Good security in recessionary times

A rough economy can be a good opportunity for your company to pay attention to the basics of IT security. Getting the essentials right today means your network can help your company succeed when the economy improves

If you've had any money in the stock market, it's been a bloodbath the last few weeks. It's hard to remember that any 10-year period in stock market history has always ended up with better returns than any other investment. As financial analysts argue over whether we are already in or just headed into a deep global recession, we are facing a rough, contracting period. People with good jobs are holding on to them tighter than ever.

And despite one well-sourced report to the contrary, most experts are predicting that IT spending is on the way down. In the period of falling revenues and expenses, each of us will be asked to do more with less. The heroes of this time will be those who save our companies money while improving security.

Regular readers are probably tired of me preaching to the converted, but I will posit my main security recommendation again: Spend more time on doing the basic things better instead of wasting money on unproven, guaranteed-to-fail, advanced security defenses. Here are some of the basics:

Inventory the hardware and software you have. I'm still surprised by how many companies do not have accurate inventories. How can you protect what you aren't even sure exists? If you know about all the hardware, do you have a list of all the installed software and services?

Remove unneeded software and services. Each installed software program and service is another potential attack vector. If it is not needed, disable or remove it. Simply not using it is not enough as rogue malware can often launch and manipulate it.

Once you've got a minimized list of software, patch your software. All of it. This means operating system files, big applications, browser add-ons, utilities, and firmware. On the last point, security appliances, such as firewalls and anti-spam devices, often go unpatched for years. Appliances as well as the applications you purchased them for have underlying operating systems to patch. If your appliance -- or copy machine or multifunction printer -- can be contacted using an HTML browser, it means it is running a Web server, which also needs to be patched.

Review active user accounts and remove those that are no longer needed. Make sure all remaining users have least privileged access necessary and secure passwords. Run a program to enumerate all the permissions to existing resources. You'll find people who have elevated accesses they shouldn't have. Secure passwords are long (10 or more characters longer) and are changed on a regular basis (maximum of every 90 days). Disable weak password hashes (such as LM, Crypt, and so on) and move to stronger hashes (NTLM and BCrypt, for example).

A neat new free tool with promise is Depant. It allows you to check for enabled default passwords for various appliances and devices around your network. It uses Nmap, Hydra, and the Internet's most popular default password list to find passwords that need to be changed. It's one of those ideas that is so simple I'm surprised it wasn't thought of before. Thanks, Midnight Research Labs.

Secure your wireless networks. In today's world, there are few valid excuses for not using WPA2, 802.11i, or 802.1x to secure them. Even "guest" networks. Secure them. Turn off the ability for your clients to connect to ad hoc networks. Use security management tools and scripts to enforce security policy across as many computers as you can. Work smarter, not harder.

Another useful, cheap utility is Wireless Autoswitch. It allows you to force laptops with wireless connections to a wired connection when available.

Finally, aggregate security logs and use intelligent analysis to bring the critical events you really need to know about to your attention. Several studies have shown that many costly security intrusions were noted in active security logs that did not receive enough attention.

Every computer security administrator I've ever met, working for companies large and small, know where the weak links are in their company's defenses. Now is the time to plug those holes so that when the economy improves, your company is in the best position to succeed.

Related: