How to Set Effective Security Policies at Your Organization


David Strom

VAR Business Technology Editor

June 20, 2002

My background

Author of “Home Networking Survival Guide” book from Osborne/McGraw Hill

Founding Editor-in-Chief, Network Computing

Tested numerous networking and security products

Things to know before you can set effective policies

Problems with existing network and applications infrastructure

Issues with products and protocols

Ways around the various tools that you are trying to use to lock things down

Who is in charge, anyway?

Do you have a chief security officer?

Does s/he have any real authority?

Does s/he have control over corporate directories, network infrastructure decisions, and internal applications development?

Look at your exposure from within

Network admins who have rights to everything

Applications that have access to other applications

Users who temporarily gain access outside of their normal departments

So let’s look at the following:

VPN policies and choices

Email policies and issues

eCommerce issues

Firewalls don’t protect you all the time

Role of integrators with VPNs

Help with their rollout and configuration

Help with remote support and troubleshooting

Recommend equipment and configuration

Include as part of overall telecommuting application

VPN Issue #1: Ease of use

VPNs still vexing

Matched pair problem

Hardware or software choices not always obvious

VPN Issue #2: Cable providers don’t like home networks

Getting static IPs can be a problem

Changing MAC addresses is an issue

Administering and supporting a home network is sometimes beyond their abilities or interest

… Yet all cable modems come with Ethernet!

VPN Issue #3: Providers hate VPNs

Well, maybe it is more that they are ignorant of VPNs than that they hate them

Some don’t include VPNs in their TOS

Some do everything they can to discourage their use (frequent IP changes, for example)

VPN Issue #4: Remote support

Coordinating a VPN roll out for telecommuters can swamp a small tech support department

Variations in Windows OS, and non-Windows PCs can be difficult!

What if users require more than one tunnel?

State of VPNs

Software now comes included in residential gateways like Sonic and Netgear

Still too hard for the average consumer, and the average business computer user

But wider support is inevitable

Costs too much and requires some careful justification

VPN.net: A new way of establishing VPNs

Email policies

How accurate is your employee directory?

Do outsiders have access to your email system? And for how long?

Do terminated employees have access still?

How often do employees copy all by mistake?
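One way to answer the directory questions above with a script, as an added example (not from the presentation): reconcile the mail system's account list against the HR roster and report mailboxes belonging to terminated staff, outsiders whose agreed end date has passed, and accounts with no HR record at all. The data classes, field names and sample records are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Person:
    login: str
    terminated: bool
    end_date: Optional[date]   # termination date, or contract end date for outsiders


@dataclass
class Mailbox:
    login: str
    enabled: bool
    external: bool             # created for a contractor, partner or other non-employee


def audit_mailboxes(roster, mailboxes, today) -> List[Tuple[str, str]]:
    """Return (login, reason) pairs for enabled mailboxes that need review."""
    people = {p.login: p for p in roster}
    findings = []
    for mb in mailboxes:
        if not mb.enabled:
            continue                      # already disabled, nothing to do
        person = people.get(mb.login)
        if person is None:
            findings.append((mb.login, "no HR record: orphaned or unknown account"))
        elif person.terminated:
            findings.append((mb.login, f"terminated {person.end_date}, mailbox still enabled"))
        elif mb.external and person.end_date is None:
            findings.append((mb.login, "outside account with no agreed end date"))
        elif mb.external and person.end_date < today:
            findings.append((mb.login, f"outside access expired {person.end_date}"))
    return findings


# Constructed sample data (assumed, not from any real directory).
SAMPLE_ROSTER = [
    Person("asmith", False, None),
    Person("bjones", True, date(2002, 5, 31)),
    Person("contractor1", False, date(2002, 3, 1)),
    Person("partner2", False, None),
]
SAMPLE_MAILBOXES = [
    Mailbox("asmith", True, False),
    Mailbox("bjones", True, False),
    Mailbox("contractor1", True, True),
    Mailbox("partner2", True, True),
    Mailbox("ghost", True, False),
]


def run_audit(today=date(2002, 6, 20)):
    """Run the audit over the sample data as of the given date."""
    return audit_mailboxes(SAMPLE_ROSTER, SAMPLE_MAILBOXES, today)
```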

Making email secure

Use Notes or Groupwise

Don’t run Outlook, Outlook Express

Use PGP or S/MIME products

eCommerce issues

Make sure you protect your enterprise network from intrusion

Limit user access, isolate servers, lock down scripts, harden servers

See www.nwfusion.com/netresources/0202hack1.html

Web/database issues

Understand security weaknesses and access controls of local database users

Understand web/database interaction from security perspective

Understand proxy server attacks (a la Adrian Lamo)

Block them CGI scripts!

Who is root and what can they really do?

Common mistakes with payment processing

Provide too few or too many order confirmation pages

Confusing methods and misplaced buttons on order page

Make it hard for customers to buy things

Don’t make your customers read error screens

ConEd bill payment issue

Claim they needed 100,000 customers to break even

https://m020-w5.coned.com/csol/main.asp

Note: lack of security, anyone with valid account number can see your bill! Try acct no. 434117168910006

Preventing credit card fraud

Don't accept orders unless full address and phone number present

Be wary of different "bill to" and "ship to" addresses

Be careful with orders from free email services

Be wary of orders that are larger than typical amount

Pay extra attention to international orders
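The five fraud heuristics above, turned into a screening function as an added example (not from the presentation): a missing address or phone number rejects the order outright, while the remaining signals add to a review score so that a suspicious order is held for a human rather than silently refused. The score weights, thresholds, free-mail domain list, home country and sample orders are all assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

FREE_MAIL_DOMAINS = {"hotmail.com", "yahoo.com", "aol.com"}  # assumed list
HOME_COUNTRY = "US"          # assumed country the store ships from
TYPICAL_ORDER = 150.0        # assumed typical order value
LARGE_ORDER_FACTOR = 3       # "larger than typical": assumed to mean 3x
REVIEW_THRESHOLD = 3         # assumed score at which an order is held


@dataclass
class Order:
    email: str
    phone: str
    bill_to: Dict[str, str]  # keys: street, city, country
    ship_to: Dict[str, str]
    amount: float


def screen_order(order: Order) -> Tuple[str, List[str]]:
    """Return ("reject" | "review" | "accept", reasons) for one order."""
    reasons = []
    # Hard rule: no order without a full address and a phone number.
    for label, addr in (("bill-to", order.bill_to), ("ship-to", order.ship_to)):
        missing = [k for k in ("street", "city", "country") if not addr.get(k)]
        if missing:
            reasons.append(f"{label} address missing {', '.join(missing)}")
    if not order.phone.strip():
        reasons.append("no phone number")
    if reasons:
        return "reject", reasons
    # Soft rules: each adds to a score; high scores go to manual review.
    score = 0
    if order.bill_to != order.ship_to:
        score += 1
        reasons.append("bill-to and ship-to addresses differ")
    domain = order.email.rsplit("@", 1)[-1].lower()
    if domain in FREE_MAIL_DOMAINS:
        score += 1
        reasons.append(f"free email service ({domain})")
    if order.amount > LARGE_ORDER_FACTOR * TYPICAL_ORDER:
        score += 2
        reasons.append(f"amount {order.amount:.2f} well above typical")
    if order.ship_to["country"].upper() != HOME_COUNTRY:
        score += 1
        reasons.append("international shipment")
    return ("review" if score >= REVIEW_THRESHOLD else "accept"), reasons
```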

Ways around firewalls

Uroam.com

GoToMyPC.com

Neoteris, other appliances

Remote control software (PC Anywhere, Carbon Copy, etc.)

Wireless LANs!

Remote control loopholes

Do you even know if they are running?

Do port scans for common ports that are used:

PC Anywhere: 5631-5632

Control IT: 799

Carbon Copy: 1680

VNC: 5900
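An added example (not from the presentation) of the port check the slide recommends, for auditing machines you administer: it attempts a TCP connection to each of the listed ports on each host and reports which remote-control product an open port suggests. The host list and the product names next to each port are assumptions; the probe function is injectable so the logic can be exercised without a network.

```python
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, Iterable

# Ports named on the slide, mapped to the product that commonly listens there.
# Note: pcAnywhere's status port 5632 is normally UDP, so a TCP probe may miss it.
REMOTE_CONTROL_PORTS = {
    5631: "pcAnywhere (data)",
    5632: "pcAnywhere (status)",
    799: "Control IT",
    1680: "Carbon Copy",
    5900: "VNC",
}


def port_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_host(host: str, probe: Callable[[str, int], bool] = port_open) -> Dict[int, str]:
    """Return {port: product} for the remote-control ports found open on one host."""
    return {port: name for port, name in REMOTE_CONTROL_PORTS.items() if probe(host, port)}


def audit_hosts(hosts: Iterable[str], probe=port_open) -> Dict[str, Dict[int, str]]:
    """Audit many hosts in parallel; only hosts with at least one finding are returned."""
    with ThreadPoolExecutor(max_workers=16) as pool:
        results = list(pool.map(lambda h: (h, audit_host(h, probe)), hosts))
    return {host: found for host, found in results if found}


if __name__ == "__main__":
    # Assumed host list: replace with the addresses of your own desktops.
    for host, found in audit_hosts(["192.0.2.10", "192.0.2.11"]).items():
        for port, product in found.items():
            print(f"{host}: port {port} open, looks like {product}")
```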

Wireless LAN loopholes

Do you even know if they are running?

NetStumbler.com: good resource

Read this article too.

Wireless VPN/firewall appliances

BlueSocket

ReefEdge

Vernier Networks

Mobility from Netmotion Wireless

Conclusions and questions

David Strom

Technology Editor

VAR Business magazine

dstrom@cmp.com

(516) 562-7151
