Administrative checklist for security

  1. Are all administrators using named accounts?
  2. Place the password for the built-in administrative account in a sealed envelope in a fireproof safe (with a duplicate off-site copy). Whenever this account is used, change the password and seal the new one in the same way.
  3. Do you use jump servers?
  4. Check the change schedule. Do you notice operational activities that are not on the schedule? Treat these with suspicion.
  5. Check the software inventory of all administrators' workstations. Is there software installed that does not fit the job description?
  6. Review all SOPs. Are the administrative tasks clearly defined?
  7. Create administrator logon trending. At what time of the day, week and month are the logons occurring? Start reporting on exceptions to the trends.
  8. Set a strong administrative password or passphrase.
  9. Visually differentiate the administrator accounts from limited user accounts.
  10. Physically secure computers and label them appropriately.
  11. Lock down the system BIOS.
  12. Download and install all critical updates for the operating systems.
  13. Audit physical network security (eyeball it). Visually inspect computers for signs of tampering. Make sure no unidentified computers or devices are attached to your network or can easily be attached to it. Packet sniffers and rogue servers can be used to penetrate your network, compromising your computers and your data.
  14. Use desktop firewalls
  15. Install antivirus/antispyware software.
  16. Install and configure Web filtering software (or use OpenDNS as an alternative).
  17. Change administrator passwords regularly.
  18. Check for updates to Windows and other installed software
  19. Maintain antivirus/antispyware updates (or automate the process)
  20. Perform regular inspections. After a user finishes using a computer, inspect the computer and peripherals for any signs of tampering. Some monitoring devices attach to a parallel port, USB port, or in line with a keyboard cable.
  21. Create and maintain a security policy: All members of the enterprise need to be aware of their obligations. The information security team reports separately from IT to maintain its independence and freedom from conflicts of interest. Appoint an Information Security Officer (ISO) reporting to the board with defined roles and responsibilities, Establish a comprehensive information security policy and auditing process covering all areas of information management and institute regular reviews of this policy, Train new business unit users on security policies and procedures and institute awareness training for current users; create awareness of disciplinary measures and test to validate the training, Establish a security auditing process using third-party auditors and service providers, All Business Unit users have access to a copy of the security policies and procedures (published on the enterprise intranet) and have demonstrated their acceptance of these as a part of their employment, All business associates, partners, contractors or customers that have access to the enterprise's information systems are made aware of the security policies and procedures and must agree to abide by them in order to retain access, Security policies address both internal and external access to the network for each technological device and are integrated with Change Management, Policy management software is used to track identified threats and vulnerabilities, map each threat to the intellectual property of the enterprise, track regulatory compliance and establish an enterprise-specific risk profile, Align the security program with overall business objectives so that security considerations are a routine part of normal business processes, systems design and implementation, Establish a framework in which the success of security objectives is measured against a benchmark that is communicated throughout the enterprise, including partners, vendors and Business Unit users, Identify, measure, monitor and control electronic security risks through technology risk assessment processes and ensure that adequate safeguarding controls exist over networks and customer data, Assign responsibility for keeping records of cyber intrusions, costs of remediation and response time, and for documenting procedures and processes.
  22. Encryption: Encrypt stored data accessible from the Internet, Encrypt data sent across networks, Restrict access to data by business "need to know", Use TLS with at least 128-bit symmetric encryption and RSA keys of at least 2048 bits (1024-bit RSA is no longer considered adequate), Established policy regarding the sharing of public keys with others and how they share theirs, Policy for cross-certification with external parties, Keys stored in a secure location and protected against theft, disclosure and alteration, Secure means by which keys are issued, replaced and destroyed, Secret keys unlocked securely and use of root keys tightly controlled, Encryption keys managed, including key retirement/replacement when team members leave the enterprise, Keys and certificates carry expiration dates, Certificates properly validated against hostnames/users, Certificate Revocation Lists (CRLs) maintained and checked in real time, Contingency plan (for example key backup or escrow) that can recover data in the event of an encryption key being lost.
  23. Bulletproof Windows: Regularly address the Top20 Windows vulnerabilities, Disable or rename the built-in Administrator account and give it a strong password of more than 24 characters, Workstations run a supported Windows release at the current service pack level (at the time of writing, Windows XP with SP2), Provide file-level security on shared files and folders, Centralise security settings for workstations, Resolve conflicting group policies for workstations, Deploy software (or hardware) firewalls on workstations, Restrict TCP/IP ports on individual workstations and servers and disable DCOM if not required, Encrypt emails and confidential data files on workstations, Control and monitor what Business Unit users do on their workstations.
  24. Malicious code: Standardised deployment of anti-virus on desktops, servers, mail servers and entry points into the enterprise network, Anti-virus signatures updated on a regular basis, Documented procedures and actions for when a virus is discovered: eradication, scrubbing of compromised files, analysis of the resulting damage and limiting of further contamination, Minimise the risk of virus propagation by using disk quotas and restricting/scrubbing software downloads/uploads, Run automatic and routine virus scans, Anti-spyware and adware detection software installed.
  25. Bulletproof UNIX: Regularly address the Top20 UNIX vulnerabilities, Implement the UNIX security checklist.
  26. Technology and automation: Intrusion detection appliance, Integrated security monitoring, Netflow, Cisco SAA, Sniffers, Centralised logging.
  27. Incident Response Plan (IRP): Provide guidance on what to do if there is an attack and identify the team members who manage contingency plans, Escalation procedure for reporting an attack including key points of contact and communication channels (law enforcement, regulatory agencies, public relations, internal communications), Determine whether a crime has been committed, Interact with external vendors of hardware and software, Attempt to trace the source of the attack, identify the servers from which intruder data was sent and any downstream victim sites, Forensics: logs and images of the compromised server are taken and computer forensic tools/services used, Integrate the IRP with Patch Management when incidents occur due to unpatched systems, Repair compromised systems, Integrate with Business Continuity Plans: disaster recovery facilities allow continued operations in the event of a regional disaster, Insurance coverage for cyber-risks or fraud due to internal and/or external attackers, System back-ups and redundant servers in place in the event of a system failure or attack, with redundant servers at facilities with different power and telecommunications, Secondary systems undergo thorough security maintenance, including abiding by all security policies and procedures, Procedures and processes for securely switching to and from business continuity systems, including expiring or short-term access privileges.
  28. Secure RAS: Remote users are required to use VPN and firewall software, VPN settings are centralised, System administrators identify unusual access or instances of remote users, Regularly review all VPN log files, system log files, firewall logs, IDS logs, etc., Employ standardised equipment and access, Restrict access from a remote user to a single nominated computer, Business Unit user is held accountable for the actions of their computer, Limit access to sensitive or confidential information for remote users, Use at least two-factor authentication.
  29. Access value and risk: Create an inventory of each ingress point to the network (e.g. every connected device, wireless, remote, etc.), both inside and outside of the firewall, in order to identify potential points of vulnerability, Create an asset-based threat profile, Perform risk assessments for each control area once a year, Configure systems correctly according to the enterprise architecture, Procedures and controls for purchasing and eliminating software and hardware, Information Technology management authorises all hardware and software acquisitions.
  30. Protect all types of data: Before deploying new technology, security peer review criteria are published and the design subsequently reviewed against them, Short timetables mandated for the testing and installation of software patches that fix security flaws, Daily audits of network logs conducted, Default software settings changed to ensure a secure configuration, Use of SNMP (v1/v2c), telnet, FTP, unencrypted mail, RPC, r-services or other cleartext protocols for managing systems prohibited, Instant Messaging functionality restricted, Password assignments over the telephone, Instant Messaging or other unsecured transmission mechanisms prohibited, Passwords protected in transit by an encrypted channel and stored only as salted, slow hashes (never reversibly encrypted), Administrative account passwords very strong and changed every three months, A password reset cannot reuse any previous password.
  31. Share information: Conduct cyber intelligence gathering. Report on malicious code, geopolitical threats, known and unknown vulnerabilities & predictive analysis related to emerging cyber threats, Distribute intelligence reports around the enterprise, Conduct 24x7 monitoring and intrusion detection.
  32. Bulletproof the network: Locate IDS on strategic access grids and paths (choke points) on the network in a load-sharing and redundant manner, Outsource monitoring of IDS to a service provider and escalate via SMS or email, Process for maintaining and configuring the rule sets and routing controls, IDS configured for system anomalies, file and data problems, and aberrant usage, IDS updated on a regular schedule, Conduct frequent vulnerability testing against the IDS systems and firewalls, Conduct test attacks to observe whether the system responds correctly, Use of open source IDS software, Subscribe to alerts on the latest threats and vulnerabilities, System clocks synchronised to a common time source (NTP) so that logs from different devices can be correlated, Monitor for rogue tunnels and Trojans.
  33. Patch management: Process for verifying the integrity of a patch (that it will not negatively affect or alter system configurations) and testing that it functions properly and corrects the vulnerability, Patches tested on test beds before being released into the network, Backup of systems done before applying patches, Conduct another vulnerability test after a patch is applied, System changes and updates logged, Patches prioritised, Patch update information disseminated to all enterprise systems administrators, Timetables created to patch potential vulnerabilities, External partners required to apply critical patches to servers and clients within 48 hours and all non-critical patches within 30 days.
  34. Physical security and environment: Security policies restrict physical access to network systems facilities, Physical facilities access-controlled via smart cards to prevent unauthorised access, with regular checking of audit trails, Backup copies of software stored in safe containers, Facilities securely locked at all times and ceilings reinforced in sensitive areas, e.g. the server room, Facilities equipped with alarms to notify of suspicious intrusions, Network facilities have monitoring or surveillance systems to track abnormal activity, with cameras placed near sensitive areas, All unused "ports" disabled, Fully automatic fire suppression system that activates when it detects heat, smoke or particles, Automatic humidity controls to prevent potentially harmful levels of humidity from ruining equipment, Automatic voltage control to protect IT assets.
  35. Bulletproof web service: Configure systems to filter hostile Active X, JavaScript, RPCs, PBS, BIND, SNMP and JVM content, Configure systems to mitigate email vulnerabilities (SMTP and POP3), Implement standardised web configurations and software, Check the length of all input and, if it exceeds the maximum, stop processing and return a failure, User names and passwords never transmitted in plaintext, Restrict user access to system-level resources, Limit session lifetimes, Encrypt sensitive cookie state.
  36. Social engineering: Insiders: Roles and responsibilities of internal security team members clearly stated and documented, Insiders: Conduct background checks on all team members, including full- and part-time Business Unit users, temps, outsourced vendors and contractors, Insiders: Establish proper usage policies for Business Unit users concerning E-mail, Internet, Instant Messaging, laptops, cellular phones and remote access; Business Unit users are held accountable for Internet activity associated with their accounts and are regularly tested and reviewed on their knowledge of the policies, Outsiders: Established policies and standards to restrict, control or monitor systems access by vendors, contractors and other outsourced personnel, with regular review and update of these policies; these standards and policies should address physical access, due diligence, operational readiness, adequacy of insurance, privacy, business continuity and change management, Outsiders: Outsourced personnel sign non-disclosure agreements, and consequences for non-compliance with security policies are clearly documented and enforced, Outsiders: Security controls remain under the direct authority of the internal enterprise team, Outsiders: Procedure to determine the security impact of linking new/external systems to the enterprise's infrastructure, Outsiders: Agreements with outsourced network service providers contain proper incentives and financial repercussions for instances of service outages.
  37. Security event management: Create process models of systems, Create flow diagrams of how data flows through systems & show logical sequence of associations & activities, Active surveillance of the network resources undertaken looking for unauthorized intrusion. Ensure network resources are not the targets of malicious traffic attacks & are not amplifiers or "bounce" sites of malicious traffic attacks on other targets.
  38. Standards, templates and architecture compliances: Defined standards for security appliances, Defined standards for security applications, Adoption of formal security framework, Documented security compliance activities
  39. Firewalls: Use certified firewalls, Comprehensive documented list of what should be allowed/disallowed through the firewall, All critical, financial and transactional systems are firewalled, Firewalls placed at boundaries where policies differ between the connecting networks, Prevent entry or exit through any network port or protocol that is not required by the enterprise: use ingress and egress filtering and explicitly deny everything that does not need to pass, Routers properly configured for enterprise requirements, Rule sets backed up and tested regularly, Firewalls updated at regular intervals, Firewalls configured so that servers which should only accept inbound connections are prohibited from initiating outbound connections, Test patches and new configurations on a test firewall, Employ rate-limiting filters, Access from the Internet restricted to a virtual private network (VPN) or an encrypted session, Access to the management interfaces of routers, firewalls and other network appliances secured, Firewall administration limited to authorised team members.
  40. Wireless: Disseminate the enterprise-wide wireless policy to all business unit users, All wireless connections, including home use, must be registered, Wireless units secured physically (Kensington locks), All unnecessary services and applications on desktop clients and servers disabled, Default settings, including passwords, changed, Power-on password mandatory, Mirroring and replication software password protected, Limit coverage so that it does not extend beyond the building's windows and use directional antennas for wireless devices, VPN endpoints installed inside a wireless DMZ and wireless firewall gateways used, VPN tunnelling deployed between the network firewall and the wireless devices, Two-factor authentication installed and traffic encryption used, Intrusion detection system operational on the wireless network, Routine checks to find rogue access points and manual review of wireless logs at least once a week.
  41. Establish security baseline: Vulnerability testing conducted on a three-month cycle, Results of testing actioned for correction and a timetable created, Penetration tests conducted on a six-month cycle; tests should describe threats, establish the threat class, determine the business impact of a compromise and prioritise an exposure rating based on severity, Penetration tests assess both external and insider threats, Tests include a network survey, port scanning, application and code review, review of routers, firewalls, IDS and trusted systems, and password cracking, Deploy network sniffers to evaluate network protocols and the sources and destinations of traffic, looking for stealth port scanning and hacking activity, Penetration tests conducted on hosting provider systems and partner systems before connecting them to the organisation's network, Vulnerability/penetration testing results shared with all appropriate security and network administrators, Penetration tests include social engineering.
  42. Authentication and logical access control: Accounting: Centralised logging of security events and transactions, Authentication: Two-factor authentication used for large-value payments, Access control: Policies and procedures documented for both establishing and terminating access for consultants and Business Unit users, Access control: Business Unit users required to use robust passwords (long; a mix of letters, numbers and symbols), with automated enforcement of password changes; user IDs and passwords unique to each individual with no sharing, Access control: Periodically war-dial the enterprise telephone number range to check for new devices and detect war-dialling attempts, Access control: Controls in place to detect modem-scanning attempts on your systems.
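
Items 1, 2 and 7 together describe a detection: baseline when each named administrator normally logs on, then report the exceptions, plus any use of the sealed break-glass account and any logon by an account that is not a named person. The following is an added example of that logic, not code from the checklist's author. The log lines, the account naming convention (DOMAIN\initials-adm) and the break-glass account name are all constructed assumptions.

```python
"""Administrator logon trending, as an added example for items 1, 2 and 7.

Baseline: the hours of day and weekdays at which each named administrator
account has been seen logging on. Review: any logon outside that baseline,
any logon by the sealed break-glass account (item 2), and any logon by an
account that is not a named personal admin account (item 1).
Log lines and account names are constructed; the line layout
(ISO timestamp, account, host) is an assumption, not a product format.
"""
import re
from collections import defaultdict
from datetime import datetime

# Item 2: the sealed-envelope account. Its use is always reportable because the
# password must then be rotated and re-sealed. The name is an assumption.
BREAK_GLASS_ACCOUNTS = {"CORP\\Administrator"}

# Item 1: assumed naming convention for personal admin accounts, DOMAIN\initials-adm.
NAMED_ADMIN = re.compile(r"^[A-Z]+\\[a-z]+-adm$")

# Constructed baseline window. 2007-10-01 is a Monday.
BASELINE_LOG = """\
2007-10-01T08:55:12 CORP\\jsmith-adm SRV01
2007-10-01T14:10:41 CORP\\jsmith-adm SRV02
2007-10-02T09:02:07 CORP\\jsmith-adm SRV01
2007-10-02T17:45:30 CORP\\jsmith-adm SRV03
2007-10-03T08:47:55 CORP\\jsmith-adm SRV01
2007-10-01T22:05:00 CORP\\mjones-adm SRV04
2007-10-02T23:12:19 CORP\\mjones-adm SRV04
2007-10-03T22:30:02 CORP\\mjones-adm SRV05
"""

# Constructed window under review (2007-10-07 is a Sunday).
REVIEW_LOG = """\
2007-10-08T09:15:00 CORP\\jsmith-adm SRV01
2007-10-07T03:22:11 CORP\\jsmith-adm SRV02
2007-10-08T22:40:00 CORP\\mjones-adm SRV04
2007-10-08T10:00:00 CORP\\Administrator SRV01
2007-10-08T11:30:00 CORP\\helpdesk SRV03
"""


def parse_log(text):
    """One dict per logon line: time (datetime), account, host."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, account, host = line.split()
            events.append({"time": datetime.fromisoformat(ts),
                           "account": account, "host": host})
    return events


def build_baseline(events):
    """Per account: the set of hours of day and of weekdays with observed logons."""
    baseline = defaultdict(lambda: {"hours": set(), "weekdays": set()})
    for ev in events:
        baseline[ev["account"]]["hours"].add(ev["time"].hour)
        baseline[ev["account"]]["weekdays"].add(ev["time"].weekday())
    return baseline


def _hour_distance(a, b):
    """Distance between two hours of day on a 24-hour circle (23 and 0 are 1 apart)."""
    d = abs(a - b)
    return min(d, 24 - d)


def find_exceptions(events, baseline, tolerance=1):
    """Return (reason, event) pairs to report. tolerance is the number of hours
    either side of an observed hour that still counts as normal."""
    findings = []
    for ev in events:
        acct = ev["account"]
        if acct in BREAK_GLASS_ACCOUNTS:
            findings.append(("break-glass account used: rotate and re-seal the password", ev))
            continue
        if not NAMED_ADMIN.match(acct):
            findings.append(("logon by a non-named (shared) account", ev))
            continue
        base = baseline.get(acct)
        if base is None:
            findings.append(("no baseline for this account", ev))
            continue
        hour, weekday = ev["time"].hour, ev["time"].weekday()
        if all(_hour_distance(hour, h) > tolerance for h in base["hours"]):
            findings.append(("logon outside usual hours", ev))
        elif weekday not in base["weekdays"]:
            findings.append(("logon on an unusual weekday", ev))
    return findings


def run():
    """Build the baseline from BASELINE_LOG and review REVIEW_LOG against it."""
    baseline = build_baseline(parse_log(BASELINE_LOG))
    return find_exceptions(parse_log(REVIEW_LOG), baseline)


if __name__ == "__main__":
    for reason, ev in run():
        print(f"{ev['time'].isoformat()} {ev['account']:<22} {ev['host']:<6} {reason}")
```

In production the baseline would be rebuilt from a rolling window (the last 30 or 60 days of Security log logon events) and the review run daily; the three findings the constructed data produces are a Sunday 03:22 logon by a named administrator, a logon by the sealed Administrator account, and a logon by the shared "helpdesk" account.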
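
Items 13 and 29 ask for an inventory of every device on the network and a check that nothing unidentified is attached. One cheap way to do that per segment is to compare the switch or host neighbour table against the asset inventory. The block below is an added example of that comparison, not code from the checklist's author; the ARP output, the inventory and its layout (MAC address to hostname and owner) are constructed.

```python
"""Rogue-device check, as an added example for items 13 and 29: compare the
devices actually answering on the wire (a neighbour/ARP table) against the
authorised asset inventory. The ARP output and inventory are constructed;
the inventory layout (MAC -> (hostname, owner)) is an assumption.
"""
import re

# Constructed output in the layout of `arp -an` on Linux.
ARP_TABLE = """\
? (10.1.20.10) at 00:50:56:a1:b2:c3 [ether] on eth0
? (10.1.20.11) at 00:50:56:a1:b2:c4 [ether] on eth0
? (10.1.20.57) at 00:e0:4c:68:00:1a [ether] on eth0
? (10.1.20.99) at 00:0c:29:3f:19:0d [ether] on eth0
? (10.1.20.1) at <incomplete> on eth0
"""

# Constructed asset inventory keyed by MAC (lower case, colon separated).
INVENTORY = {
    "00:50:56:a1:b2:c3": ("srv01", "ops"),
    "00:50:56:a1:b2:c4": ("srv02", "ops"),
    "00:0c:29:3f:19:0d": ("ws-jsmith", "jsmith"),
    "00:50:56:a1:b2:c5": ("srv03", "ops"),
}

ARP_LINE = re.compile(
    r"\((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}) \[ether\] on (?P<iface>\S+)"
)


def parse_arp(text):
    """One dict (ip, mac, iface) per resolved entry.
    <incomplete> lines carry no MAC and are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            e = m.groupdict()
            e["mac"] = e["mac"].lower()
            entries.append(e)
    return entries


def find_unknown_devices(entries, inventory):
    """Devices on the wire that the inventory does not know: rogue-host candidates."""
    return [e for e in entries if e["mac"] not in inventory]


def find_absent_devices(entries, inventory):
    """Inventoried devices not seen on this segment: moved, removed or offline."""
    seen = {e["mac"] for e in entries}
    return sorted(mac for mac in inventory if mac not in seen)


def report(arp_text=ARP_TABLE, inventory=INVENTORY):
    entries = parse_arp(arp_text)
    return {"unknown": find_unknown_devices(entries, inventory),
            "absent": find_absent_devices(entries, inventory)}


if __name__ == "__main__":
    r = report()
    for e in r["unknown"]:
        print(f"UNKNOWN {e['ip']} {e['mac']} on {e['iface']}")
    for mac in r["absent"]:
        print(f"ABSENT  {mac} ({INVENTORY[mac][0]})")
```

A MAC can be spoofed, so an "unknown" hit is a lead to walk the floor and trace the port, not proof of a rogue; the "absent" list is the other half of the inventory check, catching equipment that has quietly moved or disappeared.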
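
Item 35 names three controls that are concrete enough to show in code: reject over-long input before processing it, limit session lifetimes, and protect cookie state. The block below is an added example using only the Python standard library, not code from the checklist's author. It signs the session token with HMAC-SHA256 and gives it an expiry; it does not encrypt it, so the token carries only an opaque session id and the user name, never secrets. Encrypting the state as item 35 asks would add an AEAD (for example AES-GCM from a crypto library), which is assumed rather than shown. The field limits and the key are constructed values.

```python
"""Item 35 controls, as an added example: bounded input length, limited
session lifetime, and tamper-evident cookie state. Standard library only.
The token is integrity-protected with HMAC-SHA256 and carries an expiry; it
is signed, not encrypted, so it holds only an opaque session id and the user
name. Encrypting the state would add an AEAD (assumed, not shown).
Field limits and the key are constructed values.
"""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

SESSION_TTL = 15 * 60                                 # seconds; item 35: limit session lifetimes
MAX_FIELD_LEN = {"username": 64, "comment": 2000}     # assumed per-field maxima


def check_lengths(form):
    """Item 35: if any field exceeds its maximum (or is not an expected field at all),
    stop processing and return failure with the offending field name."""
    for name, value in form.items():
        limit = MAX_FIELD_LEN.get(name)
        if limit is None or len(value) > limit:
            return False, name
    return True, None


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session(user, key, now=None):
    """Return 'payload.tag' where tag = HMAC-SHA256(key, payload)."""
    now = int(time.time() if now is None else now)
    payload = json.dumps({"sid": secrets.token_hex(16), "user": user,
                          "exp": now + SESSION_TTL}, sort_keys=True).encode("utf-8")
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_session(token, key, now=None):
    """Return the session dict, or None if the token is malformed, tampered or expired.
    The tag is checked before the payload is parsed, so untrusted bytes never reach json."""
    now = int(time.time() if now is None else now)
    try:
        p, t = token.split(".")
        payload, tag = _unb64(p), _unb64(t)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    data = json.loads(payload)
    if data["exp"] <= now:
        return None
    return data
```

The server-side half (a session table keyed by `sid` that can be revoked) is what lets the lifetime be cut short on logoff or incident; the expiry in the token only bounds how long a stolen cookie is useful.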
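
Items 17, 30 and 42 set out the password rules: strong passwords, protected in storage, administrative passwords changed every three months, and no reuse of a previous password on reset. The block below is an added example of enforcing those rules, not code from the checklist's author. Passwords are stored as salted PBKDF2-HMAC-SHA256 hashes (never reversibly encrypted); the reuse rule is enforced by keeping old hashes and re-checking the candidate against each, and the age rule by a maximum age on admin accounts. The account record layout and the iteration count are assumptions.

```python
"""Password storage, reuse and age checks, as an added example for items 17,
30 and 42. Passwords are stored as salted slow hashes (PBKDF2-HMAC-SHA256),
never reversibly encrypted. The 'cannot reuse a previous password' rule is
enforced by retaining old hashes and re-checking the candidate against each;
the 'administrative accounts changed every three months' rule by a maximum
age. Standard library only; the account record layout is an assumption.
"""
import hashlib
import hmac
import os
from datetime import datetime, timedelta

# Work factor. Current guidance for PBKDF2-HMAC-SHA256 is several hundred
# thousand iterations; lowered here only so the example runs quickly.
ITERATIONS = 50_000
HISTORY_DEPTH = 10                  # previous hashes kept for reuse checks
MIN_LENGTH = 14                     # assumed minimum for ordinary accounts
ADMIN_MAX_AGE = timedelta(days=90)  # item 30: admin passwords changed each three months


def hash_password(password, salt=None):
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def is_robust(password):
    """Item 42: long, with a mix of letters, numbers and symbols (at least three classes)."""
    classes = [any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password)]
    return len(password) >= MIN_LENGTH and sum(classes) >= 3


class Account:
    def __init__(self, name, password, is_admin, now):
        self.name, self.is_admin = name, is_admin
        self.salt, self.digest = hash_password(password)
        self.changed = now
        self.history = []           # (salt, digest) of previous passwords, newest first

    def change_password(self, old, new, now):
        """Return None on success, otherwise the reason the change was refused."""
        if not verify_password(old, self.salt, self.digest):
            return "current password incorrect"
        if not is_robust(new):
            return "new password not robust enough"
        # Reuse check against the current password and the retained history.
        for salt, digest in [(self.salt, self.digest)] + self.history:
            if verify_password(new, salt, digest):
                return "password was used before"
        self.history = ([(self.salt, self.digest)] + self.history)[:HISTORY_DEPTH]
        self.salt, self.digest = hash_password(new)
        self.changed = now
        return None

    def password_expired(self, now):
        """Item 30: administrative passwords older than three months must be changed."""
        return self.is_admin and (now - self.changed) > ADMIN_MAX_AGE
```

Keeping old hashes rather than old passwords is what makes the history check safe: a stolen account table still yields nothing reversible, and the history is capped so the check stays bounded in cost.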

Comments

  1. http://taosecurity.blogspot.com/2007/10/are-you-secure-prove-it.html
