Spring cleaning tips for managers who worry about security
Shawn P. McCarthy
If your agency deals in classified or sensitive information, you probably wage an ongoing war against Internet hackers. The danger stems less from hackers' creativity than from managers' failures to seal security holes, establish policies for information sharing on intranets and public Web sites, and protect the data physically.
The SANS Institute of Bethesda, Md., recently sent an e-mail alert to network administrators to remind them of more than 1,000 known operating system vulnerabilities they should check for and close. If agencies won't give administrators the time to make such checks and take the relevant training, their systems will continue to be vulnerable despite firewalls, intrusion detection software and other remedies.
Here are some suggestions:
• Provide dedicated time to get the security work done.
• Establish a strict, agencywide security protocol for bringing up new servers. This might include such actions as removing factory-set configurations or accounts and requiring one specific configuration for all servers.
• State in the agency's security policy that managers are responsible for monitoring security bulletins specific to their hardware and software, and for implementing any suggested patches or system changes at once.
• Develop a priority list for handling security events based on consensus. Attack the most serious problems first.
• Fund training for staff members to learn how to fix specific problems and to understand general security maintenance issues.
One way to prepare for inevitable trouble is to nominate a network security guard within your staff. Check out the Security Skills Certification course offered by the SANS Global Incident Analysis Center. Details appear at www.sans.org/giactc.htm.
Ignorance isn't bliss
Another concern is employee ignorance of what should and should not be accessible on an agency Web site. Employees might not understand that outsiders or contractors with minimal security clearances can sometimes enter an intranet. Civilian agencies would do well to follow the Defense Department's lead and set up a team to check for inappropriate materials on the intranet at a prescribed time each month.
The reserve troops assigned to do monthly checks of DOD sites stirred up controversy last month when they got at classified information via public sites. It was embarrassing for DOD, but the department deserves to be commended for its approach.
You can ask such teams to pull double duty. As they scan the intranet for inappropriate materials, they can also look for wrong dates in headers and footers, broken images, poor navigation and so on.
Another issue is the physical security of computers. In the wake of the recent disappearance of a State Department portable computer storing highly secret information, Secretary of State Madeleine Albright blasted her own employees for not doing enough to protect data on computers.
Use the password
The quick fix is to heavily encrypt each portable computer. The data and applications should be available only to a user who knows the password or holds a smart token. One group of software products that enables this function is Stoplock from a British company, PC Security Ltd., at www.pcsl.com/prodover.htm. Look for the disk encryption package.
A new hacker tool called Mstream torques the damage from a typical denial-of-service attack by placing additional processing demands on the computers that unwittingly launch the attack.
For details about Mstream, see an analysis at staff.washington.edu/dittrich/misc/mstream.analysis.txt.
Shawn P. McCarthy designs products for a Web search engine provider. E-mail him at email@example.com.