Security 101

Lesson 1: Nobody believes anything bad can happen to them, until it does.

Lesson 2: Security only works if the secure way also happens to be the easy way.

Lesson 3: If you don't keep up with security fixes, your network won't be yours for long.

Lesson 4: It doesn't do much good to install security fixes on a computer that was never secured to begin with.

Lesson 5: Eternal vigilance is the price of security.

Lesson 6: There really is someone out there trying to guess your passwords.

Lesson 7: The most secure network is a well-administered one.

Lesson 8: The difficulty of defending a network is directly proportional to its complexity.

Lesson 9: Security isn't about risk avoidance; it's about risk management.

Lesson 10: Technology is not a panacea.

This article is oriented toward the person or persons charged with the responsibility of system administration, but we believe it to be of interest to decision-makers and non-technical managers as well.

Computer security is most effective as a "wall of protection". The wall is not built with one giant brick but is made up of many smaller bricks. When all of the bricks are used together, the security becomes stronger and able to withstand many different types of assaults.

Microsoft has published the Ten Immutable Laws of Security to help companies understand the core elements of a security strategy. The laws on this list reflect the basic nature of security, rather than any product-specific issue. We at Teconic feel that this is an excellent "primer" on the sometimes inscrutable topic of security.

Lesson 1: Nobody believes anything bad can happen to them, until it does.

Many people are unwilling partners in computer security breaches. This isn't because they're deliberately trying to endanger the network - they simply have a different agenda than a systems administrator. The reason that a company has a network is because it lets the company conduct business, and the users are focused on the company's business rather than on the vagaries of computer security. Many users can't conceive why someone might ever go to the trouble of sending them a malicious email or trying to crack their password, but an attacker only needs to find one weak link in order to penetrate the network. As a result, relying on voluntary measures to keep the network secure is likely to be a non-starter. It is absolutely critical to mandate security on the network. Develop a security policy that spells out specifically what the value of the information on the network is, and what steps the company is willing to take to protect it. Then develop and implement security measures on the network that reflect this policy.


Lesson 2: Security only works if the secure way also happens to be the easy way.

As discussed in Lesson #1, you need the authority to mandate security on the network. However, the flip side is that if you turn the network into a police state, you're likely to face an uprising. If security measures obstruct the business processes of the company, the users may flout them. Again, this isn't because they're malicious - it's because they have jobs to do. The result could be that the overall security of the network would actually be lower after implementing more stringent policies. There are three key things that can be done to prevent your users from becoming hackers' unwitting accomplices.

  1. Make sure the corporate security policy is reasonable, and strikes a balance between security and productivity. Security is important, but if the network is so secure that nobody can get any work done, you haven't really performed a service for the company.

  2. Look for ways to make security processes have value to the users. For instance, if you have a security policy that calls for virus signatures to be updated once a week, don't expect the users to do the updates manually. Instead, consider using a "push" mechanism to do it automatically. The users will like the idea of having up-to-date virus scanners, and the fact that they didn't have to do anything makes it doubly popular.

  3. In cases where you must impose a restrictive security measure, explain to your users why it's necessary. It's amazing what people will put up with when they know it's for a good cause.


Lesson 3: If you don't keep up with security fixes, your network won't be yours for long.

It's a fact of life: software contains bugs. Some of these bugs involve security, and there's a huge number of disreputable people actively searching for them in the hope of using them against you. No matter how secure your network is today, it could all change overnight if a particularly serious vulnerability is discovered. It could even happen if a series of less-serious vulnerabilities are discovered that can be used in tandem, in an attack that's greater than the sum of its parts. It's vital that you stay on top of the tactical world of security, and plug the holes in your armor whenever one is found.

The good news is that there are a lot of tools to help you do this. Security mailing lists like NTBugTraq, BugTraq and Win2kSecAdvice are a great way to learn about the latest attacks. In addition, many software vendors have developed security response processes to investigate and fix vulnerabilities. Make sure you check for new bulletins frequently. And don't forget service packs - they're one of the best ways to ensure that you're as secure as possible.


Lesson 4: It doesn't do much good to install security fixes on a computer that was never secured to begin with.

What good are security patches if there is a weak administrator password on the domain controller? Or if the Guest account on the payroll server is enabled? The time to lock down a machine is before it's ever connected to the network. If this sounds like too much work, consider that, if a bad guy compromises the machine, you're going to need to rebuild it anyway. Microsoft provides security checklists that make it easy to lock down your machines, as well as a security lockdown tool that you can use to automatically secure IIS 5.0 web servers. These tools are invaluable in establishing and maintaining a strong security presence.


Lesson 5: Eternal vigilance is the price of security.

OK, so you read Lessons 3 and 4 and patted yourself on the back. You've done everything right - you secured your machines before putting them into production, you've got the latest service pack installed, and you've been diligently applying security patches. You must be secure, right? Well, maybe, but maybe not. Even under these conditions, a malicious user could attack your network. For instance, he could mount flooding attacks, and simply send huge numbers of legitimate requests to a server in order to use all of its resources. Or he could conduct brute-force password-guessing attacks. Neither security patches nor machine configurations can totally prevent attacks like these, because the bad guy's activities, although malicious, aren't invalid.

You do have a weapon, though - the event logs. They'll reveal information about who is using system resources, what they're doing, and whether the operation succeeded or failed. Once you know who's doing what, you can take appropriate action. If someone is flooding your system, you can block requests from their IP addresses. If someone is trying to brute-force your accounts, you can disable ones that are at risk, set up "honey traps" to catch him, or increase the lockout interval on the accounts. In sum, the event log lets you gauge the health of your systems, and determine the right course of action to keep them safe.

Be careful when configuring the event logs - you can easily audit so many events that you'll exceed your ability to analyze the data. Carefully plan what events you need to log, and whether you need to audit only successes, failures or both. The security checklists include suggested settings in this regard. Finally, keep in mind that the data won't do any good unless it is used. Establish procedures for regularly checking the logs. If you've got too many machines to check them all yourself, consider buying a third-party data mining tool that will automatically parse the logs for known indicators that your system is under attack.
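The log review Lesson 5 describes, as an added example that is not part of the article: it runs over constructed log lines in an assumed one-line-per-event layout and flags accounts hit by repeated failed logons (the failed-logon auditing Lesson 6 also recommends) and sources that flood a server, the two cases the text names. The function names, the field layout and the thresholds are all assumptions, not anything Microsoft or Teconic ships.

```python
from collections import defaultdict
# Constructed sample (not from the article), one event per line in an assumed
# "HH:MM:SS KIND SUBJECT SOURCE_IP OUTCOME" layout: who, what, from where, pass/fail.
SAMPLE_LOG = """\
09:00:01 LOGON jsmith 10.0.0.7 FAILURE
09:00:03 LOGON jsmith 10.0.0.7 FAILURE
09:00:04 LOGON jsmith 10.0.0.7 FAILURE
09:00:06 LOGON jsmith 10.0.0.7 FAILURE
09:01:10 LOGON mjones 10.0.0.12 FAILURE
09:02:00 HTTP / 203.0.113.9 SUCCESS
09:02:00 HTTP / 203.0.113.9 SUCCESS
09:02:01 HTTP / 203.0.113.9 SUCCESS
09:02:01 HTTP / 203.0.113.9 SUCCESS
09:02:02 HTTP / 203.0.113.9 SUCCESS
09:02:05 HTTP / 198.51.100.4 SUCCESS
"""

def parse_events(text):
    """One dict per well-formed line; malformed lines are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[4] not in ("SUCCESS", "FAILURE"):
            continue
        h, m, s = (int(x) for x in parts[0].split(":"))
        events.append({"t": h * 3600 + m * 60 + s, "kind": parts[1],
                       "subject": parts[2], "source": parts[3], "outcome": parts[4]})
    return events

def brute_force_suspects(events, max_failures=3):
    """Accounts with more than max_failures failed logons -> sources that tried them."""
    failures = defaultdict(list)
    for e in events:
        if e["kind"] == "LOGON" and e["outcome"] == "FAILURE":
            failures[e["subject"]].append(e["source"])
    return {acct: sorted(set(src)) for acct, src in failures.items()
            if len(src) > max_failures}

def flood_suspects(events, max_per_window=4, window=3):
    """Sources that sent more than max_per_window requests within any `window` seconds."""
    times = defaultdict(list)
    for e in events:
        if e["kind"] == "HTTP":
            times[e["source"]].append(e["t"])
    for ts in times.values():
        ts.sort()
    # max_per_window + 1 consecutive requests < window seconds apart == one crowded window
    return sorted(src for src, ts in times.items()
                  if any(ts[i] - ts[i - max_per_window] < window
                         for i in range(max_per_window, len(ts))))
```

The thresholds are the part to tune against your own baseline: set them from what a normal day looks like in your logs, not from the sample.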


Lesson 6: There really is someone out there trying to guess your passwords.

Passwords are a classic example of the truism that your system is only as secure as the weakest part of your defenses. One of the first things an attacker may test is the strength of your passwords, for two reasons:

  1. They're extraordinarily valuable. Regardless of the other security practices you follow, if a bad guy can learn just one user's password, he can gain access to your network. From there, he has a perfect position from which to mount additional attacks.

  2. Passwords are "low-hanging fruit". Most people pick lousy passwords - they'll pick an easily guessed word, and never change it. If forced to pick a more-difficult password, many users will write it down. (This is also known as the "yellow sticky pad" vulnerability.) You don't have to be a technical whiz to crack someone's account if you already know their password.

Unless you can enforce a strong password policy, you'll never secure your network. Establish minimum password length, password complexity, and password expiration policies on your network. Also, use account lockout, and make sure you audit for failed logon attempts. Finally, make sure that your users understand why it's a bad practice to write their passwords down. If you need a demonstration, get management approval to periodically walk through your users' offices, and check for the dreaded sticky note with a password written on it. Don't do an intrusive search, just check the top desk drawer, the underside of the keyboard, and the pull-out writing table that's found on many desks. If your company is typical, you'll be amazed how many you'll find. This activity, also known as "social engineering" or "people hacking", is the primary tool of the person engaged in corporate espionage.


Lesson 7: The most secure network is a well-administered one.

Most successful attacks don't involve a flaw in the software. Instead, they exploit misconfigurations - for example, permissions that were lowered during troubleshooting but never reset, an account that was created for a temporary employee but never disabled when he left, a direct Internet connection that someone set up without approval, and so forth. If your procedures are sloppy, it can be difficult or impossible to keep track of these details, and the result will be more holes for a bad guy to slither through. The most important tool here isn't a software tool - it's procedures. Having specific, documented procedures is an absolute necessity. As usual, it starts with the corporate security policy, which should spell out, at a broad level, who is responsible for each part of the network, and the overall philosophy governing deployment, management and operation of the network.

But don't stop with the high-level corporate policy. Each interest group should refine the policy and develop operating procedures for their area of responsibility. The more specific these procedures are, the better. And write them down! If procedures exist only as oral tradition, they will be lost as IT and functional department personnel changes. Next, consider setting up a "Red Team", whose only job is to scour the network for potential security problems. Red Teams can immediately improve security by bringing a fresh set of eyes to the problem. But there can be a secondary benefit as well. Network administrators will be much more likely to think about security in the first place if there's a Red Team on the prowl - if only because nobody wants the Red Team showing up at their office to discuss the latest security problem they found.


Lesson 8: The difficulty of defending a network is directly proportional to its complexity.

This law is related to Lesson #7 - more complex networks are certainly more difficult to administer - but it goes beyond just administering it. The crucial point here is the architecture itself. Here are some questions to ask: What do the trust relationships between the domains in your network look like? Are they straightforward and easily understood, or do they look like spaghetti? If it's the latter, there's a good chance that someone could abuse them to gain privileges you don't intend for them to have. Do you know all the points of access into your network? If one of the groups in your company has, for instance, set up a public FTP or web server, it might provide a back door onto your network. One of the newest security challenges to systems administrators is the wide availability of inexpensive wireless network access points (WAP) and wireless network cards for laptops. Computer users are attracted to this technology as a way of adding departmental PCs to the network without having to deal with the IT support group and their procedures.

Installing a WAP is as simple as plugging it into an existing network connection and turning it on. Unfortunately, the default settings for these devices are unsecured data transmission mode, and most installations remain in the default state. Not only is there now an unauthorized access point into the network, but network traffic is now being broadcast to anyone within 1000 feet of the WAP. Anyone with a wireless network card in a laptop can have full access to your network - possibly from the parking lot across the street! Do you have a partnership agreement with another company that allows their network users onto your network? If so, the security of your network is effectively the same as that of the partner network. Adopt the phrase "few and well-controlled" as your mantra for network administration. Trust relationships? Few and well-controlled. Network access points? Few and well-controlled. The point here is that you can't defend a network you don't fully understand.


Lesson 9: Security isn't about risk avoidance; it's about risk management.

One of the most oft-cited truisms in computer security is that the only truly secure computer is one buried in concrete, with the power turned off and the network cable cut. It's true - anything less is a compromise. However, a computer like that, although secure, doesn't help your company do business. Inevitably, the security of any useful network will be less than perfect, and you have to factor that into your planning. Your goal cannot be to avoid all risks to the network - that's simply unrealistic. Instead, accept and embrace these two undeniable truths:

  1. There will be times when business imperatives conflict with security. Security is a supporting activity to your business rather than an end unto itself. Take considered risks, and then mitigate them to the greatest extent possible.

  2. Your network security will be compromised. It may be a minor glitch or a bona fide disaster, it may be due to a human attacker or an act of God, but sooner or later your network will be compromised in some fashion. Make sure you have made contingency plans for detecting, investigating and recovering from the compromise.

The place to deal with both of these issues is in your security policy. Work to set the overall guidelines regarding the risks you're willing to take and how you intend to manage them. Developing the policy will force you to consider scenarios that most people would rather not think about, but the benefit is that when one of these scenarios occurs, you'll already have an answer.


Lesson 10: Technology is not a panacea.

Technology by itself isn't enough to guarantee security. That is, there will never be a product that you can simply open, install on the network, and instantly gain perfect security. Instead, security is a result of both technology and policy - it's how the technology is used that ultimately determines whether your network is secure. IT vendors deliver the technology, but only a close alliance of systems administration and corporate management can determine and implement the right policies for the company. Plan for security early. Understand what you want to protect and what you're willing to do to protect it. Finally, develop contingency plans for emergencies before they happen. Couple thorough planning with solid technology and flawless execution, and you'll achieve world-class security.

Copyright 2003 Teconic, Inc.