Network Security Checklist
We have compiled a network security checklist for SMBs providing actions that should be taken to secure your business network against internal and external threats.
A Network Security Checklist for SMBs
Attacks can come from all angles and as your network grows and you add more devices, increase the number of users, and use new applications, the threat surface rapidly grows, and your network becomes more complicated to defend. The purpose of this network security checklist is to provide you with tips on the key areas of network security you should be focusing on.
Develop Policies that Dictate What is and is Not Allowed
The best place to start is to develop a series of policies that describe the actions that are permitted and not permitted by your employees. If you do not explain how systems must be used and train users on best practices, risky behaviors are likely to continue that will undermine the hard work you put into defending your network.
You should develop an acceptable use policy covering all systems, and an internet access policy stating how the internet can be used and which websites and content must not be accessed. Policies are also required for email, stating how email must be used and what data is not permitted to be sent via email. You will no doubt have some workers who access your network remotely, so a policy is required covering secure remote access and the use of VPNs. If you allow the use of personal devices, a BYOD policy is a must. You should clearly state the sanctions for violating policies and must ensure that policies are enforced, ideally using automated technical measures.
Secure Servers and Workstations
All servers and workstations must be properly secured. Create a checklist for deploying new servers and workstations to ensure that each is properly secured before being used.
- Create a list of all servers and workstations on the network including their name, purpose, IP address, service dates and tag, location, and person responsible for each.
- Ensure all devices are running the latest software and are patched as soon as patches are released. Antivirus software should be used on all devices.
- Ensure a firewall is used to prevent unauthorized external access, and make sure the default username and password are changed and a strong, unique password is set. Use a default deny-all policy for both internal and external access, open only what is needed, and ensure every rule added to the firewall is fully documented. Disable any overly permissive firewall rules. Consider also using an internal, host-based, or application firewall for added security.
- Decide on a remote access solution and only use one.
- Purchase a UPS for your servers and ensure the agent on the UPS will safely shut down servers in the event of a power outage.
- Monitor server logs for unauthorized access and suspicious activity.
- Ensure servers are routinely backed up.
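The firewall items in the list above (a default deny-all policy, no permissive rules, every rule documented) can be checked mechanically against a rule export. The following is an added example, not code from the original checklist; the rule format, the sample rules and the "change #" references are constructed for the demonstration.

```python
"""Added example: audit a firewall rule set against the checklist above.
Checks for a default deny-all policy, overly permissive allow rules, and
rules without documentation. The rule format and sample rules are constructed
for this demo and are not a real firewall export."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Rule:
    action: str          # "allow" or "deny"
    src: str             # source CIDR, or "any"
    dst: str             # destination CIDR/host, or "any"
    port: str            # destination port(s), or "any"
    comment: str = ""    # who added the rule and why; must never be empty


@dataclass
class RuleSet:
    default_action: str              # what happens when no rule matches
    rules: list[Rule] = field(default_factory=list)


def audit(rs: RuleSet) -> list[str]:
    """Return a list of findings; an empty list means the rule set passes."""
    findings = []
    if rs.default_action != "deny":
        findings.append("default policy is not deny-all")
    for i, r in enumerate(rs.rules, 1):
        if r.action == "allow" and r.src == "any" and r.dst == "any":
            findings.append(f"rule {i}: allows any source to any destination")
        elif r.action == "allow" and r.src == "any" and r.port == "any":
            findings.append(f"rule {i}: allows every port from any source")
        if not r.comment.strip():
            findings.append(f"rule {i}: undocumented (no owner or reason recorded)")
    return findings


# Constructed "before" rule set with the weaknesses the checklist warns about
WEAK = RuleSet(
    default_action="allow",
    rules=[
        Rule("allow", "any", "10.0.0.5", "443", "Public web server, change #101"),
        Rule("allow", "any", "any", "any"),          # permissive and undocumented
        Rule("allow", "203.0.113.0/24", "10.0.0.10", "22", "Admin jump host, change #102"),
    ],
)

# The same intent expressed with a default deny policy and documented rules only
HARDENED = RuleSet(
    default_action="deny",
    rules=[
        Rule("allow", "any", "10.0.0.5", "443", "Public web server, change #101"),
        Rule("allow", "203.0.113.0/24", "10.0.0.10", "22", "Admin jump host, change #102"),
    ],
)

if __name__ == "__main__":
    for name, rs in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(rs) or ["OK"])
```

Running the script reports three findings for the weak set (the default policy and both problems with rule 2) and none for the hardened set; a real deployment would feed `audit()` the parsed output of the firewall's own rule export instead of the constructed `RuleSet`.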
Secure Network Equipment and Devices
You must ensure your network is secured, along with any devices allowed to connect to the network.
- You should only purchase network equipment from authorized resellers and should implement physical security controls to prevent unauthorized access to network equipment.
- Ensure all firmware is kept up to date and firmware upgrades are only downloaded from official sources.
- Maintain a network hardware list detailing the device name and type, location, serial number, service tag, and party responsible for the device.
- For ease of management and consistency, use standard configurations for each network device.
- Configure networking equipment to use the most secure configuration possible. Ensure wireless devices are using WPA2, use SSH version 2, and disable Telnet and SSH version 1.
- Make sure very strong passwords are set for remote access.
- Disable all inactive ports to prevent external devices from accessing your internal network. Also set up a guest network to ensure visitors cannot access your internal resources.
- Use network segmentation to allow parts of the network to be isolated in the event of an attack and to hamper lateral movement attempts.
- Use a remote management solution to allow the authentication of authorized users.
- If you need to use SNMP, use SNMPv3. Change default community strings and set authorized management stations. If you are not using SNMP then ensure it is switched off.
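Several of the items above (no Telnet, SSH version 2 only, no SNMPv1/v2c community strings, no default community strings) can be verified by scanning saved device configurations. The script below is an added example and not part of the original checklist; the configuration excerpts are constructed in IOS-like syntax rather than taken from real devices, and a WPA2 check is left out because wireless configuration syntax differs widely between vendors.

```python
"""Added example: audit network device configurations for the management
protocol points above (Telnet, SSH version, SNMP). The configuration
excerpts are constructed in IOS-like syntax and are not from real devices."""
import re

# Constructed configuration excerpts keyed by device name
DEVICE_CONFIGS = {
    "sw-core-01": """\
hostname sw-core-01
ip ssh version 2
snmp-server community public RO
line vty 0 4
 transport input ssh
""",
    "rtr-edge-01": """\
hostname rtr-edge-01
ip ssh version 1
snmp-server group admins v3 priv
line vty 0 4
 transport input telnet ssh
""",
}


def _has(pattern: str, config: str) -> bool:
    """True if any line of the config matches the pattern."""
    return re.search(pattern, config, re.MULTILINE) is not None


# (finding text, predicate that returns True when the weakness is present)
CHECKS = [
    ("Telnet accepted on a vty line",
     lambda c: _has(r"^\s*transport input .*\btelnet\b", c)),
    ("SSH version 2 not enforced",
     lambda c: not _has(r"^\s*ip ssh version 2\b", c)),
    ("default SNMP community string (public/private)",
     lambda c: _has(r"^\s*snmp-server community (public|private)\b", c)),
    ("SNMPv1/v2c community configured; prefer SNMPv3 with auth/priv",
     lambda c: _has(r"^\s*snmp-server community \S+", c)),
]


def audit_device(config: str) -> list:
    """Return the findings that apply to one device configuration."""
    return [finding for finding, weak in CHECKS if weak(config)]


def audit_all(configs: dict) -> dict:
    """Map device name -> list of findings for every configuration supplied."""
    return {name: audit_device(cfg) for name, cfg in configs.items()}


if __name__ == "__main__":
    for device, findings in audit_all(DEVICE_CONFIGS).items():
        print(device, findings or ["OK"])
```

The core switch is flagged for its SNMP community strings and the edge router for Telnet and the missing SSH version 2 line; the same check list can be extended with one tuple per additional configuration item you standardize on.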
User Account Management
You should adopt the principle of least privilege and only give access rights to users that need to access resources for routine, legitimate purposes. Restrict the use of admin credentials as far as is possible. Admin accounts should only be used for admin purposes. Log out of admin accounts when administration tasks have been performed and use a different account with lower privileges for routine work.
Ensure that each user has a unique account and password and make sure accounts are deprovisioned promptly when employees leave the company. Create a password policy and enforce the use of strong passwords. Consider using a password manager to help your employees remember their secure passwords.
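The account rules in this section (prompt deprovisioning, one unique account per person, admin accounts reserved for admin work with a separate standard account for routine use) translate into checks that can be run against a directory export. The following is an added example, not code from the original checklist; the account records, the leavers list and the 90-day staleness threshold are assumptions made for the demonstration.

```python
"""Added example: audit a directory export for the account hygiene points
above: accounts of leavers still enabled, shared accounts, stale accounts,
and admin accounts whose owners lack a separate standard account. The
records and the 90-day staleness threshold are assumptions for this demo."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

STALE_AFTER = timedelta(days=90)    # assumed threshold, not a figure from the checklist


@dataclass
class Account:
    username: str
    owner: Optional[str]       # None = shared account with no named person
    is_admin: bool
    enabled: bool
    last_login: Optional[date]


def audit_accounts(accounts: list[Account], leavers: set[str], today: date) -> list[str]:
    """Return one finding per violated rule; an empty list means the export is clean."""
    findings = []
    # People who hold an enabled, non-admin account for day-to-day work
    standard_owners = {a.owner for a in accounts if a.enabled and not a.is_admin and a.owner}
    for a in accounts:
        if not a.enabled:
            continue
        if a.owner in leavers:
            findings.append(f"{a.username}: owner has left but the account is still enabled")
        if a.owner is None:
            findings.append(f"{a.username}: shared account with no named owner")
        if a.last_login is None or today - a.last_login > STALE_AFTER:
            findings.append(f"{a.username}: no login in the last {STALE_AFTER.days} days")
        if a.is_admin and a.owner not in standard_owners:
            findings.append(f"{a.username}: admin account whose owner has no separate standard account")
    return findings


# Constructed directory export and HR leavers list
ACCOUNTS = [
    Account("alice", "Alice Smith", is_admin=False, enabled=True, last_login=date(2024, 5, 20)),
    Account("alice-adm", "Alice Smith", is_admin=True, enabled=True, last_login=date(2024, 5, 19)),
    Account("bob", "Bob Jones", is_admin=False, enabled=True, last_login=date(2024, 1, 3)),
    Account("scanner", None, is_admin=False, enabled=True, last_login=date(2024, 5, 21)),
    Account("carol-adm", "Carol Diaz", is_admin=True, enabled=True, last_login=None),
    Account("dave", "Dave Lee", is_admin=False, enabled=False, last_login=None),  # disabled: skipped
]
LEAVERS = {"Bob Jones", "Dave Lee"}

if __name__ == "__main__":
    for line in audit_accounts(ACCOUNTS, LEAVERS, date(2024, 5, 22)):
        print(line)
```

On the constructed data the report shows Bob's still-enabled account (also stale), the shared `scanner` account, and Carol's admin account, which has never been used and has no standard counterpart; Alice, who holds a standard account plus a separate admin account, passes every check.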
Vulnerability Scanning and Patch Management
You should be regularly scanning for vulnerabilities using a vulnerability scanning application, configured to scan once a week, with internal scans scheduled monthly. Internal scans will help you identify any rogue or unmanaged network devices and confirm that all software is up to date.
Patches are regularly released for all software solutions and operating systems. Microsoft releases its patches on the second Tuesday of every month. Patches are released to address known vulnerabilities, some of which are under active exploitation. Patches should be applied as soon as they are released (after testing). Once software reaches end of life and is no longer supported, it must be upgraded or uninstalled.
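The Patch Tuesday cadence described above gives a fixed reference point for measuring whether hosts are being patched promptly. The script below is an added example, not code from the original checklist: it computes the second Tuesday of a month, finds the most recent one, and flags hosts that missed it as well as hosts still running end-of-life software. The host records and the 14-day grace period for testing and rollout are assumptions made for the demonstration.

```python
"""Added example: track patch status against Microsoft's Patch Tuesday
cadence and flag end-of-life software. The host list and the 14-day grace
period are assumptions for this demo, not figures from the checklist."""
from datetime import date, timedelta

GRACE_DAYS = 14   # assumed window allowed for testing and rollout after release


def second_tuesday(year: int, month: int) -> date:
    """Microsoft's Patch Tuesday is the second Tuesday of the month."""
    first = date(year, month, 1)
    offset = (1 - first.weekday()) % 7      # weekday(): Monday=0, so Tuesday=1
    return first + timedelta(days=offset + 7)


def latest_patch_tuesday(today: date) -> date:
    """Most recent Patch Tuesday on or before `today`."""
    pt = second_tuesday(today.year, today.month)
    if pt > today:   # this month's release has not happened yet; use last month's
        year, month = (today.year - 1, 12) if today.month == 1 else (today.year, today.month - 1)
        pt = second_tuesday(year, month)
    return pt


def patch_findings(hosts, today: date) -> list:
    """hosts: iterable of (name, last_patched_date, software_is_end_of_life)."""
    cutoff = latest_patch_tuesday(today)
    deadline = cutoff + timedelta(days=GRACE_DAYS)
    findings = []
    for name, last_patched, eol in hosts:
        if eol:
            findings.append(f"{name}: runs end-of-life software; upgrade or uninstall")
        elif last_patched < cutoff and today > deadline:
            late = (today - deadline).days
            findings.append(f"{name}: not patched since {last_patched}; "
                            f"the {cutoff} release is {late} days past its deadline")
    return findings


# Constructed host records: (name, date of last patch run, end-of-life flag)
HOSTS = [
    ("dc01", date(2024, 5, 15), False),
    ("file01", date(2024, 4, 12), False),
    ("legacy01", date(2023, 1, 1), True),
]

if __name__ == "__main__":
    for line in patch_findings(HOSTS, date(2024, 6, 3)):
        print(line)
```

Checked on 3 June 2024, the latest Patch Tuesday is 14 May, so `dc01` (patched 15 May) is current, `file01` is overdue, and `legacy01` is flagged for its unsupported software regardless of patch date.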
Antivirus Software
All endpoints should have antivirus software installed, including mobile devices. The antivirus software should be configured to update automatically, and regular scans should be performed. The AV software should be configured to scan files, but also to provide protection against malware downloads from the internet, and scans should be performed on all removable drives if you choose not to lock down your USB ports.
Email Security
Email is the most common attack vector used to gain access to business networks. Phishing is used in 90% of cyberattacks and email is a common source of malware infections. You should use an email security solution that scans inbound and outbound email to protect your network from attack and avoid reputation damage should email accounts be compromised and used to attack your business contacts.
Your email security solution should provide protection against the full range of email threats, including email impersonation attacks, phishing/spear phishing, and malware and ransomware. The solution should also be configured to prevent directory harvesting attempts.
Web Filtering
The internet is a common source of malware infections and phishing attacks usually have a web-based component. You should implement a web filtering solution such as a DNS filter to provide secure internet access, which should protect users on and off the network. Your filtering solution should be capable of decrypting, scanning, and re-encrypting HTTPS traffic, and should scan for malware in file downloads, streaming media, and scripts on web pages. Use port blocking to block unauthorized outbound traffic and attempts to bypass your internet controls.
Backups
In the event of a ransomware attack, hardware failure, or other catastrophic data destruction event, your data must be recoverable. You must regularly back up your data and create multiple backup copies. A good approach to adopt is the 3:2:1 strategy: make three backups, store them on two different media, and keep one copy off site.
Backups should be encrypted for additional security, especially any that are stored off-site. Backups are useless if they cannot be used to recover data so ensure that backups are tested to make sure data recovery is possible. Once backup media has reached end of life, ensure the media is securely destroyed.
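The two paragraphs above make two separate demands: the copies must satisfy the 3:2:1 rule (with off-site copies encrypted), and every copy must be proven restorable rather than assumed to be. The following is an added example, not code from the original checklist; the backups are small in-memory tar archives standing in for a real backup job, and the source files, copy labels and the "corrupted tape" are constructed for the demonstration.

```python
"""Added example: check a set of backup copies against the 3:2:1 rule and
prove each copy can actually be restored. Backups here are in-memory tar
archives standing in for a real backup job; all data is constructed."""
import hashlib
import io
import tarfile
from dataclasses import dataclass


@dataclass
class BackupCopy:
    label: str
    media: str          # e.g. "disk", "tape", "cloud"
    offsite: bool
    encrypted: bool     # assumed attribute of where the copy is stored
    archive: bytes      # the backup payload (a tar archive in this demo)


def make_archive(files: dict) -> bytes:
    """Pack path -> bytes into a ustar archive (stand-in for the backup job)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def restore(archive: bytes) -> dict:
    """Unpack an archive into path -> bytes; raises TarError if it is unreadable."""
    files = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for member in tar.getmembers():
            f = tar.extractfile(member)
            if f is not None:
                files[member.name] = f.read()
    return files


def digest(files: dict) -> str:
    """Order-independent SHA-256 over paths and contents, for comparing a restore with the source."""
    h = hashlib.sha256()
    for path in sorted(files):
        h.update(path.encode() + b"\0" + files[path] + b"\0")
    return h.hexdigest()


def check_3_2_1(copies: list) -> list:
    """Findings against the 3:2:1 rule plus the encrypt-off-site requirement."""
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies; the rule calls for three")
    if len({c.media for c in copies}) < 2:
        findings.append("all copies are on the same kind of media")
    if not any(c.offsite for c in copies):
        findings.append("no copy is stored off site")
    for c in copies:
        if c.offsite and not c.encrypted:
            findings.append(f"{c.label}: off-site copy is not encrypted")
    return findings


def verify_restores(copies: list, expected_digest: str) -> dict:
    """label -> True if a restore of that copy reproduces the source data exactly."""
    results = {}
    for c in copies:
        try:
            results[c.label] = digest(restore(c.archive)) == expected_digest
        except tarfile.TarError:
            results[c.label] = False
    return results


# Constructed source data and three copies; the tape copy is silently corrupted
SOURCE = {"finance/ledger.csv": b"date,amount\n2024-05-01,100\n",
          "hr/staff.txt": b"alice\nbob\n"}
GOOD = make_archive(SOURCE)
BAD = bytearray(GOOD)
BAD[520] ^= 0xFF          # flip one byte inside the first file's data block
COPIES = [
    BackupCopy("disk", "disk", offsite=False, encrypted=True, archive=GOOD),
    BackupCopy("tape", "tape", offsite=False, encrypted=True, archive=bytes(BAD)),
    BackupCopy("cloud", "cloud", offsite=True, encrypted=False, archive=GOOD),
]

if __name__ == "__main__":
    print(check_3_2_1(COPIES))
    print(verify_restores(COPIES, digest(SOURCE)))
```

The policy check passes the three-copy, two-media, one-off-site test but flags the unencrypted cloud copy, and the restore test is what catches the corrupted tape: the archive still opens and lists cleanly, so only comparing restored content against a known digest of the source reveals that it cannot be trusted.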
Remote Access
Allowing remote access to network resources introduces considerable risk. If remote access is not required, ensure that remote desktop access is blocked. If employees need to access systems remotely, make sure training is provided and only approved channels are used. Tunnel all remote traffic through a VPN and set strong policies to lock accounts after a set number of failed login attempts to prevent brute force attacks. Perform regular reviews of remote access logs to identify suspicious activity such as unusual access times and ensure that multi-factor authentication is enabled.
Traffic and Log Monitoring
You should be regularly reviewing access and traffic logs to identify suspicious activity that could indicate an attack in progress. Make sure logging is enabled and logs are regularly reviewed. If you only have a handful of servers you could do this manually, but ideally you should have a security information and event management (SIEM) solution to provide real-time analysis of security alerts generated by your endpoints and network equipment.
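The Remote Access paragraph asks for lockout after repeated failed logins and for reviews that pick out unusual access times, and this section asks for the same review to be automated. The script below is an added example, not code from the original checklist or any SIEM product: it parses constructed syslog-like VPN authentication lines (not real device output) and raises an alert for a burst of failures from one source, for any later success from that source, and for successful logins outside business hours. The five-failure threshold, ten-minute window and 08:00-18:00 business hours are assumptions for the demonstration.

```python
"""Added example: review constructed VPN authentication logs for the two
patterns the checklist calls out: repeated failed logins (brute force) and
logins at unusual hours. Thresholds and log format are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines in a syslog-like shape (not real device output)
LOG_LINES = """\
2024-05-21T02:14:05 vpn01 auth: FAILED user=bob src=198.51.100.7
2024-05-21T02:14:09 vpn01 auth: FAILED user=bob src=198.51.100.7
2024-05-21T02:14:13 vpn01 auth: FAILED user=bob src=198.51.100.7
2024-05-21T02:14:18 vpn01 auth: FAILED user=bob src=198.51.100.7
2024-05-21T02:14:22 vpn01 auth: FAILED user=bob src=198.51.100.7
2024-05-21T02:15:01 vpn01 auth: SUCCESS user=bob src=198.51.100.7
2024-05-21T09:30:44 vpn01 auth: SUCCESS user=alice src=203.0.113.9
2024-05-21T10:02:11 vpn01 auth: FAILED user=alice src=203.0.113.9
2024-05-21T23:41:00 vpn01 auth: SUCCESS user=carol src=192.0.2.44
"""

LINE_RE = re.compile(r"^(\S+) (\S+) auth: (FAILED|SUCCESS) user=(\S+) src=(\S+)$")
FAIL_THRESHOLD = 5                 # assumed: alert (and lock) at five failures
WINDOW = timedelta(minutes=10)     # assumed: failures counted within ten minutes
BUSINESS_HOURS = range(8, 18)      # assumed: 08:00 to 17:59 is normal working time


def parse(lines: str) -> list:
    """Turn log text into (timestamp, host, result, user, src) tuples, skipping unparsable lines."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, result, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), host, result, user, src))
    return events


def detect(events: list) -> list:
    """Return alert strings in the order the triggering events were seen."""
    alerts = []
    recent = defaultdict(deque)    # src -> timestamps of failures inside WINDOW
    flagged = set()                # sources already reported for brute force
    for ts, host, result, user, src in events:
        if result == "FAILED":
            q = recent[src]
            q.append(ts)
            while q and ts - q[0] > WINDOW:     # drop failures older than the window
                q.popleft()
            if len(q) >= FAIL_THRESHOLD and src not in flagged:
                flagged.add(src)
                alerts.append(f"{src}: {len(q)} failed logins within "
                              f"{WINDOW.seconds // 60} min (possible brute force)")
        else:
            if ts.hour not in BUSINESS_HOURS:
                alerts.append(f"{user} logged in from {src} at {ts:%H:%M} outside business hours")
            if src in flagged:
                alerts.append(f"{user}: successful login from {src} after a brute-force pattern")
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(LOG_LINES)):
        print(alert)
```

On the sample data the run yields four alerts: the five-failure burst from 198.51.100.7, Bob's subsequent 02:15 login (both out of hours and from the flagged source) and Carol's 23:41 login. Alice's single daytime failure is ignored, which is the point of counting within a window rather than alerting on every failure.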
Implement Multifactor Authentication on Accounts
Multifactor authentication requires a second factor to be provided in addition to a password before account access is permitted. It is the single most important step other than setting a password to prevent unauthorized account access. Multifactor authentication will block 99.9% of unauthorized account access attempts, according to Microsoft.
Data Loss Prevention
A data loss prevention solution will ensure that your data is protected in the event of a breach and will identify any attempts by malicious insiders to steal intellectual property and sensitive data. Many email security solutions also incorporate DLP measures to block attempts to send sensitive data via email. Make sure those functions are enabled and configured.
Threat Intelligence
You should keep up to date on the latest threats and tactics, techniques, and procedures (TTPs) being used by adversaries to gain access to networks. Threat intelligence is widely available. Sign up for alerts with the CERT team in your country and consider subscribing to multiple threat intelligence feeds. The feeds and alerts will advise you of new attack methods, as well as vulnerabilities that are currently being exploited, allowing you to take proactive steps to prevent attacks.
Security Awareness Training
If you follow this network security checklist and implement all of the above protections, your network will be well secured, but even robust network security defenses can be undone if your employees engage in risky behaviors and are not aware of security best practices. Employees should be provided with security awareness training to teach cybersecurity best practices and how to identify threats such as phishing. Security awareness training should be provided regularly, and you should keep employees up to date on the latest threats.