The Human and Technical Elements Explored
By Edward D. (Fast Eddie) Clark
Contents: Introduction · Passwords · Individual Security Efforts · Software Issues · User Oversight · Remote Access · Summary · Bibliography
Introduction
However many tasks programmers can direct a computer to accomplish, we must always remember that IT systems are developed for people to use. Whether an IT professional or the receptionist at the front desk, every person who comes into contact with the network has an inherent responsibility to protect it and the data it contains. Passwords and virus protection are obvious areas where the IT professional and the user must constantly interact, and some moderate negotiation may be required. Media control, disaster recovery, and environmental effects are often subjects that require significant training before users can properly do their part in maintaining network security. Maintaining a high level of training, and ensuring that users and IT staff are each aware of the other's concerns, is a difficult task, but one that must be done. A combination of management accountability and an information security team is just as important as the best software available to sniff out and disconnect prying hackers. Like any effective security protocol, the human element of the network must be constantly analyzed, shortcomings identified, and practices changed to close these chinks in our virtual armor.
Additionally, we must give these human resources the technical resources to accomplish these tasks. No password is 100% safe. With this in mind, we have to spend the money to put in place the software and hardware required to identify breaches in security. Just as a bank would not place a tin lock on the door of its vault, we too must place adequate security at every port into our information management systems. Remote access and e-mail are the two major areas of concern. Virus scanning software must make it as simple as possible for users to keep accurate and up-to-date virus profiles. By planning for both portions of the security strategy, we can better see weaknesses in one area and attempt to compensate through the other. This strategy must be a living document. In addition to human and technical resources, it is imperative that we receive executive sponsorship and support in its development and implementation.
Passwords
The most prominent and ongoing feud between users and IT professionals is the selection and use of passwords. The IT staff is content with 14-character passwords mixing letters, numbers, and special characters in both upper and lower case. Users prefer to use "password" in lower case. A happy medium must be found that suits the needs of the user while still giving the System Administrator a high level of impenetrability. The 14-character format just mentioned provides great protection against a cracking program, but passwords that are constantly forgotten and reset put the network at risk: a would-be intruder can try easily obtained user names against the reset password "password" that sits waiting for the user's next login. Allowing a user to list his cocker spaniel's names is not the solution either. Listed below are good practices for both camps to follow when selecting passwords.1 With these in mind, we can move towards a single sign-on for all users.
Don't Use Passwords:
· That include your name, or the name of your pet or a family member, in any fashion.
· Made up of numbers or names easily obtained about you, such as an SSN, license plate, or street address.
· That consist of all numbers, all letters, or all special characters.
· That include words from English or foreign dictionaries.
· With fewer than 6 characters.
1 David A. Curry, "Improving the Security of Your UNIX System", Information and Telecommunications Sciences and Technology Division, ITSTD-721-FR-90-21.
Do Use Passwords:
· That contain at least three of the four character types: upper case, lower case, numbers, and special characters.
· That are easy to remember (so you don't write a note and place it under your keyboard).
· That are easy to type, so you can type them quickly and protect them from being observed while typed.
Some Additional Thoughts:
· Computer-generated passwords, no matter how random they may seem, are produced by an algorithm. If that algorithm (or the seed it is fed) is predictable, most of the passwords on that system can be recovered in a short amount of time.
· Pick a password from which you can tell yourself a story. For instance, the password m2danSaS could represent this story about your two dogs: "My 2 dogs are named Spot and Sam." Note how the password satisfies the three-character-type rule, is eight characters long, and has no visible correlation to any name or number that would make it easy to guess. The initials of the names are capitalized to supply the third character type.
For the System Administrator:
· Don't allow your users to flip back and forth between two passwords. If an account is compromised and you direct new passwords, users who alternate between the same two passwords remain at risk. Make them select four consecutive new passwords before they can reuse an old one.
· Do not use the word "PASSWORD" when resetting passwords. It is better to set the password to expire than to set it to "password". In the event of a lost password, call the user with a new one-time password they can use to gain access once, and then have them reset it to a password that fits the parameters mentioned above.
· Instruct new users on the method for developing effective passwords.
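As an added example (not part of the original paper), the following Python code turns the Don't/Do rules above into a checker, and keeps a salted-hash history of a user's last four passwords so the System Administrator's "four consecutive new passwords" rule can be enforced without storing any password in the clear. The small word list, the personal-term list, and the sample passwords are constructed for the example; a real deployment would load a full dictionary such as /usr/share/dict/words.

```python
import hashlib
import os
import re

# Thresholds taken from the rules above (assumption: 6 is a hard minimum).
MIN_LENGTH = 6
REQUIRED_CLASSES = 3   # three of the four character types
HISTORY_DEPTH = 4      # "four consecutive new passwords before they can reuse an old one"

# Constructed stand-in for an English dictionary.
DICTIONARY = {"password", "secret", "welcome", "spot", "dogs", "named", "summer"}


def character_classes(pw: str) -> set:
    """Return which of the four character types appear in pw."""
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def policy_violations(pw: str, personal_terms=(), dictionary=DICTIONARY) -> list:
    """Check a candidate against the Don't/Do rules; [] means it passes.

    personal_terms: names, pet names, SSN, plate, street address for this
    user; anything 3+ characters long is rejected as a substring.
    The 'all numbers / all letters' rule is subsumed by the class count.
    """
    problems = []
    low = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = character_classes(pw)
    if len(classes) < REQUIRED_CLASSES:
        problems.append(f"uses {len(classes)} character types, need {REQUIRED_CLASSES}")
    for term in personal_terms:
        t = re.sub(r"[^a-z0-9]", "", term.lower())
        if len(t) >= 3 and t in low:
            problems.append(f"contains personal term {term!r}")
    for word in dictionary:
        if len(word) >= 4 and word in low:
            problems.append(f"contains dictionary word {word!r}")
    return problems


class PasswordHistory:
    """Salted PBKDF2 hashes of the last HISTORY_DEPTH passwords, oldest first."""

    def __init__(self, depth=HISTORY_DEPTH):
        self.depth = depth
        self._entries = []  # (salt, digest)

    @staticmethod
    def _digest(pw: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

    def was_used_recently(self, pw: str) -> bool:
        return any(self._digest(pw, s) == d for s, d in self._entries)

    def record(self, pw: str) -> None:
        salt = os.urandom(16)
        self._entries.append((salt, self._digest(pw, salt)))
        self._entries = self._entries[-self.depth:]   # drop anything older


def accept_new_password(pw: str, history: PasswordHistory, personal_terms=()) -> list:
    """Policy rules plus the reuse rule. Returns the reasons for rejection;
    an empty list means the password was accepted and added to the history."""
    problems = policy_violations(pw, personal_terms)
    if history.was_used_recently(pw):
        problems.append(f"matches one of the last {history.depth} passwords")
    if not problems:
        history.record(pw)
    return problems
```

The story password from the text, m2danSaS, passes even when "Spot" and "Sam" are supplied as personal terms, because only the initials appear; "Spot1234!" fails the dictionary rule, and a password is accepted again only after four different ones have been recorded in between.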
Individual Security Efforts
Most users think of elaborate software, firewalls, and encryption algorithms when they think of computer and information security. Yet there are many measures a user can take to protect their data that don't even require a computer. How we manage printed information, store our media, and keep our offices can all affect the security of our company's information. Users are encouraged to develop new ways to protect data as best they can. Take the quiz in Figure 1 after reviewing the measures below; they are a minimum standard for all computer users, regardless of their access to the network.
· The Clean Desk Rule. All paper and storage media must be cleared from your desk and stored in a locked repository. This can be a desk drawer or a file cabinet.
· Empty Printer. In a networked environment it is easy to leave several print jobs in the printer until they are all complete. This places the printed information at risk. In an area where maintenance personnel, vendors, and contractors are present, this policy must be enforced to prevent information from falling into the wrong hands.
· If you must write down your password, keep it in your wallet and keep the wallet with you. Do not write it under the keyboard, on your monitor, or anywhere else around your workstation.
· Users will not share their password with anyone. Any user may log in at any workstation. Managers will ensure they can access all local files of their employees. If users believe their password is compromised, they will notify their Departmental Information Security Supervisor (DISS), who will ask the IT staff to expire the old password and require the user to enter a new one.
· System Administrators will not use guest accounts. Any outside personnel requiring access will be issued an account with a specific username and password.
· Use the lockout feature to lock out would-be crackers.

Software Issues
Software can accomplish many tasks, especially on a shared network. It can produce, save, and print graphics and documents, and remind us to go to meetings. It can also tell us when someone is trying to view our data, or warn us of the presence of malicious software. System Administrators must install and configure firewall software to prevent unauthorized users from accessing sensitive data. The main software concern for users is ensuring they update and run their antivirus programs. Users, managers, and IT professionals all have a key role in employing software in a manner that best protects the network while still allowing the right people to see the right data.
We have elected to use Norton AntiVirus 2000 as our antivirus software. It offers strong protection, and its LiveUpdate feature greatly improves the chance that users will actually update and then run the software. We also intend to place this software on the OpenMail server. Most viruses are transported via e-mail attachments, so by scanning each attachment for viruses we greatly reduce our chances of contracting and spreading malicious software. Figure 2 shows how the mail server catches viruses coming from our own users as well as from users outside our network.

Figure 2: How antivirus software on the mail server can catch a virus coming from a user to the server, as well as a file coming to the mail server from outside the network.
Although we are confident this technique will catch most of the viruses introduced to the network, it cannot catch them all. Everyone must do their part. Users must update and run their virus scanning software every week, and every time they open an e-mail attachment or insert removable media into their machine. The IT staff can place the update files on the shared drive to make updating easy, and e-mailing links to the update files will also help. Managers must ensure this interaction takes place and that everyone is doing their part.
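As an added example, not taken from the paper or from any vendor's product, the following Python code shows the mail-server check described above: every attachment of a message is decoded and matched against a signature set, and the verdict is recorded along with whether the message is leaving our users or arriving from outside. The only signature is the EICAR test string, which is harmless and which every scanner is expected to detect; the internal domain example.com and the sample messages are constructed for the example. A signature match of this kind is exactly what cannot catch everything, which is why the text still requires desktop scanning.

```python
import email
from email import policy
from email.message import EmailMessage

# Constructed signature set: the EICAR antivirus test string. A real gateway
# consults the vendor's signature database instead of this dictionary.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SIGNATURES = {"EICAR-Test-File": EICAR}

# Assumption: our own users send from this domain.
INTERNAL_DOMAIN = "example.com"


def scan_bytes(data: bytes):
    """Return the name of the first matching signature, or None if clean."""
    for name, sig in SIGNATURES.items():
        if sig in data:
            return name
    return None


def scan_message(raw: bytes) -> dict:
    """Scan every attachment of one RFC 822 message.

    Returns the traffic direction, a (filename, verdict) list, and the action
    the server should take: deliver, or quarantine if any attachment matched.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = msg.get("From", "")
    direction = "outbound" if sender.lower().endswith("@" + INTERNAL_DOMAIN) else "inbound"
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""   # undo base64/quoted-printable
        findings.append((part.get_filename(), scan_bytes(payload)))
    infected = [name for name, hit in findings if hit]
    return {
        "direction": direction,
        "attachments": findings,
        "action": "quarantine" if infected else "deliver",
    }


def build_message(sender: str, recipient: str, attachments) -> bytes:
    """Construct a test message carrying the given (filename, bytes) attachments."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = recipient
    m["Subject"] = "test"
    m.set_content("see attached")
    for name, data in attachments:
        m.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return m.as_bytes()
```

Because the check runs on the decoded payload rather than on the raw message text, an attachment that is base64-encoded in transit is still matched; an inbound clean invoice is delivered while an outbound message from one of our users carrying the test file is quarantined.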
Firewalls and Other Monitors
Many users and managers think a firewall is designed only to keep unauthorized users out. A firewall, like any wall, keeps outside entities out while also keeping inside entities in. In short, we need firewalls that prevent unauthorized outside access while overseeing what insiders do with our data. An unauthorized outsider who reaches our network can delete, corrupt, or steal data, but must spend a great deal of time reviewing each file for something of worth. An employee, perhaps upset over a missed promotion, may know exactly where the valuable data lies and set out to deny our use of it. Another situation is an employee who tries to view sensitive data they have no authorization to see, whether to "borrow" material from an ongoing project and claim it as their own, or for other reasons such as salary and bonus lists. Regardless of the intent, none of these attacks on our data can be allowed to go undetected. Consequently, we need a monitoring suite that provides the following features:
· A means of reviewing our systems for vulnerabilities and recommending corrective actions.
· A means of monitoring packets to ensure that only authorized users may access the network.
· The ability to identify users inside the network who attempt to access data they are not authorized to view, including opening, copying, or deleting files.
· Active prevention measures, such as breaking the connection with the offending station or client, together with a means of notifying the System Administrator of the intrusion.
User Oversight
Trust and loyalty must be felt by both employees and management for any business to prosper. Many of our employees handle vast sums of cash every day. Each bill carries a face value that they count, so they know the exact value of the money with which they are charged. Unfortunately, information does not carry a face value, so we will take a slightly different approach. Like the vault, not all employees will have access to all of the information on the network. Salaries, performance appraisals, and marketing strategies are a few examples of the data this network will house. The value of this data is hard to determine, so we must protect it with every weapon available. In addition to the monitoring software, management, users, and the IT staff will all have a part in this effort.
Establishing Data Sensitivity
By ranking information by importance or degree of sensitivity, we give it value and make it easier to decide how best to protect it. Three levels of data sensitivity are used to assign these values; as the importance of the data rises, so does the level of protection applied to it. Descriptions of these levels and examples of each are provided below.
Open information may be shared freely with anyone in the company, clients, and vendors. Examples include customer service information, information on products and services currently offered, and administrative information about branches and company officers.
Company Sensitive information is to be viewed by employees only and will be saved only on shared drives designated for this level of information. This includes information on products and services, stock option information, and any information on benefits provided to our employees.
Management Only information is to be viewed only by direct reports to the Regional Managers. Password protection and other safeguards will be used to ensure the confidentiality and integrity of this information. Examples include strategic guidelines for increasing industry market share, or intelligence on competitors gathered through significant research and analysis.
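The monitoring requirement from the Firewalls and Other Monitors section (detect insiders opening, copying, or deleting files above their authorization, then drop the offending session and notify the System Administrator) and the three sensitivity levels just defined fit together naturally, so here is one added Python example, not code from the paper, that implements both. The share paths, the roles and their clearances, and the audit log lines are constructed for the example; the log format is assumed, since the paper names no monitoring product.

```python
import re

# The paper's three levels, ranked. A role's clearance is the highest level it may view.
LEVELS = {"open": 0, "company": 1, "management": 2}

# Assumption: each level lives on its own designated share, as the text requires.
SHARE_LEVELS = {
    "/shares/open/": "open",
    "/shares/company/": "company",
    "/shares/mgmt/": "management",
}

# Constructed clearances. Only direct reports to the Regional Managers see Management Only data.
CLEARANCE = {
    "receptionist": "open",
    "employee": "company",
    "regional_report": "management",
}

# Assumed audit-log format: "<date> <time> user=.. role=.. action=.. path=.. result=.."
LOG_RE = re.compile(
    r"^(\S+ \S+) user=(\S+) role=(\S+) action=(open|copy|delete) path=(\S+) result=(allowed|denied)$"
)

# Constructed sample log. jsmith probes the management share twice; rlee's open of
# a Company Sensitive file was *allowed*, which means an ACL is wrong, not the user.
SAMPLE_LOG = """\
2000-03-14 09:12:01 user=jsmith role=employee action=open path=/shares/company/benefits.doc result=allowed
2000-03-14 09:13:40 user=jsmith role=employee action=open path=/shares/mgmt/salaries.xls result=denied
2000-03-14 09:14:02 user=jsmith role=employee action=copy path=/shares/mgmt/salaries.xls result=denied
2000-03-14 09:20:15 user=rlee role=receptionist action=open path=/shares/company/stock_options.doc result=allowed
2000-03-14 10:01:00 user=mchen role=regional_report action=delete path=/shares/mgmt/strategy.doc result=allowed
not a log line
""".splitlines()


def classify(path: str) -> str:
    """Sensitivity of a file from where it is stored; unknown locations fail closed."""
    for prefix, level in SHARE_LEVELS.items():
        if path.startswith(prefix):
            return level
    return "management"


def parse_line(line: str):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, user, role, action, path, result = m.groups()
    return {"ts": ts, "user": user, "role": role, "action": action, "path": path, "result": result}


def review(lines, disconnect_after: int = 2):
    """Flag every access above the user's clearance.

    Returns (alerts, users_to_disconnect). An access that was *allowed* despite
    exceeding clearance is reported as a misconfigured ACL; a denied one is an
    attempt. A user with disconnect_after or more strikes is listed for session
    termination, the 'active prevention' the monitoring requirement asks for.
    """
    alerts, strikes = [], {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        need = LEVELS[classify(ev["path"])]
        have = LEVELS[CLEARANCE.get(ev["role"], "open")]   # unknown role: treat as open only
        if need > have:
            kind = "MISCONFIGURED ACL" if ev["result"] == "allowed" else "attempt"
            alerts.append(f'{ev["ts"]} {ev["user"]} {ev["action"]} {ev["path"]} ({kind})')
            strikes[ev["user"]] = strikes.get(ev["user"], 0) + 1
    to_disconnect = sorted(u for u, n in strikes.items() if n >= disconnect_after)
    return alerts, to_disconnect
```

Two design points matter here. The denied attempts are as important as the allowed ones: the access control stopped jsmith, but the pattern of probing is what the System Administrator needs to hear about. And the allowed access by rlee is an alert of a different kind, because the monitor has found that the share's permissions do not match the labels management assigned.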
Departmental Information Security Supervisor (DISS)
In an effort to bridge the gap between the IT staff and the end users, each department will assign a computer-literate department member to serve as the DISS. The DISS will receive formal training from the company and an 8% annual salary increase for performing these duties. Duties of the DISS include, but are not limited to, the following:
· Training their colleagues on sound computer and information security practices and techniques, including developing effective passwords.
· Developing standardized information security practices and procedures for the rest of the department to follow.
· Assisting users with backup procedures, virus protection updates and scans, and password selection. (NOTE: The DISS will teach the techniques mentioned earlier but WILL NOT maintain passwords for users.)
· Inspecting the computers in their department to ensure that there is no pirated or unauthorized software, that the virus scanner is up to date and active, and that an accurate inventory of all computer equipment, software, and peripherals is maintained.
· In conjunction with the department manager, notifying the IT staff of any new software or hardware requirements, any new staff members requiring accounts, and any current users leaving the company.
· Serving as an ad hoc help desk representative.
Managers must ensure that their staff accomplishes the tasks assigned to the department. Another equally important task is enforcing company policy: managers are responsible for ensuring their employees handle information in accordance with its level of sensitivity. Additional management tasks include:
· Informing the IT staff of any new hardware configuration that may affect security, for example the addition of remote access software or a modem.
· Appointing and supporting the DISS.
· Labeling information appropriately according to its sensitivity.
· Establishing their own policies that support good information security practices. One example is the clean desk policy, which reduces the chance of data being stolen from a desk at night when contractors or maintenance personnel may have uncontrolled access. Another is the empty printer policy: do not leave documents in the printer, especially if they have an elevated level of sensitivity.
Remote Access
Dial-up connections for establishing a data communication link have long been subject to risk and to compromise of the target host. Early implementations attempted to provide some degree of security with a method called "dial-back": the host was programmed to call a predefined number, but only after the authorized user had entered a static password. As telephone systems matured and the shortcomings of analog telephone lines became better known, the use of dial-back as a security mechanism diminished greatly.
The following risks are associated with dial-back and are well documented by the hacker/cracker community:
Corporate policy does not support the use of dial-back as a means of establishing a remote access connection.
Appropriate protection mechanisms shall be used to authenticate the user's identity. Remote access requires a dynamic, higher level of user authentication, and Corporate Information Protection approved encryption standards are to be used based on the sensitivity of the information, the classes of data, and the degree of risk to the ITBN. Two-factor user authentication is an authentication method that requires two of three accepted factors in order to confirm the identity of a user attempting to access a host. The factors are based on:
Account/UserID sponsoring or applicable management is responsible for ensuring immediate retrieval of the token card, and termination of the remote access associated with it, upon a change in job function or termination of the individual to whom it is assigned. Token cards are to be returned to the authorizing entity. The loss of a token device is to be reported immediately to Information Security Operations. Only token cards (hard tokens) are approved as the token authentication tool; the use of soft token software requires approval from Corporate Information Protection prior to implementation.
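The two-factor requirement above (a static password plus a one-time code from a token card) and the lockout advice from the Individual Security Efforts section are shown together in the following added Python example, which is not code from the paper and not an implementation of the RSA ACE/SecurID product in Table 1. The one-time codes use the open HOTP algorithm (RFC 4226, HMAC-SHA1 over an event counter) as a stand-in for the proprietary token; the failure threshold, lockout period, counter look-ahead window, and the sample user are assumptions.

```python
import hashlib
import hmac
import os
import struct
import time

MAX_FAILURES = 5        # assumption: lock the account after this many bad logins
LOCKOUT_SECONDS = 900   # assumption: how long the account stays locked
LOOK_AHEAD = 3          # assumption: how far the token may run ahead of the server's counter


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Account:
    def __init__(self, username: str, password: str, token_secret: bytes):
        self.username = username
        self.salt = os.urandom(16)
        self.pw_hash = self._hash(password, self.salt)   # never the password itself
        self.token_secret = token_secret                # shared with the token card
        self.counter = 0        # next counter value the server will accept
        self.failures = 0
        self.locked_until = 0.0

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def password_ok(self, password: str) -> bool:
        return hmac.compare_digest(self.pw_hash, self._hash(password, self.salt))


class Authenticator:
    def __init__(self):
        self.accounts = {}

    def add(self, account: Account) -> None:
        self.accounts[account.username] = account

    def login(self, username: str, password: str, code: str, now=None) -> str:
        """Return 'ok', 'denied' or 'locked'. Both factors are always evaluated,
        so a wrong password and a wrong code take the same time and give the
        same answer; either failure counts toward the lockout."""
        now = time.time() if now is None else now
        acct = self.accounts.get(username)
        if acct is None:
            Account._hash(password, b"\0" * 16)   # burn the same time as a real check
            return "denied"
        if now < acct.locked_until:
            return "locked"
        pw_ok = acct.password_ok(password)
        matched = None
        for c in range(acct.counter, acct.counter + LOOK_AHEAD + 1):
            if hmac.compare_digest(hotp(acct.token_secret, c), code):
                matched = c
                break
        if pw_ok and matched is not None:
            acct.counter = matched + 1   # this code, and every earlier one, is now dead
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
            return "locked"
        return "denied"
```

Advancing the counter past the accepted code is what makes a captured code useless to someone who sniffed the line: replaying it is refused. The lockout has a cost a practitioner should weigh before turning it on: anyone who knows a user name can lock that user out by sending five bad attempts, so the lockout should page the System Administrator rather than silently count, and throttling by source address is usually a better first line than locking the victim's account.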
Remote access to the ITBN, including connections initiated by OMSC networked information and computing resources, shall be controlled by means of network security systems that have been approved by Corporate Information Protection. OMSC has sole responsibility for the establishment and maintenance of all standard authentication servers and shall determine and/or approve any implementation of additional authentication servers as required to support remote access dial-in authentication.
Only standard antivirus protection software with no TCP/IP stacks (such as that bundled with major operating systems from Apple or Microsoft) is required when accessing the ITBN via remote connectivity. VPN access shall interface with the ITBN only through Corporate Information Protection approved Internet gateways maintained by the I.T. department.
Approved network security systems shall include at least the following control mechanisms:
Remote access communications devices other than those approved and identified in Table 1 below may be used only if the devices provide the same functionality/capability. Non-standard remote access communication devices require the approval of I.T.
Token devices are not required where full session encryption (channel encryption) is the remote access mechanism and corporate encryption standards are met. Token devices are required when using VPN or an encrypted line.
VPN software provides secure remote access to the ITBN across the commercial Internet or other external networks via line encryption. Additionally, VPN can provide restricted access to ITBN resources, as required.
Transmitting sensitive information from a remote or external source to the ITBN over a public switched telephone network or any untrusted network requires the use of VPN in conjunction with Corporate Information Protection approved remote access communications devices and a token device, to ensure authentication and to minimize risk to sensitive information. Where an encrypted line or encrypted software is used for all inbound and outbound transmissions, VPN may not be required.
Remote access communications for suppliers to perform maintenance support on applications, hardware, or operating system programs may be established provided the following conditions are met:
A Remote Access Web Site has been implemented to provide access to the information and resources required to successfully establish and maintain reliable dial-up access from any remote location to the OMSC Network.
Connecting remotely to the ITBN using certain technologies such as cable modem or xDSL increases the risk to information residing on the ITBN and on the local computing systems. It is the responsibility of the employee using remote access to inform Information Security Operations of the type of connectivity being used.
Technologies such as cable modems and xDSL require additional protection mechanisms such as, but not limited to:
NOTE: Split tunneling is strictly prohibited. A remote machine that is on the VPN and on the open Internet at the same time becomes a bridge into the ITBN for whatever reaches it from the Internet side.
Information Security Operations shall administer limitations on individual access or on certain persons/entities (i.e., non-employees, suppliers, contractors, foreign persons, etc.) at ITBN VPN entry points.
The Director, OMSC reserves the right to validate any computing device connected to the ITBN through the use of active or passive programs for compliance with Corporate Information Protection remote access requirements. Such activity may result in further action in those instances where it is determined that information protection requirements are not being met.
TABLE 1 - REMOTE ACCESS AUTHENTICATION STANDARD
The standard for remote access authentication for the OMSC is a combination of the Shiva family of communication products and the RSA Security, Inc. ACE Server, used in conjunction with the RSA Security, Inc. SecurID user authentication card; the standard VPN software for encrypted tunnels/network encryption is Nortel Extranet.
PRODUCT | SERVICE/CONFIGURATION
Shiva LanRover Communication Server & Access Switch | Configuration must be linked to the RSA Security, Inc. ACE Authentication Server on a per-user basis
CISCO AS5xxx Series ComServers | Configuration must be linked to the RSA Security, Inc. ACE Authentication Server on a per-user basis
RSA Security, Inc. ACE Authentication Server | Repository for the users authorized for external access to OMSC networked computing resources
RSA Security, Inc. SecurID | Token card
Summary
Technology can alert us to intrusion, monitor who does what to certain files, and prevent us from accessing data we are not authorized to use. Of all the tasks a network can accomplish for us, it cannot protect itself from weather or unpredictable utility spikes. For a network to serve us properly, we, the users, IT professionals, and management, must do our part to ensure our valuable data is available to those who need it and protected from those who might do it harm. We must go a step further and not only use protection tools, but use them properly. Like an unloaded gun, a weak password does little more than hinder a hacker's entrance for a few minutes at most. Used properly, these tools form a formidable gauntlet that may convince a would-be hacker or disgruntled employee that attempts to deface our data are futile. People and networks thrive in a mutually supportive environment, as long as each is configured and trained to perform its task properly.
Bibliography
1. Curry, David A. 1999. "Improving the Security of Your UNIX System". Presented at the web page of the Advanced Laboratory Workstation System. Available: http://www.alw.nih.gov/Security/Docs/passwd.html
2. Security Quiz, 1999. Issaquah, WA: CyberSafe Corporation. Available: http://www.cybersafe.com/primer/quiz2.htm
3. Power Protection Products, 1999. San Rafael, CA: Panamax Corporation. Available: http://www.panamax.com/products/computer/supermax.htm
4. Security Issues for Telecommuting, 1997. Gaithersburg, MD: National Institute of Standards and Technology. Available: http://csrc.nist.gov/nistbul/itl97-01.txt