Difference between revisions of "Team 12 Corporate Defenses"

From CyberSecurity
Revision as of 15:58, 24 October 2005

--Chris DuPuis 21:01, 23 October 2005 (PDT) This is just a list of items involved in defending corporate and financial networks. I will write up this section later, but, if you have anything to add, please do so here.

Network Security for Corporations

These are all supposed to be things that the DHS can recommend as policy for companies to adopt.


The general principles of these suggested measures may be summed up as follows:

1. Allow access only to needed services. If a service is not needed, access to it is only a potential security hole.

2. Reduce the possibility of worms and other malware spreading from one computer to another by limiting the contact between computers, between organizational units, and especially between the business-critical servers and any other computer system.

3. Be prepared. Keep software patches up-to-date, use antivirus software, keep logs and backups.



Firewall to keep out external intruders

- The company should define a policy listing the services (specific servers and applications) that need to be accessible from outside the corporate network. (For example, most sites will require external web access to their web server.)

- Set firewall rules to refuse all other types of service requests from outside.

Firewall to keep out internal intruders

- Security isn't just a matter of outside=bad, inside=good.

- Issues include insider hacking, unauthorized access to sensitive information, and worm containment (keeping worms from spreading to other machines on the LAN).

- Also, the definition of "inside" and "outside" for the network gets fuzzy when factors such as laptops, wireless networks, and VPN access are added. Could a visitor with a laptop plug into your network and do bad things? Could someone sit in your parking lot and access your network wirelessly?

Server security for "internal" users - In order to grant access to anything outside of public services, you need to be sure of the identity of the user (authentication) and to verify his right to access the service (authorization).

- At the least, this means checking to see that users have strong passwords. There are tools available to do this automatically.

- Also, give serious consideration to adopting stronger methods of authentication, such as Kerberos, or two-factor authentication, in which one factor is something that the user knows (such as a password) and the other is something that the user has (like a "smart card").

- If internal users are allowed to access the corporate network from outside (via VPN or SSH), great care must be taken that all security patches are installed for these products.
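The password item above says that strong-password checks can be automated. The following Python checker is an added example, not a tool from the wiki page; its length threshold, character-class rule and tiny common-password list are constructed assumptions (a real deployment would load a large wordlist), but it shows the checks such a tool performs, including catching the obvious substitutions that let "p@ssw0rd" slip past a naive dictionary match.

```python
"""Automated password-policy check. Added example, not from the wiki page.
Thresholds and the common-password list are constructed assumptions."""
import string

MIN_LENGTH = 12

# Constructed stand-in for a real common-password wordlist.
COMMON = {"password", "password1", "123456", "qwerty", "letmein",
          "welcome1", "admin", "changeme"}

# Undo common letter-for-symbol substitutions before the dictionary check.
LEET = str.maketrans("@$013!", "asolei")

def char_classes(pw):
    """Count how many of lower/upper/digit/punctuation the password uses."""
    classes = 0
    classes += any(c.islower() for c in pw)
    classes += any(c.isupper() for c in pw)
    classes += any(c.isdigit() for c in pw)
    classes += any(c in string.punctuation for c in pw)
    return classes

def leet_normalise(pw):
    return pw.translate(LEET)

def check_password(pw, username=""):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if char_classes(pw) < 3:
        problems.append("uses fewer than 3 character classes")
    norm = leet_normalise(pw.lower())
    # Exact match, or a common word of 6+ letters embedded in the password.
    if norm in COMMON or any(w in norm for w in COMMON if len(w) >= 6):
        problems.append("based on a common password")
    if username and len(username) >= 3 and username.lower() in norm:
        problems.append("contains the username")
    if len(set(pw)) <= 2:
        problems.append("too few distinct characters")
    return problems

if __name__ == "__main__":
    for pw, user in [("password", "bob"), ("P@ssw0rd2024!", "alice"),
                     ("aliceAlice2024!!", "alice"),
                     ("Correct-Horse-Battery-Staple-77", "alice")]:
        print(repr(pw), check_password(pw, user) or "OK")
```

Run this against the password at change time, not by cracking stored hashes later: the policy is enforced before a weak password ever exists on the system.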

Server security for "external" users - Keep systems that are accessible to external users in a "demilitarized zone (DMZ)", from which connections to machines within the greater company network are severely restricted. For example, your web server should not have ANY access to your payroll systems. This reduces the possible impact of a break-in on the web server.

- Do not keep any sensitive data on the web servers.
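The two firewall items above (a written list of externally reachable services, with everything else refused) and the DMZ rule (the web server must have no path to payroll) are the same idea: an explicit allowlist of flows between zones, with default deny. The following Python model is an added illustration and is not from the original wiki page; the host names, zones and allowed flows are constructed assumptions, but the logic is what a firewall policy review checks.

```python
"""Zone-based, default-deny flow policy.

Added illustration, not part of the original wiki page. Host names, zones
and the allowed flows below are constructed assumptions for the example.
"""
from dataclasses import dataclass

# Constructed host inventory: which zone each system lives in.
HOST_ZONE = {
    "internet":    "external",
    "www1":        "dmz",
    "mail-relay":  "dmz",
    "payroll-db":  "internal",
    "file-server": "internal",
    "wks-042":     "internal",
}

@dataclass(frozen=True)
class Rule:
    src_zone: str   # zone a connection originates from
    dst_host: str   # a specific server, never a whole zone (principle 1)
    port: int       # a single service port

# The written policy: every service that must be reachable, and from where.
# Anything not listed here is refused (default deny).
ALLOW = [
    Rule("external", "www1", 80),
    Rule("external", "www1", 443),
    Rule("external", "mail-relay", 25),
    Rule("internal", "www1", 443),        # staff may use the public site too
    Rule("internal", "file-server", 445),
    Rule("dmz", "mail-relay", 25),        # www1 may send mail via the relay
]

def zone_of(host):
    return HOST_ZONE.get(host, "unknown")

def evaluate(src_host, dst_host, port):
    """Return ('allow' | 'deny', reason). Unknown hosts are always denied."""
    src_zone = zone_of(src_host)
    if src_zone == "unknown" or zone_of(dst_host) == "unknown":
        return "deny", "unknown host"
    for r in ALLOW:
        if r.src_zone == src_zone and r.dst_host == dst_host and r.port == port:
            return "allow", f"matched {r}"
    return "deny", f"no rule for {src_zone} -> {dst_host}:{port}"

def audit(attempts):
    """Evaluate (src, dst, port) attempts; return the denied ones for logging."""
    denied = []
    for src, dst, port in attempts:
        verdict, reason = evaluate(src, dst, port)
        if verdict == "deny":
            denied.append((src, dst, port, reason))
    return denied

# Constructed sample of connection attempts to run the policy against.
SAMPLE_ATTEMPTS = [
    ("internet", "www1", 443),         # public web: allowed
    ("internet", "payroll-db", 1433),  # straight from outside: denied
    ("www1", "payroll-db", 1433),      # DMZ reaching into payroll: denied
    ("wks-042", "file-server", 445),   # internal file share: allowed
]

if __name__ == "__main__":
    for d in audit(SAMPLE_ATTEMPTS):
        print("DENY", d)
```

Note that rules name a destination host and port, not a destination zone: "the DMZ may talk to the internal network" would let a compromised web server reach payroll, which is exactly what the DMZ item forbids.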

Intrusion detection - Keep logs of access to important systems, user authentication, and changes to the configuration of each computer system.

- Copies of interesting log messages must be mailed or otherwise sent to an administrator. Because the messages have already left the machine, an attacker who breaks in cannot fully cover their tracks by editing the local logs.
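The two intrusion-detection items above amount to a filter over the logs (authentication, access to important systems, configuration changes) plus an off-host copy of what the filter selects. The Python below is an added example, not code from the wiki page: the syslog-style lines are constructed, and the choice of which patterns count as "interesting" is an assumption of this example. It builds the digest that would be mailed to the administrator and also flags repeated failed logins from one source, which is the most common thing such a digest turns up.

```python
"""Select security-relevant log lines and build an off-host digest.

Added example, not from the wiki page. The sample log lines are constructed
and the 'interesting' patterns are this example's assumption."""
import re
from collections import Counter

# Constructed sample of syslog-style lines from one server.
SAMPLE_LOG = """\
Oct 23 20:58:01 srv1 CRON[4411]: (root) CMD (run-parts /etc/cron.hourly)
Oct 23 20:58:14 srv1 sshd[4420]: Failed password for invalid user admin from 10.9.8.7 port 51022 ssh2
Oct 23 20:58:16 srv1 sshd[4420]: Failed password for invalid user admin from 10.9.8.7 port 51023 ssh2
Oct 23 20:58:19 srv1 sshd[4421]: Failed password for root from 10.9.8.7 port 51024 ssh2
Oct 23 20:59:02 srv1 sshd[4430]: Accepted publickey for chris from 10.1.1.5 port 40110 ssh2
Oct 23 20:59:40 srv1 sudo:    chris : TTY=pts/0 ; PWD=/home/chris ; USER=root ; COMMAND=/usr/bin/vi /etc/ssh/sshd_config
Oct 23 21:00:01 srv1 CRON[4450]: (root) CMD (run-parts /etc/cron.hourly)
Oct 23 21:00:12 srv1 useradd[4460]: new user: name=backup2, UID=1007, GID=1007, home=/home/backup2
"""

# The wiki's three categories (authentication, access, configuration change)
# mapped onto message patterns; the mapping is an assumption of this example.
INTERESTING = [
    ("auth_failure",
     re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")),
    ("auth_success",
     re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+)")),
    ("privilege",
     re.compile(r"sudo:\s+(\S+) : .*COMMAND=(.+)$")),
    ("account_change",
     re.compile(r"useradd\[\d+\]: new user: name=(\S+),")),
]

def classify(line):
    """Return (category, captured details) for a relevant line, else None."""
    for category, pat in INTERESTING:
        m = pat.search(line)
        if m:
            return category, m.groups()
    return None

def select_events(log_text):
    """Keep only the lines worth sending to an administrator."""
    events = []
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            events.append((hit[0], line))
    return events

def failed_logins_by_source(log_text, threshold=3):
    """Sources with at least `threshold` failed passwords in the batch."""
    counts = Counter()
    for category, line in select_events(log_text):
        if category == "auth_failure":
            counts[classify(line)[1][1]] += 1   # group 2 is the source address
    return {src: n for src, n in counts.items() if n >= threshold}

def build_digest(log_text):
    """Text to mail off-host; once sent, editing the local log cannot erase it."""
    events = select_events(log_text)
    lines = [f"{len(events)} security-relevant events"]
    lines += [f"[{cat}] {line}" for cat, line in events]
    for src, n in failed_logins_by_source(log_text).items():
        lines.append(f"ALERT: {n} failed logins from {src}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(build_digest(SAMPLE_LOG))
```

The digest is only as trustworthy as the delivery path: it has to leave the monitored host promptly (a mail relay or syslog server the host cannot later modify), otherwise the attacker can still delete the pending copy along with the local log.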

Software security

- At minimum, keep all systems up-to-date with vendor-supplied patches for all software products.

- Better: Do in-house testing of each patch, including its interaction with other software. Be prepared to work with the vendor in cases where problems are identified.

- Corporate policy should prohibit running servers on workstations, unless necessary.

- Antivirus software should be used.

Education

- Keep users informed of risks, as well as the costs (in terms of outages, at least) of ignoring these risks.

Auditing

- Need a policy in place for how to audit security measures for different types of computers.

Flexibility

- The business of the company is not its own security.

- Users must have ultimate say in what is needed. IT must work to fulfill these needs in a secure manner.

Quis custodiet ipsos custodes?

- The IT staff is expected to keep watch over corporate security; who watches the watchers?

- Needs more research, but a good answer is to make IT staff happy. It's not terribly wise to put your company in the hands of disgruntled employees.



Incentives for adopting these policies