Computer Security For Managers & Executives Marc Apter IEEE Vice President Regional Activities
Computer Security For Managers & Executives Marc Apter Senior Information Assurance Specialist EG&G Technical Services
Topics To Be Covered • Your Organization & Management • Your Data • Security Tools • Applications • Training
Security Policies • Policy – Your rules and requirements for operations, and your contingency plans • Standards – The particulars of the systems, including specific security technologies and methods for protecting information • Guidelines – Written recommendations and best practices • Procedures – They detail how to implement the security policy, standards, and guidelines
Policies • Policies must both protect and support an organization • You can’t write policies if you don’t understand what your organization does
Management Support • What level? • What do they really care about? • Do they care about security? • Identify The Senior Management Champion for Information Assurance
Risk Management • "Risk is the likelihood of a given threat source exercising a particular potential vulnerability and the resulting impact of that adverse event on the organization." • Technique whereby an organization identifies, analyzes, controls, and monitors risks to its assets or objectives • Key elements of risk • Uncertain outcome • Possibility of loss • A formal process that takes into account the threats to your organization’s situation and lets you tailor your security program to its needs • Someone must be designated to be in charge of risk management
Corporate Classification Levels • Public – information explicitly approved for release to the public • Sensitive – unauthorized disclosure is against policy, but won’t impact the company • Private – intended for use within the company, could impact the company • Confidential – unauthorized disclosure could seriously and adversely impact the company
What Do You Have To Protect? • Privacy • Business Sensitive • Legal
Who Are You Protecting It From? • Specific Competitors • General Public • Insiders (Need to know)
How Accurate Must Your Data Be? • The difference between protecting data from someone seeing it, and protecting data from someone changing it! • All data must be identified as to which of the shades above applies to it.
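As an added example (not from the presentation), the classification levels above and the seeing-versus-changing distinction can be turned into a handling check; the level names are the deck's, while the policy table, the actions (including keeping higher-level data off mobile devices) and the sample items are assumptions:

```python
"""Added example (not from the presentation): a handling check that applies
the deck's four classification levels, keeps "who may see it" separate from
"who may change it", and refuses to put higher-level data on a mobile device.
The level names come from the slides; the policy table is assumed."""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    PUBLIC = 0        # explicitly approved for release to the public
    SENSITIVE = 1     # disclosure is against policy but would not hurt the company
    PRIVATE = 2       # for use within the company; disclosure could impact it
    CONFIDENTIAL = 3  # disclosure could seriously and adversely impact the company


class Integrity(IntEnum):
    LOW = 0   # occasional errors are tolerable
    HIGH = 1  # must not be changed except by an authorised role


@dataclass(frozen=True)
class DataItem:
    name: str
    level: Level
    integrity: Integrity


@dataclass(frozen=True)
class Actor:
    user: str
    internal: bool       # employee rather than outsider
    need_to_know: bool   # cleared for this particular item
    role_can_edit: bool  # job role allows changing the item


# Assumed policy: the highest classification permitted for each handling action.
MAX_LEVEL = {
    "publish": Level.PUBLIC,            # public web site or press release
    "email_external": Level.SENSITIVE,
    "mobile_device": Level.PRIVATE,     # "keep vital data off the device"
    "read": Level.CONFIDENTIAL,
}


def decide(item: DataItem, actor: Actor, action: str):
    """Return (allowed, reason) for `actor` performing `action` on `item`."""
    if action == "modify":
        # Changing data is a separate question from seeing it: require read
        # access first, then apply the integrity requirement.
        allowed, reason = decide(item, actor, "read")
        if not allowed:
            return False, reason
        if item.integrity == Integrity.HIGH and not actor.role_can_edit:
            return False, "high-integrity data may only be changed by an authorised role"
        return True, "ok"
    if action not in MAX_LEVEL:
        return False, f"unknown action {action!r}"
    if item.level > MAX_LEVEL[action]:
        return False, f"{item.level.name} data is not permitted for {action}"
    if item.level >= Level.PRIVATE and not actor.internal:
        return False, "private and confidential data are internal-only"
    if item.level == Level.CONFIDENTIAL and not actor.need_to_know:
        return False, "confidential data requires need-to-know"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inventory (not the presenter's data).
    price_list = DataItem("price list", Level.PUBLIC, Integrity.HIGH)
    payroll = DataItem("payroll", Level.CONFIDENTIAL, Integrity.HIGH)
    memo = DataItem("staff memo", Level.PRIVATE, Integrity.LOW)
    clerk = Actor("clerk", internal=True, need_to_know=False, role_can_edit=False)
    customer = Actor("customer", internal=False, need_to_know=False, role_can_edit=False)
    for item, actor, action in [(price_list, customer, "read"), (price_list, customer, "modify"),
                                (payroll, clerk, "mobile_device"), (memo, clerk, "mobile_device"),
                                (memo, clerk, "modify")]:
        print(f"{actor.user:9} {action:14} {item.name:11} -> {decide(item, actor, action)}")
```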
Backups • How often do you backup? • How many hours of work can you afford to lose? For each group of data you have? • How long does it take to recover? • Backup Security?
Anti-Virus/Anti-Spyware Software • How will you update workstations? • Do you trust your users to keep the software/signature files updated? • How are you going to handle tele-workers (including travelers)? • How about PDAs/Blackberries?
Firewall(s) • Is there a Firewall? If not, who made that decision and what was the justification? • If you use them, have a policy (What is allowed, everything else is forbidden) • Consider Host Firewalls if you use Windows, especially for mobile workers/travelers
Passwords • How many User IDs and Passwords can you remember? • Let’s write them down in a little book you always carry! • Physical device
Warning Banner • So users/employees know they are subject to be monitored • Why Monitor? • Bandwidth • Embarrassment • Secrets
Continuity Of Operations Plan (COOP) • Backup – Frequency • What to do in case of an incident (natural or manmade) • Any Alternate Site’s security should be the same as normal computer center
E-Mail • Usage policies, monitoring • OOPs – Procedures • Use of IM Policy
Question: Does your organization need an IM/Chat capability?
WEB • Are there separate public and private sites and servers? • Warning Banner, Consent to Monitor • Public release of information policies • Usage policies for surfing • Monitoring
Web Application Security • SSL only protects data during transmission • Protect your information and data (in or connected to your web application) • Setting up a web application is an invitation to someone to try and get your information and data • Web application security should depend on a positive security model that allows input that is expected and is within expected boundaries
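An added example of the positive security model described above, not code from the presentation: a validator for a hypothetical order-status form that accepts only the fields it expects, in the shapes and ranges it expects, and rejects everything else without consulting any list of "bad" strings (field names, patterns and limits are assumptions):

```python
"""Added example (not from the presentation): a positive security model for a
hypothetical order-status form. Each field declares what is expected (format,
range, or allowed values); anything else, including fields the form never
declared, is rejected."""
import re

MAX_RAW_LEN = 256  # assumed hard cap on any single field before parsing

# Assumed schema for the hypothetical form.
SCHEMA = {
    "order_id": {"pattern": re.compile(r"[0-9]{6,10}")},
    "email": {"pattern": re.compile(
        r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]{1,63}(\.[A-Za-z0-9-]{1,63})*\.[A-Za-z]{2,24}")},
    "quantity": {"int": (1, 99)},
    "country": {"choices": {"US", "CA", "GB", "DE"}},
}
REQUIRED = {"order_id", "email", "quantity"}


def validate(form: dict):
    """Return (clean, errors); `clean` holds typed values only when `errors` is empty."""
    errors, clean = [], {}
    unexpected = sorted(set(form) - set(SCHEMA))
    if unexpected:
        errors.append(f"unexpected field(s): {unexpected}")
    for name in sorted(REQUIRED - set(form)):
        errors.append(f"missing field: {name}")
    for name, raw in form.items():
        rule = SCHEMA.get(name)
        if rule is None:
            continue  # already reported as unexpected
        if not isinstance(raw, str) or len(raw) > MAX_RAW_LEN:
            errors.append(f"{name}: not a string of at most {MAX_RAW_LEN} characters")
            continue
        if "pattern" in rule:
            # fullmatch: the whole value must have the expected shape
            if rule["pattern"].fullmatch(raw):
                clean[name] = raw
            else:
                errors.append(f"{name}: does not match the expected format")
        elif "int" in rule:
            lo, hi = rule["int"]
            # isascii() keeps non-ASCII digit forms out of int()
            if raw.isascii() and raw.isdigit() and lo <= int(raw) <= hi:
                clean[name] = int(raw)
            else:
                errors.append(f"{name}: expected an integer between {lo} and {hi}")
        elif "choices" in rule:
            if raw in rule["choices"]:
                clean[name] = raw
            else:
                errors.append(f"{name}: not an allowed value")
    return ({}, errors) if errors else (clean, [])


if __name__ == "__main__":
    # Constructed submissions: one well-formed, one carrying an injection-shaped
    # order id and an undeclared field. Both are judged only against the schema.
    for form in ({"order_id": "12345678", "email": "a.b@example.com", "quantity": "3", "country": "US"},
                 {"order_id": "1 OR 1=1", "email": "a.b@example.com", "quantity": "3", "debug": "1"}):
        print(validate(form))
```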
Security Awareness Training • Initial Security Training • Annual Security Refresher Training • To be most effective, a security-awareness program should address the following risk areas: • Social engineering • Passwords • Insider threats • Ethical computing (Performing inappropriate computer tasks and accessing inappropriate sites)
Physical Security vs Computer Security • No Computer Security without Physical Security • Administrative Procedures/Policies • Who certifies physical security? • Computer Security without Physical Security is as useful as a screen door on a submarine
Five Easy Security Fixes • Turn off unneeded services in boxes attached to the Internet. • Never use a Web server for anything else. • Regularly apply security patches to critical machines. • Block all executable attachments at the gateway. • Use screen saver lockouts.
Security Recommendation/Configuration Guides • www.nsa.gov/snac/ • www.iatf.net/protection_profiles/profiles.cfm • www.cisecurity.org/ • www.sans.org/score/ • www.sans.org/top20/
IM/Chat Encryption Concerns • Harder to detect chat transmissions through firewalls • Chat clients can contain exploitable interfaces • Rogue chat clients can act as zombie listeners • Users may “enhance” chat clients with third-party add-ons with no assurance of good behavior • Chat, even when encrypted, may be monitored by applications which store and forward traffic to eavesdroppers
Web Services Security • HTTPS • HTML (Hyper Text Markup Language) • XML (eXtensible Markup Language) • SOAP (Simple Object Access Protocol) • SAML (Security Assertion Markup Language) • WSDL (Web Service Description Language) • UDDI (Universal Discovery and Integration) • XACML (eXtensible Access Control Markup Language) • XKMS (XML Key Management System) • WS-Security • WSS Encryption • WSS Digital Signature
Servers • How Many Servers? • Where located and physically secured/protected? • Operating system of server(s)? • Auditing – specifics, including list of servers with auditing enabled and what is being audited • Administrator Remote Access – all machines used should have as a minimum a software firewall; all should be using strong passwords or, better yet, tokens • Backups/Storage (including remote storage)
Security Questions
• What's your password policy? (Number of characters, complexity, aging, account lockout)
• Is there a procedure for identifying users before resetting passwords?
• Is there a method of authorizing new accounts and getting rid of old accounts?
• Is there a process to limit access based on job function and/or roles?
• How often do you review your access-control lists?
• Do you give individuals only enough access to do their jobs?
• Is there a firewall?
• What type of connectivity do you have to the Internet or to outside partners? Are these connections protected?
• Do you use antivirus products? If so, are they updated regularly?
• Do you use laptops? If so, are users trained on how to properly protect them both physically and electronically?
• Do you allow remote connectivity? If so, do you use strong authentication for remote access into your network?
• Is your voice-mail system secured with passwords?
Security Training Checklist
• Get top management on board.
• Tie the training to the mission of the organization.
• Develop a comprehensive program. A good security program should involve a mix of computer-based training and classroom instruction, as well as ongoing awareness efforts such as posters, flyers, and regular e-mail messages.
• Teach the “whys” as well as the “hows” of security. Employees are much more likely to follow security rules if they understand the consequences of not following them.
• Offer role-based training. Beyond the fundamentals, managers and Web developers need more in-depth security training than clerks and human resources personnel.
• Account for the different types of employment environments, including in the home, in the field, and in foreign countries, as well as at contractors’ locations.
• Make the training dynamic. Training needs should be constantly monitored and content refreshed on a regular basis.
• Train individuals as needed. If new employees arrive after a security-awareness course has been held, don’t wait until next year’s course to bring them up-to-date.
• Always follow up. Employee practices must be monitored using audits or system controls, and their awareness of security measures should be reinforced on a regular basis.
BEST PRACTICES
• Create an up-to-date security policy. The policy should explicitly state the rules for password control, data access, what is expected of security software and who has responsibility for security. Some agencies may need to dust off their policies, modernize them and then monitor them constantly to keep them current.
• Identify critical systems and data. Program managers and information technology specialists must rate the importance of their computer systems in the areas of confidentiality, integrity and availability. Agencies will assign vastly different priorities to these three areas. For example, the Weather Service’s top priority is availability, followed by integrity, while the CIA’s is confidentiality, then integrity. The ratings should allow agencies to identify which data and systems are most critical to agency operations and require the highest level of protection.
• Identify the risks associated with those systems and data. Agencies must identify what would happen if critical data were compromised, systems were brought down, or information made public. Agencies should seek to match the appropriate management and technical controls to the level of risk they discover.
• Identify security weaknesses. Hackers exploit known vulnerabilities in software programs. Agencies can go a long way toward closing these back doors by testing their software for vulnerabilities and by plugging openings using patches from software vendors.
• Install affordable security technology. Firewalls and intrusion detection systems can mitigate risks. However, agencies must be sure to maintain their security systems so they don’t provide hackers entryways to sensitive data. They must allocate funds for upkeep and constant monitoring of security software.
• Conduct constant vulnerability testing. Don’t let down your guard after having a third party probe your network, computers, software and web sites for security weaknesses. Overworked systems administrators often ignore the results of these audits. Test constantly to discover new openings that hackers and others can exploit.
• Assign employees dedicated to computer security. When security is handled as an adjunct issue, IT staffers spend their time putting out fires rather than conducting rigorous security testing and maintenance.
Ten Steps to Better Security
Where’s the weakest link in your security chain? Maybe it’s you. Ten things to think about:
1. You’d be surprised how many employees write their passwords on sticky notes, and put them on their monitors. The security-conscious stick the notes under their mouse pads.
2. Companies throw out sensitive material without shredding it. If a thief can raid your trash for a print-out from your database, why bother hacking?
3. How much physical security do you have? In many places, anyone with a pizza box can walk in, get what’s needed and walk out.
4. Almost no one does a background check on programmers. Even fewer ask about the people working for the nighttime cleaning service.
5. Firewalls and other forms of security software can be hard to configure. One wrong turn, and there’s an open door to your network.
6. Every operating system has default passwords set by manufacturers, so administrators can get in for the first time. That means everyone knows them. Did you change yours yet?
7. Outsiders can access your network if you allow dial-up modems at employees’ desks. All they need is the phone number. And don’t put too much confidence in passwords: there are cracking programs that find passwords through brute computing force and a knowledge of tricks, like substituting the number 1 for the letter I, that users think keep them safe.
8. Some computers are more valuable than others – servers, for example. Are yours behind locked doors?
9. Your system management tools have security logs and both network and host security-monitoring programs. If you don’t review them daily, you’ll miss evidence that can warn you of a current attack. Some monitoring software will also send alerts.
10. Train your employees on procedures that might keep intruders out. For example, don’t let employees set their e-mail to automatically open attachments, which might carry viruses or Trojan horses.
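Item 9 as working code, added here and not part of the presentation: a review of constructed OpenSSH-style auth log lines that alerts on a burst of failed logins from one source and on a login that succeeds right after such a burst (host names, addresses and thresholds are assumptions):

```python
"""Added example (not from the presentation): the daily log review from item 9
as code. It parses constructed OpenSSH-style auth log lines, normalises them
into events, and raises an alert for a burst of failed logins from one source
and for a success that follows such a burst. Sample lines, hosts and
thresholds are assumed."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (documentation addresses, not real hosts).
AUTH_LOG = """\
2024-03-04T02:14:01 host1 sshd[911]: Failed password for admin from 203.0.113.7 port 51000 ssh2
2024-03-04T02:14:05 host1 sshd[912]: Failed password for admin from 203.0.113.7 port 51001 ssh2
2024-03-04T02:14:09 host1 sshd[913]: Failed password for root from 203.0.113.7 port 51002 ssh2
2024-03-04T02:14:12 host1 sshd[914]: Failed password for admin from 203.0.113.7 port 51003 ssh2
2024-03-04T02:14:20 host1 sshd[915]: Failed password for admin from 203.0.113.7 port 51004 ssh2
2024-03-04T02:14:31 host1 sshd[916]: Accepted password for admin from 203.0.113.7 port 51005 ssh2
2024-03-04T09:01:10 host2 sshd[300]: Failed password for alice from 198.51.100.4 port 40000 ssh2
2024-03-04T09:05:00 host2 sshd[301]: Accepted password for alice from 198.51.100.4 port 40001 ssh2
"""

LINE = re.compile(
    r"(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<src>[0-9.]+) port \d+"
)


def parse(text):
    """Turn raw lines into normalised events; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "host": m["host"],
                "user": m["user"],
                "src": m["src"],
                "ok": m["result"] == "Accepted",
            })
    return events


def review(events, window_s=600, brute_threshold=5, pre_success_threshold=3):
    """Return alert strings, scanning events in time order with a sliding window."""
    alerts = []
    failures = defaultdict(list)  # source -> timestamps of failures inside the window
    reported = set()              # sources already reported for brute force
    for ev in sorted(events, key=lambda e: e["ts"]):
        recent = [t for t in failures[ev["src"]] if (ev["ts"] - t).total_seconds() <= window_s]
        failures[ev["src"]] = recent
        if not ev["ok"]:
            recent.append(ev["ts"])
            if len(recent) >= brute_threshold and ev["src"] not in reported:
                reported.add(ev["src"])
                alerts.append(f"brute force: {len(recent)} failed logins from {ev['src']} "
                              f"on {ev['host']} within {window_s}s")
        elif len(recent) >= pre_success_threshold:
            # A success right after repeated failures is the case worth a same-day look.
            alerts.append(f"possible compromise: {ev['user']}@{ev['host']} logged in from "
                          f"{ev['src']} after {len(recent)} recent failures")
    return alerts


if __name__ == "__main__":
    for alert in review(parse(AUTH_LOG)):
        print(alert)
```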
Mobile PC Lock Down
Mobile PC security is divided into three critical parts. First, always, is physical access to the device, whether this means fastening down your notebook PC in a hotel, using a secure carrying case in a vehicle or preventing access to the operating system via a biometric or password-based utility. Next in the hierarchy of parts is access to the actual data on the mobile device; this usually means encryption or even software that can automatically wipe the hard drive in the case of unauthorized access attempts. The third piece is related to the rapidly expanding use of wireless networks, including public access networks that, although extremely tempting to use because of their convenience, can provide easy access to mobile data. But in a very real sense, all mobile-security worries boil down to just one overriding concern—loss of control over users and data once they leave the office.
Mobile-security requirements are far more difficult to meet than those for a workstation or network. Mobile equipment is vulnerable to all the same threats networked workstations are, plus they have additional weak spots unique to handheld hardware. For example, there are viruses and Trojans that target personal digital assistants and cell phones, just as there are for PCs. But on top of that, there are the security vulnerabilities of wireless connectivity as well as the problem of loss or theft. As weak as some network security is, once you take a data storage or processing device of any sort outside the relative safety of the network umbrella, you are treading on thin ice.
Vulnerable security schemes
User policies regarding access controls, as well as what data can be stored on a mobile device, must be codified and strictly enforced. No matter how good a password, biometric or encryption scheme is, you must strictly forbid users from putting certain information on a PDA, notebook or cell phone. That’s because all such security schemes have a finite probability of being broken by a clever hacker or rendered vulnerable by an undetected flaw in the security tools. Certainly, confidential agency contacts, log-in information and agency credit card numbers must be forbidden, as well as such simple data as phone numbers and e-mail addresses of supervisors or colleagues. Of course, this is exactly the sort of information many of us would like to store on a mobile device. The hardware, software and other tools—such as a security case—included in this guide can help a lot, but they should be part of an overall security strategy. As a matter of policy, it’s better to be safe than sorry.
A good mobile-security policy must include rules for:
• Keeping vital data off the device
• Securing or disabling any wireless connectivity features
• Installing and maintaining data encryption tools
• Enforcing mandatory encryption of all data at all times
• Installing and maintaining anti-malware tools
• Assigning physical responsibility for the device to one person
• Maintaining good records of who has possession of the device.
A policy also must have rules for:
• Maintaining current, secure records of what software and data are on each device
• Using strong authentication and access controls, including passwords and biometric tools
• Attaching alarms or tracking devices where practical
• Performing secure, periodic data backups, even while on the road
• Imposing restrictions on personal use of a device.
Critical to any mobile-device security policy is your ability to enforce the policy. But in addition to that, you have to instill a security-conscious culture. For example, some users may view their mobile devices as personal property, putting their own data and even games on them. They may also feel a certain amount of freedom from centralized management as they walk out the door with a mobile device.
Drawing the line
You must emphasize to users that mobile devices are even more difficult to secure than their desktop computers and that they will be held responsible for losses of data or devices. Moreover, data will have to be considered compromised if they lose physical control over a device even for a few minutes. Of course, users may already have lost wireless control even if they retain physical control, but that is why you need good electronic protection. Cloning software is the ideal method to ensure that devices conform to a consistent standard as they are handed out to users. It can also provide users a way of quickly restoring data and software onto their devices, even when in the field. Knowing that all data can be easily recovered will make it much more likely that a user will simply reset hardware when there is any possibility of data compromise.
Ten Steps To Secure Networking
Moving your defence beyond firewalls and other point solutions.
Secure networking ensures that the network is available to perform its appointed task by protecting it from attacks originating inside and outside the organisation.
Traditional thinking equates this to a handful of specific requirements, including user authentication, user device protection and point solutions. However, the move to convergence, together with greater workforce mobility, exposes networks to new vulnerabilities, as any connected user can potentially attack the network.
Application traffic must be securely delivered across the network, avoiding threats such as theft of intellectual property or private data. In addition, the underlying infrastructure must be protected against service disruption (in which the network is not available for its intended use) and service theft (in which an unauthorised user accesses network bandwidth, or an authorised user accesses unauthorised services).
While most organisations focus on securing the application traffic, few put sufficient infrastructure focus beyond point solutions such as firewalls. To protect the total network, security must be incorporated in all layers and the complete networking lifecycle.
Secure networking layers
Secure networking involves securing the application traffic as it traverses the network. It should encompass these areas:
• Perimeter security protects the network applications from outside attack, through technologies such as firewall and intrusion detection.
• Communications security provides data confidentiality, integrity and non-repudiation, typically through the use of Secure Sockets Layer or IPsec virtual private networks (VPN).
Secure networking extends this by protecting the underlying infrastructure from attack.
• Platform security ensures that each device is available to perform its intended function and doesn't become the network's single point of failure. The network security plan should include antivirus checking and host-based intrusion detection, along with endpoint compliance, to ensure that security policies check user devices for required security software.
• Access security ensures that each user has access to only those network elements and applications required to perform his job.
• Physical security protects the network from physical harm or modification, and underlies all security practices. The most obvious forms of physical security include locked doors and alarm systems.
Secure networking lifecycle
Providing a secure network is not a one-time event, but rather a lifecycle that must be continually reviewed, updated and communicated. There are three distinct stages to be considered:
• How can security breaches be prevented? Along with hardening of operating systems and antivirus software, prevention includes processes to regularly review the network's security posture, which is particularly important as new convergence and mobility solutions or new technologies and platforms are added to the network.
• How can security breaches be detected? Although some breaches are obvious, others are much more subtle. Detection techniques include product-level and network-wide intrusion-detection systems, system checks and logs for misconfigurations or other suspicious activity.
• What is the appropriate response to a security breach? A range of preparations must be made to respond to a successful breach, some of which may include the removal of infected devices or large-scale disaster recovery.
Standards for secure networking
To ensure a consistent set of requirements, lower training costs and speed the introduction of new security capabilities, IT managers should use these 10 security techniques across their networks.
1. Use a layered defence. Employ multiple complementary approaches to security enforcement at various points in the network, therefore removing single points of security failure.
2. Incorporate people and processes in network security planning. Employing effective processes, such as security policies, security awareness training and policy enforcement, makes your programme stronger. Having the people who use the network (employees, partners and even customers) understand and adhere to these security policies is critical.
3. Clearly define security zones and user roles. Use firewall, filter and access control capabilities to enforce network access policies between these zones using the least privileged concept. Require strong passwords to prevent guessing and/or machine cracking attacks, as well as other strong forms of authentication.
4. Maintain the integrity of your network, servers and clients. The operating system of every network device and element management system should be hardened against attack by disabling unused services. Patches should be applied as soon as they become available, and system software should be regularly tested for viruses, worms and spyware.
5. Control device network admission through endpoint compliance. Account for all user device types, wired and wireless. Don't forget devices such as smart phones and handhelds, which can store significant intellectual property and are easier for employees to misplace or have stolen.
6. Protect the network management information. Ensure that virtual LANs (VLAN) and other security mechanisms (IPsec, SNMPv3, SSH, TLS) are used to protect network devices and element management systems so only authorised personnel have access. Establish a backup process for device configurations, and implement a change management process for tracking.
7. Protect user information. WLAN/Wi-Fi or Wireless Mesh communications should use VPNs or 802.11i with Temporal Key Integrity Protocol for security purposes. VLANs should separate traffic between departments within the same network and separate regular users from guests.
8. Gain awareness of your network traffic, threats and vulnerabilities for each security zone, presuming both internal and external threats. Use antispoofing, bogon blocking and denial-of-service prevention capabilities at security zone perimeters to block invalid traffic.
9. Use security tools to protect from threats and guarantee performance of critical applications. Ensure firewalls support new multimedia applications and protocols, including SIP and H.323.
10. Log, correlate and manage security and audit event information. Aggregate and standardise security event information to provide a high-level consolidated view of security events on your network. This allows correlation of distributed attacks and a network-wide awareness of security status and threat activity.
The International Telecommunication Union and Alliance for Telecommunications Industry Solutions provide standards that enterprises can use in their vendor selection process. However, no single set of technologies is appropriate for all organisations. Regardless of the size of the organisation or the depth of the capabilities required, secure networking must be an inherent capability, designed into the DNA of every product. By following the steps described above, companies will have the right approach for securing their increasingly mobile, converged networks.
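Step 8 as an added example (not from the article quoted above): an ingress check for a security-zone perimeter that drops spoofed and bogon source addresses and rate-limits new connections per source as a simple denial-of-service control; interface names, address ranges and limits are assumptions:

```python
"""Added example (not from the presentation): a zone-perimeter check applying
step 8 of the list above: antispoofing on both interfaces, bogon blocking on
the outside interface, and a per-source rate limit on new connections.
Interface names, prefixes and limits are assumed."""
import ipaddress
from collections import defaultdict, deque

# Subset of the well-known IPv4 bogon prefixes that must never appear as a
# source on the outside interface. The RFC 5737 documentation nets are left out
# so they can stand in for Internet hosts in the sample traffic.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "224.0.0.0/4", "240.0.0.0/4",
)]

# Assumed address space of the inside security zone.
INTERNAL = [ipaddress.ip_network("192.168.0.0/16")]


def in_any(addr, nets):
    return any(addr in net for net in nets)


class ZoneFilter:
    def __init__(self, internal=INTERNAL, bogons=BOGONS, max_new_per_window=50, window_s=1.0):
        self.internal = internal
        self.bogons = bogons
        self.max_new = max_new_per_window
        self.window_s = window_s
        self.recent = defaultdict(deque)  # source -> timestamps of recent new connections

    def check(self, iface, src, ts):
        """Decide on a new connection arriving on `iface` from `src` at time `ts` (seconds).

        Returns (verdict, reason) where verdict is "accept" or "drop"."""
        src_ip = ipaddress.ip_address(src)
        if iface == "outside":
            # Antispoofing: our own addresses cannot legitimately arrive from outside.
            if in_any(src_ip, self.internal):
                return "drop", "antispoof: internal source address on outside interface"
            if in_any(src_ip, self.bogons):
                return "drop", "bogon source address"
        elif iface == "inside":
            # Egress antispoofing: only our own addresses may leave the inside zone.
            if not in_any(src_ip, self.internal):
                return "drop", "antispoof: non-internal source address leaving inside zone"
        else:
            return "drop", f"unknown interface {iface!r}"
        # Denial-of-service control: cap new connections per source per window.
        q = self.recent[src]
        while q and ts - q[0] > self.window_s:
            q.popleft()
        q.append(ts)
        if len(q) > self.max_new:
            return "drop", f"rate limit: more than {self.max_new} new connections in {self.window_s}s"
        return "accept", "ok"


if __name__ == "__main__":
    zf = ZoneFilter(max_new_per_window=5)
    # Constructed sample traffic: (interface, source, time)
    samples = [("outside", "192.168.1.5", 0.0), ("outside", "127.0.0.1", 0.1),
               ("outside", "203.0.113.9", 0.2), ("inside", "10.0.0.3", 0.3)]
    samples += [("outside", "203.0.113.20", 0.4 + 0.05 * i) for i in range(7)]
    for iface, src, ts in samples:
        print(f"{iface:8} {src:14} t={ts:.2f} -> {zf.check(iface, src, ts)}")
```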
Ten Steps To Secure Networking • Moving your defence beyond firewalls and other point solutions. • Secure networking ensures that the network is available to perform its appointed task by protecting it from attacks originating inside and outside the organisation. • Traditional thinking equates this to a handful of specific requirements, including user authentication, user device protection and point solutions. However, the move to convergence, together with greater workforce mobility, exposes networks to new vulnerabilities, as any connected user can potentially attack the network. • Application traffic must be securely delivered across the network, avoiding threats such as theft of intellectual property or private data. In addition, the underlying infrastructure must be protected against service disruption (in which the network is not available for its intended use) and service theft (in which an unauthorised user accesses network bandwidth, or an authorised user accesses unauthorised services). • While most organisations focus on securing the application traffic, few put sufficient infrastructure focus beyond point solutions such as firewalls. To protect the total network, security must be incorporated in all layers and the complete networking lifecycle. • Secure networking layersSecure networking involves securing the application traffic as it traverses the network. It should encompass these areas: • Perimeter security protects the network applications from outside attack, through technologies such as firewall and intrusion detection. • Communications security provides data confidentiality, integrity and non-repudiation, typically through the use of Secure Sockets Layer or IPsec virtual private networks (VPN). • Secure networking extends this by protecting the underlying infrastructure from attack. • Platform security ensures that each device is available to perform its intended function and doesn't become the network's single point of failure. 
The network security plan should include antivirus checking and host-based intrusion detection, along with endpoint compliance, to ensure that security policies check user devices for required security software. • Access security ensures that each user has access to only those network elements and applications required to perform his job. • Physical security protects the network from physical harm or modification, and underlies all security practices. The most obvious forms of physical security include locked doors and alarm systems. • Secure networking lifecycle • Providing a secure network is not a one-time event, but rather a lifecycle that must be continually reviewed, updated and communicated. There are three distinct stages to be considered: • How can security breaches be prevented? Along with hardening of operating systems and antivirus software, prevention includes processes to regularly review the network's security posture, which is particularly important as new convergence and mobility solutions or new technologies and platforms are added to the network. • How can security breaches be detected? Although some breaches are obvious, others are much more subtle. Detection techniques include product-level and network-wide intrusion-detection systems, system checks and logs for misconfigurations or other suspicious activity. • What is the appropriate response to a security breach? A range of preparations must be made to respond to a successful breach, some of which may include the removal of infected devices or large-scale disaster recovery. • Standards for secure networking • To ensure a consistent set of requirements, lower training costs and speed the introduction of new security capabilities, IT managers should use these 10 security techniques across their networks. • 1. Use a layered defence. Employ multiple complementary approaches to security enforcement at various points in the network, therefore removing single points of security failure.
• 2. Incorporate people and processes in network security planning. Employing effective processes, such as security policies, security awareness training and policy enforcement, makes your programme stronger. Having the people who use the network (employees, partners and even customers) understand and adhere to these security policies is critical. • 3. Clearly define security zones and user roles. Use firewall, filter and access control capabilities to enforce network access policies between these zones using the least privilege concept. Require strong passwords to prevent guessing and/or machine cracking attacks, as well as other strong forms of authentication. • 4. Maintain the integrity of your network, servers and clients. The operating system of every network device and element management system should be hardened against attack by disabling unused services. Patches should be applied as soon as they become available, and system software should be regularly tested for viruses, worms and spyware. • 5. Control device network admission through endpoint compliance. Account for all user device types, wired and wireless. Don't forget devices such as smart phones and handhelds, which can store significant intellectual property and are easier for employees to misplace or have stolen. • 6. Protect the network management information. Ensure that virtual LANs (VLAN) and other security mechanisms (IPsec, SNMPv3, SSH, TLS) are used to protect network devices and element management systems so only authorised personnel have access. Establish a backup process for device configurations, and implement a change management process for tracking. • 7. Protect user information. WLAN/Wi-Fi or Wireless Mesh communications should use VPNs or 802.11i with Temporal Key Integrity Protocol for security purposes. VLANs should separate traffic between departments within the same network and separate regular users from guests.
• 8. Gain awareness of your network traffic, threats and vulnerabilities for each security zone, presuming both internal and external threats. Use antispoofing, bogon blocking and denial-of-service prevention capabilities at security zone perimeters to block invalid traffic. • 9. Use security tools to protect from threats and guarantee performance of critical applications. Ensure firewalls support new multimedia applications and protocols, including SIP and H.323. • 10. Log, correlate and manage security and audit event information. Aggregate and standardise security event information to provide a high-level consolidated view of security events on your network. This allows correlation of distributed attacks and a network-wide awareness of security status and threat activity. • The International Telecommunication Union and Alliance for Telecommunications Industry Solutions provide standards that enterprises can use in their vendor selection process. However, no single set of technologies is appropriate for all organisations. Regardless of the size of the organisation or the depth of the capabilities required, secure networking must be an inherent capability, designed into the DNA of every product. By following the steps described above, companies will have the right approach for securing their increasingly mobile, converged networks.
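Step 8's antispoofing and bogon blocking come down to a small set of source-address checks at each zone perimeter. The Python below is an added example, not code from the original article or from any vendor: it assumes a perimeter with an "outside" (Internet-facing) and an "inside" interface, a constructed list of unroutable ("bogon") prefixes, and the RFC 5737 documentation range 203.0.113.0/24 standing in for the organisation's own public addresses; the sample packets are constructed.

```python
import ipaddress
from collections import Counter
from typing import NamedTuple

# Constructed example: the organisation's own address space. 203.0.113.0/24 is an
# RFC 5737 documentation range used here as a placeholder for a real public prefix.
INTERNAL_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "10.0.0.0/8")]

# Source prefixes that have no business arriving from the Internet ("bogons"):
# unspecified, RFC 1918 private space, loopback, link-local, multicast, reserved.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


class Packet(NamedTuple):
    interface: str  # "outside" = Internet-facing, "inside" = the protected zone
    src: str
    dst: str


def in_any(addr, prefixes) -> bool:
    return any(addr in prefix for prefix in prefixes)


def classify(pkt: Packet) -> str:
    """Return 'permit' or a 'drop:<reason>' verdict for one packet at the zone edge."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.interface == "outside":
        # Ingress: unroutable sources are invalid, and nothing from the Internet
        # may claim one of our own addresses (classic spoofing).
        if in_any(src, BOGON_PREFIXES):
            return "drop:bogon-source"
        if in_any(src, INTERNAL_PREFIXES):
            return "drop:spoofed-internal-source"
    else:
        # Egress: only our own addresses may leave, so a compromised host cannot
        # take part in a spoofed-source flood against someone else.
        if not in_any(src, INTERNAL_PREFIXES):
            return "drop:egress-spoofed-source"
    return "permit"


def summarise(packets) -> dict:
    """Count verdicts over a batch; the kind of figure a perimeter report would show."""
    return dict(Counter(classify(p) for p in packets))


# Constructed sample traffic (placeholder addresses from RFC 5737 / RFC 1918).
SAMPLE_PACKETS = [
    Packet("outside", "198.51.100.9", "203.0.113.10"),    # ordinary Internet client
    Packet("outside", "192.168.1.5", "203.0.113.10"),     # private source from the Internet
    Packet("outside", "203.0.113.7", "203.0.113.10"),     # claims to be one of our addresses
    Packet("inside", "10.1.2.3", "198.51.100.9"),         # legitimate egress
    Packet("inside", "198.51.100.77", "198.51.100.9"),    # forged source leaving us
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p.interface, p.src, "->", p.dst, classify(p))
    print(summarise(SAMPLE_PACKETS))
```

The egress rule is the half most often forgotten: it protects other organisations from yours, and in practice it is also what stops a compromised internal host from hiding behind a forged source address.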
How ‘Good’ is Your Security Policy? • If asked the following question, “How good is your Security Policy?” what would the response be from your organisation? Chances are that most respondents would initially reply in a positive manner. But what does ‘good’ really mean in the context of a security policy? Does it mean the policy effectively meets the business requirement? Is it meant to imply that it has been updated recently to include the latest piece of legislation? Does ‘good’ mean it’s clearly written and easy to understand by all your staff, or does it simply mean that it now includes a section dealing with mobile devices such as PDAs and USB sticks? In reality, to be considered ‘good’, your security policy should address all of these issues and more besides. The primary aim of your information security policy must be to enable your organisation and all of your employees to operate in a safe and secure manner. An appropriate policy, effectively applied, should minimise the potential for security breaches, adhere to the latest standards and ensure your organisation remains legally compliant. A well-constructed policy provides you with the basis for consistent understanding and enforcement across your organisation. It provides your security staff with specific rules and guidelines for carrying out their duties. It also should include clear guidance regarding how much and what kinds of security measures are necessary to achieve an agreed and acceptable level of risk. Security policies have a number of human, financial and legal consequences. Because of this, great care needs to be taken to ensure that such policies accurately reflect the current situation. Your security policy is, by its very nature, a dynamic document that must be updated regularly so as to keep pace with changes in organisational structure, revised security standards, evolving technology and communications infrastructure, and legislative requirements. 
It is not unusual for organisations to have a number of disparate documents distributed throughout the business, each addressing various issues such as acceptable use of company e-mail and the Internet, physical security of company assets, and so on. Although the size and nature of the business, its network infrastructure and its security requirements may well have changed considerably since these documents were introduced, often some or all of them have not been reviewed or updated for some considerable time – if ever! Certainly, the legal requirements for the protection of personally sensitive data have changed dramatically of late and it is common to discover that individual organisations’ security policies have not kept pace. It is highly likely that your own policy may need to be reviewed and updated to ensure it not only meets your current security requirements, but also that your organisation remains compliant with all applicable UK and European law. Additional legislation dealing with the protection of data and monitoring in the workplace has been introduced recently that may have a significant impact on both public and private sector organisations. Many, however, fail to appreciate the impact that legislative changes can have on their organisations. Serious repercussions, including adverse financial consequences, can occur if organisations do not make the necessary changes to the way they operate. Furthermore, many organisations are required to demonstrate to external and internal auditors that they meet prescribed standards in the way in which they secure and operate their businesses and in how they interact with, for example, business partners and customers. Correctly interpreting how the various pieces of legislation and corporate governance guidelines apply to your organisation is a serious challenge and one where mistakes potentially can prove very costly.
Security standards in the UK are based on a recognised industry standard - British Standard BS-7799. Part 1 of BS-7799 is an International standard - ISO 17799. The standard provides an approved framework from within which businesses can operate securely. Wherever possible, therefore, organisations should strive to ensure their security policy complies with it. Best practice (BS-7799/ISO-17799) recommends that security policies are updated regularly so as to ensure organisations continue to protect themselves from the risk of security breaches whilst remaining legally compliant. In order to ascertain if your organisation’s security policy could benefit from an update, consider the following: • Does your current policy incorporate sufficient procedures to cover the use of Personal Digital Assistants (PDAs) and similar mobile devices? • Does your organisation have a policy to control the use of USB memory sticks? • Do you monitor staff use of e-mail and the Internet? • Does your organisation use CCTV and, if so, do you comply with the relevant guidelines for its use? • Do any of your personnel work remotely or on the move and, if so, are they connecting securely? • Are you aware of the main areas contained within ‘The Telecommunications Lawful Business Practice Regulations’ and ‘The Employment Practices Data Protection Code’ in respect of the monitoring of communications? • Does the Civil Contingencies Bill (which came into force last year) apply to your organisation? If you are unsure about any of these issues – and this is by no means an exhaustive list – it is highly likely that your security policy needs reviewing and updating. Only by doing so will you ensure that your organisation continues to meet both its legal requirements and its security objectives.
10 Tips For Securing Wireless Devices • The best defense for companies using wireless technology is a strategy that secures everything from the front-end to the back-end. Yet “end-to-end security” can mean many different things to different enterprises. • That's why the first step, before investing in firewalls, encryption, virus detection, spam blockers or any other such hardware or software, is to define end-to-end security. • The trouble, says Craig Mathias, founder of Farpoint Group, a wireless technology consultancy, is that there is no such thing as “absolute security.” • Security Strategies Still Emerging • Security for wireless devices is still in its infancy, and luckily so are hacker attacks against the devices. But security must become a priority as enterprises become increasingly mobile, with executives and employees alike relying on wireless laptops, PDAs, BlackBerries and high-end cell phones to access enterprise networks. These devices boast multiple platforms and a variety of inherent security issues. • Though there has been some concern about “cross-pollination” of computing viruses (a virus from a cell phone infecting a computer and vice versa), the underlying technologies, at least at the present time, are still too different for this to occur, Hopen says. As the technologies continue to merge, however, it could become an issue. • Among the most common mistakes with wireless technology security, surprisingly enough, is not having any security at all, Mathias explains. • “What you need to do is secure your network to the point that the professional information thief will give up on his attempts to obtain [the company’s information],” Mathias says. • Here are 10 tips to get started on a good security strategy: • 1) Establish an overall security policy.
This, says Alexander Doll, CFO and VP of business development for security software vendor PGP Corp., based in Palo Alto, Calif., should include not only what end-to-end security means for the company, but also list out the responsibilities for security upgrades, permissions for accessing the network with wireless devices, building security, account access, etc. The security policy should also cover how the enterprise deals with an actual or attempted security compromise, notes Chris Hopen, CTO at Aventail, a VPN vendor based in Seattle, Wash. • 2) Encrypt anything of value on the network. This includes customer data, company information or anything else that could hurt the company directly or indirectly if it gets into the wrong hands. That way, if a salesman loses a laptop or it is stolen, the customer contact information or other intellectual property has no value to the finder/thief. Don’t expend resources encrypting everything, however. A 128-bit encryption key is considered unbreakable, though shorter keys may be acceptable for less critical data. There’s no need to encrypt the company’s cafeteria menu, for example. • 3) The VPN need. Use virtual private networks with Secure Sockets Layer (SSL) for communication with remote devices. This enables anyone to access the company’s Web site, which doesn’t require SSL, but limits access to applications to those with proper authorization. • 4) Limit access to files. While a salesman might have need for historical customer information (name, address, previous purchases from the company), they likely have no need for the credit card number, which may be the responsibility of the accounting/billing department. So the salesman shouldn’t be able to access those files or databases. A technician may need to access hardware information to service an installation, but may have no need for customer relationship management details. • 5) Use endpoint scanning technology.
This identifies what wireless and wired devices are accessing the network and determines whether they have the authorization as well as proper security (e.g., updated Windows patches, no known viruses). More security threats can come from unprotected remote devices (e.g., laptops), which pick up viruses while used remotely and then access the network, than from outside hackers. Because a user, rather than the enterprise, often owns the device, the company doesn’t automatically perform security updates on it. A related major security mistake that many businesses and individuals make is allowing anyone to have access to a wireless device, says Mathias. So every wireless device should include some type of “challenge,” like a PIN and password to allow access, and should include automatic timeouts after a specific period of time of non-usage. • 6) Employ WPA or 802.1x technology in WLANs. This technology requires a user to use an authentication key to access the wireless LAN. The newer 802.1x technology is designed to be used in enterprise environments where both wired and wireless networks might be present. • 7) Test, test, test. Testing is mandatory to ensure that security works as expected. This includes having trusted people (or third parties) attempt to hack into the system with a remote device and ensuring that authorized people can continue to access the network as desired. • 8) Employ two-step authentication. For the best protection, this means more than a PIN and password. Typically, it's a combination of something a person knows (password) with something he has, like a token. Some 60 percent of Aventail installations include security tokens, Hopen says. If a company is small and has only a few people who need authorization, then it might want to consider using pre-shared keys. Larger enterprises should rely on tokens that change the keys on a predetermined basis. Hopen, for example, carries a token on a key chain that changes the key every 60 seconds.
• 9) Audit/monitor results. This is important not only from a security standpoint, but also for Sarbanes-Oxley compliance, Hopen points out. • 10) Understand security is a continual process. IT leaders and all staff must realize that security is an ongoing process, not a one-time event. As Mathias notes, “You’re never done” when it comes to network security.
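Tip 8's key-chain token that changes every 60 seconds is a time-based one-time password, and the login it describes pairs that token with a password. The Python below is an added example, not code from the article or from Aventail: it implements HOTP (RFC 4226) and TOTP (RFC 6238) with the standard library, rotates the code every 60 seconds to match the article's example (the RFC default is 30), accepts one step of clock drift either side, and combines the token with a salted PBKDF2 password hash; the seed, salt, password and timestamp are constructed.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60          # the article's token rotates every 60 s (RFC 6238's default is 30)
PBKDF2_ROUNDS = 100_000    # constructed choice for the password (knowledge) factor


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte big-endian
    counter, then 'dynamic truncation' to a 31-bit integer reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = STEP_SECONDS) -> str:
    """Time-based variant (RFC 6238): the counter is the number of steps since the epoch."""
    return hotp(secret, int(at // step))


def verify_totp(secret: bytes, code: str, at: float,
                step: int = STEP_SECONDS, window: int = 1) -> bool:
    """Accept the current step and `window` steps either side, so modest clock drift on
    the token does not lock the user out; every candidate is compared in constant time."""
    counter = int(at // step)
    accepted = False
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), code):
            accepted = True
    return accepted


def make_user(password: str, totp_secret: bytes, salt: bytes) -> dict:
    """Store only a salted PBKDF2 hash of the password, plus the token seed."""
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        "totp_secret": totp_secret,
    }


def authenticate(user: dict, password: str, code: str, at: float) -> bool:
    """Two factors: something known (the password) and something held (the token).
    Both are always evaluated so the response time does not reveal which one failed."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    password_ok = hmac.compare_digest(candidate, user["pw_hash"])
    token_ok = verify_totp(user["totp_secret"], code, at)
    return password_ok and token_ok


if __name__ == "__main__":
    # Constructed seed, salt and timestamp; a real seed is generated randomly per token.
    seed = b"constructed-demo-seed-not-for-use"
    now = 1_700_000_000
    user = make_user("correct horse battery", seed, b"constructed-salt")
    print("token shows:", totp(seed, now))
    print("login ok:", authenticate(user, "correct horse battery", totp(seed, now), now))
```

The drift window is the operational trade-off: each extra step accepted makes a stale code usable for longer, so keep it to one step and fix the clocks instead of widening it. The seed is the whole secret of the token; it needs the same storage protection as the password hash, which is why tip 2's encryption applies to it as well.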
NAC Will Fill a Big IT Security Gap • Opinion: Some form of network access control needs to be at least in the works for any large network, and administrators should insist on standards compliance. When Zotob and other worms attacked a Windows vulnerability in August, some (yeah, that's me) were surprised that large companies were affected. After all, even a simple firewall should have blocked the attack. The problem was that many large corporate networks aren't as controlled as you'd think. The most common explanation is of remote users and notebooks taken out of the office, infected outside the corporate LAN, and then brought back in either physically or through a VPN, there to dirty-up everyone else. Everyone knows a lot of this goes on, but you'll also find rogue access points and other policy cheats that end up compromising security. Let's take the dirty notebook example: Let's face it, that notebook just shouldn't be allowed on the network unless it's properly protected. For this reason, numerous big names in security have been developing and pushing systems to check systems as they attach to the network, checking to see if they meet certain policy requirements, such as service pack and patch levels, personal anti-virus and firewall, and signatures up-to-date. If they do meet these standards, they are allowed on the network. If not, they are placed in a quarantined segment from which they can do little other than remediate their problems, for instance by updating their anti-virus. Some call this generic approach NAC (network access control), as distinguished from Cisco's specific implementation, Network Access Control program. I'm bullish on NAC, the general approach. Systems like this enforce rules that everyone knows are necessary. I don't know of any studies in this regard, but I would think they tend to reduce support calls, which is another good thing.
Thus, I was excited to read that Juniper Networks is buying Funk Software for their network access security products. One of the really encouraging parts of this story is Juniper's interest in the TCG (Trusted Computing Group)'s Trusted Network Connect specification for NAC. NAC is exactly the sort of feature that could benefit from open standards. Juniper wants to use these standards to build products with best-of-breed components and not be locked into a whole stack from one vendor. Customers should expect no less. Proprietary NAC implementations, even if their specifications are open, are a mistake. There needs to be one set of standards to follow so that agent management can be easy and so that ISVs can provide easier support for the system. I actually think that some day ISPs might offer such a service, although it would be difficult. It should be possible to offer Internet service protected by many of the more advanced security techniques available to corporate networks, and some customers might be willing to pay more for an Internet access service that is demonstrably safer. There are definitely problems with such a scheme, beginning with the fact that corporate users aren't usually allowed, as consumers are, to install whatever they please on their systems, and there probably won't be the option of IT coming to your home for network support. Part of the answer could be NAC with policies more restrictive than consumers are used to. If the teenagers try to install Grokster, the system may lose its connection to the network. I bet there are lots of parents who would not object to restrictive policies and opening up their systems to remote management. They might even pay more for it.
If you're shuddering at this vision of an "unfree" future, then take your business elsewhere when your ISP turns this switch, which is not likely and years away, even if it were to happen. Most people would view it as a solution to a real problem, though. Yes, a world where NAC is standard and ubiquitous is one where we have less freedom to run whatever we want on the network. But it's not 1984, and a network where anyone can do what they want is a Hobbesian state of nature that repels all normal people. A good NAC system is a protection against anarchy.
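The admission check that both this column and tip 5 of the wireless article describe (inspect the device as it attaches, admit it if it meets the patch, antivirus and firewall requirements, otherwise put it in a quarantined segment where it can only remediate) can be written down as plain policy evaluation. The Python below is an added example, not code from either article or from any NAC product: the posture report fields, the policy thresholds and the VLAN numbers are constructed placeholders, and the evaluation date is fixed so the example is repeatable.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

# Constructed policy; the thresholds are placeholders, not values from the articles.
POLICY = {
    "min_patch_level": (2, 14),        # (service pack, cumulative patch number), compared as a tuple
    "max_signature_age_days": 7,
    "require_antivirus": True,
    "require_host_firewall": True,
}
PRODUCTION_VLAN = 100
QUARANTINE_VLAN = 999   # remediation-only segment: patch and AV update servers reachable, nothing else


@dataclass
class Posture:
    """What the endpoint agent (or scanner) reports when a device attaches."""
    host: str
    patch_level: Tuple[int, int]
    antivirus_installed: bool
    signature_date: Optional[date]
    host_firewall_enabled: bool


@dataclass
class Decision:
    host: str
    vlan: int
    failures: List[str] = field(default_factory=list)


def evaluate(p: Posture, today: date, policy: dict = POLICY) -> Decision:
    """Collect every failed requirement so the user sees the whole remediation list at
    once, then place the device in production only when nothing failed."""
    failures = []
    if p.patch_level < policy["min_patch_level"]:
        failures.append("patch-level-below-minimum")
    if policy["require_antivirus"]:
        if not p.antivirus_installed:
            failures.append("antivirus-missing")
        elif p.signature_date is None:
            failures.append("antivirus-signature-date-unknown")
        elif (today - p.signature_date).days > policy["max_signature_age_days"]:
            failures.append("antivirus-signatures-stale")
    if policy["require_host_firewall"] and not p.host_firewall_enabled:
        failures.append("host-firewall-disabled")
    vlan = PRODUCTION_VLAN if not failures else QUARANTINE_VLAN
    return Decision(p.host, vlan, failures)


# Constructed posture reports for three devices attaching on the same day.
TODAY = date(2005, 11, 1)
SAMPLE_POSTURES = [
    Posture("desk-01", (2, 15), True, date(2005, 10, 30), True),   # compliant desktop
    Posture("lap-07", (1, 9), True, date(2005, 9, 1), False),      # the "dirty notebook"
    Posture("lap-12", (2, 14), False, None, True),                 # no antivirus at all
]

if __name__ == "__main__":
    for posture in SAMPLE_POSTURES:
        d = evaluate(posture, TODAY)
        print(f"{d.host}: VLAN {d.vlan} {d.failures or 'compliant'}")
```

The point of returning the full failure list rather than stopping at the first one is support load: a device bounced to quarantine three times for three separate reasons is exactly the kind of call the column hopes NAC will reduce. The posture report itself should come from an agent the device cannot easily lie to, which is where the column's interest in the Trusted Network Connect specification comes in.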
Anomaly Detection • Examines patterns of network use and the information that comes from those patterns. The data then is compared to expected norms to identify unusual or unauthorized activity. • The idea is to use technology to bring different data sources together and determine what’s anomalous behavior, not because any one source is telling you that, but because there were multiple events that seem to be related, and when you draw rules against them or do some statistical analysis against them, they appear to be out of the norm. • Anomaly detection is best used when a large amount of traffic must be examined. • It ties together security and operations so you have the big picture and can determine what’s normal behavior on your network. That way, you can observe behavior that’s abnormal.
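The slide describes three things: a baseline of normal behaviour, a statistical test against it, and correlation of the result with events from other sources so that no single source has to make the call. The Python below is an added example, not from the original deck: it assumes a constructed history of outbound volume per host, one new observation per host, and a few constructed authentication and firewall events, and it reports only hosts where more than one independent source points the same way.

```python
import statistics
from collections import defaultdict

# Constructed baseline: outbound megabytes per hour for two hosts over eight observed
# hours. A real baseline would be built from flow records over weeks, per hour of day.
HISTORY = {
    "ws-101": [12, 15, 11, 14, 13, 12, 16, 13],
    "ws-102": [40, 45, 38, 42, 44, 41, 39, 43],
}
# The hour just observed (constructed).
OBSERVED = {"ws-101": 95, "ws-102": 46}

# Constructed events from other sources: the authentication log and the firewall log.
OTHER_EVENTS = [
    {"host": "ws-101", "source": "auth", "event": "interactive-logon", "hour": 2},
    {"host": "ws-101", "source": "firewall", "event": "new-external-destination", "hour": 2},
    {"host": "ws-102", "source": "auth", "event": "interactive-logon", "hour": 9},
]
BUSINESS_HOURS = range(7, 20)


def z_score(value: float, samples) -> float:
    """Distance of `value` from the sample mean in standard deviations. A perfectly flat
    baseline (zero deviation) is treated as 'no information' rather than as infinite."""
    mean = statistics.fmean(samples)
    sd = statistics.pstdev(samples)
    return 0.0 if sd == 0 else (value - mean) / sd


def volume_anomalies(history: dict, observed: dict, threshold: float = 3.0) -> dict:
    """Hosts whose latest outbound volume is more than `threshold` deviations above normal."""
    flagged = {}
    for host, samples in history.items():
        z = z_score(observed[host], samples)
        if z > threshold:
            flagged[host] = round(z, 1)
    return flagged


def correlate(anomalies: dict, events: list, business_hours=BUSINESS_HOURS) -> dict:
    """Tie the statistical signal to events from other sources and report only hosts
    where at least two independent signals agree; one signal alone stays a statistic."""
    signals = defaultdict(set)
    for host, z in anomalies.items():
        signals[host].add(f"outbound-volume(z={z})")
    for e in events:
        if e["source"] == "auth" and e["hour"] not in business_hours:
            signals[e["host"]].add("off-hours-logon")
        if e["source"] == "firewall" and e["event"] == "new-external-destination":
            signals[e["host"]].add("new-external-destination")
    return {host: sorted(s) for host, s in signals.items() if len(s) >= 2}


if __name__ == "__main__":
    flagged = volume_anomalies(HISTORY, OBSERVED)
    print("volume anomalies:", flagged)
    print("correlated findings:", correlate(flagged, OTHER_EVENTS))
```

With these constructed numbers ws-101's 95 MB sits tens of deviations above its baseline while ws-102's 46 MB is within two, so only ws-101 is flagged; the off-hours logon and the new external destination then turn that statistic into a finding worth a person's time. The threshold of three deviations is the usual starting point and is where the operations side of the slide earns its place: a known backup window or a software rollout is the first thing to check before anyone treats the host as compromised.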
Routers As Network Security Auditing devices • Router logs are a treasure trove of security intelligence that, with proper analysis, can help you be proactive and measure your network’s security posture. • Compare what arrives at your enterprise’s front door with what actually gets through. • Scripts can automate the retrieval of router logs and parse them on a regular schedule. • By aggressively monitoring the logs, you can detect and correct errors and misconfigurations before they are exploited. • By monitoring router logs, you can fine-tune an IDS’s configuration to reduce false positives and refine the IDS’s intelligence by verifying attacks and identifying their sources. • Router logs can reveal attempted attacks against VPN devices; since VPN logs typically record only successful transactions, they won’t yield the same information. • Routers can be more than just traffic cops: They’re investigators, auditors, and enforcers. While they’re not robust as a security solution, they can augment and enhance the security provided by core network security devices.
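Parsing router logs and comparing what arrived at the front door with what got through, as the slide suggests, is a short script. The Python below is an added example, not from the original deck: the log lines are constructed in the Cisco IOS IPACCESSLOGP message format with RFC 5737 documentation addresses, the set of ports that must stay blocked from outside is a constructed policy, and the three reports (offered versus admitted packets per port, sources denied on several different ports, and permitted traffic that contradicts the policy) are the kind of output the slide says can confirm attacks for an IDS and surface misconfigurations before they are exploited.

```python
import re
from collections import defaultdict

# Constructed ACL log lines in the Cisco IOS IPACCESSLOGP format; addresses are from
# the RFC 5737 documentation ranges, and the access list name is a placeholder.
SAMPLE_LOG = """\
Nov  1 10:01:02 edge-rtr 101: %SEC-6-IPACCESSLOGP: list OUTSIDE-IN denied tcp 198.51.100.9(44321) -> 203.0.113.10(445), 1 packet
Nov  1 10:01:03 edge-rtr 102: %SEC-6-IPACCESSLOGP: list OUTSIDE-IN permitted tcp 198.51.100.20(51000) -> 203.0.113.10(443), 12 packets
Nov  1 10:01:04 edge-rtr 103: %SEC-6-IPACCESSLOGP: list OUTSIDE-IN denied tcp 198.51.100.9(44322) -> 203.0.113.10(139), 1 packet
Nov  1 10:01:05 edge-rtr 104: %SEC-6-IPACCESSLOGP: list OUTSIDE-IN denied tcp 198.51.100.9(44323) -> 203.0.113.11(22), 1 packet
Nov  1 10:01:06 edge-rtr 105: %SEC-6-IPACCESSLOGP: list OUTSIDE-IN permitted tcp 198.51.100.31(40000) -> 203.0.113.12(23), 3 packets
Nov  1 10:01:07 edge-rtr 106: %SEC-6-IPACCESSLOGP: list OUTSIDE-IN denied udp 198.51.100.9(1) -> 203.0.113.10(161), 1 packet
"""

ACL_LINE = re.compile(
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)

# Ports the perimeter policy says must never be reachable from outside (constructed).
BLOCKED_FROM_OUTSIDE = {23, 139, 161, 445}


def parse(text: str) -> list:
    """Turn ACL log lines into records; lines that do not match the pattern are skipped."""
    records = []
    for line in text.splitlines():
        m = ACL_LINE.search(line)
        if m:
            r = m.groupdict()
            for key in ("sport", "dport", "count"):
                r[key] = int(r[key])
            records.append(r)
    return records


def front_door_vs_through(records: list) -> dict:
    """Packets offered versus packets admitted, per destination port."""
    table = defaultdict(lambda: {"denied": 0, "permitted": 0})
    for r in records:
        table[r["dport"]][r["action"]] += r["count"]
    return dict(table)


def probing_sources(records: list, min_ports: int = 3) -> list:
    """Sources denied on several different destination ports: confirmed reconnaissance
    the IDS can be told about rather than left to infer on its own."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "denied":
            ports[r["src"]].add(r["dport"])
    return sorted(src for src, p in ports.items() if len(p) >= min_ports)


def policy_gaps(records: list, blocked=BLOCKED_FROM_OUTSIDE) -> list:
    """Permitted traffic to a port the policy says is blocked: an access list that
    does not match the written policy, to be corrected before anyone relies on it."""
    return [r for r in records if r["action"] == "permitted" and r["dport"] in blocked]


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print("per-port offered vs admitted:", front_door_vs_through(recs))
    print("sources probing several ports:", probing_sources(recs))
    for gap in policy_gaps(recs):
        print("policy gap:", gap["acl"], gap["src"], "->", gap["dst"], "port", gap["dport"])
```

In the constructed sample the third report is the one that matters most: the access list is letting telnet (port 23) through to an internal host even though the policy says it is blocked, which is precisely the misconfiguration the slide says a regular log review finds before an attacker does. Scheduling `parse` over each day's syslog and diffing the per-port table against the previous day's gives the "measure your posture" view the slide asks for.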