
Security Management in Intranet




What is an Intranet?

- A network based on TCP/IP protocols (an internet) belonging to an organization, usually a corporation, accessible only by the organization's members, employees, or others with authorization. An intranet's web sites look and act just like any other web sites, but the firewall surrounding an intranet fends off unauthorized access.
- Like the Internet itself, intranets are used to share information. Secure intranets are now the fastest-growing segment of the Internet because they are much less expensive to build and manage than private networks based on proprietary protocols.
Security Management in Intranet

An intranet security strategy begins with a risk assessment that includes the following:

- understanding the security vulnerabilities in an organization
- identifying the threats that face your organization
- assessing the risk of each threat
- identifying appropriate steps to reduce risk to an acceptable level
- verifying that the system meets the security benchmark appropriate for a particular organization
Top Security Issues

- Encryption
- Access Control
- Passwords
- Content Publishing and Management
- Firewall Set Up
- Remote Access
- Manage E-Mail
- Viruses and Rogue Code
Encryption

- Have encryption and authentication options such as Secure Sockets Layer (SSL), Secure HTTP, or proprietary solutions from third-party providers been implemented?
- Encrypting intranet traffic for user names and passwords is a minimum. Other traffic can be encrypted as required in the security policy. Authenticated log on to the intranet is a first line of intranet security. All or parts of an intranet can be protected using encryption and authentication.
- Convert all log on and authentication functions to Kerberos, NTLM, SSL, or equivalents (the network authentication protocols).
Access Control

- Are the server or servers protected by both hardware and software defenses?
- Is access to the intranet sites limited to internal locations?
- Is secured remote access made available?
- Are access controls tied to job function, specific employees, and specific content?
- This means that the manager of a department has access, via a specific mechanism, to certain information specified in the access control table.
- Make certain that the information in the security policy has been communicated to appropriate individuals. Verify that access controls are in place as part of the security audit, item 10 below.
Passwords

- Are employees required to change their passwords on a cycle, for example, every 60 days or more frequently?
- Is this process automated and enforced?
- A bad password is the user's own name, a pet's name, or a single character such as d. A good password is a combination of letters and keyboard symbols; for example, pp7bo$car.
- Enforce password changes, length, and a combination of letters and keyboard symbols. (Make certain users do not tape user names and passwords to their keyboards or laptops.)
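The password rules above, turned into an automated check that an intranet could enforce at log on: composition (letters plus keyboard symbols), no user or pet name, and the 60-day cycle. This is an added example, not code from the original slides; the 8-character minimum and the user/pet names are assumptions, since the slides give no minimum length.

```python
from datetime import date, timedelta
import string

MAX_AGE_DAYS = 60          # rotation cycle stated on the slide
MIN_LENGTH = 8             # assumption: the slide sets no minimum length
SYMBOLS = set(string.punctuation)


def password_problems(password, user_name="", pet_name=""):
    """Return the list of policy violations for a candidate password.

    An empty list means the password passes. user_name and pet_name are
    supplied by the caller (constructed values in the test below).
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    lowered = password.lower()
    for label, known in (("user name", user_name), ("pet's name", pet_name)):
        if known and known.lower() in lowered:
            problems.append(f"contains {label}")
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(c in SYMBOLS for c in password)
    # "letters and keyboard symbols": letters alone are not enough
    if not (has_letter and (has_digit or has_symbol)):
        problems.append("needs a mix of letters and keyboard symbols")
    return problems


def password_expired(last_changed, today=None):
    """True when the password is older than the 60-day cycle.

    Dates are ISO strings (YYYY-MM-DD) so the check is easy to drive from
    an HR or directory export.
    """
    changed = date.fromisoformat(last_changed)
    now = date.fromisoformat(today) if today else date.today()
    return (now - changed) > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    for candidate in ("pp7bo$car", "d", "fluffy2024"):
        print(candidate, password_problems(candidate, "jsmith", "Fluffy"))
    print("expired:", password_expired("2024-01-01", today="2024-03-02"))
```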
Content Publishing and Management

- Who is responsible for making changes to marketing-related web pages?
- Who has the responsibility of deleting and posting new pages on an intranet portal?
- The intranet is intended to facilitate the exchange of information and applications among colleagues. Nevertheless, servers and web pages should have designated "owners", that is, people who have specific permission to add, remove, and change content.
- Verify and update the table that shows each job function, ownership of data and web pages for that function, and the specific rights accorded that job function.
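An access-control table of the kind the Access Control and Content Publishing slides describe, with a default-deny lookup and an audit pass that flags content with no designated owner and publish rights held by someone other than the owner. This is an added example, not part of the original deck; the job functions, content areas and rows are constructed for illustration.

```python
PUBLISH_ACTIONS = {"add", "remove", "change"}   # rights reserved for owners

# Constructed table: (job function, content area, rights granted).
# The last row is a deliberately bad entry for the audit to catch.
ACCESS_TABLE = [
    ("marketing-manager", "marketing-pages", {"read", "add", "remove", "change"}),
    ("marketing-staff",   "marketing-pages", {"read"}),
    ("hr-manager",        "hr-records",      {"read", "change"}),
    ("all-employees",     "company-news",    {"read"}),
    ("intern",            "hr-records",      {"read", "remove"}),
]

# Designated owner of each content area (constructed). company-news is
# left without an owner on purpose so the audit reports it.
CONTENT_OWNERS = {
    "marketing-pages": "marketing-manager",
    "hr-records": "hr-manager",
}


def rights_for(job_function, content_area, table=ACCESS_TABLE):
    """Union of the rights the table grants a job function on an area."""
    rights = set()
    for func, area, granted in table:
        if func == job_function and area == content_area:
            rights |= granted
    return rights


def is_allowed(job_function, content_area, action, table=ACCESS_TABLE):
    """Default deny: an action is allowed only if the table grants it."""
    return action in rights_for(job_function, content_area, table)


def audit_table(table=ACCESS_TABLE, owners=CONTENT_OWNERS):
    """Return findings: areas without an owner, publish rights outside the owner."""
    findings = []
    for area in sorted({area for _, area, _ in table}):
        if area not in owners:
            findings.append(f"{area}: no designated owner")
    for func, area, granted in table:
        leaked = granted & PUBLISH_ACTIONS
        if leaked and owners.get(area) != func:
            findings.append(f"{area}: {func} holds {sorted(leaked)} but is not the owner")
    return findings


if __name__ == "__main__":
    print(is_allowed("marketing-staff", "marketing-pages", "change"))
    for finding in audit_table():
        print("AUDIT:", finding)
```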
Remote Access

- Does the organization allow users dial-up access behind the firewall?
- Does the organization support wireless access from any location?
- Special steps are necessary to handle remote access. Other precautions are necessary for wireless access, including the use of WEP security. Restricting remote-access users to the same access offered to the rest of the Internet in front of the firewall denies them valuable services. A virtual private network (VPN) allows an authorized user to establish a secure connection to the intranet. An employee who is careless with a user name and password can compromise the system.
- Test the organization's remote access system. Make certain that the security audit analyzes and addresses any weaknesses in the virtual private network.
Manage E-Mail

- How easy would it be for the organization to give up electronic mail?
- Many professionals perceive e-mail as a variant of traditional paper-based mail. It is not. Organizations need to have an active approach to e-mail security. Anyone with access to an organization's e-mail will need some education about the vulnerability of unencrypted e-mail. Not only is clear-text e-mail easy to intercept, but e-mail messages reside in multiple servers and machines in a network.
- Verify that the ISP supports S/MIME (Secure Multipurpose Internet Mail Extensions). If it doesn't, ask when the ISP will.
Viruses and Rogue Code

- Most organizations know to have antivirus software installed. There are different schools of thought about which antivirus system is optimal and about the use of antivirus software on the users' machines. Part of the antivirus security procedure includes settings in the mail client, settings in the browser with regard to executables on web pages, and the types of write protection implemented for various users. Rogue code, that is, Java or other executables embedded in a web page or in a document opened by an application, is an unfortunate fact of life in organizations today.
- Ensure that the organization's security policy addresses antivirus programs and settings for what executables are automatically launched by an application.
Remember

«The only secure computer is one with no power, locked in a room, with no user.»
