Thursday, February 16, 2006

Technology Updates

10 Myths about IT Security

MYTH #1: Organizations are more secure now than they were a year ago. Although limited resources have forced some organizations to neglect security issues, most companies have taken the basic steps to safeguard their assets. Information security has moved from a business cost to a business enabler, supporting better business decisions and letting organizations see how strategic decisions may play out. However, complacency should be checked at the door. New threats and technologies are constantly and rapidly changing the network landscape. System administrators must scan the network continually for known weaknesses, keep their skills current and, most important, re-examine corporate security policies periodically. Letting this last step slide is a recipe for disaster: business processes defined a year ago may no longer match the organization's current needs.

MYTH #2: The presence or absence of regulations greatly matters when it comes to protecting both personal and customer data. Governmental regulations, such as HIPAA (Health Insurance Portability and Accountability Act) and Sarbanes-Oxley, contain information security components in their guidelines. But with or without a legal requirement, organizations should still safeguard their sensitive information. Failure to protect customers' personal data means lost consumer confidence, lost revenue and, where a regulation applies, government fines. Regulations and laws are getting the attention of C-level executives and forcing them to invest in information security initiatives, but don't be misled into thinking that the existence of a regulation means data is protected, or that companies won't violate it.

Case in point: When BJ's Wholesale Club's network was compromised and thousands of its customers' credit card numbers were stolen from a BJ's database, many believed the retailer had violated MasterCard's and Visa's security rules by storing account and cardholder information. The same held true for CardSystems, which may have violated MasterCard's rules not only by retaining credit card information but by failing to encrypt it. Organizations must proactively fashion a philosophy that combines network security with an acceptable level of compliance.

MYTH #3: External consultants know more about information security than in-house personnel do. People believe consultants--whether they work for a consulting firm or independently--have tools and advanced training that's lacking internally. But that's not always true. Before hiring an outside consultant, be sure you haven't overlooked your staff. Network and system administrators often make good full-time security personnel because they handle security problems as part of their daily duties. You might find you already have the required skills in-house--all that's needed is some training classes. Training in-house personnel demonstrates your commitment to providing employees growth and career opportunities.

Consider using an outside consultant on an as-needed basis to provide additional support to existing staff--in other words, to supplement the skills of your staff. If you decide to bring in outside services, thoroughly validate the consultant's qualifications and experience. Be sure to check references. Memberships in professional organizations and certifications are helpful, although some certifications are more useful than others. Outside consultants can provide a good business partnership even beyond the services outlined in a contract. Having an internal contact person well-placed within the organization can help foster a better working partnership and help the staff view the consultant as a valuable team member.

MYTH #4: Information security must be managed as a separate business unit to be effective. At first glance, you may think keeping information security people together in one department is a good idea. After all, infosec professionals all speak the same language and deal with similar concerns. However, a single security group would have to deal with all the business units that have some level of security as part of their charters--most notably physical security, IT security and disaster recovery preparedness. If you keep your infosec professionals in one group, you risk alienating the business groups they'll need to work with to conduct security awareness and training programs.

Top-level management must realize that information security and infosec policies must fit into all facets of the organization. Information security is not solely the responsibility of IT but rather an enterprise function that must mandate input from all business units so each unit can ensure its needs, concerns and mission statements are met. Smart organizations are starting to realize that security has evolved into an enterprisewide support division, rather than an isolated group dedicated solely to protecting servers. Security professionals can offer cost management, build a stronger focus on customer relations and help identify and communicate growth opportunities throughout the organization.

MYTH #5: Complex, frequently changed passwords will make my enterprise secure. No one disputes that a password of 12 to 16 characters, with mixed upper- and lowercase letters, numbers and special characters, is hard to guess. But it's also hard to remember. If you also require users to change passwords every 60 days, they'll write them down, which is exactly what you don't want. Instead, create a flexible password policy that lets users choose passwords that are easy to remember yet hard to guess. Consider having users create passphrases, such as "HotDogWithMustard," "8YearsOldToday" or "Please,Hold theMayo." One caveat: a passphrase made of two or three common words is still within reach of a cracker that tries combinations of dictionary words, so favor length and unusual word choices over a short phrase dressed up with symbol substitutions. Written password security policies should be governed by the organization, not the end user. However, each end user must be held accountable for managing and safeguarding his or her own password. Remember that passwords written on Post-It notes or kept in Excel spreadsheets are a far bigger threat to security than password cracking.

MYTH #6: The padlock icon present during an SSL session means my data is safe. This is untrue. The padlock icon in the browser's status bar means only that data sent between your computer and the site is encrypted in transit. It doesn't mean the Web site itself is safe. A Web site certificate is a signed record of information--whom the certificate belongs to, who issued it, a serial number and its validity dates--that the SSL/TLS protocol uses to establish a secure connection. Five conditions must be met for a browser to accept a certificate. If any condition isn't met, the browser should display a warning to the user, who then decides whether to continue. First, the certificate must be issued by a certificate authority the browser trusts; a CA vouches for the binding between a site's name and its public key, and the list of trusted CA root certificates is stored on the local computer, shipped with the browser or operating system. Second, the current date must fall within the certificate's validity period. Third, the name must match: if a user is connecting to www.etrust-bank.com, the certificate's common name (or one of its subject alternative names) must be www.etrust-bank.com, and a wildcard name such as *.etrust-bank.com covers exactly one label. Fourth, the CA's signature over the certificate must verify, which proves it hasn't been altered since it was issued. Finally, the certificate must not have been revoked by its issuer, which the browser checks against a certificate revocation list or an OCSP responder. Unfortunately, most users don't bother to inspect the certificate when the browser complains. To check a Web site's certificate, double-click the padlock icon while you're on the site. A pop-up window shows the name of the site and its certificate details. Smart users will verify that the information matches the site and the organization with which they're conducting a transaction.
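The five acceptance conditions above, worked through as an added Python example (not code from the original article). It assumes a constructed certificate record for the article's www.etrust-bank.com, a made-up CA named "Example Trust CA" whose HMAC-SHA256 tag stands in for a real CA's RSA/ECDSA signature, and a revocation set in place of a CRL or OCSP lookup. The name check follows the wildcard rules browsers apply (a wildcard covers exactly one label and never a bare domain), which the paragraph only touches on.

```python
import hashlib
import hmac
import json
from datetime import datetime

# Constructed trust store: CA name -> key used to verify that CA's signatures.
# Stands in for the root certificates a browser or OS ships with.
TRUSTED_CAS = {"Example Trust CA": b"example-trust-ca-key-constructed-for-this-example"}

# Fields the CA vouches for (the X.509 tbsCertificate, greatly simplified).
SIGNED_FIELDS = ("subject", "san", "issuer", "serial", "not_before", "not_after")


def to_be_signed(cert):
    """Canonical bytes of the signed fields, so any change to them is detectable."""
    return json.dumps({k: cert[k] for k in SIGNED_FIELDS}, sort_keys=True).encode()


def issue(ca_name, ca_key, **fields):
    """Return a certificate dict 'signed' by ca_name.

    HMAC-SHA256 is a stand-in for the CA's RSA/ECDSA signature so this runs
    offline; the property shown (altering a signed field breaks verification)
    is the same one a browser relies on.
    """
    cert = dict(fields, issuer=ca_name)
    cert["signature"] = hmac.new(ca_key, to_be_signed(cert), hashlib.sha256).hexdigest()
    return cert


def hostname_matches(pattern, hostname):
    """Condition 3 with the RFC 6125 wildcard rules browsers apply:
    case-insensitive; '*' only as the whole leftmost label; it matches exactly
    one label, so '*.etrust-bank.com' covers www.etrust-bank.com but not
    etrust-bank.com or a.b.etrust-bank.com, and '*.com' matches nothing."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) < 3 or len(p_labels) != len(h_labels) or not h_labels[0]:
        return False
    return p_labels[1:] == h_labels[1:]


def check_certificate(cert, hostname, now, trusted_cas=TRUSTED_CAS, revoked=frozenset()):
    """Apply the five acceptance conditions; return the list of failures.

    An empty list means the browser shows the padlock; anything else is what
    the warning dialog would report. `now` is a datetime or an ISO-8601 string.
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    problems = []
    ca_key = trusted_cas.get(cert["issuer"])
    # 1. issued by a CA the client trusts
    if ca_key is None:
        problems.append("issuer not trusted")
    # 2. current time within the validity period
    not_before = datetime.fromisoformat(cert["not_before"])
    not_after = datetime.fromisoformat(cert["not_after"])
    if not (not_before <= now <= not_after):
        problems.append("outside validity period")
    # 3. the name the user typed is one the certificate was issued for
    #    (subjectAltName when present, otherwise the subject common name)
    names = cert.get("san") or [cert["subject"]]
    if not any(hostname_matches(n, hostname) for n in names):
        problems.append("name mismatch")
    # 4. not altered: the issuer's signature over the signed fields still verifies
    if ca_key is not None:
        expected = hmac.new(ca_key, to_be_signed(cert), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, cert["signature"]):
            problems.append("signature does not verify")
    # 5. not revoked (stand-in for the CRL or OCSP lookup, keyed by issuer and serial)
    if (cert["issuer"], cert["serial"]) in revoked:
        problems.append("revoked")
    return problems


def example_certificate():
    """Constructed certificate for the article's www.etrust-bank.com example."""
    return issue("Example Trust CA", TRUSTED_CAS["Example Trust CA"],
                 subject="www.etrust-bank.com",
                 san=["www.etrust-bank.com", "*.etrust-bank.com"],
                 serial=1001,
                 not_before="2005-06-01T00:00:00+00:00",
                 not_after="2007-06-01T00:00:00+00:00")


if __name__ == "__main__":
    now = "2006-02-16T00:00:00+00:00"
    cert = example_certificate()
    print("genuine:", check_certificate(cert, "www.etrust-bank.com", now))
    print("expired:", check_certificate(cert, "www.etrust-bank.com", "2008-01-01T00:00:00+00:00"))
    forged = dict(cert, san=["www.other-bank.example"])  # name edited after signing
    print("forged: ", check_certificate(forged, "www.other-bank.example", now))
    print("revoked:", check_certificate(cert, "www.etrust-bank.com", now,
                                        revoked={("Example Trust CA", 1001)}))
```

Each deliberately broken case (a name edited after signing, an expired period, a revoked serial, an unknown issuer) reports exactly the condition that failed, which is the decision a browser's warning dialog hands to the user. Note what the checks do not cover: a certificate that passes all five still says nothing about how the site stores what you send it.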

In addition, keep in mind that the data you send doesn't stay in the encrypted session; it lands on the organization's servers, and you have no way of knowing whether it's encrypted there or who can read it. How well an organization safeguards those servers is a bigger security risk than the transmission itself (see "Keeping Online Transactions Safe"). Nothing is 100 percent secure, and even sites using 128-bit encryption can be compromised.


MYTH #7: Migrating from Internet Explorer to Firefox will make my enterprise secure. Although Internet Explorer commands the majority of the browser market, Firefox is steadily gaining ground. But if a vulnerability is discovered in your browser, your computers are susceptible to compromise, no matter which browser you're running. The real risk lies in users continuing to open virus-infected attachments, which are browser-agnostic. The December 2005 Microsoft WMF vulnerability should re-emphasize the fact that users must still be trained not to accept or execute files or links from untrusted or unknown sources. As Firefox's share grows, so does the attention attackers and researchers pay it, and with it the number of published flaws. Small shops and individual users shouldn't find switching to Mozilla's Firefox a problem--after all, it's targeted at that user base. However, mid- to large-size enterprises may find that Firefox isn't quite ready for the enterprise, despite its reputation for better security. First, Firefox lacks a centralized management system, making it difficult for admins to control how the browser is configured and used. Second, if your company has several Web-based applications built around IE, migrating to Firefox will incur development costs in addition to the cost of deploying Firefox to your users. In the long term, switching back and forth between browser vendors isn't cost-effective or efficient. Instead, restrict Internet browsing activity to "what access is needed" and "who needs it." It's a time-consuming administrative task, but teaching proper browsing behavior will keep your organization much safer than worrying about which browser you use.

MYTH #8: Increased security spending results in greater security. This is false. Organizations often use some sort of metric (or measurement tool) to justify their security spending within an IT budget. This can result in spending more money for security products but not actually building a more secure enterprise. Every company has a unique risk profile that will determine its required security investment. You can't generalize security needs. Instead, establish a risk management profile, manage those risks within a given budget and purchase wisely to meet the needed security level. But don't spend your entire infosec budget on hardware and software technologies. Security is as much a matter of awareness as technology, so be sure to spend appropriately on training and educating your users and customers in how their actions can result in a major network security breach. It's also vital to make security a visible and important part of your organizational culture.

MYTH #9: Wireless networks aren't secure. Wireless is one of the hottest technologies around, but, like other new technologies, it has suffered from a bad reputation. Early wireless networks were considered less secure than wired networks because WEP (Wired Equivalent Privacy) had serious design flaws: its short keys and weak handling of RC4 initialization vectors let an attacker who captured enough traffic recover the key. Today there are methods and technologies to use in place of WEP, such as stronger key exchange and encryption (WPA2 with AES-CCMP), VPNs and authentication servers. A good understanding of the IEEE 802.11i wireless security standard and the 802.1X port-based authentication standard will help you design and configure your wireless network properly. 802.11i has been finalized and products are shipping with this support built in. Although wireless is more exposed than wired networking, since anyone within radio range can receive the traffic, smart IT professionals can make secure and effective use of it by building in additional security, properly managing the rich features found in Wi-Fi products and planning to take advantage of future Wi-Fi security enhancements.

MYTH #10: Dumping Windows for Linux will increase security. The media portrays Linux as a secure alternative to Windows, but will Linux make your enterprise that much more secure? Not really. With proper planning, you can securely deploy either platform. Although far more viruses are written for Windows, Linux isn't in the clear. Linux has an advantage in that it's open source, with a worldwide programming and security community supporting it, but the CERT database lists a steady stream of flaws and fixes for Linux as well. All operating systems have flaws, and an improperly configured Linux server is just as vulnerable as any Windows server.

So, should you dump Windows and migrate to Linux? For the majority of enterprises, the answer is no. While the Linux desktop continues to improve, Windows still has the edge there. And while more software is becoming available for Linux, organizations will have a hard time finding Linux versions of everything they need to run their businesses. The work associated with migrating to Linux--testing applications to see whether they function properly on the platform and retraining users--makes the switch cost-prohibitive and not a viable long-term solution. The better alternative is to use Linux where it performs best: as the underlying OS on appliances and powering high-end workstations and file servers.

Source taken from: http://securitypipeline.com/showArticle.jhtml?articleId=177102317&pgno=5