Security Basics mailing list archives
RE: "It's ok we're behind a firewall"
From: Ben Schorr <bms () hawaiilawyer com>
Date: Thu, 20 Feb 2003 16:49:59 -1000
> 1. Still a large majority of computer crime (data theft, damage etc) is caused by people who have access to internal systems ... is there anywhere that I can get facts and figures to support this?
Check with the FBI.
> 2. In an average company it's not so difficult to gain physical access - how closely are the staff vetted let alone third-party contractors. Stick a boiler suit on and carry a big toolkit and many people will hold a door open for you!
It's an old axiom that if you carry a clipboard and act like you know where you're going you can get into a lot of places without any questions being asked.
> 3. Firewalls can be breached or misconfigured ...
Indeed.
> I'm keen to apply a greater level of security to internal systems.
> 1. Caution against moving to the 'cutting edge' OS or latest
> 2. Regular patching for security issues. Given the number of vulnerabilities being posted I think it may be unreasonable to expect patches to be installed as soon as they're posted - each change will require a degree of administration (testing etc) but perhaps scheduled quarterly updates...
Quarterly may be too slow, though. It seems obvious that people writing exploits are jumping on the announced exploits with the full realization that many if not most companies will not install the patches right away. Slammer, for one good example, was preventable by installing a patch that had been released well before the actual attack was unleashed. I'd have to have a patch in my lab for 5 weeks while my production servers get taken down by the exploit. It's a tough call, no doubt. You have to balance two old proverbs: "Fools rush in where angels fear to tread" vs. "He who hesitates is lost."
> reported 6 months ago) Do you schedule patch updates (what's the preferred frequency)?
We update fairly urgently, though we do try to aggressively monitor the community to see if the first people to install it had any problems. We have backups and try to be prepared to roll-back if we need to, but if the patch fixes what we consider to be a serious vulnerability we'll usually try to be the 2nd or 3rd to install it; in a manner of speaking.
> 3. Control the build of internal systems so that unneeded services are disabled.
Another good point. As I understand it, Windows 2003 ships with that philosophy as well; little used services are turned off by default and must be explicitly enabled by admins who want them. As opposed to the way it was done in prior versions of the OS.
> 4. Raise staff awareness of security issues (this is actually the most important factor of all).
Education, education, education.
> The question is, how to approach the staff who've got their heads buried in the sand.
Depends upon how far they're buried. If they're unretrievable then perhaps you need to approach them with a pink slip in hand. Otherwise it comes back to education and some of them will require more than others.

-Ben-
Ben M. Schorr, MVP-Outlook, CNA, MCPx3
Director of Information Services
Damon Key Leong Kupchak Hastert
http://www.hawaiilawyer.com
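The point about controlling the build so that unneeded services are disabled is only as good as the check that verifies it afterwards. The script below is an added example, not part of the original post or of the poster's environment: it audits a host's listening sockets against a per-role baseline (an allowlist of expected protocol/port pairs) and reports anything exposed that the baseline does not cover, anything the baseline expects but that is not listening, and listeners bound only to loopback, which are lower risk and reported separately. The `ss -lntup` output it parses is constructed for the example (the role names, the baseline contents and the process names are assumptions); on a real Linux host you would feed it the output of that command instead. The sample deliberately includes an inetd telnet listener and a SQL Server resolution service on UDP 1434 (the port Slammer abused) on a host whose role is "web", so both show up as unexpected.

```python
import ipaddress
import re

# Role -> set of (protocol, port) pairs a host in that role is allowed to expose.
# The roles and contents are assumptions for this example, not anyone's real build standard.
BASELINE = {
    "web": {("tcp", 22), ("tcp", 80), ("tcp", 443)},
    "db": {("tcp", 22), ("tcp", 1433)},
}

# One data row of `ss -lntup` (iproute2 ss, listening TCP/UDP sockets with process info).
# The header row and anything else that does not look like a socket row is skipped.
SS_LINE = re.compile(
    r"^(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+\d+\s+\d+\s+"
    r"(?P<addr>\S+):(?P<port>\d+)\s+\S+"
    r'(?:\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)[^)]*\)\))?'
)

# Constructed sample output for a host that is supposed to be a plain web server.
SAMPLE_WEB_HOST = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=811,fd=3))
tcp   LISTEN 0      511    0.0.0.0:80          0.0.0.0:*         users:(("httpd",pid=1020,fd=4))
tcp   LISTEN 0      511    [::]:443            [::]:*            users:(("httpd",pid=1020,fd=6))
tcp   LISTEN 0      128    0.0.0.0:23          0.0.0.0:*         users:(("inetd",pid=640,fd=5))
udp   UNCONN 0      0      0.0.0.0:1434        0.0.0.0:*         users:(("sqlservr",pid=1204,fd=7))
udp   UNCONN 0      0      127.0.0.1:323       0.0.0.0:*         users:(("chronyd",pid=700,fd=5))
"""


def is_loopback(addr: str) -> bool:
    """True if the bind address is 127.0.0.0/8 or ::1; '*' and wildcard binds are not loopback."""
    addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and any scope id
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def audit_listeners(ss_output: str, role: str) -> dict:
    """Compare parsed listeners against BASELINE[role].

    Returns a dict with:
      unexpected    - exposed (non-loopback) listeners not in the baseline, in input order
      missing       - baseline entries that are not listening on any non-loopback address
      loopback_only - listeners bound only to a loopback address (reported, not flagged)
    """
    allowed = BASELINE[role]
    seen = set()
    unexpected = []
    loopback_only = []
    for line in ss_output.splitlines():
        m = SS_LINE.match(line.strip())
        if not m:
            continue  # header row or a line we cannot parse
        proto, port = m["proto"], int(m["port"])
        proc = m["proc"] or "?"  # process info is absent when ss runs unprivileged
        if is_loopback(m["addr"]):
            loopback_only.append((proto, port, proc))
            continue
        seen.add((proto, port))
        if (proto, port) not in allowed:
            unexpected.append((proto, port, proc))
    return {
        "unexpected": unexpected,
        "missing": sorted(allowed - seen),
        "loopback_only": loopback_only,
    }


if __name__ == "__main__":
    report = audit_listeners(SAMPLE_WEB_HOST, "web")
    for proto, port, proc in report["unexpected"]:
        print(f"UNEXPECTED {proto}/{port} ({proc}) - not in the web baseline, disable or justify it")
    for proto, port in report["missing"]:
        print(f"MISSING    {proto}/{port} - expected by the baseline but not listening")
    for proto, port, proc in report["loopback_only"]:
        print(f"loopback   {proto}/{port} ({proc})")
```

Run it against real `ss -lntup` output (as root, so the process column is populated) from a scheduled job or a config-management post-run check, and treat any UNEXPECTED line as a build deviation to be removed rather than firewalled around; that is the difference between relying on the perimeter and actually keeping the internal build minimal. Note that the check only sees what is listening right now; a service that is installed but stopped will reappear on the next reboot, so pair it with a review of enabled services as well.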