Implementing Security to network/workers.

Status
Not open for further replies.

Internexus

IS-IT--Management
Nov 5, 2004
92
US
Hey everyone, new here... I was recommended by a friend and have been browsing for a little while.

I have just recently taken the position of Network administrator for a small business with 8 sites total over the US.

When a problem arises and I need someone's account information I can literally call up these sites and say "this is so and so I need your login/password for xx program" and these people don't even KNOW of my position or anything and they will give me this information!

What is the best way to go about raising the security bar for this company? So far this place only has a firewall that I can tell as security. What should I start looking into in order to start locking this place up so that I don't have to worry about any kind of outside problems and also internal stupidity? Thanks for your help everyone!
-sean
 
A company security policy is needed, specifically, for the problem of users giving an ID and password over the phone. Most security problems are internal and need to be addressed at a high level. The policy could state that any user giving out private information, including IDs and passwords, will be terminated.
 
Well, you can start by setting in place some policies, namely, not giving out their account information to anybody, including someone from the company. I realize this is a pain in the butt, but it will save your rear in the end. What you just demonstrated, even on a small level, is social engineering, which I'm sure you are well aware of.

Some very basic, incomplete policies I think benefit pretty much everybody:

1. Don't ever give out your password to anybody, including someone from this company. If an administrator needs access to your account, they can reset your information, and will contact you with further details.
2. Make sure you lock your computer when you leave, even if it is just a run to the water cooler.
3. Lock your doors, again, even if it is just a run to the water cooler. It takes only a few seconds for someone to slip in.
4. Have some sort of software standard. For example, if you want everybody to use only IE or Mozilla/Firefox, say so. This cuts down on support for your techs, and will cut down on someone using lynx, and someone else using some homegrown browser (okay, a bit extreme, but you get the idea). Also, have a standard for antivirus. Some people may go out and buy Norton when your company is using McAfee, or vice versa. Set the guidelines (but not too strict), and make sure your users understand them.

Like I said, basic, incomplete. As far as network security, might I suggest pen testing (there is free software out there, like Nessus, that can get you started), firewalls at all campuses, content filtering, and an email gateway (if email is handled in-house, of course). Also, private IP addresses.

Now, on the other end of the spectrum, as security professionals/network admins, we want to lock things down so tight, you can see your reflection ... But your users will rebel if you do that, which could prove rather fatal, as far as security goes. Instead, talk with your users, get feedback on things they expect, make sure they know and understand things you expect, and work out something. Sometimes there may be things you cannot budge on (for example, using a certain printer); make sure they know this, understand it, and that you implement it as smoothly as you can.

Does that get you started at least?

----------------------------
"Security is like an onion" - Unknown
 
Excellent responses. I also forgot to mention that I can literally sit down at anyone's desk and hold my arms out as far as they go and within that area I can find that user's password. It hasn't failed yet. Currently there is NO IT for all of the locations outside of mine except for ONE. I could try to send out this policy via e-mail and have workers get a meeting together to explain everything being implemented.

As for the e-mail section, that is all covered by a host currently. We are set up as a domain, and we have a large 3600 Cisco router currently, but I do not believe it is 100% completely configured correctly for security at all. This is my first IT job and I am just trying to get an idea as to what kind of goals I should set for this place.

The way the local network is like: We have about 16 total users. Various OSes ranging from Windows 98 to Windows 2000/XP. We have about 5 machines running ME also, which are nothing but troublesome machines. We have implemented 5 brand new computers so far, but still obviously have 11 more to go if we were to completely get everyone up to par. The only machines I have to play with and implement out into the network to replace ME/98 machines are 333 MHz, which are rather a waste of my time.

We then have 4 local servers, one as a domain controller and 3 running applications for users. They also house the network printers for the domain. From there we go straight to the Router which is connected to a frame relay network for all of our other sites. All local machines utilize 1 program for the WWW, 1 program for AV, specific application for phone system, etc... I am only aware of a couple of users I think I may need to somehow restrict their web access as I find a lot of crap on their system like goofy screen savers and programs running.

We also have a VOIP setup which I am 100% ignorant about.

So far for security/upgrades we have:

Set up some form of policy amongst users.
Try to implement some standards on program use.

What else would you guys suggest? What about for furthering the functionality of the network? Thanks for all of the help guys!
-sean
 
kHz: I think we both need some tinfoil hats. :D

Internexus: Welcome to the scene. :)

This is just my personal opinion, but I think I would start with user PCs. As you have _a_ boundary, which may or may not be set up correctly, in the meantime, users are running on 333's, if that makes sense. Once users are squared away, you can concentrate on locking things down. Also, getting users up to par helps to track down network issues, based on my experience at least.

----------------------------
"Security is like an onion" - Unknown
 
Thanks for the welcome!

I am thinking that might be the best idea, to start with getting everyone's system up to par; it's gonna be a large pain in the butt if I have to play with some 300 MHz machines vs new machines. Especially when it comes down to security b/c of what's on them and the like. Thanks a lot! Anyone else have any other thoughts/opinions they'd like to add?
-sean
 
Hi

There are lots of things to do when we speak about security for a network. I recommend you look over HIPAA; it has very good things you can get from there that you can use at your site or sites.

I've gone through 2 security implementations already here and I'm still working on them. I'm not very new on this so I can't really tell you much on what to do, but here are some things we have been doing:

1. The first thing we did was getting domains set up, and giving everyone a user and password to log into the system.
2. Antivirus protection. The software had to have a centralized place where you can receive logs and manage the antivirus at each PC automatically if possible; it should have a place from where you can download updates. We use McAfee ePolicy Orchestrator here to handle the antivirus; it can take Norton as well.
3. Software review monthly automatically.
4. We got a network equipment monitoring system.
5. Security handling procedures. Levels on security problems, flow charts of how to report them and who to report them to.
6. Account and password administration. We had to give training to the full site on how to log into the PC, the type of password they should use, how often it will be changed, etc.
7. We blocked all traffic that was not necessary, leaving just the ports required at each department and for each application.
8. Stopping services we don't require at each server or process computer.
9. A proxy server; it's important when it comes to internet access. Get lists of the people who have internet access.
10. Information classification. This is another thing: you need to have a classification for all the information you are handling at your site.
11. You mention you have a problem with people giving out passwords just because they were asked about them. Well, you need to make a culture of not giving out passwords, and if they do, you need to take appropriate measures against the person that gave out that type of information; otherwise they will keep doing it: first, because they were not aware they could not give out that type of information; second, because they do it and they have no problems with the company if they do it, there is no punishment.

Not last, but part of what I learned with audits is that papers are very important, because you can have a full security system that works pretty well, but if you don't have a way to prove you have it then it's a big problem. I've been working on forms, procedures, diagrams, flow charts for every policy I got for security and HIPAA.

We can help each other a little more with this. My hotmail address is grrrime@hotmail.com

Saludos from Chihuahua Mexico

 
What is this HIPAA you are talking about? Do you have a link for it?

So far we have the domain implementation up and running; once we do away with the ME machines that part should be secure for the login/pass section and access of the network.

We have a uniform AV software that is in use currently, which is eTrust Antivirus, which I am not really familiar with how well (or lack thereof) this product does.

What is the network monitoring system you are talking about also? Is this a program that just monitors to see that all programs you have chosen are properly running and ones that aren't to be are disabled?

 
Alright, so far I have implemented a client/server setup for the antivirus software and now have it set up to automatically download virus signatures each night; each week in the middle of the night it is set to make each system scan and report to my machine.

I have just set up the Active Directory to auto log everyone off after 20 minutes of inactivity.

Do you guys usually have it so that after a certain time period you are required to change your password?

I am currently getting ready to test out a demo version of Tripwire to see how that program fares for what I am looking for. Thanks for all of the help guys. Any more ideas, shoot them my way please! Thanks!
 
Hi

1. You stated that you have an existing firewall in place; I assume that its configuration is the result of a security policy at some stage draft, perhaps out of date. I agree with everyone so far: you need to draft one. You should always have everyone who should be involved giving input. This may help generate user awareness of the concerns. I would not send the policy by email; I would have hardcopies, ensuring each employee signs in and commits to following it.

2. Your users may need user awareness training, although they may be too far gone and you may need to consider another form of identity management, which removes risk.

3. The number of differing operating systems you are using makes it impossible for you to implement a proper update policy. You should consider conforming all your systems to a standard version and build, bespoke software permitting; this will also aid in reducing business downtime by having standard builds. Look at physical security also.

4. In regards to your Cisco equipment, you can pick up a copy of SAFE best practices for securing your equipment, i.e. latest IOS, utilising IOS firewall, ACLs, disabling services, etc. Note: if you do not have experience of this kit, don't run the risk. Get someone else to do it.

5. You have provided little information about your domain setup. Although again there are best practices.

6. Regardless of whether users have a requirement for web filtering, you do... By not being proactive with your security it is only a matter of time. Consider using a proxy behind your firewall. And I would wipe all systems currently; you don't know what damage has already been done.

7. Make more use of Group Policy if you use it, and provide more granular security over file/folder access.

8. Who manages your firewall???? And what provider solution is it?

It sounds an interesting challenge; this is what happens when you take over a shit network, where security has not been a pre-design thought. Good Luck
 
I second the notion above in that, software permitting, you get all your machines on the same OS (& hardware if possible--but that's asking a lot)--because, as you mentioned, most of your users are located at other campuses, right? That will be a magnificent step forward in all depts of IT as well as in security, especially when you have to deal with these things remotely.
And you are right, WinME is utter crap.

As far as the rotating password change, being that your network is small, you could do a bulk change quarterly (or bi-annually). At my friend's company (over 200+ users) she did it by department bi-annually. But they never really had an issue with passwords as the admin passwords were the only thing worth hacking for and of course, as admins they guarded those well.
The biggest problem, hands down, that I've had recently is malware and relaying (if you have that in-house). But by far, malware/spyware is just everywhere. Much of that is also social engineering ("look, I can have the temperature outside sitting right next to my clock in the system tray! isn't that neat?")
Currently I can't go all gestapo-like & take away browser access/program installation at the level I'd like, but oh how I covet it one day.
 
I forgot to add-- before you invest big $$$ into any sort of spyware/malware protection/detection software, remember that if you're using Windows, Microsoft is coming out with free "Anti-Spyware" software for all licensed users.

This might alter what hardware/software you put into policy for your network--or it may not. Either way, it's good to keep that in mind (though Microsoft's free anti-spyware software might turn out to be crap anyway).
 