Playing it Safe

Implementing a network security policy can help protect your company from security exploits. Following these five steps will ensure that your security concerns are successfully met.

A security policy is a simple-to-understand document that says what a company must do to protect itself. A good security policy focuses on business drivers, such as the accounts receivable, research and the five-year corporate plan, which must be protected from theft at all costs. The security policy is the foundation for creating both a procedures document for employees to follow and a security technology implementation plan. A company can then use the procedures document to create simple employee guidelines, along with a definition of how infringing employees will be dealt with, as well as an ongoing security training program. The security technology implementation plan defines an infrastructure which may include firewalls, intrusion detection tools, anti-virus and anti-active code software, employee Internet use reporting tools, e-mail content management and reporting tools, and ongoing security testing.

Ongoing security testing should be part of a security policy. It should be performed to ensure that the policy is being followed and to uncover new security threats. Network penetration testing and network security vulnerability scanning are two key components of security testing.

Creating a network security policy

The main ingredients of creating a policy are the information-gathering phase about a company's network and the writing of the policy document itself. The information-gathering process involves testing and assessing the company's network to determine existing security vulnerabilities and interviewing the company's key technical and management people. The technical group includes members of the network design, operations, and security groups. Once the solutions provider has a good understanding of the current security status of a company's network, and of the nature of the key security concerns of the company's networking staff, members of the company's management team should then be interviewed. It is important to allow the provider to interview managers of all departments responsible for key corporate assets and processes, such as human resources, finance, operations, research and development, legal, sales and manufacturing, as well as the president or members of the senior management team. The goal here is to gather enough information to create a security policy that minimizes both the possibility of security breaches and the inconvenience and cost associated with implementing the policy.

1. The interview process

Representatives of both a company's technical and management teams should be interviewed as part of the process of creating a security policy. Both groups are asked a number of questions concerning business drivers that relate to network security. Such questions may include what type of losses of information and operational capabilities, as well as legal liabilities, the company wishes to avoid, ranked in order of priority. The management should be asked about the level of risk they wish to endure versus the level of flexibility of operations they may lose by imposing security procedures and technology. The technical staff is asked about the details of the client's network construction and operation, plans for growth, how the network is used, and any security concerns they may have.

2. Network security testing

Several methods and tools can be used for testing for security vulnerabilities in a company's network. The two most commonly used types of tests are penetration tests and vulnerability scanning tests; these are usually accompanied by a network architecture security analysis. In addition, content scanning is done to find security weaknesses that are simply invisible to the other types of tests.

Penetration testing

Several test methods can be used to determine the existing network security vulnerabilities within a company's network. One of the types of testing is penetration testing, which involves trying to circumvent, disable, or learn information about key elements in a company network. The components on a network that are tested are typically the firewall, routers, the most important servers, any special-use workstations and any other key communications devices. The testing may cause devices to stop working and data may be lost, so it is important for the company to perform data backups prior to the test, and to have operations people on site during the test period so they can reset any devices that might "crash."

The tests are typically done in two phases. The first phase is conducted from the provider's office to see if they can circumvent or disable any of the company's security devices, such as firewalls (and routers) that are accessible via the Internet. They may also search for modems connecting to the company's network, and may test any dial-in terminal servers or other publicly accessible entry points into the network. The second phase is conducted behind the security devices just mentioned, in order to identify security risks within the company network. The FBI estimates that 75% of security exploits are conducted from behind firewalls, within the confines of a company network. Such exploits, which may be unintentional, come in the form of viruses and Trojan Horse programs introduced by employee media, such as floppy disks or tapes. The solutions provider should look for weaknesses that may be exploited by intentional attacks, such as by a disgruntled employee, previous employee or competitor.

Disruptive and non-disruptive penetration testing

Penetration testing is not always disruptive. The non-disruptive testing involves looking for and identifying security holes such as easily broken passwords, variable settings on operating systems that allow for easy access by non-authorized personnel, and incorrectly tuned firewalls that do not sufficiently restrict access to the client's network. Disruptive testing is disruptive because the goal of the testing is to cause a device such as a firewall, server or router to stop functioning. There are a few different types of vulnerabilities that are tested for, all of which are considered denial of service (DoS) attacks because they often crash either the application or, in some cases, the whole server. These DoS attacks are often due to weaknesses in either application programs or operating systems that can be used to disable that piece of software. Some examples of these weaknesses are a buffer overflow bug in an application or a programming error in the operating system that causes the TCP/IP stack to be susceptible to attacks.

Non-disruptive security vulnerability scanning

The vendor should use tools that scan for security vulnerabilities that are known to exist in operating systems, in some widely used software programs such as Windows 95 or NT, and on commonly used hardware such as routers and servers which have IP addresses. One such tool scans a company's network and creates an inventory list of its network technology. It then compares the company technology inventory with its database of known vulnerabilities and specifies the potential vulnerabilities for these specific technologies. Once any remedies taken by the company to address the vulnerabilities are described to the tool, the tool generates a list of the specific remaining vulnerabilities and how to fix them. Some of the scanning tools also do non-disruptive penetration testing. Some remember the inventory list of a client's network and, the next time the tool is run on the client's network, create a report showing changes to the network. They can also automatically dial large numbers of phone numbers in a sequence surrounding the client's main telephone number. The goal here is to find phone numbers that have modems attached to the client's network, possibly allowing undetected access into the customer's internal network.

The various types of security weaknesses that may be detected with penetration testing and security scanning include: open modems; denial of service; spoofing; application holes providing elevated user access; misconfigured firewalls and software packages; unpatched software bugs; trust relationships between hosts; crackable passwords; intrusion detection system (IDS) flaws; and publicly accessible services that are not required for operations.

3. Network architecture security evaluation

A vendor should also evaluate a client's network at the architectural level for security weaknesses that otherwise may not be revealed during network penetration testing or vulnerability scanning. For instance, the Canadian branch of an American company may derive its Internet access via a private dedicated circuit network flowing north from the head office network to the Canadian branch. The Canadian branch may have no control over the firewall used by the head office to manage the Internet access that is flowing to the Canadian branch. The head office may not allow the provider to conduct any security or penetration testing of its firewall or network security infrastructure.

4. Content scanning

For completeness, a class of security tools that complement penetration testing and scanning should be used. These tools look for potential security breaches that are imported into a company network and pass through security technology, such as firewalls, completely undetected. These threats are in the form of active code such as Java Applets, ActiveX, and Trojan Horse programs. They are also in the form of viruses, which may also contain Trojan Horse programs. These potentially destructive programs can destroy or change valuable corporate information, or export it to a competitor or into the public domain.

5. Ongoing testing

Companies that are implementing a network security policy should undergo regular penetration testing and vulnerability scanning of their networks, even if the solutions provider initially performs these testing services. Network security is an ongoing process, not a point solution. Networks change. Network users change how they work and the applications they use on networks. Software threats to networks, such as malicious programs (Trojan Horses

There are three business drivers upon which the recommendation for ongoing testing is made. First, company networks are usually dynamic, almost living, evolving entities. Any changes to the network, such as the addition of new hardware, a software revision or patch installation, may introduce security vulnerabilities. If these go unnoticed by the network security planner, actual security vulnerabilities may spring to life, totally undetected. Second, users of networks may make changes to the way they work or to the actual network. For instance, they may start to use previously unused Internet services, such as web browsing, ICQ, or FTP. If the network security manager has not adjusted the firewall or other security technology to account for and to manage these changes, security weaknesses may appear. Users may also add modems to a network without informing security or network management, or they may change a network configuration to the detriment of overall network security. Third, tools to be used for malicious intent -- Trojan Horses and viruses -- are being created daily. If technology to detect and deal with these threats is not constantly retuned and updated, the technologies may as well not exist. If a company cannot detect and contain these programs, the company will remain vulnerable to them.

Ron Lepofsky is president and CEO of PTI Telecommunications, a network telecommunications engineering company based in Richmond Hill.
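As an added example (not the article's text or any vendor's product), here is the scanning workflow described under vulnerability scanning and ongoing testing above: an inventory of hosts is cross-referenced against a database of known vulnerabilities, the remedies the company reports are subtracted to leave the remaining findings, and a second scan run is compared with the first to report what changed on the network. The inventories, the database and the EX-nnnn identifiers are constructed placeholders, not real hosts or advisories.

```python
# Constructed inventory of two scan runs: host -> product, version, exposed services.
PREVIOUS_INVENTORY = {
    "10.0.0.1": {"product": "router-os", "version": "2.1", "services": {"telnet", "snmp"}},
    "10.0.0.10": {"product": "webserver", "version": "1.3", "services": {"http"}},
}
CURRENT_INVENTORY = {
    "10.0.0.1": {"product": "router-os", "version": "2.1", "services": {"ssh", "snmp"}},
    "10.0.0.10": {"product": "webserver", "version": "1.4", "services": {"http"}},
    "10.0.0.25": {"product": "mailserver", "version": "5.0", "services": {"smtp", "pop3"}},
}
# Known-vulnerability database: (product, affected versions, id, description).
# Entries and ids are hypothetical placeholders, not real advisories.
KNOWN_VULNERABILITIES = [
    ("router-os", {"2.0", "2.1"}, "EX-0001", "default SNMP community string"),
    ("webserver", {"1.3"}, "EX-0002", "buffer overflow in request parser (DoS)"),
    ("mailserver", {"5.0"}, "EX-0003", "open relay in default configuration"),
]

def match_vulnerabilities(inventory, db):
    """Cross-reference each host's product/version against the database -> {host: {id: desc}}."""
    findings = {}
    for host, info in inventory.items():
        for product, versions, vuln_id, desc in db:
            if info["product"] == product and info["version"] in versions:
                findings.setdefault(host, {})[vuln_id] = desc
    return findings

def remaining_findings(findings, remediated):
    """Drop findings the company reports as fixed; remediated is {host: {vuln_id, ...}}."""
    left = {h: {v: d for v, d in vs.items() if v not in remediated.get(h, ())}
            for h, vs in findings.items()}
    return {h: vs for h, vs in left.items() if vs}

def inventory_changes(previous, current):
    """Diff two scan runs: new/removed hosts, version changes, service changes."""
    changes = []
    for host in sorted(set(previous) | set(current)):
        if host not in previous:
            changes.append(f"new host {host} ({current[host]['product']})")
        elif host not in current:
            changes.append(f"host {host} no longer seen")
        else:
            prev, cur = previous[host], current[host]
            if prev["version"] != cur["version"]:
                changes.append(f"{host}: version {prev['version']} -> {cur['version']}")
            for svc in sorted(prev["services"] ^ cur["services"]):
                tag = "new service" if svc in cur["services"] else "removed service"
                changes.append(f"{host}: {tag} {svc}")
    return changes
```

Running match_vulnerabilities on the current inventory flags the router and the new mail server but not the web server, whose upgrade to 1.4 took it out of the affected range; the change report then shows exactly the kind of drift (new host, new service, version change) that the ongoing-testing section says must be re-scanned.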
Hacker Heaven

There are over 3,000 hacker sites on the Internet, many of which freely provide destructive tools with which to attack networks, complete with easy-to-follow operating instructions, as well as a plentiful choice of viruses. This phenomenon alone is reason enough for business executives who are interested in the long-term viability of their businesses to address network security as seriously and as promptly as they address cash flow or market penetration issues.