Risk Mitigation Policies

You'll want to establish clear, written policies in partnership with your organization's management team. This partnership can't be emphasized enough: a policy without teeth might as well never have been written. You'll want to:

Establish good physical security for all infrastructure, no matter how "insignificant" a piece of infrastructure might seem.
Get management to build some level of concern for network security into the hiring process.
Explicitly forbid bypassing security checkpoints (such as firewalls, remote access servers, and so on) in your AUP.
Establish desktop management policies as they relate to virus/trojan protection and levels of workstation lockdown.
Encourage small teams of administrators to collaborate. If there's more than one administrator watching the henhouse, it's less attractive to act the fox.
Employ intrusion-detection systems (see Chapter 12, "Intrusion Detection Systems (IDS)"), being careful to employ those that can handle high-bandwidth internal networks.
Audit your systems and procedures periodically. (See Chapter 11, "Vulnerability Assessment Tools (Scanners)," and Chapter 13, "Logging and Auditing Tools.")
Maintain current levels of OSes and applications. (Vendors usually patch script kiddie exploits rather quickly.) (See Part VI, "Platforms and Security," for more information on maintaining current levels.)

Physical Security

It's actually pretty easy to practice due diligence with physical security. You've just got to be meticulous and consistent, and take it seriously. Pretend that someone could burglarize you personally if you're not careful. It might help to pretend that you live in New York. In all seriousness, physical security is where the battle can easily be lost, although it can't be totally won with just physical safeguards.
Little things like the ability to reboot a server from a floppy, finding an unused username on a printout, or even finding a tape with a copy of a security database on it make an intruder's job easier. Let's make it hard. Here are some "DOs" and "DON'Ts" that will make your job a little easier, an intruder's life a little harder, and your data a little more secure:

DOs

DO lock every wiring closet and keep them locked.
DO use switches rather than hubs, especially for LAN segments that have administrative users on them. (They still must be physically secure to ensure that someone can't access the switch and packet sniff via port mirroring.)
DO change locks or door passcodes immediately when employees leave.
DO erase hard drives, flash, and so on, when you take them out of service. Nobody's going to remember to do it before the surplus auction, and all sorts of passwords and/or sensitive data might be on them.
DO erase old backup tapes before disposing of them.
DO write nonsense data to magnetic media when you are erasing it. Dropping a partition table is NOT good enough. (Degaussing is okay, though.)
DO use a paper shredder. Don't laugh. Dumpster diving is more common than you think.
DO lock your server cabinets when you're not using them.
DO restrict or forbid the use of modems on desktops; they are the number one method of bypassing your organization's security checkpoints.
DO make sure that any "road" laptop or PDA has appropriate data protection software and hardware installed before deployment.
DO consider whether user access to floppy disks or other removable media makes sense for your environment; they constitute a possible bypass of your security checkpoints.
DO consider the use of smart cards/token-based security devices rather than passwords for administrative users or sensitive systems. Many operating systems now support token-based authentication in addition to passwords.
DO remember that your phone PBXs also must be secured.
DON'Ts

DON'T send off-site backups to unsecured locations.
DON'T give keys to vendors. Let them in to do their work, and then politely wave bye-bye when they leave.
DON'T allow anyone other than key personnel ad hoc access to the data center.
DON'T share wire closets with user-oriented peripherals such as printers.
DON'T put servers into unsecured areas.
DON'T leave server keys attached to the back of a server. Believe it or not, other people will think of this, too.
DON'T let cleaning people or other untrusted service people into secured areas without an escort.
DON'T store any sensitive data on user hard drives; if you must, think about hard drive encryption products.
DON'T discuss passwords or other sensitive information over unsecured channels such as cell phones, 800MHz radios, or instant messaging.
DON'T put consoles, keypads, or administrative workstations near windows.

The Hiring Process

Naturally, J. Random Hacker isn't going to show up and reveal his otherworldly activities at a job interview. And even doing background checks can turn into nothing more than lip service, depending upon who's doing the checks and whether the individual has been caught in the past. Still, there are things you can do to minimize your risks during the employment process. Start out by doing a "due diligence" background check, particularly for employees that will be involved in any level of IT. Do your homework and use a reputable agency to do your background checks; as with anything else in computing, "Garbage in, garbage out." If you are using an internal HR check or some other check that you don't get invoiced for, communication is the key. Don't assume that silence from your background check folks means "Everything is OK." Lack of "NACK" (Negative ACKnowledgement) does not mean "ACK." It might simply mean that your request form got thrown out with lunch's pizza box. See http://www.nwc.com/1201/1201colfeldman.html for more discussion of the hiring process.
After you've worked with management to establish an Acceptable Use Policy, your next step is to work with HR to integrate it as part of the employment process for any employee. You want it integrated for two reasons: First, because it sends a message, and might dissuade an employee from snooping or fiddling where he or she doesn't belong. Second, if termination or disciplinary action is necessary because of AUP violation, it's definitely a lot easier to do if you have an "I-have-read-and-understood-this" AUP to back you up.

Establishing Desktop Lockdown

Lockdown, in the desktop management context, means that you've managed to apply the straps to your users in such a way that they can't hurt themselves or your network. In the best case, this is done in such a way that the users don't feel constricted or stifled. Having a heart-to-heart with management about the level of lockdown can be only a good thing. Users get extremely irrational about losing any amount of autonomy, and you will definitely want management to buy into any lockdown that you need to enact. It should be pointed out that desktop management, that is, any desktop management that resides on a local workstation, can be bypassed by a clever user unless there is serious physical security in place (no floppies, an "unpickable" case lock, and so forth). This, of course, is the type of security that you must have if you have public information terminals, kiosks, and so on. The point is that any workstation that isn't physically secured can usually be booted from alternative media, and then the local OS can be modified to a malicious user's heart's content. Still, desktop management and lockdown for nonpublic users are important due-diligence measures, and definitely should not be skipped. The important thing here is to prevent either well-meaning or scofflaw users from hurting themselves and others. Defeating a truly noncasual and malicious user isn't the primary purpose of desktop management.
As far as manual procedures go, you can see some sample system lockdown checklists at http://www.nswc.navy.mil/ISSEC/Form/index.html

Virus protection, of course, is a mandatory component of desktop management. Virus protection is (or should be) such second nature to today's IT staff that we mention it here simply to ask one question: Can the user turn off virus protection? Some virus protection suites let the user do this; others password-protect the entire control panel. You should certainly password-protect the control panel if possible, but you should also enact desktop management policies that check and reinstall virus protection if the workstation's otherwise permissive operating system allows its removal. Good desktop management tools enable you to not only "force" certain applications, but they can also:

Force applications to be configured in a certain way (notably browsers)
Restrict users from running anything but a certain set of applications
Restrict use of removable media
Prevent users from modifying system configuration

Restricting Content

It used to be that IT managers were only worried about what users were able to download; that is, folks were concerned about employee abuse of the Internet. At the time, there wasn't technology to check what the actual downloaded content was, so managers contented themselves with blocking sites based upon where the user tried to surf. Certain software manufacturers also became service organizations (notably Cyber Patrol; see "Products: Content Management") that maintained a list of URLs in certain categories: adult-oriented, comedy, shopping, news, and so on. As a manager, you could then block various categories with a perimeter device that had access to these lists. This strategy, however, wasn't complete in and of itself. Objectionable sites surface overnight, and the list didn't always reflect reality. And, filtering outbound URLs does nothing to fight questionable content that leaves your site.
Because one of the risks to your organization is the unauthorized disclosure of content (customer lists, intellectual property, and so on), one of the hottest topics in corporate security today is that of content management (also called content filtering, content services, and content restriction). Content management works in conjunction with your perimeter security devices. The software can perform lexical analysis, pattern matching, even image recognition. (Yes, those images.) Another risk faced by your organization is the transmission of inappropriate content (pornographic, libelous, or otherwise offensive data) or dangerous content (such as Trojans and viruses) to business partners. You'd have to be nuts to think that any tool could totally eliminate the possibility of inappropriate content making it through your checkpoints. But content management tools can limit the possibility. Virus gateway protection software is one example of specialized content management.

Some vendors label their products as content filters, when in fact they are site filters or URL filters. Again, rather than checking the data stream for objectionable content, they check the Web address against a categorized list of known Web sites. Site filtering has merit. It can definitely decrease the amount of daytrading/time-wasting/non-work-related surfing at your organization, but it's not content filtering. It is only as effective as the folks who update the lists are. And, site management doesn't do anything for your intranet.

That said, content management tools fall into two categories: those that offer generic content-checking services to the network, and those that operate solely on a specific application. Those that offer generic content services tend to do it via CheckPoint Software's CVP (Content Vectoring Protocol). CVP accepts a connection from a client, proxies the request to the server, scans the content, and either modifies or denies the request when content does not pass muster.
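As an added illustration (not code from the book or from any vendor product), here is a toy Python content-vectoring scanner that shows why a site filter is not a content filter: the site check looks only at the destination host, while the content check inspects the data stream in both directions and can allow, modify, or deny, mirroring the CVP flow just described. The hostnames, category list, and lexical rules are all constructed for the example.

```python
"""Toy content-vectoring scanner: a site (URL) filter beside a content filter."""
import re
from dataclasses import dataclass

# Constructed category list, standing in for a vendor-maintained URL database.
SITE_CATEGORIES = {"adult.example": "adult-oriented", "shop.example": "shopping"}
BLOCKED_CATEGORIES = {"adult-oriented"}

# Constructed lexical rules for the content scanner (pattern matching on the
# stream itself, which is what a site filter never does).
CONTENT_RULES = [
    ("confidential-marker", re.compile(r"\bCONFIDENTIAL\b")),
    ("customer-list", re.compile(r"\bcustomer\s+list\b", re.IGNORECASE)),
]


@dataclass
class Request:
    direction: str  # "inbound" (user downloading) or "outbound" (data leaving)
    host: str       # destination or origin host
    body: str       # the content being transferred


def site_filter(req: Request) -> str:
    """Site/URL filtering: decides only on where the user is going."""
    category = SITE_CATEGORIES.get(req.host)
    return "deny" if category in BLOCKED_CATEGORIES else "allow"


def content_filter(req: Request):
    """Content filtering: inspects the bytes, regardless of host or direction."""
    hits = [name for name, pat in CONTENT_RULES if pat.search(req.body)]
    if not hits:
        return "allow", req.body, hits
    if req.direction == "outbound":
        return "deny", "", hits  # stop the disclosure outright
    cleaned = req.body
    for _, pat in CONTENT_RULES:  # inbound: pass a sanitised copy instead
        cleaned = pat.sub("[filtered]", cleaned)
    return "modify", cleaned, hits


def vector(req: Request) -> dict:
    """CVP-style flow: accept, check the site list, scan the stream, decide."""
    if site_filter(req) == "deny":
        return {"action": "deny", "stage": "site", "body": "", "hits": []}
    action, body, hits = content_filter(req)
    return {"action": action, "stage": "content", "body": body, "hits": hits}
```

An outbound upload of a customer list to an unlisted host sails through the site filter and is caught only at the content stage, which is the gap the text describes.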
There is not yet an RFC-based content restriction protocol that has been widely implemented. If you're not using Firewall-1 or another firewall that supports CVP, you might have to purchase individual products that separately monitor Web content (HTTP), email (SMTP), news (NNTP), and FTP. You'll also probably have to put up with some degree of false positives, yet another thing to administer. For example, content filters commonly block Network Computing's "Centerfold," a showcase of innovative companies' networks. Still, content filters can be worthwhile, if you target and configure them correctly. See the section "Products," later in the chapter, for a sampling of content-filtering tools. Look for content management to change and grow in the next couple of years; hit the Web or magazines like Network Computing for the latest scoop.

Administrative Collaboration

At first, administrative collaboration doesn't seem like much of a security practice. How can teamwork make your internal network a safer place? First, consider that any illegal or unethical action involving partners automatically means that there are witnesses and possible leads to an investigation. As Benjamin Franklin said, "Three can keep a secret if two of them are dead." Secondly, take the case where there is no explicit partnership during a questionable activity. The fact that there is another administrator who has responsibility for the system involved means that the system itself is under scrutiny. The fact that there is third-party scrutiny of the system might discourage the perpetrator in the best case, or at least lead to discovery of the questionable activity. You should be careful, however, to avoid assigning too many hands to any given pot. Not only can this lead to system chaos, but it also can make unethical activity harder to trace, either during an incident or an audit. You definitely want a limited pool of individuals accountable for a given system.