[ISN] Security, Disaster Recovery Issues After Sept. 11

From: InfoSec News (isnat_private)
Date: Thu Apr 18 2002 - 00:24:35 PDT


    [I just love this fellow's password policy, I wonder how often he 
    changes his toothbrush?  - WK]
    James Carlini 
    CHICAGO - Since September 11, many organizations have taken a second
    look at their readiness for a disaster. They've realized that they
    just aren't prepared for a major catastrophe or they have
    underestimated what they really need. Are you and your organization
    In the aftermath, some are also discovering that they could do a
    better job at both network and physical security. Many have found that
    security needs a larger budget as well as higher authority within the
    organization. This hasn't taken on the magnitude of the Y2K effort,
    but some are focusing on it heavily.
    Currently, the problem with some organizations is that they have not
    improved their basic security to the point where it should be. The
    ones that have did so because senior management pushed the issue in
    response to all the press coverage and the raised "sensitivity" to
    security. Others have yet to review the wide gaps in their security
    and their awareness of weaknesses in their network or application
    design. The "that can't happen to us" attitude is taking hold in the
    minds of some
    At one company, each person was assigned the same rights as the
    systems administrator so they could "get around the system easily".
    This goes against every recommendation from network software makers
    and security consultants, all of which clearly point out that file
    access should be limited or restricted on a "need-to-know" basis.
    At another company, in the financial industry, every user has open
    access to trades and other sensitive material. What happens if the
    trades get changed? Who is liable?
    Are Any Platforms Safer?
    Many other companies grant users sweeping access capabilities that are
    overlooked by systems administrators more worried about having an
    "easy system" to work on.
    Many managers think that certain operating systems and/or software
    packages will make them invincible to outside hacker attacks. The
    truth is, all of them have their vulnerabilities and none is
    100-percent bulletproof. Some managers are finding this out the hard
    Some problems do not originate from the operating system you use at
    all. The real problems stem from lazy or poorly trained systems
    administrators. Many organizations can step up their security simply
    by making sure their systems administrators are doing a better job.
    Another area is poor password enforcement. Easy passwords make for
    easy access. "TOM" or "LEXUS" is a lot easier to guess than
    "JH2?$aL" or "$Ee!DFj6". Again, the systems administrator needs to do
    a more effective job and be given the support of upper management.
    Protecting Your Assets
    No one is ever going to have 100-percent protection from any type of
    disaster or intrusion that is possible. There will always be some
    contingency that was not planned for. However, by doing some
    fundamental things, you can avoid or at least minimize problems.
    You can make systems harder to penetrate by doing several things.
    First, limit outside access to your system by turning off or shutting
    down ports you do not need, that is, the network services listening
    on them. (There are many books and guides on how to do this.) This
    reduces the "opportunities" for hackers to get into your system. It
    is not done enough, and many systems administrators do not get full
    use out of this safeguard.
    Second, limit rights, privileges and access to all of the files on the
    system. This sounds so basic, yet there are several current examples
    that I have just run across where organizations have left their
    systems wide open for their internal people to use. While one could
    say it's easier to use, it's also easier to create a major disaster.
    Employees, as well as outside hackers who "get into" their user IDs,
    can cause a lot of damage.
    Third, get the systems administrator to start looking at the logs that
    the system generates. These logs provide a wealth of information as
    to who logged in, when, for how long, and how many "attempts" were
    made to access the system with a given user ID. You can pinpoint
    invalid and excessive attempts and shut that user ID down. You can
    also often tell where the access is originating. Many systems
    administrators either don't bother to look or have no idea where to
    look.
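    The log review described in this third step, as an added example that is not
    part of the original article: it parses a handful of constructed OpenSSH-style
    syslog lines (not real data), counts failed attempts per user ID and per source
    address, records every successful login and where it came from, and flags the
    two things a reviewer most wants to see: user IDs with excessive failures
    (candidates for shutdown) and sources that probe nonexistent accounts or that
    succeed only after a burst of failures. FAILED_THRESHOLD is an assumed policy
    value, not one from the article.

```python
"""Review sshd-style authentication logs for invalid and excessive login
attempts per user ID and per source address.

Added example, not code from the original article. The log lines below are
constructed for illustration (OpenSSH-style syslog messages); FAILED_THRESHOLD
is an assumed lockout policy, not a value from the article.
"""
import re
from collections import Counter, defaultdict

# Assumed policy: more than this many failures for one user ID (or from one
# source) is "excessive" and the ID is a candidate for shutdown.
FAILED_THRESHOLD = 5

# Constructed sample log (not real data). Assumed format: syslog timestamp,
# host, "sshd[pid]:", then an OpenSSH "Accepted ..." or "Failed ..." message.
SAMPLE_LOG = """\
Apr 17 23:58:01 fileserver sshd[4012]: Accepted password for alice from 10.1.1.20 port 51022 ssh2
Apr 17 23:58:40 fileserver sshd[4013]: Failed password for alice from 10.1.1.20 port 51030 ssh2
Apr 17 23:59:10 fileserver sshd[4015]: Failed password for tom from 192.0.2.45 port 40112 ssh2
Apr 17 23:59:12 fileserver sshd[4015]: Failed password for tom from 192.0.2.45 port 40112 ssh2
Apr 17 23:59:15 fileserver sshd[4016]: Failed password for tom from 192.0.2.45 port 40118 ssh2
Apr 17 23:59:17 fileserver sshd[4016]: Failed password for tom from 192.0.2.45 port 40118 ssh2
Apr 17 23:59:20 fileserver sshd[4017]: Failed password for tom from 192.0.2.45 port 40121 ssh2
Apr 17 23:59:23 fileserver sshd[4017]: Failed password for tom from 192.0.2.45 port 40121 ssh2
Apr 17 23:59:30 fileserver sshd[4018]: Accepted password for tom from 192.0.2.45 port 40125 ssh2
Apr 18 00:01:02 fileserver sshd[4020]: Failed password for invalid user admin from 198.51.100.9 port 33001 ssh2
Apr 18 00:01:05 fileserver sshd[4020]: Failed password for invalid user admin from 198.51.100.9 port 33001 ssh2
Apr 18 00:01:08 fileserver sshd[4021]: Failed password for invalid user test from 198.51.100.9 port 33004 ssh2
Apr 18 00:03:44 fileserver sshd[4025]: Accepted publickey for bob from 10.1.1.31 port 52200 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+sshd\[\d+\]:\s+"
    r"(?P<result>Accepted|Failed)\s+(?P<method>\S+)\s+for\s+"
    r"(?:(?P<invalid>invalid user)\s+)?(?P<user>\S+)\s+from\s+(?P<src>\S+)\s+port\s+(?P<port>\d+)"
)


def parse_line(line):
    """Return a dict for an sshd auth line, or None for lines we don't understand."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["invalid"] = ev["invalid"] is not None   # account does not exist on this host
    ev["port"] = int(ev["port"])
    return ev


def review(lines, threshold=FAILED_THRESHOLD):
    """Summarise who logged in, from where, and which IDs/sources look abusive."""
    failed_by_user = Counter()
    failed_by_src = Counter()
    probed_accounts = defaultdict(set)   # src -> nonexistent user IDs it tried
    streak = Counter()                   # (user, src) -> failures since last success
    logins = []                          # (ts, user, src, method) for every accepted login
    success_after_failures = []          # (user, src, failures immediately before success)

    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        key = (ev["user"], ev["src"])
        if ev["result"] == "Failed":
            failed_by_user[ev["user"]] += 1
            failed_by_src[ev["src"]] += 1
            streak[key] += 1
            if ev["invalid"]:
                probed_accounts[ev["src"]].add(ev["user"])
        else:
            logins.append((ev["ts"], ev["user"], ev["src"], ev["method"]))
            if streak[key]:
                # A burst of failures followed by success is the classic sign of
                # a guessed password, not of a user mistyping once.
                success_after_failures.append((ev["user"], ev["src"], streak[key]))
            streak[key] = 0

    lock_user_ids = sorted(u for u, n in failed_by_user.items() if n > threshold)
    suspicious_sources = sorted(
        {s for s, n in failed_by_src.items() if n > threshold} | set(probed_accounts)
    )
    return {
        "logins": logins,
        "failed_by_user": dict(failed_by_user),
        "failed_by_src": dict(failed_by_src),
        "probed_accounts": {s: sorted(v) for s, v in probed_accounts.items()},
        "lock_user_ids": lock_user_ids,
        "suspicious_sources": suspicious_sources,
        "success_after_failures": success_after_failures,
    }


if __name__ == "__main__":
    report = review(SAMPLE_LOG.splitlines())
    for ts, user, src, method in report["logins"]:
        print(f"login  {ts}  {user:<8} from {src} ({method})")
    print("failed attempts per user ID:", report["failed_by_user"])
    print("user IDs to shut down:      ", report["lock_user_ids"])
    print("sources to investigate:     ", report["suspicious_sources"])
    print("success after failures:     ", report["success_after_failures"])
```

    On the constructed sample, "tom" exceeds the threshold and is the only ID to
    shut down, while 198.51.100.9 never crosses the failure count yet is still
    flagged because it tried accounts that do not exist, which a plain per-user
    count would miss. The "success after failures" entry is the one to act on
    first: the login that followed six failures from the same address is more
    likely a guessed password than a forgotten one.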
    Fourth, step up password enforcement so that users change their
    passwords every 50 to 90 days. All in all, some of these easy "fixes"
    will create a lot of stronger intrusion detection and
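    The password points above, the "TOM"/"LEXUS" versus "JH2?$aL"/"$Ee!DFj6"
    comparison and the fourth step's 50-to-90-day rotation, as one added example
    that is not part of the original article. It scores a candidate against a
    basic policy (length floor, number of character classes, a dictionary check
    that also catches "LEXUS1!") and reports where a password sits in the rotation
    window. MIN_LENGTH, MIN_CLASSES and the tiny COMMON_WORDS list are assumed
    values chosen for illustration; note that the article's seven-character
    "JH2?$aL" falls under the assumed eight-character floor even though it uses
    all four classes.

```python
"""Check candidate passwords against a basic policy and report password age
against a 50-to-90-day rotation window.

Added example, not code from the original article. MIN_LENGTH, MIN_CLASSES and
the tiny COMMON_WORDS list are assumed values chosen for illustration; a real
deployment would use a full wordlist.
"""
import math
import string
from datetime import date

MIN_LENGTH = 8          # assumed floor; the article's 7-character example falls under it
MIN_CLASSES = 3         # of: lowercase, uppercase, digit, punctuation
ROTATE_AFTER_DAYS = 50  # article: change every 50 to 90 days
EXPIRE_AFTER_DAYS = 90

# Constructed stand-in for a dictionary / common-password list.
COMMON_WORDS = {"tom", "lexus", "password", "secret", "letmein", "welcome", "admin", "qwerty"}

MSG_SHORT = f"shorter than {MIN_LENGTH} characters"
MSG_CLASSES = f"fewer than {MIN_CLASSES} character classes"
MSG_DICT = "dictionary word or common password"


def char_classes(pw):
    """Count how many of the four character classes the password uses."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])


def search_space_bits(pw):
    """Upper bound on brute-force effort: length * log2(alphabet actually used).
    A dictionary word is far weaker than this number suggests, which is why
    check_password also consults COMMON_WORDS."""
    alphabet = 0
    if any(c.islower() for c in pw):
        alphabet += 26
    if any(c.isupper() for c in pw):
        alphabet += 26
    if any(c.isdigit() for c in pw):
        alphabet += 10
    if any(c in string.punctuation for c in pw):
        alphabet += len(string.punctuation)   # 32 ASCII punctuation characters
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def check_password(pw):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(MSG_SHORT)
    if char_classes(pw) < MIN_CLASSES:
        problems.append(MSG_CLASSES)
    lowered = pw.lower()
    # "LEXUS1!" is still "lexus" once trailing digits/punctuation are stripped.
    core = lowered.rstrip(string.digits + string.punctuation)
    if lowered in COMMON_WORDS or core in COMMON_WORDS:
        problems.append(MSG_DICT)
    return problems


def rotation_status(last_changed, today):
    """'ok' under 50 days old, 'rotate soon' at 50-90 days, 'expired' beyond 90.
    Accepts date objects or ISO 'YYYY-MM-DD' strings."""
    if isinstance(last_changed, str):
        last_changed = date.fromisoformat(last_changed)
    if isinstance(today, str):
        today = date.fromisoformat(today)
    age = (today - last_changed).days
    if age > EXPIRE_AFTER_DAYS:
        return "expired"
    if age >= ROTATE_AFTER_DAYS:
        return "rotate soon"
    return "ok"


if __name__ == "__main__":
    for candidate in ("TOM", "LEXUS", "LEXUS1!", "JH2?$aL", "$Ee!DFj6"):
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate:<10} {search_space_bits(candidate):5.1f} bits  {', '.join(verdict)}")
    for changed in ("2002-03-01", "2002-02-01", "2002-01-01"):
        print(changed, rotation_status(changed, "2002-04-18"))
```

    The search-space figure shows why the article's contrast holds: "TOM" is
    three characters from a 26-letter alphabet (about 14 bits, and a wordlist
    finds it instantly), while "$Ee!DFj6" draws on all 94 printable classes
    (about 52 bits). The age check is kept because it is the article's fourth
    step; current guidance such as NIST SP 800-63B favours rotating passwords on
    evidence of compromise rather than on a calendar, so treat the window as the
    2002 recommendation it is.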
    James Carlini is president of Carlini & Associates, a management
    consulting firm focusing on developing marketing strategies and
    applications of strategic integrated information, as well as
    litigation support. He is also an adjunct professor in the
    Communications Systems Program, Executive Masters Program at
    Northwestern University. He can be reached at carliniat_private
    or (773) 370-1888.
    ISN is currently hosted by Attrition.org

    This archive was generated by hypermail 2b30 : Thu Apr 18 2002 - 04:01:11 PDT