Simple Steps to Help Secure the Enterprise
In 1999, over 1800 security experts meeting at the Federal Computer Security Conference held in Baltimore, Maryland identified the seven worst management errors that lead to computer security vulnerabilities. Although the poll is now seven years old, these errors are still commonly made today:
Seven Errors That Make Your Firm Vulnerable
- Assigning untrained people to maintain security and providing neither the training nor the time to make it possible to do the job.
- Failure to understand the relationship of information security to the business model; not seeing the consequences of poor information security.
- Failure to deal with operational aspects of security; making fixes but not following through to make sure the problem stays fixed.
- Relying primarily on a firewall.
- Failing to realize how much money their information and organizational reputations are worth.
- Taking a reactive instead of proactive approach to dealing with security issues.
- Pretending that computer and data security problems will go away if ignored. The “that only happens to people in magazines or movies” mentality.
Do any of these sound familiar to you? The majority of these seven errors are issues of philosophy rather than technology.
In this article I want to highlight that, more often than not, simple security measures are the most effective means of keeping the bad guys outside the door, or at least of giving them a reason to move on to an easier target.
Life Used To Be Less Complicated
No email, few remote access options, centralized data generally inaccessible to those outside corporate office walls—these used to be the norm.
But that is not reality anymore, nor has it been for some time. Barely a day goes by where one does not read about stolen, lost or compromised data. Recently enacted legislation at federal and state levels makes poor security not just a matter of embarrassment or financial liability; lose the wrong kind of data and someone might go to jail.
Be Secure Across Many Boundaries
Today, every firm needs a well developed understanding of what it takes to secure the enterprise, keeping in mind that remote access, the Internet and laptops have extended, if not obliterated, the enterprise “perimeter.” Those who do not seriously address data security will eventually be compromised, with potentially firm-threatening consequences.
At Decosimo, we have implemented the security philosophy of “defense in depth.” In short, we do not depend on any one security measure, whether software or hardware, to maintain the security, integrity and availability of our data. Rather, we employ numerous methods, processes, software and hardware in layers, so that the failure of any single one does not expose the firm. Defense in depth treats the simplest measure as being every bit as important as the most complicated. The defense in depth philosophy is the basis for many “Best Practices” lists on computer and data security.
I recently attended a six-day training seminar which examined hacker techniques, exploits and how to defend against them. At least a dozen real-life examples (some of which the reader would recognize from published reports during the past two years) were discussed. In every example, the initial “hole” exploited by the attackers existed because simple security processes were either not deployed at all or were deployed poorly.
In one case, an out-of-date anti-virus definition was the culprit; in another it was weak passwords. One case turned on the absence of security measures on a company’s wireless access points, which resulted in the theft of over a million credit card numbers. Another could have been prevented by someone regularly reading server access logs. Not one of the missing preventive measures would have cost the company in question much money or required sophisticated technology. Yet these failures resulted in great embarrassment, monetary loss and civil lawsuits.
My point is that we can spend hundreds of thousands of dollars on intrusion detection and prevention systems, firewalls, filters and so on. But if we do that while leaving the obvious and simple processes uninstalled or poorly implemented, it is those simple gaps, far more often than any weakness in the expensive tools, that will be the cause of a breach in the firm’s security, with the embarrassment and monetary liability that follow.
Take Security Seriously
Let's consider some obvious yet often overlooked security initiatives.
Your firm must treat the security, confidentiality and integrity of its computer systems seriously, as part of its business model and mission.
Someone should have the responsibility of securing the firm's computer systems in his or her job description. This person should be trained and included as part of the management team and in most operational discussions. This person should also be held accountable by the executive management team.
A commitment from the executive management of the firm is critical. Security takes resources, and unless the “owners” see the dangers, they will not see the need to allocate the time or money necessary to implement sound security in their organization.
If you do not have an I.T. Steering Committee that discusses security matters at regular and frequent meetings, your security effort will lack direction (even if you personally see the need). Our committee has a member from each department, including assurance, tax, corporate finance, firm administration, executive management and I.T. The person who is responsible for computer security must be a member of this committee. The Steering Committee ensures buy-in for the sometimes sensitive security policies that must be implemented.
Outline Specific Policies
Policies are another overlooked but important and critical step in implementing security in the workplace. If you do not have clear and specific policies, you cannot expect your employees to understand the risks and their own responsibilities in keeping the enterprise secure.
Each policy should address a single subject, should state the purpose clearly in the first paragraph and list what is expected of the user in terms of compliance and consequences. Policy templates are available for free on several Internet sites, such as the SANS site.
Consider something as simple as physical access to your offices, computers and data center. If you do not know who is physically accessing what, when and where, then you do not have control over your computing environment. The more important the resource, the more difficult it should be to have physical access to it.
Keep Employees Aware
Another non-techie step to better security is fostering general employee awareness. Firms should hold regularly scheduled security awareness training and “what’s new” talks to staff. At Decosimo every new employee receives a computer policy packet that explains how seriously we take data security. We stress on a regular basis that our employees are the first line of defense in our security posture. A security conscious employee is an invaluable asset in the fight to secure your enterprise.
Employees should be reminded of the importance of compliance to written policies. Explaining why a policy is in place goes a long way to making allies from users that may view your computer policies as over protective or intrusive. We strongly and regularly emphasize Internet browsing awareness, password protection awareness and email awareness.
Follow Through With Your Tools
It is important to realize that merely installing a defense, such as a firewall or anti-virus, does little by itself to ensure a defense. A tool’s effectiveness depends not only on its installation, but also on its correct configuration, administration and maintenance.
To illustrate: if I install anti-virus software on my servers and workstations, we would all agree that is necessary and good. But if I configure it poorly, for example by installing the workstation clients in “unmanaged mode” or by allowing users to disable the anti-virus software on their own computers, then I will end up with users who do not keep their definitions up to date, and the firm will (not may) be infected.
If I never look at the anti-virus admin reports or the alerts that show threat and virus logs, then I have failed to administer the product, and I will not be able to proactively adjust my configuration for future threats.
If I infrequently (or never) update and patch the product itself, I have failed to maintain it correctly. Configuration, administration and maintenance are critical components in the effectiveness of any computer security defense.
The lesson here is: yes, implement an anti-virus and anti-spyware defense. But don’t just stick it on the network and forget about it! Make sure all your systems have it, make sure it can only be disabled under special conditions (with admin approval), make sure the definition subscriptions do not expire, keep the software patched and updated, and look at the logs on a regular basis. None of these steps costs anything beyond staff time.
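The follow-through checks just listed are easy to automate once the anti-virus console can export its view of the endpoints. The script below is an added example, not code from the article or from any vendor's product: it audits a constructed CSV export (the column layout is an assumption for this illustration) and reports every host that is missing the product, running in unmanaged mode, able to be disabled by its user, carrying stale definitions, or sitting on a subscription that has expired or is about to.

```python
"""Audit an anti-virus console export against the follow-through rules in the
text.  The CSV layout and the rows are constructed for this example; they are
not a real vendor's export format or real hosts."""
import csv
import io
from datetime import date, timedelta

# Constructed sample export.  One row per endpoint.
SAMPLE_EXPORT = """\
host,av_installed,client_mode,user_can_disable,definition_date,subscription_expires
fs01,yes,managed,no,2006-03-14,2006-12-31
ws-acct-07,yes,unmanaged,yes,2005-11-02,2006-12-31
ws-tax-12,yes,managed,no,2006-03-13,2006-03-20
lt-partner-03,no,,,,
"""

MAX_DEFINITION_AGE = timedelta(days=3)      # definitions older than this are stale
SUBSCRIPTION_WARNING = timedelta(days=30)   # warn before the feed actually lapses


def audit_av_export(export_text, today_iso):
    """Return {host: [finding, ...]} for every host that breaks a rule.
    today_iso is the audit date as YYYY-MM-DD so the result is reproducible."""
    today = date.fromisoformat(today_iso)
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        problems = []
        if row["av_installed"].strip().lower() != "yes":
            # Nothing else can be checked; the product is simply absent.
            problems.append("anti-virus not installed")
        else:
            if row["client_mode"].strip().lower() != "managed":
                problems.append("client not centrally managed (unmanaged mode)")
            if row["user_can_disable"].strip().lower() == "yes":
                problems.append("user may disable protection")
            age = today - date.fromisoformat(row["definition_date"])
            if age > MAX_DEFINITION_AGE:
                problems.append(f"definitions {age.days} days old")
            expires = date.fromisoformat(row["subscription_expires"])
            if expires < today:
                problems.append("definition subscription expired")
            elif expires - today <= SUBSCRIPTION_WARNING:
                problems.append(f"subscription expires in {(expires - today).days} days")
        if problems:
            findings[row["host"]] = problems
    return findings


if __name__ == "__main__":
    for host, problems in audit_av_export(SAMPLE_EXPORT, "2006-03-15").items():
        print(f"{host}: {'; '.join(problems)}")
```

Run against the constructed export on 2006-03-15, the file server passes, the unmanaged accounting workstation is flagged three times (unmanaged, user-disableable, definitions 133 days old), the tax workstation is warned about a subscription lapsing in five days, and the partner's laptop has no product at all. Running a check like this weekly, and reading its output, is the "administration" part of the text's configure, administer, maintain triad.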
Employ Good Passwords
Everyone uses passwords. Unfortunately, few understand and employ good passwords.
Passwords have little to do with nuts and bolts technology. But understanding them, how they work and how to implement a good password policy are critical to securing your firm's systems. Some pundits have declared that passwords are old technology. I disagree, and there are some simple (that word again!) steps a firm can take to harden its password systems.
In his book Perfect Passwords, Mark Burnett states, “The single most important aspect of information security is strong passwords. Likewise the single greatest security failure is weak passwords”.
First, devise a policy about password sharing and password composition. Password cracking programs can be downloaded free from the Internet. Passwords made up of dictionary words, names and places are compromised within seconds. Really.
Hackers use word lists built from entire dictionaries, hashing each candidate and comparing it against the stored password hashes. I was able to convince a skeptic to sign off on password hardening by showing him how quickly I could crack his password, right before his eyes. It took all of one second to pop up. That made the decision to change our password policy very easy!
The single most important factor in building a strong password is length. An eight character password drawn from multiple character sets (upper and lower case, numbers and special characters) is less secure than a 15 character, all-lowercase password: the first has roughly 94^8, about 6 × 10^15, possible values, while the second has 26^15, about 1.7 × 10^21. So which is easier to remember, “#3retRet” or “some kind of daisy”? Longer passwords, or pass phrases as some call them, are better.
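To make the two points above concrete, here is an added example (not code from the article or from Mark Burnett's book): a search-space estimate for the two passwords just discussed, and a toy dictionary attack of the kind the seminar demonstration used. The word list, the mangling rules and the hashes are constructed for this illustration; unsalted SHA-256 stands in for whatever hash a weak system actually stores. The example also goes one step beyond the text by estimating a pass phrase's strength in whole words rather than characters, which is how a cracker with a word list actually attacks it.

```python
"""Password search-space estimates and a toy dictionary attack.  Word list,
rules and hashes are constructed for this example; unsalted SHA-256 is an
assumption standing in for the target system's hash."""
import hashlib
import math
import string

SPECIALS = set(string.punctuation) | {" "}   # 32 punctuation marks plus space


def sha256_hex(text):
    """Unsalted hash, as a weak system might store it."""
    return hashlib.sha256(text.encode()).hexdigest()


def search_space_bits(password):
    """log2 of the brute-force space implied by the character classes present
    and the length: what an attacker who knows only those facts must exhaust."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in SPECIALS for c in password):
        alphabet += len(SPECIALS)
    return len(password) * math.log2(alphabet)


def word_space_bits(n_words, vocabulary_size):
    """The same estimate when the attacker guesses whole words instead of
    characters, as combinator attacks on pass phrases do."""
    return n_words * math.log2(vocabulary_size)


# Constructed word list; a real attack uses hundreds of thousands of entries.
WORDLIST = ["password", "daisy", "summer", "letmein", "chattanooga", "welcome"]


def _mangle(word):
    """Common cracker rules: as-is, capitalised, with a digit or '!' appended.
    A digit in the MIDDLE of a phrase is not produced by rules like these."""
    for base in (word, word.capitalize()):
        yield base
        for suffix in "0123456789!":
            yield base + suffix


def crack(hash_hex, wordlist=WORDLIST):
    """Return the plaintext if a mangled dictionary word matches, else None."""
    for word in wordlist:
        for candidate in _mangle(word):
            if sha256_hex(candidate) == hash_hex:
                return candidate
    return None


if __name__ == "__main__":
    for pw in ("#3retRet", "some kind of daisy", "Summer1"):
        print(f"{pw!r}: {search_space_bits(pw):.0f} bits, "
              f"cracked -> {crack(sha256_hex(pw))}")
    print(f"4 common words from a 10,000-word vocabulary: "
          f"{word_space_bits(4, 10_000):.0f} bits")
```

Against a character-by-character attacker, “#3retRet” is worth about 53 bits and “some kind of daisy” about 106. But an attacker who guesses four common words from a 10,000-word vocabulary faces only about 53 bits for the phrase, the same as the short complex password, which is exactly why the next section's advice to drop a digit or symbol into the middle of the phrase matters: the suffix rules shown above never generate it. “Summer1” falls to the toy list in a few hundred hash operations, which is the one-second demonstration described above.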
Other good password practices are:
- Put a number or special character somewhere other than at the beginning or end of the pass phrase above and you have a very strong password, one that would take many months of intense cracking effort to recover.
- Change passwords regularly. Many recommend forcing password changes every 60 to 120 days; the longer and stronger the password, the longer the interval between changes can be.
- Change system and admin passwords even more regularly.
- Have a way to enforce your password policy and use it.
- When installing software or hardware, change default passwords and administrator login IDs.
An excellent study on password creation and a generally entertaining and enlightening read is the aforementioned Perfect Passwords, by Mark Burnett, from Syngress Press.
Secure Your Perimeter
Implementing a firewall? That’s good, but it can lead to a false sense of security.
Make sure you have someone familiar with firewall settings and port designations, and speak with them about changing the out-of-the-box configuration to better secure your organization. Change the admin password. Deny all outbound traffic whose source address is not in your own IP address space (an egress anti-spoofing rule), and deny all directed IP broadcast packets. For more detailed and technical steps, read the SANS Institute’s Securing Cisco Firewalls. Although the book focuses on Cisco equipment, the concepts apply to any capable firewall.
Installing wireless access points? Change the admin passwords and the admin login ID. Review the options in the manuals and enable the security features the equipment offers rather than running it with the defaults.
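The two rule changes named above are simple enough to state as a policy function, and doing so makes them testable. The block below is an added example, not code from the article or the SANS book: it implements the anti-spoofing egress rule and the directed-broadcast deny over a set of constructed packets, and also applies the mirror-image ingress rule (drop arriving packets that claim one of the firm's own addresses), which the text does not mention but which the same reasoning, documented in BCP 38, calls for. The block 203.0.113.0/24 is a documentation range standing in for the firm's real address space; it and the packets are assumptions.

```python
"""Anti-spoofing egress/ingress filtering and directed-broadcast denial as a
packet-policy function.  The address block and the packets are constructed
for this example."""
import ipaddress

# Assumed: the address space the firm owns behind this firewall.
INTERNAL_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def _is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def _is_directed_broadcast(addr):
    # The all-ones host address of one of our subnets, e.g. 203.0.113.255,
    # which is the target of smurf-style amplification.
    return any(addr == net.broadcast_address for net in INTERNAL_NETS)


def verdict(direction, src, dst):
    """Decide one packet.  direction is 'out' (leaving the firm) or 'in'.
    Returns ('deny', reason) or ('permit', '').  Deny rules are evaluated
    first so that no later permit can override them."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    if _is_directed_broadcast(dst_ip):
        return ("deny", "directed broadcast to an internal subnet")
    if direction == "out" and not _is_internal(src_ip):
        return ("deny", "outbound source is not in our address space (spoofed)")
    if direction == "in" and _is_internal(src_ip):
        return ("deny", "inbound source claims our own address space (spoofed)")
    return ("permit", "")


# Constructed packets: (direction, source, destination).  Not captured traffic.
SAMPLE_PACKETS = [
    ("out", "203.0.113.10", "198.51.100.5"),   # normal outbound: permit
    ("out", "10.0.0.5", "198.51.100.5"),       # RFC 1918 source leaking out: deny
    ("in", "198.51.100.5", "203.0.113.255"),   # probe at our broadcast address: deny
    ("in", "203.0.113.7", "203.0.113.20"),     # outsider pretending to be us: deny
    ("in", "198.51.100.5", "203.0.113.20"),    # ordinary inbound: permit
]


def apply_policy(packets=SAMPLE_PACKETS):
    """Run the policy over a packet list; yields (direction, src, dst, action, reason)."""
    return [(d, s, t) + verdict(d, s, t) for d, s, t in packets]


if __name__ == "__main__":
    for direction, src, dst, action, reason in apply_policy():
        print(f"{direction:3} {src:>15} -> {dst:<15} {action.upper():6} {reason}")
```

On Cisco equipment the directed-broadcast piece is `no ip directed-broadcast` on each interface (the default since IOS 12.0) and the egress piece is an outbound access list that permits only your own source block and denies everything else. These are sanity rules, not the whole policy: a stateful firewall still decides which sessions may be opened in each direction on top of them.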
No System is 100% Secure
Remember the story of two men walking in the woods? They came across a ferocious bear that starts to run after them. One says to the other, “I hope we can outrun this bear”, to which the other replies, “I hope I can just outrun you!”
No system is 100% secure. However, these simple measures will, for the most part, ensure that your systems are not the ones that get hacked. Hackers are criminals, and like criminals everywhere, they prefer the easy route. Make it more difficult and the bad guys will move on to an easier target. To paraphrase the story, you don’t have to have the best defense; you just need better defenses than the other people around you.
Other Important Actions
Now, for a quick list, by no means exhaustive, of other simple things to do, not expounded upon above.
- Keep your Microsoft systems patched. At a minimum, use Windows Server Update Services (WSUS) to push MS patches and updates out on a regular and consistent basis.
- Filter email before it is delivered to the desktop. Don’t rely only on your workstation anti-virus and your end user.
- Get away from older operating systems. Upgrade your Windows 95, 98, Me, and 2000 boxes.
- Use intelligent (managed) switches instead of hubs. A hub repeats every frame to every port, so any machine plugged into it can sniff its neighbors’ traffic.
- Encrypt data on your laptops, or at least have a section of your laptop used for client data that contains encryption software and train users in its correct use.
- Have an idea of what hardware and software you have in your environment. Of course, an inventory tracking system is best.
- DO install firewalls on all outward facing interfaces.
- Turn off any services on your computers, and especially on your servers, that you do not use or need. Services such as FTP and telnet keep ports open that are frequently used as avenues of attack. If you don’t need them, close that avenue down.
- Subscribe to a security e-newsletter or visit a security site regularly. Some good ones are http://isc.sans.org, the Federal Government’s http://onguardonline.gov, and http://www.cisecurity.org. Each of these sites is an excellent resource for security tools and information.
Contract With a Security Firm
Finally, although more costly and not in the “simple to do myself” category, contract with a security firm to run a vulnerability assessment against your systems. Even better, include a penetration test when negotiating the contract. I think such testing is well worth the money a dozen times over. At a minimum, do this for all outward facing systems. Not only will this expose vulnerabilities in your defenses you didn’t know were there, it will also serve as a roadmap showing where you need to improve and where to target your resources.
Implementing enterprise security takes much more thought and resources than described here. There are many other issues that need to be addressed to implement a “defense in depth” strategy not discussed in this article. But grab a big bunch of low hanging fruit by making sure you don’t overlook the simple and often inexpensive practices and measures discussed here.

