Think you've secured your office well? Time to put your money where your mouth is
If you’ve been following these pages closely (and we hope you have), you’ll have noticed that we’ve talked a lot about security—it’s a huge concern for any organisation, and it’s something that requires constant attention. If you’ve been taking our advice then, you ought to have an effective security solution in place for your office. Or do you?
You see, implementing security solutions and policies is only the first step. Every once in a while, you need to verify that your security solution is doing what it’s supposed to. Perhaps more importantly, you also need to know whether everyone in your team is following the security policies you’ve so lovingly prepared.
To ensure that everything’s all right with your security arrangements, you need to conduct a security audit. There’s no strict definition for the term, but like any other audit, the basic idea is to examine the truth of a claim—the claim, in this case, being that you’re safe from security threats. You might think that “Security Audit” is just a glorified term for sitting with a checklist—to a certain extent, it is. However, the seemingly mundane task of checking items off your list will let you know where you’re going wrong with security, and help you formulate a better solution.
In the corporate world, security audits are carried out by a crack team of experts, who usually come at a fee that can run close to a lakh for a single consultancy. While some aspects of an audit can only be performed by security experts, you can do a fairly effective—and very cheap—audit yourself, too.
So how does one go about a security audit, anyway? Simply put, it’s like we mentioned: knowing how your security solution should work, and checking to see whether that’s how it’s actually working. You can’t check against a policy that exists only in your head, so it’s very important to put your security policy down on paper: which programs are allowed to run on PCs, which users get access to which resources on your network, and so on.
Then comes the risk assessment: figuring out how important a security issue is. Consider the scenario that a laptop is stolen. On a scale of 0 to 10, the probability of this scenario is, say, 3. Now, on a scale of 0 to 10 again, the damage this scenario could cause is, say, 8. The risk of a particular scenario is the product of the probability that it occurs and the damage it could cause if it did, so here it is 3 × 8 = 24 out of a possible 100. The higher the risk, the more measures you’ll need to take to bring it down. The numbers used here are made up; you’ll have to assess your own situation (how scatterbrained is the employee with the laptop, how much client data is on it, and so on) and arrive at your own values. The scores are judgement calls, not measurements, so this is far from an exact science. The point of the risk assessment is to rank your problems so that you fix the worst ones first.
But we get ahead of ourselves here. First, we need to prepare for the audit.
This is where we prepare our checklists, starting with the company’s assets—PCs, printers, laptops, cameras, e-mails, passwords and so on—pretty much anything that can be threatened by unnamed malicious forces. This list should be detailed—model numbers, serial numbers, and so on.
Once you’re done cataloguing your assets, it’s time to assess the threats you might face. Common threats are stolen passwords, falling prey to a phishing e-mail, stolen or misplaced laptops and PDAs, and so on. If you can think of a threat, put it on the list—no matter how silly it sounds (once you start calculating risks, the less likely threats will find themselves low on your priority list anyway).
You should also know your security history—when was the last time you faced a security issue? How much damage did it do? Have you taken appropriate measures to ensure it doesn’t happen again? Keep tabs on security trends in the small business / SoHo sector as well—they’ll give you an idea of currently prevalent threats, and will likely lengthen your threat list.
Finally, take your threat list and calculate the risk of each threat. Now, you can begin your audit. We’ll only go through some of the more common threats here.
When you’re not controlling who has access to what data, you’ve got yourself a problem. A visitor could walk away with your list of clients, for example, and you’d be none the wiser. The ideal situation is to set up a domain controller (Digit February 2007). Failing that, you should ensure that shared folders are accessible only to specific user accounts, and that each of those accounts has a password. On Windows XP Professional, this means turning off Simple File Sharing (in Windows Explorer, go to Tools > Folder Options > View and untick “Use simple file sharing”); the Sharing tab of each shared folder then gains a Permissions button, where you name exactly who gets Read, Change or Full Control. (XP Home has no such option and always shares to everyone on the network.) You can also hide a share from the browse list by appending a “$” to its name, but remember that a hidden share is still reachable by anyone who knows or guesses the name, so hiding is a convenience, not a permission.
Another thing you want to look out for is automatic logins. While convenient, it’s more than unadvisable to allow a PC to automatically log in to a user’s account: should the wrong person be seated in front of that PC, it logs them straight in (often as an administrator), and the password itself sits in the registry in plain text. In the same vein, network passwords shouldn’t be saved on a PC. Go to Start > Run, type control userpasswords2 and press [Enter]; on the Advanced tab, click Manage Passwords and make sure the list is empty. Ditto e-mail passwords, both in the e-mail client and on the Web. Finally, ensure that when a PC is left unattended, its screen is locked ([Windows] [L]), and set the screen saver to lock the PC by itself after a few minutes of inactivity, because people forget.
The next threat comes from installed applications that shouldn’t really be installed. Most often, these are instant messaging (IM) clients, and they should be uninstalled. An IM client accepts links and file transfers from people outside your office and listens for connections on the network, which makes it both a well-worn route for malware to get in and one more program you have to keep patched. And, of course, there’s the lack of productivity that IM clients encourage so much.
Bottom line: if you don’t need it for work, it shouldn’t be installed.
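Here is a script that runs the PC-level checks above (shared folders, automatic logon, saved passwords, screen lock, unwanted programs) and writes the findings to a CSV for your audit file. It is an added example written for this article, not code from the original page or from Microsoft. It needs Windows 8 / Server 2012 or later for the SmbShare cmdlets (on XP you would do the same by hand with net share and the Permissions dialog) and an elevated prompt to read every share’s permissions. The list of unwanted programs and the idle-timeout figure are assumptions standing in for your own policy values. The script only reads; it changes nothing.

```powershell
# Added example: a read-only audit of the per-PC checks above (shared folders,
# automatic logon, saved credentials, screen lock, unwanted programs).
# Requires Windows 8 / Server 2012 or later and an elevated prompt.
# Assumptions (ours, not the article's): the program patterns and idle limit.
$UnwantedPrograms = @('Messenger', 'Skype', 'ICQ', 'Trillian', 'Pidgin')   # example IM clients
$MaxIdleSeconds   = 600                                                     # lock after 10 minutes idle

function New-Finding([string]$Check, [string]$Detail) {
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; Check = $Check; Detail = $Detail }
}

function Test-WorkstationSecurity {
    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Shared folders. ForceGuest=1 is XP's "Simple File Sharing": every share
    #    is Guest-only and per-user permissions are ignored.
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    if ($lsa.ForceGuest -eq 1) {
        $findings.Add((New-Finding 'Shares' 'Simple File Sharing is on; share permissions are not enforced per user'))
    }
    foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {
        $broad = Get-SmbShareAccess -Name $share.Name |
            Where-Object { $_.AccessControlType -eq 'Allow' -and $_.AccountName -match 'Everyone|Authenticated Users' }
        foreach ($ace in $broad) {
            # A trailing "$" hides the share from the browse list; it is not a permission.
            $hidden = if ($share.Name.EndsWith('$')) { ' (hidden share, but hiding is not a permission)' } else { '' }
            $findings.Add((New-Finding 'Shares' "$($share.Name) -> $($share.Path): $($ace.AccountName) has $($ace.AccessRight)$hidden"))
        }
    }

    # 2. Automatic logon. The registry mechanism keeps the password in plain text.
    $wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    if ($wl.AutoAdminLogon -eq '1') {
        $findings.Add((New-Finding 'AutoLogon' "AutoAdminLogon is on for '$($wl.DefaultUserName)'"))
    }
    if ($wl.PSObject.Properties['DefaultPassword']) {
        $findings.Add((New-Finding 'AutoLogon' 'DefaultPassword is stored in the registry in plain text'))
    }

    # 3. Saved network credentials (Credential Manager). cmdkey sees only the
    #    current user's store, so run this as each user who shares the PC.
    foreach ($line in (cmdkey /list)) {
        if ($line -match '^\s*Target:\s*(.+)$') {
            $findings.Add((New-Finding 'SavedCredentials' "$env:USERNAME has a stored credential for $($Matches[1])"))
        }
    }

    # 4. Screen lock: screen saver on, password on resume, idle limit respected.
    #    A domain policy under HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop overrides these.
    $ss = Get-ItemProperty 'HKCU:\Control Panel\Desktop'
    if ($ss.ScreenSaveActive -ne '1' -or $ss.ScreenSaverIsSecure -ne '1') {
        $findings.Add((New-Finding 'ScreenLock' 'Screen saver is off or does not lock the PC on resume'))
    } elseif ([int]$ss.ScreenSaveTimeOut -gt $MaxIdleSeconds) {
        $findings.Add((New-Finding 'ScreenLock' "Idle timeout is $($ss.ScreenSaveTimeOut)s; policy allows $MaxIdleSeconds s"))
    }

    # 5. Installed programs the policy does not allow, read from the Uninstall keys.
    $uninstall = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $pattern = ($UnwantedPrograms | ForEach-Object { [regex]::Escape($_) }) -join '|'
    Get-ItemProperty $uninstall -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $pattern } |
        ForEach-Object { $findings.Add((New-Finding 'Software' "Installed: $($_.DisplayName) $($_.DisplayVersion)")) }

    return $findings
}

# Run it, read it, and keep the CSV with the rest of the audit paperwork.
$results = Test-WorkstationSecurity
$results | Format-Table -AutoSize
$results | Export-Csv -NoTypeInformation -Path "$env:COMPUTERNAME-pc-audit.csv"
```

An empty report is a pass for that PC; anything else goes on the list of problems to fix. Run it on every machine, not just the ones you think are tidy, and keep the CSVs: the next audit will want to compare against them.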
Auditing The Network
Here’s where things get tricky. Network security isn’t something you can learn very easily, so you might have to spend a lot of time reading up on the Internet, or solicit the help of an expert. But first, let’s get the easy stuff done with...
If you use the Squid proxy server to control access to the Internet (and you should), you can start with blocking social networking sites, among others that could affect productivity. You can also block most popular banner advertisement servers and replace the ads with a message. Remember, though, that a proxy only controls traffic that passes through it: unless your gateway firewall also blocks direct outbound Web connections from the LAN, a user need only untick the proxy setting in the browser to bypass every rule you’ve written.
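The two kinds of blocking described above look like this in squid.conf. This is an added example written for this article, not configuration from the original page or from the Squid project. The LAN range, the two list files, the working hours and the error-page name are placeholders you replace with your own; the `localnet` rule mirrors the one a stock squid.conf ships with.

```squid
# Added example: squid.conf fragments for the two kinds of blocking described
# in the text. Placeholders: the LAN range, the two list files, the working
# hours and the ERR_ADBLOCK template name.

# Your office LAN.
acl localnet   src 192.168.1.0/24

# Working hours. Day letters: S M T W H F A (H is Thursday, A is Saturday).
acl workhours  time MTWHF 09:00-18:00

# One domain per line in each file. A leading dot (.example-social.com)
# matches the domain and every subdomain of it.
acl socialnets dstdomain "/etc/squid/blocked-sites.txt"
acl adservers  dstdomain "/etc/squid/ad-servers.txt"

# Squid stops at the first http_access line that matches, so every deny rule
# must come before the allow for the LAN.

# Productivity sites: denied during working hours only (both ACLs must match).
http_access deny socialnets workhours

# Advertisement servers: denied at all times. deny_info swaps Squid's default
# error page for a template of your own, so a one-line message (or a blank
# page) is served where the ad would have been. Put the template file in your
# error_directory, e.g. /usr/share/squid/errors/English/ERR_ADBLOCK.
deny_info ERR_ADBLOCK adservers
http_access deny adservers

http_access allow localnet
http_access deny all
```

After editing, run `squid -k parse` to check the syntax and `squid -k reconfigure` to load it. Test from a client PC that a blocked site shows your page during working hours and loads normally outside them; that test belongs in the audit checklist, not just in the set-up.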
Now comes the tricky part: scanning the computers on your network for open ports. Network ports let PCs (more specifically, services running on PCs) accept connections from the network and the Internet, so every open port is also a way into that PC. Usually, most ports on a PC are closed and don’t accept incoming connections. An open port isn’t an invitation to hackers in itself; it just means a service is listening there. But that service is now reachable by anyone on the network, and its security becomes your problem: is it needed, is it patched, and who should be allowed to talk to it? Running a port scan on a PC (using a tool called nmap, which has Windows-based GUIs too) tells you which services are using which ports, so you can compare that with what you expect to be running on that PC and disable the rest, like those pesky IM services. If you’ve been compromised before, a port scan is essential, since it will show up anything an intruder left listening. Even if you’ve had no security problems so far, don’t just install firewall software on each PC and call it done: a firewall limits who can reach a port, but you still need to know what’s listening behind it, and a scan from another PC is the only way to see your machines the way an attacker does.
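Comparing a scan against what you expect is where the asset list you made earlier pays off. The script below does that comparison: it reads nmap’s XML output and reports every open port that isn’t in the expected-ports table for that PC, plus every PC the table doesn’t know about at all. It is an added example written for this article, not part of the original page or of nmap. The XML is a constructed sample in nmap’s -oX format so that the script runs without a network; the addresses, host roles and expected ports are assumptions standing in for your own asset list.

```powershell
# Added example: compare what nmap finds listening on each PC with what your
# asset list says should be listening, and report everything else. The XML
# below is a constructed sample in nmap's -oX format so the script runs
# offline; for a real scan replace it with (from an elevated prompt):
#     [xml]$report = (nmap -oX - 192.168.1.0/24) -join "`n"     # add -p- to scan all 65535 ports
# Addresses, roles and the expected-port table are assumptions for the example.
$expected = @{
    '192.168.1.10' = @(445, 3389)   # file server: file sharing and Remote Desktop
    '192.168.1.21' = @()            # ordinary workstation: nothing should be listening
}

[xml]$report = @'
<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -oX - 192.168.1.0/24">
  <host><status state="up"/><address addr="192.168.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
      <port protocol="tcp" portid="5190"><state state="open"/><service name="aol"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="192.168.1.21" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="139"><state state="closed"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="5222"><state state="open"/><service name="xmpp-client"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="192.168.1.99" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    </ports>
  </host>
</nmaprun>
'@

function Get-UnexpectedPorts([xml]$Report, [hashtable]$Expected) {
    foreach ($h in $Report.SelectNodes('/nmaprun/host')) {
        $addr    = $h.SelectSingleNode("address[@addrtype='ipv4']").GetAttribute('addr')
        $known   = $Expected.ContainsKey($addr)
        $allowed = if ($known) { $Expected[$addr] } else { @() }
        # Only open ports matter here; nmap reports closed and filtered ones too.
        foreach ($p in $h.SelectNodes("ports/port[state/@state='open']")) {
            $port = [int]$p.GetAttribute('portid')
            if ($port -in $allowed) { continue }
            $svc = $p.SelectSingleNode('service')
            [pscustomobject]@{
                Host     = $addr
                Port     = $port
                Protocol = $p.GetAttribute('protocol')
                Service  = if ($svc) { $svc.GetAttribute('name') } else { 'unknown' }
                Note     = if ($known) { 'not expected on this PC' } else { 'PC is not in the asset list' }
            }
        }
    }
}

Get-UnexpectedPorts -Report $report -Expected $expected | Sort-Object Host, Port | Format-Table -AutoSize
```

On the sample data it reports three lines: port 5190 (an IM service) on the file server, port 5222 (another IM service) on the workstation, and port 80 on 192.168.1.99, a machine the asset list doesn’t know about, which is the kind of finding that should send you looking for an unregistered PC or a visitor’s laptop. Scan from a PC other than the one you are checking, and scan every address in the range, not just the ones you know.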
You also need to check up on your backup solution: the frequency of backups, whether every PC with important data is actually covered, and so on. Try restoring a file from a recent backup as part of the audit, because a backup you’ve never restored from is a backup you can’t trust. Consider building in some redundancy by storing some critical data on an online backup solution as well, just in case.
Your e-mail server needs to have proper anti-spam and anti-phishing measures built into it— just one successful phishing attack can become a slap in the face of all you’ve done so far.
Failing An Audit
If you’re done with an audit and have passed with flying colours, chances are you didn’t do it right. Most companies that undergo a security audit fail it, particularly the first time; it’s a part of life. What you need to do now is start addressing issues immediately. Based on what the audit turned up, you’ll be able to estimate the probability of each scenario more accurately, so redo your risk calculations with the new values. Once that’s done, you’ve got yourself a prioritised list of the problems you should be attacking.
With the laptop problem we saw before, there’s plenty of potential for damage if it were to get stolen or misplaced. To mitigate this risk, encrypt the laptop’s hard disk. This way, even if the laptop does fall into the wrong hands, none of your data can be read. Two caveats, though. Encryption protects a laptop that is switched off; one that is merely asleep or left running already has its disk unlocked, so make powering laptops down before they leave the office part of the policy, and keep up the screen-lock habit. And the encryption is only as strong as the passphrase that unlocks it, so keep that passphrase off the sticky note, and keep a copy of the recovery key locked up in the office, or a forgotten passphrase will lose you the data as surely as a thief would.
Once you’re finished with a security audit, make sure you keep the results handy for your next audit. The results of the audit will give you enough food for thought, and will help you correct flaws in your security policy. Share an overview of the audit with your team, so they too can know what they can do to reduce your risks. If you found a lot of critical flaws in this audit, make sure you schedule a new audit as soon as you’ve addressed these flaws. If this is your first audit, schedule another one very soon, and ensure that you’re auditing your security at least thrice a year.
Finally—and we’ve mentioned this many times in these pages—there is no substitute for an informed and educated team. Therefore, security shouldn’t be just your concern—it should be everyone’s.