Most security administrators are familiar with the estimate that 90% of successful Web server penetrations could have been prevented by simple administrative safeguards, such as monitoring security bulletins and maintaining an adequate patch level. Indeed, you've probably read numerous articles and tips like this one offering you ideas on how to increase your security posture. But how often do you put these ideas into practice?
Fortunately, there are a number of wonderful resources out there for administrators seeking to quickly ramp up the security posture of their protected systems. If you simply commit to spending a few hours each week tackling a few of the most common vulnerabilities, you'll quickly make great strides towards improving your network security. Let's take a look at some of the more useful security benchmarks available today:
- Microsoft's Security Checklists offer operating system and application-specific advice in an easy-to-understand manner. Their site includes almost 20 different checklists and resource guides designed for various Microsoft products.
- One of the best sources around for security benchmarks is the Center for Internet Security. They offer baseline configurations for operating systems, applications and network devices and also provide benchmark assessment tools. These automated tools check various Windows/Unix operating systems for known vulnerabilities and provide you with a security "score."
- The SANS Top 20 Most Critical Internet Security Vulnerabilities list is continuously updated by SANS and the FBI to include what they judge to be the greatest threats out there. If you only have time to fix a few things, this should be your shopping list.
- If you're running Unix systems on your network, you'll probably want to read the CERT UNIX Security Checklist. It provides four detailed sections offering advice on securing the basic Unix operating system, major Unix services, specific versions of Unix and basic patching.
- Application developers should check out the Web Application Security Checklist on Enterprise IT Planet. This checklist provides a decent template for incorporating security into Web applications.
All of these benchmarks and checklists offer you a great starting point for enhancing the security of your environment. However, keep in mind that security is more than just checking a bunch of boxes -- it's a state of mind!
About the Author
Mike Chapple, CISSP is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles including the CISSP Prep Guide and Information Security Illuminated.