In this excerpt from Maximum Security: A Hacker's Guide to Protecting Your Computer Systems and Networks (SAMS Publishing), contributor Gregg Vaughn outlines steps IT administrators can take to bolster their organizations' internal security.
You'll want to establish clear, written policies in partnership with your organization's management team. This partnership can't be emphasized enough -- a policy without teeth might as well never have been written. You'll want to:
Establish good physical security for all infrastructure-no matter how insignificant a piece of infrastructure might seem.
Get management to build some level of concern for network security into the hiring process.
Explicitly forbid bypassing security checkpoints (such as firewalls, remote access servers, and so on) in your AUP [Acceptable Use Policy].
Establish desktop management policies as they relate to virus/Trojan protection and levels of workstation lockdown.
Encourage small teams of administrators to collaborate. If there's more than one administrator watching the henhouse, it's less attractive to the fox.
Employ intrusion detection systems (IDSs), being careful to employ those that can handle high-bandwidth internal networks.
Audit your systems and procedures periodically.
- Maintain current levels of operating systems and applications -- vendors usually patch script kiddie exploits rather quickly.
Physical Security
It's actually pretty easy to practice due diligence with physical security. You've just got to be meticulous and consistent, and take it seriously. Pretend that someone could burglarize you personally if you're not careful. It might help to pretend that you live in New York.
In all seriousness, physical security is where the battle can easily be lost -- although it can't be totally won with just physical safeguards. Little things like the capability to reboot a server from a floppy, or finding an unused username on a printout -- or even finding a tape with a copy of a security database on it -- make an intruder's job easier. Let's make it hard.
Here are some "dos" and "don'ts" that will make your job a little easier, an intruder's life a little harder, and your data a little more secure:
DO lock every wiring closet-and keep them locked.
DO use switches rather than hubs, especially for LAN segments that have administrative users on them. (They still must be physically secure to ensure that someone can't access the switch and packet sniff via port mirroring.) The price differential between hubs and switches has come down dramatically in recent years.
DO change locks or door passcodes, and passwords to any shared accounts immediately when employees leave.
DO erase hard drives, flash, and so on, when you take them out of service. Nobody's going to remember to do it before the surplus auction, and all sorts of passwords and/or sensitive data might be on them.
DO write nonsense data to magnetic media when you are erasing it. Dropping a partition table is NOT good enough. (Degaussing is okay, though.)
DO use a paper shredder. Don't laugh. Dumpster diving is more common than you think.
DO lock your server cabinets when you're not using them.
DO restrict or forbid the use of modems on desktops; they are the number one method of bypassing your organization's security checkpoints.
DO make sure that any "road" laptop or PDA has appropriate data protection software and hardware installed before deployment.
DO consider whether user access to floppy disks or other removable media makes sense for your environment; they constitute a possible bypass of your security checkpoints.
DO consider the use of smart cards/token-based security devices rather than passwords for administrative users or sensitive systems. Many operating systems now support token-based authentication in addition to passwords.
DO remember that your phone PBXs must also be secured.
DON'T send off-site backups to unsecured locations.
DON'T give keys to vendors. Let them in to do their work, and then politely wave bye-bye when they leave.
DON'T allow anyone other than key personnel ad hoc access to the data center.
DON'T share wire closets with user-oriented peripherals such as printers.
DON'T put servers into unsecured areas.
DON'T leave server keys attached to the back of a server. Believe it or not, other people will think of this, too.
DON'T let cleaning people -- or other untrusted service people -- into secured areas without an escort.
DON'T store any sensitive data on user hard drives -- if you must, think about hard drive encryption products.
DON'T discuss passwords or other sensitive information over unsecured channels such as cell phones, cordless phones, 800MHz radios, or instant messaging.
- DON'T put consoles, keypads, or administrative workstations near windows.
The Hiring Process
Naturally, J. Random Hacker isn't going to show up and reveal his otherworldly activities at a job interview. And even doing background checks can turn into nothing more than lip service, depending upon who's doing the checks -- and whether the individual has been caught in the past.
Still, there are things you can do to minimize your risks during the employment process. Start out by doing a "due diligence" background check -- particularly for employees that will be involved in any level of IT. Do your homework and use a reputable agency to do your background checks -- as with anything else in computing, "garbage in, garbage out." If you are using an internal HR check or some other check that you don't get invoiced for, communication is the key. Don't assume that silence from your background check folks means "Everything is OK." Lack of "NACK" (Negative ACKnowledgement) does not mean "ACK." It might simply mean that your request form got thrown out with lunch's pizza box. See http://www.nwc.com/1201/1201colfeldman.html for more discussion of the hiring process.
After you've worked with management to establish an Acceptable Use Policy, your next step is to work with HR to integrate it as part of the employment process for any employee. You want it integrated for two reasons: First, because it sends a message, and might dissuade an employee from snooping or fiddling where she doesn't belong. Second, if termination or disciplinary action is necessary because of AUP violation, it's definitely a lot easier to do if you have an "I-have-read-and-understood-this" AUP to back you up.
Establishing Desktop Lockdown
Lockdown, in the desktop management context, means that you've managed to apply the straps to your users in such a way that they can't hurt themselves -- or your network. In the best case, this is done in such a way that the users don't feel constricted or stifled. Having a heart-to-heart with management about the level of lockdown can only be a good thing. Users get extremely irrational about losing any amount of autonomy, and you will definitely want management to buy into any lockdown that you need to enact.
It should be pointed out that desktop management -- any desktop management -- that resides on a local workstation can be bypassed by a clever user, unless there is serious physical security in place (no floppies, an "unpickable" case lock, and so forth). This, of course, is the type of security that you must have if you have public information terminals, kiosks, and so on. The point is that any workstation that isn't physically secured can usually be booted from alternative media, and then the local OS can be modified to a malicious user's heart's content.
Still, desktop management and lockdown for nonpublic users are important due diligence measures, and definitely should not be skipped. The important thing here is to prevent either well-meaning or scofflaw users from hurting themselves and others. Defeating a truly noncasual and malicious user isn't the primary purpose of desktop management.
Tip
As far as manual procedures go, you can see some sample system lockdown checklists at http://www.nswc.navy.mil/ISSEC/Form/index.html.
Virus protection, of course, is a mandatory component to desktop management. Virus protection is (or should be) such second nature to today's IT staff that we mention it here simply to ask one question: Can the user turn off virus protection?
Some virus protection suites let the user do this; others password-protect the entire control panel. You should certainly password-protect the control panel if possible, but you should also enact desktop management policies that check and re-install virus protection if the workstation's otherwise permissive operating system allows its removal.
Good desktop management tools enable you to not only "force" certain applications, but they can also