25 Best-Practices Tips for Security and Administration for the SMB

August 28th, 2017

Running the entire IT Operation for even the smallest business can be a tremendous challenge. Between keeping up with new technologies and threats that emerge on almost a daily basis, to handling licensing and budgeting, to squeezing extra life out of stubborn aging equipment, to handling an end-user community that may be “less than computer-savvy,” one wonders where the hours in the day for sleep can be found. And, in our experience, this is frequently not the only job the “Computer Person” has at their organization! Many people in a solo support role have ended up there simply through taking on various technology-related tasks. As their company grew over time, their responsibilities increased to the point where they are doing at least two full-time jobs.

CIS has worked with the small and medium sized business community throughout the company’s 22-year history. The organization provides both monthly managed IT services and IT support blocks, both of which lead to working directly with many individuals who are the sole “IT Person” for their organization. Through this experience we’ve come to recognize certain common challenges and things left undone from client to client. Typically these are issues that a larger staff, or a support organization, can handle as priority items. For the IT person at a small or medium sized business, they typically end up on the “if I had more time” list.

The following suggestions are 25 quick recommendations we’ve provided to countless Small and Medium Sized Businesses to improve Security, Policy, Administration, and Stability.  CIS can provide direct support for any or all of these efforts, and many more, with an ongoing managed services agreement, or can provide staff augmentation and consultative services for clients that prefer to handle things mostly internally.

General Recommendations

To get us warmed up, here are a few easy, logical IT practices that everyone should follow:

  1. Consider implementing a unified security management platform, such as AlienVault.

Unified Security Management provides a “single pane of glass” view into your organization’s network security, asset inventory, vulnerability, intrusion detection, behavior monitoring, SIEM, and log management, dramatically reducing time-consuming tasks such as log reviews, and condensing everything into easily understood reports that can be immediately acted upon.

  2. Change all passwords at least yearly, including SANs, switches, wireless, DNS etc. Never let only one person have access to the passwords.

This may seem obvious, but the vast majority of devices end up in “set and forget” mode, leaving them vulnerable to brute-force and phishing attacks, as well as breach from a current or former employee. Where applicable, have passwords that are a phrase, the more complex but memorable the better.

  3. Think of security in layers. Protect every layer. Think like a hacker.

A thought straight from the oft-quoted The Art of War: if you don’t understand your “enemy” – in this case hackers of all types as well as, unfortunately, internal threats – you cannot hope to defeat them. If you approach your layering of network security not from an internal place of comfort, but from an external place of seeking access, you will be on your way to thinking like the enemy.

  4. If something is very complicated and you don’t know it well, pull in expert resources and work as a team. It can save time and money and ultimately be in your best interest. Google can help a lot, but having someone who knows exactly what to google is significant.

Nobody knows everything, not even our team, but sometimes the hardest thing to do can be to ask for help. We’ll just leave this here:  Contact a CIS Rep Today

  5. Have documentation of your environments.

A well-documented environment is a well-protected environment. This is a crucial but often forgotten step in the disaster recovery planning process. Backups and the ability to spin up virtual or even physical servers are great, but good documentation is the roadmap on how to get from hopelessly lost back to functionality.

  6. Have a DR plan, even if it’s only a few informal thoughts.

What would happen if your primary production server crashed? What would happen if the office lost power for a week? If you can answer basic questions like these, you’re on the way toward disaster readiness.

  7. Which reminds us: “A backup can get you out of any jam.” Always have a backup.

Have a backup. Use your backup. TEST your backup. Sending your data offsite is a great start, but how long does it take to bring it back, stand up a new server, and get everything running? Know your Recovery Point Objective (RPO) and Recovery Time Objective (RTO), the point in time to which your business must recover, and the time it can tolerate it taking to get there. Be sure that you have full image based backups. If there is anything important, have a backup. Have at least one backup offsite.

  8. Write every email with the expectation it could become public. If you aren’t expecting an email, assume it’s a scam. Have processes in place to verify requests like wire transfers over email.

As Harold Melvin and the Blue Notes sang, “If you don’t know me by now…”. We could list endless examples of company breaches based on one user clicking a bogus link in an unknown email, corporate messages landing in the news, or payments being sent to phony vendors based on invoices that “looked real to me.” Educating yourself and your end users about the looming threat posed by everyday email is critical.

Network:

  9. Run network and security scans on a regular basis.

CIS recommends running a network vulnerability assessment on at least a yearly basis, if not quarterly. Our team offers NVAs that are geared toward the Small and Medium Sized Business, designed specifically for affordability and effectiveness. Additional security can be gained by running more regular reports with tools such as Network Detective or Nessus. Management reviews of security reports should be undertaken on at least an annual basis, to provide visibility for issues potentially impacting compliance and finances.

  10. Make sure firewalls are up to date on firmware.

A wall with a hole in it is not a wall at all.

  11. Make sure all VPNs, both site-to-site and client-based, use better encryption settings such as AES256.

Stronger encryption standards yield more secure communications. If you can use the same encryption as a federal agency, why wouldn’t you?

  12. Check firewall WAN-to-LAN rules; ensure that only what needs to be allowed through is allowed. If all outgoing traffic is allowed, consider limiting it.

Limiting traffic is a great way to manage bandwidth as well as security; only allow business-related traffic to flow.

  13. If services like SSH are enabled, consider limiting who can connect, and putting it behind a VPN.

Exposing the network to remote access and control can be a dangerous proposition, unless it is well implemented. Restrict access to only those who absolutely need these services. Putting SSH behind a VPN provides an additional layer of security.
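As an added illustration of this tip (not CIS tooling), the Python sketch below audits an OpenSSH `sshd_config` for the two controls described: an allow-list of who may log in, and a listener bound only to a VPN-side address. The subnet `10.8.0.0/24`, the group `ssh-admins` and both sample configs are assumptions made up for the example, and `Match` blocks are not handled.

```python
import ipaddress

# Constructed sshd_config samples. 10.8.0.0/24 and the group name ssh-admins are
# assumptions standing in for your VPN subnet and your own admin group.
EXPOSED = """\
Port 22
#ListenAddress 0.0.0.0
PasswordAuthentication yes
"""
RESTRICTED = """\
Port 22
ListenAddress 10.8.0.1
AllowGroups ssh-admins
PasswordAuthentication yes
"""

def parse_sshd_config(text):
    """Return {keyword: [values]}; keywords are case-insensitive, '#' starts a comment."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            settings.setdefault(parts[0].lower(), []).append(parts[1].strip())
    return settings

def audit_sshd(text, vpn_net="10.8.0.0/24"):
    """List findings for the two controls in the tip: who may log in, and from where."""
    cfg, findings = parse_sshd_config(text), []
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("no AllowUsers/AllowGroups: any account may attempt to log in")
    listen = cfg.get("listenaddress", [])
    if not listen:
        findings.append("no ListenAddress: sshd listens on every interface")
    for addr in listen:
        try:
            inside = ipaddress.ip_address(addr) in ipaddress.ip_network(vpn_net)
        except ValueError:  # hostname or host:port form; not resolved here
            inside = False
        if not inside:
            findings.append(f"ListenAddress {addr} is not on the VPN subnet {vpn_net}")
    return findings

if __name__ == "__main__":
    for name, sample in (("exposed", EXPOSED), ("restricted", RESTRICTED)):
        print(name, audit_sshd(sample))
```

Binding the listener to the VPN address is only one way to put SSH behind a VPN; a firewall rule that drops port 22 from the WAN achieves the same goal and is worth checking alongside the config.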

  14. Look at logs for login failures; brute-force attacks on public IPs are rampant.

Hackers are knocking on the virtual door every day; it’s best to keep an eye on them and monitor any suspicious traffic. If patterns emerge, consider whether the attempts are random or targeted and more nefarious.
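A minimal version of that log review, added here as an example and not taken from CIS tooling: it groups failed SSH logins by source address and labels each noisy source as random guessing or as targeted at one real account. The log lines are constructed, and the threshold of 3 and the "one existing account" heuristic are assumptions to tune for your own environment.

```python
import re
from collections import defaultdict

# Constructed sample in the usual OpenSSH syslog format; the addresses come from
# the RFC 5737 documentation ranges and the account names are made up.
SAMPLE_LOG = """\
Aug 28 02:11:01 gw sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40022 ssh2
Aug 28 02:11:03 gw sshd[2101]: Failed password for invalid user test from 203.0.113.7 port 40023 ssh2
Aug 28 02:11:05 gw sshd[2101]: Failed password for invalid user oracle from 203.0.113.7 port 40024 ssh2
Aug 28 02:11:07 gw sshd[2101]: Failed password for root from 203.0.113.7 port 40025 ssh2
Aug 28 03:40:10 gw sshd[2230]: Failed password for jsmith from 198.51.100.23 port 51100 ssh2
Aug 28 03:40:14 gw sshd[2230]: Failed password for jsmith from 198.51.100.23 port 51101 ssh2
Aug 28 03:40:19 gw sshd[2230]: Failed password for jsmith from 198.51.100.23 port 51102 ssh2
Aug 28 08:02:44 gw sshd[2388]: Failed password for mlee from 192.0.2.15 port 60211 ssh2
Aug 28 08:02:51 gw sshd[2388]: Accepted password for mlee from 192.0.2.15 port 60212 ssh2
"""

# The user name is attacker-supplied, so match the LAST "from <ip> port <n>" on the
# line (greedy .+) rather than the first one.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
                    r"(?P<user>.+) from (?P<ip>\S+) port \d+ ssh2$")

def summarize_failures(log_text, threshold=3):
    """Group failed logins by source IP; label sources with >= threshold failures."""
    by_ip = defaultdict(lambda: {"count": 0, "users": set(), "valid": set()})
    for line in log_text.splitlines():
        m = FAILED.search(line.rstrip())
        if not m:
            continue  # successful logins and unrelated lines
        entry = by_ip[m["ip"]]
        entry["count"] += 1
        entry["users"].add(m["user"])
        if m["invalid"] is None:
            entry["valid"].add(m["user"])
    report = {}
    for ip, e in by_ip.items():
        if e["count"] < threshold:
            continue  # below threshold, e.g. one mistyped password
        # Repeated failures against a single existing account look targeted;
        # a spread of mostly nonexistent names looks like random guessing.
        targeted = len(e["users"]) == 1 and bool(e["valid"])
        report[ip] = {"failures": e["count"], "users": sorted(e["users"]),
                      "pattern": "targeted" if targeted else "random"}
    return report

if __name__ == "__main__":
    for ip, info in summarize_failures(SAMPLE_LOG).items():
        print(ip, info)
```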


Administration & Policy

  15. End of life operating systems, applications and hardware need to be replaced.

This is the easiest path into any environment. If someone looking to breach your environment finds an end of life OS, it’s Game Over. End of Life systems receive no security patches, no updates, and no support from vendors, leaving the business at risk. Even a system as recent as Windows 7 is already in “extended support” and should be updated.

  16. Patch and have patch policies and reports for all operating systems, but also for 3rd party apps. Also have patch cycles for additional equipment, like printers, wireless access points, switches etc.

Patching is so simple and so frequent that it has become a mundane part of the routine, one that’s easy to ignore or postpone for something more interesting. Unfortunately, patching is the one surefire way to stay up to date with known vulnerabilities. CIS strongly recommends monthly patch review and deployment; systems that were patched on even a quarterly basis were impacted by WannaCry. Any device that has an IP address on the network is vulnerable; maintain the latest patches and updates to stay a step ahead.

  17. Change standard user names like administrator or admin to something nonstandard.

You’re not President Skroob; the password for your network – or your luggage – should not be 1-2-3-4-5! Don’t make it easy on someone looking to breach your environment: as a standard practice and written policy, change standard or default usernames and passwords to something non-standard. The frequency with which we see “admin/admin” credentials is astounding.

  18. Look at domain security policies and group policies. Ensure that basics are in place, such as requiring password changes every 90 days and locking machines after 15 minutes of inactivity.

Basic security administration can be accomplished with simple policies such as these. If an employee is leaving their workstation for 30 seconds for a coffee refill, it is typically fine to leave their computer unlocked, but if they’re gone for 15 minutes? An open computer leaves both data and privilege open to anyone who happens to pass by. Rotating passwords, no matter how much users may grumble, is simply basic entry-level security.

  19. SSL with web servers and services should be a standard; HTTP should be phased out. Older versions of SSL like v1 should be disallowed, and new SSL certificates with stronger encryption settings should be standardized.

SSL, or Secure Sockets Layer, is the current standard for secure access between web browsers and web servers. HTTP is antiquated and no longer secure; it must be replaced.

  20. Database information should be encrypted at rest and in transit.

Typically, database information is considered critical company data; it is where you store information about clients, projects, and vendors. Most organizations protect database information while it is at rest by deploying encryption; however, as the workforce changes, more users access database information remotely. If a user’s application exists outside of the server on which the database resides, the data will be in transit while it travels to the user. It is critical that this communication maintain the same level of encryption as when the database is at rest.

  21. Review AD groups like administrators, domain administrators, enterprise administrators periodically. Limit what accounts have that level of access as much as possible. Review local admin accounts regularly.

The best approach to access is to provide a Least Privilege model, giving users only the access they need to do their jobs, and nothing more. No user should have access to systems they have no need for, and no users should have access in overlapping systems such as accounts payable and accounts receivable. Separation of Duties reviews should be conducted on a regular basis and enforced via policy and automation.

  22. Make a list of all workflows and servers. Consider moving more workloads to cloud services at least when existing hardware goes end of life or support, such as old SANs.

Tracking what workflows reside on what servers is critical in supporting an environment. A proper assessment of the risk to any critical business application must include thoughts about the hardware or server environment in which it resides. As hardware goes end of life, tremendous benefits can be reaped from migrating its applications to cloud-based virtual servers.

  23. For all admin and service accounts, maintain an access control list of where those are used. That will make changing those passwords regularly much easier.

Documenting things makes processes easier to implement. Any documentation of passwords should be stored safely.

  24. Check AD health regularly.

Active Directory is the backbone of your network environment; it should be kept up to date and healthy. CIS recommends an Active Directory management utility, such as DRA from Micro Focus, to help with regular AD administration.

  25. Have alerts and monitors in place for critical services, servers, network equipment and monitor them.

Monitoring server thresholds and utilization, network equipment online status and access attempts, and many more things going on in any environment is a key component of successful management. Without monitoring and the associated alerts, we would constantly be putting out fires, rather than handling things proactively.