Securing your networks.
Protecting your data.
What can we do?
As the Internet continues to
expand, and more users receive, store, and send
personal and confidential data of their own, and of their
clients, security becomes more of a concern. While the number
of attacks on these systems is on the rise, so is the number
of safeguards that can be implemented to help
prevent unauthorized access to this crucial data.
The
following list is provided as a basic checklist of some of
the more common services that are available, and that may be
relevant to your particular application or situation.
Network Level
Firewall Protection
A firewall is a set of related programs, located at a network
gateway server, that protects the resources of a private network
from users from other networks. Basically, a firewall, working
closely with a router program, filters all network packets to
determine whether to forward them toward their destination. A
firewall is often installed away from the rest of the network so
that no incoming request can get directly at private network
resources. There are a number of firewall screening methods
and they come in both hardware and software forms. A
simple one is to screen requests to make sure they come from
acceptable (previously identified) domain names and IP
addresses. For mobile users, firewalls allow remote access into
the private network by the use of secure logon procedures and
authentication certificates.
Some
clients use a common form of addressing known as NAT, short
for Network Address Translation, an
Internet standard that enables a
local area network (LAN) to use one set of
IP addresses for internal traffic and a second set of
addresses for external traffic. A NAT box located where
the LAN meets the Internet makes all necessary IP address
translations. This is the
standard for home environments.
NAT does two things:
- Provides a type of
firewall by hiding internal IP addresses (but
not a true firewall!)
- Enables a company to use
more internal IP addresses. Since they're used internally
only, there's no possibility of conflict with IP addresses
used by other companies and organizations.
Internet Connection Firewall
Windows XP includes Internet Connection Firewall (ICF)
software. Windows Firewall, previously known as Internet
Connection Firewall or ICF, is a protective boundary that
monitors and restricts information that travels between your
computer and a network or the Internet. This provides a line
of defense against someone who might try to access your
computer from outside the Windows Firewall without your
permission.
If you're running Windows XP Service Pack 2 (SP2), Windows
Firewall is turned on by default. The service definitions that
permit services to operate across Internet Connection Firewall
also work on a per-connection basis. If your network has
multiple firewall connections, you must configure service
definitions for each Internet Connection Firewall connection
through which you want the service to work.
You do not have to use Internet
Connection Firewall if your network already has a firewall,
and in some cases multiple firewall protection levels would not
serve you well.
System Security
Virus Protection
Viruses, worms, and Trojans are malicious programs that can
cause damage to your computer and information on your computer.
They can also slow down the Internet, and they might even use
your computer to spread themselves to your friends, family,
co-workers, and the rest of the Web. The good news is that with current
anti-virus subscriptions and common sense, you are less
likely to fall victim to these threats. Think of it as locking
your front door to protect your entire family.
Before opening attachments, you
should always scan them
for viruses with an anti-virus application. You can configure
most anti-virus applications to scan e-mail messages
automatically.
Virus Protection in Microsoft Outlook and Office
File attachments in e-mail messages you receive can
contain worm viruses such as the ILOVEYOU virus and the Melissa
virus. When you open the attachment, the virus activates and
sends copies of the e-mail message and attachment to people
listed in your Address Book, "worming" its way through the
e-mail networks in an organization or across the Internet. In
addition to spreading quickly, worm viruses may contain code
that can irreparably damage data stored on your computer.
To help prevent the spread of worm viruses, Microsoft Outlook
compares the file type of each attachment in a message you
receive or send with the file types on the e-mail security
attachment file type list. If an attachment is a file type that
can contain code that can run without warning, it is treated in
one of two ways, depending on the file type level.
Level 1 - Level 1
file types, such as .bat and .exe,
are blocked by Outlook, and you cannot see or access the
attachment. Your Inbox will display the paper clip icon in the
Attachment column to let you know that the message has an
attachment, and you will see a list of the blocked attachment
files in the InfoBar at the top of your message. In addition,
when you send an attachment that has a Level 1 file type
extension, you will see a message warning you that other Outlook
recipients may not be able to access this type of attachment.
Level 2 - If the
file type is Level 2, you can see the icon for the attachment,
and when you double-click it, you will be prompted to save the
attachment to your computer. Once you have saved the attachment,
you can decide whether to read, execute, or otherwise use the
file or not.
To help protect against viruses that might be contained in HTML
messages you receive, scripts won't run and Microsoft ActiveX
controls will be deactivated regardless of your security zone
setting. By default, the Microsoft Outlook security zone is set
to Restricted Site. The Restricted Zone is significantly more
secure and restrictive than the Internet Zone. Most scripting
and ActiveX downloads and plug-ins are disabled by default.
Cookies and file downloads are also disabled by default.
Additionally, you can configure Outlook to read HTML messages
only as plain text. This prevents any scripting from running.
Therefore, it may be more secure.
To help protect against any harmful macro viruses that might be
contained in Microsoft Office files, your macro security level
is High by default in Microsoft Outlook, Microsoft Word,
Microsoft Excel, and Microsoft PowerPoint. You will be able to
run only digitally signed macros from trusted sources. Unsigned
macros will be deactivated.
To provide
enhanced security, Microsoft Office Outlook 2003 is designed to
prevent you from unblocking attachments.
Because Outlook is so widely used, it has been the target
of several virus attacks in the past that have affected millions
of people. Microsoft has acted to protect people from files,
such as .exe and .bat files, that are often used to run
malicious scripts when opened. Unfortunately this makes file
sharing less convenient for many people, but security must take
precedence. Microsoft
Office 2003 file types most commonly shared between people, such
as .doc, .xls, and .ppt files, are not blocked.
If you need
to share files that have file types blocked by this feature, you
have several options, including the following:
- Rename the
files to include a temporary file type that is not on the list
of blocked file types. For example, you might rename
MyFile.exe to MyFile.exe_EXTRA, and then attach the file to
the e-mail message. You can include instructions in the
message to save the file with the correct name, for example,
MyFile.exe, when the recipients save the file to their
computers.
- Use a
program, such as WinZip, to package files before you attach
them to your e-mail message. In your message, you can include
instructions explaining how to extract the files from the
package to make it easy for recipients to access the files.
- Post the
files to a secure network share. In your message, you can
include a link to the share that you have given the recipients
access to.
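The Level 1 / Level 2 attachment screening described above, as an added example (not Outlook's own code). Only .bat and .exe come from this page; the Level 2 entry, the function names and the sample file names are constructed.

```python
import os

# Level 1 types named on this page; the real list is longer.
LEVEL1 = {".bat", ".exe"}
# Constructed Level 2 entry, used only to show the save-to-disk path.
LEVEL2 = {".zip"}


def classify(filename):
    """Return 'blocked', 'save_first' or 'allowed' for one attachment name."""
    # A trailing dot or space does not change the file type on Windows,
    # so strip them before looking at the extension.
    name = filename.strip().rstrip(". ")
    # Only the final extension counts, compared without regard to case.
    ext = os.path.splitext(name)[1].lower()
    if ext in LEVEL1:
        return "blocked"       # Level 1: recipient cannot see or open it
    if ext in LEVEL2:
        return "save_first"    # Level 2: must be saved to disk before use
    return "allowed"


def screen_message(attachments):
    """Group a message's attachment names by how they would be handled."""
    result = {"blocked": [], "save_first": [], "allowed": []}
    for name in attachments:
        result[classify(name)].append(name)
    return result


if __name__ == "__main__":
    # Constructed sample names, including the renamed file from the tip above.
    sample = ["report.doc", "SETUP.EXE", "invoice.pdf.exe",
              "files.zip", "MyFile.exe_EXTRA"]
    for kind, names in screen_message(sample).items():
        print(kind, names)
```

A check like this looks only at the file name, so scanning saved attachments with an anti-virus application, as recommended earlier, still matters.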
Wireless Security
Wi-Fi Protected Access (WPA) Security
Wi-Fi Protected Access (WPA), the latest
high-security standard for wireless networking, increases the
level of data protection and access control for wireless
networks. WPA provides several benefits to enhance security. It
keeps out unwanted users by checking for the proper permission
and password before allowing network access. It is also more
robust than the security standard it is replacing, Wired
Equivalent Privacy (WEP), which provides basic protection for
home networks and limited protection on public networks. WPA
improves data encryption so attackers will not be able to view
or alter any data traveling to or from your wireless network.
WEP uses 64- or 128-bit encryption keys, but WPA offers up to
256-bit encryption keys, which are exponentially harder to
decode. Also, while the WEP key is static, the WPA key is
dynamic: it automatically changes as often as you want it to (the
Linksys default interval is 50 minutes). This foils would-be
hackers' attempts to figure out the WPA key by eavesdropping on
your network traffic. By the time they can decode your old WPA
key, your network has already switched to a new WPA key, so WPA
is significantly better than WEP, which uses the same WEP key
repeatedly.
Note: If you do not properly
encrypt your wireless network, your data is exposed to
unauthorized outside traffic.
PDA Security
Virus Protections
Real-time
defense against PDA viruses. Your PDA holds information you
use every day, so safeguard it with virus protection for
Pocket PC and Palm OS®-based devices.
Encrypting data between your
company web site forms and your visitor's computer
Make
sure sites you visit (and enter personal data on) use SSL
technologies (look for the padlock!). When you use SSL
certificates on your web site forms, you are enabling
encryption between Internet Explorer and your web site, which can
help provide increased security against unauthorized viewing
of personal or confidential
data. The collected
data is encoded only during transmission.
The data can then be stored on the server, or sent in a
regular or encrypted message to your Outlook mailbox.
Encrypting data between Outlook and Exchange server
When using a Microsoft
Exchange Server e-mail account,
you can enable encryption, which may help provide
increased security against unauthorized viewing of your data.
The e-mail is encoded
only during transmission to the
Exchange server.
Encrypting data between Outlook
and your recipients
Encrypting a message protects the privacy of the message by
converting it from plain, readable text into cipher (scrambled)
text.
Some third-party products are coming to market
that are intended to be more user friendly than the traditional
means, which are more cumbersome and more difficult to
implement. Secured eMail
provides a secure, simple to use (according to their site),
affordable e-mail security solution for all Microsoft Outlook
users. The software is integrated into Outlook, and can help in
eliminating the need for extensive staff training. All e-mail
and attachments are encrypted from desktop to desktop. Extra
features include private and master passwords enabling the user
to encrypt secured e-mail on their hard drive.
The traditional means of handling
encryption require you and your recipients to swap
certificates (a digital means of proving your identity).
This can be much more difficult to implement on your end, and
not very practical.
Prevent Impersonation,
Tampering, and Eavesdropping of Email
Impersonation occurs when a hacker (someone who illegally gains
access to a computer system or network with the intent of
causing damage) sends e-mail messages and pretends to be
someone else. Tampering occurs when a hacker intercepts your
e-mail messages and changes the message without the recipient
knowing. Eavesdropping occurs when a hacker intercepts and reads
your e-mail messages.
Using a digital signature (an
application of an algorithm to the message data used to prove to
the recipient that the message is from the sender (not an
imposter) and that the message has not been altered) to sign
e-mail messages helps prevent both impersonation and tampering.
Digitally signing a message provides nonrepudiation; that is,
it proves to the recipient that the message is from the sender
and not an imposter. Additionally, e-mail messaging software
that supports S/MIME will alert the recipient if the message has
been altered in any way.
Attach security policies by
using security labels on message headers
A security label (A secure e-mail feature that lets you add
sensitivity labels, such as Internal Use Only, to the message
header. Security labels in your organization are controlled by
security policies set up by your e-mail administrator.) lets you
add to the message header information about the sensitivity of
the message's content. A security label might also restrict
which recipients can open, forward, or send a specific message.
Prevent unauthorized
access of email
Change email
passwords on a routine basis. Passwords that do not change are
easier to break, merely due to the extended periods of time that
they are in place. Use alphanumeric passwords, and mix up lower
and upper case to make them more secure. Don't make them
obvious, and don't share them with anyone.
Prevent unauthorized downloading/installing
of applications to computers
Institute a company-wide approved list of
applications for company-owned systems.
Preventing users from downloading or installing any program can
save you endless hours of troubleshooting and repair.
Prevent unauthorized
access of your computers
Change user
account passwords on a routine basis. User account passwords
can prevent or minimize eavesdropping from office visitors and
fellow employees when you're away from your station. A good example
would be the payroll system.
Provide routine backup of your
computers
Back up data on all office and home systems to
removable media to safeguard your data in the event of
catastrophic failures. A network level protection is best, but
inexpensive local options are available with some operating
systems (e.g. Windows Me, XP Professional).
Provide same level of
protection to your home computers
Most
folks do not take the same steps to prevent data loss in their
home environments due to the cost and time involved. As a result,
many issues originate from their home computers. Protect all of
your systems.
Finally, double check everything!
No system is perfect, regardless of all these hardware
and software protections in place.
Run routine diagnostics to verify that the firewall continues
to operate properly (being connected to your network is not
synonymous with functioning properly), ensure the latest OS and virus
DAT files are downloaded and installed automatically (in both
office and home environments, and on PDAs), and run full virus scans
on all systems each month.
Sources:
Microsoft®, Linksys®, Symantec®, Secured eMail AB®, Gannett Road
Technologies LLC®. Gannett Road Technologies LLC is not related
to any company mentioned, and products or services
referenced are not necessarily recommendations as certain
restrictions may apply. Contact Gannett Road Technologies for
additional information. Not responsible for typographical
errors.
