So what does this combination miss?

Level 1
-------
1. Use a firewall with a DMZ and reverse lookup so only designated client PCs can access specific systems (and audit).
2. Use Public Key based application level authentication between VALID client applications and the server to permit valid connects only with UOLOGIN.
3. Stop any software being loaded on any PC except by IT admin staff (to stop keyboard snoopers grabbing IDs and passwords).
4. After repeated invalid access attempts block the ID.

Level 2
-------
5. Use SSL to stop IDs and Passwords being sent in plain (network sniffers etc.) if you are that twitchy / unsure about local PC lockdown or hardware devices being introduced into the network.
6. Use fixed IP addresses and MAC addresses - directly associate BOTH with the specific ID and Password that can use that workstation at the application level (UOLOGIN).
7. Use a magnetic eraser for all tapes and FDDs that are to be dumped.
8. Use secure disposal of all old HDDs (heating above Curie point / destroying etc.). There are reputable companies that offer this service.
9. Make all offensive verbs REMOTE verbs and positively authenticate using credentials in a named COMMON block.

Level 0 - yes "0" - I have seen ALL of these
-------
0.1 Stop stringing network cables between windows outside the building just because it is easier than re-routing. (Gosh - look at that handy network access point...)
0.2 Lock the office doors to stop people wandering into the computer room and walking off with the kit (really! Honest!). (And they did it to the same site 2 weeks on the trot.) The (old) kit from week 1 was found dumped; when brand new kit was installed in week 2 they stole that for resale.
0.3 If you are using a wireless network then please, please encrypt it properly, use decent authentication, and check the log files... (use email notification of invalid access attempts). It is AMAZING what wireless LANs I pick up when out and about.
0.4 Shoot the guy who added a wireless repeater to the LAN to work from outside when it was hot.
0.5 Use real IDs and passwords - not names, birthdays etc. Oh yes - don't change them so often that people HAVE to write them down to remember them (death by password). If you have a BIOS password, a HDD password, a Windows ID & password, a network password, an application login ID and password, a screen saver password and force regular changes and prevent re-use/duplication and stop anything that even LOOKS like a word, then you can't tell ME no-one writes them down and sticks them next to a screen somewhere...
0.6 Remove the following:
0.6.1 Root password written on wall next to computer room light switch (visible through window).
0.6.2 Administrator login written on back of office calendar (can be found 1st working day in New Year in the trash can). In attorneys' offices it usually has the safe combination written on the back of it as well (handy).
0.6.3 Don't leave the computer room door / window open to the street because it gets hot (which is why there was no-one in there at the time).
0.6.4 Dumping old HDDs after an upgrade in boxes outside "to be collected".
0.6.5 Dumping old magnetic tapes in the trash.

BONUS: For those who know me personally: It is AMAZING how many people are good enough to open secure doors when I walk up to them. Not just folks who know me (thanks folks!) - but also lots of other kind and friendly people. They will also carry all sorts of stuff after helping me unplug cables and even load up. I am looking for someone who will help me with all that heavy cash in the safe (drop me a line - I am willing to come and collect).

I have only seen hacking twice - both times by insiders.

Regards
JayJay

-------
u2-users mailing list
[email protected]
To unsubscribe please visit http://listserver.u2ug.org/
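The two application-level controls in the list above that are easiest to get subtly wrong are item 4 (block the ID after repeated invalid attempts) and item 6 (tie each ID to BOTH the fixed IP and the MAC of the one workstation allowed to use it). The following is an added example, not code from the post and not UniVerse/UOLOGIN code: a small Python gatekeeper that applies both checks to a constructed log of login attempts and audits every decision. The threshold of three failures, the account table and the sample attempts are all assumptions made up for the example; the post gives no numbers.

```python
"""Added example (not from the u2-users post): a login gate that models
items 4 and 6 from the list. All names, thresholds and sample data below
are constructed for illustration."""
import hmac
from dataclasses import dataclass, field

MAX_FAILURES = 3  # assumed lockout threshold; the post states no number


@dataclass
class LoginGate:
    # ID -> {"password", "ip", "mac"}: the one workstation bound to that ID
    accounts: dict
    failures: dict = field(default_factory=dict)   # ID -> consecutive failures
    blocked: set = field(default_factory=set)      # IDs locked out (item 4)
    audit: list = field(default_factory=list)      # one line per attempt

    def _log(self, outcome, user, ip, mac):
        self.audit.append(f"{outcome} id={user} ip={ip} mac={mac}")
        return outcome

    def _fail(self, user):
        n = self.failures.get(user, 0) + 1
        self.failures[user] = n
        if n >= MAX_FAILURES:
            self.blocked.add(user)   # item 4: an admin has to unblock it

    def attempt(self, user, password, ip, mac):
        """Return 'ok' or a 'denied: ...' reason; every attempt is audited."""
        if user in self.blocked:
            return self._log("denied: ID blocked", user, ip, mac)
        acct = self.accounts.get(user)
        if acct is None:
            return self._log("denied: unknown ID", user, ip, mac)
        # item 6: BOTH the IP and the MAC must match the bound workstation,
        # and a mismatch counts as a failure even if the password is right
        if ip != acct["ip"] or mac.lower() != acct["mac"].lower():
            self._fail(user)
            return self._log("denied: workstation not bound to ID", user, ip, mac)
        # constant-time compare so response timing does not leak prefix matches
        if not hmac.compare_digest(password.encode(), acct["password"].encode()):
            self._fail(user)
            if user in self.blocked:
                return self._log("denied: ID blocked after repeated failures", user, ip, mac)
            return self._log("denied: bad password", user, ip, mac)
        self.failures.pop(user, None)  # a good login clears the counter
        return self._log("ok", user, ip, mac)


def run_constructed_log():
    """Feed a constructed sequence of attempts through the gate."""
    gate = LoginGate(accounts={
        "jsmith": {"password": "s3cret", "ip": "10.0.0.5",
                   "mac": "aa:bb:cc:dd:ee:01"},
    })
    attempts = [  # constructed sample: (ID, password, source IP, source MAC)
        ("jsmith", "s3cret", "10.0.0.5",  "aa:bb:cc:dd:ee:01"),  # ok
        ("jsmith", "s3cret", "10.0.0.77", "aa:bb:cc:dd:ee:01"),  # wrong PC: failure 1
        ("jsmith", "guess1", "10.0.0.5",  "aa:bb:cc:dd:ee:01"),  # failure 2
        ("jsmith", "guess2", "10.0.0.5",  "aa:bb:cc:dd:ee:01"),  # failure 3: blocked
        ("jsmith", "s3cret", "10.0.0.5",  "aa:bb:cc:dd:ee:01"),  # right, but blocked
        ("nobody", "x",      "10.0.0.5",  "aa:bb:cc:dd:ee:01"),  # no such ID
    ]
    return [gate.attempt(*a) for a in attempts], gate


if __name__ == "__main__":
    results, gate = run_constructed_log()
    for line in gate.audit:
        print(line)
```

Two design points worth noting: a correct password from an unbound workstation still counts toward the lockout, because that is exactly the case item 6 exists to catch, and the audit list is the record item 0.3 asks you to actually read (or mail out on invalid attempts). In a real deployment the password table would hold salted hashes, not the plaintext used here for brevity.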
