[AdvisorBits] GilbertWalker Group AdvisorBits - November 2001
John Walker
john@jsw4.net
Thu, 1 Nov 2001 21:32:10 -0500
This is the November 2001 edition of AdvisorBits, an informational
newsletter published monthly by GilbertWalker Group. Our intent is to raise
your security consciousness, and begin to expose you to new resources to
manage and secure your networks. To this end, each month we will present
recent technology issues that are of interest to people responsible for
technology in small and medium-sized companies.
To find out more about GilbertWalker Group, please visit our web site:
http://www.gilbertwalker.com
******************************************************************************
-- This Month's Headlines --
** Privacy Issues - Part 3: Privacy in Public
** We've Been Saying it for Years: A Recent Interview and IT Security
Advisories from the US Government
** Networking tool of the month: Time
------------------------------------------------------------------------------
Privacy Issues - Part 3: Privacy in Public
OK, so you've secured your private information when it lives in your LAN.
But what about when it travels on the Internet? The Internet is a very
public place: we all share the same wires out there, and it is possible for
others to intercept traffic without your knowledge.
Whenever sensitive data are transmitted on the Internet, the information
should be encrypted. Cryptographic technology today is fairly mature, and
advances have been made in standardization and interoperability.
For connections between your web server and your clients' (and your own
users') browsers, a secure socket layer (SSL) server is required. Whenever
client data are stored on the server (remember sensitive data such as credit
card information should never be stored on a web server) they should be
encrypted and preferably stored in a directory to which access is tightly
controlled. Most modern mail programs include capabilities that allow you to
encrypt messages containing sensitive information so that they may be
securely sent via e-mail.
For a number of useful free guides on this topic, see:
http://www.verisign.com
A slightly more technical explanation of encryption is available here:
http://www.pgpi.org/doc/pgpintro/
Over the course of the last three months, we have discussed three separate
aspects of privacy, which is only one issue that companies face in securing
their business networks. Through developing an information security policy,
and implementing procedures to support that policy, your company will be
better able to manage its information technology. Ensuring privacy will
encourage clients to provide you with valuable information and inspire
confidence in the company's strategic partners.
------------------------------------------------------------------------------
We've Been Saying it for Years: A Recent Interview and IT Security
Advisories from the US Government
There's a really good interview with Richard Clarke, President Bush's new
Cyber Terrorism Czar, published by InformationWeek on October 15th. Mr.
Clarke lays out some very even-handed observations about the current state
of IT security.
##### Excerpt: ######
InformationWeek: How would you summarize the government's message to the IT
industry and corporate IT departments?
Clarke: In the short term what people need to do is increase security
awareness in their companies.
We are all sloppy with access to our systems, with password security. We
don't conduct information security awareness programs very often. We are all
now being more cautious about access to buildings, wanting to know what's in
a truck before it comes near a building, all of the kinds of things we are
doing for physical security.
We also need to be more cautious with information security, virtual
security, as well. Most companies have information security specialists on
staff or a contract [with security firms] that can tell them what to do. The
bottom line is, stop being sloppy.
#####################
Read the whole article at http://informationweek.com/story/IWK20011012S0039
It's also interesting to note that the FBI rates the threat to the National
Infrastructure above the threat to the US Government. See more information
about the "Awareness of National Security Issues and Response" web pages at:
http://www.fbi.gov/hq/nsd/ansir/ansir.htm
The National Infrastructure Protection Center has as its primary mission to
"detect, deter, assess, warn, respond, and investigate unlawful acts
involving computer and information technologies and unlawful acts, both
physical and cyber, that threaten or target our critical infrastructures".
Among other things, they maintain a list of current international threats
which is of use to systems administrators. Read more at:
http://www.nipc.gov/
----------------------------------------------------------------------------
Networking tool of the month: Time
Do you ever wonder why your computer's clock never seems to be quite right?
Computer clocks "drift" at varying rates. One solution is to use built-in
features of your operating system to synchronize your clocks to a single
reference clock. The following commands are used to accomplish this on:
Windows 2000
C:\>net time /SETSNTP:timeserver
Windows NT and Windows 98 (Must be run each time the computer starts up)
C:\>net time \\timeserver /SET
To find a list of publicly available time servers please see the Network
Time Protocol (NTP) page at:
http://www.eecis.udel.edu/~ntp/
The NTP site will also be of use to Unix and Linux users who wish to
synchronize their clocks.
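The offset calculation an SNTP client performs when it synchronizes to a reference clock, shown as an added example that is not part of the original newsletter. The reply packet and all timestamps are constructed, and the function names are this example's own.

```python
import struct

NTP_UNIX_DELTA = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)

def to_ntp(unix_seconds):
    """Encode a Unix time as a 64-bit NTP timestamp (32.32 fixed point)."""
    whole = int(unix_seconds)
    return struct.pack("!II", whole + NTP_UNIX_DELTA, int((unix_seconds - whole) * 2**32))

def from_ntp(raw):
    secs, frac = struct.unpack("!II", raw)
    return secs - NTP_UNIX_DELTA + frac / 2**32

def parse_reply(packet):
    """Extract the timestamps from a 48-byte (S)NTP server reply."""
    if len(packet) < 48:
        raise ValueError("short SNTP packet")
    leap, mode, stratum = packet[0] >> 6, packet[0] & 7, packet[1]
    if mode != 4:
        raise ValueError("not a server reply")
    if leap == 3 or stratum == 0:
        raise ValueError("server clock is unsynchronized")
    return {"stratum": stratum,
            "originate": from_ntp(packet[24:32]),  # echo of the client's send time
            "receive": from_ntp(packet[32:40]),    # T2: request arrived at server
            "transmit": from_ntp(packet[40:48])}   # T3: reply left the server

def clock_offset(reply, t1, t4):
    """t1/t4 are the local clock readings when the request left and the reply arrived."""
    if abs(reply["originate"] - t1) > 1e-6:
        raise ValueError("reply does not match our request")  # stale or forged reply
    t2, t3 = reply["receive"], reply["transmit"]
    offset = ((t2 - t1) + (t3 - t4)) / 2  # how far the local clock is behind the server
    delay = (t4 - t1) - (t3 - t2)         # round-trip network time
    return offset, delay

def build_sample_reply(t1, t2, t3):
    """Constructed reply: LI=0, version 3, mode 4 (server), stratum 2."""
    header = struct.pack("!BBbb", (3 << 3) | 4, 2, 6, -20)
    padding = b"\x00" * 12  # root delay, root dispersion, reference ID
    return header + padding + to_ntp(t2 - 60) + to_ntp(t1) + to_ntp(t2) + to_ntp(t3)

def measure_sample():
    # Constructed scenario: the local clock is 4 s slow, each network leg takes 1/32 s.
    t1, t4 = 1004668330.0, 1004668330.09375
    packet = build_sample_reply(t1, 1004668334.03125, 1004668334.0625)
    return clock_offset(parse_reply(packet), t1, t4)

if __name__ == "__main__":
    print("offset %.3f s, round trip %.4f s" % measure_sample())
```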
----------------------------------------------------------------------------
A word from our sponsors:
At GilbertWalker Group, we work with our clients to empower them to
effectively manage their own digital voice and data networks. Whether our
clients need assistance developing a sound AUP or privacy policy, help with
specific implementations related to the various privacy and security
concerns, or help developing an overall strategy for using the Internet,
GilbertWalker Group stands ready to help. For more information or to
schedule an introductory meeting, please contact Tom Gilbert at (413)
637-8858 ext. 11 or drop him a line at info@gilbertwalker.com.
If you have comments, questions or suggestions about AdvisorBits, please
send them to John Walker: comments@gilbertwalker.com