Security threats Toolkit

Daily tasks that keep your network secure

Tags:
Security,
Network,
Hackers

Michael Mullins CCNA, MCP Tech Republic

Published: 14 Nov 2006 15:39 GMT

In today's connected world, hacking is a 24/7 business. Whether approaching it as a job or a hobby, hackers don't clock on and off.

While many companies don't have the budget for 24/7 security managers, that doesn't mean they should give up on security. If your security staff, or your one security staff member, is on a 9-to-5 schedule, your network can still remain secure in the 16 hours in between — you just need to focus activities to provide maximum coverage for the network.

Develop a methodical, comprehensive task list that provides the most efficient means of securing your network. To jump-start your planning, here are eight simple tasks you should tick off every day.

In the morning
After arriving at work, get some coffee, check your email, and do the following:

1. Verify the current connections: There's nothing like catching malicious behavior while it's occurring. Inspect all the connections going through your firewall—both in and out. Look for anomalies and investigate them; this could include outbound FTP or inbound Telnet/SSH sessions. You're looking for things that aren't normal.

2. Look at network traffic statistics: How much activity took place while you weren't there? What type of traffic was it, and what was the destination and source?

3. Look at your antivirus logs: Did a virus hit your email system last night? Are the antivirus signatures up to date?

4. Read the security logs on your domain servers: Did the system lock out any accounts last night? Pay special attention to any accounts with administrator access. Verify that lockouts were human error—and not part of a breach attempt.

5. Check for new security patches: Determine whether any of your vendors released patches for any software in your baseline. (If you don't have a baseline, I highly recommend developing one.) If a new patch is available, read the release notes thoroughly. Then, make a decision or recommendation whether to implement it now or wait for scheduled system downtime.

In the afternoon
When you arrive back from lunch, there's still a lot left to do:

1. Meet and brief: Managers like to know what's going on, so don't wait for them to ask — tell them. Meet and brief on anything that occurred during the evening and the actions you've taken so far. This is also a good time to pitch new ideas; such as staff training or tools that could help defend the network.

2. Check more logs: Take an in-depth look at IDS and firewall logs. Who on the internet is knocking on your door? What are they looking for? Who on the inside of your network is doing something they shouldn't be doing? If you find unauthorised and/or illegal activity, report it immediately, and take action to stop it.

3. Turn knowledge into action: Now you know what went on while you weren't there, develop an action plan to prevent this behaviour in the future. Do you need to adjust your firewall rules? Is your IDS catching and reporting the proper events? Do you need to archive logs to save space on your servers? Do you need to give a final briefing on any actions that occurred during the last 24 hours?

Final thoughts
A lot of companies don't run 24/7 security operations, and sometimes you might find you are the only person providing security for a network. While it's easy to get caught up in events and miss important items on your security checklist, you'll never know what you're missing if you don't create a list in the first place. Network security shouldn't be reactionary — don't wait for events to drive you into action.

The above list isn't complete, but it's a starting point. Create your own security to-do list that's specific to your organisation's needs, and keep your security on track.

Mike Mullins has served as an assistant network administrator and a network security administrator for the US Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.