In today’s connected world, hacking is a 24/7 business. Whether approaching it as a job or a hobby, hackers don’t punch a clock.
While many companies don’t have the budget for 24/7 security managers, that doesn’t mean you should just give up on security. If your security staff, or your one security staff member, is on a 9-to-5 schedule, your network can still remain secure in the 16 hours in-between — you just need to focus activities to provide maximum coverage for the network.
Develop a methodical, comprehensive task list that provides the most efficient means of securing your network. To jump-start your planning, here are eight simple tasks you should make sure to check off every day.
In the morning
After arriving at work, get some coffee, check your e-mail, and do the following:
1. Verify the current connections: There’s nothing like catching malicious behaviour while it’s occurring. Inspect all the connections going through your firewall — both in and out. Look for anomalies and investigate them; this could include outbound FTP or inbound Telnet/SSH sessions. You’re looking for things that aren’t normal.
2. Look at network traffic statistics: How much activity took place while you weren’t there? What type of traffic was it, and what was the destination and source?
3. Look at your antivirus logs: Did a virus hit your e-mail system last night? Are the antivirus signatures up to date?
4. Read the security logs on your domain servers: Did the system lock out any accounts last night? Pay special attention to any accounts with administrator access. Verify that lockouts were human error — and not part of a breach attempt.
5. Check for new security patches: Determine whether any of your vendors released patches for any software in your baseline. (If you don’t have a baseline, I highly recommend developing one.) If a new patch is available, read the release notes thoroughly. Then, make a decision or recommendation whether to implement it now or wait for scheduled system downtime.
In the afternoon
When you arrive back from lunch, there’s still a lot left to do:
1. Meet and brief: Managers like to know what’s going on, so don’t wait for them to ask — tell them. Meet and brief on anything that occurred during the evening and the actions you’ve taken so far. This is also a good time to pitch new ideas; such as tools that could help you defend the network or staff training.
2. Check more logs: Take an in-depth look at IDS and firewall logs. Who on the Internet is knocking on your door? What are they looking for? Who on the inside of your network is doing something they shouldn’t be?. If you find unauthorised and/or illegal activity, report it immediately, and take action to stop it.
3. Turn knowledge into action: Now that you know what went on while you weren’t there, develop an action plan to prevent the behaviour in the future. Do you need to adjust your firewall rules? Is your IDS catching and reporting the proper events? Do you need to archive logs to save space on your servers? Do you need to give a final briefing on any actions that occurred during the last 24 hours?
A lot of companies don’t run 24/7 security operations, and sometimes you might find yourself as the only person providing security for a network. While it’s easy to get caught up in events and miss important items on your security checklist, you’ll never know what you’re missing if you don’t create a list in the first place. Network security shouldn’t be reactionary — don’t wait for events to drive you into action.
The above list isn’t complete, but it’s a starting point. Create your own security to-do list that’s specific to your organisation’s needs, and keep your security on track.