While many companies have a 9-to-5 security staff, hackers don't punch a clock. However, your network can still remain secure in the 16 hours in-between—you just need to focus activities to provide maximum coverage for the network.

In today's connected world, hacking is a 24/7 business. Whether approaching it as a job or a hobby, hackers don't punch a clock.

While many companies don't have the budget for 24/7 security managers, that doesn't mean you should just give up on security. If your security staff, or your one security staff member, is on a 9-to-5 schedule, your network can still remain secure in the 16 hours in-between -- you just need to focus activities to provide maximum coverage for the network.

Develop a methodical, comprehensive task list that provides the most efficient means of securing your network. To jump-start your planning, here are eight simple tasks you should make sure to check off every day.

In the morning

After arriving at work, get some coffee, check your e-mail, and do the following:

1. Verify the current connections: There's nothing like catching malicious behavior while it's occurring. Inspect all the connections going through your firewall -- both in and out. Look for anomalies and investigate them; this could include outbound FTP or inbound Telnet/SSH sessions. You're looking for things that aren't normal.
2. Look at network traffic statistics: How much activity took place while you weren't there? What type of traffic was it, and what was the destination and source?
3. Look at your antivirus logs: Did a virus hit your e-mail system last night? Are the antivirus signatures up to date?
4. Read the security logs on your domain servers: Did the system lock out any accounts last night? Pay special attention to any accounts with administrator access. Verify that lockouts were human error -- and not part of a breach attempt.
5. Check for new security patches: Determine whether any of your vendors released patches for any software in your baseline. (If you don't have a baseline, I highly recommend developing one.) If a new patch is available, read the release notes thoroughly. Then, make a decision or recommendation whether to implement it now or wait for scheduled system downtime.

In the afternoon

When you arrive back from lunch, there's still a lot left to do:

1. Meet and brief: Managers like to know what's going on, so don't wait for them to ask -- tell them. Meet and brief on anything that occurred during the evening and the actions you've taken so far. This is also a good time to pitch new ideas; such as tools that could help you defend the network or staff training.
2. Check more logs: Take an in-depth look at IDS and firewall logs. Who on the Internet is knocking on your door? What are they looking for? Who on the inside of your network is doing something they shouldn't be?. If you find unauthorised and/or illegal activity, report it immediately, and take action to stop it.
3. Turn knowledge into action: Now that you know what went on while you weren't there, develop an action plan to prevent the behavior in the future. Do you need to adjust your firewall rules? Is your IDS catching and reporting the proper events? Do you need to archive logs to save space on your servers? Do you need to give a final briefing on any actions that occurred during the last 24 hours?

Final thoughts

A lot of companies don't run 24/7 security operations, and sometimes you might find yourself as the only person providing security for a network. While it's easy to get caught up in events and miss important items on your security checklist, you'll never know what you're missing if you don't create a list in the first place. Network security shouldn't be reactionary -- don't wait for events to drive you into action.

The above list isn't complete, but it's a starting point. Create your own security to-do list that's specific to your organisation's needs, and keep your security on track.

Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.

Serverside This was published in Serverside, check every Tuesday for more stories

Related links

Leave a comment

You must read and type the 6 chars within 0..9 and A..F

* indicates mandatory fields.

Log in


Sign up | Forgot your password?

Blogs

RSS feed

  • Staff Aussies to pay more for Win 7

    If you are looking to make some money in these troubled times, perhaps importing copies of Windows 7 could be for you. Read more »

    -- posted by Staff

  • Staff Firefox: Greens want it, 3.5rc2 not up to par

    This week's roundup looks at the situation surrounding a campaign to change Outlook HTML renderer, a Greens MP wants to install Firefox but is restricted and all the photos from the iPhone 3GS launch. Read more »

    -- posted by Staff

  • Chris Duckett Microsoft misses the Outlook point

    Ask designers which mail program is the bane of their existence, and you'll find that Outlook tops the list. The reason why the most popular email reader is also the most painful is simple: it uses Word to render HTML emails. Read more »

    -- posted by Chris Duckett

What's on?