Security Best Practices
Pam:
Welcome to today's TechNet Chat. Our topic is Security Best Practices. Today we are live at Networld + Interop in Atlanta, Georgia, USA. This will be a little different than our previous chats. We will be taking questions from our live audience as well as from those of you who are online.
Welcome to our host:
Doreen:
Greetings! I'm Doreen Galli, a Director of Technologies at USWeb/CKS from the Atlanta Office and I'll be the host for this Q&A on Security Best Practices. For general security background you can read my chapter on distributed security from my book on Distributed Operating Systems with Prentice Hall which is currently featured on TechNet. http://www.microsoft.com/technet/community/chats/trans/default.mspx
Doreen:
To start things off, let me ask you a question. Do you know whom to contact at your organization if there is a breach in security and if that is you, does everyone in your org know how to contact you?
(Live audience had a mix of those who knew whom to contact and those who didn't, but many who were the contact themselves didn't know if anyone knew who they were or not. Few knew the actual process within their companies for reporting security breaches.)
Laura (will be typing in all the questions from the live audience):
Q: What business justification is there for spending money on security measures?
Doreen:
An important justification is that if you are dealing with customer info, and that info is breached, it is obviously not good for that relationship. Also, if you don't take appropriate measures for security, you can be held legally accountable. Both of these scenarios can cost your business far more than taking a few security measures.
Laura:
Q: What are the biggest security problems facing corporations today?
Doreen:
Finding enough qualified security professionals is a challenge, and readily available home access is too. Many breaches come from the inside, on-site as well.
Laura:
Q: How do you determine the appropriate security policies for a corporation?
Doreen:
Rules of thumb – the cost should be proportional to the measures you need to take and to the importance of what you're protecting.
ranga_:
Well, in my company it is not so much who breaks into the system, but who has access to what!
Doreen:
You're right – you need to make sure you know people don't have access to anything they don't need to.
Laura:
Q: What are your recommendations for user education about security?
Doreen:
User Ed is very important - when someone is given a system, they need to know the Best Practices for that system and for your company. Teach them how to use it and how to stay secure. Also teach them your company policies and impress upon them the importance of staying secure.
Laura:
Q: What are some of the key things to remember when there is a breach?
Doreen:
Don't send e-mail to everyone saying there is a breach! Everyone should know whom to call when they suspect there is a problem, and should know how to preserve their files, etc.
Laura:
Q: What would be the top best practices?
Doreen:
Top 4 –
1. Have people who know security.
2. Have a regular outside audit.
3. Make it part of the corporate culture.
4. Ensure you have a corporate mission statement with regard to security.
Laura:
Q: Is there a security difference between cable modem and ADSL for high-speed home access?
Doreen:
Cable modem goes into everyone's home in your area – it may not be as secure, even though there are some security measures. The problem is that the physical wire is available to others. ADSL is more secure - from home to phone company – no network of surrounding homes, no physical wires available in others' homes with your data traveling on them.
ranga_:
I think the users should not be required to learn anything about security -- the programmers and network admins should enforce sound application security and network security (IPSec).
Doreen:
It's true that the more you can do at the admin level, the better – but to use an analogy - if you have an alarm system at your home, you don't have to know how it works, but you still have to know how to turn it on.
Laura:
Q: If you are suspicious about a security breach in your organization, should you announce it to aid your investigation of the breach?
Doreen:
I don't recommend doing unauthorized hacking of any system. Find out top security stories - look on the TechNet Web site, among others, for scenarios - use these stories as examples to get permission from management to look into the possibility of a similar issue at your company.
Laura:
Q: What is the best way to secure a Web site?
Doreen:
Physical security of the server is #1. Second, any services that are not needed on that server should be moved elsewhere. Any that have to be there should be secure and locked down. Third, have a complete security audit of the code – this is best to do during the architectural stage.
Laura:
Q: What are the top mistakes made on a server?
Doreen:
Mistakes include trying to have too many different services on one server, and not enough limits on access. Again, only have what you need on that server and be sure the only people who have access are the ones who need to. You should also prevent interactive logons.
Laura:
Q: If you were not going to host your own Web site and would rather use an ISP, how do you make sure that the ISP is using secure practices?
Doreen:
Best thing is to specify what you expect.
Laura:
Q: Why is there a shortage of security experts?
Doreen:
It's difficult to find experts in anything, and with security, you have to have intuition as well as technical knowledge. They have to constantly keep up to date as well.
Laura:
Q: How do you configure DCOM to be most secure?
Doreen:
There is always a trade-off between how secure your system is and full functionality. You need to ask - what do we care about the most? Learn to keep the keys in the appropriate manner, watch every aspect.
Laura:
Q: What other resources are available about distributed security?
Doreen:
Distributed Security - check out the chapter on the TechNet Web site. There are a lot of links within that chapter, as well as on the TechNet site.
Laura:
Q: What resources are available for security testing and audits?
Doreen:
There are a lot of companies available - check references. Can't recommend one over another in this forum.
ranga_:
Can you suggest a good security strategy for Win32-based clients? Saving user IDs and passwords in tables won't be a robust solution.
Doreen:
I would have to know what the org is trying to protect. There will be different requirements for different companies. Security is only as good as the weakest link – you have to look at the whole picture, not just a product. NSA has a great whitepaper on this topic.
It's more than just securing the services. It has to be a culture at your org. Those who don't need to know your policies, shouldn't know them.
ranga_:
Assume that the org wants to control who can delete customer-related info -- can you suggest a strategy here?
Doreen:
This policy comes from the security audit in your org. Should be a limited # of people - determine who that would be from the audit.
ranga_:
I am writing a VB app and even to do simple things like view/update/delete, I have to think of security -- who can view, who can update, etc. Is customizing the GUI based on the user's role a good approach? As a user's role changes, they will see a different GUI -- without having to reinstall the application!!!
Doreen:
There are lots of benefits to this – the difficulty with this is "exceptions" to the rule. And be sure people belong to the right groups. When roles change, the infrastructure must change. If you do this, it will work. Must be vigilant.
Pam:
ranga - be sure to check out the resources available on TechNet and MSDN regarding your COM+ and Windows 2000 questions that did not get answered here. There is a lot of info on both sites.
Pam:
Thanks for joining us today! This has been a lot of fun for us. Unfortunately we are going to have to end this TechNet chat now. Here at N + I, we have to end a little early to give time to the next presenter.
Be sure to check out Doreen's chapter on security at http://www.microsoft.com/technet/community/chats/trans/default.mspx
You can find the transcript of this chat within a week or so on the TechNet Web site at http://www.microsoft.com/technet/community/chats/default.mspx