Security checks for the CEO
How non-technical executives can spot-check security, from the front door to
the backbone. By Jeff Hurmuses
How secure is your corporate infrastructure? That's tough to measure. But if
your network is breached, customers, shareholders, and board members will blame
you, the senior executive.
Here is an exercise that can help you gather concrete data on how well prepared
your organisation is to respond to unexpected network emergencies, and on how
to make your defences genuinely tougher. The time to test your infrastructure
is not during an emergency, but well before one.
11 security buttons
Let me take you through 11 information security areas to help you identify the
strengths and weaknesses.
How much are spam e-mail messages costing you? Calculate this formula to find
out: (n x 15) x E x A = labour cost, where n is the number of spam messages
each employee receives per day, 15 is the seconds spent dealing with each one,
E is the number of employees and A is the average hourly wage (convert the
seconds to hours before multiplying by the wage, as the example shows).
Example. Assume you personally receive 30 spam messages per day and there are
50 employees in your company:
30 messages x 15 seconds (time to identify each message as spam and discard
it) = 450 seconds per employee per day. Divide by 60 to convert to minutes:
7.5 minutes. Multiply by 50 employees: 375 minutes. Divide by 60 to convert
to hours: 6.25 hours. Multiply by the average hourly wage; the product is the
total daily labour cost of spam on your network.
There are additional resource costs. Spam takes up some amount of space on your
e-mail server. This pushes hardware and maintenance costs up because your e-mail
system has to handle both the good and bad e-mail until the bad is discarded.
Clearly, spam is more than an annoyance. Spam and viruses are beginning to converge
in scary new ways, so the problem will only worsen.
Employees and physical security
Are your employees helping or hindering physical security? An e-mail list for
security consultants described a business that had installed imposing new biometric
security devices on the external doors, including fingerprint and retina scanners.
The business hired a consultant to see if he could defeat the new security measures.
He did so by observing where the company's smokers hung out and following them
back to the office; one employee even held the door open for him.
To see if your facility is vulnerable to this type of 'social engineering',
ask a friend to try to walk into your company's LAN room or another sensitive
area and see how far he or she gets.
MBWA to the LAN room
Have you applied your MBWA to the LAN room? Many top-flight CEOs praise the
value of 'MBWA' (Management By Walking Around). Walk into the LAN room and check
for any obvious problems.
Here are the things to look for:
Was the door locked? - It should have been. LAN rooms are no place for casual
Is wiring organised and labelled? - An unlabelled wire can be confused with something
unimportant, and can be inadvertently unplugged. Then whatever that wire is
attached to is not available to the network. Time will also be lost if you need
to sort through a tangle of electrical spaghetti to figure out what's what.
Further, poorly placed extension cords and power strips can create a tripping
hazard, and can proliferate until a circuit overloads. Cable ties and other
cable-organising aids are cheap and provide excellent ROI.
Are your servers labelled? - Each server should be clearly labelled with its
function so your staff or an outside helper will not burn billable time trying
to figure out the setup in an emergency. In addition, IT staff should keep a
change log recording what they do each time they log in to a server, if they
are not doing so already.
This speeds the process of learning who made a regrettable change, or noticing
the symptoms of a change and verifying whether it was authorised.
Do server screen-savers require a password? - Sometimes workers need to stay
logged into a server over some period of time. But if that server is unattended,
an unauthorised person can accidentally destroy or intentionally steal the crown
jewels of your company's data.
The best way to secure the server in this case is to set up a screen saver that
activates automatically after a few minutes, and requires a password before
allowing further access.
Are you hot or cold? - Server rooms generate a lot of heat. If servers get too
hot, for example, they can lock up, reboot, or power off. If your LAN room is
just a closet, at least ensure there's ventilation.
Where are the backup discs? - If all of your backup discs are in one room, whatever
happens to that room also happens to those discs. It is best to hire a third
party to store them in a safe place. And by the way, has anyone recently performed
a 'restore' from those backups, to verify they really work? Be sure to ask.
Do business-critical machines have working backup? - To determine whether your
network has a single point of failure, during a slow period, disconnect a server
from the network and see what happens. Don't do this risky move lightly. But
as a part of a planned drill, it can yield valuable intelligence about whether
your business continuity measures truly work.
Operational issues - vulnerability assessment
Have you performed a recent vulnerability assessment? What did it find? To an
attacker, your network is merely a target of opportunity; to you, it's the lifeblood
of your business. Doesn't it make sense to know at least as much about your
network's weak spots as an attacker does?
The Code Red worm (which had an estimated worldwide economic impact of US$2.62
billion) and the SoBig worm (estimated worldwide economic damage, US$29.7 billion)
exploited well-known holes in common applications. The aftermath left some organisations
with servers offline for days.
When were your anti-virus signatures last updated? Since each new computer worm
or virus is really a small computer program, each individual virus has unique
code.
Anti-virus vendors refer to recognisable patterns in the code as 'signatures'.
All of the major anti-virus vendors release new signatures at least weekly,
but that helps you only if you have added the downloadable signatures to your
anti-virus software. It's vital that all of your systems are protected with
the most up-to-date signatures.
What can you learn from your firewall logs? Ask your firewall expert to bring
in the latest firewall logs and explain to you what they say.
- What does this log entry mean?
- For trending data on attacks: "What attacks have been denied this week?"
- How long does your firewall expert keep old logs?
- When the hard drive space allotted to the logs fills up, what does the system
do about it?
Make sure you understand what your staff is saying about the attacks that your
firewall blocks. Log analysis can be complex and utterly boring. It's also vital,
because it indicates whether your public-facing network is defending itself.
Consider reviewing logs with your staff sporadically, to keep your finger on the
pulse of network defences and to motivate staff to stay attentive.
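The questions above (what an entry means, what was denied this week, how much log history is kept) can be answered from the logs themselves. The script below is an added example, not code from the article or from any firewall vendor: it parses a constructed, generic 'timestamp ACTION PROTO src:port -> dst:port' format (real products use their own syntax, so parse_line() would need adapting), counts denied connections per day and per destination port, and reports how many days of history the log covers so it can be compared against the retention policy. The sample lines and addresses are constructed for the demonstration.

```python
"""Summarise firewall deny events to answer the questions a CEO should ask.

Added example, not from the original article. The log format is a constructed
generic one; adapt LINE_RE and parse_line() to your own firewall's syntax.
"""
import re
from collections import Counter
from datetime import date, datetime

# Constructed sample log lines (documentation address ranges, not real hosts).
SAMPLE_LOG = """\
2004-03-01T08:12:05 DENY TCP 203.0.113.7:44123 -> 192.0.2.10:445
2004-03-01T08:12:06 DENY TCP 203.0.113.7:44124 -> 192.0.2.10:139
2004-03-01T09:30:11 ALLOW TCP 198.51.100.4:51000 -> 192.0.2.10:443
2004-03-02T02:15:40 DENY UDP 203.0.113.9:1029 -> 192.0.2.10:1434
2004-03-02T02:15:41 DENY UDP 203.0.113.9:1029 -> 192.0.2.11:1434
2004-03-03T14:02:00 DENY TCP 203.0.113.7:44200 -> 192.0.2.12:445
garbled line that should be skipped, not crash the report
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict for one log entry, or None if the line is not parseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.fromisoformat(entry["ts"])
    entry["sport"] = int(entry["sport"])
    entry["dport"] = int(entry["dport"])
    return entry


def describe(entry):
    """Plain-language reading of one entry: 'what does this log entry mean?'"""
    verb = "blocked" if entry["action"] == "DENY" else "allowed"
    return (f"{entry['ts']:%Y-%m-%d %H:%M}: the firewall {verb} a {entry['proto']} "
            f"connection from {entry['src']} to port {entry['dport']} on {entry['dst']}")


def summarise(log_text, today):
    """Answer the trending and retention questions from the article.

    Returns denied counts per day, the most-hit destination ports, and how many
    days of history the log holds (to compare against the retention policy).
    """
    lines = log_text.splitlines()
    entries = [e for e in map(parse_line, lines) if e]
    denied = [e for e in entries if e["action"] == "DENY"]
    per_day = Counter(e["ts"].date().isoformat() for e in denied)
    ports = Counter(f"{e['proto']}/{e['dport']}" for e in denied)
    oldest = min(e["ts"].date() for e in entries) if entries else None
    return {
        "parsed": len(entries),
        "skipped": len(lines) - len(entries),   # unparseable lines are reported, not hidden
        "denied_total": len(denied),
        "denied_per_day": dict(sorted(per_day.items())),
        "top_ports": ports.most_common(3),
        "history_days": (today - oldest).days if oldest else 0,
    }


if __name__ == "__main__":
    report = summarise(SAMPLE_LOG, today=date(2004, 3, 7))
    for key, value in report.items():
        print(f"{key}: {value}")
    print(describe(parse_line(SAMPLE_LOG.splitlines()[0])))
```

The 'skipped' count matters in review: a log where many lines fail to parse may mean the format changed or the device is writing something the analysis tool no longer understands, which is itself worth a question to your firewall expert.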
Useless Web sites
Is access to useless Web sites blocked? Due to legal liabilities, some Web sites
should never be accessible from the corporate network. Even in the most permissive
environments, you run real risks by not controlling access to Web content. Perhaps
it's time to put stronger measures in place. Content filtering software will
help you know, and control, who's surfing where.
Can you download and install a P2P client? P2P stands for 'peer to peer' sharing
software. Stopping P2P is as tough as 'whack-a-mole', because it's designed
to sneak through firewalls by masquerading as legitimate Web traffic.
The Recording Industry Association of America (RIAA) has recently started suing
people who illicitly download songs protected by copyright. If employees are
downloading music or movies on your network, you are exposed to that risk. As
with most undesirable network behaviours, the best way to manage it is with
a policy first, using technology second to track compliance and keep honest
When were you last asked to change your password? If you haven't been forced
to change it in more than 90 days, ask why. Password theft is the easiest and
most direct way to access your information. You are exposed to the risk of someone
stealing your identity on the network if you have a weak password or a password
you rarely change, or a password written on paper and 'hidden' around your workstation.
There are numerous easy, low cost ways to enforce password changes at reasonable
intervals; some are built into the operating system of your computers. In general,
the easiest way to choose a strong yet memorable password is to use a pass phrase
rather than just a pass word.
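One of the operating-system mechanisms the paragraph refers to is password ageing. The script below is an added example, not from the article: it reads Linux-style /etc/shadow records (an assumption about the platform; the format is name:hash:lastchg:min:max:..., where 'lastchg' is the day of the last password change counted in days since 1970-01-01 and 'max' is the maximum password age in days, empty meaning never expires) and lists every active account that either has no enforced maximum within the 90-day limit or whose password is already older than that. The records and hashes are constructed placeholders.

```python
"""Find accounts whose password rotation breaks the 90-day policy.

Added example, not from the original article. Assumes Linux-style shadow
records; on a real system this would read /etc/shadow (root only).
"""
from datetime import date

POLICY_MAX_DAYS = 90            # the article's threshold
EPOCH = date(1970, 1, 1)        # shadow 'lastchg' counts days from here

# Constructed sample records; the hashes are placeholders, not real hashes.
SAMPLE_SHADOW = """\
ceo:$6$PLACEHOLDER:12400:0:90:7:::
cfo:$6$PLACEHOLDER:12000:0:90:7:::
admin:$6$PLACEHOLDER:11800:0::7:::
svc-backup:*:12400:0:90:7:::
"""


def days_since_epoch(day):
    """Convert a calendar date to the day count used by the shadow file."""
    return (day - EPOCH).days


def parse_shadow(text):
    """Yield (user, hash, last_change_day or None, max_days or None) per record."""
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) < 5:
            continue                        # malformed record: skip rather than guess
        name, pw_hash, lastchg, _min_age, max_age = fields[:5]
        yield (name, pw_hash,
               int(lastchg) if lastchg else None,
               int(max_age) if max_age else None)


def password_findings(text, today, policy_max=POLICY_MAX_DAYS):
    """Return {user: reason} for every account that breaks the rotation policy."""
    findings = {}
    today_days = days_since_epoch(today)
    for name, pw_hash, lastchg, max_age in parse_shadow(text):
        if pw_hash == "*" or pw_hash.startswith("!"):
            continue                        # locked account: nothing to rotate
        if max_age is None or max_age > policy_max:
            findings[name] = f"no enforced maximum age within {policy_max} days"
            continue
        if lastchg is None:
            continue
        age = today_days - lastchg
        if age > policy_max:
            findings[name] = f"password is {age} days old (limit {policy_max})"
    return findings


if __name__ == "__main__":
    for user, reason in password_findings(SAMPLE_SHADOW, date(2004, 1, 1)).items():
        print(f"{user}: {reason}")
```

Two kinds of finding come out: an account whose password is simply old, and an account where nobody would ever be asked to change it because no maximum is set. The second is the one the paragraph's "ask why" is aimed at, since it is a configuration gap rather than a user's oversight.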
Adherence to policy
Ask to review your business continuity plan, document retention plan, disaster
recovery plan and security policy.
Prepare a security policy if you have not done so. Assess what your true needs
are and scale your efforts to meet those needs (i.e., don't spend a dollar in
overhead to protect a nickel in assets).
Security vs. convenience
'Security' and 'convenience' are like a teeter-totter. If one goes up, the other
goes down. The goal of network security is security that supports your business
mission. You know the drill: plan the work, then work the plan. Set realistic
policies, then lead the way.
Not rocket science
The secret of network security is that it's not rocket science.
Most experts will tell you network security is the responsibility of every person
on the network. That's true. However, if the network is breached, customers,
shareholders, and board members will not blame the employee sneakily downloading
Eminem MP3s. They'll look for you and demand an explanation.
So whether on behalf of your business, or in the cause of enlightened self-interest,
press a few security buttons. The results will help you cut through any 'yes
men' ear-tickling and empower you to lead an organisation prepared to handle
networking emergencies, not just in theory, but in fact.
The author is the Managing Director Asia Pacific at WatchGuard