Tag Archive for 2005

| June 7, 2005
Comments Off on Anti-Spyware Best Practices

Anti-Spyware Best Practices

·Anti Spy-ware Best PracticesAnti Spy-ware Best PracticesMake a spyware protection company policy. To protect your business’s best interests, anti-spyware protection should be required software on every computer.

Use more than one anti-spyware application

Regardless of what anti-spyware vendors claim, you almost always need more than one program to protect against a lot of adware and spyware. Experts say the best protection you can get is only probably around 70% using a combination of the two leading anti-spyware programs.

Use a centrally managed anti-spyware solution

Centrally managed software usually works best for companies with more than just a handful of computers. Spyware protection is no different. There are several vendors, such as Webroot and CA, which offer such software. If you have roughly 10 or more Microsoft (MSFT) Windows-based computers and want to save time, effort, and money in the long term, you should definitely consider this route.

Use a layered defense

The best defense against any information threat is a layered defense. You have a greater chance of defending against spyware if you use anti-spyware software combined with anti-virus software, personal firewalls, and host anomaly detection/intrusion prevention software. You can even help prevent infections at the network perimeter by utilizing spam and content filtering for inbound emails.

Lockdown your systems

A spyware defense that deserves separate mention is to configure Windows and Internet Explorer to be more secure. There are simple things you can do that will make a world of difference. For starters, make sure your systems are configured to be “hardened” from the elements. Roberta Bragg has written extensively on this topic at SearchWindowsSecurity.com. These hardening tricks are very easy to implement, and you can even push a lot of them out via Active Directory Group Policies.

Also, configure Internet Explorer (or whichever browser you use) to have pop-up blocker protection. This feature is built into most new browsers, and there are several well-known third-party applications for this. A good one for Internet Explorer is the free Google toolbar. It not only blocks most pop-up ads that harbor spyware, it also serves as a quick and convenient way to perform Google queries while browsing the Internet.

Use a more secure browser

Internet Explorer is a huge target for pop-ups, phishing, executable code, and other hacker vectors. If possible, use a more secure Web browser such as Firefox or Opera. These browsers likely have 99% or more of the functionality your users need with less hassle.

Install anti-spyware protection before new computers are deployed

Rather than installing spyware protection and cleaning utilities after you suspect infections, put it on systems before they’re deployed into the wild. For existing systems, simply install your favorite anti-spyware application such as Spybot Search and Destroy, Ad-Aware, or PestPatrol (or a combination of two or more). Let the software clean your systems and simply keep it running full-time in the background to act as a preventative layer to keep your systems protected.

Protect every Windows-based system on your network

Anti-spyware software is no longer just for workstations – it needs to be on servers, laptops, and any system running Windows – regardless of whether or not they are networked. Windows is the OS of choice for most spyware infections (at least for now) so make sure every single Windows-based system has protection.

Remote users might not be receiving updates

If you have remote users, remember that their systems may not be receiving the proper anti-spyware and other software updates.

Educate your users

User gullibility, ignorance, and carelessness are the main causes for infection. People clicking “yes” or “OK” in pop-up windows allowing software to be installed opens up the floodgates. Downloading and running seemingly innocuous programs doesn’t help the cause either. Educate your users on what to do and what not to do. Give them examples of what can happen when spyware infects a computer and how that relates to their everyday job functions. It’s amazing how much buy-in you can get using this technique.

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , ,
| June 3, 2005
Comments Off on Network Security Layering

Network Security Layering

Network Security LayeringMost companies are prepared for threats to their networks from the outside world. However, security breaches from within the corporation often pose the biggest concern. In this post-Enron world of increased corporate governance, IT managers must deal with both technical and human challenges to meet their companies’ security requirements. New legislative mandates, such as the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act, and the Graham-Leach-Bliley Act, also exist.

When considering securing a network, it’s essential to take a holistic approach, from the physical layer to the application layer. Thorough security policies, appropriate authentication mechanisms, and effective user education must complement the technologies implemented within the network.

The security-layering concept allows for variable-depth security. Variable-depth security occurs when each security level builds upon the capabilities of the layer below, resulting in more stringent security moving up through the layers. This can help protect organizations from security breaches that may come from within, as layering provides multiple measures of security controls.

The first security layer: VLANs

At the first layer, essential network compartmentalization and segmentation can be provided by virtual LANs. This allows various business functions to be contained and segmented into private LANs. Traffic from other VLAN segments is strictly controlled or prohibited. Several benefits may be derived from deploying VLANs for small to midsize businesses across the company’s multiple sites. These include the use of VLAN “tags.” VLAN tags allow traffic segregation into specific groups, such as finance, human resources, and engineering. It also prevents the separation of data without “leakage” between VLANs as a required element for security.

The second layer: Firewalls

The second layer of security can be achieved with perimeter defense and distributed firewall-filtering capabilities at strategic points within the network. The firewall layer allows the network to be further segmented into smaller areas, monitors it, and protects against harmful traffic from the public network. In addition, an authentication capability for incoming or outgoing users can be provided. The use of firewalls provides an extra layer of protection that’s useful for access control. The application of policy-based access allows the customization of access based on business needs. Using a distributed firewall approach affords the added benefit of scalability as enterprise needs evolve.

The third security layer: VPNs

Virtual private networks, which offer a finer detail of user access control and personalization, can be added as a third layer of security. VPNs offer fine-grain security down to the personal user level and enable secure access for remote sites and business partners. With VPNs, dedicated pipes aren’t required since the use of dynamic routing over secure tunnels over the Internet provides a highly secure, reliable, and scalable solution. VPNs with VLANs and firewalls allow the network administrator to limit access by a user or user group based on policy criteria and business needs. VPNs give more robust assurance of data integrity and confidentiality, and strong data encryption can be enacted at this layer to provide more security.

The fourth layer: Solid security practices

Best practices by the IT security team are yet another level in a layered network security strategy. This can be achieved by ensuring that operating systems are protected against known threats. (This can be accomplished by consulting with the operating system manufacturer to get the latest systems-hardening patches and procedures.) In addition, steps must be followed to ensure all installed software is virus-free.

Securing network management traffic is essential to ensuring the network. To protect HTTP traffic, it’s preferable to encrypt all management traffic at all times using the IPsec or Secure Sockets Layer protocol. Encryption is a must even if traffic travels on the local-area network.

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , ,
| May 26, 2005
Comments Off on Vulnerabilities

Vulnerabilities

VulnerabilitiesNetwork edge devices: border routers with their admin interfaces open, so people can manage them from home, but so can anyone else

Networked printers/copiers: have IP addresses without VLANs, making them a convenient and undefended jumping-off point to the whole network.

Web servers and Web applications: With Web servers sitting off the firewall in a demilitarized zone (DMZ), they can often be the ideal gateways to internal company processes. Web servers without patches and passwords are common. Three-quarters of hacker attacks are on Web servers since that’s what’s out there. This is particularly dangerous with the proliferation of Web applications. Attacks have typically moved up into the application layer, and that’s one of the hardest things to protect against because there are no one-size-fits-all solutions. The danger, of course, is that Web applications typically connect attackers into your databases, and that can be a huge problem.

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , ,
| May 22, 2005
Comments Off on Vendor Speak

Vendor Speak

Vendor SpeakAccording to CIO Magazine article (CIOInsight, May, 2005, p. 20) by David Weindenfled, counsel for McDonald’s.

They say

They mean

“usual and customary”

“Whatever the vendor has been getting away with”

“commercially reasonable”

“Whatever the vendor considers reasonable”

“for internal business use only”

“software may not necessarily be used by your business partners or companies that you merge with or acquire”

“the current or then in effect”

“vendor can change the fees and service levels whenever it wants”

“will perform in accordance with the published specifications”

“product performs according to the vendor’s technical specifications, but not your company’s business needs”

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Project Management | Tags: , , , ,
| April 26, 2005
Comments Off on 802.16 vs. 802.11

802.16 vs. 802.11

802.16 vs. 802.11The Institute of Electrical and Electronics Engineers (IEEE) 802.16 protocol is currently the dominant protocol suite for broadband wireless networking equipment used in public deployments. 802.16 is IP, not Ethernet, allowing longer distances than the more widely known 802.11 wireless LAN.

802.11 wireless LAN802.16 has a range of up to several kilometers. 802.16 allows for the strict reservation of bandwidth and QoS. 802.16 uses polling and not the contention access method found in 802.11. 802.16 allows for automatic adaption of radio operating parameters to meet changing traffic loads and interference levels.

The 802.16 protocol suite includes several millimeter microwave frequency secondary standards.

  • 10GHz to 66GHz – 802.16
  • 2GHz to 11GHz – 802.16a

A mobility standard is in the works – 802.16e

802.16 equipment is certified for interoperability by WiMax (Worldwide Interoperability for Microwave Access). So far only a handful of pre-standard products are available and WiMax has not certified any 802.16 products.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , ,
« Older Entries   Recent Entries »