
Archive for September, 2008

IT Security Policies Can Cause Network Data Breaches

September 29th, 2008

It’s strange how the network security policies in place at a company can actually damage, rather than enhance, its security. Security measures which are too stringent can lead to employees going around security for convenience’s sake. Employees can actually create security vulnerabilities which your IT department cannot protect against, because it may be unaware that they exist!

Not long ago, I spoke with the business director of a large company (I’ll call her Susan). Her company’s IT department requires employee passwords for their network be at least eight characters in length and be comprised of a random mix of letters, symbols and numbers. She also must change her passwords every sixty days. While Susan goes along with the security policies put in place by her IT department, if you were to walk into her office, she has her logon password written right there on her desk – “Password: 1jy^hndT”.

The work environment in many companies these days involves understaffing, tight deadlines and long workdays. When you add yet another complication into the lives of already overworked employees, it is only natural that they choose convenience over security. You see everyone doing this, from the CEO on down to the temps. While it sounds like a good idea to have employees remember complex passwords, what happens in practice is that it slows things down and leads to security being circumvented.

The real problem isn’t the security policy, which is actually a very sound one; it’s the way that it is implemented which makes it a problem. IT departments are prone to ignoring the human factor when they design security policies. Most people can’t remember two complex passwords, and many can’t even remember one! By making employees change their passwords every two to three months, IT departments further complicate the situation and practically force employees to engage in insecure practices in order to get their work done while still complying with corporate security policies.

This gives management a false sense of security when it comes to network security, since they don’t even know where to look for potential problems. Let’s say that someone copies down Susan’s password and logs in as her – the network monitoring software simply accepts as fact that she is working at 3 am. These security systems will not be able to prevent these attacks until the damage has already been done.

Password security which does not offer convenient implementation is not something which comes without a cost. Resetting passwords can take anywhere from 20% to 50% of an IT department’s time – this translates into about $70/incident. This time and money could be better used by your IT department. There are other costs as well, such as lost productivity when employees are unable to access the network.

A rule of thumb to keep in mind is that the greater the level of password security without a convenient management system in place, the more often you’ll need to do password resets. Smartcard security tokens offer a solution which balances productivity, security and technical support.

Smartcard based security tokens allow employees to manage network and computer security themselves without compromising the security of your corporate network. They do this by:

1. Offering double, two factor authentication – the user has the card (something they have) and the PIN (something they know). The computer has the card (something it has) and stored complex passwords (something it knows).

2. Being portable to other machines.

3. Having no information stored on the computer for prying eyes to find and use.

4. Convenience – the user only needs one password.

5. Employees always have possession of their passwords.

6. Token data is securely stored and protected in the event that the token is stolen or lost.

7. The token can store passwords for many accounts.

Smartcard based security tokens prevent data thieves from merely looking over someone’s shoulder to learn passwords or look for notes taped to desks or inside drawers bearing this information. If each account is set with its own unique password, even if a data thief somehow gets one password, all other accounts are still protected. Smartcard based security tokens allow employees to stay within IT security policies and keep corporate networks better protected while offering the convenience employees want and need. This can make even the most careless employee a security conscious one.

Dovell Bonnett is the author of “Online Identity Theft Protection For Dummies(R) – Power LogOn Edition”, founder & CEO of Access Smart and hosts IDProtectionExpert.com. He provides businesses, campuses, and mobile employees security solutions.


Why Wireless Networks Are More Vulnerable Than Wired Networks

September 21st, 2008

Wireless networks are more vulnerable than wired networks because the data is transmitted, instead of over a dedicated cable, through broadcast radio technology that works on the same microwave radio band (2.4 gigahertz) as cordless phones.

Because the networking transmissions are broadcast indiscriminately, they can be intercepted by hackers, especially if there is not a firewall installed. Drive-by hackers and casual intruders can pick up the radio signal from 20 to 50 meters away, and from as much as 500 meters away if they have sensitive equipment. It is estimated that 30 percent of all wireless networks have already had a hacking attempt made, even though it is illegal.

Your wireless network can become contaminated with a virus if another wireless computer that carries one taps into the network, contaminating your server and the other computers on that network.

When wireless networks came out, they were more convenient and often offered higher speed access than traditional wired networks. It soon became evident that they were easier to compromise, since multiple users were using the same broadcast signals. If a server is not secure, encrypted and firewall protected, the result can be loss of confidential information and virus attacks that can make a system vulnerable to crashing.

Many government agencies are no longer using wireless networks because of the security issues. For most other usages, a wireless network is suitable, as long as it is firewall protected properly, but you may want to consider the additional security of a wired network, if you handle sensitive information.

The safest thing is to have an IT or network security audit done to evaluate the multiple computers on your network, whether wireless or wired, for security and firewall needs. Businesses that transmit data, store crucial customer information like credit cards and other confidential information need to be especially aware of the consequences, should the information fall into the wrong hands.

By having an IT security audit done on your system, you can discover any vulnerabilities and protect against them. Typically, they will do audits that involve external penetration tests and internal management tests to uncover any possible threats, intentional or by ignorance of protection on the part of users.

Not only can security be compromised through wireless networks that are not properly secured, but wired networks need to have proper security software and firewalls working on their server to assure protection, on an internal, physical basis.

An IT security audit will evaluate the environment of the server, whether wireless or wired and any weak links in the security including the physical location and access to the server and settings for anti-virus and firewall programs.

Wireless networks have gained in popularity due to the ease of installation, especially in older buildings and the cost is less to install than cabling a wired network. The chances of contamination of data, information loss and virus or hacking by intruders may not be worth the cost savings, due to the vulnerability of wireless systems.

Derek Rogers is a freelance writer who writes for a number of UK businesses. For information on Network Security, he recommends Network 24, a leading provider of UK network security solutions.


Computer Network Management

September 13th, 2008

Today it is almost inconceivable for a business not to have computers, whether it is a construction company or a high technology firm. When a business has more than one computer, they are almost always connected together in a local area network. These networks may be more or less advanced and therefore more or less costly.


Companies invest so much (in terms of both money and time) in local area networks because there are many advantages that a local area network brings to a business and how it is administered.


Some businesses use a local area network in such a way they are highly dependent on it always working. If the company’s network fails, then you may see all the employees chatting away in the corridors because they can’t do their work. This means big losses for the company and causes stresses on the employees. All companies must consider their local area networks a vital asset and downtime must be avoided. This imposes huge demands on the network staff to keep such networks running almost 100% of the time.


The advantages of Computer Network Management


One of the main advantages of installing and maintaining LANs is the opportunity they create for better communication and cooperation between employees and customers.


Security considerations: Local Area Network security can be both a help and hindrance. Comprehensive security is beneficial because it provides a central and safe strategy for data access and disaster recovery. All information is protected by the design and implementation of the network security solution. On the other hand, interconnecting computers in local area networks creates a security risk, since doing so makes it technically possible for intruders to access many machines on the network at once.


Cost considerations: Installing a local area network is a relatively expensive project. Servers, cabling, switches, routers and software can all be expensive and should never be purchased without expert advice. Keeping the network operating and secure also requires a lot of resources and can be costly.


Surprisingly, a local area network can bring a number of cost savings. Sharing resources avoids the need to purchase equipment for each individual. Even more important is the security that a local area network can provide. Data loss could cost a business a great deal of money and, in some cases, cause the business to shut down altogether. Computer Network Management should require a consistent routine for data backups with regular checkups of data quality – a practice that will save a company huge sums in the event of a mishap.


Computer Network Management: preliminary analysis phases


The first phase of computer network management is to determine the source of the problem (a preliminary study that looks into several options of differing scope may be useful here) and to define it in a specification of requirements. Examples of what should be evaluated are different network operating systems, mail systems, and other applications. The choice of hardware components should also be evaluated. This phase is generally aimed at establishing what the system should do, not how it should do it.


Computer Network Management: design phase


The purpose of the design phase is to determine how the requirements of the specification are to be met. The current approach to large, complex projects is to break them down into smaller, more manageable subprojects.


Computer Network Management: implementation phase


This phase involves the physical installation of the local area network. Cables are run, software is installed, and computers and other hardware are put in place.


Computer Network Management: integration and system testing phase


In this phase, commissioning of the network begins, and routines are adapted to users and the operating personnel. The system must be tested, both to ensure that the network meets the requirements set out in the specification and that it is stable enough to perform the central function it has in the organization.


Computer Network Management: operation and maintenance


Local area networks have complex operating routines. This is because there may be serious consequences when faults occur or unauthorized persons gain access to the system. Many companies have employees devoted solely to running and maintaining computer networks. These system administrators may deal with network issues such as performance, reliability and security of both hardware and software.


Computer Network Management: tools


Although an organization may have computer administrators on site, they must also monitor the network more than eight hours a day. In fact, some of the worst trouble that arises with networks can happen during the night hours when nobody is using the network. With the right computer network management tools, your organization can receive the security of knowing that problems will be foreseen, prevented, and taken care of – and that your network administrator can be notified at a moment’s notice, should anything go exceptionally wrong.

Frank Hughes is the Vice President of Technical Solutions at SecureMyCompany, Inc. Mr. Hughes has over 14 years’ experience in the IT industry, with the last 10 serving as the Senior Solutions Consultant for BellSoutions.net. Get more information on network management tools.

Frank Hughes holds several vendor certifications including Microsoft, Dell, Cisco, Sonicwall and many more. Mr. Hughes is a recognized expert in managed services including remote desktop management, network monitoring and help desk software.


2008: Major Concerns for Network and Systems Administrators

September 5th, 2008

As with any other year, in 2008 network and systems administrators will have to face challenges which will tax their ability to adequately protect corporate networks. Experience shows that maintaining and improving on security is never easy; hackers, malware creators, spammers, malicious insiders and other, mostly unpredictable, elements all add up to the factors which tend to give these network security professionals many a sleepless night.

Various 2008 threat predictions have already hit headlines. Some mention VOIP and virtualization, others mention malware evolution and Facebook widgets that will be used to distribute malware. However, facts and figures indicate that the challenges faced in 2008 will not stem from technology itself; for in its nature technology is a neutral element that can either be used in a good or in a bad way. The biggest threat for 2008 is the same threat to businesses that has been around for the last 200,000 years – the Human Being himself! Human beings, their weaknesses, fallacies and inquisitiveness can all be exploited to wreak havoc within organizations.

Human Overconfidence

History shows that we tend to rely too much on the claims which operating system vendors and business software vendors make. New systems sell themselves as being more secure and more fail-safe than their predecessors. While this is undoubtedly true, one must remember that at every release of each operating system and business software throughout the years vendors have all made the same claim, over and over again, year after year. This has never, however, deterred hackers and other malicious individuals from researching and executing attacks against newer systems.

A case in point is Microsoft Windows Vista, which by end 2007 will hit the 10% market share, with a projected 30% adoption rate expected by end 2008. Microsoft Windows Vista does not only equate to a new operating system, it also equates to a new user experience. While this system is much more secure than its predecessors, its users are still the same as before, and therefore they are the path of least resistance to the average network environment exploit. Through social engineering, security features such as the new user access control can be easily circumvented, duping users into installing software which is insecure or tainted with malware.

Humans’ misplaced trust

Trust should be earned and not automatically afforded. Dangers to business do not only lie outside of the business perimeters; recent history shows that insider attacks on businesses cost as much, if not more, than attacks originating from the outside. Insiders have their own advantages, for they have an intimate knowledge of your network and its inner workings. In 2008, an ever increasing proliferation of portable storage and communication devices (iPods, USB drives, USB WiFi cards, etc.) will highly facilitate data theft, logic bombs and other forms of sabotage that can throw your business back to the Stone Age. Yet again, while it might be easy to put the blame on such devices, it’s not these devices that are at fault; once again, technology is a neutral entity. The main fault here is the use made of such devices – banning them will simply not work because you simply cannot rely on voluntary compliance, supervision is too laborious, the devices can be easily concealed and you’ll just create dissent.

Human lack of knowledge

When it comes to network security, ignorance is neither bliss nor an excuse. In 2008, a lack of basic security principles and a lack of knowledge of the trends that malware, spyware, spam and other threats are taking will greatly contribute to the downfall of network security. This most often is due to lack of time or resources to research security principles and trends; an issue that translates into a firefighting approach to network security: reacting to incidents after being hit.

This is, once again, a human issue. Malware does not evolve on its own, in a vacuum. The reason why malware evolves is greed – hackers and other malicious individuals today create targeted attacks not to create havoc but for financial gain. Targeted exploits that attempt to play on inquisitive human nature to make people click on a tainted link will become more and more commonplace. This makes them much more dangerous than ever before, making the issue of lack of knowledge even more critical. Limiting human inquisitiveness through a blanket ban on access to resources will also backfire since it will create both dissent and boredom, both of which hamper productivity.

Human gullibility

Being gullible does not only make you the butt of jokes but also exposes you to myriad network security threats. In 2008, targeted email spam will continue in its evolution with newer and novel attempts to breach network defenses using social engineering. These will extend beyond email and attempt to, for example, compromise VOIP infrastructures through denial of service attacks, SIP vulnerabilities and Spit (Spam Over Internet Technology) attacks. In 2008, an increase in the number of attacks targeted at specific individuals or businesses is also expected, and it is highly plausible that the perpetrators of such attacks will use social engineering to gain access to confidential information that enables them to gain access to your systems.

As with malware, social engineering attempts at exploiting human gullibility evolve for financial gain. No one will be calling anyone up asking for passwords; more subtle methods, such as targeted attacks on social networking sites (MySpace, Facebook, etc.) where users are duped into exchanging personal information for virtual goods, empower hackers and other malicious individuals to gain unauthorized access to networks.

Conclusion

In 2008, network and security administrators will have to wear more hats than ever before and employ all sorts of defenses against attacks directed at the human nature – overconfidence, trust, lack of knowledge and gullibility will all be decisive factors in how successful network security will be. More than ever before it will be a question of managing the risks that humans pose to businesses; for even if the risks humans pose are the same risks as before, the motivation behind attacks in 2008 is changing and becoming much more dangerous. The best way to defend infrastructures from potential threats is for administrators to implement methods to:

• Monitor the user’s activity 24 x 7 x 365

• Control access to network resources

• Safeguard all the business information

• Backup all communications to, from and within the business

• Enact technological barriers that permit device use according to a clear and defined policy.

• Train network resource users in both network security and information disclosure policies.

In 2008, systems administrators will have to find the fine balance that suits and encourages the human inquisitive nature – without becoming the dreaded medieval Inquisitors!

GFI Software Ltd. is a leading provider of network security, content security and messaging software. For more information about GFI, visit http://www.gfi.com
