THE BEST THING about standards, it's said, is that you can choose from so many of them. Unfortunately, the same holds true for security best practices. Strong passwords, software updates, system hardening, encryption, anti-virus software, vulnerability scanning, intrusion detection, baselining and log analysis -- the list goes on and on. It's a complex game that IT managers try to simplify by focusing on that convenient choke point, the firewall. But every network-connected device and every user can be the proverbial weak link in the chain.
The security industry offers a range of useful products that can help you implement a variety of best practices. Study, acquire, and deploy these according to the same cost/benefit analysis that governs any IT purchase. At the same time, because security is many-layered and you can never have too much of it, be on the lookout for simple, inexpensive ways to enhance your best-practices stance. Begin by implementing these often-overlooked strategies.
Add an encrypted password database
The universal recommendation in favour of strong and frequently changing passwords runs smack into a basic fact about human beings: We can't remember gobbledygook. Users choose simple passwords when they can get away with them, reuse them where they can, and if forced to choose strong passwords, they write them down on cheat-sheets posted on their monitors, or stashed in their wallets.
Counterpane Labs offers a free solution to this dilemma. At http://www.counterpane.com/passsafe.html users can download a free Windows utility called Password Safe. It's an encrypted database, protected by its own passphrase, in which users record any number of name/password credentials. Simple to install and use, and easily transported (say, from a desktop PC to a laptop), Password Safe makes strong passwords practical. Here's a way to do the right thing until single sign-on finally gets real.
Use digital IDs to authenticate and encrypt
Another kind of single sign-on has been available for years: client certificates, aka digital IDs. These can be stamped out by commercial certificate authorities or self-generated for companies' intranet/extranet use. Browsers store certificates in a database that, as with Password Safe, is protected by a single passphrase. When challenged by a Web server, the browser presents a certificate as an access credential. The certificate, or an attribute of it, is the authentication token.
Client certificates have historically been nonstarters, and that's especially true for ones that encode special access tokens. But the administrative overhead can be simplified. Thawte (http://www.thawte.com),, a VeriSign company, includes a strong extranet module with its Starter PKI offering. Using it, administrators who outsource PKI to Thawte can enable employees and partners to acquire certificates that embed identity tokens to serve as access-granting credentials.
A second major benefit to using client certificates is that they unlock the S/MIME (Secure MIME) capabilities of mainstream e-mail programs, including Outlook, Outlook Express, and Netscape/Mozilla (Eudora doesn't support S/MIME directly, but plug-ins are available.). Any two people who have installed client certificates and have traded email once can subsequently encrypt future messages. Given the vast amount of confidential data routinely sent in the clear via e-mail, it's a shame that this powerful end-to-end encryption -- which requires only a free or inexpensive digital ID -- is so rarely used.
Yet digital IDs may fall further from favor. Only 25 per cent of respondents to the 2002 InfoWorld IT Security Survey use a PKI infrastructure and 36 per cent use certificate authority services; those numbers fall over the next 12 months to 21 per cent and 19 per cent, respectively. Whatever its benefits, a technology that can't be easily understood and applied will surely wither. Survey respondents overwhelmingly value ease of implementation and ease of use, neither of which digital ID purveyors have yet managed to deliver.
Once activated with a client certificate, S/MIME also enables users to sign messages. A digital signature binds a legitimate identity to a message, guards against forgery, and attests that the contents are unaltered. In this era of corporate scandal, such accountability looks more attractive with each passing week.
Encrypt mailbox access
Another overlooked strategy is to encrypt the pipe from the desktop to the mailbox; only 8 per cent of respondents cited encryption as necessary to security. The standard mailbox access protocols -- POP (Post Office Protocol) and IMAP (Internet Messaging Access Protocol) -- operate in the clear. That means passwords and data are visible to anybody sniffing the wire, or, in Wi-Fi situations, sniffing the air. Popular mail clients, including Eudora as of Version 5.1, can protect mailbox traffic using SSL variants of POP and IMAP. For this to work, the mailbox server has to be able to listen for SSL. If yours doesn't, you can use stunnel or sslwrap -- utilities based on OpenSSL -- to add SSL capabilities. Wrap your SMTP traffic this way as well, and you can effectively create a virtual private e-mail network for internal corporate messages.
Finally, consider using Groove, a collaborative tool whose value as a pure security solution is often overlooked. The preview edition is free and will encrypt all of your messages and documents, both on disk and on the wire, without requiring any PKI or S/MIME or SSL gymnastics.
EXECUTIVE SUMMARY Security-conscious IT leaders, facing a bewildering array of product choices, may overlook basic best practices. Inexpensive or free tools and common-sense strategies belong in every company's security arsenal.
TEST CENTER PERSPECTIVE Giving users a secure place to record passwords is an easy solution, and digital-ID-based authentication and encryption are also potential big wins. Security technologies are more available than many IT managers realise, but they're still not as easy to understand and use as they need to be.