General Security Information

Microsoft revealed that it receives 2500 to 3000 electronic attacks every day or almost 100,000 a month.
Internet security firms indicate that you have about 20 to 30 seconds before someone/thing scans an unprotected machine and four minutes before an attack occurs.
We should wait until AFTER someone has hacked the air traffic control network and crashed a few dozen planes,
AFTER someone has hacked medical databases and killed a few thousand patients by messing with their meds,
AFTER someone has caused panic by hacking government sites to add fake disaster warnings,
AFTER someone has hacked the Emergency Broadcast System and evacuated a major city.
Once those things have already happened, that's the time to fix our computer security. After all, what's the point of locking the door on your house if you haven't been robbed yet?

A 2005 survey of the world's top 100 global financial institutions found that 35 percent had encountered attacks from inside their organization within the previous 12 months (up from 14% in 2004), compared to 26 percent from external sources (up from 23% in 2004).


A company's biggest security threat isn't the sinister hacker trying to break into the corporate network, but employees and partners with easy access to company information.
By Marguerite Reardon - Staff Writer, CNET News.com

What's a Strong Password?
1) Require users to change their passwords frequently (every 30-45 days)
2) Don't allow old passwords to be reused: keep a history of 24 passwords, and require new passwords to be significantly different from previous ones
3) Set a minimum password length (9 characters); the longer the better
4) Account lockout: set the number of failed logon attempts (5). Note that the Administrator account is not locked out! (Try PASSPROP below)
5) Set how LONG an account stays locked out after multiple failed logon attempts (45 min.)
6) For newly created accounts, require users to change their passwords at first logon. (Don't use "Password" as a first password)
7) Enforce logon hours and disconnect remote users after their logon hours have passed. (Disconnected, not logged off)
8) Set the Minimum Password Age to no less than 2 days using the Account Policy
9) Always enable the "User must log on in order to change password" option. If a password expires before the user changes it (e.g. while on vacation), they will have to call you to change it!
10) Local account names should not match domain account names. You rarely need local accounts
11) Require complex passwords (defined below)

If no group policy is in place to require complex passwords:
- Use Regedt32 (you will need to restart afterwards)
HKey_Local_Machine\System\CurrentControlSet\Control\Lsa
- Add PASSFILT to the list in the Notification Packages value

• Use upper and lower case letters, numbers and symbols
• Use an @-sign instead of a, $ for s, ! for I or 1, 3 for E, 7 for T, and 0 for O.
• Do not use words found in a dictionary, in any language
• Do not use your name or that of family members or pets, your address, birthday or hobby
• Try using unusual characters like ½ (ALT + 0189 on the number pad)

Try a passphrase, which can be easier to remember. Based on the criteria above, the following are examples of strong and memorable passphrases:
• I ate 13 (!!) fruits in Hawaii.
• 3 shoes @ the store cost $92.
• 2potatoes+beans$4
• cOws@the2ndfArm
• Mom&Dad#25Annivers@ry
• ruNNing@NyC4#1teaM
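As an added example (not code from the original page), a small Python checker that applies the password rules above literally: minimum 9 characters, upper and lower case, a digit and a symbol, no dictionary word even after the recommended @/$/!/3/7/0 substitutions, and none of the user's personal details. The word list and the personal-detail names ("Dana", "Rex") are constructed for the demo.

```python
import re

# Constructed mini word list; a real deployment would load a full dictionary.
DICTIONARY = {"password", "summer", "welcome", "letmein", "monkey", "dragon"}
MIN_LENGTH = 9  # the page's minimum password length

# Undo the substitutions the page recommends (@ for a, $ for s, ! for I,
# 3 for E, 7 for T, 0 for O) so "P@ssw0rd" is still recognised as "password".
UNLEET = str.maketrans("@$!370", "asieto")


def check_password(pw: str, personal: tuple[str, ...] = ()) -> list[str]:
    """Return the rules a candidate password breaks (an empty list = acceptable).

    personal: names of family members, pets, street, birthday etc. that the
    page says must not appear in the password.
    """
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for pattern, what in ((r"[A-Z]", "upper-case letter"), (r"[a-z]", "lower-case letter"),
                          (r"[0-9]", "digit"), (r"[^A-Za-z0-9]", "symbol")):
        if not re.search(pattern, pw):
            problems.append(f"no {what}")
    plain = pw.lower().translate(UNLEET)
    letters_only = re.sub(r"[^a-z]", "", plain)
    # Substring match: a dictionary word padded with digits or symbols is still weak.
    if any(word in letters_only for word in DICTIONARY):
        problems.append("dictionary word")
    for item in personal:
        if item and item.lower() in plain:
            problems.append(f"contains personal detail {item!r}")
    return problems


if __name__ == "__main__":
    # Three of the page's passphrase examples plus two deliberately weak candidates.
    for candidate in ("cOws@the2ndfArm", "Mom&Dad#25Annivers@ry",
                      "I ate 13 (!!) fruits in Hawaii.", "Password1", "P@ssw0rd!"):
        verdict = check_password(candidate, personal=("Dana", "Rex"))
        print(f"{candidate!r:36} -> {'OK' if not verdict else ', '.join(verdict)}")
```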

Once you've created strong passwords or passphrases, make sure they remain effective:
1) Always log off (or lock your workstation) when you leave your PC unattended
2) Change your passwords frequently (30 - 60 days)
3) Don't share your passwords with anyone. If you have to (e.g. when you go on vacation), change it after you return.
4) Do not check the "Remember this password" box when logging on to websites
5) Do not write down your passwords anywhere
6) Do not use the same password for everything. If someone figures out your password once, they can access everything
7) Run a password-auditing program periodically to find weak or blank user passwords. Check first whether this is permitted in your company.
8) Observation: don't let anyone stand behind you when you enter a password. NEVER write your password down.
9) Social engineering is when hackers discover your username or password by deceiving you on the phone or in conversation. NEVER give your password to anyone else, EVER.
10) When was the last time you changed the local and server Administrator account passwords?
11) Using PASSPROP (from the Resource Kit): open a DOS prompt and type passprop /adminlockout. You can find passprop in the Netmgmt.cab file in the Resource Kit.
*** Warning: the 2003 version will also lock out the default Administrator account for both network and interactive logons
- See Knowledge Base article Q151082 for more information
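An added Python model (not part of the original page) of the lockout settings from the list above: five failed logons lock the account for 45 minutes, a correct password is refused until the lock expires, and the built-in Administrator is only ever locked when passprop /adminlockout has been applied. The logon events are constructed sample data, and the model treats network and interactive logons alike.

```python
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5                     # failed logons before lockout (page: 5)
LOCKOUT_DURATION = timedelta(minutes=45)  # time the account stays locked (page: 45 min.)

# Constructed logon events: (timestamp, account, succeeded). jsmith fails five times,
# then tries the correct password while still locked; the built-in Administrator
# also fails five times.
SAMPLE_EVENTS = [
    ("2007-10-10 09:00:00", "jsmith", False),
    ("2007-10-10 09:00:10", "jsmith", False),
    ("2007-10-10 09:00:20", "jsmith", False),
    ("2007-10-10 09:00:30", "jsmith", False),
    ("2007-10-10 09:00:40", "jsmith", False),  # fifth failure: locked until 09:45:40
    ("2007-10-10 09:05:00", "jsmith", True),   # right password, but still locked
    ("2007-10-10 09:50:00", "jsmith", True),   # lock expired, logon accepted
] + [("2007-10-10 10:00:%02d" % (10 * i), "administrator", False) for i in range(5)]


def evaluate_lockouts(events, admin_lockout=False):
    """Replay logon events in time order under the page's lockout policy.

    Returns (lockouts, rejected): when each account became locked, and the attempts
    refused while it was locked. admin_lockout mirrors passprop /adminlockout:
    without it the built-in Administrator is never locked out. Network and
    interactive logons are treated alike here (a simplification).
    """
    failures, locked_until, lockouts, rejected = {}, {}, [], []
    for ts, account, ok in sorted(events):
        now = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if account in locked_until:
            if now < locked_until[account]:
                rejected.append((account, ts))   # refused even with the right password
                continue
            del locked_until[account]            # lock expired, count starts over
            failures[account] = 0
        if ok:
            failures[account] = 0                # a successful logon resets the count
            continue
        failures[account] = failures.get(account, 0) + 1
        if account == "administrator" and not admin_lockout:
            continue                             # default Windows behaviour
        if failures[account] >= LOCKOUT_THRESHOLD:
            locked_until[account] = now + LOCKOUT_DURATION
            lockouts.append((account, ts))
            failures[account] = 0
    return lockouts, rejected
```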
How often do you change your passwords?
A June 29, 2004 poll in Windows & .NET Magazine asked:
"How often do you require users in your organization to change their passwords?"
Here are the results from the 426 who responded:
- 14% Every 30 days or less
- 24% Every 30 to 60 days
- 31% Every 60 to 120 days
- 4% Every 120 days to 1 year
- 27% We don't enforce a password change policy

Some Examples of Social Engineering
1) There are cases in which hackers have set up Web sites advertising a bogus sweepstakes. They then require anyone registering for the sweepstakes to supply a username and password for future access to the site. Soon a database of thousands of usernames and passwords is compiled. Because most people use the same password for everything, the probability is that they will give the password they use for most things at work. A "robot" then systematically attempts to log on to many popular Web sites using the supplied usernames and passwords.
2) Some hackers have set up websites that look like your company's official site. They send emails saying that benefits or something else needs to be updated, and the site requires you to log in. The site is collecting all your employees' usernames and passwords.
3) Hacker types have been known to call up but never ask for your password. What they do is gain your confidence and get you to reveal personal information like kids' and pets' names. A lot of people use their kids' names.
4) People will often say their password under their breath while on the phone.
5) Hackers may con their way into a phone network by posing as phone company technicians to get passwords into the network. They will then sit there listening in and waiting for valuable information.
6) Security experts monitored one Internet service provider for a 24-hour period and obtained global access to corporate databases. They ended up entering the organization as a legitimate user.
7) The attacker relies on the human tendency to trust. This could be in the form of eavesdropping or "shoulder surfing" (i.e., direct observation) to obtain access. It can also include data aggregation through "dumpster diving" (e.g., looking for passwords written on sticky notes) or talking to multiple sources and building on data from each source until the attacker has enough information to commence an attack.

Hackers are after information (passwords, social security numbers and birth dates) that they can sell or use to penetrate bank and credit card accounts.
Leakage of sensitive or confidential business information
For years, companies have focused security efforts on keeping hackers out of their networks. But research indicates that insiders (employees, partners and contractors) cause more security problems than the average hacker. Studies indicate that most security breaches are the result of well-intentioned employees inadvertently violating security policies. A partner or a disgruntled employee could download information onto a USB data stick, or print the information and walk out the door.
Remember that employees relinquish any right to privacy when they choose to use the Internet and email at work.
What to do with old Hard Drives?
Do you give your old hard drives, still in the computers, to resellers, organizations, or other employees? Do you trust these organizations to satisfactorily delete your data? (They Don't!!!) You might consider wiping your own drives before you let them out of your hands. Try some links on my forensics page. Your best solution is to take a drill to the drive or a sledgehammer. It's a good way to get your frustration out on the thing that causes you stress!
Five Worst Security Practices
Regardless of an organization's size, we all face the same security challenge: keeping intruders away from our private information.
1) Failing to enforce security policies
Failing to properly set security policies, neglecting to train anyone with access to computers, and especially not enforcing an established policy.
Among other things, these policies must define basic usage rules, such as never opening strange e-mails, surfing random sites on personal business, or downloading files from the Web. Even when there are policies in place, there are seldom any real consequences for breaking the rules, or any reward for those who don't. At Harvard Medical School and Beth Israel Deaconess Medical Center, being caught responsible for a single security breach is grounds for termination for anyone at any level. Upper-level managers rarely buy into this.
2) Ignoring new vulnerabilities
Failing to take appropriate action when new vulnerabilities surface. Get on a list to receive automatic notification of new patches and/or monitor at least one security Web site. Then you must perform updates to fix the problems that you learn about.
3) Relying too much on technology
Just because you've installed antivirus software or the latest firewall, your job is not done. Unless you've carefully configured that firewall and maintained the antivirus software, you really haven't done much of anything. You have to keep tweaking the firewall to meet new needs, sometimes even blocking some ports for a few weeks after a new port-scanning epidemic surfaces. All these security utilities become worthless if you ignore the reports they generate.
4) Failing to thoroughly investigate job candidates
Failing to properly screen ALL job candidates for criminal records or even poor financial decisions, even candidates outside of the IT department. Because of personal privacy concerns we are often reluctant to investigate the background of job candidates. If people are careless with their own finances, how well will they protect yours? Second, if someone is under financial pressure, he or she is more subject to outside pressures to indulge in activities that compromise security. A recent bankruptcy in someone's financial history is always a big red flag unless there's a very good explanation.
5) Expecting too much from technical skills.
A gut feeling for security along with a healthy dose of paranoia is far more important for the head of security, provided someone on the IT team has the knowledge and skills related to the technical side of software and hardware security. A person with a strong security background can often walk through a company and spot a dozen critical security errors which render all the best software security practices completely useless. If I wanted to, I would either get a job with the cleaning company or fake a UPS or FedEx uniform. I could walk in carrying a big package and simply walk out with what I wanted in the previously empty box.
Final word
Security depends on an old-fashioned cop mentality. On March 11, 2005, someone walked into a University of California Berkeley office and walked out with a laptop containing personal data about more than 98,000 people, including Social Security numbers. This theft not only highlights the need for simple and basic physical security, but it also emphasizes a misplaced reliance on technology. While they had scheduled the laptop for encryption, no one had yet encrypted the notebook's hard drive at the time of the theft. You have to think like a thief to catch a thief.

Block writing to storage devices such as USB drives
On Windows XP SP2 or higher:
Open Regedit and go to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies
Create a DWORD value named WriteProtect
1 = prevents users from writing to the device; 0 = allows writing

Some Ports
- For PPTP tunnel maintenance traffic, open TCP 1723
- For PPTP tunneled data to pass through the router, open Protocol ID 47 (GRE)
- To allow Internet Key Exchange (IKE), open UDP 500.
- To allow IPsec Network Address Translation Traversal (NAT-T), open UDP 5500.
- To allow L2TP traffic, open UDP 1701.
- SQL Server traffic uses port 1433

Email is NOT private
When people email, they often assume that email travelling over the Internet has the same privacy as regular mail. Nothing could be farther from the truth. The Net was created for people who had implicit trust in each other and no need to pry into information not meant for them. Sadly, this is not the situation today. Email, and almost all information travelling on the Internet, is visible to anyone along the way who wants to see it, unless steps are taken to protect it. Please go to www.pgpi.org and download PGP (or click on the PGP icon below). It is free and quite painless, especially if all you want to do is encrypt email and you use a popular client such as Outlook, Outlook Express, Eudora, etc.
<< Download My Public PGP Key >>

List of security white papers by TechRepublic

Updated October 10, 2007
Copyright© 2007 by Dana Shea
