INFOLINK Tech Talk - PowerPoint PPT Presentation

1 / 32
About This Presentation
Title:

INFOLINK Tech Talk

Description:

Aristotle c. 360 BC 'Knowledge is Power' - Francis Bacon, 1597 'Forbidden Donut' ... Symantec Antivirus Research Center - http://www.sarc.com ... – PowerPoint PPT presentation

Number of Views:184
Avg rating:3.0/5.0
Slides: 33
Provided by: jeffrey78
Learn more at: http://www.infolink.org
Category:

less

Transcript and Presenter's Notes

Title: INFOLINK Tech Talk


1
INFOLINK Tech Talk 3Computer and Network
Security
  • Presented by Jeffrey Bombell, American Computer
    Technologies

2
Why do we need security?
  • All men by nature desire knowledge
  • - Aristotle c. 360 BC
  • Knowledge is Power
  • - Francis Bacon, 1597
  • Forbidden Donut
  • - Homer Simpson, 1989

3
Why do we need security?
  • 70 of all security violations happen from within
    an organization.
  • Of that 70, most attacks are not attacks.
    People make honest mistakes that cause bad things
    to happen.
  • Of outside attacks, targets are normally unknown
    to the attacker.
  • Most administrators are oblivious to the number
    of attacks that are attempted each day.

4
Overview
  • Client Security
  • Server Security
  • LAN/WAN
  • Social Engineering
  • Tools
  • Developing A Security Plan

5
Client SecurityCurrent State
  • Most of the measures in libraries today address
    acceptable use, not security.
  • Anti-virus is only as good as its last update.
    Antivirus program updates are released weekly.
  • Most 3rd party software based security measures
    can thwarted on Windows 9x and ME systems.

6
Operating Systems Laying the ground work
  • Start with an OS that can be hardened easily
  • Windows 2000
  • Windows XP
  • Mac OS-X
  • UNIX (Solaris, Linux, BSD)
  • Windows 2000/XP
  • Always install on a NTFS file system
  • Remove all unnecessary programs
  • Set Group Policies
  • Use PAC from the Bill Melinda Gates Foundation

7
Client Security
  • Secure the computer's BIOS
  • Install the computer with minimal operating
    system features
  • Require user authentication
  • Keep the operating system and applications up to
    date with patches
  • Install anti-virus software - UPDATES!
  • Install desktop security software
  • Securely configure applications
  • Educate and constantly remind staff about the
    need for security

8
Client SecurityLockdown
  • Lockdown software can control the computer at the
    application level and the OS level.
  • WINSelect http//www.winselect.comUsing a
    proprietary non-registry lockdown method.Allows
    for customizable restrictions on most features on
    most programs.
  • Fortress http//www.fortress.comSimilar to
    WINSelect, Fortress monitors each action the user
    performs and determines if it is authorized or
    not.
  • Secure PC http//www.citadel.comSecure PC uses
    registry manipulation as well as direct
    monitoring of application functions.

9
Client SecurityMenu Replacement
  • Menu Replacement / Kiosk Software
  • Menu replacement software replaces the standard
    windows desktop with a third party program. Menu
    replacement programs replaces the Windows
    interface with their own and present the user
    with a different desktop, usually without the
    Start Menu, Task Bar, etc.
  • CARL http//www.tlcdelivers.com
  • WinU http//www.bardon.com/winu.htm
  • CybraryN http//www.cybraryn.com

10
Client SecurityRoll Back
  • Roll Back Gives the ability for users to make
    changes on a system and later revert back to the
    former state.
  • DeepFreeze http//www.winselect.com
  • CleanSlate http//www.fortress.com
  • RestoreIT http//www.farstone.com

11
Server Security
  • Same general guidelines as with Client OS
    Hardening. Enable only what is needed.
  • Not running a web server, get rid of IIS.
  • Limit who has access to Administrator accounts.
  • Impliment strong passwords
  • Change Passwords Often

12
Central Adminitration
  • Terminal Services and Citrix Metaframe
  • Move application loading to the server.
  • Requires full-time trained IT Staff.
  • Implement Active Directory to centrally manage
    group policies on Windows networks.
  • Requires Windows 2000 or XP on the client.
  • Requires client logons to be enforced.

13
LAN/WAN Security
  • Partition the network. Keep the public access
    computers separate from the day to day business.
  • xDSL is cheap and more than enough service for
    public access. Verizon DSL starts at 60/mo for
    768Kbps/128Kbps (that is ½ the download speed of
    a T1) up to 205/mo for 7.1Mbps/768Kbps.
  • The average T1 circuit and service is _at_ 600/mo

14
LAN/WAN Security
  • Firewall
  • Separate DMZs for public and private networks
  • Content Filtering
  • Application Filtering
  • Disallow access to harmful or disruptive internet
    applications.
  • Policy Enforcement

15
Social Engineering
  • What the _at_! is Social Engineering.
  • Social Engineering is generally a hackers clever
    manipulation of the natural human tendency to
    trust.
  • http//www.securityfocus.com

16
True Stories From ComputerWorld Shark Tank
  • Pilot fish quits his county government job but
    still has his e-mail account to help during the
    transition. Then he receives a message from a new
    IT guy, asking all users with remote access for
    their phone numbers, log-ins and passwords. "I
    hoped all the users I had repeatedly schooled in
    security would refuse to respond," says fish. But
    one department head not only e-mails his
    password, but also clicks on "Reply to all," fish
    says -- "so every user in the county got
    themessage."
  • http//www.computerworld.com/departments/opinions/
    sharktank

17
Social Engineering
  • Teach your employees who is authorized to gather
    information about your systems.
  • Teach your employees what information should
    never be released.
  • Employees passwords are for their use only. No
    one else should ever need it.
  • Administrators have their own passwords that
    allow them to do anything you can do.

18
Security Tools
  • TRINUX - http//trinux.sourceforge.net/ -
    Trinux is a ramdisk-based Linux distribution
    that boots from a single floppy or CD-ROM, Trinux
    contains the latest versions of popular Open
    Source network security tools for port scanning,
    packet sniffing, vulnerability scanning, sniffer
    detection, packet construction, active/passive OS
    fingerprinting, network monitoring,
    session-hijacking, backup/recovery, computer
    forensics, intrusion detection, and more.
    Trinux gives you the power of Linux security
    tools without requiring a full-blown Linux
    install or the need to download, compile,
    install, and update a complete suite of security
    tools that are typically not found in mainstream
    distributions.
  • TRINUX is FREE and is on your CD
  • \Network Security\TRINUX

19
Security Tools
  • Internet Security Scanner http//www.iss.net
  • A suite of producs for security assessment and
    active security scanning of clients, servers and
    network.Will evaluate systems for open holes,
    security patches strong passwords, etc.
  • Cost may be prohibitive for a single library.

20
Security Policy Components
  • Objective or Abstract
  • Scope
  • Responsibilities
  • Physical Security
  • Network Security
  • Software Control
  • Disaster Planning
  • Acceptable Use Policy
  • Security Awareness
  • Compliance
  • http//www.infopeople.org/howto/security/basics/se
    curity_policies.html

21
Objective or Abstract
  • The Objective or Abstract should be a mission
    statement that defines objectives of the policy.
    It summarizes what types of assets are important,
    what is the need to protect them, and summarizes
    procedures to be followed to protect assets.

22
Scope
  • The Scope defines the specific assets to be
    protected by the policy, based on the Risk
    Assessment. It also defines who must follow the
    policy, such as members of the public, employees,
    outside contractors, and vendors.

23
Responsibilities
  • The Responsibilities component describes who is
    responsible for protecting assets defined in the
    scope, and how. It generally outlines users'
    security responsibilities, but it can also
    include roles of particular users, such as IT
    department managers and administrators.

24
Physical Security
  • The Physical Security section states how the
    library will physically protect its facility and
    assets. It should also state who has access to
    restricted areas, such as server rooms and
    telecommunications closets.

25
Network Security
  • Network Security states how the library will
    protect data stored on the network(s). It should
    include information on
  • Workstation security
  • Access control and authentication
  • Securing of file systems
  • Backups and restoring backups
  • Remote access
  • Network monitoring
  • Port restrictions
  • Filtering
  • Firewalls, proxy servers and border routers

26
Software Control
  • Software controls should should be in place
    stating how your organization uses commercial and
    noncommercial software. It should describe
  • Procedures for the purchase of software
  • Procedures for installing software,
  • Procedures for downloading software from the
    Internet

27
Disaster Planning - Hardware
  • List all critical assets
  • Complete a detailed hardware inventory with
    hardware specifications needed for critical
    assets
  • Compile a list of the personnel, including
    contact information, needed to restore service.
  • Establish a restore priority.
  • May include vendors

28
Disaster Plan - Software
  • Estabish a data backup plan.
  • Determine need for off-site storage locations,
    contact information
  • Compile information on what is backed up and
    when.
  • Compile a list of personnel, including contact
    information, needed to restore data.
  • Estabish a restore priority.
  • May Include Vendors

29
Acceptable Use Policy
  • An Acceptable Use Policy details the ways in
    which
  • The network can be used, including use of the
    Internet
  • Patrons may use the computers
  • Computer use limitations are imposed (such as
    time constraints or filtering restrictions)
  • Handling violations to the Acceptable Use Policy.

30
Security Awareness
  • Security Awareness outlines what level of
    awareness of security issues staff are expected
    to have. This should include some information
    on new user training of security issues. This
    is one of the most important parts of a security
    policy. This will help stop any social
    engineering efforts before they happen.

31
Additional Information
  • The SANS Institute http//www.sans.org/resources
    /policies/
  • Computer Emergency Response Center -
    http//www.cert.org
  • Symantec Antivirus Research Center -
    http//www.sarc.com
  • Security Focus - http//www.securityfocus.com/

32
(No Transcript)
Write a Comment
User Comments (0)
About PowerShow.com