Friday, 8 May 2009

IT Security for the non-technical user

IT Security for the non-techie.

People often ask me why we should worry about IT Security, particularly as an SME.

The simple fact is that the illegal hacking industry is now starting to target SME businesses more and more. This is because blue-chips are wising up to where their security holes are and shoring up their defences, so the next easy targets are SMEs, because they don't have the budget or the know-how: the so-called 'low-hanging fruit'.

So what can you do (other than paying people like me a lot of money)?

Well, the aim of this blog is to give you an overview of what you can do, in simple terms. Obviously you'll need some idea of how to use a computer (or you can opt for the most secure method - leave it in the box, switched off!).

Your security all comes down to what we call 'attack surface', which is just a fancy way of describing your exposure to risk (you must know by now that we techy types have to have our own language so that everyone else has no idea what we are talking about! It's the modern-day equivalent of Thieves' Cant).

In English this means the amount of exposure your IT system has to an attacker (aka hacker). IT Security is, in essence, about reducing this 'attack surface' to the smallest possible size that still allows you to do your business, and for the remaining 'attack surface' to be as secure and robust as possible.

If you think about your office building, all your doors and windows are locked and you have keys for those. You might also have CCTV and an alarm system. The same applies to your IT systems. You don't leave the door open, and you give each staff member that needs it a key. They might not get a key to the Stationery Cupboard or the Safe.

You can easily draw parallels with IT Security: your keys represent passwords, doors and windows represent ways into the network, CCTV and alarms represent monitoring software and intrusion detection systems, and spyware is the unauthorised person who has already sneaked in.

Before we move on, a warning about TLAs (Three Letter Abbreviations). For some reason the IT industry is awash with these. I've tried very hard to make sure I expand them on first use, and I'll put a glossary at the bottom as well. Nothing is more annoying to a non-techie than having no idea what WPA stands for. Unfortunately you can't avoid these in IT…

Moving away from the metaphorical world, usually there are several key points in your network you need to protect:

1. Any wireless devices you have
2. Any internet or public network facing devices you have
3. Any viruses and spyware that have already got in (you need to defend against these too)

Externally you have to worry about:

1. Your website
2. Mobile users

However, there are other attack points in your network - also known as your staff. These are usually exploited through:

1. social engineering
2. malicious use
3. stupidity

For this first article I'll look at your network security - where the weak points are and how you can easily secure them. At this point we are operating-system independent - it doesn't matter if you are a Mac, PC or Linux user (or even on a ZX Spectrum!), you'll still need to follow the same rules.

Let’s now look at each of these in turn, describe how it's usually weak and then how you can secure it.

Wireless

Wireless Technology is fantastic as it means your laptop / Mac / PDA users can sit where they want and can roam the office without having to worry about cumbersome cables. It also means you can improve the look of offices by removing ugly cables, sockets etc. You can now get wireless enabled printers, wireless access points that only require a single network cable to work and your wireless can extend to support mobiles, iPhones and PDAs.

However, this is a common access point for a hacker (just ask TK Maxx…), although it does require proximity (i.e. you need to be close to the office/warehouse/whatever to gain access). Almost all access points are shipped with no security or filtering enabled, so a common mistake is to just plug them in and, hey presto, wireless access!

I've been to countless security audits for customers to find an access point still in this configuration. What it means is that anyone can park in your car park, switch on their laptop and connect to your network. Sure, they might not be able to log into your servers at this point, but they've done the hard work already (getting into your network).

The next most common mistake is to use WEP (Wireless Encryption Protocol). This is one of the first security standards for wireless networks and it's close to useless. There is a flaw in the way it works that means anyone with the right software can crack the password given enough time - how long depends on the level of traffic on the network.

Even WPA (WEP's successor - Wi-Fi Protected Access) isn't that much better, as this can also be cracked (it takes a little longer and requires more know-how, but it's still possible).

So what can you do?

You have a few options. You can use WPA2, which is a more secure version of WPA whose password can't be cracked. For most users this is reasonable, unless you have certain types of data you need to keep really secure (e.g. credit cards).

You can also filter devices by their MAC address (each network device has a unique Media Access Code (MAC) address which you can filter by). This is like having a guest list of computers allowed in (and your wireless router is the large bloke on the door...).

The best option is to treat your wireless network the same way as internet users - i.e. as totally untrusted. That means wireless users will need to authenticate into the network somehow (e.g. via a VPN (virtual private network)), and anyone who gets onto the wireless network is no closer to hacking in than if they were plugged into the internet.

Internet Connection

You need to be connected to the internet to browse it, send/receive email and do other line of business work. So what is the risk?

To put it simply, the internet is akin to the wild west - it's full of people trying to crack into your network. This is not an exaggeration.

I've seen reports of people plugging a fresh server into the internet, without anyone knowing who or what it is, and it being attacked several hundred times within a few hours. That's without anyone knowing what's behind it!

Your public internet address may be unchanging (a.k.a. static), which means once someone knows it, it's always there. And every time you send an email you are probably giving it away (it’s usually in the email route information contained in the email headers).

So how can you be safe?

Firstly, you need to NOT connect a computer directly to the internet via internal or external modems unless you know what you are doing. You should use some kind of router/firewall (a hardware device) to do this. Technically, routers route traffic (i.e. they act like a little police person with white gloves pointing each little bit of traffic in the correct direction), and the firewall is the bouncer - only letting in traffic you want to know about.

You can get both in one box; however, these tend to have fewer features than separate boxes (we tend to decide based on the customer's size - larger customers want the added security of a separate router and firewall).

Most firewalls and/or routers support something called NAT (Native Address Translation). This is like a one-way valve that lets traffic from your network out to the internet but doesn't let it back in (unless you tell it to). Generally this makes everything a lot safer.

Secondly, if you need to publish services onto the internet you should be very careful how you do this - work on the principle of least privilege, where you only allow access from certain addresses at certain times. For instance, if you receive mail from an internet server, restrict the traffic to only come from those addresses (this will also cut out spam). Don't just allow full access to one server through the firewall - then there is no point having the firewall. This bit gets technical, so it's best getting someone who knows what they are doing for this!

Thirdly, if you have budget for it, make sure your firewall has some kind of IDP (Intrusion Detection and Prevention). This will look for suspicious activity and cut off any communication from that address regardless of innocence level or other rules.

This doesn't require massive budgets or a dedicated IT team - there are mid-range products from manufacturers such as D-Link, Linksys and ZyXEL that will do this. Publishing services (e.g. mobile email, inbound email, web servers, VPN) is a little more complex.
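To make the three firewall ideas above concrete (the NAT "one-way valve", default deny, and least-privilege publishing of a service), here is an added toy packet filter in Python. It is not code from the original post or from any of the routers mentioned; the addresses, the mail server, the relay range and the traffic sample are all constructed from the RFC 5737 documentation ranges, and the session tracking is simplified to host pairs (a real stateful firewall also tracks ports).

```python
# Added example (not from the original post): a toy packet filter showing the
# NAT "one-way valve", default deny, and least-privilege publishing of a service.
# All addresses are constructed from the RFC 5737 documentation ranges.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str        # sending address
    dst: str        # receiving address
    dport: int      # destination TCP port (25 = inbound mail, 3389 = Remote Desktop)
    inbound: bool   # True if it arrives from the internet side of the firewall


@dataclass
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"       # who is allowed to talk (CIDR); default = anyone
    dst: str = "0.0.0.0/0"       # which internal host; default = any
    dport: Optional[int] = None  # which port; None = any port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


class Firewall:
    def __init__(self, publish_rules: List[Rule]):
        self.rules = list(publish_rules)
        # Conversations started from inside, simplified to (internal, external)
        # host pairs; a real stateful firewall also tracks the ports involved.
        self.sessions: Set[Tuple[str, str]] = set()

    def handle(self, p: Packet) -> str:
        if not p.inbound:
            # Outbound traffic is let out and remembered so that the reply can
            # come back in: this is the "one-way valve" behaviour of NAT.
            self.sessions.add((p.src, p.dst))
            return "allow"
        if (p.dst, p.src) in self.sessions:
            return "allow"            # a reply to something we started
        for rule in self.rules:       # unsolicited inbound: only published services
            if rule.matches(p):
                return rule.action
        return "deny"                 # nothing matched: default deny


def evaluate(publish_rules: List[Rule], packets: List[Packet]) -> List[str]:
    """Run a sequence of packets through a fresh firewall and return the verdicts."""
    fw = Firewall(publish_rules)
    return [fw.handle(p) for p in packets]


MAIL_SERVER = "10.0.0.10"   # constructed: the office mail server

# "Just allow full access to one server" - the mistake the post warns about.
CARELESS_RULES = [Rule("allow", dst=MAIL_SERVER + "/32")]

# Least privilege: only the upstream mail relay's range, and only port 25.
CAREFUL_RULES = [Rule("allow", src="203.0.113.0/24", dst=MAIL_SERVER + "/32", dport=25)]

# Constructed traffic sample, in order.
SAMPLE_TRAFFIC = [
    Packet(MAIL_SERVER, "198.51.100.77", 443, inbound=False),   # server fetches a web page
    Packet("198.51.100.77", MAIL_SERVER, 51000, inbound=True),  # the web page comes back
    Packet("203.0.113.5", MAIL_SERVER, 25, inbound=True),       # mail relay delivers mail
    Packet("198.51.100.200", MAIL_SERVER, 25, inbound=True),    # unknown host pushing mail (spam)
    Packet("198.51.100.200", MAIL_SERVER, 3389, inbound=True),  # unknown host trying Remote Desktop
]

if __name__ == "__main__":
    for name, rules in (("careless", CARELESS_RULES), ("careful", CAREFUL_RULES)):
        print(name, evaluate(rules, SAMPLE_TRAFFIC))
```

With the careless rule every inbound packet to the server is let through, including the spam and the Remote Desktop attempt; with the least-privilege rule only the relay's mail gets in, while the server's own outbound browsing still works because the firewall remembers the conversation it started.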

You probably want home workers to be able to dial in - so how do you do this securely? Well, you need them to use a Virtual Private Network, which is fairly secure. Again, if you have the budget, use two-factor authentication (e.g. a password and a token - a key fob that gives you a number (also called a one-time password (OTP)) every 60 seconds).

This is the same principle behind chip and pin (something you know, something you have), with the something you know being your PIN number and the something you have being the token (or credit card).
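The "something you know, something you have" check above, as an added Python example that is not from the original post (commercial key fobs may use their own algorithm; this uses the open standards HOTP, RFC 4226, and TOTP, RFC 6238, which most software tokens implement). The 60-second step matches the fob described above; the secret, the salt and the password are constructed for the demonstration, and the server side also refuses to accept the same code twice, which is what makes it one-time.

```python
# Added example (not the post's own, nor any token vendor's algorithm): the
# standards-based one-time password (HOTP, RFC 4226 / TOTP, RFC 6238) plus a
# login that demands both a password and the token's current code.
import hashlib
import hmac
import struct
from typing import Callable


def hotp(secret: bytes, counter: int, digits: int = 6,
         algo: Callable = hashlib.sha1) -> str:
    """RFC 4226: HMAC over the counter, dynamic truncation, then decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6,
         algo: Callable = hashlib.sha1) -> str:
    """RFC 6238: HOTP where the counter is the number of time steps since the epoch."""
    return hotp(secret, int(at_time) // step, digits, algo)


class OtpVerifier:
    """Server side of the token: accepts a code from the current step (plus a
    small window for clock drift) and never accepts the same step twice."""

    def __init__(self, secret: bytes, step: int = 60, window: int = 1):
        self.secret, self.step, self.window = secret, step, window
        self.last_counter = -1   # highest step already used: this makes the code one-time

    def verify(self, code: str, at_time: float) -> bool:
        now = int(at_time) // self.step
        for counter in range(now - self.window, now + self.window + 1):
            if counter > self.last_counter and hmac.compare_digest(
                    hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


class TwoFactorLogin:
    """Password check (salted PBKDF2) AND token check; both must pass."""

    def __init__(self, password: str, token_secret: bytes, step: int = 60):
        self.salt = b"constructed-salt"   # constructed; use os.urandom(16) per user in practice
        self.pw_hash = self._hash(password)
        self.token = OtpVerifier(token_secret, step=step)

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def login(self, password: str, code: str, at_time: float) -> bool:
        pw_ok = hmac.compare_digest(self._hash(password), self.pw_hash)
        # Both factors are always evaluated, so a rejection does not reveal which failed.
        otp_ok = self.token.verify(code, at_time)
        return pw_ok and otp_ok


if __name__ == "__main__":
    import time
    secret = b"12345678901234567890"       # the RFC test-vector secret, used here as a demo value
    account = TwoFactorLogin("correct horse", secret)
    now = time.time()
    code = totp(secret, now, step=60)       # what the key fob would be showing right now
    print("first use:", account.login("correct horse", code, now))   # True
    print("replayed :", account.login("correct horse", code, now))   # False
```

A stolen password alone fails because the code is missing, and a code copied from someone's screen fails a minute later (and immediately, once it has been used), which is the whole point of the second factor.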

Don't give each user the same username and password, make sure the password is complex (see more below on this) and make them change it regularly!

DO NOT expose services such as VNC (Virtual Network Client - a 'freeware' remote access tool), Remote Desktop, PC Anywhere or telnet if you can possibly avoid it - some of these only require a single password to gain access to the computer. It might be convenient for you to use VNC to connect to your office server from home, but it's really insecure.

A quick word about desktop or software firewalls - these do have a use, which is to block access from inside the network; however, they aren't best at defending against internet-facing attacks - a hardware firewall does a much better job. Also, software firewalls can fail (unusual, but possible) or be disabled by users (more on this in the next issue!).

Passwords

People often talk about having a 'strong password policy' but a lot of people have no idea what this means.

Complex passwords need to be long (at least 7/8 characters), not dictionary words ('password' is not a good password...) and also contain uppercase letters, symbols or numbers - ideally all of the above.

Complex passwords are simple if you educate the users in how to create them. I usually offer two methods - character replacements and acronyms.

Character Replacement is where you take a memorable word or two (at least seven characters) and replace a few letters with symbols. E.g. 'software' becomes 's0ftw@re'. You can combine words for this approach.

Acronyms are where you take a favourite movie, song track or whatever and encode it somehow. For instance, if your favourite single is Stronger by Britney Spears then you can have a password of O!idia.2 (for Oops! I did it again track 2 - which just happens to be Stronger for the non-Britney fans out there).
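The password rules above (length, not a dictionary word, a mix of character types) as an added Python checker, not code from the original post. The word list is a constructed stand-in for a real dictionary or breached-password list. In its optional strict mode it also undoes the common character replacements (0 for o, @ for a, and so on) before the dictionary lookup, because password-cracking tools try exactly those swaps, so 's0ftw@re' passes the rules as written but is flagged in strict mode, whereas the acronym method's 'O!idia.2' passes both.

```python
# Added example (not from the original post): a checker for the password rules
# described above. COMMON_WORDS is a constructed mini dictionary.
import string
from typing import Dict, List

# Constructed mini dictionary; a real deployment loads a full word list.
COMMON_WORDS = {"password", "software", "welcome", "letmein", "qwerty", "monkey", "dragon"}

# Popular letter-for-symbol swaps, mapped back to the letter they stand for.
UNDO_SWAPS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                            "7": "t", "@": "a", "$": "s", "!": "i"})


def character_classes(pw: str) -> Dict[str, bool]:
    """Which of the four character types the password contains."""
    return {
        "upper": any(c.isupper() for c in pw),
        "lower": any(c.islower() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(not c.isalnum() for c in pw),
    }


def check_password(pw: str, min_length: int = 8, min_classes: int = 3,
                   strict: bool = False) -> List[str]:
    """Return a list of problems; an empty list means the password passes."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"too short (need at least {min_length} characters)")
    if sum(character_classes(pw).values()) < min_classes:
        problems.append("needs more variety: mix upper, lower, digits and symbols")
    lowered = pw.lower()
    if lowered in COMMON_WORDS:
        problems.append("is a dictionary word")
    elif strict:
        # Undo the usual swaps and drop trailing digits/punctuation before looking it up.
        undone = lowered.translate(UNDO_SWAPS).strip(string.punctuation + string.digits)
        if undone in COMMON_WORDS:
            problems.append("is a dictionary word with simple character swaps")
    return problems


def is_acceptable(pw: str, **kwargs) -> bool:
    """True when check_password finds nothing wrong."""
    return not check_password(pw, **kwargs)


if __name__ == "__main__":
    for candidate in ["password", "s0ftw@re", "O!idia.2"]:
        print(f"{candidate!r}: {check_password(candidate, strict=True) or 'OK'}")
```

Run it and 'password' fails twice (no variety, dictionary word), 's0ftw@re' is clean under the basic rules but flagged under strict, and 'O!idia.2' is clean under both.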

Glossary

For all the people terrified of TLAs - here's a list again with some more detail:

IDP - Intrusion Detection and Prevention - the ability of a firewall to pick up dodgy-looking traffic and stop it. Comes in various forms, some of which look inside the network protocol to see what is going on and prevent unauthorised commands.

NAT - Native Address Translation - a technology that lets lots of private computers share one public address and also acts as a valve - requests can go out for data, but requests can't come in.

OTP - One-Time Password - a generated password that is only valid once, and for a certain time period.

RSA - A company name and also Random Sequential Algorithm - the technology that generates OTPs.

TLA - Three Letter Abbreviation - one of these!

VNC - Virtual Network Client - a freeware tool to control your PC from another location.

VPN - Virtual Private Network - a 'secret tunnel' between your office and another computer/office.

WPA - Wi-Fi Protected Access - a security model for making wireless networks secure. Version 2 is the best at the moment.

WEP - Wireless Encryption Protocol - an old security model for making wireless networks secure that is flawed.

For the next article I'll be discussing making your website secure, and then what you can do to make your users secure!

Regards,

Russell.