How to set effective security policies at your organization

David Strom

VAR Business Technology Editor

June 20, 2002



My background

  • Author of “Home Networking Survival Guide” book from Osborne/McGraw Hill

  • Founding Editor-in-Chief, Network Computing

  • Tested numerous networking and security products



Things to know before you can set effective policies

Problems with existing network and applications infrastructure

Issues with products and protocols

Ways around the various tools that you are trying to use to lock things down



Who is in charge, anyway?

Do you have a chief security officer?

Does s/he have any real authority?

Does s/he have control over corporate directories, network infrastructure decisions, and internal applications development?



Look at your exposure from within

Network admins who have rights to everything

Applications that have access to other applications

Users who temporarily gain access outside of their normal departments



So let’s look at the following:

VPN policies and choices

Email policies and issues

eCommerce issues

Firewalls don’t protect you all the time



Role of integrators with VPNs

  • Help with their rollout and configuration

  • Help with remote support and troubleshooting

  • Recommend equipment and configuration

  • Include as part of overall telecommuting application



VPN Issue #1: Ease of use

  • VPNs still vexing

  • Matched pair problem

  • Hardware or software choices not always obvious



VPN Issue #2: Cable providers don’t like home networks

  • Getting static IPs can be a problem

  • Changing MAC addresses is an issue

  • Administering and supporting a home network is sometimes beyond their abilities or interest

    … Yet all cable modems come with Ethernet!



VPN Issue #3: Providers hate VPNs

  • Well, maybe they are more ignorant of them than hostile to them

  • Some don’t include VPNs in their TOS

  • Some do everything they can to discourage their use (frequent IP changes, for example)



VPN Issue #4: Remote support

  • Coordinating a VPN rollout for telecommuters can swamp a small tech support department

  • Variations among Windows OS versions, and non-Windows PCs, can be difficult!

  • What if users require more than one tunnel?



State of VPNs

  • Software now comes included in residential gateways like Sonic and Netgear

  • Still too hard for the average consumer, and the average business computer user

  • But wider support is inevitable

  • Costs too much and requires some careful justification

  • VPN.net: A new way of establishing VPNs



Email policies

How accurate is your employee directory?

Do outsiders have access to your email system? And for how long?

Do terminated employees have access still?

How often do employees copy all by mistake?



Making email secure

Use Notes or Groupwise

Don’t run Outlook, Outlook Express

Use PGP or SMIME products



eCommerce issues

  • Make sure you protect your enterprise network from intrusion

  • Limit user access, isolate servers, lock down scripts, harden servers

  • See www.nwfusion.com/netresources/0202hack1.html



Web/database issues

  • Understand security weaknesses and access controls of local database users

  • Understand web/database interaction from security perspective

  • Understand proxy server attacks (à la Adrian Lamo)

  • Block those CGI scripts!

  • Who is root and what can they really do?



Common mistakes with payment processing

  • Provide too few or too many order confirmation pages

  • Confusing methods and misplaced buttons on order page

  • Make it hard for customers to buy things

  • Don’t make your customers read error screens



ConEd bill payment issue

  • Claim they needed 100,000 customers to break even

  • https://m020-w5.coned.com/csol/main.asp

  • Note: lack of security, anyone with valid account number can see your bill! Try acct no. 434117168910006
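The ConEd problem on this slide is a missing authorization check: the server trusts a client-supplied account number to pick the record, so the account number becomes the only credential. The following is an added illustration, not code from the presentation or from ConEd: it shows the insecure lookup beside a hardened one that ties the record to the logged-in session, and a further variant that never takes the account number from the client at all. The account numbers, names and amounts are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Bill:
    account_no: str
    owner: str        # login name of the customer who owns the account
    amount_due: float


# Constructed sample data: these account numbers, names and amounts are made up.
BILLS = {
    "1000-0001": Bill("1000-0001", "alice", 82.40),
    "1000-0002": Bill("1000-0002", "bob", 115.10),
}


class Forbidden(Exception):
    """Raised when the session user may not view the requested bill."""


def get_bill_insecure(account_no):
    """The pattern the slide describes: the client-supplied account number alone
    selects the record, so anyone holding a valid number sees that bill."""
    return BILLS.get(account_no)


def can_view(session_user, account_no):
    """Authorization check: the bill exists AND belongs to the logged-in user."""
    bill = BILLS.get(account_no)
    return bill is not None and bill.owner == session_user


def get_bill(session_user, account_no):
    """Hardened lookup. Unknown and unauthorized accounts fail identically, so
    the endpoint cannot be used to learn which account numbers exist."""
    if not can_view(session_user, account_no):
        raise Forbidden("no such bill for this user")
    return BILLS[account_no]


def accounts_for(session_user):
    """Better still, never accept an account number from the client: enumerate
    the accounts linked to the session server-side and let the user pick one."""
    return sorted(b.account_no for b in BILLS.values() if b.owner == session_user)


if __name__ == "__main__":
    print("insecure lookup, no login needed:", get_bill_insecure("1000-0002"))
    print("hardened lookup as bob:", get_bill("bob", "1000-0002"))
    print("alice's own accounts:", accounts_for("alice"))
```

The design point is the second function's single failure path: returning "not found" for a bill that exists but belongs to someone else keeps the endpoint from doubling as an account-number oracle.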



Preventing credit card fraud

  • Don't accept orders unless full address and phone number present

  • Be wary of different "bill to" and "ship to" addresses

  • Be careful with orders from free email services

  • Be wary of orders that are larger than typical amount

  • Pay extra attention to international orders
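The five rules on this slide are signals, not proofs: a mismatched ship-to address or a free email account is common in legitimate orders, so a screening step should combine them rather than reject on any one. The following is an added example, not code from the presentation: it encodes the slide's rules as a small screening function that hard-rejects only on missing contact details and otherwise routes an order to accept, review or hold. The free-email domain list, the home country, the "larger than typical" multiplier and the review/hold thresholds are assumptions of this example; the orders and order history are constructed sample data.

```python
from statistics import median

# Assumptions (not from the slides): which domains count as "free email
# services", the home country, and what makes an amount "larger than typical".
FREE_EMAIL_DOMAINS = {"hotmail.com", "yahoo.com", "mail.com"}
HOME_COUNTRY = "US"
LARGE_ORDER_MULTIPLIER = 3.0


def normalize_address(addr):
    """Collapse case, commas and whitespace so trivial formatting differences
    do not look like a bill-to/ship-to mismatch."""
    return " ".join(addr.lower().replace(",", " ").split())


def typical_amount(history_amounts):
    """Median of past order amounts; the median resists a few huge past orders."""
    return median(history_amounts) if history_amounts else None


def screen_order(order, history_amounts):
    """Apply the slide's rules to one order and return (decision, reasons).

    A missing address or phone is a hard reject; the remaining signals are
    counted, because each alone is common in legitimate orders. The cut-off
    between 'review' and 'hold' is an assumption of this example.
    """
    if not order.get("bill_to") or not order.get("ship_to") or not order.get("phone"):
        return "reject", ["missing full address or phone number"]

    reasons = []
    if normalize_address(order["bill_to"]) != normalize_address(order["ship_to"]):
        reasons.append("bill-to and ship-to addresses differ")

    domain = order.get("email", "").rsplit("@", 1)[-1].lower()
    if domain in FREE_EMAIL_DOMAINS:
        reasons.append("free email service: " + domain)

    typical = typical_amount(history_amounts)
    if typical and order["amount"] > LARGE_ORDER_MULTIPLIER * typical:
        reasons.append("amount %.2f exceeds %.1fx typical %.2f"
                       % (order["amount"], LARGE_ORDER_MULTIPLIER, typical))

    if order.get("country", HOME_COUNTRY).upper() != HOME_COUNTRY:
        reasons.append("international order")

    if not reasons:
        return "accept", []
    if len(reasons) >= 3:
        return "hold", reasons
    return "review", reasons


# Constructed sample orders and order history for a stand-alone run.
HISTORY = [40.0, 55.0, 48.0, 62.0, 51.0]
SAMPLE_ORDERS = [
    {"bill_to": "12 Elm St, Springfield", "ship_to": "12 Elm St Springfield",
     "phone": "555-0100", "email": "pat@example.com", "amount": 49.99, "country": "US"},
    {"bill_to": "12 Elm St, Springfield", "ship_to": "99 Oak Ave, Shelbyville",
     "phone": "555-0101", "email": "someone@hotmail.com", "amount": 480.00, "country": "FR"},
    {"bill_to": "", "ship_to": "5 Pine Rd", "phone": "", "email": "x@example.com",
     "amount": 20.0, "country": "US"},
]


def screen_all(orders=SAMPLE_ORDERS, history=HISTORY):
    """Decision for each sample order, in order."""
    return [screen_order(o, history)[0] for o in orders]


if __name__ == "__main__":
    for order in SAMPLE_ORDERS:
        print(screen_order(order, HISTORY))
```

Keeping the reasons list alongside the decision matters for the review queue: the person looking at a held order needs to see which signals fired, and a log of fired signals over time is what lets you tune the thresholds instead of guessing.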



Ways around firewalls

  • Uroam.com

  • GoToMyPC.com

  • Neoteris, other appliances

  • Remote control software (PC Anywhere, Carbon Copy, etc.)

  • Wireless LANs!



Remote control loopholes

  • Do you even know if they are running?

  • Do port scans for common ports that are used:

    • PC Anywhere: 5631-5632

    • Control IT: 799

    • Carbon Copy: 1680

    • VNC: 5900
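The slide's advice is an inventory check on your own machines: find out which of them have a remote-control product listening before someone outside does. The following is an added example, not code from the presentation or from any of the vendors named: it keeps the slide's port-to-product table, attempts a TCP connect to each port on each host you list, and diffs the findings against an approved set so only new listeners stand out. For an offline run, the `demo()` function starts a throwaway listener on 127.0.0.1 and scans that; the port labels used there are constructed stand-ins for the real product ports.

```python
import socket
import threading

# Ports the slide lists for common remote-control products. PC Anywhere uses a
# pair (5631 data, 5632 status); the per-port labels are this example's own.
REMOTE_CONTROL_PORTS = {
    5631: "PC Anywhere (data)",
    5632: "PC Anywhere (status)",
    799: "Control IT",
    1680: "Carbon Copy",
    5900: "VNC",
}


def port_is_open(host, port, timeout=1.0):
    """Return True if a TCP connect to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, or timed out
        return False


def audit_hosts(hosts, ports=None, timeout=1.0):
    """Check each host for listening remote-control ports.

    Returns a sorted list of (host, port, product) findings so the result can
    be diffed against an approved inventory on each run.
    """
    ports = REMOTE_CONTROL_PORTS if ports is None else ports
    findings = []
    for host in hosts:
        for port, product in sorted(ports.items()):
            if port_is_open(host, port, timeout):
                findings.append((host, port, product))
    return sorted(findings)


def unapproved(findings, approved):
    """Findings whose (host, port) is not in the approved set."""
    return [f for f in findings if (f[0], f[1]) not in approved]


def _local_listener():
    """Start a throwaway TCP listener on 127.0.0.1 (constructed test target)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
                conn.close()
            except socket.timeout:
                continue
            except OSError:
                break

    threading.Thread(target=serve, daemon=True).start()
    return srv, stop


def _free_closed_port():
    """Pick a port that is (almost certainly) not listening right now."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Offline run: one open 'remote control' port and one closed one on localhost."""
    srv, stop = _local_listener()
    open_port = srv.getsockname()[1]
    closed_port = _free_closed_port()
    # Constructed port map standing in for the real product ports above.
    ports = {open_port: "constructed remote-control service",
             closed_port: "constructed absent service"}
    findings = audit_hosts(["127.0.0.1"], ports, timeout=0.5)
    stop.set()
    srv.close()
    return {"open_port": open_port, "closed_port": closed_port, "findings": findings}


if __name__ == "__main__":
    result = demo()
    print("findings:", result["findings"])
    print("unapproved:", unapproved(result["findings"], set()))
```

Run `audit_hosts` against your own address ranges on a schedule and keep the approved set in version control; a listener that appears in the diff is either a new sanctioned deployment to record or exactly the loophole the slide is asking about. A connect check only finds services listening on the default ports, so treat it as a first pass, not proof of absence.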



Wireless LAN loopholes

  • Do you even know if they are running?

  • NetStumbler.com: a good resource

  • Read this article too.



Wireless VPN/firewall appliances

  • BlueSocket

  • ReefEdge

  • Vernier Networks

  • Mobility from Netmotion Wireless



Conclusions and questions

David Strom

Technology Editor

VAR Business magazine

[email protected]

(516) 562-7151

