Steps to Proactive Network Security
by Gary S. Miliefsky, CISSP

Beyond the daily barrage of hackers, new viruses and worms, and the frequent risk of downtime lies an opportunity: to step away from the noise for a moment and take steps to build a more proactive network security model for your organization. Countermeasures like firewalls or anti-anything tools (anti-virus, anti-spam, anti-spyware, etc.) are all reactive security tools. They are necessary countermeasures and part of a comprehensive security system, but you must also take action, be proactive, to ensure the highest level of network security. Daily vigilance is crucial.

Before you pursue proactive network security, you need to understand the four commonly cited pillars of network security: firewalls, virtual private networks (VPNs), anti-virus software, and intrusion detection systems (IDS). Firewalls inspect packets and attempt to block bad ones, but they cannot recognize an attack, or they may block legitimate access. VPNs create secure tunnels between insecure computers, but they don't protect network assets. Anti-virus has its role and, vital as it is, cannot close the vulnerabilities that would prevent an attack. Finally, intrusion detection systems are purely reactive, dealing with an attack after it has occurred.

Proactive network security is the act of managing these countermeasures, so that you get the most performance from them. A more effective firewall is going to block the right traffic. A more effective anti-virus program is going to have less work to do, because viruses will have fewer opportunities to attack your systems. The IDS will become a backup system, rarely forced to sound an alarm that someone has actually gotten past your secure threshold.

The goal of proactive security is to prevent the attack. It just makes more sense to lock the doors and keep intruders out than to solve the problems after intruders have already broken in. You wouldn't leave your house unlocked, so why leave your network unlocked?

Develop a Security Policy
Good network security always starts with a living security policy. Even if it is one page, it should be an outline of security practices that every executive in the organization agrees to live by. Basic rules should include guidelines for everything from user access and passwords to business continuity planning and disaster recovery planning (BCP and DRP). For example, you should have policies in place for backing up financials and confidential customer records, as well as mirroring systems to be better prepared, proactively, in the event of a disaster. In some cases, your BCP and DRP may even require a "cold" or "warm" site where you can quickly relocate your staff to continue operations after a disaster or terrorist attack. Implementing a corporate security policy is the first step in achieving proactive network security.

Lock Down Mobile Devices
Among the growing threats to security are laptops and other mobile devices. They need and deserve legitimate access to your network, but they often pose a threat to that network because of the very characteristic that gives them value -- their mobility, which lets them plug into other networks where they can be exposed to threats. Wireless devices fall into the same category as laptops.

According to Forrester Research, there will be 35 million remote users by 2005 and 15 billion devices on the Internet by 2010. You don't have to be a mathematician to see that the numbers indicate the existence of multitudes of possible interconnection paths, increasing the magnitude of a potential attack. And every system is potentially susceptible to access by unauthorized individuals.

You need to lock down your network by having a mobile-use policy in place and using systems that quickly determine when mobile devices have plugged in. These devices can then be audited for violations of the security policy and known vulnerabilities as soon as possible.

Reduce Violations of Security Policy
A lack of anti-virus software, no firewall, installed peer-to-peer programs (such as KaZaA, Napster, or Gnutella), and instant messaging are all capable of creating security holes. You need to install anti-virus, turn on the built-in firewall in Windows XP or purchase and install a commercial-grade desktop firewall, and be sure to remove peer-to-peer programs and instant messaging software.
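As an added example (not code from the article), the following PowerShell script checks a desktop against the three policy items above: an anti-virus product registered with Windows, the built-in firewall enabled, and no peer-to-peer or instant-messaging software installed. It assumes Windows 8 or later with PowerShell 3.0 or later (`Get-NetFirewallProfile` and the `root\SecurityCenter2` namespace are not available on Windows XP); the list of prohibited product names is a constructed sample to adapt to your own policy.

```powershell
# Added example, not from the article: audit one Windows host against the desktop
# security policy items described above. Assumes Windows 8+ / PowerShell 3.0+.
# Constructed sample list of prohibited software; match is a case-insensitive substring.
$prohibited = 'kazaa', 'napster', 'gnutella', 'limewire', 'bittorrent', 'utorrent', 'icq', 'messenger'

function Get-InstalledSoftware {
    # The same product list Add/Remove Programs shows, from the 64-bit, 32-bit and per-user hives.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, Publisher
}

function Test-SecurityPolicy {
    $findings = @()

    # 1. Anti-virus: Windows Security Center lists every registered AV product here.
    $av = Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName AntiVirusProduct `
                          -ErrorAction SilentlyContinue
    if (-not $av) { $findings += 'No anti-virus product registered with Windows Security Center' }

    # 2. Built-in firewall: must be enabled for every network profile, not just one.
    foreach ($profile in Get-NetFirewallProfile | Where-Object { -not $_.Enabled }) {
        $findings += "Windows Firewall is disabled for the $($profile.Name) profile"
    }

    # 3. Peer-to-peer and instant-messaging software the policy forbids.
    foreach ($app in Get-InstalledSoftware) {
        foreach ($pattern in $prohibited) {
            if ($app.DisplayName -like "*$pattern*") {
                $findings += "Prohibited software installed: $($app.DisplayName) ($($app.Publisher))"
                break
            }
        }
    }
    $findings
}

$violations = Test-SecurityPolicy
if ($violations) { $violations | ForEach-Object { Write-Warning $_ } }
else { 'Host complies with the desktop security policy.' }
```

Run it elevated so the machine-wide hives and the firewall profiles are readable; a non-empty list of warnings is the violation report for that host.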

Close Known Vulnerabilities
Known weaknesses in systems are called Common Vulnerabilities and Exposures (CVEs), compiled and documented by the MITRE organization. These vulnerabilities should be eliminated from every system on your network by applying patches or taking other actions, as required, detailed at the cve.mitre.org web site.

Turn on Wireless Encryption
Wireless encryption (WEP) should be turned on and set at the highest level. Administrative usernames and passwords need to be changed immediately and frequently. Even this may not be enough, however, to stop hackers and cyberhijackers from breaking into your physical LAN through the wireless router. The reason is that there are specific CVEs in most wireless routers that have not yet been fixed. Good hackers can download free tools to take advantage of these weak spots and break through your security.

Patch Your Wireless Router, Use Its Firewall
Another strong recommendation would be to get the latest patch or firmware upgrade for your wireless router and, if you can buy one that comes with a built-in firewall, learn how to use it and properly configure it. You can also limit the number of users allowed in through your wireless router at any time. If you have only a few employees, why leave it set at the default (which might be unlimited)? Set it to as low a number as possible so that only your staff has access.

Keep Up with the Latest Threats
According to the Computer Security Institute (CSI), the results of the 2002 CSI/FBI Computer Crime and Security Survey indicate that "the threat from computer crime and other information security breaches continues unabated and the financial toll is mounting." You need to keep up with the latest threats to networks to keep your company safe. They are posted in many places on the web, starting with www.us-cert.gov and www.sans.org.

Work with Your Firewall
Although firewalls are not going to implement proactive security for you, they can certainly be employed in the best ways possible to do their part. You should have intelligent firewall rules that help close traffic to potentially vulnerable ports. For instance, Port 1045 was (and still is) used by the SASSER worm, so you should be sure to have a firewall rule that closes traffic to that port on all systems. It also needs to be a dynamic rule that closes traffic to that port on laptops and wireless devices when they plug in.

Disable Potentially Exploitable Objects
Remove Browser Helper Objects (BHOs). A BHO is a DLL that allows developers to customize and control Internet Explorer. When IE 4.x or higher starts, it reads the registry to locate installed BHOs and then creates them. Created BHOs then have access to all the events and properties of that browsing session. The APIs for building BHOs give developers almost complete control over Internet Explorer. Applications that install BHOs are becoming more and more popular because of the controls they give developers.

For example, Alexa uses a BHO to monitor page navigation and show related page links. GetRight and Go!Zilla use BHOs to monitor and control file downloading. Flyswat, Quiver, Blink and Harvest also use BHOs. BHOs don't require a user interface, although many install Internet Explorer toolbars.

I'm sure you can see the potential threat in a BHO. It's possible that there are BHOs installed on your system that you don't know about. They may not need your permission to be installed and they can be used for malicious purposes, such as gathering information on your surfing habits.

A lot of spyware and BHOs are written quickly and poorly. This can cause anything from incompatibility issues to corruption of important system functions, making them not only a threat to your security, but to your systems' stability as well.

Since programmers of spyware applications obviously do not care about you or your system (other than as a source of marketing information), they do not error check most of their products. Some companies go out of their way to hide the presence of the BHOs that they install. They go so far as to find ways around the most popular detection tools by changing their product regularly enough to avoid detection until the next version of the detection software comes out.

To see all BHOs you have installed on your machine right now, you can install BHODemon from Definitive Solutions. BHODemon will tell you about any BHO installed and allow you to disable it and re-enable it if you wish. Best of all, BHODemon is free. It's received rave reviews, and you'll be surprised what it finds installed in your browser. (http://www.definitivesolutions.com/)

Due to the high demand for BHODemon, they are currently unable to completely maintain their website, so I'd recommend downloading the latest version at PCWorld by following this link: http://pcworld.com/downloads/file_description/0,fid,23611,00.asp

Also, you should disable the ADODB Stream Object -- the engine that allows BHOs to work with Internet Explorer -- to stop BHOs from being able to write files, run programs, and take virtually any action on your host. Visit http://support.microsoft.com/default.aspx?kbid=870669
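As an added example (not code from the article or from BHODemon), this PowerShell script performs the inventory step the section describes: it reads the same BHO registration keys Internet Explorer consults at start-up, resolves each CLSID to the DLL that will be mapped into the browser, and flags DLLs that are unsigned, missing, or sitting in user-writable folders. The registry paths are the documented BHO and CLSID registration locations; the `Suspicious` heuristic is my own assumption, and the script assumes PowerShell 3.0 or later.

```powershell
# Added example, not the article's or BHODemon's code: list the BHOs Internet Explorer
# will load and where their DLLs live. Run elevated so both hives are readable.
# The Wow6432Node pair covers 32-bit IE on 64-bit Windows.
$registrations = @(
    @{ Bho   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Clsid = 'Registry::HKEY_CLASSES_ROOT\CLSID' },
    @{ Bho   = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Clsid = 'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID' }
)

function Get-RegDefault([string]$Path) {
    # Default (unnamed) value of a registry key, or $null when the key does not exist.
    if (Test-Path -LiteralPath $Path) { (Get-ItemProperty -LiteralPath $Path).'(default)' }
}

function Get-InstalledBho {
    foreach ($r in $registrations) {
        if (-not (Test-Path -LiteralPath $r.Bho)) { continue }
        foreach ($sub in Get-ChildItem -LiteralPath $r.Bho) {
            $clsid    = $sub.PSChildName                  # each subkey is named by the BHO's CLSID
            $classKey = Join-Path $r.Clsid $clsid         # COM registration for that CLSID
            # InprocServer32's default value is the DLL COM loads into iexplore.exe.
            $dll = Get-RegDefault (Join-Path $classKey 'InprocServer32')
            if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"')) }
            $sig = if ($dll -and (Test-Path -LiteralPath $dll)) {
                (Get-AuthenticodeSignature -FilePath $dll).Status
            } else { 'FileMissing' }
            # Heuristic (assumption): unsigned DLLs, or DLLs dropped into user-writable
            # folders, are how hastily written spyware BHOs usually get installed.
            $suspicious = ($sig -ne 'Valid') -or ($dll -match '\\(Temp|AppData|Downloads)\\')
            [pscustomobject]@{
                CLSID      = $clsid
                Name       = Get-RegDefault $classKey
                Dll        = $dll
                Signature  = $sig
                Suspicious = $suspicious
            }
        }
    }
}

Get-InstalledBho | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Anything flagged `Suspicious` is a candidate to research and, if unwanted, to disable with BHODemon as described above.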

Download/Install Free Commercial Grade Security Tools
Although the tool is limited in scope, Microsoft offers a free baseline security analyzer. It helps with some of the critical flaws -- the vulnerabilities in Windows computers -- and you can run Windows Update (http://windowsupdate.microsoft.com) frequently on your laptop to ensure you have the latest security fixes. Some of the patches from Microsoft will open new vulnerabilities, so you need to watch for news about this.

Other types of free tools that can help keep your network secure and some sites to download them from are detailed below:

Policy Templates -- One of the most respected security organizations in the world produces some policy templates to get you started on your own policy: http://www.sans.org/resources/policies/

Anti-Virus Scanning -- Two public companies with solid products offer free anti-virus tools:
http://housecall.trendmicro.com/ (Trend Micro HouseCall)
http://us.mcafee.com/root/mfs/default.asp (McAfee FreeScan)

Microsoft Patch and Update -- This site includes links to Windows Update Service (WUS) and the Microsoft Baseline Security Analyzer (MBSA): http://www.microsoft.com/technet/security/tools/default.mspx

Anti-Spyware -- Spyware is software that collects personal information from you without first letting you know what it's doing and without letting you decide whether this is acceptable. It can collect information on the Web sites you visit and possibly sensitive information like usernames and passwords. You might be the target of spyware if you download music from file-sharing programs, free games from sites you don't trust, or other software programs from an unknown source.

Ad-Aware 6.0 -- Spyware is often associated with software that displays advertisements, called adware. Some advertisers may covertly install adware on your system and generate a stream of unsolicited advertisements that can clutter your desktop and affect your productivity. The advertisements may also contain pornographic or other material that you might find inappropriate. The extra processing required to track you or to display advertisements can tax your computer and hurt your system performance. Ad-Aware helps find and remove adware and is free for home use: http://lavasoft.element5.com/software/adaware/

Pestscan -- Pestscan is a web-based anti-spyware system that looks for similar issues to those Ad-Aware uncovers. However, to remediate, you'll need to purchase PestPatrol. http://www.pestscan.com

Personal Firewalls -- Some places on the web to get free firewalls to install:
http://www.zonealarm.com/store/content/company/products/znalm/freeDownload.jsp?lid=selector_za (free version of ZoneAlarm)
http://www.kerio.com/us/kpf_home.html (Kerio Personal Firewall, free for home use)
http://www.my-etrust.com/microsoft/ (CA and Microsoft, free for 1 year)

Anti-Spam -- Spam is annoying, time-consuming, and sometimes offensive. But you don't have to be plagued by unsolicited e-mail. Get tips for "hiding" your address from spammers, blocking junk mail before it gets to you, and reporting spammers to the proper authorities at:
http://www.ordb.org
http://www.eliminatespam.com
http://spamassassin.apache.org/ (more complex server-based solution)

Wireless Security -- Make sure you don't have rogue wireless devices roaming around your network. There are free tools to look for wireless devices and test to see if WEP encryption is enabled. This is a good way to make sure the wireless devices that you want to use on your network are set up with WEP properly so that the data being transferred over the airwaves is encrypted and safe from prying eyes.

NetStumbler displays wireless access points, SSIDs, channels, whether WEP encryption is enabled, and signal strength. NetStumbler can connect with GPS technology to accurately log the precise location of access points.

MiniStumbler is a smaller version of NetStumbler designed to work on PocketPC 3.0 and PocketPC 2002 platforms. It provides support for ARM, MIPS and SH3 CPU types.

Download NetStumbler and MiniStumbler at: http://www.netstumbler.com/downloads/

WEPCrack -- WEPCrack was the first of the WEP encryption cracking utilities. Download it from here: http://www.zone-h.org/en/download/category=72/

You can use it to see how strong the encryption is on your wireless router.

In summary, proactive network security starts with good security policies. Next, you should take action and implement these policies. Finally, because business and networks are dynamic in nature and ever changing, you need to be one step ahead of the hackers, worms, malicious insiders and cyberterrorists that are lurking around every corner of cyberspace. To do this, you must proactively enforce and update your policies, then make sure you have the proper countermeasures installed and running to thwart their every attempt. You will never be 100 percent secure, but you will be standing on solid ground.

Gary S. Miliefsky (CISSP) is President and CEO of PredatorWatch Inc. (http://www.predatorwatch.com).


© IMPIRE Communications, LLC All Rights Reserved.  Website designed & managed by Oculus Networks