Security Management in Intranet

Upload: anil-okay

Post on 09-Apr-2018


  • 8/8/2019 Security Management in Intranet

    1/13


    What is Intranet?

    • A network based on TCP/IP protocols (an internet) belonging to an organization, usually a corporation, accessible only by the organization's members, employees, or others with authorization. An intranet's Web sites look and act just like any other Web sites, but the firewall surrounding an intranet fends off unauthorized access.

    • Like the Internet itself, intranets are used to share information. Secure intranets are now the fastest-growing segment of the Internet because they are much less expensive to build and manage than private networks based on proprietary protocols.


    Security


    Security Management in Intranet

    An intranet security strategy begins with a risk assessment that includes the following:

    • understanding the security vulnerabilities in an organization
    • identifying the threats that face your organization
    • assessing the risk of each threat
    • identifying appropriate steps to reduce risk to an acceptable level
    • verifying that the system meets the security benchmark appropriate for a particular organization


    Top Security Issues

    • Encryption
    • Access Control
    • Passwords
    • Content Publishing and Management
    • Firewall Set Up
    • Remote Access
    • Manage E-Mail
    • Viruses and Rogue Code


    Access Control

    • Are the server or servers protected by both hardware and software defenses?

    • Is access to the intranet sites limited to internal locations?

    • Is secured remote access made available?

    • Are access controls tied to job function, specific employees, and specific content?

    • This means that the manager of a department has access, via a specific mechanism, to certain information specified in the access control table.

    • Action to take: Make certain that the information in the security policy has been communicated to appropriate individuals. Verify that access controls are in place as part of the security audit, item 10 below.


    Passwords

    • Are employees required to change their passwords on a cycle, for example, every 60 days or more frequently?

    • Is this process automated and enforced?

    • A bad password is the name, a pet's name, or a single character such as d. A good password is a combination of letters and keyboard symbols; for example, h@pp7bo$car.

    • Action to take: Enforce password changes, length, and a combination of letters and keyboard symbols. (Make certain users do not tape user names and passwords to their keyboards or laptops.)


    Content Publishing and Management

    • Who is responsible for making changes to marketing-related Web pages?

    • Who has the responsibility of deleting and posting new pages on an intranet portal?

    • The intranet is intended to facilitate the exchange of information and applications among colleagues. Nevertheless, servers and Web pages should have designated "owners," that is, people who have specific permission to add, remove, and change content.

    • Action to take: Verify and update the table that shows each job function, ownership of data and Web pages for that function, and the specific rights accorded that job function.
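
One way to run the table check called for in the Access Control and Content Publishing and Management slides, as an added example that is not part of the original presentation: it compares a job-function rights table with the permissions actually configured and reports grants the table does not authorize and pages with no designated owner. The job functions, page paths, and data layout are assumptions constructed for illustration.

```python
"""Audit intranet page permissions against a job-function rights table.

Added example: every job function, path and grant below is constructed.
"""

# Policy table: job function -> {path prefix: rights accorded}
POLICY = {
    "marketing_manager": {"/marketing/": {"read", "add", "change", "remove"}},
    "marketing_staff":   {"/marketing/": {"read", "change"}},
    "hr_manager":        {"/hr/": {"read", "add", "change", "remove"}},
    "employee":          {"/marketing/": {"read"}, "/hr/policies/": {"read"}},
}

# Designated owners: page -> job function that owns it
OWNERS = {
    "/marketing/index.html": "marketing_manager",
    "/hr/policies/leave.html": "hr_manager",
}

# Grants as actually configured on the server: (page, job function, right)
ACTUAL_GRANTS = [
    ("/marketing/index.html", "marketing_staff", "change"),
    ("/marketing/index.html", "employee", "read"),
    ("/marketing/promo.html", "marketing_staff", "remove"),  # exceeds table
    ("/hr/policies/leave.html", "employee", "change"),       # exceeds table
    ("/hr/salaries.html", "hr_manager", "read"),
]


def allowed_rights(function, page):
    """Rights the table accords `function` on `page` (longest prefix wins)."""
    rules = POLICY.get(function, {})
    matches = [prefix for prefix in rules if page.startswith(prefix)]
    return rules[max(matches, key=len)] if matches else set()


def audit(grants, owners):
    """Return (grants not authorized by the table, pages with no owner)."""
    unauthorized = [g for g in grants if g[2] not in allowed_rights(g[1], g[0])]
    pages = {page for page, _, _ in grants}
    unowned = sorted(pages - set(owners))
    return unauthorized, unowned


if __name__ == "__main__":
    bad, unowned = audit(ACTUAL_GRANTS, OWNERS)
    for page, function, right in bad:
        print(f"UNAUTHORIZED  {function} has '{right}' on {page}")
    for page in unowned:
        print(f"NO OWNER      {page}")
```
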


    Remote Access

    • Does the organization allow users dial-up access behind the firewall?

    • Does the organization support wireless access from any location?

    • Special steps are necessary to handle remote access. Other precautions are necessary for wireless access, including the use of WEP security. Restricting remote-access users to the same access offered to the rest of the Internet in front of the firewall denies them valuable services. A virtual private network (VPN) allows an authorized user to establish a secure connection to the intranet. An employee who is careless with a user name and password can compromise the system.

    • Action to take: Test the organization's remote access system. Make certain that the security audit analyzes and addresses any weaknesses in the virtual private network.


    Manage E-Mail

    • How easy would it be for the organization to give up electronic mail?

    • Many professionals perceive e-mail as a variant of traditional paper-based mail. It is not. Organizations need to have an active approach to e-mail security. Anyone with access to an organization's e-mail will need some education about the vulnerability of unencrypted e-mail. Not only is clear-text e-mail easy to intercept, but e-mail messages reside in multiple servers and machines in a network.

    • Action to take: Verify that the ISP supports S/MIME (Secure Multipurpose Internet Mail Extensions). If it doesn't, ask when the ISP will.


    Viruses and Rogue Code

    • Most organizations know to have antivirus software installed. There are different schools of thought about which antivirus system is optimal and the use of antivirus software on the user's machines. Part of the antivirus security procedure includes settings in the mail client, settings in the browser with regard to executables on Web pages, and the types of write protection implemented for various users. Rogue code, that is, Java or other executable code embedded in a Web page or document opened by an application, is an unfortunate fact of life in organizations today.

    • Action to take: Ensure that the organization's security policy addresses antivirus programs and settings for what executables are automatically launched by an application.


    Remember

    The only secure computer is one with no power, locked in a room, with no user.