Solving Common IT Security Problems

An Internet.com Security eBook

Contents

This content was adapted from Internet.com's eSecurity Planet and Enterprise IT Planet Web sites. Contributors: David Strom, Michael Horowitz, Sonny Discini.

What to Do When a Laptop is Stolen (page 2)
PC Security Tips for Corporate Executives (page 4)
The 20 Most Effective Controls to Protect Your Enterprise (page 8)
Seven Simple Wireless Security Tips (page 10)
Five Advanced Wi-Fi Network Security Tips (page 12)

What to Do When a Laptop is Stolen


By David Strom

I had my laptop stolen once, about five years ago, from the trunk of a locked car parked at a shopping mall. You never forget that experience of being violated, of being stupid. (And it seems to be getting more common, according to a story in the LA Times about thieves who follow customers home from Apple Stores.) So what can users do to be more proactive, given the number of laptops that go missing every month? One way is to use one of a growing number of recovery software tools that automatically phone home (in the Internet sense of the word) and help you and the authorities, should they be interested, track it down. Think of what LoJack does for locating cars, with the added information that an Internet connection can bring (indeed, the company is one that offers a laptop tool).

While it sounds like a great idea, there are several issues with using these tools. First, most of them are designed for individuals, not corporations. Absolute Software's Computrace has an enterprise version called Complete in its LoJack for Laptops line, which offers asset tracking and remote hard disk destruction tools that aren't found in the individual product. zTrace Technologies' zTrace Gold, MyLaptopGPS for Windows, and Brigadoon's PC/Mac PhoneHome products all offer quantity pricing for business customers, but not much else in terms of added features over their individual versions.

Turn the Tables


A second alternative is to look at central monitoring and image automation tools, such as Symantec's Altiris and Kaseya, that can be used in a stolen-laptop situation. Greg Hemig, a Sacramento Kaseya VAR, did exactly that and was able to recover two independently stolen laptops by using the remote control features. "I was able to find out not just an IP address, which is what a typical anti-theft product like LoJack would provide, but an actual physical address, the names of the user's girlfriend and family, how to access their bank accounts, and even turn on the microphone on the laptop and listen to what they were saying while they were typing," says Hemig. Scary stuff, but within two weeks of contacting law enforcement, he was able to return both machines to their original owners.

OS-Based Options
Third, the versions that are offered differ in features between Mac and Windows, with the Mac (if it is supported at all) usually being the poor cousin. If you have a mixed network, this could be a determining factor in which product you end up deploying. Taking Computrace as an example again, the Mac version doesn't include the special embedded BIOS agent that comes with the Windows product.

Solving Common IT Security Problems, an Internet.com Security eBook. 2010, Internet.com, a division of QuinStreet, Inc.

Phoenix Technologies offers something similar for its OEM BIOS customers called FailSafe, but not for the general public. And GadgetTrak has software for both Mac and Windows, but prices them differently.

Well-Rounded
Next, these tools are just part of an overall laptop security solution that should also include disk encryption and password-protecting the boot drive. If these tools live on the hard disk and you haven't enabled a firmware or disk password, any intelligent thief can just reformat your hard drive and remove this protection, or simply remove the hard drive itself. So it makes sense to start by putting password protection on all of your machines as the first line of defense. Disk encryption is especially important if you need to protect confidential corporate or business data, not to mention personal data such as bank account passwords.

That brings me to my last point: Do you really need a vendor-operated central monitoring station, or can you set up your own central place where alerts can be sent? GadgetTrak, Orbicule's Undercover for Macs and iPhones, Prey (for Mac, Windows, and Linux), and PC/Mac PhoneHome are all tools that don't make use of any central monitoring station. Instead, the software sends info to your e-mail (and for GadgetTrak, to Flickr) accounts directly. With some of these products, upon booting they look for the presence or absence of a special URL that indicates the laptop has been stolen. If so, they send information such as the current IP address, a snapshot from a Webcam, screenshots, and other details to your e-mail address. One user of Undercover had his laptop stolen about two years ago, also from his car. (Have you realized never to leave a laptop in a vehicle now?) "Within a few days, we had screenshots and camera images of the thief, and working with local authorities, we were able to recover the laptop within a week," said Lenny, a friend of mine who has run several major corporations and is a big fan of their software.

While options vary depending on need, OS, and budget, the ideal approach to protecting laptops is to cover your bases: use password protection and disk encryption, employ a collection of tools, including a monitoring product with a corresponding tracking piece on each laptop, and remind users never to leave a laptop in a car.
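The boot-time check described above, as an added example (it is not code from GadgetTrak, Undercover, Prey or PhoneHome): the agent fetches an owner-controlled marker URL and mails a short report only when the marker is present. The marker URL, the token inside it, the owner's address and the SMTP relay are assumed placeholders; the fetcher and sender are injectable so the decision logic runs offline.

```python
import json
import platform
import smtplib
import socket
import time
import urllib.error
import urllib.request
from email.message import EmailMessage
from typing import Callable, Optional, Tuple

# All four values are assumptions for this example: substitute your own.
MARKER_BASE = "https://example.invalid/stolen/"   # owner creates <base>/<hostname> after a theft
MARKER_TOKEN = "constructed-token-change-me"      # expected body of the marker document
OWNER_EMAIL = "owner@example.invalid"
SMTP_RELAY = ("smtp.example.invalid", 587)


def marker_url(hostname: str) -> str:
    return MARKER_BASE + hostname.lower()


def fetch_marker(url: str, timeout: float = 10.0) -> Tuple[int, str]:
    """Real fetcher: returns (HTTP status, body). A 404 is the normal 'not stolen' answer."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(256).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""


def is_flagged(hostname: str, fetch: Callable[[str], Tuple[int, str]]) -> Optional[bool]:
    """True if the marker is present, False if it is absent, None if we cannot tell.

    Two deliberate choices: a network failure is NOT treated as 'stolen' (the check
    runs at every boot, and false alarms from an offline laptop would train the owner
    to ignore reports), and a 200 alone is not enough, because a hotel or cafe captive
    portal answers 200 with its login page to any URL, so the body must carry the token.
    """
    try:
        status, body = fetch(marker_url(hostname))
    except OSError:
        return None
    if status == 404:
        return False
    if status == 200 and body.strip() == MARKER_TOKEN:
        return True
    return None  # portal page, 5xx, redirect target: inconclusive, try again next boot


def local_addresses(hostname: str) -> list:
    """Addresses the OS resolves for our own hostname; the public IP is better taken
    from the mail headers or the marker server's access log."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(hostname, None)})
    except socket.gaierror:
        return []


def build_report(hostname: str, addresses, now: Optional[float] = None) -> dict:
    stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now))
    return {"hostname": hostname, "os": platform.platform(),
            "addresses": list(addresses), "checked_at": stamp}


def send_report(report: dict) -> None:
    """Real sender: mail the report to the owner through the assumed SMTP relay."""
    msg = EmailMessage()
    msg["Subject"] = "[stolen-laptop] report from " + report["hostname"]
    msg["From"] = msg["To"] = OWNER_EMAIL
    msg.set_content(json.dumps(report, indent=2))
    with smtplib.SMTP(*SMTP_RELAY) as smtp:
        smtp.starttls()
        smtp.send_message(msg)


def check_and_report(hostname: str, fetch, send, addresses) -> Optional[dict]:
    """Run one check; returns the report that was sent, or None if nothing was sent."""
    if is_flagged(hostname, fetch) is not True:
        return None
    report = build_report(hostname, addresses)
    send(report)
    return report


if __name__ == "__main__":  # schedule at login/boot; it is a no-op until the marker exists
    host = socket.gethostname()
    check_and_report(host, fetch_marker, send_report, local_addresses(host))
```

As the article notes, an agent like this lives on the disk, so it only helps if a firmware or disk password keeps the thief from simply wiping the drive first.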

PC Security Tips for Corporate Executives


By Michael Horowitz

The recent attacks against Google and other companies highlighted spear phishing attacks. The term refers to scam e-mail messages designed to trick the recipient into infecting his or her own computer with malicious software (malware). The end result of the phony yarn, spun in the body of an e-mail message, is that the duped user visits an infected Web page, opens a maliciously crafted document, or runs a malicious program. Unlike regular phishing e-mails that are blasted out to millions, spear phishing, as the name implies, is specifically targeted. Anyone who works with secrets that the bad guys want may be sent an e-mail message targeted specifically at them. The message will appear to come from someone they know, and the topic will be something that the sender would normally discuss. Everything about the message is fraudulent, including the From address. The fraud is successful, in part, because people trust the From address of an e-mail message. No one should; forging the From address is child's play. But since the From address is correct 99 percent of the time and many don't know that it is easily forged, this gets the spear phishing message in the door, so to speak.

As I recently wrote, the most important aspect of Defensive Computing is skepticism. Corporate executives may be skeptical when dealing with people, but lack awareness of common online scams. Just a few days ago, Roger Thompson of AVG described the hacking of the Oklahoma Tax Commission Web site. To be infected, the end user simply had to agree to an Adobe license agreement. The agreement looked legit, but it was from bad guys rather than Adobe, and agreeing to it installed malware. Here I assume we are configuring a computer for someone with access to corporate secrets, someone whose lack of technical know-how makes them an easy target for online scammers. What steps can we take to protect this person from themselves?

Restricted Users
Running as a limited (a.k.a., restricted or standard) user is job one. For the sake of backward compatibility Windows users, by default, run as Administrators, which lets them change anything, anytime, anywhere. Despite this default behavior, Microsoft recommends, and all techies agree, that people are safer running as limited users.

Windows Vista and Windows 7 users may feel that UAC protects them, even when logged on as an administrator. It does not. I've been testing life as a restricted user for a while on both Windows XP and Windows 7. It works better on Windows 7; XP has a number of quirks in the implementation. But regardless of any quirks, this is perhaps the biggest weapon in the Defensive Computing software arsenal. Barring severe bugs in Windows, it should prevent the installation of any software (assuming the bigshot is not given an Administrator password). If, for whatever reason, running as a limited user is not an option, Windows XP users can still get most of the protection it offers with the free DropMyRights program. This Microsoft program is used to front-end another program and drop its rights. For example, an Administrator-class user can click on an icon for Adobe Reader, which actually runs DropMyRights. It, in turn, runs Adobe Reader, but only after dropping the rights down to those of a limited user. Thus, if an infected PDF file tries to install software, it fails. Running as a limited user, however, does not prevent malicious software from running, just from running out of certain folders (and from being permanently installed). More steps are needed.

Internet Explorer

It took security expert Steve Gibson a while to come around to my Defensive Computing posture, but he finally did. No more Internet Explorer. Just say no. Friends don't let friends use Internet Explorer. In part this is unfair to Microsoft, as IE is not necessarily any buggier than competing browsers. But it is buggy enough, and it has a huge target painted on its back. Plus, Microsoft makes a bad situation worse by being slow to fix bugs. If for no other reason than this, any other Web browser is safer than IE.

Other browsers are updated with bug fixes when they are needed. IE has to live in a huge bureaucracy that dictates it only gets updated once a month. It makes headlines when IE is patched when needed, as opposed to on schedule. Not good for security. In addition to the slow IE patching imposed by the once-a-month schedule, Microsoft has a history of just being slow. For example, the IE bug that was exploited recently to attack Google and others was initially called a zero-day vulnerability, techie terminology for a newly discovered bug. It turns out not to have been zero-day at all, more like 120 days: Microsoft was alerted to the problem four months before it was exploited against Google. And we're still not done with IE issues. Computerworld reports that design flaws in the browser can let it expose the entire C: disk. There is no such thing as removing Internet Explorer, but we can hide it. First, lock it down as best as possible. On the Security tab (of Internet Options) set the Internet and Local intranet zones to High security. Turn on Protected Mode and DEP (note that DEP requires companion support in both the processor and BIOS). Then get rid of all visible signs of Internet Explorer. Remove it from the desktop, task bar, and Start button. It's still there; only now the only way to run it is to navigate to C:\Program Files\Internet Explorer\iexplore.exe.

Firefox and Adobe Reader


In place of Internet Explorer, I suggest Firefox; no news here. But it does need some work out of the box. A great security tweak to Firefox is to force the address bar to turn green on all secure HTTPS Web pages. It shouldn't be hard to train anyone that green is safe and anything else is not. This tweak is done by editing a file called userChrome.css.

Another possibility is using the portable version of Firefox rather than a normally installed copy. Not only does this allow a limited/restricted/standard user to update the browser with new patches, it also makes the software harder to find by any malware looking to infect it. Another program that I'd ban from the computer of anyone involved with corporate secrets is Adobe Acrobat Reader. Like Internet Explorer, Adobe Reader has a big target painted on it. It has also been rather buggy over the last couple of years. At one point, Adobe thought it was a good idea to only issue bug fixes every three months. And the procedure for updating the software is harder than it needs to be. In addition to the Reader itself, Adobe installs two programs that run every time Windows starts, which is an accident waiting to happen. In fact, simply hovering the mouse over the name of a PDF file causes an Adobe program (AcroRd32Info.exe) to run, no clicking required. This is true even if Adobe Reader is not the default program for opening PDFs (tested on Windows XP with Adobe Reader 8.2.0). It's all just too intrusive for my taste. There are many other PDF readers, any one of which will be a lesser target. I use the one from Foxit Software. It doesn't do everything that Adobe Reader does, but it should be enough for almost everyone. If, for some reason, Adobe Reader can't be uninstalled, then at least don't make it the default program for opening PDFs, and be sure to turn off JavaScript.

While Internet Explorer and Adobe Reader are the most frequently targeted applications, bad guys also exploit other popular software. Thus, the less software installed the better. With this in mind, I would uninstall QuickTime, Java, Shockwave, Real Player, and any other popular software that is not absolutely needed. Flash is a difficult choice. Because it's popular, you can expect bad guys to exploit known vulnerabilities as they are discovered. But it's also needed frequently. As a compromise, consider the Flashblock Firefox extension. It works by blocking Flash objects on Web pages and replacing them with placeholders. If a particular Flash object is needed, all you need do is click on it to run it. As I write this, the Flashblock extension has been downloaded nearly 8 million times. Perhaps the king of popular software is Microsoft Office. Consider replacing it with Open Office, the theory being, again, software that is a lesser target. Open Office is not as functional as Microsoft Office, but for non-techies, such as corporate bigshots, it should be functional enough. Did you know that the recent bug in Internet Explorer, the one that was so critical that Microsoft released an immediate fix without waiting for the second Tuesday of the month, also affected Microsoft Office? This didn't get much press. In Microsoft's own words:

We are also aware that the vulnerability can be exploited by including an ActiveX control in a Microsoft Access, Word, Excel, or PowerPoint file. Customers would have to open a malicious file to be at risk of exploitation. To prevent exploitation, we recommend that customers disable ActiveX Controls in Microsoft Office.
Support for ActiveX controls in Office documents is a security accident waiting to happen. I read the instructions for disabling ActiveX controls in Microsoft Office 2003. They were so confusing, I couldn't follow them. The safest thing to do is replace Microsoft Office with competing software.

Other Software Issues


For years viruses have spread on USB flash drives (a.k.a. pen drives, thumb drives, etc.) and they continue to do so. Windows 7 is more locked down in this respect than XP, but it is not bullet-proof. The good news is that with a simple update to the registry, you can offer 100 percent protection from all Autorun/AutoPlay vulnerabilities.

Hardware Encryption
On the hardware side, I have two suggestions. First, set a password for the hard drive in the computer. This should be a simple thing to do, and hard drive passwords are more secure than both BIOS-level startup passwords and operating system passwords. The best encryption is, arguably, full disk encryption, and if an executive has sensitive files on his or her computer, this might make sense. But sensitive files should not be kept on a laptop or desktop computer. They are best stored on an external hard drive, one that can travel with the bigshot to places that a computer can't go. Two encrypted hard drives, the Lenovo ThinkPad USB Secure Hard Drive and the Aegis Padlock, stand out for not needing any software running on any computer; thus they can work with computers running Windows, OS X, or Linux. Each has built-in buttons that are used to enter a password. Until a valid password is given, the computer can't see anything on the drive. After the password is validated, the drives work like normal unencrypted hard drives. The computer is totally unaware of the encryption. For the user, there is no learning curve, just a password.

Another big advantage to an external encrypted hard drive is that it can be easily and quickly locked just by unplugging it from the computer.

Exploiting Friends
Is all this too much trouble? Am I overreacting? The operation that Google uncovered at the end of 2009 was very sophisticated. The Financial Times reported that personal friends of employees at Google, Adobe, and other companies were targeted by hackers. Friends? The article, by Joseph Menn, says:

...the attackers had selected employees at the companies with access to proprietary data, then learnt who their friends were. The hackers compromised the social network accounts of those friends, hoping to enhance the probability that their final targets would click on the links they sent.
Yikes.

The 20 Most Effective Controls to Protect Your Enterprise


By Sonny Discini

Securing the enterprise against cyber attacks has become one of the highest priorities of corporate leadership. To achieve this objective, networks, systems, and the operations teams that support them must vigorously defend against a variety of threats, both internal and external. Furthermore, for those attacks that are successful, defenses must be capable of detecting, thwarting, and responding to follow-on attacks on internal enterprise networks as attackers spread inside a compromised network.

What this really means is that offense and defense must keep each other informed, and as such, the overall foundation of security is built on this flow of communication. Enterprise security teams have struggled with this, but now they may have an effective model to apply.

The Path to Effective Controls


Before we list specific technical controls, it's important to understand that because organizations do not have unlimited funding, the only rational way they can hope to be successful is to establish a prioritized baseline of information security measures and controls that can be continuously monitored through automated mechanisms. When devising controls, the following guiding principles should be considered:

- Defenses should focus on addressing the most common and damaging attack activities occurring today and those anticipated in the near future.
- Enterprises must ensure consistent controls across the whole environment to effectively negate attacks.
- Defenses should be automated where possible, and periodically or continuously measured using automated measurement techniques where feasible.
- To address current attacks occurring on a frequent basis against numerous organizations, a variety of specific technical activities should be undertaken to produce a more consistent defense.

Following in the Footsteps of the Feds


For inspiration and guidance in how to combat these threats, look no further than the U.S. government. The federal government revamped the Federal Information Security Management Act (FISMA) to address the needs of securing federal computer systems. FISMA, the U.S. ICE Act of 2009, specifically addresses the same issues many corporate security practitioners face. If you read through the legislation, you come across an interesting snippet of verbiage: "monitor, detect, analyze, protect, report, and respond against known vulnerabilities, attacks, and exploitations" and "continuously test and evaluate information security controls and techniques to ensure that they are effectively implemented."

Now, when tailoring your controls to be enterprise-specific, consider the following sub-controls.

Low Hanging Fruit: The intent of identifying low-hanging-fruit areas is to highlight where security can be improved rapidly, that is, where an organization can improve its security stance without major procedural, architectural, or technical changes to its environment.

Improved Visibility and Attribution: Improving the process, architecture, and technical capabilities of organizations so they can monitor their networks and computer systems, gaining better visibility into IT operations. In other words, these controls help increase an organization's situational awareness of its environment.

Hardened Configurations: This type of control focuses on protecting against poor security practices by system administrators and end users who could give an attacker an advantage in attacking target systems. Hardened system configuration aims to reduce the number and magnitude of potential security vulnerabilities as well as improve the operations of networked computer systems.

There are 15 controls that can be handled via automation and five that require manual application. The SANS Institute provides specific details about each of these controls. The 15 that can take advantage of automation are:

1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
4. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
5. Perimeter Defense
6. Maintenance, Monitoring, and Analysis of Security Audit Logs
7. Application Software Security
8. Controlled Use of Administrative Privileges
9. Controlled Access Based on Need to Know
10. Continuous Vulnerability Assessment and Remediation
11. Account Monitoring and Control
12. Malware Defenses
13. Limitation and Control of Network Ports, Protocols, and Services
14. Wireless Device Control
15. Data Loss Prevention

And the five that must be done manually are:

16. Secure Network Engineering
17. Penetration Testing
18. Incident Response Capability
19. Data Recovery Capability
20. Security Skills Assessment and Appropriate Training

The consensus effort to define critical security controls is still evolving. In fact, changing technology and changing attack patterns will necessitate future changes, even after the current set of controls has been finalized. In a sense, this will be a living document moving forward, but the controls described in this version are a solid start in the quest to make fundamental computer security defenses a well understood, repeatable, measurable, scalable and reliable process throughout the federal government. Although there is no such thing as absolute protection, proper implementation of the security controls identified will ensure an organization is protecting against the most significant attacks. As attacks change, additional controls or tools become available, or the state of common security practice advances, it is critical to review these controls and make changes as needed. Treat this list as a living document with frequent evaluations to ensure that the most effective practices are indeed in place.

Seven Simple Wireless Security Tips


By eSecurity Planet Staff

These days wireless networking products are so ubiquitous and inexpensive that just about anyone can set up a WLAN in a matter of minutes with less than $100 worth of equipment. This widespread use of wireless networks means that there may be dozens of potential network intruders lurking within range of your office WLAN. Most WLAN hardware has gotten easy enough to set up that many users simply plug it in and start using the network without giving much thought to security. Nevertheless, taking a few extra minutes to configure the security features of your wireless router or access point is time well spent. Here are some of the things you can do to protect your wireless network:

1. Secure Your Wireless Administration Interface

Almost all routers and access points have an administrator password that's needed to log into the device and modify any configuration settings. Most devices use a weak default password like "password" or the manufacturer's name, and some don't have a default password at all. As soon as you set up a new WLAN router or access point, your first step should be to change the default password to something else. You may not use this password very often, so be sure to write it down in a safe place so you can refer to it if needed. Without it, the only way to access the router or access point may be to reset it to factory default settings, which will wipe away any configuration changes you've made.

2. Don't Broadcast the SSID

Most WLAN access points and routers automatically (and continually) broadcast the network's name, or SSID (Service Set IDentifier). This makes setting up wireless clients extremely convenient, since you can locate a WLAN without having to know what it's called, but it will also make your WLAN visible to any wireless systems within range of it. Turning off SSID broadcast for your network makes it invisible to your neighbors and passers-by (though it will still be detectable by WLAN sniffers).

3. Enable WPA Encryption Instead of WEP

802.11's WEP (Wired Equivalent Privacy) encryption has well-known weaknesses that make it relatively easy for a determined user with the right equipment to crack the encryption and access the wireless network. A better way to protect your WLAN is with WPA (Wi-Fi Protected Access). WPA provides much better protection and is also easier to use, since your password characters aren't limited to 0-9 and A-F as they are with WEP. WPA support has been built into Windows since XP.

4. Remember That WEP is Better Than Nothing

If you find that some of your wireless devices only support WEP encryption (this is often the case with non-PC devices, such as media players, PDAs, and DVRs), avoid the temptation to skip encryption entirely because, in spite of its flaws, using WEP is still far superior to having no encryption at all. If you do use WEP, don't use an encryption key that's easy to guess, like a string of the same or consecutive numbers. Also, although it can be a pain, WEP users should change encryption keys often, preferably every week.

5. Use MAC Filtering for Access Control

Unlike IP addresses, MAC addresses are unique to specific network adapters, so by turning on MAC filtering you can limit network access to only your systems (or those you know about). In order to use MAC filtering you need to find (and enter into the router or AP) the 12-character MAC address of every system that will connect to the network, so it can be inconvenient to set up, especially if you have a lot of wireless clients or if your clients change a lot. MAC addresses can be spoofed (imitated) by a knowledgeable person, so while it's not a guarantee of security, it does add another hurdle for potential intruders to jump.

6. Reduce Your WLAN Transmitter Power

You won't find this feature on all wireless routers and access points, but some allow you to lower the power of your WLAN transmitter and thus reduce the range of the signal. Although it's usually impossible to fine-tune a signal so precisely that it won't leak outside your home or business, with some trial and error you can often limit how far outside your premises the signal reaches, minimizing the opportunity for outsiders to access your WLAN.

7. Disable Remote Administration

Most WLAN routers have the ability to be remotely administered via the Internet. Ideally, you should use this feature only if it lets you define a specific IP address or limited range of addresses that will be able to access the router. Otherwise, almost anyone anywhere could potentially find and access your router. As a rule, unless you absolutely need this capability, it's best to keep remote administration turned off. (It's usually turned off by default, but it's always a good idea to check.)

Five Advanced Wi-Fi Network Security Tips


By Eric Geier

If you've ever Googled "Wi-Fi security" (or you've been reading this eBook), you probably have the basics down: don't use WEP, use WPA or WPA2; disable SSID broadcasting; change default settings. If you're looking for more advanced security tips for your WLAN, consider the following five tips for bringing enterprise-level protection to even the smallest of networks.

1. Move to Enterprise Encryption

If you created a WPA or WPA2 encryption key of any type and must enter it when connecting to the wireless network, you are only using the Personal or Pre-shared Key (PSK) mode of Wi-Fi Protected Access (WPA). Business networks, no matter how small or big, should be protected with the Enterprise mode, which adds 802.1X/EAP authentication to the wireless connection process. Instead of entering the encryption key on all the computers, users log in with a username and password. The encryption keys are derived securely in the background and are unique for each user and session. This method provides central management and overall better Wi-Fi security. Instead of loading the encryption keys onto computers where employees and other users can recover them, each user logs into the network with their own account when using the Enterprise mode. You can easily change or revoke access when needed. This is especially useful when employees leave the company or a laptop is stolen. If you're using the Personal mode, you'd have to manually change the encryption keys on all the computers and access points (APs).

The special ingredient of the Enterprise mode is a RADIUS/AAA server. This communicates with the APs on the network and consults the user database. Consider using the Internet Authentication Service (IAS) of Windows Server 2003 or the Network Policy Server (NPS) of Windows Server 2008. If you want to go vendor-neutral, try the popular open source server, FreeRADIUS. If you find setting up an authentication server requires more money and/or expertise than you have, consider using an outsourced service.
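What a Personal-mode key actually is, as an added example (not code from the article), covering both the WEP-versus-WPA tip earlier in the eBook and the Personal-versus-Enterprise point above: WEP keys are hex digits only, a WPA passphrase is 8 to 63 printable characters, and in Personal mode every device turns the passphrase and SSID into the same 256-bit pairwise master key with the PBKDF2-HMAC-SHA1 mapping from IEEE 802.11i. The device names are constructed.

```python
import hashlib
import re

WEP_KEY_HEX_LENGTHS = {10, 26}  # 40-bit and 104-bit WEP keys, entered as hex digits only


def is_valid_wep_key(key: str) -> bool:
    """WEP keys are limited to 0-9 and A-F, exactly the awkwardness the earlier tip mentions."""
    return len(key) in WEP_KEY_HEX_LENGTHS and re.fullmatch(r"[0-9A-Fa-f]+", key) is not None


def is_valid_wpa_passphrase(passphrase: str) -> bool:
    """A WPA/WPA2 Personal passphrase is 8 to 63 printable ASCII characters (0x20-0x7E)."""
    return 8 <= len(passphrase) <= 63 and all(0x20 <= ord(c) <= 0x7E for c in passphrase)


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Passphrase-to-PSK mapping from IEEE 802.11i: PBKDF2-HMAC-SHA1 with the SSID as
    salt, 4096 iterations, 32 bytes out. The SSID is a salt, not a secret: the same
    passphrase on a differently named network gives a different key."""
    if not is_valid_wpa_passphrase(passphrase):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)


def personal_mode_keys(passphrase: str, ssid: str, devices) -> dict:
    """What each Personal-mode device ends up holding: the identical PSK, which is the
    pairwise master key for every session on the network. Anyone who recovers the
    passphrase from one laptop holds it for all of them, and revoking one user means
    a new passphrase on every device and every AP; Enterprise mode instead derives a
    fresh per-user, per-session key from the 802.1X/EAP exchange."""
    psk = wpa_psk(passphrase, ssid).hex()
    return {device: psk for device in devices}


if __name__ == "__main__":
    for device, key in personal_mode_keys("password", "IEEE", ["alice-laptop", "bob-laptop", "lobby-ap"]).items():
        print(device, key)
```

The "password"/"IEEE" pair is the first published test vector for this mapping, so the output can be checked against the standard.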

2. Verify Physical Security


Wireless security isn't all technical. You can have the best Wi-Fi encryption but have someone plugging into an Ethernet port that's in plain sight. Or someone could come by and hold in the reset button of an access point, restoring it to factory defaults and leaving your network wide open. Make sure all your APs are well out of the reach of the public and out of sight from employees, too. Instead of sitting an AP on a desk, mount it on the wall or ceiling, or, better yet, put it above a false ceiling.


Solving Common IT Security Problems, an Internet.com Security eBook. 2010, Internet.com, a division of QuinStreet, Inc.


You might consider mounting the APs out of sight and installing external antennas where you'll get the most signal. This will let you confine the AP even more while taking advantage of the increased range and performance of an aftermarket or higher-gain antenna. APs aren't the only piece of equipment to be worried about. All networking components should be secured. This even includes Ethernet cabling. Though it might be a little far-fetched to some, a determined hacker could cut an Ethernet cable to tap into the line. Along with mounting, you should keep track of the APs. Create a spreadsheet logging the AP models used along with the MAC and IP addresses, and note where the APs are located. This way you know exactly where the APs should be when performing inventory checks or when tracking down a problem AP.

3. Set Up an Intrusion Detection/Prevention System (IDS/IPS)

These systems usually consist of a software program that uses your wireless adapter to sniff the Wi-Fi signals for problems. They detect rogue APs, whether a new AP is introduced to the network or an existing one is reset to defaults or doesn't match a set of standards you've defined. These systems also analyze the network packets to see if someone might be using a hacking or jamming technique. There are many different intrusion detection and prevention systems out there that use a variety of techniques. Open source or free options include Kismet and Snort. Commercial products are also available from vendors such as AirMagnet, AirDefense, and AirTight.

4. Create Wireless Usage Policies

Along with other general computer usage guidelines, you should have a specific set of policies for Wi-Fi access that should at least include the following items:

- List of devices authorized to access the wireless network: It's best to deny all devices and explicitly allow each desired device by using MAC address filtering on the network router. Though MAC addresses can be spoofed, this provides reasonable control of which devices employees are using on the network. A hard copy of all approved devices and their details should be kept to compare against when monitoring the network and for input into intrusion detection systems.
- List of personnel authorized with Wi-Fi access to the network: This could be regulated when using 802.1X authentication (WPA/WPA2-Enterprise) by only creating accounts in the RADIUS server for those who need Wi-Fi access. If 802.1X authentication is also being used on the wired side, you should be able to specify whether users receive wired and/or wireless access by modifying Active Directory or using authorization policies on the RADIUS server itself.
- Rules on setting up wireless routers or APs: For example, that only the IT department can set up more APs, so employees don't just plug in an AP from home to extend the signal. An internal rule for the IT department might cover defining acceptable equipment models and configurations.
- Rules on using Wi-Fi hotspots or connecting to home networks with company devices: Since the data on a device or laptop can be compromised and the Internet activity monitored on unsecured wireless networks, you may want to limit Wi-Fi connections to only the company network. This could be controlled by imposing network filters with the Network Shell (netsh) utility in Windows. Alternatively, you could require a VPN connection back to the company network to at least protect the Internet activity and to remotely access files.

5. Use SSL or IPsec on Top of Wi-Fi Encryption

Though you might be using the latest and greatest Wi-Fi encryption (on Layer 2 of the OSI model), consider implementing another encryption mechanism, such as IPsec (on Layer 3 of the OSI model). In addition to providing double encryption on the wireless side, it can secure the wired communication too. This would prevent eavesdropping by employees or outsiders tapping into an Ethernet port.
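The AP inventory spreadsheet from tip 2 put to work as the standards check an IDS performs under tip 3, as an added example that is not from the eBook: it compares a scan against the inventory and flags unknown APs, inventoried APs whose SSID or security mode no longer matches (the reset-button case), and inventoried APs that have gone silent. The inventory rows, scan results, MAC addresses and the "CorpNet" SSID are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ApRecord:            # one row of the AP inventory spreadsheet
    bssid: str
    model: str
    location: str
    ssid: str              # SSID the AP is supposed to broadcast

@dataclass(frozen=True)
class Observation:         # one AP as reported by a Wi-Fi scanner (e.g. Kismet)
    bssid: str
    ssid: str
    security: str

def norm(mac: str) -> str:
    """Normalise MAC notation so 00-11-22-33-44-02 and 00:11:22:33:44:02 compare equal."""
    return mac.lower().replace("-", ":")

def audit(inventory, observations, required_security="WPA2-Enterprise"):
    """Compare a scan with the inventory; returns (severity, bssid, finding) tuples."""
    known = {norm(r.bssid): r for r in inventory}
    seen, findings = set(), []
    for o in observations:
        b = norm(o.bssid)
        seen.add(b)
        rec = known.get(b)
        if rec is None:                      # never inventoried: staff's home AP, evil twin, ...
            findings.append(("high", b, f"unknown AP broadcasting {o.ssid!r}: possible rogue AP"))
            continue
        if o.ssid != rec.ssid:               # default SSID back after a reset-button press?
            findings.append(("high", b, f"{rec.location}: SSID {o.ssid!r}, expected {rec.ssid!r}"))
        if o.security != required_security:  # open or PSK instead of the Enterprise standard
            findings.append(("high", b, f"{rec.location}: {o.security}, expected {required_security}"))
    for b, rec in known.items():
        if b not in seen:                    # inventoried but silent: failed, moved, or stolen
            findings.append(("medium", b, f"{rec.location}: {rec.model} not seen in scan"))
    return findings

# Constructed sample data: three inventoried APs (one reset to defaults, one silent) and one nobody registered.
INVENTORY = [
    ApRecord("00:11:22:33:44:01", "ExampleAP", "Floor 1 ceiling", "CorpNet"),
    ApRecord("00:11:22:33:44:02", "ExampleAP", "Floor 2 ceiling", "CorpNet"),
    ApRecord("00:11:22:33:44:03", "ExampleAP", "Warehouse", "CorpNet"),
]
SCAN = [
    Observation("00:11:22:33:44:01", "CorpNet", "WPA2-Enterprise"),
    Observation("00-11-22-33-44-02", "ExampleAP_Setup", "Open"),
    Observation("aa:bb:cc:dd:ee:ff", "CorpNet", "WPA2-Personal"),
]
```

Running `audit(INVENTORY, SCAN)` yields four findings: two for the reset AP on floor 2, one for the unregistered AP, and one for the silent warehouse AP.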
