In the First part of Network Security we had a brief overview of the areas that are to be considered on accessing a network's security and also we looked into a few points in each of Management and Administration areas.

Mean while the article titled "Security Scanning is not Risk Analysis" by Laura Taylor on 14th July 2002 is a good article and deals in depth with what an Organization's management has to know about Security.

Now lets continue and look into some of the finer points in each of the other areas. i.e., LAN Security, Access control, Operations.

LAN Security:

  1. Is the LAN secured from viruses? The extent of virus protection can be gauged by looking into the Anti viruses programs installed in the Network. Things like:
    • Does the Mail gateway to the network have an online antivirus?

       

    • Do the Servers in the network have an online antivirus (having antivirus only on the servers will suffice if the end user has no external net access and has no access to hardware to install new softwares like using a floppy, etc.)

       

    • Is the third party media (such as Floppy/CD-ROM) access controlled (like check for viruses, etc.)

     

  2. Is the communication between systems controlled?

    Are the systems being properly isolated (Like in cases the Production systems should be separated from the development systems etc.) or are they provided with proper gateway access (setting of Firewall for control of access between intra-networks, etc.)

     

  3. Are software/hardware acquisitions/disposals controlled?

     

    • Check whether there is an established procedure for acquiring any new software/hardware requirements (Usually its required to get proper clearance and a proper channel for acquiring any new software/hardware required).

       

    • Even the disposal of the hardwares should be done with due permissions and through proper channel ( Improper disposals of Hardware like harddisks etc. can prove to be a great security risk).

       

    • Check for unauthorized software/hardware installed on the LAN. This check should be done manually on each of the systems in the network.

       

    • Check for Trojans/Root kits etc.

     

  4. Check for the ports that are open in each of the system.

    Use a port scanner to detect any unwanted services running on the network. Any unwanted service/port open on the network is bound to pose a serious threat for security, usually its because it may be a backdoor/Trojan or since the administrator isn't aware of this service he may not be monitoring the secure/insecure usage of the service.

    This (point 4) is what is usually mistaken for a vulnerability assessment. Hope this article produce some awareness on real vulnerability assessments made by professionals and organizations give a serious thought of vulnerability assessment.

     

  5. Firewall and ACL Configuration

     

    • Are the Firewall policies and Access Control Lists properly maintained/updated when changes are made to the network access.

      Usually when any changes are made to system access (in case of removal of a system from network) most of the administrators fail to cross check this change with the firewall ruleset (in case this system has access to a classified server, this ruleset still exists ) and this may be misused. Similarly the Access Control Lists should be cross-checked when any changes are made in the user/group accounts.

       

    • Does the firewall contain rules to prevent denial of service attacks, rules to prevent spoofing ( eg: requests coming from outside network has IP originating from local internal LAN). These are some of the most basic rules that should be present in any firewall.

       

    • Check for existence of backup firewall incase of failure of the primary one.

     

  6. The upload/download process should be monitored. (The user should be notified about his upload/download process and mails being monitored if it is being monitored).

     

  7. Does the source and destination of the data transfer authenticate each other or are the source/destination traceable (Use DHCP for LAN address allocation usually based on Mac addresses).

     

  8. Check that the software license compliance exists. (i.e., make sure that the users are using legitimate software and aware of software licensing).

    Do checks for accounts holding privileged rights, unused accounts, is there adequate support staff for providing user support and is there any backup administrator in case of his absence. Is data being transported in encrypted mode whenever necessary.

Access Control:

Check that the user access is controlled appropriately. There are various guidelines to be followed when checking for user access. Each user's privileges must be defined, documented, and controlled with appropriate access controls.

 

  • Look for the user name and password policy.

    Each user should have a unique user name. The password set for (by) the user should be of a minimum length of 6 characters, should contain a combination of alpha and numerals and one special character (such as * # % ^ & $ etc.). Users/Admins should avoid having passwords which are easily guessed like the same as username, username backwards, etc., The password should be changed regularly (a password expire period should be set).

     

  • Check for guest user access rights and ex-staff accounts (should not be present).

     

  • Accounts should be disabled on 4-6 unsuccessful login attempts and systems disconnected on certain time of inactivity after the connection is established to a particular system (this requires settings to be done on the servers being accessed).

     

  • Dial-up access should have another level of access control apart from user id and password (like callback)

     

  • The access should also be time controlled

Operations:

It is not necessary that there should be an operations department in each of the organizations. Some organizations suffice with only one IT department which handles all of these areas discussed. The organizations structure is not so important. But when implementing/assessing security, due care is to be taken on describing the duties for each of the concerned department personnel.

 

  • The physical transmission media like LAN cables, Routers, Switches, etc. should be adequately protected.

     

  • The LAN servers should be secured from physical access too. Unauthorized personnel shouldn't be able to get near it.

     

  • Are the Systems, Peripherals, and devices being protected from fluctuations/disturbances in electric power supply. (Usually the network should contain an online UPS system to protect against electric power fluctuations and backup). The setup should also ensure non-stop working of these devices. Hence there should be a backup power supply.

     

  • The data backup should be taken regularly according to a schedule (full, incremental backups) and tested for restoration and backup errors.

     

  • The backup media should be physically secured. A weekly backup should be placed at a different physical location (different branch office) under safe custody in case of calamities like fire, flood, etc.

     

  • The recovery process should be tested periodically.

     

  • The organization should ensure an adequate staff capable of supporting the users and performing backup and recovery operations. Also ensure their availability at any time required. The user should know whom to contact on what kind of problems and how to reach them, for this the users should be briefed about their actions in such situations.

     

  • Checks should be performed to adequate availability of resources (backbone, traffic on the file server and the ability of the file server to handle these loads). This check is to be performed on each of the generally accessed systems and the critical servers.

     

  • The access to critical systems (not necessarily limited to this) should be restricted with proper tools like keys, badges, electronic sensors, movement sensors, biometrics identification.

     

  • Are the keys to important cabinets and rooms in safe custody.

     

  • The system rooms should be properly protected against fire, so existence of Fire alarms, Fire extinguishers are all good signs of proper security.

     

  • The computer systems should be periodically maintained, cleaned and a log of the same done kept for cross checks.

     

  • The users/admins should be adequately trained for the duties to be performed, reporting problems.

     

  • The users should be informed/warned about their intrusive activities (if any) and a procedure described for actions taken against them.

Literally speaking everything listed in these parts are only guidelines to consider. An actual assessment depends on the kind of organization, their use of Information Technology, number of systems, kind of data storage, type of business the organization does. Some of these points may prove to be too much to consider in some situations (and I consider this to be too little). A security audit should take into account anything that's potential threat for disclosure of data, providing access to any unauthorized persons, improper use of resources, or the inability to handle breakdown of systems.

I hope this article is of some help to someone somewhere in the globe.