How to Set Effective Security Policies at Your Organization - PowerPoint PPT Presentation

Slides: 25
Provided by: shauncorb

Transcript and Presenter's Notes

1
How to Set Effective Security Policies at Your
Organization
  • David Strom
  • VAR Business Technology Editor
  • June 20, 2002

2
My background
  • Author of Home Networking Survival Guide book
    from Osborne/McGraw Hill
  • Founding Editor-in-Chief, Network Computing
  • Tested numerous networking and security products

3
Things to know before you can set effective
policies
  • Problems with existing network and applications
    infrastructure
  • Issues with products and protocols
  • Ways around the various tools that you are trying
    to use to lock things down

4
Who is in charge, anyway?
  • Do you have a chief security officer?
  • Does s/he have any real authority?
  • Does s/he have control over corporate
    directories, network infrastructure decisions,
    and internal applications development?

5
Look at your exposure from within
  • Network admins who have rights to everything
  • Applications that have access to other
    applications
  • Users who temporarily gain access outside of
    their normal departments

6
So let's look at the following
  • VPN policies and choices
  • Email policies and issues
  • eCommerce issues
  • Firewalls don't protect you all the time

7
Role of integrators with VPNs
  • Help with their rollout and configuration
  • Help with remote support and troubleshooting
  • Recommend equipment and configuration
  • Include as part of overall telecommuting
    application

8
VPN Issue 1: Ease of use
  • VPNs still vexing
  • Matched pair problem
  • Hardware or software choices not always obvious

9
VPN Issue 2: Cable providers don't like home
networks
  • Getting static IPs can be a problem
  • Changing MAC addresses is an issue
  • Administering and supporting a home network is
    sometimes beyond their abilities or interest
  • Yet all cable modems come with Ethernet!

10
VPN Issue 3: Providers hate VPNs
  • Well, maybe they are more ignorant of them than
    hostile to them
  • Some don't include VPNs in their TOS
  • Some do everything they can to discourage their
    use (frequent IP changes, for example)

11
VPN Issue 4: Remote support
  • Coordinating a VPN roll out for telecommuters can
    swamp a small tech support department
  • Variations in Windows OS, and non-Windows PCs can
    be difficult!
  • What if users require more than one tunnel?

12
State of VPNs
  • Software now comes included in residential
    gateways like Sonic and Netgear
  • Still too hard for the average consumer, and the
    average business computer user
  • But wider support is inevitable
  • Costs too much and requires some careful
    justification
  • VPN.net: a new way of establishing VPNs

13
Email policies
  • How accurate is your employee directory?
  • Do outsiders have access to your email system?
    And for how long?
  • Do terminated employees have access still?
  • How often do employees copy all by mistake?

14
Making email secure
  • Use Notes or Groupwise
  • Don't run Outlook or Outlook Express
  • Use PGP or SMIME products

15
eCommerce issues
  • Make sure you protect your enterprise network
    from intrusion
  • Limit user access, isolate servers, lock down
    scripts, harden servers
  • See www.nwfusion.com/netresources/0202hack1.html

16
Web/database issues
  • Understand security weaknesses and access
    controls of local database users
  • Understand web/database interaction from security
    perspective
  • Understand proxy server attacks (à la Adrian Lamo)
  • Block those CGI scripts!
  • Who is root and what can they really do?

17
Common mistakes with payment processing
  • Provide too few or too many order confirmation
    pages
  • Confusing methods and misplaced buttons on order
    page
  • Make it hard for customers to buy things
  • Don't make your customers read error screens

18
ConEd bill payment issue
  • Claim they needed 100,000 customers to break even
  • https://m020-w5.coned.com/csol/main.asp
  • Note lack of security, anyone with valid account
    number can see your bill! Try acct no.
    434117168910006

19
Preventing credit card fraud
  • Don't accept orders unless full address and phone
    number present
  • Be wary of different "bill to" and "ship to"
    addresses
  • Be careful with orders from free email services
  • Be wary of orders that are larger than typical
    amount
  • Pay extra attention to international orders

20
Ways around firewalls
  • Uroam.com
  • GoToMyPC.com
  • Neoteris, other appliances
  • Remote control software (PC Anywhere, Carbon
    Copy, etc.)
  • Wireless LANs!

21
Remote control loopholes
  • Do you even know if they are running?
  • Do port scans for common ports that are used
  • PC Anywhere 5631-5632
  • Control IT 799
  • Carbon Copy 1680
  • VNC 5900

22
Wireless LAN loopholes
  • Do you even know if they are running?
  • NetStumbler.com good resource
  • Read this article too.

23
Wireless VPN/firewall appliances
  • BlueSocket
  • ReefEdge
  • Vernier Networks
  • Mobility from Netmotion Wireless

24
Conclusions and questions
  • David Strom
  • Technology Editor
  • VAR Business magazine
  • dstrom_at_cmp.com
  • (516) 562-7151