[AdvisorBits] GilbertWalker Group AdvisorBits - September 2001
John Walker
john@jsw4.net
Tue, 4 Sep 2001 09:31:51 -0400
This is the September 2001 edition of AdvisorBits, an informational
newsletter published monthly by GilbertWalker Group. Our intent is to raise
your security consciousness, and begin to expose you to new resources to
manage and secure your networks. To this end, each month we will present
some recent technology issues which are of interest to people responsible
for technology in small and medium-sized companies.
To find out more about GilbertWalker Group, please visit our web site:
http://www.gilbertwalker.com
***********************************************************
-- This Month's Headlines --
** Privacy Issues - Part 1 Privacy in the Workplace
** Security is a process; Keep up.
** Networking tool of the month: FTP with Windows Explorer
-----------------------------------------------------------
Privacy Issues - Part 1 Privacy in the Workplace
To whatever degree a company has information it wishes to keep private, the
introduction of technology into business complicates matters. Whether it's
the telephone, voicemail, email, or the web, companies must examine the
impact of these technologies on privacy. There are three specific areas of
concern which occur in almost all businesses: keeping information from being
stolen or intercepted, establishing trust with customers with regard to the
privacy of their confidential information, and employee privacy concerns. In
order to develop technical specifications, and to provide a framework for
the company to use when making tactical decisions regarding these issues, a
strategic policy statement is invaluable.
It is not unusual for an employee to ask us during the course of an
interconnection project, "Can my employer monitor my mail or use of the
web?" The answer to this is "In most cases, yes."
The employer pays for the phones and computers, and they pay the monthly
bills for the services. As such they have a right to say how these tools
should be used. Additionally, there are many other reasons an employer might
legitimately need to monitor employee communication. The degree to which
employers actually monitor employees' use of voice and data networks varies,
although most connections on a network should be logged for security
purposes if for no other reason.
Employers want to make sure that the employees they have are doing a good
job. To avoid any confusion on this point, a well-written acceptable use
policy (AUP) should include reference to any monitoring the company actually
performs. A clear written statement by the employer regarding the type of
monitoring, if any, that the company performs, and the reasons for doing so,
should help employees to understand that the policy is for the good of the
company and not an Orwellian restriction meant to imply distrust. A well
crafted policy probably allows for limited personal use of the Internet in a
manner similar to more familiar policies regarding personal use of phones.
Links to many additional articles on this topic can be found at:
http://cyber.lp.findlaw.com/privacy/workplace.html
Next Month: Protecting your client's privacy.
-----------------------------------------------------------
Security is a process; Keep up.
Modern operating systems and software are always changing. While many
manufacturers herald the arrival of new major versions, frequently much less
fanfare is given to the minor (and arguably more important) upgrades and
fixes released between major releases.
These fixes are important because they frequently fix bugs or security
vulnerabilities found after the product has shipped. When was the last time
you updated your computer's operating system? If you've changed the oil in
your car more recently, you may want to visit one of the following URLs
which contain information about getting your operating systems current.
Please keep these few items in mind before proceeding blindly.
1) If someone else (the network or systems administrator at your company for
instance) is responsible for the computer you're thinking of applying fixes
to, be sure to discuss this with them first.
2) Some specialized programs are known to fail when you upgrade the
operating system. This applies mainly to specialized software, not to
mainstream applications. If your company uses specialty software you should
attempt to verify that there are no known issues with that package, before
you perform the upgrade. (The manufacturer should have information available
in the technical support section of their web site.)
3) I don't change the oil in my car. I'm not sure if I can, but I know the
risk is not worth the savings. If you feel like this about your computer,
get some help.
Microsoft Windows Operating Systems:
http://updates.microsoft.com
RedHat Linux:
http://www.redhat.com/support/errata/
Debian Linux:
http://www.debian.org/
Remember that just because you're up to date doesn't necessarily mean your
computer is totally secure. Hackers read these pages and know that most
people don't follow good practice with regard to upgrades. Following the
recommendations will lower your exposure to risk significantly, and ensure
that if your network is compromised, it's not through a known problem with
the operating system. (Believe it or not, there are thousands of systems
still infected with the Code Red Worm, 10 weeks after the fix was released.)
-----------------------------------------------------------
FTP with Windows Explorer
FTP is probably one of the most reliable methods to transmit files between
different operating systems on an IP network. Other common methods such as
the web and email attachments have serious drawbacks and are subject to
error.
One of the main reasons we don't see more Unix-like operating systems
outside of the Internet is that for many years Windows (by far the industry
standard LAN operating platform) has not played nicely with Unix. Getting
files back and forth between Unix servers required additional software and
possibly configuration.
Windows 2000 Professional workstation has begun to address this through a
feature in Windows Explorer. By adding a "Network Place" users can make a
window on an FTP site that allows them to copy files back and forth between
two windows, just as if they were on the local system. Windows Explorer
fairly transparently handles the whole process of FTP. Note that you should
not open a file for editing from an FTP location. Copy it to your local
workstation first, edit it, and copy it back.
1) Open Windows Explorer, click "My Network Places", and double click the
"Add Network Place" icon.
2) In the "Network Location" box type an address in the following format:
ftp://user@host.domain.com/
Where host.domain.com is the server you want to transfer files to and from,
and "user" is your user id, or login, on that host. When Windows tries to
open the location, if a password is required, you will be prompted for that
password.
N.B. If you want to use this feature for anonymous ftp, leave the "user@"
off the location when you type it.
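
The same location format and the copy, edit, copy-back workflow can be scripted. The following is an added example, not part of the original newsletter; the function names parse_ftp_location and edit_remote_file are hypothetical, and it uses Python's standard ftplib.

```python
import io
from ftplib import FTP
from urllib.parse import urlsplit, unquote


def parse_ftp_location(location):
    """Split an ftp://user@host/ location into (user, host, port, path).

    When the "user@" part is left off, the login is "anonymous",
    matching the N.B. above. (Hypothetical helper for this example.)
    """
    parts = urlsplit(location)
    if parts.scheme != "ftp" or not parts.hostname:
        raise ValueError("expected ftp://[user@]host/ but got %r" % location)
    user = unquote(parts.username) if parts.username else "anonymous"
    return user, parts.hostname, parts.port or 21, parts.path or "/"


def edit_remote_file(location, filename, edit, password=""):
    """Copy filename to local memory, apply edit(bytes) -> bytes, copy it back.

    The file is never edited in place on the server. Returns the number
    of bytes uploaded.
    """
    user, host, port, path = parse_ftp_location(location)
    ftp = FTP()
    ftp.connect(host, port, timeout=30)
    try:
        # Plain FTP sends the user id and password unencrypted.
        ftp.login(user, password)
        ftp.cwd(path)
        local = io.BytesIO()
        ftp.retrbinary("RETR " + filename, local.write)          # copy down
        changed = edit(local.getvalue())                         # edit locally
        ftp.storbinary("STOR " + filename, io.BytesIO(changed))  # copy back
        return len(changed)
    finally:
        ftp.close()


if __name__ == "__main__":
    # Constructed sample locations using the placeholder host from the text.
    print(parse_ftp_location("ftp://user@host.domain.com/"))
    print(parse_ftp_location("ftp://host.domain.com/"))
```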
-----------------------------------------------------------
A word from our sponsors:
At GilbertWalker Group, we work with our clients to empower them to
effectively manage their own digital voice and data networks. Whether our
clients need assistance developing a sound AUP or privacy policy, help with
specific implementations related to the various privacy and security
concerns, or help developing an overall strategy for using the Internet,
GilbertWalker Group stands ready to help. For more information or to
schedule an introductory meeting, please contact Tom Gilbert at (413)
637-8858 ext. 11 or drop him a line at info@gilbertwalker.com.
If you have comments, questions or suggestions about AdvisorBits, please
send them to John Walker - var.run@gilbertwalker.com
-----------------------------------------------------------