
CompTIA Security+ Deluxe Study Guide: SY0-201 - Emmett Dulaney [270]

control at all times, especially when away from work.

■ Never grant access to a secured area to anyone who is not specifically authorized to be in that area, including your family and friends.

■ Don’t help strangers if it involves violating company security procedures; it could be a social engineering attack attempt.

■ Regularly check the inspection tags on fire extinguishers, detectors, and sprinkler systems, and report any expired tags.

■ Never install equipment or computer hardware, especially wireless devices, without specific written authorization.

■ Watch for roof leaks, window leaks, or bathroom overflows and report them.

■ Avoid touching computer equipment or electronic devices until you have grounded yourself; static electricity can build up in any low-humidity environment, not just during the winter.

■ Don’t run any device that might overheat and start a fire.

■ Never store or place combustible materials near electronic equipment, especially near electrical distribution points or heat exhaust fans.

Reporting actual malicious activity will be rewarded and encouraged. However, if you become the squeaky wheel and most of your reports turn out to be false positives, you may get a reprimand or a strong encouragement to mind your own business. So, be sure that what you are reporting is worth reporting and that you’re not just being a nosy neighbor.

Securing the Infrastructure

Defense in depth should always be the guiding principle when designing the security of an entire LAN. Start with the location of your most important, valuable, and essential assets. From that location, design multiple overlapping layers of security. Each layer should provide some aspect of deterrence, denial, detection, and delay as appropriate for the value of the assets being protected.

Here are some good ideas for developing and deploying a solid and secure network infrastructure:

■ Every inbound or outbound communication stream should be monitored and filtered by a firewall.

■ Firewalls should be deployed between different departments, security levels, and geographically distant subnets.

■ Firewalls should be configured to deny by default and to allow only by explicit, necessary exception.

■ When possible, deploy firewalls with packet filtering, application filtering, session filtering, and stateful inspection filtering capabilities.

■ Firewalls should be deployed as stand-alone network appliances.

■ Software firewalls should be deployed on all internal systems, clients, and servers.

■ All internal user interaction with the Internet should be controlled through a proxy server.

■ All internal clients should be assigned an RFC 1918 IP address and their access to the Internet supported through a NAT system.

■ The proxy server should automatically block known malicious sites.

■ The proxy server should cache often-accessed sites to improve performance.

■ Routers should be configured to prevent unauthorized modifications to routing tables.

■ All network devices should be kept in locked rooms or cabinets to prevent unauthorized physical access.

■ Hubs should be replaced with switches.

■ Switches should be configured to watch for ARP and MAC flooding attacks.

■ Switches should be used to block sniffing attacks.

■ Switch configuration should be protected.

■ Wireless networks should be avoided.

■ Infrared and Bluetooth should be avoided; wires are always more secure and more reliable, and they have greater throughput.

■ Modem-based remote access should be avoided.

■ Remote access should be properly secured (see the discussion in the section “Communications Security” earlier in this chapter).

■ Standard telephone systems should be replaced with a securable PBX or Voice over IP (VoIP) system.

■ Audit phone usage.

■ VPN usage should be limited.

■ VPNs should always have the strongest authentication and data encryption available.

■ Network IDSs should be deployed throughout the environment.

■ Host-based IDSs should be deployed on mission-critical systems or identified common attack targets.
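Two items from the list above, deny by default with explicit exceptions and RFC 1918 addressing for internal clients, can be checked mechanically. The following is an added example, not taken from the book; the rule tuple format, host names, and addresses are constructed for illustration.

```python
import ipaddress

# The three private blocks from RFC 1918. ipaddress's is_private flag is broader
# (it also covers loopback, link-local, ...), so membership is tested explicitly.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def non_rfc1918_clients(inventory):
    """Return host names of internal clients addressed outside RFC 1918."""
    return [host for host, addr in inventory.items() if not is_rfc1918(addr)]

def audit_ruleset(rules):
    """Lint an ordered, first-match rule list against deny-by-default.
    Each rule is (action, src, dst, port); "any" is the wildcard (assumed format)."""
    findings = []
    if not rules or rules[-1] != ("deny", "any", "any", "any"):
        findings.append("no final deny-all rule")
    for i, (action, src, dst, port) in enumerate(rules, 1):
        if action == "allow" and src == "any" and dst == "any":
            findings.append(f"rule {i}: allow from any to any")
        elif action == "allow" and port == "any":
            findings.append(f"rule {i}: allow on all ports")
    return findings

# Constructed sample data: a permissive rule set beside a corrected one.
WEAK = [("allow", "10.1.0.0/16", "any", "any"),
        ("deny", "any", "10.9.0.5", "23"),
        ("allow", "any", "any", "any")]
HARDENED = [("allow", "10.1.0.0/16", "10.9.0.10", "3128"),  # clients -> proxy
            ("allow", "10.9.0.10", "any", "443"),           # proxy -> Internet
            ("deny", "any", "any", "any")]
CLIENTS = {"ws-01": "10.1.4.20", "ws-02": "172.32.0.9", "ws-03": "192.168.7.3",
           "ws-04": "172.31.255.1", "ws-05": "169.254.10.2"}

if __name__ == "__main__":
    print("weak:", audit_ruleset(WEAK))
    print("hardened:", audit_ruleset(HARDENED))
    print("outside RFC 1918:", non_rfc1918_clients(CLIENTS))
```

Note that 172.32.0.9 falls just outside 172.16.0.0/12, a common addressing mistake that the check catches.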
