C3 Security Consulting LLC
Confidentiality
Integrity
Availability
Related Links
Sysinternals Security Freeware (now owned by MS)
A great range of freeware tools for the beginner and expert alike.
Linux Devices
To see a range of devices that run on Linux look at www.linuxdevices.com.
Information Week
News, events and security articles.
Microsoft Midsize Business: Security
Use the resources below to find security solutions geared toward midsize businesses with 25 — 500 PCs.
NIST
NIST, Computer Security Resource Center.

Areas of Focus


One approach is to split up your IT environment into subsections, consider them separately, and then look at integrating them once you have a better understanding of what you need.

Physical:

Physical theft of equipment is a common “gross” breakdown of security. How are your servers and workstations secured? Do you have a secure working environment with restricted access? What is your procedure for moving equipment on and off site? Give these considerations some thought and you will go a long way toward preventing someone just walking out the door with your latest and greatest piece of hardware.

Node:

The term “node” in this instance refers to any intelligent device on your network. The majority of these will be workstations and servers, but they may also include routers, wireless access points, and even PDAs. A common element of these devices is an operating system. This is a frequent area of attack, particularly for computers and servers. The relevant questions to ask are: do they need virus protection? Does the operating system require periodic updates? How do the virus and operating system updates get distributed to the device? What monitoring is natively available and who should check it?

Although it is ideal to automate many of these tasks, monitoring is of no use if the logs are not reviewed on a regular basis.

Network:

The computer network will have components from all the sections listed here, but for now just consider the electronic traffic on the lines. It is almost certain that at some time confidential information will be transferred over your computer network. The main concerns are of data being intercepted and recorded, and also being altered and retransmitted. Two ways of combating this are hardware devices and encryption, although not necessarily together. The use of a network switch will prevent the interception of data by confining the traffic to a direct link between the sender and recipient, which significantly reduces the effectiveness of a sniffer capturing the information. Encryption will usually protect the data from both being read and tampered with.

Applications:

Almost all application software will have security flaws. Even generic word-processing software can fall victim to macro viruses. Unfortunately, each application will need to be considered separately for weaknesses and remediation. Although most mainstream anti-virus software will focus on detecting the existence, and sometimes the ingress, of viruses, it is not responsible for plugging the holes. Web servers are particularly susceptible to attack due to their public exposure on the internet. The manufacturers' web sites must be regularly monitored for updates and patches to combat new software exploits.

People:

People can be a weak link through criminal intent, carelessness, or by social engineering. Some of the more widespread social engineering methods are:

  • Phone calls pretending to be someone of authority asking for personal information (such as a network administrator asking for a user's password).
  • E-mails with promises or threats.
  • Social conditioning, for example, holding a door open for someone with their arms full.
  • Phishing, where a rogue web site looks like a commercial web site with the intent of obtaining personal information, such as credit card details.

Leaving aside criminal intent, carelessness and social engineering can be mitigated through a policy of continual user education.

Checklists

Everybody likes checklists. The simplicity of the instruction. The satisfaction of marking off the checkbox for a task completed. However, things are rarely that easy, and security is no exception. The simplest one-line checklist is “think”, but that’s not very helpful, so here are some checkpoints to think about (there will be some overlap between sections):

Anti-virus
  • Automate updates on both workstations and servers.
  • Assign the task of regularly monitoring the logs for successful updates.
  • Develop a process and assign responsibility for cleaning an infected machine.
  • Configure the detection to automatically generate a notification, such as an E-mail or page.
Operating System patches
  • Centralize computer patch management.
  • Disable automatic updates by machines from manufacturers' web sites.
  • Assign a frequency for updates.
  • Assign the responsibility for testing and updating machines with new patches.
Network
  • Implement a firewall.
  • Encrypt all wireless traffic.
  • Use directory/centrally managed user accounts and disable local accounts.
  • Implement a complex password policy.
  • Remove personal modems from the network and install a remote access solution.
  • Restrict network administrator access to a few key staff.
  • Where appropriate, remove local administrator access to workstations.
  • Secure backup media — this means not giving it to a tech to take home at the weekend as an "off site storage facility". Remember your backup tapes are all your data in a conveniently transportable medium — no hacking required.
Laptops
  • Ensure all owners have a physical device for securing the machine, e.g. a steel cable and padlock that connects securely to the machine.
  • Implement power-on passwords. Use a standard, such as employee ID, and you automatically create a recovery process.
  • Provide an automated backup solution. Something as simple as off-line folders will keep a copy of a user's documents directory on the network where it can be included as part of a nightly scheduled company backup.
  • If your staff is carrying sensitive information consider encrypted file systems. If implemented as part of an Active Directory (AD) initiative, it can be nearly transparent to the user but still manageable. Alternatively, if AD is not present, the contents of the My Documents directory can still be encrypted by a right mouse click on the directory, selecting Properties, the General tab, and Advanced attributes. Check the box to Encrypt contents to secure disk. Click OK. Now, even if the laptop is booted with a different operating system the files will still be secure.
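The Laptops item above walks through enabling EFS on My Documents by hand. As an added example (not part of the original page), this PowerShell script does the same thing for a whole folder tree and then checks that every file actually carries the Encrypted attribute, so a file that was skipped is reported rather than silently left readable. It assumes Windows with NTFS and EFS available; $Target is an assumed path.

```powershell
# Added example (not C3 Security Consulting's own code). Encrypt a documents
# folder with EFS and verify nothing was left in the clear.
# Assumes NTFS with EFS enabled; the default $Target is an assumption.
param(
    [string]$Target = (Join-Path $env:USERPROFILE 'Documents')
)

if (-not (Test-Path -LiteralPath $Target)) {
    throw "Folder not found: $Target"
}

# cipher /e marks the directories so files added later are encrypted too,
# and /s: applies it to every file in the tree. This is the command-line
# equivalent of the 'Encrypt contents' checkbox in Advanced attributes.
cipher.exe /e /s:"$Target" | Out-Null

# Verification pass: any file without the Encrypted attribute is a gap
# (typically a file that was open or locked while cipher ran).
$clear = Get-ChildItem -LiteralPath $Target -Recurse -File |
    Where-Object { -not ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) }

if ($clear) {
    Write-Warning "$($clear.Count) file(s) under $Target are NOT encrypted:"
    $clear | ForEach-Object { Write-Warning "  $($_.FullName)" }
} else {
    Write-Host "All files under $Target carry the EFS Encrypted attribute."
}

# Show which certificate can decrypt the folder. EFS data is only as
# recoverable as that key, so export it (or use an AD recovery agent)
# before relying on this on a laptop that may be rebuilt or lost.
cipher.exe /c "$Target"
```

Re-run the script after the machine has been rebooted once; files that were locked by a running application during the first pass will be picked up then.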
Procedural
  • Information security policy document.
  • Management commitment.
  • Coordination and enforcement authority.
  • Confidentiality agreements.
  • Identify external influences.
  • Define service level agreements with customers and suppliers.
  • Inventory of assets.
  • Acceptable Use policy.
  • Define audit and monitoring approach.
  • Define access control/rights management policy.
  • Define telecommuter policy and qualification criteria.
  • Escalation process for security events.
  • Business continuity plan.
Did you know?
Live CD
If you want to test a new/different version of Linux, there are many "live CD" distributions that allow you to boot into the operating system without needing to install it on the hard drive.
Many wireless access points, public and private, are open.
In a study of 2600 around Indianapolis, researchers from the University of Cambridge found 46% running with no encryption, and many were still using default settings.
Scrolling system messages.
To view Linux system log messages in real-time, open a terminal window, su to root, and type tail -f /var/log/messages. You will see the system messages scroll up the screen as they occur.
Folder views.
If you want all your files and folders to be listed the same way in Explorer, display the format you want in the right pane, e.g. details view, sorted by file type. Then Tools>Folder Options and the Views tab. Hit the Apply to All Folders button and the next time you traverse to a folder it will be in your "standard" display format.
The easiest way to get someone's password - ask.
Make sure you have adequately trained your employees to expect and recognize "social engineering" attacks.