Security Decisions

Transcript Security Decisions

How to Set Effective Security Policies at Your Organization
David Strom
VAR Business Technology Editor
June 20, 2002
My background
• Author of “Home Networking Survival Guide”, a book from Osborne/McGraw Hill
• Founding Editor-in-Chief, Network Computing
• Tested numerous networking and security products
Things to know before you can set effective policies
• Problems with existing network and applications infrastructure
• Issues with products and protocols
• Ways around the various tools that you are trying to use to lock things down
Who is in charge, anyway?
• Do you have a chief security officer?
• Does s/he have any real authority?
• Does s/he have control over corporate directories, network infrastructure decisions, and internal applications development?
Look at your exposure from within
• Network admins who have rights to everything
• Applications that have access to other applications
• Users who temporarily gain access outside of their normal departments
So let’s look at the following:
• VPN policies and choices
• Email policies and issues
• eCommerce issues
• Firewalls don’t protect you all the time
Role of integrators with VPNs
• Help with their rollout and configuration
• Help with remote support and troubleshooting
• Recommend equipment and configuration
• Include as part of overall telecommuting application
VPN Issue #1: Ease of use
• VPNs still vexing
• Matched pair problem
• Hardware or software choices not always obvious
VPN Issue #2: Cable providers don’t like home networks
• Getting static IPs can be a problem
• Changing MAC addresses is an issue
• Administering and supporting a home network is sometimes beyond their abilities or interest
… Yet all cable modems come with Ethernet!
VPN Issue #3: Providers hate VPNs
• Well, maybe it is more ignorance of them than hate
• Some don’t include VPNs in their TOS
• Some do everything they can to discourage their use (frequent IP changes, for example)
VPN Issue #4: Remote support
• Coordinating a VPN rollout for telecommuters can swamp a small tech support department
• Variations in Windows OS, and non-Windows PCs, can be difficult!
• What if users require more than one tunnel?
State of VPNs
• Software now comes included in residential gateways like Sonic and Netgear
• Still too hard for the average consumer, and the average business computer user
• But wider support is inevitable
• Costs too much and requires some careful justification
• VPN.net: A new way of establishing VPNs
Email policies
• How accurate is your employee directory?
• Do outsiders have access to your email system? And for how long?
• Do terminated employees still have access?
• How often do employees copy all by mistake?
Making email secure
• Use Notes or GroupWise
• Don’t run Outlook, Outlook Express
• Use PGP or S/MIME products
eCommerce issues
• Make sure you protect your enterprise network from intrusion
• Limit user access, isolate servers, lock down scripts, harden servers
• See www.nwfusion.com/netresources/0202hack1.html
Web/database issues
• Understand security weaknesses and access controls of local database users
• Understand web/database interaction from a security perspective
• Understand proxy server attacks (à la Adrian Lamo)
• Block them CGI scripts!
• Who is root and what can they really do?
Common mistakes with payment processing
• Provide too few or too many order confirmation pages
• Confusing methods and misplaced buttons on order page
• Make it hard for customers to buy things
• Don’t make your customers read error screens
ConEd bill payment issue
• Claim they needed 100,000 customers to break even
• https://m020-w5.coned.com/csol/main.asp
• Note: lack of security, anyone with a valid account number can see your bill! Try acct no. 434117168910006
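The ConEd flaw is an authorization check that is missing, not a bug in the bill lookup itself. The following is an added example written for this transcript, not code from the slides or from ConEd: a minimal bill-lookup handler in its vulnerable form (any valid account number returns a bill) next to a hardened form that binds the requested account to the authenticated session. Account numbers, users and amounts are constructed.

```python
"""Added example (not from the original slides): the missing authorization
check described on the ConEd slide, shown as a minimal bill-lookup handler.

The vulnerable handler trusts the client-supplied account number; the
hardened handler checks server-side that the account belongs to the
authenticated user. All data below is constructed for illustration.
"""

# Constructed sample data: which accounts each logged-in user owns,
# and the bill on file for each account.
ACCOUNT_OWNERS = {
    "alice": {"ACCT-0001"},
    "bob": {"ACCT-0002"},
}
BILLS = {
    "ACCT-0001": {"owner": "alice", "amount_due": 84.20},
    "ACCT-0002": {"owner": "bob", "amount_due": 132.55},
}


class AuthorizationError(Exception):
    """Raised when a user asks for a resource they do not own."""


def view_bill_insecure(session_user: str, account_no: str) -> dict:
    """VULNERABLE: the only check is that the account exists.

    The session user is ignored, so anyone who knows (or guesses) a valid
    account number receives that customer's bill.
    """
    if account_no not in BILLS:
        raise KeyError("no such account")
    return BILLS[account_no]


def view_bill_secure(session_user: str, account_no: str) -> dict:
    """HARDENED: bind the requested account to the authenticated session.

    Ownership is looked up server-side; the client never asserts it.
    The ownership check runs before any existence check, so unknown and
    foreign accounts are indistinguishable to the caller.
    """
    owned = ACCOUNT_OWNERS.get(session_user, set())
    if account_no not in owned:
        raise AuthorizationError("account not accessible to this user")
    return BILLS[account_no]


def readable_accounts(session_user: str, handler) -> list[str]:
    """Regression check for the authorization rule: which of the known
    accounts can `session_user` read through `handler`? A correct handler
    returns exactly the accounts that user owns."""
    readable = []
    for acct in BILLS:
        try:
            handler(session_user, acct)
            readable.append(acct)
        except (KeyError, AuthorizationError):
            pass
    return readable


if __name__ == "__main__":
    print("insecure:", readable_accounts("alice", view_bill_insecure))
    print("secure:  ", readable_accounts("alice", view_bill_secure))
```

The `readable_accounts` check belongs in the application's own test suite: for every user it should equal that user's owned set, and the insecure handler fails it immediately because every account is readable by everyone.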
Preventing credit card fraud
• Don't accept orders unless full address and phone number are present
• Be wary of different "bill to" and "ship to" addresses
• Be careful with orders from free email services
• Be wary of orders that are larger than the typical amount
• Pay extra attention to international orders
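The slide's rules split naturally into one hard rule (no full address and phone, no order) and four soft rules that call for a manual look. The following is an added example written for this transcript, not code from the slides: an order-screening function that applies them in that order. The free-mail domain list, the typical order size and multiplier, the merchant's home country and the sample orders are all constructed assumptions.

```python
"""Added example (not from the original slides): the credit-card fraud
heuristics from the slide as an order-screening function.

Thresholds, the free-mail domain list, the home country and the sample
orders are constructed assumptions, not values from the slides.
"""
from dataclasses import dataclass

# Assumed list of free webmail domains (the slide names no specific services).
FREE_MAIL_DOMAINS = {"hotmail.com", "yahoo.com", "aol.com"}

# Assumed merchant baseline: the typical order size, and how many times
# larger an order must be to count as "larger than typical".
TYPICAL_ORDER_USD = 120.0
LARGE_ORDER_FACTOR = 3.0

HOME_COUNTRY = "US"  # assumed merchant home country


@dataclass
class Order:
    email: str
    phone: str
    bill_to: str        # full postal address as one string
    ship_to: str
    country: str        # ISO country code of the shipping address
    amount_usd: float


def screen_order(order: Order) -> tuple[str, list[str]]:
    """Return (decision, reasons).

    'reject' for the slide's hard rule (incomplete address or phone),
    'review' when any of the wariness rules fires, 'accept' otherwise.
    """
    reasons = []

    # Hard rule: don't accept orders unless full address and phone are present.
    if not (order.bill_to.strip() and order.ship_to.strip() and order.phone.strip()):
        return "reject", ["missing address or phone number"]

    # Soft rules: each is grounds for a manual look, not an automatic block.
    if order.bill_to.strip().lower() != order.ship_to.strip().lower():
        reasons.append("bill-to and ship-to addresses differ")
    domain = order.email.rsplit("@", 1)[-1].lower()
    if domain in FREE_MAIL_DOMAINS:
        reasons.append(f"free email service ({domain})")
    if order.amount_usd > TYPICAL_ORDER_USD * LARGE_ORDER_FACTOR:
        reasons.append(f"amount {order.amount_usd:.2f} exceeds "
                       f"{LARGE_ORDER_FACTOR:g}x the typical order")
    if order.country.upper() != HOME_COUNTRY:
        reasons.append(f"international order ({order.country})")

    return ("review" if reasons else "accept"), reasons


# Constructed sample orders.
SAMPLE_ORDERS = {
    "clean": Order("pat@example.com", "555-0100",
                   "1 Main St, Springfield", "1 Main St, Springfield", "US", 95.0),
    "no_phone": Order("pat@example.com", "",
                      "1 Main St, Springfield", "1 Main St, Springfield", "US", 95.0),
    "suspicious": Order("x@hotmail.com", "555-0199",
                        "1 Main St, Springfield", "9 Elm Rd, Elsewhere", "CA", 900.0),
}

if __name__ == "__main__":
    for name, order in SAMPLE_ORDERS.items():
        print(name, screen_order(order))
```

Keeping the reasons list, rather than a single boolean, is what makes the review queue workable: the person looking at a flagged order sees which rule fired and can tune the thresholds from real outcomes.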
Ways around firewalls
• Uroam.com
• GoToMyPC.com
• Neoteris, other appliances
• Remote control software (PC Anywhere, Ccopy, etc.)
• Wireless LANs!
Remote control loopholes
• Do you even know if they are running?
• Do port scans for common ports that are used:
  • PC Anywhere: 5631-2
  • Control IT: 799
  • Carbon Copy: 1680
  • VNC: 5900
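Finding out "if they are running" means turning the port list above into a check over the scan results. The following is an added example written for this transcript, not code from the slides: it parses scan output in the style of nmap's greppable (-oG) format and reports every host where one of the slide's remote-control ports is open or filtered. The scan output is a constructed sample, not a real scan, and the product names attached to the ports are taken from the slide.

```python
"""Added example (not from the original slides): flag hosts running remote
control software by matching scan results against the ports the slide lists.

Input is a constructed sample in the style of nmap's greppable (-oG)
output; the parser only relies on the "Host:" and "Ports:" fields.
"""
import re

# Ports named on the slide, mapped to the product they indicate.
REMOTE_CONTROL_PORTS = {
    5631: "pcAnywhere (data)",
    5632: "pcAnywhere (status)",
    799: "ControlIT",
    1680: "Carbon Copy",
    5900: "VNC",
}

# Constructed sample scan output (not a real scan).
SAMPLE_SCAN = """\
# Nmap scan initiated (constructed sample)
Host: 10.0.5.21 (ws-accounting)\tPorts: 135/open/tcp//loc-srv///, 5631/open/tcp//pcanywheredata///, 5632/open/udp//pcanywherestat///
Host: 10.0.5.33 (ws-dev)\tPorts: 22/open/tcp//ssh///, 5900/open/tcp//vnc///
Host: 10.0.5.40 ()\tPorts: 80/open/tcp//http///, 1680/filtered/tcp//carbon-copy///
Host: 10.0.5.51 (printer)\tPorts: 9100/open/tcp//jetdirect///
"""

_HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*)$")


def parse_greppable(text: str) -> dict[str, list[tuple[int, str, str]]]:
    """Return {ip: [(port, state, protocol), ...]} from -oG style lines.

    Comment lines and host lines without a Ports: field are skipped.
    """
    hosts = {}
    for line in text.splitlines():
        m = _HOST_RE.match(line)
        if not m:
            continue
        ip, _name, ports_field = m.groups()
        entries = []
        for item in ports_field.split(","):
            # -oG port entry layout: port/state/proto/owner/service/rpc/version/
            fields = item.strip().split("/")
            if len(fields) < 3 or not fields[0].isdigit():
                continue
            entries.append((int(fields[0]), fields[1], fields[2]))
        hosts[ip] = entries
    return hosts


def flag_remote_control(hosts) -> list[tuple[str, int, str, str]]:
    """List (ip, port, state, product) for every slide-listed port that is
    not closed. 'filtered' is kept on purpose: a firewall in the path hides
    the real state, so the host still deserves a follow-up."""
    findings = []
    for ip, entries in hosts.items():
        for port, state, _proto in entries:
            if port in REMOTE_CONTROL_PORTS and state != "closed":
                findings.append((ip, port, state, REMOTE_CONTROL_PORTS[port]))
    return findings


if __name__ == "__main__":
    for ip, port, state, product in flag_remote_control(parse_greppable(SAMPLE_SCAN)):
        print(f"{ip}\t{port}/{state}\t{product}")
```

A port match is a lead, not proof: the next step is to confirm the service on the host and check it against the inventory of machines that are supposed to run remote control software at all.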
Wireless LAN loopholes
• Do you even know if they are running?
• NetStumbler.com: good resource
• Read this article too.
Wireless VPN/firewall appliances
• BlueSocket
• ReefEdge
• Vernier Networks
• Mobility from NetMotion Wireless
Conclusions and questions
David Strom
Technology Editor
VAR Business magazine
[email protected]
(516) 562-7151