Abaara topic: Computer security policy

Computer security policy

Computer security is an ongoing process - 24/7/365 days a year. Developing and maintaining an effective computer policy involves dealing with the causes of security breaches and not the symptoms.

Computer security is not

  • Something provided by a product.
  • Denying access to services on a computer or network.

Computer security is

  • Measuring productivity against limiting the functionality of computers and networks.
  • Developing and maintaining a dynamic and ongoing security policy.
  • Knowing the “weakest link” of your system or network.
  • Assessing and maintaining a risk management policy for hardware, software and the people who use it.
  • Researching new security issues and adapting your policies without degrading the performance of computers and networks.
  • Managing physical access to PC(s) or laptop(s).
  • Doing all of the above, without causing disruption and inconvenience to those who rely on your network.

Overview

A sound security policy should include, but not be limited to, regularly checking for software updates and security patches, installing them where and when appropriate, and maintaining a firewall and anti-virus policy. NOTE: Firewall and anti-virus products can lend a false sense of security. Managing risks and weakest links will minimise security breaches while maximising productivity and performance. The most effective methodology in computer security is to assert and maintain an intelligent policy that risk-manages workstation use and functionality without inflicting a denial of service on the people who rely on access to your computer or network.

Example of an internal security issue

During the Sasser worm outbreak in spring 2004, “Sampo”, Finland’s third largest bank, closed 130 of its branches and offices on the grounds that its network might be vulnerable to the worm. Most security issues are internal, and in this case the bank self-inflicted a denial of service on its customers and staff based on mass hysteria. Do not react to security issues by damaging the functionality and productivity of your own corporate or home network.

Tips

The majority of software from the Internet is safe, since vendors would not risk their reputation by bundling their products with malware. Users should, however, endeavour to question the purpose of software before installing it. Does the machine really need the program, and how often will it be used? Will the software degrade the performance of the computer, open ports, or change file permissions?

Sometimes software can contain a device driver that is not certified by Microsoft, which can damage a system by overwriting existing drivers. Windows XP will notify users if an attempt is made to install incompatible drivers. Damage to operating systems owing to bad drivers can lead to data corruption and system-wide failure.

The use of a poorly coded software installer can lead to something called "dll-hell". Dynamically Linked Library (DLL) files are shared by many programs and processes at the same time. Installing poorly coded software can lead to the overwriting of newer DLL files with older ones. If the software is uninstalled, it is possible that DLL files on which other processes depend will be deleted. If a system process requires the missing DLL to function, the process will fail to start, and all services dependent on that process will fail as well. Therefore, in order to avoid dll-hell, it is important to research how a program will use dynamically linked libraries before installation. It is preferable for programs to have their own DLL files and for the installer to be coded so that it does not overwrite DLLs essential to other processes. Windows XP will create a system restore point when a program is (un)installed, but those running other operating systems should create a manual backup before (un)installing software.
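
The installer rule above (never downgrade a shared DLL, never overwrite one that other programs depend on, ship private copies instead) can be written down as a decision procedure. The following is an added example, not code from the original article or from any real installer; the dependency inventory (`SYSTEM_DLLS`) and the installer manifest (`BUNDLED`) are constructed, and the program and DLL names in them are invented.

```python
"""Installer decision logic for shared DLLs (added example; not from the
original article and not any real installer's code).  It encodes the
article's rule: never replace a DLL that other programs depend on, never
downgrade one, and ship private copies instead.  The dependency inventory
below is constructed; a real installer would build it from the system's
shared-DLL reference counts."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SystemDll:
    version: str          # Windows-style four-part file version, e.g. 6.0.2900.2180
    used_by: frozenset    # names of installed programs that depend on this DLL


def parse_version(text):
    """'6.0.2900.2180' -> (6, 0, 2900, 2180); shorter strings pad with zeros."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def plan_dll_install(app_name, bundled, system_dlls):
    """Return {dll_name: action} for each DLL the installer bundles.

    bundled:      {dll_name: version shipped with app_name}
    system_dlls:  {dll_name_lower: SystemDll} inventory of shared DLLs
    Actions:
      install-private  copy into the application's own directory; the
                       shared copy (if any) is left untouched
      replace-system   shared copy is older and nobody else uses it
      keep-existing    bundled copy is not newer: replacing would downgrade
    """
    plan = {}
    for name, version in bundled.items():
        existing = system_dlls.get(name.lower())
        if existing is None:
            plan[name] = "install-private"
        elif existing.used_by - {app_name}:
            # Another program depends on it: overwriting risks breaking it.
            plan[name] = "install-private"
        elif parse_version(version) > parse_version(existing.version):
            plan[name] = "replace-system"
        else:
            plan[name] = "keep-existing"
    return plan


def safe_to_remove(dll_name, app_name, system_dlls):
    """True if uninstalling app_name may delete the shared DLL, i.e. no other
    program depends on it.  Unknown DLLs are treated as private to the app."""
    existing = system_dlls.get(dll_name.lower())
    if existing is None:
        return True
    return not (existing.used_by - {app_name})


# Constructed inventory and installer manifest used for the demonstration.
SYSTEM_DLLS = {
    "msvcrt.dll": SystemDll("7.0.2600.5512", frozenset({"explorer", "notepad"})),
    "oldlib.dll": SystemDll("1.2.0.0", frozenset()),
    "applib.dll": SystemDll("2.0.0.0", frozenset({"PhotoTool"})),
}
BUNDLED = {
    "MSVCRT.DLL": "6.0.0.0",    # older than the system copy, and shared
    "oldlib.dll": "1.3.0.0",    # newer, and unused by anyone else
    "applib.dll": "1.5.0.0",    # older than the copy PhotoTool itself left
    "newlib.dll": "1.0.0.0",    # not on the system at all
}

if __name__ == "__main__":
    for dll, action in plan_dll_install("PhotoTool", BUNDLED, SYSTEM_DLLS).items():
        print(f"{dll:12} -> {action}")
    print("msvcrt.dll removable on uninstall:",
          safe_to_remove("msvcrt.dll", "PhotoTool", SYSTEM_DLLS))
```

The "keep-existing" and "install-private" branches are the two points where a naive installer causes dll-hell: the first by downgrading, the second by replacing a library another process has loaded. Reference counts for shared DLLs are what the inventory's `used_by` field stands in for; on Windows they are kept in the registry, but the example never touches the real system.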

Most computer viruses are propagated by email. The view that commercially available software and software downloaded from newsgroups contains viruses is false (occasionally, it may contain adware, however). Email is an efficient way to spread viruses. Users should be instructed not to open email attachments ending with the following extensions: .exe; .pif; .zip; .com; .cab; .scr; .vbs, or any other extension relating to executables. Some email viruses use a double extension, e.g. a name ending in mpeg.exe or jpeg.zip, to trick you into thinking the attachment is a movie or picture. Postmasters should filter attachments with well-known viral extensions.
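
The attachment rule above, and the checklist item that postmasters filter the SMTP gateway, amount to a small screening function. What follows is an added example, not code from the original article or from any mail product: it applies the article's extension list (extended with a few other common executable types, which is an assumption on my part), decides on the last extension so that double extensions such as holiday.mpeg.exe are caught, and tolerates padding spaces that push the real extension out of sight. The attachment names in `CONSTRUCTED_MESSAGE` are invented.

```python
"""Attachment-name screening for a mail gateway (added example; not from the
original article).  Policy: reject attachments whose name ends in an
executable extension, including "double extension" names that masquerade
as media or documents."""

# Extensions the article lists as executable/risky, plus a few other common
# executable types (assumption: illustrative, not an exhaustive list).
BLOCKED_EXTENSIONS = {
    "exe", "pif", "zip", "com", "cab", "scr", "vbs",          # from the article
    "bat", "cmd", "js", "jse", "wsf", "hta", "msi",           # added here
}

# Media/document extensions often used as the decoy part of a double extension.
DECOY_EXTENSIONS = {"jpg", "jpeg", "gif", "png", "mpeg", "mpg", "avi",
                    "doc", "pdf", "txt"}


def split_extensions(filename):
    """Return every extension part of a filename, lower-cased.

    'Holiday.MPEG.exe' -> ['mpeg', 'exe'];  'README' -> []
    Each part is stripped because some mailers pad names with spaces
    ('photo.jpg        .scr') to hide the real extension.
    """
    parts = filename.strip().lower().split(".")
    if len(parts) < 2:
        return []
    return [p.strip() for p in parts[1:] if p.strip()]   # parts[0] is the base name


def classify_attachment(filename):
    """Classify one attachment name as 'block', 'suspicious' or 'allow'.

    block:       the final extension is executable; only the last part decides
                 how Windows opens a file, so double extensions land here too
    suspicious:  a decoy media/document extension precedes an unknown one,
                 e.g. photo.jpg.xyz, worth a human look or quarantine
    allow:       anything else
    """
    exts = split_extensions(filename)
    if not exts:
        return "allow"
    if exts[-1] in BLOCKED_EXTENSIONS:
        return "block"
    if len(exts) >= 2 and exts[-2] in DECOY_EXTENSIONS:
        return "suspicious"
    return "allow"


def screen_attachments(names):
    """Apply the policy to a whole message.

    Returns (decision, [(name, verdict), ...]) where decision is 'reject' if
    any attachment is blocked, 'quarantine' if any is suspicious, else
    'deliver'.
    """
    verdicts = [(n, classify_attachment(n)) for n in names]
    kinds = {v for _, v in verdicts}
    if "block" in kinds:
        decision = "reject"
    elif "suspicious" in kinds:
        decision = "quarantine"
    else:
        decision = "deliver"
    return decision, verdicts


# Constructed attachment list for demonstration; these are not real samples.
CONSTRUCTED_MESSAGE = [
    "quarterly_report.pdf",
    "Holiday.MPEG.exe",
    "photo.jpg                  .scr",
    "archive.tar.gz",
    "README",
]

if __name__ == "__main__":
    decision, verdicts = screen_attachments(CONSTRUCTED_MESSAGE)
    for name, verdict in verdicts:
        print(f"{verdict:10} {name!r}")
    print("decision:", decision)
```

Matching on the last extension rather than searching for any blocked extension inside the name is deliberate: archive.tar.gz is delivered, while photo.jpg.exe is rejected, which is exactly the behaviour the double-extension trick relies on an unfiltered gateway not having.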

Intrusion detection systems, such as Snort, can alert system administrators to unauthorised access attempts on a network. Snort servers should be made extremely secure and placed in a DMZ to listen for traffic on a variety of interfaces. System administrators should be trained to react quickly and effectively to incidents, and not use short-term fixes or rely solely on low-level security barriers such as firewalls. There is no use in stopping an intruder at the firewall if the machines sitting behind it are not properly patched with security updates. Snort can be ineffective when trying to inspect encrypted traffic, such as TLS (OpenSSL) or SSH sessions. Since the payload is wrapped in a ciphered envelope, only the transport headers travel in plain text, and hence Snort will not detect malicious content inside an encrypted session unless configured to do so.

Good security practice checklist

Users on a corporate network and at home should read and abide by the following:

  • Users will not download computer games, freeware and shareware without first risk-assessing the content of the software installer file. Users will read the editor’s and user reviews of the software when visiting http://www.download.com to check for adware, spyware, non-certified drivers and DLL problems before installing the software on computers. Note: It is highly unlikely that the software will contain viruses. It is important to understand the difference between viruses and other types of malware, since the two are often confused. It was once believed that freeware and shareware were major boot sector viral vectors. However, there is wide disagreement among virus experts, since boot sector viruses do not tend to spread easily.
  • Users will not open email attachments from unknown or untrustworthy sources. Users should be trained to understand that the authors of viruses use social engineering to encourage users to open attachments, thus installing backdoor components on your machine. Users should always question the source and purpose of emails containing attachments. Disabling the preview pane in Outlook and/or Outlook Express is recommended. Proper configuration of email clients will prevent the auto-execution of attachments, and system administrators should deploy service packs. Users should delete viral emails without opening them.
  • Postmasters should filter the SMTP gateway (port 25) for viruses.
  • "Insecure" services such as HTTP, FTP, POP3, DNS and Telnet should be placed in a demilitarized zone (DMZ), and insecure services should not be allowed to access the private LAN within the firewall. System administrators should manage access from the LAN to insecure services in the DMZ. Insecure servers will have the latest security patches and up-to-date anti-virus software, and will be protected by firewall rules allowing access to open services only, and not all services.
  • Windows clients should have SSH and SFTP installed.
  • Wireless networks should be kept separate from the cabled LAN and secured using a WPA-PSK passphrase of at least 20 random characters and numbers (preferably more), TKIP encryption, MAC filtering and static IP addresses rather than DHCP.
  • Cables and plugs in server rooms should be properly secured to prevent someone accidentally disconnecting them.
  • Only the root user should be authorised to shut down or reboot servers. Authorised personnel should log in under their own accounts and use sudo, rather than logging in as root. Files such as /etc/private/sshd_config should be modified to deny root logon.
  • Firewalls and anti-virus software will not necessarily prevent viruses, adware and spyware from affecting workstations. Once malware is discovered, it is too late and the damage is already done. Only risk management will keep workstations free of malware.
  • Users on the corporate network are forbidden from visiting pornographic websites. Such websites often force users to download adware, spyware and premium rate dialer(s), even if the download is cancelled. Employers' reputations could be put at risk, if pornographic material were to be discovered on their machines and/or servers. See Work porn risk for businesses - BBC News (http://news.bbc.co.uk/1/hi/technology/3701907.stm)
  • Users will not open links embedded in spamming emails nor will they hit the “reply” button. Users could be notifying the spammer that their email address is active. The spammer may sell email addresses to third parties, resulting in even more SPAM. Such emails should be deleted.
  • Users will not open links in SPAM emails that purport to unsubscribe recipients from mailing lists. By opening the link, users are telling the spammer that their address is in use. Such emails should be deleted.
  • Users are forbidden from forwarding hoaxes, chain-letters, SPAM, special offers and fake business deals. Such emails should be reported to the company IT department, or ISP if the user is at home.
  • Users will not give out confidential information to third parties under the following circumstances:
    1. In response to any email purporting to be sent by a bank or company requesting passwords, PINs, telephone numbers, addresses or other confidential information. Banks already have this information and would never ask for it in an email under any circumstances.
    2. When submitting information to websites. Users will read the privacy policy of a website before submitting information, including email addresses.
    3. By accidentally sending an email to the wrong recipient(s).
  • Users and especially system administrators should create regular back-ups of data.
  • System administrators will enforce strong passwords and password policies for access to the accounts stored on their computers/domains and manage physical access to machines.
  • Users and system administrators will not restrict the functionality of computers or access to machines under circumstances including, but not limited to: potential viral infection, potential hacking, media hysteria, the factoids of false authorities, and any other misinformation designed to create fear, uncertainty and doubt (FUD).
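
The checklist item about denying root logon in sshd_config is easy to get wrong by hand, because OpenSSH applies the first occurrence of a keyword, ignores keyword case, and scopes anything after a Match line to matching connections only. The following audit script is an added example, not code from the original article or from the OpenSSH project: it parses the global section of a config and reports whether root may still log in. `PermitRootLogin` is the real OpenSSH directive; the sample configuration text is constructed, and the file path named in the comment is the one the article gives, taken here as an assumption.

```python
"""Check the global root-login policy in an sshd_config (added example; not
code from the original article or from OpenSSH).

OpenSSH applies the first occurrence of each keyword, treats keywords
case-insensitively, accepts 'Keyword value' or 'Keyword=value', starts
comments with '#', and scopes everything after a 'Match' line to matching
connections only.  The checker reads the global section and reports whether
root may still log in."""
import re

# Constructed sample standing in for the file the article names
# (/etc/private/sshd_config; that path is the article's and an assumption
# here).  It deliberately contains the traps listed above.
SAMPLE_SSHD_CONFIG = """\
# constructed sample
Port 22
permitrootlogin no         # lower-case keyword still counts
PermitRootLogin yes        # ignored: the first occurrence wins
PasswordAuthentication = no

Match Address 192.0.2.0/24
    PermitRootLogin yes    # conditional, not the global setting
"""

# Only an explicit 'no' satisfies a policy of denying root logon; the other
# accepted values still admit root under some condition (key, forced command).
ROOT_DENIED = {"no"}


def parse_global_settings(text):
    """Return {keyword_lower: first_value} for the global section of text."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comment, whitespace
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break                                      # the rest is conditional
        settings.setdefault(key, value)                # first occurrence wins
    return settings


def root_login_status(text):
    """Return (effective_value, root_allowed) for the global section.

    The default when PermitRootLogin is absent has changed between OpenSSH
    releases ('yes' before 7.0, 'prohibit-password' since), so an absent
    directive is reported as 'unset' and flagged: a deny-root policy should
    be stated explicitly, not inherited from a default.
    """
    value = parse_global_settings(text).get("permitrootlogin", "unset").lower()
    return value, value not in ROOT_DENIED


def audit(text):
    """One-line verdict, e.g. for a nightly compliance job."""
    value, allowed = root_login_status(text)
    verdict = "FAIL: root login allowed" if allowed else "PASS: root login denied"
    return f"PermitRootLogin={value} -> {verdict}"


if __name__ == "__main__":
    print(audit(SAMPLE_SSHD_CONFIG))
```

Run against a real host, the script would read the file instead of `SAMPLE_SSHD_CONFIG`; the point of the sample is that a grep for "PermitRootLogin yes" would wrongly fail this file, while a grep for "PermitRootLogin no" would wrongly pass one whose only deny line sits inside a Match block.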

FAQ

Q. Why do spyware, adware and viruses keep affecting my PC? Surely, it is impossible for these programs to get past the firewall and anti-virus software.

A. Not so. You need to control your web surfing habits in order to prevent recurrences of this nature. You should also manage your email policy and not blindly open attachments.

Q. I still get viruses and spyware, even with anti-virus software installed.

A. If you do not keep your virus definitions up-to-date, then your anti-virus software will fail to do its job. If you do not enforce a security policy, viruses may compromise your machine, even if virus definitions are up-to-date. Only risk management will prevent security compromises. You must tackle the causes and not the symptoms.

Q. Why do I need to back up my files?

A. Good security practice is to back up your data, program files and system files in case of a system-wide failure.


External Links

"The truth about computer security hysteria" (http://www.vmyths.com)

Site devoted to debunking media security charlatans (http://www.grcsucks.com)

Sans.org Top 20 Security Vulnerabilities (http://www.sans.org/top20)



See also: Computer security
Categories: Computer security | Electronic commerce | Information technology management

This article is from Wikipedia. All text is available under the terms of the GNU Free Documentation License

 

 