Most environments I encounter in my everyday job have one common issue: they are difficult to secure. They are complex, heterogeneous, lack inventory management, have a great number of dependencies, are decentralized, etc.
These are some of the steps one can follow to create a secure environment. Consider the possibility of creating a new parallel environment and migrating into it; it's sometimes the only way if you really want to succeed!
Steps to a secure IT-environment:
Standardise, centralize and modernize your environment.
A standardized and centralised environment is a lot easier to manage and monitor, and therefore easier to secure. Modern hardware, operating systems and applications are often more secure and easier to manage. A good time to initiate this project could be when you move to the Windows Server 2008/Windows Vista/Windows 7 platforms.
Segment and harden the perimeter. (Layer 3 is not enough!)
Consider application inspection and monitoring. Use whitelisting whenever possible (as opposed to blacklisting). Segment the perimeter. (Why should a compromised DNS server in the DMZ be able to make direct connections to a mail server in the DMZ?)
Segment and harden the network layer
Implement internal segmentation and isolation. Why should an ordinary client be able to connect to back-end SQL servers? (Most internal networks are not "trusted"; think of them as the internet and only expose front-end services.) Why should a client be able to connect directly to another client? (This is a vector for hacker attacks and worms; enforce local firewall rules to prevent it.) A combination of IPsec, VLAN segmentation, internal ISA Server segmentation and local firewalling can be used for network-layer hardening.
Role-base and harden servers, clients, services and applications
If you role-base clients, servers, services and applications they will become easier to manage, harden, monitor and delegate administration for. Harden them according to the corresponding security guides and use local firewalls.
Enforce a restrictive software deployment and execution policy.
Vulnerable or trojaned applications can lead to system compromise. Make sure that you only use quality applications in your environment. Use a centralized deployment process so that you can keep an inventory.
Patch everything!
Since you are enforcing a good software deployment process it's easy to implement a good patch management process, where you make sure that you are able to patch or mitigate all known threats to your installed software. Remember that network appliances and similar devices also have software installed. Patch EVERYTHING!
Implement strong authentication on exposed services
Easy-to-guess passwords, weak network authentication protocols etc. are common reasons for system/application compromise. PKI-based smartcards, OTP etc. are stronger alternatives to ordinary passwords. Legacy applications can be terminalized, virtualized, proxied or tunneled in IPsec/VPN to make use of stronger authentication.
Delegate administration and data access according to least privilege
If an account gets compromised, the attacker will be able to do everything that account has rights and permissions to do. Enforce least privilege everywhere, avoid unnecessary dependencies and remember that a user's credentials are always exposed on the system he is logged on to.
Audit and monitor critical computers, users and services
You want to know if your systems are attacked, and you want to be able to analyse logs if a system has been compromised. Real-time logging to an independent, secure system is always a good thing. (Separation of duties ensures that a hacker cannot alter the logs.)
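As an added example (not part of the original post), here is a small Python script that joins the network-layer point with the monitoring point: it parses Windows Firewall log lines (the pfirewall.log W3C format) as they would arrive on a central log host, and flags any client that has tried to reach several other clients, the worm-like client-to-client pattern that the local firewall rules above are meant to block. The log lines, the 10.1.2.0/24 client subnet and the threshold are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of Windows Firewall log lines (pfirewall.log, W3C
# extended format) as they would arrive on a central log host; the
# addresses, times and the 10.1.2.0/24 client subnet are made up.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2009-06-01 10:00:01 DROP TCP 10.1.2.3 10.1.2.4 49152 445 52 S 1 0 8192 - - - RECEIVE
2009-06-01 10:00:02 DROP TCP 10.1.2.3 10.1.2.5 49153 445 52 S 1 0 8192 - - - RECEIVE
2009-06-01 10:00:03 DROP TCP 10.1.2.3 10.1.2.6 49154 445 52 S 1 0 8192 - - - RECEIVE
2009-06-01 10:00:05 ALLOW TCP 10.1.2.9 10.1.0.10 49200 445 0 - 0 0 0 - - - SEND
2009-06-01 10:00:06 DROP TCP 10.1.2.20 10.1.2.21 49300 3389 52 S 1 0 8192 - - - RECEIVE
"""
CLIENT_NET = ipaddress.ip_network("10.1.2.0/24")  # assumed client VLAN

def parse_firewall_log(text):
    """Turn log lines into dicts keyed by the names in the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) == len(fields):  # skip truncated or malformed lines
            records.append(dict(zip(fields, values)))
    return records

def find_client_fanout(records, client_net, threshold=3):
    """Map client src-ip -> sorted list of distinct client dst-ips, keeping
    only sources that tried to reach at least `threshold` other clients."""
    targets = defaultdict(set)
    for rec in records:
        try:
            src = ipaddress.ip_address(rec["src-ip"])
            dst = ipaddress.ip_address(rec["dst-ip"])
        except ValueError:
            continue  # non-IP values such as "-" in some entries
        if src in client_net and dst in client_net and src != dst:
            targets[str(src)].add(str(dst))
    return {src: sorted(dsts, key=ipaddress.ip_address)
            for src, dsts in targets.items() if len(dsts) >= threshold}

if __name__ == "__main__":
    for src, dsts in find_client_fanout(parse_firewall_log(SAMPLE_LOG), CLIENT_NET).items():
        print(f"{src} tried {len(dsts)} other clients: {', '.join(dsts)}")
```

With the client-to-client firewall rule in place these attempts show up as DROP entries, so a host fanning out like 10.1.2.3 above is worth a look even though nothing got through.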
Encrypt hard drives on exposed computers
If a computer is ever left unattended and potentially exposed to someone untrusted it should use strong hard drive encryption and be turned off at the time of exposure.
Educate users
If users practice restrictive interaction with untrusted websites, applications, devices and people you will decrease the attack surface drastically.
Implement understandable and accessible policies and processes
Almost nobody will read a 200-page IT security policy document that is not even possible to enforce in the real world. Implement an easy-to-read policy that presents relevant information to each role in the company, and limit the pages that every role gets to a minimum. (Maybe the receptionist needs 2 pages while the IT support guy needs 6 pages.)
Of course there are more things that could be done; consider this a simple "draft". Feel free to comment on this post, we can all complete the list together. :)