Issue of June 2005 
Security checks for the CEO

Here's how non-technical executives can spot-check security, from the front door to the backbone.

By Jeff Hurmuses

How secure is your corporate infrastructure? That's tough to measure. But if your network is breached, customers, shareholders, and board members will blame you, the senior executive.

Here is an exercise that can help you gather concrete data on how well prepared your organisation is to respond to unexpected network emergencies, and on how to make your defences genuinely tougher. The time to test your infrastructure is not during an emergency, but well before one.

11 security buttons

Let me take you through 11 information security areas to help you identify the strengths and weaknesses.

Message security

How much are spam e-mail messages costing you? Calculate this formula to find out: (n x 15) x E x A = labour cost, where n is the number of spam messages each person receives per day, 15 is the number of seconds it takes to identify a message as spam and discard it, E is the number of employees, and A is the average hourly wage (convert the seconds to hours before multiplying by the wage).

Example. Assuming you personally receive 30 spam messages per day and there are 50 employees in your company:

30 messages x 15 seconds (time to identify each message as spam and discard it) = 450 seconds per employee per day. Divide by 60 to convert to minutes: 7.5 minutes. Multiply by 50 employees: 375 minutes. Divide by 60 to convert to hours: 6.25 hours. Multiply 6.25 hours by the average hourly wage, and the product is the total daily labour cost of spam on your network.

There are additional resource costs. Spam takes up some amount of space on your e-mail server. This pushes hardware and maintenance costs up because your e-mail system has to handle both the good and bad e-mail until the bad is discarded.

Clearly, spam is more than an annoyance. Spam and viruses are beginning to converge in scary new ways, so the problem will only get worse.

Employees and physical security

Are your employees helping or hindering physical security? An e-mail list for security consultants described a business that had installed imposing new biometric security devices on the external doors, including fingerprint and retina scanners.

The business hired a consultant to see if he could defeat the new security measures. He did so by observing where the company's smokers hung out and following them back into the office; one employee even held the door open for him.

To see if your facility is vulnerable to this type of 'social engineering', ask a friend to try to walk into your company's LAN room or another sensitive area, and see how far he or she gets.

MBWA to the LAN room

Have you applied your MBWA to the LAN room? Many top-flight CEOs praise the value of 'MBWA' (Management By Walking Around). Walk into the LAN room and check for any obvious problems.

Here are the things to look for:

Was the door locked? - It should have been. LAN rooms are no place for casual visitors.

Is wiring organised and labelled? - An unlabelled wire can be mistaken for something unimportant and inadvertently unplugged. Then whatever that wire is attached to is no longer available to the network. Time will also be lost if you need to sort through a tangle of electrical spaghetti to figure out what's what.

Further, poorly placed extension cords and power strips can create a tripping hazard, and can proliferate until a circuit overloads. Cable-ties and other cable-organising helps are cheap and provide excellent ROI.

Are your servers labelled? - Each server should be clearly labelled with its function so your staff or an outside helper will not burn billable time trying to figure out the set-up in an emergency. In addition, IT staff should keep a change log that records what they do each time they log in to a server, if they are not doing so already.

This speeds the process of learning who made a regrettable change, or noticing the symptoms of a change and verifying whether it was authorised.

Do server screen-savers require a password? - Sometimes workers need to stay logged into a server over some period of time. But if that server is unattended, an unauthorised person can accidentally destroy or intentionally steal the crown jewels of your company's data.

The best way to secure the server in this case is to set up a screen saver that activates automatically after a few minutes, and requires a password before allowing further access.

Are you hot or cold? - Server rooms generate a lot of heat. If servers get too hot, they can lock up, reboot, or power off. If your LAN room is just a closet, at least ensure there's ventilation.

Where are the backup discs? - If all of your backup discs are in one room, whatever happens to that room also happens to those discs. It is best to hire a third party to store them in a safe place. And by the way, has anyone recently performed a 'restore' from those backups, to verify they really work? Be sure to ask.

Do business-critical machines have a working backup? - To determine whether your network has a single point of failure, disconnect a server from the network during a slow period and see what happens. Don't make this risky move lightly. But as part of a planned drill, it can yield valuable intelligence about whether your business continuity measures truly work.

Operational issues - vulnerability assessment

Have you performed a recent vulnerability assessment? What did it find? To an attacker, your network is merely a target of opportunity; to you, it's the lifeblood of your business. Doesn't it make sense to know at least as much about your network's weak spots as an attacker does?

The Code Red worm (which had an estimated worldwide economic impact of US$2.62 billion) and the SoBig worm (estimated worldwide economic damage, US$29.7 billion) exploited well-known holes in common applications. The aftermath left some organisations with servers offline for days.

Anti-virus signatures

When were your anti-virus signatures last updated? Since each new computer worm or virus is really a small computer program, each individual virus has its own distinctive code.

Anti-virus vendors refer to recognisable patterns in that code as 'signatures'. All of the major anti-virus vendors release new signatures at least weekly, but that helps you only if you have added the downloadable signatures to your anti-virus software. It's vital that all of your systems are protected with the most up-to-date signatures.

Firewall logs

What can you learn from your firewall logs? Ask your firewall expert to bring in the latest firewall logs and explain to you what they say.

  • "What does this log entry mean?"
  • For trending data on attacks: "What attacks have been denied this week?"
  • "How long do you keep old log files?"
  • "When the hard drive space allotted to the logs fills up, what does the system do about it?"

Make sure you understand what your staff is telling you about the attacks that your firewall blocks. Log analysis can be complex and utterly boring. It's also vital, because it indicates whether your public-facing network is defending itself. Consider reviewing logs with your staff sporadically, to keep your finger on the pulse of your network defences and to motivate staff to stay attentive.

Useless Web sites

Is access to useless Web sites blocked? Due to legal liabilities, some Web sites should never be accessible from the corporate network. Even in the most permissive environments, you run real risks by not controlling access to Web content. Perhaps it's time to put stronger measures in place. Content filtering software will help you know, and control, who's surfing where.

P2P clients

Can you download and install a P2P client? P2P stands for 'peer to peer' file-sharing software. Stopping P2P is as tough as a game of 'whack-a-mole', because it's designed to sneak through firewalls by masquerading as legitimate Web traffic.

The Recording Industry Association of America (RIAA) has recently started suing people who illicitly download songs protected by copyright. If employees are downloading music or movies on your network, you are exposed to that risk. As with most undesirable network behaviours, the best way to manage it is with a policy first, using technology second to track compliance and keep honest employees honest.

Password changes

When were you last asked to change your password? If you haven't been forced to change it in more than 90 days, ask why. Password theft is the easiest and most direct way to access your information. You are exposed to the risk of someone stealing your identity on the network if you have a weak password or a password you rarely change, or a password written on paper and 'hidden' around your workstation.

There are numerous easy, low-cost ways to enforce password changes at reasonable intervals; some are built into the operating system of your computers. In general, the easiest way to choose a strong yet memorable password is to use a passphrase rather than just a password.

Adherence to policy

Ask to review your business continuity plan, document retention plan, disaster recovery plan and security policy.

Prepare a security policy if you have not done so. Assess what your true needs are and scale your efforts to meet those needs (i.e., don't spend a dollar in overhead to protect a nickel in assets).

Security vs. convenience

'Security' and 'convenience' are like a teeter-totter. If one goes up, the other goes down. The goal of network security is security that supports your business mission. You know the drill: plan the work, then work the plan. Set realistic policies, then lead the way.

Not rocket science

The secret of network security is that it's not rocket science. Most experts will tell you network security is the responsibility of every person on the network. That's true. However, if the network is breached, customers, shareholders, and board members will not blame the employee sneakily downloading Eminem MP3s. They'll look for you and demand an explanation.

So whether on behalf of your business, or in the cause of enlightened self-interest, press a few security buttons. The results will help you cut through any 'yes men' ear-tickling and empower you to lead an organisation prepared to handle networking emergencies, not just in theory, but in fact.

The author is the Managing Director Asia Pacific at WatchGuard Technologies

Indian Express - Business Publications Division