Four ways to secure your company on a shoestring budget

[InfoSec News <isn () c4i org>]

http://www.computerworld.com/securitytopics/security/story/0,10801,86628,00.html

Advice by Peter H. Gregory
OCTOBER 30, 2003 
COMPUTERWORLD 

Blaster, Nachi and SQL Slammer are modern plagues that strike wired
businesses with increasing regularity. But even if these cataclysms
have failed to bring in more budget dollars, you, the security
professional, are still expected to keep company networks and assets
protected. Here are four steps you can take, using zero capital
dollars, that will visibly reduce risks and improve your security
program.

1. Update and publish your security policy. 

The weakest link in many organizations' security perimeter is 
employees. Therefore, it's important that workers be aware of what 
they're permitted—and not permitted—to do with their workstations. 
Security policies address this issue head-on by defining the 
boundaries of acceptable behavior. 

Part of an organization's security policy should be its Internet 
acceptable-use policy. Here are some of the main points that should be 
included: 

* Don't open e-mail messages from unknown or suspicious persons, or 
  suspicious e-mail messages from known persons. Many viruses have 
  been known to spread because of their enticing subject lines. 

* Don't share access to computers or applications with other 
  employees, and don't use other employees' access: Get your own. Anyone who 
  requires additional access to computers or applications should make 
  a formal request to the person or group that administers access. 

* Use locking screen savers and lock your workstation when you leave 
  your desk. 

* Don't use the Internet at work for non-business-related purposes. 
  This includes personal e-mail or Web surfing. Most organizations permit 
  occasional exceptions. 

* Don't install programs that are not approved by the IT department. 
  Unsupported programs can not only jeopardize the stability of one's 
  PC, but they also introduce undesirable programs such as spyware 
  into the business network. 

* Don't allow personally owned computers to connect to the business 
  network, even via an approved VPN program. Personally owned 
  computers often lack up-to-date antivirus software and other 
  protections. 

Make sure employees are keenly aware of these rules. 
Here are a few ideas for ensuring that the word gets out: 

* Hold mandatory security-awareness training classes. 

* Get senior management's support for these policies, and have the CEO 
  or chief operating officer send out e-mail(s) drawing employees' 
  attention to these policies. 

* Include a rule that states that failure to comply with policies will 
  result in disciplinary action up to and including termination of 
  employment.


2. Protect the entire perimeter, including laptops. 

If your organization has users with laptops, you can bet that some of 
them are connecting to the Internet via broadband connections (DSL, 
cable, satellite) lacking firewalls. This is exposing your laptops to 
the full force of still-active worms such as Blaster, Nachi, Slammer, 
Nimda and Code Red. A laptop whose antivirus signatures are not up to 
date and is connected to a broadband connection for any appreciable 
length of time will become infected with one of these worms. 

Then, if the user connects the laptop to the corporate network—whether 
via VPN, RAS or on the premises—the laptop will begin scanning the 
network for more victims. Even if the rest of your systems' antivirus 
software is up to date (and who in a large organization can claim 
100%?), the effects from the scanning traffic alone is often enough to 
take down business-critical applications. 

Don't permit contractors, temps, consultants or vendors to connect 
their laptops and other TCP/IP-enabled devices without approval from 
IT. You would be surprised by how many people - especially consultants 
and temps - still don't have any antivirus software on their laptops. 
Don't have a process? Make one, and quickly, that looks something like 
this: 


1. User or manager calls IT help desk with a request that IT examine a 
   third-party device that he wants to connect to the network. 

2. IT sends a PC technician to examine the device for up-to-date 
   antivirus software and signatures. 

3. If the device has working antivirus software, it will be permitted   
   to connect to the network. If not, the device's owner will be 
    required to acquire and install antivirus software. Back to Step 1.

Later, if a third-party laptop or other device is suspected of being 
infected with a worm or virus, IT can check its records to see if the 
person or department responsible made a request to have the device 
examined before connecting it to the network. If the device was 
connected without IT's approval, the responsible party should be taken 
behind the woodshed and taught a lesson. 


3. Block risky attachments on e-mail servers and gateways. 

A significant portion of Trojans and viruses are transported via
e-mail. Even if your mail server has antivirus software, it would be
prudent to strip certain attachment types from incoming e-mail
messages, including .exe, .bat, .reg, .vb, .vbs, .com and .pif. For a
list of selected attachment types to block, see [1] the report "E-mail
Attachment Safety" from Great White North Technologies, or refer to
information available from most antivirus software vendors.

You would be considered a good Netizen if you also blocked these
attachment types in outbound messages, thereby halting the spread of a
Trojan or virus. There is, by the way, a growing legal basis for
preventing malicious code such as Trojans, viruses and worms from
leaving your organization: You could be sued for damages related to
your organization's permitting malicious code to penetrate your
network and then spread to another.


4. Develop a security architecture, standards and requirements. 

Assemble a team of senior technologists to develop long-range
objectives. First, take a look at your organization's current
enterprise architecture and standards. Underneath all of this you
should be able to develop a security architecture that provides common
authentication services, as well as other "public utilities" such as
central audit and event logging, and encryption of network traffic
between servers.

When you get an idea of what your security architecture is going to
look like, you can then take a shot at developing product and protocol
standards. In each category of need, specify which product or protocol
will be used. For instance, you might state that each desktop system
will use Norton AntiVirus software and no other. For encryption of
application and administrative traffic between systems, you could use
IPsec. Do this for each area where a product, protocol or method is
needed to fulfill a particular purpose.

Develop a boilerplate requirements document that will be given to all
software and hardware vendors, and also to internal systems developers
and integrators. These requirements define how information systems
must behave and what protocols and standards they must support. This
will streamline the adoption of new products into your infrastructure
by make them more consistent with what you already have.

These measures will save your organization money in the long run by
reducing implementation and operating costs. A more consistent
infrastructure is less expensive to maintain.


Epilogue

I have always been a proponent of the phrase, "More than just
technology, security requires people and processes, too." In the
spending frenzy of the 1990s, many organizations overspent on hardware
and software. In information security, you can use capital budget
droughts to your advantage by shoring up policies, processes and
knowledge for your staff and your users.


Postscript

If your company lacks the basics—antivirus software, firewalls and
other basics—then your organization is in serious trouble. The only
way you can survive in this situation is if you are not connected to
the outside world at all. If you are in this unfortunate situation and
can't convince your senior management of the extreme danger of this
position, then I'd suggest you polish your resume, hone your skills
and start packing.


[1] http://www.novatone.net/mag/mailsec.htm



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.