I don't fancy myself as one of the greats in the IT world. I know I'm a lowly rookie IT professional just starting out, but I do think my daily security checklist is worth sharing. If you don't have a security checklist you go through each day, you might want to create one (heck, steal mine, I don't care) so you can catch things in time and have some peace of mind. If I'm able, I go through this checklist first thing before I do anything else, unless there's urgent work waiting for me as soon as I step through the double doors (we have a set of double doors at our building; nothing fancy, but it's kind of cool to walk through them all bad and stuff). This checklist is tailored to our network, so I'll be using the names of the hardware and software we have. If you don't have the same hardware and software, substitute the names for your configuration, e.g. replace Sonicwall with Cisco, Juniper, etc.
Checking the border - Firewall and DNS
Our border firewall is a Sonicwall TZ 210. This bad boy is perfect for our environment: small in physical size, priced just right, excellent security, a small learning curve, and a lot of tools for the admin. I check the Sonicwall logs first thing because that is the point between us and the "external." I check the following logs: attacks, anti-spam service, and networking. I then move over to the current connections under the firewall tab. After that, I check the current data on the security dashboard. I'm not familiar with other border firewalls, Sonicwall is my area, but I would think Cisco and Juniper have similar logs and views. I think it's important to check the logs first thing, along with the current connections in and out of your network. After a while, you'll learn to recognize the "everyday" stuff, and that baseline is what makes an unusual connection or log entry stand out. Even though it's tempting to stop checking after a week or so of clean data, don't do it. Resist!
This step might not be necessary depending on your configuration. I check our OpenDNS records after the border firewall check because next in line is our DNS security, so that's the logic I follow (maybe it sucks, but it works for me - haha). Anyway, I log in to our OpenDNS dashboard and check the logs. It's important to see what network users are accessing and trying to access. I notice a lot of adware and malware blocked by OpenDNS. The cool thing about OpenDNS is their alert system. If OpenDNS has detected malware, you see the alert in big red letters on your dashboard. The one limitation is that OpenDNS can't give you the internal IP address: it only sees queries arriving from our public address, so it can tell you that something inside the network asked for a malicious domain, but not which machine. Tracking the request back to a host means correlating the timestamp with the firewall's connection logs or the internal DNS server's logs. So, not only is OpenDNS good as a web service, but its security system is nice as well.
Checking the Inside: Network Monitor, Server, and Antivirus
I then move on to internal checks. Network monitoring tools come in handy here, e.g. LANsweeper and Spiceworks, for checking vulnerabilities on PCs and non-PC devices. LANsweeper has an excellent dashboard view giving you information like the following: PCs not up to date, infections, low disk space, recent changes, and other cool stuff for non-PC devices. Most network monitoring software does this. I check the necessary reports then move on.
Next, I check the Windows Server 2008 R2 logs in Server Manager. If you don't use Server Manager, I recommend it for its simplicity. Everything you need for quick checks is there: roles, features, and the event viewer. I check the high-priority (Critical and Error) events, then move on to antivirus. We use Kaspersky Small Office Security. I check the scan results of all the PCs on the network to make sure no infections were detected, and I also check that all of the PCs received their updates.
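The Server Manager pass above can be scripted so the same two questions get asked every morning: what Critical/Error events showed up overnight, and who has been failing to log on. The following is an added example, not the author's own script, written for the Windows Server 2008 R2 box described here. It assumes it runs locally in an elevated PowerShell session (PowerShell 2.0 or later; the Security log needs administrator rights), that a 24-hour lookback matches a daily check, and that failure auditing for logons is enabled so that event 4625 is actually recorded.

```powershell
# Added example (not from the original post): morning event-log check for a
# Windows Server 2008 R2 host. Assumes an elevated local PowerShell session.
$since = (Get-Date).AddHours(-24)   # assumption: one check per day

# 1. Critical (Level 1) and Error (Level 2) events from the System and
#    Application logs in the lookback window, summarized by event source.
#    -ErrorAction SilentlyContinue keeps "No events were found" from stopping the script.
$highPriority = Get-WinEvent -FilterHashtable @{
    LogName   = 'System', 'Application'
    Level     = 1, 2
    StartTime = $since
} -ErrorAction SilentlyContinue

"=== Critical/Error events since $since ==="
$highPriority |
    Group-Object ProviderName |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# 2. Failed logons (Security event ID 4625) grouped by target account and
#    source address. A pile of failures for one account from one address is
#    the pattern worth chasing before moving on to the antivirus check.
$failedLogons = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = $since
} -ErrorAction SilentlyContinue

"=== Failed logons (4625) since $since ==="
$failedLogons |
    ForEach-Object {
        # Pull the named fields out of the event's XML payload.
        $xml  = [xml]$_.ToXml()
        $data = $xml.Event.EventData.Data
        New-Object PSObject -Property @{
            Account = ($data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
            Source  = ($data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
            Type    = ($data | Where-Object { $_.Name -eq 'LogonType' }).'#text'
        }
    } |
    Group-Object Account, Source, Type |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Run it once by hand to learn what "normal" looks like on your server (a handful of expired-password failures, the same service account misfiring every night), then the counts that stand out are the ones worth opening in Event Viewer. Logon type 3 failures from addresses you do not recognize, or type 10 (Remote Desktop) failures of any kind on a box that should not be reachable that way, deserve a look at the Sonicwall connection logs from the first step.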
That is my security checklist. I follow the outside-to-inside approach because it makes sense to me. Usually the biggest threats will come from the outside (threats users don't notice) and the smaller threats are on the inside. If you have any suggestions, feel free to comment on this post. I'm always on the lookout for ways to improve my checklist.