Defence in Depth, do you need client/server edge security?

Most businesses understand the need for IT security, and fortunately the level of user awareness is growing as each new virus outbreak hits the headlines.

With this has come a whole new industry supplying software and hardware designed to provide a more secure environment, and putting enormous pressure on security teams to keep up to date with new threats.

At the most basic level an organisation should have a secure IT perimeter (using technologies such as firewalls) that will keep most intruders out. Many of these defences will be provided as standard by internet service providers, although a larger organisation may prefer to manage these technologies in house and build its own firewall structure.

Unfortunately this is where many organisations stop. They have built their perimeter and now sit back in the false sense of security that it gives them.

What they have failed to see is the importance of security defence in depth.

What does this mean? Well, consider this scenario.

Mobile computing is now prevalent. The form factor of these devices has reduced over the years such that credit card sized devices have huge computing power and enable users to browse the internet and work with email, spreadsheets and word processor files.

Imagine your CEO returns from her trip around Europe having spent the past week barking out email instructions from her handheld gadget via the wireless-enabled restaurants in a variety of capital cities.

Of course the CEO is wowed by the technology and seamless way in which she is able to connect to the internet and makes a note to speak to you on her return to see if you could put the technology in place back at base.

What the CEO does not know, and neither do you the IT expert, is that during one of her email sessions she connected to a wireless network that was insecure and accidentally downloaded some malware onto her device.

Swanning through reception back at the office the next day she pops the mobile device into its docking cradle to resynchronise some files.

Disaster. At that point she has directly injected malware straight into the organisation’s IT infrastructure and the expensively configured firewall was, in this case, of utter irrelevance.

Moving to Defence in Depth

What we have just witnessed is a prime example of the weakness of relying on just the secure perimeter and we now need to actively consider the notion of defence in depth, where each layer in the IT infrastructure is designed and implemented to be as secure as possible.

Security needs to be engineered into all aspects of the organisational infrastructure and efforts made to keep the business as robust as possible.

There are a number of solutions out in the marketplace to secure an IT infrastructure in depth.

Securing the Desktop

Microsoft have recently announced Forefront, which is the family name for a group of products designed for securing an organisation’s IT systems. Forefront is distinct from other Microsoft security products such as Windows Live OneCare, Windows Defender and the Windows XP firewall technologies as these products are really designed for the consumer market with stand-alone PCs and do not have the scalability promised with Forefront.

It is important that all of an organisation’s users’ PCs are running the latest service packs and patches. If you need to test patches prior to deployment, do so quickly and efficiently to reduce the threat window for your estate. Don’t forget any handheld devices in this process.

Running Windows Security Center should be a must on each Windows XP SP2 PC unless there are specific corporate reasons such as possible application conflicts that need to be tested prior to a patch deployment. This will also ensure each PC is running a correctly configured firewall and that local anti-virus programs are running with up to date definitions.

Malware management is critical on each PC. With the ongoing development of Microsoft Forefront Client Security, due in beta form towards the end of 2006, it is possible to have a set of tools from Microsoft to address the viruses, Trojans and worms we are all subjected to on a daily basis.

Consideration needs to be given to laptop PCs taken off the premises. Theft might not be a problem, but nearly 6,000 laptops are left in London taxi cabs each year, and you just know that not all the data on these has been encrypted or backed up.

With the increase in flexible working arrangements remote users are very well catered for in many organisations with, for example, secure VPN access from remote sites.

But what happens if the laptop is left insecure whilst still logged in?

Many teenagers (or their friends) would find the temptation to access dad’s laptop at home rather overwhelming. Users need to know the importance of physically securing the entry point into the network everywhere, and that means at home as well.

Securing Servers

Servers are a critical part of many organisations’ infrastructure. A few straightforward measures can make a lot of difference. Ensure that the server software has been fully patched and updated. Check which services have been enabled on the server and check whether you really need them up and running. If not, remove unwanted services as this reduces the server attack surface.

Mail servers are especially vulnerable as they process incoming and outgoing emails. By beefing up security on the mail server, hopefully a lot of problems can be dealt with here rather than at the desktop.
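The service check described above, as an added example that is not part of the original article: it parses `sc query state= all` output and compares the running services with a list you have justified. The sample output, the approved list and the function names are constructed assumptions.

```python
import re

# Constructed sample of `sc query state= all` output (not from a real server).
SC_QUERY_OUTPUT = """\
SERVICE_NAME: W3SVC
DISPLAY_NAME: World Wide Web Publishing Service
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)

SERVICE_NAME: TlntSvr
DISPLAY_NAME: Telnet
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)

SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
        STATE              : 1  STOPPED
"""

def parse_services(text):
    """Map each service name to its state word (RUNNING, STOPPED, ...)."""
    services, name = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*SERVICE_NAME:\s*(.+?)\s*$", line)
        if m:
            name = m.group(1)
            continue
        m = re.match(r"\s*STATE\s*:\s*\d+\s+(\w+)", line)
        if m and name:
            services[name] = m.group(1)
    return services

def audit(text, approved):
    """Return (running but not approved, approved but not running)."""
    approved_cf = {a.casefold() for a in approved}  # service names ignore case
    running = {n for n, s in parse_services(text).items() if s == "RUNNING"}
    running_cf = {n.casefold() for n in running}
    unjustified = sorted(n for n in running if n.casefold() not in approved_cf)
    missing = sorted(a for a in approved if a.casefold() not in running_cf)
    return unjustified, missing

if __name__ == "__main__":
    # Hypothetical approved list for a web server role.
    print(audit(SC_QUERY_OUTPUT, {"w3svc", "Eventlog"}))
```

Anything in the first list is a candidate for removal; anything in the second is a service the role expects that is not running.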

Microsoft Antigen was released in June 2006 and comprises products to secure a Microsoft Exchange Server, Microsoft SMTP Gateway, Microsoft Live Communications Server and Windows SharePoint Services Server. Content and file filtering is enabled by Microsoft Antigen, helping you to reduce the amount of inappropriate content reaching the user’s desktop.

Out of interest, these products are currently being rebranded as part of the Forefront family and will become known as Forefront Security for Exchange Server and Forefront Security for SharePoint respectively.

Securing the Edge

Further out towards the edge between our secure zone and the internet we need to place our firewall based technologies.

For a Microsoft based infrastructure ISA Server 2006 is being geared up for release towards the autumn.

This will provide an application layer firewall, VPN and web cache in one go and could prove ideal for those with Internet Information Server, Exchange Server and SharePoint Services providing their application infrastructure.

Security for Free?

Without a doubt there are some very good products available now or in the pipeline to assist in keeping your organisation secure. The good news is that there are some simple measures that can be taken now to help secure your IT estate, many being low cost or free.

The company security policy is the best place to start when defining exactly what you expect of your systems and users to ensure a safe computing environment.

Keep it a live document that will grow with the business and make sure that it is sponsored by a board level executive to maximise the attention it gets. Writing the development and maintenance of a security policy into responsible employees’ objectives will help get it the focus it needs.

Train your users to be fully aware of security related attacks and encourage them to actively challenge socially engineered attacks.

Get them to question the voice of authority on the end of the phone and tell them never to disclose passwords or login details to anyone.

Ensure all passwords used in the organisation are strong – over 8 characters long, containing a mix of letters and numbers and no plain words.

Try experimenting with pass phrases to help users remember these stronger passwords and enforce a regular password change policy – maybe every 30 days. Users also need to be fully warned about attempts to “phish” their passwords and the danger of unsolicited email attachments.
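The password rule above, written as a checker that also accepts multi-word pass phrases (an added example, not part of the original article). The word list, the substitution table and the function names are assumptions made for illustration; a real deployment would load a full dictionary.

```python
import re

# Constructed sample word list (assumption).
PLAIN_WORDS = {"password", "welcome", "summer", "london", "dragon", "letmein"}

# Common look-alike substitutions: 0->o, 1->l, 3->e, 4->a, 5->s, 7->t, @->a, $->s
LEET = str.maketrans("013457@$", "oleastas")

def _candidates(password):
    """Yield the letter-only forms a single decorated word could reduce to."""
    lowered = password.lower()
    # Form 1: drop everything that is not a letter ("Password2006" -> "password").
    yield re.sub(r"[^a-z]", "", lowered)
    # Form 2: drop leading/trailing digits, then undo look-alike substitutions
    # ("P4ssw0rd99" -> "p4ssw0rd" -> "password").
    core = lowered.strip("0123456789")
    yield re.sub(r"[^a-z]", "", core.translate(LEET))

def policy_failures(password, words=PLAIN_WORDS):
    """Return the rules the password breaks; an empty list means acceptable."""
    failures = []
    if len(password) <= 8:
        failures.append("length: must be over 8 characters")
    if not re.search(r"[A-Za-z]", password) or not re.search(r"\d", password):
        failures.append("mix: must contain both letters and numbers")
    # A single dictionary word with digits bolted on passes the first two
    # rules, so the "no plain words" rule needs its own test.
    for word in sorted({c for c in _candidates(password) if c in words}):
        failures.append("plain word: reduces to '%s'" % word)
    return failures

if __name__ == "__main__":
    for sample in ("Password2006", "P4ssw0rd99", "summer06", "4greenkettles-sing"):
        print(sample, policy_failures(sample))
```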

Review the systems and services that users can access. Question why a user needs access to a certain system, and if there is no reasonable business justification consider measures to remove that user from such access.

It has to be Defence in Depth

Each measure you undertake to protect your environment is another step a potential hacker will need to go through when mounting an attack. Think of these as obstacles strewn in the hacker’s way as they pursue you down the alleyway.

Instead of relying on a single dustbin thrown in their tracks, get as many barriers in place as soon as you can, each of which will help to build delay and hopefully trip up the pursuer altogether.

Hopefully you will now see the benefits of having security in depth across the organisation.

Far from being an expensive insurance policy, a secured IT environment, enabled with appropriate tools and technologies, is a must-have in today’s business world.