|Public Wi-Fi networks are everywhere today. The nearest hot-spot in your city is probably only a block away. With so many employees on the road and working out of the office today, IT departments are finding the need to provide external access to network resources. The need to stay productive while out of the office is crucial.
Anytime an end-user is accessing corporate data on a public network, security is a big concern. You never know
|when your confidential data may be compromised. If your company provides access to data from outside of the corporate environment, you must make sure that you take the necessary steps to ensure that data is secure.
When on a public network, any data that is sent to and from an end-user’s laptop is generally visible to anyone else that is on that same public Wi-Fi network. What this means is that those traffic streams are open to what is called a man-in-the-middle attack. A man-in-the-middle attack utilizes a natural security flaw in the Address Resolution Protocol (ARP). The flaw allows an attacker to secretly respond to an ARP request of a computer initiating a connection with another node. The attacker then makes private independent connections with the two nodes. Once this is done then all traffic is relayed through the attacker’s computer and the end-user will be unaware that this has occurred. If this attack is done between a laptop and an internet gateway, then that attack is able to sniff every packet that the end-user sends out to the internet, including confidential corporate data.
So how do you protect your private data from attacks like these? Encryption is one of your biggest defenses. However you decide to provide access to network resources to employees on the road, whether it be via a VPN or a web portal, encryption is a must. If your company uses VPN software to provide access to the network from outside it, then once the VPN tunnel is negotiated all traffic that is passed between the laptop and the corporate network is encrypted. This means that even if the attacker were to sniff out those packets sent, they will be encrypted and the attacker will find it nearly impossible to gain access to that data without knowing the key used to encrypt it.
If your company uses a secure web portal to provide access to network resources, then there are a few things that should be known. First off, most web portals that are secured using the HTTPS protocol use certificates to authenticate the encryption process. If the attacker is using the right tools, he or she can send a spoof certificate to the end-user. If the end-user accepts this certificate, then they will be opening secure communications with the attacker. The attacker then sends the real certificate request on to the corporate web server and opens secure communication with the web server. Once this is done, then the attacker is able to see all traffic that the end-user sends before it is encrypted and sent on to the corporate web server. To prevent this, it is important that you use certificates that are generated from trusted sources such as Verisign or Geotrust. Then if the end-user receives a certificate that is from an untrusted source, the end-user will be alerted to this.
It goes without saying that any end-user that is going to be accessing corporate data from outside the internal network should be trained on basic security. With the proper security infrastructure in place and users trained, then the IT staff should be able to rest easy knowing that corporate data is safe.
The Sarbanes-Oxley Act (SOX) is one of the most comprehensive compliance acts to ever affect corporate business. Because today most information in a business is stored and sent electronically, the IT department must create an encompassing security policy to ensure that their company is compliant with SOX.
The security policy must govern everything from network security, to access controls, logging, encryption, and alerting. These policies and guidelines must be documented and the IT department must be able to display these documents and show that these policies are in place and being used in the event of an audit.
Because a lot of data today is transferred via email, it naturally plays a very large role in ensuring that your company is compliant with SOX. So much data is transmitted via email network protocols today, yet it remains one of the most insecure realms of the network. This is why IT professionals must pay close attention to how emails are sent and received on their network.
SOX requires that all malicious emails are seized both inbound and outbound on the network and removed before any internal data is compromised rather than just alerting IT staff as violations occur. Email security compliance includes every aspect of your email system and email must remain secure at all points of transmission. This means that emails that contain financial information must be encrypted during transmission to the recipient as well as have access controls in place while the emails reside on a local system for storage.
Anti-spam and anti-phishing systems must be in place and integrated with your email system. The system must be configured to prevent emails detected as malicious from reaching workstations on the network.
Email archiving is also required for Sarbanes-Oxley Act compliance. All emails must be archived so that any email received by the company’s system can be retrieved at a later date. Emails should be archived prior to being received by the client to ensure that information is not deleted or removed from the system before archiving can take place.
It is important that if the Sarbanes-Oxley Act affects your company, then not only should your IT staff become familiar with SOX, but the whole staff should be trained on the basics of what SOX compliance is required of them. As an IT professional, your network security policy should be well documented and enforced.
Social engineering is the term used for manipulating company employees to gain access to unauthorized areas. Whether those areas are physical locations in the building or they are network file storage locations or network access, it does not matter. A social engineer attack is every bit as dangerous and can even be much more crippling than a computer virus or network hack. Some of the most dangerous attacks thefts have used have been based around social engineering. One of the reasons why social engineering works so well is because IT experts spend most of their time patching systems and securing their network rather than taking time to train the employee base on the basics of information security. The idea behind information security covers much more than just network and computer security, but also covers employee training and physical security as well.
Below are common flaws found in many corporate environments today and things that can be done to fix those vulnerabilities.
1) Website Information: When it comes to gathering information about a company, the first place that just about anyone will start at is the company’s website. Many companies post valuable information on their website not realizing that it is in fact a security risk. Things like phone numbers, employee names, and email addresses can all be found on these websites. These things should all be limited to outsider access. Phone numbers that are listed should always be to just main number call center numbers and not individual direct dial numbers. One common major mistake is to have active links to employee email addresses. For most companies, the user name in an email address is the same as their network logon. The theif already has half of what they need for network access.
2) Outside Contractors: Workers from outside companies visiting the premises to do temporary work should always be accompanied by a security liaison. Security liaisons should be told what the contractor is there to do and be familiar with what it takes to complete the task. This is so that they know when the contractor is completed with their work and that they don’t enter areas that don’t need to be entered to get the job done. The security liaison should also be aware if the contractor is removing items from the premises.
3) Telephone Scams: Phone scams are common as it is an easy way to make contact with company employees without being in face to face contact. Employees need to be trained to be helpful to callers, but at the same time cautious. A common phone scam is when the caller poses as a computer salesperson. They inquire about what type of systems the company uses, if there is a wireless network, and what type of operating systems are used. All this information is used to plan out a network attack. Employees need to be trained to always forward any type of network related questions or calls to the IT staff.
4) Dumpster Diving: A common way of getting any information about anyone or company is to go through the trash. Companies should always have private information shredded. Service companies that handle the shredding of documents and computer data should be hired. The trash dumpsters should never be left in an open unsecure area and surveillance cameras should be kept on the dumpsters on a 24 hour basis.
5) Password: It is imperative that there is a company policy regarding passwords. An IT tech should never call another employee and ask them for their username and password and all employees should know that. Passwords should also never be placed on sticky notes or anywhere else visible and written down. A password rotation should also be in effect so that old passwords get phased out.
6) Logging Off: A thief can use social engineering to gain access to buildings and there they can usually find workstations that are still logged in with a user account. Many times these user accounts will have access to a lot of confidential information. It should be a company policy that whenever someone leaves their desk, they must lock or log off their computers. IT should also enforce the issue with network security policies that automatically lock a computer after a short period of inactivity.
7) Employee Training: Finally, when all is said and done, it all comes down to training. It is important to hold annual or bi-annual training sessions regarding the network security policy of the company. Everything from the physical building security to how each workstation is configured to email policy should be covered.
The more layers you add to your security policy and the more your employees are trained on all their aspects, the harder it will be for a social engineering thief to steal information.
Firewalls are commonplace now within corporate and even residential network environments. It is important to understand them and take a deeper look at firewalls. Corporations create a set of rules based on their security enabled network policy that determines what information can be accessed on the corporate network by all end users.
Firewalls have several ways of controlling traffic to and from the internal corporate network. Packet filtering is one method that firewalls use to process traffic in and out of the secure network. The firewall has a rules base that it matches the packet’s header information again to decide whether or not that traffic stream is allowed. If those packets match a set of rules that the firewall allows, then that traffic is allowed to pass through the firewall. If it not specifically allowed, (again, depending on the rules base) then generally the firewall denies the traffic.
Another way that firewalls can filter traffic is by using a proxy service. In this way, a firewall retrieves information from the web on behalf of the internal network nodes and then passes the information to the requesting computer.
A more advanced method that most modern firewalls now use today is called stateful packet inspection. This method is like packet filtering on steroids. It looks at the packet deeper and examines data within the actual packet and compares that data from trusted sources on the internet to ensure that the data does not have malicious intent. If the packet data is known to be malicious, then the firewall blocks the packet stream regardless of whether the packet matches the rules base of the firewall.
The methods that you choose to put in place in your network all depends on your security enabled network policy. Regardless of what method you decide on, be sure to take all aspects of network security into consideration and close off any open holes that are not required to be open on your firewall.
Thank you for visiting this new site that is filled with quality information for anyone involved with network security. Network security is one of the hottest topics today in the IT industry. Here you will find anything from news, security information, tips, how-to guides, product reviews, videos, discussions, and much more; all of which relates to network security.