Krypsys experts offer advice on a daily basis to network administrators so that they can better secure their companies’ networks against attacks, malware and unwanted spam. Here are 10 recommendations that crop up time and again.
1. Correct User Rights
Administrator rights should be granted with caution. Users who have administrator rights can potentially do things that could be seriously damaging. They can, and do, unintentionally make changes that decrease the level of network security. They can also be tricked into running malware, which would run with the user’s administrator privileges.
If they are careless about protecting their authentication details, their username and password may be stolen. This may allow unauthorised third parties to log in and carry out damaging actions, intentionally or accidentally. For better security, make sure that users have a privilege level which is appropriate for the tasks they carry out and minimise the number of users that have administrator privileges.
2. Only Download from Trusted Websites
You should determine who has a genuine business need to download files and applications from a website. Use web filtering to restrict this to people with a genuine requirement and ensure that the select few are educated in how to download files safely. Files can often be downloaded from multiple locations on the Internet, but not all locations are equally secure. Make sure that your users can only download from trusted sites, such as primary source websites rather than file-sharing or generic websites.
3. Review Network Shares
Carry out an audit of network shares. Users should only have access to files and folders that they need as part of their day-to-day work. You should also be aware that a lot of malware can spread via networks. This is typically due to there being little or no security on network shares. Remove access to unnecessary shares and secure the others and their contents to limit network-aware malware from spreading.
4. Restrict Network Connections
When a computer connects to a network, it can adopt that network’s security settings for that specific session. If the network is outside the administrator’s control, the security settings may be weak and put the computer at risk. Restrict users from connecting computers to unapproved networks. In most instances users only need to connect to the main company network.
5. Change Your Default IP Range
Networks typically use standard IP ranges, like 10.1.x.x or 192.168.x.x. This standard approach means machines configured to look for this range could accidentally connect to a network outside your control. Change the default IP range so that computers are less likely to find a similar range. You should also consider adding firewall rules which allow only approved users to connect.
6. Review Open Ports
You should periodically audit the open ports on your network and block all unused ones. If you leave them open for long periods of time without surveying them, you increase the chance of letting in intruders. If ports are left open, Trojans and worms may use them to communicate with unauthorised third parties.
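One way to run the periodic audit described above on a single host, shown as an added example rather than a Krypsys tool: it compares listening sockets against an approved baseline and reports everything else. The sample `ss -tulnH` output and the approved list are constructed for illustration.

```python
# Constructed sample of `ss -tulnH` output (listening TCP/UDP sockets, no header).
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:443        0.0.0.0:*
tcp   LISTEN 0      100        127.0.0.1:25         0.0.0.0:*
tcp   LISTEN 0      5            0.0.0.0:5900       0.0.0.0:*
udp   UNCONN 0      0                  *:161              *:*
tcp   LISTEN 0      128             [::]:22            [::]:*
"""

# Assumed baseline: (protocol, port) pairs this host is approved to expose.
APPROVED = {("tcp", 22), ("tcp", 443)}

LOOPBACK_PREFIXES = ("127.", "[::1]")


def parse_listeners(ss_output):
    """Return (proto, address, port) for each listening socket line."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # blank or malformed line
        proto, local = fields[0], fields[4]
        # rpartition keeps IPv6 literals such as [::] intact.
        address, _, port = local.rpartition(":")
        if port.isdigit():
            listeners.append((proto, address, int(port)))
    return listeners


def audit(ss_output, approved):
    """Return sorted listeners that are not in the approved baseline."""
    findings = set()
    for proto, address, port in parse_listeners(ss_output):
        if (proto, port) in approved:
            continue
        # Loopback-only listeners are still reported, but marked as lower exposure.
        exposure = "loopback" if address.startswith(LOOPBACK_PREFIXES) else "network"
        findings.add((proto, address, port, exposure))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_SS_OUTPUT, APPROVED):
        print(finding)
```

Listeners marked "network" are the candidates to close or firewall first; "loopback" entries are reachable only from the host itself.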
7. Audit the Entry Points to Your Network
Networks undergo frequent change, so it is very important to review all the routes into your organisation’s infrastructure on a regular basis. For each means of entry, consider how to best secure the routes to stop unwanted files and applications entering undetected or sensitive information leaking out.
8. Network Segmentation
There are a number of advantages to segmenting your network.
Improved security comes from the fact that broadcasts will be contained to the local network and the internal network structure will not be visible from outside. If an attacker gains unauthorised access to a network, segmentation or “zoning” can provide effective controls to limit further movement across the network.
Improved performance can be achieved, because on a segmented network there are fewer hosts per subnetwork, thus minimising local traffic. It can also help to contain network problems, limiting the effect of local failures on other parts of the network.
When business critical systems are affected, they can slow business processes significantly. To help protect them, consider having them on a different network from the one used for day-to-day activities.
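To check that zoning is actually enforced, observed traffic can be compared with the intended zone policy. The following is an added example, not from the original article; the zone names, address ranges, policy entries and flow records are all constructed assumptions.

```python
import ipaddress

# Assumed zone layout (constructed): names and CIDRs are illustrative only.
ZONES = {
    "office": ipaddress.ip_network("10.20.0.0/24"),
    "servers": ipaddress.ip_network("10.20.10.0/24"),
    "critical": ipaddress.ip_network("10.20.50.0/28"),
}

# Assumed policy: the only permitted cross-zone flows, as (src_zone, dst_zone, dst_port).
ALLOWED = {
    ("office", "servers", 443),
    ("servers", "critical", 5432),
}

# Constructed flow records: (source IP, destination IP, destination port).
FLOWS = [
    ("10.20.0.15", "10.20.10.8", 443),   # office -> servers, permitted
    ("10.20.0.15", "10.20.0.22", 445),   # stays inside the office zone
    ("10.20.0.31", "10.20.50.4", 3389),  # office -> critical, not permitted
    ("10.20.10.8", "10.20.50.4", 5432),  # servers -> critical, permitted
    ("10.20.99.7", "10.20.50.4", 5432),  # source is not in any defined zone
]


def zone_of(ip):
    """Return the name of the zone containing ip, or None if it is unzoned."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def violations(flows):
    """Return flows that cross a zone boundary without a matching policy entry."""
    found = []
    for src, dst, port in flows:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone is not None and src_zone == dst_zone:
            continue  # intra-zone traffic is outside the scope of this check
        if (src_zone, dst_zone, port) not in ALLOWED:
            found.append((src, src_zone, dst, dst_zone, port))
    return found


if __name__ == "__main__":
    for v in violations(FLOWS):
        print(v)
```

Any flow reported here either reaches a zone it should not (such as day-to-day machines talking directly to business critical systems) or comes from an address that has not been assigned to a zone.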
9. Resist the Temptation to Live Test
Although most software developers are good people and rigorously test their software before releasing it, they are unlikely to have your infrastructure’s exact configuration and setup. To ensure that a new software version or update does not cause problems, test it on a virtual system and check its effects before deploying to the real live network.
10. Block Unused USB Ports
Many devices, when connected to a USB port, can be automatically detected and mounted as a drive. USB ports may also allow attached devices to auto-run stored software. Users are often unaware that even the safest and most trusted devices can potentially introduce malware onto their computer. To prevent any accidents, it is much safer to disable all unused ports.