Chapter 12. General Rules For All Computer Users And Companies Engaged In E-commerce

Four Easy Steps to a More Secure Computer

Running a secure computer is a lot of work. If you don’t have time for the full risk-assessment and cost-benefit analysis described previously, we recommend that you at least follow these four easy steps:

1. Decide how important security is for your site. If you think security is very important and that your organization will suffer significant loss in the case of a security breach, the response must be given sufficient priority. Assigning an overworked programmer who has no formal security training to handle security on a half-time basis is a sure invitation to problems.

2. Involve and educate your user community. Do the users at your site understand the dangers and risks involved with poor security practices (and what those practices are)? Your users should know what to do and who to call if they observe something suspicious or inappropriate. Educating your user population helps make them a part of your security system. Keeping users ignorant of system limitations and operation will not increase the system security—there are always other sources of information for determined attackers.

3. Devise a plan for making and storing backups of your system data. You should have off-site backups so that even in the event of a major disaster, you can reconstruct your systems.

4. Stay inquisitive and suspicious. If something happens that appears unusual, suspect an intruder and investigate. You’ll usually find that the problem is only a bug or a mistake in the way a system resource is being used. But occasionally, you may discover something more serious. For this reason, each time something happens that you can’t definitively explain, you should suspect a security problem and investigate accordingly.

Twenty-five Specific Rules for More Secure Computing

Rule 1: Think about computer theft before it happens.

Rule 2: Make backups regularly and take steps to ensure that they will survive if your computer is physically threatened.

Rule 3: Select passwords that you will be able to remember but will be very difficult for someone else to guess.

Rule 4: Keep your operating system and key application software up-to-date.

Rule 5: Configure your mail program not to open attachments automatically.

Rule 6: Before opening any attachment, look at the name to verify that it is not an executable program.

Rule 7: Never open an attachment from someone you do not know unless you are very sure that it is a type of file that cannot contain malicious code.

Rule 8: Do not open an attachment from someone you do know and trust unless you are sure that they sent it deliberately.

Rule 9: Consider configuring your e-mail program to not process “fancy” HTML and not to send it to other computers.

Rule 10: Check with your ISP to see if they are checking e-mails for viruses and similar threats before delivering e-mail.

Rule 11: Do not allow web sites to download and execute potentially malicious programs on your computer unless you know that the site is trustworthy.

Rule 12: Display the web site address you are visiting and the address you are linking to, and pay attention to them while visiting an unfamiliar web site, especially if you are allowing the site to execute programs on your computer.

Rule 13: Consider controlling under what situation you allow cookies to be stored on your computer. If you cannot control them (such as when using a computer in a public location), consider not entering private information.

Rule 14: If there is any sort of private information displayed on a web page, clear the cache after the session is over. If you cannot clear the cache (from a computer in a public location, for example), you may decide not to use this particular computer for the task.

Rule 15: If you are not using file sharing, disable it. If you are using it, to the extent possible, limit the kinds of things that can be done to those functions that you need.

Rule 16: If you use file sharing, set robust usernames and passwords and limit the access permissions to the least possible that will allow you to do your work.

Rule 17: If you share files with another user, make sure that they take security seriously.

Rule 18: Instant messaging can be very helpful, but use it with care and knowledge.

Rule 19: Disable all Internet services that are not needed and used regularly.

Rule 20: Every computer that is vulnerable to viruses should run anti-virus software and should check for up-to-date virus signatures daily. A full scan of the machine should be performed periodically as well.

Rule 21: Computers that are not particularly subject to viruses, such as Unix-based systems, should nevertheless ensure that the mail they send out does not contain a virus that may harm the recipient.

Rule 22: Keep your operating system and key application software up-to-date.

Rule 23: All computers should be protected by a firewall of some sort, either software within the computer, or an external firewall protecting that computer or an entire local network of computers.

Rule 24: If you use remote access facilities to remotely control any computers, make sure that they have robust security (at the very least, excellent usernames and passwords) to ensure that attackers do not use these same tools.

Rule 25: System functions and applications logs should be judiciously enabled.

Checklist for Companies Engaged in Credit Card Transactions

A) If your computer is not on a network:

• The company’s computers should be kept in a physically secure location.

• A robust password should be used to unlock the computer, and as few people as possible should know it.

• Physical access allows a person to circumvent passwords, so physical security is important. If you have physical access to the machine, you can boot it using a CD or floppy, completely bypassing all security measures built into the operating system and application (other than encryption).

• File-level security should be used to restrict access to data; only those people that must work with the data should have access to it. (For Windows machines, this means you must use the NTFS file system).

• Deploy up-to-date security patches on the operating system, the database system and all application software. Note that more recent versions of operating systems are much easier to secure than older versions.

• Run anti-virus and intruder detection software on the system.

• Credit card data files should be encrypted with strong encryption.

• Precautions should be taken to ensure that temporary files do not contain unencrypted information. When no longer needed, these files should not simply be erased; they should undergo the electronic equivalent of shredding.

• Logs should be used to track all accesses to sensitive files, and the logs should be scanned regularly for potential problems or error indications. Consider writing two copies of logs and locating the second log on a different host than the one running the application.

• Monitor security alert mailing lists to ensure that if there is a potential breach related to your systems, you know about it quickly.

• In the case of a potential or actual breach, take all precautions immediately to reduce risk – containment.

• Ensure that all staff understand that security is important to the organization and that senior management places it very high on its priority list.

• If you dispose of a hard disk that contains credit card or other financial data, make sure that the data is no longer accessible. This goes beyond deleting the files; seek professional assistance if you are not sure how to destroy data completely.

• Make regular backups and ensure that backups which contain credit card information are handled securely.

• Publish a Privacy Policy telling your users that you are storing this information, what you will use it for, and (in vague terms) how you are protecting it.

• If you do credit card charge validation online, make sure that this link is secure. If you are working with a dial-up modem, ensure that incoming calls are not allowed.

• If you print records with credit card information on them, physically secure them, and shred them when they are no longer needed.

• Buy several up-to-date books from respected sources on e-commerce security, read them, and follow their advice. O’Reilly & Associates, John Wiley & Sons and Osborne/McGraw-Hill have excellent books on the subject of IT security. Such books may be expensive, depending on your location, but they are a good investment.
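One way to carry out the "electronic shredding" of temporary files that the list above calls for, as an added example that is not from the original document: the file is overwritten in place with random bytes, forced to disk, truncated, and only then unlinked. The sample record, the file name and the helper names are constructed for this example.

```python
import os
import secrets
import tempfile

# Constructed sample: the kind of temporary record a checkout application might
# write while validating a charge. The card number is the well-known Visa test PAN.
SAMPLE_RECORD = b"order=1042 pan=4111111111111111 exp=05/04 amount=19.95\n"


def overwrite_in_place(path: str, passes: int = 3, chunk_size: int = 64 * 1024) -> int:
    """Overwrite every byte of the file with random data, `passes` times, forcing
    each pass to disk. Returns the file size in bytes.

    Caveat: this only destroys the data where the filesystem rewrites blocks in
    place. Journaling, snapshots, SSD wear levelling and backups can keep older
    copies, which is why the chapter says to seek professional help for disk
    disposal.
    """
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                # An unbuffered write may be short, so track what was actually written.
                written = fh.write(secrets.token_bytes(min(chunk_size, remaining)))
                remaining -= written
            os.fsync(fh.fileno())
    return size


def shred_file(path: str, passes: int = 3) -> int:
    """Overwrite, truncate to zero length (so the size is not left in metadata),
    and unlink. Returns the number of bytes that were overwritten per pass."""
    size = overwrite_in_place(path, passes)
    with open(path, "r+b") as fh:
        fh.truncate(0)
        fh.flush()
        os.fsync(fh.fileno())
    os.unlink(path)
    return size


def demo() -> dict:
    """Write the sample record to a temp file, confirm the plaintext is really on
    disk, overwrite it, confirm it is gone, then finish the shred."""
    fd, path = tempfile.mkstemp(prefix="charge-", suffix=".tmp")
    with os.fdopen(fd, "wb") as fh:
        fh.write(SAMPLE_RECORD)

    with open(path, "rb") as fh:
        visible_before = SAMPLE_RECORD in fh.read()

    overwrite_in_place(path, passes=1)
    with open(path, "rb") as fh:
        visible_after_overwrite = SAMPLE_RECORD in fh.read()

    overwritten = shred_file(path)
    return {
        "visible_before": visible_before,                    # True: plaintext PAN was on disk
        "visible_after_overwrite": visible_after_overwrite,  # False
        "bytes_overwritten": overwritten,                    # len(SAMPLE_RECORD)
        "exists_after": os.path.exists(path),                # False
    }


if __name__ == "__main__":
    print(demo())
```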

B) If the computer must be accessible to the internal network:

• All the items mentioned above, and:

• Set up a firewall to ensure that only legitimate users and transactions can contact this machine, and that general Internet access is not allowed.

• Install up-to-date security patches on all network equipment (routers, firewalls, switches, etc.).

• Consider using encrypted transmission for all credit card-related messages.

• Turn off all network services on the computer that are not essential (such as File Transfer Protocol, Remote Procedure Call, web server).

C) If credit card information is accessible via the WWW:

• All previous items mentioned above, and:

• Do not put credit card information on an Internet accessible machine. Keep the data on a separate machine behind a firewall and use a remote procedure call (RPC) or other communications method to access the file, with appropriate filtering at the firewall.

• Encrypt the transactions over the network (SSL or an equivalent) using the strongest encryption practical (128 bit, if available).

• Ensure that credit card information that is temporarily stored on the web server is erased once the transaction is complete.

If credit card information must reside on the Internet-accessible machine:

• All of the above precautions apply, but with increased awareness of the security risks – monitor this machine, the transactions, and the logs very carefully.
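A small scan of the kind that the logging bullet in section A and the monitoring item above describe, as an added example that is not from the original document: it parses constructed sample log lines recording accesses to a sensitive file and flags users outside an assumed authorization list, bursts of denied attempts, and access outside business hours. The log format, file paths, user names and thresholds are all assumptions made for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log: one line per file access, in an assumed key=value format.
# In practice a second copy of these lines would be written to a separate log host.
SAMPLE_LOG = """\
2003-05-12T09:14:02 user=alice action=read file=/secure/cards.dat result=ok
2003-05-12T09:15:40 user=bob action=read file=/secure/cards.dat result=denied
2003-05-12T09:15:44 user=bob action=read file=/secure/cards.dat result=denied
2003-05-12T09:15:49 user=bob action=read file=/secure/cards.dat result=denied
2003-05-12T10:02:11 user=carol action=read file=/public/catalog.txt result=ok
2003-05-12T23:41:10 user=alice action=copy file=/secure/cards.dat result=ok
garbage line that does not match the format
"""

# Assumed policy: which sensitive files exist and who may touch them.
AUTHORIZED = {"/secure/cards.dat": {"alice"}}
BUSINESS_HOURS = range(8, 19)   # 08:00 to 18:59 in the log's local time
DENIED_THRESHOLD = 3            # this many denials by one user on one file

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"file=(?P<file>\S+) result=(?P<result>\S+)$"
)


def parse_line(line: str):
    """Return a dict for a well-formed line, or None for anything else.
    Malformed lines are counted by the caller rather than silently dropped,
    since a log that stops matching its own format is itself an error indication."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def scan(text: str):
    """Scan log text and return (findings, malformed_count). Each finding is a
    (kind, user, file) tuple; the list is sorted and free of duplicates."""
    findings = set()
    denials = Counter()
    malformed = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            malformed += 1
            continue
        path, user = rec["file"], rec["user"]
        if path not in AUTHORIZED:
            continue   # not a sensitive file under this policy
        if user not in AUTHORIZED[path]:
            findings.add(("unauthorized", user, path))
        if rec["result"] == "denied":
            denials[(user, path)] += 1
            if denials[(user, path)] >= DENIED_THRESHOLD:
                findings.add(("repeated_denials", user, path))
        if rec["ts"].hour not in BUSINESS_HOURS:
            findings.add(("off_hours", user, path))
    return sorted(findings), malformed


if __name__ == "__main__":
    found, bad = scan(SAMPLE_LOG)
    for finding in found:
        print(*finding)
    print("malformed lines:", bad)
```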

Checklist for Consumer Data Protection on a Web Site

Here is a simple but workable policy that we recommend for web sites that are interested in respecting personal privacy. Tell people about your policy on your home page, and allow your company to be audited by outsiders if there are questions regarding your policies.

• Do not require users to register to use your site.

• Allow users to register with their e-mail addresses if they wish to receive bulletins.

• Do not share a user’s e-mail address with another entity without that user’s explicit permission for each organization with which you wish to share the e-mail address.

• Whenever you send an e-mail message to users, explain to them how you obtained their e-mail addresses and how they can get their addresses off your mailing list.

• Do not make your log files publicly accessible.

• Delete your log files when they are no longer needed.

• If your log files must be kept online for extended periods of time, remove personally identifiable information from them.

• Encrypt your log files if possible.

• Do not give out personal information regarding your users.

• Discipline or fire employees who violate your privacy policy.

Checklist for Internet Service Providers (ISPs)

This list is more inclusive than many ISPs will implement, but it is important to assess all options and make conscious business decisions regarding which you will implement.

• Since you certainly store credit card and/or other customer financial information, all of the rules for credit card storage apply.

• Security should not be haphazard – understand the issues and draw up a plan.

• Establish a security policy including: to what extent you will respect the privacy of customer data (with respect to access by your staff or outside agencies); and reporting processes in the event of a security breach (reporting within your organization, to outside Internet providers, and to the authorities).

• Identify your legal responsibilities (are you a common carrier, to what extent must you retain log files, etc.).

• Establish policies on how you will respond to security alerts and concerns from your clients, from other peer ISPs, from your major bandwidth providers and from the rest of the Internet.

• Beware of the fact that certain customers of your service may attack outside systems. You may develop a policy for responding to reports from other ISPs that one of your customers is engaging in an attack, spreading a virus, etc.

• You may decide not to send virus-blocked notifications back to senders via e-mail if ISP-wide virus scanning is in place.

• Establish an Acceptable Use Policy (AUP) including ISP and Client responsibilities. This AUP should be referenced in any client contracts.

• Design your network so that, to the extent practical and possible, the systems that control and manage your network (including accounting) are firewalled from the general Internet.

• Ensure that you use robust passwords and restricted access rules for all of your management machines, service machines (such as e-mail, web, authentication, proxy and DNS servers) and all network routing and monitoring equipment.

• Ensure that all non-essential services (ftp, icq, finger, compilers, etc.) are disabled on machines accessible to the Internet.

• Ensure that all machines, but particularly ones accessible to the Internet, are kept up to date with respect to security patches.

• Establish continuous network monitoring so that you can recognize problems such as denial of service attacks and major spam and virus activities. This requires understanding what your normal traffic patterns are.

• Establish computer monitoring capabilities to attempt to recognize computer intruders (don’t forget machines housing logs and accounting data).

• Consider installing virus checkers for all incoming and outgoing e-mail.

• Consider making one of the free or low-price antivirus products available to your customers to encourage them to be secure.

• Protect your mail servers from being used as spam relay points.

• Consider installing spam control measures.

• Log all server accesses and network connections/disconnections, maximizing your ability to retroactively do forensic analysis to understand security breaches.

• Establish a rigorous and redundant set of procedures for backing up your data and that of your users.

• Consider downloading and distributing (electronically or via CD) major software patches to your customers (thereby making it easy for them to remain current and secure, and reducing your international bandwidth).

15 Steps to Securing WLANs

Wireless network security is much like the physical security at the entrance of a building. Someone with enough interest, resources, and time is going to be able to gain access. First and foremost, it is important to treat your wireless network as though it were a publicly accessible network. A system administrator should not make any assumptions that his or her traffic on that network is private and secure. The following security recommendations, compiled from a host of industry leaders, will provide some simple rules of thumb that can provide a foundation for securing a WLAN:

1. Create an institution wide policy regarding wireless devices. Tailor the corporate security policy to address network usage guidelines.

2. Track how many employees have WLANs at home. These remote access users need to be monitored, in order to eliminate unauthorized wireless access points.

3. Define an account provisioning process to securely manage clients’ accounts, including tokens.

4. Disable all unneeded services and applications on each client and server. Typically, all services and applications that are not known or in use should be disabled.

5. Change the default settings of your product. Many administrators make the mistake of not changing any of the SSID or IP address information for their access points. Don't change the SSID to reflect your company's name, divisions, or products. Since this information is broadcast by the access point, once the hacker has broken WEP, they know exactly whose network they are accessing.

6. Change the default password on your access point or wireless router. Hackers often know the manufacturers' default passwords, and will try them first.

7. Plan your coverage to radiate out to the windows, but not beyond. As you do your site survey for access point deployment, think about locating the access points toward the center of your building rather than near the windows. If the access points are located near the windows, a stronger signal will be radiated outside your building making it easier for people to find you.

8. Provide directional antennas for wireless devices. Most wireless devices utilize omni-directional antennas; these antennae allow for systematic “sniffing” (recording) of all communications. Directional antennas coupled with a 2.4 GHz or higher frequency will lessen the propagation of the signal.

9. Turn WEP on and manage your WEP key by changing the default key and subsequently, changing the WEP key on a weekly basis.95

10. Use VPN tunneling between the network firewall and the wireless network. Though it would require a VPN server, the VPN client is already included in many operating systems such as Windows 98 Second Edition, Windows 2000, and Windows XP.

11. Deploy a network based intrusion detection system (NIDS) on the wireless network.96

12. Deploy enterprise-wide anti-virus software on all wireless clients.

13. Employ two-factor authentication. There are two ways in which two-factor authentication is best employed. First, token-based smart cards that store a biometric record.97 The two-factor approach mitigates a tremendous amount of risk. Second, the use of Radius Servers, which authenticate the machine to the network. A Radius server permits association with your access points. A user connects to the radius server merely for authentication to the other servers. One can implement a biometric to initialize the server thus abiding by the two-factor authentication mantra. Radius98 servers act as a guard would in a lobby, authorizing passage to the rest of the building.

14. Consider using a Wireless Firewall Gateway.99 This device operates as a standard dual-homed firewall with the wireless network on one side and the trusted network on the other. The firewall has security software such as IPSEC or other VPN enabled, and only after authenticating to that software can a user be granted access to the internal network. The firewall rules may also be used to limit where traffic originating from wireless networks may traverse. Make sure that the network firewall is between all wireless access points and the internal network or Internet.

15. Disable DHCP and use static IP addresses for your wireless NICs. Also change the default IP address range for your wireless network from the manufacturer’s default.

16. Purchase access points that have “flashable” firmware only. There are a number of security enhancements that are being developed, and you want to be sure that you can upgrade your access point.

95 Input provided by the NIPC http://www.nipc.gov/publications/nipcpub/bestpract.html.

96 Input provided by Chris Bateman of CERT Analysis Center.

97 Bateman recommends the e-thenticator, which is a thumb print biometric scanner that stores the image on a smart card.

98 RADIUS or Remote Authentication Dial-In User Service is an authentication service that verifies user information and once verified, allows users to access certain network services. Part of what RADIUS can provide is encrypted communication between the remote client and the RADIUS server. Virtual Private Networks (VPNs) work in a similar manner but tend to operate on a network-to-network connection instead of the remote host to network method of RADIUS. Once the remote computer is authenticated and connected to the internal network via a RADIUS server, it operates as if it were physically located near and connected to the network. In other words, the encryption provided by the RADIUS server is only between the RADIUS server and the client machine, not over the network as a whole. Rick Fleming stated that: "Cisco’s Aeronet Tacacs Server is premier for this service."

Additional Information on VPNs

To protect information systems that may use any of these technologies, users should deploy Virtual Private Network (VPN) technology at each and every trusted gateway into their networks and ensure that every user accessing the trusted network uses VPN technology. A virtual private network is essentially a private connection between two machines that sends private data traffic over a shared or public network, the Internet. VPN technology lets an organization securely extend its network services over the Internet to remote users, branch offices, and partner companies. In other words, VPNs turn the Internet into a simulated private wide area network (WAN). VPNs allow remote workers to access their companies’ servers.

To use the Internet as a private wide area network, organizations may have to overcome two main hurdles. First, networks often communicate using a variety of protocols; VPNs provide a way to pass non-IP protocols from one network to another. Second, data packets traveling the Internet are transported in clear text. Consequently, anyone who can see Internet traffic can also read the data contained in the packets. This is clearly a problem if banks desire to use the Internet to pass important, confidential business information. VPNs overcome these obstacles by using a strategy called tunneling. Instead of packets crossing the Internet out in the open, data packets are first encrypted for security, and then encapsulated in an IP packet by the VPN and tunneled through the Internet.

Many vendors such as Nokia, Cisco, Nortel, Checkpoint, and Microsoft among others have viable, secure VPN technologies100 that can be deployed at multiple locations in a corporate network. While VPNs provide content protection for that information traversing the network, depending on how they are deployed, they may not provide any protection from extraneous users accessing the network itself. In other words, an unauthorized user may not be able to see the content because of the VPN, but they can still access the network resources and utilize the bandwidth causing network congestion and possibly denial of service to authorized users. Access control, authentication, and encryption are vital elements of a secure connection. The Point-to-Point Protocol (PPP) has long been used as the Internet's universal link layer for creating tunnel links between devices, but in more recent years, the Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP) have prevailed.101

99 Rick Fleming, VP of Security Operations, Digital Defense, Inc.

100 The standards for VPN are currently in revision by the IETF to make IP Sec more secure, but also make it compatible with satellite communications.

101 Karen Bannan’s article "Safe Passage" in PC Magazine reviews seven VPN providers for products that would suit a medium-size business with a budget of $10,000 that needed a VPN for its central and branch offices. http://www.pcmag.com/print_article/0,3048,a%3D12352,00.asp

Copyright © 2003 The International Bank for Reconstruction and Development / The World Bank
