For new network administrators and DBAs, there are a few security tricks that can keep your infrastructure safe from attacks and malicious behavior. Below are tips and recommendations from industry experts who know the importance of securing your network from internal and external intrusions.
Create Unique Infrastructure Passwords
"One of the most common mistakes made in network security is to implement a shared password across all routers, switches, and infrastructure devices. The compromise of one device or leakage of the password can lead to a compromise of every device - not only by an insider, but also by malware that targets these devices. As a best practice security recommendation, each device should have a unique password in order to limit the liability of the device being leveraged against its peers."
Use Scheduled and Event Based Password Changes
"While the management of network passwords has become commonplace with a variety password management tools, the changing of passwords on a large scale generally requires a dedicated 'password safe' tool. Manually changing passwords for hundreds or thousands of devices is labor intensive and generally avoided by organizations because of time constraints, unless a dedicated tool is procured. As per regulatory compliance initiatives and security best practices, passwords should always be rotated on a periodic basis, making this exercise rather problematic. In addition, based on events, ad-hoc changes may need to occur to passwords based on employment changes and events like contractor access.
"Therefore, it is recommended to use a schedule to change all of your network passwords on a regular basis, or have a process to change them ad-hoc if needed, and if the time required to make these changes is excessive, consider a solution to automate the process."
Harden the Devices from Default Settings
"Almost every device has default settings and passwords when it is first installed. It is up to the end user to change account names, passwords, secure ports, and harden the device from malicious activity.
"As a best practice for network security, it is recommended to change all these settings, and to also use a tool to assess whether the devices are properly hardened, do not contain default passwords for things like SNMP, and are running the latest firmware to vet out any vulnerabilities and missing security patches. Unfortunately, many organizations install devices and do not actively place them into a device management life cycle for patching, configuration, and maintenance to keep them secure like servers or workstations."
Set Up a Dedicated Network for Business-Critical servers
"Segregating business critical servers and systems to their own network or subnetwork can often be very beneficial. By placing these systems in their own network you maximize their connection quality and decrease their network latency by limiting the amount of non-critical traffic near them. Additionally, you gain the security of logically separating the packets around your most important systems allowing you to better monitor and shape the network traffic."
Always Log and Study Suspicious Activity
"Deny all outbound network traffic not specifically allowed and log it. Then look at it. The log data will provide an enormous amount of information about what is happening, both good and bad, on your network."
Be Picky About Your Traffic
"Only allow specific, required traffic both inbound and outbound on your network. If an application and/or associated port is not needed, block it. This takes some time and tuning but is well worth the effort."
Block IP Ranges From Suspicious Foreign Bodies
Unless you do business in China, Russia, North Korea, etc. block their IP ranges. It will not stop the those that are really interested in getting to your facilities but it will stop a lot of “browsing around” to see what you have.
Never Use Default Security Settings On Internet Devices
"Make sure you have hardened any internet facing device and change the Admin username and password to something fairly hard to crack!"
Break the Addiction
"Assume your user base is compromised and break your addiction to big data analytics in your security program. Today, most security strategies focus on protecting everything - including the user host. This creates volumes of data that burdens artificial intelligence.
Assume your user base is compromised and focus your security efforts in anomaly detection between users, applications and the database. Some may dispute that this is possible, but the banking industry has achieved this with their customer base. Enterprises can mirror this approach with success."
Flip the Business Script
"Your cyber security problem may actually be a flawed business process that was never engineered for automation or security. Case in point: how we process credit card payments. For the most part, this process remains based on the same principles used when we required physical paper-based card swiping that would be sent through card-processing chain.
"Examine your business processes and identify game-changing controls that will have a huge return on investment. When gas stations began requiring ZIP codes at the pump, point-of-sale fraud dropped drastically. In fact, I know of one gas station chain where this change reduced credit card fraud by 94 percent."
Elevate & Control
"Implement permission access management (PAM) controls that only authorize elevated privileged access for a short time. Most APTs are successful because they obtain elevated privileges, which they keep indefinitely. This allows threat actors to holster their arsenal of malicious tools and “live off the land” as an authorized user with elevated privileges.
"There are many PAM solutions that allow organizations to manage elevated, time-based privileges. Some may even be mapped back to a trouble ticket. This breaks the cyber kill chain for threat actors and stops them from being persistent."