CONSIDERING SECURITY
How is a network manager supposed to instruct and influence the users on their network about security risks, especially if they are young college graduates with little experience? This is a difficult position to be in, but since the company hired you, someone has confidence that you will do the job well. It helps if you are certified and have a degree. As you settle into your new job, you need to document, document, document everything. Find out what the current policies are, find out how to implement new policies, and back up your documentation with several valid sources. If you present a strong case with good arguments, the management is more likely to take you seriously and support your new security policy ideas.
There is a plethora of security holes in any network, in almost any setting. If only network managers did not have to deal with users, the risks would be minor. Unfortunately, networks are set up for users to “use”, and the more users, the more security risks there are. Risks come from many different areas: the Internet, instant messaging and email applications, wireless networks, and removable media.
There are resources, both online and in books, that will help a network administrator conduct a risk analysis; Cisco is one of these resources. Once the risks have been identified, the more obvious ones should be shared with the entire company, not just kept within the IT department. I believe that if a network manager explained in relatively simple terms why people needed to protect the network, the users would be more willing to co-operate with security measures. Videos and animated presentations can help educate users, while quizzes and surveys can provide feedback to the IT department about knowledge and compliance. This information can be used to judge the success of the security training program.
Create usage policy statements so the users are aware of the IT department’s mission to keep the network secure and how they are going to implement those security measures. According to Cisco’s Best Practices White Paper On Network Security Policy, “[They] recommend a statement that outlines users' roles and responsibilities with regard to security”. I agree with Cisco that the users need to understand network, computer, and personal security risks. The actions of the user that could result in punitive or disciplinary action should be included in the employment package. These expectations should be reviewed yearly. If possible, the executives and leadership of the company should also be educated about the necessity of security to protect their information, computers, and employees. A network manager cannot expect security policies to be enforced unless the management is aware of the risks and benefits.
Using passwords is the most common way to manage user accounts, limit accessibility, and track user activity. Until we use biometric logons, passwords are all network administrators have to work with. The more sensitive the data or the service the user is accessing, the more important it is to have a secure password. The passwords need to be designed with “ease of remembrance” in mind. A password written on a Post-it note stuck on the monitor has defeated the purpose of a password. The best passwords are not “words” from the dictionary but acronyms; for example, “to be or not to be” can be “2BRnot2B”. Try using random words in a nonsense sentence: “I ate kiwis in 1987” can be “i8ki19wis87”. Passwords can be administered in several different ways. If the operating system is UNIX/Linux, this can be done with PAM (Pluggable Authentication Modules). PAM is configured through a special file that has parameters for security settings. These include password strength, a password expiration date, and the ability to keep users from changing their password to something too simple to protect the network.
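As an added illustration (not part of the original article), the Python below audits the password rules of a PAM configuration for the strength and reuse settings described above, comparing a weak sample with a hardened one. The sample file contents, the 12-character threshold and the function names are assumptions; password expiry, which is kept in the account aging settings, is not checked.

```python
import re

# Constructed samples of a PAM "password" stack (e.g. /etc/pam.d/common-password);
# the values and the 12-character threshold are assumptions for illustration.
WEAK = "password required pam_unix.so nullok md5\n"
HARDENED = """\
# strength: minimum length, required digit and uppercase, difference from old password
password requisite pam_pwquality.so retry=3 minlen=12 difok=4 dcredit=-1 ucredit=-1
# refuse reuse of the last five passwords
password required  pam_pwhistory.so remember=5 use_authtok
password required  pam_unix.so use_authtok sha512 shadow
"""

# type, control (plain word or [bracketed list]), module, then options
RULE = re.compile(r"^-?(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Return (type, module, {option: value}) for each rule line."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line.split("#", 1)[0].strip())
        if not m:
            continue  # blank line, comment, or @include directive
        kind, _control, module, args = m.groups()
        opts = dict(a.partition("=")[::2] for a in args.split())
        rules.append((kind, module.rsplit("/", 1)[-1], opts))
    return rules

def audit(text, min_len=12):
    """List weaknesses in the password-change stack; an empty list means none found."""
    rules = [(m, o) for kind, m, o in parse_pam(text) if kind == "password"]
    findings = []
    quality = [o for m, o in rules if m in ("pam_pwquality.so", "pam_cracklib.so")]
    if not quality:
        findings.append("no strength-checking module in the stack")
    elif int(quality[0].get("minlen") or 0) < min_len:
        # pwquality.conf may also set minlen; only the PAM line is inspected here
        findings.append(f"minlen on the module line is below {min_len}")
    if not any("remember" in o for _, o in rules):
        findings.append("no password history (remember=N)")
    for m, o in rules:
        if m == "pam_unix.so" and "nullok" in o:
            findings.append("pam_unix.so accepts empty passwords (nullok)")
        if m == "pam_unix.so" and ("md5" in o or "bigcrypt" in o):
            findings.append("pam_unix.so uses a legacy password hash")
    return findings
```

Calling audit(WEAK) lists every gap in the one-line stack, while audit(HARDENED) returns an empty list.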
Always run your workstations with non-administrative users. This technique provides a sort of insurance by limiting any damage that could result from a security breach. A person or program attempting to gain access to a machine would have access to many of the files, but would probably not be able to install malware on the computer, nor be able to compromise the operating system or the network.
A wireless environment should be properly secured, at home, at work, and on the road. Change any wireless router's default password and use WPA encryption. Do not allow routers to be administered over the Internet, and consider creating a closed network and limiting access by MAC address. Keep logs to see who is trying to access the firewall and watch out for rogue access points. NetStumbler can detect wireless access points and it supports the use of a GPS card, which allows it to create a map showing the locations of wireless access points. Wireless access to a network creates a huge security risk. If employees really want a wireless network, it is better to set one up for them with some security in place instead of allowing people to randomly connect to the network.
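As an added illustration (not part of the original article), the Python below compares a wireless survey against the list of access points the IT department installed, to pick out rogue access points and authorized ones running without WPA. The CSV columns are an assumed layout, not NetStumbler's export format, and every BSSID, SSID and signal value, as well as the -70 dBm threshold, is constructed.

```python
import csv
import io

# Constructed inventory of access points installed by IT (BSSID -> SSID).
AUTHORIZED = {"02:00:00:00:00:01": "CorpNet", "02:00:00:00:00:02": "CorpNet"}

# Constructed survey results in an assumed CSV layout.
SURVEY_CSV = """\
bssid,ssid,encryption,signal_dbm
02-00-00-00-00-01,CorpNet,WPA,-48
02:00:00:00:00:02,CorpNet,WEP,-55
02:00:00:00:AA:0B,CorpNet,WPA,-60
02:00:00:00:AA:0C,linksys,None,-42
02:00:00:00:AA:0D,CoffeeShop,WPA,-88
"""

def norm(mac):
    """Lower-case a MAC and use ':' separators so survey and inventory entries compare equal."""
    return mac.strip().lower().replace("-", ":")

def classify(survey_csv, authorized, near_dbm=-70):
    """Map each surveyed BSSID to a verdict for follow-up."""
    known = {norm(b): s for b, s in authorized.items()}
    corp_ssids = set(known.values())
    report = {}
    for row in csv.DictReader(io.StringIO(survey_csv)):
        bssid, ssid = norm(row["bssid"]), row["ssid"]
        secure = row["encryption"].upper().startswith("WPA")
        if bssid in known:
            # A matching BSSID is not proof of identity (MAC addresses can be
            # cloned), but a known AP seen without WPA needs fixing either way.
            verdict = "ok" if secure and ssid == known[bssid] else "misconfigured"
        elif ssid in corp_ssids:
            verdict = "rogue-suspect"  # unknown hardware advertising the company SSID
        elif int(row["signal_dbm"]) >= near_dbm:
            verdict = "investigate"    # unknown AP strong enough to be on the premises
        else:
            verdict = "neighbour"      # weak unknown AP, probably outside the building
        report[bssid] = verdict
    return report
```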
A SHORT LIST OF SECURITY SUGGESTIONS:
Keep all of your software updated
Run anti-virus and anti-malware software
Use permissions, preferences, and group policies to limit users' ability to install software
Implement a good backup policy; consider storing periodic backups off site
Avoid unsafe behavior, such as opening email attachments or file sharing
Block unsigned ActiveX scripts
Do not allow remote access except by the IT department
Establish logs for user logons and logoffs; consider a centralized logging server for easy access to logs
Research the latest security risks; phishing was an unheard-of threat a few years ago, and there always seem to be new threats
Use firewalls
Have a disaster recovery plan documented
Reference sites:
Apple Product Security
http://www.apple.com/support/security/
CERT® Coordination Center - The United States Computer Emergency Readiness Team (US-CERT)
Before You Connect a New Computer to the Internet
http://www.cert.org/tech_tips/before_you_plug_in.html
Cisco Systems, Inc.
Copyright © 2006−2007
http://www.cisco.com/warp/public/126/secpol.pdf
Mandriva Security Advisories
http://www.mandriva.com/security/advisories
Microsoft TechNet Microsoft Windows XP Baseline Security Checklist
http://www.microsoft.com/technet/archive/security/chklist/xpcl.mspx
RedHat Security and Errata
http://www.redhat.com/apps/support/errata/
Slackware Security Advisories
http://www.slackware.com/security/
SUSE Security (US/Canada)
http://www.novell.com/linux/security/securitysupport.html
Tech Republic
Stop rogue access points from showing up on your network
http://articles.techrepublic.com.com/5100-10878_11-5053779.html
Ubuntu Security notices
http://www.ubuntu.com/usn/
University of Indiana Information Technology Services, Knowledge Base, Computer Security
Copyright 2005-2007, The Trustees of Indiana University
http://kb.iu.edu/data/hack.html