The Statement

Security — an issue that should concern you (Part 2 of 3)

By T. Rose Rovelto, CPA
Boomer Consulting

This article will concentrate on the particular threats and enemies that exist in the different levels of network access: local and wide area networks, remote access and the Internet.

LAN / WAN: Enemies and threats

Standard network policies and procedures need to be followed in any networking environment. The following lists each of the threats to your network and the solution to each.

Hardware failure: To insure your hardware against loss, we must look at both the workstation and the server level. Each workstation needs a surge protector and each user needs to practice proper installation and shut down procedures. Each server also needs a surge protector, but should also be equipped with an uninterruptible power supply. Some form of redundancy and fault tolerance, potentially through a RAID array, is necessary. A backup tape drive is also a "must" for data protection.

Physical theft prevention: We are looking at normal business security for your property when we talk about physically securing the server and workstations. This means adequate locks on the building and server room, security systems and employee integrity (including the maintenance staff).

User authentication: The use of proper password protection is key in securing your LAN/WAN. Proper log-on procedures that incorporate using unique passwords (with at least six characters and a combo of letters and numbers), changing passwords periodically, and immediately eliminating passwords for terminated employees will assist in assuring that only authorized users gain access to your network.

In addition, proper user habits are particularly important to protect against a data breach. Do all of your employees properly log off their machines at the end of the day? What about over the lunch hour or when you're away from your desk for any length of time? The key is to be aware of the security issue, assess your situation and log off if in doubt.

One other issue is the ability to "save" your password. Never let your computer save your password. It is more convenient, but it completely negates the benefits of a password if someone gains access to your computer.

System and application access control: A system should allow every authorized user easy access to the resources and information available. This includes allowing internal users of your network quick and easy access to all the network resources to which the administrator has provided access. Management must first decide what resources each level of personnel needs. Then the network administrator should follow the plan and assign access to resources and applications accordingly.

Virus protection: The risk of virus infection in your LAN/WAN is focused on the floppy drive in your workstation computers. It is important to have virus protection software installed to allow your users to check diskettes for viruses. It is also important to establish a virus protection policy to ensure that all diskettes are scanned for viruses.

Remote access

When you provide users with laptops and remote access capabilities, security risks increase. Let's look at our five risk categories in a remote access environment:

Hardware failure: To guard against the failure of the laptop hardware, use a strong battery as well as a surge protector. User habits are still very important and emphasizing proper installation, shut down procedures and power management can reduce the risk of hardware problems.

Physical theft prevention: The most important question in a remote access environment is, "Where is your computer?" Where is it when you go to lunch, go home for the day, when staying in a hotel or getting out of your car?

Notebook computers are much smaller than they used to be, but they are still a pain to pack up and carry over the lunch hour. As this machine has very sensitive information on it, it should be treated as a client file. If you leave it unattended at any time, it should be locked up.

User authentication: The trade-off of "ease-of-use" vs. "security" is very clear in a remote access environment. You should assume that some unauthorized user has control of your notebook. Will he find an icon for a dial-up connection to your network? If so, will there be an automatically cached password in the dial-up connection wizard? If so, you have just provided a back door for a thief to enter your network!

Users like these features because they are convenient. But the trade-off in security is too high.

System and application access control: Even if your machine is in the possession of an unauthorized user, there are applications available that monitor and restrict access. Norton's For Your Eyes Only is one application that prevents unauthorized persons from accessing the system and provides file encryption and access control to the notebook itself.

Virus protection: The virus infection risks are similar to those of your LAN/WAN. Virus protection software is crucial for your remote users.

Internet

When you put a door to your network that leads to the public Internet, there are a variety of additional security issues to address. The number of individuals that you need to keep out of your network just increased exponentially. Let's look at the security measures available to you in an Internet environment.

Hardware failure: The question to ask here is, "How critical is 100 percent Internet uptime?" If you are providing application services to your clients over the Internet, the cost of a temporary hardware failure just went off the scale. Redundancy and fault tolerance remain important, but the ability to quickly react and repair is crucial.

If you are not providing these services, your hardware failure risks are similar to those of your LAN/WAN and remote access environment.

User authentication: The use of the Internet and the ease of hacking passwords today encourage the use of unique authentication methods. The fundamental ways by which a computer can recognize a person are by:

  • something the person knows (e.g., a password);
  • something the person has (e.g., a physical key or card);
  • something the person is (e.g., a signature or fingerprint);
  • or somewhere the person is (e.g., a particular terminal or location).

Again, there is a trade-off. A simple password is the easiest and cheapest security method to install. But will it be good enough? Probably. But when Security Software Technologies provides L0phtcrack (http://www.securitysoftwaretech.com/l0phtcrack/), a program that will crack 90 percent of passwords in fewer than 48 hours, it makes me wonder how much longer it will be "good enough." (L0phtcrack can be used as a free trial for 14 days and purchased for $100.)

Virtual Private Networking (VPN) is a popular method of securing the privacy of your connections. With the use of protocols (communication rules) such as PPTP (Point-to-Point Tunneling Protocol) or IPsec (Internet Protocol Security), you can utilize the public Internet for private communication much like the phone company uses the public lines to allow private conversations between two users. If you are into e-commerce, there are some additional security issues facing you. An additional protocol, Secure Sockets Layer (SSL), is significant in securing sensitive information (e.g., credit cards) over the Internet.

Another method for ensuring that only authorized users are able to read information sent over the Internet is the use of encryption. Encryption has been in existence in one way, shape or form since old wartime days with the use of Morse code. Although this is a simplistic example, the idea is the same: getting the message across without using plain, easy-to-read text, and then having to, in a sense, decode the dots and dashes into words. Today, there are a good number of sophisticated applications available to users that will provide encryption without having to establish a point-to-point private connection.

System and application access control: A significant defensive measure to enhance access control is the use of a firewall. A firewall separates and protects your network from outside intrusion by the use of related programs that require the use of secure log-on procedures and authentication certificates. A firewall should be located on a separate piece of hardware that sits between your network and the outside world to act as your main perimeter defense and restrict access to authorized users. In addition to access control, firewalls provide intrusion detection, concentrated security, enhanced privacy and even a certain level of virus protection.

It is also important to remember that a firewall can only control traffic that travels through it. Therefore, if you have a remote access line that does not go through the firewall, you have a potential back door to your network. Finally, firewalls provide little protection from inside attacks. This may sound obvious, but it is often overlooked.

Virus protection: It has become clear over the last few years, with the Melissa and, most recently, the ILOVEYOU e-mail virus, that viruses can cause major problems and downtime in your organization. Users should remain suspicious of all attachments regardless of the sender and should be told to scrutinize any with a .vbs or .exe extension. Virus protection is mostly an awareness issue. Constant communication to increase awareness is critical.
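The attachment check described above can also be enforced at the mail gateway rather than left to each user. The following is an added example, not part of the original article: it parses a message and holds any attachment whose real (last) extension is .vbs or .exe, including names disguised with a harmless-looking extension in front. The sample message, the addresses and the DECOYS list are constructed assumptions.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

RISKY = {".vbs", ".exe"}            # extensions named in the article
DECOYS = {".txt", ".doc", ".jpg"}   # assumed harmless-looking extensions used as a disguise


def risky_attachments(raw: bytes) -> list[tuple[str, str]]:
    """Return (filename, reason) for every attachment a user should not open."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # message body or container part, not an attachment
        # Windows ignores trailing dots/spaces, so "a.exe." still runs as .exe.
        suffixes = PurePosixPath(name.strip().rstrip(". ").lower()).suffixes
        if not suffixes or suffixes[-1] not in RISKY:
            continue
        if len(suffixes) > 1 and suffixes[-2] in DECOYS:
            reason = f"double extension: shown as {suffixes[-2]}, runs as {suffixes[-1]}"
        else:
            reason = f"executable or script extension {suffixes[-1]}"
        findings.append((name, reason))
    return findings


def build_sample() -> bytes:
    """Constructed message: one disguised script, one program, one spreadsheet."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"
    msg["To"] = "staff@example.com"
    msg["Subject"] = "Please review"
    msg.set_content("See attached.")
    for filename in ("quarterly-report.txt.vbs", "setup.EXE", "budget.xls"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=filename)
    return bytes(msg)


if __name__ == "__main__":
    for name, reason in risky_attachments(build_sample()):
        print(f"HOLD {name}: {reason}")
```

The check keys on the last extension only, because that is what decides how the file is opened; the sender address plays no part, in line with the advice to distrust attachments regardless of who sent them.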

Conclusion

Obviously, none of these security measures will do a bit of good if they are not established, communicated and applied.
