Computer and Network Security: Best Practices

by Etaoin Shrdlu

Computer Security

Computer security is keeping anyone from doing things that you do not want them to do to, with, or from your data, computers, or any peripheral device.

We must protect
- stored information
- accuracy of information
- information value
- access to external services
- access to internal services
- the organization's privacy

We protect against
- Hackers/Crackers - typically young hobbyists, who gain access via external network connections
- Criminal Intruders - they have more resources and capabilities than the hobbyists
- Corporate/Industrial/Foreign Espionage - they have even more resources, and great skills and determination
- Insiders - they are very dangerous, since they are already past the first barrier
- Contractors - they present the same problems as insiders, and have less reason for loyalty

Levels of Responsibility
- The personal level of responsibility implies that security is everyone's job: good passwords, careful assessment of software installed, good virus practices, and the recognition that security is the responsibility of each person with a password. System administrators and each single computer or network user are in this category.
- The interior level of responsibility governs the responsibilities of the network administrator, and also covers many of the responsibilities of the system administrators. Groups of machines, and local area networks, are at this level.
- The exterior level of responsibility lies with the network administrator, and the computer or network security administrators. The firewall and other countermeasures are at this level.

Types of Attacks
- Social Engineering - This is always the easiest way in.
  - Ask the local administrator to change "your" account's password
  - Look over the shoulder of someone while they type (shoulder surfing)
  - Look for passwords that are written down in obvious places
  - Look for computers that are logged in to the network, or are otherwise vulnerable, and are unattended
- Bugs, Backdoors, and Bad Practices
  - Easy or compromised passwords create an authenticated user
  - Operating systems and networks should always be up to the latest patch levels
  - Unused software packages and services should be removed or disabled
  - Protocols are not designed to be secure (TCP/IP, SNA, DECNet, Appletalk, etc.)
- Denial of Service - very little can be done to defend against this. Assume that it will happen and make contingency plans.
  - Using up the resources of a machine or network
  - Disrupt communications via corrupt routing tables or other attacks

Levels of Data

Data can be divided up into (at least) three layers, according to the level of protection required for it.
- Level 1 data is defined to be data for which any compromise or harm will cause irreparable damage to the reputation of the company, or will cause a loss of more than 10 million dollars (adjust this according to the current worth of your company)
- Level 2 data is defined to be data that will cause poor publicity, or will cause a loss of between one-half million and 10 million dollars (same caveat as above)
- Level 3 data is defined to be data that will cause a loss of less than one-half million dollars (same caveat), or cause inconvenience and disruption to the enterprise

Personnel data is assumed to be level 1 or level 2 data. Yearly forecasts, and other irreplaceable items are level 1 data. Different protection is required for these levels. Level 1 data should be secured at all times, and probably should not be available from the external network, or else should be placed under heightened protection.

Cryptography is not a Toy

Cryptographic protocols and packages should never depend on the outmoded "security through obscurity" philosophy.
- Extend trust only where necessary
- Use well-known packages
- Do not trust certificate authorities, as these may be compromised or forged (This is a politically charged statement, and may or may not be palatable to all entities)
- Keep up with current techniques, and use the strongest encryption methods available to you

The Security Policy

This is a formal definition of an organization's stance on security - on what is and is not allowed. Each organization must determine for itself what level of security is wise, and how much enforcement is necessary.
- Everything not explicitly prohibited is permitted (permissive policy)
- Everything not explicitly permitted is prohibited (restrictive policy)
- A certain level of security may be a legal requirement (various countries have privacy protection acts, or requirements for protection of data)
- There may be restrictions in what you may, or may not, monitor
- Prosecution of intruders depends on evidence that is admissible in court.

Computer logs are probably not qualified, nor is most electronic media. The policy must state what evidence is or will be maintained for this purpose.

Password Rules

Passwords guard the perimeter of the organization. Every password scheme should use some form of true encryption (no ROT13 or simple hashing), and each password should belong to a single user. Passwords should never be shared. There are many available programs that will "crack" simple passwords.

Minimum standards for passwords are:
- At least 6 characters in length
- Mix case and other characters
- Do not use dictionary words
- Use other rules as they make sense for your organization
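
An added example, not part of the original page: one way to enforce the minimum standards above when a password is set. The function names, the small constructed word list, the substitution table, and the reading of "mix case and other characters" as lower case plus upper case plus a non-letter are all assumptions made for illustration.

```python
import re

MIN_LENGTH = 6  # "At least 6 characters in length"

# Constructed sample word list (assumption); a real check would load a full
# dictionary plus organization-specific terms.
SAMPLE_DICTIONARY = {"password", "dragon", "letmein", "summer", "welcome", "secret"}

# Common character substitutions, undone before the dictionary lookup.
LEET = str.maketrans("013457@$!", "oleastasi")


def _strip_edges(text):
    """Drop leading and trailing non-letters, e.g. 'summer2004' -> 'summer'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", text)


def variants(candidate):
    """Normalized forms of the candidate to compare against the dictionary."""
    lowered = candidate.lower()
    return {
        _strip_edges(lowered).translate(LEET),   # 'p@ssw0rd!' -> 'password'
        _strip_edges(lowered.translate(LEET)),   # '$ecret'    -> 'secret'
    }


def check_password(candidate, dictionary=SAMPLE_DICTIONARY):
    """Return the list of minimum standards the candidate fails (empty = pass)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than 6 characters")
    has_lower = any(c.islower() for c in candidate)
    has_upper = any(c.isupper() for c in candidate)
    has_other = any(not c.isalpha() for c in candidate)
    if not (has_lower and has_upper and has_other):
        problems.append("needs lower case, upper case and a non-letter")
    if variants(candidate) & set(dictionary):
        problems.append("based on a dictionary word")
    return problems


if __name__ == "__main__":
    for sample in ("abc", "P@ssw0rd!", "Summer2004", "$ecret", "tR9#kVm2qz"):
        print(f"{sample!r}: {check_password(sample) or 'ok'}")
```

Note that "P@ssw0rd!" and "Summer2004" satisfy the length and character-mix rules and are rejected only by the dictionary rule, which is why that rule has to look past simple substitutions and appended digits.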

Protect the Physical Network

Sniffers and network taps are still easy to install, even though many organizations use modern cabling. Physical inspection of the network is important. Network monitoring for unusual or odd traffic patterns may also help spot protocol analyzers. Session authentication and password protection are useless if the network itself is compromised.


shrdlu AT deaddrop DOT org

Last modified: Sat Oct 30 23:12:31 PDT 2004