INFOLINK Tech Talk #3
Computer and Network Security
Presented by: Jeffrey Bombell, American Computer Technologies
Why do we need security?
• “All men by nature desire knowledge” - Aristotle, c. 360 BC
• “Knowledge is Power” - Francis Bacon, 1597
• “Forbidden Donut” - Homer Simpson, 1989
Why do we need security?
• 70% of all security violations happen from within an organization.
• Of that 70%, most “attacks” are not attacks at all: people make honest mistakes that cause bad things to happen.
• In outside attacks, the targets are normally unknown to the attacker.
• Most administrators are oblivious to the number of attacks that are attempted each day.
Overview
• Client Security
• Server Security
• LAN/WAN
• Social Engineering
• Tools
• Developing A Security Plan
Client Security: Current State
• Most of the measures in libraries today address acceptable use, not security.
• Anti-virus is only as good as its last update. Antivirus program updates are released weekly.
• Most third-party, software-based security measures can be thwarted on Windows 9x and ME systems.
Operating Systems: Laying the Groundwork
• Start with an OS that can be hardened easily:
  • Windows 2000
  • Windows XP
  • Mac OS-X
  • UNIX (Solaris, Linux, BSD)
• Windows 2000/XP:
  • Always install on an NTFS file system
  • Remove all unnecessary programs
  • Set Group Policies
  • Use PAC from the Bill & Melinda Gates Foundation
Client Security
• Secure the computer's BIOS
• Install the computer with minimal operating system features
• Require user authentication
• Keep the operating system and applications up to date with patches
• Install anti-virus software - UPDATES!
• Install desktop security software
• Securely configure applications
• Educate and constantly remind staff about the need for security
Client Security: Lockdown
• Lockdown software can control the computer at the application level and the OS level.
• WINSelect: http://www.winselect.com
  Uses a proprietary, non-registry lockdown method. Allows customizable restrictions on most features of most programs.
• Fortress: http://www.fortress.com
  Similar to WINSelect; Fortress monitors each action the user performs and determines whether it is authorized.
• Secure PC: http://www.citadel.com
  Secure PC uses registry manipulation as well as direct monitoring of application functions.
Client Security: Menu Replacement
• Menu Replacement / Kiosk Software
• Menu replacement software replaces the standard Windows desktop with a third-party program. These programs replace the Windows interface with their own and present the user with a different desktop, usually without the Start Menu, Task Bar, etc.
• CARL: http://www.tlcdelivers.com
• WinU: http://www.bardon.com/winu.htm
• CybraryN: http://www.cybraryn.com
Client Security: Roll Back
• Roll Back software gives users the ability to make changes on a system and later revert it to its former state.
• DeepFreeze: http://www.winselect.com
• CleanSlate: http://www.fortress.com
• RestoreIT: http://www.farstone.com
Server Security
• Same general guidelines as with client OS hardening: enable only what is needed.
• If you are not running a web server, get rid of IIS.
• Limit who has access to Administrator accounts.
• Implement strong passwords.
• Change passwords often.
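The client and server hardening checklists above can be audited rather than just remembered. The script below is an added example, not part of the talk, that checks five of those items (NTFS system volume, IIS present, size of the local Administrators group, anti-virus signature age, time since the last patch) on a current Windows host; it assumes PowerShell 5.1 with the Storage, LocalAccounts and Defender modules (Windows 10/11 or Server 2016+), and the 7-day and 30-day thresholds are assumptions, not figures from the talk.

```powershell
# Hardening audit for the checklist items in this talk (added example, not the
# presenter's script). Assumes PowerShell 5.1+ on Windows 10/11 or Server 2016+;
# run from an elevated prompt so Get-LocalGroupMember and Get-MpComputerStatus work.
$findings = @()

# "Always install on an NTFS file system": inspect the system volume.
$sysLetter = $env:SystemDrive.TrimEnd(':')
$fs = (Get-Volume -DriveLetter $sysLetter).FileSystem
if ($fs -ne 'NTFS') { $findings += "System volume ${sysLetter}: is $fs, not NTFS" }

# "Not running a web server, get rid of IIS": the W3SVC service exists only when IIS is installed.
$iis = Get-Service -Name W3SVC -ErrorAction SilentlyContinue
if ($iis) { $findings += "IIS is installed (W3SVC is $($iis.Status)); remove it if no web server is needed" }

# "Limit who has access to Administrator accounts": list local Administrators.
$admins = @(Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name)
if ($admins.Count -gt 2) {   # threshold is an assumption; tune to the site's policy
    $findings += "Local Administrators has $($admins.Count) members: $($admins -join ', ')"
}

# "Anti-virus is only as good as its last update": Defender signature age in days.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp -and $mp.AntivirusSignatureAge -gt 7) {   # 7-day threshold is an assumption
    $findings += "AV signatures are $($mp.AntivirusSignatureAge) days old (last update $($mp.AntivirusSignatureLastUpdated))"
}

# "Keep the operating system up to date with patches": days since the newest hotfix.
$lastFix = Get-HotFix | Where-Object { $_.InstalledOn } |
           Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($lastFix) {
    $age = ((Get-Date) - $lastFix.InstalledOn).Days
    if ($age -gt 30) {   # 30-day threshold is an assumption
        $findings += "Last hotfix $($lastFix.HotFixID) was installed $age days ago"
    }
}

if ($findings.Count -eq 0) { 'No findings: all checked items pass' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```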
Central Administration
• Terminal Services and Citrix Metaframe
  • Move application loading to the server.
  • Requires full-time trained IT staff.
• Implement Active Directory to centrally manage group policies on Windows networks.
  • Requires Windows 2000 or XP on the client.
  • Requires client logons to be enforced.
LAN/WAN Security
• Partition the network. Keep the public access computers separate from the day-to-day business network.
• xDSL is cheap and more than enough service for public access. Verizon DSL starts at $60/mo for 768Kbps/128Kbps (that is ½ the download speed of a T1) and goes up to $205/mo for 7.1Mbps/768Kbps.
• The average T1 circuit and service is about $600/mo.
LAN/WAN Security
• Firewall
• Separate DMZs for public and private networks
• Content Filtering
• Application Filtering
  • Disallow access to harmful or disruptive internet applications.
• Policy Enforcement
Social Engineering
• What the $@#%%! is Social Engineering?
• Social Engineering is generally a hacker’s clever manipulation of the natural human tendency to trust.
• http://www.securityfocus.com
True Stories From ComputerWorld – Shark Tank
• Pilot fish quits his county government job but still has his e-mail account to help during the transition. Then he receives a message from a new IT guy, asking all users with remote access for their phone numbers, log-ins and passwords. "I hoped all the users I had repeatedly schooled in security would refuse to respond," says fish. But one department head not only e-mails his password, but also clicks on "Reply to all," fish says -- "so every user in the county got the message."
• http://www.computerworld.com/departments/opinions/sharktank
Social Engineering
• Teach your employees who is authorized to gather information about your systems.
• Teach your employees what information should never be released.
• Employees’ passwords are for their use only. No one else should ever need them.
• Administrators have their own passwords that allow them to do anything you can do.
Security Tools
• TRINUX - http://trinux.sourceforge.net/ - Trinux is a ramdisk-based Linux distribution that boots from a single floppy or CD-ROM. Trinux contains the latest versions of popular Open Source network security tools for port scanning, packet sniffing, vulnerability scanning, sniffer detection, packet construction, active/passive OS fingerprinting, network monitoring, session hijacking, backup/recovery, computer forensics, intrusion detection, and more. Trinux gives you the power of Linux security tools without requiring a full-blown Linux install or the need to download, compile, install, and update a complete suite of security tools that are typically not found in mainstream distributions.
• TRINUX is FREE and is on your CD under \Network Security\TRINUX
Security Tools
• Internet Security Scanner – http://www.iss.net
  • A suite of products for security assessment and active security scanning of clients, servers and networks. It evaluates systems for open holes, missing security patches, strong passwords, etc.
  • Cost may be prohibitive for a single library.
Security Policy Components
• Objective or Abstract
• Scope
• Responsibilities
• Physical Security
• Network Security
• Software Control
• Disaster Planning
• Acceptable Use Policy
• Security Awareness
• Compliance
• http://www.infopeople.org/howto/security/basics/security_policies.html
Objective or Abstract
• The Objective or Abstract should be a mission statement that defines the objectives of the policy. It summarizes what types of assets are important, why they need to be protected, and the procedures to be followed to protect them.
Scope
• The Scope defines the specific assets to be protected by the policy, based on the Risk Assessment. It also defines who must follow the policy, such as members of the public, employees, outside contractors, and vendors.
Responsibilities
• The Responsibilities component describes who is responsible for protecting the assets defined in the scope, and how. It generally outlines users' security responsibilities, but it can also include the roles of particular users, such as IT department managers and administrators.
Physical Security
• The Physical Security section states how the library will physically protect its facility and assets. It should also state who has access to restricted areas, such as server rooms and telecommunications closets.
Network Security
• Network Security states how the library will protect data stored on the network(s). It should include information on:
  • Workstation security
  • Access control and authentication
  • Securing of file systems
  • Backups and restoring backups
  • Remote access
  • Network monitoring
  • Port restrictions
  • Filtering
  • Firewalls, proxy servers and border routers
Software Control
• Software controls should be in place stating how your organization uses commercial and noncommercial software. They should describe:
  • Procedures for the purchase of software
  • Procedures for installing software
  • Procedures for downloading software from the Internet
Disaster Planning - Hardware
• List all critical assets.
• Complete a detailed hardware inventory with the hardware specifications needed for critical assets.
• Compile a list of the personnel, including contact information, needed to restore service.*
• Establish a restore priority.
*May include vendors
Disaster Plan - Software
• Establish a data backup plan.
• Determine the need for off-site storage locations and record their contact information.
• Compile information on what is backed up and when.
• Compile a list of personnel, including contact information, needed to restore data.*
• Establish a restore priority.
*May include vendors
Acceptable Use Policy
• An Acceptable Use Policy details the ways in which:
  • The network can be used, including use of the Internet
  • Patrons may use the computers
  • Computer use limitations are imposed (such as time constraints or filtering restrictions)
  • Violations of the Acceptable Use Policy are handled
Security Awareness
• Security Awareness outlines what level of awareness of security issues staff are expected to have. This should include some information on training new users in security issues. This is one of the most important parts of a security policy: it helps stop social engineering efforts before they happen.
Additional Information
• The SANS Institute - http://www.sans.org/resources/policies/
• Computer Emergency Response Center - http://www.cert.org
• Symantec Antivirus Research Center - http://www.sarc.com
• Security Focus - http://www.securityfocus.com/