<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Exploits and Security &#187; Network Security</title>
	<atom:link href="http://www.exploitx.com/category/network-security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.exploitx.com</link>
	<description>Technology &#38; Security Tips &#38; Guides</description>
	<lastBuildDate>Tue, 22 Dec 2009 03:28:49 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>PGP Corporation Data Encryption Software</title>
		<link>http://www.exploitx.com/169/pgp-corporation-data-encryption-software/</link>
		<comments>http://www.exploitx.com/169/pgp-corporation-data-encryption-software/#comments</comments>
		<pubDate>Thu, 19 Jul 2007 04:33:11 +0000</pubDate>
		<dc:creator>Exploitx</dc:creator>
				<category><![CDATA[Network Security]]></category>

		<guid isPermaLink="false">http://www.exploitx.com/169/pgp-corporation-data-encryption-software/</guid>
		<description><![CDATA[A laptop can be lost at the airport, stolen from a parked car, or taken while the user is away from his/her desk. Even desktop computers are susceptible to theft. Although hardware can be easily replaced, the loss of customer privacy and exposure of proprietary information is not as easily repaired. In fact, the hardware [...]]]></description>
			<content:encoded><![CDATA[<p>A laptop can be lost at the airport, stolen from a parked car, or taken while the user is away from his/her desk. Even desktop computers are susceptible to theft. Although hardware can be easily replaced, the loss of customer privacy and exposure of proprietary information is not as easily repaired. In fact, the hardware replacement value of a lost or stolen computer is dwarfed by the resulting expenses and lost revenue an organization may experience due to the breach. </p>
<p>The consequences of losing confidential customer data are significant, both in terms of dollars lost and the ability to run your business. They include:<br />
<br />1. Lost business – Following a security breach, businesses experience higher rates of customer turnover and lower new customer acquisition.<br />
<br />2. Notification – Businesses contact affected customers (in many cases, required by law) to notify them of the breach.<br />
<br />3. Detection &#038; escalation – The identification, investigation, and auditing of a breach are some of the first steps organizations take immediately after a breach.<br />
<br />4. Legal – A variety of interested or affected parties including government prosecutors or agencies, shareholders, and affected individuals may seek criminal or civil action in the courts.<br />
<br />5. Regulatory – An organization may be compelled by law or corporate governance to take actions, including remediation, paying fines, or discontinuing services.<br />
<br />6. Remediation – An organization may be compelled to or voluntarily take corrective actions, including fixing the breach vulnerability, notifying and supporting affected individuals or organizations, and mounting a public relations campaign.<br />
<br />7. Brand equity – Other consequences may have long-term implications on brand equity. Brand damage may subsequently lead to a reduction in pricing power, diminished marketing effectiveness, and other competitive disadvantages, for example.</p>
<p>Organizations considering hard drive encryption should evaluate solutions based on four requirements: </p>
<p>1. End-user productivity – The solution should remain transparent at all times and not interfere with end-user productivity.<br />
 <br />2. Enhanced data security – Beyond full disk encryption, the solution should provide options for protecting and controlling USB flash drives by policies as well as files stored on shared systems and files and directory archives shared with<br />
<br />3. Centralized management – The solution should allow for central management that enables administrators and help desk staff to easily support remote users.<br />
<br />4. Business continuity – Encrypted data needs to be accessible (according to policy) not only today, but for years to come.</p>
<p> <b>Identify Easiest Hard Disk Encryption Options</b></p>
<p>While there are a number of product options, there are one or two that are most likely to be right for you. The products in this category cover a wide range of prices and features &#8212; all are standalone software packages &#8212; independent from the underlying operating system (OS). SC Magazine just completed an excellent <a href="http://www.dpbolvw.net/3977ox52x4KMPQUNOLKMLPTQLUS?url=http%3A%2F%2Fscmagazine.com%2Fus%2Fproducts%2Fproductdetails%2F094b412f-d772-f446-1fd4-ae0bda3779f7%2Fpgp-whole-disk-encryption-%2F">overview of Hard Drive Encryption</a>, including product reviews. In this article they identify <a href="http://www.jdoqocy.com/b274biroiq57ABF896576AEB6FD?url=http%3A%2F%2Fpgpstore.com%2Fproduct.aspx%3Fsku%3D3118550">PGP Whole Disk Encryption</a> as &#8220;Best Buy&#8221; and &#8220;Easiest to Install.&#8221; </p>
<p><b>Understand the Risk to Your Business</b></p>
<p>Each industry and business is subject to different risks. The excellent Ponemon study <a href="http://www.anrdoezrs.net/2m104xdmjdl0256A3410215961A8?url=http%3A%2F%2Fwww.pgp.com%2Fdownloads%2Fresearch_reports%2Fponemon_reg_direct.html">&#8220;2006 Annual Study: Cost of a Data Breach&#8221;</a> indicates that the cost per lost record can vary from $50-2500.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.exploitx.com/169/pgp-corporation-data-encryption-software/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Hardening Bastion Hosts</title>
		<link>http://www.exploitx.com/114/hardening-bastion-hosts/</link>
		<comments>http://www.exploitx.com/114/hardening-bastion-hosts/#comments</comments>
		<pubDate>Sun, 24 Jul 2005 14:38:44 +0000</pubDate>
		<dc:creator>Exploitx</dc:creator>
				<category><![CDATA[Network Security]]></category>

		<guid isPermaLink="false">http://www.exploitx.com/114/hardening-bastion-hosts/</guid>
		<description><![CDATA[By: Todd Jenkins
Introduction
You’ve just been asked by your manager to install a hardened bastion host. The company needs
to strengthen the security between the Internet and the company’s internal network. You
unsuspectingly accept the challenge and tell your manager you need to do some research. How
hard could it be?
Management often likes to use technical jargon even when [...]]]></description>
			<content:encoded><![CDATA[<p>By: Todd Jenkins</p>
<p>Introduction<br />
You’ve just been asked by your manager to install a hardened bastion host. The company needs<br />
to strengthen the security between the Internet and the company’s internal network. You<br />
unsuspectingly accept the challenge and tell your manager you need to do some research. How<br />
hard could it be?<br />
Management often likes to use technical jargon even when they might not know what it means.<br />
Your manager and a peer from another company were discussing how the other company had<br />
just installed a hardened bastion host. They had gotten a dedicated circuit to the Internet<br />
installed just a few weeks before your company did. The peer says how well it’s working for<br />
them when your manager suddenly decides your company needs one since it’s working so well<br />
at the other company. That’s where you come in.<br />
What is a bastion host?<br />
Now you’re probably asking yourself, “What is a bastion?” I’d never heard of a “hardened<br />
bastion host” before I researched this paper. In fact, several of my peers hadn’t either. You<br />
probably know what it is but didn’t know it by that terminology.<br />
“Bastions are the highly fortified parts of a medieval castle; points that overlook critical<br />
areas of defense, usually having stronger walls, room for extra troops, and the occasional<br />
useful tub of boiling hot oil for discouraging attackers. A bastion host is a system<br />
identified by the firewall administrator as a critical strong point in the network&#8217;s security.<br />
Generally, bastion hosts will have some degree of extra attention paid to their security,<br />
may undergo regular audits, and may have modified software.” (Steves, Kevin)<br />
Bastion hosts are typically designed with one function in mind: to allow information to flow<br />
securely between the Internet and the internal network without directly exchanging packets. It<br />
can be a single system or there can be multiple systems in the firewall. It is wise to remember<br />
the more systems the firewall is made with, the greater the risk of compromise. You can have a<br />
bastion host in the firewall configuration, but without hardening it, the probability of a successful<br />
attack increases. The process called “hardening” will allow these hosts to resist attacks from<br />
external sources thus protecting the internal network.<br />
There are numerous considerations when it comes to bastion hosts: roles, design, documentation,<br />
installation, and verification. I will briefly describe each of these in general detail since it is<br />
impossible to cover every facet of each section.<br />
Roles<br />
The most common roles for bastion hosts are: router, DNS, FTP, SMTP, News, and/or<br />
Web servers. A bastion host can be as simple as a router or as complex as an SMTP and DNS<br />
server. Bastion hosts are typically a gateway, on the perimeter network, between the Internet and<br />
the internal network. Whatever the use, its main function is to protect the network behind it.<br />
The more roles the host has to play, the greater the likelihood of overlooking a security hole.</p>
<p>“Much of what the bastion host does is act as a proxy server for various services, either by<br />
running specialized proxy server software for particular protocols (such as HTTP or FTP), or by<br />
running standard servers for self-proxying protocols (such as SMTP).” (Zwicky, Elizabeth D.,<br />
Simon Cooper and Brent D. Chapman. Page 131.)<br />
What role will this host play in the overall network? Is there a genuine need for this function or<br />
is it merely pressure from users? Pressure from the users can result in a way around security<br />
because of the inconvenience the security policy causes.<br />
Now you need to identify what the host will be used for and verify whether or not it meets your<br />
network security policy specifications.<br />
“A network security policy identifies the resources that need protection and the threats against<br />
them. It then defines how they can be used and who can use them, and stipulates the actions to be<br />
taken when the policies are violated.” (Firewalls and Virtual Private Networks. Page 2.)<br />
If you don’t have a network security policy, you can find a guide to writing Security Policy and<br />
other documentation at: http://www.sans.org/infosecFAQ/policy/shelfware.htm. You can also<br />
find a Security Policy checklist at: http://queeg.com/~brion/security/secpolicy.html.<br />
Design<br />
You must ultimately decide which services need to be on a bastion host. Ideally you would have<br />
one service per host but this does not usually work since the cost alone is typically prohibitive. It<br />
is easier to secure a single service on a single host. If your company can afford the costs of<br />
multiple bastion hosts, you must decide if you are willing to maintain multiple points of attack.<br />
“Only the services that the network administrator considers essential are installed on the bastion<br />
host. The reasoning is that if a service is not installed, it can&#8217;t be attacked.” (Semeria, Chuck.<br />
Internet Firewalls and Security.)<br />
The Department of Defense defines Defense in Depth as “The siting of mutually supporting<br />
defense positions designed to absorb and progressively weaken attack, prevent initial<br />
observations of the whole position by the enemy, and to allow the commander to maneuver his<br />
reserve.” (U.S. Military with Rod Powers.) A way to use the Department of Defense’s Defense<br />
in Depth strategy is to design a Screened Subnet Architecture. In a Screened Subnet<br />
Architecture, the bastion host sits between an exterior router and an interior router.</p>
<p>Full Article: http://www.sans.org/rr/whitepapers/basics/420.php</p>
]]></content:encoded>
			<wfw:commentRss>http://www.exploitx.com/114/hardening-bastion-hosts/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Wireless Network Security</title>
		<link>http://www.exploitx.com/113/wireless-network-security/</link>
		<comments>http://www.exploitx.com/113/wireless-network-security/#comments</comments>
		<pubDate>Sun, 24 Jul 2005 14:31:02 +0000</pubDate>
		<dc:creator>Exploitx</dc:creator>
				<category><![CDATA[Network Security]]></category>

		<guid isPermaLink="false">http://www.exploitx.com/113/wireless-network-security/</guid>
		<description><![CDATA[By: Johan Hiemstra
An overview of 802.11x, WEP, WAP, and WTLS, their strengths, operation, and vulnerabilities as well as various related wireless security attacks and security technologies.
Read: http://www.securitydocs.com/go/2570
]]></description>
			<content:encoded><![CDATA[<p>By: Johan Hiemstra</p>
<p>An overview of 802.11x, WEP, WAP, and WTLS, their strengths, operation, and vulnerabilities as well as various related wireless security attacks and security technologies.</p>
<p>Read: http://www.securitydocs.com/go/2570</p>
]]></content:encoded>
			<wfw:commentRss>http://www.exploitx.com/113/wireless-network-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>WIRELESS DATA CONNECTIVITY GUIDELINE</title>
		<link>http://www.exploitx.com/112/wireless-data-connectivity-guideline/</link>
		<comments>http://www.exploitx.com/112/wireless-data-connectivity-guideline/#comments</comments>
		<pubDate>Sun, 24 Jul 2005 14:30:16 +0000</pubDate>
		<dc:creator>Exploitx</dc:creator>
				<category><![CDATA[Network Security]]></category>

		<guid isPermaLink="false">http://www.exploitx.com/112/wireless-data-connectivity-guideline/</guid>
		<description><![CDATA[Purpose
This document sets forth the guidelines for using wireless technologies for data connectivity and identifies responsibilities for the deployment of wireless connectivity services and the administration of the wireless radio spectrum.  These guidelines describe how wireless technologies are to be implemented, administered and supported at the University of Arizona campus.  It supplements the [...]]]></description>
			<content:encoded><![CDATA[<p>Purpose</p>
<p>This document sets forth the guidelines for using wireless technologies for data connectivity and identifies responsibilities for the deployment of wireless connectivity services and the administration of the wireless radio spectrum.  These guidelines describe how wireless technologies are to be implemented, administered and supported at the University of Arizona campus.  It supplements the guidelines in the CCIT Computer and Network Usage Policy by adding specific content addressing wireless data connectivity and the resolution of interference issues that might arise during use of specific frequencies.  The guideline couples the desire for campus constituencies to deploy wireless technologies with a central administrative desire to encourage all constituents to deploy such systems with an acceptable level of service quality and security. </p>
<p>Wireless Ethernet systems and interface cards can be deployed at University of Arizona to support both administrative and academic applications. This document guides such deployments.  Guidelines for deployment of these systems are essential to:</p>
<p>1.       Prevent interference between different departmental implementations and other uses of the wireless spectrum</p>
<p>2.       Safeguard security of campus network systems</p>
<p>3.       Ensure that a baseline level of connection service quality is provided to a diverse user community.  </p>
<p>Scope of the Guideline</p>
<p>Telecommunications is responsible for providing a secure and reliable campus network to support the mission of the University. Under this broad responsibility, Telecommunications must foster campus-wide network standards (wired and wireless) to meet the networking requirements of all campus constituencies and limit access to network connections which do not conform to generally accepted standard network protocols and security measures.  The guidelines stated below deal with known concerns and in aggregate do not necessarily form a comprehensive guideline statement. Electronic communications is changing rapidly both in terms of technology and application, and additional guideline questions will surely arise in this area. This guideline, other relevant University of Arizona and system policies, and all applicable laws govern the use of electronic communications resources.</p>
<p>Scope of Service: This guideline defines the roles of the campus units and Telecommunications for deploying and administering the wireless infrastructure for the campus.</p>
<p>Network Reliability: In a wireless environment, network reliability is a function both of the level of user congestion (traffic loads) and service availability (interference and coverage).   In efforts to provide an acceptable level of reliability, this guideline establishes a method for resolving conflicts that may arise from the use of the wireless spectrum.  The campus approaches the shared use of the wireless radio frequencies in the same way that it manages the shared use of the wired network.  While the Center for Computing and Information Technology (CCIT) does not actively monitor use of the airspace for potential interfering devices, CCIT will respond to reports of specific devices that are suspected of causing interference and disrupting the campus network. Where interference between the campus network and other devices cannot be resolved, Telecommunications reserves the right to restrict the use of all wireless devices in university-owned buildings and all outdoor spaces.</p>
<p>Security: The maintenance of the security and integrity of the campus network requires adequate means of ensuring that only authorized users are able to use the network.  Wireless devices utilizing the campus wired infrastructure must meet certain standards to ensure only authorized and authenticated users connect to the campus network and that institutional data used by campus users and systems not be exposed to unauthorized viewers.</p>
<p>Support: This guideline defines the responsibilities of campus units and centralized support organizations for the planning, deployment, management and development of wireless network equipment and services.  The guideline describes the responsibilities for Departments that want to provide wireless network facilities and the role of CCIT and Network Managers for ensuring the overall integrity of the campus network.  Guideline statements herein generally provide for Telecommunications to support the publicly accessible wireless environments on the campus and for departments to provide support for wireless networking within campus buildings used by departments.  However, Telecommunications may delegate responsibility for publicly accessible wireless environments where the public area is used exclusively by a campus department and may, at the request of a department, provide support to the department under negotiated terms and conditions.</p>
<p>Definitions</p>
<p>Access Point:  An access point is a piece of wireless communications hardware, which creates a central point of wireless connectivity.  Similar to a “hub”, the access point is a common connection point for devices in a wireless network.  Access points can be used to connect segments of a LAN, using transmit and receive antennas instead of ports for access by multiple users of the wireless network.  Similar to standard wired “hubs”, access points are shared bandwidth devices that can be connected to the wired network via a Network Access Medium (NAM), allowing wireless access to the campus network.</p>
<p>Baseline Level of Connection Service Quality: The baseline level of connection service quality is determined by factors that can affect radio transmissions, such as distance from the access point, number of users sharing the bandwidth, state of the environment from which the transmission is taking place, and the presence of other devices that can cause interference. Acceptable throughput levels should be specified within service level agreements.</p>
<p>Coverage:  Coverage is the geographical area where a baseline level of wireless connection service quality is attainable.</p>
<p>Interference:  Interference is the degradation of a wireless communication signal caused by electromagnetic radiation from another source.  Such interference can either slow down a wireless transmission or completely eliminate it depending on the strength of the signal.</p>
<p>Privacy:  Privacy is the condition that is achieved when successfully maintaining the confidentiality of personal, student, and/or employee information.</p>
<p>Security:  Security not only includes measures to protect electronic communication resources from unauthorized access, but also includes the preservation of resource availability and integrity.</p>
<p>Wireless Infrastructure:  Wireless infrastructure refers to wireless access points, antennas, cabling, power, and network hardware associated with the deployment of a wireless communications network.</p>
<p>Guideline<br />
Responsibility for Wireless Access Points:  Campus responsibility for electronic communication resources resides with Telecommunications.  Telecommunications must approve all installations of wireless access points used on the campus.</p>
<p>   1. Wireless equipment and users must follow general communications guidelines. Wireless services are subject to the same rules and guidelines that govern other electronic communications services at UA. </p>
<p>   2. Abuse or interference with other activities is a violation of acceptable use. Interference or disruption of other authorized communications or unauthorized interception of other traffic is a violation of this guideline.</p>
<p>   3. Radio communication, due to its dependence on a scarce shared resource, is subject to additional rules concerning interference and shared use.</p>
<p>a.       Wireless access points must meet all applicable rules of regulatory agencies, such as, the:</p>
<p>1.       Federal Communications Commission</p>
<p>2.       Arizona Corporation Commission</p>
<p>b.       Wireless access points must be installed so as to minimize interference with other RF activities described below.</p>
<p>   4. Only hardware and software recommended by Telecommunications shall be used for wireless access points. All implementations should meet Wi-Fi standards.</p>
<p>   5. Deployment and management of wireless access points in common areas of the campus must be coordinated with Telecommunications and Network Manager(s).  Common areas of the campus include, but are not limited to,</p>
<p>a.       Public access area and general conference room areas</p>
<p>b.       Open seating areas where members of the community may sit and work</p>
<p>c.       Cafes</p>
<p>d.       Lounges</p>
<p>e.       General Lecture halls</p>
<p>f.         Where wireless networks installed by two or more campus units might interfere</p>
<p>g.       Outside space where people meet/gather/study</p>
<p>   6. A department head or designee (i.e. Department Network Manager) is responsible for wireless access points within campus buildings used by the department.  Where more than one department shares a common building, the department heads or designees may jointly share the responsibility for wireless access points in that building.</p>
<p>   7. Department heads or designees shall register any installation or changes, including moves, of wireless access points with Telecommunications.  This registration shall provide information requested by Telecommunications.</p>
<p>a.       Registration can be performed via a web form at http://wireless.arizona.edu</p>
<p>b.       Information about registered stations will be available to system administrators at http://wireless.arizona.edu</p>
<p>   8. Installation of Access Points</p>
<p>a.       Installation of antennas must comply with all federal and state regulations for antennas</p>
<p>b.       The installation of access points and bridging devices must be consistent with health, building, and fire codes.</p>
<p>c.       Equipment mounted on external structures must be approved prior to installation.<br />
Security:  General access to the network infrastructure, including wireless infrastructure, will be limited to individuals authorized to use campus and Internet resources. Users of campus and Internet resources shall be authenticated.  Exhibit A contains further information on security architectures for wireless networks.</p>
<p>1.       Physical Security of wireless access points will be maintained to protect the access point from theft or access to the data port.</p>
<p>2.       Password and data protection is the responsibility of the application.  The wireless infrastructure may not provide specialized encryption or authentication that should be relied on by applications. In particular, no application should rely on IP address based security or reusable clear text passwords. It is expected instead that service machines will expect/require their own general or applications authentication, authorization and encryption mechanisms to be used by clients entering from any unprotected network.</p>
<p>3.      Access points should enforce user authentication at the access point before granting access to campus or Internet services.  Wireless network interfaces should support authentication to access the campus wireless network.<br />
Interference:  Wireless networking equipment is a shared medium technology that uses the unlicensed frequency bands to create small local area network cells. These cells can be further linked together over an underlying wired network to create an extended wireless network covering whole buildings or wider areas. The success of any wide deployment of wireless networking requires that all equipment that operates in the frequency spectrum be carefully installed and configured to avoid physical and logical interference between components of different network segments and other equipment.</p>
<p>   1. In the event that a wireless device interferes with other equipment, Telecommunications shall resolve the interference as determined by use priority.<br />
   2. The order of priority for resolving unregulated frequency spectrum use conflicts shall be according to the following priority list:</p>
<p>a.       Research</p>
<p>b.       Instruction</p>
<p>c.       Administration</p>
<p>d.       Public Access</p>
<p>e.       Personal</p>
<p>Suitability:  Wireless networks are not a substitute for wired network connections.  Wireless should be viewed as an augmentation to the wired network to extend the network for general purposes to common and transient areas.</p>
<p>   1. Wireless is appropriate for “common areas” where students, staff, and faculty gather.  Common areas most appropriate for wireless use include, but are not limited to, instructional labs, public areas, and research labs.<br />
   2. Wireless networking is most applicable for uses such as email and web browsing.  Unless using encrypted protocols, wireless devices should not be used for connecting to campus business systems such as human resources, payroll, student information, financial information systems, or other systems that contain sensitive information or are critical to the mission of the University.<br />
   3. Wireless access points provide a shared bandwidth.  As the number of users increases, the available bandwidth per user diminishes.  Before deploying wireless networking in common areas, the advice of Telecommunications should be sought regarding the ratio of users to access point.<br />
   4. New plans for buildings and gathering areas should consider the need for and use of wireless networking, similar to the planning done currently for wired networking.<br />
   5. Users of wireless should consider all unencrypted communications over the network as insecure and available and all content as clear text.</p>
<p>Responsibilities </p>
<p>Telecommunications</p>
<p>·        Responsible for creating/maintaining/updating wireless communications guidelines and wireless security standards.</p>
<p>·        Responsible for maintaining a registration of all wireless networks and access points on campus.</p>
<p>·        Responsible for resolving wireless communication interference problems.</p>
<p>·        Responsible for coordinating and approving wireless communications systems in common areas of the campus.</p>
<p>·        Responsible for recommending wireless communication hardware and software used by campus depts.</p>
<p>·        Responsible for coordinating departmental installations of wireless communication systems/access points.</p>
<p>·        Responsible for creating/maintaining/updating wireless communication network security guidelines.</p>
<p>·        Responsible for informing wireless users of security and privacy guidelines &#038; procedures related to the use of wireless communications.</p>
<p>·        Responsible for monitoring performance and security of all wireless networks within public common areas and maintaining network statistics as required to prevent unauthorized access to the campus network.</p>
<p>·         Responsible for monitoring the development of wireless network technologies, evaluating wireless network technology enhancements and, as appropriate, incorporating new wireless network technologies within the University of Arizona network infrastructure.</p>
<p>Campus Units</p>
<p>·        Responsible for adhering to Wireless Communications Guidelines.</p>
<p>·        Responsible for managing access points within departmental space and assuring proper network security is implemented.</p>
<p>·        Responsible for registering wireless access point hardware, software &#038; deployments with Telecommunications.</p>
<p>·        Responsible for informing wireless users of security and privacy guidelines &#038; procedures related to the use of wireless communications.</p>
<p>·        Responsible for monitoring performance and security of all wireless networks within departmental control as required to prevent unauthorized access to the campus network.<br />
References<br />
1.       The University of Arizona Manual of Design and Specification Standards<br />
2.       CCIT Computer and Network Usage Guideline<br />
3.       NFPA 70, National Electrical Code<br />
4.       Federal Communications Commission Regulations, Part 15</p>
<p>** This policy document is subject to review and changes as technology in wireless communications changes over time.<br />
Exhibit A<br />
Draft Wireless Security Standards</p>
<p>1)   Introduction</p>
<p>The use of wireless network technology must not reduce the availability, integrity and confidentiality of critical and essential applications and/or the University of Arizona computing network.  Accordingly, any implementation of wireless network systems at University of Arizona should comply with the security standards described below for authentication, monitoring, reporting and user awareness. Due to the lack of privacy of network communication over existing wireless network technology, all wireless traffic is presumed to be insecure and susceptible to unauthorized examination. </p>
<p>2)   Authentication<br />
Access to wireless network connectivity should be limited to authenticated users and authorized wireless client devices.  Authentication may be performed based on the following requirements:<br />
a)       All authorized wireless network users will be required to be authenticated and operate through the campus VPN.<br />
b)       All authorized wireless network users must register the MAC address of the wireless network interface card (NIC) to the local or campus Dynamic Host Configuration Protocol (DHCP) service.<br />
c)       Wireless NICs and user accounts are not to be shared. (See Network Usage policy)</p>
<p>d)       Users are prohibited from using wireless network technology to access critical and essential applications without the wireless network connections being appropriately encrypted.</p>
<p>3)   Security Awareness</p>
<p>All wireless network managers should be aware of the following issues:     </p>
<p>a)       Authentication for wireless network access and protection of passwords</p>
<p>b)       Authorized use of wireless network technology</p>
<p>c)       Wireless interference issues</p>
<p>d)       Privacy limitations of wireless technology</p>
<p>e)       Report wireless network service problems</p>
<p>f)         Respond to a suspected privacy violation</p>
<p>g)       Revoke DHCP registration due to termination of an affiliation with University of Arizona</p>
<p>4)   Monitoring and Reporting</p>
<p>The use of wireless network technology is to be monitored on a regular basis for security and performance. </p>
<p>· Authentication, authorization and usage and wireless network performance reports are to be made on an individual basis</p>
<p>· Any unusual wireless network event that may reflect unauthorized use of wireless network services will be immediately reported by the wireless system administrator to the campus Security Incident Response Team (SIRT) for review and, if appropriate, investigation.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.exploitx.com/112/wireless-data-connectivity-guideline/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Six quick wireless security tips</title>
		<link>http://www.exploitx.com/111/six-quick-wireless-security-tips/</link>
		<comments>http://www.exploitx.com/111/six-quick-wireless-security-tips/#comments</comments>
		<pubDate>Sun, 24 Jul 2005 14:28:24 +0000</pubDate>
		<dc:creator>Exploitx</dc:creator>
				<category><![CDATA[Network Security]]></category>

		<guid isPermaLink="false">http://www.exploitx.com/111/six-quick-wireless-security-tips/</guid>
		<description><![CDATA[By: TechRepublic, 11/24/2004
Implementing a wireless networking system can result in serious security problems if the system is not properly secured. This is true of a wireless network deployed at home or one deployed in the office. In fact, some residential Internet service providers have clauses in their agreements that indicate that service is not to [...]]]></description>
			<content:encoded><![CDATA[<p>By: TechRepublic, 11/24/2004</p>
<p>Implementing a wireless networking system can result in serious security problems if the system is not properly secured. This is true of a wireless network deployed at home or one deployed in the office. In fact, some residential Internet service providers have clauses in their agreements that indicate that service is not to be shared with people outside of those covered by the agreement. If you deploy an insecure wireless network, it could result in a loss of service, or in the use of your network as a launching pad for attacks against other networks. To help you close these security holes, here are six quick wireless networking tips.</p>
<p>Why do I want to close the loop?</p>
<p>The point of properly securing a wireless access point is to close off the network from outsiders who do not have authorization to use your services. A properly secured access point is said to be &#8220;closed&#8221; to outsiders. A wireless network is more difficult to secure than a typical wired network due to its nature. A wired network has a limited number of fixed physical points of access while a wireless network can be used at any point within the range of the antennas.</p>
<p>Plan antenna placement</p>
<p>The first step in implementing a closed wireless access point is to place the access point&#8217;s antenna in such a way that it limits how much the signal can reach areas outside the coverage area. Don&#8217;t place the antenna near a window, as the glass does not block the signal. Ideally, your antenna will be placed in the center of the area you want covered with as little signal leaking outside the walls as possible. Of course, it&#8217;s next to impossible to completely control this, so other measures need to be taken as well.</p>
<p>Use WEP</p>
<p>Wireless encryption protocol (WEP) is a standard method to encrypt traffic over a wireless network. While it has major weaknesses, it is useful in deterring casual hackers. Many wireless access point vendors ship their units with WEP disabled in order to make the product installation easier. This practice gives hackers immediate access to the traffic on a wireless network as soon as it goes into production since the data is directly readable with a wireless sniffer.</p>
<p>Change the SSID and disable its broadcast</p>
<p>The Service Set Identifier (SSID) is the identification string used by the wireless access point by which clients are able to initiate connections. This identifier is set by the manufacturer and each one uses a default phrase, such as &#8220;101&#8221; for 3Com devices. Hackers that know these pass phrases can easily make unauthorized use of your wireless services. For each wireless access point you deploy, choose a unique and difficult-to-guess SSID, and, if possible, suppress the broadcast of this identifier out over the antenna so that your network is not broadcast for use. It will still be usable, but it won&#8217;t show up in a list of available networks.</p>
<p>Disable DHCP</p>
<p>At first, this may sound like a strange security tactic, but for wireless networks, it makes sense. With this step, hackers would be forced to decipher your IP address, subnet mask, and other required TCP/IP parameters. If a hacker is able to make use of your access point for whatever reason, he or she will still need to figure out your IP addressing as well.</p>
<p>Disable or modify SNMP settings</p>
<p>If your access point supports SNMP, either disable it or change both the public and private community strings. If you don&#8217;t take this step, hackers can use SNMP to gain important information about your network.</p>
<p>Use access lists</p>
<p>To further lock down your wireless network, implement an access list, if possible. Not all wireless access points support this feature, but if yours does, it will allow you to specify exactly what machines are allowed to connect to your access point. The access points that support this feature can sometimes use Trivial File Transfer Protocol (TFTP) to periodically download updated lists in order to prevent the administrative nightmare of having to sync these lists on every unit.<br />
</p>
]]></content:encoded>
			<wfw:commentRss>http://www.exploitx.com/111/six-quick-wireless-security-tips/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
