1 Cyber Security: An Introduction Security is always a trade-off between convenience and protection. A good security policy is convenient enough to prevent users from rebelling, but still provides a reasonable amount of protection against common threats. Prepared by Cronkite Security Consulting
3 1 Cyber Security: An Introduction Rationale The purposes of this report are the following: Inform clients of Cronkite Security Consulting of the current issues related to computer security Educate clients on steps they can take to make their computers more secure This document specifically pertains to our clients Information Technology, but is applicable to all departments and their computer facilities. This document does not supersede, but rather enhances, clarifies, and complements, the standards for computer use already specified by the each client s Threat Protection Plan Modern Threats Every day and night, a typical Information Technology (IT) Department at a typical midsized corporation is quietly attacked by Internet outsiders who are trying to find weaknesses in the company s network by using port scans, Trojan horses, viruses, and other hacker tools. All of our clients report that their systems have at one time or another been compromised by outsiders. In some cases, the outsiders then used company systems to attack and wreak havoc on other network locations. Some of our clients files have been corrupted or deleted by unscrupulous hackers. Unauthorized personnel have used IT computers to send inflammatory messages. Modern Solution The solution is for all IT staff to become informed of the dangers of the Internet and to take necessary precautions. This is not easy. In fact, a state of perfect security is impossible. Security is not a destination, but a journey a process requiring vigilance from all the members of an organization. Security is a process of constantly adjusting to changing conditions, modifying existing passwords, enhancing existing firewalls, securing the physical locations of computers, training personnel, and updating all security systems. IT personnel have the continual and constant responsibility for protecting their organization s resources. A Secure Plan The policies and procedures described in this document seek to find a happy medium between security on the one hand and convenience, flexibility, and budget limitations on the other. No organization can enjoy both a high level of security and a high level of convenience. Increased security always decreases convenience, and vice versa. For this reason, security procedures demand constant communications between users and managers. Therefore, all personnel are cordially invited to discuss this document
4 A Secure Plan 2 with their organization s IT Director so that the balance between security and convenience is continuously updated. The security procedures involve the following general areas: Structured Security Location Security Password Security and Anti-Virus Security Operating System Security By taking the necessary steps in each of these areas, the risk of security compromises will be lowered to an acceptable level. Structured Security IT security should be under the direction of a Computer Security Committee. Ideally, this committee would consist of six people: The IT Director Three managerial members from different departments in the organization Two non-managerial members, usually members of the support staff The responsibilities of the Computer Security Committee are fourfold: Oversee all security matters in the organization Set and enforce security policies Monitor the balance between security and convenience The person directly in charge of computer security is the IT Director. He or she carries out the policies set by the Computer Security Committee. We recommend that each IT department employ one employee who can spend up to 20 hours per week on security measures. Location Security During hours that an organization s facilities are unlocked, its IT Department personnel should do the following: Keep IT offices locked while not present. Keep outer doors to office complexes locked when appropriate. Keep doors to computer network servers locked at all times. Maintain backups of all important files in separate physical locations. Backups Off Site Figure 1 illustrates these important recommendations. For a larger, poster-sized copy of Figure 1, please Thalia Cruz at Server Doors Locked Figure 1 IT Doors Locked Outer Doors Locked
5 3 Cyber Security: An Introduction She would be happy to send multiple copies for posting throughout your organization s IT department. Passwords Eighty percent of security is proper password management. This means that: Every computer, where possible, has an access password. Each user has a password to access the department network. Large, important, or confidential files should be password protected. For passwords to be most effective, users should use the following guidelines: Passwords should be at least 8 characters long. Passwords should not be words found any dictionary. Passwords should include letters, numbers, and punctuation. Passwords should not be written down anywhere, and therefore should be easily remembered by the user but nonsense to anyone else. For example, w2mmed means walk to mountain meadow to the user, but would be nonsense to others. The password wrks4zip means works for nothing to the user but would be impossible to guess by anyone else. Passwords should never be given to anyone else. Passwords should never include readily accessible personal information such as addresses, telephone numbers, or family or pet names. The goal, then, in creating passwords is to combine letters, symbols, and numbers to make lengthy nonsense. This makes the password nearly impossible for malicious hackers to determine. Users should change their passwords monthly, without ever repeating a previous password. If a computer system is suspected of being compromised, then all passwords on that system should be changed immediately. An IT officer should periodically remind the network users to make sure their passwords follow the above guidelines. & Anti-Virus Protection All users should have anti-virus software loaded on their computers and should be diligent in keeping anti-virus definitions current to protect against the latest viruses. Users of Microsoft Outlook and Outlook Express should make sure that their mail clients have the latest security patches to prevent the automatic running of attachments. users should never open attachments or messages from unknown sources. Network Security Network security begins with the department network firewall. The Information Technology firewall should be configured to deny all traffic to and from computers outside the department unless such traffic meets a clear need and is approved by the department Computer Security Committee. No FTP or Telnet should be allowed through the firewall without specific approval. Even with approval, those using FTP, Telnet, Xwindows, or VPN should use Secure Shell for Unix/Linux/Windows clients.
6 A Secure Plan 4 All Web and servers should reside on the DMZ port of the firewall only. Data packets attempting to pass through the Information Technology network should be allowed only if they come from internal addresses or from approved external addresses. The Computer Security Committee should review specific exceptions to these firewall rules. Department network ports should allow access to HTTP (Web), HTTPS/SSL (Secure Web), SMTP and POP3 ( ), and other necessary services vital to department functions. NAT (Network Address Translation) will be deployed on the private (trusted) side of the Information Technology network to translate all internal (private) TCPIP addresses to one public (untrusted) TCPIP address that can be seen on the public (untrusted) side of the Information Technology network.
7 5 Cyber Security: An Introduction Index Information Technology, 1, 3, 4 IT. See Information Technology password, 3 Password, 2 passwords, 1, 3 Passwords, 3