Securing Systems

In protecting individual workstations, including mobile computing devices such as laptops, notepads, and personal digital assistants, there is an old saying that the best defense is a good offense.

Having proactive procedures will help ensure security and privacy, and minimize the risks associated with computer operations. Workstation security can be assured by having standard hardware and software configurations, maintenance, and disposal policies and procedures. The following steps are general; deviations should, of course, be addressed on an individual basis:

- Install the most recent operating system and application security patches. Regrettably, some popular operating systems and applications have notorious security and operating flaws, making them easy prey for intrusions and the installation of malicious software (malware). To make sure your systems are protected, download and install updates as they are made available. It is the responsibility of the users and maintenance staff to ensure these updates are installed and documented. Documentation should reflect the individual device, identified by unique name or serial number, the type of update installed, date of installation, and by whom.

- Do not allow the installation of unauthorized software. Have a procedure where there is a list of authorized software that can be installed. Use software from recognized companies and install all update patches. Do not allow the installation of shareware or freeware programs. No one knows what these programs contain in the way of allowing damage to occur to your system. Besides, recognized companies generally have some kind of quality controls, and there is a performance expectation of a packaged product. In the event there is a problem, there is a viable party from whom to seek civil recourse for damages.

- Do not allow any unauthorized configurations. As an example, if file or printer shares are disabled, employees must not be allowed to enable them.

- Do not allow employees to install any hardware. Only authorized employees are allowed to install authorized hardware. For example, no employee is permitted to install modems in their workstations. This action creates a monumental security risk to the network.

- Keep all configurations the same. Regardless of whether there are network services, the organization should follow a standard configuration procedure for those applications. This facilitates auditing and security testing. Develop and maintain a standard installation and configuration procedure for all authorized software.

- Keep your workstation off-limits. Workstations should be physically secured when not in use. If the workstation is located in an office, the door should be locked when the workstation is not in use. If the workstation is used for very sensitive work, having a removable hard drive that is secured at the end of the workday is a good idea. Laptops may be secured by having software that encrypts the hard drive. In this fashion, if the hard drive was removed from the laptop and installed in another computer, it still would not be easily accessible.

- Other workstation security measures include using a BIOS password. The basic input/output system (BIOS) is a special piece of software incorporated in most computers. BIOS controls the startup of the computer and has the ability to be configured for a password before the computer may be started. In the event someone forgets their password, there are ways to circumvent the process but they usually require some time and specialized knowledge. BIOS passwords are similar to locks in that most locks will thwart a casual thief, but they will not stop a professional.

- Create a password-protected screensaver activated after a few minutes of inactivity. This feature is usually incorporated as part of the workstation's operating system. When activated, the screensaver continues to block anyone from seeing behind it. A password is required for deactivating the screensaver. If a malicious user attempts to restart the computer, depending on the operating system, it may require a password to restart the computer; if this is not the case, when a BIOS password is installed, it will prevent any system restart.

- Install operating systems that create individual password-protected user profiles. Many operating systems, such as Windows NT or XP and Linux, allow individual password-protected user accounts to be created. In this fashion, as the system boots and launches the operating system, it requires a password before the user may access the operating system, applications, and data.

- Install biometric devices, which is equivalent to installing a deadbolt on a door. Biometric devices restrict access to systems based on the unique physiological characteristics recognized by the device. Examples of effective biometric identifiers are fingerprints, iris and retina scans, and voice.

- Disconnect from open-ended networks such as the Internet when you are not actively using them. As long as you have an active connection to an insecure open-ended network, malicious persons have a channel to access your workstation. This risk can be minimized by disconnecting from the open-ended network. This means disconnecting your dial-up modem, DSL (Digital Subscriber Line) connection, or ISDN (Integrated Services Digital Network) terminal emulator when you finish each session. If attackers cannot reach the system, they cannot do anything malicious.

- Install personal workstation firewalls to protect your workstation while it is connected to the network, whether the network is closed or open ended. Many employees think their computers are protected by the network firewalls, and indeed they are. Having a personal firewall installed is another layer of protection against attackers. Individual workstation firewalls are usually inexpensive.

- Disable cookies for privacy. If cookies, small bits of code sent from Web sites to your browser and stored on your hard drive for identification and tracking purposes, frighten you, then disable them. Most browsers have security features that prompt you before accepting cookies, so you have the choice of accepting them or not. Regardless, it is prudent to delete cookies on a regular basis. Within most browsers there are methods to delete cookies. It is important to note that cookies are not generally malicious in themselves, but they are read by some Web sites and used to track the Internet browsing habits of the workstation's users.

- Avoid spyware. There are small applications that are somewhat malicious in that they track your Internet browsing habits and are considered more intrusive than just ordinary cookies. Some spyware lodges itself in the operating system's registry and lettered drives. Scanners are readily available that search the workstation's drives and remove the offenders. Users should scan for spyware at least weekly.

- Protect the user's identity. Applications offer to save your login name and password so you do not have to enter them each time you visit the site. By activating this feature, you are allowing the login name and password to be stored on the workstation's hard drive, and anyone with access to your hard drive can capture these bits of information.

- Some word processors incorporate the user's registration information in the content of the document. Of course, this information will not be displayed by the word processor, but can be viewed when displayed in a simple text editor. Be mindful of this feature when you enter application registration information.

- Install and update your antivirus software. This is a matter of good business sense. Antivirus software must be installed on all workstations, must be activated upon the system's startup, and must be updated regularly. Most antivirus programs look for viruses and other types of malware. Fortunately, most antivirus developers sell update subscriptions and their applications can be configured to retrieve updates automatically. With the amount of malware circulating on open-ended networks, it makes sense to activate the antivirus shielding while using the Internet and scan for malware at least weekly.

- Disable file and printer sharing features in the workstation's operating system. This is a favorite vulnerability permitting attackers to gain unauthorized access. If you must allow this type of sharing, be sure to enable the password feature with a very strong password. Regardless, it is strongly recommended that unless there is a very compelling reason, disable file and printer sharing on all workstations.

- Collect all sensitive trash daily for burning or shredding. There has been more than one active password collected from unburned trash.

- When it is time to dispose of computer-related equipment and media in the form of floppy disks, hard drives, CDs, CD-Rs, and the like, it is important to have very specific procedures. All computers should have their hard drives removed before disposal. All media, including hard drives, should be burned in the incinerator. Commercial burning at very high temperatures is the only reliable way to be assured of media destruction.

Information Systems Support Policies

Workstations, servers, and mainframes require many of the same support policies. Work areas must be clean and air conditioned. On a daily basis, housekeeping resources must enter all work areas except the data library, server, and mainframe rooms for cleaning. There must be policies eliminating the presence of food, beverages, and smoking in the vicinity of computer equipment and media. This may be a harsh idea but more than one laptop/desktop has met its end by a spilled café grande.

Data libraries where real-time and backed up data are stored are perhaps the most critical areas of the workplace. Generally, data libraries store magnetic tapes, optical disks, magnetic disks, application media, and paper-based documents. Often, there are data libraries required for ready access on the office site, while remote data libraries store materials in the event of disaster.

There should be policies governing the conduct of data libraries and the duties of the data librarian. The primary duty, of course, is to support the business' computer operations. Following is a list of data librarian duties for policy consideration:

- Upon receipt of new media, the librarian compares quantity received with the original order and billing information. If incorrect, the librarian notifies the operations manager.

- Inspects all media for physical damage. If any media is damaged, the librarian notifies the operations manager.

- Logs all new media and assigned identification numbers.

- Acknowledges all receipts and deliveries with the operations manager.

- At no time is the librarian to have access to applications or information systems of any kind, preserving separation of duties and least privilege.


Data Entry
Many senior managers have forgotten that data entry is still a vital part of business operations. There is a need to convert raw, bulk data such as credit card applications into a familiar format for use by information systems. Many companies utilize both centralized and decentralized data entry systems. In fact, it is becoming very popular to package and ship forms to foreign countries with relatively low labor costs for data entry. In most cases, the equipment of choice is the online monitor and keyboard; there are others consisting of bar code readers, optical or magnetic character readers, and voice recognition. Policies and procedures for online data entry are as follows:

- All employees and terminals are identified by proper codes to ensure that only authorized equipment and employees enter data.

- When the data is displayed on the monitor correctly, the operator keys in the proper code to transmit the data to the computer.

- All data is checked by the computer system, ensuring that the correct data is being entered. For example, if a field is no more than seven numerical characters in a specific range, the computer will not allow the operator to enter incorrect characters.

- All data entered are logged by terminal number and the data entry employee.

- At no time are the data entry employees to have access to computing hardware outside what is necessary for them to enter data.

- At no time are the data entry employees to have access to applications other than what is necessary for them to enter data. These last two steps help preserve separation of duties and least privilege.
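The online data-entry controls listed above, sketched as an added example (not code from the original page): terminal and operator codes are checked, the seven-digit field is validated, a transmit code is required, and every attempt is logged by terminal and operator. The codes, the field range, and the names `validate_field`, `EntrySession` and `TRANSMIT_CODE` are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample values; a real system would load these from its own records.
AUTHORIZED_TERMINALS = {"T-014", "T-015"}
AUTHORIZED_OPERATORS = {"E1001", "E1002"}
MAX_DIGITS = 7                      # "no more than seven numerical characters"
VALID_RANGE = (1000, 4_999_999)     # assumed range for the sample field
TRANSMIT_CODE = "XMIT"              # hypothetical code keyed to transmit a record


def validate_field(raw):
    """Return (ok, reason) for one keyed field."""
    if not isinstance(raw, str) or not raw:
        return False, "empty"
    # isascii() first: str.isdigit() alone also accepts non-ASCII digits.
    if not (raw.isascii() and raw.isdigit()):
        return False, "non-numeric character"
    if len(raw) > MAX_DIGITS:
        return False, "too many digits"
    low, high = VALID_RANGE
    if not low <= int(raw) <= high:
        return False, "out of range"
    return True, "ok"


class EntrySession:
    """One operator at one terminal; every attempt lands in audit_log."""

    def __init__(self, terminal, operator):
        if terminal not in AUTHORIZED_TERMINALS:
            raise PermissionError(f"terminal {terminal!r} is not authorized")
        if operator not in AUTHORIZED_OPERATORS:
            raise PermissionError(f"operator {operator!r} is not authorized")
        self.terminal, self.operator = terminal, operator
        self.audit_log, self.transmitted = [], []

    def _log(self, event, detail):
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "terminal": self.terminal, "operator": self.operator,
            "event": event, "detail": detail,
        })

    def submit(self, raw, code):
        """Validate, require the transmit code, then log and accept."""
        ok, reason = validate_field(raw)
        if not ok:
            self._log("rejected", reason)   # added here: rejections are logged too
            return False
        if code != TRANSMIT_CODE:
            self._log("held", "transmit code not keyed")
            return False
        self.transmitted.append(int(raw))
        self._log("transmitted", raw)
        return True


if __name__ == "__main__":
    s = EntrySession("T-014", "E1001")
    for raw, code in [("0042117", "XMIT"), ("12345678", "XMIT"), ("12a4", "XMIT"), ("2500", "")]:
        print(raw, "->", s.submit(raw, code))
    for row in s.audit_log:
        print(row["terminal"], row["operator"], row["event"], row["detail"])
```

Rejected and held attempts are recorded alongside accepted ones so that an auditor can see repeated bad input from a given terminal or operator, which goes slightly beyond the list's requirement that entered data be logged.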


Technical Support
The primary purpose of the technical support units is to provide technical services to computing equipment and software users. There are basically four sections for which they have responsibilities:

1. Communications. The communications support unit is responsible for hardware, software, wiring, cabling, maintenance, and lease services for the operation of all business communications. Included here are the local area networks (LANs), wireless networks, and wide area networks (WANs). They also are responsible for telephone communications, including cellular and wireless, and their respective billing.

2. Database administration. The database manager is responsible for a number of administrators who are responsible for maintaining and controlling the processing related to the company's databases. Their related duties include:

- Selection and maintenance of database software

- Control database access and which employees can create information, read specific information, change information, add information, and delete information

- Maintain file and database backups

- Provide consultations to relevant database users

- Provide disaster-planning procedures and test them

- Report immediately any security breaches or data corruption

- Maintain directory services


The latter duty, depending on the organization's size, can constitute a sizeable part of the database administrator's duties. A directory is a collection of information for a given application. It may hold all the information relating to each application such as user access and logons. They are responsible for the directory's integrity and security. It is important to maintain a division between database support unit employees and production applications so separation of duties and least privilege are observed.

3. Software support. These are the program engineers responsible for supporting the operating systems, applications, and in-house developed and purchased software applications. Some of their responsibilities include but are not limited to:

- Make approved changes to the operating system software when directed by senior managers in writing.

- Document all changes to any production software.

- Report immediately any security issues in any production software.

- Report immediately any physical security breaches.

- Inform computer operators of programming changes in written form.

- Test new software before introducing it to a production environment.

- At no time should any programmer have access to live data in any form. Further, at no time should any single employee, programmer or otherwise, have the ability to change the operating system code or any of the production applications. These restrictions will help maintain an atmosphere of least privilege and separation of duties.


4. Workstation/server help desk. These are the employees whose work affects the majority of the organization's computer users. They generally address issues such as:

- Workstation and server configurations. They establish standard operation procedures, ensuring that all workstation and server configurations are the same from machine to machine and platform to platform. With standard configurations observed, they can readily identify security or abuse issues and handle them.

- Provide service to employees having difficulty with their equipment and software.

- Service and maintain peripheral equipment.

- Make recommendations of equipment and software.

- Monitor performance and provide feedback to senior managers.

- Train users to maximize equipment and software use.

- Maintain inventory of hardware and software.

- Maintain hardware and software licensing.

- Provide and maintain list of approved software applications.

- Test and approve software and equipment for security and place into production.

- Approve installation of specified software applications.

- Report any security violations involving users.


As with other employees, there must be a separation of duties in that these employees must never have the ability to access live production data, operating system code, or application programming.

The Auditors Are Coming. The Auditors Are Coming.

Audit policies and procedures are needed to ensure that employees are meeting management objectives, legal and regulatory requirements, and addressing risks. Auditing is covered in the next post, so it is only going to be lightly addressed here. Management audits assure that resources are being properly utilized and monitored:

- Develop and implement policies addressing human resources management, data, and facilities.

- Ensure that projects are completed on schedule and within budget.

- Ensure that projects have been completed utilizing quality models such as the SDLC.

- Develop and maintain business priorities and long-term strategies.

- Assure that controls are in place for risk detection, prevention, and correction.


Systems Development and Programming Policies
These audits are more technical than management audits and require more knowledge and detail. Frequently, organizations do not have policies governing operations, so employees are left to their own devices, making decisions they are not qualified to make. Systems development involves activities ranging from purchasing commercial off-the-shelf software systems, to developing in-house systems, to purchasing turnkey systems. All systems development must be considered in the light of confidentiality, integrity, and availability.

Organizations must have written policies and auditing programs for:

- Systems design and development through quality models

- Systems selection and procurement criteria

- Systems application development

- Program testing

- Systems implementation

- Systems monitoring

- Systems disposal

- Systems change controls

- Systems documentation

- Systems quality assurance


Data Controls
Data control policies have the objectives of addressing confidentiality, integrity, and availability of data. These features are audited in the following areas:

- Input controls to any operation must be addressed by policies and procedures. Because input varies considerably, so will policies.

- Output controls address electronic and printed media.

- Database management controls must be established by policies with compliance assured by audit activities.

- Database information backup and storage policies.


Disaster Recovery and Business Continuity
Disaster recovery audit policies also address business continuity. Audit policies must require that auditors obtain evidence that these are in place and combined with regular unannounced testing. Audits of this nature address the existence of the following policies:

- Establishment of a Risk Management team

- Critical asset identification and prioritization

- Threat: impact analysis

- Existence of critical asset safeguards

- Disaster recovery plan

- Establishment of Disaster Recovery team

- Designated employees to address public and press inquiries

- Business continuity plan

- Plan testing


Workstation Audit Policies
These audits address the use of workstations and all company-owned equipment and facilities, including:

- Access restrictions to workstations

- Inventory of software and hardware reconciled with licensing and purchase documents

- Evidence of policy and individual compliance for the procurement and installation of software and hardware

- Evidence of individual compliance with policy regarding official use

- Evidence of individual compliance with policy regarding network and workstation security

- Policy and individual compliance with regular data backup

- Evidence of policy and individual compliance with workstation housekeeping
