1. Begin by establishing corporate security policies. These should include policies on employee use of so-called personal storage devices, such as MP3 players and USB memory sticks, which can house unauthorized executables.
2. Be particularly clear on the consequences of failing to heed your enterprise’s security policies, then stick to those policies.
3. Send at least one member of your IT staff to a security industry training program from a vendor-neutral source. There are a bevy of professional organizations from the SANS Institute to the Information Systems Security Association (ISSA) that offer courses and conferences.
4. Establish a corporate culture that understands the seriousness of security concerns and the increasing threat the internet poses to data security and the security of personal information. John Loyd, vp and director of IT at Patton Harris Rust & Associates (PHR&A), says he sends out emails “every few months and after large-scale attacks educating our people, who after three years are much more savvy to what IT is doing and what they need to do” to keep their systems secure.
5. Develop an emergency plan for responding to future attacks in a timely manner. This plan should include four key elements: a learning phase to determine what systems were compromised, a triage phase to contain the damage, an eradication phase to eliminate the infection, and a recovery phase to re-evaluate your security policies.
6. Target vulnerability assessment efforts to your own environment. For instance, if you have a Linux or Unix shop, do not worry about Windows exploits. “It doesn’t make sense to remediate a thousand devices when only a hundred are vulnerable,” explains Andre Gold, director of information security for Continental Airlines.
7. Run regular and in-depth vulnerability assessment tests to try to penetrate your own systems. “All kinds of things fail under a broad category of penetration tests,” says Paul Padgett, ceo of Core Security. “You have to figure out ways external or internal attackers can get access to your resources. Once you have that mentality, you’ll develop proactive ways to build out your security.”
8. Correlate IDS/IDS attack data with the results of a vulnerability-assessment report to determine exactly where the attack came from.
9. Become aggressive in keeping your enterprise’s desktop and laptop PC software up-to-date, especially Microsoft-related software. Utilize Microsoft’s Update Server to control when and what is patches within your environment.
10. Prohibit end users from installing hardware or software or moving their own PCs without IT department support.