The “Secure Configuration” baseline control specifically relates to ensuring network devices are set up optimally in terms of security. While this concept is easy to understand, implementing it involves mapping out all the devices in your network and ensuring that each one is configured to the highest security standards – a task that is easier said than done.
Don’t assume that default will do!
Default setting usually enable maximum usability, not maximum security! New devices often come pre-loaded with a range of nice-to-have, but ultimately unnecessary programs. User accounts may be pre-configured with administrator-level permissions and occasionally software programs feature default ‘admin’ passwords that can be looked up online. To ensure maximum security all of the above will have to be comprehensively reconfigured with security ‘best practice‘ in mind.
What might happen if I don’t configure my network securely?
While it’s no easy feat, configuring devices software and operating systems for maximum security is essential to avoid the pitfalls of a carelessly configured system. Failing to do so can result in:
Unexpected/unauthorised changes. Poorly managed permissions could lead to file loss, unexplained file edits and system changes. Changes could result from human error or they could be carried out with malicious intent, leading to the loss of high value, sensitive data or intellectual property.
A route of entry for malware. Poor maintenance will leave security vulnerabilities in software open for hackers to exploit.
Cybercriminals gaining ‘front door’ access to your network. A weakly configured network could give the cyber ‘bad guys’ freedom to inflict maximum damage.
A compromised account could give a hacker access to highly sensitive information if no additional access conditions are implemented.
A hacker could reconfigure network settings and set up a ‘back door’ for future attacks if user privileges are overly generous.
Removable media could be used to introduce malware if ‘Autorun’ is enabled.
9 considerations for secure system configuration
Only use vendor-supported software
It’s important to ensure all the software and operating systems you used are ‘supported.’ This means the vendor continuously releases security fixes (patches) as well as regular updates that address issues affecting functionality. Using unsupported versions of software means security vulnerabilities aren’t being addressed, leaving the door open for cybercriminals to enter and steal your important data. At the beginning of this year, Microsoft stopped supporting Windows 7, prompting many businesses to make the transition to Windows 10 for security reasons.
Create a patch management policy
It’s important to install security-critical updates in a timely manner in order to keep the ‘window of opportunity’ for cybercriminals as short as possible. Set target timeframes for the deployment of patches so that network administrators understand the importance of installing new updates quickly to minimise cyber risk.
Maintain an inventory of all hardware and software
It’s important to have an overview of all the network components (both hardware and software) so that potential security vulnerabilities don’t go overlooked. It can also be useful to record extra information such as location, purpose, version and patch status for the purpose of system maintenance.
Establish ‘base guidelines’ for software configuration
It can be useful to set down rules for the secure use of software to ensure good practice is maintained across all platforms.
Use vulnerability scanning tools
Regularly running vulnerability scanning tools is a good way to shine a light on vulnerable areas of your network including applications that might be presenting security risks. Ensure vulnerabilities exposed by these scans are remedied by setting target timescales.
Remove unnecessary peripherals and discourage removable media
With the move towards cloud storage, removable devices such as flash drives are fast becoming a thing of the past. Encourage staff as much as possible to keep data ‘in the cloud’ by disabling ports and limit the use of flash drives, which can be a route of entry for malware. Similarly, consider disabling or removing unnecessary or underused peripherals and remove corresponding device driver software.
Draw up a list of approved applications
Establish a list of permitted applications – secure programs required for business-critical functions. Review this list regularly and remove applications from it when your business no longer requires them. Furthermore, deploy ‘execution controls’ to block the running of unauthorised software.
Assign user privileges sparingly
The ability to alter security settings, install and remove software and configure security-critical component (such as firewalls) should be restricted to as few employees as is practically possible.
Restrict the functionality of admin accounts
Access to an administrator account can give hackers unrestricted, network-wide access which could result in a catastrophic data breach. Reduce the opportunities for hackers to hijack such accounts by stripping back functionality to the bare essentials – consider going as far as disabling internet access altogether.
Securely configuring every aspect of your network from the ground up can be a time consuming, the somewhat tiresome process however a well-configured network is an essential base on which to build more sophisticated cyber defences.