The security survey conducted by the FBI gives a lot of insight into the possible threats faced by companies using IT. Nowadays business is 100% dependent on IT, and we cannot even imagine a corporation working without IT support. This makes computers the target for attackers. An attack on IT and IT infrastructure can cause more damage to a company than a bomb, and since corporations are one of the backbones of any nation's economy, the impact is even more damaging.

The FBI did a very good job with this survey, and it is an eye opener for the corporate world. This article looks into a few of the key findings of the survey and suggests some best practices.
The survey covered almost all industries, and one of its findings is that the threat from within an organization is very high. In some cases the attack or incident is clearly intentional; in other cases (most of them), an employee's lack of knowledge and weak understanding cause the damage. An employee who receives an infected file as an attachment, accepts files through chat clients, or visits pornography and warez sites invites trouble. Most employees are not aware of these traps or of the amount of damage they might cause to their paying masters.
There should be in-depth background checking before employing people as system and network administrators, and their activities too should be logged and monitored. Employees visiting non-business-related sites, installing software and so on can be prevented by using Group Policy and effective use of what already exists (i.e. without spending anything more on new products). If an organization does not have any such features, there are a lot of open source solutions available (like Squid, with which you can prevent users from accessing non-business-related sites). A very high percentage of security-related incidents are due to viruses and spyware. Limiting access to the internet will take care of spyware to a large extent.
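The URL filtering mentioned above works by matching the destination host of each request against a list of blocked domains. The following is an added example, not code from the article and not Squid's own code: it writes out, in Python, the matching rule a filter in the style of Squid's dstdomain ACL applies, so that the edge cases (a blocked domain that is a suffix of an unrelated name, an exact-host entry, a URL with a misleading user-info part) are visible. The block list and the test URLs are constructed for this example.

```python
"""Added example (not from the article, not Squid's code): dstdomain-style
host matching for a URL filter, with a deny-by-default decision function.
The block list below is constructed; the '.test' TLD is reserved for examples."""
from urllib.parse import urlsplit

# Constructed block list. A leading dot matches the domain itself and every
# subdomain; an entry without a leading dot matches that exact host only.
BLOCKED = [".warez-example.test", ".adult-example.test", "chat.example.test"]


def host_of(url):
    """Return the lowercase hostname of a URL (None if it has none).
    Using a real URL parser means 'user@host' tricks resolve to the real host."""
    if "://" not in url:
        url = "http://" + url          # bare 'www.example.test/path' style input
    host = urlsplit(url).hostname
    return host.lower().rstrip(".") if host else None


def domain_matches(host, pattern):
    """'.example.test' matches example.test and a.example.test but never
    notexample.test; 'host.example.test' matches only that exact host."""
    pattern = pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def is_allowed(url, blocked=BLOCKED):
    """True when the request may pass. Anything whose host cannot be
    determined is refused rather than waved through."""
    host = host_of(url)
    if host is None:
        return False
    return not any(domain_matches(host, p) for p in blocked)


def decisions(urls, blocked=BLOCKED):
    """Map each URL to 'allow' or 'deny' (handy for reviewing a proposed list)."""
    return {u: ("allow" if is_allowed(u, blocked) else "deny") for u in urls}


if __name__ == "__main__":
    for url, verdict in decisions([
        "http://intranet.example.test/",
        "http://www.warez-example.test/files",
        "http://notwarez-example.test/",
        "http://intranet.example.test@www.warez-example.test/",
    ]).items():
        print(f"{verdict:5} {url}")
```

The suffix check is the part that most often goes wrong in home-grown filters: matching on `endswith("warez-example.test")` without the leading dot would also block `notwarez-example.test`, while matching only the exact host would let `www.warez-example.test` through.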
Implementing antivirus is something almost all organizations have done. But the irony is that attack by a virus is the most common security incident. There is a famous IT joke: if you want to safeguard your computer from viruses, shut it down and never switch it on. Yes, virus and anti-virus are a never-ending story. But with a little bit of talent and interest, a system administrator can control this to a very large extent. He or she should make sure that the anti-virus is installed on all systems and that the signature files are updated at regular intervals. System administrators should make a habit of visiting the web sites of well-known anti-virus companies so that their knowledge of new breeds of viruses stays up to date. Another best practice is to harden the OS of workstations. This makes the system tougher for a virus or attacker to get into, and it can be done without buying any extra software or hardware.
The majority of organizations are on the Windows platform, and effective use of Group Policy will prevent users from installing software and accessing critical data. Educating employees about the possible threats will reduce the risk and take care of attackers using social engineering. Another useful practice is enabling logging (and analyzing the logs periodically) for critical resources.
A campaign from government about effective use of existing tools and technologies will make a sea of difference. Again, encouraging organizations to go for certifications like ISO 27001 (BS 7799) will bring in a lot of control and safety for IT-related resources.
The table below shows some of the best practices.

Action | Remarks
Enforce strict group policies, which will prevent end users installing software and accessing critical, sensitive resources | Initially this will attract some dissatisfaction from the user community; over a period of time this will be set right.
Block USB drives, CD-ROMs etc. | This will prevent data stealing and the possibility of a virus/worm coming inside the organization. This can be done by blocking them in the BIOS or using software.
Enforce strong and complex passwords, and set expiry for the passwords | This makes guessing the passwords tougher. This can be done through Group Policy.
Enable URL filtering | Management can define what the employees should browse and what not. Try open source solutions like Squid; setting up this tool is also very easy.
Discourage the use of cell phones with memory, Bluetooth, infrared, camera etc. | Uh!! This is going to invite a good amount of resistance from employees. But there are lots of viruses/worms which spread through Bluetooth, and if you have a bad element in the organization, he can take snaps of sensitive areas or copy data to a cell phone.
Make the ActiveX configuration and other such settings non-editable for users | This is just kid's play if you have a system admin with basic knowledge.
Keep the systems updated with updates and patches | Use WSUS and other tools, which are handy and effective.
Enable logging of information | This will keep track of all the users who log in.
Do a detailed analysis of the logs | Yep... just by enabling logs you can't be proactive. You need to analyze them and take the necessary action. Watch the logs carefully when a system admin or any person is about to quit the company.
Enable a firewall (software) on desktops too | If you are on Windows XP with Service Pack 2, it is much easier.
Do a risk assessment for critical servers and resources | This will enable you to understand how vulnerable your IT assets are.
Back up the data | Yes, it is very, very important. Due to an attack, a system failure or accidental deletion, you may lose data. Even though the last two are not security incidents, they have somewhat the same effect as an attack: your business is impacted. If you have the backup, the impact can be reduced.
Keep a copy of your backup in a different location | This will reduce the impact on the business if there is a tsunami, 7/11, etc.
After 3 failed login attempts, the account should be locked | This will eliminate an attacker trying different combinations by trial and error.
Any account not in use should be deleted or blocked | If there is inactivity for more than 21 days, lock the account.
SNMP-enabled devices | New generation printers can order cartridges by themselves when the toner is running out. It is cool!!! But these features will have some back doors (the manufacturers may not have tested all the loopholes), so do not expose these devices directly to the outside world. Your printer may give a grand welcome party to an attacker!!!!
Discourage users from opening attachments from strangers | We don't know what these files will do. If you must, keep a system only for such activities. This system should have more policies and preferably be on a different sub-net.
Stop chain mails | Some mails are good... they make you smile or laugh. But there are black sheep too.
Use CCTV in the datacenter and work area | "Shhh!!! Someone is watching..." This will add a lot of safety. Right?
Use different VLANs/sub-nets | The Marketing team does not require access to the servers used by the Payroll team. In such scenarios, use different networks. In other words, people see what they need to see. Critical data of both teams will be secure and not visible to the other team. In case of a virus attack, only one team will be affected, not the whole office.
Analyze the nature of the business and define an IT security policy which includes access (physical too), rights etc. | If you have a policy, stick to it. Do not allow anyone to violate it. If you think a change will do good, think again, discuss, do some tests and then implement.
Final and most important | Successful implementation of any security policy is 100% dependent on top-level management. It should flow from top to bottom.
Different anti-virus software | If your organization can, buy anti-virus from two different manufacturers (for example 50% of systems on McAfee and the rest on Norton), because some viruses will not be detected by some scanners.
Make OS hardening a must for all desktops and servers | If you are not using a service, turn it off. This will reduce the risk and make the system work better. Moreover, this makes your system healthier.
There is a lot of support and help from government and organizations. Use them. | To name a few: http://www.infragard.net/, http://www.cert-in.org.in/, http://www.ic3.gov/
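Several rows of the table belong together: enable logging, actually analyze the logs, lock an account after 3 failed attempts, lock accounts inactive for more than 21 days, and watch the logs when an administrator is about to leave. The following is an added example, not from the article, that runs those checks over a handful of authentication log lines. The log format, the account list, the fixed "now" value, the watch list and the business-hours window are all constructed or assumed for this example; the 3-attempt and 21-day limits are the article's own numbers.

```python
"""Added example, not from the article: a small review of authentication logs
that turns 'enable logging, then actually analyze it' into code. The log
format, the account directory, the clock value, the watch list and the
business-hours window are constructed/assumed here."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines: "<ISO timestamp> <user> <result>". Not any real product's format.
SAMPLE_LOG = """\
2005-06-01T09:00:00 alice LOGIN_OK
2005-06-20T08:55:00 bob LOGIN_OK
2005-06-21T22:10:00 mallory LOGIN_FAIL
2005-06-21T22:10:20 mallory LOGIN_FAIL
2005-06-21T22:10:45 mallory LOGIN_FAIL
2005-06-22T03:30:00 admin_joe LOGIN_OK
2005-06-22T03:35:00 admin_joe LOGOUT
2005-06-22T09:01:00 carol LOGIN_FAIL
2005-06-22T09:01:30 carol LOGIN_OK
"""

# Constructed account directory; 'dave' exists but has never logged in.
KNOWN_ACCOUNTS = {"alice", "bob", "carol", "dave", "mallory", "admin_joe"}
# Constructed 'now' so the example is reproducible offline.
NOW = datetime(2005, 6, 23, 0, 0, 0)
# Assumed business hours 07:00-20:00; anything outside counts as after hours.
BUSINESS_HOURS = (7, 20)


def parse_log(text):
    """Parse the constructed log into dicts sorted by time; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "result": result})
    return sorted(events, key=lambda e: e["ts"])


def accounts_to_lock(events, threshold=3):
    """Accounts that reached `threshold` failed logins in a row; the counter
    resets on a successful login (the article's 3-attempt lockout rule)."""
    streak = defaultdict(int)
    to_lock = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] == "LOGIN_FAIL":
            streak[ev["user"]] += 1
            if streak[ev["user"]] >= threshold:
                to_lock.add(ev["user"])
        elif ev["result"] == "LOGIN_OK":
            streak[ev["user"]] = 0
    return to_lock


def inactive_accounts(events, known_accounts, now, days=21):
    """Known accounts with no successful login in the last `days` days.
    An account that never logged in successfully is flagged as well."""
    last_ok = {}
    for ev in events:
        if ev["result"] == "LOGIN_OK":
            last_ok[ev["user"]] = max(last_ok.get(ev["user"], ev["ts"]), ev["ts"])
    cutoff = now - timedelta(days=days)
    return {u for u in known_accounts if last_ok.get(u, datetime.min) < cutoff}


def watch_list_activity(events, watch_list, hours=BUSINESS_HOURS):
    """Every event by a watched user (e.g. an admin who has resigned), tagged
    with True when it happened outside business hours."""
    start, end = hours
    return [
        (ev["ts"].isoformat(), ev["user"], ev["result"], not (start <= ev["ts"].hour < end))
        for ev in events
        if ev["user"] in watch_list
    ]


def review(text=SAMPLE_LOG, known=KNOWN_ACCOUNTS, now=NOW, watch_list=frozenset({"admin_joe"})):
    """Run the three checks and return the findings as one dict."""
    events = parse_log(text)
    return {
        "lock": accounts_to_lock(events),
        "inactive": inactive_accounts(events, known, now),
        "watched": watch_list_activity(events, watch_list),
    }


if __name__ == "__main__":
    for name, finding in review().items():
        print(f"{name}: {finding}")
```

On the constructed input the review flags `mallory` for lockout (three failures in a row; `carol` failed once and then succeeded, so her counter reset), reports `alice`, `dave` and `mallory` as inactive, and lists both of `admin_joe`'s events as after-hours activity. In a real environment the same three functions would be fed the exported security log instead of the constructed string.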
Download the FBI's survey report.
Note:
I am yet to upload the report. I have contacted the FBI for approval.
If you want a notification when it is uploaded, please mail me.