Take Care of the Details for a Secure Network

Share it on Twitter  
Share it on Facebook  
Share it on Google+
Share it on Linked in  
Often people ask about ways to protect their computers from beingattacked. They say something like, 'I've heard about this defense indepth thing but I don't know where to get it.' As IT professionals, wefrequently get caught up in jargon that prevents us from helping clientshelp themselves.

Many users get overwhelmed by the notion that there are 'all thesethings' they must do to stay safe, so they don't do anything or theyimplement poorly conceived notions of what they think defense in depthmeans.

What it's really all about though is taking simple steps to protect smallaspects of our computer systems, whether it's our hardware, software orour sensitive data.

We want to protect ourselves in our email and web-browsing habits. Thismeans using virus software, and spyware and adware detection measures,along with pop-up blockers (Pop-ups aren't just inconveniences. Theyfrequently carry payloads for Trojans and other types of malware.) Wewant to protect ourselves from personal and sensitive data leakage,whether its our personal information, or sensitive data belonging to ourcompany. Finally we want to protect ourselves from network computercompromises.

We repeatedly tell anyone who will listen to keep virus signaturesupdated, and scan all incoming email files. Never, ever, ever openattachments from strangers. Think before opening email attachments fromfamily or friends. When in doubt, call and ask if they really sent youthe Read-ME.doc.exe file. Filter your spam. Never click on linksregardless of the originator. (Hand-type the link if you think theremight be some slight possibility that the GOAR Bank of West Virginiawants you to verify your non-existent account.)

Be aware of the types of information you send in email -- since email isalways sent in the clear unless you encrypt the body of the text. This isjust email. Looking again at the previous litany, we can see this is allcommon sense that requires some thought and only a little effort.

When you send email to a colleague, think about the purpose of themessage, and the attachments. Think about the potential loss ofinformation if that message is compromised while in transit. Consider theneed for using email, and whether a short phone call or face-to-faceconversation might prevent the loss of sensitive data. Recognize thatonce it's gone, it's out of your control. That data can be replicated,transferred or disseminated to any number of places without yourknowledge. Anyone who has ever dashed off a rash message taunting theboss' computational skills, knows what I'm talking about.

Web browsing presents other issues.

Know the sites you visit. Use HTTPs when completing financialtransactions. Be aware of the things you click on within sites.Piggybacked applets that hide in innocuous content can install Trojans.And in some cases, sites that promise one thing actually give somethingmuch different.

If you choose to download something from the Web, and install it on yourmachine, please at least read the license agreement that givesaway all your rights to privacy. Look closely at the EULA's for thingssuch as Web-anonymizers and Web-accelerators, as well as some filesharing programs.

Proper password protocols go a long way to protecting your networkaccess, documents, email, and secure Websites, such as banking and humanresources sites. Choose passwords that are appropriate to the level ofneed. Your network account password should be as complicated as possible.If you must write it down, use a secure place as long as you don't keepyour password and username together. Also don't leave it anywhere nearyour system, even if you think it's well hidden. This is insurance forthat rare occasion when you can't quite come up with the correct order ofletters, numbers and special characters.

Also remember that you should be working on schemes that allow you tocreate passwords built on similar principles. Just remember yourpasswords should be as strong as the system allows.

And consider ways into your system that might seem invisible.

Do you have an FTP site? Is your system listening on the standard FTPport? Is your system listening on port 80 even though you don't have aWebsite? Mac users can click on the sharing icon in the systempreferences panel to see what types of network services may be turned onautomatically. On a Windows machine you can click on the control paneland select the services icon. Only run those services you actually use.No Webpage? No IIS. Telnet and FTP should never be enabled because theyare inherently insecure. They should be replaced, if needed, with ssh andscp, the encrypted versions of those protocols.

Windows machines also allow users to prevent any connection that theydon't initiate by using TCP/IP filtering. This can be set by followingthe directions in Step 13 on