NETWORK SECURITY REQUIREMENTS FOR SYSTEMS CONNECTED TO THE
on voluntary measures to keep your network secure is not acceptable.
Authority to mandate security on the network is essential.
A security policy that spells out the specific value of the
information on your network, and what steps the company is
willing to take to protect it, is required. Security measures
on the network that reflect this policy must be implemented.
Below is a description of key elements of security requirements
that should be formally implemented by business management
for LAN and remote computers.
business computers are connected to the Internet, due diligence,
accepted practice, and the Sarbanes-Oxley Act require that
specific precautions be undertaken to protect confidential
business and consumer data from unauthorized access. Off-site
PC's with any connection to a corporate LAN must also be just
as secure as the corporate network. This includes PC's that
are merely connected or have access to the same local area
network as a PC that has trusted access to a corporate network,
such as is common with home computer networks where a laptop
is brought home from work.
security must deal with several issues: Firewalls, Intrusion
Prevention, Anti-Virus, Spy Ware, Cookies, Unsafe email Attachments,
Inappropriate Software, Wireless Access, Home/Remote Access,
Security Auditing, and Acceptable Use Policy.
A firewall is a tool designed to prevent unauthorized access
to computers from the Internet. The key word is "from".
If someone or something on a network PC initiates an Internet
connection, the firewall, by design, must let that data through,
as well as the data returning in response from the initial
action. If for any reason an unknown program, trojan horse,
or similar action where to initiate a dialog without the user's
knowledge, the firewall is helpless to prevent this type of
security breech. In order to protect against intrusion, a
firewall is required at two points: 1) at the Internet connection
(DSL, T1, etc); and 2) on every PC on the local area network
connected to the Internet. Alternately, firewall based Intrusion
Prevention with deep packet inspection can fully inspect all
incoming and outgoing traffic payload contents.
Evolving security exploits that can result in the compromise
of corporate networks and confidential information require
new defenses and counter-measures. Stateful packet inspection
firewalls are no longer suitable to detect and block emerging
blended threats such as the ADODB exploit. Corporations can
implement Intrusion Prevention based firewall appliances that
provide deep packet inspection. This provides the framework
for bi-directional logging and/ or blocking of 50 categories
and over 1800 signatures of known intrusion exploits. An awareness
of this new avenue of defense by businesses of all sizes is
important to the security of corporate networks.
Newer generations of the family of virus, worm and Trojan
programs are much more sophisticated and damaging, consisting
of "blended threats" such that multiple sources
and steps are involved, most of which are not detectable by
stateful packet inspection firewalls. The impact of virus,
Trojan, worm, and blended attacks on a business network cannot
only result in the loss of resources while recovery is undertaken.
Confidential business data can be compromised as well. It
is imperative that a uniform anti-virus system be implemented
that includes every PC connected to any local area network
so long as any one of those PC's may have trusted network
access to corporate resources.
Different from the category of virus programs, spy ware consists
of programs that end up on a PC that enable a third party
to gain information about activity on that PC, with or without
that user being aware of the data collected. The collection
of data can include personal information that should remain
business confidential, including login accounts and/or passwords.
These are web-browsing programs intended to identify the PC
on which they are placed. Their functionality can be used
in unintended ways to gather personal information similar
to spy ware, and to result in spy ware and/or trojans ending
up on a PC.
Generally accepted network security practice does not allow
accepting email attachments that are capable of running scripts,
executing instructions, or otherwise initiating activity which
could result in a compromise of the recipient, and/ or cause
actions to occur on the recipient workstation unknown to the
recipient. This is not directly related to virus, Trojan horse
or worm issues, but rather to legitimate functions performed
in a way that would be unacceptable if understood by the recipient.
The most flagrant of these potentially unsafe files are: .doc
.xls. Due diligence suggests that corporate acceptable use
policy require the use of .rtf or .pdf files in lieu of .doc,
and the use of .csv (comma delimited ascii) in lieu of .xls,
thus avoiding potentially unsafe outcomes. Most of the time,
.rtf does just fine for nicely formatted document exchange.
It is very easy to tell Word to use .rtf as the document storage
format. If there are lots of graphics in a document, .pdf
is a better choice. There are many .doc to .pdf conversion
programs available for free or very little cost.
These are programs commonly used in home or school environments
to do things like share or download music off the Internet,
conduct "chat" activity with other Internet users,
and many other seemingly harmless activities. However in a
business environment, many of these programs are inappropriate.
Some of these activities violate copyright laws and place
the business at risk. If you don't think this is a real problem,
you should know that even private individuals are being pursued
in the courts for copyright violation. In other cases, these
types of programs open a channel of communication through
the firewall that then expose the business to network compromise
by hackers. The list of specific inappropriate software is
endless. In general, business network security issues require
that all of the PC's connected to a local area network must
adhere to an Acceptable Use Policy. This policy must not allow
the downloading or sharing of any type of audio and/or video
data, period. Also not to be allowed are Internet Chat programs.
Programs freely available to feed weather, news, headlines,
etc. must not be used on any PC connected or with access to
any local area network that has so much a one PC with access
to a corporate LAN. All of this type of computer use carries
the risk of compromise by hackers, and must not be allowed.
Almost all wireless access points in use today are security
risks, even if Wireless Encryption Protocol (WEP) is being
used. No wireless access devices are to be used on any local
area network if that local area network has even one PC that
has access to the corporate LAN. If you believe that you have
a legitimate need for wireless access, approved, secure equipment
and implementation of wireless access via IPSec is possible.
or Remote Access to Business Network Computers and/or Resources
This should not be allowed unless approved, secure means are
being used that have the same level of security as if the
PC is connected directly to the business network. This is
the weakest link issue. Hackers now look for home PC's with
trusted access to business networks, and then have the same
access to confidential data as they would if they were sitting
at a PC in the office of that business. PC's used to access
business networks remotely must be as secure as if they where
at the office. Programs like pcAnyWhere are not to be allowed
due to known security risks. If business computing resources
must be accessed by users not at the office, the access must
only be done in an approved, secure manner. Arrangements for
secure remote access can be made.
Remote offices with corporate LAN access via the Internet
must be audited for remote network security compliance by
the use of network security auditing tools commonly used in
business environments. Such auditing does not need to gather
business or personal data at any remote location. This auditing
should be conducted on a regular basis and performed in such
a manner as to not interfere with normal business PC use.
In the event that a security risk is discovered, there should
be a pre-existing policy that defines a suitable response.
Such response may include requesting a specific change be
made at a remote location within a specified time period or
if deemed a severe risk, discontinuing the access granted
to a remote location in order to avoid a compromise that could
adversely affect the corporate LAN or other remote users.
©2004, Nova Business Systems, Inc. Reproduction
of this article is forbidden without prior consent from Nova
Business Systems, Inc.