10 Steps to Secure Your Business Network






Authored by Neil A. Rosenberg, a Certified Information Systems Security Professional (“CISSP”) and frequent speaker and author on information security topics, this paper will discuss key steps in securing business networks, with particular focus on medium-sized organizations. With increasing regulatory requirements and increased business reliance on technology, information security is becoming more and more critical to businesses of all sizes. In this white paper, we will provide a strategy for helping you to secure your business and its information assets.





From the QTS White Paper Series
Quality Technology Solutions, Inc.
1639 Route 10, Suite 103, Parsippany, NJ 07054
(973) 984-7600
www.QTSnet.com
info@QTSnet.com
Providing Worry-Free Network Solutions!

A High Level Review of Critical Information Security Strategies and Tactics



Table of Contents

Introduction ........ 1
Why Do We Care? ........ 1
Ten Steps ........ 3
1. Begin at the Beginning ........ 4
2. Manage Patches ........ 5
3. Harden Your Network ........ 6
4. Control Perimeter Traffic ........ 7
5. Use Smart Antivirus Software ........ 8
6. Redefine the LAN, Secure the VPN ........ 9
7. Know What’s Going On ........ 10
8. Train Your Users ........ 10
9. Really, Truly Secure Your Data ........ 11
10. Audit Annually ........ 12
Bonus Step: Home Network Security ........ 14
About the Author ........ 15
About Quality Technology Solutions ........ 16









Copyright © 2006 Quality Technology Solutions, Inc. All rights reserved.

QuikAssist, QuikAlert, QuikDesign, QuikDeploy, QuikStart, QuikSecure, QuikRecover and QuikNews are trademarks of Quality Technology Solutions, Inc.

The names of actual companies and products mentioned herein may be trademarks or registered trademarks of their respective owners.

This white paper is for informational purposes only. QTS makes no warranties, express or implied, as to the information contained in this document.







10 Steps to Secure Your Business Network, Page 1 of 16
Quality Technology Solutions, Inc., 1639 Route 10, Suite 103, Parsippany, NJ 07054, (973) 984-7600, www.QTSnet.com

Sidebar: Risk Mitigation

Information Security is about mitigating risk. In that regard, the decisions you make are not unlike insurance decisions. You probably would not choose to drive a car without auto insurance; aside from the legal issues, the risk of loss can be high. However, you might choose a high deductible, or a limit on coverage, to reduce your premium. Similarly, how much time and money you spend on security is a business decision that should correlate to a combination of:

1. The risk a security incident poses to your business
2. The impact of a security incident on your business

The level of spending around security is a business decision requiring business management buy-in and understanding of risk and impact.


Introduction

Information Security is not simply about technology. Effective security strategies deal with the combination of technology, people and processes. For those of you that remember the Code Red worm in 2001 and the damage it did to vulnerable businesses, it is noteworthy that the vulnerability Code Red exploited was discovered six months before the worm hit, and the patch to prevent the worm was made available immediately upon discovery. Moreover, a year after Code Red, one-third of all the Microsoft IIS web servers on the Internet remained unpatched. This is not a technology issue; it is a people issue (with training, communication and awareness being closely interrelated). If a fix to a problem is available, but is not utilized, then part of the responsibility lies with those who did not apply the fix.

This white paper is not going to primarily focus on technology and technical details. We will certainly present technical information and recommendations. However, most of our focus will be on strategy, to identify some specific and high-impact steps that can be taken to improve your organization’s security posture. And the majority of these recommendations do not involve buying hardware or software; they do, however, require time, attention and effort.

This white paper is intended to give its readers a framework with which to review their business networks against a baseline of ten fundamental and important elements of business security. Most businesses are already doing several of these things, but most likely we’ll have identified some areas where you can leverage this document to realize improvements. And that is our goal.


Why Do We Care?

We’ve been through Code Red, NIMDA, SQL Slammer, Blaster and plenty of other viruses and worms over the past few years. There has been plenty of time to learn the lessons, sometimes painfully. And yet, over the course of 2004 and 2005 countless IT managers and businesspeople were affected by Blaster, Sobig, Slammer and others. And they were lucky; security analysts are genuinely surprised it wasn’t worse. Imagine a worm like Blaster, exploiting a recent vulnerability, but with a destructive payload such as wiping hard disks, or insidiously corrupting data files. Professionals are surprised we actually haven’t seen this yet, and believe it is coming.



And yet we all have antivirus software and firewalls. Why are we still having these problems, after the major investments we’ve made in security technology? Unfortunately, it’s not just about the technology. The people and process elements of security drive how the technology is used, or not used, and a strategic approach to security is necessary.

In the midst of these threats, we’re seeing the business value associated with our network, our applications and our data steadily increasing. Think for a moment about email: five years ago, how much did you rely upon email to communicate with customers, suppliers and partners? How much do you do so today? The stakes are even higher if you leverage your network for eCommerce, EDI, client extranets or other forms of customer and supply chain communications. With this increased business value comes an increased requirement for up-time and reliability, and for security.

So, based on this increased business value, what are we doing to secure our networks? Surprisingly little, in many cases. Security is one of those areas where people often speak of it as a priority, but subsequent actions are often limited. This is because the reality is that in most cases we have the products (the hardware and software) in place for at least the fundamentals. The steps that remain are the challenging ones: education and awareness, management, and driving changes in organizational culture and behavior. This is far more difficult than installing a software program or a hardware appliance, and thus security initiatives often stall out here. Yet this is the stage where the battle is usually won or lost.

Sidebar: C.I.A.

Confidentiality, Integrity and Availability are the three core elements of information security:

Confidentiality: Preventing the unauthorized disclosure of information.

Integrity: Ensuring no unauthorized modifications are made to data, and that data is accurate.

Availability: Ensuring users have access to the data they need, within acceptable response times, and that all needed systems are up and running.

Availability obviously has close ties to Backup and Disaster Recovery Planning, a key element of Information Security.

Most people think of Confidentiality when they think of security. However, the other two areas are equally important.

Sidebar: CSI-FBI Computer Crime Study

Every summer, the Computer Security Institute and the San Francisco branch of the Federal Bureau of Investigation prepare a study on current trends and statistics around information security.

The study provides highly valuable, and interesting, information on the security risks and exposures faced by organizations in today’s economy, and sobering statistics on incidents experienced and actual losses suffered.

The study also discusses trends in mitigation and reviews current security options.

It is available for free download at GoCSI.com.


Ten Steps

It seems like many prescriptive lists boil down to “ten points,” and after some careful review I am presenting what I have seen to be the ten key steps to truly securing a small/medium business network. It is possible not all steps apply to all people, as different people are comfortable with different levels of risk. However, I would say that they represent ten “best practices” that should generally be applicable across the spectrum.

Change does not happen overnight. It is not possible to have needs in all of these areas and simultaneously fix everything, nor is it realistic to try. Rather, evaluate your security posture relative to these steps and determine your needs. Then, set a realistic plan for addressing each area in a logical sequence or in priority order, with a realistic timeline. Budget for any necessary expenses (hardware, software, outside assistance) and organize a cost-benefit analysis to make sure that the anticipated benefit (whether it is a true “return on investment” or risk avoidance, which has its own monetary value) does in fact outweigh the cost.

Once you have your plan, with sequenced activities and a realistic timeline, you are ready to begin. And I am confident that by addressing most or all of these points, you will see a genuine and substantive improvement in your organization’s security posture, and a subsequent reduction in business risk.

Since the majority of small and medium business networks are based on Microsoft technology, we’ll pay particular attention to Microsoft products here, but these points apply across the board.


Sidebar: Security Policy

An Information Security Policy is a business document that reflects the organization’s decisions on how its data assets and systems are to be managed and handled. It should include the following elements:

o Employee Behavior: Acceptable Use, Email, Information Classification
o Passwords & Authentication
o Remote Access
o Protecting Company Resources (laptop policies, data backup, etc.)
o Protecting Network Resources (firewall policies, backup procedures, etc.)

QTS offers a one day workshop to “jump-start” the process of developing and communicating an Information Security Policy specific to your organization, and build the required buy-in.

1. Begin at the Beginning

Or, as Steven Covey would say, begin with the end in mind. Develop a Security Policy, whether it is a comprehensive, detailed document (preferably) or at least a basic acceptable use policy for email and web surfing. If you have not defined what you are protecting, and how you want to protect it, then how can you intelligently go about doing so? Security professionals agree that all actions ultimately should flow from policy, at a business level, to support business goals and objectives.

Security Policies also help protect against legal liabilities, and provide a framework for discipline against unauthorized behaviors. If you, for example, fire an employee for improper web surfing, but you have not documented a policy that clearly says this is unacceptable, you are subject to potential legal action. Conversely, you might be subject to sexual harassment liability if you allow certain behaviors to continue whether you have a policy or not. So the best thing you can do is develop a policy, communicate it, and enforce it. This requires careful coordination between IT, HR, Legal and middle management, under upper management direction and support.

This raises a critical point: most security policy efforts that do not have buy-in and active participation from an organization’s upper management ultimately fail. This is because when the policies are coming from the IT group, the situation develops into “users versus IT,” and in such battles IT ultimately loses because it has no direct authority over the users. Enforcement of policies from middle management is absolutely critical, and to enable this, the policies need to come from senior management. When coming from senior management, the policy decisions are tied to the business and its objectives and thus are not seen as IT inconveniencing the users for their own benefit. When policy comes from upper management, it is enforceable. Ideally, middle management and staff have some level of representation and participation in development of the policies to ensure they are realistic, and to drive buy-in across the organization.

Information Security Policies should be reviewed with employees upon hire, with a written acknowledgement. They should be re-reviewed annually (this can be tied to performance reviews) with ongoing reinforcement by upper and middle management. The goal should be to create a “culture of security awareness” within the organization, where people understand that information security is a core element of doing their jobs, not an IT responsibility. With this level of buy-in and understanding, significant exposure and risk can be mitigated.


Sidebar: Network Access Control

An emerging area in network security is “NAC.” This started getting attention when worms began bouncing around networks that IT thought were protected, using uncontrolled computers hosting malicious code that connected either from the inside or the outside of the network, making internal systems vulnerable.

NAC is about preventing this exposure, by defining security policies that systems must comply with in order to connect to the network. Typically these checks include:

o Antivirus software must be running, with current signature files and scan engines;
o Systems must be acceptably patched;
o Systems must run a personal firewall.

Microsoft, Cisco, Citrix, Symantec and others have solutions in this still-developing space.

2. Manage Patches

In spite of free tools like Microsoft’s Software Update Service (replaced in 2005 by Windows Server Update Service) and Windows Update, many organizations still don’t have a comprehensive or bullet-proof way of distributing and managing patches. Blaster spread from unpatched system to system, exploiting a vulnerability that was easily closed. Unfortunately, patch management is a very effort-intensive, manual task that often gets ignored because without the right tools it is nearly impossible to manage. This is a major area of vulnerability for most businesses, and it is one of the easiest of these steps to implement for most businesses, thanks to Microsoft’s Trustworthy Computing initiative.

Microsoft Windows Update is built into all current operating systems and allows users to check their systems against a database of current patches, and automatically apply all missing patches. This is a terrific tool for stand-alone and consumer PCs, as it is very easy to use. Unfortunately, most people don’t even know they have it.

The problem with Windows Update in a business context is that IT doesn’t want users deciding whether to apply patches or not, and doesn’t want a hodge-podge of configurations across the network. Consistency is very important in supporting a network, particularly with the complexity of today’s modern networks. Ideally, IT can decide if a patch is appropriate for its systems, then if it is, push it down to all PCs on the network, automatically. This is what Microsoft Windows Server Update Service (“WSUS”) does.

Microsoft WSUS requires a Windows 2003 server running IIS (Internet Information Server, its web server software), and supports PCs running Windows 2000 Professional and Windows XP Professional. It does not work with Windows NT or 95/98/ME. WSUS allows IT to push approved patches down to all properly configured PCs, automatically and centrally, with minimal effort, ideally using Group Policy.

It is important to test patches against your key applications before broadly distributing them, so set up a sample/test group first to do so. For most small/medium businesses, server patches are still best done manually since servers tend to be more sensitive, but this is still critically important, and don’t let it slip. Microsoft presently releases new patches on a monthly basis (the second Tuesday of each month) unless a major vulnerability is discovered in between updates. Subscribe to Microsoft’s Security Bulletins at www.microsoft.com/security, and make sure your systems are being kept up to date. This is a manageable task if approached properly. If you don’t have the time and resources to do this in-house, then outsource it. It is that important.
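The staged approach described above (a sample/test group first, then broad distribution once the patch has proven itself against key applications) can be expressed as a simple promotion gate plus a per-ring compliance report. The Python script below is an added example, not QTS's or Microsoft's code and not how WSUS itself works internally; the ring names, the seven-day soak period, the PilotResult fields and every host and patch identifier are constructed assumptions for illustration.

```python
"""Staged patch approval, as an added example (not QTS's or Microsoft's code,
and not how WSUS works internally). Models the practice from Step 2: approve a
patch for a pilot/test group first, and promote it to the broader rings only
once every pilot host has installed it cleanly, the key-application test plan
has passed, and the pilot has soaked for a few days. Ring names, the soak
period, the PilotResult fields and all host/patch identifiers are constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Promotion order. A patch reaches a later ring only after passing the pilot gate.
RINGS = ["pilot", "workstations", "servers"]


@dataclass
class Host:
    name: str
    ring: str
    installed: set = field(default_factory=set)   # patch ids already present


@dataclass
class PilotResult:
    patch_id: str
    approved_on: date        # date the patch was released to the pilot ring
    test_plan_passed: bool   # did the key-application test plan pass?
    install_failures: int    # pilot hosts where installation failed


def missing_patches(hosts, approved, ring):
    """Return {host name: [patch ids]} for hosts in `ring` that lack any of
    the `approved` patches (the compliance report for that ring)."""
    gaps = {}
    for h in hosts:
        if h.ring != ring:
            continue
        lacking = sorted(p for p in approved if p not in h.installed)
        if lacking:
            gaps[h.name] = lacking
    return gaps


def may_promote(patch_id, hosts, result, today, soak_days=7):
    """Gate for moving `patch_id` beyond the pilot ring.
    Returns (ok, reasons); every reason blocks promotion."""
    reasons = []
    if missing_patches(hosts, {patch_id}, "pilot"):
        reasons.append("pilot hosts still missing the patch")
    if result.install_failures:
        reasons.append(f"{result.install_failures} install failure(s) in the pilot")
    if not result.test_plan_passed:
        reasons.append("application test plan not passed")
    if today - result.approved_on < timedelta(days=soak_days):
        reasons.append("pilot soak period not complete")
    return (not reasons, reasons)


def rollout_plan(hosts, approved, pilot_results, today):
    """Per ring, the hosts still out of compliance. The pilot ring is measured
    against everything approved; later rings only against patches whose pilot
    gate has passed, so an untested patch is never pushed network-wide."""
    promoted = {p for p, r in pilot_results.items()
                if may_promote(p, hosts, r, today)[0]}
    plan = {}
    for ring in RINGS:
        scope = approved if ring == "pilot" else approved & promoted
        plan[ring] = missing_patches(hosts, scope, ring)
    return plan


# Constructed sample inventory: two pilot PCs, one workstation, one server.
TODAY = date(2006, 3, 20)
HOSTS = [
    Host("pilot-pc1", "pilot", {"KB-A", "KB-B"}),
    Host("pilot-pc2", "pilot", {"KB-A"}),
    Host("ws-17", "workstations", set()),
    Host("fileserver", "servers", {"KB-A"}),
]
APPROVED = {"KB-A", "KB-B"}
PILOT_RESULTS = {
    "KB-A": PilotResult("KB-A", date(2006, 3, 1), True, 0),   # clean, soaked 19 days
    "KB-B": PilotResult("KB-B", date(2006, 3, 18), True, 0),  # too new, one pilot host lacks it
}

if __name__ == "__main__":
    for ring, gaps in rollout_plan(HOSTS, APPROVED, PILOT_RESULTS, TODAY).items():
        print(f"{ring}: {gaps or 'compliant'}")
```

With the constructed data, KB-A passes the gate and shows up as missing on the workstation ring, while KB-B is still confined to the pilot ring because one pilot host lacks it and it has not soaked long enough; the report for the pilot ring itself is what the manual server patching described above would work from.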



Sidebar: Vulnerability Assessment & Vulnerability Management

A Vulnerability Assessment allows you to proactively find, and fix, system vulnerabilities. Vulnerability Management tools extend this by allowing you to define your desired configurations, and notify you when systems fall out of compliance.

There are a variety of scanning tools that can be used, ranging from freeware to expensive software. In either case, the tools are only as good as the skill of the operators using them.

QTS offers its QuikSecure Vulnerability Assessment service to scan networks and identify vulnerabilities, then work with the customer to help remediate them. QTS can also help with implementing an ongoing vulnerability management solution.





3. Harden Your Network

Just because systems are patched does not mean they are not vulnerable. Next, you need to focus on other vulnerabilities such as unnecessary services, software bugs, weak or missing passwords, and other weaknesses. The best way to go about this is to scan your systems, from outside your firewall and also from inside (once you’re hacked or malicious code gets past it, the firewall does not matter).

Microsoft offers a free, basic scanner called the Microsoft Baseline Security Analyzer that is a good start (and is also a free download from www.microsoft.com/security). The Baseline Security Analyzer can be run against Windows servers and PCs and will identify and prioritize security vulnerabilities so you can take steps to fix them. It is very easy to use, but taking action does require an understanding of server configuration and of the impact of making the changes. So use the tool to identify your issues, then if you need help bring in outside assistance as needed. And make changes one at a time, so if something breaks or stops working, you know which change caused it. Remediation is a time-consuming process if done properly, but a risky process if done quickly and without proper planning.

Moving beyond this, you will want to use a more powerful scanning tool to scan not just your servers, but also your firewall, your routers and switches, wireless access points and other devices. For example, QTS uses Symantec’s NetRecon when performing Vulnerability Assessments for its customers’ networks, to generate a comprehensive report of vulnerabilities and the affected systems. Once you have the report, pick the top few vulnerabilities and take steps to remedy them. It is unrealistic to deal with this all at once; conversely, if you remove one vulnerability a week across your systems, then in 6 months you’ll have made remarkable progress in clearing the top, high-impact vulnerabilities from your systems.

The remediation process needs to be approached carefully and methodically, just as patching does. Any change to your systems can cause unforeseen problems, and therefore each change needs to be tested (ideally with a predetermined test plan) and have a rollback procedure in case the testing, or the change itself, reveals unforeseen problems.

Removing vulnerabilities is such a critical step. Many people never get to it, and it is frustrating how many times we’ve generated these reports for customers and found months later that no action has been taken. Most firewalls and servers are installed but never truly hardened. Then, we wonder why we have security problems.




Sidebar: DMZ

A “DMZ,” or De-Militarized Zone, is a segment of the network that is “semi-protected.” Normally, externally facing web servers are placed here. We usually place an email screening server here as well.

In an optimally secured network, no un-authenticated external traffic is allowed into the internal network. It is completely secured, or “white.” Outside the firewall is outside of control; it is “black.” The DMZ is therefore “grey,” semi-secured. Only the traffic that is required will be allowed there, and all unnecessary traffic will be blocked by the firewall.

A DMZ is usually formed by hanging a separate network segment off a third network card in a firewall. However, sometimes it is formed as a “layer” in between two firewalls.



4. Control Perimeter Traffic

A poorly configured firewall is worse than none at all, since it gives a false sense of security. Over the last few years, our engineers have gone to new customer sites and seen firewall after firewall that was put in half-configured. High ports are open, all outbound traffic is allowed, un-authenticated traffic is allowed to the internal network. These are common, but easily fixed, issues. A basic review of firewall configuration, and corrective action (always test changes, though!) only takes a few hours, and is invaluable. Many firewalls are configured poorly, because most people don’t really understand how to configure them properly.

A firewall configuration review should include the following:

o Identify all open ports for inbound traffic. Determine if these ports are truly necessary, and close those that are not.
o Optimal security dictates that no unauthenticated traffic be allowed to cross the firewall and reach the internal network. Design a DMZ configuration so unauthenticated traffic is allowed to servers in the DMZ, and from there those servers can communicate with the internal network (preferably only to specific servers, encrypted via SSL or IPSec).
o Review outbound traffic rules, and lock down all unnecessary ports for outbound traffic. Normally the number of ports needed for outbound traffic should be minimal, and exceptions can always be made to the general firewall policy.
o Verify that the firewall has all current security updates and patches.
o Verify that the firewall cannot be exploited or attacked using remote management tools such as Telnet or Terminal Services.

It is optimal to have your firewall, or proxy server if applicable, inspect the traffic. It is no longer adequate to block traffic based simply on port number, as most traffic is easily tunneled through HTTP on port 80. Perimeter security needs to look at what the traffic contains and is doing, not just what port it is using. In some cases, this may require multiple layers of security, which is absolutely appropriate as your business size, or business risk, increases on the scale. At QTS, we’ve had good success combining a Layer 3 Stateful Inspection firewall (such as a Cisco PIX) for basic perimeter security and high performance with a Layer 7 Application Layer Gateway (such as Microsoft ISA Server) to allow for deeper traffic inspection on inbound web access to sites like Outlook Web Access, in effect delivering the best of both worlds. An Intrusion Prevention System deployed at the network perimeter (see sidebar below) nicely complements this security architecture.
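The review checklist above can be applied mechanically to an exported rule list, which makes the "before" and "after" of a firewall clean-up comparable. The Python script below is an added example, not QTS's code and not any firewall vendor's configuration format; the zone names, the Rule fields, the management-port table and the sample rule set are constructed for the example. It covers the port, DMZ, outbound and remote-management points of the checklist; the patch-level point is a question for the vendor's update channel, not for the rule list.

```python
"""Firewall rule-set review, as an added example (not QTS's code and not any
vendor's configuration format). Applies the review checklist from Step 4 to a
rule list: unnecessary inbound ports, unauthenticated inbound traffic reaching
the internal network instead of the DMZ, blanket outbound rules, and management
services (Telnet, Terminal Services) reachable from outside. Zone names, Rule
fields, port numbers and the sample rules are all constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str                      # zone: "outside", "dmz" or "inside"
    dst: str
    port: str                     # destination port as a string, or "any"
    action: str                   # "allow" or "deny"
    authenticated: bool = False   # is the traffic authenticated before it crosses?


# Remote-management services that must never be reachable from outside.
MGMT_PORTS = {"23": "Telnet", "3389": "Terminal Services"}


def review(rules, required_inbound, required_outbound):
    """Return a list of (severity, rule, finding) for every allow rule that
    violates the checklist. `required_*` are the ports the business actually
    needs, decided during the review."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        inbound = r.src == "outside"
        if inbound and r.port in MGMT_PORTS:
            findings.append(("high", r,
                             f"{MGMT_PORTS[r.port]} management reachable from outside"))
        if inbound and r.dst == "inside" and not r.authenticated:
            findings.append(("high", r,
                             "unauthenticated inbound traffic reaches the internal "
                             "network; terminate it on a server in the DMZ instead"))
        if inbound and r.port == "any":
            findings.append(("high", r, "all inbound ports open"))
        elif inbound and r.port not in required_inbound and r.port not in MGMT_PORTS:
            findings.append(("medium", r,
                             f"inbound port {r.port} is not required; close it"))
        if r.src == "inside" and r.dst == "outside":
            if r.port == "any":
                findings.append(("medium", r,
                                 "all outbound traffic allowed; restrict to required ports"))
            elif r.port not in required_outbound:
                findings.append(("low", r,
                                 f"outbound port {r.port} is not required; close it"))
    return findings


def summarize(findings):
    """Count findings by severity so a review can be compared before and after
    the corrective changes (always test those changes)."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for severity, _, _ in findings:
        counts[severity] += 1
    return counts


# Constructed sample rule set resembling the "half-configured" firewalls
# described in Step 4.
RULES = [
    Rule("outside", "dmz", "80", "allow"),                          # public web server in DMZ
    Rule("outside", "inside", "25", "allow"),                       # mail delivered straight inside
    Rule("outside", "inside", "443", "allow", authenticated=True),  # authenticated remote access
    Rule("outside", "inside", "23", "allow"),                       # Telnet management from outside
    Rule("outside", "dmz", "6000", "allow"),                        # high port nobody needs
    Rule("inside", "outside", "any", "allow"),                      # blanket outbound
    Rule("outside", "inside", "any", "deny"),                       # default deny
]
REQUIRED_INBOUND = {"80", "443"}
REQUIRED_OUTBOUND = {"25", "53", "80", "443"}

if __name__ == "__main__":
    for severity, rule, finding in review(RULES, REQUIRED_INBOUND, REQUIRED_OUTBOUND):
        print(f"[{severity}] {rule.src}->{rule.dst}:{rule.port}  {finding}")
    print(summarize(review(RULES, REQUIRED_INBOUND, REQUIRED_OUTBOUND)))
```

Against the constructed rule set the review raises three high findings (mail delivered unauthenticated to the internal network, and Telnet management exposed to the outside, which also counts as unauthenticated inbound) and three medium ones (the unneeded inbound ports 25 and 6000, and the blanket outbound rule); the authenticated 443 rule and the DMZ web server pass. Port-level review is the floor, not the ceiling: as the text says, content inspection is still needed for what tunnels over port 80.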




5. Use Smart Antivirus Software

People wonder why they still have viruses. Most antivirus packages now support automated downloads of current signature files, and furthermore of current scan engines (which process the signatures; new signature files are useless if the scan engine is outdated). Make sure you’re auto-updating and downloading current code across your network. Make sure all of your systems are covered; rogue systems are usually the culprit for things like worms. I’ve heard several times of systems that got infected by a worm within minutes of being put on the network, before IT could apply patches (something Windows Vista is anticipated to prevent). Of course, something else had to be infected to cause this.

Do not leave these updates to a manual process; set up a daily automated update schedule that brings down new signatures and scan engines every morning to your distribution server, which then pushes them down to your PCs and other servers. Some network managers prefer to review these updates before applying them, and prefer to control the process, but this creates the risk of not applying updates on a given day. Although there is always a risk of any change having a negative impact, the risk of signature updates causing problems is very, very remote, and far outweighed by the risks of not being current.

Smart antivirus software applies behavioral scanning: it looks at what is being done inside the system, and can detect malicious code based on behavior as well as signatures. Whether you call the software antivirus, personal firewall or host intrusion detection, some form of workstation protection is important these days, across the entire network. We are seeing a merging of these functions, with an example being Symantec Client Security.

Intrusion Detection can be considered another element of Host systems defense. Host IDS software monitors what’s going on inside a server operating system (how it is using memory, whether unauthorized access to the file system is occurring, etc.) and can take action based on unauthorized behaviors. Because of the more proactive nature here, and the checkered past of IDS systems of the past, vendors have moved to calling this Intrusion Prevention, rather than intrusion detection. Network IDS/IPS systems monitor the wire (network traffic) from a similar vantage point.

Some vendors offer products that scan traffic as it passes beyond the firewall into the internal network. Since firewalls generally will look at the “package” the traffic is in, but not necessarily at the contents of the traffic, this can be a useful approach. In effect, this is like “taste testing” the beverage in a container before allowing it to pass through, and if the beverage has poison, it can be cordoned off and not allowed to pass. Most firewall products do not offer this level of inspection, but remember also that the more inspection that is performed, the more traffic will be slowed down to do so. And each layer of security has an associated cost.

Sidebar: Spyware

Most people know what spyware, or what is now often more broadly being called “malware,” is, because most of us have in some way experienced this. At best, computers crawl to a sluggish halt and need to be cleaned, wasting valuable and expensive IT staff or vendor time. At worst, private data is exposed, causing loss or embarrassment.

Malware typically gets onto a PC because a user visited a web site that automatically downloaded the malicious code, often without the user knowing it happened. In our experience, organizations that have enforced web surfing policies don’t have many spyware problems.

Fortunately, most antivirus vendors now include at least basic anti-spyware features in their software. Many companies still choose to deploy separate tools for spyware, but over time this will become less necessary.

Sidebar: Strong Authentication

Strong, or multi-factor, authentication provides a better way to be sure the person who is connecting to your network is really who they say they are. It is like asking for two forms of ID.

The most common form of strong authentication today is RSA’s SecurID tokens, which display a number that changes every 60 seconds. To connect to a network, users need to supply not only their user ID and password, but the number on the token: something they know, and something they have. Without both, they can’t get in.

Today, biometrics are getting closer to “prime time” with fingerprint readers included on many notebook PCs and used more broadly in hospitals. As this technology continues to mature and drop in cost, it will be more widely adopted and provide a useful second option.


6. Redefine the LAN, Secure the VPN


Virtual Private Networks (“VPNs”) are used to provide for secure remote access by users (“client to site VPNs”) and to securely link remote networks over public Internet connections (“site to site VPNs”). They are increasingly common in today’s Internet-connected world, and this increase has resulted in a sharp decrease in private dial-in modem links to business networks.


VPNs do two things: they authenticate machines/users, and they encrypt traffic based on that authentication. So, when remote VPN users authenticate, they now have a secure encrypted tunnel for their data to travel through. Unfortunately, this also means that malicious code, viruses, worms and even hackers can use this encrypted connection to travel into your network.


The bad news with VPNs is that your LAN has now extended to include every home and remote computer that connects to your network through the VPN, and you need to manage security now at each and every one of those points. The good news is that there are tools to help you do so, though they take time and effort and cost to deploy. It is critical that all VPN users have current, auto-updating antivirus software, that they have personal firewall software, and that they be currently patched. Network security is only as good as the weakest link, and in a modern network, the weak links are usually uncontrolled home computers.


A very smart alternative is what is being called “SSL VPNs”, where VPN access is allowed through an appliance that uses SSL (preferably with a digital certificate from a trusted Certificate Authority), rather than IPSec, to encrypt the traffic. This eliminates the need for a VPN client on the end point, with the associated security issues. Furthermore, by using remote control technology such as Citrix MetaFrame Presentation Server, and leveraging SSL for encryption, it is possible to set up a remote access solution where it is totally client-independent. If the client is simply receiving screens and sending keystrokes, and nothing is passing back from the client to the network except keystrokes and mouse clicks, the state of the client computer isn’t critical to security. This can save IT organizations a TON of work, and we’ve deployed it effectively numerous times. Use strong or multifactor authentication, such as RSA SecurID tokens, for even better security.

Sidebar: Security Management

Monitoring firewalls is important to detect threats as they develop. Most attacks are not spontaneous.

Some vendors offer “Managed Security Services” in which the vendors supply their own equipment, and provide a monitored, managed service for a monthly fee. This is usually quite expensive, but it does ensure someone is watching the system.

Some vendors, including Cisco and Symantec, are now offering appliances that collect information from different security devices and bring them to one place, with alerting and correlation. With such tools, there is then one place to look for events and alerts.

QTS offers an “Assisted Security Management” service to monitor customer firewalls and IPS devices when clients don’t have time to do this themselves.


7. Know What’s Going On


Most IT people don’t ever review logs for their firewalls and servers. Some do so infrequently. Very few do so daily. Yet these logs tell you what’s really happening on your network. If you don’t have time, or don’t know what to look for, then outsource it (that’s why we developed our QuikSecure ASM offering). Otherwise, make the time to review them and understand them; a cursory review of meaningless data doesn’t accomplish anything.


Your logs (firewall, web server, other server) contain the history of access to these systems (if configured properly), the proverbial “smoking gun.” Not reviewing them is like buying a surveillance system, then not hiring guards to watch the cameras. You may be collecting evidence with the cameras, but often too late to prevent an attack.


Start by monitoring your firewall and public web servers, since these are the highest risk components on the network. By looking for specific signs of access (specific codes and event entries in the logs) as well as patterns of access, you can determine if traffic is normal or abnormal. Many devices and servers support bringing the log files to a centralized management server (“syslog” is a commonly used, free tool for this that evolved out of the UNIX world). You can also purchase products from various vendors that allow you to generate alarms when specific actions or events are detected.


The optimal solution, on top of reviewing the logs, is to install behavior-based Intrusion Detection/Prevention software on your key systems, so you can take proactive action to stop attacks. In today’s world, proactive is always better than reactive.
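Step 7 says to look for specific event entries and for patterns of access in centralized firewall logs, without showing what such a review looks like. The block below is an added example written for this page, not a tool from the paper or from QTS: it parses a handful of constructed syslog-style firewall records (the line format is illustrative, not any vendor’s exact format), then applies three plain review rules that an analyst would otherwise apply by eye: one source denied on many distinct ports (a sweep), one source repeatedly denied on an administrative port, and any allowed inbound connection to an administrative port. Thresholds and port lists are assumptions to be tuned per network.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log, in the style a perimeter firewall forwards to a
# central syslog server. Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Jun 12 02:14:01 fw1 kernel: DENY IN=eth0 SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP DPT=21
Jun 12 02:14:01 fw1 kernel: DENY IN=eth0 SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP DPT=22
Jun 12 02:14:02 fw1 kernel: DENY IN=eth0 SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP DPT=23
Jun 12 02:14:02 fw1 kernel: DENY IN=eth0 SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP DPT=25
Jun 12 02:14:03 fw1 kernel: DENY IN=eth0 SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP DPT=80
Jun 12 02:14:03 fw1 kernel: DENY IN=eth0 SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP DPT=110
Jun 12 02:14:04 fw1 kernel: DENY IN=eth0 SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP DPT=135
Jun 12 02:14:04 fw1 kernel: DENY IN=eth0 SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP DPT=139
Jun 12 02:14:05 fw1 kernel: DENY IN=eth0 SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP DPT=443
Jun 12 02:14:05 fw1 kernel: DENY IN=eth0 SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP DPT=445
Jun 12 03:02:10 fw1 kernel: DENY IN=eth0 SRC=203.0.113.200 DST=198.51.100.10 PROTO=TCP DPT=3389
Jun 12 03:02:11 fw1 kernel: DENY IN=eth0 SRC=203.0.113.200 DST=198.51.100.10 PROTO=TCP DPT=3389
Jun 12 03:02:12 fw1 kernel: DENY IN=eth0 SRC=203.0.113.200 DST=198.51.100.10 PROTO=TCP DPT=3389
Jun 12 03:02:13 fw1 kernel: DENY IN=eth0 SRC=203.0.113.200 DST=198.51.100.10 PROTO=TCP DPT=3389
Jun 12 03:02:14 fw1 kernel: DENY IN=eth0 SRC=203.0.113.200 DST=198.51.100.10 PROTO=TCP DPT=3389
Jun 12 08:30:00 fw1 kernel: ALLOW IN=eth0 SRC=192.0.2.9 DST=198.51.100.10 PROTO=TCP DPT=80
Jun 12 08:30:05 fw1 kernel: ALLOW IN=eth0 SRC=192.0.2.9 DST=198.51.100.10 PROTO=TCP DPT=443
Jun 12 08:31:00 fw1 kernel: DENY IN=eth0 SRC=192.0.2.9 DST=198.51.100.10 PROTO=UDP DPT=161
Jun 12 09:00:00 fw1 kernel: ALLOW IN=eth0 SRC=192.0.2.200 DST=198.51.100.10 PROTO=TCP DPT=3389
Jun 12 09:00:01 fw1 kernel: link state change on eth0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) kernel: (?P<action>ALLOW|DENY) "
    r"IN=(?P<iface>\S*) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)$"
)

# Ports that should rarely be reachable from the Internet; assumed list.
ADMIN_PORTS = {22, 23, 135, 139, 445, 1433, 3389}


def parse_log(text):
    """Return (events, skipped): one dict per recognised record, plus the
    number of lines that did not match the expected format."""
    events, skipped = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1
            continue
        e = m.groupdict()
        e["dpt"] = int(e["dpt"])
        events.append(e)
    return events, skipped


def review(events, sweep_ports=8, repeat_hits=5):
    """Apply the review rules. Each finding is (rule, source, port, count)."""
    findings = []
    denied_ports = defaultdict(list)
    for e in events:
        if e["action"] == "DENY":
            denied_ports[e["src"]].append(e["dpt"])
        elif e["dpt"] in ADMIN_PORTS:
            findings.append(("allowed-admin-port", e["src"], e["dpt"], 1))
    for src, ports in denied_ports.items():
        if len(set(ports)) >= sweep_ports:
            findings.append(("port-sweep", src, None, len(set(ports))))
        for port, n in Counter(ports).items():
            if port in ADMIN_PORTS and n >= repeat_hits:
                findings.append(("repeated-admin-port-denies", src, port, n))
    return findings


def top_denied_sources(events, n=5):
    """Sources with the most denied connections, most active first."""
    return Counter(e["src"] for e in events if e["action"] == "DENY").most_common(n)


if __name__ == "__main__":
    events, skipped = parse_log(SAMPLE_LOG)
    print(f"{len(events)} records parsed, {skipped} unrecognised line(s)")
    for finding in review(events):
        print("finding:", finding)
    print("top denied sources:", top_denied_sources(events))
```

The skipped-line count matters as much as the findings: a sudden rise in unparsed lines usually means a device firmware upgrade changed the log format, and a review that silently drops those lines is exactly the “cursory review of meaningless data” the text warns about.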


8. Train Your Users


This is one of the biggest omissions we see when we review an organization’s security posture. Often, it is because user training takes time, is hard to do, and IT has little leverage to make sure users comply. Often, there is a lack of coordination between IT, HR and middle management. The result is frustration, and failure.


This is where an organization’s Security Policy comes into play: if an organization has mandated certain security rules as part of its business policy, and the rules come from senior business management, rather than the IT Department, then the rules need to be followed, period. It is no longer a turf war, it is no longer optional, it’s a matter of business policy. IT can now effectively enforce necessary policies such as strong passwords and password expiration/rotation, which do inconvenience users, but which serve a purpose.

Sidebar: Intrusion Prevention

Until a few years ago, the term “IDS,” short for Intrusion Detection System, was used to describe products that monitored specific servers (“Host IDS”) or network segments (“Network IDS”) to detect security problems. At the time, the technology was only successfully adopted by larger companies with dedicated IT security staff, who had time to monitor the systems and react to events as they were detected.

In the last few years, the technology has improved and become more proactive, and the name has changed to “Intrusion Prevention System” (IPS) to reflect the more automated, proactive nature of these tools. Symantec, Cisco and others have good technologies here that can help mid-market businesses, if the value of the assets being protected makes the investment worthwhile.


Some key points to build into user training, as part of new employee orientation, are:

o Acceptable Use Policy for Web Surfing and Internet Email, including Email Etiquette;
o Password Policies (creating strong passwords, password rotation policies and protecting passwords);
o How to respond to and report suspicious behavior;
o Where to store data, and how it is backed up;
o Security Policies: what they are, and why they exist;
o Notebook computer and PDA security (as applicable);
o Information Classification and Confidentiality Rules.


Most companies take the time to train employees on how to use their computers. Why not take the time to train them to do so properly, and securely?

Users need training to understand the importance of security and its impact on the business. Users also need to be trained on and understand the risks and considerations inherent in web surfing and Internet mail. The best security technology in the world will always be defeated by users not following security procedures. Always.


9. Really, Truly Secure Your Data


Many organizations set up some basic rights on their network shares or directories, and that’s the end of it. True security is well thought out and goal-oriented.


The principle of Least Privilege should always be applied: give people the minimum level of rights they need to do their job. If they only need to view data, don’t give them “write” rights. If someone doesn’t need access to files, don’t provide it. For sensitive data, such as customer information, sales databases, service history, etc., properly secure the system, then consider adding Host Intrusion Detection software if it allows for prevention of unauthorized file copying. I still hear situations where a salesperson leaves a company, and takes the entire customer/prospect database with him, without the company knowing it. Some Host Intrusion Prevention systems can prevent this.

Sidebar: Security Auditing Tools

Security auditing can be time consuming, but is a necessity. Poorly secured data (file shares, documents and databases) and poorly managed user IDs and passwords can be significant vulnerabilities on any network.

Tools from vendors like BindView (now part of Symantec), ScriptLogic and others can be used to scan and audit Active Directory for accounts with weak or missing passwords, or accounts that have not been used recently (and therefore should be de-activated). These tools can also be used to scan file systems and review access rights (so they can be refined and minimized). Finally, tools like this can often be used to assess regulatory compliance (SOX, HIPAA, GLB, etc.).

QTS can help with services in these areas, including knowledge transfer.


It takes some effort to protect the proprietary data assets of a business, but it is well worth it. A good exercise to start is to identify your organization’s physical and data assets. Then for each asset, identify why it is important, and what the impact of loss is. Then you can devise a plan, or appropriate rights, to protect it. This is not only good for security, but represents an excellent step in building a Disaster Recovery Plan.


Also, look at your Information Classification policies, if you have them. If the President of your company marks something as confidential, what does it mean to them? Does it mean the same thing to an operations manager? To the IT Department? To a normal user? Information Classification is about clearly defining business rules for how classes of data, paper or electronic, are to be handled: storage, transmission, access, destruction. I often find that organizations take it for granted that employees know what to do with confidential information. They don’t; employees are not mind-readers. This is a very important step that cuts across the entire business. It just takes time and effort to define the rules, document them, communicate them and follow up with enforcement and ongoing education.


Finally, PCs themselves often pose a major vulnerability from a rights perspective. Most networks allow users to log onto their systems with local Administrator account equivalence, since it is often hard to make software run, or for maintenance to be automated, without this rights level under Windows 2000 or Windows XP. Removing this rights level is often impractical, but remains highly desirable. Microsoft’s upcoming Windows Vista operating system, the replacement to Windows XP, will allow for running at this lower rights level, along with numerous other significant security enhancements, making it a highly desirable upgrade from a security perspective.


10. Audit Annually


It is important to checkpoint your organization’s security posture against best practices, and against known vulnerabilities and issues. On an annual basis, you should have an outside, objective party perform a review of your business’ security, at a “strategic” level (What is your security posture? Do you have the right technologies? Are they being used properly? What are the “people” and “process” elements?) and at a “tactical” level (What specific vulnerabilities do each of your systems have? How do you remediate against them?).




Sidebar: Security Evaluation

It is important to step back and look at your organization’s security posture: the way people do their jobs and treat data, your operational procedures, authentication systems, and the technologies you have in place to protect your assets.

Fixing tactical vulnerabilities is important, but this can be rendered moot by strategic vulnerabilities. If people don’t lock the door when they leave, the lock isn’t very useful. Similarly, a compromised password can render the best security technologies moot.

QTS offers its QuikSecure Security Assessment service to help mid-market businesses define their strategic security vulnerabilities (around people and process elements as well as technology) and define an action plan for improvement.

Both elements are important. I often speak with IT staff that want to skip the strategic review and get right into the tactical stuff; scanning software is, after all, cool stuff. However, think about this: if you have a world-class alarm system for your house, does it really do you any good if your family doesn’t bother to turn it on when they leave the house? A great security system can be defeated by a single password on a single post-it note, and most security breaches, with the greatest financial loss, still occur from inside a network. An annual review of security, in both of these areas, is critically important.


Important elements to look at in a strategic security assessment include:

o Security Policies, including employee training, education and awareness;
o Physical and Operational Security;
o Password Policies and Management;
o Security Architecture: firewalls, VPNs, email and web servers, telecommunications links;
o IT Procedures around security and security management;
o Backup and Disaster Recovery.


When conducting a tactical scan of your network for vulnerabilities, start by looking at:

o Patch levels for servers, firewalls, routers, switches and wireless access points;
o Weak, guessable or missing passwords;
o Unnecessary services (for example, if a Windows 2000 server is not a web server, why not shut off IIS-related services?);
o Obvious misconfigurations.
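The Security Auditing Tools sidebar and the tactical checklist above both call for finding accounts with missing passwords and accounts that have not been used recently so they can be de-activated. As an added example (not a tool from the paper, from QTS, or from the vendors named in the sidebar), the block below applies those checks to a constructed set of account records whose fields mirror the Active Directory attributes such tools read: the userAccountControl bit values are the real AD flags, but the account data is made up and the two policy thresholds are assumptions. Real AD stores lastLogonTimestamp and pwdLastSet as FILETIME intervals; the example uses datetime objects so the age arithmetic stays readable.

```python
from datetime import datetime

# Real Active Directory userAccountControl bit flags.
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWD = 0x10000

# Assumed policy thresholds, in days; adjust to the organization's password policy.
POLICY = {"max_inactive_days": 90, "max_password_age_days": 90}

# Constructed sample accounts (field names mirror AD attributes, data is invented).
SAMPLE_ACCOUNTS = [
    {"sam": "jsmith", "uac": NORMAL_ACCOUNT,
     "last_logon": datetime(2006, 5, 30), "pwd_last_set": datetime(2006, 4, 1)},
    {"sam": "oldtemp", "uac": NORMAL_ACCOUNT,
     "last_logon": datetime(2005, 11, 2), "pwd_last_set": datetime(2005, 10, 1)},
    {"sam": "svc_backup", "uac": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD,
     "last_logon": datetime(2006, 6, 1), "pwd_last_set": datetime(2003, 1, 15)},
    {"sam": "kiosk", "uac": NORMAL_ACCOUNT | PASSWD_NOTREQD,
     "last_logon": datetime(2006, 6, 1), "pwd_last_set": None},
    {"sam": "retired", "uac": NORMAL_ACCOUNT | ACCOUNTDISABLE,
     "last_logon": datetime(2004, 1, 1), "pwd_last_set": datetime(2004, 1, 1)},
    {"sam": "newhire", "uac": NORMAL_ACCOUNT,
     "last_logon": None, "pwd_last_set": datetime(2006, 5, 28)},
]


def audit_accounts(accounts, as_of, policy=POLICY):
    """Return a list of (account, finding, days) for every enabled account
    that violates the policy. `days` carries the measured age where relevant."""
    findings = []
    for a in accounts:
        uac = a["uac"]
        if uac & ACCOUNTDISABLE:
            continue  # already de-activated: nothing left to do for this one
        if uac & PASSWD_NOTREQD:
            # The flag lets the account exist with a blank password.
            findings.append((a["sam"], "password-not-required", None))
        if a["pwd_last_set"] is None:
            findings.append((a["sam"], "password-never-set", None))
        else:
            pwd_age = (as_of - a["pwd_last_set"]).days
            if pwd_age > policy["max_password_age_days"]:
                findings.append((a["sam"], "password-too-old", pwd_age))
        if uac & DONT_EXPIRE_PASSWD:
            # Exempt from rotation; service accounts often carry this flag.
            findings.append((a["sam"], "password-never-expires", None))
        if a["last_logon"] is None:
            findings.append((a["sam"], "never-logged-on", None))
        else:
            idle = (as_of - a["last_logon"]).days
            if idle > policy["max_inactive_days"]:
                findings.append((a["sam"], "inactive", idle))
    return findings


def deactivation_candidates(findings):
    """Accounts the sidebar says should be de-activated: unused past the threshold."""
    return sorted({sam for sam, code, _ in findings if code == "inactive"})


if __name__ == "__main__":
    results = audit_accounts(SAMPLE_ACCOUNTS, as_of=datetime(2006, 6, 15))
    for sam, code, days in results:
        print(f"{sam:12} {code:24} {'' if days is None else f'{days} days'}")
    print("de-activation candidates:", deactivation_candidates(results))
```

One caveat for anyone adapting this to live directory data: the replicated lastLogonTimestamp attribute is only updated when the stored value is more than about two weeks stale, so an account can show as idle for up to that long after a real logon; the threshold above leaves ample room for that, but a threshold of a few days would not.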


A Penetration and Attack Test (“PAT”) performed by an ethical hacker (also known as a “White Hat”) can be very valuable, but don’t spend time and money on this until you’ve done the strategic and tactical reviews and taken as many steps as possible to remediate against the obvious vulnerabilities such as missing patches, weak passwords and systems that haven’t been at least basically hardened. PAT engagements are expensive, and you won’t get proper value from spending this money if you make it too easy for them.


Also, for PAT and security work be sure to verify the credentials of your security consultants. There are many “Black Hats” (hackers who may have questionable ethics based on their hacking background) offering security services. I would argue that in spite of the considerable skills these people have, their past background may very well make them undesirable as consultants and trusted advisors to your business.



Sidebar: Phishing

Phishing is, unfortunately, an increasingly common technique to steal a person’s identity, and potentially financial assets.

A phishing attack occurs when an email is sent, presumably from a trusted source like a bank, asking the user to log into their site. The problem is that the email is “spoofed” (identity is faked to make the address look real) and the login link takes you not to the bank, but to a malicious site that captures your user ID/password. With this data, your identity has been stolen and your assets are at risk.

Microsoft has recently taken a leadership role in this area, and is including anti-phishing filters in the upcoming release of Internet Explorer, IE 7. Until that time, it is important to be suspicious of all such emails, and never follow such instructions unless absolutely certain they are legitimate.

Bonus Step: Home Network Security


When speaking at events, I am often asked about home network security. Once people start thinking about the computers in their office, they invariably start to think about their own computers at home, and the associated risks. To an individual, the risks of poor security are also very high: identity theft is becoming a huge issue in today’s electronic world of Internet purchasing, and it is easy for hackers to steal information such as credit card numbers from unprotected systems.


Some basic steps that can be taken to protect home networks and computers would include:

o Run current, auto-updating antivirus software on all PCs;
o Run a software-based personal firewall program on all PCs;
o Use Windows Update to keep current on patches;
o Use an anti-spyware package such as Ad-Aware, Search & Destroy Spybot or Windows Defender;
o Learn to recognize Phishing attacks (see sidebar) and install anti-phishing software;
o If you share a cable modem or DSL connection, consider using a hardware firewall between your PCs and the Internet. These devices often include wireless access points and multi-port switches. Use NAT to protect the PCs behind the firewall;
o If using wireless communications, enable wireless security such as WEP or WPA. It isn’t all that hard to configure, and this way your neighbors don’t get to use your connection for free. Shut down SSID broadcasts so other people can’t see your access point, and therefore won’t attach to it. Remember to get everything working first, then turn on the security features as an add-on step;
o If you have children at home, consider software to enforce parental controls and/or log actions.


Home computers are often much more vulnerable than work computers because the software that is installed, and the way these systems are used, is so varied. Home systems get much “messier,” much faster, than equivalent work systems, and therefore pose more challenges to maintain.


Finally, ensure your data is being backed up; this is a step many home users ignore, often enough with unfortunate consequences. CD or DVD writers are a good data backup medium.

It is interesting how similar these steps are to many of the items that are discussed above for our businesses. People are people, and computers are computers. The same issues invariably apply.


About the Author

Neil A. Rosenberg is the President and CEO of Quality Technology Solutions, Inc., a leading New Jersey network integration and security services firm. Mr. Rosenberg is a 20+ year computer industry veteran with technical expertise spanning Local and Wide Area Networking and Internetworking, Host systems integration, software development and integration, Disaster Recovery and Information Security, as well as extensive consulting and project management experience.

Mr. Rosenberg holds a wide range of computer industry certifications, including the following:

o Certified Information Systems Security Professional (“CISSP”)
o Symantec Certified Security Practitioner (“SCSP”) and Technology Architect (“SCTA”) for Vulnerability Management and Firewalls
o Cisco Certified Design Associate (“CCDA”)
o Microsoft Certified Professional (“MCP”)
o Novell Certified NetWare Engineer (“CNE”)

Mr. Rosenberg is a frequent speaker at information security and networking events, and has presented on behalf of Microsoft, LegalTech, the NY State Society of CPAs and other organizations. Mr. Rosenberg has also written articles for the NJ and NY State Society of CPA newsletters and magazines, and authors QTS’ QuikNews monthly email newsletter. He has also provided feedback at an executive and a product team level to Microsoft, Novell and other partners.

Mr. Rosenberg has spent the last 14+ years building QTS into one of the industry’s leading regional integrators. He has developed numerous product offerings, including the launch of QTS’ QuikDesign, QuikSecure and QuikRecover line of offerings, and QTS’ service delivery methodologies.

Prior to QTS, Mr. Rosenberg served for seven years at Blue Cross Blue Shield of New Jersey, as an analyst and manager in the Contract Development/Legal Department. Mr. Rosenberg helped modernize and automate the organization’s paper-bound workflows, installing the company’s first Novell LAN and leading development of its mainframe-based benefits administration system along with numerous other automation initiatives.

Mr. Rosenberg earned a B.A. with Honors in History and English from Rutgers College, and a J.D. degree from Rutgers School of Law, Newark. He passed the New Jersey Bar and served as a member of the NJ State Bar Association’s Law Office Management Committee for several years.

Sidebar: Highlights

o Frequent Computer Industry Speaker
o Author of numerous information security articles for various publications
o 20+ years of computer industry experience
o Numerous technical certifications including CISSP
o Extensive consulting and project management experience
o Attorney

Sidebar: QTS also offers

o QuikRecover Disaster Recovery services;
o QuikAssist support plans;
o QuikAlert remote server monitoring;
o QuikStart knowledge transfer engagements;
o QuikDesign planning & architecture services;
o QuikDeploy Windows desktop deployment services.
About Quality Technology Solutions

Quality Technology Solutions is one of the leading network integrators and security service providers in the NJ/NY metro area. QTS has been serving businesses in New Jersey and New York for over 14 years, leveraging a senior talent model to deliver award-winning service and expertise to its customers.

Quality Technology Solutions is:

o Microsoft Gold Certified Partner for Security Solutions, Network Infrastructure, Advanced Infrastructure and Information Worker Solutions;
o Winner of Microsoft Worldwide Partner Awards in 2004 & 2005;
o Microsoft’s NJ Medium Enterprise Partner of the Year for 2001-2002, and NYNJ Partner Excellence Award Winner in 2005 and 2006;
o Winner of Novell’s Service Excellence Award in 2000 and 2001, one of 15 companies in all of North America to win the award;
o Citrix Gold Partner, Symantec Gold Partner and Cisco Premier Partner;
o Partner with HP, Double-Take Software, Captaris, SurfControl, RSA Security, Good Technology and others to provide a comprehensive range of network solutions.

QTS’ goal is to provide its customers with Worry-Free Network Solutions: well-planned and well-implemented projects to ensure networks are reliable, secure and highly available. An important element of this is QTS’ QuikSecure methodology, which it utilizes to maximize the Confidentiality, Integrity and Availability of its customers’ networks and data resources.

QTS’ QuikSecure™ Program presents a complete approach to the lifecycle of implementing a network security system for mid-size businesses. Each stage can be a distinct engagement, or the components can be done together in sequence. QTS’ QuikSecure Lifecycle consists of:

o Security Policy Development
o Architecture & Design
o Integration & Engineering Services
o Assisted Security Management Services
o Security Evaluation Services
o Microsoft Platform Review Engagement