
A small research company in Pittsburgh is working to develop a new method of mas


Question

A small research company in Pittsburgh is working to develop a new method of mass storage to replace current hard drive technology. Four engineers and an office manager work there. The engineers are highly skilled professionals, and the office manager is a capable computer user. The company has an always-on Internet connection because employees must conduct research frequently. The employees have hopes of making a breakthrough and bringing the company public within the next two years. You have been hired as a security consultant to assess the company’s needs. What type of security policy should be used (open, moderately restrictive or highly restrictive) and what security technologies should be used? On what areas should the security policy focus (physical security, data security, auditing, passwords, and so forth), and what technologies should be used to secure these areas? What are the differences between a private network and a public network? How is data stored on each? Where is the emphasis on securing the data on each placed?

Explanation / Answer

IT Security Standards and Best Practices

To facilitate your planning on information security management for your company, we have highlighted some internationally recognised information security standards, guidelines and effective security practices for reference.

There is increasing public concern about the security of information passing through public Wi-Fi networks. To address such a concern, the Communications Authority (CA) has published a set of security guidelines for public Wi-Fi service operators to follow. The guidelines are developed jointly with the industry and the relevant professional bodies.

IT Governance Standards and Best Practices

Guidelines on Conducting Online Businesses and Activities

Guidelines on Safeguarding Data Privacy

Other References

Corporate security consumes a huge chunk of time, money, and human resources. It's no wonder that companies like Symantec exist. Symantec produces some of the security industry's best software, but its contribution doesn't stop there. As I wrote yesterday in "Don't you just love mobile apps? So do malicious code writers", Symantec also produces an annual Internet Security Threat Report. In these reports, Symantec highlights security threats and trends and then tells you how to fix and prevent them. They also offer some best practices of their own. My list of the 10 best practices is based loosely on their 14 or so security recommendations. I do, however, deviate from their list on items that are either too obvious or just don't work in practical terms.

This list is not entirely focused on mobile security, but is general to corporate security.

Here's my list of 10 security best practice guidelines for businesses (in no particular order).

Just so you know, I'm not leaving out things like physical security, which is one of those obvious — or should be obvious — security measures. Other such "obvious" measures are to use security-screened software, use software that has been regression tested with your operating system, use VPNs, use strong passwords, and so on.

Businesses can't afford to take chances with security. Doing so is costly. How costly? The average is a $429,000* loss for large companies due to mobile computing "mishaps". Perhaps your company can afford these half-a-million-dollar mishaps, but few can. It's best to stay on top of security with a multilayered, multi-tiered approach. Vigilance is key and so is awareness.

In a few weeks, I'll introduce you to a way to alleviate a huge chunk of your security worries with a single solution. Stay tuned for that earth-shattering product information. Before that, tomorrow I'll offer up a list of 10 best practice guidelines that you can do as a consumer to prevent security mishaps. They will make you more aware and better prepared for your next encounter with internet malware.

What are the differences between a private network and a public network?

IP addressing involves many considerations, not least important of which are public and private networks. A public network is a network to which anyone can connect. The best, and perhaps only pure, example of such a network is the Internet. A private network is any network to which access is restricted. A corporate network or a network in a school are examples of private networks.

The main difference between public and private networks, apart from the fact that access to a private network is tightly controlled and access to a public network is not, is that the addressing of devices on a public network must be considered carefully, whereas addressing on a private network has a little more latitude.

As already discussed, in order for hosts on a network to communicate by using TCP/IP, they must have unique addresses. This number defines the logical network each host belongs to and the host's address on that network. On a private network with, say, three logical networks and 100 nodes on each network, addressing is not a particularly complex task. On a network on the scale of the Internet, however, addressing is very complex.

If you are connecting a system to the Internet, you need to get a valid registered IP address. Most commonly, you would obtain this address from your ISP. Alternatively, for example, if you wanted a large number of addresses, you could contact the organization responsible for address assignment in your geographical area. You can determine who the regional numbers authority for your area is by visiting the IANA website.

Because of the nature of their business, ISPs have large blocks of IP addresses that they can assign to their clients. If you need a registered IP address, getting one from an ISP will almost certainly be a simpler process than going through a regional numbers authority. Some ISPs' plans actually include blocks of registered IP addresses, working on the principle that businesses are going to want some kind of permanent presence on the Internet. Of course, if you discontinue your service with the ISP, you will no longer be able to use the IP address they provided.

When you think about it, the most valuable thing on your computer or network is the data you create. After all, that data is the reason for having the computer and network in the first place—and it's the bits and bytes that make up that data that are your first priority when putting protective strategies in place. Operating systems and applications can always be reinstalled, but user-created data is unique and if lost, may be irreplaceable.

Some data is also confidential; not only do you not want to lose it, you don't want others to even view it without authorization. Exposure of your social security number, credit card, and bank account information could subject you to identity theft. Company documents may contain trade secrets, personal information about employees or clients, or the organization's financial records.

Let's look at some ways to protect your all-important user data from loss and/or unauthorized access.

#1: Back up early and often


The single most important step in protecting your data from loss is to back it up regularly. How often should you back up? That depends—how much data can you afford to lose if your system crashes completely? A week's work? A day's work? An hour's work?

You can use the backup utility built into Windows (ntbackup.exe) to perform basic backups. You can use Wizard Mode to simplify the process of creating and restoring backups or you can configure the backup settings manually and you can schedule backup jobs to be performed automatically.

There are also numerous third-party backup programs that can offer more sophisticated options. Whatever program you use, it's important to store a copy of your backup offsite in case of fire, tornado, or other natural disaster that can destroy your backup tapes or discs along with the original data.

#2: Use file-level and share-level security


To keep others out of your data, the first step is to set permissions on the data files and folders. If you have data in network shares, you can set share permissions to control what user accounts can and cannot access the files across the network. With Windows 2000/XP, this is done by clicking the Permissions button on the Sharing tab of the file's or folder's properties sheet.

However, these share-level permissions won't apply to someone who is using the local computer on which the data is stored. If you share the computer with someone else, you'll have to use file-level permissions (also called NTFS permissions, because they're available only for files/folders stored on NTFS-formatted partitions). File-level permissions are set using the Security tab on the properties sheet and are much more granular than share-level permissions.

In both cases, you can set permissions for either user accounts or groups, and you can allow or deny various levels of access from read-only to full control.

#3: Password-protect documents


Many productivity applications, such as Microsoft Office applications and Adobe Acrobat, will allow you to set passwords on individual documents. To open the document, you must enter the password. To password-protect a document in Microsoft Word 2003, go to Tools | Options and click the Security tab. You can require a password to open the file and/or to make changes to it. You can also set the type of encryption to be used.

Unfortunately, Microsoft's password protection is relatively easy to crack. There are programs on the market designed to recover Office passwords, such as Elcomsoft's Advanced Office Password Recovery (AOPR). This type of password protection, like a standard (non-deadbolt) lock on a door, will deter casual would-be intruders but can be fairly easily circumvented by a determined intruder with the right tools.

You can also use zipping software such as WinZip or PKZip to compress and encrypt documents.

#4: Use EFS encryption


Windows 2000, XP Pro, and Server 2003 support the Encrypting File System (EFS). You can use this built-in certificate-based encryption method to protect individual files and folders stored on NTFS-formatted partitions. Encrypting a file or folder is as easy as selecting a check box; just click the Advanced button on the General tab of its properties sheet. Note that you can't use EFS encryption and NTFS compression at the same time.

EFS uses a combination of asymmetric and symmetric encryption, for both security and performance. To encrypt files with EFS, a user must have an EFS certificate, which can be issued by a Windows certification authority or self-signed if there is no CA on the network. EFS files can be opened by the user whose account encrypted them or by a designated recovery agent. With Windows XP/2003, but not Windows 2000, you can also designate other user accounts that are authorized to access your EFS-encrypted files.

Note that EFS is for protecting data on the disk. If you send an EFS file across the network and someone uses a sniffer to capture the data packets, they'll be able to read the data in the files.

#5: Use disk encryption


There are many third-party products available that will allow you to encrypt an entire disk. Whole disk encryption locks down the entire contents of a disk drive/partition and is transparent to the user. Data is automatically encrypted when it's written to the hard disk and automatically decrypted before being loaded into memory. Some of these programs can create invisible containers inside a partition that act like a hidden disk within a disk. Other users see only the data in the "outer" disk.

Disk encryption products can be used to encrypt removable USB drives, flash drives, etc. Some allow creation of a master password along with secondary passwords with lower rights you can give to other users. Examples include PGP Whole Disk Encryption and DriveCrypt, among many others.

#6: Make use of a public key infrastructure


A public key infrastructure (PKI) is a system for managing public/private key pairs and digital certificates. Because keys and certificates are issued by a trusted third party (a certification authority, either an internal one installed on a certificate server on your network or a public one, such as Verisign), certificate-based security is stronger.

You can protect data you want to share with someone else by encrypting it with the public key of its intended recipient, which is available to anyone. The only person who will be able to decrypt it is the holder of the private key that corresponds to that public key.

#7: Hide data with steganography


You can use a steganography program to hide data inside other data. For example, you could hide a text message within a .JPG graphics file or an MP3 music file, or even inside another text file (although the latter is difficult because text files don't contain much redundant data that can be replaced with the hidden message). Steganography does not encrypt the message, so it's often used in conjunction with encryption software. The data is encrypted first and then hidden inside another file with the steganography software.

Some steganographic techniques require the exchange of a secret key and others use public/private key cryptography. A popular example of steganography software is StegoMagic, a freeware download that will encrypt messages and hide them in .TXT, .WAV, or .BMP files.

#8: Protect data in transit with IP security


Your data can be captured while it's traveling over the network by a hacker with sniffer software (also called network monitoring or protocol analysis software). To protect your data when it's in transit, you can use Internet Protocol Security (IPsec)—but both the sending and receiving systems have to support it. Windows 2000 and later Microsoft operating systems have built-in support for IPsec. Applications don't have to be aware of IPsec because it operates at a lower level of the networking model.

Encapsulating Security Payload (ESP) is the protocol IPsec uses to encrypt data for confidentiality. It can operate in tunnel mode, for gateway-to-gateway protection, or in transport mode, for end-to-end protection. To use IPsec in Windows, you have to create an IPsec policy and choose the authentication method and IP filters it will use. IPsec settings are configured through the properties sheet for the TCP/IP protocol, on the Options tab of Advanced TCP/IP Settings.

#9: Secure wireless transmissions


Data that you send over a wireless network is even more subject to interception than that sent over an Ethernet network. Hackers don't need physical access to the network or its devices; anyone with a wireless-enabled portable computer and a high gain antenna can capture data and/or get into the network and access data stored there if the wireless access point isn't configured securely.

You should send or store data only on wireless networks that use encryption, preferably Wi-Fi Protected Access (WPA), which is stronger than Wired Equivalent Protocol (WEP).

#10: Use rights management to retain control


If you need to send data to others but are worried about protecting it once it leaves your own system, you can use Windows Rights Management Services (RMS) to control what the recipients are able to do with it. For instance, you can set rights so that the recipient can read the Word document you sent but can't change, copy, or save it. You can prevent recipients from forwarding e-mail messages you send them and you can even set documents or messages to expire on a certain date/time so that the recipient can no longer access them after that time.

To use RMS, you need a Windows Server 2003 server configured as an RMS server. Users need client software or an Internet Explorer add-in to access the RMS-protected documents. Users who are assigned rights also need to download a certificate from the RMS server.
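The gap described in #2, where share-level permissions do not apply to someone logged on locally, can be checked with a small model. This is an added example, not part of the original answer; the folder names, accounts and ACLs are constructed, and only allow entries are modelled.

```python
# Added example: how share-level and NTFS permissions combine (allow entries only).
# Folder names, accounts and ACLs are constructed sample data.
LEVELS = ["none", "read", "change", "full"]

def granted(acl, principals):
    """Highest level any of the user's principals is allowed by this ACL."""
    return max((LEVELS.index(level) for who, level in acl if who in principals),
               default=0)

def access(folder, principals, over_network):
    """Effective access level name for local logon vs. access through the share."""
    ntfs = granted(folder["ntfs"], principals)
    if not over_network:
        return LEVELS[ntfs]          # share permissions are not checked locally
    # Over the network the more restrictive of the two ACLs wins.
    return LEVELS[min(ntfs, granted(folder["share"], principals))]

def audit(folders, users):
    """Report (folder, user, local, network) where only the share ACL restricts."""
    findings = []
    for name, folder in folders.items():
        for user, principals in users.items():
            local = access(folder, principals, over_network=False)
            remote = access(folder, principals, over_network=True)
            if LEVELS.index(local) > LEVELS.index(remote):
                findings.append((name, user, local, remote))
    return findings

USERS = {
    "engineer1": {"Everyone", "Engineers"},
    "manager": {"Everyone", "Office"},
}
FOLDERS = {
    # Share is locked to Engineers, but the NTFS ACL is wide open.
    "Research": {"share": [("Engineers", "full")], "ntfs": [("Everyone", "full")]},
    # Share is open, but the NTFS ACL does the restricting.
    "Payroll": {"share": [("Everyone", "full")], "ntfs": [("Office", "change")]},
}

if __name__ == "__main__":
    for finding in audit(FOLDERS, USERS):
        print("share ACL is the only control: %s for %s (local=%s, network=%s)" % finding)
```

A finding means the folder is protected only while it is reached through the share; tightening the NTFS ACL closes it for local logons as well.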
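For the private-network addressing discussed earlier in the answer (three logical networks with 100 nodes each, every host needing a unique address), the following added example, not part of the original answer, plans the subnets and audits a host inventory. It goes beyond the text by assuming the RFC 1918 private ranges, which the answer does not name; the 10.20.0.0/22 block and the inventory entries are constructed.

```python
# Added example: plan three logical networks of 100 hosts and audit an inventory.
# The address block and host inventory are constructed sample data.
import ipaddress

# Assumption: "private" means the RFC 1918 ranges (not named in the answer).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def plan_subnets(block, networks, hosts_each):
    """Carve `networks` subnets out of `block`, each fitting `hosts_each` hosts."""
    prefix = 32
    while 2 ** (32 - prefix) - 2 < hosts_each:   # minus network and broadcast
        prefix -= 1
    subnets = list(ipaddress.ip_network(block).subnets(new_prefix=prefix))
    if len(subnets) < networks:
        raise ValueError("block too small for the requested networks")
    return subnets[:networks]

def audit_inventory(inventory, subnets):
    """Flag duplicate, unplanned and non-private addresses."""
    findings, seen = [], {}
    for host, text in inventory:
        ip = ipaddress.ip_address(text)
        if ip in seen:
            findings.append((host, "duplicate of " + seen[ip]))
        seen.setdefault(ip, host)
        if not any(ip in net for net in RFC1918):
            findings.append((host, "not private: needs a registered address"))
        elif not any(ip in net for net in subnets):
            findings.append((host, "outside planned subnets"))
    return findings

SUBNETS = plan_subnets("10.20.0.0/22", networks=3, hosts_each=100)
INVENTORY = [
    ("eng-ws1", "10.20.0.10"),
    ("eng-ws2", "10.20.0.10"),        # same address assigned twice
    ("office-pc", "192.168.1.5"),     # private, but not in the plan
    ("gateway-wan", "203.0.113.10"),  # documentation address standing in for an ISP one
]

if __name__ == "__main__":
    print([str(net) for net in SUBNETS])
    for host, problem in audit_inventory(INVENTORY, SUBNETS):
        print(host, "->", problem)
```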
