[AdvisorBits] GilbertWalker Group AdvisorBits - October 2001
John Walker
john@jsw4.net
Mon, 1 Oct 2001 21:39:36 -0400
This is the October 2001 edition of AdvisorBits, an informational newsletter
published monthly by GilbertWalker Group. Our intent is to raise your
security consciousness and begin to expose you to new resources to manage
and secure your networks. To this end, each month we will present recent
technology issues that are of interest to people responsible for technology
in small and medium-sized companies.
To find out more about GilbertWalker Group, please visit our web site:
http://www.gilbertwalker.com
******************************************************************************
-- This Month's Headlines --
** Privacy Issues - Part 2: Protecting Your Clients' Trust
** Know Your Enemy: A Book Recommendation
** Networking tool of the month: Microsoft Security Notification Service
------------------------------------------------------------------------------
Privacy Issues - Part 2: Protecting Your Clients' Trust
One part of a company's strategic privacy policy must deal with how you
safeguard the information you keep about your clients. This information may
be as innocuous as an email address or it might be more private/sensitive: a
social security number, or financial or medical information. Possible
results of disclosing this information range from the mild inconvenience of
junk email to actual damages through theft or, as is becoming increasingly
common today, "identity theft." Your clients entrust you with this private
information for better service. By informing clients of the uses you will
make of sensitive or private information and following through with your own
staff and systems, you will earn the client's trust and promote return
business.
How electronic data are stored and transmitted is of critical importance to
IT professionals. Companies must have a clearly stated and well-developed
policy on sensitive data. In less complex corporate networks, data will
typically reside on a server; access to this server will be controlled by
appropriate security measures. These will include physical security of the
server, backups, and only allowing access to data via the network to
properly authenticated and authorized users. If the corporate LAN is
connected to the Internet, additional layers of security will be required.
Firewalls are available at a variety of prices, and even the smallest
Internet-connected network shouldn't be without one. A firewall can be
anything from a small appliance, to an old PC with two network interfaces,
right up to large dedicated devices for more extensive control over, and
monitoring of, network traffic. Firewalls protect networks by allowing only
certain network traffic to pass through them. Some firewalls allow virtual
private networking (VPN) connections for access to LAN resources from remote
networks and dial-up users.
In certain businesses, such as the health care industry, these privacy
issues may be impacted by government regulations. All businesses should have
a privacy and security policy, no matter how simple. These policies should
be clearly defined and communicated to all users of the company's networks.
And finally, these policies should be reviewed periodically to ensure that
they account for changes in the nature of the information or the threat to
that information.
Next Month: Protecting and securing private data on the Internet.
More Information:
FTC - Government Information on Privacy
http://www.ftc.gov/privacy/
Center for Democracy & Technology Guide to Online Privacy
http://www.cdt.org/privacy/guide/refer/
------------------------------------------------------------------------------
"Know Your Enemy": a book recommendation
A part of every security plan must assess risk to systems and networks. Part
of this risk assessment includes knowing who poses the risk. "Know Your
Enemy: Revealing the Security Tools, Tactics, and Motives of the BlackHat
Community," a new book from the HoneyNet Project, comprehensively explains
this aspect of risk calculation. The HoneyNet Project is a group of 30
security professionals, presumably part of the 'WhiteHat community', who
donate their research and resources to studying the "enemy." Much of the
book's information is available online as white papers. Any company that
connects to the Internet faces a threat from one such enemy: the "Script
Kiddie."
The HoneyNet Project
http://project.honeynet.org/
White Paper: Know Your Enemy - The Tools and Methodologies of the Script Kiddie
http://project.honeynet.org/papers/enemy/
Link to the book at Amazon.com
http://www.amazon.com/exec/obidos/ASIN/0201746131/jsw4net
------------------------------------------------------------------------------
Networking tool of the month: Microsoft Security Notification Service
In our first issue, we told you how to protect yourself from the Code Red
worm, by using a security update available several weeks before the worm
surfaced. This month we sent an urgent advisory about the NIMDA virus
advising vulnerable users to apply the patches Microsoft made available over
a month ago. The moral is that by applying security updates as they become
available, you significantly reduce your exposure in such events. Microsoft
offers email notifications of updates when they occur. This is a low-volume
list (usually fewer than 100 messages per year) and relieves you of the
burden of continuously searching the Microsoft web site to check for
updates. The address for instructions on how to subscribe is:
http://www.microsoft.com/technet/security/bulletin/notify.asp
Please note that our recommendation regarding keeping up-to-date applies to
all operating systems, not only Microsoft products. We do not recommend
programs that automatically update systems; you should do this through an
interactive process under your control.
----------------------------------------------------------------------------
A word from our sponsors:
At GilbertWalker Group, we work with our clients to empower them to
effectively manage their own digital voice and data networks. Whether our
clients need assistance developing a sound AUP or privacy policy, help with
specific implementations related to the various privacy and security
concerns, or help developing an overall strategy for using the Internet,
GilbertWalker Group stands ready to help. For more information or to
schedule an introductory meeting, please contact Tom Gilbert at (413)
637-8858 ext. 11 or drop him a line at info@gilbertwalker.com.
If you have comments, questions or suggestions about AdvisorBits, please
send them to John Walker: comments@gilbertwalker.com