Hacking: Guide To Basic Security, Penetration Testing And Everything Else Hacking (2015)
Chapter 4: Security Guidelines For Offices And Organizations
The threat of hacking is an all-pervasive one, and large-scale corporations and organizations are equally affected by it. This is especially so in the case of banks and financial institutions, where a huge quantity of personal and financial information about the clientele is stored. An attack on such networks can wreak havoc on a scale beyond imagination. In this chapter we shall deal with how offices and organizations can take precautionary measures to avoid such incidents and neutralize an external threat to their computer network.
Safeguard the points of entry
The first and foremost step is to identify and mark out the points of entry between the internet and the organization's network. This is not as easy as it sounds. There will be numerous interfaces where the internal network is exposed to the internet, and these need to be monitored because any external attack on the network can only originate from these points. Once these entry points are identified, steps should be taken to ensure that they are well protected.
Various diagnostic tests can be run on the network to ascertain the points of weakness. These tests must be run keeping in mind that the threat can emanate from both external and internal sources. The results of the tests will provide a clear picture of where the organization is lacking in terms of network security. The faults can then be addressed by patching the gaps, by adding an extra layer of security, or by eliminating the faulty areas completely. The diagnostic tests should be run at regular intervals, with the frequency based on the level of exposure to external sources.
Merely having a firewall installed in your network is not enough. The firewall should be configured in such a way that it reflects the nature of the threats your network can face. It should let through communication that is relevant and legitimate and block traffic that appears to have mala fide intentions. The configuration must be in tandem with the security requirements of the network and should complement its functionality.
As mentioned in the earlier chapter, passwords are an integral part of any network of computer systems. They are one of the main areas of human-machine interface. In the case of a large corporation or organization, where there are a large number of employees, the risk of the network coming under attack also increases manifold. In such large-scale operations, the network administrator should devise clearly outlined policies for the generation, alteration and periodic change of passwords. The passwords should mandatorily consist of letters, special characters and numbers. They should have a minimum length of seven to eight characters and should be in a jumbled fashion.
Strict guidelines should be introduced with respect to sharing of passwords or providing authentication to a person other than to whom the password is issued. In the higher levels of the organization, the nature of data accessible is of a more confidential variety, both qualitatively and quantitatively. In such situations non-disclosure agreements may be put in place binding the higher level managerial staff.
Another key step to be taken is to introduce a system where the passwords are automatically changed every two weeks and fresh ones are generated in their place.
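The password rules above (letters, numbers and special characters; a minimum length of seven to eight characters; a "jumbled" rather than patterned string; forced change every two weeks) can be enforced mechanically. The following is an added example, not code from the book: a small policy checker that validates complexity at the moment a password is set and flags accounts whose password is older than the fourteen-day limit. The eight-character minimum (the stricter end of "seven to eight"), the definition of "jumbled" as "no run of three repeated or sequential characters", and the sample accounts are all assumptions made for the example.

```python
import re
import string
from datetime import date

MIN_LENGTH = 8        # assumption: the stricter end of the book's "seven to eight"
MAX_AGE_DAYS = 14     # the book's "changed every two weeks"


def has_sequence(s: str, run: int = 3) -> bool:
    """True if s contains `run` consecutive characters that step by +1 or -1
    in code-point order (e.g. 'abc', '321'). Case-insensitive."""
    lower = s.lower()
    for i in range(len(lower) - run + 1):
        window = lower[i:i + run]
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_complexity(password: str) -> list:
    """Return a list of policy violations; an empty list means the password passes.
    This runs only at password-set time, when the plaintext is legitimately
    available; it is never run against stored passwords."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c in string.punctuation for c in password):
        problems.append("no special characters")
    # "jumbled": reject a run of three identical characters, e.g. 'aaa'
    if re.search(r"(.)\1\1", password):
        problems.append("repeated character run")
    if has_sequence(password):
        problems.append("sequential characters (e.g. abc, 123)")
    return problems


def is_expired(last_changed_iso: str, today_iso: str) -> bool:
    """Rotation check: needs only the last-changed date, never the password."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return (today - last_changed).days > MAX_AGE_DAYS


def audit(accounts: dict, today_iso: str) -> dict:
    """accounts maps user -> (candidate_password, last_changed_iso).
    Returns user -> list of findings, omitting accounts with none."""
    report = {}
    for user, (pw, changed) in accounts.items():
        findings = check_complexity(pw)
        if is_expired(changed, today_iso):
            findings.append(f"password older than {MAX_AGE_DAYS} days")
        if findings:
            report[user] = findings
    return report


# Constructed sample accounts for the example (not real data).
SAMPLE_ACCOUNTS = {
    "alice": ("Tr0ub4dor&3", "2015-03-01"),
    "bob":   ("password",    "2015-03-10"),
    "carol": ("aaa!1111",    "2015-02-01"),
}

if __name__ == "__main__":
    for user, findings in audit(SAMPLE_ACCOUNTS, "2015-03-12").items():
        print(f"{user}: {', '.join(findings)}")
```

The two checks are deliberately separated: complexity needs the plaintext and therefore belongs in the password-change path, whereas the rotation check works from a stored timestamp alone, so it can run as a scheduled job without ever touching the credential itself.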
It is a given fact that no matter how many safety measures you put in place, when it comes to passwords, the threats can never be completely ruled out. Many computer security specialists believe that the best way to deal with this situation is to minimize the use of passwords and, in their place, establish other forms of employee-specific security measures, such as smart cards to access individual computer systems and fingerprint scanners and retinal scanners to gain entry into server rooms, data storage rooms, etc. These devices are not as prone to breaches as passwords, for the simple reason that a second party cannot impersonate the actual user and enter the system.
Anti-virus and anti-spyware software
The basics of safeguarding against malicious virus attacks and spyware are the same for a personal laptop and for a large network of systems. It is only the scale of operations that differs. In the case of large organizations, efficient anti-virus and anti-spyware software with a wide scope of operation must be installed. The software must be able to tackle threats of a wide variety, from simple reconnaissance bugs to all-out hacking code. In addition to detecting viruses, it must also be capable of quarantining infected files and keeping them isolated from the other files.
Physical security of the premises
When it comes to computer security and protection against hacking, corporations tend to ignore the very simple fact that unless the office premises are properly guarded and secured at all times, all the internal software security measures shall be in vain. If the system is exposed to threats from inside due to a lack of proper physical security, the network can be easily breached.
There should be continuous monitoring of people who have access to computers anywhere in the organization. The inflow and outflow of people into the premises should be recorded and documented. Care should be taken to ensure that visitors are not allowed access to computer systems under any circumstances. And last, it should be ensured that the office premises are under round-the-clock security.
All the precautions taken by the organization and the safety measures and procedures set in place shall not prove effective unless the employees, from the high-level ones right down to the low-level maintenance staff, are aware of the gravity of the threat posed by hacking, viruses and other malicious activities. Employees at all levels of security clearance must be aware of the importance of secure, breach-free systems and of their own role in ensuring the same.
Awareness campaigns and drills must be held on a regular basis, where the employees are trained in the basic security measures to be observed and abided by. They should be acquainted with the anti-virus and anti-spyware software installed by the organization. And more than anything, as a result of the campaigns, they should realize that they all play an important part in making sure that their systems, and in turn the network, do not come under the threat of being hacked.