Security Basics mailing list archives

RE: "It's ok we're behind a firewall"


From: Ben Schorr <bms () hawaiilawyer com>
Date: Thu, 20 Feb 2003 16:49:59 -1000

> 1. Still a large majority of computer crime (data theft, 
> damage etc) is caused by people who have access to internal 
> systems ... is there anywhere that I can get facts and 
> figures to support this?

Check with the FBI.
 
> 2. In an average company it's not so difficult to gain 
> physical access - how closely are the staff vetted let alone 
> third-party contractors. Stick a boiler suit on and carry a 
> big toolkit and many people will hold a door open for you!

It's an old axiom that if you carry a clipboard and act like you know where
you're going you can get into a lot of places without any questions being
asked.

> 3. Firewalls can be breached or misconfigured ... 

Indeed.
 
> I'm keen to apply a greater level of security to internal systems.
> 1. Caution against moving to the 'cutting edge' OS or latest 
> 2. Regular patching for security issues. Given the number of 
> vulnerabilities being posted I think it may be unreasonable 
> to expect patches to be installed as soon as they're posted - 
> each change will require a degree of administration (testing 
> etc) but perhaps scheduled quarterly updates... 

Quarterly may be too slow, though.  It seems obvious that people writing
exploits are jumping on the announced exploits with the full realization
that many if not most companies will not install the patches right away.
Slammer, for one good example, was preventable by installing a patch that
had been released well before the actual attack was unleashed.

I'd have to have a patch in my lab for 5 weeks while my production servers
get taken down by the exploit.  It's a tough call, no doubt.  You have to
balance two old proverbs:

        "Fools rush in where angels fear to tread" vs. "He who hesitates is lost."

> reported 6 months ago) Do you schedule patch updates (what's 
> the preferred frequency)?

We update fairly urgently, though we do try to aggressively monitor the
community to see if the first people to install it had any problems.  We
have backups and try to be prepared to roll-back if we need to, but if the
patch fixes what we consider to be a serious vulnerability we'll usually try
to be the 2nd or 3rd to install it, in a manner of speaking.
 
> 3. Control the build of internal systems so that unneeded 
> services are disabled. 

Another good point.  As I understand it, Windows 2003 ships with that
philosophy as well; little used services are turned off by default and must
be explicitly enabled by admins who want them.  As opposed to the way it was
done in prior versions of the OS.

> 4. Raise staff awareness of security issues (this is actually 
> the most important factor of all).

Education, education, education.
 
> The question is, how to approach the staff who've got their 
> heads buried in the sand.

Depends upon how far they're buried.  If they're unretrievable then perhaps
you need to approach them with a pink slip in hand.  Otherwise it comes back
to education and some of them will require more than others.

-Ben-
Ben M. Schorr, MVP-Outlook, CNA, MCPx3
Director of Information Services
Damon Key Leong Kupchak Hastert
http://www.hawaiilawyer.com
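The two hardening points discussed above (severity-tiered patch deadlines rather than a flat quarterly cycle, and controlling the build so that unneeded services are disabled) can be turned into a simple compliance check. The script below is an added example and is not code from the thread or from the poster's organisation; the policy windows, the service allowlist, the host inventory and the advisory identifiers are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed patch policy, in days from advisory publication: serious issues get
# an urgent window (leaving a little time to watch the community for bad
# patches), everything else rides a scheduled cycle. These numbers are
# example values, not figures from the mailing-list thread.
POLICY_DAYS = {"critical": 7, "high": 14, "moderate": 30, "low": 90}

# Assumed build baseline: the only services an internal server may run.
SERVICE_BASELINE = {"sshd", "ntpd", "syslog", "postgres"}


@dataclass
class Host:
    name: str
    services: set[str]
    # Pending advisories as (advisory id, severity, publication date).
    pending: list[tuple[str, str, date]]


def extra_services(host: Host, baseline: set[str] = SERVICE_BASELINE) -> set[str]:
    """Services running on the host that the build baseline does not allow."""
    return host.services - baseline


def overdue_patches(host: Host, today: date, policy: dict[str, int] = POLICY_DAYS) -> list[tuple[str, int]]:
    """Advisories whose policy deadline has passed, worst lag first.

    Returns (advisory id, days past deadline) pairs. Unknown severities are
    treated as critical so a mislabelled advisory is never silently ignored.
    """
    overdue = []
    for advisory, severity, published in host.pending:
        window = policy.get(severity, policy["critical"])
        deadline = published + timedelta(days=window)
        if today > deadline:
            overdue.append((advisory, (today - deadline).days))
    return sorted(overdue, key=lambda item: -item[1])


def compliance_report(hosts: list[Host], today: date) -> dict[str, dict]:
    """Per-host summary of baseline drift and patch lag."""
    return {
        host.name: {
            "extra_services": sorted(extra_services(host)),
            "overdue": overdue_patches(host, today),
        }
        for host in hosts
    }


# Constructed inventory (advisory ids are placeholders, not real advisories).
SAMPLE_HOSTS = [
    Host(
        name="fileserver01",
        services={"sshd", "ntpd", "syslog", "postgres", "telnetd", "ftpd"},
        pending=[
            ("ADV-EXAMPLE-001", "critical", date(2003, 1, 10)),
            ("ADV-EXAMPLE-002", "low", date(2003, 1, 1)),
        ],
    ),
    Host(
        name="appserver02",
        services={"sshd", "ntpd", "syslog"},
        pending=[("ADV-EXAMPLE-003", "moderate", date(2003, 1, 5))],
    ),
]

# Date of the thread, used as "today" for the constructed sample.
SAMPLE_TODAY = date(2003, 2, 20)


def sample_report() -> dict[str, dict]:
    return compliance_report(SAMPLE_HOSTS, SAMPLE_TODAY)


if __name__ == "__main__":
    for name, findings in sample_report().items():
        print(f"{name}:")
        for svc in findings["extra_services"]:
            print(f"  service not in baseline: {svc}")
        for advisory, lag in findings["overdue"]:
            print(f"  {advisory} is {lag} days past its policy deadline")
```

Run on the constructed inventory, the report flags the two non-baseline services on `fileserver01`, its critical advisory at 34 days past deadline, and the moderate advisory on `appserver02` at 16 days past; the low-severity item is still inside its 90-day window. The same structure lets you express the thread's "urgent for serious, scheduled for the rest" stance as data rather than as a judgement call made per patch.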

