Policies and Procedures


To have security practices that make sense, you must first define, for yourself and the users of the network resources, a security policy that spells out exactly what can and cannot be done on the network. Intruders who might penetrate the network and compromise data or programs do so in many ways. One of those is to exploit "friendly users" who are on the network. Referred to as social engineering, this is perhaps one of the most overlooked but most often used methods for getting access to a network. Most employees who simply use a desktop computer for word processing and other office activities are especially prone to this kind of security breach.

A good security policy that is enforced, in some cases through means of technological enforcement, can go a long way toward keeping naive users from disclosing information to those who might do harm to your network. If you don't think your users are vulnerable, just ask someone to call up and say they're calling from the help desk and need to know the user's password. You'd be surprised how many times this tactic will succeed.

At the same time, you also should establish procedures to follow for routine tasks that are performed on a periodic basis, such as backups, restores, creating user accounts, and the like. When a task is described by a procedure that must be followed, there is less of a chance that something out of the ordinary will be done that can compromise security.

Depending on your site, there are several documents you can use to make users aware of the policies in place for computer and network security. Typically, the human resources department is responsible for having new employees review documents and having them sign the documents to show that they have read and understood them. Documents you might find useful for your site include the following:

  • Network connection policy

  • Acceptable use statement

  • Usage guidelines

  • Escalation procedures

Network Connection Policy

This type of document should define the type of system that can be connected to the network. It should set forth the security requirements, such as operating-system features to be used, and a person responsible for approving the attachment of new devices to the network. When configuring a new computer, a switch, or even a router, you should have explicit guidelines as to what is permissible and what is not. For firewalls (see Chapter 49, "Firewalls"), you should have a separate network connection policy that dictates what type of network traffic is allowed through the firewall, in both directions. If allowing users to connect using a Virtual Private Network (VPN), you should also have specific documents detailing how the laptop or other computers they use are configured. Allowing someone to work from home using their own computer is about the worst decision you can make. If the computer is used for personal as well as business work, you open yourself up to all sorts of programs that can infiltrate the computer and attempt to compromise your network, whether or not you use a VPN link.

If the business unit of your company (and not the IT department) decides that certain remote work is confidential, a policy should be put in place that requires a separate computer (such as a laptop, to include mobile users) to be used. By using a company-configured laptop, and not allowing users to make use of the laptop for personal access to the Internet, and disallowing a configuration change, you can make your network more secure. Just keep in mind that if the user is entering your network with his own computer, you will probably have little say over what is downloaded. By giving the user a company computer, and preventing (through a company policy) the use of the computer for personal usage, you can further protect your network.

The use of security programs, such as virus monitoring software, should always be required in today's Internet-centric environment. Any procedures that must be used to obtain a computer account, along with the types of rights and privileges that can be granted to an account, also should be documented here, as well as what network addresses can be used and how they are controlled. Finally, you should explicitly set forth in this document that no connections are to be made to the network without following the procedures in this document, and without notifications made to the proper persons.

It cannot be emphasized enough that you must have strict guidelines on how your computers are configured and that users must obtain permission through a written request for any deviations from the established policy. If a program is not supported by your central help desk, it should not be allowed unless a business requirement makes it a necessity. When that becomes the case, you should add the program to your allowable network connection policy documents and educate the help-desk staff on its use. In no situation should you allow users to download software from the Internet and install it on their work computers, on computers that are used in a mobile environment, or on home computers that are used to connect to your corporate environment.

Acceptable Use Statement and Usage Guidelines

A computer is a flexible device. It can be used for many things beyond the tasks that are needed by the ordinary worker during a normal workday. Although some might be concerned with the time that can be lost due to a user accessing a computer for non-work-related tasks, there are far more important factors to consider.

As mentioned in the preceding section, one of the most important things you should include is an acceptable use statement. This should state that all computer programs are to be supplied by the company and that unauthorized programs, such as those brought from home, are not to be used on the computer or network. Software piracy is not a victimless crime, as many people seem to think. It is a crime that is punishable by stiff fines and jail sentences. It is important that you make sure that users understand this and that you protect your company from possible litigation by showing that you have made an effort to prevent unauthorized programs from being placed on computers at the site.

Piracy is only half the issue when it comes to unauthorized programs. Computer viruses can easily make their way from one computer to another through floppy disks or by being downloaded from the Internet. Unfortunately, it is usually only after more than one system has become infected that a virus is found or reported. If all software that is used on the company network is first examined, approved, and distributed by a central source, you will have better control over this problem.

Of course, you also should state that users cannot make copies of software or data that is owned by the company and take it home or otherwise use it in an unauthorized manner.

Note

For some tools, such as antivirus products or software-based firewalls, it may be in your company's best interest to negotiate contracts that allow such products to be installed both on office assets and on employees' personally owned home systems. The additional cost can be well worth the investment if it prevents a virus-infected system from connecting and propagating on your corporate network.

In this statement, point out to users that they are required to report any suspicious activity or misuse of network resources. They also should be made responsible for taking necessary measures for protecting data and programs within their scope. This includes not leaving a workstation logged in when they are away from it for extended periods; they should use a password-locked screen saver when away from the computer. Another avenue of infiltration is leaving reports or other output containing sensitive information lying around. Just because you trust one employee does not mean you trust all employees. For example, if a printout of payroll information is left lying around, do you really think that someone is not going to look at it? If you do not put the rules in a policy statement, users might not realize that these things are a problem.

If dial-up access is granted to users, they should certainly understand that they cannot give information used for this access to anyone else, either inside or outside the company. Many times it has been shown that hackers penetrated a network not through repetitive password cracking techniques, but simply because a user left a password lying around or used one that was so obvious that it could not be considered secure.

All, and I mean all, access to your network should be done through a VPN or a dial-up mechanism that uses a firewall. Although your network policies may absolutely prohibit employees from using company computers for home work (or for mobile users on the road), I can guarantee that you will never be able to enforce this policy. Users will check their own personal email, read the latest news site, and, at worst, download software that may seem innocent, such as programs to play back MP3 files, or others. These things should not be tolerated in a secure network environment. A firewall can only do so much.

Indeed, there is an application on the Internet that can make use of "unused" fields in the IP packet to send one or more characters at a time using otherwise normal IP packets that your firewall will let through. When you consider that several thousand IP packets can be used in a single transmission, you'll see that any hacker intercepting these can gain a lot of information from someone inside your company who appears to be a model employee.

The things you can put into an acceptable use policy are extensive. You must examine the specific types of resources you are trying to protect and think up ways to include them in the statement. Some other items you might want to consider are listed here:

  • Harassment of other users. What might seem like harmless horseplay in a typical office environment can constitute harassment when it's done over a long period.

  • Threats. Statements that can be construed as an intention to perform some kind of harmful act should always be treated with the utmost importance and severity.

  • Removal of hardware (or software) from the premises without written authorization. This includes such things as authorization codes used to activate copies of software that is downloadable from the Internet, as well as copied software. You should not provide "CD burners" for employees who do not have an absolute need for them. Your typical backup procedures for networked disk drive shares should be enough to ensure that data is not lost.

  • Using company email for personal use. This may seem to be a small matter, but as recent events have shown, just opening an attachment to an email can launch a virus on a computer. In addition, the content of a person's email can sometimes be offensive, especially if the user has gotten onto a "spam" list. Lastly, do you want to pay employees to spend an hour or so each day reviewing their own personal email?

  • Bringing hardware into the premises without authorization, such as laptop computers. This is a policy that especially should be applied to vendors and contractors. If they need to perform functions (such as software installation or troubleshooting), then you should, if possible, provide the computer access they need, and be careful to supervise their access.

  • Attempting to access data not relevant to the user's job, sometimes referred to as "probing" the network. This is, in my opinion, an offense that you should consider as a reason for firing an employee. There is never a need to go exploring the network. If the user wants to know where data or applications are stored, they should discuss it with management or your help desk.

Employees

Any document that outlines guidelines for using the network should point out to employees that they are to behave ethically on the network. Help-desk personnel, for example, often must access data owned by another person when helping them with a problem. Disclosing information to a third party that is obtained during this type of work is unethical. Administrators and operations personnel often have elevated rights and privileges on the workstations and servers that are distributed throughout the network. They should be made to understand that these privileges include a responsibility to professionally carry out their work without causing problems.

One of the main problems I've encountered with help-desk employees is that they are paid very little compared to others who manage the network. Yet they are a very vulnerable link in the chain. Only constant training and discussions about security can solve this problem because most corporations view the help desk as a minor department, where turnover is frequent because most employees here learn enough to go on to higher-paying jobs.

Vendors and Outside Connections

Another area often overlooked is when outside persons are allowed to access the network. If you have contractors who are brought in to do work that cannot be done by in-house persons, be sure that you have a usage guidelines document for them to review and sign. It should specifically include the fact that information on the network is of a proprietary nature and cannot be disclosed to any outside party, or to any employee in the company who does not have a need to know.

Additionally, the policy document should state that the contractor cannot discuss with others the type of information to which they have access. A little information can go a long way when given to the wrong person.

When hardware repair needs to be done, it is sometimes done by a third-party maintenance organization, or perhaps by the vendor who manufactures the equipment. Diagnosing some problems may require that the repairman have access to a logon account. If you maintain a user account just for this purpose, be sure that it is one that can be enabled and disabled so that it is available only when it is needed. For example, the OpenVMS operating system has, by default, a FIELD account that is meant to be used by field service when it needs access to the computer. This account is disabled when it is created and must be enabled by the administrator before it can be used. Because OpenVMS is a widely used operating system, there are a lot of hackers who are aware of this account and also know that many times you will set an easy password for it. Don't make the mistake of leaving this kind of back door open to your network. Disable or remove accounts such as these when they are not needed.

Escalation Procedures

Having a plan of action that should be followed in response to a specific event is a good idea. There should be a specific person or persons in the company who are designated to be responsible for and investigate matters relating to security. A document that sets forth the procedures to be followed for particular security violations will also show users that security is important for the network and that actions will be taken.

A document covering escalation procedures should indicate the kinds of things that are considered a security breach. These can include the following:

  • Theft of hardware or software

  • Password discovery or disclosure

  • Improper disposal of media, including tapes, floppy disks, and printed reports

  • Sharing of logon accounts or disclosure of usernames and passwords

  • Probing the network to look where one is not authorized

  • Interfering with another user's data or account

  • Suspected network break-in from outside sources

  • Computer viruses

  • Physical access violations

Some of these probably seem very obvious when you look at them. To think that you will know how to handle these kinds of problems without a written procedure, though, is a little naive. For example, it is very common for users to allow others to use their account. It's a lot simpler to let another employee use your workstation, when theirs is out of service, than it is to get the appropriate permissions from upper-level management. However, it often happens that when you give someone a password to use on one occasion, it also gets used on another.

When you suspect that the network has been infiltrated from an outside source, what do you do? Shut down the routers? Change all the passwords? Think about this ahead of time and document a list of steps to follow. These steps should include methods used to determine the source of the break-in, as well as procedures to be followed to punish the intruder and reassert ownership of any pilfered information. For example, if information that is confidential has been compromised, what steps do you take to notify the person to whom the information relates? Are there legal matters you need to be aware of that pertain to the data that resides on your network?

Perhaps one of the hardest things a manager has to do is to fire an employee. When someone leaves the company voluntarily and is on friendly terms with management, it is a simple matter to deactivate the user's account and be sure that all access doors are closed. When an unfriendly termination happens, though, you need to have in place steps to follow to be sure you are aware of all access methods that were available to the unfriendly employee. In the case of an employee who is terminated for actions that caused deliberate damage to the network, how do you determine whether any other "time bombs" have been planted? What steps do you take to isolate the resources that were available to this employee until further analysis can be done? Do you need to change passwords on accounts other than the user's, for example, any test accounts or local system accounts to which the user may have had access?

As you can see, network security has far-reaching implications. Knowing what to do in the event of a specific security event will make things easier for you when they happen.

What a Security Policy Should Include

When writing a security policy, you should first perform an inventory of the resources you want to protect. Identify the users who need to access each resource, and determine the most likely place a threat to the resource might come from. With this information, you then can begin to construct a security policy that users will have to follow.

The security policy should not be something that is simply generally understood by everyone. It should be an actual written document. To remind users about the importance of security, you might want to post copies of it around the office so that they will see it on a regular basis.

A good security policy will be composed of several elements, including these:

  • Risk assessment: What are you trying to protect and from whom? Identify your network assets and possible sources of problems.

  • Responsibilities: Describe who in the company is responsible for handling specific matters relating to security. This can include who is authorized to approve a new user account up to items such as who will conduct investigations into security breaches.

  • Proper use of network resources: State in the policy that users are not to misuse information, use the network for personal use, or intentionally cause damage to the network or information that resides on it.

  • Legal ramifications: Be sure to get advice from the proper sources about any legal matters that apply to the information you store or generate on your network. Include statements to this effect in the security policy documents.

  • Procedures to remedy security problems: State what procedures will be followed when a security event occurs and what actions will be taken against those who perpetrate them.

Request for Comments (RFC) 1244 ("Site Security Handbook") is a good document to read before designing a security policy. This RFC gives a list of resources found in most networks that are vulnerable to potential security threats. You can download this RFC, along with others, from the Web site www.rfc-editor.org/. These are the five classes of vulnerability vectors:

  • Hardware: This includes workstations and servers, printers, disk drives, network wiring, and disk drives. This also includes internetworking devices such as bridges, routers, and switches.

  • Software: Every piece of software you run on any computer in the network is a potential security problem. This includes programs purchased from outside vendors and software created in-house by your own programming staff. Operating systems frequently have to be patched as new bugs are discovered that give an intruder an easy way to infiltrate.

  • Data: The most important asset on your network is probably the data that is generated or used by your business. You can replace software programs and operating systems. When important data, such as customer lists, sales information, or proprietary trade secrets, is compromised, this can have a significant impact on business.

  • People: Users, operators, and anyone else who interacts with your network or any device attached to it are a potential security risk.

  • Paperwork: Often overlooked by many, this is a very valuable resource to hackers. Passwords are written down. Reports are generated that have confidential information contained in them. Often this resource is simply thrown in a dumpster when it is no longer needed. A better approach is to shred or otherwise make it unusable before getting rid of it.

Note

The Post-It Note is, in this author's opinion, one of the single greatest threats to computer security. I can't tell you the number of times I've found Post-It Notes with a username and password stuck to the side of a monitor.

A good security policy that is understood by users will go a long way toward preventing some of the problems you can potentially encounter. Make it a point to review the policy with users periodically, such as at quarterly meetings, and be sure that users understand the responsibilities that go along with having access to the company network.



Upgrading and Repairing Networks
Upgrading and Repairing Networks (5th Edition)
ISBN: 078973530X
EAN: 2147483647
Year: 2003
Pages: 434
