How to Set Effective Security Policies at Your Organization
David Strom
VAR Business Technology Editor
June 20, 2002
My background
Author of “Home Networking Survival Guide” book from Osborne/McGraw Hill
Founding Editor-in-Chief, Network Computing
Tested numerous networking and security products
Things to know before you can set effective policies
Problems with existing network and applications infrastructure
Issues with products and protocols
Ways around the various tools that you are trying to use to lock things down
Who is in charge, anyway?
Do you have a chief security officer?
Does s/he have any real authority?
Does s/he have control over corporate directories, network infrastructure decisions, and internal applications development?
Look at your exposure from within
Network admins who have rights to everything
Applications that have access to other applications
Users who temporarily gain access outside of their normal departments
So let’s look at the following:
VPN policies and choices
Email policies and issues
eCommerce issues
Firewalls don't protect you all the time
Role of integrators with VPNs
Help with their rollout and configuration
Help with remote support and troubleshooting
Recommend equipment and configuration
Include as part of overall telecommuting application
VPN Issue #1: Ease of use
VPNs still vexing
Matched pair problem: the client and the gateway generally have to come from the same vendor to interoperate
Hardware or software choices not always obvious
VPN Issue #2: Cable providers don’t like home networks
Getting static IPs can be a problem
Changing MAC addresses is an issue
Administering and supporting a home network is sometimes beyond their abilities or interest
… Yet all cable modems come with Ethernet!
VPN Issue #3: Providers hate VPNs
Well, maybe they are more ignorant of them than hostile to them
Some don't include VPNs in their terms of service (TOS)
Some do everything they can to discourage their use (frequent IP changes, for example)
VPN Issue #4: Remote support
Coordinating a VPN roll out for telecommuters can swamp a small tech support department
Variations among Windows versions, and non-Windows PCs, can be difficult!
What if users require more than one tunnel?
State of VPNs
Software now comes included in residential gateways like Sonic and Netgear
Still too hard for the average consumer, and the average business computer user
But wider support is inevitable
Costs too much and requires some careful justification
VPN.net: A new way of establishing VPNs
Email policies
How accurate is your employee directory?
Do outsiders have access to your email system? And for how long?
Do terminated employees have access still?
How often do employees copy all by mistake?
Making email secure
Use Notes or GroupWise
Don't run Outlook, Outlook Express
Use PGP or S/MIME products
eCommerce issues
Make sure you protect your enterprise network from intrusion
Limit user access, isolate servers, lock down scripts, harden servers
See www.nwfusion.com/netresources/0202hack1.html
Web/database issues
Understand security weaknesses and access controls of local database users
Understand web/database interaction from a security perspective
Understand proxy server attacks (à la Adrian Lamo)
Block those CGI scripts!
Who is root and what can they really do?
Common mistakes with payment processing
Provide too few or too many order confirmation pages
Confusing methods and misplaced buttons on order page
Make it hard for customers to buy things
Don't make your customers read error screens
ConEd bill payment issue
Claim they needed 100,000 customers to break even
https://m020-w5.coned.com/csol/main.asp
Note the lack of access control: anyone who knows a valid account number can see that customer's bill, and nothing ties the account to a logged-in user. The deck demonstrated this with account number 434117168910006.
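The ConEd flaw above is a lookup keyed on nothing but a guessable identifier, with no check that the caller is entitled to the record. The block below is an added example, not the deck's or ConEd's code: it places that lookup beside a hardened version that checks ownership, answers "no such account" and "not your account" identically so the endpoint cannot be used to enumerate valid numbers, and locks a session out after repeated misses. The account numbers, owners, balances and the Session type are constructed for the example.

```python
"""Bill lookup keyed only on an account number, beside the same lookup with an
ownership check and an enumeration brake. Added example; data is constructed."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Session:
    """What the web tier knows after login. Assumption: user_id is authenticated."""
    user_id: str


class Forbidden(Exception):
    pass


# Constructed records: account number -> owner and balance. The numbers are
# deliberately sequential, as utility account numbers tend to be.
ACCOUNTS: Dict[str, Dict[str, object]] = {
    "100000000000001": {"owner": "alice", "balance": 87.50},
    "100000000000002": {"owner": "bob", "balance": 142.10},
    "100000000000003": {"owner": "alice", "balance": 19.95},
}


def get_bill_vulnerable(account_no: str) -> Optional[float]:
    """The flaw: the account number is the only 'credential', so anyone who knows
    or guesses a valid one reads that customer's bill."""
    rec = ACCOUNTS.get(account_no)
    return None if rec is None else float(rec["balance"])


class BillService:
    """Hardened lookup: the record must belong to the logged-in user, a missing
    and a foreign account get the identical answer, and repeated misses lock the
    user out so the endpoint cannot be used to walk the account-number space."""

    MAX_MISSES = 5

    def __init__(self, accounts: Dict[str, Dict[str, object]]) -> None:
        self.accounts = accounts
        self.misses: Counter = Counter()

    def get_bill(self, session: Session, account_no: str) -> float:
        if self.misses[session.user_id] >= self.MAX_MISSES:
            raise Forbidden("too many failed lookups; contact support")
        rec = self.accounts.get(account_no)
        if rec is None or rec["owner"] != session.user_id:
            self.misses[session.user_id] += 1
            raise Forbidden("no bill available for this account")
        return float(rec["balance"])

    def my_bills(self, session: Session) -> List[str]:
        """Better still: derive the account list from the session and never let the
        client choose an arbitrary account number at all."""
        return sorted(no for no, rec in self.accounts.items()
                      if rec["owner"] == session.user_id)


if __name__ == "__main__":
    print("anyone, no login:", get_bill_vulnerable("100000000000002"))
    svc = BillService(ACCOUNTS)
    print("bob, own account:", svc.get_bill(Session("bob"), "100000000000002"))
    try:
        svc.get_bill(Session("alice"), "100000000000002")
    except Forbidden as err:
        print("alice, bob's account:", err)
    print("alice's own accounts:", svc.my_bills(Session("alice")))
```

The `my_bills` path is the one to prefer in a redesign: once the server derives the account list from the session, the account number stops being an input the client controls, and the ownership check and lockout become defence in depth rather than the only barrier.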
Preventing credit card fraud
Don't accept orders unless full address and phone number present
Be wary of different "bill to" and "ship to" addresses
Be careful with orders from free email services
Be wary of orders that are larger than typical amount
Pay extra attention to international orders
Ways around firewalls
Uroam.com
GoToMyPC.com
Neoteris, other appliances
Remote control software (PC Anywhere, Carbon Copy, etc.)
Wireless LANs!
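The hosted services in the list above get past the firewall because they dial out: the agent on the desktop opens ordinary outbound HTTPS to the vendor and polls it, so an inbound-only rule set never sees anything to block. One place they do leave a trace is the outbound proxy log. The block below is an added example, not from the deck, of two checks worth running over such a log: connections to hosts under the remote-access vendors' domains, and client-to-host pairs that reconnect at a suspiciously regular period (which catches a polling agent even when the vendor is not on the list). The log format, every log line, and the gotomypc.com/uroam.com domain matching are constructed for the example.

```python
"""Spot desktop remote-access agents in an outbound proxy log.

Added example, not from the deck. The log format and every line in it are
constructed; the domain list holds the two services the slide names.
"""
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple, Set, Tuple


class Entry(NamedTuple):
    ts: datetime
    client: str
    host: str
    port: int


# Assumption: the vendors' agents talk to hosts under these registrable domains.
REMOTE_ACCESS_DOMAINS: Set[str] = {"gotomypc.com", "uroam.com"}

# Constructed log: "<iso-timestamp> <client> <host:port> <method> <status>".
SAMPLE_LOG = """\
2002-06-20T09:00:00 10.1.5.23 poll.gotomypc.com:443 CONNECT 200
2002-06-20T09:00:30 10.1.5.23 poll.gotomypc.com:443 CONNECT 200
2002-06-20T09:01:00 10.1.5.23 poll.gotomypc.com:443 CONNECT 200
2002-06-20T09:01:30 10.1.5.23 poll.gotomypc.com:443 CONNECT 200
2002-06-20T09:02:00 10.1.5.23 poll.gotomypc.com:443 CONNECT 200
2002-06-20T09:02:30 10.1.5.23 poll.gotomypc.com:443 CONNECT 200
2002-06-20T09:00:07 10.1.7.9 www.example.com:443 CONNECT 200
2002-06-20T09:03:41 10.1.7.9 www.example.com:443 CONNECT 200
2002-06-20T09:04:02 10.1.7.9 www.uroam.com:443 CONNECT 200
2002-06-20T09:12:55 10.1.7.9 www.example.com:443 CONNECT 200
"""


def parse_log(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, hostport, _method, _status = line.split()
        host, _, port = hostport.rpartition(":")
        entries.append(Entry(datetime.fromisoformat(ts), client, host.lower(), int(port)))
    return entries


def matches_remote_access(host: str, domains: Set[str] = REMOTE_ACCESS_DOMAINS) -> bool:
    """Suffix match on label boundaries, so notgotomypc.com does not match."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def known_service_hits(entries: List[Entry]) -> List[Tuple[str, str, int]]:
    """(client, host, count) for every connection to a listed remote-access vendor."""
    counts: Dict[Tuple[str, str], int] = defaultdict(int)
    for e in entries:
        if matches_remote_access(e.host):
            counts[(e.client, e.host)] += 1
    return sorted((c, h, n) for (c, h), n in counts.items())


def find_beacons(entries: List[Entry], min_hits: int = 5, max_cv: float = 0.2) -> List[dict]:
    """Client/host pairs that reconnect on a steady period, whatever the domain.
    cv is the coefficient of variation of the gaps between hits; a person browsing
    does not produce a cv near zero, a polling agent does."""
    by_pair: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for e in entries:
        by_pair[(e.client, e.host)].append(e.ts)
    beacons = []
    for (client, host), stamps in sorted(by_pair.items()):
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            beacons.append({"client": client, "host": host, "hits": len(stamps),
                            "period_s": round(mean, 1), "cv": round(cv, 3)})
    return beacons


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for client, host, n in known_service_hits(log):
        print(f"known remote-access service: {client} -> {host} ({n} hits)")
    for b in find_beacons(log):
        print(f"beacon: {b['client']} -> {b['host']} every {b['period_s']}s, {b['hits']} hits")
```

Both checks depend on the proxy being the only way out: if desktops can reach port 443 directly, the log never sees the agent, which is the policy point behind forcing all outbound web traffic through an authenticated proxy.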
Remote control loopholes
Do you even know if they are running?
Do port scans for the common ports that are used:
• PC Anywhere: 5631-2 (5631 TCP for data, 5632 UDP for status)
• Control IT: 799
• Carbon Copy: 1680
• VNC: 5900 (5900 plus the display number)
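A scan of the ports above is the first pass; the caveat is that a port-only scan misses a product that was moved off its default, and a VNC server identifies itself whichever port it sits on, because the RFB protocol has the server speak first with a version string such as `RFB 003.008` followed by a newline. The block below is an added example, not from the deck: a TCP-connect sweep of the listed ports, a banner read on every open port so VNC is recognised regardless of port, and a small fake VNC listener on the loopback interface so the code demonstrates itself offline. Assumptions: the products are on their defaults, and the fake listener stands in for a real server.

```python
"""Sweep for remote-control listeners on the default ports the slide names,
then confirm VNC by its banner (an RFB server speaks first: b"RFB 003.008\\n").

Added example, not from the original deck. Assumptions: products are on their
default ports, and the fake VNC listener below stands in for a real one.
"""
import socket
import threading
from typing import Dict, List, Optional, Tuple

# Default ports from the slide. 5632 is pcAnywhere's UDP status port, so a TCP
# probe of it is best-effort; 5900 is VNC display :0 (display N is 5900+N).
REMOTE_CONTROL_PORTS: Dict[int, str] = {
    5631: "pcAnywhere (data)",
    5632: "pcAnywhere (status, normally UDP)",
    799: "ControlIT",
    1680: "Carbon Copy",
    5900: "VNC display :0",
}


def tcp_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def read_banner(host: str, port: int, timeout: float = 1.0, nbytes: int = 32) -> bytes:
    """Connect and return whatever the service volunteers before we send anything."""
    buf = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            while len(buf) < nbytes and b"\n" not in buf:
                chunk = s.recv(nbytes - len(buf))
                if not chunk:
                    break
                buf += chunk
    except OSError:  # refused, unreachable, or a silent service (timeout)
        pass
    return buf


def is_vnc_banner(banner: bytes) -> bool:
    """RFB protocol version string: 'RFB xxx.yyy\\n', 12 bytes, e.g. RFB 003.008."""
    return len(banner) >= 12 and banner.startswith(b"RFB ") and banner[11:12] == b"\n"


def scan_host(host: str, ports: Optional[Dict[int, str]] = None,
              timeout: float = 1.0) -> List[Tuple[int, str, str]]:
    """Return (port, product, evidence) for each listed port that accepts a connection.

    The banner check runs on every open port, so VNC is recognised even when it
    has been moved off 5900 to hide from a port-only scan.
    """
    ports = REMOTE_CONTROL_PORTS if ports is None else ports
    findings = []
    for port, product in sorted(ports.items()):
        if not tcp_open(host, port, timeout):
            continue
        banner = read_banner(host, port, timeout)
        if is_vnc_banner(banner):
            evidence = "banner " + banner[:11].decode("ascii", "replace")
        else:
            evidence = "port open"
        findings.append((port, product, evidence))
    return findings


def start_fake_vnc_server() -> int:
    """Constructed stand-in for a VNC server on an ephemeral loopback port (demo only)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve() -> None:
        while True:
            conn, _ = srv.accept()
            with conn:
                try:
                    conn.sendall(b"RFB 003.008\n")
                except OSError:
                    pass  # tcp_open() hangs up immediately; that is expected

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    demo_port = start_fake_vnc_server()
    # In the field: loop scan_host(h) over your address ranges with the default table.
    for port, product, evidence in scan_host("127.0.0.1", {demo_port: "VNC (moved)", 799: "ControlIT"}):
        print(f"127.0.0.1:{port} {product}: {evidence}")
```

Run it against your own ranges rather than a list of known servers: the slide's point is that you do not know where these are running, and the answer usually includes a few desktops whose owners installed the software for convenience.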
Wireless LAN loopholes
Do you even know if they are running?
NetStumbler.com: good resource
Read this article too.
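A survey tool answers the question above only once its output is compared with what you believe you have. The block below is an added example, not from the deck, of that comparison: each access point seen in a walk-around survey is matched by BSSID against an inventory, and the unknown ones are split into two cases, because an unknown radio broadcasting your own SSID (clients will happily associate to it) deserves a different response from a neighbour's access point bleeding through the wall. The survey rows, the inventory and the CSV layout are constructed; NetStumbler's real export format is not reproduced.

```python
"""Triage a wireless survey against the AP inventory: which BSSIDs are yours,
which are unknown, and which unknown ones are advertising your SSID.

Added example, not from the deck. Survey rows and inventory are constructed.
"""
import csv
import io
from typing import Dict, List, NamedTuple, Set, Tuple


class AP(NamedTuple):
    bssid: str
    ssid: str
    channel: int
    encrypted: bool


# Constructed survey, as if exported after a walk around the building.
SURVEY_CSV = """\
bssid,ssid,channel,encryption
00:02:2d:aa:bb:01,corpnet,1,WEP
00:02:2d:aa:bb:02,corpnet,6,WEP
00:02:2d:aa:bb:03,corpnet,11,None
00:30:ab:12:34:56,corpnet,6,None
00:30:ab:65:43:21,linksys,6,None
00:04:5a:de:ad:01,guest-home,11,WEP
"""

# Constructed inventory: BSSID -> SSID the AP is supposed to broadcast.
AUTHORIZED: Dict[str, str] = {
    "00:02:2d:aa:bb:01": "corpnet",
    "00:02:2d:aa:bb:02": "corpnet",
    "00:02:2d:aa:bb:03": "corpnet",
}
CORPORATE_SSIDS: Set[str] = {"corpnet"}


def parse_survey(text: str) -> List[AP]:
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        enc = r["encryption"].strip().lower()
        rows.append(AP(r["bssid"].strip().lower(), r["ssid"].strip(),
                       int(r["channel"]), enc not in ("", "none", "open")))
    return rows


def triage(survey: List[AP], authorized: Dict[str, str],
           corporate_ssids: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (bssid, ssid, verdict). An unknown radio using the corporate SSID is
    the urgent case: clients will roam to it and hand it credentials or traffic."""
    findings = []
    for ap in survey:
        expected = authorized.get(ap.bssid)
        if expected is None:
            verdict = ("evil-twin candidate" if ap.ssid in corporate_ssids
                       else "unknown AP (rogue or neighbour)")
            if not ap.encrypted:
                verdict += ", open"
        elif ap.ssid != expected:
            verdict = "known AP, unexpected SSID"
        elif not ap.encrypted:
            verdict = "known AP, encryption off"
        else:
            verdict = "authorized"
        findings.append((ap.bssid, ap.ssid, verdict))
    return findings


def needs_action(findings: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Everything that is not simply an inventory AP behaving as configured."""
    return [f for f in findings if f[2] != "authorized"]


if __name__ == "__main__":
    report = triage(parse_survey(SURVEY_CSV), AUTHORIZED, CORPORATE_SSIDS)
    for bssid, ssid, verdict in needs_action(report):
        print(f"{bssid}  {ssid:<12} {verdict}")
```

Two caveats when reading the output. Telling a rogue from a neighbour takes signal strength and a walk toward the source, which a BSSID comparison cannot give you. And "encrypted" here means only "not wide open": key-recovery attacks on WEP were published and tooled in 2001, so an access point that passes this check still needs a VPN or other protection above the link layer, which is what the appliances on the next slide are for.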
Wireless VPN/firewall appliances
BlueSocket
ReefEdge
Vernier Networks
Mobility from Netmotion Wireless
Conclusions and questions
David Strom
Technology Editor
VAR Business magazine
(516) 562-7151