Start as you mean to go on
The best way to protect your systems is by being secure from the moment the systems are built. Here are some typical things you should do.

1. Always build your server(s) on a private network that is not connected to the rest of the corporate LAN, or the Internet, in a secure location where an unauthorised intruder could not interfere. If you receive a computer with a pre-installed copy of the operating system, then where possible, do a clean build from the manufacturer's original media, or from a customised image prepared by your company.
2. If the facility exists, set the boot/BIOS password as soon as possible. Remember there may be a manufacturer's default that could override it! A power-on password will also prevent a computer from auto-rebooting.
3. Set user passwords as soon as possible. Lock down and remove any "guest" accounts unless you really need them.
4. If you don't use it, don't install it! The key to having a secure system is understanding what has been installed, knowing what it does, and why. Most software vendors tend to enable all possible features because "their software is their shop-window". Therefore when you install a new program, there tend to be lots of features that you will never need or use, and possibly don't even know exist. This ignorance is probably the best weapon in the attacker's armoury, because if you don't know that a feature or backdoor exists, you are unlikely to try to close it. This is why most firewalls use the technique of "deny everything unless you specifically enable it", which protects you from the unknown.
5. After building a system, patch and strengthen it as much as you possibly can before attaching it to a public network. This includes any anti-virus or firewall software. There are some patches that can only be installed directly from the Internet (e.g. Microsoft Windows Update), but some can be downloaded from corporate sites or be obtained from patch CDROMs. A good source of these patches is the CDs provided with computer magazines. If you do use a magazine CDROM, don't forget to scan it with your own up-to-date anti-virus software, because, whilst magazine authors do their utmost, things do sometimes slip through. Most Internet download sites tend to provide a checksum or fingerprint that can be used to check that the program has not been corrupted or tampered with. This is not foolproof but does cut down the chance of attack.
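Checking a downloaded file against the digest a site publishes, as an added example that is not part of the original article. It assumes a POSIX shell with either sha256sum (GNU coreutils) or shasum (BSD/macOS); the sample file and its digest are constructed for the demonstration, not taken from a real download.

```shell
#!/bin/sh
# Added example (not from the original article): verify a downloaded file
# against the SHA-256 checksum the download site publishes before you
# install it. Works with sha256sum (GNU) or shasum (BSD/macOS).

# Compute the SHA-256 hex digest of a file, whichever tool is present.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_download FILE EXPECTED_HEX
# Returns 0 when the digest matches, 1 on mismatch, 2 if the file is unreadable.
# Comparison is case-insensitive because sites publish digests either way.
verify_download() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published SHA-256"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Demonstration on a constructed file (contents "hello\n", whose SHA-256 is
# the well-known value below) rather than a real download.
demo_file=$(mktemp)
printf 'hello\n' > "$demo_file"
good_hash=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
verify_download "$demo_file" "$good_hash"            # matches
printf 'tampered\n' >> "$demo_file"
verify_download "$demo_file" "$good_hash" || true    # now reports MISMATCH
rm -f "$demo_file"
```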
6. Take care when naming your system(s). Do NOT use names such as "Accounts" which identify what the system does, or reveal that it may hold data that is of special interest to an attacker. A popular alternative is to use something easy to remember, e.g. capital cities of the world, characters in Star Trek, etc. Use this same rule when creating account names, because once an attacker knows the username, they only need the password. Therefore create a naming scheme such as a user's initials plus some characters/numbers that cannot obviously be guessed or derived. A good example is a machine called "Voyager" with a user "aco723".
7. Research your software by regularly visiting the manufacturer's website, and security news sites.
8. Some operating systems are easier to harden than others as they publish their source-code and work with members of the security community to improve their code. Unfortunately Microsoft and some others don't share this view, and jealously guard their code. Obviously if the code is kept private then anti-virus and other security manufacturers cannot develop such effective protection.
9. Once you have built and patched your system, edit the login messages to remove any messages that could identify the particular version and manufacturer of the operating system, and any suggestion of an "invitation" to use the system. Replace it with a legal warning, e.g. "Welcome to Linux" should become "This is a private system operated by XXX, any unauthorised access is prohibited. If you are not an authorised user, or do not agree to abide by the terms and conditions laid down by the owners, then disconnect immediately." Removing information about the operating system and version makes life harder for an attacker, as they may be trying to exploit a particular weakness. Any reference to "welcome" must not appear in your sign-on message for legal reasons. Hackers have successfully used this as a legal defence, saying that they were effectively invited to enter the system. If your sign-on message clearly states that this is a private system, then the argument that an attacker logged in accidentally is also foiled. NB. You may not want to identify your company directly in this message if it could be seen as an incentive to attack (e.g. British Nuclear Fuels or The Israeli State Department).
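Replacing the stock login banners and checking them for invitations or operating-system identifiers, as an added example that is not part of the original article. It assumes a Linux-style host where the banners live in /etc/issue and /etc/issue.net (BANNER_DIR is a hypothetical override so the script can be exercised against a scratch directory), and it checks for the agetty escapes \s, \r, \m and \v, which expand to the system name, kernel release, architecture and version, as well as the literal uname output.

```shell
#!/bin/sh
# Added example (not from the original article): install a legal-warning
# login banner and check that no banner file invites the reader in or
# identifies the operating system. Assumes /etc/issue and /etc/issue.net;
# BANNER_DIR is a hypothetical override for testing outside /etc.

BANNER_DIR=${BANNER_DIR:-/etc}

# Write the warning text to the given file (wording follows the article).
write_banner() {
    cat > "$1" <<'EOF'
This is a private system operated by XXX. Any unauthorised access is
prohibited. If you are not an authorised user, or do not agree to abide by
the terms and conditions laid down by the owners, disconnect immediately.
EOF
}

# check_banner FILE: return 1 if the file contains "welcome" (any case), an
# agetty escape that prints OS details, or the uname system/release string;
# return 0 if it is clean or absent.
check_banner() {
    f=$1
    [ -f "$f" ] || return 0            # nothing to leak if the file is absent
    if grep -qi 'welcome' "$f"; then
        echo "$f: contains an invitation (welcome)" >&2; return 1
    fi
    if grep -qE '\\[srmv]' "$f"; then  # \s \r \m \v expand to OS details
        echo "$f: uses a getty escape that reveals the OS" >&2; return 1
    fi
    for leak in "$(uname -s)" "$(uname -r)"; do
        if grep -qF "$leak" "$f"; then
            echo "$f: reveals the operating system ($leak)" >&2; return 1
        fi
    done
    return 0
}

# Replace the stock banners and verify them; returns 0 only if all are clean.
harden_banners() {
    rc=0
    for name in issue issue.net; do
        write_banner "$BANNER_DIR/$name"
        check_banner "$BANNER_DIR/$name" || rc=1
    done
    return $rc
}
```

Point sshd at the same text with `Banner /etc/issue.net` in sshd_config so remote logins see the warning before authentication.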
11. All operating systems have several points of entry e.g. ftp, mail, etc. and all must be considered.
12. After building a system, read your software documentation and check for any default usernames and passwords that may have been created. Make sure that you either delete/disable them or change the password. This also applies to modems, routers, and other hardware such as a PC's BIOS.
13. If your machine has a locking case or security strap, ensure that you use it. Remember that most BIOS passwords can be reset by moving a jumper or removing the battery from the motherboard.
14. An unlocked system cabinet may also allow an attacker to steal a hard disk or other component. A modern disk drive is small and could easily be hidden in a bag or under clothes.
15. Change the BIOS so that the machine cannot boot from any removable device such as a floppy or CDROM; this should prevent anyone from bypassing your system's security.
16. Create a procedure for destroying failed or replaced disk drives as they may contain confidential data.
17. Always ensure that any changes made during a security pen-test are correctly backed-out.