The Official Word
There are several organizations and agencies that deal with computer security
issues. Perhaps the most widely known is the Computer Emergency Response Team
(CERT) at Carnegie-Mellon University. They serve as a clearinghouse for
problems with most common operating systems. They regularly issue CERT Advisories that
detail the steps necessary to correct security problems, without revealing too
much about how to use the problem to break in. For details, check out their web
site: www.cert.org.
Another organization that is vital for the security of your system is your own
management. They have to take an active, if not proactive, stance in promoting
security on your system. It is up to them to define what security means for the
company and how important it is. In addition, they must give you, as the system
administrator, all the tools necessary to put these goals into practice.
Security and Network Policies
A security policy is a set of decisions that collectively determine an
organization's posture toward security. This not only includes what is and what
is not acceptable behavior, it also defines what actions are taken when the
policy is violated. A network policy defines what is acceptable when using the
Internet. The two cover different areas, but are very much intertwined.
Before you define a security policy, you need to define your security stance.
This is more or less decided by your company's attitude toward security. If you
believe that everyone should have access to everything and nothing will be
limited, your policy will be significantly different than if you want security
above all, no matter how inconvenient it is for your users.
It is often difficult to define what is considered "acceptable" behavior. Some
companies give their employees the freedom to hang themselves. That is, they
have complete access to the Internet, including email, WWW, and so on. If the
company discovers that an employee spent all their time downloading games and
not working, they get a warning, then a reprimand and finally termination. On
the other end of the scale, some companies say that a computer is for company
business and will not be used at all for personal purposes, even if it means
you can't get email from your brother.
One thing I feel should be in there, no matter which end you are on, is that
you must clearly state that employees' activity on the Internet should present
the "proper" image for the company. I had to put the word "proper" in quotes,
because this will obviously differ from company to company. I worked in two
places that were very similar on the surface: father-and-son businesses, both
with about 1500 people worldwide. One was very rigid and formal ("Good morning,
Mr. Smith") and the other was very laid back ("Mornin' Tom, how's it going?").
What was proper in one place was not in the other. On a business trip to
Australia, I was told that when you call someone Mr. or Mrs. you are angry or
upset, or want to be sarcastic.
The first step in defining either your security or Internet policy is to define
what is and what is not permitted. Spell it out in clear text, so that everyone
knows what it means. To make things easier, and perhaps the list smaller, you
could simply define the "don'ts": state what is not permitted. This could
include the hours during which Internet activity is not allowed and the types
of material that cannot be brought into the company (e.g. pornography, pirated
software).
Another part of the security policy should be what protocols and programs you
are going to allow. If you are only going to allow outbound connections, then
the policy should state this. If inbound connections are okay, what protocols
can be used? Are incoming ftp connections okay, but not incoming telnet? If so,
this needs to be spelled out in the security policy.
A key aspect of your security policy is your stance on passwords. If you have
decided that passwords must be a specific length and cannot contain specific
content (such as the user's first name or spouse's name), this needs to be
spelled out.
The policy should also define the system administrator's responsibilities. On a
Linux system it is a simple matter to change the source code of the passwd
program to check a list of unauthorized passwords, or to check manipulated
forms of the new password as well, so that an unauthorized password spelled
backwards is rejected too. If necessary, the security policy can state that it
is the system administrator's responsibility to ensure that such passwords
cannot be used. This can be easily accomplished by using the npasswd program.
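As an added example (not code from the page, from passwd or from npasswd), here is a Python check that applies the rules discussed above: a minimum length, no personal words such as the user's or spouse's first name, and an unauthorized-password list matched both forwards and spelled backwards. The length, the word list and the names are constructed values.

```python
import re

# Constructed policy values: a real check reads these from the company's
# written password policy and its unauthorized-password file.
MIN_LENGTH = 8
UNAUTHORIZED = {"password", "secret", "linux", "qwerty", "letmein"}


def policy_violations(password, personal_words,
                      unauthorized=UNAUTHORIZED, min_length=MIN_LENGTH):
    """Return the list of policy rules the password breaks; empty means OK.

    personal_words: words forbidden for this particular user, such as the
    login name, first name or spouse's name named in the policy.
    """
    reasons = []
    lowered = password.lower()

    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")

    # Personal words are rejected whether they appear forwards or reversed;
    # very short names (e.g. "Al") are skipped so they do not match everything.
    for word in personal_words:
        w = word.lower()
        if len(w) >= 3 and (w in lowered or w[::-1] in lowered):
            reasons.append(f"contains personal word '{word}' (forwards or reversed)")

    # The unauthorized list is matched forwards and spelled backwards, after
    # dropping leading/trailing digits so "password1" and "1drowssap" are
    # caught as well.
    core = re.sub(r"\d+$", "", lowered)
    core = re.sub(r"^\d+", "", core)
    if core in unauthorized or core[::-1] in unauthorized:
        reasons.append("matches the unauthorized-password list (forwards or reversed)")

    return reasons


def password_acceptable(password, personal_words):
    """Boolean form, as a modified passwd program would call it."""
    return not policy_violations(password, personal_words)
```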
Have your company management sign a password security policy and make all
employees sign it as well. This policy should specifically define what is
unacceptable behavior when dealing with passwords. Make sure that the employee
is aware of the consequences of violating this policy, such as letters of
reprimand and even immediate termination. Users must be told that they will be
held accountable for actions taken by anyone using their account.
At first, termination might seem a little harsh for a person who gives his
password to someone else in the same department, for example. However, there is
no need to. If that other person really needs access to the data, either the
permissions on the file should be set or the file should be copied to a common
area. If access to the account itself is necessary, have their supervisor or
someone else who is known to the system administrators call. The sysadmin will
either copy the file, change permissions or change the password to something
known (in accordance with the company password policy). This password will then
be changed again when the account is no longer needed.
Users must keep their passwords to themselves, and passwords must never be
written down anywhere. This includes blotters, calendars, post-its and
especially files on the computer. The hacker in The Cuckoo's Egg scanned email
files and found one where the user was telling a co-worker his password.
Users must change their passwords from time to time. Certain dialects of Linux
can force users to change their passwords. If the version of Linux you have
cannot, you could implement a program that checks for specific dates and then
notifies users. One possibility is to send mail to half the employees one month
and the other half the next month.
Users must know never to reset passwords to specific values based on email they
have received. This prevents a hacker from compromising the mail system and
sending a message to an unsuspecting user. Would your users be able to
recognize mail that doesn't come from a real administrator? All your mail
should do is say that the password has expired and that it should be changed.
If the user gets a message to change it to a specific password, then it didn't
come from an administrator.
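An added example, not from the page: a small Python scheduler for the expiry reminders described above. It splits users into two stable halves, notifies only the half scheduled for the current month, and uses a message that never names a specific password. The 90-day limit, the login names and the dates are constructed values; a real version would read each account's last-change date from the shadow file.

```python
from datetime import date

MAX_AGE_DAYS = 90   # constructed value; take the real limit from the written policy


def cohort(username):
    """Stable split of users into two halves (0 or 1).

    The parity of the character sum keeps each user in the same half on every
    run, regardless of the order in which accounts are listed.
    """
    return sum(ord(c) for c in username) % 2


def users_to_notify(last_changed, today, max_age_days=MAX_AGE_DAYS):
    """Return login names whose password is older than max_age_days and whose
    half is scheduled this month: half 1 in odd months, half 0 in even months.

    last_changed maps login name -> date the password was last set.
    """
    scheduled_half = today.month % 2
    return [user for user, changed in sorted(last_changed.items())
            if (today - changed).days > max_age_days
            and cohort(user) == scheduled_half]


def expiry_notice(username):
    """Text of the reminder. It only says the password has expired and must be
    changed; it never tells the user which value to set, so users can treat
    any mail that does as not coming from the administrators."""
    return (f"{username}: your password has expired. Log in and change it\n"
            "with the passwd command. Administrators will never ask you to set\n"
            "your password to a particular value.")


if __name__ == "__main__":
    # Constructed sample accounts and dates.
    sample = {"alice": date(2023, 11, 1), "bob": date(2023, 11, 1),
              "carol": date(2024, 2, 1), "dave": date(2023, 6, 1)}
    for user in users_to_notify(sample, date(2024, 3, 15)):
        print(expiry_notice(user))
```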