Systems security program

To begin with, identify the systems that must be protected for business to continue or trust to be maintained. Where does a company direct its personnel, hardware and monetary resources? Then you must realise that levels of protection are informal processes for most companies. These informal security steps must be documented, defined and formally established as part of the corporate culture. The key is not to react, as most companies are doing, but to be proactive: establish standards and policies and document where the company is supposed to evolve in a systematic process. This is possible by creating a systems security program. This program, if designed correctly, will stop intruders from entering the sensitive areas of corporate organisations. Equally important is that this security program must be a living model (real life); it must be continuously evaluated and updated. Finally, the executives must "buy" this process or it is destined to fail. Following are some of the common practices that need to be remembered and, more importantly, implemented; however, they are often overlooked by system administrators and security personnel, and the bizarre consequences are left to be borne by the corporation's CEOs.

Define perimeters

First and foremost, for any model to succeed, the perimeter must be defined. It is not only a question of where the servers, switches, hubs and routers are located, but also where the doors and windows are located through which individuals can gain "local control" of these devices. Are there metrics to validate entrance into those rooms and devices? A company's physical security program must include actively monitoring all personnel entering and exiting these physically protected spaces. Additionally, routers must be configured to provide both passive and active defences against hacking and Denial of Service (DoS) attacks.
Update patches

Patching the Operating System (OS) and applications is the fundamental layer of security. Without patch updates and fixes, even the most physically isolated computer can be compromised in minutes. Statistically speaking, every computer will be probed at least 6 times during its life cycle. Reports of servers being compromised have also become a common occurrence. Where does the problem lie? In all cases, system administrators forgot to install the updates and patches. These updates provide protection against software-related vulnerabilities and hazards. One must implement the latest applicable patches, remove or tighten unnecessary services, and tighten system settings on each host operating system. These simple steps will solve two-thirds of a company's problems.

Active monitoring

There are many programs and processes available that can provide a system administrator with a lot of valuable information about the health of a network. These processes should be incorporated into an indications and warning network. MRTG, HP OpenView and a multitude of other programs provide information on bandwidth, CPU utilisation, disk space usage, application usage and other such valuable measures. As system administrators intuitively know what is considered "normal activity" for their networks, any "out of band" increases are readily noticeable. Collecting this raw information in a central place gives security and systems administrators another means to detect something going amiss.

Auditing

Every authorised systems administrator and system security person must continuously audit the internal networks. Firewall logs, switch and router activity, computer system logs, and read/write permissions should be reviewed on a weekly or twice-monthly basis. These audits may provide critical information on the activities occurring not only on the network, but also on each system.
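The "out of band" increase the monitoring paragraph relies on can be made explicit rather than left to intuition. The following is an added example, not code from the article or from MRTG or HP OpenView: it learns a mean and standard deviation per metric from a window of readings taken during known-normal activity and flags any recent reading that sits more than three standard deviations above that mean. The host name, metric names and all sample values are constructed; in practice the baseline window would be fed from the monitoring tool's own exported data.

```python
"""Flag "out of band" increases in monitored metrics against a learned baseline.

Added example: the host, metric names and sample values below are constructed.
"""
import statistics
from dataclasses import dataclass


@dataclass
class Alert:
    host: str
    metric: str
    value: float
    baseline_mean: float
    sigma: float  # distance above the baseline mean, in standard deviations


def learn_baseline(samples):
    """Return (mean, stdev) of a window of samples known to be normal activity."""
    if len(samples) < 2:
        raise ValueError("need at least two baseline samples")
    return statistics.fmean(samples), statistics.pstdev(samples)


def check_samples(host, metric, baseline, recent, threshold=3.0, min_spread=1.0):
    """Return an Alert for every recent sample more than `threshold` standard
    deviations above the baseline mean.

    `min_spread` floors the standard deviation so a perfectly flat baseline
    (stdev 0) neither divides by zero nor alerts on every one-unit wobble.
    """
    mean, stdev = baseline
    spread = max(stdev, min_spread)
    alerts = []
    for value in recent:
        sigma = (value - mean) / spread
        if sigma > threshold:
            alerts.append(Alert(host, metric, value, mean, sigma))
    return alerts


# Constructed samples: a window of "normal" readings, then a few recent ones.
CONSTRUCTED_METRICS = {
    "bandwidth_mbps": {"baseline": [40, 45, 50, 55, 60, 50, 45, 55, 50, 50],
                       "recent": [48, 52, 66, 420, 50]},
    "cpu_pct":        {"baseline": [20, 25, 30, 25, 20, 30, 25, 25],
                       "recent": [24, 26, 98]},
    "disk_pct":       {"baseline": [70] * 8,
                       "recent": [70, 71, 80]},
}


def run_demo(host="fileserver01", metrics=CONSTRUCTED_METRICS):
    """Learn a baseline per metric and return every out-of-band alert."""
    alerts = []
    for metric, data in metrics.items():
        baseline = learn_baseline(data["baseline"])
        alerts.extend(check_samples(host, metric, baseline, data["recent"]))
    return alerts


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a.host} {a.metric}={a.value} is {a.sigma:.1f} sigma above "
              f"baseline mean {a.baseline_mean:.1f}")
```

With the constructed data the bandwidth reading of 66 Mbps stays just under three standard deviations and is not reported, while 420 Mbps, 98 % CPU and the jump to 80 % disk each raise an alert. The floor on the spread is the edge case worth noting: a metric that never moved during the baseline window has a standard deviation of zero, and without the floor every later reading would either divide by zero or be flagged.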
Once these items are audited, and logs archived for forensic purposes, the activity of each system can not only be tracked and monitored, but changes are noticed immediately during the audit.

Detection program

One needs to carefully select an Intrusion Detection System (IDS) software program that will allow the system security team to determine when critical software files and programs on all systems are changed, added or deleted. This program must be tiered and cover both network and operating system issues. Further, it should be understandable and yet robust. The selected program must be able to help the system administrator assess how an attacker views the network. It should implement a file integrity (cryptographic fingerprinting) system so that you can tell which files were changed in an attack. Finally, it ties database-type scanners in with the system-type scanner. Together these two programs let you know the read and write permissions of every file and executable program on the system, and who has access to which files.

Inducement

Be warned: no matter how well protected your system is, you must assume it will be penetrated someday. If the attack and system compromise does not originate from an outside source, it will come from a disgruntled employee, a systems administrator's mistake or an internal intruder. Therefore, a dummy LAN generating enticing data patterns, promising folder descriptors and other such fronts can lure an intruder away from the actual network and systems and buy you time to recover from a successful network penetration. This dummy LAN should be equipped with probes, operating system sensors and tracking software to identify intruders who "mistakenly" negotiate their way through the outer layers. This inducement will give you a real chance to trace the intruder. However, it may not be feasible for small corporate players.
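The file integrity (cryptographic fingerprinting) layer described under "Detection program" is small enough to show end to end. This is an added example, not the article's code nor that of any particular IDS product: it walks a directory tree, records a SHA-256 digest per regular file as a JSON baseline, and on a later pass classifies every path as changed, added or deleted. The files it writes are constructed stand-ins for system binaries, and the baseline format is this script's own.

```python
"""Baseline a directory tree with SHA-256 fingerprints and report what changed.

Added example: the files written by run_demo() are constructed stand-ins for
system binaries; the baseline format is this script's own, not any IDS's.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def fingerprint_tree(root):
    """Map every regular file under root (path relative to root) to its digest."""
    fingerprints = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # only hash regular files, never follow symlinks
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            fingerprints[rel] = sha256_file(full)
    return fingerprints


def save_baseline(fingerprints, path):
    with open(path, "w") as f:
        json.dump(fingerprints, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Classify differences as changed (same path, new digest), added or deleted."""
    return {
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "deleted": sorted(p for p in baseline if p not in current),
    }


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def run_demo():
    """Build a constructed tree, baseline it, mutate it, and return the diff."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        _write(root, "bin/login", b"original login program")
        _write(root, "bin/ls", b"original ls program")
        _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        baseline_path = os.path.join(store, "baseline.json")
        save_baseline(fingerprint_tree(root), baseline_path)

        # Simulated tampering after the baseline was taken: one program
        # replaced, one removed, one unexpected file dropped in.
        _write(root, "bin/login", b"modified login program")
        os.remove(os.path.join(root, "bin/ls"))
        _write(root, "tmp/.unexpected", b"new file")

        return compare(load_baseline(baseline_path), fingerprint_tree(root))


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The baseline is deliberately written to a second directory: a fingerprint database kept on the same writable filesystem as the files it describes can be rewritten by whoever changed those files, so in production it belongs on read-only media or another host, and the comparison should be run from a trusted copy of the tool. Recording permissions and ownership alongside the digest, as the article's "read and write permissions" review calls for, is a natural extension of the same per-file record.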
Restriction

Under no circumstances should you allow unrestricted, unencrypted and unvetted access to the operating system. Simply stated: never conduct sysadmin processes over an unvetted link. It is as easy as never transmitting clear-text passwords and ensuring a trusted relationship is established between the two systems.

Documentation

Nearly every informal process will fail without proper documentation during a critical phase. Documenting security policies and procedures provides an integral standard that guarantees efficient, reliable and responsive security practices to meet all security requirements for safeguarding the facility, personnel and your customers.

System administrator

It is a fact that no one knows the network and system devices like the security and system administrators, who are continuously monitoring the network health and the current status of IDS activity. These individuals will often know something is going wrong before a sensor or probe provides an alert. Additionally, they often provide early warning to management that "something" is wrong. While this is an informal by-product, the system security engineer and systems administrator need a means to report these symptoms to management for evaluation as a situation is developing, and to the security incident response team if warranted.