
Balancing Security and Technology

Balancing Security and Technology Implementation

We spent quite a lot of time in the spring and fall providing our customers with presentations at our Technology Showcases and Technology Days. For my part, I gave a presentation on how to Balance Security in today’s enterprise while Implementing New Technologies. The response by those who attended was extremely positive, and I would like to thank you for that response. The one thing that was common in all the sessions was the comment that there were people in the individual companies that they wished had been there for the presentation. Well, with schedules being what they are, not everyone could attend, so I decided to take my time this month to bring some of the highlights of that talk to you here.
 
What Are We Talking About
It becomes clear when you are talking about security that the days of the Server and Workstation have given way to additional hardware. This hardware includes laptops, Pocket PCs, PDAs, Blackberry® Devices, and even Smart PCS devices (yes, phones that work like a PDA or Blackberry). Each of these devices brings to the table its own security concerns, but so, too, do the methods of connection. In today’s environment, Internet connectivity, Email, Voice Communications, Instant Messaging and Mobile Computing all come into play. Voice communications are in the mix due to Voice over IP, which carries telephone or voice conversations on your data network. Will the security you have in place allow for this type of connectivity, or will you need to make it more secure because sensitive voice communications are suddenly being converted to more data on the network? The more mobile we all are, the more we must consider the ramifications of security, both inside and outside our office environment.
 
Asking the Right Questions Key in Security
You can start your ‘security watch’ by asking a few simple questions. Do you travel for your job? Do you telecommute? Do you connect on a LAN? Do you connect on a WAN? Do you connect on a WLAN? Do you connect via broadband from outside the company office? Does anyone in your organization do any of the above? If the answer to any of these questions is yes, then you must have more than one method to secure the hardware and data used by yourself or your people. Security, in all forms of its implementation, encompasses many areas. There is physical security, enterprise security and data security. Physical security can refer to your office, your building, etc. Enterprise security involves making sure access to the PC and Server resources is secure by using passwords. Simple, right? Data security is an emerging area where individual files are encrypted and data is protected on a file-by-file basis. Most of the people we talked with at the sessions are not yet using this type of security in their offices.
 
Workstation Basics
While there are many things you can do to secure a workstation, there really is a very basic list that will help everyone as a baseline for security. These same tips work well for home users too. They include using passwords – and I Mean Something Other than your first name or your address or phone number. You must have some sort of Virus-Scanning Software installed and it must be up to a Corporate Firewall. If you are a mobile or home user, you should have a Personal Firewall. Spam Blocking Software is also a must, as 70% of the virus, worm and Trojan infections that attack computers come through SPAM and the Internet. Equally important is to make sure you do not have any Open or Everyone Shares on your system(s). Everyone is a very large group when you are connected to the Internet.
 
Enterprise Basics
While listed as Enterprise Basics, there are many things the small business and home networked user can take from the following top ten list. Some are a reiteration of the information under workstation basics, but when looking at the Enterprise level, the implications and implementation of the same items can be completely different.
 
 1. Use password protection.
 2. Choose creative passwords.
 3. Use encryption.
 4. Create Firewalls.
 5. Don't allow all employees to load their own software.
 6. Do backups at least once a week.
 7. Store your backups off-site.
 8. Keep All Software Up-To-Date!
 9. Disable Web Folder Shares and Everyone Shares
 10. Disable NetBEUI / NetBIOS on TCP/IP.
 
Additional items for IT people include disabling NetBEUI, disabling NetBIOS on TCP/IP, and disabling Web Folder Shares and Everyone Shares. Using passwords that are not so cryptic that people write them down and place them on the bottom of the keyboard is also very important. As an IT person, you must also take the next step. That includes having Firewalls / Security in Place, Identifying your Current Exposures and their Impact on your Business, creating an action plan and implementing that action plan, but the most important item of all is to keep that plan up to date. If you do not, the changes that occur will make it necessary for you to start over in as little as six (6) months.
 
What about WI-FI Security?
You may well notice that the speed you choose for your WI-FI hardware correlates directly with the distance over which the hardware will work, as I mentioned in a previous article. Everyone wants the convenience of WI-FI. Implementing it with real security in mind is what you need to do. Hackers now use, and tell others how to use, USB WI-FI NICs with Chinese Cooking Vat Scoops, so that the scoop acts as a ‘collector’ to get better gain on your ‘stray’ WI-FI signal. Information on the use of this ‘antenna’ and other software and hardware that can be used to gain access to your WAP is still located at the following URL: http://www.wardriving.com . The site also contains the complete instructions and software downloads so you too can go war-driving (a term coined as the new version of war-dialing, the method of having a computer dial phone numbers until a modem is found, as shown in the movie War Games).

If you have a wireless router installed at work or at home, do not just install it with the default settings straight out of the box. Make sure WEP encryption is enabled and that you have enabled MAC address filtering, so that only the people whose WI-FI NICs you have approved can access your wireless access point. Another thing you can do is to make sure the SSID of the wireless router is not being broadcast to whoever might be listening. You can also enable DHCP logging so you know who is using your system and when.

In a corporate or enterprise setting, you can use Windows Server 2003 to act as the gatekeeper for any sessions that attempt to communicate with your network through a WAP. That assumes, of course, that you do not have a renegade user who bought one of the consumer devices from Circuit City or Best Buy and then installed it on your network without your permission or knowledge, rendering your corporate firewalls ineffective!
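
The DHCP logging and MAC address filtering steps above can be checked against each other. The following is an added example, not part of the original article: it reads lease events in the comma-separated field order of the Windows DHCP Server audit log and reports adapters that are not on the MAC filter list. The log lines, MAC addresses, host names and function names are constructed for illustration.

```python
import csv
from datetime import datetime

# Audit-log event IDs that mean a client holds an address (10 = new lease, 11 = renewal).
LEASE_EVENTS = {"10", "11"}

# Constructed allowlist: the adapter MACs entered in the access point's MAC filter,
# written with separators the way an admin page usually shows them.
ALLOWED_MACS = {"00:A0:C9:1B:2C:3D", "00-0D-3A-4F-5E-60"}

# Constructed sample lines in the audit log's field order:
# ID,Date,Time,Description,IP Address,Host Name,MAC Address
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
10,10/04/04,08:02:11,Assign,192.168.1.21,ENG-LAPTOP1,00A0C91B2C3D
11,10/04/04,12:02:15,Renew,192.168.1.21,ENG-LAPTOP1,00A0C91B2C3D
10,10/04/04,19:47:03,Assign,192.168.1.57,UNKNOWN-PC,0011223344AA
11,10/04/04,23:47:09,Renew,192.168.1.57,UNKNOWN-PC,0011223344AA
12,10/04/04,23:59:00,Release,192.168.1.21,ENG-LAPTOP1,00A0C91B2C3D
"""

def normalize_mac(mac):
    """Strip separators and upper-case so log and allowlist values compare equal."""
    return "".join(c for c in mac if c.isalnum()).upper()

def unknown_clients(log_text, allowed):
    """Return {mac: record} for leases handed to adapters not on the allowlist."""
    allowed = {normalize_mac(m) for m in allowed}
    found = {}
    for row in csv.reader(log_text.splitlines()):
        # Skip the header, blank lines and events that are not lease activity.
        if len(row) < 7 or row[0].strip() not in LEASE_EVENTS:
            continue
        mac = normalize_mac(row[6])
        if not mac or mac in allowed:
            continue
        seen = datetime.strptime(row[1] + " " + row[2], "%m/%d/%y %H:%M:%S")
        rec = found.setdefault(mac, {"host": row[5], "ips": set(),
                                     "first": seen, "last": seen, "events": 0})
        rec["ips"].add(row[4])
        rec["first"] = min(rec["first"], seen)
        rec["last"] = max(rec["last"], seen)
        rec["events"] += 1
    return found

if __name__ == "__main__":
    for mac, rec in unknown_clients(SAMPLE_LOG, ALLOWED_MACS).items():
        print(mac, rec["host"], sorted(rec["ips"]),
              rec["first"].isoformat(), rec["last"].isoformat(), rec["events"])
```

An adapter that shows up here but is not in the access point's filter list may be reaching the network by another path, such as an access point installed without permission.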
 
Maintaining the Balance
The key to this type of implementation is maintaining the balance. You must secure the user with passwords and policies, but at the same time they must be able to work. That means access to email, Internet, Instant Messaging and a host of other applications. You must also secure the hardware. This is easy in that if you have the latest versions and have patched and updated the hardware and firmware, you will be in better shape. It can also be difficult, as you may not have the budget to replace wholesale all your hardware every eighteen to twenty-four months. Securing the software, both at the application and operating system level, is very important too. Unfortunately, you must do this with care or else you may cause even more problems (e.g. Windows XP Service Pack 2, and yes, I am still recommending you only install this if you have a compelling business reason to do so at this time).
 
Have A Question Or Comment?
We always like to get your feedback. After all, helping you to understand the issue at hand or new technology will result in better decisions, better connectivity, increased productivity and ultimately better security for hardware and software environments! If you have questions or comments about this article, contact me (JohnBoline@hagerman.com).
 

 

All product names / logos, company names / logos are copyrights of their respective holders. John Boline is an MCSE, CNE, USE and a member of the Network Professional Association. The content herein is often based on late-breaking events. Much of the material is based on information from sources that are believed to be reliable. Hagerman & Company, Inc. disclaims all warranties as to the ultimate accuracy or completeness of the information. Hagerman & Company, Inc. and its employees shall have no liability for errors, omissions or inadequacies in the information contained within this article or for any interpretations thereof. The recommendations, positions and best practice policies outlined herein represent Hagerman & Company, Inc. initial analysis and therefore are subject to change as further information which may have bearing on these positions is made available. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice. Entire contents © 2004 Hagerman & Company, Inc. All rights reserved. Reproduction of this publication in any form without prior written permission is forbidden.

 

by John Boline
Service Manager, MCSE, CNE, USE




 

 


Copyright © 2006 Hagerman & Company, Inc.