A consulting client recently asked for a review of their network security. The senior admin at the site assured me that they were fully protected against all attacks. "How would you know?" I asked. "Oh we log everything," I was told. Well, the log was over 600MB in size and had not been checked in over two years. Their FTP server had indeed been compromised and they were completely unaware of the fact!
The surest way to guarantee that your computers are impenetrable is to unplug them from all networks. Install them in a locked room and guard them using only people with secret government clearances. This is exactly what the government does to protect its most sensitive security data. Given that you are not the CIA and you do want to connect to the Internet, this approach seems a bit draconian and not terribly practical. So, what CAN you do to protect your computers? Plenty. Practice good security hygiene, and you will minimize your risk of attack. More importantly, if you are attacked, you will be able to contain and secure the problem quickly.
"A company needs to protect itself by using best security practices. At the very minimum, implement a good layer 7 firewall," says Dee Liebenstein, Senior Product Manager, Symantec Security Response Team. Bob Webber, senior systems administrator at Channing Labs, Harvard Medical School, agrees: "If you don't want a full firewall you should at least have a choke router that checks for sanity of addresses. Local addresses will not be on the Internet, for example."
There are several components to computer systems security, or vulnerability management: the firewall, anti-virus and content filtering, intrusion detection, and a strong security policy. All are important, but securing your systems should be the first priority, particularly in a smaller company where there is less staff to monitor attacks. There are five basic best practices for securing a computer infrastructure: installing a firewall, maintaining automated virus protection on all systems, keeping system security patches current, ensuring strong passwords, and turning off unnecessary network services.
Employ a layer 7, full inspection firewall - You have three firewall choices: application, appliance, or managed firewall services. Application firewalls are more popular in larger enterprises that have the resources to install and maintain them. Smaller companies tend to use firewall appliances and managed services because the service provider or the vendor has the specialized knowledge to maintain the system properly. "The advantage of a managed firewall service is that everything is taken care of by the service provider, but it can be expensive. The decision to go with a managed service is strategic, not technical," says Liebenstein.
"Firewalls are a key component for modern site security, but they are by no means sufficient in themselves. You are still vulnerable to insider attacks, which include viruses running on inside hosts and peer-to-peer file sharing. There is no good way that a firewall can stop peer-to-peer links to port 80 (web services) on remote servers. The companies involved in peer-to-peer will take your money for protection, but this seems like a poor choice," comments Webber.
Use automatically updated anti-virus at gateway, server, and client - Second, install auto-updating anti-virus software on all server, gateway, and client machines. "Viruses can intrude in many ways, so you need protection at all possible entry points," notes Liebenstein. Her group at Symantec is constantly researching the latest security threats, and they share information with law enforcement agencies.
Ensure system security patches are up to date - Another essential security component is current patches on all systems and applications. This can be very challenging to implement in a complex environment. Currently the Microsoft and Linux environments are targeted by hackers more than the Macintosh and other UNIX systems, but it pays to be vigilant for all your computers.
Ensure passwords are strong - Many systems administrators consider user passwords the most challenging IT support issue. Change them regularly, and use passwords that contain numbers and characters rather than easy-to-guess names and words. Use readily available utilities, like Cracker, that will identify all insecure passwords quickly and easily. Wouldn't you rather find bad passwords than an intruder?
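As an added example (not code from the article or from any of the tools it names), here is a small Python audit that applies the password rules above: length, a digit and a symbol, nothing based on a name or dictionary word, and regular rotation. The account records, the wordlist, the 8-character minimum, the 90-day rotation interval and the audit date are all constructed or assumed values for illustration.

```python
import re
from datetime import date

# Assumed policy values (the article gives no specific numbers).
MIN_LENGTH = 8
MAX_AGE_DAYS = 90
AUDIT_DATE = date(2024, 3, 31)

# Constructed wordlist of easy-to-guess names and words; a real audit would
# load a full dictionary plus every local user and host name.
WEAK_WORDS = {"password", "letmein", "welcome", "admin",
              "alice", "bob", "carol", "dave"}

# Constructed sample inventory: (user, candidate password, last change date).
# A policy hook on the password-change path would supply these records.
SAMPLE_ACCOUNTS = [
    ("alice", "Tr0ub4dor-9x", date(2024, 1, 15)),
    ("bob", "password", date(2023, 6, 1)),
    ("carol", "bob1234", date(2024, 3, 2)),
    ("dave", "7Pq!wRz2#Lm", date(2021, 11, 9)),
]

def is_dictionary_based(pw):
    """True if the password is a listed word once digits/symbols are stripped."""
    return re.sub(r"[^a-z]", "", pw.lower()) in WEAK_WORDS

def check_password(user, pw, changed, today):
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if not re.search(r"\d", pw):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no symbol")
    if is_dictionary_based(pw) or user.lower() in pw.lower():
        problems.append("based on a name or dictionary word")
    if (today - changed).days > MAX_AGE_DAYS:
        problems.append("older than %d days" % MAX_AGE_DAYS)
    return problems

def audit(accounts, today):
    """Map each failing user to its violations; passing users are omitted."""
    report = {}
    for user, pw, changed in accounts:
        problems = check_password(user, pw, changed, today)
        if problems:
            report[user] = problems
    return report

def run_sample_audit():
    return audit(SAMPLE_ACCOUNTS, AUDIT_DATE)
```

Running `run_sample_audit()` on the constructed records flags bob, carol and dave and passes alice; the dictionary check is deliberately simple and does not catch leetspeak substitutions, which a real wordlist-based cracker would.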
Turn off unnecessary network services - Do not run FTP on a system unless it is an FTP server; you are just asking for trouble. Hackers regularly scan for systems with open service vulnerabilities. The CERT and SANS websites are both good resources for tools to identify known system holes.
So, what constitutes a good security policy? You need to create a process to manage security policy and report incidents. After you have installed all the protection, remember to check the logs regularly. Report anything unusual. Just because you are paranoid does not mean that there are not people out to get you. Top management support and awareness training are essential for successful implementation. If top management is ignoring the policy, how likely is the staff to follow it?
"The biggest component for good security is good management and information to employees. A good example is when a building's fire doors are blocked open: people's safety is compromised, but they just know it is much easier to get to their cars. Engineers are trained to solve problems; if they view security as a problem they will solve it. You might not like how," says Webber.
"Data and transaction security is of paramount importance in this age of rapidly expanding commercial and government computer networks and the emerging Internet economy." (Quoted from the Microsoft Enterprise Security website.)
"It is good to hear that the major systems companies are seeing the IT community take security seriously. Building security right into the products makes the administrator's job much easier in the long run," observes Liebenstein. "The reason you have security is to save the company money from productivity losses. To do it for any other reason is probably a waste of time," sighs Webber.
- www.sans.org - lots of information and classes on computer security
- www.cert.org - The CERT Coordination Center (CERT/CC) is a center of Internet security expertise, at the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University. Comprehensive site with current information on viruses, and vulnerabilities of many operating systems.
- www.symantec.com - Company website for Symantec, makers of Norton AntiVirus, a popular antivirus package.
- www.viruslist.com - Company website for Kaspersky Software, makers of multilanguage virus protection.
Beth Cohen is president of Luth Computer Specialists, Inc., a consulting practice specializing in IT infrastructure for smaller companies. She has been in the trenches supporting company IT infrastructure for over 20 years in a number of different fields including architecture, construction, engineering, software, telecommunications, and research. She is currently writing a book about IT for the small enterprise and pursuing an Information Age MBA from Bentley College.