Vulnerability Assessment
Security departments should perform vulnerability assessments (or scans) of the organization's systems on a regular basis. The department should plan monthly assessments of all systems within an organization. If the number of systems is large, the systems should be grouped appropriately and a portion of the total scanned each week. Plans should also be in place for follow-up with system administrators to make sure that corrective action is taken.

Audit
The security department should have plans to conduct audits of policy compliance. Such audits may focus on system configurations, on backup policy compliance, or on the protection of information in physical form. Since audits are manpower-intensive, small portions of the organization should be targeted for each audit. When conducting audits of system configurations, a representative sample of systems can be chosen. If significant non-compliance issues are found, a larger audit can be scheduled for the offending department or facility.

Training
Awareness training plans should be created in conjunction with the human resources department. These plans should include schedules for awareness training classes and detailed publicity campaign plans. When planning classes, the schedules should take into account that every employee should take an awareness class every two years.

Policy Evaluation
Every organization policy should have a built-in review date. The security department should have plans to begin the review and evaluation of the policy as the review date approaches. Generally, this will require two policies to be reviewed each year.

TECHNICAL SECURITY
Technical security measures are concerned with the implementation of security controls on computer and network systems. These controls are the manifestation of the organization's policies and procedures.
Network Connectivity
The movement of information between organizations has resulted in growing connectivity between the networks of different organizations. Connectivity to the Internet is also increasing as organizations seek to use the Net for communication, marketing, research, and, increasingly, for business. To protect an organization from unwanted intrusions, the following items are recommended as best practices.

124 Network Security: A Beginner's Guide

Permanent Connections
Network connections to other organizations or to the Internet should be protected by a firewall. A firewall acts in the same manner as a firewall between two rooms in a building: it separates the area into different compartments so that a fire in one room will not spread to another. Likewise, firewalls separate an organization's networks from the Internet or from the networks of other organizations so that damage in one network cannot spread to the other. Firewalls may be filtering routers, packet filtering firewalls, or application layer firewalls, depending on the needs of the organization (see Chapter 9).

Dial-in Connections
Dial-in connections can be targeted to gain unauthorized access to organizations and therefore should be protected. Since a dial-in connection can allow access to the internal network of an organization just as a permanent connection can, some form of two-factor authentication should be used. Two-factor authentication mechanisms that are appropriate include
▼ Dial-Back Modems Dial-back modems used in conjunction with an authentication mechanism may be sufficient. In this case, the dial-back modem must be configured with the number to call before the dial-in connection is attempted, and the user attempting to connect must not be able to change that number. Dial-back modems are not appropriate for mobile users.
■ Dynamic Passwords Dynamic (one-time) passwords are appropriate as an authentication mechanism as long as the dynamic password is combined with something known by the user, such as a PIN.
▲ Encryption Devices Portable encryption devices are appropriate as an authentication mechanism as long as they are combined with something known by the user. The encryption device should be pre-loaded with the appropriate encryption keys so that it constitutes something the user has.

Any of these mechanisms is appropriate for authenticating users over dial-in connections. Note that these mechanisms might also be appropriate for VPN connections.

Virus Protection
Computer viruses are one of the most prevalent threats to organization information. The number and sophistication of viruses continue to increase, and the susceptibility of current desktop application software to misuse by viruses also continues. Viruses enter organizations in three primary ways:
▼ Files shared between home computers and work computers
■ Files downloaded from Internet sites
▲ Files that come into an organization as e-mail attachments

Chapter 8: Information Security Best Practices 125

To manage this risk, best practices recommend that a strong anti-virus program be created for the organization. A strong anti-virus program controls viruses at three points:
▼ Servers Anti-virus software is installed on all file servers and is configured to periodically run complete virus checks on all files.
■ Desktops Anti-virus software is installed on all desktop systems and is configured to periodically run complete virus checks on all files. In addition, the anti-virus software is configured to check each file as it is opened.
▲ E-mail Systems Anti-virus software is installed either on the primary mail server or in the path that inbound e-mail takes into the organization. It is configured to check each file attachment before it is delivered to the end user.
The installation and configuration of the anti-virus software is only half of the solution to the virus problem. To be complete, an anti-virus program must also allow for frequent virus signature updates and the delivery of those updates to the servers, desktops, and e-mail systems. Updates should be received based on the software manufacturer's recommendations, and no less frequently than monthly. (Monthly was the floor when this was written; current products fetch signatures automatically at least daily. Whatever the interval, the update mechanism itself needs monitoring, since a host whose updates fail silently is unprotected without anyone noticing.)

Authentication
Authentication of authorized users prevents unauthorized users from gaining access to corporate information systems. Authentication also underpins access control: once the system knows who a user is, it can keep that user away from information he or she is not authorized to view. Currently, passwords remain the primary authentication mechanism for internal system access. If passwords are to be used, the following are recommended as best practices:
▼ Password Length Passwords should be a minimum of eight characters in length.
■ Password Change Frequency Passwords should not be more than 60 days old. In addition, a password should not be changed again within one day of a change; without this minimum age, a user can cycle through the whole history in a few minutes and land back on the old password.
■ Password History The last ten passwords should not be reused.
▲ Password Content Passwords should not be made up of only letters but should include letters, numbers, and special punctuation characters.

The system should enforce these restrictions when passwords are changed. Passwords should never be stored in recoverable form: store only a salted, one-way hash of each password, and make sure the file holding the hashes is not readable by normal users, since anything a user can read can be copied off the system and attacked offline. For extremely sensitive systems or information, passwords may not provide sufficient protection. In these cases, dynamic passwords or some form of two-factor authentication should be used.

All organization systems should be configured to start a screen saver that removes information from the screen and requires re-authentication if the user is away from the computer for longer than ten minutes.
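The password rules above, as an added example rather than code from the book: a checker of the kind a system would run at password-change time. It enforces the length and content rules, the one-day minimum age, the 60-day maximum age and the ten-deep history, and it keeps that history as salted PBKDF2 hashes so the stored record is one-way, as the text requires. The PasswordRecord structure, the function names, the sample passwords and the iteration count are assumptions made for this example.

```python
"""Password policy enforcement.

Added example, not code from the book. Enforces the rules in the text
(minimum length 8, maximum age 60 days, no change within one day of the
last, no reuse of the last ten, mixed character classes) and stores the
history as salted PBKDF2 hashes, so a stolen record reveals neither the
current nor any old password. PasswordRecord and the function names are
assumptions made for this example.
"""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass
from datetime import datetime, timedelta

MIN_LENGTH = 8
MAX_AGE = timedelta(days=60)
MIN_AGE = timedelta(days=1)
HISTORY_DEPTH = 10
# Kept low so the example runs quickly; production deployments use far more
# iterations (or a memory-hard function such as scrypt or Argon2).
PBKDF2_ROUNDS = 20_000


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way, salted and slow: the only form in which a password is stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class PasswordRecord:
    changed_at: datetime
    # (salt, digest) pairs, newest first; history[0] is the current password.
    history: list


def new_record(password: str, now: datetime) -> PasswordRecord:
    salt = os.urandom(16)
    return PasswordRecord(changed_at=now, history=[(salt, hash_password(password, salt))])


def content_errors(password: str) -> list:
    """Rules that look only at the candidate password itself."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        errors.append("no letters")
    if not any(c.isdigit() for c in password):
        errors.append("no digits")
    if not any(c in string.punctuation for c in password):
        errors.append("no punctuation")
    return errors


def reuses_old_password(password: str, record: PasswordRecord) -> bool:
    """Re-hash the candidate under each stored salt and compare in constant time."""
    return any(
        hmac.compare_digest(hash_password(password, salt), digest)
        for salt, digest in record.history[:HISTORY_DEPTH]
    )


def is_expired(record: PasswordRecord, now: datetime) -> bool:
    """Maximum-age rule: a password older than MAX_AGE must be changed."""
    return now - record.changed_at > MAX_AGE


def check_change(record: PasswordRecord, new_password: str, now: datetime) -> list:
    """Every reason the change must be refused; an empty list means it may proceed."""
    errors = content_errors(new_password)
    if now - record.changed_at < MIN_AGE:
        errors.append("changed less than one day ago")
    if reuses_old_password(new_password, record):
        errors.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    return errors


def apply_change(record: PasswordRecord, new_password: str, now: datetime) -> PasswordRecord:
    """Enforce the policy, then rotate the history, dropping entries beyond the tenth."""
    errors = check_change(record, new_password, now)
    if errors:
        raise ValueError("; ".join(errors))
    salt = os.urandom(16)
    history = [(salt, hash_password(new_password, salt))] + record.history
    return PasswordRecord(changed_at=now, history=history[:HISTORY_DEPTH])


def demo() -> dict:
    """Walk one account through the policy; the decisions are returned for inspection."""
    t0 = datetime(2001, 1, 1)  # constructed dates and passwords
    rec = new_record("Tr0ub4dor&3", t0)
    out = {
        "reuse_refused": check_change(rec, "Tr0ub4dor&3", t0 + timedelta(days=2)),
        "too_soon_refused": check_change(rec, "N3w-pass!", t0 + timedelta(hours=12)),
        "expired_at_61_days": is_expired(rec, t0 + timedelta(days=61)),
        "expired_at_30_days": is_expired(rec, t0 + timedelta(days=30)),
    }
    # Ten further changes push the original out of the history window.
    for i in range(HISTORY_DEPTH):
        rec = apply_change(rec, f"Rot4ted!{i}", t0 + timedelta(days=i + 2))
    out["original_allowed_after_ten"] = reuses_old_password("Tr0ub4dor&3", rec) is False
    out["latest_still_refused"] = reuses_old_password("Rot4ted!9", rec)
    out["history_len"] = len(rec.history)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two points the code makes explicit that the rules alone do not: the history check has to re-hash the candidate under each old salt, so history cannot be enforced if old hashes are thrown away, and the minimum-age rule is what stops a user from making ten quick changes to get back to a favourite password.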
The screen-saver requirement matters because, if an employee were to leave a computer logged into the network and unattended, an intruder would be able to use that computer as if he were the employee unless some form of re-authentication were required.

Audit
Auditing is a mechanism that records actions that occur on a computer system. The audit log or file contains information as to what events (logins, logouts, file access, and so on) took place, who performed the action, when the action was performed, and whether it was successful. An audit log is an after-the-fact, investigative resource. The audit log may hold information as to how a computer system was penetrated and which information was compromised or changed. The following events should be recorded:
▼ Logins/logoffs
■ Failed login attempts
■ Network connection attempts
■ Dial-in connection attempts
■ Supervisor/administrator/root logins
■ Supervisor/administrator/root privileged functions
▲ Sensitive file access

Ideally, these events are also recorded in a file located on a separate, secured system (a dedicated log host). In this way, an intruder who gains control of the audited system cannot erase the evidence of her actions.

To be effective, audit logs must be reviewed on a regular basis. Unfortunately, audit logs are among the most tedious files to review by hand. Humans are just not good at reviewing huge audit logs looking for the few entries that may indicate an event of interest. Therefore, organizations should use automated tools to review audit logs. The tools may be as simple as scripts that work through the log files looking for pre-configured strings of text. It is recommended that audit logs be reviewed at least weekly.

Encryption
Sensitive information may be put at risk if it is transmitted through unsecured means such as Internet electronic mail or phone lines. Sensitive information may also be put at risk if it is stored on an unprotected portable computer. Encryption provides a means of protecting this information.
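Returning to the Audit section above, which suggests scripts that work through the logs for pre-configured strings: the following is an added example, not code from the book, of such a review run over constructed log lines in a simplified syslog style (the host name, addresses, user names and the payroll path are made up). It flags the events the list calls for (failed logins, root logins, privileged commands, sensitive file access) and additionally counts failed logins per source address, so a burst from one address is reported as a probable brute-force attempt, something a plain string match on each line would not show. The rule patterns and the five-failure threshold are assumptions.

```python
"""Automated audit-log review.

Added example, not code from the book: a script of the kind the text
describes, working through log lines for pre-configured patterns. The
log lines below are constructed for the example in a simplified syslog
style; the patterns and the threshold are assumptions.
"""
import re
from collections import Counter

# Constructed sample. In practice the input is the copy held on the log host.
SAMPLE_LOG = """\
Mar 12 08:01:15 fs1 sshd[410]: Accepted password for alice from 10.1.2.30 port 51022 ssh2
Mar 12 08:02:01 fs1 sshd[412]: Failed password for bob from 192.0.2.9 port 40100 ssh2
Mar 12 08:02:03 fs1 sshd[412]: Failed password for bob from 192.0.2.9 port 40101 ssh2
Mar 12 08:02:05 fs1 sshd[412]: Failed password for bob from 192.0.2.9 port 40102 ssh2
Mar 12 08:02:07 fs1 sshd[412]: Failed password for invalid user admin from 192.0.2.9 port 40103 ssh2
Mar 12 08:02:09 fs1 sshd[412]: Failed password for invalid user test from 192.0.2.9 port 40104 ssh2
Mar 12 08:10:44 fs1 sshd[430]: Accepted publickey for root from 10.1.2.30 port 51030 ssh2
Mar 12 08:11:02 fs1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/useradd mallory
Mar 12 08:15:30 fs1 audit[515]: open path=/srv/payroll/salaries.xls user=carol result=success
Mar 12 08:16:00 fs1 sshd[440]: Disconnected from 10.1.2.30
"""

FAILED_LOGIN_THRESHOLD = 5  # assumption: report a source after five failures

# (rule name, pattern). A line is tested against every rule.
RULES = [
    ("failed_login",
     re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")),
    ("root_login",
     re.compile(r"Accepted \S+ for root from (?P<src>\S+)")),
    ("privileged_command",
     re.compile(r"sudo: (?P<user>\S+) : .*USER=root ; COMMAND=(?P<cmd>.+)$")),
    ("sensitive_file_access",
     re.compile(r"path=(?P<path>/srv/payroll/\S+) user=(?P<user>\S+)")),
]


def review(log_text: str, threshold: int = FAILED_LOGIN_THRESHOLD) -> dict:
    """Return the matches per rule, plus sources that crossed the failed-login threshold."""
    findings = {name: [] for name, _ in RULES}
    failures_by_source = Counter()
    for line in log_text.splitlines():
        for name, pattern in RULES:
            match = pattern.search(line)
            if not match:
                continue
            findings[name].append(match.groupdict())
            if name == "failed_login":
                failures_by_source[match.group("src")] += 1
    # Aggregation across lines is what turns five routine failures into one alert.
    findings["brute_force_sources"] = sorted(
        src for src, count in failures_by_source.items() if count >= threshold
    )
    return findings


def format_report(findings: dict) -> str:
    """Plain-text summary for the weekly review."""
    lines = []
    for name, hits in findings.items():
        lines.append(f"{name}: {len(hits)}")
        for hit in hits:
            if isinstance(hit, dict):
                hit = ", ".join(f"{k}={v}" for k, v in hit.items())
            lines.append("  " + hit)
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(review(SAMPLE_LOG)))
```

Two things worth noticing in the sample: the root login and the sudo line are both legitimate-looking and would never be caught by looking for "error" strings, which is why the list above names them explicitly, and the five failures are individually unremarkable, so the reviewer needs the per-source count, not just the per-line match.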
If the sensitivity level of the information warrants it, information should be encrypted when transmitted over unsecured lines or by electronic mail. The algorithm used should have a level of assurance that matches the sensitivity of the information being protected. Link encryption should be used for transmission lines between organization facilities. If virtual private network links are used between facilities, the VPN should use a strong form of encryption on all information sent between the two sites.

If electronic mail is used to transmit sensitive information within an organization, it may not be necessary to encrypt the messages. However, if electronic mail is used to transmit sensitive information outside of the organization's internal network, the messages should be encrypted. If the message is being sent to another organization, procedures (including the exchange of keys) should be established beforehand so that the message can be encrypted.

Sensitive information should be encrypted when kept on portable computers. The algorithm used should have a level of assurance that matches the sensitivity of the information being protected. The system used for portable computers should require the user to authenticate before gaining access to the information. Ideally, the system will also allow the organization to recover the information if the user is unavailable (for example, through an escrowed recovery key); otherwise a forgotten passphrase makes the data as unavailable to the organization as to a thief.

The encryption algorithms used for any encryption should be well known and well tested (see Chapter 12 for more information on encryption algorithms). A secret or proprietary algorithm is not a strength: the protection should rest in the secrecy of the keys, not in the algorithm remaining unknown.

Backup and Recovery
As stated in the "Administrative Security" section, backup and recovery are integral parts of a company's ability to restore operations after a failure. The more current the backups, the easier it is for the organization to restore operations. Information on server systems should be backed up daily. Once per week, a full backup should be performed.
Backups on the other six days should be incremental. All backups should be periodically verified to determine whether the backup successfully copied the important files; the only real proof that a backup works is a test restore from it. Regular schedules of tests should be established so that all media are tested periodically.

Backups of desktop and portable systems can be a problem for any organization. One problem is the sheer volume of data. A second problem is the need to perform these backups across networks. Generally, backups of desktop and portable computers should only be performed if the information is too sensitive to be stored on a network file server. In this case, the backup system should be co-located with the computer system.

As important as making the backups is the storage of the backups once they are successfully made. Backups are made so that the organization can recover the information if a failure occurs. The failures may range from a user mistakenly deleting an important file to a site-destroying disaster. The need to restore from both types of events creates conflicting requirements for the storage of backups. To restore important user files, the backups need to be close and available so that the restore can be done quickly. To protect against disasters, the backups should be stored off-site. Best practices recommend that backups be stored off-site to maximize the protection of the information. Arrangements should be made to have backups brought back to the organization's facility in a timely manner if they are needed to restore certain files. Backups should be moved off-site within 24 hours of being made.

Physical Security
Physical security must be used with other technical and administrative security for full protection. No amount of technical security can protect sensitive information if physical access to computer servers is not controlled. Likewise, power and climate conditions may affect the availability of information systems.
Best practices recommend that physical security be used to protect information systems in four areas:
▼ Physical access
■ Climate
■ Fire suppression
▲ Electrical power

Physical Access
All sensitive computer systems should be protected from unauthorized access. Normally, this is done by concentrating the systems in a data center. Access to the data center is controlled by an access list. Badge access or combination lock access is used to restrict the employees who can enter the data center. The walls of the data center should be true-floor-to-true-ceiling walls that do not allow access to the data center by going through a false ceiling.

Climate
Computer systems are sensitive to high temperatures. Computer systems also generate significant amounts of heat. The climate control units for the data center should be capable of maintaining constant temperature and humidity and should be sized correctly for the room and for the heat put out by the expected number of computer systems. The climate control units should be configured to notify administrators if a failure occurs or if the temperature goes out of the normal range. Water condenses around air conditioning units. This water must be removed from the data center.

Fire Suppression
Water fire-suppression systems are not appropriate for data centers, as a discharge will damage computer systems. Only non-water fire-suppression systems should be used in data centers. The fire-suppression system should be configured so that a fire in an adjoining space does not set off the system in the data center.

NOTE: Many fire regulations require that all spaces in a building have sprinkler systems installed regardless of other fire-suppression systems. If this is the case, the non-water fire-suppression system should be configured to go off before the sprinkler system.

Electrical Power
Computer systems require electrical power to operate.
In many locations, spikes and short interruptions occur in the electric power supply. Such interruptions can cause computer systems to fail and result in the loss of data. All sensitive computer systems should be protected from short outages. Battery backups (uninterruptible power supplies) best accomplish this. Battery backups should be sized to provide sufficient power to gracefully shut down the computer systems. To protect systems from longer outages, emergency generators should be used. In either case, alarms should be configured to notify the administrators that a power outage has occurred.

PART III
Practical Solutions

Copyright 2001 The McGraw-Hill Companies, Inc.