INFOLINK Tech Talk

1
INFOLINK Tech Talk 3Computer and Network
Security

• Presented by Jeffrey Bombell, American Computer
  Technologies

2
Why do we need security?

• All men by nature desire knowledge
• - Aristotle c. 360 BC
• Knowledge is Power
• - Francis Bacon, 1597
• Forbidden Donut
• - Homer Simpson, 1989

3
Why do we need security?

• 70 of all security violations happen from within
  an organization.
• Of that 70, most attacks are not attacks.
  People make honest mistakes that cause bad things
  to happen.
• Of outside attacks, targets are normally unknown
  to the attacker.
• Most administrators are oblivious to the number
  of attacks that are attempted each day.

4
Overview

• Client Security
• Server Security
• LAN/WAN
• Social Engineering
• Tools
• Developing A Security Plan

5
Client SecurityCurrent State

• Most of the measures in libraries today address
  acceptable use, not security.
• Anti-virus is only as good as its last update.
  Antivirus program updates are released weekly.
• Most 3rd party software based security measures
  can thwarted on Windows 9x and ME systems.

6
Operating Systems Laying the ground work

• Start with an OS that can be hardened easily
• Windows 2000
• Windows XP
• Mac OS-X
• UNIX (Solaris, Linux, BSD)
• Windows 2000/XP
• Always install on a NTFS file system
• Remove all unnecessary programs
• Set Group Policies
• Use PAC from the Bill Melinda Gates Foundation

7
Client Security

• Secure the computer's BIOS
• Install the computer with minimal operating
  system features
• Require user authentication
• Keep the operating system and applications up to
  date with patches
• Install anti-virus software - UPDATES!
• Install desktop security software
• Securely configure applications
• Educate and constantly remind staff about the
  need for security

8
Client SecurityLockdown

• Lockdown software can control the computer at the
  application level and the OS level.
• WINSelect http//www.winselect.comUsing a
  proprietary non-registry lockdown method.Allows
  for customizable restrictions on most features on
  most programs.
• Fortress http//www.fortress.comSimilar to
  WINSelect, Fortress monitors each action the user
  performs and determines if it is authorized or
  not.
• Secure PC http//www.citadel.comSecure PC uses
  registry manipulation as well as direct
  monitoring of application functions.

9
Client SecurityMenu Replacement

• Menu Replacement / Kiosk Software
• Menu replacement software replaces the standard
  windows desktop with a third party program. Menu
  replacement programs replaces the Windows
  interface with their own and present the user
  with a different desktop, usually without the
  Start Menu, Task Bar, etc.
• CARL http//www.tlcdelivers.com
• WinU http//www.bardon.com/winu.htm
• CybraryN http//www.cybraryn.com

10
Client SecurityRoll Back

• Roll Back Gives the ability for users to make
  changes on a system and later revert back to the
  former state.
• DeepFreeze http//www.winselect.com
• CleanSlate http//www.fortress.com
• RestoreIT http//www.farstone.com

11
Server Security

• Same general guidelines as with Client OS
  Hardening. Enable only what is needed.
• Not running a web server, get rid of IIS.
• Limit who has access to Administrator accounts.
• Impliment strong passwords
• Change Passwords Often

12
Central Adminitration

• Terminal Services and Citrix Metaframe
• Move application loading to the server.
• Requires full-time trained IT Staff.
• Implement Active Directory to centrally manage
  group policies on Windows networks.
• Requires Windows 2000 or XP on the client.
• Requires client logons to be enforced.

13
LAN/WAN Security

• Partition the network. Keep the public access
  computers separate from the day to day business.
• xDSL is cheap and more than enough service for
  public access. Verizon DSL starts at 60/mo for
  768Kbps/128Kbps (that is ½ the download speed of
  a T1) up to 205/mo for 7.1Mbps/768Kbps.
• The average T1 circuit and service is _at_ 600/mo

14
LAN/WAN Security

• Firewall
• Separate DMZs for public and private networks
• Content Filtering
• Application Filtering
• Disallow access to harmful or disruptive internet
  applications.
• Policy Enforcement

15
Social Engineering

• What the _at_! is Social Engineering.
• Social Engineering is generally a hackers clever
  manipulation of the natural human tendency to
  trust.
• http//www.securityfocus.com

16
True Stories From ComputerWorld Shark Tank

• Pilot fish quits his county government job but
  still has his e-mail account to help during the
  transition. Then he receives a message from a new
  IT guy, asking all users with remote access for
  their phone numbers, log-ins and passwords. "I
  hoped all the users I had repeatedly schooled in
  security would refuse to respond," says fish. But
  one department head not only e-mails his
  password, but also clicks on "Reply to all," fish
  says -- "so every user in the county got
  themessage."
• http//www.computerworld.com/departments/opinions/
  sharktank

17
Social Engineering

• Teach your employees who is authorized to gather
  information about your systems.
• Teach your employees what information should
  never be released.
• Employees passwords are for their use only. No
  one else should ever need it.
• Administrators have their own passwords that
  allow them to do anything you can do.

18
Security Tools

• TRINUX - http//trinux.sourceforge.net/ -
  Trinux is a ramdisk-based Linux distribution
  that boots from a single floppy or CD-ROM, Trinux
  contains the latest versions of popular Open
  Source network security tools for port scanning,
  packet sniffing, vulnerability scanning, sniffer
  detection, packet construction, active/passive OS
  fingerprinting, network monitoring,
  session-hijacking, backup/recovery, computer
  forensics, intrusion detection, and more.
  Trinux gives you the power of Linux security
  tools without requiring a full-blown Linux
  install or the need to download, compile,
  install, and update a complete suite of security
  tools that are typically not found in mainstream
  distributions.
• TRINUX is FREE and is on your CD
• \Network Security\TRINUX

19
Security Tools

• Internet Security Scanner http//www.iss.net
• A suite of producs for security assessment and
  active security scanning of clients, servers and
  network.Will evaluate systems for open holes,
  security patches strong passwords, etc.
• Cost may be prohibitive for a single library.

20
Security Policy Components

• Objective or Abstract
• Scope
• Responsibilities
• Physical Security
• Network Security
• Software Control
• Disaster Planning
• Acceptable Use Policy
• Security Awareness
• Compliance
• http//www.infopeople.org/howto/security/basics/se
  curity_policies.html

21
Objective or Abstract

• The Objective or Abstract should be a mission
  statement that defines objectives of the policy.
  It summarizes what types of assets are important,
  what is the need to protect them, and summarizes
  procedures to be followed to protect assets.

22
Scope

• The Scope defines the specific assets to be
  protected by the policy, based on the Risk
  Assessment. It also defines who must follow the
  policy, such as members of the public, employees,
  outside contractors, and vendors.

23
Responsibilities

• The Responsibilities component describes who is
  responsible for protecting assets defined in the
  scope, and how. It generally outlines users'
  security responsibilities, but it can also
  include roles of particular users, such as IT
  department managers and administrators.

24
Physical Security

• The Physical Security section states how the
  library will physically protect its facility and
  assets. It should also state who has access to
  restricted areas, such as server rooms and
  telecommunications closets.

25
Network Security

• Network Security states how the library will
  protect data stored on the network(s). It should
  include information on
• Workstation security
• Access control and authentication
• Securing of file systems
• Backups and restoring backups
• Remote access
• Network monitoring
• Port restrictions
• Filtering
• Firewalls, proxy servers and border routers

26
Software Control

• Software controls should should be in place
  stating how your organization uses commercial and
  noncommercial software. It should describe
• Procedures for the purchase of software
• Procedures for installing software,
• Procedures for downloading software from the
  Internet

27
Disaster Planning - Hardware

• List all critical assets
• Complete a detailed hardware inventory with
  hardware specifications needed for critical
  assets
• Compile a list of the personnel, including
  contact information, needed to restore service.
• Establish a restore priority.
• May include vendors

28
Disaster Plan - Software

• Estabish a data backup plan.
• Determine need for off-site storage locations,
  contact information
• Compile information on what is backed up and
  when.
• Compile a list of personnel, including contact
  information, needed to restore data.
• Estabish a restore priority.
• May Include Vendors

29
Acceptable Use Policy

• An Acceptable Use Policy details the ways in
  which
• The network can be used, including use of the
  Internet
• Patrons may use the computers
• Computer use limitations are imposed (such as
  time constraints or filtering restrictions)
• Handling violations to the Acceptable Use Policy.

30
Security Awareness

• Security Awareness outlines what level of
  awareness of security issues staff are expected
  to have. This should include some information
  on new user training of security issues. This
  is one of the most important parts of a security
  policy. This will help stop any social
  engineering efforts before they happen.

31
Additional Information

• The SANS Institute http//www.sans.org/resources
  /policies/
• Computer Emergency Response Center -
  http//www.cert.org
• Symantec Antivirus Research Center -
  http//www.sarc.com
• Security Focus - http//www.securityfocus.com/

32
(No Transcript)