The Organization Customers

From a business perspective, customers are the main stakeholders and as such, an organization needs to build a trust factor that is transmitted to its customers. If customers are confident that they are dealing with a reliable and secure entity then the business prospers. The outer layer deals with security considerations related to the business customers:

• The need to know your customers, their trends and features as this will help you identify non-customers or better criminals
• Monitoring techniques (automated processes) that flag abnormal trends or find irregularities
• Compliance with regulatory requirements – Ex: PCI, ISO and others
• Customers’ authentication considerations – the famous “something you have” + “something you know” concept
• Strong data encryption techniques, SSL certificates, Security seals (Hacker Free Site), etc.

The Organization Web presence

As you drill down to inner layers, the security approach shifts its attention towards the technical requirements with respect to its web services. Note, some of these requirements are defined by the outer layer and hence, you need to keep an interrelationship between the layers.

• Web server security considerations – web service starts with a restricted user acct, unused accts and services are disabled, admin strong passwords, SSL certificate from a top CA such as, VeriSign, log management, patch management, etc.
• Monitor web traffic for malicious activities such as, DDOS and hacking attempts. Introduce adequate high level monitoring techniques such as, page load times, etc.
• Web applications considerations – Database connection account restrictions for writes and reads, cross-site scripting and SQL injection threats – review and hardened application code
• Web Load balancers & DNS considerations – both pose a serious threat especially to banks and financial institutions – phishing, DNS poisoning, zone transfer, etc
• Remote admin & data transfer considerations – strong encrypted channel with Public/private keys if possible.

The Organization

At the core of the 3 layers, we find the organization physical, logical and personnel security aspects. Briefly, we find all security measures that an organization would normally implement, however, as described earlier you need to undertake each layer with respect to its outer layers’ elements and build on them.

• A criminal may target the organization employees
• The major threat being email as it spread viruses, spyware and malware.
• Employee negligence can result in infected workstations – Employee training!
• Another threat which is becoming major is social networking – the need of a good Internet Traffic monitoring & blocking tool is a must!
• A practical Email and Web usage policy needs to be in place and followed
• Social engineering countermeasures such as, Policies & Procedures

Organization’s Physical & Logical Security with respect to outer layers’ elements

• How are remote offices connected? – Secure channel over the Internet (ex: VPN), bridge connection (leased lines, SAT, others) – Each method has its own weaknesses in terms of performance and security
• Office/s Internet connection setup needs double perimeter or a DMZ, an application based firewall, and an IDS or IPS
• Employees’ workstations – patch management, antivirus, anti spyware/malware with group polices that disallow users from stopping such services
• Wireless considerations – does the wireless bridge the internal LAN with external Net?
• LAN devices in general – replace default username & passwords and configuration. Devices such as, network switches pose a serious threat.
• The most critical assets are the internal servers that connect to the Internet such as, email, web proxies, DNS and web application backend servers
• Determine all known vulnerabilities for each system and mitigate possible threats with adequate controls.
• Configuration reviews and best practices must be followed
• Adequate log management – collect, analyze & report
• Protocols, Operating Systems, user browsers, tools, applications – in need of a complete and detailed hardware & software inventory

Finally, the best security measure is making sure that an alternate option is always available, in case, all security measures fail. I am referring to business continuity (BCP) with tested data backups, adequate redundant systems, DR and contingency plans.

What are the new challenges introduced with virtualization? As opposed to the traditional environment, we can hardly define a control structure for a virtualized environment. With the greater flexibility and rapid provisioning there is a risk of sprawl management and with the decentralized unrestricted access management, there is a risk of non-compliance or security breaches – virtualized control management needs to take a new form! The challenge is to create a structure that is dynamic, portable and accurate.

Implementing a control structure to an existent uncontrolled environment may be painful as it may requires configuration changes! As regards to implementing best practices and procedural controls the tasks is somewhat less painful. Therefore, securing and controlling the virtualized environment should take into consideration both the technical aspects and human factors. The best approach would be to plan ahead all controls before implementing the virtualized environment.

There are various areas to consider when designing a virtualized environment. One concept often ignored by IT stuff is to separate the management network traffic from the data services network through separate subnets. Another common trend is to group Virtual Machines by performance levels instead of trust/criticality level first. Is the IT including the hypervisor (virtualized platform) in its patch management exercise? There may be even tougher design decisions at the network level.  As the network components in virtualized environments are all virtual, such as, vnics, virtual switches, etc. special attention is required to design the network layout. The environment may require a firewall or DMZ within the hypervisor or enabling virtual MAC protection. Remember, that certain vendor specific products enable nics in promiscuous mode and disable MAC protection!

If the company backup strategy is based on images and snapshots, then apart from the well defined procedures and policies one needs to test recovery procedures. In a Windows Active Directory environment, restoring an outdated or out of sync AD server will cause problems! Images of Virtual Machines are easily copied to external devices and taken off the premises. Are there any controls in place or detection mechanisms to monitor such movements?

Once, the virtualized environment is up and running, guidelines, procedures and policies need to be put in place. These should include segregation of duties, identity and access management, asset and log management. As it is very difficult to track incidents, access restrictions to logs need to be established. While restricting access to virtualized resources is important, make sure that logs are enabled and collected from all components, including the hypervisor logs. Educating stuff about policies and procedures is essential, however, auditing such procedures on regular basis is vital!

1. To start the backup utility, go to the Start menu, All Programs, Accessories, System Tools, and Backup
2. The backup main window opens, by default the wizard loads first if this is the first time you are running the utility. I suggest that you uncheck the Always start in wizard mode option.
3. From the backup main window, click the Backup tab
4. From the left-hand side pane, expand your data drive by clicking the + sign and searching through the folders structure find the data you want to back up
5. Select the data by checking the respective check box – I suggest you include the System State check box from time to time as to have a backup of your system important files
6. From the Backup media or file name: Browse button, select the destination backup location- I suggest using removable media such as, a USB drive or a network share if available
7. Click the Start Backup to load the next window
8. From the Backup Job Information window, select the Replace the data on the media with this backup radio button and click the Advanced… button
9. From the Advanced Backup Options window, it is important to select the Verify data after backup check box and click OK - for info about backup types see – Data Backup Types
10. Click the Schedule… button if you want to perform the job later – you are ask to save the options selected and to enter the admin password
11. Click the Start Backup button to initiate the backup job – the Backup Progress window loads and you can click the Report… button to view the status of the backup job
     
    Note: It is important to check the log files for errors – for example, the number of backed up folders and files should match that of the Verify section and the value of the Different: element is 0. By default, all log files are saved in C:\Documents and Settings\’your username’\Local Settings\Application Data\Microsoft\Windows NT\NTBackup\data