Tech News United Way of New York City
 
Fundraising & Grants     Innovations     Internet Resources     Interns & Volunteers     Government     Special Populations     Community Resources     Training     Troubleshooting     Planning & Management    
Tech News is proudly supported by IBM
Troubleshooting

Defending Systems and Managing Risk
By Jason Hutchins
 Director of Business Relations, NonprofitSolutions.Net


On November 12, 2003, United Way of New York City, in collaboration with the TechFoundation hosted an IT Security Conference in which I presented the TechConnect Security module. The event was sponsored by IBM and covered security elements ranging from physical assets and staff policy to issues with web-based systems. During the workshop emerging trends like security service switches that drop suspicious packets throughout the network were discussed at length.

This article builds on the research that was put together for the presentation at the conference and addresses some of the issues raised by the attendees. To suggest follow up articles on this topic or other areas of interest please contact us at technews@uwnyc.org

  Some Simple Security Steps at a Glance
  • Patch all systems regularly
  • Install a true firewall
  • Check firewall, router, switch and system logs periodically
  • Use complex passwords and change them frequently
  • Have a clear and effective written Security Policy in place


    • Unique CBO Challenges
    Small to mid-sized community based-organizations often find themselves:
  • Maintaining old and outdated systems
  • Working on multiple platforms with limited personnel
  • Using donated/undocumented equipment that is often unsupported and insecure
    		•   
    Patches
    Security updates or patches are released to correct a discovered vulnerability in source code that presents a risk to a product that is already in use. Due to the nature of the software industry, application developers are rewarded for "speed-to-market" (rush) and "operating performance" (size). One cannot expect these trends to change, but understanding the factors that create security risks can place you in the driver's seat.

    Patching systems is a top priority and methodology should not be limited to operating systems. Some factors that are driving current risks include:
  • the ever-increasing size of software packages
    • , and
  • unprotected home users with Always-on high-speed connections.
    • Once compromised, these machines serve as super spreaders broadcasting malicious code to the rest of us.

    Source code that runs software and operating systems has expanded from hundreds of thousands of line of code to millions of lines of source code. This can be broken down into a simple formula: more code = more potential problems.



    When a security vulnerability becomes known, the time to patch is relatively short. Once advertised, known security vulnerabilities are typically attacked within 26 days.

    Remote Security Issues VPN
    For convenience and hectic work schedules, many organizations use Virtual Private Networks (VPN) which allow authorized users the ability to securely transit fire-walls through a virtual private tunnel.

    Remember those movies from the 80's where a young skateboarder hangs on to that bumper to move through traffic? That is a great visual image of how VPNs are often compromised. Regardless of the VPN solution your organization employs, risks are typically associated with the fact that you do not own the home computers of your users, nor can you always monitor changes they make to those home configurations. I think we can all admit that we have clicked 'remind me later' to those security updates.
    Laptops
    Laptops love travel and adventure!
    We love them. Yes, but is that love returned?
    Most organizations have Laptops in the field, but startling statistics are earmarked for Laptops. The FBI reports that 57% of corporate crimes can be traced to stolen Laptops. More than three quarters of computer theft is perpetrated by employees or contractors of the organization that experiences the loss.
    Inventory is Key for all Assets
    Tech News understands that many of our readers are working on shoestring budgets and suggests that an organizational inventory is a great place to start your security process. After all, an organizational inventory may take time...but will not cost you a dime.

    Some basic questions every institution should be asking.
  • What information is most critical/valuable to your organization?
  • Who has access to this information and does a backup copy exist?
  • Do you have backup procedures in place, and if so, when did the last backup occur?
  • Do you have an Internal Security Policy?
  • What software is running on your desktops, laptops, and servers? When was the last time this software was upgraded, patched, or scanned for viruses?

    Tips and Tools
    People tend to limit patch updates to operating systems rather than looking at the entire suite of applications running on the desktop or server. When it comes to the desktop, major cumulative patches exist for many common applications such as Microsoft Office, Quickbooks, and lest we forget those pesky web browsers that require constant updates and attention.

    Common Updates for the Windows Operating system can be found at:http://v4.windowsupdate.microsoft.com/en/default.asp

    If you are a MS Office user simply visit the following link and select 'Check for Updates' from the following page.

    Always-On Connections
    A recent Yankee Group report, "Always On, Always Vulnerable" is quoted on many UK online news sites as saying that Broadband connections increase your security risk by five fold. This multiple appears to be understated considerably when applied to the US market. As online pioneers, Americans have the distinction of using over 80% of the assigned IP addresses worldwide.

    Once a luxury, affordably priced Broadband Cable and DSL Connections are available to most home users throughout the country who all too often elect to save a few dollars and forgo the subscription expense of a personal firewall.
    Increasing Sophistication
    Of greatest concern is that increasingly, attacks are automated. Scanning for open ports can be constantly observed on the user interface of most firewall logs.

    The small screen shot below is from a personal McAfee Security log from an Always-on connection.



    SPAM
    Software viruses and worms remain the chief source of network hacks. However, SPAM e-mail messages are now more frequent than viruses.

    By some accounts the efficient tool of e-mail is quickly losing its value due to SPAM. Some SPAM filtering providers have already advertised that during the month of November 2003, SPAM accounted for 56% of all email traffic.

    Besides being a downright time-consuming nuisance, SPAM remains a potent method of injection for Worms, Trojans, and other malicious bugs that seek to do harm. Recently, Tech News highlighted some great work from the folks at Consumer Reports who reviewed SPAM filtering tools. Consumer Reports quick recommendations for non-subscribers.

    The top three products out of nine low cost add-on packages reviewed by Consumer Reports were:
  • Stata Labs SAProxy
  • Mailshell SpamCatcher Universal
  • Blue Squirrel Spam Sleuth


    • Policy
    One of the top issues raised at the morning workshop was how a clear Information Security Policy empowers an institution's ability to improve security.

    Stay tuned for a future Tech News article in which we delve into this matter in great detail.
    		 
     
      Search     Home     About Tech News     Events     Link Library     Feedback     Site Map     Subscription      


    Copyright © 2003 United Way of New York City - All Rights Reserved.
    Privacy Policy