Companies that are good at computer security don't install Java on every desktop and server. When it is installed, it's patched on a monthly basis. In most companies, application compatibility prevents Java from being patched in a timely manner. In highly secure companies, application compatibility is second, at least when it comes to Java. Java users know this and accept that frequent updates might break a program. Either that or they run unpatched Java on computers not hooked to the network.
3. Admin passwords that are not shared
Not sharing passwords is the single best measure enterprises can take to slow down attackers once they gain a foothold on the network. Most companies use the same password across every local Administrator or root account on every managed computer. Attackers love this because once they have compromised one computer, they can dump the local passwords (or hashes) and begin using them to move easily throughout the environment.
Successful companies know this and enforce a separate, unique password for every local admin account. They either accomplish this manually (pure grunt effort) or use an automated password management tool built for just that purpose. If you have a shared admin password across all your computers, change it now.
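An added example, not part of the original column and not the code of any particular password-management product: a small Python audit that takes a vault export (constructed here as a dictionary of hostname to current local admin password), reports which hosts share a value by fingerprint only (so the report never carries the password itself), and rotates every member of a shared group to its own CSPRNG-generated password. The hostnames and passwords are made up for illustration.

```python
import hashlib
import secrets
import string
from collections import defaultdict

SYMBOLS = "!@#$%^&*()-_=+"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def generate_local_admin_password(length: int = 24) -> str:
    """Return a random password from the OS CSPRNG (secrets), one per host.

    Loops until every character class is present so the value also satisfies
    a typical local complexity policy.
    """
    if length < 16:
        raise ValueError("local admin passwords should be at least 16 characters")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


def fingerprint(password: str) -> str:
    """Short one-way tag used in reports instead of the password itself."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def find_shared_admin_passwords(vault: dict[str, str]) -> dict[str, list[str]]:
    """Group hosts whose local admin password is identical.

    Returns {fingerprint: [hosts]} only for groups with more than one host;
    an empty dict means every host already has a unique password.
    """
    groups: dict[str, list[str]] = defaultdict(list)
    for host, pw in vault.items():
        groups[fingerprint(pw)].append(host)
    return {fp: sorted(hosts) for fp, hosts in groups.items() if len(hosts) > 1}


def rotate_shared(vault: dict[str, str]) -> dict[str, str]:
    """Return a copy of the vault where every host in a shared group gets a fresh,
    unique password. Hosts that were already unique are left untouched."""
    new_vault = dict(vault)
    for hosts in find_shared_admin_passwords(vault).values():
        for host in hosts:
            new_vault[host] = generate_local_admin_password()
    return new_vault


# Constructed vault export (hypothetical hosts and passwords) showing the
# classic "same password everywhere" situation before cleanup.
SAMPLE_VAULT = {
    "ws-001": "Summer2015!",
    "ws-002": "Summer2015!",
    "ws-003": "Summer2015!",
    "srv-db-01": "uniqueDbPass#2015",
    "srv-web-01": "Summer2015!",
}

if __name__ == "__main__":
    for fp, hosts in find_shared_admin_passwords(SAMPLE_VAULT).items():
        print(f"shared password {fp} on {len(hosts)} hosts: {', '.join(hosts)}")
    cleaned = rotate_shared(SAMPLE_VAULT)
    print("shared groups after rotation:", find_shared_admin_passwords(cleaned))
```

The audit half is the part worth running regularly: a scheduled job that re-reads the vault and alerts when `find_shared_admin_passwords` returns anything catches the image that was cloned with a baked-in password before an attacker does.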
4. Outstanding monitoring and alerting
As Verizon's Data Breach Investigations Report reveals each year, the vast majority of attacks were recorded in log files, but the companies did not bother to look. Secure companies take event logging and monitoring seriously. They create plans, buy the right tools, and alert upon suspicious activity. Every alert is immediately picked up by someone from the incident response team and investigated until it is proved to be either a false positive or a security incident.
This "investigate everything" approach is particularly powerful when combined with having very few, or zero, permanent members in admin groups. If someone's account gets added without appropriate justification, that is a good event to investigate.
Good event log monitoring is an art. Find someone who can create useful alerts and decisions from all the noise that's filling those logs every minute of every day. These people are worth their weight in gold. Pay them appropriately.
5. Segmentation of weaknesses
Almost every company I audit has tons of insecurable legacy systems that should have been removed from the network a decade ago. That's life. Sometimes operations require that we support very old things. Successful companies segment their old and insecure systems.
Segmentation can be done in myriad ways, including:
- Separate Active Directory forest
- Make all computers standalone (not networked)
- Firewalls, routers, VLANs
The idea is to prevent easy movement of attackers (and configuration badness) between your weakest and strongest environments. Tell management you'll keep those systems around, but as a trade-off, you must be able to keep them separate from your normal assets. If that becomes too difficult, maybe they will get rid of them or upgrade them, as they should have years ago.
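An added example, not from the original column: a Python check that tests whether the separation just described is actually holding, by running constructed firewall flow records against a written-down segmentation policy. The subnets, the jump-host range and the flow lines are hypothetical; the policy encoded here is "nothing crosses between the legacy segment and the normal network except management protocols from a dedicated jump subnet". Any accepted flow that breaks that rule is a gap in the segmentation (or a rule someone added by hand), and dropped flows are counted as the firewall doing its job.

```python
import ipaddress

# Constructed segment map (hypothetical address plan). The jump subnet lies inside
# the corporate range, so it must be matched before "corporate".
SEGMENTS = {
    "jump": ipaddress.ip_network("10.10.250.0/24"),
    "legacy": ipaddress.ip_network("10.99.0.0/16"),
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
}

# Allowed cross-segment flows involving the legacy segment:
# (src_segment, dst_segment) -> permitted destination ports.
ALLOWED_TO_LEGACY = {
    ("jump", "legacy"): {22, 3389},
}


def segment_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name in ("jump", "legacy", "corporate"):   # most specific first
        if addr in SEGMENTS[name]:
            return name
    return "other"


def is_allowed(src: str, dst: str, dport: int) -> bool:
    """Policy decision for one flow. Only flows touching the legacy segment are judged;
    traffic within a segment or between non-legacy segments is out of scope here."""
    s, d = segment_of(src), segment_of(dst)
    if s == d:
        return True
    if "legacy" not in (s, d):
        return True
    ports = ALLOWED_TO_LEGACY.get((s, d))
    return ports is not None and dport in ports


def find_violations(flow_lines) -> list[tuple[str, str, str, int]]:
    """Return (timestamp, src, dst, dport) for every ACCEPTed flow the policy forbids.

    Each line is "<ts> <src> <dst> <dport> <ACCEPT|DROP>" (constructed layout).
    """
    violations = []
    for line in flow_lines:
        ts, src, dst, dport, action = line.split()
        if action != "ACCEPT":
            continue   # a DROP record is the segmentation working, not a violation
        if not is_allowed(src, dst, int(dport)):
            violations.append((ts, src, dst, int(dport)))
    return violations


# Constructed flow records (hypothetical addresses).
SAMPLE_FLOWS = [
    "2015-03-02T10:00:01Z 10.10.250.5 10.99.1.20 3389 ACCEPT",  # jump host RDP to legacy: allowed
    "2015-03-02T10:00:05Z 10.10.7.33 10.99.1.20 445 ACCEPT",    # workstation SMB into legacy: violation
    "2015-03-02T10:01:00Z 10.99.1.20 10.10.7.33 445 ACCEPT",    # legacy reaching into corporate: violation
    "2015-03-02T10:02:00Z 10.99.1.20 10.99.1.21 445 ACCEPT",    # intra-legacy: out of scope
    "2015-03-02T10:03:00Z 10.10.7.33 10.10.8.1 80 ACCEPT",      # intra-corporate: out of scope
    "2015-03-02T10:04:00Z 10.10.7.34 10.99.1.20 445 DROP",      # blocked as intended
]

if __name__ == "__main__":
    for ts, src, dst, dport in find_violations(SAMPLE_FLOWS):
        print(f"{ts} {segment_of(src)}:{src} -> {segment_of(dst)}:{dst}:{dport} crosses the legacy boundary")
```

The same policy table is the artifact to hand to whoever owns the firewall or VLAN configuration, and the check is worth scheduling: segmentation tends to erode one "temporary" exception at a time, and a flow-log review is the cheapest way to notice.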
When I share these "secrets," I'm often told that the company will refuse to accept it. All such critics see is inconvenience and limited freedom. I'm here to tell you that the employees of companies who have implemented these common-sense measures are happier than most employees I see in other companies. The restrictions result in less compromise, less downtime, less rebuilding, and less blame.
If your organization is getting tired of being hacked all the time, consider the lessons you can learn from companies that have done it right.
This story, "5 lessons from companies that get computer security right," was originally published at InfoWorld.com, in Roger Grimes' Security Adviser blog.