Donald Pipkin's Security Tips for the Week of December 16th
Security Tip for Friday, December 20th, 2002: Two-Factor Authentication
Implement two-factor authentication for users with privileges and for access from untrusted networks. Two-factor authentication requires additional equipment for each user or at each access point. This can be a biometric device, like a fingerprint reader, or a smart card that contains encrypted credentials. As the additional costs of two-factor authentication may make it unattractive to deploy for all users, two-factor can be limited to those "high risk" areas. Access from an untrusted network, such as the Internet or a wireless network, should use a two-factor virtual private network, and users who have special privileges, such as system administrators or database administrators, should be required to use a two-factor access method. This can dramatically reduce the number of two-factor devices needed and supply added security where it is necessary.
Security Tip for Thursday, December 19th, 2002: Run Security Scans
Security scanners should be run regularly to ensure that your systems remain in compliance with security policies. Continual evaluations provide checkpoints indicating when changes are made that weaken the security of a system. There are a large number of security scanners available. Many are free. Some are purchasable products; others are only available as part of a security monitoring service. Whether you choose a service or do it yourself, you want a scanner that is specific to your system. Generic scanners will scan for common issues and may not have vendor-specific tests. Changes in the security configuration of the system must be investigated and accounted for. The results of these scans should be consolidated into a security management system. This can be part of your network operations.
Security Tip for Wednesday, December 18th, 2002: Install Appropriate Use Banners
Every interactive connection to a system should present an appropriate use banner and require an active confirmation of acceptance before the session begins. The acceptance of appropriate use has become central to the ability to prosecute both employees who abuse their privileges and outsiders who access systems without authorization. The appropriate use notification needs to include an active acceptance, which requires the user to click on the "accept" button or type "accept" before being able to use the system or access information.
Security Tip for Tuesday, December 17th, 2002: Reduce Information Leakage
Many services provide unnecessary information about the type of hardware on which they are running, the operating system version and patch level, and the revision of the software providing the service. Much of the software that provides these services has the ability to limit the information provided, or lets you configure what information is disclosed. The telnet daemon allows you to disable the banner message, and sendmail allows you to specify what information is displayed in its greeting banner. Recent versions of the Apache web server allow you to specifically define the banner message. The default information provided by these services can be used to profile the system to determine the most effective attack scenario. Check your system manuals to determine the specific options for limiting this information leakage. Setting these services so that they do not disclose any information can reduce the odds of being compromised, and if your company policy allows for it, these banners can also be used to supply misinformation.
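As an added example (not part of the original tip), the following script audits the two banner settings named above, Apache's ServerTokens/ServerSignature directives and sendmail's confSMTP_LOGIN_MSG greeting, against constructed configuration fragments showing the permissive default beside the hardened form. The config fragments are constructed samples, not taken from any real system, and the script assumes the stock httpd and sendmail defaults that apply when a directive is absent.

```python
"""Audit service banner settings for version disclosure (constructed inputs)."""
import re

# Constructed httpd.conf fragments, not from any real system: the permissive
# default beside the hardened form.
WEAK_HTTPD_CONF = """\
ServerTokens Full
ServerSignature On
"""
HARDENED_HTTPD_CONF = """\
ServerTokens Prod
ServerSignature Off
"""

# Constructed sendmail.mc lines: the stock greeting embeds the sendmail and
# config versions ($v/$Z); the hardened one shows only the hostname ($j).
WEAK_SENDMAIL_MC = "define(`confSMTP_LOGIN_MSG', `$j Sendmail $v/$Z; $b')dnl"
HARDENED_SENDMAIL_MC = "define(`confSMTP_LOGIN_MSG', `$j')dnl"

APACHE_DIRECTIVE_RE = re.compile(r"^\s*(ServerTokens|ServerSignature)\s+(\S+)", re.I | re.M)
SENDMAIL_GREETING_RE = re.compile(r"confSMTP_LOGIN_MSG'\s*,\s*`([^']*)'")


def audit_apache_banner(conf: str) -> list:
    """Return findings for an httpd.conf fragment; [] means no version leakage.
    When a directive is absent, httpd's own defaults apply (ServerTokens Full,
    ServerSignature Off), so a missing ServerTokens is itself a finding.
    If a directive is repeated, the last occurrence wins, as in httpd."""
    found = {m.group(1).lower(): m.group(2) for m in APACHE_DIRECTIVE_RE.finditer(conf)}
    findings = []
    tokens = found.get("servertokens", "Full")
    if not tokens.lower().startswith("prod"):  # Prod / ProductOnly sends just "Apache"
        findings.append(f"ServerTokens {tokens}: Server header reveals version/OS/modules; use Prod")
    if found.get("serversignature", "Off").lower() != "off":
        findings.append("ServerSignature On: error pages carry a version footer; use Off")
    return findings


def audit_sendmail_greeting(mc: str) -> list:
    """Return findings for a sendmail.mc fragment; [] means the greeting is clean."""
    m = SENDMAIL_GREETING_RE.search(mc)
    greeting = m.group(1) if m else "$j Sendmail $v/$Z; $b"  # stock default when unset
    leaked = [macro for macro in ("$v", "$Z") if macro in greeting]
    return [f"SMTP greeting '{greeting}' discloses {' and '.join(leaked)}"] if leaked else []
```

Run the two audit functions over your own httpd.conf and sendmail.mc contents; an empty list means the service announces only the product (or hostname), nothing about versions or platform.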
Security Tip for Monday, December 16th, 2002: Disable PAN Services When Not in Use
Personal area networks are networks that connect devices that are in immediate proximity. They can be implemented with wires or with wireless technologies, such as infrared, Bluetooth, and Wi-Fi. Generally, PANs are used to connect systems to peripherals, such as printers, or to transfer information between PDAs, phones, laptops and other devices. When these devices are on, they will generally connect with any PAN-enabled device that they are able to locate. With today's wireless technology, these PANs can reach across a crowded room and into the next. With the widespread use of PDAs and cell phones that support wireless PANs, it is easy to detect systems that are looking for a partner to connect with. You should disable automatic connections, such as ActiveSync, and only run the connection software when you are actively attempting to connect systems.