Dec 26, 2008

Internal Net Policies part 2


Internal Company Network Policies

Part 2: A framework for your IT procedures.

In our last edition of the journal, part 1 touched on the need for your company to have a good internal network policy for your employees and the need to enforce it. In this part we will touch on just how you go about doing that.

Is it a Policy, a Standard or a Guideline?

We frequently hear people use the names "policy", "standard", and "guideline" to refer to documents that fall within the policy infrastructure. We are focusing on "policy" for our discussion.

A policy is typically a document that outlines specific requirements or rules that must be met. In the information/network security realm, policies are usually point-specific, covering a single area. For example, an "Acceptable Use" policy would cover the rules and regulations for appropriate use of the computing facilities.

This is different from a standard, which is typically a collection of system-specific or procedure-specific requirements that must be met by everyone. For example, you might have a standard that describes how to harden a Windows workstation for placement on an external (DMZ) network. A guideline is typically a collection of system-specific or procedure-specific "suggestions" for best practice. They are not requirements to be met, but they are strongly recommended. Effective security policies make frequent references to the standards and guidelines that exist within an organization.

A Security Policy indicates senior management’s commitment to maintaining a secure network, which allows the IT Staff to do a more effective job of securing the company’s information assets. Ultimately, a Security Policy will reduce your risk of a damaging security incident.

What is right for me?

The most important thing to remember when starting the process of developing a Security Policy is that there is no "right" or "wrong" way to go about it. No one policy will work for every organization. There is no generic template that will meet every need. A fantastic policy for Company ABC might be useless to Company XYZ. For that reason, a Security Policy must be a custom document that reflects your company's specific security needs. In fact, a useless Security Policy is worse than no policy. Companies that boast of Security Policies thicker than a ream of paper are often the ones that have no idea what those policies say. The false sense of security provided by an ineffective policy is dangerous. The point of a Security Policy is not to create "shelfware" that will look good in a binder, but rather to create an actionable and realistic policy that your company can use to manage its security practices.

A Great Framework

Having an Information Technology framework for your company is an essential first step in controlling how your technology is handled internally. Thankfully there is a great framework to help companies accomplish this. The Information Technology Infrastructure Library, known as ITIL, is a tool that can help you. It is a customizable framework of good practices designed to promote quality computing services within your company. ITIL provides a systematic approach to the provisioning and management of IT services. The core parts of this framework include Service Strategy, Service Design, Service Transition and Service Operation, including incident management and security management.


Stay tuned for part 3.........


Nick Hitchcock

OSCP, CEH, CHFI, MCP

NHT Consulting

www.nhtconsulting.com

Internal Net Policies. Part 1


I thought a good start to the "re-invigoration" of this blog would be to post a couple of articles that have been written for other publications. Enjoy...



Internal Network policies

Part 1: File Sharing

Your company has the convenience and accessibility once thought to be science fiction. Files can be transferred to the other side of the planet within seconds. Communication is a snap. Even within the past five to ten years, Internet speeds available in certain areas have doubled, tripled or grown even more. But with this convenience, as with anything, comes abuse. Could your network at this moment be used for something other than what you intended?

Does your company have an internal network policy?

A recent national survey of U.S. white-collar workers commissioned by ISACA found that more than one-third (35%) of employees have violated their company’s information technology (IT) policies at least once and that nearly one-sixth (15%) of employees have used peer-to-peer file-sharing at least once at their place of business, opening the door to security breaches and placing sensitive business and personal information at risk. Do you have a policy in effect to prevent this?

What exactly is the risk?

Many file sharing programs are just that: they "share" files. How so? In many popular, easy-to-use file sharing applications, the initial setup may search your disk for files, primarily media files, to make available to other users of that particular file sharing network. With that in mind, think of the following scenario:

Bob wants to install a file-sharing program on his computer at work for something relatively harmless. He just wants some music to listen to at work. The file-sharing application installs without a hitch and Bob is ready to get some music and get productive at work. But there is a problem. During the setup, the file-sharing application found a few media files in a directory to share; one is named "widget-demo.avi" and another is "jingle-music.mp3". The major problem is not that it may have shared your commercial video or jingle music, but that when this file-sharing program shares those files, it shares the entire contents of that folder. What else could be in that folder? Perhaps "Q4-earnings.xls", "Board_of_Dirs_minutes.doc" or maybe "CompanyFinancial.qbb". You get the point: this can be very dangerous.
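To make the scenario concrete, here is an added audit script (not part of the original article) that mimics what Bob's setup wizard does: it picks every folder that directly contains a media file, and then reports the non-media documents that would ride along when that folder is shared. The media extension list, the "share the whole folder" behaviour and the sample directory tree are assumptions constructed for the example.

```python
import tempfile
from pathlib import Path

# Extensions a media-hunting P2P setup wizard would look for (assumption).
MEDIA_EXT = {".mp3", ".avi", ".mp4", ".wav", ".wmv", ".mov"}


def folders_a_client_would_share(scan_root):
    """Folders that directly contain at least one media file.

    Mirrors the article's scenario: the wizard finds a media file and
    shares the whole folder it lives in (assumed client behaviour).
    """
    root = Path(scan_root)
    picked = []
    for folder in [root, *sorted(p for p in root.rglob("*") if p.is_dir())]:
        if any(f.is_file() and f.suffix.lower() in MEDIA_EXT
               for f in folder.iterdir()):
            picked.append(folder)
    return picked


def collateral_exposure(folder):
    """Non-media files that get exposed along with the media in a shared folder."""
    return sorted(f.name for f in Path(folder).iterdir()
                  if f.is_file() and f.suffix.lower() not in MEDIA_EXT)


def build_constructed_tree():
    """Constructed sample tree mirroring the article's folder; not real data."""
    base = Path(tempfile.mkdtemp(prefix="share-audit-"))
    marketing = base / "Marketing"
    marketing.mkdir()
    for name in ("widget-demo.avi", "jingle-music.mp3", "Q4-earnings.xls",
                 "Board_of_Dirs_minutes.doc", "CompanyFinancial.qbb"):
        (marketing / name).write_text("constructed sample content")
    hr = base / "HR"  # no media here, so the wizard would leave it alone
    hr.mkdir()
    (hr / "salaries.xls").write_text("constructed sample content")
    return base


def audit_scenario():
    """Map each folder the client would share to the documents it would expose."""
    base = build_constructed_tree()
    return {f.relative_to(base).as_posix(): collateral_exposure(f)
            for f in folders_a_client_would_share(base)}


if __name__ == "__main__":
    for folder, docs in audit_scenario().items():
        print(f"sharing '{folder}' would also expose: {', '.join(docs)}")
```

Run the same two functions against a real user's home directory to see which folders a media-seeking wizard would pick and what business documents sit beside the media.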

Conclusion

File sharing is very useful in some aspects of legitimate business. But this is only one of the various security risks of allowing a file-sharing application to be installed on an unattended client machine. The fact is, most file sharing applications can bypass any firewall security you may have in place, negating any steps or investments you may have made to stop network attacks.

This is one of the many parts of a full network policy that your company should have. In upcoming articles we will discuss other aspects of a network policy and how to enforce these without restricting productivity.

Nick Hitchcock,

OSCP, CEH, CHFI, MCP

NHT Consulting

www.nhtconsulting.com

Dec 25, 2008

Amazing how things stay around on the net

So here I am thinking to myself while redesigning my website, "man, I should have one of them there blogs to post hack/sec stuff." So I do what everybody else seems to have done and I go to blogspot.com.
I start to sign up and dang! Someone already used "nhtc"! I proceed to follow the link and lo and behold, it's ME from 2005. Wow, I have a short memory.

/me proceeds to smack himself in the head with a large trout
(irc folks will get that one hehe)

Stay tuned for more.