Friday, June 22, 2007

What Else is Surprising? DHS in Trouble!

http://www.informationweek.com/news/showArticle.jhtml?articleID=199905838&pgno=2&queryText=


As I've mentioned many times before, computer security is taken too lightly by too many people. I hope the CIO of DHS doesn't think that way.
First off, an organization as complex and as bureaucratic as the DHS needs both a CISO *and* a CIO. The CIO and CISO should get together to formulate a strategy that serves the needs of the IT department (CIO) while balancing or tempering those needs with the security ramifications that come with them (CISO).

My worry is that while Congress battles the powerful bureaucrats and while the bureaucrats expend energy defending themselves, the door is left wide open for everyone to do whatever they want. In other words, utter indifference to real security is what results in trojans, viruses, and inappropriate and objectionable content invading the computers.

Another concern is that the computers are allowed to access the Internet at all! Access to the 'Net should be very severely restricted, and where it must be allowed, make sure you have powerful tools to control both access and downloads.

Here's what a basic, 20-point policy would look like (for user-terminals/computers at least):
1. Disable floppy drives (or buy computers without them)
2. Disable CD drive (need special code to unlock and use - content to be disclosed first)
3. Disable USB drives
4. Disable any and all controls on the OS that will permit configuration changes (such as IE security level etc)
5. Disable all downloads from the 'Net (incl HTTP/FTP)
6. Disable all uploads to ANY location
7. Internal data transfer should happen through pre-mapped, controlled, and constantly monitored network drives - probably a departmentalized storage subsystem such as NetApp Filers or EMC CLARiiON etc.
8. Use encryption as much as possible, both on disk as well as on the network
9. Use forced authentication at every entry point (no trusted hosts nonsense)
10. Disable installation of any kind of unauthorized programs
11. Use at least 2-factor authentication (password + random key as an example)
12. Go for biometric authentication whenever and wherever possible
13. Use AV software extensively, ensuring prompt and forced updates and reboots as needed
14. Use IDS (pref IPS also) software at every sensitive node
15. Control, monitor, and record ALL communication - IM, email, phone etc
16. Email clients should be tuned to only send mail to internal personnel - no external addresses should be allowed - EVER
17. Scan ALL incoming packets - and outgoing packets at sensitive nodes
18. NO ATTACHMENTS ALLOWED ANYTIME - email/IM - whatever mode of communication
19. Use hardware encryption devices and encrypt all data, everywhere. Use PKI devices to manage the keys
20. Finally, EDUCATE THE EMPLOYEES. Nothing works better than education
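Two of the points above, 16 (mail only to internal personnel) and 18 (no attachments, ever), are easy to state as policy but only mean something if a mail gateway actually enforces them on every outbound message. The following filter is an added example, not code from the original post, showing how such a gateway check can be written: it parses a message, lists every recipient whose domain is outside the organization, lists every attachment, and rejects the message if either list is non-empty. The internal domain set and the two sample messages are constructed assumptions.

```python
"""Mail-gateway policy filter for checklist items 16 and 18.

Added illustration, not the post's own code. The INTERNAL_DOMAINS set and
the sample messages below are constructed for the example.
"""
from email import message_from_string
from email.policy import default as default_policy

# Assumption: these are the organization's own mail domains.
INTERNAL_DOMAINS = frozenset({"example.gov", "mail.example.gov"})


def external_recipients(msg):
    """Return To/Cc/Bcc addresses whose domain is not an internal domain."""
    found = []
    for header_name in ("to", "cc", "bcc"):
        for header in msg.get_all(header_name, []):
            # With the default policy, address headers expose parsed Address objects.
            for address in header.addresses:
                if address.domain.lower() not in INTERNAL_DOMAINS:
                    found.append(address.addr_spec)
    return found


def attachment_names(msg):
    """Return the filename of every attached part (item 18 forbids all of them)."""
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        if part.get_content_disposition() == "attachment" or part.get_filename():
            names.append(part.get_filename() or "<unnamed>")
    return names


def check_message(raw):
    """Apply items 16 and 18 to a raw RFC 822 message.

    Returns ("ACCEPT", []) or ("REJECT", [reason, ...]).
    """
    msg = message_from_string(raw, policy=default_policy)
    reasons = []
    ext = external_recipients(msg)
    if ext:
        reasons.append("external recipient(s): " + ", ".join(ext))
    att = attachment_names(msg)
    if att:
        reasons.append("attachment(s): " + ", ".join(att))
    return ("REJECT" if reasons else "ACCEPT", reasons)


# Constructed sample messages (not real traffic).
INTERNAL_ONLY = """\
From: alice@example.gov
To: bob@example.gov, Carol <carol@mail.example.gov>
Subject: weekly report
Content-Type: text/plain

Report is on the shared drive.
"""

EXTERNAL_WITH_ATTACHMENT = """\
From: alice@example.gov
To: bob@example.gov
Cc: partner@contractor.example.com
Subject: draft
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

See attached.
--XYZ
Content-Type: application/pdf; name="draft.pdf"
Content-Disposition: attachment; filename="draft.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--XYZ--
"""

if __name__ == "__main__":
    for label, raw in (("internal-only", INTERNAL_ONLY),
                       ("external+attachment", EXTERNAL_WITH_ATTACHMENT)):
        print(label, check_message(raw))
```

The check deliberately treats any part with a filename as an attachment, whether its disposition says `attachment` or `inline`, because item 18 forbids attachments in every form; a gateway that only looked at the `Content-Disposition` header would let inline files through. Bcc is included because the gateway sees the envelope recipients even though the end user's client may hide them.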

Watch this space for more ideas that DHS will probably never implement! Next I'll be focusing on actual employee monitoring details.

Be safe!
