Network+ Study Guide

A security policy defines how security will be implemented in an organization, including physical security, document security, and network security.

Security policies must be implemented completely because random implementation is similar to blocks of Swiss cheese. Some areas are covered, and others are full of holes. Before a network can be truly secure, the network support staff must implement a total network security policy that includes posting company information on bulletin boards, clean desks, audits, recording, and the consequences of not complying with the security policy.

Security Audit

A security audit is a review of your network to identify components that aren’t secure. Although you can do a security audit yourself, you can also contract an audit with a third party. This is a good idea if you want the level of security to be certified. A consultant’s audit is a good follow-up to an internal audit.

Government agencies may also require that your network be certified before granting you contract work, especially if the work is considered confidential, secret, or top secret.

Clean Desk Policy

A clean desk policy does not mean that employees must wipe the bread crumbs from their last lunch. (Being clean with food is still a good idea. Mice and ants are difficult to get rid of once an infestation occurs.) A clean desk policy means that all important documents, such as books, schematics, confidential letters, and the like, are removed from a desk (and locked away) when employees leave their workstations. This goes for offices, laboratories, workbenches, and desks and is especially important for employees who share space. It is easy to grab something off someone’s desk without that person’s knowledge, and most security problems involve people on the inside. Implementing a clean desk policy is the number-one way to reduce such breaches.

Note 

The International Computer Security Association ( www.icsa.net) reports that as much as 80 percent of all network break-ins occur from within the company by employees. Thus, protecting your data with a firewall is just the beginning of establishing network security.

For a clean desk policy to be effective, users must clean up their desks every time they walk away from them, without exception. The day this is not done will be the day when prospective building tenants are being shown the layout of the building, and an important document ends up missing. Additionally, workstations should be locked to desks, and you should spot-check to help enforce the clean desk policy. Spot-check randomly, for example, before the company picnic or before a child-at-work day.

Tip 

The ICSA is a vendor-neutral organization that certifies the functionality of security products as well as makes recommendations on security.

Recording Equipment

Recording equipment, such as tape recorders and video cameras, can contain sensitive, confidential information. A security policy should prohibit their unauthorized presence and use.

When you walk into almost any large technology company, you are confronted with signs. A common sign is a camera with a circle surrounding it and a slash through the center of the circle. The text below the sign usually indicates that you cannot bring any recording devices onto the premises. This applies to, but is not limited to, still cameras, video cameras, and tape recorders of any kind.

The NSA recently updated its policy to disallow the Furby doll on government premises. Why would a government not allow dolls on its premises? Well, the Furby doll has a sophisticated computer inside with a digital recording device. The doll repeats what it hears at an interval of time later. This is quite harmless in the playroom at a children’s daycare center. A recording of conversations at the NSA, however, cannot be allowed.

Other Common Security Policies

Security policies can cover hundreds of items. Here are some of the more common:

Notification  What good is a security policy if no one knows about it? Give users a copy of the security policy when you give them their usernames and passwords. Computers should also display a shortened version of the policy when a user attempts to connect. For example, “ Unauthorized access is prohibited and will be prosecuted to the fullest extent of the law.” One hacker argued that since a computer did not tell him otherwise, anyone was free to connect to and use the system.

Equipment Access  Disable all unused network ports so that nonemployees who happen to be in the building cannot connect a laptop to an unused port and gain access to the network. Also, place all network equipment under lock and key.

Wiring  Network wires should not run along the floor where they can be easily accessed. Routers, switches, and concentrators should also not be hooked up in open office space. They should be in locked closets or rooms, with access to those rooms controlled by badge-swiping systems.

Door Locks/Swipe Mechanisms  Be sure that only a few, key people know the combination to the cipher lock on data center doors or that only the appropriate people have badges that will allow access to the data center. Change lock combinations often, and never leave server room doors open or unlocked.

Badges  Require everyone to wear an ID badge, including contractors and visitors, and assign appropriate access levels to contractors, visitors, and employees.

Tracking  Require badge access to all entrances to buildings and internal computer rooms. Track and record all entry and exit to these rooms.

Passwords  Reset passwords at least every month. Train everyone on how to create strong passwords. Set BIOS passwords on every client and server computer to prevent BIOS changes.

Monitor Viewing  Block computer monitors so that visitors or people looking through windows can’t see them. Be sure that unauthorized users/ persons cannot see security guard stations and server monitors.

Accounts  Each user should have their own, unique user account, and employees should not share user accounts. Even temporary employees should have their own account. Otherwise, you will not be able to isolate a security breach.

Testing  Review and audit your network security at least once a year.

Background Checks  Do background checks on all network support staff. This may include calling their previous employers, verifying their college degrees, requiring a drug test, and checking for any criminal background.

Firewalls  Use a firewall to protect all Internet connections, and use the appropriate proxies and dynamic packet-filtering equipment to control access to the network. Your firewall should provide as much security as your company requires and your budget allows.

Intrusion Detection  Use intrusion-detection and logging software to determine a breach of security. Be sure that you are logging the events you want to monitor.

Cameras  Cameras should cover all entrances to the building and the entire parking lot. Be sure that cameras are in weather-proof and tamperproof housings, and review the output at a security monitoring office. Record everything on extended-length tape recorders.

Mail Servers Provide each person with their own e-mail mailbox, and attach an individual network account to each mailbox. If several people need to access a mailbox, do not give all of them the password to a single network account. Assign privileges to each person’s network account. You can then track activity to a single person, even with a generic address such as info@mycompany.com.

DMZ  Use a demilitarized zone for all publicly viewable servers, including web servers, FTP servers, and e-mail relay servers. Do not put them outside the firewall. Servers outside the firewall defeat the purpose of the firewall.

Mail Relay  Use a mail-relay server for e-mail. E-mail traffic should not go straight to your production servers. That would enable a hacker to directly access your server as well. Use a relay server in a DMZ.

Patches  Make sure that the latest security updates are installed after being properly tested on a non-production computer.

Backups  Store backup tape cartridges securely, not on a shelf or table within reach of someone working at the server. Lock tapes in a waterproof, fireproof safe, and keep at least some of your backups offsite.

Modems  Do not allow desktop modems for any reason. They allow users to get to the Internet without your knowledge. Restrict modem access to approved server-based modem pools.

Guards  In some cases, security guards are necessary. Guards should not patrol the same station all the time. As people become familiar with an environment and situation, they tend to become less observant about that environment. Thus, it makes sense to rotate guards to keep their concentration at the highest possible levels. Guards should receive sufficient breaks to ensure alertness. All patrol areas should be covered during shift changes, rotations, and breaks. Guards should also receive periodic training. Test to ensure that guards can recognize a threat and take appropriate action.

Warning 

Covering all these bases does not ensure that your network or facility is secure. This is just a starting point to head you in the right direction.

Breaking Policy

A security policy is not effective unless it is enforced, and enforced consistently. You cannot exempt certain individuals from policies or the consequences of breaking them. Your network users need to have a clearly written document that identifies and explains what users are and are not allowed to do. Additionally, it is important to state that breaking the policy will result in punishment, as well as which types of policy breaks result in which kind of punishment. Punishment may vary, depending on the severity of the incident. If a policy is broken, the appropriate punishment should be administered immediately.

Major Infractions

As far back as the mid-1980s, employees were being immediately terminated for technology policy infractions. One employee was immediately terminated from a large computer company when pornography was found on his computer’s hard drive. A manager and a security guard visited the employee. The manager informed the employee that he was being summarily terminated. The guard was there to ensure that the employee touched only personal items. The manager logged out the computer session. The former employee could now touch no computer equipment, including storage media such as floppy disks. The manager then informed the guard that the employee had one hour to vacate the premises.

Minor Infractions

A lesser infraction might be accidentally corrupting your desktop computer by installing software from the Internet. Beta products, new releases of software, and patches need to be tested by the IS department before implementation. One episode of downloading and installing a beta release of a web browser invoked action at a national telephone company. After installing the beta version and rebooting, the production Windows NT server became inoperable. The employee’s Internet FTP privileges were revoked for three months.

The Exit Interview

The exit interview is the process in which employers ask employees who are leaving the company about their employment experience. The exit interview is used to minimize risks whether the employee is leaving under favorable circumstances or is being terminated. During the exit interview, a manager, a human resources representative, a network administrator, and a security guard may be involved to different extents.

Returning and Logging Property

When an employee leaves the company, all company property needs to be turned in and logged. This includes, but is not limited to, cellular phones, pagers, toolkits, keys, badges, security tokens, models, and all documents. Obviously, coffee mugs and photos of the spouse do not count. The manager, security guard, or both handle this, depending on whether the employee is being terminated or leaving voluntarily.

Disabling Accounts

The information systems division or department needs to disable all accounts immediately, including those for network and voice mail. This should coincide with the announcement that the employee is leaving (either voluntarily or forcefully). This is especially important when the employee has access to sensitive documents. Even if the person is leaving under favorable conditions, she may still be able to log in and copy data to floppy disks to take with her for her own use. Common practice has extended this from just system administrators to everyone.

Salespeople can easily hurt a company by taking client information with them. One salesperson accessed his former company’s voice mail system and stole sales leads. For total security, you need to look beyond the obvious disgruntled ex-network administrator who demolishes your website after leaving.

Категории