Any security planning process must include establishing guidelines for what is expected of the users of the system. It is absolutely imperative that, at an early stage in the process of developing a security plan, effort be put into developing a set of written guidelines that will be presented to all users of the network, as well as a separate set of guidelines for the administrators of that network. Such a set of guidelines is generally called an acceptable use policy.
Acceptable Use Policies
Acceptable use policies, or AUPs, are the written guidelines given to a user before they are allowed to access a network. Usually, the user is expected to read and sign the policy, agreeing to abide by the policies as written. In addition to making sure that each user is aware of the expected behavior for using the network, the AUP also allows the security administrator to enforce policies much more readily, since he will have documented evidence that the user knows what correct behavior is, and so cannot plead ignorance as a defense of improper behavior.
The AUP should also spell out what disciplinary actions will be implemented should a violation occur; it is absolutely imperative that the system administrator enforce the policy as it is expressed in the AUP. To do otherwise undermines the authority of the system, which in turn undermines the policies themselves. Enforce the policy evenly and uniformly, and users will soon learn to expect fair treatment, as well as the boundaries of their behavior. Check with a competent attorney for assistance with AUP preparation.
Preparing the User Community
Computer security can't be a lone venture. Although every organization that has a computer system should have at least one person who stays abreast of computer security issues and initiates security efforts, computer security is every user's responsibility. In fact, most security specialists view themselves as security advisors to the user community, and possibly view each user as his or her own system administrator. This is especially true when an organization has a wide user base of personal computers running systems such as Windows. Through effective training, campaigning, and notification of new developments, many users can take measures to add to (or detract from) the security of their own system.
Security goes beyond technical solutions. One example of an effective technical solution is the use of passwords. However, this highly effective solution can fail miserably if users are not active participants in making this strategy effective.
Imagine for a moment that you define a controlled set of people that you entrust with access to your various possessions. Each possession (your house, car, boat) has a lock with a key. When you pass out the keys to your trusted individuals, you do not expect them to pass along the original or copies of the keys to other individuals. If they did, that would compromise your entire security plan. When passing out keys, you might be wise to define acceptable use of your possessions and clearly explain your security plan and how important it is that key holders not share the keys with anybody else. You effectively want to enter into an agreement with these people and train them on how to use your possessions safely and properly. It should be no different when you hand over the "keys" of access to a school computer system.
Through training, documentation, and perhaps general campaigns in the form of posters and flyers throughout the school, you must instill in users the importance of security and provide them with the knowledge to help facilitate your security plan.
As you are in the planning stages of a security model for your organization, always consider how your technical security solutions will affect general users and how general users will affect your technical solutions. If neither will affect the other, you can probably quietly move into the implementation stage. However, in many cases, effective implementation will include some amount of consciousness-raising about security issues. Such training might include describing some common scenarios:
- Users should be suspicious of and closely question any person who calls and asks a user for his or her password. Some hackers will try a "social engineering" attack, whereby they call a user saying that they are testing a new security routine, and need the user's password to proceed. Obviously passwords should not be given to any stranger.
- Users should always be careful to enter passwords in such a way that their keyboard can't be seen by others, particularly if strangers are in the immediate area.
- Users should log off of systems when they are going to be away from their desks for any considerable period of time. If the workstation is logged in, the system can be used to perform any task that user is able to do, and that user's name will be on the transactions.
These sorts of examples might sound like common sense, but may not be obvious to people who have never worked before in an online environment. Taking the time to provide security training up front can save a great deal of grief later on.
Providing the sort of training thus described usually takes two forms: start-up training and continuing education. When installation of a new network or equipment upgrade is undertaken, most or all of the users are trained as a group. Such training should cover not only security issues such as those already mentioned, but also proper network etiquette (also known as netiquette), treatment and proper use of both the physical hardware and the software, the advantages to be gained from the new access, basic issues such as what constitutes a good or a bad password, and a variety of other potentially useful issues.
In addition, ongoing training is usually called for. Additional security measures are often added, which require new instruction in their use. New software is installed, requiring updates for the users. Remember, part of a secure installation is having users who understand what they are doing: the quickest route to damage of a system is not the malicious user, but the uninformed user.
Much of the activity involved in making a network as secure as possible involves security on individual desktop computers, rather than anything the network administrator can do centrally.
Part of the training given to new users should include basic desktop security behaviors. Issues to be discussed include physical security measures such as:
- Shutting down systems when not in use
- Locking doors when no one will be nearby
- Locking the computer if it contains, or has access to, sensitive data
The security specialist can influence certain software security issues that are relevant to the desktop, including:
- Installing filtering software
- Installing virus-checking software
- Being aware of what software is installed on each computer.
Physical security is only as good as the behavior of the user: it does no good for a user to have a password on her account if she logs in and proceeds to leave her desk for long periods of time. With that opportunity, anyone could easily walk up to the workstation and in only a few keystrokes steal files or introduce a virus to a system. The behaviors necessary to maintain security are quite simple, but they require the active participation of the user.
Restricting Access to the PC
If you leave, and you don't want anyone to have access to your system while you are gone, lock the door. If you are going to be gone from your system and don't have a lock on the door, log off the computer and log back in when you return. Such security measures seem obvious, but often the more obvious a notion, the more often it is overlooked.
Viruses are small programs that are designed to wreak some sort of havoc on a computer system. Viruses can have a variety of effects, anything from flashing messages on the computer screen, to making the system run slowly, to deleting all of the data from the hard drive. Viruses are transmitted either by infected disks, or by downloading infected software from the Internet. Email, in and of itself, cannot infect a computer with a virus; for your computer to catch a virus from email, there has to be a file attached to a message you receive, and you then must open and execute that file.
The key to effective use of virus-checking software lies in how current the software is. Viruses are written and rewritten on a daily basis, and your software must be able to keep up. All of the major commercial vendors offer frequent updates of their virus databases, also downloadable from the Web. As the security administrator, it is your job to maintain a strict schedule of updating, so that your desktops are always as well protected as possible, with the most recent information available.
There are a number of desktop software packages that are designed to filter and limit the Web sites that a user can access. The intent of these products is two-fold: to protect users from material they, or their parents, might find objectionable; and to keep users occupied with their assignments rather than being distracted by other attractions on the Web. "Content filtering" software such as CyberPatrol, NetNanny, and SurfWatch provides filtering capabilities based at the desktop. Most of these vendors offer trial versions of their software for download on the Web, so that you can sample them before you pay for them.
Monitoring Network Traffic
Most proxy servers provide extensive logging and reporting either through a native feature of the software or through a third-party plug-in program. In either case, another significant feature of the proxy server is its ability to report on network traffic and on who is doing what. If all Internet applications in a school are configured to pass requests through a proxy server, the proxy server will have the best and most natural vantage point for reporting on network traffic and where people are going on the Internet.
Routers and firewalls can provide similar logging and reporting.
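The kind of "who is doing what" report a proxy log makes possible, as an added example that is not part of the original text. It assumes log lines in the layout of Squid's native access.log; the sample lines, user name, addresses and host names are constructed.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log layout (assumed):
# time elapsed client action/status bytes method URL user hierarchy type
SAMPLE_LOG = """\
1700000000.101 120 10.0.1.15 TCP_MISS/200 5120 GET http://encyclopedia.example/volcano jsmith DIRECT/192.0.2.10 text/html
1700000003.422 80 10.0.1.15 TCP_HIT/200 2048 GET http://encyclopedia.example/img/a.png jsmith NONE/- image/png
1700000010.007 15 10.0.1.22 TCP_DENIED/403 1300 GET http://games.example/play - NONE/- text/html
1700000011.950 300 10.0.1.22 TCP_MISS/200 90000 GET http://video.example/clip.mp4 - DIRECT/192.0.2.20 video/mp4
this line is truncated
1700000020.300 45 10.0.1.15 TCP_MISS/200 700 CONNECT mail.example:443 jsmith DIRECT/192.0.2.30 -
"""

def host_of(method, url):
    """Destination host; CONNECT requests carry host:port instead of a URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0]
    return urlsplit(url).hostname or url

def report(log_text):
    """Summarise requests, bytes, denials and sites per user (or client IP)."""
    users = defaultdict(lambda: {"requests": 0, "bytes": 0, "denied": 0,
                                 "sites": Counter()})
    skipped = 0
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 10 or not f[4].isdigit():
            skipped += 1          # count malformed lines instead of crashing
            continue
        client, action, size, method, url, ident = f[2:8]
        who = ident if ident != "-" else client   # fall back to workstation IP
        u = users[who]
        u["requests"] += 1
        u["bytes"] += int(size)
        u["denied"] += action.startswith("TCP_DENIED")
        u["sites"][host_of(method, url)] += 1
    return dict(users), skipped

if __name__ == "__main__":
    summary, skipped = report(SAMPLE_LOG)
    for who, u in sorted(summary.items()):
        print(who, u["requests"], u["bytes"], u["denied"], u["sites"].most_common(2))
    print("skipped lines:", skipped)
```

Requests without an authenticated user name are attributed to the workstation address, which is why shared or unattended logged-in machines weaken this kind of report.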
A firewall can be either a hardware device or a software application. Often it is both hardware and software, working together to stand between the outside world and your local area network. A firewall acts as a gatekeeper, deciding who has legitimate access to your network and what sorts of materials should be allowed in and out. Remember, the purpose of a firewall is not only to prevent unauthorized entry into your system, but also to prevent unauthorized exit from your system; in other words, to stop users from sending out things you would prefer they not send out.
Packet filtering is a process whereby a firewall examines the nature of each packet (each piece of information traveling into or out of your network). Some firewalls look only for packets with a forbidden address, and refuse to allow any traffic either coming in from or going out to such addresses. More sophisticated firewalls can actually examine the nature of the packet, and so can filter specific types of traffic.
The most important thing to note here is that administering a firewall can be a highly technical enterprise, and not one to be taken without some serious information-gathering ahead of time. A misconfigured firewall can do more harm than good, even to the extent of opening up more holes in your network access than you might have had with no firewall at all. This is not to say that you should avoid their use; it is merely to emphasize that if you intend to install a firewall, make sure you have the know-how first.
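The two kinds of packet filtering described above, together with a check for one common misconfiguration, as an added example that is not part of the original text. The rule format, first-match evaluation with default deny, and all addresses and ports are assumptions made for illustration.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Assumed rule format: proto/port of None mean "any"; remote is the outside
# address as a CIDR block; direction is "in" or "out".
Rule = namedtuple("Rule", "action direction remote proto port", defaults=(None, None))
Packet = namedtuple("Packet", "direction remote proto port")

def matches(rule, pkt):
    return (rule.direction == pkt.direction
            and ip_address(pkt.remote) in ip_network(rule.remote)
            and rule.proto in (None, pkt.proto)
            and rule.port in (None, pkt.port))

def decide(rules, pkt):
    """First matching rule wins; anything unmatched is denied (assumed policy)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"

def covers(a, b):
    """True when every packet matched by rule b is also matched by rule a."""
    return (a.direction == b.direction
            and ip_network(b.remote).subnet_of(ip_network(a.remote))
            and a.proto in (None, b.proto)
            and a.port in (None, b.port))

def shadowed(rules):
    """(earlier, later) index pairs where the later rule can never fire."""
    return [(i, j) for j, later in enumerate(rules)
            for i, earlier in enumerate(rules[:j]) if covers(earlier, later)]

# Constructed rule set. Rule 0 was meant to let web browsing out, but it was
# written without a port, so rule 1 (block outbound mail) never fires.
RULES = [
    Rule("allow", "out", "0.0.0.0/0", "tcp"),
    Rule("deny",  "out", "0.0.0.0/0", "tcp", 25),
    Rule("deny",  "in",  "203.0.113.0/24"),          # address-only filter
    Rule("allow", "in",  "0.0.0.0/0", "tcp", 443),   # filter by traffic type
]
# Corrected ordering: the specific deny comes before the broad allow.
FIXED = [RULES[1], RULES[0]] + RULES[2:]

if __name__ == "__main__":
    mail = Packet("out", "198.51.100.7", "tcp", 25)
    print(decide(RULES, mail), shadowed(RULES))   # hole open, shadowing reported
    print(decide(FIXED, mail), shadowed(FIXED))   # hole closed, nothing shadowed
```

Running a shadowing check like this before loading a rule set catches rules that look protective on paper but are unreachable in practice.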