Forget expensive IDSes, host-based IDSes, and unified threat management appliances. Here’s how to really get the best security bang for your buck:
1. Prevent the installation or execution of unauthorized software or content. Learn what is running on your computers and why. If you don’t know what’s on your systems, you can’t protect them adequately.
2. Don’t let non-admin users be logged in as administrators or root.
3. Secure your e-mail. Convert all incoming HTML content to plain text and block all file extensions by default, except the handful or two you want to allow.
4. Secure your passwords. Require long passwords, 10 characters or longer for normal users, 15 characters or longer for admin accounts. Implement account lockout, if even with only a one-minute lockout. On Windows, disable LM password hashes. On Unix/Linux, use the newer crypt(3) hashes, MD5 style hashes, or even better, bcrypt hashes if your OS supports it.
5. Practice deny-by-default and least-privilege whenever possible. When developing least-privilege security policies, use role-based security. Instead of one “IT security group,” you should have a group for each IT role.
6. Define and enforce security domains. Who needs access to what? What types of traffic are legitimate? Answer these questions and then design perimeter defenses. Take baselines and note abnormal traffic.
7. Encrypt all confidential data whenever possible, especially on portable computers and media. There’s no excuse for not doing this -- the bad PR you’ll get from lost data (see AT&T, U.S. Department of Veteran Affairs, Bank of America) should be reaspm enough.
8. Update patch management for OSes and all applications. Have you patched Macromedia Flash, Real Player, and Adobe Acrobat lately?
9. Implement anti-virus, anti-spam, and anti-spyware tools on the gateway and/or at the host-level.
10. Embrace security by obscurity. Rename your admin and root accounts to something else. Don’t have an account called ExchangeAdmin. Don’t give your file servers names such as FS1, Exchange1, or GatewaySrv1. Put services on non-default ports when you can: You can move SSH to 30456, RDP to 30389, and HTTP to 30080 for internal use and business partners.
11. Scan for and investigate unexpected listening TCP or UDP ports on your network.
12. Track where everyone browses on the Internet and for how long. Post the findings on a real-time online report that is accessible by anyone. This recommendation tends to make users’ Internet surfing habits self-policing. (I bet it will also lead to a sudden increase in productivity.)
13. Automate security. If you don’t automate it, you won’t do it consistently.
14. Educate staff and employees about security risks and create appropriate policies and procedures. Practice change and configuration management. Enforce penalties for non-compliance.
I know I left out lots of other things, such as physical security, but this is a better-than-good start. Pick one recommendation and focus on implementing it from beginning to end. Then start on the next. Skip the ones you can’t implement and zero in on what you can do. And if you absolutely must have that pricey IDS, go get it -- but not until you’re done covering these basics.