July 09, 2007
How secure is your network? (luncheon)
Visionpace-IT is proud to present a unique opportunity to learn whether your network is either too secure or not secure enough.
Attend our FREE lunch and learn on July 31, 2007
Travis Davies, Network Architect, will discuss the following:
- Learn why you might be bolting down your network too much!
- Learn about "Social Engineering". What is it? Are you guilty?
- Be Password Savvy.
- Learn what you might be doing to compromise your network.
- Are you giving away your Intellectual Property?
- Become educated on these topics and more...
The luncheon will be on July 31, 2007 from 11:30 - 1:00 at Visionpace (17501 E Hwy 40 Suite 218 Independence, MO 64055). Please call Kelly by July 27th at 816-350-7900 to make a reservation.
Posted by Doug Bliss on July 9, 2007 | Permalink | Comments (1)
July 06, 2007
Non Technical Common Sense for Network Security
Network security is an extensive topic that gets very complicated, cumbersome, and sometimes downright scary. What I tend to find most, though, is that common sense is rarely used. Network security can be a burden in your organization with either too much or too little. Each time you add a level of complexity, you take away functionality and ease of use. Do very little, and your users become less productive due to downtime, slow performance, etc.
You have to find the middle ground to keep your network secure and productive. It takes some thought and planning, but once you have the common sense taken care of, you have a good solid base to work from.
Basically, at a high level, if you:
- keep all your systems patched with the latest security patches
- have a current standardized firewall
- have current standardized anti-virus/spyware protection
- have common sense password/user policies and procedures
- have a clear understanding of what you have that is sensitive/valuable
- have all sensitive data encrypted
- make your users aware of the Social Engineering aspect of hacking
It will be hard for a hacker to obtain the information they would need to "get" you without a little luck and some social engineering. To put all the pieces together would take a lot of time, effort, and resources. Think like a hacker/thief. What do you have that would make someone put forth an extra concentrated effort to "steal" from or "cripple" your network? A lot of hackers want your resources, not your data. They want a place to store/share data, or to use your network to hide their attack on someone else, etc. The common sense steps should protect you from this random, opportunistic type of hacker so you can concentrate on the ones that want to cause harm to you specifically.
Here is a short topic list of common sense for network security:
Social Engineering
One of the best things to do is not computer related but people related. If you have the common sense things taken care of, the hackers will have to use some aspects of Social Engineering to complete their "puzzle" so they can get what they want. User education is a vital, if not crucial, part of this.
The good news about hacking today is that many security mechanisms are very effective against most hacking attempts. Firewalls, IDSes, IPSes, and anti-malware scanners have made intrusions and hacking a difficult task. However, the bad news is many hackers have expanded their idea of what hacking means to include social engineering: hackers are going after the weakest link in any organization's security—the people. People are always the biggest problem with security because they are the only element within the secured environment that has the ability to choose to violate the rules. People can be coerced, tricked, duped, or forced into violating some aspect of the security system in order to grant a hacker access. The age-old problem of people exploiting other people by taking advantage of human nature has returned to bypass modern security technology. Protection against social engineering is primarily education. Training personnel about what to look for and to report all abnormal or awkward interactions can be effective countermeasures.
(Social engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information.[1] While similar to a confidence trick or simple fraud, the term typically applies to trickery for information gathering or computer system access and in most cases the attacker never comes face-to-face with the victim.)
Public Information
A lot of companies give the CEO elevated privileges. Of course he is the boss, the owner! His name, bio, and email address are all over your website, mailings, public records, etc. Most companies use a username convention of first initial plus last name, or initials. Now a hacker can guess jboss or jqb as the username, and he has half the info he needs to obtain access with elevated privileges. You just did half his work for him. Most organizations freely give away too much information that can be used against them in various types of attacks.
Here are just a few common examples of what anyone can learn about your organization:
• The names of your top executives and any flashy employees you have by perusing your archive of press releases.
• The company addresses, phone number, and fax number from domain name registration.
• The Internet service provider for Internet access through DNS lookup and other tools.
• Employee home addresses, phone numbers, employment history, family members, previous addresses, criminal record, driving history, and more by looking up their names in various free and paid background research sites.
• The operating systems, major programs, programming languages, specialized platforms, network device vendors, and more from job site postings.
• Usernames, e-mail addresses, phone numbers, directory structure, filenames, OS type, Web server platform, scripting languages, web application environments, and more from Web site scanners.
• Flaws in your products, problems with staff, internal issues, company politics, and more from blogs, product reviews, company critiques, and competitive intelligence service.
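The username convention described above can be checked from the defender's side. The following is an added example, not part of the original post: it derives the two conventions the post names (first initial plus last name, and initials) from publicly listed names and flags matching accounts in a directory export. The names, accounts, field names and severity levels are all constructed for illustration.

```python
import re

# Constructed sample data: names as they might appear on a public website,
# and a hypothetical directory export (username, privileged flag, MFA flag).
PUBLIC_NAMES = ["John Q. Boss", "Ann Marie Example"]
ACCOUNTS = [
    {"username": "jboss", "privileged": True, "mfa": False},
    {"username": "svc-backup", "privileged": True, "mfa": False},
    {"username": "ame", "privileged": False, "mfa": False},
    {"username": "aexample", "privileged": True, "mfa": True},
]

def candidate_usernames(full_name):
    """Usernames derivable from a published name using the two conventions
    the post names: first initial + last name, and initials."""
    parts = [re.sub(r"[^a-z]", "", p.lower()) for p in full_name.split()]
    parts = [p for p in parts if p]
    if len(parts) < 2:          # a single word gives no usable convention
        return set()
    return {parts[0][0] + parts[-1], "".join(p[0] for p in parts)}

def audit(public_names, accounts):
    """Return (username, public name, severity) for every account whose
    username can be derived from a publicly listed name."""
    derived = {}
    for name in public_names:
        for user in candidate_usernames(name):
            derived.setdefault(user, name)
    order = ("high", "medium", "low")
    findings = []
    for acct in accounts:
        name = derived.get(acct["username"].lower())
        if name is None:
            continue
        if acct["privileged"] and not acct["mfa"]:
            severity = "high"    # guessable name, elevated rights, password only
        elif acct["privileged"]:
            severity = "medium"  # guessable name, but a second factor is required
        else:
            severity = "low"
        findings.append((acct["username"], name, severity))
    return sorted(findings, key=lambda f: order.index(f[2]))

if __name__ == "__main__":
    for username, name, severity in audit(PUBLIC_NAMES, ACCOUNTS):
        print(f"{severity:6} {username:10} derivable from '{name}'")
```

Accounts that come back as "high" are the ones where a public name maps straight onto a privileged, password-only login.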
Passwords
We have been discussing the problems with password security for years. If your IT environment controls authentication using passwords only, it is at greater risk for intrusion and hacking attacks than those that use some form of multifactor authentication. A password is just a string of characters which a person must remember and type when required. Unfortunately, a password that is too complex for a person to remember easily can be discovered by a cracking tool in a frighteningly short period of time. Dictionary attacks, brute force attacks, and hybrid attacks are all methods used to guess or crack passwords. The only real protection against such threats is to make very long passwords or use multiple factors for authentication. Unfortunately, requiring ever longer passwords ends up reducing security because of the human factor. People simply do not remember numerous long strings of chaotic characters.
Problems facing password-only authentication systems:
- People who use the same password on multiple accounts.
- People who write their passwords down and store them in obvious places.
- The continued use of insecure protocols that transfer passwords in clear text, such as those used for websites.
- The problem of shoulder surfing or video surveillance.
Password theft, password cracking, and even password guessing are still serious threats to IT environments. The best protection against these threats is to deploy multifactor authentication systems and to train personnel regarding safe password habits.
Default Settings
Nothing makes attacking a target network easier than when that target is using the defaults set by the vendor or manufacturer. Many attack tools and exploit scripts assume that the target is configured using the default settings. Thus, one of the most effective and often overlooked security precautions is simply to change the defaults. To see this problem, all you need to do is search the Internet for sites using the keywords "default passwords". There are numerous sites that have all of the default user names, passwords, access codes, settings, and naming conventions of every software and hardware IT product ever sold. Use standardized customizations, configurations, and settings.
Inside
The majority of security violations are actually caused by internal employees. When someone on the inside decides to attack the company network, many of the security defenses against outside hacking and intrusion are often ineffective. Instead, internal defenses specific to managing internal threats need to be deployed. This could include keystroke monitoring, preventing users from installing software, not allowing any external removable media source, disabling all USB ports, extensive auditing, host-based IDS/IPS, and Internet filtering and monitoring.
This is a very short and high-level viewpoint on common sense network security. Like I mentioned at the start, it is a very complex and tedious subject. Basically, try using more common sense mixed in with your technology and procedures.
Travis Davies, MCSE NT 4.0, MCSE 2000, MCSE 2003, MCSA 2000, MCSA 2003, CCNA, CEH, CSSA
Senior Network Architect
Posted by Travis Davies on July 6, 2007 | Permalink | Comments (2)
May 22, 2006
Windows Rights Management Tips
I have done a couple of RMS implementations recently and wanted to share my thoughts and some tips.
I can definitely see the pros of using RMS for ANY organization, whether it is for confidential e-mail to customers or clients over the Internet using Microsoft Passports or in your domain for HR issues. The setup is straightforward and you do not need a lot of resources. You may not use it all the time, but it is a must-have asset/tool for every Windows 2003 domain.
Here are the Microsoft links for RMS:
http://www.microsoft.com/windowsserver2003/technologies/rightsmgmt/default.mspx
http://www.microsoft.com/windowsserver2003/evaluation/news/bulletins/rm.mspx
RMS GPO setup for auto install of RMS client
Here is a generic procedure I have on how to create a GPO for RMS SP1. You can use it as a guide to compare to.
1. Create a new organizational unit (OU) named RMSSP1.
2. Right-click the RMSSP1 OU and choose Properties.
3. Select the Group Policy tab.
4. Click New to create a new Group Policy object (GPO).
5. Click Edit to edit the new GPO.
6. In the console tree, expand Computer Configuration, Software Settings and then select Software installation.
7. Right-click on Software Installation and select Properties.
8. On the General tab, select "Assign" for New Packages and "Uninstall the applications when they fall out of the scope of management." Then click OK.
9. Right-click on Software Installation and select New, Package...
10. Provide a path to the MSDRMclient.msi file on a network shared folder that the client computers can access.
11. Click OK to assign the package.
12. Repeat steps 10 through 12 to create a Package that installs the RMClientBackCompat.msi file.
RMS when reading e-mail offline
What happens when you are on a plane reading your e-mail offline? You cannot view the RMS e-mail sent to you from your boss?
Here is the solution. If you use Outlook 2003 in cached mode, you can set the Outlook client to automatically license all RMS-protected emails during sync. This way you can ensure that all protected emails in your Inbox have corresponding use licenses downloaded and hence can be viewed.
Outlook in cached mode should do the above automatically. If not, here is the Registry key you will need.
Hive: HKEY_CURRENT_USER
Key: Software\Microsoft\Office\11.0\Outlook
Type: REG_DWORD
Entry: UserData
Value: 0x00000001
If this is not set, or the entry doesn’t exist, create it.
I would be interested if anyone has any more tips or comments.
Travis Davies
Sr Network Architect
Visionpace IT
Posted by Travis Davies on May 22, 2006 | Permalink | Comments (0)




