Security Concerns 1

[xiong]

I'm sure I'm not the first person here to experience this.

I have a client who has a small network with multiple computers and the dial-up internet connection.

They have the resources, but are still unwilling to invest any money in any type of virus protection, backup solution, firewall, or any other device. They have the "it won't happen to us" mentality. To top it off, they are in the medical industry and house a great deal of confidential data.

Does anyone have any documents, sites, presentations, or anything that might help me during my next meeting to convince them to invest a small amount of money?

Thanks

 

[karmic]

sorry to say it, but don't bother trying to convince them.
The first major infection or hack will change their minds very very quickly. Been in your situation many times.

Do yourself a favor, do a backup to a workstation to cover your arse :O) ~ The day I think I know it all, i'm changing careers ~

 

[vesselescape]

Sorry to have to agree with "Karmic"

Of course if their dial up is a more or less standing connection, and you just happen to get the ip address from ipconfig, and a MS Messaging Service popup were to appear on the entire network advertising their accessability from outside, one of two things might happen.
1. They start to listen
2. They fire you on the spot

Of course, I would never suggest such a thing.

Regards,


P.S. As a medical establishment, remind them of their
patient confidentiality requirements under NIH rules.

 

[fyrewyr]

This does seem to be far too common - I went head-to-head with a couple of strong-willed guys who had this mentality - and it's persistent...even after Chernobyl destroyed several machines and someone repeatedly blue-screened machines with a remote attack; sometimes during critical processes.

I actually got a lot of heat for writing something to catch the guy (be forewarned), but once I had the smoking gun, it was discovered that this wasn't his first offense, and we pressed charges. This was the catalyst for change, but it took another 3-4 years for it to become a serious solution. That's how it goes.

Unfortunately for your client, the first successful hack could ruin them, as well as patient confidentiality. Depending on where they fit, they have until April to obtain compliance, possibly with a year's extension. If it applies, and they don't know this, there's a pattern of being out of date that will ensure their risk level:

Organizations must establish privacy procedures, designate a privacy officer and train employees in privacy compliance in order to comply with HIPAA. Compliance is required by April 2003, with an extension until April 2004 for smaller healthcare organizations. Those that fail to comply can face both civil and criminal penalties.

http://www.scmagazine.com/index2.html

In your presentation, I think your utmost responsibility is to represent the facts properly. Everyone will encounter some form of attack, but not everyone will be affected by it. It's irresponsible to promote scareware, and in the end, when the dire result doesn't happen (even as a result of your actions), you may "cry wolf". Don't allow yourself to get there. But hear this: with a dial-up connection, I can't imagine that someone is going to patch multiple machines in a timely fashion - these patches are HUGE. With the automated programs wandering the Internet, and email worms that exploit unpatched vulnerabilities without user intervention, basic protection is a responsibility.

Security purchasing is a future investment. An invaluable resource (a little higher caliber than SC Magazine IMHO), is CSO - The Resource for Security Executives. An issue that comes to mind is "How to Win at Risk":

http://www.csoonline.com/read/120902/index.html

Further, a couple of questions in the current issue are relavant, if only for simple comparison of opinions:

http://www.csoonline.com/read/020103/counsel.html

Read up.

 

[karmic]

well stated fyrewyr... ~ The day I think I know it all, i'm changing careers ~

 

[fyrewyr]

Sorry, that SCOnline link wasn't good, let's try it again:

"Shackled by the rules" (Cover Story - February U.S. issue)

http://www.scmagazine.com/artframe_art_cs.html

...and P.S. - what I'm talking about in pointing to risk management is that selling security is about selling the risk - or the business gains from the reduction of it. As you get closer and closer to "full security", it gets more and more expensive (and ridiculous) - but the first step(s) tend to cost the least (i.e., an $80 hardware firewall, $45 software), provide the largest gain in basic protection, and have the biggest ROI.

If the dialup is on one computer, just KISS (Keep It Simple, Stupid) start by protecting that gateway. Attach a firewall, and AV. Advise that media is not to be loaded from any machine but the protected one - then share the drive, internally, for remote access. Then realize that many breaches are internal - ideally you would want AV on all machines - Symantec's licensing is reasonable and protects email at the client.

Finally, don't just tell them what they need, give them options. It works on kids; instead of telling them "it's time for bed", ask them if they want to take the bunny or the bear to bed. When adults are presented with several options, shown the reasoning behind each one, and they can work with the features they think are reasonable, they may even choose a combination you never considered, rather than reject the whole thing out of hand...and you end up with something you can use, even if it's not your ideal.

Good luck.

 

[WheeDoggy]

Unfortunately, companies don't want to spend money and don't have the common sense that "an ounce of prevention is worth a pound of cure".

What I really hate is when a company is too cheap to invest and when something goes wrong due to them not following advice, they like to put the blame on the person who gave the suggestion for the mishap.

A sorry combination of needing to hang the blame on someone and sheer ignorance.

 

[Psychoid]

I have one word... er... acronym for your client:
HIPAA

There are many HIPAA references on the web, but here is just one:

http://www.hipaacomplianceguide.com/preview/03-03-00-00.asp

Let them know that they can go to jail if any patient information is leaked.

If that's not enough motivation for them, cover your ass by explaining this to them in an email (and of course, save a copy of it).

Unfortunately, I've seen this many times before and they never take security seriously until something bad happens. ------------
Bill
Consultant / Network Engineer
CNE, CCNA

 

[xiong]

Thanks for your posts. This is probably the third or fourth time I've been in the situation and it never gets any easier.

The articles will be especially helpful. If anyone has any more, let me know.


~Better to be thought a fool, than to speak and remove all doubt (Abraham Lincoln)

 

[BikashPanda]

Hello,
I have a similar situation with a small health care company. But they are convinced that they need to get serious abt the security. As the IT guy where do I start? Any input is appreciated. We have DSL with an in-house server running IIS, plus 3 more desktops connected thru NAT. We need to keep the IIS server available for outside world (it is running now with no firewall installed). What all ports should I block? Or What all application/services I should stop.

Thanks,
Bikash

 

[Grenage]

Well from what I have ready, and done myself I guess I would recommend the following:

2 firewalls ? for a DMZ setup (one between the IIS and the internet, and one between the IIS and your network). This would allow you flexibility with IIS connections while maintaining higher security on your LAN. I imagine you could do quite well with just one mind you.

Anti-virii on your servers and workstations for peace of mind against the latest worms etc.

 

[SgtB]

Grenage -

For a DMZ, you can always just add an extra NIC to your exisitng firewall. One to the internet, one to the LAN, and the other to the DMZ. You can then create an appropriate rulebase to give access to the DMZ like you would any other network(including internet) ________________________________________
Check out

http://www.security-forums.com

 

[xiong]

I currently have a similar configuration as well.

One web server with IIS, LAN, remote users, Citrix Metaframe, and the need to access the web server inside and out.

We run one PIX firewall, with AV protection on all workstations and servers. The PIX is configured to block all traffic except for access to the web server on port 8080, 443, and 21.

It could be better, but it works for now.

Ideally, you would have as Grenage says...two firewalls, or one with two zones, otherwise you will have differnt connection rules for your outside connections vs. the internal connections.

 

[Grenage]

Thats a good idea SgtB, for some reason I'd never thought about a firewall with 3 network adapters.

I've never actually worked with non-hardware firewalls myself, but at some point I guess I will have to

 

[SgtB]

Can you get HW firewalls with multiple ethernet adapters? We're going to be moving our whole network to VPN using PIX at each of our sites, so I'm just a little curious. ________________________________________
Check out

http://www.security-forums.com

 

[xiong]

There are many with this option. Most only have an internal and external interface, but there are models that have two internal interfaces, or a modular design tha allows for multiple ints.

~Only the Educated are Free (Epictietus)

 

[Grenage]

I've never seen any, but I've never looked. One would be ideal in our situation, about to add an exchange server to our local network.

 

[SgtB]

PIX probably has a module/card you can buy to add more ethernet ports. That is if you have any empty slots on your PIX.
________________________________________
Check out

http://www.security-forums.com

 

[williambishop]

Get a pix with multiple slots, and don't buy the nics from cisco, they are generic intel 10/100's. Turn off, insert cards, power on, configure and away you go.

 

[AjayM]

Sonicwall and Watchguard both offer firewalls with DMZ zones on them (or basically a 2nd secured zone). I'm sure there are lots of others as well.

Andrew