following list to prioritize your security plan.


Inventory of Authorized and Unauthorized Devices

An accurate and up-to-date inventory, controlled by active monitoring and configuration management, can reduce the chance of attackers finding unauthorized and unprotected systems to exploit.

The inventory should include every system that has an Internet Protocol (IP) address on the network, including, but not limited to, desktops, laptops, servers, network equipment (routers, switches, firewalls, etc.), printers, storage area networks, and voice-over-IP telephones.

Inventory must contain, at minimum:

  • network addresses
  • machine name(s)
  • purpose of each system
  • type of system (server, workstation, printer, network equipment, etc.)
  • whether the device is portable
  • an asset owner responsible for each device
  • the department associated with each device.

Quick win: Deploy an automated asset inventory discovery tool and use it to build a preliminary asset inventory of systems connected to the network.
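The quick win above only pays off if the discovery results are reconciled against the authorized inventory on a regular basis. The script below is an added example (it is not part of the original page or of any particular discovery tool): it parses a constructed sample of nmap's "grepable" (-oG) output, flags hosts that are up but absent from the authorized inventory, lists inventory entries that were not seen on the network, and reports inventory records missing any of the minimum fields listed above. Host names, addresses and the inventory contents are hypothetical.

```python
"""Reconcile discovered hosts against an authorized device inventory.

Added example, not from the original page. Scan output and inventory are
constructed sample data with hypothetical hosts.
"""
import re

# Minimum inventory fields required by the policy above.
REQUIRED_FIELDS = ("name", "purpose", "type", "portable", "owner", "department")

# Constructed sample of `nmap -oG` output (fields are tab separated).
SCAN_OUTPUT = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 10.0.5.10 ()\tStatus: Up
Host: 10.0.5.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///
Host: 10.0.5.23 ()\tStatus: Up
Host: 10.0.5.23 ()\tPorts: 9100/open/tcp//jetdirect///
Host: 10.0.5.77 ()\tStatus: Up
Host: 10.0.5.77 ()\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///
"""

# Constructed authorized inventory keyed by IP address. The printer record
# deliberately lacks the "department" field so the check below reports it.
AUTHORIZED = {
    "10.0.5.10": {"name": "web01", "purpose": "intranet web", "type": "server",
                  "portable": False, "owner": "A. Admin", "department": "IT"},
    "10.0.5.23": {"name": "prn-2f", "purpose": "2nd floor printer", "type": "printer",
                  "portable": False, "owner": "B. Facilities"},
    "10.0.5.40": {"name": "sw-core", "purpose": "core switch", "type": "network equipment",
                  "portable": False, "owner": "A. Admin", "department": "IT"},
}

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(Status|Ports): (.*)$")


def parse_grepable(text):
    """Return {ip: {"hostname", "up", "ports"}} from nmap grepable output."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and anything unrecognised
        ip, hostname, kind, rest = m.groups()
        rec = hosts.setdefault(ip, {"hostname": hostname, "up": False, "ports": []})
        if kind == "Status":
            rec["up"] = rest.strip() == "Up"
        else:
            # Each entry looks like "22/open/tcp//ssh///": port/state/proto/owner/service/...
            for entry in rest.split(","):
                port, state, proto, _owner, service = entry.strip().split("/")[:5]
                if state == "open":
                    rec["ports"].append(f"{port}/{proto} {service}".strip())
    return hosts


def reconcile(scan_text, inventory):
    """Compare discovered hosts with the inventory and return the three findings
    an asset owner needs to act on: unauthorized, not seen, and incomplete."""
    discovered = parse_grepable(scan_text)
    unauthorized = {ip: rec for ip, rec in discovered.items()
                    if rec["up"] and ip not in inventory}
    not_seen = sorted(ip for ip in inventory if ip not in discovered)
    incomplete = {}
    for ip, rec in inventory.items():
        missing = [f for f in REQUIRED_FIELDS if f not in rec]
        if missing:
            incomplete[ip] = missing
    return {"unauthorized": unauthorized, "not_seen": not_seen, "incomplete": incomplete}


if __name__ == "__main__":
    result = reconcile(SCAN_OUTPUT, AUTHORIZED)
    for ip, rec in result["unauthorized"].items():
        print(f"UNAUTHORIZED {ip}: open ports {rec['ports']}")
    for ip in result["not_seen"]:
        print(f"NOT SEEN     {ip}: inventory entry not found on the network")
    for ip, fields in result["incomplete"].items():
        print(f"INCOMPLETE   {ip}: missing {fields}")
```

The open-port list on an unauthorized host is kept because it is the first thing a responder wants to know (a telnet and HTTP listener on an unknown box is a very different finding from a printer). Hosts in the inventory that were not seen are worth checking as well: a portable device that is simply off-site is fine, but a server that has vanished from the scan may have been moved onto a network segment the scan does not cover.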

Inventory of Authorized and Unauthorized Software

Inventory must contain, at minimum:

  • operating systems
  • applications
  • version number
  • patch level

Consider:

  • list of unapproved / known insecure software

Applications that are required but carry higher risk, and that therefore should not be installed directly within the networked environment, should be isolated in virtual machines and/or on air-gapped systems.

Quick win: Devise a list of authorized software that is required in the environment for each type of system, including servers, workstations, and laptops of various kinds and uses.
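Once the authorized-software list exists per system type, the software inventory can be audited against it automatically. The script below is an added example (not from the original page): it reads a constructed list of installed packages in the "name version" form that a package manager query produces, and reports software that is forbidden (the "unapproved / known insecure" list), software not on the allowlist for that system type, and software below the required patch level. Package names, versions and the policy are hypothetical; the point is the version comparison, which must be numeric per component rather than a string comparison.

```python
"""Audit installed software against per-system-type allowlists and patch levels.

Added example, not from the original page. Package names, versions and the
policy below are constructed placeholders.
"""
import re

# Allowed software per system type, with the minimum version (patch level)
# that is acceptable. Constructed policy.
POLICY = {
    "workstation": {"acme-agent": "3.2.0", "office-suite": "12.0", "browser-x": "118.0"},
    "server": {"acme-agent": "3.2.0", "webd": "2.4.5"},
}

# Known insecure or unapproved software that may not be present on any system.
FORBIDDEN = {"legacyftp", "telnetd-z"}

# Constructed output in the shape of `dpkg-query -W -f='${Package} ${Version}\n'`.
INSTALLED_WS = """\
acme-agent 3.1.9
office-suite 12.0.1
browser-x 118.0.2
legacyftp 0.9
note-taker 2.0
"""


def parse_version(v):
    """Split '2.4.1-3' into (2, 4, 1, 3) so that 2.4.10 sorts after 2.4.9."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def version_at_least(installed, minimum):
    """Numeric comparison with zero-padding so '12.0' and '12.0.0' are equal."""
    a, b = parse_version(installed), parse_version(minimum)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) >= b + (0,) * (n - len(b))


def parse_installed(text):
    """Return {package: version} from 'name version' lines."""
    installed = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            installed[parts[0]] = parts[1]
    return installed


def audit(system_type, installed_text, policy=POLICY, forbidden=FORBIDDEN):
    """Classify each installed package as forbidden, unapproved, outdated or ok."""
    allowed = policy[system_type]
    installed = parse_installed(installed_text)
    report = {"forbidden": [], "unapproved": [], "outdated": {}}
    for name, version in installed.items():
        if name in forbidden:
            report["forbidden"].append(name)          # takes precedence
        elif name not in allowed:
            report["unapproved"].append(name)
        elif not version_at_least(version, allowed[name]):
            report["outdated"][name] = (version, allowed[name])
    return report


if __name__ == "__main__":
    for category, items in audit("workstation", INSTALLED_WS).items():
        print(f"{category}: {items}")
```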

Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers

Quick win: Where possible, create standard images.

Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

Quick win: Compare firewall, router, and switch configuration against standard secure configurations defined for each type of network device in use in the organization. 
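The two quick wins above (standard images for hosts, and comparing network device configurations against a standard secure configuration) both reduce to the same check: parse the running configuration and compare it against a baseline of directives that must be present and directives that must not be. The script below is an added example serving both sections; it is not from the original page or from any vendor. It parses a constructed, IOS-style configuration in which indented lines belong to the preceding top-level line (for example the lines under "line vty 0 4"), so the baseline can require a directive in a specific context rather than anywhere in the file. Required directives are matched exactly; forbidden ones by prefix, so "transport input telnet ssh" is still caught by the forbidden "transport input telnet". The baseline and device configuration are hypothetical.

```python
"""Check a device or host configuration against a secure baseline.

Added example, not from the original page. The configuration text and the
baseline are constructed; directive names follow the IOS style only as an
illustration of context-sensitive (indented) settings.
"""

# Constructed running configuration of a hypothetical switch.
CONFIG = """\
hostname sw-core
service password-encryption
enable password 7 REDACTED
ip http server
ip ssh version 2
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
 login local
line con 0
 logging synchronous
"""

# Baseline: (context, directive). Context None means a top-level line.
REQUIRED = [
    (None, "service password-encryption"),
    (None, "ip ssh version 2"),
    (None, "logging host 10.0.9.5"),
    ("line vty 0 4", "transport input ssh"),
]
FORBIDDEN = [
    (None, "enable password"),                  # cleartext/type-7 enable password
    (None, "ip http server"),                   # unencrypted management interface
    (None, "snmp-server community public"),     # default community string
    ("line vty 0 4", "transport input telnet"), # cleartext remote access
]


def parse_config(text):
    """Return a list of (context, directive); indented lines are attached to the
    most recent top-level line, comment lines ('!') and blanks are skipped."""
    entries, context = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace():
            entries.append((context, raw.strip()))
        else:
            context = raw.strip()
            entries.append((None, context))
    return entries


def check_config(text, required=REQUIRED, forbidden=FORBIDDEN):
    """Return the required entries that are missing and the forbidden entries
    that are present, each as (context, directive)."""
    entries = parse_config(text)
    present = set(entries)
    missing = [(ctx, d) for ctx, d in required if (ctx, d) not in present]
    found = [(ctx, d) for ctx, d in entries
             if any(ctx == fctx and d.startswith(fd) for fctx, fd in forbidden)]
    return {"missing": missing, "forbidden": found}


if __name__ == "__main__":
    result = check_config(CONFIG)
    for ctx, d in result["missing"]:
        print(f"MISSING   {ctx or '<global>'}: {d}")
    for ctx, d in result["forbidden"]:
        print(f"FORBIDDEN {ctx or '<global>'}: {d}")
```

The same structure works for host images: dump the settings of a freshly built host (for example sshd_config or a registry export) into "directive value" lines and run the same comparison, so the image drifts no further than the baseline allows before anyone notices.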

Boundary Defense

  • Network segmentation
  • Firewall / IDS
  • DMZ

Quick win: Move highest risk resources to a separate network segment. 
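Moving high-risk resources to their own segment only helps if the rules between segments actually enforce the intended policy, and on a first-match firewall that depends on rule order. The script below is an added example (not from the original page): it models an ordered ruleset with first-match semantics and an implicit default deny, then checks it against a list of expected outcomes. The same expectations are run against a misordered copy of the ruleset to show how a broad "intra-LAN allow" placed too early silently opens the high-risk segment. Addresses, segments and the policy are hypothetical.

```python
"""Verify a segmentation policy by evaluating traffic against an ordered ruleset.

Added example, not from the original page. Addresses and rules are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    src: str             # source network (CIDR)
    dst: str             # destination network (CIDR)
    proto: str           # "tcp", "udp" or "any"
    dport: Optional[int] # None matches any port


# Constructed policy: 10.0.50.0/24 is the high-risk segment, 10.0.0.0/16 the
# office LAN and 10.0.9.5 a jump host. Order matters: the explicit denies that
# protect the segment sit before the general intra-LAN allow.
RULES = [
    Rule("allow", "10.0.9.5/32", "10.0.50.0/24", "tcp", 22),   # admin via jump host only
    Rule("allow", "10.0.0.0/16", "10.0.50.0/24", "tcp", 443),  # LAN may use the service
    Rule("deny", "0.0.0.0/0", "10.0.50.0/24", "any", None),    # nothing else reaches it
    Rule("deny", "10.0.50.0/24", "0.0.0.0/0", "any", None),    # it may not initiate
    Rule("allow", "10.0.0.0/16", "10.0.0.0/16", "any", None),  # ordinary intra-LAN traffic
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "any", None),       # explicit default deny
]

# Same rules with the intra-LAN allow moved to the top: a common mistake.
MISORDERED = [RULES[4]] + RULES[:4] + [RULES[5]]

# (src, dst, proto, dport, expected action) - constructed expectations.
EXPECTATIONS = [
    ("10.0.1.20", "10.0.50.10", "tcp", 443, "allow"),
    ("10.0.1.20", "10.0.50.10", "tcp", 22, "deny"),
    ("10.0.9.5", "10.0.50.10", "tcp", 22, "allow"),
    ("10.0.50.10", "10.0.1.20", "tcp", 445, "deny"),
    ("10.0.1.20", "10.0.2.30", "tcp", 445, "allow"),
    ("203.0.113.9", "10.0.50.10", "tcp", 443, "deny"),
]


def first_match(rules, src, dst, proto, dport):
    """Return the action of the first rule matching the flow, or 'deny'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and r.proto in ("any", proto) and r.dport in (None, dport)):
            return r.action
    return "deny"  # implicit default deny


def verify(rules, expectations=EXPECTATIONS):
    """Return [(case, actual_action)] for every expectation the ruleset violates."""
    failures = []
    for case in expectations:
        actual = first_match(rules, *case[:4])
        if actual != case[4]:
            failures.append((case, actual))
    return failures


if __name__ == "__main__":
    print("correct order  :", verify(RULES) or "all expectations met")
    print("misordered     :", verify(MISORDERED))
```

Keeping the expectations in a list like this turns them into a regression test: re-run it whenever a rule is added, and the "just one more allow" change that quietly re-exposes the segment is caught before it reaches production.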

Maintenance, Monitoring, and Analysis of Security Audit Logs

Logging should be activated on local systems, with logs forwarded to centralized logging servers. Firewalls, proxies, and remote access systems (VPN, dial-up, etc.) should all be configured for verbose logging, storing all the information available for logging in case a follow-up investigation is required. Furthermore, operating systems, especially those of servers, should be configured to create access control logs when a user attempts to access resources without the appropriate privileges.
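Centralizing logs is only the first half of this control; the second half is analyzing them. The script below is an added example (not from the original page) of the kind of analysis the paragraph calls for, run over a constructed sample of syslog-format auth log lines: it extracts failed SSH logins and aggregates them per host and source address, raising an alert when a source exceeds a threshold, and it raises an alert for every sudo denial (the "user NOT in sudoers" message is exactly the access control log entry described above, a user attempting a privileged action without the privilege). Host names, users and addresses are hypothetical.

```python
"""Detect brute-force logins and privilege-denial events in centralized auth logs.

Added example, not from the original page. The log lines are constructed
sample data in syslog format with hypothetical hosts and addresses.
"""
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
Mar  3 10:14:01 web01 sshd[2211]: Failed password for root from 198.51.100.7 port 50122 ssh2
Mar  3 10:14:03 web01 sshd[2211]: Failed password for root from 198.51.100.7 port 50123 ssh2
Mar  3 10:14:05 web01 sshd[2211]: Failed password for root from 198.51.100.7 port 50124 ssh2
Mar  3 10:14:07 web01 sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 50125 ssh2
Mar  3 10:15:40 web01 sshd[2240]: Accepted publickey for alice from 10.0.1.20 port 40010 ssh2
Mar  3 10:16:02 db02 sudo:     bob : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar  3 10:17:11 db02 sshd[3102]: Failed password for alice from 10.0.1.20 port 40011 ssh2
"""

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
SSH_FAIL_RE = re.compile(r"^sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
SUDO_DENY_RE = re.compile(r"^sudo:\s+(?P<user>\S+) : user NOT in sudoers ;.*COMMAND=(?P<cmd>.*)$")


def analyze(log_text, threshold=3):
    """Return per-source SSH failure counts and a list of alerts.

    Alerts are dicts; sudo denials are emitted in log order as they are seen,
    then one alert per (host, source) whose SSH failures reach the threshold."""
    failures = Counter()                 # (host, src) -> failed login count
    users_tried = defaultdict(set)       # (host, src) -> user names attempted
    alerts = []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        host, msg = m.group("host"), m.group("msg")
        f = SSH_FAIL_RE.match(msg)
        if f:
            key = (host, f.group("src"))
            failures[key] += 1
            users_tried[key].add(f.group("user"))
            continue
        s = SUDO_DENY_RE.match(msg)
        if s:
            alerts.append({"type": "sudo_denied", "host": host, "ts": m.group("ts"),
                           "user": s.group("user"), "command": s.group("cmd").strip()})
    for (host, src), count in failures.items():
        if count >= threshold:
            alerts.append({"type": "ssh_bruteforce", "host": host, "src": src,
                           "count": count, "users": sorted(users_tried[(host, src)])})
    return {"ssh_failures": dict(failures), "alerts": alerts}


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG)["alerts"]:
        print(alert)
```

Counting per source address rather than per user name is deliberate: password spraying rotates through user names, so a per-user threshold would never trip while a per-source one does. Single sudo denials are alerted on without a threshold because one attempt to read /etc/shadow by an unprivileged user is already worth a look.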

Application Software Security

Internally developed and third-party application software must be carefully tested to find security flaws. For third-party application software, verify that vendors have conducted detailed security testing of their products. For in-house developed applications, conduct that security testing yourselves to validate the application.

Controlled Use of Administrative Privileges

Must:

  • Each person with administrative privileges on desktops, laptops, and servers must be authorized by a senior executive.
  • Before deploying any new devices in a networked environment, change all default passwords for applications, operating systems, routers, firewalls, wireless access points, and other systems to a difficult-to-guess value.
  • Configure all administrative-level accounts to require regular password changes.
  • Ensure all service accounts have long, difficult-to-guess passwords that are changed periodically, as is done for user and administrator passwords.
  • Passwords for all systems should be stored in a well-hashed or encrypted format, with weaker formats such as Windows LANMAN hashes eliminated from the environment. Furthermore, files containing these encrypted or hashed passwords that systems need in order to authenticate users (for example /etc/shadow on Unix-like systems) should be readable only with superuser privileges.
  • Use automated scripts to ensure that administrator accounts are used only for system administration activities, and not for reading e-mail, composing documents, or surfing the Internet. Web browsers and e-mail clients especially must be configured to never run as administrator.
  • Each person requiring administrative access should be given his/her own separate account.
  • Use different passwords for administrator and non-administrative accounts.
  • All administrative access, including domain administrative access, must use two-factor authentication.
  • Configure systems so that passwords cannot be re-used within a certain timeframe, such as six months.

Consider:

  • Organizations should segregate administrator accounts based on defined roles within the organization. For example, "Workstation admin" accounts should only be allowed administrative access of workstations, laptops, etc.
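The requirement above to eliminate LANMAN hashes is straightforward to audit from a hash dump. The script below is an added example (not from the original page or any particular tool): it parses constructed lines in the common pwdump layout (user:RID:LM hash:NT hash:::) and reports accounts that still have an LM hash, accounts whose LM hash shows the password is seven characters or shorter, and accounts with a blank password. Two constants are facts about the formats: an LM field of aad3b435b51404eeaad3b435b51404ee means no LM hash is stored (the LM hash of the empty string), and an NT field of 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of the empty password. Because LM splits the password into two seven-character halves hashed independently, a second half equal to aad3b435b51404ee reveals a password of at most seven characters. The account names and the other hash values are placeholders.

```python
"""Audit a pwdump-style hash dump for LANMAN hashes and blank passwords.

Added example, not from the original page. Account names and the non-constant
hash values below are constructed placeholders.
"""

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of "" (LM hash absent)
EMPTY_LM_HALF = EMPTY_LM[:16]                   # one 7-char half of an empty LM input
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password

# Constructed dump: user:RID:LM:NT::: (hash values other than the constants are placeholders)
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:1a2b3c4d5e6f70819a2b3c4d5e6f7081:::
svc_backup:1104:11223344556677889900aabbccddeeff:2a3b4c5d6e7f80912a3b4c5d6e7f8091:::
jdoe:1105:1122334455667788aad3b435b51404ee:3a4b5c6d7e8f90a13a4b5c6d7e8f90a1:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""


def is_hex32(s):
    """True for a 32-character hexadecimal string (one LM or NT hash)."""
    return len(s) == 32 and all(c in "0123456789abcdefABCDEF" for c in s)


def parse_pwdump(text):
    """Yield (user, rid, lm, nt) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 4:
            continue
        user, rid, lm, nt = parts[:4]
        if is_hex32(lm) and is_hex32(nt):
            yield user, rid, lm.lower(), nt.lower()


def audit_pwdump(text):
    """Return {user: [finding, ...]} for every account with a weakness."""
    findings = {}
    for user, _rid, lm, nt in parse_pwdump(text):
        issues = []
        if nt == EMPTY_NT:
            issues.append("blank_password")
        if lm != EMPTY_LM:
            issues.append("lm_hash_present")
            if lm[16:] == EMPTY_LM_HALF:
                issues.append("lm_password_7_chars_or_fewer")
        if issues:
            findings[user] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit_pwdump(SAMPLE_DUMP).items():
        print(f"{user}: {', '.join(issues)}")
```

Even where the LM hash is present only for a few service or legacy accounts, each one is a password that can be recovered offline in minutes, so the finding is the list of accounts to fix (by changing the password after LM storage is disabled), not a statistic.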

Controlled Access Based on the Need to Know

Continuous Vulnerability Assessment and Remediation

Account Monitoring and Control

Malware Defenses

Limitation and Control of Network Ports, Protocols, and Services

Wireless Device Control

Data Loss Prevention

Secure Network Engineering

Penetration Tests and Red Team Exercises

Incident Response Capability

Data Recovery Capability

Security Skills Assessment and Appropriate Training to Fill Gaps
