http://eprairie.com/news/viewnews.asp?newsletterID=3585

[I just love this fellow's password policy, I wonder how often he changes his toothbrush? - WK]

James Carlini
4/16/2002

CHICAGO - Since September 11, many organizations have taken a second look at their readiness for a disaster. They've realized that they just aren't prepared for a major catastrophe, or that they have underestimated what they really need. Are you and your organization prepared?

In the aftermath, some are also discovering that they could do a better job at both network and physical security. Many have found that security needs a greater budget as well as a higher authority within the organization. This hasn't taken on the magnitude of the Y2K issue, but some are focusing on it heavily.

Currently, the problem with some organizations is that they have not improved their basic security to the point where it should be. Those that have improved it have had senior management pushing the issue because of all the press coverage and the raised "sensitivity" to security. Others have yet to review the wide gaps in their security, or their awareness of weaknesses in their network or application design. The "that can't happen to us" attitude is taking hold in the minds of some executives.

At one company, each person had the same rights assigned to them as the systems administrator so they could "get around the system easily". This goes against every recommendation from network software makers and security consultants, which clearly point out that you should limit or restrict file access on a "need-to-know" basis. At another company, in the financial industry, each user has open access to trades and other sensitive materials. What happens if the trades get changed? Who is liable?

Are Any Platforms Safer?

Many other companies grant users sweeping access that is overlooked by systems administrators who are more worried about having an "easy system" to work on.
Many managers think that certain types of operating systems and/or software are going to make them invincible to outside hacker attacks. The truth is, all of them have their vulnerabilities and none are 100-percent bulletproof. Some managers are finding this out the hard way.

Some problems do not originate from the type of operating system you use. The real problems stem from lazy or poorly trained systems administrators. Many organizations can step up their security by making sure their systems administrators are doing a better job.

Another area is poor password enforcement. Easy passwords make for easy access. "TOM" or "LEXUS" is a lot easier to figure out than "JH2?$aL" or "$Ee!DFj6". Again, the systems administrator needs to do a more effective job and be given the support of upper management.

Protecting Your Assets

No one is ever going to have 100-percent protection from any type of disaster or intrusion that is possible. There will always be some contingency that was not planned for. However, by doing some fundamental things, you can avoid or at least minimize problems. You can make systems harder to penetrate by doing several things.

First, limit outside access to your system by turning off or shutting down different ports. (There are many books and guides on how to do this.) This helps reduce the "opportunities" for hackers to get into your system. This is not done enough, and many systems administrators do not maximize this safeguard.

Second, limit rights, privileges or access to all of the files on the system. This sounds so basic, yet there are several current examples that I have just run across where organizations have left their systems wide open for their internal people to use. While one could say it's easier to use, it's also easier to create a major disaster. Employees, as well as outside hackers that "get into their user IDs", can cause a lot of damage.
Third, get the systems administrator to start looking at the logs that are generated by the system. These logs provide a wealth of information as to who logged in, when they did, for how long, and how many "attempts" were made to access the system via a user ID. You can pinpoint invalid and excessive attempts and shut that user ID down. You can also often tell where the access is originating. Many systems administrators either don't bother to look or have no idea where to look.

Fourth, step up password enforcement to include users changing their passwords every 50 to 90 days.

All in all, some of these easy "fixes" will go a long way toward stronger intrusion detection and prevention.

-------------------------------------------------------------------

James Carlini is president of Carlini & Associates, a management consulting firm focusing on developing marketing strategies and applications of strategic integrated information, as well as litigation support. He is also an adjunct professor in the Communications Systems Program, Executive Masters Program at Northwestern University. He can be reached at carliniat_private or (773) 370-1888.

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
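The third point above, reviewing the logs for invalid and excessive attempts and where they originate, as an added example that is not part of Carlini's column: a small Python script that parses constructed auth-log lines in the style sshd writes, counts failed logins per user ID and source address, and reports user IDs whose failures reach a threshold. The log lines, host name and threshold are constructed assumptions, not values from the article.

```python
import re
from collections import Counter, defaultdict

# Constructed sample auth-log lines (sshd style); not taken from the article.
SAMPLE_LOG = """\
Apr 16 08:01:12 host sshd[411]: Accepted password for alice from 10.0.0.5 port 5022 ssh2
Apr 16 08:02:40 host sshd[412]: Failed password for bob from 192.0.2.9 port 5101 ssh2
Apr 16 08:02:43 host sshd[412]: Failed password for bob from 192.0.2.9 port 5102 ssh2
Apr 16 08:02:47 host sshd[412]: Failed password for bob from 192.0.2.9 port 5103 ssh2
Apr 16 08:02:51 host sshd[412]: Failed password for bob from 192.0.2.9 port 5104 ssh2
Apr 16 08:02:55 host sshd[412]: Failed password for bob from 192.0.2.9 port 5105 ssh2
Apr 16 08:03:30 host sshd[413]: Failed password for alice from 10.0.0.5 port 5023 ssh2
Apr 16 08:03:35 host sshd[413]: Accepted password for alice from 10.0.0.5 port 5024 ssh2
Apr 16 08:05:02 host sshd[414]: Failed password for invalid user admin from 198.51.100.7 port 6000 ssh2
"""

# Matches both accepted and failed password logins, including "invalid user" entries.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_auth_log(text):
    """Return (timestamp, result, user, source) tuples for every recognised line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m["ts"], m["result"], m["user"], m["src"]))
    return events


def find_excessive_failures(events, threshold=3):
    """Return {user: {source: failures}} for user IDs with at least `threshold` failed logins.

    The per-source breakdown answers the column's "where is the access originating" question.
    """
    failures = defaultdict(Counter)
    for _ts, result, user, src in events:
        if result == "Failed":
            failures[user][src] += 1
    return {u: dict(c) for u, c in failures.items() if sum(c.values()) >= threshold}


if __name__ == "__main__":
    for user, sources in find_excessive_failures(parse_auth_log(SAMPLE_LOG)).items():
        print(f"Review or lock user ID {user!r}: {sum(sources.values())} failed attempts from {sources}")
```

A single failure followed by success (alice above) stays below the threshold, so only the repeated failures against bob are reported.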
This archive was generated by hypermail 2b30 : Thu Apr 18 2002 - 04:01:11 PDT