7 Things People Do To Endanger Their Networks

  • 1. The Seven Bad Things People Do To Endanger Their Network Security
  • 2. (…Explained in Plain English)
  • 3. Presented by SAGE Computer Associates, Inc. SAGE Computer Associates, Inc.: – In business for 19 years – Hundred person-years of experience – Worked with many businesses – Certified Security Administrator on staff – Certified Microsoft Engineers on staff – Certified Novell Engineers on staff
  • 4. Take away from today's talk – Nothing is secure – However, NO HEADS IN THE SAND – Inexpensive steps you can take NOW – Even on your home PC.
  • 5. "There is nothing more secure than a computer which is not connected to the network --- and powered off!"
  • 6. What are the Seven Things? – No Policies – Bad Passwords – No Virus Protection – No Backup – Inadequate protection against hackers – Don't keep up with patches/fixes – Unrestrained e-mail/instant messaging
  • 7. Mistake #1: No Policies • Data Security: Do you know who sees and has access to what data? And should they have that level of access? • Termination policies: Disgruntled employees are the second most common source of network sabotage • Remote access: A common hole in network security • Computer usage: Non-business activities that open your network up to attack • Internet usage: You know there's LOTS of bad stuff out there – but do you know just how much? • Confidentiality awareness: Think about what your employees know about your business • Hire the right people! It's more important than you may think
  • 8. Internet Usage at Work Productivity Issues: – Cyber-loafing accounts for 30% to 40% of lost worker productivity (Business Week) – 90% of those surveyed indicated that they view non-work related web sites during work hours. (Vaultreports.com) Resource use – Downloading music/videos takes A LOT of network resources
  • 9. More Reasons to Care Legal Liability – One in five men and one in eight women admitted using their work computers as their primary lifeline to sexually explicit material online (MSNBC) – Since the company is the one that gave employees access, the company is liable … unless the company can show it took reasonable steps to prevent problems (Corporate Politics on the Internet: Connection without Controversy)
  • 10. Implement the Policies! – Appropriate Security on the Network • Administrative/Supervisor rights • Appropriate Security for users
  • 11. More Confidentiality Awareness Training - particularly to address Social Engineering: "outside hackers' use of psychological tricks on legitimate users of computer systems to get passwords/user-ids to get access to systems" www.morehouse.org/hin/blckcrwl/hack/soceng.txt
  • 12. Mistake #1: No Policies How can we help? Request a copy of our sample policies for: - Internet Usage - E-mail Usage - Virus Protection and get SAGE to help you implement it
  • 13. Mistake #1: No Policies How can we help? Internet Monitoring – Monitor where people go on the Internet – Create reports – Block offensive/other sites- list updated 2x/week – Block specific kinds of traffic (music, photographs, etc) – Block specific addresses – Block specific users – Block usage during specific times
  • 14. Mistake #2: Bad Passwords – 40% of all passwords are the word 'password' – Difficult passwords are hard to administer http://www.slac.stanford.edu/comp/security/password.html
  • 15. Password Guidance Password No-No's: – less than eight characters – a word found in a dictionary (English or foreign) – a common usage word such as names of family, pets, friends, co-workers, fantasy characters, etc. – Computer terms and names, commands, sites, companies, hardware, software. – Birthdays/other personal information such as addresses and phone numbers. – Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc. – Any of the above spelled backwards. – Any of the above preceded or followed by a digit (e.g., secret1, 1secret)
  • 16. Password Guidance Password Suggestions (Strong passwords) – Contain both upper and lower case characters (e.g., a-z, A-Z) – Have digits and punctuation characters as well as letters (e.g., 0-9, !@#$%^&*()_+|~-= {}[]:";'<>?,./) – Are at least eight alphanumeric characters long. – Are not a word in any language, slang, dialect, jargon; are not based on personal information, names of family, etc. – Easily remembered. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase might be: "This May Be One Way To Remember" and the password could be: "TmB1w2R!" or "Tmb1W>r~"
  • 17. Mistake #2: Bad Passwords How We Can Help: Password Cracking Tool: L0phtCrack www.sunbelt-software.com -Runs in the background -Can collect all passwords, given enough time We will run this for you and help you implement a policy
  • 18. Future Solutions Security Tokens-Secure Computing solution Biometrics
  • 19. Mistake #3: No Virus Protection Different threats under the same name: – Virus – Worm – Trojan horse – Malicious code – Blended Threat – Hoax – Denial of Service DoS (not a virus)
  • 20. Virus Security Example of malicious code From: Microsoft Corporation Security Center <rdquest12@microsoft.com> To: Microsoft Customer <'customer@yourdomain.com'> Subject: Internet Security Update Attachment: q216309.exe Microsoft Customer, this is the latest version of security update, the "7 Mar 2002 Cumulative Patch" update which eliminates all known security vulnerabilities affecting Internet Explorer and MS Outlook/Express as well as six new vulnerabilities, and is discussed in Microsoft Security Bulletin MS02-005. Install now to protect your computer from these vulnerabilities, the most serious of which could allow an attacker to run code on your computer. Description of several well-know vulnerabilities: Would you have recognized this as a threat?
  • 21. Virus Security Anti-Virus software MUST BE UPDATED!! Home users need it as much as business users By subscription- TrendMicro, Symantec, other vendors
  • 22. Virus Security Business users should be set up to update automatically without 'human intervention' Training Many websites, 'kits' available to write your own viruses – http://orbita.starmedia.com/~lautaroml/virus.html
  • 23. Virus Security Turn off the Preview Pane in Outlook – Click on View, unclick 'preview pane' Turn off disk and printer sharing in Windows – Start button, click 'Settings', 'Control Panel', 'Network' and make sure 'share disk' and 'share printer' are NOT checked
  • 24. Mistake #3: Virus Security How We Can Help Virus Software Audit Network Audit
  • 25. Mistake #4: No Backup Most people believe this is covered, BUT – Data stored on local drives – Data not restorable – Tapes not taken off site – Not enough data backed up – Open files not handled
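Slide 25's list of reasons a backup turns out not to be a backup ("data not restorable", "not enough data backed up", "open files not handled") is what a backup audit checks for, and the only reliable check is a test restore. The following is an added example, not SAGE's audit or any product's code: it records a SHA-256 manifest when the archive is written, restores the archive into a scratch directory, and reports every file that is missing, changed or unexpected. The directory tree, file contents and the "file modified after the backup ran" scenario are constructed for the example.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root):
    """Map every file under root (POSIX-style relative path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(source_dir, archive_path):
    """Write a tar.gz of source_dir and return the manifest taken at backup time."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(str(source_dir), arcname=".")
    return manifest(source_dir)


def verify_restore(archive_path, expected):
    """Restore the archive into a scratch directory and compare it with a manifest.
    Returns a list of problems; an empty list means every expected file came back
    with the expected contents and nothing extra appeared."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive_path, "r:gz") as tar:
            try:
                # the 'data' filter (Python 3.12+, backported to older point
                # releases) refuses absolute paths and '..' members in the archive
                tar.extractall(scratch, filter="data")
            except TypeError:
                tar.extractall(scratch)
        restored = manifest(scratch)
    for rel, digest in expected.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"content changed: {rel}")
    for rel in restored:
        if rel not in expected:
            problems.append(f"unexpected file restored: {rel}")
    return problems


def demo():
    """Constructed scenario. First a clean restore is verified against the manifest
    taken at backup time. Then one file is modified and another created after the
    backup ran (the 'open files' and 'not enough data backed up' cases), and the
    archive is checked against a fresh manifest of the live data."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "data"
        (src / "ledger").mkdir(parents=True)
        (src / "ledger" / "2002.csv").write_text("invoice,amount\n1,100\n")
        (src / "notes.txt").write_text("quarterly notes\n")
        archive = Path(work) / "backup.tgz"

        expected = make_backup(src, archive)
        clean = verify_restore(archive, expected)

        (src / "ledger" / "2002.csv").write_text("invoice,amount\n1,100\n2,250\n")
        (src / "new.txt").write_text("created after the backup ran\n")
        stale = verify_restore(archive, manifest(src))
        return clean, stale


if __name__ == "__main__":
    clean, stale = demo()
    print("clean restore:", clean or "OK")
    print("after changes:", stale)
```

The clean run reports nothing; the second run reports the changed ledger and the missing new file. Comparing against a manifest taken from the live data, as the second run does, is the check that catches files written while the backup was running, which a comparison against the archive's own manifest can never see.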
  • 26. Mistake #4: No Backup How We Can Help Backup Audit
  • 27. Future Solutions Internet-based backup Optical Storage
  • 28. Mistake #5: Inadequate Protection Against Hackers Firewalls – Blocks incoming traffic – From free to millions $$$$ EVERYONE MUST HAVE ONE www.zonelabs.com – Software (home) www.sonicwall.com – Appliance (business)
  • 29. Mistake #5: Inadequate Protection Against Hackers- If you host your own website Incoming Web Traffic – SSL certificates – Different type of firewall – Data available for customers on your website has to be segregated from the rest of the company data – Outsourcing
  • 30. Internet Security What to ask your outsourced web hoster – Power back up – Internet connection redundancy – Which firewall? – Data back up – Business questions – How can I make changes? – Register your URL in YOUR name
  • 31. Mistake #5: Inadequate Protection- How we can help Port Scan – Reports open ports/vulnerabilities
  • 32. Mistake #6: Not Keeping Up with Patches/Service Packs Difficult to Keep Pace—But Imperative – Your lack of patching can help spread viruses to other networks – Workstation updates are now part of the problem too
  • 33. Mistake #6: Staying Current- How we can help Penetration Testing – Check for documented vulnerabilities
  • 34. Mistake #7: Unrestrained Email, Instant Messaging "E-mail is like sending a postcard on the Internet" – Can be read by many people (your ISP, any system admin at any server along the message path, your employer, the US Government using Carnivore/Echelon or other software). http://www.surfcontrol.com/business/products – Can be re-sent to someone else, looking like it came from you.
  • 35. Solution to E-Mail Security PGP "Pretty Good Privacy" – Download free copy at www.pgpi.org – Go see Phil at http://web.mit.edu/prz/ Digital ID digitalid.verisign.com
  • 36. E-Mail Security Email Gaffes - BBC sports executive sends "I think they're both crap" email (about two on-camera execs) to entire BBC sports staff (500 people) - London lawyer forwards message from his girlfriend re: "intimate act" - his colleague forwards it to others; in hours, spread across whole Internet. 6 people suspended from their jobs. Email Protocol/Guidance – http://www.bmcc.cc.or.us/cs/cs125e/notes/etiq.htm – http://www.cio.com/archive/120100/diff.html
  • 37. Instant Messaging (IM) AOL Instant Messaging/ICQ/Yahoo Messenger/MSN Messenger/ other packages – The good news? • they're free – The bad news? • Completely not secure • People can pretend to be who they are not • With no policies in place, users have no guidelines on what they can/cannot say
  • 38. Instant Messaging Security Centralize it – Log the traffic – Encrypt the traffic (PGP has a module for this) – Establish policies OR Block it
  • 39. Steganography "Embedding secret messages in other files in a way that prevents an observer from learning anything unusual is taking place" – Greek soldiers tattooed maps on their heads, and then grew their hair out – Romans obscured messages by applying layers of wax onto the tablets on which they were written, then melted the wax to read the message. – Osama bin Laden and his associates have been using steganography to hide terrorist plans inside pornography and MP3 files freely distributed over the Internet.
  • 40. Resources Pretty Good Privacy for email: www.pgpi.org Firewalls – www.zonelabs.com (free personal firewall) - see this link for an article about it: http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2870704,00.html – http://www.firewall.com/ good general site for tech info Virus software – www.symantec.com – www.trendmicro.com (don't use the free trial - pay for the real software)
  • 41. Resources Steganography http://members.tripod.com/steganography/stego.html Basic Security website: http://online.securityfocus.com/infocus/1560 Security Certifications - Information Systems Security Association www.issa-intl.org/certification.html
  • 42. Our Offer When you fill out the evaluation form, you can choose one of the services at no charge: 1. Policy creation 2. Virus protection audit 3. Backup Audit 4. Open Port Scan 5. Patch/Service Pack Audit 6. Internet Monitoring Pilot 7. Network Audit
  • 43. Don't Let the Perfect Interfere with the Good: Download the policies if you don't already have them. Choose one of the free services on the evaluation form to get started measuring the problem. Download the free firewall (zonelabs.com) and the not-free virus software for your home PC
  • 44. For More Information: jaymem@sagecomputer.com (518) 458-9300
  • 45. Thank You! For More Information: jaymem@sagecomputer.com (518) 458-9300