Southeastern News Online May, 2004 Vol. 2 No. 1
View from the Perimeter Fence: A look at SENYLRC's IT Security Policy
As I write this, yet another major virus (W32.Sasser) is worming its way through the annals of the Internet. Everyone from your average Joe User to corporate Manager Jane is scrambling to keep the new virus at bay or, worse, stop the virus from causing further havoc and infecting more machines at their sites. Some will have an easier time with this than others. Here at SENYLRC, I’m not worried. Vulnerabilities in Windows’ Local Security Authority Server Service, which are used by the new virus to spread itself without the need of the user to open anything, were fixed in a Critical Update that has been posted on Microsoft’s web site since April 13th. That same update was applied to SENYLRC systems about a day after its introduction. Thus, as my regular network scans and checks of SENYLRC systems have proven, we have weathered the storm.
Because of threats like this, the IT security policy I adhere to for SENYLRC systems is strict. Security of my systems is my number one focus, above any other project or goal. The reason for this is simple: A SENYLRC system that’s providing a service (a web site, for example) can’t provide that service if it has been infected with a virus or compromised by a cracker who has prevented the server from performing its function. That same server will not perform any function at all if it must be taken down so that damage from infection or compromise can be repaired. A little time spent performing preventative maintenance pays off in the end. So how do I keep SENYLRC systems as safe as possible?
Patch It!
A very picky firewall (on which I shall not elaborate) and persistent patching. Each day, I scan websites of various pieces of software we run. This includes Microsoft’s Security web site (http://www.microsoft.com/security), Windows Update (http://windowsupdate.microsoft.com), the web sites for various open-source packages that we run, and web sites dedicated to keeping systems people up to date with what’s happening in the security world. I’m also a member of a few of the SecurityFocus listservs (http://www.securityfocus.com), which provide reports of various vulnerabilities in almost any program imaginable. But that’s not all. Simply reading about this stuff and being concerned isn’t nearly enough. Each program on our Linux and UNIX systems has its own set of vulnerabilities. Patches to upgrade each piece of software are released constantly, which means that half of my security time is spent patching this software as well as patching the Linux and UNIX operating systems themselves. As for the SENYLRC systems running Windows, each has been set up to check for critical security patches daily, and install them without intervention. In the case of a staff PC, the staffer using it may be asked to reboot when the patch has been finished, but the user is always given the choice to reboot later. I also manually install fixes which do not appear as critical but are deemed to be important. In the case of a server, updates are tested on one server for a period of time. Thereafter, assuming that the patch didn’t disrupt the test server at all, the patch is applied to the remaining servers immediately. Though the preceding may not seem like much, it still amazes me that most people are not current with their Windows Updates. Many aren’t even aware of the need to apply these fixes and that yes, they do actually matter. Some don’t bother to check at all.
This bothers me the most, since Windows has built-in updating functionality and Internet Explorer often takes users to Windows Update instead of their homepage when they start it up. Most users click away from it without even reading it. The most recent virus, which was fixed by an update that was released two weeks before the virus itself, could be prevented with just a few minutes of users’ time spent using Windows Update. Fortunately, Microsoft is thinking about changing the way that Windows updates itself with the next major update to Windows XP. Windows XP’s Service Pack 2 is slated to change Windows’ default behavior from “update when the user says so” to “update first, then tell the user”. It’s a policy of which I am a huge fan. The proliferation of the cable modem, which has helped speed the spread of the viruses immensely, is another reason I am looking forward to Windows XP Service Pack 2.
Anti-Virus Software
Of course, patches aren’t all. An equally important measure is good, reliable anti-virus software. And contrary to popular belief, just installing the software and leaving it alone is not enough. You need to update your anti-virus software, too! SENYLRC’s anti-virus software updates itself daily. All machines are also scanned for viruses daily. This scan is done in the background as the machine is used for other tasks. Even in a “non-personal” (not-for-home-use) environment such as a library or a business, this can be achieved without spending too much money. Grisoft’s AVG (http://www.grisoft.com) is an excellent anti-virus tool that is available to non-profit organizations and schools at a decent discount. Even without the discount, it’s an excellent deal. Of course the best thing about AVG is the fact that if you’re going to use it at home (for personal use only), you can get it for free. That’s right…free! Both the Free Edition and the licensed versions scan files on-the-fly as well as scanning your entire hard disk at regular intervals. They scan e-mail messages as they are received and sent, and both versions can update themselves at a user-specified interval. Here at SENYLRC, AVG has been very effective. If you don’t have anti-virus software, or you have anti-virus software with an expired subscription, it’s time to either pony up the dough and pay the subscription, or move to another anti-virus solution. The money you’ll spend now is well worth it when you consider the headache from which you’ll save yourself later. You can find information on various viruses as well as free tools for their removal at Symantec’s Security Response web site: http://securityresponse.symantec.com/.
Firewalls
Yes, I know. Many of you hate them. But firewalls are a fact of life. A well-configured firewall will stop Sasser in its tracks. SENYLRC does have a firewall in place. SENYLRC’s firewall is configured to be as safe as possible while allowing the users behind it to have as much flexibility as possible. How much flexibility they have depends on who is actually trying to use the Internet. Servers and staff have much more leeway than someone who is using our wireless network during a training session. And although all of SENYLRC’s machines were patched to protect them from the Sasser worm, I was still comforted by the fact that the firewall was there to help prevent infection should patches fail or undisclosed vulnerabilities allow infection from other sources.
In Summary
Security is not something that should be taken lightly. Both IT professionals and end users must make an effort to keep their systems patched and as secure as possible. All users of computer systems have a responsibility to keep their computers safe, just as those who own a car have a responsibility to keep that car’s brakes, tires, and other equipment in good order to ensure that it’s safe to drive. If you can’t do it yourself, hire someone to come in and keep you secure. It’ll be worth the money and you will benefit from it later when Bob down the street is complaining of computer problems related to a new virus and you are able to sit back and know that you are as protected as possible.
Next time, we’ll look at SENYLRC’s wireless network, why it’s not a public “drop-in” network, and talk a little about e-mail spoofing.
By Christopher Hyzer, Systems Manager