The Seven Bad Things People Do To Endanger Their Network Security

(…Explained in Plain English)

Presented by SAGE Computer Associates, Inc. ¨ SAGE Computer Associates, Inc.:

– In business for 19 years – Hundred person-years of experience– Worked with many businesses– Certified Security Administrator on staff– Certified Microsoft Engineers on staff– Certified Novell Engineers on staff

Take away from today’s talk

¨ Nothing is secure¨ However, NO HEADS IN THE SAND¨ Inexpensive steps you can take NOW¨ Even on your home PC.

“There is nothing more secure than a computer which is not connected to the network ---

and powered off!”

What are the Seven Things?

¨ No Policies¨ Bad Passwords¨ No Virus Protection¨ No Backup¨ Inadequate protection against hackers¨ Don’t keep up with patches/fixes¨ Unrestrained e-mail/instant messaging

Mistake #1: No Policies• Data Security: Do you know who sees and has access to

what data? And should they have that level of access? • Termination policies: Disgruntled employees are the second

most common source of network sabotage• Remote access: A common hole in network security• Computer usage: Non-business activities that open your

network up to attack• Internet usage: You know there’s LOTS of bad stuff out

there – but do you know just how much? • Confidentiality awareness: Think about what your

employees know about your business• Hire the right people! It’s more important than you may

think

Internet Usage at Work¨ Productivity Issues:

– Cyber-loafing accounts for 30% to 40% of

lost worker productivity (Business Week)– 90% of those surveyed indicated that they view non-work related

web sites during work hours. (Vaultreports.com)¨ Resource use

– Downloading music/videos takes A LOT of network resources

More Reasons to Care

¨ Legal Liability– One in five men and one in eight women

admitted using their work computers as their primary lifeline to sexually explicit material online (MSNBC)

– Since the company is the one that gave employees access, the company is liable … unless the company can show it took reasonable steps to prevent problems (Corporate Politics on the Internet: Connection without Controversy)

Implement the Policies!

–Appropriate Security on the Network• Administrative/Supervisor rights• Appropriate Security for users

More Confidentiality Awareness

¨ Training

- particularly to address Social Engineering

“outside hackers use of psychological tricks on legitimate users of computer systems to get passwords/user-ids to get access to systems”

www.morehouse.org/hin/blckcrwl/hack/soceng.txt

Mistake #1: No PoliciesHow can we help?

Request a copy of our sample policies for:- Internet Usage- E-mail Usage- Virus Protection

and get SAGE to help you implement it

Mistake #1: No PoliciesHow can we help?¨ Internet Monitoring

– Monitor where people go on the Internet– Create reports– Block offensive/other sites- list updated 2x/week– Block specific kinds of traffic (music, photographs,

etc)– Block specific addresses– Block specific users– Block usage during specific times

Mistake #2: Bad Passwords

– 40% of all passwords are the word ‘password’

– Difficult passwords are hard to administerhttp://www.slac.stanford.edu/comp/security/password.html

Password Guidance¨ Password No-No’s:

less than eight characters a word found in a dictionary (English or foreign) a common usage word such as names of family, pets, friends,

co-workers, fantasy characters, etc. Computer terms and names, commands, sites, companies,

hardware, software. Birthdays/other personal information such as addresses and

phone numbers. Word or number patterns like aaabbb, qwerty, zyxwvuts,

123321, etc. Any of the above spelled backwards. Any of the above preceded or followed by a digit (e.g., secret1,

1secret)

Password Guidance¨ Password Suggestions (Strong passwords)

Contain both upper and lower case characters (e.g., a-z, A-Z) Have digits and punctuation characters as well as letters e.g., 0-9,

!@#$%^&*()_+|~-=\ {}[]:";'<>?,./) Are at least eight alphanumeric characters long. Are not a word in any language, slang, dialect, jargon, Are not

based on personal information, names of family, etc. Easily remembered. One way to do this is create a password

based on a song title, affirmation, or other phrase. For example, the phrase might be: "This May Be One Way To Remember" and the password could be: "TmB1w2R!" or "Tmb1W>r~"

Mistake #2: Bad PasswordsHow We Can Help:¨ Password Cracking Tool:

L0phtCrack www.sunbelt-software.com

-Runs in the background

-Can collect all passwords, given enough time

We will run this for you and

help you implement a policy

Future Solutions

¨ Security Tokens-Secure Computing solution¨ Biometrics

Mistake #3: No Virus Protection

¨ Different threats under the same name:– Virus– Worm– Trojan horse– Malicious code– Blended Threat– Hoax– Denial of Service DoS (not a virus)

Virus Security¨ Example of malicious codeFrom: Microsoft Corporation Security Center

<rdquest12@microsoft.com>To: Microsoft Customer <'customer@yourdomain.com'>Subject: Internet Security UpdateAttachment: q216309.exe

Microsoft Customer,this is the latest version of security update, the "7 Mar 2002 Cumulative Patch" update which eliminates all known security vulnerabilities affecting Internet Explorer and MS Outlook/Express as well as six new vulnerabilities, and is discussed in Microsoft Security Bulletin MS02-005. Install now to protect your computer from these vulnerabilities, the most serious of which could allow an attacker to run code on your computer.

Description of several well-know vulnerabilities:

Would have recognized this as a threat?

Virus Security

¨ Anti-Virus software

¨ MUST BE UPDATED!!¨ Home users need it as much as business users¨ By subscription- TrendMicro, Symantec, other

vendors

Virus Security

¨ Business users should be set up to update automatically without ‘human intervention’

¨ Training¨ Many websites, ‘kits’ available to write your own

viruses– http://orbita.starmedia.com/~lautaroml/virus.html

Virus Security

¨ Turn off the Preview Pane in Outlook– Click on View, unclick ‘preview pane’

¨ Turn off disk and printer sharing in Windows– Start button, click ‘Settings’, ‘Control Panel’

‘Network’ and make sure ‘share disk’ and ‘share printer’ are NOT checked

Mistake #3: Virus Security How We Can Help

¨ Virus Software Audit¨ Network Audit

Mistake #4: No Backup

¨ Most people believe this is covered, BUT– Data stored on local drives– Data not restorable– Tapes not taken off site– Not enough data backed up– Open files not handled

Mistake #4: No BackupHow We Can Help

¨ Backup Audit

Future Solutions

¨ Internet-based backup¨ Optical Storage

Mistake #5: Inadequate Protection Against Hackers ¨ Firewalls

– Blocks incoming traffic– From free to millions $$$$

EVERYONE MUST HAVE ONE

www.zonelabs.com – Software (home)

www.sonicwall.com – Appliance (business)

Mistake #5: Inadequate Protection Against Hackers-If you host your own website

¨ Incoming Web Traffic– SSL certificates– Different type of firewall– Data available for customers on your website has to be

segregated from the rest of the company data– Outsourcing

Internet Security

¨ What to ask your outsourced web hoster– Power back up– Internet connection redundancy– Which firewall?– Data back up– Business questions – How can I make changes?– Register your URL in YOUR name

Mistake #5: Inadequate Protection- How we can help

¨ Port Scan– Reports open ports/vulnerabilities

Mistake #6: Not Keeping Up with Patches/Service Packs¨ Difficult to Keep Pace—But Imperative

– Your lack of patching can help spread viruses to other networks

– Workstation updates are now part of the problem too

Mistake #6: Staying Current-How we can help

¨ Penetration Testing– Check for documented vulnerabilities

Mistake #7: Unrestrained Email, Instant Messaging¨ “E-mail is like sending a postcard on the Internet”

– Can be read by many people (your ISP, any system admin at any server along the message path, your employer, the US Government using Carnivore/Echelon or other software).

http://www.surfcontrol.com/business/products

– Can be re-sent to someone else, looking like it came from you.

Solution to E-Mail Security

¨ PGP “Pretty Good Privacy”– Download free copy at www.pgpi.org– Go see Phil at http://web.mit.edu/prz/

¨ Digital IDdigitalid.verisign.com

E-Mail SecurityEmail Gaffes

-BBC sports executive sends “I think they’re both crap” email (about two on-camera execs) to entire BBC sports staff (500 people)-London lawyer forwards message from his girlfriend re: “intimate act”- his colleague forwards it to others, in hours, spread across whole Internet. 6 people suspended from their jobs.

Email Protocol/Guidance– http://www.bmcc.cc.or.us/cs/cs125e/notes/etiq.htm– http://www.cio.com/archive/120100/diff.html

Instant Messaging (IM)¨ AOL Instant Messaging/ICQ/Yahoo

Messenger/MSN Messenger/ other packages– The good news?

• they’re free– The bad news?

• Completely not secure• People can pretend to be who they are not• With no policies in place, users have no guidelines on what

they can/cannot say

Instant Messaging Security

¨ Centralize it– Log the traffic– Encrypt the traffic (PGP has a module for this)– Establish policies

OR¨ Block it

Steganography¨ “Embedding secret messages in other files in a way that

prevents an observer from learning anything unusual is taking place”– Greek soldiers tattooed maps on their heads, and

then grew their hair out– Romans obscured messages by applying layers of

wax onto the tablets on which they were written, then melted the wax to read the message.

– Osama bin Laden and his associates have been using steganography to hide terrorist plans inside pornography and MP3 files freely distributed over the Internet.

Resources¨ Pretty Good Privacy for email: www.pgpi.org¨ Firewalls

– www.zonelabs.com (free personal firewall)- see this link for article about it: http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2870704,00.html

– http://www.firewall.com/ good general site for tech info¨ Virus software

– www.symantec.com– www.trendmicro.com(don’t use the free trial-pay for the real software)

Resources

¨ Steganography

http://members.tripod.com/steganography/stego.html

¨ Basic Security website:

http://online.securityfocus.com/infocus/1560¨ Security Certifications-Information Systems

Security Association

www.issa-intl.org/certification.html

Our Offer¨ When you fill out the evaluation form, you can choose

one of the services at no charge:1. Policy creation2. Virus protection audit3. Backup Audit4. Open Port Scan5. Patch/Service Pack Audit6. Internet Monitoring Pilot 7. Network Audit

Don’t Let the Perfect Interfere with the Good:¨ Download the policies if you don’t already have

them¨ Choose one of the free services on the evaluation

form to get started measuring the problem.¨ Download the free firewall (zonelabs.com) and

the not-free virus software for your home PC

For More Information:

jaymem@sagecomputer.com

(518) 458-9300

Thank You!

For More Information:

jaymem@sagecomputer.com

(518) 458-9300