http://www.computerworld.com/securitytopics/security/story/0,10801,86628,00.html

Advice by Peter H. Gregory
OCTOBER 30, 2003
COMPUTERWORLD

Blaster, Nachi and SQL Slammer are modern plagues that strike wired businesses with increasing regularity. But even if these cataclysms have failed to bring in more budget dollars, you, the security professional, are still expected to keep company networks and assets protected. Here are four steps you can take, using zero capital dollars, that will visibly reduce risk and improve your security program.

1. Update and publish your security policy.

The weakest link in many organizations' security perimeter is employees. Therefore, it's important that workers be aware of what they are permitted, and not permitted, to do with their workstations. Security policies address this issue head-on by defining the boundaries of acceptable behavior. Part of an organization's security policy should be its Internet acceptable-use policy. Here are some of the main points that should be included:

* Don't open e-mail messages from unknown or suspicious persons, or suspicious e-mail messages from known persons. Many viruses have spread because of their enticing subject lines.
* Don't share access to computers or applications with other employees, and don't use other employees' access: get your own. Anyone who requires additional access to computers or applications should make a formal request to the person or group that administers access.
* Use locking screen savers and lock your workstation when you leave your desk.
* Don't use the Internet at work for non-business-related purposes. This includes personal e-mail and Web surfing. Most organizations permit occasional exceptions.
* Don't install programs that are not approved by the IT department. Unsupported programs not only jeopardize the stability of a PC, but also introduce undesirable programs such as spyware into the business network.
* Don't allow personally owned computers to connect to the business network, even via an approved VPN program. Personally owned computers often lack up-to-date antivirus software and other protections.

Make sure employees are keenly aware of these rules. Here are a few ideas for ensuring that the word gets out:

* Hold mandatory security-awareness training classes.
* Get senior management's support for these policies, and have the CEO or chief operating officer send out e-mail drawing employees' attention to them.
* Include a rule stating that failure to comply with policies will result in disciplinary action up to and including termination of employment.

2. Protect the entire perimeter, including laptops.

If your organization has users with laptops, you can bet that some of them are connecting to the Internet via broadband connections (DSL, cable, satellite) that lack firewalls. This exposes your laptops to the full force of still-active worms such as Blaster, Nachi, Slammer, Nimda and Code Red. A laptop whose antivirus signatures are not up to date and which is connected to a broadband connection for any appreciable length of time will become infected with one of these worms. Then, when the user connects the laptop to the corporate network, whether via VPN, RAS or on the premises, the laptop will begin scanning the network for more victims. Even if the rest of your systems' antivirus software is up to date (and who in a large organization can claim 100%?), the scanning traffic alone is often enough to take down business-critical applications. Up-to-date signatures alone will not keep these worms out, either: Blaster and Nachi spread through a known hole in the Windows RPC service, so operating system patches matter as much as antivirus software on any machine that will touch your network.

Don't permit contractors, temps, consultants or vendors to connect their laptops and other TCP/IP-enabled devices without approval from IT. You would be surprised by how many people, especially consultants and temps, still don't have any antivirus software on their laptops. Don't have a process? Make one, and quickly, that looks something like this:

1. The user or manager calls the IT help desk with a request that IT examine a third-party device that he wants to connect to the network.
2. IT sends a PC technician to examine the device for up-to-date antivirus software and signatures.
3. If the device has working antivirus software, it is permitted to connect to the network. If not, the device's owner is required to acquire and install antivirus software, then go back to Step 1.

Later, if a third-party laptop or other device is suspected of being infected with a worm or virus, IT can check its records to see whether the person or department responsible requested that the device be examined before connecting it to the network. If the device was connected without IT's approval, the responsible party should be taken behind the woodshed and taught a lesson.

3. Block risky attachments on e-mail servers and gateways.

A significant portion of Trojans and viruses are transported via e-mail. Even if your mail server has antivirus software, it is prudent to strip certain attachment types from incoming e-mail messages, including .exe, .bat, .reg, .vb, .vbs, .com and .pif. For a list of selected attachment types to block, see the report "E-mail Attachment Safety" from Great White North Technologies [1], or refer to information available from most antivirus software vendors.

You would be considered a good Netizen if you also blocked these attachment types in outbound messages, thereby halting the spread of a Trojan or virus. There is, by the way, a growing legal basis for preventing malicious code such as Trojans, viruses and worms from leaving your organization: you could be sued for damages if your organization permits malicious code to penetrate your network and then spread to another.

4. Develop a security architecture, standards and requirements.

Assemble a team of senior technologists to develop long-range objectives. First, take a look at your organization's current enterprise architecture and standards. Underneath all of this you should be able to develop a security architecture that provides common authentication services, as well as other "public utilities" such as central audit and event logging, and encryption of network traffic between servers.

When you have an idea of what your security architecture is going to look like, you can take a shot at developing product and protocol standards. In each category of need, specify which product or protocol will be used. For instance, you might state that each desktop system will use Norton AntiVirus software and no other. For encryption of application and administrative traffic between systems, you could use IPsec. Do this for each area where a product, protocol or method is needed to fulfill a particular purpose.

Develop a boilerplate requirements document that will be given to all software and hardware vendors, and also to internal systems developers and integrators. These requirements define how information systems must behave and what protocols and standards they must support. This will streamline the adoption of new products into your infrastructure by making them more consistent with what you already have.

These measures will save your organization money in the long run by reducing implementation and operating costs. A more consistent infrastructure is less expensive to maintain.

Epilogue

I have always been a proponent of the phrase, "More than just technology, security requires people and processes, too." In the spending frenzy of the 1990s, many organizations overspent on hardware and software. In information security, you can use capital budget droughts to your advantage by shoring up policies, processes and knowledge for your staff and your users.

Postscript

If your company lacks the basics, such as antivirus software and firewalls, then your organization is in serious trouble. The only way you can survive in this situation is if you are not connected to the outside world at all. If you are in this unfortunate situation and can't convince your senior management of the extreme danger of this position, then I'd suggest you polish your resume, hone your skills and start packing.

[1] http://www.novatone.net/mag/mailsec.htm

- ISN is currently hosted by Attrition.org
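Step 3 above recommends stripping risky attachment types at the mail server or gateway. What follows is an added example, not code from the Computerworld article or from any product it mentions, of how such a filter can be written with Python's standard-library email package. It parses a message, takes each attachment's declared filename (from Content-Disposition, or failing that from the Content-Type name parameter), normalises the case and the trailing dots and spaces that let a name such as setup.bat. slip past a check keyed only on the literal extension, catches double extensions such as invoice.pdf.exe because only the final suffix decides, and replaces each blocked part with a short text notice. The sample message, the block-list entries beyond the seven types the article names, and the notice wording are all constructed for this example.

```python
"""Gateway-side filter that strips risky e-mail attachments (added example)."""
import email
import email.policy

# The seven types named in the article plus a few more of the same family
# (assumption: a real gateway would tune this list to its own policy).
BLOCKED_EXTENSIONS = {
    ".exe", ".bat", ".reg", ".vb", ".vbs", ".com", ".pif",
    ".scr", ".cmd", ".js", ".jse", ".wsf", ".lnk",
}

# Constructed sample message: one legitimate PDF and two disguised
# executables. The second executable carries its name only in the
# Content-Type parameter and ends in a dot that Windows silently drops.
SAMPLE_MESSAGE = """\
From: sender@example.com
To: user@example.net
Subject: Q3 invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Please see the attached invoice.
--b1
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1
Content-Type: application/octet-stream; name="setup.bat."
Content-Transfer-Encoding: base64

QGVjaG8gb2Zm
--b1--
"""


def risky_filename(name):
    """Return True if this attachment filename should be blocked.

    Windows runs 'setup.bat.' and 'setup.bat ' as 'setup.bat', so trailing
    dots and spaces are removed before the suffix is compared; the match is
    case-insensitive; and only the last suffix counts, which is what catches
    double extensions such as 'invoice.pdf.exe'.
    """
    if not name:
        return False
    cleaned = name.strip().rstrip(". ").lower()
    dot = cleaned.rfind(".")
    if dot == -1:
        return False
    return cleaned[dot:] in BLOCKED_EXTENSIONS


def parse_message(raw_message):
    """Parse an RFC 5322 message into an EmailMessage tree."""
    return email.message_from_string(raw_message, policy=email.policy.default)


def attachment_names(msg):
    """Filenames of every leaf part that declares one, in message order."""
    return [p.get_filename() for p in msg.walk()
            if not p.is_multipart() and p.get_filename()]


def strip_risky_attachments(raw_message):
    """Replace each blocked attachment with a text/plain notice.

    Returns (cleaned_message, stripped_filenames). Leaving a notice in place
    of the part tells the recipient that something was removed and gives the
    help desk something to point at when the user asks where it went.
    """
    msg = parse_message(raw_message)
    stripped = []
    for part in list(msg.walk()):   # copy the list: parts are edited in place
        if part.is_multipart():
            continue
        name = part.get_filename()  # Content-Disposition, else Content-Type name=
        if not risky_filename(name):
            continue
        stripped.append(name)
        part.clear_content()        # drops the payload and every Content-* header
        part.set_content(f"[Attachment {name!r} removed: blocked file type]")
        del part["MIME-Version"]    # set_content adds it; it belongs on the top level only
    return msg, stripped


if __name__ == "__main__":
    before = attachment_names(parse_message(SAMPLE_MESSAGE))
    cleaned, removed = strip_risky_attachments(SAMPLE_MESSAGE)
    print("attachments before:", before)
    print("stripped:          ", removed)
    print("attachments after: ", attachment_names(cleaned))
```

A filter like this keys on the declared filename only, which is what the article's list of types assumes. At a real gateway it should be paired with content inspection (a renamed Windows executable still begins with the MZ signature whatever its extension says) and with a decision about archives, since an extension check does not look inside a .zip.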