Let's Not Go There...

Roles and responsibilities are one key to the success of any security program. The major problem in this scenario was that none of the support groups at Global Chips would take responsibility for writing and maintaining the policies and procedures for the firewall. That approach left their entire network open just waiting for a hacker to walk in. Here's what Global Chips should have done instead.

Define Roles and Responsibilities

Clearly define the security roles and responsibilities for your company. If you have security support responsibilities that cross organizational boundaries (for example, system administrators, security administrators, firewall administrators), make sure that all the players know which roles they are expected to play.

Develop Firewall Policies and Procedures

Operating a firewall without policies is like driving in the dark without your headlights on. Sooner or later, you're going to crash. People need to know what is allowed and what is not allowed. Don't let your firewall administrator fool you by letting him be the only one who holds all that information. When that firewall administrator leaves your company, so will the policies and procedures for maintaining your firewall.

Put the policies and procedures in writing and make sure that they're kept up-to-date. Ideally, assign someone to "own" the task. Even better, make it someone's yearly goal to complete it.

Feed Your Firewall

Firewalls typically consist of more than one machine. Some companies refer to an entire complex as a firewall, which could mean a combination of host machines, networks, and routers. Firewalls must be fed. To maintain a healthy firewall, provide a professional firewall administrator with routine upgrades, current patches, and training. Don't let the lock on your firewall get rusty, as Global Chips did.

Read Your Audit Logs

It doesn't do a whole lot of good if a firewall maintains a bunch of logs that you never look at. Even though Global Chips was broken into so many times, they were lucky, because they had good auditing tools enabled that informed them when a hacker broke into the system.

When was the last time a hacker pounded on your door? Did he get in? Who knows? You should. If you don't, you're not paying attention. Make sure that you're using the proper logging and auditing tools.

Use Detection Software

Detection software won't find an intruder 100 percent of the time, but it's a truly good start. Detection software can also give you a much better feel for the scope of the threat you face. During the year 2000, the Pentagon discovered 245 successful cyberattacks. Because they've implemented good detection mechanisms, Pentagon officials know that there were over 24,000 failed attacks as well. Knowing about those failed attacks provides a much clearer picture of the real risk.

Your data may not be as juicy as that maintained by the DOD, but don't count on it. And, if you're connected to the Net, it's probably not any safer. In his December 1996 survey, Dan Farmer (noted security guru and coauthor of such programs as SATAN) found use of detection software to be alarmingly low. Dan did an unauthorized study to gauge the security status of commercial Web sites. Of the 2,000+ sites that he probed without notice, only three site owners contacted him to ask what he was doing! Makes you wonder if your site was part of his survey, doesn't it?

Have things improved since then? Not by nearly as much as I'd expected (or hoped). Experts like security provider Spectrum Systems still estimate that only 1 percent of successful or attempted computer attacks are even detected. The major change is that there are now a lot more commercial targets online, and more of them are using their Web sites to exchange funds as well as information. The data from your local hardware store may not seem very tempting, but their online customers' credit cards most surely are.

Respond Quickly!

At Global Chips, the firewall administrator and security administrator responded quickly to break-ins because there were so many break-ins that their response had become routine. Let's hope that you never find yourself in that situation.

Ideally, an emergency response procedure is something that you need to develop and practice offline, not use daily. And, it's important that you develop that response and get it down pat before you actually need it. The roles and responsibilities of each person required to respond to a break-in must be clearly spelled out before a break-in occurs. With a lot of luck, you may never need to use that procedure. But don't count on it!

Require Proof of Security

In his Computerworld Special Report on Security, Paul Strassman explains that "Retrofitting security into a system designed on the presumption of innocence and honesty is often too expensive or too late to be worth doing." To avoid that situation, don't assume that everything is running smoothly.

Global Chips was lucky because the CIO was informed when break-ins occurred. After a slew of break-ins, she demanded to know what was going on. Your company might not be so lucky unless you have good escalation procedures and are in touch with the security results in your environment. Do you have any idea what kind of shape your firewall is in? How old is it? Who supports it? Do you have policies and procedures? If you're an executive-level manager, demand proof of security (an executive-level summary).

Conduct Audits

Don't just install a firewall and assume that all's well with the world. The truth is that firewalls have limited effectiveness. A firewall can't protect you against the devastating effects of poorly defined roles and responsibilities, employees with devil-may-care attitudes toward security, uncontrolled remote access, poor training, and the like. As the father of firewalls, Marcus Ranum, has pointed out, "Another thing a firewall can't really protect you against...idiots inside your network." To keep your data safe, keep everyone well trained and well versed in their roles and responsibilities.

And, keep the security audits coming. Routine audits are an important part of finding security problems before a hacker does. You should consider testing your firewall from both the intranet and Internet. Run a penetration test to prove how effectively your firewall repels unwanted guests. If you don't prove the effectiveness of your firewall, you can't be sure that it really works.

Get Educated

The firewall administrator is not the only one who needs to understand the firewall. Managers must also understand the risks associated with supporting an Internet firewall; otherwise, their choices may jeopardize the company's reputation, proprietary information, and financial results.

I'm not saying that you need to know every little detail, but managers should understand what security measures they're using, what's available, and what's missing.

Checklist

Use this checklist to determine whether your company has adequately defined security roles and responsibilities. Can you mark a "Yes" beside each item?

___ Are security roles and responsibilities clearly defined?

___ Has someone been assigned to audit the firewall on a regular basis?

___ Has someone been assigned to upgrade the firewall when necessary?

___ Do all managers understand both their own security roles and responsibilities and those of the people who report to them?

___ Do support personnel have specific preventive procedures to follow? (Make sure they're not just running in react mode.)

___ Is someone assigned to regularly conduct firewall penetration tests from the Internet? (A new test is required after each major change or upgrade to the firewall.)

___ Is firewall administration adequately funded?

___ Are firewall upgrades and routine maintenance adequately funded?

___ Is intrusion-detection software installed on networks and systems?

___ Is auditing software installed on mission-critical systems?

___ Are emergency response roles and responsibilities clearly and formally defined?

___ Are lessons learned from break-ins shared and used to build better processes? (Don't tolerate information hoarders on your staff!)

___ Is virus protection installed at every entry point?

IT Security: Risking the Corporation
ISBN: 013101112X
Year: 2003