hi ho mate! harrybbb here, author of the purple book (Windows Small Business Server 2003 Best Practices) and a fellow Microsoft Small Business Specialist (SBSC). Each day I am posting up some pages from said book for your reading plesure until SBS 2008 ships!
Today we discuss physical security from Chapter 5.
enjoy the read…harrybbbb
Harry Brelsford, ceo at smb nation, www.smbnation.com
###
Physical Security and Management Practices
Just when you thought all security was computer-related in the world of SBS, here comes a paradigm shift wherein we’ll discuss the real, physical world! The reason for broader security discussion is to get you to once again leave the bits behind for a minute and put that business hat back on. As an SBSer, you can’t help but be involved in business matters such as physical security and management practices.
Let’s Get Physical!
After reading this section, walk around your office and see if any of the following don’t ring true or otherwise apply to you:
• Is the server physically secure? Or is it placed in the open where a large gorilla (or heck, in this day and age, a guerilla) could swoop it up and ship it to a chop shop.
• Lock down time. Locking down the disk and disc drives (that’s the floppy and CD/DVD variety) can go along way to preventing the introduction of malware. Don’t forget USB ports!
Visit www.microsoft.com/technet for the latest updates for any Microsoft product.
• Assuming the server isn’t sitting out in the open and is placed in a room or closet, are the doors to this area locked? Who has the keys?
• Speaking of key management, how many people have key access to your office space? Any keys still in the hands of disgruntled ex-employees?
Management
• Is there a written security policy for the use of the SBS 2003 network? Refer to Appendix A for SBS resources, such as the Yahoo! Groups that include posted documents such as security policies.
• A traditional bookkeeping matter to think about: Are the company’s business checks secure? There’s nothing like an employee with a gambling problem writing a check to stall Bruno, the mob enforcer.
• How do you feel about employee background checks? Remember some of the biggest crooks are the brightest people and have the most engaging personalities!
• Beware of psychological warfare. Kevin Mitznick and Frank Abagnale, two renowned white-collar criminals, used a form of social engineering to talk their way into profitable illegal activities—hacking into computer systems and stealing money via check fraud respectively. Mitznick would ring an employee of a company and harvest that person’s user name and password to then penetrate the company’s networks. Abagnale used things like wearing pilot uniforms to earn free flights. Both have written well-received books about their exploits and the power of social engineering.
BEST PRACTICE: Perhaps you’ve got a war story about social engineering and psychological warfare yourself that underscores the power of this penetration method and its associated security risks. I’ve got a quick one to share. Traveling home from the WWPC in New Orleans in October 2003, I used my red press pass badge holder (a conference badge holder that hangs around your neck) to
Visit www.smbnation.com for additional SMB and SBS book, newsletter and conference resources.
carry my passport identification and airline ticket. Once I cleared security, I stopped in a restaurant for a bite to eat. When it came time to pay my bill, I received a 10 percent discount because, with my red badge holder, I was mistaken for being an airport employee (in a secure area nonetheless) and granted the employee discount. I took the 10 percent savings and ran and didn’t further cause mayhem in the secure airport terminal with my newfound identity! The point is that you or I could impersonate someone else and gain access and favors we’re not entitled to. And just try having a firewall service setting block that attack!
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment