Cyber Warfare


In these days of all-out combat in Afghanistan, terrorist attacks in New
York and Anthrax in Washington, it's easy to lose one's perspective. I know
I've become addicted to checking the major news web sites several times a
day. I now listen to the news radio stations on the way to and from work
instead of my normal rock and roll station. It seems like something might
happen at any moment, and I want to know immediately.

Something that has seemed to be mentioned in every IT-related publication
for the last year or so is the possibility of cyber warfare. This is the
concept of attacking a country through its information systems (specifically
the internet).

Since the attacks I've seen the number of articles go from a few per week to
dozens per day. Warnings about security risks seem to be popping up all over
the place. It is important that these warnings be taken seriously - it's time
to wake up, folks, and get your systems locked down.

What could be attacked? Just about every company has an internet connection
these days. Many of those companies do not have good security, as is proven
by the recent Nimda and Code Red outbreaks, as well as numerous penetrations
by hackers.

If you are an IT manager you probably need to ask yourself some important
questions to be prepared for the possibility of attack. In fact, it is your
patriotic duty to be sure your systems are safe and secure. To do otherwise
not only puts your company in danger, it actually threatens, even in a small
way, the security of your country.

Does your organization really need to be attached to the internet at all? -
This is the first question to ask yourself. I know it seems like every
workstation at every company must be attached to the internet, but is it
really necessary? Does it add to the company bottom line? For many companies,
the answer is yes, for others no.

Is the information that you provide to the internet community appropriate? -
This question has come up on a large number of government and utility sites.
Is it really necessary, for example, to include a map of a power plant? I
know this might seem useful to, say, schools for educational purposes, but
it may also be even more useful to terrorists and other evil-doers.

Is your backup and archive strategy sound? - The most important single task
that you perform is backups. Do them regularly and check the data
occasionally.

Are your password policies good enough? - The weakest link in most security
schemes is the user and his or her passwords. If your management will allow
it, make sure your users have long, complex passwords which they change
regularly. Enforce best practices with their passwords.

Is your front line security adequate? - Have you got firewalls installed?
Regardless of whether you've got a home computer or a hundred million dollar
complex, you'd better install a firewall if you have not done so already. A
hardware firewall is the best solution, but a software one will do for a
home system if money is tight.

Have you defined a DMZ? - If you manage a network for a company, you should
reexamine your firewall strategy to ensure that you have a proper DMZ. What
is a DMZ? To simplify it a bit, it's a way to protect your application
servers even if your web servers are compromised. You keep your core
application systems behind a firewall. On the outside of that firewall you
place your web servers. Then, to protect the web servers, you put another
firewall between them and the internet.
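
The layout described above can be checked mechanically. The following is an
added example, not part of the original article: a small Python model that
compares a flat network with the two-firewall DMZ. The zone names, the port
list and the application port 8009 are constructed assumptions.

```python
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    src: str              # source zone
    dst: str              # destination zone
    port: Optional[int]   # None means any port
    action: str           # "allow" or "deny"

def decide(rules, src, dst, port):
    """First matching rule wins; anything unmatched is denied."""
    for r in rules:
        if r.src == src and r.dst == dst and r.port in (None, port):
            return r.action
    return "deny"

PROBE_PORTS = (22, 80, 443, 1433, 3389, 8009)  # constructed sample of service ports

def exposed(rules, src, dst):
    """Ports from the probe list that src can open on dst."""
    if src == dst:                       # same segment: no firewall in the path
        return list(PROBE_PORTS)
    return [p for p in PROBE_PORTS if decide(rules, src, dst, p) == "allow"]

def audit(rules, web_zone, app_port):
    """Check the two properties a DMZ is meant to give."""
    findings = []
    if exposed(rules, "internet", "internal"):
        findings.append("internet can reach the internal network directly")
    extra = [p for p in exposed(rules, web_zone, "internal") if p != app_port]
    if extra:
        findings.append(f"compromised web server reaches internal ports {extra}")
    return findings

# Constructed rule sets: one firewall with web servers on the internal network,
# versus web servers in a DMZ between an outer and an inner firewall.
FLAT = [Rule("internet", "internal", 80, "allow"),
        Rule("internet", "internal", 443, "allow")]
DMZ = [Rule("internet", "dmz", 80, "allow"),      # outer firewall
       Rule("internet", "dmz", 443, "allow"),
       Rule("dmz", "internal", 8009, "allow")]    # inner firewall: one app port only

if __name__ == "__main__":
    print("flat:", audit(FLAT, web_zone="internal", app_port=8009))
    print("dmz: ", audit(DMZ, web_zone="dmz", app_port=8009))
```

The flat layout fails both checks, while the DMZ layout leaves a compromised
web server with only the single application port on the inner network.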

Is your virus protection adequate? - If you haven't installed antivirus
software by this time, shame on you. It does not matter whether you run a
network of ten thousand computers or a cheap home system, you'd better have
this basic application not only installed, but regularly updating.

Is your system patched properly? - All vendors release software with bugs.
It is the responsibility of all system managers to periodically review
operating system and applications patches and releases and update them as
needed. Remember, even the Apache web server is ridiculously insecure if not
properly patched.

Are you educated on security? - If you haven't already, look around and find
some books, classes or information about security. Become educated as fast
as you can. Once you understand security, then propose, plan and implement
what you have learned.

Do you perform background checks on IT related positions? - All new hires
into IT should have thorough background checks before they are hired. You
should also check the backgrounds of all of your IT consultants. It's best
to know who you are hiring before you hire.

Is your user community educated about security? - Perhaps one of the best
tasks you can perform is to educate your users on good security practices.
Emphasize the reasons why security is important and how it protects your
users. I usually stress that security penetrations are a direct threat to
their employment. Spend some time explaining and demonstrating how social
engineering works - this is the number one way break-ins occur.

Do you have a working disaster plan? - To be perfectly prepared, ensure that
you have a working, tested, debugged disaster plan ready at all times. That
way if for some reason your primary systems are rendered useless you can
still have a running company.

Is your security plan confidential? - The less information you have
available to evil-doers the better. Keep any information about how your
systems are secured confidential - treat it on a need-to-know basis.

Remember this important fact. As of September 11th the United States and all
of the free nations are in a war. And when your country is in a state of war
you had better be prepared to be attacked. It's the only sane thing to do.

About the Author

Richard Lowe Jr. is the webmaster of Internet Tips And Secrets
at http://www.internet-tips.net - Visit our website any time to
read over 1,000 complete FREE articles about how to improve your
internet profits, enjoyment and knowledge.