Ten Practical Security Steps
for Resource Limited IT Staffs
Or how to achieve reasonable computer and network security with
limited effort; this covers security basics and essentials. This is
not a step-by-step tutorial, because computer security is so
platform specific, but rather a review of steps generally
applicable across platforms. For those really pressed for time,
the one-line versions follow:
- Make frequent backups, stored securely, and test them.
- Have IT staff follow good password procedures.
- Use a modern firewall with a tight custom rule set.
- Protect files with appropriate access permissions.
- Turn off all unneeded services.
- Prevent Internet access to shared file systems.
- Prevent single login, remote administrative access.
- Automatically audit systems for signs of intrusion.
- Apply security updates to your systems.
- Don't install anything you don't expect to use.
Introduction
This is intended for IT departments at small sites with limited
resources. By small I mean ten or fewer information technology
staff. It's also aimed at any organization where the IT staff are
typically in a reactive mode and don't have time to do all the
things they should, or where the things the IT staff know they
should do get pushed aside by user demands. There may be small IT
shops that aren't like this, but I'm not familiar with any.
The emphasis is on the basics and getting the biggest security
improvement for the resources expended. In the kinds of environments
this is intended for, there is a good chance that nothing will
change until after the first break-in. Anyone that actually does all
ten will be more secure than any place I've ever worked, including
some government agencies that really had no excuse for their poor
security.
Some security related suggestions are annoying. I recently read that
a system administrator should know every file on the systems he or she
is responsible for. In 2001 my personal workstation full backup
included over 70,000 files and I had 7 other systems with 3 different
operating systems. In early 2014 my desktop PC has way over 3 million
files. There is no question I have files I don't use and
don't need but I don't have time to find them or deal with the side
effects of attempting to uninstall products that I think are not
needed. A basic OpenBSD (the most compact operating system I know)
install with development tools includes over 15,000 files. Some
products come with hundreds of files and a few with thousands. Though
product use may be documented, it's rare for the included files to be
documented. It's irritating to be told by those who are supposed to
know more than you that you should do things you know to be entirely
impractical.
There are two security suggestions that I see regularly. One is
to apply security fixes as they become available.
Though I believe security administrators have an
obligation to rapidly fix vulnerabilities where their systems may
be used as a launch point for attacks against other systems, there
may be problems with applying all security fixes as they become
available.
My preferred systems are those that are doing exactly what they're
supposed to and haven't had a problem in months. Changing a stable
system's configuration may make it unstable, particularly with
Microsoft Windows (any version) and Macintosh. Applying patches is a
form of changing the system's configuration.
Though problems where your systems could be used to attack others
require rapid attention, other security issues should be
approached with more caution. If you don't have test systems
similar to your production machines and the time to install and
test new "fixes", you may do more harm than good following this
advice. Many fixes have their own bugs. A system crashed, or with
essential functions rendered inoperable by a buggy or
incompatible fix, is as dead or useless as one brought down by a
Denial of Service (DoS) attack. The difference is that you, the
person responsible for protecting the system, are the one who
brought it down.
My favorite bad recommendation appears, with variations, in nearly
every security recommendation list. It is to use good passwords,
preferably containing upper and lower case letters, one or more
digits and one or more special characters. These should be
different on every machine and for every account and changed
regularly. Finally, they should never be written down.
Humans don't have EPROM memory that never forgets anything until it's
reprogrammed. A system that can't be reconfigured or recovered
because of a lost administrator password is likely to be just as
useless as one brought down by a DoS attack, and likely to take much
longer to get back.
Nothing of value comes for free, and all of my suggestions will involve
time and/or expense. These suggestions emphasize the most
security improvement for the least resources and try to avoid
permanent increases in the number of ongoing manual administrative
tasks. There's no pretense that these are best practices or that more
couldn't or shouldn't be done.
The listed order is somewhat but not entirely in order of importance.
Backups are the foundation on which all other security rests. Good
passwords, firewalls and access permissions are the basics of securing
systems. The next three are related to these three but more
specific. Number 8 is a check that the preceding are working and
number 9 is to keep a reasonably secure system that way. Failure to
practice 10 makes other security related tasks more difficult.
Regarding costs: firewalls, appropriate access permissions, turning off
unneeded services and automatically detecting unexpected system
changes are resource intensive up front. Maintaining tight access
permissions will also require ongoing administration. Good passwords for IT staff
should be very low cost; users are a very different matter.
Not allowing Internet access to shared file
systems and forcing two-level, remote administrative logins are trivial
if good firewalls and access permissions are in place. Backups may be
resource intensive but may trade up-front investment for ongoing
costs. Periodic security updates require some ongoing resources. Not
installing unneeded software is cost free going forward, but attempting
to remove unneeded software from existing systems may be resource
intensive and cause more harm than good.
Copyright © 2000 - 2014 by George Shaffer. This material may be
distributed only subject to the terms and conditions set forth in
https://geodsoft.com/terms.htm
(or https://geodsoft.com/cgi-bin/terms.pl).
These terms are subject to change. Distribution is subject to
the current terms, or at the choice of the distributor, those
in an earlier, digitally signed electronic copy of
https://geodsoft.com/terms.htm (or cgi-bin/terms.pl) from the
time of the distribution. Distribution of substantively modified
versions of GeodSoft content is prohibited without the explicit written
permission of George Shaffer. Distribution of the work or derivatives
of the work, in whole or in part, for commercial purposes is prohibited
unless prior written permission is obtained from George Shaffer.
Distribution in accordance with these terms, for unrestricted and
uncompensated public access, non profit, or internal company use is
allowed.