The Seven Bad Things People Do To Endanger Their Network Security
(…Explained in Plain English)
Presented by SAGE Computer Associates, Inc.
• SAGE Computer Associates, Inc.:
  – In business for 19 years
  – Hundred person-years of experience
  – Worked with many businesses
  – Certified Security Administrator on staff
  – Certified Microsoft Engineers on staff
  – Certified Novell Engineers on staff
Take-away from today's talk
• Nothing is secure
• However, NO HEADS IN THE SAND
• Inexpensive steps you can take NOW
• Even on your home PC.
"There is nothing more secure than a computer which is not connected to the network --- and powered off!"
What are the Seven Things?
• No Policies
• Bad Passwords
• No Virus Protection
• No Backup
• Inadequate protection against hackers
• Don't keep up with patches/fixes
• Unrestrained e-mail/instant messaging
Mistake #1: No Policies
• Data Security: Do you know who sees and has access to what data? And should they have that level of access?
• Termination policies: Disgruntled employees are the second most common source of network sabotage
• Remote access: A common hole in network security
• Computer usage: Non-business activities that open your network up to attack
• Internet usage: You know there's LOTS of bad stuff out there – but do you know just how much?
• Confidentiality awareness: Think about what your employees know about your business
• Hire the right people! It's more important than you may think
Internet Usage at Work
• Productivity Issues:
  – Cyber-loafing accounts for 30% to 40% of lost worker productivity (Business Week)
  – 90% of those surveyed indicated that they view non-work related web sites during work hours. (Vaultreports.com)
• Resource use
  – Downloading music/videos takes A LOT of network resources
More Reasons to Care
• Legal Liability
  – One in five men and one in eight women admitted using their work computers as their primary lifeline to sexually explicit material online (MSNBC)
  – Since the company is the one that gave employees access, the company is liable … unless the company can show it took reasonable steps to prevent problems (Corporate Politics on the Internet: Connection without Controversy)
Implement the Policies!
• Appropriate Security on the Network
  – Administrative/Supervisor rights
  – Appropriate Security for users
More Confidentiality Awareness
• Training
  – particularly to address Social Engineering
"outside hackers' use of psychological tricks on legitimate users of computer systems to get passwords/user-ids to get access to systems"
www.morehouse.org/hin/blckcrwl/hack/soceng.txt
Mistake #1: No Policies
How can we help?
Request a copy of our sample policies for:
  – Internet Usage
  – E-mail Usage
  – Virus Protection
and get SAGE to help you implement it
Mistake #1: No Policies
How can we help?
• Internet Monitoring
  – Monitor where people go on the Internet
  – Create reports
  – Block offensive/other sites (list updated 2x/week)
  – Block specific kinds of traffic (music, photographs, etc.)
  – Block specific addresses
  – Block specific users
  – Block usage during specific times
Mistake #2: Bad Passwords
  – 40% of all passwords are the word 'password'
  – Difficult passwords are hard to administer
http://www.slac.stanford.edu/comp/security/password.html
Password Guidance
• Password No-No's:
  – less than eight characters
  – a word found in a dictionary (English or foreign)
  – a common usage word such as names of family, pets, friends, co-workers, fantasy characters, etc.
  – Computer terms and names, commands, sites, companies, hardware, software.
  – Birthdays/other personal information such as addresses and phone numbers.
  – Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
  – Any of the above spelled backwards.
  – Any of the above preceded or followed by a digit (e.g., secret1, 1secret)
Password Guidance
• Password Suggestions (Strong passwords)
  – Contain both upper and lower case characters (e.g., a-z, A-Z)
  – Have digits and punctuation characters as well as letters (e.g., 0-9, !@#$%^&*()_+|~-= {}[]:";'<>?,./)
  – Are at least eight alphanumeric characters long.
  – Are not a word in any language, slang, dialect, or jargon.
  – Are not based on personal information, names of family, etc.
  – Easily remembered. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase might be: "This May Be One Way To Remember" and the password could be: "TmB1w2R!" or "Tmb1W>r~"
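A policy checker built from the no-no and strong-password rules on the two slides above, as an added example that is not part of the SAGE deck. The dictionary, personal-information and keyboard-sequence lists are small constructed stand-ins, and the phrase-to-password rule in `mnemonic_from_phrase` is inferred from the slide's single example ("This May Be One Way To Remember" giving "TmB1w2R!"); the deck itself gives no algorithm.

```python
import re
import string

MIN_LENGTH = 8
PUNCTUATION = set(string.punctuation)

# Constructed stand-in for "a word found in a dictionary"; a real check would
# load a full word list (e.g. /usr/share/dict/words) plus the computer-term
# list the slide mentions.
DICTIONARY = {"password", "secret", "welcome", "dragon", "monkey", "letmein",
              "microsoft", "windows", "admin", "login"}
# Constructed stand-in for personal information (pet, family name, birthday, phone).
PERSONAL = {"fluffy", "jennifer", "19750312", "5551234"}
# Sequences behind the qwerty / zyxwvuts / 123321 style patterns on the slide.
SEQUENCES = (string.ascii_lowercase, string.digits, "qwertyuiop", "asdfghjkl", "zxcvbnm")
# Words the slide's mnemonic turns into digits ("One" -> 1, "To" -> 2).
NUMBER_WORDS = {"one": "1", "to": "2", "two": "2", "for": "4", "four": "4"}


def _has_pattern(s: str) -> bool:
    """aaabbb-style repeats, 123321-style mirrors, or four or more consecutive
    keyboard/alphabet/digit characters in either direction (qwerty, zyxwvuts)."""
    if len(s) >= 4 and (re.fullmatch(r"(?:(.)\1+)+", s) or s == s[::-1]):
        return True
    for i in range(len(s) - 3):
        window = s[i:i + 4]
        if any(window in seq or window[::-1] in seq for seq in SEQUENCES):
            return True
    return False


def check_password(pw: str, personal=PERSONAL) -> list[str]:
    """Return the rules a password breaks; an empty list means it satisfies every
    rule on the two 'Password Guidance' slides. Dictionary and personal-info
    checks use substring matching on the password and its reverse, which covers
    'spelled backwards' and 'preceded or followed by a digit' (secret1, 1secret)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("fewer than eight characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("needs both upper and lower case")
    if not any(c.isdigit() for c in pw):
        problems.append("needs a digit")
    if not any(c in PUNCTUATION for c in pw):
        problems.append("needs a punctuation character")
    forms = (pw.lower(), pw.lower()[::-1])
    if any(word in f for f in forms for word in DICTIONARY):
        problems.append("based on a dictionary word")
    if any(item.lower() in f for f in forms for item in personal):
        problems.append("based on personal information")
    # Look for patterns in the whole string and in each run of letters/digits.
    tokens = {t for f in forms for t in re.findall(r"[a-z0-9]+", f)}
    if any(_has_pattern(t) for t in (*forms, *tokens)):
        problems.append("keyboard, alphabet or number pattern")
    return problems


def mnemonic_from_phrase(phrase: str, suffix: str = "!") -> str:
    """Turn a phrase into a password the way the slide's example does: keep the
    first letter of each word, write number-like words as digits, alternate the
    case of the remaining initials, and append a punctuation character.
    (Assumption: this rule is inferred from the single example on the slide,
    'This May Be One Way To Remember' -> 'TmB1w2R!'; the deck gives no algorithm.)"""
    out = []
    letters_seen = 0
    for word in phrase.split():
        w = word.strip(string.punctuation).lower()
        if not w:
            continue
        if w in NUMBER_WORDS:
            out.append(NUMBER_WORDS[w])
            continue
        out.append(w[0].upper() if letters_seen % 2 == 0 else w[0])
        letters_seen += 1
    return "".join(out) + suffix


if __name__ == "__main__":
    for candidate in ("password", "secret1", "Qwerty12!", "TmB1w2R!", "Tmb1W>r~"):
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
    print(mnemonic_from_phrase("This May Be One Way To Remember"))
```

Both example passwords from the slide pass every rule, while "secret1", "1secret" and the reversed "Drowssap1" are all caught by the substring check on the reversed string.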
Mistake #2: Bad Passwords
How We Can Help:
• Password Cracking Tool: L0phtCrack
  www.sunbelt-software.com
  – Runs in the background
  – Can collect all passwords, given enough time
We will run this for you and help you implement a policy
Future Solutions
• Security Tokens (Secure Computing solution)
• Biometrics
Mistake #3: No Virus Protection
• Different threats under the same name:
  – Virus
  – Worm
  – Trojan horse
  – Malicious code
  – Blended Threat
  – Hoax
  – Denial of Service (DoS) (not a virus)
Virus Security
• Example of malicious code
From: Microsoft Corporation Security Center <rdquest12@microsoft.com>
To: Microsoft Customer <'customer@yourdomain.com'>
Subject: Internet Security Update
Attachment: q216309.exe

Microsoft Customer,
  this is the latest version of security update, the "7 Mar 2002 Cumulative Patch" update which eliminates all known security vulnerabilities affecting Internet Explorer and MS Outlook/Express as well as six new vulnerabilities, and is discussed in Microsoft Security Bulletin MS02-005. Install now to protect your computer from these vulnerabilities, the most serious of which could allow an attacker to run code on your computer.
  Description of several well-known vulnerabilities:

Would you have recognized this as a threat?
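A small mail triage check for the message above, as an added example that is not part of the SAGE deck: it rebuilds the slide's lure as a constructed MIME message and flags the three things a reader or mail gateway can spot without opening the attachment (an executable attachment, patch-and-install-now wording alongside it, and a vendor that does not ship patches as mail attachments). The `NO_PATCH_BY_MAIL` list is an assumption for this example.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# File types that run as programs when opened; the slide's q216309.exe is one.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Wording the slide's lure leans on: a vendor patch plus a push to install it now.
LURE_PHRASES = ("security update", "cumulative patch", "install now")
# Vendors whose patches arrive through their update service, not as mail attachments
# (assumption for this example: extend with the vendors your organisation uses).
NO_PATCH_BY_MAIL = {"microsoft.com"}


def build_sample_message() -> bytes:
    """Constructed reproduction of the slide's message; the attachment is a stub."""
    msg = EmailMessage()
    msg["From"] = "Microsoft Corporation Security Center <rdquest12@microsoft.com>"
    msg["To"] = "Microsoft Customer <customer@yourdomain.com>"
    msg["Subject"] = "Internet Security Update"
    msg.set_content(
        "Microsoft Customer, this is the latest version of security update, the "
        '"7 Mar 2002 Cumulative Patch" update which eliminates all known security '
        "vulnerabilities affecting Internet Explorer and MS Outlook/Express. "
        "Install now to protect your computer from these vulnerabilities."
    )
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="q216309.exe")
    return bytes(msg)


def triage(raw: bytes) -> list[str]:
    """Return the reasons a message should be held, or [] if no check fires."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    attachments = [part.get_filename() or "" for part in msg.iter_attachments()]
    executables = [n for n in attachments
                   if os.path.splitext(n)[1].lower() in EXECUTABLE_EXTENSIONS]
    for name in executables:
        findings.append(f"executable attachment: {name}")

    body_part = msg.get_body(preferencelist=("plain",))
    text = (body_part.get_content() if body_part else "").lower()
    subject = str(msg["Subject"] or "").lower()
    lure = [p for p in LURE_PHRASES if p in text or p in subject]
    if lure and executables:
        findings.append("patch lure with an attached program: " + ", ".join(lure))

    # The From header is only what the mail claims, not an authenticated identity,
    # so this check supports the others rather than standing alone.
    from_header = msg["From"]
    sender_domain = ""
    if from_header and from_header.addresses:
        sender_domain = from_header.addresses[0].domain.lower()
    if sender_domain in NO_PATCH_BY_MAIL and attachments:
        findings.append(f"{sender_domain} does not distribute patches as mail attachments")
    return findings


if __name__ == "__main__":
    for finding in triage(build_sample_message()):
        print("HOLD:", finding)
```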
Virus Security
• Anti-Virus software MUST BE UPDATED!!
• Home users need it as much as business users
• By subscription: TrendMicro, Symantec, other vendors
Virus Security
• Business users should be set up to update automatically without 'human intervention'
• Training
• Many websites, 'kits' available to write your own viruses
  – http://orbita.starmedia.com/~lautaroml/virus.html
Virus Security
• Turn off the Preview Pane in Outlook
  – Click on View, uncheck 'Preview Pane'
• Turn off disk and printer sharing in Windows
  – Start button, click 'Settings', 'Control Panel', 'Network' and make sure 'share disk' and 'share printer' are NOT checked
Mistake #3: Virus Security
How We Can Help
• Virus Software Audit
• Network Audit
Mistake #4: No Backup
• Most people believe this is covered, BUT
  – Data stored on local drives
  – Data not restorable
  – Tapes not taken off site
  – Not enough data backed up
  – Open files not handled
Mistake #4: No Backup
How We Can Help
• Backup Audit
Future Solutions
• Internet-based backup
• Optical Storage
Mistake #5: Inadequate Protection Against Hackers
• Firewalls
  – Block incoming traffic
  – From free to millions $$$$
• EVERYONE MUST HAVE ONE
• www.zonelabs.com – Software (home)
• www.sonicwall.com – Appliance (business)
Mistake #5: Inadequate Protection Against Hackers: If you host your own website
• Incoming Web Traffic
  – SSL certificates
  – Different type of firewall
  – Data available for customers on your website has to be segregated from the rest of the company data
  – Outsourcing
Internet Security
• What to ask your outsourced web hoster
  – Power backup
  – Internet connection redundancy
  – Which firewall?
  – Data backup
  – Business questions
  – How can I make changes?
  – Register your URL in YOUR name
Mistake #5: Inadequate Protection: How we can help
• Port Scan
  – Reports open ports/vulnerabilities
Mistake #6: Not Keeping Up with Patches/Service Packs
• Difficult to Keep Pace—But Imperative
  – Your lack of patching can help spread viruses to other networks
  – Workstation updates are now part of the problem too
Mistake #6: Staying Current: How we can help
• Penetration Testing
  – Check for documented vulnerabilities
Mistake #7: Unrestrained Email, Instant Messaging
• "E-mail is like sending a postcard on the Internet"
  – Can be read by many people (your ISP, any system admin at any server along the message path, your employer, the US Government using Carnivore/Echelon or other software).
    http://www.surfcontrol.com/business/products
  – Can be re-sent to someone else, looking like it came from you.
Solution to E-Mail Security
• PGP "Pretty Good Privacy"
  – Download free copy at www.pgpi.org
  – Go see Phil at http://web.mit.edu/prz/
• Digital ID
  digitalid.verisign.com
E-Mail Security
• Email Gaffes
  – BBC sports executive sends "I think they're both crap" email (about two on-camera execs) to entire BBC sports staff (500 people)
  – London lawyer forwards message from his girlfriend re: "intimate act"; his colleague forwards it to others and, in hours, it has spread across the whole Internet. 6 people suspended from their jobs.
• Email Protocol/Guidance
  – http://www.bmcc.cc.or.us/cs/cs125e/notes/etiq.htm
  – http://www.cio.com/archive/120100/diff.html
Instant Messaging (IM)
• AOL Instant Messaging/ICQ/Yahoo Messenger/MSN Messenger/other packages
  – The good news?
    • they're free
  – The bad news?
    • Completely not secure
    • People can pretend to be who they are not
    • With no policies in place, users have no guidelines on what they can/cannot say
Instant Messaging Security
• Centralize it
  – Log the traffic
  – Encrypt the traffic (PGP has a module for this)
  – Establish policies
OR
• Block it
Steganography
• "Embedding secret messages in other files in a way that prevents an observer from learning anything unusual is taking place"
  – Greek soldiers tattooed maps on their heads, and then grew their hair out
  – Romans obscured messages by applying layers of wax onto the tablets on which they were written, then melted the wax to read the message.
  – Osama bin Laden and his associates have been using steganography to hide terrorist plans inside pornography and MP3 files freely distributed over the Internet.
Resources
• Pretty Good Privacy for email: www.pgpi.org
• Firewalls
  – www.zonelabs.com (free personal firewall); see this link for an article about it: http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2870704,00.html
  – http://www.firewall.com/ good general site for tech info
• Virus software
  – www.symantec.com
  – www.trendmicro.com
  (don't use the free trial; pay for the real software)
Resources
• Steganography
  http://members.tripod.com/steganography/stego.html
• Basic Security website:
  http://online.securityfocus.com/infocus/1560
• Security Certifications: Information Systems Security Association
  www.issa-intl.org/certification.html
Our Offer
When you fill out the evaluation form, you can choose one of the services at no charge:
1. Policy creation
2. Virus protection audit
3. Backup Audit
4. Open Port Scan
5. Patch/Service Pack Audit
6. Internet Monitoring Pilot
7. Network Audit
Don't Let the Perfect Interfere with the Good:
• Download the policies if you don't already have them
• Choose one of the free services on the evaluation form to get started measuring the problem.
• Download the free firewall (zonelabs.com) and the not-free virus software for your home PC
For More Information:
jaymem@sagecomputer.com
(518) 458-9300
Thank You!

More Related Content

What's hot

Douglas Crockford - Ajax Security
Douglas Crockford - Ajax SecurityDouglas Crockford - Ajax Security
Douglas Crockford - Ajax Security
Web Directions
 
Protecting Yourself Online
Protecting Yourself OnlineProtecting Yourself Online
Protecting Yourself Online
Gary Wagnon
 
50 Shades of RED: Stories from the “Playroom” from CONFidence 2014
50 Shades of RED: Stories from the “Playroom”  from CONFidence 201450 Shades of RED: Stories from the “Playroom”  from CONFidence 2014
50 Shades of RED: Stories from the “Playroom” from CONFidence 2014
Chris Nickerson
 
Cyber Security
Cyber SecurityCyber Security
Webinar Security: Apps of Steel transcription
Webinar Security:  Apps of Steel transcriptionWebinar Security:  Apps of Steel transcription
Webinar Security: Apps of Steel transcriptionService2Media
 
What is Penetration Testing?
What is Penetration Testing?What is Penetration Testing?
What is Penetration Testing?
Rapid7
 
The Infosec Revival
The Infosec RevivalThe Infosec Revival
The Infosec Revival
scriptjunkie
 
Information Security for the Jobseeker
Information Security for the JobseekerInformation Security for the Jobseeker
Information Security for the JobseekerAllison Peirce
 
Derby con 2014
Derby con 2014Derby con 2014
Derby con 2014
TonikJDK
 
Network security
Network securityNetwork security
Network security
Akhilesh Jain
 
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin AhmedBackup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Mazin Ahmed
 
BugBounty Roadmap with Mohammed Adam
BugBounty Roadmap with Mohammed AdamBugBounty Roadmap with Mohammed Adam
BugBounty Roadmap with Mohammed Adam
Mohammed Adam
 
Who's that knocking on my firewall door?
Who's that knocking on my firewall door?Who's that knocking on my firewall door?
Who's that knocking on my firewall door?Bruce Wolfe
 
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedLayer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedfangjiafu
 
Vulnerabilidades en sitios web (english)
Vulnerabilidades en sitios web (english)Vulnerabilidades en sitios web (english)
Vulnerabilidades en sitios web (english)Miguel de la Cruz
 
Prevent Strikes On Industrial And Civil Items Using Access Control
Prevent Strikes On Industrial And Civil Items Using Access ControlPrevent Strikes On Industrial And Civil Items Using Access Control
Prevent Strikes On Industrial And Civil Items Using Access Control
morticelocksnational21
 
Parag presentation on ethical hacking
Parag presentation on ethical hackingParag presentation on ethical hacking
Parag presentation on ethical hacking
parag101
 
Cyber security[1118]
Cyber security[1118]Cyber security[1118]
Cyber security[1118]
MeeraNairJ
 
The Infosec Revival
The Infosec RevivalThe Infosec Revival
The Infosec Revivalscriptjunkie
 
Digital safety
Digital safetyDigital safety
Digital safetypsusmith
 

What's hot (20)

Douglas Crockford - Ajax Security
Douglas Crockford - Ajax SecurityDouglas Crockford - Ajax Security
Douglas Crockford - Ajax Security
 
Protecting Yourself Online
Protecting Yourself OnlineProtecting Yourself Online
Protecting Yourself Online
 
50 Shades of RED: Stories from the “Playroom” from CONFidence 2014
50 Shades of RED: Stories from the “Playroom”  from CONFidence 201450 Shades of RED: Stories from the “Playroom”  from CONFidence 2014
50 Shades of RED: Stories from the “Playroom” from CONFidence 2014
 
Cyber Security
Cyber SecurityCyber Security
Cyber Security
 
Webinar Security: Apps of Steel transcription
Webinar Security:  Apps of Steel transcriptionWebinar Security:  Apps of Steel transcription
Webinar Security: Apps of Steel transcription
 
What is Penetration Testing?
What is Penetration Testing?What is Penetration Testing?
What is Penetration Testing?
 
The Infosec Revival
The Infosec RevivalThe Infosec Revival
The Infosec Revival
 
Information Security for the Jobseeker
Information Security for the JobseekerInformation Security for the Jobseeker
Information Security for the Jobseeker
 
Derby con 2014
Derby con 2014Derby con 2014
Derby con 2014
 
Network security
Network securityNetwork security
Network security
 
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin AhmedBackup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
 
BugBounty Roadmap with Mohammed Adam
BugBounty Roadmap with Mohammed AdamBugBounty Roadmap with Mohammed Adam
BugBounty Roadmap with Mohammed Adam
 
Who's that knocking on my firewall door?
Who's that knocking on my firewall door?Who's that knocking on my firewall door?
Who's that knocking on my firewall door?
 
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedLayer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
 
Vulnerabilidades en sitios web (english)
Vulnerabilidades en sitios web (english)Vulnerabilidades en sitios web (english)
Vulnerabilidades en sitios web (english)
 
Prevent Strikes On Industrial And Civil Items Using Access Control
Prevent Strikes On Industrial And Civil Items Using Access ControlPrevent Strikes On Industrial And Civil Items Using Access Control
Prevent Strikes On Industrial And Civil Items Using Access Control
 
Parag presentation on ethical hacking
Parag presentation on ethical hackingParag presentation on ethical hacking
Parag presentation on ethical hacking
 
Cyber security[1118]
Cyber security[1118]Cyber security[1118]
Cyber security[1118]
 
The Infosec Revival
The Infosec RevivalThe Infosec Revival
The Infosec Revival
 
Digital safety
Digital safetyDigital safety
Digital safety
 

Similar to 7 Things People Do To Endanger Their Networks

An Introduction To IT Security And Privacy In Libraries & Anywhere
An Introduction To IT Security And Privacy In Libraries & AnywhereAn Introduction To IT Security And Privacy In Libraries & Anywhere
An Introduction To IT Security And Privacy In Libraries & Anywhere
Blake Carver
 
Lecture about network and host security to NII students
Lecture about network and host security to NII studentsLecture about network and host security to NII students
Lecture about network and host security to NII students
Akiumi Hasegawa
 
Computer Security
Computer SecurityComputer Security
Computer Security
Cristian Mihai
 
IT Security Seminar Cougar CPS
IT  Security  Seminar  Cougar  CPSIT  Security  Seminar  Cougar  CPS
IT Security Seminar Cougar CPScougarcps
 
Computer And Internet Security
Computer And Internet SecurityComputer And Internet Security
Computer And Internet SecurityAshley Zimmerman
 
Computer And Internet Security
Computer And Internet SecurityComputer And Internet Security
Computer And Internet SecurityJFashant
 
Protect Yourself From Internet Pests
Protect Yourself From Internet PestsProtect Yourself From Internet Pests
Protect Yourself From Internet Pests
peterhitch
 
Client-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationClient-Side Penetration Testing Presentation
Client-Side Penetration Testing Presentation
Chris Gates
 
10 steps to protecting your computer to the world of internet.
10 steps to protecting your computer to the world of internet.10 steps to protecting your computer to the world of internet.
10 steps to protecting your computer to the world of internet.
Khalil Jubran
 
Cybersecurity Awareness E-Book - WeSecureApp
Cybersecurity Awareness E-Book - WeSecureAppCybersecurity Awareness E-Book - WeSecureApp
Cybersecurity Awareness E-Book - WeSecureApp
WeSecureApp
 
computer_security.ppt
computer_security.pptcomputer_security.ppt
computer_security.ppt
Asif Raza
 
Computer Security Guide to Pc Security
Computer Security Guide to Pc SecurityComputer Security Guide to Pc Security
Computer Security Guide to Pc Security
MallTake
 
Internet security
Internet securityInternet security
Internet security
rfukunaga
 
Cyber security awareness for end users
Cyber security awareness for end usersCyber security awareness for end users
Cyber security awareness for end users
NetWatcher
 
Cyber security for small businesses
Cyber security for small businessesCyber security for small businesses
Cyber security for small businesses
B2BPlanner Ltd.
 
12990739.ppt
12990739.ppt12990739.ppt
12990739.ppt
MuhammadShahidulIsla8
 
Guide to pc_security
Guide to pc_securityGuide to pc_security
Guide to pc_security
Flora Runyenje
 
How to Protect Your PC from Malware, Ransomware, Virus
How to Protect Your PC from Malware, Ransomware, VirusHow to Protect Your PC from Malware, Ransomware, Virus
How to Protect Your PC from Malware, Ransomware, Virus
HabFg
 
Make Every Spin Count: Putting the Security Odds in Your Favor
Make Every Spin Count: Putting the Security Odds in Your FavorMake Every Spin Count: Putting the Security Odds in Your Favor
Make Every Spin Count: Putting the Security Odds in Your Favor
David Perkins
 
Cyber security awareness presentation nepal
Cyber security awareness presentation nepalCyber security awareness presentation nepal
Cyber security awareness presentation nepal
ICT Frame Magazine Pvt. Ltd.
 

Similar to 7 Things People Do To Endanger Their Networks (20)

An Introduction To IT Security And Privacy In Libraries & Anywhere
An Introduction To IT Security And Privacy In Libraries & AnywhereAn Introduction To IT Security And Privacy In Libraries & Anywhere
An Introduction To IT Security And Privacy In Libraries & Anywhere
 
Lecture about network and host security to NII students
Lecture about network and host security to NII studentsLecture about network and host security to NII students
Lecture about network and host security to NII students
 
Computer Security
Computer SecurityComputer Security
Computer Security
 
IT Security Seminar Cougar CPS
IT  Security  Seminar  Cougar  CPSIT  Security  Seminar  Cougar  CPS
IT Security Seminar Cougar CPS
 
Computer And Internet Security
Computer And Internet SecurityComputer And Internet Security
Computer And Internet Security
 
Computer And Internet Security
Computer And Internet SecurityComputer And Internet Security
Computer And Internet Security
 
Protect Yourself From Internet Pests
Protect Yourself From Internet PestsProtect Yourself From Internet Pests
Protect Yourself From Internet Pests
 
Client-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationClient-Side Penetration Testing Presentation
Client-Side Penetration Testing Presentation
 
10 steps to protecting your computer to the world of internet.
10 steps to protecting your computer to the world of internet.10 steps to protecting your computer to the world of internet.
10 steps to protecting your computer to the world of internet.
 
Cybersecurity Awareness E-Book - WeSecureApp
Cybersecurity Awareness E-Book - WeSecureAppCybersecurity Awareness E-Book - WeSecureApp
Cybersecurity Awareness E-Book - WeSecureApp
 
computer_security.ppt
computer_security.pptcomputer_security.ppt
computer_security.ppt
 
Computer Security Guide to Pc Security
Computer Security Guide to Pc SecurityComputer Security Guide to Pc Security
Computer Security Guide to Pc Security
 
Internet security
Internet securityInternet security
Internet security
 
Cyber security awareness for end users
Cyber security awareness for end usersCyber security awareness for end users
Cyber security awareness for end users
 
Cyber security for small businesses
Cyber security for small businessesCyber security for small businesses
Cyber security for small businesses
 
12990739.ppt
12990739.ppt12990739.ppt
12990739.ppt
 
Guide to pc_security
Guide to pc_securityGuide to pc_security
Guide to pc_security
 
How to Protect Your PC from Malware, Ransomware, Virus
How to Protect Your PC from Malware, Ransomware, VirusHow to Protect Your PC from Malware, Ransomware, Virus
How to Protect Your PC from Malware, Ransomware, Virus
 
Make Every Spin Count: Putting the Security Odds in Your Favor
Make Every Spin Count: Putting the Security Odds in Your FavorMake Every Spin Count: Putting the Security Odds in Your Favor
Make Every Spin Count: Putting the Security Odds in Your Favor
 
Cyber security awareness presentation nepal
Cyber security awareness presentation nepalCyber security awareness presentation nepal
Cyber security awareness presentation nepal
 

7 Things People Do To Endanger Their Networks

  • 1. The Seven Bad Things People Do To Endanger Their Network Security
  • 3. Presented by SAGE Computer Associates, Inc. SAGE Computer Associates, Inc.: – In business for 19 years – Hundred person-years of experience – Worked with many businesses – Certified Security Administrator on staff – Certified Microsoft Engineers on staff – Certified Novell Engineers on staff
  • 4. Take away from today‘s talk Nothing is secure However, NO HEADS IN THE SAND Inexpensive steps you can take NOW Even on your home PC.
  • 5. ―There is nothing more secure than a computer which is not connected to the network --- and powered off!‖
  • 6. What are the Seven Things? No Policies Bad Passwords No Virus Protection No Backup Inadequate protection against hackers Don‘t keep up with patches/fixes Unrestrained e-mail/instant messaging
  • 7. Mistake #1: No Policies • Data Security: Do you know who sees and has access to what data? And should they have that level of access? • Termination policies: Disgruntled employees are the second most common source of network sabotage • Remote access: A common hole in network security • Computer usage: Non-business activities that open your network up to attack • Internet usage: You know there‘s LOTS of bad stuff out there – but do you know just how much? • Confidentiality awareness: Think about what your employees know about your business • Hire the right people! It‘s more important than you may think
  • 8. Internet Usage at Work Productivity Issues: – Cyber-loafing accounts for 30% to 40% of lost worker productivity (Business Week) – 90% of those surveyed indicated that they view non-work related web sites during work hours. (Vaultreports.com) Resource use – Downloading music/videos takes A LOT of network resources
  • 9. More Reasons to Care Legal Liability – One in five men and one in eight women admitted using their work computers as their primary lifeline to sexually explicit material online (MSNBC) – Since the company is the one that gave employees access, the company is liable … unless the company can show it took reasonable steps to prevent problems (Corporate Politics on the Internet: Connection without Controversy)
  • 10. Implement the Policies! – Appropriate Security on the Network • Administrative/Supervisor rights • Appropriate Security for users
  • 11. More Confidentiality Awareness Training - particularly to address Social Engineering ―outside hackers use of psychological tricks on legitimate users of computer systems to get passwords/user-ids to get access to systems‖ www.morehouse.org/hin/blckcrwl/hack/soceng.txt
  • 12. Mistake #1: No Policies How can we help? Request a copy of our sample policies for: - Internet Usage - E-mail Usage - Virus Protection and get SAGE to help you implement it
  • 13. Mistake #1: No Policies How can we help? Internet Monitoring – Monitor where people go on the Internet – Create reports – Block offensive/other sites- list updated 2x/week – Block specific kinds of traffic (music, photographs, etc) – Block specific addresses – Block specific users – Block usage during specific times
  • 14. Mistake #2: Bad Passwords – 40% of all passwords are the word ‗password‘ – Difficult passwords are hard to administer http://www.slac.stanford.edu/comp/security/password.html
  • 15. Password Guidance Password No-No’s:  less than eight characters  a word found in a dictionary (English or foreign)  a common usage word such as names of family, pets, friends, co-workers, fantasy characters, etc.  Computer terms and names, commands, sites, companies, hardware, software.  Birthdays/other personal information such as addresses and phone numbers.  Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.  Any of the above spelled backwards.  Any of the above preceded or followed by a digit (e.g., secret1, 1secret)
  • 16. Password Guidance Password Suggestions (Strong passwords)  Contain both upper and lower case characters (e.g., a-z, A-Z)  Have digits and punctuation characters as well as letters e.g., 0-9, !@#$%^&*()_+|~-= {}[]:quot;;'<>?,./)  Are at least eight alphanumeric characters long.  Are not a word in any language, slang, dialect, jargon, Are not based on personal information, names of family, etc.  Easily remembered. One way to do this is create a password based on a song title, affirmation, or other phrase. For example, the phrase might be: quot;This May Be One Way To Rememberquot; and the password could be: quot;TmB1w2R!quot; or quot;Tmb1W>r~quot;
  • 17. Mistake #2: Bad Passwords How We Can Help: Password Cracking Tool: L0phtCrack www.sunbelt-software.com -Runs in the background -Can collect all passwords, given enough time We will run this for you and help you implement a policy
  • 18. Future Solutions Security Tokens-Secure Computing solution Biometrics
  • 19. Mistake #3: No Virus Protection Different threats under the same name: – Virus – Worm – Trojan horse – Malicious code – Blended Threat – Hoax – Denial of Service DoS (not a virus)
  • 20. Virus Security Example of malicious code From: Microsoft Corporation Security Center <rdquest12@microsoft.com> To: Microsoft Customer <'customer@yourdomain.com'> Subject: Internet Security Update Attachment: q216309.exe Microsoft Customer, this is the latest version of security update, the quot;7 Mar 2002 Cumulative Patchquot; update which eliminates all known security vulnerabilities affecting Internet Explorer and MS Outlook/Express as well as six new vulnerabilities, and is discussed in Microsoft Security Bulletin MS02-005. Install now to protect your computer from these vulnerabilities, the most serious of which could allow an attacker to run code on your computer. Description of several well-know vulnerabilities: Would have recognized this as a threat?
  • 21. Virus Security Anti-Virus software MUST BE UPDATED!! Home users need it as much as business users By subscription- TrendMicro, Symantec, other vendors
  • 22. Virus Security Business users should be set up to update automatically without ‗human intervention‘ Training Many websites, ‗kits‘ available to write your own viruses – http://orbita.starmedia.com/~lautaroml/virus.html
  • 23. Virus Security Turn off the Preview Pane in Outlook – Click on View, unclick ‗preview pane‘ Turn off disk and printer sharing in Windows – Start button, click ‗Settings‘, ‗Control Panel‘ ‗Network‘ and make sure ‗share disk‘ and ‗share printer‘ are NOT checked
  • 24. Mistake #3: Virus Security How We Can Help Virus Software Audit Network Audit
  • 25. Mistake #4: No Backup Most people believe this is covered, BUT – Data stored on local drives – Data not restorable – Tapes not taken off site – Not enough data backed up – Open files not handled
  • 26. Mistake #4: No Backup How We Can Help Backup Audit
  • 27. Future Solutions Internet-based backup Optical Storage
  • 28. Mistake #5: Inadequate Protection Against Hackers Firewalls – Blocks incoming traffic – From free to millions $$$$ EVERYONE MUST HAVE ONE www.zonelabs.com – Software (home) www.sonicwall.com – Appliance (business)
  • 29. Mistake #5: Inadequate Protection Against Hackers- If you host your own website Incoming Web Traffic – SSL certificates – Different type of firewall – Data available for customers on your website has to be segregated from the rest of the company data – Outsourcing
  • 30. Internet Security
    What to ask your outsourced web hoster:
    – Power back-up
    – Internet connection redundancy
    – Which firewall?
    – Data back-up
    – Business questions: How can I make changes?
    – Register your URL in YOUR name
  • 31. Mistake #5: Inadequate Protection – How We Can Help
    – Port Scan: reports open ports/vulnerabilities
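A port scan from outside reports what is reachable; the complementary check is to read the host's own socket table and flag every listener nobody approved. The Python below is an added example (not SAGE's port-scan service) that parses a constructed `netstat -an` style listing in the layout Windows prints, separates loopback-only services from ones bound to all interfaces, and lists what a dedicated HTTPS server should not be exposing. The sample lines and the allowlist are made up for the example.

```python
"""Audit listening sockets against a per-host allowlist.

Added example. SAMPLE_NETSTAT is a constructed listing in the layout of
"netstat -an" on Windows; WEB_SERVER_ALLOW is an assumed policy for a host
that should only serve HTTPS.
"""
import ipaddress

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5432         0.0.0.0:0              LISTENING
  TCP    [::]:443               [::]:0                 LISTENING
  TCP    192.168.1.10:49731     203.0.113.5:443        ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# (protocol, port) pairs this host is allowed to expose to the network.
WEB_SERVER_ALLOW = {("tcp", 443)}


def split_endpoint(text: str) -> tuple[str, int]:
    """'0.0.0.0:135' -> ('0.0.0.0', 135); '[::]:443' -> ('::', 443)."""
    host, _, port = text.rpartition(":")
    return host.strip("[]"), int(port)


def parse_listeners(netstat_output: str) -> list[tuple[str, str, int]]:
    """Return (proto, bind_address, port) for every socket that accepts input."""
    listeners = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue                      # banner, header or blank line
        proto = fields[0].lower()
        # TCP rows carry a state column; only LISTENING sockets accept new connections.
        # UDP rows have no state: a bound UDP socket is always receiving.
        if proto == "tcp" and (len(fields) < 4 or fields[3] != "LISTENING"):
            continue
        addr, port = split_endpoint(fields[1])
        listeners.append((proto, addr, port))
    return listeners


def is_external(addr: str) -> bool:
    """True when the bind address is reachable from other hosts (not loopback)."""
    return not ipaddress.ip_address(addr).is_loopback


def unexpected_listeners(netstat_output: str, allow: set) -> list[tuple[str, str, int]]:
    """Network-reachable listeners that are not on the allowlist, sorted."""
    return sorted(
        (proto, addr, port)
        for proto, addr, port in parse_listeners(netstat_output)
        if is_external(addr) and (proto, port) not in allow
    )


if __name__ == "__main__":
    for proto, addr, port in unexpected_listeners(SAMPLE_NETSTAT, WEB_SERVER_ALLOW):
        print(f"unexpected {proto}/{port} bound to {addr}")
```

On the sample, RPC (135), NetBIOS (137/139) and Remote Desktop (3389) are bound to every interface and would be flagged, while the database on 127.0.0.1:5432 is left alone because nothing outside the host can reach it; the same listing is what the external scan would confirm from the other side.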
  • 32. Mistake #6: Not Keeping Up with Patches/Service Packs
    Difficult to Keep Pace—But Imperative
    – Your lack of patching can help spread viruses to other networks
    – Workstation updates are now part of the problem too
  • 33. Mistake #6: Staying Current – How We Can Help
    – Penetration Testing: check for documented vulnerabilities
  • 34. Mistake #7: Unrestrained E-mail, Instant Messaging
    "E-mail is like sending a postcard on the Internet"
    – Can be read by many people (your ISP, any system admin at any server along the message path, your employer, the US Government using Carnivore/Echelon or other software). http://www.surfcontrol.com/business/products
    – Can be re-sent to someone else, looking like it came from you.
  • 35. Solution to E-Mail Security
    PGP "Pretty Good Privacy"
    – Download free copy at www.pgpi.org
    – Go see Phil at http://web.mit.edu/prz/
    Digital ID: digitalid.verisign.com
  • 36. E-Mail Security
    Email Gaffes
    – BBC sports executive sends "I think they're both crap" email (about two on-camera execs) to entire BBC sports staff (500 people)
    – London lawyer forwards message from his girlfriend re: "intimate act"; his colleague forwards it to others and within hours it has spread across the whole Internet. 6 people suspended from their jobs.
    Email Protocol/Guidance
    – http://www.bmcc.cc.or.us/cs/cs125e/notes/etiq.htm
    – http://www.cio.com/archive/120100/diff.html
  • 37. Instant Messaging (IM)
    AOL Instant Messenger/ICQ/Yahoo Messenger/MSN Messenger/other packages
    – The good news?
      • They're free
    – The bad news?
      • Completely not secure
      • People can pretend to be who they are not
      • With no policies in place, users have no guidelines on what they can/cannot say
  • 38. Instant Messaging Security
    Centralize it:
    – Log the traffic
    – Encrypt the traffic (PGP has a module for this)
    – Establish policies
    OR block it
  • 39. Steganography
    "Embedding secret messages in other files in a way that prevents an observer from learning that anything unusual is taking place"
    – Greek soldiers tattooed maps on their heads, and then grew their hair out
    – Romans obscured messages by applying layers of wax onto the tablets on which they were written, then melted the wax to read the message.
    – Osama bin Laden and his associates have been using steganography to hide terrorist plans inside pornography and MP3 files freely distributed over the Internet.
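The modern form of the slide's definition is least-significant-bit (LSB) embedding: each sample of a cover file (a pixel or audio sample) gives up its lowest bit to carry one bit of the message, which changes nothing a viewer can see. What a defender wants from that description is the tell-tale it leaves behind, so the Python below is an added example (not from the presentation) that embeds into a constructed cover and then applies a simplified form of the "pairs of values" statistic: LSB embedding only moves counts between the values 2k and 2k+1, so after a full embedding those pairs become nearly equal, whereas natural data is skewed within each pair. The cover, payload and detection threshold are constructed for the example; real steganalysis tools use the full chi-square or RS analysis rather than this single number.

```python
"""LSB steganography and a simplified pairs-of-values detector.

Added example. The cover is constructed so that, like most natural images,
its even/odd value pairs are skewed; the payload is random bytes; the 0.4
threshold is chosen for this sample, not a general calibration.
"""
import random


def embed_lsb(cover: bytes, payload: bytes) -> bytes:
    """Write payload bits, MSB first, into the lowest bit of successive samples."""
    bits = [(b >> i) & 1 for b in payload for i in range(7, -1, -1)]
    if len(bits) > len(cover):
        raise ValueError("payload too large for cover")
    out = bytearray(cover)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit      # stays inside the (2k, 2k+1) pair
    return bytes(out)


def extract_lsb(stego: bytes, nbytes: int) -> bytes:
    """Read nbytes back out of the low bits written by embed_lsb."""
    out = bytearray()
    for k in range(nbytes):
        value = 0
        for i in range(8):
            value = (value << 1) | (stego[8 * k + i] & 1)
        out.append(value)
    return bytes(out)


def pair_imbalance(samples: bytes) -> float:
    """Mean absolute difference between counts of 2k and 2k+1, per sample.

    Near 1.0 for data that favours one value of each pair; near 0.0 when the
    low bit has been overwritten with message bits across the whole file.
    """
    counts = [0] * 256
    for s in samples:
        counts[s] += 1
    return sum(abs(counts[2 * k] - counts[2 * k + 1]) for k in range(128)) / len(samples)


def looks_embedded(samples: bytes, threshold: float = 0.4) -> bool:
    """Simplified detector: flag files whose pairs are suspiciously balanced."""
    return pair_imbalance(samples) < threshold


def make_cover(n: int = 4096, seed: int = 1) -> bytes:
    """Constructed cover: mostly even values, 15% odd, mimicking natural skew."""
    rng = random.Random(seed)
    return bytes(2 * rng.randrange(128) + (1 if rng.random() < 0.15 else 0) for _ in range(n))


def make_payload(n: int = 512, seed: int = 2) -> bytes:
    """Constructed payload: random bytes, 8 cover samples per payload byte."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(n))


if __name__ == "__main__":
    cover, payload = make_cover(), make_payload()
    stego = embed_lsb(cover, payload)
    print("round trip ok:", extract_lsb(stego, len(payload)) == payload)
    print(f"cover imbalance {pair_imbalance(cover):.2f}  stego imbalance {pair_imbalance(stego):.2f}")
```

The statistic is weakest when only a small part of the cover carries data, which is why real detectors scan the file in windows; the point of the example is that "nothing visible changed" and "nothing measurable changed" are different claims.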
  • 40. Resources
    Pretty Good Privacy for email: www.pgpi.org
    Firewalls
    – www.zonelabs.com (free personal firewall); see this link for an article about it: http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2870704,00.html
    – http://www.firewall.com/ – good general site for tech info
    Virus software
    – www.symantec.com
    – www.trendmicro.com (don't use the free trial; pay for the real software)
  • 41. Resources
    Steganography: http://members.tripod.com/steganography/stego.html
    Basic Security website: http://online.securityfocus.com/infocus/1560
    Security Certifications – Information Systems Security Association: www.issa-intl.org/certification.html
  • 42. Our Offer
    When you fill out the evaluation form, you can choose one of the services at no charge:
    1. Policy creation
    2. Virus protection audit
    3. Backup Audit
    4. Open Port Scan
    5. Patch/Service Pack Audit
    6. Internet Monitoring Pilot
    7. Network Audit
  • 43. Don't Let the Perfect Interfere with the Good
    – Download the policies if you don't already have them
    – Choose one of the free services on the evaluation form to get started measuring the problem.
    – Download the free firewall (zonelabs.com) and the not-free virus software for your home PC
  • 45. Thank You!
    For More Information: jaymem@sagecomputer.com, (518) 458-9300