The mandatory access control model assigns users’ roles strictly according to the system administrator’s wishes. This is the most restrictive access control method because the end user cannot set any access controls on files. Mandatory access control is popular in highly secretive environments, such as, the defense industry where errant files can jeopardize national security.

Discretionary access control is at the other end of the access spectrum differing from the mandatory access model in that it is the least restrictive of the three models. Under the discretionary access model the end user has complete freedom to assign any rights to objects that he wishes. This level of complete control over files can be dangerous because if an attacker or malware compromises the account then the malicious user or code will have complete control as well.

Role based access control creates permissions by assigning access rights to specific roles or jobs within the company; RBAC then assigns users to those roles, thereby granting privileges. This access control model functions effectively in actual organizations because files and resources are assigned permissions according to the roles that require them. For instance, a system administrator may create an access role for managers only. So a user would need to be assigned the role of a manager to use those resources.

One of the lesser-discussed access control models is Rule Based Access Control (RBAC). It shares the same acronym as role based access control but incorporates top-down management similar to mandatory access control. Rule based access control permissions are only assigned by the system administrator. Rules are attached to each resource, which governs the access levels that will be allowed when a user tries to use it. An example of rule based access control is only allowing a resource to be used at certain times of the day or only allowing specific IP addresses to access the resource.

The term identification refers such things as user names and identification cards.  It is the means by which a system user identifies who they are.  This step is usually performed when logging in.

Authentication is the second step of the access control process.  Passwords, voice recognition, and biometric scanners are common methods of authentication.  The purpose of authentication is to verify the system user’s identity.

After a system user is authenticated they are then authorized to use the system.  The user is generally only authorized to use a portion of the system’s resources depending upon their role in the organization.  For example, the engineering staff would have access to different applications and files than the finance staff, or human resources.

There are more ways to enforce access control besides using software.  Access control can be maintained by something a simple as a locked door.  Only users with the correct key or door card would be allowed to enter.

One of the principles that should be incorporated when establishing an effective access control policy is the practice of minimal access or least privilege.  What this means is that a user should have the least amount of access required to do their job.  The principle of least privilege includes limiting the resources and applications accessible by a user as well as the time access is allowed.  For, instance at times it may not be advisable to allow access to financial records at 3AM in the morning when the facilities should be closed.

A fire can destroy computer equipment and incinerate a building very quickly so some type of fire suppression system is a must. Many commercial buildings have a water sprinkler system. Unfortunately, spraying electrical equipment with pressurized water will short the circuits. Even some chemical fire suppressants can foul electronics.

Clean Agent fire suppressing systems, such a carbon dioxide or Inergen systems, should be used extinguish flames around electric and high voltage equipment. A clean agent system is also non-toxic to people so the after affects will be minimal after work resumes.

Attackers are able to eavesdrop on computer systems, displays, and other similar devices by detecting their electromagnetic emissions. This process is called Van Eck phreaking. Countermeasures to prevent eavesdropping have been put forth by the National Security Agency (NSA) in a study code named TEMPEST, Telecommunications Electronics Material Protected from Emanating Spurious Transmissions. Some of the unclassified measures include special shielding between circuits and equipment or within the building. Other countermeasures including scrambling the signal or installing a Faraday cage, which is a metal mesh structure that stops electromagnetic signals form leaking, around the computer room.

Finally, the HVAC must be controlled to ensure that the environment does not do damage. Humidity levels that are not correct can damage equipment. For instance, air that is too dry can create static that can damage equipment. Temperatures that are too hot or too cold can also degrade a system. Adding to the complication is the dry heat emitted from electronic devices.

Companies need to be protected both legally, and in terms of network and information security. Content filters help to prevent programs and files from being downloaded that may be malicious, stealing company data, infecting systems with viruses, and more. Internet content filters are a necessary evil that actually help security.

Additionally, Internet content filters help to keep both an organization and an individual legally protected. By blocking pornographic websites, organizations are helping to prevent sexual harassment lawsuits against themselves, as well as the individual accessing the website. Hate-filled websites dealing with racism, sexism, and more are also blocked to prevent offending anyone, and leaving an organization and individual open to a hate crime related lawsuit. For the large amount of protection these filters provide, the small hindrance and annoyance they bring about are very minor.

Whether it involves using the internet at work, school, or the library, most organizations utilize IT specialists, such as site administrators or media directors, to assist with the decision of which internet filters to implement. These specialists can also help organizations monitor the daily use of the Internet and create website tracking methods.

For most library institutions, it is up to the local library board to decide which websites are appropriate for their visitors to use. The librarians who work at an individual location may have a significant amount of input towards this decision, as well as monitor the activity of the computer systems while in use.

In an elementary through high school environment, the board of education, principals, teachers, and parents should all have a say in which Internet sites are made available to young students. Most parents filter Internet use for their own children at home, so it is imperative that they contribute their opinions.

At a college level, most universities should allow department deans and campus libraries to determine the appropriate Internet sites allowed in the classrooms, administration facilities, and academic departments. Depending on the specialty of a given department, certain websites may be allowed in one area over another due to the type of research that is required for specific classes.

As for a work environment, executive level management should be involved with the decision, however, department directors should be the main point of contact regarding which websites are allowed and how employees will be monitored.

Unfortunately, there are multiple ways around filters, including proxy websites, and more can be found online.The punishments used against individuals can vary specific to the organization and the severity of the websites used when circumventing Internet filters. In either of the environments mentioned above, the rules and regulations of Internet use should be made clear from the beginning.

Filters are implemented for a reason and for an individual to break the filter, he or she must understand the consequences.  In some cases, the severity of the websites accessed may come into play. Some companies do not allow employees to utilize personal email websites such as Hotmail, Yahoo, or Google. This type of site may be considered a minor offense, however, websites that may involve illegal activity would be considered a severe offense and require an appropriate response.

While this document covers many rules, standards, and guidelines, it is not exhaustive. So, human resource administrators, employees, contractors, and third parties should exercise due care with regard to how employee information technology is handled.

New employees should receive information security training and occasional awareness updates to promote employee vigilance within the company. These activities ensure that employees understand and take responsibility for company information and resources.

The following minimum procedures should be clearly spelled out and enforced.

• The employee is not allowed to download and/or install unauthorized software onto organization computers nor should they connect to the network with unauthorized equipment.
• The employee is not allowed to hinder the proper operation of protection tools including antivirus programs, screensavers, etc.
• The employee is not allowed to access prohibited sites via the Internet.
• Employees must inform their immediate superior and the IT department of any security incident or malfunction they encounter.
• Employee should be instructed in the creation of strong passwords and proper password storage. In addition, the password should expire after a certain length of time depending on the access sensitivity.
• When an employee moves or changes roles within the organization their access privileges must be updated accordingly.
• When terminating an employee, the employee’s access to technology resources should be immediately suspended.
• Once the employee has been informed of the termination, he should not be allowed to return to his office but should be immediately escorted out of the building.
• The IT department should have a list of all user accounts and suspend the appropriate accounts immediately.
• Log files should be routinely scanned to ensure that all employees’ accounts were suspended.
• The supervisor should be responsible for reviewing all employee electronic information and either disposing of it or forwarding it to their replacements.
• The supervisor should be responsible for the return of all the terminated employees access cards, ID badges, and manuals.
• The supervisor should be responsible for the return of all company owned electronic equipment issued to the terminated employee including laptops, wireless cards, cell phones, and PDAs.

A formal disciplinary process concerning any and all users who breach security rules must be developed and published within the organization.

In order to ensure that the organization is not ethically or legally liable for misconduct any employee accused of a malicious activity should be treated equally and not given preferential treatment. Also, any investigation into suspicious employee conduct should examine all material facts.

Email spam that is targeted at individual users can be more than just an annoyance.  Spammers can distribute viruses through email messages sent to your inbox.

There are several ways to stop spam. We have outlined four methods here.

The first method for an organization is to install a corporate spam filter.

A corporate spam filter is installed on the receiving email server.  There are two options for installing a corporate spam filter:

• Install a spam filter with the SMTP server

The SMTP protocol is for sending email SMTP.  This is the most direct and easiest method for installing a spam filter.  The filter is installed on Port 25 where it inspects incoming email messages and then passes them on to the  SMTP server that is listening on another port.  The SMTP server then sends the message to the POP3 server, which forwards it to the email recipient.

• Install a spam filter with the POP3 server

The POP3 protocol is for retrieving email.  When a spam filter is installed on the POP3 server, email messages must still pass through the SMTP server.  This may cause increased costs for data storage and handling.

The second method to stop spam is to contract with a third party organization. Using this method all email is directed to the third party’s spam filter.  Unsolicited bulk mail (spam) is deleted and the clean mail is redirected to the organization’s recipient.  In order for the organization’s mail to go to the third party their MX (mail exchange) record must be changed at the Domain Name System (DNS).

The third method is to install a spam filter on your local computer. The majority of email clients can be configured to filter spam.  Some of the configurations typically include:

• Blacklist Senders

This configuration blocks a list of senders.  Databases of blacklists are available on the Internet.

• Whitelist Senders

This configuration allows the recipient to enter a list of email addresses that are allowed to pass thru.  All others are sent to the junk email folder.

• Block Top Level Domain

Some spam filters can be configured to block email from regions and even entire continents known for distributing spam such as Eastern Europe.

The final method is to install a separate spam filtering software. The software works with your email client to eliminate junk mail.  This software may need to be “trained” meaning that the user must identify the unsolicited messages they receive as spam.  The filtering software then uses the characteristics of the spam messages to identify and block unwanted email.

A comparison and list of spam filters is available HERE.

A user’s fingerprint consists of a number of ridges and valleys on the top layer of skin. A fingerprint scanner plate using optics or capacitors collects a print sample of the pattern of peaks and valleys, converts the pattern to a number or algorithm, and compares it to other stored templates.

There are two basic types of fingerprint scanners, dynamic and static, with the latter being easier to defeat because a print can be extracted from another object and transferred to the scanner. The dynamic scanner uses a small opening or window to capture prints, which makes it much more difficult to defeat.

Circumventing fingerprint scanners is possible because optical scanners can’t always distinguish between a picture of a finger and the finger itself, and capacitive scanners can sometimes be fooled by a mold of a person’s finger. Some scanners have additional pulse and heat sensors to verify the finger is alive but even these systems can be fooled by a gel or silicone printed mold over a real finger.

In addition to threats by posed attackers, fingerprint scanning has inherent problems, for instance in cold climates it might be too cold for fingerprints to register on a heat sensor or a finger may be too dry to close a capacitive circuit. Further, the (FAR) false accept rate and (FRR) false reject rate of fingerprint scanning compared to other biometric standards is somewhat misleading due to the fact that much of the data comes from biased vendors. However, in general fingerprint scanning rates are better than facial recognition rates but less favorable when compared to iris recognition or palm print scanning.

Keep in mind that there is no perfect biometric system and each type has its own advantages and disadvantages, and must be evaluated according to its application.

To make security systems more reliable, it’s a good idea to combine biometric analysis with other means of identification, such as a password, or other multi-factor authentication systems.

We would not recommend the fingerprint scanning biometric technique for locations or objects that require a high-level of security. If a building with highly sensitive information had fingerprint scanning as the only security device, then even a layman could lift a fingerprint from a car door, glass, etc., and gain access to the building.

Like passwords, fingerprint scanning is merely a deterrent from access to information. Fingerprint scanners are used on many laptops today, but the primary security measure is to lock it in the trunk when traveling or keep it locked in the house because with enough time, someone could break through password or fingerprint security.

Drive acquisition is a fundamental process in the field of digital forensics, but the acquisition of an entire hard drive must be a forensically sound image that is a flat file bit stream image. Volatile data is extremely valuable evidence that can easily be lost, as it is data that is stored in RAM, a Window’s page file, or other repository that is wiped clean when a computer is shutoff. Both of these items need to have their accuracy guaranteed through hashing, which is basically a digital signature from the original hard drive or volatile data that is matched to the exact mirror image backup of that data. If these hashes do not match, the copy of the data is not considered to be a true, forensically sound copy of the original data.

The following table summarizes details of a handful of the top forensic tools on the market today.

Based on the various features and types of data searched, if a company were to purchase just one of these tools, it would have to be P2 Enterprise Edition (P2EE) by Paraben Corporation. P2EE offers all of the required functions and features for most forensic teams, while also giving an organization the tools it needs to be proactive in monitoring and storing digital evidence.

However, if an organization truly had no budget limitation, it should purchase:

• P2 Enterprise Edition by Paraben Corporation
• Forensic Toolkit (FTK) by AccessData
• EnCase Enterprise from Guidance Software

FTK provides numerous features that P2EE does not, such as recovering passwords from a plethora of applications, as well as steganography, which many terrorist and child pornography rings use to avoid detection. EnCase Enterprise is very similar to PS Enterprise Edition, so it may simply be overkill to have both, but a larger company should definitely consider it since the cost of running both would be minimal compared to the consequences of one missing something that the other may catch.

By combining these three forensic suites, a digital forensic team would be able to accurately track, monitor, gather, and report digital evidence to any law enforcement or organization that requires it, both proactively and reactively.

Sources:

1. http://www.accessdata.com/forensictoolkit.html
2. http://www.e-fense.com/h3-enterprise.php
3. http://www.guidancesoftware.com/products/ef_index.aspx
4. http://www.paraben-enterprise.com
5. http://www.paraben-enterprise.com/p2es.html
6. http://www.paraben-enterprise.com/p2ee.html
7. http://www.techpathways.com
8. http://www.techpathways.com/prodiscoverin.htm
9. http://www.scmagazineus.com/Forensic-Toolkit-v20/Review/2380/
10. http://www.scmagazineus.com/Paraben-P2-Enterprise-Shuttle/Review/78/
11. http://www.paraben-forensics.com/catalog/product_info.php?cPath=25&products_id=369&osCsid=2ba225bcdf31dd81d958f939efd173d3
12. http://www.techpathways.com/order.htm
13. http://www.scmagazineus.com/Guidance-Software-EnCase-Forensic-v-6/Review/159/
14. http://findarticles.com/p/articles/mi_m0EIN/is_2002_August_1/ai_89956939/

In the absence of a wireless probe to monitor the airwaves, security personnel can manually search for rogue access points. An inexpensive but effective method for finding potential rogues is to use a freely available Transmission Control Protocol (TCP) port scanner that identifies enabled TCP ports from various devices connected to the network.

The steps to discover a rogue access point begin with running the port scanner software from a computer connected to the network. The utility uncovers all Port 80 (HTTP) interfaces on the network, which include all Web servers, some printers, and nearly all access points. The access point will generally respond to the port scanner’s ping with the vendor name and its corresponding Internet Protocol (IP) address.

Once an access point is discovered, the network administrator must determine if the access point is or is not a rogue. Ideally, the administrator would use software that would allow a pre-configured authorized list of access points. If the scanning for rogue access points is manual, a list of authorized access points is still necessary. The authorized list can be populated using the following attributes:

• MAC Address
• SSID
• Vendor
• Radio Media Type
• Channel

The aforementioned attributes, determined automatically or manually if software is not being used, will alert the detection tool if access points with differing attributes from the authorized list are present.

When rogue access points are determined, the administrator must have procedures in place to identify their locations.

Perhaps the most difficult step in this discovery process is to determine the physical location of the rogue access point. Router table entries may help. A routing table is present on all IP nodes.

The routing table stores information about IP networks and how they can be reached. Because all nodes perform some form of IP routing then any node loading the TCP/IP protocol has a routing table. When an IP packet is to be forwarded, the routing table is used to determine the physical or logical interface used to forward the packet to either its destination or the next router.

With the information derived from the routing table, a rogue IP address may be located by determining which node the address utilizes. Keep in mind that the location of nodes must be correlated with the addresses in the routing table. The limited operational distance of the RF signal can be useful in narrowing down the physical location of the rogue access point as well.

Perhaps the most fundamental step in protecting against a rogue access point may be having a security policy. A security policy should outline the rules against unauthorized wireless devices and employees should be educated about the policy.  This will help stop the most common users of unauthorized devices, employees.

Sources:

1. http://compnetworking.about.com/cs/wireless/g/bldef_ap.htm

2. http://www.wi-fiplanet.com/tutorials/article.php/1564431

3.http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/cnet/cnbb_tcp_oauc.mspx?mfr=true

4. http://whitepapers.zdnet.co.uk/0,1000000651,260114539p,00.htm

5. http://www.manageengine.com/products/wifi-manager/rogue-access-point-detection.html

6. http://www.smallbusinesscomputing.com/webmaster/article.php/3590656

7. How to Cheat at Securing a Wireless Network, Chris Hurley and Lee Barken

1. Port scanner
2. Network scanner
3. Web application security scanner
4. Computer malware scanner

While it isn’t important to delve into detail about what each of these scanners does, it is extremely important that you understand the weaknesses in your system. The Internet is awash with suggestions about which security scanner would be best for your computer. But don’t worry, these are free! So you can try them all and choose the one you are most comfortable using.

• Let’s start with the Nessus Project. This program provides heavy Internet users a free, powerful, and easy to use remote scanner.  Nessus scanner can be used throughout an entire enterprise, inside DMZs and across physically separate networks.  It is available for a variety of operating systems including: Window, Mac, Linux, FreeBSD, and Solaris.

• Next comes the MBSA or Microsoft Baseline Security Analyzer is a free tool to analyze a Window’s computer security configuration.  This tool points out the weaknesses in your system AND recommends how to fix them.

• GFI LANguard on the other hand analyzes and archives events logs of all machines in a network and alerts you in real time of a security breach.  This network and security scanner addresses patch management, network auditing, and vulnerability issues in one package.

• Next up is the Tripwire. This is software that checks for major changes in your system. It also monitors key attributes of all files that should not change including binary signature, size, expected change of size etc.

• Then there is the Nmap (Network Mapper), which even though is not a vulnerability scanner technically; it helps find potential vulnerabilities that are hiding in plain sight.  Nmap is able to fingerprint a network and tell what types of operating systems, applications, versions, firewalls, etc may be running on a network.

Just picking and running a vulnerability scanner is not enough. You have to take time to evaluate the results of the scan and always apply the appropriate remedies.  Keep in mind that as useful as these tools are for network administrators to assess the security of their systems, they are also useful for attackers.  An attacker uses vulnerability scanners to perform network reconnaissance on a potential target.  Their aim is to determine what weaknesses are present that they may be able to exploit and break-in.

An attacker or malware only requires three elements to exploit the vulnerability:

1. A flaw in the system.
2. An attacker’s access to the flaw.
3. The attacker’s ability to exploit the flaw.

In a recent experiment conducted in the United States, several new Windows XP computers were connected to the Internet using a DSL connection. They had the latest operating system patches but no anti-virus and no firewall. They recorded an average of 300 security intrusions per hour at the end of the first day!

Some of the common yet dangerous computer and network vulnerabilities include:

• Unsupported or unpatched operating systems. Windows 95, 98 and NT Networks are no longer supported by Microsoft. XP Home or Windows Me are never appropriate for office usage. Only Windows XP Professional or Vista Business is recommended for office usage. Make sure that your operating system has the latest service pack updates installed.

• Even though anti-virus software is installed on 95% of the computers, in 90% they are not configured properly. Then what’s the point of having anti-virus SW? Make sure that you download and install periodic updates from the Internet.

• Never go for free or cracked anti-virus software to save a few bucks and expose your computer to serious threats.  Free AV is only recommended for light computer use.

• If you are an Internet junkie that engages in risqué habits (i.e. pornography, black-market, and underground sites) then it is imperative that you install a hardware firewall as opposed to just a software firewall.

• Most of the time it is we who expose our computer or network to vulnerabilities by downloading and installing peer-to-peer file sharing software like Kazaa, Limewire, Morpheus etc.

• Downloading and installing screensavers and playing online games can also be threatening to your computer due to patchy software with vulnerable holes.

• Installing Freeware or software that is free. We do it because…well…they are free! But they can be also dangerous, you just don’t know where it came from or if it is being properly maintained and updated.

• Not backing up your data is a disaster waiting to happen.  All hard drives will eventually fail.  So, unless you are backing up your data regularly, be prepared for it to vanish.  There are companies that can recover your data but they are expensive!

Also, power spikes and outages are also extremely dangerous for your computer and network. So using a UPS will prevent this, and prevent disconnections from the net.

If you have a wireless network, you should be even more careful with your network. It is extremely easy to sneak up on wireless networks and go undetected. And since a wireless connection is popular nowadays, you probably have even noticed, while you are checking your mails sitting in your bedroom; your neighbors network! Some ways to protect your WiFi connection are:

• Use preferred encryption methods in this order:

1. WPA2
2. WPA (been cracked)
3. WEP (been cracked). Use WPA and WEP if you have no other choice.

• Change your SSID code every two weeks and keep it something obscure that is hard to guess.
• Keep the ‘broadcast SSID’ option in your WiFi turned ‘off’.
• Turn off your WiFi when you are not using it and use an alternative.
• Disable DHCP on the entire network.

Install a web filter. This device controls access to certain websites and content. If you have children in the house, you might want to keep this turned on. There are some open source web filters available on the web like:

B Gone

K9 Web Protection

Privoxy

Parental Filter

Install a spam filter, desktop firewall software, and antivirus and make sure that you update and maintain these regularly.

Installing encryption software will prevent prying eyes from gaining access to your personal data. Apple has harddrive encryption functionality built-in. It is called FileVault. However, it does not work with Time Machine.?

There are also various password management software that let you create and remember extremely complex passwords. A useful tip: never use a single password for everything. Never use the password you use for your emails and bank accounts on open source software.

It is also important to install a back-up and recovery system. So that if, unfortunately, your computer crashes, you will still have all the important data and files intact.  These few tips will go a long way toward maintaining a secure home network.  The rest involves staying up to date on the latest security threats and acting accordingly.

Lesson One: InfoSec Fundamentals
What information security is, the current attack trends and basic vocabulary of security professionals.

Lesson Two: Attack and Defense
The basic attacks and basic defenses, cybercrime, security management, and corporate information systems defense.

Lesson Three: TCP/IP
The secrets of TCP/IP, structure of protocols, networks and the Internet.

In addition if you sign up for our full 25 lesson course you will be able to download audio, video, transcripts, definitions, and quizzes to test your understanding.