Dec 29 2008

Network Access Control and Security

Category: Access ControlDISC @ 4:24 am

Wireless Internet Access Global Map

The purpose of network access control is to protect and safeguard assets attached to network from threats of unauthorized users gaining access to organization’s assets.

Network Access Control (NAC) authenticate users to make sure they are authorized to login and following the policies and procedures for login before authorized to use organization assets. Some of the threats to assets are insider fraud, identity theft and botnet infestation, where botnet can be utilized as a launching pad for attacks to other organizations.

Various laws and regulations have been introduced for various industries to protect organization data. Organization can be held liable, if they don’t practice due diligence or have adequate protection for their assets. Before putting the policy in place to protect these assets it might help to know specific threats to environment. Today’s threats come from well organized criminals who take advantage of unprotected assets. These days most of the cyber crimes are international crimes. Even though most of the countries have cyber crimes laws today but the legal system varies from country to country which slows cooperation between countries. Today’s technology is changing fast but the legal system is not changing fast enough to tackle new cyber crimes. We don’t have comprehensive international laws yet which cover cyber crimes to prosecute these criminals; most of cyber crimes are conducted from a country whose law enforcement agency either don’t have time and training to pursue these crimes vigorously or don’t have a jurisdiction in the country where the crime is committed. Sometime law enforcement agencies get help from Interpol to prosecute these individuals, but most of the time law enforcement agencies in various countries are helpless because these criminals are not in their jurisdiction. In some cases these criminals are utilizing state of the art tools to cover their tracks.

Some Considerations to tackle NAC: adapt ISO 27002 domain 11 sub category 11.4 (NAC) controls as a policy suitable to your organization.

1. Create a network access control policy: policy on use of network services
2. User authentication for internal and external connections
3. Enforce access control policy
3a. Up-to-date signature file (anti-virus, anti-worm, anti-trojan, anti-adware)
3b. Up-to date patches
3c. Equipment identification in network
3d. Backup access control logs remotely and review regularly
3e. Multihome firewall installed which segregate networks
3f. Harden system configuration
3g. Network connection control
3h. Network routing control
4. Assess the posture of your network regularly to redefine policies
5. Gartner MarketScope for Network Access Control, 2008
6. The Forrester Wave™: Network Access Control, Q3 2008

“In Forrester’s 73-criteria evaluation of network access control (NAC) vendors, we found that Microsoft, Cisco Systems, Bradford Networks, and Juniper Networks lead the pack because of their strong enforcement and policy. Microsoft’s NAP technology is a relative newcomer, but has become the de facto standard and pushes NAC into its near-ubiquitous Windows Server customer base.”

Nortel Secure Network Access and Microsoft NAP integration
httpv://www.youtube.com/watch?v=rqu88yx4FGc

Reblog this post [with Zemanta]

Tags: Cisco Systems, Forrester, Gartner, iso 27002, Juniper Networks, jurisdiction, Law, Law enforcement agency, Microsoft, Microsoft Windows, NAC Policy, Network Access Control, Police, Security

Dec 16 2008

Unstable economy and insider threats

Category: Information Security,Insider ThreatDISC @ 2:42 am

State of affairs
Image by Pulpolux !!! via Flickr
During the current unstable economy, organizations face increased threats from insiders during tough economic years ahead. During hard time organizations not only have to worry about outsider threats but will be facing an increased threat from disgruntled employees who might see no future with the organization during unstable economy. During these circumstances, when new jobs are hard to come by, revenge or financial need might play a motivating factor for a disgruntled employee.

In July 2008, San Francisco city network administrator (Terry Childs who hijacked the city network) was arrested and charged with locking his own bosses and colleagues out of city network. Basically his bosses got caught sleeping on their jobs because they were not monitoring this guy who happens to have the key to their kingdom. San Francisco city network controls data for its police, courts, jails, payroll, and health services. After 8 days in jail cell Terry Childs finally relinquished the password to Mayor Gavin Newsom in his jail cell. Why San Francisco’s network admin went rogue

Here are some considerations to tackle insider threats

Manage and monitor access
Manage your users through single sign on source like Windows active directory or Sun single sign on directory, which not only enable control access to sensitive data but also let you disable access to all resources when employee leave the company from a single location. Single sign on solution also provide comprehensive audit trail which can provide forensic evidence during incident handling.

Limit data leakage
Intellectual property (design, pattern, formula) should be guarded with utmost vigilant. Access to IP should be limited to few authorized users and controls should be in place to limit the data leakage outside the organization. Protect your online assets, and disable removable media to prevent classified data being copied into USB drives, CDs, and mobile phones.

Principle of least privilege
Which requires that user must be able to access to classified information only when user has legitimate business need and management permission. Sensitive data should be distributed on need to know basis and must have system logs and auditing turned on, so you can review the access is limited to those who are authorized. Proactively review the logs for any suspicious activity. In case suspicious activity is detected, increase audit and monitoring frequency of the target to detect their day to day activity. Limit access to critical resources through remote access.

Conduct background check
Conduct background check on all new and suspicious employees. All employees who handle sensitive data must go through background check. HR should conduct background verification, reference check and criminal history for at least 5 years. What type of checks will be conducting on an individual will depend upon their access to classified information.

Risk assessment
Conduct a risk analysis of your data on regular basis to determine what data you have, its sensitivity and where it resides and who is the business owner. Risk analysis should determine appropriate data classification based on sensitivity and risks to data. Regular risk assessment might be necessary, due to passage of time data classification might change based on new threats and sensitivity of the data.

Digital Armageddon – The Insider Threat
httpv://www.youtube.com/watch?v=FQ4bvCPwFMY

Reblog this post [with Zemanta]

Tags: Background Check, Detect activity, Gavin Newsom, Intellectual Property, Manage access, Monitor access, Online assets, risk analysis, San Francisco, Security, Tough Economy

Dec 05 2008

Telcos and information privacy

Category: Information PrivacyDISC @ 2:26 pm

Mobile Phone
Image via Wikipedia

With the economy in the tank, breach of privacy is not going to be a priority in Obama’s administration to do list. It will be quite difficult to make it a priority when Obama has signed a bill indemnifying telcos from suits due to privacy breaches.

During the presidential election campaign, Verizon employee gained unauthorized access to President-elect Obama’s mobile phone records. You might assume that if telcos are having a hard time protecting the privacy of high profile individuals, how would that make you feel as a cell phone owner? Don’t you wonder why the mainstream media didn’t publicize this case of high profile privacy breach more widely?

Basically Telcos have been immunized from privacy lawsuits so that big brother can snoop around our private phone records as they please. In this instance, law only applies to people and makes it illegal to snoop on each other but the telecom entities have been granted an exception by congress. Legal ruling require law enforcement to meet high “probable cause” standard before acquiring cell phone record. In recent report, document obtained by civil liberties group under FOIA request suggest that “triggerfish” technology can be used to pinpoint cell phone without involving cell phone provider and user knowing about it.

Organizations should implement directive, preventive and detective controls to protect the privacy of information. Where directive controls include the policies, procedures, and training. Preventive controls deal with the separation of duties, principle of least privilege, network, application and data controls. Detective controls involve auditing, logging and monitoring.

Verizon case shows lack of detective controls. Organization should have a clearly defined privacy policy which states that private information should be logged, monitored and audited. High profile individual should be identified and documented and reviews of audit logs should be conducted to identify inappropriate access to the privacy information of high profile individuals. The authorized person who has access to private information should be audited on regular basis to find out if they are following the privacy policies and procedures of the company. For privacy information, log who accessed which data, for who and when. Managers should train and monitor subordinate to help protect privacy information, which not only educate the subordinate but also serve as a major deterrence. Privacy is an essential ingredient of liberty and must be guarded with utmost due diligence.

“Those who give up essential liberty to purchase a little temporary safety deserve neither liberty nor safety” Benjamin Franklin

Presidential Phone Compromised

Privacy Debate: Shouldn’t Public Demand High Threshold?
httpv://www.youtube.com/watch?v=HR6IEz4T7Yw

Reblog this post [with Zemanta]

Tags: auditing, Barack Obama, breach of privacy, Civil liberties, detective, directive, Lawsuit, logging, mobile phone, monitoring, preventive, privacy, Security, tiggerfish, Verizon