Not auditors but real hackers ...

Best Practices

  • Make sure you have a security policy in place -- The security policy is the formal statement of rules on how security will be implemented in your organization. A security policy should define the level of security and the roles and responsibilities of users, administrators and managers.

  • Make sure all of your operating systems and applications are patched with the latest service packs and hotfixes -- Keeping your systems patched will close vulnerabilities that can be exploited by hackers.

  • Keep an inventory of your network devices -- Develop and maintain a list of all hardware/software components, and understand which default software installations provide weak security configurations.

  • Scan TCP/UDP services -- Turn off or remove unnecessary services. Unneeded services can be the entry point attackers use to gain control of your system.

  • Establish a strong password policy -- Weak passwords could mean a compromised user account.

  • Don't trust code from non-trusted sources.

  • Block certain e-mail attachment types -- This list includes .bas, .bat, .exe and .vbs.

  • Don't provide more rights to system resources than necessary -- Implement the concept of "least privilege".

  • Perform your own network security testing -- Find the holes before the attackers do!

  • Implement "defense-in-depth" -- Don't rely on just one control or system to provide all the security you need.
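One way to enforce the attachment-type block described in the list above, as an added example (not code from the guide): a gateway-style check that parses a MIME message and flags attachments whose effective extension is on the list. The extension set is the one given above; the sample message is constructed and the normalisation rules are an assumption about how a filter should treat disguised names.

```python
import email

# Extension list from the guide (.bas, .bat, .exe, .vbs); compared lower-case.
BLOCKED_EXTENSIONS = {".bas", ".bat", ".exe", ".vbs"}


def effective_extension(filename: str) -> str:
    """Normalise to the extension the receiving OS would act on.

    Trailing dots/spaces are dropped (Windows strips them on save), the name
    is lower-cased and only the LAST extension counts: 'invoice.pdf.EXE.'
    gives '.exe'; a dotfile such as '.bashrc' has none and gives ''.
    """
    name = filename.rstrip(". ").lower()
    dot = name.rfind(".")
    return name[dot:] if dot > 0 else ""


def blocked_attachments(raw_message: str) -> list[str]:
    """Parse a raw MIME message; return filenames hitting the block list."""
    msg = email.message_from_string(raw_message)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        # get_filename() reads Content-Disposition filename= and falls back
        # to Content-Type name=, so a name placed in either header is seen.
        filename = part.get_filename()
        if filename and effective_extension(filename) in BLOCKED_EXTENSIONS:
            hits.append(filename)
    return hits


# Constructed sample: a benign PDF, an executable disguised with a double
# extension, mixed case and a trailing dot, and a VBScript named only in Content-Type.
SAMPLE_MESSAGE = """MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Disposition: attachment; filename="report.pdf"

%PDF-1.4 placeholder
--b1
Content-Disposition: attachment; filename="invoice.pdf.EXE."

MZ placeholder
--b1
Content-Type: application/octet-stream; name="macro.vbs"

WScript.Echo "placeholder"
--b1--
"""
```

Running `blocked_attachments(SAMPLE_MESSAGE)` returns the two disguised names and lets the PDF through; a real gateway would quarantine or strip the flagged parts rather than just list them.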

You can find the full guide Here.

SANS Top-20

Top Ten Network Security Tips

Wondering what the "best practices" are for securing your network? There is a very informative document called "The 60 Minute Network Security Guide" on the National Security Agency Web site ( Here's a brief summary ...