Network Security: Covering the Basics, Part 2


A consulting client recently asked for a review of their network security.
The senior admin at the site assured me that they were fully protected
against all attacks. “How would you know?” I asked. “Oh we log
everything,” I was told. Well, the log was over 600MB in size and had not
been checked in over two years. Their FTP server had indeed been
compromised and they were completely unaware of the fact!


The surest way to guarantee that your computers are impenetrable is to
unplug them from all networks. Install them in a locked room and guard
them using only people with secret government clearances. This is exactly
what the government does to protect its most sensitive security data.
Given that you are not the CIA and you do want to connect to the Internet,
this approach seems a bit draconian and not terribly practical. So, what
CAN you do to protect your computers? Plenty. Practice good security
hygiene, and you will minimize your risk of attack. More importantly, if
you are attacked, you will be able to contain and secure the problem
quickly.


Best Practices

“A company needs to protect itself by using best security practices. At
the very minimum, implement a good layer 7 firewall,” says Dee Liebenstein,
Senior Product Manager, Symantec Security Response Team. Bob Webber,
senior systems administrator at Channing Labs, Harvard Medical School,
agrees: “If you don’t want a full firewall you should at least have a choke
router that checks for sanity of addresses. Local addresses will not be on
the Internet, for example.”
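The address sanity check Webber describes for a choke router, as an added example that is not part of the original article: ingress filtering that drops packets arriving on the Internet-facing interface whose source address could never legitimately come from the Internet (private, loopback, multicast and similar ranges) or that claim one of the site's own addresses. The site prefix, interface name and packet records are constructed assumptions, not taken from any real network.

```python
# Added example: ingress address sanity check in the spirit of a "choke router".
# Everything here (site prefix, interface names, packets) is constructed.
import ipaddress

# Source blocks that must never appear on a packet arriving from the Internet.
NEVER_FROM_INTERNET = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",        # "this" network
    "10.0.0.0/8",       # RFC 1918 private
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local
    "172.16.0.0/12",    # RFC 1918 private
    "192.168.0.0/16",   # RFC 1918 private
    "224.0.0.0/4",      # multicast
    "240.0.0.0/4",      # reserved
)]

# Assumed site prefix (a documentation range, constructed for this example).
# A packet from outside claiming a source inside our own prefix is spoofed.
SITE_PREFIX = ipaddress.ip_network("203.0.113.0/24")

def ingress_verdict(src: str, dst: str, iface: str) -> tuple:
    """Return (action, reason) for a packet seen on iface with the given addresses."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    if iface != "wan":
        return ("accept", "internal interface, not subject to ingress checks")
    for net in NEVER_FROM_INTERNET:
        if s in net:
            return ("drop", f"source {src} lies in non-routable block {net}")
    if s in SITE_PREFIX:
        return ("drop", f"source {src} claims our own prefix {SITE_PREFIX}")
    if d not in SITE_PREFIX:
        return ("drop", f"destination {dst} is not ours; we are not a transit router")
    return ("accept", "address sanity checks passed")

def filter_packets(packets):
    """Apply ingress_verdict to (src, dst, iface) tuples; return (packet, verdict) pairs."""
    return [(p, ingress_verdict(*p)) for p in packets]
```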


There are several components to computer systems security, or vulnerability
management: the firewall, anti-virus and content filtering, intrusion
detection, and a strong security policy. All are important, but securing
your systems should be the first priority, particularly in a smaller company
where there is less staff to monitor attacks. There are five basic best
practices for securing a computer infrastructure: installing a firewall,
maintaining automated virus protection on all systems, keeping system
security patches current, ensuring strong passwords, and turning off
unnecessary network services.


Employ a layer 7, full inspection firewall – You have three firewall
choices: application, appliance, or managed firewall services. The
application firewalls are more popular in larger enterprises where they
have the resources to install and maintain them. The smaller companies
tend to use firewall appliances and managed services because the service
provider or the vendor has the specialized knowledge to maintain the system
properly. “The advantage of a managed firewall service is that everything
is taken care of by the service provider, but it can be expensive. The
decision to go with a managed service is strategic, not technical,” says
Liebenstein.


“Firewalls are a key component for modern site security but they are by no
means sufficient in themselves. You are still vulnerable to insider
attacks, which include viruses running on inside hosts and peer-to-peer
file sharing. There is no good way that a firewall can stop peer-to-peer
links to port 80 (web services) on remote servers. The companies involved
in peer-to-peer will take your money for protection, but this seems like a
poor choice,” comments Webber.


Use automatically updated anti-virus at gateway, server, and client –
Install auto-updating anti-virus software on all server, gateway,
and client machines. “Viruses can intrude in many ways, so you need
protection at all possible entry points,” notes Liebenstein. Her group at
Symantec is constantly researching the latest security threats, and they
share information with law enforcement agencies.


Ensure system security patches are up to date – Another essential security
component is current patches on all systems and applications. This can be
very challenging to implement in a complex environment. Currently the
Microsoft and Linux environments are targeted by hackers more than the
Macintosh and other UNIX systems, but it pays to be vigilant for all your
computers.


Ensure passwords are strong – Many systems administrators consider user
passwords the most challenging IT support issue. Change them regularly,
and use passwords that contain numbers and characters rather than easy-to-
guess names and words. Use readily available utilities, like Cracker, that
will identify all insecure passwords quickly and easily. Wouldn’t you
rather find bad passwords than an intruder?


Turn off unnecessary network services – Do not run FTP on a system
unless it is an FTP server; you are just asking for trouble. Hackers
regularly scan for systems with open service vulnerabilities. The CERT and
SANS websites are both good resources for tools to identify known system
holes.


Security policies

So, what constitutes a good security policy? You need to create a process
to manage security policy and report incidents. After you have installed
all the protection, remember to check the logs regularly. Report anything
unusual. Just because you are paranoid does not mean that there are not
people out to get you. Top management support and awareness training are
essential for successful implementation. If top management is ignoring the
policy, how likely is the staff to follow it?
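One concrete form the regular log check can take, as an added example that is not from the article: a review pass over FTP login records of the kind the unchecked 600MB log in the opening story would have contained, flagging a burst of failed logins from one source and a success that follows such a burst. The log format, addresses, user names and entries are all constructed for illustration, not real ftpd output.

```python
# Added example: a small FTP login log review. Log format and entries are constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ftpd: (?P<result>OK|FAIL) LOGIN user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log: one internal user, then a guessing run from outside
# that ends in a successful login, then ordinary activity.
SAMPLE_LOG = """\
2024-05-01T02:13:07 ftpd: OK LOGIN user=alice src=10.0.0.15
2024-05-01T02:14:01 ftpd: FAIL LOGIN user=admin src=198.51.100.23
2024-05-01T02:14:02 ftpd: FAIL LOGIN user=root src=198.51.100.23
2024-05-01T02:14:03 ftpd: FAIL LOGIN user=ftp src=198.51.100.23
2024-05-01T02:14:04 ftpd: FAIL LOGIN user=test src=198.51.100.23
2024-05-01T02:14:05 ftpd: FAIL LOGIN user=backup src=198.51.100.23
2024-05-01T02:14:09 ftpd: OK LOGIN user=backup src=198.51.100.23
2024-05-01T09:30:44 ftpd: OK LOGIN user=bob src=10.0.0.22
2024-05-01T09:31:10 ftpd: FAIL LOGIN user=bob src=10.0.0.22
"""

def parse(text):
    """Yield (timestamp, result, user, src) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"])

def review(text, window=timedelta(minutes=5), fail_threshold=5):
    """Return findings as (kind, src, detail) tuples: a source reaching
    fail_threshold failures within window, and any successful login from a
    source that was still failing inside that window."""
    findings = []
    fails = defaultdict(list)  # src -> timestamps of recent failures
    for ts, result, user, src in parse(text):
        recent = [t for t in fails[src] if ts - t <= window]  # forget old failures
        fails[src] = recent
        if result == "FAIL":
            recent.append(ts)
            if len(recent) == fail_threshold:
                findings.append(("brute_force", src, f"{fail_threshold} failures within {window}"))
        elif recent:
            findings.append(("success_after_failures", src, f"user {user} after {len(recent)} failures"))
    return findings
```

Run on the sample, `review(SAMPLE_LOG)` reports the guessing run from 198.51.100.23 and the login that followed it, while bob's single typo stays quiet.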


“The biggest component for good security is good management and information
to employees. A good example is when a building’s fire doors are blocked
open: people’s safety is compromised, but they just know it is much easier
to get to their cars. Engineers are trained to solve problems; if they
view security as a problem they will solve it. You might not like how,”
says Webber.


Industry trends

“Data and transaction security is of paramount importance in this age of
rapidly expanding commercial and government computer networks and the
emerging Internet economy.” Quote from the Microsoft Enterprise Security
website.


“It is good to hear that the major systems companies are seeing the IT
community take security seriously. Building security right into the
products makes the administrator’s job much easier in the long run,”
observes Liebenstein. “The reason you have security is to save the company
money from productivity losses. To do it for any other reason is probably
a waste of time,” sighs Webber.


Resources

  • www.sans.org – lots of information and classes on computer security
  • www.cert.org – The CERT Coordination Center (CERT/CC) is a center of
    Internet security expertise, at the Software Engineering Institute, a
    federally funded research and development center operated by Carnegie
    Mellon University. Comprehensive site with current information on viruses,
    and vulnerabilities of many operating systems.

  • www.symantec.com – Company website for Symantec, makers of Norton
    AntiVirus, a popular antivirus package.

  • www.viruslist.com – Company website for Kaspersky Software, makers of
    multilanguage virus protection.




Beth Cohen is president of Luth Computer Specialists, Inc., a consulting
practice specializing in IT infrastructure for smaller companies. She has
been in the trenches supporting company IT infrastructure for over 20 years
in a number of different fields including architecture, construction,
engineering, software, telecommunications, and research. She is currently
writing a book about IT for the small enterprise and pursuing an
Information Age MBA from Bentley College.

