Vanuatu IT Users Society


Network Security

August 11th, 2008 by jtoara

This online document was authored by IT professionals in Vanuatu at the IT Best Practices Workshop, held June 24, 2005 at the Freswota Computer Resource Center (CRC).

Attendees/Authors:

Dan McGarry

Ken Henjo (VIT)

Tom Nako (VIT)

Jack Nato (CRC Staff)

George Keithson (CRC Staff)

Simon Hilton (AYA - Vanuatu Financial Service Commission)

Noeline Bule (Save the Children)

Andrew Moli (Vanuatu Financial Service Commission)

George Petro (Wan Smolbag)

Marianne Berukilukilu (Laho Ltd.)

Craine (CRC Staff)

Dan Ken Hinge (Habitat for Humanity Vanuatu)

David Otto (Customs)

Alex Nganga (National Bank of Vanuatu)

Jackson Miake (National Bank of Vanuatu)

THE Vignetenator (?)

What is security?

* Protection against unauthorised access

* This includes access to all important information (including documents, email, databases etc.)

* This includes protection against internal and external threats

* Threats can come from a number of places: the environment, automated threats (like viruses, trojans, spyware) and direct human threats (hacking/cracking).

* Ensuring a safe computing environment includes making sure that equipment is not likely to fail, or if it is, that a plan exists to ensure that data is not lost. This is known as Fault Tolerance.

* Security is a (holistic) process

Who is responsible for security?

  • Everyone is responsible for security. Everybody needs to understand their role in ensuring security. This includes backups, system maintenance, information management and site security. All the good planning in the world doesn’t help if the cleaner pulls the server’s plug out to run the vacuum!

How do we approach security?

Security needs to be approached methodically, but it requires a holistic view. It’s not safe, for example, to decide on an anti-virus software package in isolation. Does it work with the firewall? Is it easy to use? What are the staff training requirements?

Reference Materials

The best way to stay secure is to stay informed. Here are a few sites that offer useful information on computer-related security issues.

  • http://slashdot.org/ - Lots of talk and analysis on all kinds of tech-related news
  • http://isc.sans.org/ - The Internet Storm Center is one of the best sources of breaking news on new Internet-based security threats.
  • http://www.securityfocus.com/ - Home of the bugtraq mailing list, this is often the first place where important security issues are reported.
  • http://www.ntbugtraq.com/ - A bugtraq devoted entirely to Windows exploits.
  • http://www.cert.org/ - Home of the Computer Emergency Response Team, this website is a compendium of important security-related information. Recently, they’ve been rather slow to issue reports, however. They’ve become better known as a source of vendor-specific information about existing exploits.

Network Security

This section deals with network-specific security issues. It covers both the physical and logical aspects of network configuration.

Threats

  • Planning

Poor planning can cause significant problems in implementation. This is especially true in terms of the logical layout of a network. Sometimes, planners don’t anticipate ways in which the network could be breached or abused. For example, a decent firewall might not stop someone from connecting a modem to their computer and gaining access to the Internet through it. USB drives and CDs are also vectors that are often forgotten when looking at information flow.

Planning requires research and consultation. The Internet community (and VIGNET!) can be very valuable in helping to anticipate problems and take advantage of features that you might not have been aware of.

  • Unauthorised access

Access levels can cause problems if they’re not set properly. See also the comments below on understanding and formulating a Trust Model.

File systems have permissions that can be set. This needs to be done very carefully, as it can block people from accessing resources that they need, as well. Thorough testing is critical in this regard.

Folders and files should also be organised carefully. Unless you are a single user on an unconnected computer, My Documents is probably *not* the best place to store your files. Input is required from management and staff to create a proper file and folder structure.

Users should be organised into groups, and permissions assigned on the group level. This is very important. Managing individual user accounts is time-consuming, prone to error, and can result in problems accessing critical information.

  • Viruses, Spyware, Spam, Trojan Horses (Malware)

External mail and net-based sources of damage, unauthorised access and abuse of computer infrastructure.

Words of Wisdom: There Ain’t No Such Thing As A Free Lunch. Educate your users that if something looks too good to be true, it probably is.

Consider a policy which does not allow *anyone* to install software from the Internet, unless it’s been checked and approved by IT staff and management.

  • Standards-compliance

Sometimes people make decisions based on features or performance, without considering whether the product they have chosen conforms to accepted standards. This can cause problems with interoperability - that is, the ability of different systems to communicate effectively and efficiently.

  • Fault tolerance

Choosing reliable, standards-compliant equipment to protect against hardware and software failure.

It would be good if VIGNET users could compile a list of reliable hardware products available in Vanuatu.

Network Security Measures

  • Planning
  • Consistent and Workable Network Topology

Networks have two aspects: the physical collection of wires, devices and computers that connect computers together, and the logical collection of pathways and storage points where information flows. We therefore refer to physical and logical network topologies. Both must be designed together - it’s important to understand how the one affects the other.

  • Network Acceptable Use Policy

As far as we know, there’s no AUP in use anywhere in Vanuatu (with the possible exception of the TVL client agreement). VIGNET should consider drafting one example for its members.

  • Security Software Tools

Being able to view and interact with the network is a critical ability for systems admins. We’ll update this section with a list of useful tools and links in the future.

  • Physical Network Security

If you can, put critical network apparatus into a locked ‘box’, off the ground and out of the way. It can save innumerable headaches.

  • Systems and hardware backup
  • Maintenance and Repair

Software Security

Threats

  • Pirate software

Only install software from trusted sources. This is a particular challenge here in Vanuatu where licensed software is hard to find and pay for. VIGNET should consider helping to build and maintain a trusted software ‘library’.

  • Unpatched/insecure software

Software that starts secure often becomes insecure with time. It’s important to remain up-to-date with patches and fixes.

Some software needs to be updated regularly. It’s not enough to simply install anti-virus and/or anti-spyware software. You must keep it up-to-date.

  • Restricted software

Some software can be a powerful systems admin tool and a threat at the same time. It depends on who is running it and for what reason. Access control is important. In Linux and Unix, this is accomplished by storing certain program files in areas that are not accessible to all users. In Windows, access rights are defined on a file-by-file basis using the security tab accessed through the context menu. Right-click on the program file itself, choose properties, then click on the security tab.
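One way to apply the Linux/Unix approach described above, together with the earlier advice to assign permissions at the group level (an added example, not part of the original workshop notes): `audit_tools` lists tools that any user can run or modify, and `lock_down` limits them to the owner and one group. The directory, the file names and the `netadmin` group are constructed for illustration.

```shell
#!/bin/sh
# Added example: all paths, file names and group names are constructed.

# List regular files under DIR that "other" users (anyone who is neither
# the owner nor a member of the file's group) may execute or write.
audit_tools() {
    find "$1" -type f \( -perm -001 -o -perm -002 \) | sort
}

# Restrict DIR and the tools in it to owner + group: rwxr-x--- (750).
# On a real system an administrator would first hand the directory to an
# admin group, e.g. `chgrp -R netadmin DIR` (hypothetical group name;
# needs root or membership of that group), and then add staff to the
# group instead of granting rights user by user.
lock_down() {
    chmod 750 "$1"
    find "$1" -type f -exec chmod 750 {} +
}

# Constructed demo: a scratch directory standing in for an admin tool area.
demo_dir=$(mktemp -d)
printf '#!/bin/sh\necho "network diagnostics"\n' > "$demo_dir/netdiag"
printf '#!/bin/sh\necho "disk tools"\n' > "$demo_dir/disktool"
chmod 755 "$demo_dir/netdiag"     # world-executable: any user can run it
chmod 750 "$demo_dir/disktool"    # already limited to owner and group

echo "Open to all users before lock-down:"
audit_tools "$demo_dir"

lock_down "$demo_dir"

echo "Open to all users after lock-down:"
audit_tools "$demo_dir"

rm -rf "$demo_dir"
```

Running the audit on a schedule catches tools that drift back to world-executable after an upgrade or a manual copy.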

  • Buggy Software

Software needs to be tested before it’s deployed. Small problems can become big ones when they happen often, or damage valuable data.

Buggy software that has access to the Internet is especially dangerous. Examine your web browser, email client, music player, chat software and anything else that gets access to the Internet. If it’s a vector for viruses or exploits, consider choosing another one.

  • Malicious Software

Some kinds of malware (especially spyware) often pretend to be nice, or funny or sexy. It’s not. Users need to be educated about the dangers of running software. Consider insisting that users log in to accounts that do not have the right to install software at all.

See also Network security above.

  • Bloatware (software that is too resource-intensive)

Software Opportunities

  • Security Software

Software firewalls, anti-virus, encryption tools all enhance data security.

We should include a list of software that VIGNET users have found useful and reliable here in Vanuatu.

  • Efficiency - Automation Tools

The single biggest benefit of software is its ability to automate processes that would otherwise be time-consuming and expensive.

  • Information Management Tools

Properly organised information gives greater efficiency than a new processor, a bigger hard disk or a more powerful server. The tools that we use to manage our information need to be well understood.

(Joseph Toara is running an iManage workshop tomorrow (Monday 27 June 2005). Hopefully he will add some useful information about the software here. In the meantime, you can check out http://www.imanage.com)

Note that where software is concerned, there is a direct relationship between ease-of-use and security. There are some things which should *not* be easy to use - or at least not easily accessible. In software, one person’s opportunity is another person’s threat.

Human Security

Threats

  • Physical Threats

People can steal or damage unprotected computers and devices - especially laptops! Access needs to be balanced with physical security.

Consider creating a secure space for storing laptops, external CD drives, backup disks/tapes, projectors etc.

Also, store at least one backup offsite. Remember: Data that doesn’t exist in two places… doesn’t exist.

Remember that physical threats include environment as well. Ask yourself, will my equipment be damaged by earthquake, cyclone, volcano? How about rats? You may laugh, but consider this:

http://slashdot.org/article.pl?sid=05/06/24/0249231&tid=95&tid=133 - Rats ‘Cripple’ NZ Web Access

  • Hacking/Cracking

Many of the major incidents related to network security are caused by ‘inside jobs’ - that is, staff and/or people with physical access to computer systems are responsible for security-related incidents.

  • Carelessness

Failures have been caused by things as simple as pressing the wrong button. It sounds amusing, until it happens to you.

  • Computer Literacy

Ignorance of how computers and networks work can often cause significant problems.

Opportunities

  • Create a safe working environment for people and equipment

Keep the place neat and orderly. It benefits both staff and equipment.

  • Create and enforce strong security policies

It’s not sufficient to write a password once. Passwords must be changed regularly, and they should be unique to each person.

Consider using keys instead of passwords (e.g. PGP, SSH).

  • Training

Training is not a one-time event. Staff should conduct regular training as their work environment requires.

If your organisation has full-time Internet access, consider using online training. There’s a ton of material available, and it’s there when you have time, so you don’t have to change your schedule or plan down-time just to use it.

One good example: http://www.itrainonline.org/

  • Trust Model

Before any new system is put in place (no matter how small or simple) you should be able to clearly describe the trust model - that is:

*Who* has access to *What* data, at *What* times and for *What* reasons. *How* will they access the data?

Network Protocols

A clear, simple explanation of how web servers actually work.
