The need to allow access through the Internet to information kept in host databases has added urgency and importance to security issues. Many companies will eventually allow Internet access, and, regardless of the architecture used, a well-written security policy with sound, tested security procedures will be needed.
Why Have a Security Policy?
The purpose of a security policy is to help protect the company, employees, and customers from business interruptions, liability, loss of private information, and loss of business opportunities due to unauthorized use of company computers. The security policy states the departmental and computer-user responsibilities for the protection of equipment and information. It describes what is and is not an appropriate use of company equipment, computers, facilities, and information.
The security policy should state what is to be secured and should be as generic as possible. The security procedures should state how to implement the goals of the security policy. Many examples of security policies are commercially available for a broad range of prices. These can give you ideas and save a lot of time. And, as with anything else that has to do with computers, testing and training are a requirement.
Security Areas to Control
Besides the obvious security measures needed at any site, the following areas should be closely considered and examined when connecting a host to the Internet: password security, user access management, malicious hacking, social hacking, and viruses.
Password Security
Password security is probably the most important and visible portion of host security. The following paragraph is an example that could be used in a security policy regarding password security:
All passwords will be assigned according to predefined security rules. Passwords will be changed at regular intervals defined by management. These passwords will be difficult to remember but must not be kept in written format in a work area. This includes any form of writing on or attached to work area equipment or furniture. If a written password is needed, it must be kept in a secure area, such as a purse or wallet. Passwords are not to be shared with anyone, and suspected misuse of passwords should be reported immediately. No password will be transmitted via email. All password or account information requested by telephone will be verified through the use of information normally known only by the requestor.
The security procedures to implement the password policy could include the following:
All network passwords should be different from AS/400 passwords and could be separately administered.
Employee accounts will be disabled and modified immediately upon notification of termination; if it is not possible to disable a profile, the password must be changed.
Passwords will be assigned according to the following predefined security rules: Minimum length of six characters, maximum length of 10 characters; the pound symbol (#), the dollar sign ($), and the at symbol (@) cannot be used; adjacent digits are not allowed; characters cannot be repeated; at least two digits are required; cannot begin with a digit; passwords cannot include family or pet names.
When a telephone user requests password changes or enablement, the user's name, employee number, and social security number should be verified; if the request is via email, the user should telephone the requestor for verification.
All passwords will be changed at least twice a year.
User accounts will be disabled after three unsuccessful logon attempts.
User Access Management
How often do you discover user profiles that are still usable long after they should be? This has always been a problem, but it is more important than ever that a procedure be put in place to make sure that user accounts are disabled when they should be, especially in cases of hostile-employee terminations. With Web-to-host availability, former employees can access the system through the Internet from anywhere in the world! The management, the personnel department, and the computer services department must agree on a procedure that will minimize the number of enabled yet unauthorized users. An email or a phone call is a quick method that will usually work to identify terminated employees, but how will you know whether the email will be received or whether someone will be available to take the call? A set procedure could specify an in-box that will be checked before 4:00 p.m. daily for paper termination requests. The request is hand-delivered to the person on the list authorized to disable the account on all systems capable of remote access. There must always be an alternate employee for request-checking and account-disabling. No matter how hard you try, there will still be occasional unauthorized user profiles. Run an unused profiles report regularly to spot these lapses.
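As an added illustration (not code from the original article), the sketch below audits a profile listing against the procedures above: terminated employees who are still enabled, unused profiles, passwords not changed twice a year, and accounts at the three-failure limit that were never disabled. The profile rows, the termination list, and the 90-day "unused" threshold are constructed assumptions; the article sets no threshold.

```python
from datetime import date

# Constructed sample data: one row per user profile (not from a real system).
PROFILES = [
    # user, status, last_signon, password_changed, failed_attempts
    ("JSMITH", "ENABLED", date(2024, 5, 28), date(2024, 3, 1), 0),
    ("MJONES", "ENABLED", date(2024, 5, 30), date(2023, 9, 15), 0),
    ("TEMP01", "ENABLED", date(2023, 11, 2), date(2023, 11, 1), 0),
    ("RBROWN", "ENABLED", date(2024, 5, 20), date(2024, 4, 10), 4),
    ("KLEE", "DISABLED", date(2024, 1, 5), date(2023, 12, 1), 3),
    ("PWHITE", "ENABLED", date(2024, 5, 31), date(2024, 5, 1), 0),
]
TERMINATED = {"PWHITE", "KLEE"}   # constructed termination list from personnel

MAX_PASSWORD_AGE_DAYS = 183       # "changed at least twice a year"
MAX_FAILED_ATTEMPTS = 3           # "disabled after three unsuccessful logon attempts"
UNUSED_AFTER_DAYS = 90            # assumption: the article gives no threshold


def audit_profiles(profiles, terminated, today):
    """Return {user: [findings]} for enabled profiles that break a procedure."""
    report = {}
    for user, status, last_signon, pw_changed, failed in profiles:
        if status != "ENABLED":
            continue  # a disabled profile cannot sign on
        findings = []
        if user in terminated:
            findings.append("terminated employee still enabled")
        if (today - last_signon).days > UNUSED_AFTER_DAYS:
            findings.append("unused profile")
        if (today - pw_changed).days > MAX_PASSWORD_AGE_DAYS:
            findings.append("password older than six months")
        if failed >= MAX_FAILED_ATTEMPTS:
            findings.append("failed-logon limit reached but not disabled")
        if findings:
            report[user] = findings
    return report


if __name__ == "__main__":
    result = audit_profiles(PROFILES, TERMINATED, date(2024, 6, 1))
    for user, findings in result.items():
        print(f"{user}: {', '.join(findings)}")
```

Running the report on a schedule, with the termination list supplied by the personnel department, gives the alternate employee the same view as the primary one.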
Why allow users access during periods of the day when it is not needed? It is easy to set time and day restrictions for accounts on some systems, and more difficult on others. To accomplish this, you could either write your own program or buy an add-on. There are different ways this can be done; the point is, an employee who works from 8:00 a.m. to 5:00 p.m. does not need 24/7 access. Consider implementing a procedure to change this capability. This needs to be well-planned, since changing the security policy can be frustrating for users and adds to administrative overhead.
Malicious Hacking
There are many security issues to consider when addressing the subject of hacking. I normally think of a hacker as a person who uses electronic means of password-guessing to penetrate computer systems for theft. Many times, however, theft is not the objective; it could be vandalism or thrill-seeking. Whatever the purpose, hacking can be expensive and destructive.
Encryption is an important safeguard against hacking and should always be used in a Web-to-host implementation. Most modern encryption algorithms are almost impossible to break, and a hacker who captures and reads encrypted data will most likely move on to an easier target. A virtual private network (VPN), Secure Sockets Layer (SSL), or some other proprietary method can be used. There are many considerations with these encryption implementations. VPN is the most secure type of communication method, but it requires the most administrative overhead and support and is generally the most expensive option. SSL is more flexible, but a full-blown implementation is similar to VPN in terms of administration and support costs. With SSL, you have to decide if you want one- or two-way authentication. If you want the more secure two-way authentication, you have to decide if you wish to be the certificate-issuing authority or if the remote computer will obtain the digital certificates from an outside authority. If you use host authentication, the only certificate required will be on the host, and there will be lower administrative and support costs.
A firewall should always be used to provide a Web-to-host guard against hacker attacks. After you have decided what services are to be allowed and the installation is complete, get an outsider to perform an ethical hack. An ethical hack will show you what security problems a hacker might exploit. The extent of the ethical hack you will use depends on your budget, but at the very least you should make sure that the ports and services you don't want are truly shut off. Physical and network access to the firewall should be strictly controlled. Every configuration change should be documented, and the rules should be backed up and printed. Periodically, a hard copy of the rules should be compared with the existing firewall rules.
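The periodic comparison of the backed-up rules with the running rules can be automated. The following added example (not from the original article) reports drift between a documented baseline and the current rule set. The rule syntax, addresses, and rule sets are constructed, and it assumes rules are evaluated top-down, so a change in order is also reported.

```python
# Constructed rule sets in a made-up "action proto source dest port" syntax.
BASELINE = """\
# documented 2024-01-15
permit tcp any 192.0.2.10 443
permit tcp 198.51.100.0/24 192.0.2.20 992
deny   ip  any any any
"""
CURRENT = """\
permit tcp any 192.0.2.10 443
permit tcp any 192.0.2.20 23
permit TCP 198.51.100.0/24  192.0.2.20 992
deny ip any any any
"""


def parse_rules(text):
    """Normalize case and whitespace, drop comments and blanks, keep order."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rules.append(" ".join(line.lower().split()))
    return rules


def rule_drift(baseline_text, current_text):
    """Compare the documented rules with the running rules."""
    base, cur = parse_rules(baseline_text), parse_rules(current_text)
    added = [r for r in cur if r not in base]      # undocumented rules
    removed = [r for r in base if r not in cur]    # documented but missing
    # Assumption: first match wins, so the order of shared rules matters.
    shared_base = [r for r in base if r in cur]
    shared_cur = [r for r in cur if r in base]
    return {"added": added, "removed": removed,
            "reordered": shared_base != shared_cur}


if __name__ == "__main__":
    drift = rule_drift(BASELINE, CURRENT)
    for rule in drift["added"]:
        print("UNDOCUMENTED:", rule)
    for rule in drift["removed"]:
        print("MISSING:", rule)
    if drift["reordered"]:
        print("Rule order differs from the documented baseline")
```

Here the only finding is the undocumented Telnet rule; the case and spacing differences in the other rules are normalized away and do not raise false alarms.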
Your router connection to the Internet can be hacked. Are you sure that all unneeded services are turned off? For example, if Telnet access is available, your router could be hacked. This might not be as damaging as a host intrusion, but it could cause some downtime. Make sure the routing entries are backed up and you have appropriate password security.
Intrusion detection is an important defense against hackers. There are several products available for different needs or budgets. If you would like to see how often you are scanned or probed by intruders, place an intrusion detection system on the unprotected side of your firewall. After you see how real the threat is, place the product inside your network. This can tell you whether an intruder got past your firewall or attacked from the inside. This could be your chance to catch a hacker in the act, so you need to decide how you will respond to an attack and document the response procedure.
Social Hacking
Social hackers attempt to compromise security by deception, not just by electronic means, and are the cause of a large number of security breaches. This type of hacker doesn't need to know much about computers or networking; he just needs to know how to fool people into supplying information about a user account. Social hacking can be accomplished by finding out details about an employee and attempting to gain access to the host or network by guessing that employee's password. Another method of social hacking might be for a hacker to assume the identity of an employee over the phone and attempt to learn further details or cause actions that could aid in his hacking attempts. A social hacker could tell the help desk, "I am an employee in an important meeting with an unsuccessful sales demonstration. The sale would be successful if the firewall protection were temporarily lowered or if a certain port were opened." Once he has access, he could plant a program that would allow easy access at a later time. Social hacking is why it is necessary that all help desk personnel have some method to verify a user account over the phone. For example, this could be a social security number, mother's maiden name, or some other type of information that is not easily obtainable. No changing of passwords or enabling of user accounts should be allowed without some form of verification. A change can be requested by email, but the help desk must call back and verify the information over the phone. Also, no security measure should be circumvented without the approval of a manager who has appropriate authority.
Viruses
Viruses are increasingly difficult and expensive to contain. This is a threat to all computer installations, but it is a more serious threat to companies that depend on email as a core part of their business. It should be treated with the same degree of importance as any other disaster recovery scenario. The security policy should state what to do to avoid viruses and what a user should do if a virus is discovered. The security policy should clearly state in detail the methods used to prevent viruses and how to react if one is reported or discovered. This may mean shutting down email. If so, the procedures should state how to shut down email services and the chain of command to authorize such action. Quick action can save many hours of downtime and work, so make sure everyone involved knows exactly what to do. Business partners and customers will not appreciate any viruses you send their way, so there is a certain amount of goodwill at stake.
Viruses are such a big problem that two kinds of virus scanning software are needed for serious e-businesses. The most effective type of scanning software for email viruses resides on the email server and will not allow viruses to make it to the network or desktop. Even with server scanning, you still need desktop scanning for internally loaded software. Since you need both types of virus scanning software, consider different vendors for the desktop and server software. That way, if one doesn't catch a virus, the other might. If any of the remote Web-to-host users are under your control, make sure you have a procedure in place to notify or distribute virus software updates to them.
It doesn't do much good to have virus protection unless it is kept current. Make sure that the security policy document states who will be responsible for virus updates and how often they will check for updates. Don't depend on the user to update desktop software; consider a method to automatically distribute virus scanning software updates. Virus prevention is a big subject and requires research, planning, updating, and management.
Only the Beginning...
The use of the Internet for business purposes is only now in its infancy. This is the time to prepare for the changes that using the Internet in your business might bring to your current security implementation. With proper planning, procedures, and testing, you will be ready for the security challenges that lie ahead in the Internet world.