Top 10 IT Security Tasks To Complete Before You Die

A popular subject in recent books and articles has been the “top x things to do before you die” topic. In that vein, I’ve put together the “Top 10 IT Security Tasks To Complete Before You Die” (you may not want to wait that long though).

1. Have a Security Program

This can be the most difficult one to implement simply because of the planning required, but it can have the biggest long-term payoff. The program should include regular contact with users to educate them about current threats, social engineering tactics, etc. It should address security policies and procedures, threat escalation and incident response. The program should also include a disaster recovery (DR) plan. There are many other considerations that need to be taken into account, but the bottom line is that not having a formal security program is a huge mistake.

2. Encrypt Critical Data

There was a time when a company could get away with not encrypting important data. In today’s environment of security breaches, corporate espionage, stolen consumer information, and ubiquitous online transactions, that time is gone. So what should you encrypt? If public exposure would embarrass or be detrimental to your business, encrypt it. Credit card data, consumer PII (personally identifiable information), trade secrets, health care data, internal memos, etc. That includes laptops and backups. It does no good to encrypt valuable information only to have it stolen outside of the office on a laptop or backup tape. This level of data protection will soon be moving from a “should do” to a “must do”, as evidenced by recent legislation like 201 CMR 17.00 in Massachusetts.

3. Understand & Control Information Leakage

One of the first things a potential attacker will likely attempt is information gathering for details about your environment and network. Information leakage from areas like Internet email headers, web services banners, carelessly configured DNS, and document metadata makes that task easy for them. This isn’t a super critical subject that needs immediate attention, but it is something that should be addressed to contribute to a good security posture. Take on the role of an external attacker and see what sort of information could be gathered, then get rid of the low hanging fruit. A good example is this 2002 Internet-based Counter-Intelligence study that Matta Security did against the CIA.
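One way to do that self-assessment for web service banners, as an added example (not code from the original post): it parses constructed HTTP responses and flags response headers that reveal product names or versions. The header list, the regex and the sample responses are my assumptions, not anything from the post.

```python
import re

# Response headers that commonly reveal software names and versions to anyone who asks.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version",
                      "x-aspnetmvc-version", "x-generator")
# Loose match for a dotted version number such as 2.2.3 or 5.1.
VERSION_RE = re.compile(r"\d+\.\d+(\.\d+)?")

def parse_headers(raw):
    """Parse a raw HTTP response (status line + headers) into {lowercase name: value}."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def find_leaks(raw):
    """Return (header, value, severity) for each header that leaks product or version info.

    severity is "version" when a version number is present (patch level exposed),
    "product" when only the product name is disclosed.
    """
    findings = []
    for name, value in parse_headers(raw).items():
        if name in DISCLOSURE_HEADERS:
            severity = "version" if VERSION_RE.search(value) else "product"
            findings.append((name, value, severity))
    return findings

# Constructed sample responses; not captured from any real server.
LEAKY = """HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Content-Type: text/html
"""

HARDENED = """HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
"""

if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY), ("hardened", HARDENED)):
        print(label, find_leaks(raw))
```

In practice you would feed it the headers your own servers return and treat every "version" finding as low hanging fruit to remove.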

4. Harden Authentication

There are organizations that claim to take security seriously, yet still have clear text credentials going over their wires, or easily cracked authentication methods. The biggest offender is a web site with unencrypted authentication, but it’s also not uncommon to find LM hashes needlessly enabled, critical routers being remotely managed with telnet, FTP access tied to AD credentials, or any number of similar offenses. This subject is much too in-depth to fully address here; the point is to make sure you have a grasp on how authentication is handled in your environment and that it is secured.

5. Monitor Logs

This one is obvious, but still doesn’t always get the attention it deserves. Short of an all-out denial of service, log files are typically your first indication of a problem. Keeping up with event logs can be a dull and time consuming process, but there are many excellent solutions available for central monitoring and alerting.

6. Monitor Traffic

While monitoring log files is important, it doesn’t always give a full picture of what is happening on your network. This is where a good traffic monitoring solution comes into play. If you currently have nothing, even something basic that will show deviations from normal patterns (like traffic spikes) is an improvement. Better would be a full-fledged IDS solution such as Snort or something comparable. Being able to monitor traffic in real time and alert on suspicious traffic is key to a secure environment. Related to this, making sure you know how to interpret packet captures is a key skill for incident investigation.
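The "something basic" above can be as little as a baseline-and-deviation check over per-interval counters. This is an added example, not code from the original post: it flags intervals that sit more than a few standard deviations above the recent baseline, and it keeps flagged intervals out of that baseline so one spike does not mask the ones after it. The window size, threshold and the sample counts are my assumptions.

```python
from statistics import mean, pstdev

def find_spikes(samples, window=10, threshold=3.0, min_stdev=1.0):
    """Flag intervals whose count deviates sharply from the recent baseline.

    samples:   per-interval counts (bytes, packets, flows) in time order.
    window:    number of preceding normal intervals used as the baseline.
    threshold: z-score above which an interval is reported as a spike.
    min_stdev: floor on the baseline spread, so a perfectly flat baseline
               does not turn every small fluctuation into an alert.
    Returns a list of (index, value, z_score) for flagged intervals.
    """
    # Warm-up: the first `window` intervals are accepted as the initial baseline.
    clean = list(samples[:window])
    spikes = []
    for i in range(window, len(samples)):
        baseline = clean[-window:]
        mu = mean(baseline)
        sigma = max(pstdev(baseline), min_stdev)
        z = (samples[i] - mu) / sigma
        if z > threshold:
            spikes.append((i, samples[i], round(z, 1)))
        else:
            # Only normal intervals feed the baseline; a spike must not
            # inflate the spread and hide the spikes that follow it.
            clean.append(samples[i])
    return spikes

# Constructed per-minute outbound byte counts (KB); not real traffic data.
SAMPLE_TRAFFIC = [120, 135, 128, 140, 122, 131, 138, 125, 130, 127,   # quiet baseline
                  133, 129, 1850, 136, 124, 2100, 2240, 131, 128, 126]  # spikes at 12, 15, 16

if __name__ == "__main__":
    for idx, val, z in find_spikes(SAMPLE_TRAFFIC):
        print(f"minute {idx}: {val} KB (z={z})")
```

Without the exclusion step, the spike at minute 12 would widen the baseline enough that minute 16 slips under the threshold.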

7. Implement Checks and Balances

What would be the impact on your business if email was down? How about Active Directory / DNS, your public website, primary storage, routers? The IT infrastructure in most organizations is taken for granted; the fact is that if all or a portion of it were down, business operations might cease. Almost all organizations suffer from the fact that a single person has the capability to cause severe damage to operations (remember the San Francisco Admin?). This can never completely be overcome, but where possible, roles should be separated, strong authentication & access control implemented, and actions audited. Measures such as these help protect not only against malicious intent but also against accidents.

8. Implement Fundamental Wireless Security

Most companies have some form of wireless connectivity available. Besides being a convenience, it is often integral to business function. It also can be the entry point for potential attacks. If you have a wireless access point on your network, the only thing keeping the bits and bytes from an attacker’s computer in the parking lot away from your data in the server room is what you hope is good access control. The best way to combat potential threats is to keep up to date with wireless standards. No one should use WEP, and WPA with TKIP is on the way out. The current recommendation is WPA2 with AES encryption, but the day will come when that is found to be vulnerable too. Address the developments as they come. One of the better implementations for corporate wireless is to keep access points physically separate from the internal network, allowing only Internet access after authenticating, and requiring VPN to then access internal resources.

9. Stay On Top Of Emerging Threats

One of the things that keeps the field of information security so interesting is that it changes rapidly. That fact also contributes to its complexity. New threats arise constantly, and while keeping up with every one of them is not necessary, keeping an “ear to the street” is. You should remain on alert for new zero day exploits, vulnerabilities, or tactics that may be a threat to your particular environment. If, for example, you run an e-commerce site, you should pay attention to SQL injection and XSS vulnerabilities. Host virtual machines with VMware? Alerts such as this one should be on your radar. This is also where having a good patching strategy comes into play. An excellent way to keep up with emerging threats is to subscribe to a reputable notification list. My personal favorite is the @Risk Consensus Security Alert from the SANS Institute.

10. Pen Test

Penetration testing is still considered by some to be a “hacker” pastime, but the reality is that it is vital for rooting out potential vulnerabilities on your network. Pen testing is also a compliance requirement for certain standards like PCI-DSS. It’s always better to find and resolve holes before some external party finds them for you. There are plenty of consulting companies that will take your money for a good pen test, and for truly comprehensive results you should bring in a professional. However, basic pen testing is also something internal IT staff can do with adequate research. Remember, just because a developer or a large software company says it’s secure, doesn’t mean it is. Trust, but verify.

There you have it, my thoughts on 10 important areas that will contribute to your organization’s overall security. As with any good top 10 list, this one is incomplete and completely subjective. There are a number of other important information security tactics not mentioned here. Leave a comment and tell me what I left out or what you think does not belong in this list.

This post originated at


One Response

  1. Nice post. Thanks for sharing these tips.
