Network Data and Security

Recently, I’ve been consulting with a client on network improvements. Following is an email I sent them as a preface to some upgrades – such as migrating to a Novell SUSE Linux network.

============
From Email
============

As a reminder, security is relative. You have to weigh the cost vs usability vs convenience. If security practices are too complicated, end users will attempt to circumvent them at every turn. However, if the security measures only present a small burden to the end users, then most users will embrace them.

There are no one-stop security solutions. Period. Anyone who tries to sell you that philosophy is selling snake oil and will lull you into a false sense of security. Always avoid single-vendor lock-in to proprietary solutions as much as possible. I always favor free and/or open-source solutions where possible.

##############
User Training
##############
Most companies fail at training their users in basic technical skills and safe practices. In the short term, low training expenditure may produce faster employee turnaround; in the long term, it costs more.

Not only should users (employees) be educated on the basic skills for their jobs, they should also be educated on basic security best practices and company policy. As technology changes, users should be further educated as necessary for their particular jobs. In today’s fast-paced world of data exchange, this is a necessity, not an option.

##############
Data Security
##############

First, you need to consider that, like most things, your data is only as safe as the weakest link in the chain. No matter what types of technology you employ, all it takes is one rogue employee with access to the data. This is where your company policies and NDAs come into play heavily. Employees must know that there are severe consequences for breaching policies.

Data must not be permitted to leave the company network unless a user has specific permission to remove it. This includes USB drives, company and non-company laptops, cell phones, PDAs, etc. Even hand-written notes concerning company information must be carefully considered.

Any data that is allowed to leave the company network and confines must be encrypted (see mobile security). It does no good to have the company information locked down, only to transport it in the free and clear.

##############
Email Security
##############

All company email must be controlled tightly through a service such as Google Apps Premier Edition powered by Postini. This allows for superior email security, archiving, and control.

“By 2005, 24% of companies had email subpoenaed and 15% had gone to court over lawsuits triggered by just employee email. According to the same survey, 10% of email at work contained sexual, romantic, or pornographic content.” – http://www.amanet.org/press/amanews/2006/blogs_2006.htm

Plan Now for Managing Electronic Data Avoid Tomorrow’s Legal Risks
www.google.com/a/help/intl/en/security/pdf/WP44-BMGuide.pdf

The Impact of the New FRCP Amendments on Your Business
www.google.com/a/help/intl/en/security/pdf/WP42-FRCP_0107.pdf

The use of private consumer accounts must be heavily discouraged. This is one of the easiest attack vectors as a simple copy/paste or upload of a file is all it takes for data leakage. As evidenced by the recent Sarah Palin Yahoo account compromise, most individual users do not employ any sort of security with regard to challenge/response systems, etc.

http://www.google.com/apps/intl/en/business/editions.html

$50/year/user

Emailed information is not secure unless you use end-to-end encryption techniques such as OpenPGP. This is a non-proprietary protocol for email encryption using public key cryptography.

SSL connections provide security from the sender’s application to the email server, but the security stops there if the receiver’s email provider does not support SSL.

I would even go so far as discouraging the use of MS Outlook and recommending web-based email only, via Firefox and Google with the Better Gmail extension for persistent SSL. For those requiring a desktop application – Mozilla Thunderbird combined with the Sunbird and Lightning extensions for Google Calendar integration provides a near-complete replacement for Outlook.

##############
Network Security
##############

Users should be able to access exactly the resources they need to do their job and do it well. By extension, users should have no access to resources that are not needed.

This should be enforced by secure and robust authentication measures such as those provided by Novell and SUSE. Firewalls and security gateways should also be in place to enforce policies. This extends to Internet access as well.

http://www.astaro.com/our_products/astaro_security_gateway

http://www.opendns.com
*See attached screenshot – 24 hr period attempts to access MySpace

WiFi security should be a subset of the network security. Encryption should be provided by WPA-PSK or RADIUS with a sufficiently strong key (at least 20 characters) to prevent brute-force attack possibilities. 10 non-random characters are not enough. WEP should never be used. Once users are on the wireless network, network authentication should still enforce resource access.
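To make the "20 characters, not 10 non-random ones" point concrete, here is an added example (not from the email above) showing why WPA-PSK strength rests entirely on the passphrase: the PSK is derived from only the passphrase and SSID, so the guessing work is set by the passphrase's keyspace. The guessing rate of 100,000 PBKDF2 evaluations per second is an assumed figure for illustration, not a measurement.

```python
import hashlib
import math

# WPA/WPA2-PSK derives the 256-bit pairwise master key from nothing more than
# the passphrase and the SSID (IEEE 802.11i: PBKDF2-HMAC-SHA1, 4096 rounds,
# 32 bytes). No other secret goes in, so the key is exactly as strong as the
# passphrase itself.
WPA_PBKDF2_ROUNDS = 4096
WPA_PSK_BYTES = 32


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Return the WPA-PSK for a passphrase/SSID pair."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases must be 8-63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"),
        WPA_PBKDF2_ROUNDS, WPA_PSK_BYTES)


def keyspace_bits(choices_per_position: int, positions: int) -> float:
    """Bits of guessing work for a passphrase built from `positions`
    independent picks out of `choices_per_position` alternatives."""
    return positions * math.log2(choices_per_position)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case years to try every candidate at a given guessing rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def compare_policies(guesses_per_second: float = 1e5) -> dict:
    """Three passphrase styles as guessing-work estimates.
    guesses_per_second is an assumed offline PBKDF2 rate (constructed)."""
    styles = {
        # "10 non-random characters": roughly two words from a 50,000-word list
        "two dictionary words": keyspace_bits(50_000, 2),
        # 10 random lowercase letters
        "10 random letters": keyspace_bits(26, 10),
        # 20 random printable ASCII characters, the email's minimum length
        "20 random printable": keyspace_bits(95, 20),
    }
    return {name: (round(bits, 1), years_to_exhaust(bits, guesses_per_second))
            for name, bits in styles.items()}


if __name__ == "__main__":
    print(wpa_psk("password", "IEEE").hex())  # IEEE 802.11i test vector
    for name, (bits, years) in compare_policies().items():
        print(f"{name:22s} {bits:6.1f} bits  ~{years:.3g} years to exhaust")
```

The 4096 PBKDF2 rounds only slow each guess by a constant factor; they never turn a short or dictionary passphrase into a strong one.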

##############
Desktop Security
##############

If your desktop computers are compromised, then the other security practices become a moot point. Not only must you have strong network security to provide authentication for your users’ desktops, you must also have a strong policy of “not leaving your desktop while logged in”, etc. Passwords written on sticky notes on the monitor are simply unacceptable.

You must also strongly enforce the use of safe software practices, such as using Firefox as the primary browser and IE only for specific trusted sites. Each desktop computer should be configured with an appropriate anti-virus license (such as AVG). Your users should be strongly discouraged from downloading and installing non-approved third-party software.

External device connections (USB drives, etc.) should be discouraged without approval. These are easy vectors for data leakage.

##############
Mobile Security
##############

Any time devices are taken off-site, the security risks increase by a factor of 1000. Company network access should be provided by VPN only. Company email should be provided by SSL only.

ALL LAPTOPS should have full-drive encryption or at the least encrypted containers for all company data.

www.truecrypt.org

A strong policy of data privacy should be enforced with all mobile users.

##############
Backup Security
##############

A solid backup plan involves primary local backups and secondary off-site backups. All backup data should be encrypted. It does zero good to have security on your network, devices, etc., if your backup files are in the free and clear.

www.jungledisk.com