8/2/2019 Solving Common Security - Thawte
http://slidepdf.com/reader/full/solving-common-security-thawte
Solving Common IT Security Problems
an Internet.com Security eBook

Contents
What to Do When a Laptop is Stolen
PC Security Tips for Corporate Executives
The 20 Most Effective Controls to Protect Your Enterprise
Seven Simple Wireless Security Tips
Five Advanced Wi-Fi Network Security Tips

This content was adapted from Internet.com’s eSecurity Planet and Enterprise IT Planet Web sites. Contributors: David Strom, Michael Horowitz, Sonny Discini.
Solving Common IT Security Problems, an Internet.com Security eBook. © 2010, Internet.com, a division of QuinStreet, Inc.

What to Do When a Laptop is Stolen
By David Strom

I had my laptop stolen once, about five years ago, from the trunk of a locked car parked at a shopping mall. You never forget that experience of being violated, of being stupid. (And it seems to be getting more common, according to a story in the LA Times about thieves who follow customers home from Apple Stores.)

So what can users do to be more proactive, given the number of laptops that go missing every month? One way is to use one of a growing number of recovery software tools that automatically “phone home” (in the Internet sense of the word) and help you and the authorities, should they be interested, in trying to track it down. Think of what LoJack does for locating cars, with the added information that having an Internet connection can bring (indeed, the company is one that offers a laptop tool).

While it sounds like a great idea, there are several issues with using these tools.

First, most of them are designed for individuals, not corporations. Absolute Software’s Computrace has an enterprise version called Complete in their LoJack for Laptops line, which has tools that offer more asset tracking and remote hard disk destruction that aren’t found in an individual product. zTrace Technologies’ zTrace Gold, MyLaptopGPS for Windows, and Brigadoon’s PC/Mac PhoneHome products all offer quantity pricing for business customers, but not much else in terms of added features over their individual versions.

Turn the Tables
A second alternative is to look at central monitoring and image automation tools, such as Symantec’s Altiris and Kaseya, that can be used in a stolen laptop situation. Greg Hemig, a Sacramento Kaseya VAR, did exactly that and was able to recover two independently stolen laptops by using the remote control features.

“I was able to find out not just an IP address, which is what a typical anti-theft product like LoJack would provide, but an actual physical address, the names of the user’s girlfriend and family, how to access their bank accounts, and even turn on the microphone on the laptop and listen to what they were saying while they were typing,” says Hemig. Scary stuff, but within two weeks of contacting law enforcement, he was able to get back both machines to their original owners.

OS-Based Options
Third, the versions that are offered differ as to features between Mac and Windows, with the Mac (if it is supported at all) usually being a poor cousin. If you have a mixed network this could be a determining factor as to which product you end up deploying. Taking Computrace as an example again, the Mac version doesn’t include the special embedded BIOS agent that comes with their Windows product.
Phoenix Technologies offers something similar for its OEM BIOS customers called FailSafe, but not for the general public. And GadgetTrak has software for both Mac and Windows, but prices them differently.

Well-Rounded
Next, these tools are just part of an overall laptop security solution that should also include disk encryption and password-protecting the boot drive. If these tools live on the hard disk and if you haven’t enabled a firmware or disk password, any intelligent thief can just reformat your hard drive and remove this protection, or just remove the hard drive itself. So it makes sense to start by putting password protection on all of your machines as a first line of defense. Disk encryption is especially important if you need to protect confidential corporate or business data, not to mention personal data, such as bank account passwords as well.

That brings me to my last point: Do you really need a vendor-operated central monitoring station, or can you set up your own central place where alerts can be sent? GadgetTrak, Orbicule’s Undercover for Macs and iPhones, Prey (for Mac, Windows, and Linux), and PC/Mac PhoneHome are all tools that don’t make use of any central monitoring station. Instead, the software sends info to your e-mail (and for GadgetTrak, to Flickr) accounts directly. With some of these products, upon booting they look for the presence or absence of a special URL that indicates the laptop has been stolen. If so, they send information, such as the current IP address, a snapshot from a Webcam, screenshots, and other details to your e-mail address.
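
The marker-URL check described above, sketched as an added example that is not part of the original eBook and not the code of any product it names. The URL, the device secret and the HMAC token are assumptions made here so that a captive portal answering every request with a login page is not mistaken for the marker; collectors run only once the laptop is flagged.

```python
import hashlib
import hmac
from typing import Callable, Dict, Optional, Tuple

# Hypothetical provisioning values, constructed for this example.
MARKER_URL = "https://tracking.example.org/laptops/LT-0042/stolen"
DEVICE_SECRET = b"constructed-demo-secret"

# A fetcher returns (HTTP status, body); status is None when there is no network.
Fetcher = Callable[[str], Tuple[Optional[int], bytes]]


def expected_token(secret: bytes = DEVICE_SECRET) -> str:
    """Token the owner publishes at the marker URL to flag the laptop as stolen."""
    return hmac.new(secret, b"stolen", hashlib.sha256).hexdigest()


def check_marker(fetch: Fetcher, url: str = MARKER_URL) -> str:
    """Classify one boot-time check as 'stolen', 'ok' or 'unknown'."""
    try:
        status, body = fetch(url)
    except OSError:
        return "unknown"          # network error: decide nothing, retry later
    if status is None:
        return "unknown"          # offline
    if status == 404:
        return "ok"               # marker absent: no theft has been reported
    if status == 200:
        # Marker present, but only trust it if it carries the expected token.
        if hmac.compare_digest(body.strip(), expected_token().encode()):
            return "stolen"
        return "unknown"          # e.g. a hotspot login page served with 200
    return "unknown"              # redirects, 5xx, filtering proxies


def boot_check(fetch: Fetcher, collectors: Dict[str, Callable[[], str]]) -> dict:
    """Run the collectors (name -> callable) only when the marker says 'stolen'."""
    state = check_marker(fetch)
    report = {"state": state}
    if state != "stolen":
        return report             # nothing is captured from an unflagged laptop
    for name, collect in collectors.items():
        try:
            report[name] = collect()
        except Exception as exc:  # one failed collector must not block the report
            report[name] = f"unavailable: {exc}"
    return report


if __name__ == "__main__":
    # Constructed responses standing in for real HTTP requests.
    flagged = lambda url: (200, expected_token().encode() + b"\n")
    portal = lambda url: (200, b"<html>Please log in</html>")
    print(boot_check(portal, {"ip_address": lambda: "203.0.113.7"}))
    print(boot_check(flagged, {"ip_address": lambda: "203.0.113.7"}))
```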

One user of Undercover had his laptop stolen about two years ago, also from his car. (Have you realized never to leave a laptop in a vehicle now?) “Within a few days, we had screenshots and camera images of the thief and working with local authorities, we were able to recover the laptop within a week,” said Lenny, a friend of mine who has run several major corporations and is a big fan of their software.

While options vary depending on need, OS, and budget, the ideal approach to protecting laptops is to cover your bases: use password protection and disk encryption, and employ a collection of tools, including a monitoring product with a corresponding tracking piece on each laptop — and remind users to never leave a laptop in a car.

PC Security Tips for Corporate Executives
By Michael Horowitz

The recent attacks against Google and other companies highlighted “spear phishing” attacks. The term refers to scam e-mail messages designed to trick the recipient into infecting his or her own computer with malicious software (malware). The end result of the phony yarn, spun in the body of an e-mail message, is that the duped user visits an infected Web page, opens a maliciously crafted document, or runs a malicious program.

Unlike regular phishing e-mails that are blasted out to millions, spear phishing, as the name implies, is specifically targeted. Anyone that works with secrets that the bad guys want may be sent an e-mail message targeted specifically at them. The message will appear to come from someone they know and the topic will be something that the sender would normally discuss. Everything about the message is fraudulent, including the From address.

The fraud is successful, in part, because people trust the From address of an e-mail message. No one should; forging the From address is child’s play. But, since the From address is correct 99 percent of the time and many don’t know that it is easily forged, this gets the spear phishing message in the door, so to speak.

As I recently wrote, the most important aspect of Defensive Computing is skepticism. Corporate executives may be skeptical when dealing with people, but lack awareness of common online scams.

Just a few days ago, Roger Thompson of AVG described the hacking of the Oklahoma Tax Commission Web site. To be infected, the end user simply had to agree to an Adobe license agreement. The agreement looked legit, but it was from bad guys rather than Adobe, and agreeing to it installed malware.

Here I assume we are configuring a computer for someone with access to corporate secrets, someone whose lack of technical know-how makes them an easy target for online scammers. What steps can we take to protect this person from themselves?

Restricted Users
Running as a limited (a.k.a., restricted or standard) user is job one. For the sake of backward compatibility Windows users, by default, run as Administrators, which lets them change anything, anytime, anywhere. Despite this default behavior, Microsoft recommends, and all techies agree, that people are safer running as limited users.

Windows Vista and Windows 7 users may feel that UAC protects them, even when logged on as an administrator. It does not.

I’ve been testing life as a restricted user for a while on both Windows XP and Windows 7. It works better on Windows 7; XP has a number of quirks in the implementation. But regardless of any quirks, this is perhaps the biggest weapon in the Defensive Computing software arsenal. Barring severe bugs in Windows, it should prevent the installation of any software (assuming the bigshot is not given an Administrator password).

If, for whatever reason, running as a limited user is not an option, Windows XP users can still get most of the protection it offers with the free DropMyRights program. This Microsoft program is used to front-end another program and drop its rights. For example, an Administrator class user can click on an icon for the Adobe Reader, which actually runs DropMyRights. It, in turn, runs the Adobe Reader, but only after dropping the rights down to those of a limited user. Thus, if an infected PDF file tries to install software, it fails.

Running as a limited user however does not prevent malicious software from running, just from running out of certain folders (and from being permanently installed). More steps are needed.

Internet Explorer
It took security expert Steve Gibson a while to come around to my Defensive Computing posture, but he finally did. No more Internet Explorer.

Just say no. Friends don’t let friends use Internet Explorer.

In part this is unfair to Microsoft, as IE is not necessarily any buggier than competing browsers. But it is buggy enough, and it has a huge target painted on its back. Plus, Microsoft makes a bad situation worse by being slow to fix bugs. If for no other reason than this, any other Web browser is safer than IE.

Other browsers are updated with bug fixes when they are needed. IE has to live in a huge bureaucracy that dictates it only gets updated once a month. It makes headlines when IE is patched when needed, as opposed to on schedule. Not good for security.

In addition to the slow IE patching imposed by the once-a-month schedule, Microsoft has a history of just being slow. For example, the IE bug that was exploited recently to attack Google and others was initially called a zero-day vulnerability; techie terminology for a newly discovered bug. It turns out not to have been zero day at all, more like 120 days. Microsoft was alerted to the problem four months before it was exploited on Google.

And, we’re still not done with IE issues. Computerworld reports that design flaws in the browser can let it expose the entire C: disk.

There is no such thing as removing Internet Explorer, but we can hide it. First, lock it down as best as possible. On the Security tab (of Internet Options) set the Internet and Local intranet zones to high security. Turn on protected mode and DEP (note that DEP requires companion support in both the processor and BIOS).

Then get rid of all visible signs of Internet Explorer. Remove it from the desktop, task bar, and the Start button. It’s still there, only now the only way to run it is to navigate to C:\Program Files\Internet Explorer\iexplore.exe

Firefox and Adobe Reader
In place of Internet Explorer, I suggest Firefox; no news here. But, it does need some work out of the box.

A great security tweak to Firefox is to force the address bar to turn green on all secure HTTPS Web pages. It shouldn’t be hard to train anyone that green is safe and anything else is not. This tweak is done by editing a file called userchrome.css.

Another possibility is using the portable version of Firefox rather than a normally installed copy. Not only does this allow a limited/restricted/standard user to update the browser with new patches, it also makes the software harder to find by any malware looking to infect it.

Another program that I’d ban from the computer of anyone involved with corporate secrets is Adobe Acrobat Reader. Like Internet Explorer, the Adobe Reader has a big target painted on it. It has also been rather buggy over the last couple years. At one point, Adobe thought it was a good idea to only issue bug fixes every three months. And the procedure for updating the software is harder than it needs to be.

In addition to the Reader itself, Adobe installs two programs that run every time Windows starts, which is an accident waiting to happen. In fact, simply hovering the mouse over the name of a PDF file causes an Adobe program (AcroRd32Info.exe) to run, no clicking required. This is true even if the Adobe Reader is not the default program for opening PDFs (tested on Windows XP with Adobe Reader 8.2.0).

It’s all just too intrusive for my taste.

There are many other PDF readers, any one of which will be a lesser target. I use the one from Foxit Software. It doesn’t do everything that Adobe Reader does, but it should be enough for almost everyone. If, for some reason, Adobe Reader can’t be uninstalled, then at least don’t make it the default program for opening PDFs, and be sure to turn off Javascript.

Other Software Issues
For years viruses have spread on USB flash drives (a.k.a. pen drive, thumb drive, etc.) and they continue to do so. Windows 7 is more locked down in this respect than XP, but it is not bullet-proof.

The good news is that with a simple update to the registry, you can offer 100 percent protection from all Autorun/AutoPlay vulnerabilities.
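
The article does not say which registry value it has in mind. As an added example (not from the original eBook), the audit below assumes the documented Explorer policy value NoDriveTypeAutoRun and decodes its bitmask to show which drive types still allow Autorun; the sample mask values in the demo are constructed.

```python
from typing import List, Optional, Tuple

# Assumption: the policy audited is Explorer's NoDriveTypeAutoRun (REG_DWORD).
POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
VALUE_NAME = "NoDriveTypeAutoRun"

# A set bit disables Autorun for that drive type.
DRIVE_TYPES = {
    0x01: "unknown type",
    0x04: "removable (USB flash drives)",
    0x08: "fixed disk",
    0x10: "network drive",
    0x20: "CD-ROM",
    0x40: "RAM disk",
    0x80: "unknown type (reserved)",
}


def effective_mask(hklm: Optional[int], hkcu: Optional[int]) -> Optional[int]:
    """HKLM takes precedence when both hives define the value; None = not set."""
    return hklm if hklm is not None else hkcu


def exposed_drive_types(mask: Optional[int]) -> List[str]:
    """Drive types for which the policy does not disable Autorun."""
    bits = 0 if mask is None else mask
    return [name for bit, name in DRIVE_TYPES.items() if not bits & bit]


def audit(hklm: Optional[int], hkcu: Optional[int]) -> dict:
    """Summarise the policy as it would be applied to the logged-on user."""
    mask = effective_mask(hklm, hkcu)
    exposed = exposed_drive_types(mask)
    return {
        "configured": mask is not None,
        "mask": mask,
        "exposed": exposed,
        "compliant": mask is not None and not exposed,
    }


def read_policy() -> Tuple[Optional[int], Optional[int]]:
    """Read (HKLM, HKCU) values on Windows; a missing value is returned as None."""
    import winreg  # Windows-only standard-library module
    found = []
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            with winreg.OpenKey(hive, POLICY_KEY) as key:
                value, _kind = winreg.QueryValueEx(key, VALUE_NAME)
                found.append(int(value))
        except OSError:
            found.append(None)
    return found[0], found[1]


if __name__ == "__main__":
    # Constructed sample: a machine-wide mask of 0x91 beside a user mask of 0xFF.
    print(audit(0x91, 0xFF))   # HKLM wins, so USB drives are still exposed
    print(audit(0xFF, None))   # every drive type covered
```

On a Windows machine, `audit(*read_policy())` applies the same check to the live registry.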

While Internet Explorer and Adobe Reader are the most frequently targeted applications, bad guys also exploit other popular software. Thus, the less software installed the better. With this in mind, I would uninstall QuickTime, Java, Shockwave, Real Player, and any other popular software that is not absolutely needed.

Flash is a difficult choice. Because it’s popular, you can expect bad guys to exploit known vulnerabilities as they are discovered. But, it’s also needed frequently. As a compromise, consider the Flashblock Firefox extension. It works by blocking Flash objects on Web pages and replacing them with placeholders. If a particular Flash object is needed, all you need do is click on it to run it. As I write this, the Flashblock extension has been downloaded nearly 8 million times.

Perhaps the king of popular software is Microsoft Office. Consider replacing it with Open Office, the theory being, again, software that is a lesser target. Open Office is not as functional as Microsoft Office, but for non-techies, such as corporate bigshots, it should be functional enough.

Did you know that the recent bug in Internet Explorer, the one that was so critical that Microsoft released an immediate fix without waiting for the second Tuesday of the month, also affected Microsoft Office? This didn’t get much press. In Microsoft’s own words:

“We are also aware that the vulnerability can be exploited by including an ActiveX control in a Microsoft Access, Word, Excel, or PowerPoint file. Customers would have to open a malicious file to be at risk of exploitation. To prevent exploitation, we recommend that customers disable ActiveX Controls in Microsoft Office.”

Support for ActiveX controls in Office documents is a security accident waiting to happen. I read the instructions for disabling ActiveX controls in Microsoft Office 2003. They were so confusing, I couldn’t follow them. The safest thing to do is replace Microsoft Office with competing software.

Hardware Encryption
On the hardware side, I have two suggestions. First, set a password for the hard drive in the computer. This should be a simple thing to do and hard drive passwords are more secure than both BIOS level startup passwords and operating system passwords.

The best encryption is, arguably, full disk encryption and if an executive has sensitive files on his or her computer, this might make sense. But sensitive files should not be kept on a laptop or desktop computer. They are best stored on an external hard drive, one that can travel with the bigshot to places that a computer can’t go.

Two encrypted hard drives, the Lenovo ThinkPad USB Secure Hard Drive and the Aegis Padlock, stand out for not needing any software running on any computer; thus they can work with computers running Windows, OS X, or Linux.

Each has built-in buttons that are used to enter a password. Until a valid password is given, the computer can’t see anything on the drive. After the password is validated, the drives work like normal unencrypted hard drives. The computer is totally unaware of the encryption. For the user, there is no learning curve, just a password.

Another big advantage to an external encrypted hard drive is that it can be easily and quickly locked just by unplugging it from the computer.

Exploiting Friends
Is all this too much trouble? Am I over reacting?

The operation that Google uncovered at the end of 2009 was very sophisticated. The Financial Times reported that “personal friends of employees at Google, Adobe, and other companies were targeted by hackers.”

Friends? The article, by Joseph Menn, says

“...the attackers had selected employees at the companies with access to proprietary data, then learnt who their friends were. The hackers compromised the social network accounts of those friends, hoping to enhance the probability that their final targets would click on the links they sent.”

Yikes.

The 20 Most Effective Controls to Protect Your Enterprise
By Sonny Discini

Securing the enterprise against cyber attacks has become one of the highest priorities of corporate leadership. To achieve this objective, networks, systems, and the operations teams that support them must vigorously defend against a variety of threats, both internal and external. Furthermore, for those attacks that are successful, defenses must be capable of detecting, thwarting, and responding to follow-on attacks on internal enterprise networks as attackers spread inside a compromised network.

Following in the Footsteps of the Feds
For inspiration and guidance in how to combat these threats, look no further than the U.S. government. The federal government revamped The Federal Information Security Management Act (FISMA) to address the needs of securing Federal computer systems. FISMA, the U.S. ICE Act of 2009, specifically addresses the same issues many corporate security practitioners face. If you read through the legislation, you come across an interesting snippet of verbiage, “monitor, detect, analyze, protect, report, and respond against known vulnerabilities, attacks, and exploitations” and “continuously test and evaluate information security controls and techniques to ensure that they are effectively implemented.”

What this really means is that offense and defense must keep each other informed, and as such, the overall foundation of security is built on this flow of communication. Enterprise security teams have struggled with this, but now they may have an effective model to apply.

The Path to Effective Controls
Before we list specific technical controls, it’s important to understand that because organizations do not have unlimited funding, the only rational way they can hope to be successful is to establish a prioritized baseline of information security measures and controls that can be continuously monitored through automated mechanisms.

When devising controls, the following guiding principles should be considered. Defenses should focus on addressing the most common and damaging attack activities occurring today and those anticipated in the near future. Enterprise environments must ensure consistent controls across an enterprise to effectively negate attacks. Defenses should be automated where possible, and periodically or continuously measured using automated measurement techniques where feasible. To address current attacks occurring on a frequent basis against numerous organizations, a variety of specific technical activities should be undertaken to produce a more consistent defense.

Now, when tailoring your controls to be enterprise-specific, consider the following sub controls.

Low Hanging Fruit: The intent of identifying “low hanging fruit” areas is to highlight where security can be improved rapidly. That is, to rapidly improve its security stance generally without major procedural, architectural, or technical changes to its environment.

Improved Visibility and Attribution: Improving the process, architecture, and technical capabilities of organizations so organizations can monitor their networks and computer systems, gaining better visibility into the IT operations. In other words, these controls help increase an organization’s situational awareness of its environment.

Hardened Configurations: This type of control focuses on protecting against poor security practices by system administrators and end users who could give an attacker an advantage in attacking target systems. Hardened system configuration aims to reduce the number and magnitude of potential security vulnerabilities as well as improve the operations of networked computer systems.

There are 15 controls that can be handled via automation and five that require manual application. The SANS Institute provides specific details about each of these controls.

The 15 that can take advantage of automation are:
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
4. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
5. Perimeter Defense
6. Maintenance, Monitoring, and Analysis of Security Audit Logs
7. Application Software Security
8. Controlled Use of Administrative Privileges
9. Controlled Access Based on Need to Know
10. Continuous Vulnerability Assessment and Remediation
11. Account Monitoring and Control
12. Malware Defenses
13. Limitation and Control of Network Ports, Protocols, and Services
14. Wireless Device Control
15. Data Loss Prevention

And the five that must be done manually are:
16. Secure Network Engineering
17. Penetration Testing
18. Incident Response Capability
19. Data Recovery Capability
20. Security Skills Assessment and Appropriate Training

The consensus effort to define critical security controls is an evolving effort. In fact, changing technology and changing attack patterns will necessitate future changes even after the current set of controls has been finalized. In a sense, this will be a living document moving forward, but the controls described in this version are a solid start in the quest to make fundamental computer security defenses a well understood, repeatable, measurable, scalable and reliable process throughout the federal government.

Although there is no such thing as absolute protection, proper implementation of the security controls identified will ensure an organization is protecting against the most significant attacks. As attacks change, additional controls or tools become available, or the state of common security practice advances, it is critical to review these controls and make changes as needed. Treat this list as a living document with frequent evaluations to ensure that the most effective practices are indeed in place.

Seven Simple Wireless Security Tips
By eSecurity Planet Staff

These days wireless networking products are so ubiquitous and inexpensive that just about anyone can set up a WLAN in a matter of minutes with less than $100 worth of equipment. This widespread use of wireless networks means that there may be dozens of potential network intruders lurking within range of your office WLAN.

Most WLAN hardware has gotten easy enough to set up that many users simply plug it in and start using the network without giving much thought to security. Nevertheless, taking a few extra minutes to configure the security features of your wireless router or access point is time well spent. Here are some of the things you can do to protect your wireless network:

1. Secure Your Wireless Administration Interface
Almost all routers and access points have an administrator password that’s needed to log into the device and modify any configuration settings. Most devices use a weak default password like “password” or the manufacturer’s name, and some don’t have a default password at all. As soon as you set up a new WLAN router or access point, your first step should be to change the default password to something else. You may not use this password very often, so be sure to write it down in a safe place so you can refer to it if needed. Without it, the only way to access the router or access point may be to reset it to factory default settings, which will wipe away any configuration changes you’ve made.

2. Don’t Broadcast the SSID
Most WLAN access points and routers automatically (and continually) broadcast the network’s name, or SSID (Service Set IDentifier). This makes setting up wireless clients extremely convenient since you can locate a WLAN without having to know what it’s called, but it will also make your WLAN visible to any wireless systems within range of it. Turning off SSID broadcast for your network makes it invisible to your neighbors and passers-by (though it will still be detectable by WLAN “sniffers”).

3. Enable WPA Encryption Instead of WEP
802.11’s WEP (Wired Equivalency Privacy) encryption has well-known weaknesses that make it relatively easy for a determined user with the right equipment to crack the encryption and access the wireless network. A better way to protect your WLAN is with WPA (Wi-Fi Protected Access). WPA provides much better protection and is also easier to use, since your password characters aren’t limited to 0-9 and A-F as they are with WEP. WPA support has been built into Windows since XP.

4. Remember That WEP is Better Than Nothing
If you find that some of your wireless devices only support WEP encryption (this is often the case with non-PC devices, such as media players, PDAs, and DVRs), avoid the temptation to skip encryption entirely because, in spite of its flaws, using WEP is still far superior to having no encryption at all. If you do use WEP, don’t use an encryption key that’s easy to guess like a string of the same or consecutive numbers. Also, although it can be a pain, WEP users should change encryption keys often — preferably every week.
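
A check for the easy-to-guess keys named in this tip, as an added example that is not part of the original eBook. It assumes keys are entered as 10 or 26 hexadecimal digits (the usual 40-bit and 104-bit WEP key lengths); the repeating-pattern check and the seven-day rotation helper go slightly beyond the two cases the text lists.

```python
import secrets
from datetime import date
from typing import List

WEP_HEX_LENGTHS = (10, 26)   # hex digits for 40-bit and 104-bit keys
HEX_DIGITS = "0123456789ABCDEF"


def wep_key_findings(key: str) -> List[str]:
    """Return the reasons a hex WEP key should be rejected (empty list = none)."""
    k = key.strip().replace(":", "").replace("-", "").upper()
    findings = []
    if len(k) not in WEP_HEX_LENGTHS:
        findings.append("length must be 10 or 26 hex digits")
    if not k or any(c not in HEX_DIGITS for c in k):
        findings.append("only 0-9 and A-F are allowed")
        return findings
    digits = [int(c, 16) for c in k]
    if len(set(digits)) == 1:
        findings.append("same digit repeated")
        return findings
    # Every step between neighbours is +1 or every step is -1 (wrapping F -> 0).
    steps = {(b - a) % 16 for a, b in zip(digits, digits[1:])}
    if steps in ({1}, {15}):
        findings.append("consecutive digits")
    # A short block repeated to fill the key, e.g. ABAB... or 123123...
    for period in range(2, len(k) // 2 + 1):
        if all(k[i] == k[i % period] for i in range(len(k))):
            findings.append(f"repeats a {period}-digit pattern")
            break
    return findings


def generate_wep_key(hex_digits: int = 26) -> str:
    """Random key from the OS CSPRNG, so there is no human-chosen pattern."""
    if hex_digits not in WEP_HEX_LENGTHS:
        raise ValueError("hex_digits must be 10 or 26")
    return secrets.token_hex(hex_digits // 2).upper()


def rotation_due(last_changed: date, today: date, max_age_days: int = 7) -> bool:
    """True once the key is older than the weekly interval the tip recommends."""
    return (today - last_changed).days >= max_age_days


if __name__ == "__main__":
    # Constructed sample keys.
    for sample in ("1111111111", "0123456789", "ABABABABAB", generate_wep_key()):
        print(sample, wep_key_findings(sample) or "no findings")
```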

5. Use MAC Filtering for Access Control
Unlike IP addresses, MAC addresses are unique to specific network adapters, so by turning on MAC filtering you can limit network access to only your systems (or those you know about). In order to use MAC filtering you need to find (and enter into the router or AP) the 12-character MAC address of every system that will connect to the network, so it can be inconvenient to set up, especially if you have a lot of wireless clients or if your clients change a lot. MAC addresses can be “spoofed” (imitated) by a knowledgeable person, so while it’s not a guarantee of security, it does add another hurdle for potential intruders to jump.
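
Keeping a MAC filter list accurate is the tedious part of this tip. The added example below (not part of the original eBook) normalises the common ways a 12-character MAC address is written and reconciles an allowlist against the clients a router reports; all addresses are constructed, and the report field names are assumptions of this sketch.

```python
import re
from typing import Dict, Iterable, List, Optional


def normalize_mac(text: str) -> Optional[str]:
    """Return the 12 hex characters of a MAC address, or None if malformed."""
    hexchars = re.sub(r"[:.\-\s]", "", text).upper()
    return hexchars if re.fullmatch(r"[0-9A-F]{12}", hexchars) else None


def is_locally_administered(mac12: str) -> bool:
    """True when the address was assigned in software rather than by the vendor
    (bit 0x02 of the first octet), which is worth a second look on an allowlist."""
    return bool(int(mac12[:2], 16) & 0x02)


def audit_clients(allowlist: Iterable[str], seen: Iterable[str]) -> Dict[str, List[str]]:
    """Compare the filter list with the clients the router or AP has seen."""
    report: Dict[str, List[str]] = {
        "bad_allowlist_entries": [],   # typos that would never match a client
        "malformed_seen": [],
        "unknown": [],                 # seen on the air but not on the list
        "software_assigned": [],       # allowlisted, locally administered
        "stale": [],                   # allowlisted but never seen: prune
    }
    allowed: Dict[str, bool] = {}
    for entry in allowlist:
        mac = normalize_mac(entry)
        if mac is None:
            report["bad_allowlist_entries"].append(entry)
        else:
            allowed[mac] = False       # not seen yet
    for raw in seen:
        mac = normalize_mac(raw)
        if mac is None:
            report["malformed_seen"].append(raw)
        elif mac in allowed:
            allowed[mac] = True
        elif mac not in report["unknown"]:
            report["unknown"].append(mac)
    report["software_assigned"] = [m for m in allowed if is_locally_administered(m)]
    report["stale"] = [m for m, hit in allowed.items() if not hit]
    return report


if __name__ == "__main__":
    # Constructed sample data in three common notations.
    allowlist = ["00:1A:2B:3C:4D:5E", "00-1a-2b-3c-4d-5f", "021a.2b3c.4d60", "not-a-mac"]
    seen = ["001a.2b3c.4d5e", "00:1A:2B:3C:4D:99", "02:1A:2B:3C:4D:60", "zz"]
    for field, values in audit_clients(allowlist, seen).items():
        print(f"{field}: {values}")
```

A match on the list only shows that the address was presented, which is the spoofing caveat above.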

6. Reduce Your WLAN Transmitter Power
You won’t find this feature on all wireless routers and access points, but some allow you to lower the power of your WLAN transmitter and thus reduce the range of the signal. Although it’s usually impossible to fine-tune a signal so precisely that it won’t leak outside your home or business, with some trial-and-error you can often limit how far outside your premises the signal reaches, minimizing the opportunity for outsiders to access your WLAN.

7. Disable Remote Administration
Most WLAN routers have the ability to be remotely administered via the Internet. Ideally, you should use this feature only if it lets you define a specific IP address or limited range of addresses that will be able to access the router. Otherwise, almost anyone anywhere could potentially find and access your router. As a rule, unless you absolutely need this capability, it’s best to keep remote administration turned off. (It’s usually turned off by default, but it’s always a good idea to check.)
I
you’ve ever Googled “Wi-Fi security,” (or you’ve
been reading this eBook) you probably have the ba-
sics down: don’t use WEP, use WPA or WPA2; disable
SSID broadcasting; change deault settings. I you’relooking or more advanced security tips or your WLAN,
consider these the ollowing ve tips or bringing enter-
prise-level protection to even the smallest o networks.
1. Move to Enterprise EncryptionI you created a WPA or WPA2 encryption key o any type
and must enter it when connecting to the wireless network,
you are only using the Personal or Pre-shared key (PSK)
mode o Wi-Fi Protected Access (WPA). Business networks
— no matter how small or big — should be protected with
the Enterprise mode, which adds 802.1X/EAP authentica-tion to the wireless connection process. Instead o enter-
ing the encryption key on all the computers, users would
login with a username and password. The encryption keys
are derived securely in the back-
ground and are unique or each
user and session.
This method provides central
management and overall better
Wi-Fi security.
Instead of loading the encryption keys onto computers where
employees and other users can recover them, each user logs into
the network with their own account when using the Enterprise
mode. You can easily change or revoke access when needed. This
is especially useful when employees leave the company or
a laptop is stolen. If you’re using the Personal mode, you’d
have to manually change the encryption keys on all the
computers and access points (APs).
The special ingredient of the Enterprise mode is a RADIUS/AAA
server. This communicates with the APs on the network
and consults the user database. Consider using the
Internet Authentication Service (IAS) of Windows Server
2003 or the Network Policy Server (NPS) of Windows Server
2008. If you want to go vendor-neutral, try the popular
open source server, FreeRADIUS. If you find setting up an
authentication server requires more money and/or expertise
than you have, consider using an outsourced service.
2. Verify Physical Security
Wireless security isn’t all technical. You can have the best
Wi-Fi encryption, but have someone plugging into an Ethernet
port that’s in plain sight. Or someone could come by and
hold in the reset button of an access point, restoring it to factory
defaults and leaving your network wide open.
Make sure all your APs are well out of the reach of the public
and out of sight from employees too. Instead of sitting an AP on
a desk, mount it on the wall or ceiling — better yet, put them
above a false ceiling.
Five Advanced Wi-Fi Network Security Tips
By Eric Geier
You might consider mounting the APs out of sight and installing
external antennas where you’ll get the most signal.
This will let you confine the AP even more while taking
advantage of the increased range and performance of an
aftermarket or higher gain antenna.
APs aren’t the only piece of equipment to be worried
about. All networking components should be secured.
This even includes Ethernet cabling. Though it might be a
little farfetched to some, a determined hacker could cut an
Ethernet cable to tap into the line.
Along with mounting, you should keep track of the APs.
Create a spreadsheet logging the AP models used along
with the MAC and IP addresses, and note where the APs
are located. This way you know exactly where the APs
should be when performing inventory checks or when
tracking down a problem AP.
3. Set Up an Intrusion Detection/Prevention System (IDS/IPS)
These systems usually consist of a software program that
uses your wireless adapter to sniff the Wi-Fi signals for
problems. They detect rogue APs, whether a new AP is
introduced to the network or an existing one is reset to defaults
or doesn’t match a set of standards you’ve defined.
These systems also analyze the network packets to see if
someone might be using a hacking or jamming technique.
There are many different intrusion detection and prevention
systems out there that use a variety of techniques.
Open source or free options include Kismet and Snort.
Commercial products are also available from vendors,
such as AirMagnet, AirDefense, and AirTight.
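The AP spreadsheet from tip 2 and the rogue-AP checks described in tip 3 can be combined in a short audit script. The Python below is an added example, not code from the eBook or from any of the products named: the CSV column names, the SSID "CorpNet", the finding labels and all addresses are constructed, and the survey rows stand in for whatever your scanning tool exports.

```python
import csv
import io

# Constructed inventory, in the shape of the AP spreadsheet described above.
INVENTORY_CSV = """model,mac,ip,location,ssid,security
ExampleAP-100,00:11:22:33:44:01,192.0.2.11,2nd floor ceiling,CorpNet,WPA2-Enterprise
ExampleAP-100,00:11:22:33:44:02,192.0.2.12,Lobby ceiling,CorpNet,WPA2-Enterprise
ExampleAP-200,00:11:22:33:44:03,192.0.2.13,Warehouse wall,CorpNet,WPA2-Enterprise
"""

# Constructed survey results: (BSSID, SSID, security) per AP heard over the air.
OBSERVED = [
    ("00:11:22:33:44:01", "CorpNet", "WPA2-Enterprise"),  # matches inventory
    ("00-11-22-33-44-02", "default", "Open"),             # listed AP reset to defaults
    ("02:AA:BB:CC:DD:EE", "CorpNet", "WPA2-Personal"),    # unlisted AP using our SSID
    ("02:AA:BB:CC:DD:FF", "CoffeeShop", "Open"),          # unlisted, unrelated SSID
]

def norm_mac(mac):
    """Normalise MAC notation so 00-11-.. and 00:11:.. compare equal."""
    return mac.strip().lower().replace("-", ":")

def load_inventory(text):
    """Index inventory rows by normalised MAC address."""
    return {norm_mac(row["mac"]): row for row in csv.DictReader(io.StringIO(text))}

def audit(inventory, observed):
    """Return sorted (mac, finding, detail) tuples for every deviation."""
    corp_ssids = {row["ssid"] for row in inventory.values()}
    findings, seen = [], set()
    for bssid, ssid, security in observed:
        mac = norm_mac(bssid)
        seen.add(mac)
        row = inventory.get(mac)
        if row is None:
            # Not in the spreadsheet: impersonating our SSID is the urgent case.
            kind = "ROGUE" if ssid in corp_ssids else "UNLISTED"
            findings.append((mac, kind, f"{ssid}/{security}"))
        elif (ssid, security) != (row["ssid"], row["security"]):
            findings.append((mac, "DRIFT", f"{row['location']}: saw {ssid}/{security}"))
    for mac in set(inventory) - seen:
        # Listed but silent: powered off, moved, or removed.
        findings.append((mac, "MISSING", inventory[mac]["location"]))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(load_inventory(INVENTORY_CSV), OBSERVED):
        print(*finding, sep="  ")
```

An UNLISTED result still needs a person to decide whether it is a neighbour's AP or an unauthorized one plugged into your own network, since an over-the-air survey alone cannot tell the two apart.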
4. Create Wireless Usage Policies
Along with other general computer usage guidelines, you
should have a specific set of policies for Wi-Fi access that
should at least include the following items:
• List devices authorized to access the wireless network: It’s
best to deny all devices and explicitly allow each desired device
by using MAC address filtering on the network router. Though
MAC addresses can be spoofed, this provides reasonable control
of which devices employees are using on the network. A
hard copy of all approved devices and their details should be
kept to compare against when monitoring the network and for
inputting into intrusion detection systems.
• List of personnel authorized with Wi-Fi access to the network:
This could be regulated when using 802.1X authentication
(WPA/WPA2-Enterprise) by only creating accounts in the
RADIUS server for those who need Wi-Fi access. If 802.1X
authentication is also being used on the wired side, you should be
able to specify whether users receive wired and/or wireless access
by modifying the Active Directory or using authorization
policies on the RADIUS server itself.
• Rules on setting up wireless routers or APs: For example,
that only the IT department can set up more APs, so employees
don’t just plug in an AP from home to extend the signal. An
internal rule for the IT department might cover defining acceptable
equipment models and configuration.
• Rules on using Wi-Fi hotspots or connecting to home networks
with company devices: Since the data on a device or
laptop can be compromised and the Internet activity be monitored
on unsecured wireless networks, you may want to limit
Wi-Fi connections to only the company network. This could be
controlled by imposing network filters with the Network Shell
(netsh) utility in Windows. Alternatively, you could require a
VPN connection back to the company network to at least protect
the Internet activity and to remotely access files.
5. Use SSL or IPsec on Top of Wi-Fi Encryption
Though you might be using the latest and greatest Wi-Fi
encryption (on Layer 2 of the OSI model), consider implementing
another encryption mechanism, such as IPSec
(on Layer 3 of the OSI model). In addition to providing
double encryption on the wireless side, it can secure the
wired communication too. This would prevent eavesdropping
from employees or outsiders tapping into an Ethernet
port.