There's a growing list of basic tasks users must perform. Many are recommended by Symantec Security Response:
- Turn on virus protection software, and be vigilant about installing patches for it.
- Use complex passwords that include numbers and mixed characters. Uncommon passwords can be easier to remember if users commit to them. Change passwords every three to six months.
- Install firewalls, then monitor them to check on who accesses the network and what software they use. Deny incoming connections, and allow only the services that users explicitly want to offer to the outside world.
- Disable unnecessary ports and components, so users and devices use only the applications appropriate to what they need to do their jobs. Make sure that programs and people use the lowest-level privileges necessary to complete a task.
- Restrict PCs as much as possible. An HMI should run only programs needed to operate, and interact only with appropriate devices. Delete programs like Internet Explorer. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
- Disable AutoPlay to prevent automatic launching of executable files on the network and removable drives, and disconnect the drives when not required. If write access is not required, enable the read-only mode option, if available.
- Turn off file sharing. If it's required, use ACLs and passwords to limit access. Disable anonymous access.
- Turn off/remove unnecessary services. Many operating systems install non-critical auxiliary services that are avenues for attack.
- If a threat exploits one or more network services, disable or block access to those services until a patch is applied.
- Keep patch levels up-to-date, especially on computers that host public services and are accessible through the firewall.
- Configure email servers to block or remove email that contains file attachments that are commonly used to spread threats.
- Isolate compromised computers quickly. Perform a forensic analysis and restore the computers using trusted media.
- Educate and retrain staff to follow security policies and not work around them.
- If you require Bluetooth for mobile devices, ensure that the device's visibility is set to Hidden so that it can't be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to Unauthorized, requiring authorization for each connection request.
- Finally, for resources from the main government and other organizations that deal with cybersecurity, coordinate responses across many industries, and help to draft network security standards, visit www.industrialnetworking.net/security.
This article is a sidebar of February 2012's cover story "Security Prevents Unauthorized Access."