Network Security Management – Process Street

Introduction:

Network security management can be one of the most imposing tasks to set your mind to; how exactly do you go about ensuring the functionality, security and general health of an entire network?

"Over 70% of organisations report having been compromised by a successful cyber attack in the last 12 months" - David Shephard at NetIQ

Not only does the task cover a huge base of potential entry points for the aspiring hacker, but the field on which your battles are fought is constantly changing.

Routine system updates can sometimes prove just as dangerous as dubious software installs from unverified vendors, and given enough time, vulnerabilities in your system security will be uncovered.

However, by running this network security management checklist regularly (we recommend once every fortnight), you can protect your system and prepare for the worst.

From locking down potential access points to backing up important data, read on to cover your network with the security it needs.

Preparation:

Record some preliminary details

First things first; you need to record some important information such as the date this checklist was run and the technician who is carrying it out.

This is primarily to ensure that you have a running record of when your network security management checklist was last run and who by.

In the event of a breach, you will be able to look into these records and assess who was not thorough enough as well as the window of opportunity when the vulnerability must have appeared.

User security:

Check that two-factor authentication is enabled for new users

Two-factor authentication should be set up for every single one of your users already, and should also be enforced for new user sign-ups, but new applications recently installed system-wide may need setting up.

If you're using Google Apps, you'll be able to see exactly who has 2FA enabled from within the admin control panel.

Follow the sub-checklist below to check whether there are users who aren't 2FA activated yet.

1. Sign in to your Google Admin console
2. Click "Reports"
3. Click "Security"

Here you will see the "2-Step Verification Enrolment" tab, and the users not yet set up with 2FA will be marked as "Not Enrolled". Record your findings below.

Send reminder email about 2FA to new users

It's possible that some of your new users may have slipped through the cracks and won't have 2FA enabled yet. In that case, you should send them a friendly reminder email about how and why they should enable 2FA.

Lucky for you, this checklist contains a pre-formatted email for issuing a 2FA reminder, auto-filled with the relevant details to make your life easier. 

Before you send anything, set the deadline date for 2FA activation.

Now all you need to do is fill out the emails of the users who need to be reminded, then once everything looks good, hit "Send".

Test your email filters

Whatever email filter system you are using, you should test that it is working correctly. Within your filtration settings, you should have control over a number of parameters, including the ability to block certain domains and file types.

Follow the sub-checklists below to test that your email filters are working as they should be.

1. Block a specific domain with your email filter
2. Send a test email to the blocked domain to see if it is rejected

Next, perform the same test, but this time for a specific file type.

1. Block a specific file type with your email filter
2. Send a test email with the blocked file type attachment to see if it is rejected
3. Update your email filters to reflect the results of this test

Disable old or obsolete accounts

Old, inactive accounts pose a security threat and should be disabled in a timely manner. 

You can check which user accounts haven't been logged on within the past 90 days by running a simple command in the Linux terminal whilst logged into a server machine as admin:

lastlog -b 90

Check that everything in this list looks right (lastlog also lists system accounts, root included, if they have not logged in within the period, and those should not be locked), and then run the following command to both append the listed usernames to a log file and disable all the user accounts listed:

lastlog -b 90 | tail -n+2 | grep -v 'Never log' | awk '{print $1}' | tee -a ~/usermod-L.log | xargs -I{} usermod -L {}
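The selection step of that pipeline, written out with the safety checks a practitioner would want before anything reaches usermod -L. This is an added example, not the checklist's own command; the lastlog output, the passwd entries and the UID_MIN value are constructed assumptions.

```python
# Added example, not the checklist's own command: pick lock candidates from
# `lastlog -b 90` output while skipping system accounts and never-used accounts.
# The lastlog output and passwd entries below are constructed samples.
UID_MIN = 1000  # assumption: UID_MIN from /etc/login.defs; lower UIDs are system accounts

LASTLOG_OUTPUT = """\
Username         Port     From             Latest
root             tty1                      Mon Jan  8 09:12:01 +0000 2024
daemon                                     **Never logged in**
alice            pts/0    10.0.0.12        Tue Feb 13 17:44:09 +0000 2024
bob                                        **Never logged in**
svc-backup       pts/1    10.0.0.30        Wed Jan 10 02:00:00 +0000 2024
carol            pts/2    10.0.0.45        Thu Mar  7 08:15:33 +0000 2024
"""

# (name, uid) pairs as `getent passwd` would report them (constructed).
PASSWD = [("root", 0), ("daemon", 1), ("alice", 1001), ("bob", 1002),
          ("svc-backup", 999), ("carol", 1003)]


def parse_lastlog(text):
    """Map each username in lastlog output to True if it has ever logged in."""
    seen = {}
    for line in text.splitlines()[1:]:          # first line is the header
        fields = line.split()
        if fields:
            seen[fields[0]] = "Never logged in" not in line
    return seen


def stale_user_candidates(lastlog_text, passwd, uid_min=UID_MIN):
    """Accounts lastlog reports as stale that are ordinary users (uid >= uid_min)
    and have logged in at least once; root and service accounts are left alone."""
    uids = dict(passwd)
    stale = parse_lastlog(lastlog_text)
    return sorted(u for u, ever in stale.items() if ever and uids.get(u, 0) >= uid_min)


def lock_commands(users):
    """The usermod -L commands to review before running them."""
    return [f"usermod -L {u}" for u in users]


if __name__ == "__main__":
    for cmd in lock_commands(stale_user_candidates(LASTLOG_OUTPUT, PASSWD)):
        print(cmd)
```

Running it prints the two commands for alice and carol only; root (uid 0), svc-backup (uid 999) and the never-used accounts are excluded and left for a manual decision.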

Review remote access logs

Remote access audit logs can be a major flag for unauthorized access to your network, and so they must be reviewed.

You should keep an eye out for any users logging on under suspicious circumstances, such as in the middle of the night, or signing into the system despite already being in the office working.

1. Review audit logs for signs of suspicious activity
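The two patterns described above (logins in the middle of the night, and a remote login from a user who is already working in the office) turned into a small review pass over constructed sshd log lines. This is an added example, not part of the original checklist; the business hours, the office LAN range, the freshness window and the log year are assumptions.

```python
# Added example, not part of the original checklist: a review pass over constructed
# sshd "Accepted ..." lines that flags the two patterns the text describes.
# Business hours, the office LAN range and the log year are assumptions.
import ipaddress
import re
from datetime import datetime, timedelta

BUSINESS_HOURS = range(7, 19)                    # assumed: 07:00 to 18:59 local time
OFFICE_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed office LAN range
OFFICE_WINDOW = timedelta(minutes=60)            # how fresh an office session must be
LOG_YEAR = 2024                                  # syslog timestamps carry no year

ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8}) \S+ sshd\[\d+\]: "
    r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed sample; the failed root attempt is not a login and is ignored.
SAMPLE_LOG = """\
Feb 13 09:02:11 gw sshd[1201]: Accepted publickey for alice from 10.0.0.12 port 50122 ssh2
Feb 13 02:47:30 gw sshd[1290]: Accepted password for bob from 203.0.113.7 port 41022 ssh2
Feb 13 10:15:00 gw sshd[1301]: Accepted publickey for carol from 10.0.0.45 port 50990 ssh2
Feb 13 10:40:12 gw sshd[1322]: Accepted publickey for carol from 198.51.100.9 port 61000 ssh2
Feb 13 11:00:00 gw sshd[1330]: Failed password for root from 198.51.100.9 port 61001 ssh2
"""


def parse_logins(text):
    """Yield (timestamp, user, source address) for each accepted login, in log order."""
    for line in text.splitlines():
        m = ACCEPTED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], ipaddress.ip_address(m["src"])


def flag_suspicious(text):
    """Return [(user, 'HH:MM:SS', reason)] for the logins worth following up."""
    findings = []
    last_office_login = {}                       # user -> time of latest LAN login
    for ts, user, src in parse_logins(text):
        when = ts.strftime("%H:%M:%S")
        if ts.hour not in BUSINESS_HOURS:
            findings.append((user, when, "off-hours login"))
        recent = last_office_login.get(user)
        if src not in OFFICE_NET and recent and ts - recent <= OFFICE_WINDOW:
            findings.append((user, when, "remote login while an office session is fresh"))
        if src in OFFICE_NET:
            last_office_login[user] = ts
    return findings
```

On the sample, bob's 02:47 login and carol's external login 25 minutes after her LAN login are the two findings to hand to the follow-up task.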

Follow up with suspicious log activity

Suspicious logins should be flagged and followed up by contacting the account owner to ask about them. If they deny knowledge of the log-in, check for any sensitive data that was accessed during the logged-on period and take measures to ensure the account's security (e.g. change passwords or even temporarily suspend the account).

1. Flag any suspicious log-ins
2. Record who was involved, what happened and when it happened
3. Check for any sensitive data that was accessed during the logged-on period
4. Record the preventative action taken to ensure data/account security

Data security:

Check and backup system data

You need to make backups, for everything, regularly. Ideally, the process should be automated.

Your job is to be the custodian of the backups. Best practice backup processes rely on real people checking that the automated processes are running properly, and testing that the backups are actually working.

1. Ensure server machines are fully backed up
2. Ensure workstation machines are fully backed up

Checking that backups are happening is a must - but it's also crucial that you make sure those backups are working. Take a random sample from the most recent backup and try loading it onto a machine to see if it works. Three backups should be tested to get a more reliable result. 

1. Take three backup images made in the last week
2. Load them all onto the same configuration as their parent system
3. Check they are all working as expected

Evaluate backup process

If there are problems with the test images, then you should perform extensive testing to get to the root of the problem.

This may include re-making and re-testing system-wide backup images or switching the backup process that's currently in use to a new one.

1. Perform backup process troubleshooting
2. Test three more random backup samples
3. Evaluate your current backup process
4. Consider switching to a new backup process

Network security:

Check and update computer inventory

For all systems, both server and workstation, a comprehensive list should be maintained and appended as and when new systems are integrated into the network.

Open up your database and add the details of new server and workstation computers.

1. Make sure the server inventory is up to date
2. Make sure the workstation inventory is up to date

Check out our guide to IT naming conventions for some best practice tips on how to organize your inventory database.

Check and install latest security patches

Security patch management is one of the largest points of failure in any computer network, and often holes appear as a result of bad processes for systems maintenance.

Whilst building a complete security patch management process is out of the scope of this checklist, check off the sub-tasks below to keep on top of the latest updates and employ best practice for computer and software inventory management:

1. Maintain and update your software inventory
2. Maintain and update your list of server and workstation computers
3. Apply network-wide security and software patches

Check Seqrite event log monitoring

Each device in your network should be able to produce comprehensive event logs that can be reviewed and filtered to help gain insight on emergent issues and security threats. 

Part of your routine network security protocol should include a check of these logs to make sure that they're being recorded as expected, and also to make sure nothing unusual has been detected.

1. Log on to the Seqrite Endpoint Security Web console
2. Click on "Reports"
3. Click on "File Activity Monitor"
4. Check for event log monitoring alerts
5. (If applicable) resolve monitoring alerts accordingly

Check Seqrite End Point Security reports

No doubt you already have a system in place to ensure all your endpoints are secure - but every good network security protocol will incorporate regular checks like this to make sure all existing systems are foolproof.

Seqrite offers a web-based graphical interface with comprehensive reports of the health of all system endpoints. Endpoint threats such as virus infection, urgent security patches and more have alerts enabled for immediate action.

To see the reports for Seqrite's EPS tools, follow these steps:

1. Log on to the Seqrite Endpoint Security Web console
2. Click on "Reports"
3. Click on "Client"
4. Check for EPS monitoring alerts
5. (If applicable) resolve monitoring alerts accordingly

Test your firewall security

Firewall security should be checked regularly, and there are a few things you can do to test out just how secure your system actually is.

Before you start, you should take the following measures to be sure your testing does not compromise the network:

1. Disconnect the system you're using from the rest of the network
2. Make sure the system has no identifying or sensitive information stored on it

The first method involves using a service like openphish to test out whether your firewall blocks that page as a threat.

1. Go to the openphish URL above
2. Check the list of known malicious URLs
3. Make sure your firewall blocks the listed pages as a threat

Now try entering a botnet command from this public list to see if your firewall catches it.

1. Open the console
2. Run a botnet command from the list above

Finally, you should check to see which ports are open/forwarded and perform a port scan with Nmap. 

1. Check which ports are forwarded
2. Perform a port scan with Nmap

Evaluate firewall configuration

If the firewall security test did not perform as expected, then you should evaluate your firewall configuration.

This essentially involves looking at the different settings available and tightening the security a bit more. If one of the tests from the previous task failed, it's likely the result of a certain filter not being active, or a certain parameter being disabled. 

Review the sub-checklist below and consider what might have caused the firewall security test to fail.

1. Check anti-spoofing filters
2. Check user permit rules
3. Check system administrator alert settings
4. Check system traffic log analysis

Test and run antivirus software

Fire up your antivirus weapon of choice and run a routine virus and malware test.

Antivirus is a preventative measure, not a perfect solution to every problem. It's hard to know if your antivirus is even doing its job sometimes.

You can test out the resilience of your antivirus software by downloading an EICAR file designed to simulate a virus or malware infection. This is completely safe and will indicate whether or not your antivirus is doing its job.

The full process is outlined in the sub-checklist below.

1. Download the EICAR file
2. Run an isolated scan on the EICAR file

Your antivirus should flag the EICAR file and quarantine it accordingly. If this is not the case, you should seriously consider switching to another antivirus software.

Following the EICAR test, you are set up for a full system scan:

1. Launch your antivirus software control panel
2. Perform a full system scan
3. Isolate and quarantine any threats detected

Hardware checks:

Perform routine network maintenance

For the most streamlined experience for both user and administrator, regular server and workstation maintenance needs to be carried out. 

As with any electronic system, poor care can lead to a degradation of part quality, and ultimately, performance.

You've updated your list of each and every computer active in your network, so now all you need to do is put each and every one through routine maintenance.

We've got you covered - check out both our Server Maintenance Checklist as well as the Computer Maintenance Guide for the full maintenance process.

Following these steps, you'll have everything you need to ensure tight network security. Just check off the sub-tasks below:

1. All server computers have had routine maintenance checks
2. All workstation computers have had routine maintenance checks
