At the New England Information Security User Group, operating system security is just a piece of the big puzzle. IT administrators, business leaders, consumers and others come together with a common interest: securing systems on all levels. Bradley Dinerman is an MCSE in Windows NT and 2000. He is also the group's founder and current chairman. Not everyone in IT has experience with best practices in security, so Dinerman provided some of his best tips, chosen based on what members chat about at the group's monthly meetings.
Everyone is talking about spam. Is there really any way to stop it?
Bradley Dinerman: There is no one answer.
You've got to get some good spam-blocking software, which takes what it thinks is spam, puts it in a special folder and outright deletes it. If you use Outlook or Outlook Express, or anything with a preview page, don't use the preview page. A lot of spammers use a tactic called beaconing. If you get a spam message with a graphic, the graphic isn't actually embedded in a message; it's on a Web server at the spammer's site.
When you open the message, it makes a call to the spammer to download the graphic. The site records what message opened that graphic, and then it knows it has a live one on the other end, and you will be added to the 'real recipient' database of spammers.
Some of the new products use a technique called Bayesian filtering, where software can learn from your habits. You get your messages, select the message that you think is spam. The software categorizes the message and learns your habits by subject lines or patterns. After two or three days, it really learns, and the amount of spam you get is reduced.
What new security products are you seeing that are truly useful?
Dinerman: Well, there's a firewall that includes a wireless access point that requires a VPN level of authentication to access the network. SonicWall's Soho TZW is an ICSA-certified, hardware-based firewall. It allows various levels of wireless access, either to your network or to a kiosk setting, such as Starbucks might have. You can enforce security access or you can relax it if you want.
Wireless networks are hot, so if you can provide wireless access in a secure way, then those types of products will do well. There are plenty of products that may profess to be a firewall, or be truly secure, and they are not.
What's the job market for information security looking like these days?
Dinerman: Most of the opportunities out there are for IT administrators with some security experience on their resume. That's going to make a difference with an employer, particularly if they have Microsoft-level security experience.
How do you lock down a Web server? How do you secure an FTP server for a firewall, even if it's not Microsoft's [software]? They don't necessarily have to have CISSP certifications, don't need to know every level of encryption or secure ID technology out there. But they need a general feel and general experience in locking down a system.
Will it take regulatory laws like HIPAA (Health Insurance Portability and Accountability Act) to get enterprises to install stringent security measures?
Dinerman: Laws like HIPAA will impose the situation a little faster. These companies will have to go out and buy security hardware or set up procedures and policies internally that suddenly make them secure corporations.
Earlier this month, InstallShield Software Corp. accused Wise Solutions Inc. of stealing proprietary information off of InstallShield's corporate FTP server after illegally obtaining InstallShield passwords. A lot of companies have FTP servers that touch the Internet. How do you make them as secure as they can be?
Dinerman: The best place for an FTP server is one where the general public needs access. One example might be Symantec [Corp.], where they want the public to go in and download virus definitions. Obviously, the public is meant to come in, but if you are a company that puts its treasured data on an FTP server, on the Internet, and you don't have the most stringent security measures in place, then you are asking to have that data taken.
There are a number of companies that sell FTP servers, and each has its own benefit. Microsoft's is free, and if you lock down the operating system, then you can rest relatively assured that the FTP will be secure.
What seems to be the most frequent area of weakness in an enterprise IT infrastructure?
Dinerman: The user is the weakest point. If a user doesn't set up a strong password, you open up your network to whoever can discover that password with whatever tools they are using. A smart company will enforce strong passwords through server policies.
What steps can users take to secure their Web server?
Dinerman: Is it a publicly accessible Web server? You need antivirus software on there. Make sure the underlying operating system is secure. If you fail to patch or apply regular updates to the operating system, then [the] whole system is compromised. Make sure there is a firewall in front of the server. And the Web server should only be running the minimal number of services. If it's meant to be a Web server, then don't run FTP.
What are some of the easiest things you can do to keep your data safe?
Dinerman: Have secure passwords that are a minimum of seven characters, and don't let it be the name of your sailboat or your cat. Have a good antivirus product and an antispam product. As a company, you should have all of your requirements in writing. Have acceptable use policies, like, don't access your Hotmail from work, or don't use certain words for a password.
It's hard to stop employees from doing what they're going to do. All you can do is scare them sufficiently with consequences if they are caught.