Donald Pipkin's Security Tips for the Week of December 2nd
Web Security Tip for Friday, December 6th, 2002
Report Internet Utilization to Reduce Abuse
Most employees who are misusing systems will stop this behavior if they are aware that their misuse is known. Regular reporting of resource utilization can be an effective means to this end. When users regularly receive usage reports, they are less likely to be doing something wrong, since they know that someone is aware of what they are doing. These reports can contain a list of websites the employee has visited and the amount of bandwidth utilized or megabytes downloaded, or how many e-mails were sent to whom. (This information is available in the web-proxy and e-mail logs.) This information can be used as a reminder of what is appropriate work-related behavior.
Security Tip for Thursday, December 5th, 2002
Use Out-of-Band Management Channels
Wherever possible, use out-of-band management channels. A separate network for all administrative communications adds slightly to costs, an additional network interface in each system and some more network cable, but it can dramatically reduce the risk of misuse. It is easy to control access to an isolated administrative network, it reduces the concern that management protocols (e.g. SNMP) will be monitored or misused, and it removes the management and monitoring traffic from the production networks.
Security Tip for Wednesday, December 4th, 2002
Add Security Monitoring to your NOC
If you have a network operations center, or even just a network management system, it should be augmented to monitor security events. Most popular network management systems have add-on products or third-party plug-ins that enable the management console to receive and display security events. This provides a centralized location from which to monitor and respond to security events. Intrusion detection systems, both host-based and network-based, should forward alerts to the NOC. If you run regular security scanners to check compliance, the errors and alerts from these systems should also be routed to the NOC.
Security Tip for Tuesday, December 3rd, 2002
Expand Your Lunch Circle
In the case of a security incident, there are a number of people you will be dealing with. These include people from the human resources department, the legal department, the corporate security division and law enforcement, to name a few. It is very valuable to find out who you will be working with and to get to know them before there is an incident. Take them out to lunch and find out their view of how a post-incident process should work. Determine what information will be valuable to them; when they want to be brought into the incident; and how they want to be involved with the management of the incident. This will streamline the recovery process and lead to a more effective response. It will also expand your circle of professional contacts.
Security Tip for Monday, December 2nd, 2002
Audit the Root User Account
Most administrators do not enable auditing because they believe it produces too much information to process and provides little help when there is an incident. However, auditing can be invaluable when it comes to the root account. Without auditing, Unix systems make no distinction between the different users who have used the "su" (switch users) command to get root privileges. Auditing provides an audit ID which does not change when a user runs "su", so the user's actions are always attributable to the actual person. If you limit your audit events to only those performed by the root user, the amount of audit data is considerably reduced.
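The attribution described above, as an added example that is not from the column: a Python filter over constructed audit records in Linux auditd's SYSCALL format (an assumption; 2002-era Unix audit trails lay fields out differently but carry the same unchanging audit ID, shown here as auid). It keeps only events run with root privilege and groups them by the login user who acquired that privilege, which is both the attribution and the data reduction the tip recommends.

```python
import re
from collections import defaultdict

# Constructed sample records in Linux auditd SYSCALL format (not from the column).
# auid is the login (audit) user ID, which survives "su"; uid/euid are the
# identities in effect after the switch. Real records carry more fields.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1038787200.101:101): arch=c000003e syscall=59 success=yes exit=0 auid=1001 uid=0 euid=0 tty=pts0 ses=3 comm="useradd" exe="/usr/sbin/useradd" key="root-cmd"
type=SYSCALL msg=audit(1038787201.102:102): arch=c000003e syscall=59 success=yes exit=0 auid=1001 uid=1001 euid=1001 tty=pts0 ses=3 comm="ls" exe="/bin/ls" key=(null)
type=SYSCALL msg=audit(1038787202.103:103): arch=c000003e syscall=2 success=yes exit=3 auid=1002 uid=0 euid=0 tty=pts1 ses=4 comm="vi" exe="/usr/bin/vi" key="root-cmd"
type=SYSCALL msg=audit(1038787203.104:104): arch=c000003e syscall=59 success=no exit=-13 auid=1002 uid=1002 euid=1002 tty=pts1 ses=4 comm="cat" exe="/bin/cat" key=(null)
type=SYSCALL msg=audit(1038787204.105:105): arch=c000003e syscall=59 success=yes exit=0 auid=4294967295 uid=0 euid=0 tty=(none) ses=4294967295 comm="cron" exe="/usr/sbin/cron" key="root-cmd"
"""

# key=value pairs; values are either double-quoted strings or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# auditd writes this value when no login session set the audit ID (daemons, boot).
UNSET_AUID = "4294967295"


def parse_record(line):
    """Turn one 'key=value ...' audit line into a dict with quotes stripped."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def root_actions_by_login_user(log_text):
    """Keep only events executed with root privilege (euid=0) and attribute each
    to the login user (auid) who obtained it, e.g. via su.  Returns
    {auid: [command, ...]}.  Events with no login session are kept under a
    separate label so daemon activity stays visible but is not confused with a
    person."""
    actions = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("euid") != "0":
            continue  # non-root events are dropped: this is the volume reduction
        auid = rec.get("auid", "?")
        who = "no-login-session" if auid == UNSET_AUID else auid
        actions[who].append(rec.get("comm", "?"))
    return dict(actions)


if __name__ == "__main__":
    for who, commands in root_actions_by_login_user(SAMPLE_AUDIT_LOG).items():
        print(f"login user {who} ran as root: {', '.join(commands)}")
```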