How about make it secure and not break anything?
A couple of my friends had just started new jobs and we'd been talking about the huge task in front of them. It's pretty scary and can be overwhelming. These were some of the suggestions to get started and cover your own butt at the same time. I thought they might be worth sharing.
Let's say you start your new job as the head (or only) network/security guru, you've got good network and OS skills and you're keen to make your mark by cleaning up this Wild West network and kick off using those newly acquired security skills.
Where do you start?
Patching, inventory, mapping the devices on the network, risk analysis, vulnerability assessments, checking the firewall, VPN, wireless access points, installing anti-virus, log correlation, validating that the backups work (or even exist!), DRP/BCP, upgrading the hardware, software and firmware, or removing Quake from the accounts PC?
The sentence above is enough work to keep you busy for at least six months, and that's without dealing with customer requests for help with printing, using Word or finding their lost files.
Let's say that you have your boss's support, a basic IT/security policy and a budget to do the work, as long as you can justify why you need to spend it.
When you’re securing a network it’s all about having the basics done right and verified first before tackling the more exciting stuff.
Start by making notes and documenting everything you do. Get a bound A4 book and use it as a journal. IT folks often get blasted for bad documentation skills. Writing down your actions and processes stops you from trying to do too many things at once. It also makes you think about what you're doing and how you're trying to achieve it. Thinking and planning stops those nasty moments where you ask yourself "Did I mean to make that change?"
A nice, simple but great place to start technically is the backups. Old, boring and very unexciting, but working backups, and being able to validate that they can be restored, are key to making sure that if a disaster happens tomorrow, you come out looking like a hero.
Knowing what, how and why you have to backup systems and configurations can give you a solid understanding of the company you’re protecting, what their needs are and what’s important to them.
While you're working out the backups, start making a full network inventory.
That's the make, model and serial number of the hardware; the type and version of firmware and software; then the licensing, configuration and owner of each system and piece of software.
Finding out the owner of a system or piece of software is very important so you can ask questions or get help working out how it works, how it should work and what it does.
Get this out of the way and you’re safe to move on to the more fun and challenging parts.
You’ve got the management backing, backups are good and a solid network layout, so it’s on to the firewall.
The firewall should be the main portal to the network and control all inbound (ingress) and outbound (egress) traffic.
Review the rules, ask why they're there and what they actually do. I've seen some crazy rules put in place that no one knows the reason for, but everyone is terrified to remove them in case it breaks something. Take a backup of the configuration and slowly comment out the odd or old rules one at a time, checking that nothing important stops working!
Firewalls should have a default block-everything policy and only allow traffic that has been understood, documented, agreed and signed off.
The outbound rules are just as important as the inbound ones and are more useful for seeing whether there is trouble on your internal network.
How can that be?
As you build and document the firewall rules, set up a rule so that any dropped outbound packets, together with the IP addresses of the systems that sent them, are logged. The firewall's outbound logs (also known as drop logs) should always be empty, because you've spent the time making sure that every system you want to go outbound is specifically allowed by a rule.
If they start filling up, this immediately tells you that something is wrong on the network. It might be a misconfigured PC, someone who has plugged in a laptop from home, or a new virus trying to scan computers outside your network. This gives you the starting point to investigate the problem. Again, write up each of these events in your journal, as they help make your case in the future.
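As an added example (not part of the original post), here is a small script that does the triage the paragraph above describes: it reads egress drop-log lines, groups them by internal source host, and separates "many destinations on one port" (scanner-like) from "same destination over and over" (misconfigured or unknown host). The log lines are constructed samples in an iptables-style format, and the `DROP-OUT` prefix, the field regex and the scan threshold are assumptions to adapt to your own firewall.

```python
import re
from collections import defaultdict

# Constructed sample of egress drop-log lines (iptables-style prefix "DROP-OUT").
# On a network where every legitimate outbound flow has its own allow rule,
# this log should stay empty; anything in it is worth a look.
SAMPLE_DROP_LOG = """\
Mar 12 09:01:02 fw kernel: DROP-OUT IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=203.0.113.9 PROTO=TCP DPT=445
Mar 12 09:01:02 fw kernel: DROP-OUT IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=203.0.113.10 PROTO=TCP DPT=445
Mar 12 09:01:03 fw kernel: DROP-OUT IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=203.0.113.11 PROTO=TCP DPT=445
Mar 12 09:01:03 fw kernel: DROP-OUT IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=203.0.113.12 PROTO=TCP DPT=445
Mar 12 09:02:10 fw kernel: DROP-OUT IN=eth1 OUT=eth0 SRC=10.0.9.77 DST=198.51.100.4 PROTO=UDP DPT=53
Mar 12 09:02:11 fw kernel: DROP-OUT IN=eth1 OUT=eth0 SRC=10.0.9.77 DST=198.51.100.4 PROTO=UDP DPT=53
"""

# Field pattern is an assumption for this sample; adapt it to your firewall's log format.
LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)")

def parse_drops(log_text):
    """Return (src, dst, proto, dport) for every line that matches LINE_RE."""
    drops = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            drops.append((m["src"], m["dst"], m["proto"], int(m["dpt"])))
    return drops

def summarise(drops, scan_threshold=3):
    """Group drops by internal source host and give each a rough verdict.

    Many distinct destinations on one port looks like a worm or scanner;
    repeated drops to a single destination is more likely a misconfigured
    host (wrong DNS server, stale proxy) or an unknown device on the LAN."""
    per_src = defaultdict(lambda: {"count": 0, "dsts": set(), "ports": set()})
    for src, dst, proto, dport in drops:
        per_src[src]["count"] += 1
        per_src[src]["dsts"].add(dst)
        per_src[src]["ports"].add((proto, dport))
    report = {}
    for src, e in per_src.items():
        verdict = "possible scan" if len(e["dsts"]) >= scan_threshold else "misconfig/unknown host"
        report[src] = {"count": e["count"], "distinct_dsts": len(e["dsts"]),
                       "ports": sorted(e["ports"]), "verdict": verdict}
    return report

if __name__ == "__main__":
    for src, info in summarise(parse_drops(SAMPLE_DROP_LOG)).items():
        print(src, info)
```

Each flagged source host is a lead to chase through your inventory (who owns it, should it be talking out at all) and to note in the journal.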
With these basic steps you’ve now got a clear, documented picture of the network, its systems and its general health.
In fact, you've done your first documented audit and risk assessment!
When you have hard, clear, documented notes on the problems and suggestions on how they can be addressed, management tends to listen. You can use the documents you've created to show management the weaknesses, like old software/hardware or out-of-date, unsafe systems.
From here you can then target the most important steps to secure the rest of the network.
Remember - if you don't understand what makes up the network and what's happening on it, how can you know what's right or wrong, what's normal or abnormal?
Spend the time to get the basics done well, then go off and save the world :-)