These problems are relatively easy to mitigate with a content-inspecting firewall or proxy server. Configure your firewall or proxy to strip ActiveX, Java, and executable attachments including those embedded in zip files. This will prevent users from accidentally downloading dangerous content. Avoid using services that rely on these inherently unsafe practices in order to operate. The automatic password problem is a lot more sinister. Microsoft Internet Explorer will automatically transmit your network account name and a hash of your password to any server that is configured to require Windows Challenge and Response as its authentication method. This hash can be decrypted to reveal your actual network password. Be sure to configure Internet Explorers security settings to prevent this, or use Netscape Navigator instead of Internet Explorer to decouple the web browser from the operating system. Implementing Security Policy Once youve completed your security policy document, its time to translate it from human readable form into the various configurations that will actually implement the policy. Implementation varies from one system to the next. A policy of Strip e-mail attachments on all mail servers is implemented far differently in UNIX Sendmail, Microsoft Exchange, or Lotus Notes. Your policies should not be written specifically to certain systems; they should be general statements that apply to any system that performs the specified function. Implementation occurs when a security policy is applied to a specific system. But nothing in your policy will help you select which systems to use to implement the policy. A requirement that Permissions can be used to block access to certain documents does not stipulate Windows 2000, UNIX, or the Mac OS X systems-they can all perform this function. It does eliminate the choice of Windows 98, MS-DOS, or the original Mac OS, because they have no true permissions infrastructure. In order to select systems that match your security policy requirements, make a complete list of possible systems and eliminate those systems that cannot implement your security requirements. Select the systems that can implement your security requirements most easily from the remaining candidates. Of course, this only works in the theoretical world where security requirements are defined before systems are built, rather than after hackers exploit systems in a major way and reveal the lack of security. When you are retrofitting security policy, be prepared for the fact that some of your systems and software may have to be replaced in order to achieve real security. Applying Automated Policy The method youll use to apply automated policy differs for each system in your network. On firewalls, youll use a web browser or an enterprise manager application. In Windows 2000, youll modify group policy objects in the Active Directory. In Linux, youll directly edit text files in the etc directory. You may change the startup type of a service or remove operating system components that provide unnecessary services. You may block certain port ranges on your firewall, or allow only approved outbound connections. There is no standardized way to apply an automated policy. A few attempts have been made at automating policy by various vendors, but the lack of consensus and protocol keeps that from happening. So what is a security administrator to do? Thats the hard part. You have to individually learn and understand the security interface for each type of system in your network. Typically, this will mean understanding the interface for every operating system in use in your network and each security-related device. This is the major reason why consolidating on a single operating system is a good idea. Most modern operating systems have graphical user interfaces that combine security configuration management into some sort of unified view. In Windows 2000, this is called the group policy manager. In most firewalls, its either a web-based user interface or a program that runs on an administrators computer. The remainder of this book contains details for applying automated policy, but for the most part, the technical manuals for your various systems will teach you how to apply their specific security policies. Human Security After everything that can be automated has been automated, humans must implement any parts of the security policy that are left over. They are therefore an integral and necessary component of computer security. People are the most likely breach in any security environment, including secure networks. Most breaches are completely accidental; few people actually set out to sabotage network security. In fact, most people never find out that theyve compromised the networks security. Hackers routinely exploit weaknesses in network security caused by this lack of awareness among users. For example, humans select memorable passwords by nature, and then write them down on post-it notes so they dont forget them. Employees are sometimes enticed to provide information for favors, money, or higher paying jobs. Traveling sales people can leave your office and head for the office of your competition with interesting tidbits of information to trade. Of course it is not the intent of this chapter to leave you feeling that your co-workers and business associates cannot be trusted. The vast majority of them can, but it takes only one individual in your entire organization with access to your network to compromise its security. Unfortunately, this means that security restrictions must be applied to everyone because you dont know who is going to slip up in the future. People cause security problems because they: Dont understand security. Security is not an instinct-it must be taught. You cannot simply tell people to choose strong passwords and expect to have an impenetrable fortress. You must teach security to every person who participates in a secure environment. Underestimate the threat. Many people simply dont believe that much of a problem really exists. Theyve never met or known anyone affected by a hacker, and theyve never seen a disgruntled worker cause serious problems. For them, security is an abstraction that simply isnt all that important. As a security manager, your job is to explain the threat clearly. This is getting easier, as most people have been affected by a computer virus at least once. Fail to make security a work habit. Many people simply dont change easily. They have old habits-and old passwords. Habitual security is hard to force, so make it as simple for users as possible by implementing automated policies that dont rely on people to remember security; have the policies be enforced by the network and by the work environment. Forget about security outside the work environment. Many people leave their work at work-and their security habits too. They may take an employee list home and throw it in their trash. They may brag to a recent acquaintance about the importance of their job. They may write down their password on a sticky note and leave it in their daytimer. These sorts of problems can only be dealt with by reminding people to leave work completely at work-dont talk about it except in vague references and dont transfer company materials between work and home. Remind them never to re-use their work password or account name on other systems, like membership websites. Passively resist security measures. Many people see security as an abridgement of their personal liberty and freedoms or as an indication that they are not trusted. Remind them that they are free to live their lives as they please when they are not at work, but that as an employee they have a responsibility to safeguard the companys proprietary information. Explain that security policies by nature must deal with the lowest common denominator of trust, and that security should not be viewed as an insult to any single individual. Human security is problematic because it is the only aspect of total network security not directly controlled by the information system staff. Unlike computers, your co-workers cannot simply be programmed with a strong security policy and let run. They must be taught, reminded, and encouraged. Security managers are often given the responsibility to enforce security policy without being given the authority to enforce security on end users. You probably wont be able to fire anyone for a major security breach, you cant dock his or her pay, and you may not even be able to write an administrative letter of reprimand. Without some form of force, the concept enforcement is meaningless. Fortunately, humans are gregarious creatures and respond well to group opinion. This means that for serious security breaches, you can use publicity both to embarrass the people at fault and to teach everyone else what not to do. Publicize security failures within the company as part of a lessons learned document, usually in the form of an e-mail message to everyone in the company. Whether or not you identify people by name is up to you and probably depends largely on company policy and the severity of the breach and even if you dont name them, the buzz around the water cooler will. Each lesson learned should be appended to your security policy for further analysis so these breaches can be prevented in the future. lessons learned A documented failure analysis that is disseminated to system users in order to prevent the same failure from recurring. Teaching Security Principles The best way to avoid security lapses due to human activity is to teach proactive security and to get every user to commit to taking security seriously. Teaching security is not that difficult. Set up security seminars for groups of employees that are small enough to be interactive-up to about 25 at a time in my experience-and simply go through the computer acceptable use policy item by item. Lets face it: e-mailing a link to CAUP.DOC to every user in your system will encourage exactly nobody to actually read it. By holding a seminar, you will simply be reading it to them, with a darkened room, a projector, and donuts to mesmerize them into listening. But youll also have the opportunity to explain why the policies are important and which threats the company is worried about. You can provide anecdotes about hacker break-ins, what happened at companies that didnt implement policy, and so forth. Understanding policy is the key to gaining the all-important buy-in, or the acceptance of a personal responsibility to implement security policy. Without buy-in, users are likely to at best ignore and at worst circumvent an acceptable use policy. At the end of the security training, present each user with a certificate of completioncontract that lets them agree in writing to abide by the companys acceptable use policy. By requiring their signature on a security contract, you will let users know exactly how serious security is to the organization. Users should go through the security training seminar when they are hired and once per year thereafter, so they can learn about new threats, ask questions about restrictions theyve run into, and otherwise stay in the security loop. Updating the Security Policy So, youve outlined your security requirements, derived a security policy, refined elements of policy, separated them into human security and automated policy, created an acceptable use policy, read it to the end-users, and applied the security settings required by policy for all of your systems. Now youre done, right? Wrong. Now you start over. Security administration is a perpetual cycle because new threats appear all the time. Every time you integrate a new device into your network, you need to consider its security ramifications and update your security policy. In short, youre never done. The Security Cycle Security administration is work that must be continually performed to keep a system as free from the loss or compromise of company data as is practicable. As a security administrator, it is your job to determine which security measures need to be taken and if those security measures have been properly executed. Although the task is daunting, it can be broken down into discreet steps that can be methodically executed. The cycle of security administration is as follows: • Identify potential vulnerabilities. • Evaluate vulnerabilities to determine how they can be effectively nullified. • Determine which of the identified countermeasures you can effectively employ against the vulnerabilities. • Employ countermeasures. • Test countermeasures for effectiveness by simulating an attack. • Monitor server logs and firewalls for evidence of security breaches. • Investigate any indications of a breach to determine the breach progression and identify new potential vulnerabilities. • Study public security sources for news of newly discovered security vulnerabilities. • Repeat the cycle of security administration. The cyclical nature of security cannot be stressed enough. Unlike a vault, which is static through time and suffers from only a few well-known vulnerabilities, computer networks are not static-they change constantly. Every new addition, be it software or hardware, must be evaluated in the context of security to determine if it will add a new vulnerability to the system. The methods used by hackers to gain access to a system must be continually researched, and system software must be updated as new security fixes are released. Network security is like walking against a treadmill-you have to keep moving just to stay in place because as time goes by, new vectors of attack will be discovered and your network will become less secure without any changes at all on your part. Review Questions 1. What is the purpose of a security policy? 2. What is the first step in developing a security policy? 3. Why is it important to automate security policies as much as possible? 4. Why is an appropriate use policy important? 5. How often should users be required to change their passwords? 6. What is the minimum length of a password that could be considered to be strong in the context of todays computing power?

7. Why is the inconvenient policy of enforcing a password lockout after a few

incorrect attempts important? 8. Why are execution environments dangerous? 9. Which is more secure: ActiveX or Java? 10. Why doesnt a digital signature mean that an ActiveX control is secure? Answers

1. A security policy describes security rules for your computer systems and defends against

all known threats.

2. The first step in establishing a security policy is to establish functional requirements,

features, and security requirements.

3. Automated security policies avoid the weakness of having to be enforced by humans.

4. An appropriate use policy allows users to understand their security responsibilities.

5. Users should not be required to change passwords often; rather, they should select

extremely strong passwords which can be relied upon for much longer periods of time than simple passwords. 6. 8 characters should be the minimum length of a password in todays environment.

7. Enforcing password lockout after failed attempts prevents automated password guessing.

8. Execution environments are dangerous because they can be exploited to propagate viruses and Trojan horses. 9. Java is limited to a sandbox environment, which while not perfect, is far more secure than the unlimited ActiveX execution environment. 10. Digital signatures are only a means of verification; They do not perform any security function beyond attesting that content has not been modified and that it originates from a known source. 323Terms to Know • ActiveX • application • appropriate use policy • attachment • content signing • execution environment • firewall • group policies • Java • lessons learned • macro • password • permissions • policy • requirements • sandbox • system

Chapter 5: Border Security

Overview Where does your network stop, and the Internet begin? Thats like asking where one country stops and another starts. The line between them is merely a subjective boundary where one set of rules start and another set of rules stop. But like the border between China and Russia, where one country is built out and densely populated right to the edge, while the other is