
Saturday, November 20, 2010

A three layer approach to Internet Security


Internet security is everyone's concern. Whether you are an SMB or a large enterprise offering e-commerce services, you are at risk if you do not secure and monitor your web assets. Internet security is a multi-layered task, and many organizations dedicate highly qualified staff to security governance; even so, weaknesses in your web infrastructure may still be found, or certain aspects of security may be overlooked. An organization therefore needs to take a holistic approach to security. Whatever approach an organization takes, it must relate Internet security to its logical and physical boundaries and activities. The following article explains a three-layer approach to Internet security for a typical organization that provides services to web customers.


The Organization's Customers

From a business perspective, customers are the most important stakeholders, and as such an organization must build a trust factor that is conveyed to its customers. When customers are convinced that you are a reliable and secure entity, the business around it thrives. The outer layer deals with security considerations related to the business customers:

1. The need to know your customers, trends and their characteristics, since this helps you identify non-customers, or rather criminals
2. Monitoring techniques (automated processes) that flag abnormal trends or irregularities
3. Compliance with regulatory requirements - ex: PCI, ISO and others
4. Customer authentication considerations - the famous "something you have" + "something you know" concept
5. Strong data encryption techniques, SSL certificates, security seals (Hacker Free Site), etc.

The Organization's Web Presence

As you drill down to the inner layers, the security approach shifts its attention to the technical requirements related to your web services. Note that some of these requirements are defined by the outer layer, so you need to maintain an interrelationship between the layers.

1. Security considerations for web servers - the web service runs under a user account with restricted rights, unused accounts and services are disabled, strong admin passwords, an SSL certificate from a top certificate authority such as VeriSign, logging and patch management, etc.
2. Monitor web traffic for malicious activity such as DDoS and hacking attempts.
3. Apply adequate availability techniques, such as monitoring page load times, etc.
4. Web application considerations - database account connection restrictions for read and write operations, monitoring for cross-site scripting and SQL injection threats, review and hardening of application code
5. Web load balancer & DNS considerations - both pose a serious threat, especially for banks and financial institutions: phishing, DNS poisoning, zone transfers, etc.
6. Remote admin & data transfer considerations - a strongly encrypted channel with public and private keys where possible.

The Organization

At the core of the three layers we find the organization's physical, logical and personnel security aspects. In short, we find all the security measures an organization would normally implement, but, as described before, you need to carry out each layer in relation to the elements of its outer layers and build upon them.

1. A criminal can target the organization's employees
2. The big threat is e-mail, as it spreads viruses, spyware and malware.
3. Employee negligence can lead to infected workstations - conduct employee training!
4. Another big threat is social networking - a good Internet traffic monitoring & blocking tool is a must!
5. A practical e-mail and web usage policy must be in place and followed
6. Social engineering countermeasures, e.g. policies & procedures

The Organization's Physical & Logical Security in Relation to Outer-Layer Elements

1. How are remote sites connected? - a secure channel over the Internet (ex: VPN) or a bridged connection (leased lines, SAT, other) - each method has its own weaknesses in terms of performance and security
2. Office Internet connectivity needs a double perimeter or a DMZ, an application-based firewall and an IDS or IPS
3. Employees' workstations - patch management, antivirus, anti-spyware/malware, with group policies that stop users from disabling such services
4. Wireless considerations - does the wireless network bridge the internal LAN with the external network?
5. Devices in general - replace default usernames & passwords and default configuration. Devices such as network switches pose a serious threat.
6. The most important assets are the internal servers that connect to the Internet, e.g. e-mail, web proxies, DNS and web application backend servers
7. Determine all known vulnerabilities for each system and minimize possible threats with adequate controls.
8. Configuration reviews and best practices must be followed
9. Adequate log management - collect, analyze & report
10. Protocols, operating systems, user browsers, tools, applications - keep a complete and detailed inventory of hardware & software

Finally, the best security measure is to ensure that an alternative option is always available in case all other security measures fail. I am referring to Business Continuity Planning (BCP) with tested data backups, adequate redundant systems, DR and contingency plans.



Sunday, November 14, 2010

Prevent threats to the security of your network online backup


BACKUP AND RECOVERY

Kevin Beaver
10.25.2010
What you will learn in this tip: Online or cloud backup services are seen as a quick and easy way to back up personal files. But more and more employees are using these services to back up their personal data on work computers. Learn about how to prevent these online backup security threats in your organization.

Online computer backup services such as Carbonite, EMC Corp.'s Mozy and Dropbox are all the rage these days. These services are appealing because they solve the problems of having onsite backups or not having the resources to manage backups at all.

You may be thinking that these online computer backup services don't affect your business. But you may not know that users are running these programs on their work computers to back up their "systems," including personal and business data. And until you know for sure that these programs aren't being used in your environment, there are numerous security and compliance risks as shown in "Figure 1: Security and compliance risks related to online computer backup" below.

Figure 1: Security and compliance risks related to online computer backup usage

The online data backup services themselves aren't the problem. It's the simple fact that they're being used on your network without anyone's consent. IT is often out of the loop. Ditto for internal audit. I've even spoken with backup administrators who've said they had no idea their users were performing backups on their behalf. Perhaps worst of all, management is often oblivious to the business risks that include confidential customer data mishandling, intellectual property exposure, and quite possibly contract and compliance violations.

Online computer backup services: Important questions to ask

Here are a few questions to ponder regarding the personal usage of online computer backup services in your environment:

1. Does your business have an acceptable usage policy that covers the installation and use of such software/services?
2. Are your employees qualified to review the privacy policies and other terms and conditions regarding the handling of your business information that's undoubtedly shipped off-site?
3. Is your legal team plugged into information security and privacy enough to know that business information covered under contract or compliance regulations is being handled this way?
4. How does data labeling, data retention and data destruction play into all of this?
5. Should you provide an alternative? Do you back up locally stored files, especially for mobile or remote workers?

I bring these issues up to point out the risks associated with users sharing sensitive business information with these third-party data backup and file sharing services. You have to consider the situation of a data breach and subsequent investigation. Good lawyers and expert witnesses will know to ask questions around how information is managed in your organization and the specific steps you've taken to keep it reasonably secure.

Gain control of online backup security

You cannot secure what you don't acknowledge. As the person in charge of managing data backups and ensuring the whereabouts and integrity of this data, you're going to have to get plugged into these cloud backup and file sharing services. Even if it's a security-centric problem, it still affects how you manage backups. Here are four things you can do right now to gain control of online backup security:

1. Work with your network administrator to monitor traffic patterns going to these vendor sites.
2. Work with your desktop administrator to perform a software audit to see which of these applications are running on each of your computer systems and your mobile devices (Dropbox, for instance, runs on iPhone, iPad, BlackBerry and Android).
3. Work with management and legal -- ideally a formal security committee that includes these people -- and determine how you're going to handle this.
4. Based on your risks, put the appropriate policies in place and use the necessary technologies to keep things in check.
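As an added example (not from the article or TechTarget), here is a small Python script for the first step above, reviewing proxy traffic to the vendor sites: it parses constructed Squid-style access-log lines, maps destination hosts to the backup vendors the article names (the domain list is an assumption you would extend for your own environment), and reports which internal clients sent the most data to them, giving the desktop audit in step two a list of machines to start with.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed service domains for the online backup / file-sharing vendors the article
# names (Carbonite, Mozy, Dropbox). Extend the map for other services you care about.
BACKUP_VENDOR_DOMAINS = {"carbonite.com": "Carbonite", "mozy.com": "Mozy", "dropbox.com": "Dropbox"}

# Constructed sample lines in Squid access.log format (not real traffic):
# timestamp elapsed client status/code bytes method url user hierarchy type
SAMPLE_PROXY_LOG = """\
1288000001.123   452 10.1.2.15 TCP_TUNNEL/200 1048576 CONNECT dl-client01.dropbox.com:443 - HIER_DIRECT/203.0.113.10 -
1288000002.456   120 10.1.2.15 TCP_MISS/200 2048 GET http://www.example.com/index.html - HIER_DIRECT/203.0.113.20 text/html
1288000003.789  9870 10.1.2.22 TCP_TUNNEL/200 52428800 CONNECT backup.carbonite.com:443 - HIER_DIRECT/203.0.113.30 -
1288000004.000   300 10.1.2.22 TCP_TUNNEL/200 4194304 CONNECT api.mozy.com:443 - HIER_DIRECT/203.0.113.40 -
1288000005.000    80 10.1.2.40 TCP_MISS/200 512 GET http://notdropbox.com/ - HIER_DIRECT/203.0.113.50 text/html
"""

def host_from_url(url: str) -> str:
    """Return the bare hostname from a CONNECT target (host:port) or a full URL."""
    if "://" not in url:
        url = "//" + url          # let urlsplit treat a bare host:port as the netloc
    return (urlsplit(url).hostname or "").lower()

def vendor_for_host(host: str):
    """Map a hostname to a vendor on label boundaries, so 'notdropbox.com' does not match."""
    for domain, vendor in BACKUP_VENDOR_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return vendor
    return None

def summarize_backup_traffic(log_text: str):
    """Aggregate bytes per (client IP, vendor) for requests to backup vendor hosts."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue               # malformed or truncated line, skip it
        client, size, url = fields[2], fields[4], fields[6]
        vendor = vendor_for_host(host_from_url(url))
        if vendor:
            totals[(client, vendor)] += int(size)
    return dict(totals)

def flag_clients(totals, threshold_bytes: int):
    """Return [(client, vendor, bytes)] at or above the threshold, largest first."""
    hits = [(c, v, b) for (c, v), b in totals.items() if b >= threshold_bytes]
    return sorted(hits, key=lambda t: t[2], reverse=True)

if __name__ == "__main__":
    totals = summarize_backup_traffic(SAMPLE_PROXY_LOG)
    for client, vendor, nbytes in flag_clients(totals, threshold_bytes=1 << 20):
        print(f"{client:<12} {vendor:<10} {nbytes / 2**20:8.1f} MiB")
```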

The solution may seem obvious to just block these applications at the network perimeter or on the desktop. However, if you've ever gone down the path of blocking such applications you know how painfully difficult it is. Even if you provide backup services at the workstation level (something rarely done because of the storage requirements and the inherent difficulties of doing so with a mobile workforce) users are still going to use such backup and file sharing services. After all, in many cases they're doing this for themselves and not for the betterment of the business.

Some people may argue that many of these applications are for personal use and don't really affect the business. I believe that if these services are running on computers that store or process business information (including personal smartphones and computers at home) then it's a business problem that needs to fall under the umbrella of business oversight and control. Otherwise, you're going to have a Wild West-like environment that's treading on thin ice. As Ayn Rand said, "We can evade reality, but we cannot evade the consequences of evading reality." Something needs to be done before something bad happens.

About the author: Kevin Beaver is an information security consultant, expert witness, author and speaker with Atlanta-based Principle Logic, LLC. With over 21 years of experience in the industry, Kevin specializes in performing independent security assessments revolving around compliance and minimizing information risks. He has authored/co-authored eight books on information security including the newly updated Hacking For Dummies, 3rd edition. In addition, he's the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. You can reach Kevin through his website www.principlelogic.com and follow him on Twitter at @kevinbeaver.





Sunday, November 7, 2010

Protection of the environment - example IT security checklist

Protecting the environment is not a task that is defined once for the lifetime of the environment; it is an ongoing process of adaptation (updating items) during routine reviews. Whether you are a senior executive or security officer in a large organization or an IT manager in a small business, you need a security checklist that is dynamic. While you use such a checklist to check that all parts of the environment are covered, the same checklist will show that certain areas have become obsolete while others need more rigor. Reviewing these points with the responsible IT staff will also turn up new areas that may be missing from the list. A high-level security checklist like this one should not deal with the implementation details of individual security controls, but it can be expanded or linked to other documents. It is a sample checklist that can be used as a starting point!

Physical security:

1. Access to the server room
2. Access procedures and guidelines
3. Redundant and storage hardware - ex: RAID, backup drives, etc.
4. Disable unused network points
5. CCTV control / theft and fire systems
6. Mobile workers guidelines for handhelds/laptops - ex: terms of use
7. Inventory of all hardware
8...

Network security:

1. Network switches configuration - ex: Replace default settings
2. Monitoring of network traffic - ex: performance problems due to malicious scanning tools
3. Monitor Internet traffic (company policy!)
4. Allowed protocols - ex: SNMP, community string settings and permissions
5. DMZ setup - ex: servers in the DMZ should not store internal IP addresses
6. Firewall configuration - ex: allowed/blocked ports, secure VPN access, etc.
7. IDS or IPS configuration if implemented
8...

Wireless network:

1. WAP configuration - ex: Replace default settings such as SSID name
2. Shared key management - ex: centralized, process rules, complexity
3. Additional security - ex: disable SSID broadcast, use HTTPS, MAC filtering, etc.
4...

Application server:

1. Mail server configuration - ex: open relay!, antivirus solution, etc.
2. Web server configuration - ex: disable unused services/accounts, etc.
3. Database server configuration - ex: DB admin account, logs, etc.
4. DNS server configuration - ex: zone transfer, cache settings, etc.
5. File server - ex: ACL, file shares, antivirus, etc.
6. AD configuration - ex: group security policies, ACL, etc.
7. Update mechanism - ex: systems and applications, updates, notifications, etc.
8. Logs - ex: logging is enabled, collect and review logs
9. Remote admin - ex: secure SSH, RDP, etc.
10. Admin scripts - ex: passwords in plain text!
11. Monitoring mechanism - ex: notified if services down
12...

Client workstations:

1. Software update distribution - ex: automatic vs manual updates, central distribution
2. Anti-virus solution - ex: cannot be disabled, automatic updates, etc.
3. Computer policies - ex: lock idle workstations, installation permissions, etc.
4. Hardware usage guidelines - ex: lock unused ports, media usage, etc.
5. Software inventory - ex: applications installed with version numbers
6. User access permissions - ex: disallow / allow administrator privileges!
7. Password policy - ex: strong, but not too complicated
8...

Others:

1. Staff training - ex: ethics, security awareness, etc.
2. Staff training - ex: training program
3. Data non-disclosure agreement
4. Social media use policy - ex: Facebook, personal blogs, etc.
5. Other policy.

The above checklist is not complete, but it should give you a head start. Any additions you consider important are therefore welcome; you may submit them as comments.



Wednesday, April 28, 2010

Qwest's new suite of support, security and online backup services puts customers "@ease"

Qwest's "stress reliever" includes a security leader, home network installation and improved support

DENVER, April 20, 2010 (BUSINESS WIRE) - Qwest Communications makes it easier to control, protect and connect digital devices with the Qwest
