FIREWALL THREATS
AS SOMEONE RESPONSIBLE FOR IT SECURITY WITHIN MY COMPANY, HOW DO I THWART THE MOST COMMON INTERNAL VULNERABILITIES?
Firewalls today do a good job keeping malicious code from infecting corporate networks, but many administrators don’t understand that threats can come from within an organization as well. Below are the five most common internal threats and how to mitigate them.
1. USB storage devices, which include everything from thumb drives to digital picture frames, are ubiquitous today. Unfortunately, that ubiquity has driven hackers to develop targeted malware that can infect systems when a device connects with an open port. The fix: check each system’s autorun policy. It’s also smart to implement and enforce asset control and policies (with frequent reminders) around what devices can enter the environment and when.
2. Laptops and netbooks are portable and include a full operating system and an Ethernet jack for direct network access. Non-provisioned notebooks can already have malicious code running on them and can infect a network on contact. Provisioned laptops can pose a security risk as well because they’re easy to walk off with. The fix: encrypt all systems that hold sensitive data. Implement control over endpoints that enter and exit the internal system, and don’t persistently store sensitive information, such as personnel records, credit cards and financial records, on portable devices.
3. Wireless access points are vulnerable to wardrivers (people in vehicles searching for unsecured Wi-Fi networks). They’re inherently insecure, whether encryption is used or not. Even wireless encryption protocol (WEP) has known vulnerabilities, and wireless protected access (WPA) and WPA2 are vulnerable if strong keys aren’t used. The fix: we recommend WPA2 Enterprise using RADIUS plus an AP capable of performing authentication and enforcing security measures. Also, passwords should be mixed, strong and changed frequently.
4. Smartphones and other digital devices today are fully functioning computers. They have full wireless connectivity and large storage capacities, enabling them to pose the same level of threat we’ve seen with USB devices. The fix: the same rules apply as for USB storage devices; it’s important to implement and enforce asset control and policies around what devices can enter the environment and when.
5. E-mail is often misused. Confidential information is easily forwarded outside the company, and the messages themselves can carry malicious code. The fix: source identification is of utmost importance when it comes to e-mail security. Technology such as PGP can help identify a sender, and access control to broad alias-based e-mail addresses should be enforced.
Graham Bushkes is the vice president of sales, Canada for Fortinet, a worldwide provider of network security appliances and unified threat management (UTM) solutions.
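One way to carry out the autorun check from item 1 on a Windows system, as an added example that is not part of the original column. It assumes the standard Windows policy value NoDriveTypeAutoRun (not named in the article) and reports, for the machine and the current user, which drive types still allow AutoRun.

```powershell
# Added example (not from the article): report which drive types still allow AutoRun.
# In NoDriveTypeAutoRun a SET bit disables AutoRun for that drive type; 0xFF disables all.
$DriveTypeBits = [ordered]@{
    'Unknown type (0x01)' = 0x01
    'Removable'           = 0x04
    'Fixed'               = 0x08
    'Network'             = 0x10
    'CD-ROM'              = 0x20
    'RAM disk'            = 0x40
    'Unknown type (0x80)' = 0x80
}

function Get-AutoRunAllowedTypes {
    param([int]$Mask)
    # A clear bit means AutoRun is still permitted for that drive type.
    foreach ($entry in $DriveTypeBits.GetEnumerator()) {
        if (($Mask -band $entry.Value) -eq 0) { $entry.Key }
    }
}

function Get-AutoRunPolicy {
    $subKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $path  = Join-Path $hive $subKey
        $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        # Missing key or missing value: no explicit policy, so the OS default is in effect.
        if ($null -eq $props -or $null -eq $props.PSObject.Properties['NoDriveTypeAutoRun']) {
            [pscustomobject]@{ Key = $path; Mask = 'not set'
                               AutoRunAllowedOn = 'OS default applies'; AllDisabled = $false }
            continue
        }
        $mask    = [int]($props.NoDriveTypeAutoRun -band 0xFF)
        $allowed = @(Get-AutoRunAllowedTypes -Mask $mask)
        [pscustomobject]@{
            Key              = $path
            Mask             = '0x{0:X2}' -f $mask
            AutoRunAllowedOn = ($allowed -join ', ')
            AllDisabled      = ($allowed.Count -eq 0)
        }
    }
}

Get-AutoRunPolicy | Format-List
```

A host where `AllDisabled` is false, or where the value is not set, is one to bring under a Group Policy that turns AutoRun off for all drive types.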
BUSINESS CONTINUITY
WHY SHOULD COMPANIES TAKE THE TIME AND EFFORT TO PERFORM BUSINESS CONTINUITY PLANNING IF THE LIKELIHOOD OF DISASTERS IS LOW?
Business continuity planning is really a series of exercises in “What if?” What if there is an earthquake, flood or other natural disaster? What if there are riots and civil disturbances, such as the recent G-20 summit in Toronto? What if my workers go on strike? There is no shortage of potential situations that might require you to alter the way you conduct business. Granted, some depend on your type of business or geographic location. Nevertheless, business continuity planning makes prudent sense and provides some hidden benefits for all organizations.
Essentially, business continuity planning requires you to rethink how you run your business, stimulating improvements and cost savings not otherwise considered. It presents an opportunity to identify who the natural leaders are in your organization.
However, confronted with sudden change, some companies (and individuals) rise to the occasion while others become paralyzed, which is why the business continuity plan is essential – it often eliminates any guessing in highly stressful situations. Furthermore, it encourages businesses to connect with the larger community, including law enforcement, government agencies, business colleagues and others.
In the end, business continuity planning establishes forums for discussion and mutual planning and, ultimately, makes for a more cohesive community that may want to engage in productive activities outside the scope of crisis planning.
While cynics may scoff at the need to plan for disasters that might never occur, good business people recognize that the benefits extend far beyond crisis management and help keep businesses healthy and growing.
Guy Cote is chief security officer at Garda.
WWW.SECURITYMATTERSMAG.COM
• SECURITY MATTERS 27