NETWORK SECURITY: 10 SIMPLE RULES.
As a CISSP, Certified Ethical Hacker, Network Security Engineer,
and author of InfoSec material such as the Hacking Explained book
and a study guide for the CompTIA Security+ test, I deal with network
security issues that affect both corporate environments and individuals
on a daily basis. And what I see scares me.
In this article, I will highlight 10 simple rules/concepts that
can help you be more efficient in terms of deploying an adequate
network security policy for either your home or your company. As
you will see, a lot of it is common sense-based and does not necessarily
involve spending money. How refreshing!
Rule #1: There is no such thing as true, infallible Network Security.
The sooner you accept that there is no such thing as network security,
the better off you will be. Simply put, what we can engineer, someone
else can reverse-engineer. So what we try and do is not eliminate
risk, but instead mitigate it. The first thing we do is run a risk
assessment that will include an asset inventory and a vulnerability
study for said assets. Then we can attach a cost to the risks that
are identified, so that we can design and deploy a strategy to protect
those assets, the cost of which remains reasonable compared
to the loss of those assets. Indeed, it would be counter-productive
to deploy a $100,000 security strategy to protect $50,000 worth
of assets! Sometimes, risk transference is more cost-effective than
risk elimination.
Once we have deployed our strategy, we have reduced the overall
risk to our data/assets. We have not necessarily eliminated all
the risk. The remaining percentage of risk should be either acknowledged
and accepted, or better yet, transferred to an insurance company,
for example.
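The cost comparison in this rule can be worked through as a small risk-assessment worksheet. The script below is an added example, not code from the article or from Red Cell Security: it inventories assets, attaches an expected yearly loss to each (asset value times estimated yearly likelihood of loss, the usual annualized loss expectancy), and then compares the cost of a protective strategy against the options of simply accepting the risk or transferring it to an insurer. Every dollar figure, probability and control name in it is constructed for illustration.

```python
# Added example (not from the article): a small risk-assessment worksheet that
# follows the article's reasoning: inventory the assets, attach a cost to each
# risk, then compare the price of protecting an asset against what its loss
# would cost, keeping "accept" and "transfer" (insurance) as alternatives.
# The expected-loss formula (value x yearly likelihood) is the standard
# annualized loss expectancy; every dollar figure and probability below is
# constructed for illustration.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Asset:
    name: str
    value: float              # dollars lost if the asset is destroyed or leaked
    annual_likelihood: float  # estimated probability of that loss in a year (0..1)


@dataclass
class Control:
    name: str
    annual_cost: float     # yearly cost of the protective strategy
    risk_reduction: float  # fraction of the loss likelihood the control removes (0..1)


def expected_annual_loss(asset: Asset) -> float:
    """The cost we attach to the risk: asset value times yearly likelihood of loss."""
    return asset.value * asset.annual_likelihood


def treatment_costs(asset: Asset, control: Control,
                    insurance_premium: Optional[float] = None) -> Dict[str, float]:
    """Yearly cost of each way of treating the risk.

    accept   - do nothing and carry the whole expected loss
    mitigate - pay for the control and carry the residual (unremoved) loss
    transfer - pay an insurance premium instead (assumed to cover the loss in full)
    """
    ale = expected_annual_loss(asset)
    costs = {
        "accept": ale,
        "mitigate": control.annual_cost + ale * (1.0 - control.risk_reduction),
    }
    if insurance_premium is not None:
        costs["transfer"] = insurance_premium
    return costs


def recommend(asset: Asset, control: Control,
              insurance_premium: Optional[float] = None) -> Tuple[str, Dict[str, float]]:
    """Pick the cheapest treatment; ties go to the option listed first (accept)."""
    costs = treatment_costs(asset, control, insurance_premium)
    best = min(costs, key=lambda k: costs[k])
    return best, costs


if __name__ == "__main__":
    # Constructed inventory: the article's $100,000 strategy for $50,000 of assets
    # shows up as the second row, where accepting or insuring the risk wins.
    inventory = [
        (Asset("customer database", 50_000, 0.20), Control("firewall + IDS", 4_000, 0.80), 7_000),
        (Asset("lab workstations", 50_000, 0.10), Control("full lockdown", 100_000, 0.99), 3_000),
    ]
    for asset, control, premium in inventory:
        best, costs = recommend(asset, control, premium)
        breakdown = ", ".join(f"{k}=${v:,.0f}" for k, v in costs.items())
        print(f"{asset.name}: {best} ({breakdown})")
```

The residual loss left after a control is what the rule calls the remaining percentage of risk; the worksheet makes that number explicit so it can be consciously accepted or insured rather than forgotten.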
Rule #2: Deploy hardware and software security solutions.
A firewall or two sure can go a long way when it comes to network
security. But make sure that you are filtering both incoming and
outgoing traffic. A VPN is also an effective solution to deploy
for your remote users, but confirm that they also use a firewall
on their end. Intrusion Detection Systems are all the rage, and
are very efficient tools when configured correctly, but outsource
the monitoring of the results unless you want to hire three full-time
employees to do so. Create and deploy an audit strategy, but remember
that auditing means nothing if the logs are not reviewed at least
once daily. Do not give more permissions to your users than they
need to accomplish their job (this is a principle known as "least
privilege"). Similarly, limit the number of admin-level user
accounts on your network, and establish a separation of duties strategy,
whereby the people who have admin rights on the network are not
also the people who review the audit and security logs. If possible,
outsource the log monitoring to a third-party company.
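Two of the points in this rule, the daily log review and the separation of duties between administrators and log reviewers, can be shown concretely. The script below is an added example and not code from the article or from Red Cell Security: it parses a handful of constructed sshd-style log lines (host names, account names and addresses are all made up), produces the findings a once-a-day review should surface, and checks that no account both holds admin rights and reviews the logs. The parser only understands the particular line shape used in the sample.

```python
# Added example (not from the article): the daily log review the article calls
# for, run over a few constructed sshd-style lines, plus a separation-of-duties
# check that nobody who holds admin rights is also a log reviewer. The log
# lines, host names, account names and addresses are all made up for this
# example; the parser only understands this particular line shape.
import re
from collections import Counter
from typing import Dict, Iterable, List, Set

SAMPLE_LOG = """\
Mar 03 08:01:12 fw1 sshd[412]: Failed password for admin from 203.0.113.7 port 51022
Mar 03 08:01:15 fw1 sshd[412]: Failed password for admin from 203.0.113.7 port 51023
Mar 03 08:01:19 fw1 sshd[412]: Failed password for admin from 203.0.113.7 port 51024
Mar 03 08:01:22 fw1 sshd[412]: Failed password for admin from 203.0.113.7 port 51025
Mar 03 08:01:25 fw1 sshd[412]: Failed password for admin from 203.0.113.7 port 51026
Mar 03 08:02:40 fw1 sshd[430]: Accepted password for admin from 203.0.113.7 port 51030
Mar 03 09:15:03 srv2 sshd[911]: Accepted publickey for alice from 192.0.2.20 port 40110
Mar 03 09:30:44 srv2 sshd[915]: Failed password for bob from 192.0.2.31 port 40200
Mar 03 09:31:02 srv2 sshd[915]: Accepted password for bob from 192.0.2.31 port 40201
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+)"
)


def parse_log(text: str) -> List[Dict[str, str]]:
    """Turn matching lines into dicts; lines of another shape are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def daily_review(events: Iterable[Dict[str, str]], admin_accounts: Set[str],
                 failure_threshold: int = 5) -> List[str]:
    """Findings a once-a-day review should surface, in the order they are detected:
    admin-account logins, successes that follow a burst of failures, and
    sources that kept failing."""
    findings: List[str] = []
    failures: Counter = Counter()   # (source ip, account) -> failed attempts
    for e in events:
        key = (e["ip"], e["user"])
        if e["result"] == "Failed":
            failures[key] += 1
            continue
        # A successful login: worth a line if it is an admin account, and worth
        # another if the same source had just been failing repeatedly.
        if e["user"] in admin_accounts:
            findings.append(f"admin account '{e['user']}' logged into {e['host']} "
                            f"from {e['ip']} at {e['ts']}")
        if failures[key] >= failure_threshold:
            findings.append(f"successful login for '{e['user']}' from {e['ip']} "
                            f"after {failures[key]} failures")
    for (ip, user), n in failures.items():
        if n >= failure_threshold:
            findings.append(f"{n} failed logins for '{user}' from {ip}")
    return findings


def separation_of_duties_violations(admin_accounts: Set[str], log_reviewers: Set[str]) -> Set[str]:
    """Accounts that both administer the network and review its logs; should be empty."""
    return set(admin_accounts) & set(log_reviewers)


if __name__ == "__main__":
    for f in daily_review(parse_log(SAMPLE_LOG), admin_accounts={"admin", "carol"}):
        print("FINDING:", f)
    overlap = separation_of_duties_violations({"admin", "carol"}, {"carol", "dave"})
    print("separation of duties violated by:", sorted(overlap) or "nobody")
```

Run against the sample, the review reports the admin login, the fact that it followed five failed attempts from the same address, and the burst itself; the separation check reports the one account that appears in both groups. The point of the exercise is the article's: the log entries already contained all of this, and it surfaces only because someone looks.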
Rule #3: Don't deploy wireless LANs.
No matter what vendors tell you, Wireless LANs (WLANs) are not
secure. Period. WEP, the so-called encryption mechanism used in
WLANs, uses a weak encryption key, and can be cracked easily. Many
homes are now equipped with WLANs, especially where home users want
to share a broadband connection between different roaming laptops
- yes, it's cool to be surfing the web from your garden, but it
also means that anyone driving by can hop on your network and start
either using your bandwidth or even perusing your personal data!
If you are going to deploy a WLAN, either in the home or at work,
there are simple guidelines that should be put in place: don't allow
SSID broadcasts, turn off DHCP, use MAC filtering, enable 128-bit
WEP, and by all means, replace all the default security features
on your Wireless Access Point such as admin logon information and
the name of the AP. And do yourself a favor: if what you just read
is foreign to you, hire a security professional to come do it for
you. It takes less than an hour, and constitutes a valid first line
of defense.
Rule #4: Deploy and update an anti-virus solution.
If a computer exists on your network, it should be running an updated
anti-virus solution. You can even download one for free - and legally
- from the Internet if you can't afford to pay for one. What you
really can't afford to be doing is not running anti-virus software.
And again, make sure that it is updating itself at least once a
day! Many software packages can be configured to automatically run
these updates, so that users don't have to remember to do it - which
we all know we don't...
In this category, I would also like to point out that a pop-up
blocker is a darn good idea, along with using anti-spyware software
such as Ad-Aware and Spybot on a regular basis.
Rule #5: Patch all your servers and workstations.
Manufacturers release security patches and other assorted hotfixes
at regular intervals. This constant research and development costs
these companies a lot of money - so they are not doing it just for
fun. Did you know that most if not all of the latest worms and viruses
that plagued computer networks the world over in the past 2 or 3
years had patches released at least 90 days prior to when the worms
were released? In other words, had people kept up to date with their
patches, those worms would have had absolutely no impact on our
networks - and our economy. None. So who is the real criminal: the
person who releases a worm, or the person who fails to update their
machines and allows their network - at home or at work - to be vulnerable
to obsolete exploits?
Rule #6: Educate your users.
The more training and awareness you bring to your users, the more
secure your network will become. This is just about the best money
you can spend on security. And no, user training is not a once-a-year
affair, but instead should be a recurrent activity. I simply
cannot stress with adequate emphasis how important this point is.
But I guarantee you this: if you don't train your users, your network
is more at risk than if you walked around with a sign that says
HACK ME in the middle of LAX, complete with your administrator-level
username and password. But hey, you may meet some new friends while
you stroll from flight terminal to flight terminal with your little
sign. Just make sure to give them a fake phone number and address!
Rule #7: Understand the threat of Social Engineering.
Social Engineering is the number one hacking threat against your
network. It involves a hacker with malicious intent calling your
users more or less randomly, and extracting information about the
network from them. You would be amazed to see how easy it is to
gain extremely insightful information about a network by simply
*asking*. And realize this: there is no technological gizmo you
can spend a fortune on that will fix this issue. So what can we
do? Please refer to Rule #6. Social Engineering is so strong
a threat that ignoring it will lead to your network being compromised
and your data being far less confidential than you would hope.
Rule #8: Use a shredder and other seemingly paranoid activities.
Any document that includes any personal, protected, private and/or
confidential data should be shredded. If you donate or throw away
old computers, physically destroy the hard drives. If you have dumpsters
outside your home/office, lock them up to prevent dumpster diving.
Do not give personal/private/confidential information over the phone
or via email/website form unless *you* initiated the conversation.
No legitimate bank/company will ever ask you to verify your identity/username
and password unless you started the process. Identity theft is at
an all-time high, and these simple measures will help you protect
yourself and your company from it.
Rule #9: Use a real password.
And by real, I mean a strong password. A strong password includes
at least 8 characters, mixing upper case and lower case letters,
numbers and ASCII symbols such as !@#$ and %. A password
should never be written down, shared, reused, or kept for more than
30 days. A password is a secret between a server and yourself, and
like all good secrets, should not be shared with anyone else. If
you feel that your password may have been compromised, change it.
A password should never be an actual word that can be found in a
dictionary, and should never be an obvious word or amalgam of words
that are easy to guess. Your dog's name or your anniversary date
are not good passwords.
Deploying a strong password policy will not make you everybody's
new best friend, but hey, luckily, that's not part of our job description
anyway!
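The password rules in this section are the kind of policy that is easy to state and easy to get wrong in practice, so here they are as a checker. This is an added example, not code from the article or from Red Cell Security: it tests length, character classes, the dictionary rule and the 30-day age limit. The word list is a constructed stand-in for a real dictionary such as /usr/share/dict/words, and the amalgam test goes one step beyond the text by rejecting any concatenation of dictionary words, not just a single word.

```python
# Added example (not from the article): a checker for the password rules the
# article lists (at least 8 characters, upper and lower case, numbers, ASCII
# symbols, not a dictionary word or an amalgam of words, not kept longer than
# 30 days). The word list is a constructed stand-in for a real dictionary such
# as /usr/share/dict/words; the amalgam test goes a step beyond the text by
# detecting any concatenation of dictionary words, not just one word.
from datetime import date
from typing import List, Set

# Constructed mini-dictionary; load a full word list in real use.
DICTIONARY: Set[str] = {"password", "summer", "welcome", "dragon", "rex",
                        "admin", "secret", "hello", "world", "letmein"}


def is_word_amalgam(letters: str, dictionary: Set[str]) -> bool:
    """True if `letters` splits entirely into dictionary words (e.g. 'helloworld')."""
    n = len(letters)
    reachable = [False] * (n + 1)   # reachable[i]: letters[:i] is a run of words
    reachable[0] = True
    for end in range(1, n + 1):
        for start in range(end):
            if reachable[start] and letters[start:end] in dictionary:
                reachable[end] = True
                break
    return n > 0 and reachable[n]


def check_password(pw: str, dictionary: Set[str] = DICTIONARY, min_length: int = 8) -> List[str]:
    """Return the rules the password breaks; an empty list means it passes."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.islower() for c in pw):
        problems.append("no lower case letter")
    if not any(c.isupper() for c in pw):
        problems.append("no upper case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no number")
    if not any(32 < ord(c) < 127 and not c.isalnum() for c in pw):
        problems.append("no ASCII symbol such as !@#$%")
    # Dictionary test on the letters alone, so 'Summer2024!' still fails it.
    letters = "".join(c for c in pw if c.isalpha()).lower()
    if letters and (letters in dictionary or is_word_amalgam(letters, dictionary)):
        problems.append("built from a dictionary word or an amalgam of words")
    return problems


def needs_rotation(last_changed_iso: str, today_iso: str, max_age_days: int = 30) -> bool:
    """True once a password (dates as YYYY-MM-DD) has been kept for more than max_age_days."""
    age = date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)
    return age.days > max_age_days


if __name__ == "__main__":
    for candidate in ["rex2009", "Summer2024!", "HelloWorld#42", "xK9#pQ2!mZ"]:
        verdict = check_password(candidate) or ["OK"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
    print("rotate?", needs_rotation("2006-01-01", "2006-02-05"))
```

Stripping digits and symbols before the dictionary test is the part most home-grown checkers miss: a dictionary word with a year and an exclamation mark bolted on satisfies every character-class rule while still being an obvious guess.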
Rule #10: Apply real world common sense to your computer activities.
If you drive down the road and see what looks like a car part on
the side of the road, you are not going to stop and force that part
into your automobile. Why would you do that with your computer?
I have seen countless occurrences of users downloading and installing
software on their machine without really knowing what that software
is or does, just because a pop-up window told them to do so. Don't
allow Instant Messenger traffic on your corporate network, since
it is basically clear text and a hole in your firewall. Don't allow
peer-to-peer software such as Napster, Kazaa or Morpheus, since
it is riddled with spyware and malware of all sorts, not to mention
the risk that your users may download and store on your corporate
network pirated versions of copyrighted material, from songs to
movies, from software to ebooks.
Conclusion:
In conclusion, a lot of what these rules are based on is simple
common sense. This article is not by any means an end point on the
matter, but more a starting point for home users and corporate users
alike to re-think their security strategies.
Home users always tell me "there is nothing in my computer,
so I don't care if hackers look at it." Remember: hackers are
not only interested in the data that may or may not be stored on
your home computer. They are also interested in compromising all
sorts of machines, and launching Distributed Denial of Service attacks
from them. So even if your data is safe, your machine, network,
and bandwidth can be used to create havoc on some company's network.
This havoc can include financial damages that mount up pretty fast
- and for which you may be held partially or even entirely responsible,
if you can't show due diligence in the way you secured your home
computer/network.
It is our responsibility to be aware of our network security, just
as it is our responsibility to drive safely and not endanger others.
This is more a question of awareness than anything else, but in
these post-9/11 days, this awareness needs to remain at the forefront
of our consciousness. And remember: patch servers, train users,
apply anti-virus solutions, and use common sense. And if you can't
do it, hire someone who can!
David Jacquet
Sec+, MCSE, CEH, CEI, CISSP
Dave is the President of Red Cell Security (www.RedCellSecurity.com).
Dave serves as Network Security Engineer and InfoSec Trainer, focusing
on core security services such as Vulnerability Assessments, Penetration
Testing and Social Engineering engagements.
NOTE: This content is copyright 2006 Red Cell Security and
may not be reproduced in any fashion without prior written consent
from Red Cell Security.