Take Care of the Details for a Secure Network
eSecurityPlanet columnist Linda LeBlanc takes a look at the small details that could mean the difference between a secure network and one riddled with holes.
Many users get overwhelmed by the notion that there are 'all these things' they must do to stay safe, so they don't do anything or they implement poorly conceived notions of what they think defense in depth means.
What it's really all about though is taking simple steps to protect small aspects of our computer systems, whether it's our hardware, software or our sensitive data.
We want to protect ourselves in our email and web-browsing habits. This means using virus software, and spyware and adware detection measures, along with pop-up blockers (Pop-ups aren't just inconveniences. They frequently carry payloads for Trojans and other types of malware.) We want to protect ourselves from personal and sensitive data leakage, whether its our personal information, or sensitive data belonging to our company. Finally we want to protect ourselves from network computer compromises.
Be aware of the types of information you send in email -- since email is always sent in the clear unless you encrypt the body of the text. This is just email. Looking again at the previous litany, we can see this is all common sense that requires some thought and only a little effort.
When you send email to a colleague, think about the purpose of the message, and the attachments. Think about the potential loss of information if that message is compromised while in transit. Consider the need for using email, and whether a short phone call or face-to-face conversation might prevent the loss of sensitive data. Recognize that once it's gone, it's out of your control. That data can be replicated, transferred or disseminated to any number of places without your knowledge. Anyone who has ever dashed off a rash message taunting the boss' computational skills, knows what I'm talking about.
Web browsing presents other issues.
Know the sites you visit. Use HTTPs when completing financial transactions. Be aware of the things you click on within sites. Piggybacked applets that hide in innocuous content can install Trojans. And in some cases, sites that promise one thing actually give something much different.
If you choose to download something from the Web, and install it on your machine, please at least read the license agreement that gives away all your rights to privacy. Look closely at the EULA's for things such as Web-anonymizers and Web-accelerators, as well as some file sharing programs.
Proper password protocols go a long way to protecting your network access, documents, email, and secure Websites, such as banking and human resources sites. Choose passwords that are appropriate to the level of need. Your network account password should be as complicated as possible. If you must write it down, use a secure place as long as you don't keep your password and username together. Also don't leave it anywhere near your system, even if you think it's well hidden. This is insurance for that rare occasion when you can't quite come up with the correct order of letters, numbers and special characters.
Also remember that you should be working on schemes that allow you to create passwords built on similar principles. Just remember your passwords should be as strong as the system allows.
And consider ways into your system that might seem invisible.
Do you have an FTP site? Is your system listening on the standard FTP port? Is your system listening on port 80 even though you don't have a Website? Mac users can click on the sharing icon in the system preferences panel to see what types of network services may be turned on automatically. On a Windows machine you can click on the control panel and select the services icon. Only run those services you actually use. No Webpage? No IIS. Telnet and FTP should never be enabled because they are inherently insecure. They should be replaced, if needed, with ssh and scp, the encrypted versions of those protocols.
Windows machines also allow users to prevent any connection that they don't initiate by using TCP/IP filtering. This can be set by following the directions in Step 13 on this Website.
Defense in depth includes taking precautions regarding the physical access to your computer. Sure, it's a desktop and you can't lock it in the cabinet, but do you lock your screen when you step away for coffee or lunch? Have you conveniently left your really-hard-to-remember password written down in an unlocked drawer for the janitor to find? Do you ever look to see if there are any strange wires or frobs sticking out of the back of your unit? Corporate espionage often begins at home with hardware keystroke loggers that later provide easy remote access.
Having a computer is similar to owning a car. Without thinking about it, we strap in, turn on and it takes us where we want to go. But with a little more thought, we realize that we also fill the gas, change the oil, check the brakes and keep the tires filled with air. Hopefully, we use fresh wiper blades, and keep the engine tuned for optimum performance. This is our defense in depth from bad things happening on the road. Underinflated tires and bad rubber can lead to blow outs. Poor engine performance can lead to the purchase of a new engine or even a new car.
Keeping our computers tuned by taking care of the simple details gives us that new car smell in the networked world.