Tuesday 16 September 2008

Security: Securing The Network: Non Technical Guide to Corporate Security

Securing the Network
A Non Technical Guide to Corporate Security



Introduction

Security can be likened to Insurance. Most people and organisations never really consider it worthwhile until the worst happens. Today we live in an age where computer and network security has to be at the top of the CIO’s agenda. There is too much at stake for security to be an afterthought.

Unfortunately, security and convenience/practicality sit at opposite ends of the user experience, so security will always be a compromise. To give a contemporary example: it is extremely easy to stop terrorists getting on airplanes. Use airplanes for cargo only. Problem solved. This, however, is not a practical solution, and so a compromise between security and practicality is necessary.

This document looks at the computer and network security that is needed within the modern enterprise and explains in layman’s terms the policies, procedures and settings that are essential to ensure that, if security is going to be compromised, then somebody is going to have to work hard to do it.

Implementing the ideas from this document does not guarantee that your network will be secure. A spokesman for the FBI recently said that the only secure computer was one buried under 20 feet of concrete, and even then he wasn’t sure!

Assuming you don’t design military hardware or do research into Biological Warfare, following this document will ensure that you have done the majority of things that can be done to secure your network considering the overriding factor of practicality.

This is not a comprehensive security document and it does not cover every eventuality. The suggestions it makes, however, if followed, are likely to lead to more comprehensive security than your competitors and most other companies have.

After all, you don’t always have to be able to run fast, as long as you run faster than the other person when you are both being chased by a bear …


What is a Hacker?

You will see references to the word ‘Hacker’ throughout this document. I have used the word ‘Hacker’ as it should be used, not as it is often used in modern literature or in Hollywood films.

A Hacker is someone who likes to know, in depth, about a subject. Someone who is willing to study and tinker until they gain mastery of their craft. Generally accepted to be gifted Programmers or System Administrators, they can, I believe, be categorised by their belief that if the knowledge is worth pursuing they won’t necessarily let laws or restrictions stop them. The average Hacker’s attitude is probably a bit ‘Grey’ as opposed to either ‘Black’ or ‘White’.

A Hacker, like anybody else, can have either good or bad intentions, and be capable of either good, bad or indifferent acts. In this document you should understand the type of Hacker I am describing from the context of the paragraph in which they are mentioned.


The Security Triad

The three cornerstones of information security are:

Confidentiality
Integrity
Availability


Confidentiality is concerned with information being accessible to only the intended recipient. This may be documents, database information, emails or even instant messages.

Integrity is concerned with the fact that for information to be trusted we must know that it has only been modified by those who are authorised to do so. In addition the data must be 100% accurate.

Availability is making sure the information is available to the right person(s) when it is needed. Incorrect permission settings or denial of service attacks are examples of how availability may be compromised.

TECH NOTE: Denial of Service Attack: This is when hundreds or thousands of computers are commandeered by a Hacker and all set to send requests to a targeted website simultaneously. This can often cause the targeted website to crash or become otherwise unusable.

The concept of security in the enterprise involves considering and balancing these three concepts, every step of the way.


The Laws of Security

Client side security does not work.
You cannot securely exchange encryption keys without a shared piece of information.
Malicious code cannot be 100% protected against.
Any malicious code can be completely altered to bypass signature detection.
Firewalls cannot protect you 100% from attack.
Any Intrusion Detection System (IDS) can be evaded.
Secret cryptographic algorithms are not secure.
If you don’t have a key, you don’t have encryption, you have encoding.
Passwords cannot be securely stored on the client, without password protection.
For a system to be considered secure, it must undergo an independent security audit.
Security through obscurity does not work.

Source: INFOSEC Career Hacking, Syngress 2005.


Threats

The main threats that we face as a business if our network, computers or security systems are compromised are listed below:

Data Loss
Data Theft
Identity Theft


The main ways in which these threats can be realised are listed below:

Malware / Trojans
Viruses
Pod Slurping
Social Engineering
Physical Destruction
Employee Dishonesty



Physical Security

Physical Security in the context of this document can be split into two areas, security of your building/office and security of your computers/servers.

The security of your building or office is covered in this document because if it is possible for somebody unauthorised to gain access to your building or office then the best computer security in the world will not help. They could steal your computer, plug a laptop into your network, put a tap on your phone, steal confidential information, etc.

Gaining access, even to a secure establishment, can be as simple as ‘piggy backing’. This involves walking into a building close behind a group of others; if this is done casually enough then you are extremely unlikely to be questioned. One way around this, typically used in high security installations, is the idea of a ‘man trap’: basically an enclosed ‘chicane’ type area which allows one person through at a time.

At the very least anybody visiting your establishment should be made to wear a ‘Visitors Badge’ displayed prominently, which should be handed in when leaving the premises.

Secondary entrances and Fire Exits should be kept closed and secured as far as possible.

Physical security of your computers and servers means paying particular attention to the CD/DVD Drives, USB Ports, FireWire Ports etc. These items can all be used to introduce Malware/Trojans/Viruses onto a computer and in most cases can also be used to take data off the computer, and out of your control.

Any electrical device of value should be attached to a secure point via an armoured cable, available from many suppliers. Many desktop and laptop computers now have points that are designed to be used with the armoured cable and padlocks currently available.


Firewall

A Firewall is a device connected between your internal computer network and the external internet. A Firewall can either be software running on a computer or a dedicated hardware device.

The purpose of a Firewall is to stop undesirable access to the machines on your network and at the same time allow access and capabilities that you deem desirable.

A Firewall is not a guaranteed safeguard. Nevertheless it is an important item in your security portfolio. Without some sort of Firewall between you and the internet it is likely that your computer would be compromised within minutes.


User ID

Traditionally access to many computer systems has been via a ‘username’. Some examples are shown below:

Bilbo
Bilbobaggins
Bilbo.baggins

The problem with this of course is that an attacker can use employee information gained from many sources to guess the logon names to the computer system. If they know the logon name they are 50% of the way to gaining access.

Even worse, many people use the same ‘username’ as their email address, see below:

Bilbo@hobbit.com
Bilbobaggins@hobbit.com
Bilbo.baggins@hobbit.com

This means that an attacker has only to learn the name of an employee to have a good idea of both their computer logon and their email address, or alternatively they only need the email address to learn an individual’s computer logon and name.

TECH NOTE: Email SPAM: An additional problem with using a name as an email address is that some spammers now use code to churn out millions of emails to a domain name, i.e. hobbit.com, using variations of people’s names. This in itself is a potentially massive problem.

My suggestion is that systems designed or re-engineered nowadays should use logons and email addresses that bear no relation to the name of the individual. For example:

M7071@hobbit.com

This may not be as simple or as intuitive as previous methods but it is a lot more secure, and anything we can do to secure ourselves that little bit more is worth doing.


Passwords

User passwords should conform to the following criteria:

Minimum Length, 9 Characters
Combination of Letters, Numbers and Special Characters
Mixed Case
Does not form Proper Word

To ensure that the user remembers her password and does not stick it underneath the keyboard on a Post-It note, you may implement the following suggestions:

Let the user choose her own password
Build the password from a phrase, such as a line from a song.


The system should be set up so that after a given number of failed password attempts the account is locked; this helps protect against Brute Force password attacks.

In addition, the policy should enforce that passwords are changed at least twice a year; quarterly or more often would be better.
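The password rules and the account lockout described above, as an added worked example (my own code, not the author’s). It checks the four criteria the guide lists (9+ characters, letters/numbers/special characters, mixed case, not a proper word), stores only a salted hash of the password, and locks the account after a number of failed attempts. The wordlist, the lockout threshold of 5 and the sample passwords are constructed assumptions.

```python
import hashlib
import hmac
import os
import string
from dataclasses import dataclass
from typing import List

# Policy values from the guide: at least 9 characters, letters + numbers +
# special characters, mixed case, and not a proper word.
MIN_LENGTH = 9
# The guide says "a given number of password attempts"; 5 is an assumed value.
MAX_FAILED_ATTEMPTS = 5

# Constructed stand-in for a real dictionary wordlist (assumption).
DICTIONARY_WORDS = {"password", "administrator", "welcome", "sunflower", "hobbit"}


def check_password_policy(password: str) -> List[str]:
    """Return the list of policy rules the password breaks (empty = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c in string.punctuation for c in password):
        problems.append("no special characters")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("not mixed case")
    # "Does not form a proper word": compare the letters alone against the
    # wordlist, so that "Sunflower9!" is still caught as a dictionary word.
    letters_only = "".join(c for c in password if c.isalpha()).lower()
    if letters_only in DICTIONARY_WORDS:
        problems.append("forms a dictionary word")
    return problems


@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes      # salted PBKDF2-SHA256, never the password itself
    failed_attempts: int = 0
    locked: bool = False


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def create_account(username: str, password: str) -> Account:
    """Enforce the policy at enrolment time; refuse a non-compliant password."""
    problems = check_password_policy(password)
    if problems:
        raise ValueError(f"password rejected: {', '.join(problems)}")
    salt = os.urandom(16)
    return Account(username, salt, _hash_password(password, salt))


def attempt_login(account: Account, supplied: str) -> str:
    """Return 'ok', 'bad-password' or 'locked'; lock after too many failures."""
    if account.locked:
        return "locked"
    if hmac.compare_digest(account.password_hash, _hash_password(supplied, account.salt)):
        account.failed_attempts = 0   # a successful logon resets the counter
        return "ok"
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
        account.locked = True         # an administrator must unlock it
        return "locked"
    return "bad-password"


if __name__ == "__main__":
    # Constructed samples: "Wal1aYs!x7" passes the policy, the other two do not.
    for candidate in ("sunflower", "Sunflower9!", "Wal1aYs!x7"):
        print(candidate, "->", check_password_policy(candidate) or "OK")
    acct = create_account("M7071", "Wal1aYs!x7")
    for guess in ("hobbit1", "hobbit2", "hobbit3", "hobbit4", "hobbit5", "Wal1aYs!x7"):
        print(guess, "->", attempt_login(acct, guess))
```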


Authentication

Authentication is the act of confirming that someone is who they say they are. From the perspective of computer or network security, the device needs to be able to cross-reference the data that is input against the data that is expected in order to allow access to controlled resources.

Authentication comes before, and is different from, Authorisation. Once you are authenticated with a system, you can then be Authorised to access agreed system resources. Access criteria are the crux of Authorisation.

There are generally thought to be three ways to authenticate:

Something a person knows
Something a person has
Something a person is

Something a person knows:
Password, Pass Phrase or PIN etc.

Something a person has:
ID Card, Security Token, Mobile Phone etc.

Something a person is:
Fingerprint, DNA, Retina Scan, Voice Scan etc.


Routers

Your internet router should be set up so that it does not respond to an ICMP query from the Internet, i.e. disallow external pings.

In addition UPNP (Universal Plug and Play) should also be switched off.

Unless you desperately need access to remotely configure your router then you should also disable the remote access facility.

TECH NOTE: ICMP (Internet Control Message Protocol) Query: This is generally known as a ‘Ping’. One computer can Ping another as a way of saying ‘hello, are you there?’. A reply is expected from the computer that receives the message.

TECH NOTE: UPNP (Universal Plug and Play): This is a set of protocols designed to simplify device configuration by attempting to automatically configure them for you.



The Administrator Account

The Administrator account on each server should be set up with a long and complex password and then disabled. Changing the name of the Administrator account will not fool a decent hacker: under Windows the Administrator account always has the ID of 500, even if you do choose to rename it to BilboBaggins or BartSimpson.

Each Administrator should then be given their own Admin account and password; no Admin should know the password for another Admin’s account. This ensures that you are able to Audit the Administrator level access to the servers and tie it down to a specific individual.


Resources

When considering the resources that you provide for your users you should look at them in the context of:

Confidentiality
Integrity
Availability


The general rules to use when setting up access to resources are:

Need to know
Least Privilege


Need to Know
This applies to users and the information they need. There is nothing to be gained by passing on information to users regarding server and router IP addresses, DNS and DHCP if they do not need to be told these things to do their job.

Least Privilege
Basically what we are saying here is that users and employees should be given the lowest and most restrictive access possible, whilst still enabling them to do their job. It is easier to control the escalation of access rights than it is to try reducing them at a later date!

When setting up Access Control within a Network Operating System it is common to use Groups as a logical object to apply permissions to, instead of applying permissions against an individual user object. This makes system administration much quicker and simpler. However, from a security standpoint this practice is not recommended.


Servers

If somebody has physical access to your servers then all further security is completely compromised. Your servers should be located in a secure location, i.e. safe from theft, tampering, fire and flood and ideally accessed only remotely using tools such as Remote Desktop and VNC.

TECH NOTE: VNC (Virtual Network Computing): This is a desktop sharing system ideal for use when attempting to administer a computer that is located inconveniently.


Service Packs / Updates

As with anything else concerning security, the installation of Service Packs and Updates is a compromise.

Install them quickly when released and you may secure your servers from a current threat; however, if you have not had time to test the updates, they may cause serious problems on your systems.

Personally I lean towards installing them quickly on machines that may be exposed to the external threat and taking my time on machines that are unlikely to be threatened.


Wireless Networks

Wireless networks are a major potential security breach. The following are some ideas on what you can do to minimize your exposure.

Change Your SSID
An SSID is the public name of your wireless network. SSID stands for Service Set IDentifier. Many people leave this set to the factory default, which may be LINKSYS or 3COM or similar. Change the SSID to something that describes your own network; this will at least ensure that people do not accidentally connect to your network instead of their own.

TECH NOTE: AP (Access Point): This is a transmitter/receiver which connects your wireless network to your LAN (Local Area Network).

Turn off the Access Point Beacon
When you have set up your wireless network there is no further need for your AP to transmit its beacon that basically says ‘I AM LINKSYS. I AM HERE’. So within the administration software or webpage that you use to administer your AP, turn off the beacon. This will make your wireless network invisible to somebody who is just scouting around. If they already know you have a network, or if they know the SSID, they can still see and/or connect to you.

Restrict Access to specific MAC Addresses.
Each network card within a computer contains a MAC Address that is (to all intents and purposes) unique. With some APs you can restrict access to your wireless network to computers with a known MAC Address. The procedures differ for each AP and some do not even support this, but if your AP does support it, it is worth pursuing. This assumes that you do not regularly have new computers needing to connect to your network. Also be aware that valid MAC Addresses can be sniffed from your network and the attacker can spoof his MAC Address so that it looks like yours ...

TECH NOTE: MAC (Media Access Control) Address: This is a unique identifier attached to most sorts of networking equipment and consists of two parts, the first part related to the manufacturer of the device and the second part is a serial number.

Change the Admin Password on your Access Point
This one goes without saying.

Implement Encryption
At a minimum, enable WEP. However, if possible, WPA should be set up and used. Use the maximum encryption length.

TECH NOTE: WEP (Wired Equivalent Privacy)
TECH NOTE: WPA (Wi-Fi Protected Access)



Workstations

Employee workstations can be the most difficult device to secure properly. For a start the employee has unrestricted physical access to the computer and (hopefully) restricted access to the network.

As much data and information as possible should actually be stored on the server with limited facilities for the employee to download and copy the data via his computer.

Ideally technologies such as server based profiles, Active Directory, Terminal Services and SMS (Systems Management Server) should be used to lock down employee access as much as possible without restricting them to the point of severe inconvenience.

Features of the operating system that the user does not need on a day to day basis, such as access to the Command Prompt on Windows, should be locked down and access restricted.

Users should never logon to their computers with the Administrator or Root account. See the sub-section on Least Privilege.


Laptops / Portable Devices

Data that is installed on a device that is going to be used in the field, must be encrypted. Under Windows a superb solution is Truecrypt.

Truecrypt allows you to set up a ‘container’ whose contents are heavily encrypted; an encryption key must be entered every time the computer is turned on. This ensures that if the device is lost, your data will remain secure.


Auditing

It is important that part of your security initiative involves auditing your systems. A lot of important information is contained in logs that are scattered around your servers and devices.

It is necessary to look at what devices produce logs that are important and need regular monitoring, and then ensure that you do monitor them. It will be beneficial to introduce some mechanism so that the logs are sent to you on a regular basis, rather than you having to go and get them each time.

You should set up a document that details all your important logs along with the schedule for checking and auditing them.


Separation of Duties

An important part of corporate security is Separation of Duties. This basically means that no one individual should be able to control a process from beginning to end.

Separation of Duties allows for checks to be made by a different individual which helps eliminate mistakes and minimises the risks of fraud.


Viruses

A computer virus is a self-replicating computer program written to alter the way a computer operates, without the permission or knowledge of the user. Though the term is commonly used to refer to a range of Malware, a true virus must replicate itself, and must execute itself. The latter criterion is often met by a virus which replaces existing executable files with a virus-infected copy. While viruses can be intentionally destructive—destroying data, for example—some viruses are benign or merely annoying.

(Source: Wikipedia)

The main source of a Virus infection today is via an email attachment. The ultimate solution of course is to stop the email attachments. Unfortunately due to the lack of an easy, user friendly alternative to sending files, email is now used in a way it was never originally intended, i.e. as a way of transporting files between individuals.

(A fast, easy to use, fully secure method of sending files between users instead of via email is something I am currently looking at creating personally next year)

Destructive Viruses are now far less common than previously. Capitalism has reared its ugly head and you are far more likely nowadays to have your computer compromised and used for criminal activities, with the instigators and controllers of this criminal activity receiving payment in return for supplying your computer as part of a ‘slave army’ of cycles and computer horsepower.

Viruses can be the transport, or distribution method, for Malware. See the next section.

A computer virus behaves in a way similar to a biological virus, which spreads by inserting itself into living cells. Extending the analogy, the insertion of a virus into the program is termed as an ‘infection’, and the infected file, or executable code that is not part of a file, is called a ‘host’.

A computer virus will pass from one computer to another like a real life biological virus passes from person to person. For example, it is estimated by experts that the Mydoom worm infected a quarter of a million computers in a single day in January 2004. In March 1999, the Melissa virus spread so rapidly that it forced Microsoft and a number of other very large companies to completely turn off their email systems until the virus could be dealt with. Another example is the ILOVEYOU virus, which occurred in 2000 and had a similar effect. It stole most of its operating style from Melissa.


Malware

Malware is software designed to infiltrate or damage a computer system without the owner's informed consent. It is a blend of the words ‘malicious’ and ‘software’. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code.

Many normal computer users are however still unfamiliar with the term, and most never use it. Instead, ‘Virus’ is used in common parlance and often in the general media to describe all kinds of Malware.

Software is considered Malware based on the perceived intent of the creator rather than any particular features. It includes computer Viruses, Worms, Trojan horses, Spyware, Adware, and other malicious and unwanted software.

(Source: Wikipedia)


Pod Slurping

The most popular MP3 player, the Apple iPod, has sold 100 Million units since 2001. In addition to the iPod there are many different and competing products in the portable music player space.

From a security standpoint the one thing they have in common is the ability to be plugged into a computer and copy huge amounts of data (possibly confidential data) onto the device in a matter of a few minutes. This can be done very discreetly and easily.

A common misconception is that if the outside perimeter of your network is secured, with Firewalls and Routers, then your network is safe. Very little thought is given to the security of computers and data inside the perimeter and yet around 50% of all security breaches occur from inside the corporate firewall.

This is a very real problem, with no easy solution. If you are in charge of security for your organisation then it’s a problem you will want to address as it will not go away. These portable devices are getting smaller and their capacity is increasing.


Instant Messaging

Instant Messaging using tools such as MSN Messenger, Windows Live Messenger, Skype, AOL IM and ICQ has become a standard application for many of us. These tools do however have their risks.

It is important that a policy is in place that covers the use of Instant Messaging within your organisation, a policy that is rigorously enforced by the IT Department.

Content sent through to your employees via IM tools completely bypasses your perimeter network defences and, due to the ignorance of most people where these matters are concerned, poses a very real threat.


IDS (Intrusion Detection Systems)

ID stands for Intrusion Detection, which is the art of detecting inappropriate, incorrect, or anomalous activity. ID systems that operate on a host to detect malicious activity on that host are called host-based ID systems, and ID systems that operate on network data flows are called network-based ID systems.

Sometimes, a distinction is made between misuse and intrusion detection. The term intrusion is used to describe attacks from the outside, whereas, misuse is used to describe an attack that originates from the internal network. However, most people don't draw such distinctions.

The most common approaches to ID are statistical anomaly detection and pattern-matching detection.

Intrusion Prevention Systems
Quite often discussed in the same context are IPS (Intrusion Prevention Systems). Intrusion prevention systems were invented in the late 1990s to resolve ambiguities in passive network monitoring by placing detection systems in-line. A considerable improvement upon firewall technologies, IPS make access control decisions based on application content, rather than IP address or ports as traditional firewalls had done. As IPS systems were originally a literal extension of Intrusion Detection Systems, they continue to be related.

An IPS is very similar to an Application Layer Firewall.


Encryption

IPSec
IPSec (IP Security) is based on the concept of a shared secret. The encoding and decoding of the information can only be done if the two devices share a piece of key information. This means that the data can be captured but not understood unless the third party shares the secret.

IPSec was designed to support the secure exchange of packets at the IP Layer. IPSec supports two modes of operation, Transport and Tunnel. Tunnel is the most secure and is the one we are most likely to be familiar with as it is widely used in the VPN (Virtual Private Network) domain.

The primary protocol used by IPSec for exchanging the secret is called Internet Key Exchange (IKE). Most of the IKE exchange process is based on a mechanism called OAKLEY, which works with assorted key exchange modes. Another similar mechanism also used by IKE is SKEME; this supplies IKE with its method of Public Key Encryption and its fast re-keying facility.

RSA
RSA was developed by three mathematicians, Ron Rivest, Adi Shamir and Leonard Adleman. This system uses a Public and a Private Key. It is probably the most popular method for Public Key Encryption, and digital signatures, in use today.

RC4
RC4 was also invented by Ron Rivest and is used in certain commercial systems such as Netscape and Lotus Notes. It has a bit size of 2048, which makes it a fast and strong cipher.

AES
AES (Advanced Encryption Standard) is a block cipher that has been adopted by the US Government. Two Belgian cryptographers, Joan Daemen and Vincent Rijmen, developed AES as Rijndael. AES is fast in both software and hardware, is relatively easy to implement, and requires little memory. As a new encryption standard, it is currently being deployed on a large scale.

In June 2003, the US Government announced that AES may be used for classified information:
"The design and strength of all key lengths of the AES algorithm (i.e., 128, 192 and 256) are sufficient to protect classified information up to the SECRET level. TOP SECRET information will require use of either the 192 or 256 key lengths. The implementation of AES in products intended to protect national security systems and/or information must be reviewed and certified by NSA prior to their acquisition and use."


Social Engineering

‘The art and science of getting people to comply to your wishes’ (Source: Bernz 2), ‘an outside hacker’s use of psychological tricks on legitimate users of a computer system, in order to obtain information he needs to gain access to the system’ (Source: Palumbo), or ‘getting needed information (for example, a password) from a person rather than breaking into a system’ (Source: Berg).

In reality, social engineering can be any and all of these things, depending upon where you sit. The one thing that everyone seems to agree upon is that social engineering is generally a hacker’s clever manipulation of the natural human tendency to trust. The hacker’s goal is to obtain information that will allow him/her to gain unauthorized access to a valued system and the information that resides on that system. (Source: Sarah Granger)

Social Engineering is probably one of the biggest threats we face in security and the one we can protect against the least. We have to rely on our employees to question and be vigilant. To do that we need to make them aware of security and the issues surrounding it. See the section on Employee Education.


Reverse Social Engineering

This is where the attacker assumes a position of authority and gets the victim to freely offer information and ask advice. This requires a high level of skill, preparation and research.


Disaster Recovery and Business Continuity

A Disaster Recovery and Business Continuity plan is essential. If the worst happens you want to be able to refer to a document that covers the steps to take to enable you to be back up and running without delay.

The scope of DR and BC could encompass everything from a server crashing and data being lost, to the building going up in flames.

Many companies have a ‘cold’, ‘warm’ or ‘hot’ site standing by to be used in the eventuality of the main place of work being destroyed through fire, flood, terrorist activity or something similar.

A Cold Site generally refers to an empty building; a Warm Site refers to a building with maybe desks and networking; and a Hot Site refers to a building that is fully fitted with everything, including computer systems, ready to have the backups loaded and be up and running in a very short space of time.

Definitions

Disaster Recovery Plan: Provides procedures for recovering from a disaster after it occurs and also documents how to return the normal IT functions back to the business.

Business Recovery Plan: Addresses how business functions will resume after a disaster, preferably at an alternate site.

Business Resumption Plan: This addresses how critical systems and the functions of the business will be maintained.

Contingency Plan: This addresses what actions can be performed with regard to the normal business activities after a disaster.


Disposal and Destruction

It is a little known fact that, even after a format, data can be recovered from your computer’s hard disk by a determined hacker. This makes it essential that when disposing of old computers, unless you physically destroy them, you go to some lengths to make sure that the data that was contained on the computer cannot be recovered.

There are various methods that can be used to securely wipe the data from a hard disk. It is important that you select a method that offers the level of protection you require and then use it. Always.


Employee Exit Procedures

When an employee leaves the company, or announces their intention to leave, this should trigger a sequence of documented events that are related to the job they do or did. For example the series of steps to be taken when the IT Manager leaves are different to the series of steps to be taken when the Receptionist leaves.

This series of steps should incorporate the removal of their access card, token, key or any other device they have that can be used to gain physical access to your premises.

Their access to the computer network via remote means should also be removed and any access to confidential data prior to their departure should be logged.

Each and every employee should have an exit interview where their responsibilities to the company are discussed as are any restrictions that are placed upon them contractually.


Employee Education

Good security is impossible to implement without the cooperation of the users and employees.

To this end investment in security training and briefings is likely to pay dividends. Posters should be placed around the working area highlighting key information relating to security threats and reminding users of their responsibilities.

Security cannot be delegated to one department and each and every user should understand that they have a part to play. Training and education for the users in basic security threats should be mandatory.

A lot of excellent material, including leaflets and posters, is available from the Department of Trade and Industry (DTI) website.


Security Testing

To ensure that your security policies are enforced it will be necessary to implement Security Testing. Security Testing can be carried out in any and all of the following ways:

Drills
Penetration Testing
Query Employees
Review the Procedures

In many cases the only way to adequately test your security is through the use of a third party company.

www.artenscience.co.uk
Honest Expert Independent Technology Advice for Business
