Ok, we have all heard them, oxymorons, that is, adopted phrases that seem to describe something but use two diametrically opposed words to convey them, e.g., true story, talk show, smart ass, airline food, airline schedules (for that matter), American English, assistant supervisor, authentic reproduction, childproof, civil war, common courtesy, completed website, communist party…
But yet I digress… I would like to submit a new one… Network Security. I don’t believe anyone would deny me this one..
So, what does one do when presented with such a task? I would like to submit the following as, if you will, a hitchhiker’s guide to Network Security….
First, one must look the animal in the eyes. Today, “BOTNET and computer Trojan attacks are so common they barely make the news… The biggest threat still comes from outside the perimeter” (of the company) . “There are two overriding principles in security design: 1) The overall level of security protection is only as good as the lowest common denominator, as attackers will always find the weakest link; and 2) complexity is the enemy of security.”
Security Policies defines the simplest, lowest common denominator necessary to meet business security goals. In order to accomplish this objective the following topics must be considered.
- Virus Protection
- System Penetration
- External hacking
- Theft of proprietary information
- Theft of transaction information
- Financial fraud
- Unauthorized insider access
- Denial of service (DoS)
- Web site vandalism
- Internal hacking
- Physical break-in and/or theft of computer equipment
With that, I would like to present, certainly not the end all, but at least the fundamental elements of what an organization should consider to have in place if there are even to have a prayer to address the above. So, submitted for your approval, we would like to share the
- A SECURITY POLICY
- NETWORK SECURITY
- DESKTOP SECURITY
Elements of a SECURITY POLICY
- The security policy is not displayed on the Internet but is used to direct and guide development of web sites in order to create a safe user environment.
- For all transmissions between clients (i.e. web browser) to web server through the Internet containing ‘sensitive’ data use a Secured Sockets Layer (SSL) connection.
- For all transmissions between the web server (i.e. IIS) and the database containing ‘sensitive’ data use approved encryption.
- For the storage (i.e. persistence) of ‘sensitive’ data within Database Management Systems (e.g. Microsoft SQL Server) use approved encryption unless otherwise instructed.
- For the storage (i.e. persistence) of Microsoft OS level files use Microsoft security guidelines / best practices (e.g. on NT servers running IIS use NTFS not FAT). Always set file access privileges within NTFS and IIS to ensure optimal security (optimal is defined as allowing access to only users and applications that are authorized and entitled), unless otherwise instructed.
- For all transmissions containing ‘sensitive’ data between the web server and other servers within local control use approved encryption unless otherwise instructed.
- For user login authentication use the secure authentication mechanisms, e.g., two factor, certificate, or credentialed mechanisms.
- Monitor the availability of security related patches and updates to products that pose security risk (e.g. IIS patches to security related ‘holes’), and apply in an expeditious manner.
- Avoid use of system default values (out of box settings) within publicly available software, absolute path names to files, and sample code that encourage breaches in security.
- Check Computer Emergency Response Team (CERT) (www.cert.org) and System Administration, Networking, and Security (SANS) Institute (www.sans.org) security web sites on a prescribed basis for warnings, announcements, and updates as they become available.
- Perform regular frequent system backups.
- Implement strict review, testing, change control and documentation processes as defined by your organization. These processes should surround all changes (e.g., home grown CGI scripts may inadvertently open a door to an intruder).
Physical Connection and Web Servers
- When ‘sensitive’ information is passed between the users on the Internet and the web server use an SSL connection. Encrypt all web pages that display user-specific and financial information using 128-bit SSL. Use built-in browser SSL features and server-side SSL certificates provided by the hosting facility.
- Web servers, database servers and application servers must be physically located only at secure hosting facilities compliant to organizational standards.
- Files passed between web servers and the organization will be through private lines between and the hosting facility.
- Use of firewalls (and a DMZ?) is required to isolate commerce servers from other merchant networks and systems.
- Incorporate the organization approved fraud detection metrics on web server (assuming credit card usage).
Database Encryption for Sensitive Data
- ‘Sensitive’ information will be encrypted in the database.
- Use an organization-authorized third-party encryption component to encrypt and decrypt all ‘sensitive’ data fields in the organization business databases.
- Use stored procedures for accessing data in the database, and ensure that access permissions are correct. Only applications that have proper Windows authentication permissions are entitled to run stored procedures and have access to the Relational Database Management System servers.
- Store ‘sensitive’ information like credit card numbers on back-end machines that are better protected than the commerce servers.
- When sending email confirmation of orders, indications of shipping status, etc. mask all confidential information like credit card numbers (to prevent unauthorized use).
- Use of basic entitlement mechanisms for company directory access to ensure the user being properly authenticated. Redirect users that are not authenticated to the login.
- After login authentication require Web users to authenticate themselves by entering additional personal information as directed by the organization. For example the organization finance project users must enter their Account Number and SSN to access their account information).
- Users will only be shown account information for which they’ve provided adequate authentication. Also, the application will enforce business rules on various levels of account access based on the account status.
- COM components must use Microsoft operating system (e.g. NT / Windows 2000) authentication facilities along with proper permissions and rules.
Elements of NETWORK SECURITY
Firewall and Router screening
Ensure that firewall/router screening is in place to restrict access to only necessary services, e.g., HTTP, SSL.
An intrusion detection policy can help find those attackers that are able to subvert the web server. This policy will help Honda’s Legal Department in prosecuting these attackers.
- Ensure that mechanisms are in place to identify apparent unusual accesses to the systems
- Provide alerts to the administrator in the case of unusual accesses to the systems.
IP reputation is a new service that enable the filtering of messages based on the sending server’s IP address. The type of messages sent from that IP address are tracked and stored so your perimeter firewall knows if the sending server is a likely source of spam. There are three functions of IP reputation: Blacklist, Graylist, and Whitelist
ISP Reviews and Audits
ISPs must cooperate with Honda’s independent reviewers (Internal and external auditors, risk assessors, etc.). If this is not possible the ISP must provide a recent SAS70 evaluation to the organization and a contract to have ISP’s agree to share any economic loss from a security breach is required.
Elements of DESKTOP SECURITY
Find a program that examines .exe, .dll, and .ocx files on your computer and matches the data against a file signatures engine to determine whether you are running unpatched software programs. It then provides help in patching the vulnerabilities that are identified. Example link: https://psi.secunia.com/
No software to install. Just change your DNS settings to use OpenDNS servers (22.214.171.124 and 126.96.36.199) to get valuable security features—content filtering, adult site blocking, phishing and malware blocking, and protection against DNS rebinding attacks. Example link: http://www.opendns.com
The free browser plugin (Internet Explorer and Firefox) covers the growing data security hole between your firewall and anti-virus programs. It provides an aggressive, color-coded early warning system for drive-by malware attacks. Example link: http://www.hautesecure.com
A program is needed to intelligently monitor Windows machines for remote botnet C&C (command and control) commands. These can include commands to turn the zombie machine into a spam relay; launch denial-of-service attacks; or host malicious Web sites for phishing attacks. Example link: http://www.trendsecure.com/portal/en-US/tools/security_tools/rubotted
A program that detects and removes stealthy rootkits used by hackers to hide malicious software from security programs. Example link: http://free.grisoft.com/doc/39798/us/frt/0