Vulnerability Assessment
Security departments should perform vulnerability assessments (or scans) of the organization’s systems on a regular basis. The department should plan monthly assessments of all systems within an organization. If the number of systems is large, the systems should be grouped appropriately and portions of the total scanned each week. Plans should also be in place for follow-up with system administrators to make sure that corrective action is taken.
Audit
The security department should have plans to conduct audits of policy compliance. Such audits may focus on system configurations, on backup policy compliance, or on the protection of information in physical form. Since audits are manpower-intensive, small portions of the organization should be targeted for each audit. When conducting audits of system configurations, a representative sample of systems can be chosen. If significant non-compliance issues are found, a larger audit can be scheduled for the offending department or facility.
Training
Awareness training plans should be created in conjunction with the human resources department. These plans should include schedules for awareness training classes and detailed publicity campaign plans. When planning classes, the schedules should take into account that every employee should take an awareness class every two years.
Policy Evaluation
Every organization policy should have built-in review dates. The security department should have plans to begin the review and evaluation of the policy as the review date approaches. Generally, this will require two policies to be reviewed each year.
TECHNICAL SECURITY
Technical security measures are concerned with the implementation of security controls on computer and network systems. These controls are the manifestation of the organization’s policies and procedures.
Network Connectivity
The movement of information between organizations has resulted in a growing connectivity between the networks of different organizations. Connectivity to the Internet is also increasing as organizations seek to utilize the Net for communication, marketing, research, and, increasingly, for business. To protect an organization from unwanted intrusions, the following items are recommended as best practices.
Permanent Connections
Network connections to other organizations or to the Internet should be protected by a firewall. A firewall acts in the same manner as a firewall between two rooms in a building: It separates the area into different compartments so that a fire in one room will not spread to another. Likewise, firewalls separate an organization’s networks from the Internet or from the networks of other organizations so that damage in one network cannot spread. Firewalls may be filtering routers, packet filtering firewalls, or application layer firewalls, depending on the needs of the organization (see Chapter 9).
Dial-in Connections
Dial-in connections can be targeted to gain unauthorized access to organizations and therefore should be protected. Since dial-in connections can allow access to the internal network of an organization just as a permanent connection can, some form of two-factor authentication should be used. Two-factor authentication mechanisms that are appropriate include:
▼ Dial-Back Modems Dial-back modems used in conjunction with an authentication mechanism may be sufficient. In this case, the dial-back modems must be configured with a number to call prior to the dial-in connection being attempted. The user attempting to connect should not be able to change the number. Dial-back modems are not appropriate for mobile users.
■ Dynamic Passwords Dynamic passwords are appropriate to use as an authentication mechanism as long as the dynamic password must be combined with something known by the user.
▲ Encryption Devices Portable encryption devices are appropriate to use as an authentication mechanism as long as they are combined with something known by the user. The encryption device should be pre-loaded with appropriate encryption keys so that it constitutes something the user has.
Any of these mechanisms are appropriate for authenticating users over dial-in connections. Note that these mechanisms might also be appropriate for VPN connections.
Virus Protection
Computer viruses are one of the most prevalent threats to organization information. The number and sophistication of viruses continue to increase, and the susceptibility of current desktop application software to misuse by viruses also continues. Viruses enter organizations through three primary ways:
▼ Files shared between home computers and work computers
■ Files downloaded from Internet sites
▲ Files that come into an organization as e-mail attachments
To manage this risk, best practices recommend that a strong anti-virus program be created for the organization. A strong anti-virus program controls viruses at three points:
▼ Servers Anti-virus software is installed on all file servers and is configured to periodically run complete virus checks on all files.
■ Desktops Anti-virus software is installed on all desktop systems and is configured to periodically run complete virus checks on all files. In addition, the anti-virus software is configured to check each file as it is opened.
▲ E-mail Systems Anti-virus software is installed either on the primary mail server or in the path that inbound e-mail takes to the organization. It is configured to check each file attachment prior to delivery to the end user.
The installation and configuration of the anti-virus software is only half of the solution to the virus problem. To be complete, an anti-virus program must also allow for frequent virus signature updates and the delivery of the updates to the servers, desktops, and e-mail systems. Updates should be received based on the software manufacturer’s recommendations. This should be no less frequently than monthly.
Authentication
The authentication of authorized users prevents unauthorized users from gaining access to corporate information systems. The use of authentication mechanisms can also prevent authorized users from accessing information that they are not authorized to view. Currently, passwords remain the primary authentication mechanism for internal system access. If passwords are to be used, the following are recommended as best practices:
▼ Password Length Passwords should be a minimum of eight characters in length.
■ Password Change Frequency Passwords should not be more than 60 days old. In addition, passwords should not be changed for one day after a password change.
■ Password History The last ten passwords should not be reused.
▲ Password Content Passwords should not be made up of only letters but instead should include letters, numbers, and special punctuation characters. The system should enforce these restrictions when the passwords are changed. Passwords should always be stored in encrypted form, and the encrypted passwords should not be accessible to normal users.
For extremely sensitive systems or information, passwords may not provide sufficient protection. In these cases, dynamic passwords or some form of two-factor authentication should be used.
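The four password rules above, expressed as a policy check that a system could run when a user changes a password (an added example, not code from the book; the salted SHA-256 history format, the ISO date strings and the function names are assumptions made here):

```python
"""Password-policy checker for the rules listed above (added example, not
from the book): minimum length eight, 60-day maximum and one-day minimum
age, no reuse of the last ten, mixed character classes. The salted
SHA-256 history and the function names are assumptions."""
import hashlib
import string
from datetime import date

MIN_LENGTH, MAX_AGE_DAYS, MIN_AGE_DAYS, HISTORY_SIZE = 8, 60, 1, 10
SALT = b"example-salt"  # constructed; real systems use a random per-user salt

def pw_hash(password):
    # History is kept only as hashes, never as clear-text passwords.
    return hashlib.sha256(SALT + password.encode()).hexdigest()


def age_days(last_change, today):
    # Dates are ISO strings ("2001-03-01") so records can come straight from a file.
    return (date.fromisoformat(today) - date.fromisoformat(last_change)).days


def content_ok(password):
    # Rule: letters, numbers and special punctuation characters must all appear.
    return (any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


def check_change(new_pw, history, last_change, today):
    """Policy violations for a proposed change; history = hashes, newest first."""
    problems = []
    if len(new_pw) < MIN_LENGTH:
        problems.append("too short")
    if not content_ok(new_pw):
        problems.append("must mix letters, digits and punctuation")
    if pw_hash(new_pw) in history[:HISTORY_SIZE]:
        problems.append("reused one of the last %d passwords" % HISTORY_SIZE)
    if age_days(last_change, today) < MIN_AGE_DAYS:
        problems.append("changed less than one day ago")
    return problems


def is_expired(last_change, today):
    # Rule: passwords more than 60 days old must be changed.
    return age_days(last_change, today) > MAX_AGE_DAYS


def record_change(new_pw, history):
    # After a successful change, keep only the last ten hashes for reuse checks.
    return [pw_hash(new_pw)] + history[:HISTORY_SIZE - 1]
```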
All organization systems should be configured to start a screen saver to remove information from the screen and require re-authentication if the user is away from the computer for longer than ten minutes. If an employee were to leave a computer logged into the network and unattended, an intruder would be able to use that computer as if he were the employee unless some form of re-authentication were required.
Audit
Auditing is a mechanism that records actions that occur on a computer system. The audit log or file will contain information as to what events (logins, logouts, file access, and so on) took place, who performed the action, when the action was performed, and whether it was successful or not. An audit log is an after-the-fact, investigative resource. The audit log may hold information as to how a computer system was penetrated and which information was compromised or changed. The following events should be recorded:
▼ Logins/logoffs
■ Failed login attempts
■ Network connection attempts
■ Dial-in connection attempts
■ Supervisor/administrator/root login
■ Supervisor/administrator/root privileged functions
▲ Sensitive file access
Ideally, these events are recorded in a file that is located on a secured system. In this way, an intruder will not be able to erase the evidence of her actions.
To be effective, audit logs must be reviewed on a regular basis. Unfortunately, audit logs are among the most tedious files to review by hand. Humans are just not good at reviewing huge audit logs looking for a few entries that may indicate some event of interest. Therefore, organizations should use automated tools to review audit logs. The tools may be as simple as scripts that work through the log files looking for pre-configured strings of text. It is recommended that audit logs be reviewed on a weekly basis.
Encryption
Sensitive information may be put at risk if it is transmitted through unsecured means such as Internet electronic mail or phone lines. Sensitive information may also be put at risk if it is stored in an unprotected portable computer. Encryption provides a means of protecting this information.
If the sensitivity level of the information warrants it, information should be encrypted when transmitted over unsecured lines or electronic mail. The algorithm used should have a level of assurance that matches the sensitivity of the information being protected. Link encryption should be used for transmission lines between organization facilities. If virtual private network links are used between facilities, the VPN should use a strong form of encryption on all information sent between the two sites.
If electronic mail is used to transmit sensitive information within an organization, it may not be necessary to encrypt the messages. However, if electronic mail is used to transmit sensitive information outside of the organization’s internal network, the messages should be encrypted. If the message is being sent to another organization, procedures should be established beforehand to allow for the encryption of the message.
Sensitive information should be encrypted when kept on portable computers. The algorithm used should have a level of assurance that matches the sensitivity of the information being protected. The system used for portable computers should require the user to authenticate himself prior to gaining access to the information. Ideally, the system used will allow the organization to gain access to the information if the user is unavailable. The encryption algorithms used for any encryption should be well known and well tested (see Chapter 12 for more information on encryption algorithms).
Backup and Recovery
As stated in the “Administrative Security” section, backup and recovery are integral parts of a company’s ability to restore operations after a failure. The more current the backups, the easier it is for the organization to restore operations. Information on server systems should be backed up daily. Once per week, a full backup should be performed. Backups on the other six days should be incremental.
All backups should be periodically verified to determine if the backup successfully copied the important files. Regular schedules of tests should be established so that all media are tested periodically.
Backups of desktop and portable systems can be problems for any organization. One problem is the sheer volume of data. A second problem is the need to perform these backups across networks. Generally, backups of desktop and portable computers should only be performed if the information is too sensitive to be stored on a network file server. In this case, the backup system should be co-located with the computer system.
As important as making the backups is the storage of the backups once they are successfully made. Backups are made so that the organization can recover the information if a failure occurs. The failures may range from a user mistakenly deleting an important file to a site-destroying disaster. The need to restore from both types of events creates conflicting requirements for the storage of backups. To restore important user files, the backups need to be close and available so that the restore can be done quickly. To protect against disasters, the backups should be stored off-site for protection.
Best practices recommend that backups be stored off-site to maximize the protection of the information. Arrangements should be made to have backups brought back to the organization’s facility in a timely manner if they are needed to restore certain files. Backups should be moved off-site within 24 hours of being made.
Physical Security
Physical security must be used with other technical and administrative security for full protection. No amount of technical security can protect sensitive information if physical access to computer servers is not controlled. Likewise, power and climate conditions may affect the availability of information systems. Best practices recommend that physical security be used to protect information systems in four areas:
▼ Physical access
■ Climate
■ Fire suppression
▲ Electrical power
Physical Access
All sensitive computer systems should be protected from unauthorized access. Normally, this is done by concentrating the systems in a data center. Access to the data center is controlled by an access list. Badge access or combination lock access is used to restrict the employees who can enter the data center.
The walls of the data center should be true-floor-to-true-ceiling walls that do not allow access to the data center by going through a false ceiling.
Climate
Computer systems are sensitive to high temperatures. Computer systems also generate significant amounts of heat. The climate control units for the data center should be capable of maintaining constant temperature and humidity and should be sized correctly for the room and heat put out by the expected number of computer systems. The climate control units should be configured to notify administrators if a failure occurs or if the temperature goes out of the normal range. Water condenses around air conditioning units. This water must be removed from the data center.
Fire Suppression
Water fire-suppression systems are not appropriate for data centers as a discharge will damage computer systems. Only non-water fire-suppression systems should be used in data centers. The fire-suppression system should be configured so that a fire in an adjoining space does not set off the system in the data center.
NOTE: Many fire regulations require that all spaces in a building have sprinkler systems installed regardless of other fire-suppression systems. If this is the case, the non-water fire-suppression system should be configured to go off before the sprinkler system.
Electrical Power
Computer systems require electrical power to operate. In many locations, spikes and short interruptions occur in the electric power supply. Such interruptions can cause computer systems to fail and result in the loss of data. All sensitive computer systems should be protected from short outages.
Battery backups best accomplish this. Battery backups should be sized to provide sufficient power to gracefully shut down the computer systems. To protect systems from longer outages, emergency generators should be used. In either case, alarms should be configured to notify the administrators that a power outage has occurred.
PART III
Practical Solutions
Copyright 2001 The McGraw-Hill Companies, Inc.