Monday, July 22, 2019

Give your computer a new lease of life with SSD


As the title suggests, replacing the boot drive with an SSD has been a recommended approach for some time and is becoming the norm with new computers, where you can choose between older SATA III (6 Gbps – gigabits per second) drives and newer PCIe NVMe (32 GBps – gigabytes per second) drives. The devil’s in the detail when the time comes to replace your old drive: whether to install a fresh operating system or to clone the existing drive over to the new one. There are various routes to a successful upgrade, depending on what the SSD vendor’s tool or third-party software supports. Although installing a new OS usually gives better results, this may not be the case if you have plenty of software and files to transfer, leaving cloning as the only choice.

Let’s dig in. It all started when I first considered replacing the hard disk of my backup Windows laptop in 2013. Back then, the upgrade was from a 5400rpm 500GB HDD to a 128GB SSD (Samsung 840 Pro). I chose to install a new OS and moved the data manually afterwards, so no cloning was involved. That laptop was about 1 year old at the time of the SSD replacement and I enjoyed the speed improvement.

The second time was when I upgraded my main Windows laptop from a 7200rpm 750GB HDD to a 500GB SSD (Samsung 840 EVO @ USD 265) in 2014. This round I decided to clone (or rather migrate), since I had gathered enough technical know-how to get myself out of a jam should things go sideways. Here, the Samsung Data Migration software did all the heavy lifting; even though the source was obviously bigger than the target, the whole experience could not have been smoother. Well, those were easier times compared to what was about to follow.

From this point on, things can get a little complicated due to encryption; yes, all kinds of full-disk encryption like Microsoft BitLocker, McAfee Drive Encryption, Symantec Endpoint Encryption (PGP), etc. Apparently, most SSD vendor tools will not support an encrypted drive (HDD or SSD). So, is that the end of the story? Luckily, there are some viable methods, and they can be found on the Internet with detailed procedures. AOMEI Partition Assistant and EaseUS Partition Master lead this category and will get you across half the journey. Literally half, because of limitations such as: the source must be smaller than the target, and the target’s capacity becomes the same as the source’s. Wait, what? The bigger target drive ends up with the same capacity as the smaller source drive. It is a bummer. Again, this is something the SSD manufacturers’ tool can assist with, by removing (unconfiguring/unsetting) Over Provisioning to reclaim the full capacity. As usual, Samsung Magician can save the day if you use Samsung SSDs, or Crucial Storage Executive for Crucial SSDs. It was 2015 and I was rocking a 256GB SSD (Samsung 850 Pro @ USD 160) for the encrypted drive.

Fast forward to 2019: it was time for a hardware refresh again and my main laptop was to get a 1TB SSD (Crucial MX500), upgrading from the 500GB of 2014. Simple enough; EaseUS was used for the migration and everything was fine. This was accompanied by downstream upgrades wherever applicable: the 256GB SSD was replaced with a 500GB SSD, and suddenly I had a spare 256GB SSD that could be used in the customized Linux server, which is also a router. You might have guessed: its boot drive was the 750GB HDD repurposed from the main laptop. I didn’t want to install a new OS and transfer the data, so the struggle began.

Start with the old HDD running Linux. It was in UEFI mode and had 3 partitions: EFI, root and swap; remember, it’s a 750GB drive. As the target had only 256GB and the source was Linux, the Samsung Data Migration software was out of the question. Next up was EaseUS, running on Windows and connected to the source Linux HDD and the target SSD via USB 3.0 external enclosures. EaseUS just gave up with a ‘Destination disk too small’ message, despite its website claiming this method is a possible solution. By sheer luck, the actual data usage on the source disk was less than 100GB, so this was the opportunity to take the less charted route with GParted. I downloaded the GParted Live ISO and used Rufus to create a bootable USB drive.

I started up the Linux server with GParted and let it map all attached disks. After that, I reduced the root partition to 200GB, which brought the total formatted capacity of the HDD below the 256GB of the target SSD. One thing to note here: GParted can take quite a long time to resize partitions. Once the resize operation completed, I was ready to give EaseUS another try at cloning and, (un)surprisingly, it did not complain about the destination disk size, though not without another, scarier message that the cloned disk may not be bootable. Now what? As stubborn as I can be, I proceeded with the cloning and waited.
And it was done. I connected the new drive to the server, checked in the BIOS that UEFI had detected it successfully and continued with the boot-up process… 10 seconds later, or I’d say ‘only 10 seconds’ later, I saw the login screen instead of the usual 40 to 60 seconds of boot-up. Everything works as it should, just faster. So what were the assumed advantages of doing it this way, at least to me?

  1. No need to install OS and apply updates
  2. All services and settings intact
  3. Avoid some mundane tasks like copying files (cp or rsync without messing up permissions), editing fstab to match new drive/partition UUIDs
  4. No need to reinstall GRUB to EFI partition
  5. Above all, I knew exactly what to expect if I followed the usual way, so I had to venture into the new method
That’s it. I hope this gives you some ideas to try next time you get a newer, bigger SSD. As I publish this post, the Samsung 860 EVO 4TB is USD 580 on Amazon right now, which is the lowest price since its launch.
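Item 3 above mentions the fstab UUID editing that cloning spares you, and the scarier “may not be bootable” warning is ultimately about the clone not finding its filesystems. The following check, added here as an example (it is not part of the original post and was not used for the clone described), compares the UUIDs /etc/fstab expects against what blkid reports on the attached disks. The sample fstab and blkid output are constructed, with made-up UUIDs; running it with `--live` reads the real files on a Linux box (blkid usually needs root to see every device).

```python
"""Post-clone sanity check: does every UUID in /etc/fstab exist on an attached disk?"""
import re
import subprocess
import sys

# Constructed sample fstab with the three partitions from the post (root, EFI, swap).
# The UUIDs are made up for this example.
SAMPLE_FSTAB = """\
# <file system>                           <mount point> <type> <options>         <dump> <pass>
UUID=1111aaaa-0000-4000-8000-000000000001 /             ext4   errors=remount-ro 0      1
UUID=2222-BBBB                            /boot/efi     vfat   umask=0077        0      1
UUID=3333cccc-0000-4000-8000-000000000003 none          swap   sw                0      0
"""

# Constructed blkid output for the cloned SSD. The swap partition deliberately
# carries a different UUID, the kind of mismatch a re-created swap area produces.
SAMPLE_BLKID = """\
/dev/sda1: UUID="2222-BBBB" TYPE="vfat" PARTLABEL="EFI System Partition"
/dev/sda2: UUID="1111aaaa-0000-4000-8000-000000000001" TYPE="ext4" PARTUUID="0f0f0f0f-02"
/dev/sda3: UUID="9999dddd-0000-4000-8000-000000000009" TYPE="swap"
"""

FSTAB_LINE = re.compile(r"^\s*UUID=(\S+)\s+(\S+)")
# \bUUID= keeps PARTUUID="..." from being mistaken for the filesystem UUID.
BLKID_LINE = re.compile(r'^(/dev/\S+):.*\bUUID="([^"]+)"')


def fstab_uuids(text: str) -> dict:
    """Map UUID -> mount point for every UUID= entry in fstab (comments ignored)."""
    entries = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = FSTAB_LINE.match(line)
        if m:
            entries[m.group(1)] = m.group(2)
    return entries


def blkid_uuids(text: str) -> dict:
    """Map UUID -> device node from `blkid` output."""
    devices = {}
    for line in text.splitlines():
        m = BLKID_LINE.match(line)
        if m:
            devices[m.group(2)] = m.group(1)
    return devices


def check_fstab(fstab_text: str, blkid_text: str) -> list:
    """Return [(mount_point, uuid)] for fstab entries that no attached device carries.
    An empty list means the clone will find all of its filesystems at boot."""
    present = blkid_uuids(blkid_text)
    return [(mnt, uuid) for uuid, mnt in fstab_uuids(fstab_text).items()
            if uuid not in present]


def main(argv) -> int:
    if argv[1:] == ["--live"]:
        with open("/etc/fstab") as f:
            fstab_text = f.read()
        blkid_text = subprocess.run(["blkid"], capture_output=True,
                                    text=True, check=True).stdout
    else:
        fstab_text, blkid_text = SAMPLE_FSTAB, SAMPLE_BLKID
    missing = check_fstab(fstab_text, blkid_text)
    for mnt, uuid in missing:
        print(f"MISSING: {mnt} expects UUID={uuid} but no attached device has it")
    if not missing:
        print("OK: every fstab UUID is present on an attached device")
    return 1 if missing else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A swap area re-created with mkswap on the target, for instance, gets a fresh UUID and shows up here before the first reboot rather than as a stalled boot.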

Wednesday, October 10, 2018

Fast Track Guide for Smart Guardians of Connected Homes


Finally, I’m back. Hard to believe it’s been 5 years since I published my last post in October 2013. Many things have changed within half a decade, at a speed we had not foreseen: artificial intelligence, blockchain, smart devices, the Internet of Things (IoT); but hey, we still have not used up the IPv4 addresses yet. Last but not least, the General Data Protection Regulation (GDPR) has come into force, DDoS attacks and ransomware have never been more prevalent, and Sundays are no longer the quietest day for incident responders.

On my return, I will be sharing some suggestions to better secure ourselves in the increasingly vulnerable and hyper-connected world we live in today. This month also coincides with National Cyber Security Awareness Month (NCSAM) in the States and CyberSecMonth in the EU. I have chosen to start with the smart home, as home is still the place where we spend most of our time and where we tend to let our guard down regardless of our occupation. The suggestions largely depend on location, service availability, budget and the technical know-how to set them up, hence your mileage and their effectiveness will vary considerably. Let’s start!

Connectivity

Traditionally, we have been connecting all our gadgets (computers, smartphones, tablets, network attached storage) to a single Internet router/access point (AP) from the service provider, wired or wirelessly; I will refer to these as primary devices. Then we gradually add other smart devices (speakers, refrigerators, TVs, media players, watches, CCTVs, baby monitors, etc.; I will refer to these as secondary devices) to the same network as the primary devices. It may not be so obvious that these new IoT devices were given little to no security protection throughout their lifecycle, from supply chain to software development, compared to primary devices; their lack of rigorous quality assurance makes them an easy target for exploitation. To defend IoT security, it is forecast that US$ 3.1B will be spent globally in 2021, about 350% growth from 2016. How does that translate to consumers, rather than organizations? Consumers will have to make informed decisions with the resources at their disposal. The following options are ordered by difficulty/cost, 1 being the easiest/cheapest and 3 the most difficult/expensive. You can, of course, mix and match any option to your liking.

Option 1 – Set up dedicated networks (SSID) for secondary devices

Assuming most secondary devices are Wi-Fi enabled, this involves creating a new network ID (SSID) on the existing router/AP solely for those devices. In most cases, those devices operate on 2.4GHz rather than the 5GHz that most primary devices support, so separating them into different bands would also improve your overall wireless experience.

Option 2 – Set up tiered network with multiple routers/APs

This option requires an additional AP/router connected to the main router, which performs its own NAT, separate from the existing router’s.

With this configuration, several protocols that would normally be exposed to the Internet (e.g. UPnP, DLNA, web services) can be controlled.
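To make the isolation of Option 2 concrete, here is an added example (not from the original post, which names no particular router or firewall) that models the second router’s forwarding policy as a first-match rule table, audits a few constructed flows against it, and renders the same table as an nftables ruleset for a second router that happens to run Linux. The two subnets and every address are assumptions made for the example.

```python
"""Forwarding policy of the second (IoT) router in a tiered home network."""
import ipaddress
from typing import List, Optional, Tuple

# Constructed address plan (assumption, not from the post): the ISP router serves
# the primary devices on 192.168.1.0/24; the second router's WAN port sits on that
# network and it NATs the secondary (IoT) devices on 192.168.2.0/24 behind it.
PRIMARY = ipaddress.ip_network("192.168.1.0/24")
IOT = ipaddress.ip_network("192.168.2.0/24")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# (name, source, destination or None for "anywhere", action); first match wins,
# exactly as a packet filter walks its chain.
Rule = Tuple[str, ipaddress.IPv4Network, Optional[ipaddress.IPv4Network], str]
RULES: List[Rule] = [
    ("iot-to-iot", IOT, IOT, "accept"),
    ("primary-to-iot", PRIMARY, IOT, "accept"),  # phones/laptops may still control the devices
    ("iot-to-primary", IOT, PRIMARY, "drop"),    # the TV never initiates to the NAS or laptop
] + [
    (f"iot-to-private-{i}", IOT, net, "drop") for i, net in enumerate(RFC1918)
] + [
    ("iot-to-internet", IOT, None, "accept"),    # everything non-private is "the Internet"
]

# Constructed flows to audit: (source, destination) of a new connection.
SAMPLE_FLOWS = [
    ("192.168.2.10", "203.0.113.5"),    # smart TV -> streaming service on the Internet
    ("192.168.2.10", "192.168.1.20"),   # smart TV -> NAS on the primary network
    ("192.168.1.5", "192.168.2.10"),    # laptop -> smart TV (control app)
    ("192.168.2.10", "192.168.2.11"),   # smart TV -> speaker, both IoT
    ("192.168.2.10", "10.0.0.5"),       # smart TV -> a private range it has no business with
]


def decide(src: str, dst: str, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """First-match evaluation of one new connection crossing the second router."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, src_net, dst_net, action in rules:
        if s in src_net and (dst_net is None or d in dst_net):
            return name, action
    return "default", "drop"


def dropped(flows, rules: List[Rule] = RULES) -> list:
    """Return the (src, dst) pairs the policy refuses; handy for auditing an address plan."""
    return [(s, d) for s, d in flows if decide(s, d, rules)[1] == "drop"]


def to_nftables(rules: List[Rule] = RULES) -> str:
    """Render the table as an nftables forward chain with a default drop policy.
    Established/related traffic is accepted first so that replies to
    primary->IoT connections flow back, while the IoT side can never open a
    connection toward the primary network."""
    lines = [
        "table inet filter {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for name, src_net, dst_net, action in rules:
        match = f"ip saddr {src_net}"
        if dst_net is not None:
            match += f" ip daddr {dst_net}"
        lines.append(f'    {match} {action} comment "{name}"')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for s, d in SAMPLE_FLOWS:
        print(f"{s:>14} -> {d:<14} {decide(s, d)}")
    print(to_nftables())
```

The ruleset is for the forward chain of the second router only; the ISP router sees nothing of it. The `ct state established,related accept` line is what lets a control app on the primary network talk to the TV and receive its replies, while the TV itself never gets a new connection into the primary network.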

Option 3 – Subscribe dual internet services and connect primary and secondary devices separately

This particular option is really meant for residents of Singapore, where houses have fibre termination points with 2 available connections. In Singapore, it is up to the users to get both ports activated and enjoy 1-10Gbps broadband speed from the same or different ISPs. The connection would be as in the diagram below.

Encryption

The devil’s in the detail when it comes to encryption, and there is a continuing debate between privacy advocates and government legislators to find the right balance between protecting netizens and deterring criminals from abusing the technology. As with connectivity, you have different options here too.

Option 1 – Use commercial VPN services

Every device connected to your home network goes through your ISP, and you can only imagine what kind of monitoring and agreements they have with big brother. Be it out of concern for net neutrality or to maintain your privacy rights, you should consider using a VPN service to encrypt your Internet traffic. There are plenty of fast and reliable services which cover not only your home Internet but also your mobile devices while you are on the road, so choose wisely.

Option 2 – Use encrypted messaging whenever possible

When combined with a VPN, Tor could attract unwanted surveillance in certain countries and make you a target for enhanced spying. There have been many high-profile cases involving the use of PGP; it is simply not a good tool for present and future privacy protection. We have been introduced to WhatsApp and Signal in recent years, and they prove more popular every day with their coveted end-to-end encryption.

Option 3 – Build your own VPN and encryption endpoints

Worried about the logs VPN service providers keep on you, regardless of their claims that they don’t? Fret not: you can build your own VPN in the country you want with any cloud provider. You are in control of your budget, and it is flexible to set up and maintain your own VPN servers. Algo, an IPsec VPN, may be your first step in securing your Internet traffic on Windows, Android, Apple and Linux devices; it supports all major cloud services: DigitalOcean, Amazon EC2, Vultr, Microsoft Azure, Google Compute Engine, Scaleway and DreamCompute, or an OpenStack-based cloud host. Alternatively, OpenVPN is a solid choice if you want more speed out of the VPN connection with a UDP tunnel.

Smart-home ready security appliances

Not all of us have the same amount of time and technical knowledge to build a secure Internet gateway or to monitor firmware updates for every device regularly. There comes a time when we bring in the big guns, based on their reputation or at least their strengths in the market. Here is the tricky part about “market”: most device vendors only provide support or subscriptions in the US, and some in the UK, with little presence in other markets, and that is the biggest factor limiting their true value.

Option 1 – Buy off the shelf devices and pay for service subscription

In this particular use case, Norton Core earns a worthy spot by incorporating the latest Wi-Fi with the enterprise-level Global Intelligence Network (mostly known as GIN in security circles). It has all the standard features of a consumer-grade router and sits between the broadband modem and your devices, wired or wireless. Of course, Norton isn’t the only player in the segment, so you can also choose from Bitdefender BOX, CUJO or F-Secure SENSE.

Whether you have Windows, Apple or Android devices at home, you should consider installing anti-malware software on them, be it from a single vendor or one picked for each platform. Additionally, you will have to be vigilant about ransomware, which threatens your invaluable memories and life’s work. Don’t forget to back up too.

Option 2 – You can do one better with open source security distros

Nowadays, you can get inexpensive barebone PCs with dual or triple network interfaces, which can be used to build your own router, firewall, or both, depending on the operating system loaded on them. One of the all-time favourite and well-known images is pfSense, based on the highly stable FreeBSD, which has led this category for a long time with ample features including VPN, firewall, dynamic DNS, wireless access point and traffic shaping. Again, you have other options such as IPFire, OPNsense and Sophos XG Firewall, and if you want a paid version, there is Untangle NG Firewall.

Option 3 – Configure custom Linux box with minimum packages

As option 3 of this topic, you may have guessed this will not be the easiest of the pack, but it will give you the highest flexibility in terms of the control you need to set up your own router or firewall. You can even use a Raspberry Pi if you wish, at least as a wireless access point/router for connections up to 100Mbps. Next stop: if you need high network bandwidth to fully utilize fibre broadband, i.e. 100Mbps to 1-10Gbps, you will need to spend more on the hardware. I’d suggest nothing could go wrong with mini-ITX (mITX) motherboards with PCI-E slots to seat 10G NICs. From there, you can add specific packages to meet your requirements: DNS, DHCP, proxy, content filtering, and so on. In my opinion, with the decreasing prices of 10G switches and NASes, investing in a 10G-native router/firewall is worth the trouble to future-proof your network.

Authentication

If anything attracts the most attention, it will definitely be authentication. We have lost over 517 million passwords in various data breaches, and that number will only keep increasing. We have been told that passwords are dead; apparently that is not the case, despite our embracing multiple methods of authentication, from the hardware tokens for VPN connections inherited from the corporate realm to the soft-tokens embedded in modern banking apps. Personally, I was never a big fan of SMS OTP and that is not going to change anytime soon, especially after SIM swaps, the inconvenience while travelling, and the phone number being used for purposes other than receiving the OTP.

So what is going to replace passwords? Luckily for us, there are upcoming standards, technologies and alliances which will bring password-less ecosystems to the masses. As with any new technology adoption, there will be wide-ranging hindrances to implementing end-to-end secure authentication on devices, browsers and applications. You can start the transformation journey by getting familiar with security tokens like U2F smart keys, such as those from Yubico, Google or Kensington. If you haven’t enabled 2-factor authentication by now, this should be your next action!

Option 1 – Use a good password manager

How else are we supposed to remember “secure” passwords and enter them in websites or applications? I am not going to propose sticky notes under the keyboard here. Pick either a free or paid password manager, like KeePass, 1Password or LastPass, and check their compatibility against your requirements. Some can use U2F keys to unlock, as an added protection.

Option 2 – Switch to soft-tokens

This is not something you can develop yourself; it is entirely dependent on the companies we have relationships with. It may be offered by banks, social networks or enterprise applications, so when you receive a notification to sign up for this service, do enroll immediately. At minimum, this will save you from carrying hardware tokens or paying roaming charges to receive SMS. Authy and Google Authenticator are by far the most commonly used in the consumer space.
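What Authy and Google Authenticator compute is the TOTP algorithm of RFC 6238, built on the HOTP of RFC 4226. The following is an added example (not code from the post or from either app) showing both, plus the server-side verification with a clock-drift window. The demo secret is the RFC 6238 test key in the base32 form an authenticator app reads from a QR code, so the generated codes can be checked against the RFC’s published vectors.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) as computed by soft-token apps."""
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the RFC 6238 test key "12345678901234567890" in base32.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_base32_secret(secret_b32: str) -> bytes:
    """Decode an app-style base32 secret, tolerating spaces and missing '=' padding."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """Event-based code: HMAC over the big-endian 8-byte counter, then the
    RFC 4226 dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time=None, step: int = 30, digits: int = 6) -> str:
    """Time-based code: HOTP with counter = floor(unix_time / step).
    The phone and the server only have to agree on the secret and the clock."""
    now = time.time() if at_time is None else at_time
    return hotp(decode_base32_secret(secret_b32), int(now) // step, digits)


def verify_totp(secret_b32: str, candidate: str, at_time=None, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accept the code for the current step and up to `window`
    neighbouring steps to absorb clock drift, comparing in constant time."""
    now = time.time() if at_time is None else at_time
    key = decode_base32_secret(secret_b32)
    base = int(now) // step
    ok = False
    for delta in range(-window, window + 1):
        expected = hotp(key, base + delta, digits)
        # Check every step rather than returning early, so timing does not
        # reveal which step matched.
        ok |= hmac.compare_digest(expected, candidate)
    return ok


if __name__ == "__main__":
    print("RFC 6238 vector, time 59       :", totp(DEMO_SECRET_B32, 59))
    print("RFC 6238 vector, 1111111109, 8d:", totp(DEMO_SECRET_B32, 1111111109, digits=8))
    print("current code for the demo secret:", totp(DEMO_SECRET_B32))
```

Only the six-digit code ever leaves the phone; the secret and the counter stay on the device, which is the whole advantage over SMS OTP: nothing transits the mobile network, so there is no SIM to swap and no roaming charge to receive it.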

Option 3 – Get yourself a security key and forget about passwords

Seriously, a good, sensible choice you could make is to ditch passwords and use U2F MFA. For example, YubiKey now supports more than 100 services linked to almost every activity in our daily life, from Facebook to Dropbox, Windows to cryptocurrencies, and might have saved the US election. You can find out whether a service provider supports OTP or U2F from DongleAuth.

I guess I have touched on sufficient basic security awareness materials with this post from securing smart homes to protecting digital identities. I must borrow a line from flight safety announcements: Save yourself before saving others; in digital world, secure yourself before protecting others.

And hopefully, it will not take another 5 years for a new post. Till next time.

Sunday, October 20, 2013

"If it ain't broke, don't fix it" - A fundamental downfall why defense-in-depth isn't always effective

Yes, I know it sounds all too familiar to most security professionals when they propose a new or better way of doing things to their colleagues, sometimes at management level, and get a variety of facial and body-language responses.

This is especially true on occasions when you are telling them to update something that you know is vulnerable to external/internal exploitation. Here is the most common feedback you will get, in no particular order.
  • Systems are not accessible from outside; only authorized personnel can use them within the office
  • Certain bespoke LOB software is tied to a particular version of OS, framework or application, and the vendor cannot guarantee it will work with newer versions
  • The SLA is too demanding; they can't afford any downtime
  • No allocated budget
However much buy-in you need to implement those updates, your first and foremost task is to convince them, which is easier said than done. Let's take on one piece of feedback at a time.
  1. Systems aren't accessible from outside. Really, really? It's time to re-think which business systems are exposed to the external world: websites, email, attendance systems, ERP systems and, better yet, SSH access to mission-critical infrastructure devices. Unless these services are protected behind a VPN, each of them is waiting to be probed and attacked. Plenty of reports, like the Internet Census 2012, reveal how many service ports are visible on the public Internet. With the right tool, like SHODAN, the sky is the limit to what you can or cannot access. Based on Akamai's State of the Internet report for Q2 2013, ports 80 and 443 had overtaken the previous leader, port 445, at 41% vs 15%, as the most commonly targeted ports.
  2. A customized CRM, for example, can't be updated as it may have several dependencies on OS, framework and application versions. Isn't that the reason we pay the application vendor a great deal of money for maintenance? Well, sometimes it is truly confusing to understand what was really in the agreement. Off-the-shelf software scores a point in this area, as it is continually updated and checked for compatibility.
  3. Every business has its own commitment to its users, which we understand as the SLA. This is one good example by Google Apps. Even so, organizations with the highest SLA level could inevitably have downtime. But we do have the necessary measures to minimize downtime: all critical changes are required to go through development and UAT before production, so that most possible problems are taken into account for business continuity.
  4. After considering the above facts, it shouldn't take too long to get financial backing. The way we see it, most updates come free and most BCPs are in place, so there won't be much requiring a special budget.
So, why did I give this title and what motivated me? I understand there are already so many things on system/network administrators' plates to handle day in and day out. Any new change could take additional time out of their busy schedule. So think of it the other way around. All those miscreants are trying to break what administrators try to keep in working order, and they will find one way or another to do just that. So why don't we pre-empt them by implementing known fixes in advance? Should anything happen, we have backups to roll back and can try other methods. If anyone were to break our systems, it would be better that it was us than some random hackers creating headlines.

Tuesday, May 28, 2013

B&B for Personal Computer - Baseline vs. Benchmark - Security and Performance

It comes up naturally that someone asks you how to keep their computer fast and secure, be it as part of a conversation or because they consider you a geek. To answer their question, you may shoot back a response like 'Do you know how many applications you have and how often you use them?' As simple as it seems, most of the people I know begin to mumble once I ask this.

When we talk about enterprise security and performance, we all accept the fundamentals of keeping inventory of software and hardware to gauge application response at a given time using various monitoring tools.

But do we really (really) apply this knowledge to our home computers, let alone casual users in question?

The honest answer: No, we don't.

Now, let me share how I've been keeping track of these things. Back in the day, we used mechanical disks as our primary storage and there was a plethora of applications we installed on our systems. At the time, I usually rated my computers' performance by how quickly I could start using them after powering on, and I did allow some time for the mechanical disks; the average was 90-120 seconds. I had about 40-60 installed applications, 15-20 start-up programs and 25-35 auto-start services. I was literally a very patient person back then.

When I jumped on the SSD bandwagon last year, I was still skeptical about whether I should adjust my previous computer benchmark just because of the speedy SSD and the 1600MHz DDR3 I standardized on across the board. Finally I decided to set a new benchmark: 40-60 seconds with a similar number of applications, start-up programs and services. I became a not-so-patient person after all.

So what am I trying to say here? Only two things: what do you really need to use and how fast do you want them to perform.

Baseline:
  • Never install software that you may never use. Even if you paid for the software, install it only when you need to use it. Leaving unused software on the computer not only takes up storage but also affects system performance. Java, for example: keeping it could only do you harm, with its never-ending vulnerabilities and lagging fixes.
  • Check your software vendors' EULA how they track software usage for you to have the flexibility of install/uninstall choices.
Benchmark:
  • We can easily check start-up programs and services using Windows tools or other readily available tools like CCleaner and Sysinternals, and remove any unnecessary programs to prevent them loading at start-up.
  • You may have a number in mind, say 30 seconds to start using the computer. Make sure the number is reasonable based on your system components' specification and be mindful of compromises you may have to accept.
By now, you should see where this leads. Having a baseline of application and benchmark can help you achieve higher security and better performance. Think about the time you would save to update those applications in addition to normal Windows updates. With less software installed, you can finish patching faster and maintain a shorter list of auto-start program/service.

Sunday, December 16, 2012

How to DIY the Zik/UE 9000/MDR-1RBT killer using Sennheiser HD 380 Pro

By now, most audiophiles would agree that the Parrot Zik ($399.95), Sony MDR-1RBT ($399.99) and Logitech UE 9000 ($399.99) are the best and most advanced noise-cancelling wireless headsets one can buy. They offer excellent sound compared to other wireless headsets like the Creative WP-450 or conventional wired headsets like the Bose AE2i and OE2i, by far. But to some pure music lovers, those wireless headsets carry too many compromises to accept to please their ears. In my case, I would not choose those super-smart pieces of hardware over a proper, carefully tuned wired headphone, although I was very tempted to do so.

To be honest, my choice of headphones is always biased towards Sennheiser, as they never let me down, just as my choice of computers is always Dell. Whenever I'm looking for something new, I give them my first thought. So there was no exception when I bought a Sennheiser HD 380 Pro to use during my daily commute and occasional trips. These closed cans give me the most pleasing music I could ever want from a headphone, as well as passive noise cancelling as a bonus thanks to the well-designed earpads. Oh, did I mention that it comes with a 2-year international warranty, which provides better assurance than the standard local one-year warranty?


Nothing's perfect, and it is no surprise that the HD 380 Pro isn't without some shortcomings. For starters, its 3.2-foot coiled cable is terrible. If you are in a stationary position, such as using it with a receiver or a laptop, the cable won't be too much of a burden, but if you are on the move, using the heavy headphone with a coiled cable is unimaginably miserable, with the cable hanging around or sticking out of your pocket.

So I had to do something about this, otherwise it might just end up used at home like its older brother, the HD 202 accompanying the TX-NR515. One good thing about the 380 is that the cable is detachable: it uses a standard 2.5mm plug on the left earcup and a 3.5mm plug to the source. Now I had to find a shorter cable, preferably around 1m; anything longer would give me the same trouble again. I was lucky to find one such cable at a local shop, which cost me about five bucks and does the job.
The straight 2.5mm end of this cable connects directly to the headphone without any modification.

At the beginning of this post, I mentioned the collection of wireless (Bluetooth) headsets that will set you back $400, and even knowing this month is a very good one for shopping, $400 would make a huge dent in my wallet. After I replaced the cable, I wanted to go the extra mile and transform this wonderful headphone into a "smart" headset. I happened to have a Sony MW600, a gift when I purchased my last handset. This lovely Hi-Fi wireless headset can do everything those $400 headsets can, except the NFC gimmick, and has the more practical FM radio. Put simply, it can be used as a Bluetooth receiver, remote control and inline mic.
What makes it even more suitable for my little transformation project is that it takes a 3.5mm jack. Yes, marvellous it is, indeed. The end result comes from connecting the new cable's 2.5mm end to the headphone and the 3.5mm end to the wireless control. Once I paired it with my handset, I instantly had a full-blown killer headset that can outperform any of those (super)pricey headsets. As a contingency plan, if the receiver's battery runs flat, I can still connect the headphone directly to any source I want.

In the end, I've got a very nice sounding headphone converted into a wireless headset. There are a few things to note though. The 380 Pro is a monster for the MW600, which is designed to drive 32Ω earphones and is now re-purposed for 54Ω. Also, the 380 carries a 500mW load rating, so I'll expect a shorter battery life than the MW600's 8.5 hours, which is still more than enough for normal usage.

Monday, December 10, 2012

Manageable Network, Critical Security Controls and NIST SP 800

Now that we are so close to leaving 2012 and counting down to the new year, I think this is the time to sum up what we've seen so far in NIST Special Publications, be it as final, revised or draft releases (latest count at 25). As all security practitioners would agree, the SP 800s are the definitive guidelines for achieving all perspectives of GRC, whatever IT, financial and legal obligations the corporation needs to adhere to, such as SOX, HIPAA and PCI-DSS.

Before we get to the details of those documents, let's start from the very foundation: the enterprise network. Over the years as a network and security professional, one thing I always do on any network I have managed is the "documentation". You may have a state-of-the-art installation in a top-notch data center, but without proper and up-to-date documentation, you are just a sitting duck. To be clear, documentation "is not" the thick user manuals you received from the vendors, or other documents serving the same purpose.

The IT network documentation should be one or more of the following documents.
  • System configuration and procedure
  • Asset inventory
  • BC and DR
  • Security policies and procedures
A more granular list can be found here. So what is my point in bringing up the issue of not having appropriate documentation? These are my answers.

  1. You can't scale your infrastructure according to data growth
  2. You can't protect your network if you don't know what you have
  3. You can't sustain working environment if you don't have contingency plans
Having said that, implementing successful documentation is not a mundane task if you follow a structured approach like the one published by the NSA. The document (currently at version 2.2, published on 5 April 2012) is aptly named The Manageable Network Plan, and the page worthy of all your attention is page 3. You will see there are several milestones for you to work through.
  1. Prepare to document
  2. Map your network
  3. Protect your network
  4. Reach your network
  5. Control your network
  6. Manage your network, Patch Management
  7. Manage your network, Baseline Management
  8. Document your network
Now we can assign certain NIST SPs to each milestone. These also align with the SANS 20 Critical Security Controls Version 4.0 in their respective criteria.

CSIS: 20 Critical Security Controls - Version 4.0

  1. Inventory of Authorized and Unauthorized Devices
  2. Inventory of Authorized and Unauthorized Software
  3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
  4. Continuous Vulnerability Assessment and Remediation
  5. Malware Defenses
  6. Application Software Security
  7. Wireless Device Control
  8. Data Recovery Capability
  9. Security Skills Assessment and Appropriate Training to Fill Gaps
  10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
  11. Limitation and Control of Network Ports, Protocols, and Services
  12. Controlled Use of Administrative Privileges
  13. Boundary Defense
  14. Maintenance, Monitoring, and Analysis of Audit Logs
  15. Controlled Access Based on the Need to Know
  16. Account Monitoring and Control
  17. Data Loss Prevention
  18. Incident Response and Management
  19. Secure Network Engineering
  20. Penetration Tests and Red Team Exercises

The following mapping is to help you get your milestones in organized manner.

Milestone           | Security Control | SP 800
--------------------|------------------|-------------------
Prepare to document |                  |
Map network         | 1                | 53
Protect network     | 5,13,19          | 53,94,153
Reach network       |                  | 117
Control network     | 12,14,16         | 53
Patch management    | 4                | 53,40,137
Baseline management | 2,3,6,10         | 53,121,124,147,164
Document network    |                  |
Note - Mainly focused on documents released in 2012. Other related publications should be consulted too.

Voilà. Now you are on the better side of network management and you can move forward with optimizing what you have in hand. Let's split the tasks into 3 types of management:
  1. Risk Management
  2. Security Management
  3. Governance
For each type of management, we can map the tasks in the same way as the milestones above.
Risk Management

Milestone                                     | Security Control | SP 800
----------------------------------------------|------------------|-------
Backup strategy                               | 8                |
Incident response and disaster recovery plans | 18               |
Training                                      | 9                |

Security Management

Milestone               | Security Control | SP 800
------------------------|------------------|-------
Virus scanners and HIPS | 5                |
BYOD/BYON               | 5,17             |
Data-at-rest protection | 17               |
NAP/NAC                 | 1,5              |
SIEM                    | 14               |
Perimeter defence       | 11,13            |
Policies and procedures |                  |
App whitelist/blacklist | 2                |
Remote access security  | 7                |

Governance

Milestone                           | Security Control | SP 800
------------------------------------|------------------|-------
Configuration and Change Management | 3,10             |
Audit strategy                      |                  |


Once you arm yourself with these milestones and controls, you can tackle not only today's network-related issues but also future expansion, effectively and efficiently. You will be ready for the upcoming Bring-Your-Own-Device or Bring-Your-Own-Network in the Generation Z workplace, with flexible and comprehensive procedures, while keeping your shields up without falling victim to hacktivism.

Here we are. Merry Christmas and Happy New Year !!!