In the security business, we spend a lot of time looking at tactical perimeter defense tools to help secure networks. But sometimes, we get so caught up in these tools that we forget some basics of security; we can't see the forest for the trees.
Remember that perimeter defenses are only there for one reason: to protect devices that are poorly protected. In other words, if a system, device, application or service wasn't vulnerable to attack, then there would be no need for a firewall, much less an IPS or other tool.
Many times we let the presence of perimeter defenses distract us from a fundamental requirement: The systems should be secure all on their own, without any additional edge devices. We can get sloppy because we know there's a firewall, and therefore we practice poor security within our corporate networks. Midmarket businesses, with small IT budgets and "Jack-of-All-Trades" technical staff, have an even more difficult problem with security because there's never enough time to sit down and really study the problem -- only enough time to run to the next fire that needs extinguishing.
First and foremost, the most important part of security is keeping the desktop (and the servers, of course) secure. That's a difficult job, and lots of IT staff members have thrown up their hands in frustration -- relying on secondary defenses, such as perimeter firewalls, for protection. But that's not a good approach. Even if it seems a nearly impossible task, you have to concentrate on endpoint security management to have a truly solid security foundation.
Here are some tips that will help you refocus your efforts on the weakest point in network security: the endpoint.
- It's not enough to install a desktop security package on every system; you have to take the extra time and effort to also put in an enterprise console. Why? Without that overarching management tool you won't be able to control the desktop tools, and more importantly, you won't have any idea which systems are compliant with your security policy. All of the major players in desktop security offer a centralized management console, and these consoles are often free when you go for the professional or commercial version of the tool. Yes, handling desktop security this way is going to be more expensive than caving into the crapware subscription demands of the preloaded software that came on your laptops and desktops. But you'll have a consistent view, consistent software, and a way of managing desktop security. Together, these three will help close the biggest hole in your network -- and help you keep it closed.
- Group Policy Objects (GPOs): A strange name for a simple idea, but one you should be using. GPOs are the building blocks of Group Policies; a feature built into Windows Active Directory domains. With GPOs, you can manage many aspects of security across all systems in your network from a single place. Make a change to a GPO, for example, to change the IP addresses of your DNS servers. Apply the GPO to your entire Windows domain, and you've changed the DNS servers on 100,1000 or even more computers without touching any of them. There are nearly 1,700 GPO settings you can adjust. The key benefit here is the ability to standardize configuration on every system joined to the domain, which lets you roll out security and other changes with a minimum of fuss. There are plentiful resources, both from Microsoft and other sources, on how you can use this free feature to simplify your desktop configurations and reduce the amount of time you spend on non-productive tasks like reconfiguring desktop systems. Use GPOs -- you'll be glad you did.
- Don't forget why they call them "viruses." You get them by having contact with someone who's infected. Yes, the Internet threat is a significant one, but you also need to worry about the virus that waltzes in your front door attached to the laptop, MP3 player or USB thumb drive of your own employees. Employ the approach popularized by Soviet Russia during the Cold War by creating a buffer zone around your own network you can exert control over. You may think your budgets are tight and your staff is overworked, but a little bit of free antivirus software and a touch of technical support for the laptops and home computers of your own staff can go a long way towards keeping malware out of your building. You don't want to be the IT support for everyone's home computer, but helping people -- and their families, sometimes -- practice "safe computing" will pay off with fewer problems and less self-inflicted damage. Combine training, some technical support, antimalware software guidance, and a tiny bit of lecture on being responsible, and you'll have a low-risk and high-value way to keep those desktops more secure. You might even help IT get a better reputation in the organization!
Joel Snyder is a senior partner at Opus One, an IT consulting firm specializing in security and messaging.
Send comments on this technical tip email@example.com.
This was first published in June 2009