Posted by: mongy1951 | July 3, 2010

Basic Network Security

Had an interesting conversation the other day; I was asked what I would do in order to begin tightening up security in an organization where computer security has been lax.

It’s hard for me to believe there are still organizations out there that don’t have a well-designed, well-implemented security program in place. However, I suppose that some people have been living in very well secured facilities with no internet connectivity enabled, where nobody is allowed to take a laptop home or bring in CDs.

However, the question was “what would you do?”

I suppose that you’d start with passwords. That would be the easiest thing to begin with. You’d need to implement some form of centralized security hub, like LDAP or AD, and set up mandatory password controls (including a plan to age passwords, with mandatory changes at periodic intervals).

A note on the quality of passwords here: they need to be complex. You can’t have anyone using “drowssap” or their name spelled backwards.
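To make the two rules above concrete (complexity plus mandatory ageing, with the “drowssap” and name-spelled-backwards cases caught explicitly), here is a small policy checker. It is an example added for illustration, not a tool from the post or from any directory product; the 12-character minimum, the 90-day rotation interval and the tiny deny-list are assumptions, since the post names no numbers, and the accounts in the usage call are constructed.

```python
"""Password policy checks in the spirit of the post: complexity rules,
no common word or account name (forwards or reversed), and mandatory ageing.
Example code added here; not the post's own tool."""
from datetime import date, timedelta
import re

# Constructed deny-list; a real deployment would load a much larger one.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}

MIN_LENGTH = 12      # assumed minimum; the post names no number
MAX_AGE_DAYS = 90    # assumed rotation interval; the post names no number


def _char_classes(pw):
    """Count how many of lower/upper/digit/symbol appear in the password."""
    patterns = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    return sum(bool(re.search(p, pw)) for p in patterns)


def check_password(username, full_name, password):
    """Return a list of policy violations (an empty list means it passes)."""
    problems = []
    low = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if _char_classes(password) < 3:
        problems.append("needs at least 3 of: lower, upper, digit, symbol")
    # The post's examples: 'drowssap' ('password' backwards) and a name backwards.
    for word in COMMON_PASSWORDS:
        if word in low or word[::-1] in low:
            problems.append(f"contains common word '{word}' or its reverse")
    name_parts = {username.lower()} | {p.lower() for p in full_name.split()}
    for part in name_parts:
        if len(part) >= 3 and (part in low or part[::-1] in low):
            problems.append(f"contains account name '{part}' or its reverse")
    return problems


def password_expired(last_set, today, max_age_days=MAX_AGE_DAYS):
    """True when the password is older than the rotation interval allows."""
    return today - last_set > timedelta(days=max_age_days)


def audit(accounts, today):
    """accounts: iterable of (username, full_name, password, last_set).
    Returns {username: [issues]} for every account that fails some rule."""
    flagged = {}
    for username, full_name, password, last_set in accounts:
        issues = check_password(username, full_name, password)
        if password_expired(last_set, today):
            issues.append("password older than policy allows")
        if issues:
            flagged[username] = issues
    return flagged


if __name__ == "__main__":
    # Constructed sample accounts; the dates are made up for the demo.
    sample = [
        ("cfo", "Pat Moneybags", "Drowssap1!", date(2010, 1, 1)),
        ("jsmith", "Jane Smith", "Tr0ub4dor&3-Horse!", date(2010, 6, 15)),
    ]
    for user, issues in audit(sample, date(2010, 7, 3)).items():
        print(user, "->", "; ".join(issues))
```

In a real rollout the same rules would live in the directory's policy (AD's domain password policy or the LDAP server's equivalent) rather than in a script, but running a checker like this against a list of accounts is how you find out which rules are not actually being enforced.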

A few years ago I used a hacking tool to go through the AD and list out users whose passwords were “simple.” Out of 350 users, the software flagged more than half of the accounts for simple passwords. Among those on the list were the CFO, the HR Director, the Accounts Payable Manager and all of the payroll clerks. Not a good thing.

Oh, and I’d walk through the office and look at monitors.  You’d be surprised at the number of times I’ve found account information taped to the monitor.