INFOLINK Tech Talk #3 Computer and Network Security Presented by: Jeffrey Bombell, American Computer Technologies

Upload: networkingcentral

Post on 29-Nov-2014

Why do we need security?

“All men by nature desire knowledge” - Aristotle c. 360 BC

“Knowledge is Power” - Francis Bacon, 1597

“Forbidden Donut” - Homer Simpson, 1989


Why do we need security?

70% of all security violations happen from within an organization.

Of that 70%, most “attacks” are not attacks. People make honest mistakes that cause bad things to happen.

Of outside attacks, targets are normally unknown to the attacker.

Most administrators are oblivious to the number of attacks that are attempted each day.


Overview

Client Security
Server Security
LAN/WAN
Social Engineering
Tools
Developing A Security Plan


Client Security

Current State

Most of the measures in libraries today address acceptable use, not security.

Anti-virus is only as good as its last update. Antivirus program updates are released weekly.

Most 3rd party software based security measures can be thwarted on Windows 9x and ME systems.


Operating Systems

Laying the ground work

Start with an OS that can be hardened easily
– Windows 2000
– Windows XP
– Mac OS-X
– UNIX (Solaris, Linux, BSD)

Windows 2000/XP
– Always install on an NTFS file system
– Remove all unnecessary programs
– Set Group Policies
– Use PAC from the Bill & Melinda Gates Foundation


Client Security

Secure the computer's BIOS
Install the computer with minimal operating system features
Require user authentication
Keep the operating system and applications up to date with patches
Install anti-virus software - UPDATES!
Install desktop security software
Securely configure applications
Educate and constantly remind staff about the need for security


Client Security

Lockdown

Lockdown software can control the computer at the application level and the OS level.
– WINSelect: http://www.winselect.com
  Uses a proprietary non-registry lockdown method. Allows for customizable restrictions on most features on most programs.
– Fortress: http://www.fortress.com
  Similar to WINSelect, Fortress monitors each action the user performs and determines if it is authorized or not.
– Secure PC: http://www.citadel.com
  Secure PC uses registry manipulation as well as direct monitoring of application functions.


Client Security

Menu Replacement

Menu Replacement / Kiosk Software
– Menu replacement software replaces the standard Windows desktop with a third party program. Menu replacement programs replace the Windows interface with their own and present the user with a different desktop, usually without the Start Menu, Task Bar, etc.
  • CARL: http://www.tlcdelivers.com
  • WinU: http://www.bardon.com/winu.htm
  • CybraryN: http://www.cybraryn.com


Client Security

Roll Back

Gives users the ability to make changes on a system and later revert to the former state.

• DeepFreeze: http://www.winselect.com
• CleanSlate: http://www.fortress.com
• RestoreIT: http://www.farstone.com


Server Security

Same general guidelines as with Client OS Hardening.

Enable only what is needed.
• Not running a web server? Get rid of IIS.

Limit who has access to Administrator accounts.

Implement strong passwords.

Change passwords often.


Central Administration

Terminal Services and Citrix Metaframe
– Move application loading to the server.
– Requires full-time trained IT Staff.

Implement Active Directory to centrally manage group policies on Windows networks.
– Requires Windows 2000 or XP on the client.
– Requires client logons to be enforced.


LAN/WAN Security

Partition the network. Keep the public access computers separate from the day to day business.

xDSL is cheap and more than enough service for public access. Verizon DSL starts at $60/mo for 768Kbps/128Kbps (that is ½ the download speed of a T1) up to $205/mo for 7.1Mbps/768Kbps.

The average T1 circuit and service is @ $600/mo


LAN/WAN Security

Firewall
– Separate DMZs for public and private networks

Content Filtering

Application Filtering
– Disallow access to harmful or disruptive internet applications.

Policy Enforcement


Social Engineering

What the $@#%%! is Social Engineering?
– Social Engineering is generally a hacker’s clever manipulation of the natural human tendency to trust.
– http://www.securityfocus.com


True Stories

From ComputerWorld – Shark Tank

Pilot fish quits his county government job but still has his e-mail account to help during the transition. Then he receives a message from a new IT guy, asking all users with remote access for their phone numbers, log-ins and passwords. "I hoped all the users I had repeatedly schooled in security would refuse to respond," says fish. But one department head not only e-mails his password, but also clicks on "Reply to all," fish says -- "so every user in the county got the message."

– http://www.computerworld.com/departments/opinions/sharktank


Social Engineering

Teach your employees who is authorized to gather information about your systems.

Teach your employees what information should never be released.

Employees’ passwords are for their use only. No one else should ever need them.

Administrators have their own passwords that allow them to do anything you can do.


Security Tools

TRINUX - http://trinux.sourceforge.net/

Trinux is a ramdisk-based Linux distribution that boots from a single floppy or CD-ROM. Trinux contains the latest versions of popular Open Source network security tools for port scanning, packet sniffing, vulnerability scanning, sniffer detection, packet construction, active/passive OS fingerprinting, network monitoring, session-hijacking, backup/recovery, computer forensics, intrusion detection, and more.

Trinux gives you the power of Linux security tools without requiring a full-blown Linux install or the need to download, compile, install, and update a complete suite of security tools that are typically not found in mainstream distributions.

– TRINUX is FREE and is on your CD\Network Security\TRINUX


Security Tools

Internet Security Scanner – http://www.iss.net
– A suite of products for security assessment and active security scanning of clients, servers and network. Will evaluate systems for open holes, security patches, strong passwords, etc.

– Cost may be prohibitive for a single library.


Security Policy Components

1. Objective or Abstract
2. Scope
3. Responsibilities
4. Physical Security
5. Network Security
6. Software Control
7. Disaster Planning
8. Acceptable Use Policy
9. Security Awareness
10. Compliance

– http://www.infopeople.org/howto/security/basics/security_policies.html


Objective or Abstract

The Objective or Abstract should be a mission statement that defines objectives of the policy. It summarizes what types of assets are important, what is the need to protect them, and summarizes procedures to be followed to protect assets.


Scope

The Scope defines the specific assets to be protected by the policy, based on the Risk Assessment. It also defines who must follow the policy, such as members of the public, employees, outside contractors, and vendors.


Responsibilities

The Responsibilities component describes who is responsible for protecting assets defined in the scope, and how. It generally outlines users' security responsibilities, but it can also include roles of particular users, such as IT department managers and administrators.


Physical Security

The Physical Security section states how the library will physically protect its facility and assets. It should also state who has access to restricted areas, such as server rooms and telecommunications closets.


Network Security

Network Security states how the library will protect data stored on the network(s). It should include information on:
– Workstation security
– Access control and authentication
– Securing of file systems
– Backups and restoring backups
– Remote access
– Network monitoring
– Port restrictions
– Filtering
– Firewalls, proxy servers and border routers


Software Control

Software controls should be in place stating how your organization uses commercial and noncommercial software. They should describe:
– Procedures for the purchase of software
– Procedures for installing software
– Procedures for downloading software from the Internet


Disaster Planning - Hardware

List all critical assets.
Complete a detailed hardware inventory with hardware specifications needed for critical assets.
Compile a list of the personnel, including contact information, needed to restore service.*
Establish a restore priority.

*May include vendors


Disaster Plan - Software

Establish a data backup plan.
Determine need for off-site storage locations, contact information.
Compile information on what is backed up and when.
Compile a list of personnel, including contact information, needed to restore data.*
Establish a restore priority.

*May Include Vendors


Acceptable Use Policy

An Acceptable Use Policy details the ways in which:
– The network can be used, including use of the Internet
– Patrons may use the computers
– Computer use limitations are imposed (such as time constraints or filtering restrictions)
– Violations of the Acceptable Use Policy are handled


Security Awareness

Security Awareness outlines what level of awareness of security issues staff are expected to have. This should include some information on new user training of security issues.

This is one of the most important parts of a security policy. This will help stop any social engineering efforts before they happen.


Additional Information

The SANS Institute - http://www.sans.org/resources/policies/

Computer Emergency Response Center - http://www.cert.org

Symantec Antivirus Research Center - http://www.sarc.com

Security Focus - http://www.securityfocus.com/
