Network Security: A Primer on Vulnerability, Prevention, Detection and Recovery

Vulnerability:

Many resource-strapped associations scrimp on security procedures because they do not regard security risks as either real or immediate. According to the FBI, the US economy lost $100 billion in 1997, with losses rising 500 percent per year since 1992. Security breaches include the compromise of proprietary or sensitive information, loss of data or software integrity, and loss of system availability.

Who would, or who could, jeopardize our systems? The FBI Computer Crime Unit reported that 80 percent of all network security breaches come from inside the company. The March 10, 1999 cover story of the Washington Post states, "…Along with the breathtaking advances in computer technology has come a vast proliferation of easy, ready-to-use computing hacking programs, freely available on the Internet, and a boon to greenhorn hackers….Experts believe there are tens of thousands of hacking-related Web sites, and hundreds that approach the subject seriously…You no longer have to be an expert [to crack an organization's network]." Additionally, the Computer Emergency Response Team (CERT) reports increased use of automated scripts that permit a single individual to attack more systems with less effort.

Understand that if you connect to the Internet, you use the Internet Protocol, which by design provides no inherent security features. Any protection against damage to or compromise of your network is yours to provide. Viruses can destroy data and even render systems completely inoperable; we need only look back to the Melissa virus, which rendered thousands of systems inoperable. Many operating systems provide an open door by default. For example, Windows NT Server allows any workstation, even one that is not logged in, to access any shared directory created with the default settings.
Yes, that is correct: without any knowledge of your system, a hacker can by default walk up to a Windows 95 PC and infiltrate your NT server. So far I have addressed only intentional hazards to your network. A much greater threat comes from the untrained, the unwashed and the uninformed. Some of the biggest threats to systems are power failure, viruses and hardware failure. Power failures can crash systems, destroy data and even destroy hardware. A hardware failure takes down every system that depends on that hardware. The next section of this article addresses ways to protect against both intentional and unintentional threats.

Prevention:

There are policies and procedures that organizations can adopt to reduce the risk of security breaches and to minimize losses when a breach does occur. The following paragraphs provide a brief checklist of security precautions.

The first area to consider is physical security. Are servers kept in locked rooms? Can only authorized individuals reach a logged-on system? If the answer to either question is "no", you are completely exposed: anyone who can reach the machine can read, alter or destroy whatever it holds. Ensure that staff log off their computers whenever they leave the office. Under no circumstances should computers be left logged on overnight. You can enforce this policy in Windows by configuring the system to log users off after a set idle interval.

Maintain user name and password security on all computer systems. Each user must have his or her own unique logon name. I recommend the following policies for passwords:
Once you have established user name and password security, control access to resources on the basis of user name. Granting only the type of access each user actually needs (read, write, modify, create, delete and so on) helps ensure that sensitive information is not compromised and reduces the risk that staff harm systems, whether by accident or by intent. When establishing access control, always err on the side of caution: overly strict permissions are detected quickly and corrected quickly, whereas lax permissions are often discovered only after systems have been infiltrated and damage has been done.

Give careful consideration to purchasing redundant hardware for all critical systems. Every critical system should have an uninterruptible power supply (UPS) that allows a graceful shutdown, including completion of all in-flight transactions. Current anti-virus software is essential on every system and should be updated at least once a month; vendors such as McAfee and Symantec update their data files almost daily in response to the growing proliferation of damaging viruses, which argues for updating more often than that.

A firewall can help protect your network from external assaults and other forms of infiltration. I will cover firewalls in the next article in this series. Know that a firewall without proper planning and configuration will not provide adequate protection.

Finally, the last item on the checklist is to protect very sensitive data with encryption. Anyone who can tap your network wires can read the information crossing them, and the confidentiality of your documents is gone. Will this happen to you? If your organization has enemies, you may have your answer. Encryption requires a password to read the document, making it extremely difficult for an infiltrator to recover the contents.

Detection:

Detecting security breaches is very important. Most operating systems provide logging options to:
Such options should be turned on and checked regularly, though watch the amount of disk space the logs consume. Monitor the logs on a schedule to confirm the integrity of your network's security; every attempted breach you detect shows you where prevention needs to be strengthened.

Recovery:

Recovery from a system failure or security breach generally means restoring data and programs from backups, so business continuity depends on the quality of your backup procedures and media. Make sure that all users store mission-critical data on systems that you back up every night; if you leave backups to end users, you put the organization's data at risk. Document your backup and restore procedures carefully, including how to reach key individuals in an emergency. Store backup media in a safe and secure location, with some copies off-site. One rule of business continuity is that unless you test your recovery procedures, you cannot guarantee their effectiveness; organizations should test them at least once per year. If you can back up all of your systems nightly without otherwise disrupting operations, do so. Otherwise perform a "full" backup of your systems weekly and back up "changed" data nightly, so that a restore replays the last full backup followed by each nightly set taken since.

Security Audit:

Has the information in this article scared you yet? What can your organization do? Do you have the expertise to secure your systems? One way to help protect your organization is to have a computer security expert audit your network security once a year. The audit will identify vulnerabilities and recommend protective measures.

A Final Word:

If you were preparing for a board meeting and the entire board presentation resided on a failed or corrupt system, how much would you pay to recover it? How much would you pay for the failure not to occur at all? As the old cliché goes, "an ounce of prevention is worth…"
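As an added example (not part of the original article), the kind of log review the Detection section calls for, written in Python. It reads a small constructed authentication log (the line format is an assumption, not any particular operating system's audit format) and flags two things the article warns about: a burst of failed logons against one account from one source, and successful logons outside business hours, when staff should be logged off.

```python
"""Added example: review logon records for signs of a breach attempt.

Constructed log format (an assumption, not a real OS audit format):
    <YYYY-MM-DD> <HH:MM:SS> <LOGON_OK|LOGON_FAIL> user=<name> src=<host>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<result>LOGON_OK|LOGON_FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample data: a normal morning logon, a burst of failures
# against the administrator account late at night that finally succeeds,
# and one ordinary mistyped password the next morning.
SAMPLE_LOG = """\
1999-03-10 09:02:11 LOGON_OK user=alice src=ws12
1999-03-10 23:41:05 LOGON_FAIL user=administrator src=ws31
1999-03-10 23:41:09 LOGON_FAIL user=administrator src=ws31
1999-03-10 23:41:14 LOGON_FAIL user=administrator src=ws31
1999-03-10 23:41:20 LOGON_FAIL user=administrator src=ws31
1999-03-10 23:41:27 LOGON_FAIL user=administrator src=ws31
1999-03-10 23:42:02 LOGON_OK user=administrator src=ws31
1999-03-11 08:55:40 LOGON_FAIL user=bob src=ws07
1999-03-11 08:56:01 LOGON_OK user=bob src=ws07
"""


def parse(lines):
    """Turn raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def find_failure_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """(src, user) pairs with at least `threshold` failures inside `window`.

    A sliding window over the sorted timestamps, so failures spread over
    hours (ordinary typos) are not reported."""
    by_key = defaultdict(list)
    for e in events:
        if e["result"] == "LOGON_FAIL":
            by_key[(e["src"], e["user"])].append(e["ts"])
    alerts = []
    for key, times in by_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(key)
                break
    return alerts


def find_after_hours_logons(events, open_hour=7, close_hour=19):
    """Successful logons outside business hours (assumed 07:00 to 19:00)."""
    return [
        (e["user"], e["src"], e["ts"].isoformat())
        for e in events
        if e["result"] == "LOGON_OK" and not open_hour <= e["ts"].hour < close_hour
    ]


def review(log_text):
    """Run both checks over a log and return what an operator should look at."""
    events = parse(log_text.splitlines())
    return {
        "bursts": find_failure_bursts(events),
        "after_hours": find_after_hours_logons(events),
    }


if __name__ == "__main__":
    print(review(SAMPLE_LOG))
```

The thresholds (five failures in five minutes, a 07:00 to 19:00 working day) are assumptions to be tuned to the organization; the point is that the check is mechanical and can run every morning against yesterday's log, which is what "checked regularly" has to mean in practice.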
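A second added example, also not from the original article, rehearses the Recovery section's weekly full / nightly changed backup scheme together with the restore test the article says you cannot do without. It works entirely inside a throwaway temporary directory with constructed sample files; the timestamps, file names and the MANIFEST format are assumptions made for the illustration.

```python
# Added example: full + changed backup selection, restore, and hash verification.
from __future__ import annotations

import hashlib
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Optional


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def select_for_backup(source: Path, since: Optional[float]) -> List[Path]:
    """Relative paths to copy: every file for a full backup (since=None),
    otherwise only files modified after `since` (a POSIX timestamp)."""
    chosen = []
    for p in sorted(source.rglob("*")):
        if p.is_file() and (since is None or p.stat().st_mtime > since):
            chosen.append(p.relative_to(source))
    return chosen


def run_backup(source: Path, dest: Path, since: Optional[float] = None) -> Dict[str, str]:
    """Copy the selected files to dest and record a manifest of their hashes."""
    dest.mkdir(parents=True, exist_ok=True)
    manifest: Dict[str, str] = {}
    for rel in select_for_backup(source, since):
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(source / rel, target)
        manifest[str(rel)] = sha256_of(target)
    (dest / "MANIFEST").write_text("\n".join(f"{h}  {n}" for n, h in manifest.items()))
    return manifest


def restore(backup_sets: List[Path], target: Path) -> None:
    """Replay the full backup, then each changed set in order; later copies win."""
    for dest in backup_sets:
        for p in dest.rglob("*"):
            if p.is_file() and p.name != "MANIFEST":
                rel = p.relative_to(dest)
                (target / rel).parent.mkdir(parents=True, exist_ok=True)
                shutil.copy2(p, target / rel)


def verify_restore(source: Path, restored: Path) -> List[str]:
    """Relative paths whose restored copy is missing or differs by hash."""
    bad = []
    for p in sorted(source.rglob("*")):
        if p.is_file():
            rel = p.relative_to(source)
            r = restored / rel
            if not r.is_file() or sha256_of(r) != sha256_of(p):
                bad.append(str(rel))
    return bad


def rehearsal() -> dict:
    """Weekly full backup, edits, nightly changed backup, restore, verify.
    Everything lives in a temp directory built from constructed sample files."""
    root = Path(tempfile.mkdtemp())
    try:
        src, full, nightly, recovered = (root / n for n in ("src", "full", "nightly", "recovered"))
        src.mkdir()
        (src / "board.doc").write_text("agenda v1")
        (src / "ledger.xls").write_text("q1 figures")
        full_time = 1_000_000.0  # assumed timestamp of the weekly full backup
        for f in src.iterdir():
            os.utime(f, (full_time - 60, full_time - 60))  # older than the full
        full_manifest = run_backup(src, full, since=None)

        # Work done after the full backup: one file changed, one file new.
        (src / "board.doc").write_text("agenda v2")
        (src / "minutes.doc").write_text("new")
        for name in ("board.doc", "minutes.doc"):
            os.utime(src / name, (full_time + 60, full_time + 60))
        nightly_manifest = run_backup(src, nightly, since=full_time)

        restore([full, nightly], recovered)
        return {
            "full": sorted(full_manifest),
            "nightly": sorted(nightly_manifest),
            "mismatches": verify_restore(src, recovered),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(rehearsal())
```

Two design points carry over to real backup software: selection by modification time is only as good as the clocks on the machines being backed up, and a restore that is never compared against the live data by hash has not been tested, only performed.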