October 9, 2009 • Vol.31 Issue 25
Page(s) 6 in print issue

Protecting The Network
Pros Offer Tips On How To Shore Up Your Network Defenses Against Vulnerabilities

Key Points

• Reduce the attack surface of systems by restricting software, services, and user access on production equipment and implementing intrusion prevention systems to seal the network borders.

• Intruders may be able to use the cracks between different systems in an organization to their advantage. Investigate efforts such as IF-MAP to plug these holes.

• Educate users on proper security practices, enforce policies, and then help them with automated systems.

Houses get locks. High-rises get security guards. It only makes sense that data centers should employ all feasible and prudent means possible to keep their contents safe from prying eyes. The ins and outs of enterprise security could fill volumes, but in speaking with industry experts, a handful of tips emerged as being particularly valuable for—and often overlooked by—today’s IT managers.

Less Is More

Good IT managers are always searching for ways to optimize their systems in order to improve performance and efficiency. Fortunately, the market is full of tools to enable this. Unfortunately, they don’t always work as planned. Production servers are not experimental lab rats. They shouldn’t be the subjects of demonstration or test software—experiments belong on a test bench, not in production.

Similarly, just as untried and unnecessary applications can damage security, so can unnecessary system services. Excess operating system services can act like windows in a building—they look pretty, but they’re also another point of entry for malicious outsiders. Disable such services and, in general, reduce your “attack surface area” as much as possible. This also means restricting what users can do with the systems.

“Users or the accounts associated with applications should be limited to access only what they need and nothing more,” says Andrew Plato, president of Anitian Enterprise Security (www.anitian.com). “Avoid discretionary access, both on servers and on the network. Firewalls should be set up and restrict traffic to only what is absolutely necessary. Where possible, require authentication for browsing the Internet. This can stop automated bots and spyware from leaking out of your environment.”

Seal The Cracks

Insecurity thrives on leaks, the little cracks between major pieces of system infrastructure. In guarding against network vulnerabilities, one of the top priorities should be to identify and seal as many of these leaks as possible.

“Intruders look for holes,” says Rob Enderle, principal analyst at Enderle Group. “The most common are the gaps between physical and electronic security tools. If both the physical and the electronic methods have to agree, then simple intrusions (use of an employee password or ID card) become vastly more difficult. Come up to speed on TCG’s IF-MAP and use it, or something similar, to close this gap.”

The Trusted Computing Group’s (www.trustedcomputinggroup.org) IF-MAP protocol specifies a metadata database about all users on the organization’s network. Applications and systems can coordinate with this database in order to unify security efforts. This way, an intruder can’t exploit differences in user identity and credential information across multiple platforms or systems.
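
The agreement check described above, sketched as an added example (not from the article, and not the IF-MAP wire protocol): a toy shared metadata store that a badge system and a directory both publish to, with a login decision that requires the two to agree. All class, function, and field names and the sample records are hypothetical and constructed for illustration.

```python
# Added illustration: a toy in-memory metadata map, NOT the IF-MAP protocol.
# All class, function and field names here are hypothetical.
from dataclasses import dataclass, field


@dataclass
class MetadataMap:
    """Shared store that security systems publish to and query."""
    _records: dict = field(default_factory=dict)

    def publish(self, identity: str, source: str, key: str, value: str) -> None:
        # Each publisher (badge system, directory, ...) owns its own entries.
        self._records.setdefault(identity, {})[(source, key)] = value

    def search(self, identity: str) -> dict:
        return dict(self._records.get(identity, {}))


def allow_console_login(mmap: MetadataMap, identity: str) -> tuple[bool, str]:
    """Permit an on-site console login only if the physical and electronic
    records for the same identity agree."""
    meta = mmap.search(identity)
    location = meta.get(("badge-system", "location"))
    account = meta.get(("directory", "account-status"))
    if account != "active":
        return False, "account not active in directory"
    if location != "inside":
        # Credentials may be valid, but the badge system never saw an entry.
        return False, "no badge-in recorded for this identity"
    return True, "physical and electronic records agree"


def demo() -> dict:
    # Constructed sample data.
    mmap = MetadataMap()
    mmap.publish("alice", "directory", "account-status", "active")
    mmap.publish("alice", "badge-system", "location", "inside")
    mmap.publish("bob", "directory", "account-status", "active")
    mmap.publish("bob", "badge-system", "location", "outside")
    mmap.publish("carol", "directory", "account-status", "disabled")
    mmap.publish("carol", "badge-system", "location", "inside")
    users = ("alice", "bob", "carol", "mallory")
    return {u: allow_console_login(mmap, u) for u in users}


if __name__ == "__main__":
    for user, (ok, reason) in demo().items():
        print(f"{user:8} {'ALLOW' if ok else 'DENY '} {reason}")
```

The decision fails closed: an identity with no published records at all is denied, and a valid account without a matching badge-in is denied with a reason that can be logged for follow-up.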

Prevention Pays

A major component of a solid vulnerability protection plan should be education. A surprising number of IT professionals fail to keep up on their security training and awareness, despite the fact that threats multiply and evolve on a daily basis. Blake McConnell, senior director of product management for SME security solutions at Symantec (www.symantec.com), notes that his company and many others publish reports that help define the threat landscape for small and medium-sized enterprises. This is a great way to stay informed about the current threat landscape and understand what your organization is up against.

Another form of threat prevention lies with hardware appliances, particularly IPS (intrusion prevention system) appliances. These devices are a more aggressive form of traditional intrusion detection systems and provide deep inspection of network traffic and system behavior for malicious activity.

“A good IPS can provide a valuable layer of defense that firewalls and antivirus software cannot,” says Anitian’s Plato. “Moreover, an IPS can alert you to when attacks are taking place, letting you know if your systems are or have already been compromised. IPSes can also provide a very valuable protection window between when a new exploit hits the Internet and the manufacturer provides a patch or service pack update. While patching systems is important, organizations should never rely exclusively on patches to protect systems, since patches are often released after an exploit has been in use.”

Social Services

The reality is that most organizations now employ strong enough systems security to make hacking a cumbersome, difficult task for even seasoned hackers. The easiest attack vector is now people—the everyday users who can unwittingly provide valuable access information to intruders. Why go through the trouble of hacking a password when it’s easier to have a user voluntarily give it away? The best way to guard against “social hacking” is with training and participation.

“Users remain the biggest exposure to any security environment,” says Enderle. “If they aren’t made part of the solution, they will be the major part of the problem. Users should be trained, and training should be enforced with regard to both physical and electronic security policies.”

Of course, no amount of training can ever wholly eliminate human error and gullibility. This is why Symantec’s McConnell urges companies not only to develop and enforce IT policies but also to automate their compliance processes. By prioritizing risks and defining policies that span across every location, companies can enforce policies through built-in automation and workflow and not only identify threats but remediate incidents as they occur or anticipate them before they happen.

“In addition, there are a number of routine physical security tactics employees can use to help strengthen a company’s security defenses,” notes McConnell. “These include using the screen-locking feature when away from the computer, shutting the computer off at the end of the day, locking laptops with a cable, not leaving passwords written down, and being mindful of physical security of PDAs and handheld devices, which are a popular target of thieves. Also be sure to implement strong passwords and change them every 45 to 60 days to make it more difficult for intruders to access your data. Finally, make sure employees enable the security settings on Web browsers and disable file sharing.”

by William Van Winkle


Best Tip For Beginners: Keep It Simple

People have a tendency to want to impress superiors when they’re new on the job, especially when fairly fresh within a given field. Why build a brownstone when you could make a mansion? For starters, there’s a lot more that can go wrong in larger efforts, and it’s easy to lose sight of what an organization actually needs and should employ in a particular environment. Superiors will be impressed more by a security solution that’s cost-effective and dependable rather than elaborate and supposedly all-encompassing.

“Keep it simple,” advises Rob Enderle, principal analyst at Enderle Group. “The more complex the solution, the more easily it can be compromised. If you can’t understand it, chances are it actually won’t work very well in your environment.”



Copyright © by Sandhills Publishing Company 2010. All rights reserved.