From: InfoSec News (isn@c4i.org)
Date: Thu Apr 18 2002 - 02:24:35 CDT
http://eprairie.com/news/viewnews.asp?newsletterID=3585
[I just love this fellow's password policy, I wonder how often he
changes his toothbrush? - WK]
James Carlini
4/16/2002
CHICAGO - Since September 11, many organizations have taken a second
look at their readiness for a disaster. They have realized either that
they are not prepared for a major catastrophe or that they have
underestimated what they really need. Are you and your organization
prepared?
In the aftermath, some are also discovering that they could do a
better job at both network and physical security. Many have found that
security needs a larger budget as well as higher authority within the
organization. This has not taken on the magnitude of the Y2K effort,
but some are focusing on it heavily.
The problem with some organizations today is that they have not
brought their basic security up to where it should be. The ones that
have did so because senior management pushed the issue, prompted by
all the press coverage and the raised "sensitivity" to security.
Others have yet to review the wide gaps in their security, or their
awareness of weaknesses in their network or application design. The
"that can't happen to us" attitude is taking hold in the minds of some
executives.
At one company, every person had the same rights assigned to them as
the systems administrator so they could "get around the system
easily". This goes against the recommendation of every network
software maker and security consultant, all of whom clearly say that
file access should be limited or restricted on a "need-to-know" basis.
At another company, in the financial industry, every user has open
access to trades and other sensitive materials. What happens if the
trades get changed? Who is liable?
Are Any Platforms Safer?
Many other companies give users broad access that is overlooked by
systems administrators who are more worried about having an "easy
system" to work on.
Many managers think that certain types of operating systems and/or
software are going to make them invincible to outside hacker attacks.
The truth is, all of them have their vulnerabilities and none are
100-percent bulletproof. Some managers are finding this out the hard
way.
Some problems do not originate from the type of operating system you
use. The real problems stem from lazy or poorly trained systems
administrators. Many organizations can step up their security by
making sure their systems administrators are doing a better job.
Another area is poor password enforcement. Easy passwords make for
easy access: "TOM" or "LEXUS" is a lot easier to guess than
"JH2?$aL" or "$Ee!DFj6". Again, the systems administrator needs to do
a more effective job and must be given the support of upper management.
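To show why "TOM" and "LEXUS" are weak where "JH2?$aL" is not, here is a small password-policy check in Python. It is an added example written for this page, not the author's code or any product's policy engine; the word list, the seven-character minimum, the three-character-class rule and the brute-force entropy estimate are all assumptions chosen for the example.

```python
import math
import re

# Constructed stand-in for a cracking dictionary; a real check would load a
# full wordlist (tens of thousands of entries), not these few words.
COMMON_WORDS = {"tom", "lexus", "password", "letmein", "admin", "welcome", "chicago"}

MIN_LENGTH = 7      # assumed policy value for this example
MIN_CLASSES = 3     # assumed: at least three of lower/upper/digit/symbol

# Character classes and the alphabet size each contributes to a brute-force estimate.
CLASS_PATTERNS = {
    "lower": (r"[a-z]", 26),
    "upper": (r"[A-Z]", 26),
    "digit": (r"[0-9]", 10),
    "symbol": (r"[^A-Za-z0-9]", 33),   # printable ASCII punctuation
}


def classes_used(pw):
    """Names of the character classes that actually appear in pw."""
    return [name for name, (pat, _) in CLASS_PATTERNS.items() if re.search(pat, pw)]


def estimated_bits(pw):
    """Brute-force work estimate: log2(alphabet ** length) for the classes present.
    This is an upper bound; a dictionary word is found far faster in practice."""
    used = classes_used(pw)
    alphabet = sum(size for name, (_, size) in CLASS_PATTERNS.items() if name in used)
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def check_password(pw, words=COMMON_WORDS):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = pw.lower()
    # Strip digits and punctuation so "lexus99!" is still caught as a dictionary word.
    letters_only = re.sub(r"[^a-z]", "", lowered)
    if lowered in words or letters_only in words:
        problems.append("dictionary word")
    if len(classes_used(pw)) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    return problems


if __name__ == "__main__":
    for candidate in ("TOM", "LEXUS", "lexus99!", "JH2?$aL", "$Ee!DFj6"):
        verdict = check_password(candidate) or "ok"
        print(f"{candidate!r:12} {estimated_bits(candidate):5.1f} bits  {verdict}")
```

The dictionary test is the one that matters most: "lexus99!" satisfies the length and character-class rules yet still fails, because a cracker tries common words with digit and symbol suffixes long before it tries random strings.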
Protecting Your Assets
No one is ever going to have 100-percent protection from every
possible disaster or intrusion. There will always be some contingency
that was not planned for. However, by doing some fundamental things,
you can avoid or at least minimize problems.
You can make systems harder to penetrate in several ways.
First, limit outside access to your system by turning off unneeded
services and closing their network ports. (There are many books and
guides on how to do this.) This reduces the "opportunities" hackers
have to get into your system. It is not done nearly enough, and many
systems administrators do not get the full benefit of this safeguard.
Second, limit rights, privileges and access to the files on the
system. This sounds basic, yet I have recently run across several
organizations that have left their systems wide open for their
internal people to use. While one could say it is easier to use, it is
also easier to create a major disaster. Employees, as well as outside
hackers who get into those employees' user IDs, can cause a lot of
damage.
Third, get the systems administrator to start looking at the logs the
system generates. These logs provide a wealth of information: who
logged in, when, for how long, and how many "attempts" were made to
access the system under a given user ID. You can pinpoint invalid and
excessive attempts and shut that user ID down. You can often tell
where the access is originating as well. Many systems administrators
either don't bother to look or have no idea where to look.
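As an added example (not part of the original article), here is a small Python script that does the kind of log review described above over a few constructed syslog-style lines: it counts failed attempts per user ID and per source address, names the IDs that have crossed an assumed lockout threshold, and works out session length from login/logout pairs. The log format, the five-failure threshold and the sample lines are all assumptions made for the example; a real deployment would read the authentication log its own system writes.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in a syslog-style format; not taken from any real system.
SAMPLE_LOG = """\
Apr 16 08:02:11 host1 login: Accepted password for alice from 10.1.2.3
Apr 16 08:55:40 host1 login: Session closed for alice
Apr 16 09:10:01 host1 login: Failed password for bob from 10.1.2.9
Apr 16 09:10:05 host1 login: Failed password for bob from 10.1.2.9
Apr 16 09:10:09 host1 login: Failed password for bob from 10.1.2.9
Apr 16 09:10:14 host1 login: Failed password for bob from 10.1.2.9
Apr 16 09:10:19 host1 login: Failed password for bob from 10.1.2.9
Apr 16 09:10:25 host1 login: Failed password for bob from 10.1.2.9
Apr 16 09:12:00 host1 login: Failed password for carol from 192.0.2.77
Apr 16 09:12:04 host1 login: Failed password for carol from 192.0.2.77
Apr 16 09:30:00 host1 login: Accepted password for carol from 10.1.2.5
this line is noise and does not match the format
"""

# Assumed line layout: "<Mon DD HH:MM:SS> <host> login: <event> for <user>[ from <src>]"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) login: "
    r"(?P<event>Accepted password|Failed password|Session closed) for (?P<user>\S+)"
    r"(?: from (?P<src>\S+))?$"
)

MAX_FAILURES = 5   # assumed lockout threshold for this example


def parse(log_text, year=2002):
    """Turn matching lines into event dicts; lines that do not fit the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so one is supplied by the caller.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "event": m["event"], "user": m["user"], "src": m["src"]})
    return events


def failures_by_user(events):
    """How many failed attempts were made against each user ID."""
    return Counter(e["user"] for e in events if e["event"] == "Failed password")


def failure_sources(events):
    """user -> Counter of source addresses behind the failed attempts (where access originates)."""
    sources = defaultdict(Counter)
    for e in events:
        if e["event"] == "Failed password":
            sources[e["user"]][e["src"]] += 1
    return sources


def accounts_to_lock(events, limit=MAX_FAILURES):
    """User IDs whose failed-attempt count has reached the threshold and should be shut down."""
    return sorted(u for u, n in failures_by_user(events).items() if n >= limit)


def session_durations(events):
    """user -> list of session lengths in minutes, pairing each accepted login with the next close."""
    open_sessions = {}
    durations = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] == "Accepted password":
            open_sessions[e["user"]] = e["ts"]
        elif e["event"] == "Session closed" and e["user"] in open_sessions:
            start = open_sessions.pop(e["user"])
            durations[e["user"]].append((e["ts"] - start).total_seconds() / 60)
    return durations


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("failed attempts per user:", dict(failures_by_user(ev)))
    for user, srcs in failure_sources(ev).items():
        print(f"  {user}: failures from {dict(srcs)}")
    print("lock these IDs:", accounts_to_lock(ev))
    for user, mins in session_durations(ev).items():
        print(f"  {user} session lengths (min): {[round(m, 1) for m in mins]}")
```

Two details are worth noting. Carol's two failures come from an address outside the internal range while her successful login comes from inside, which is exactly the "where is the access originating" question the article raises, and a threshold counted per user ID alone will also lock out a legitimate user when an outsider hammers their ID, so in practice the per-source count is used to block the source as well as the account.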
Fourth, step up password enforcement to include users changing their
passwords every 50 to 90 days. All in all, some of these easy "fixes"
will produce much stronger intrusion detection and prevention.
-------------------------------------------------------------------
James Carlini is president of Carlini & Associates, a management
consulting firm focusing on developing marketing strategies and
applications of strategic integrated information, as well as
litigation support. He is also an adjunct professor in the
Communications Systems Program, Executive Masters Program at
Northwestern University. He can be reached at carlini@northwestern.edu
or (773) 370-1888.
ISN is currently hosted by Attrition.org