ZDNet UK


Skip to Main Content

  1. Home
  2. News
  3. Blogs
  4. Reviews
  5. Jobs
  6. Resources
  7. Community
  8. My ZDNet

 

ZDNet UK RSS Feeds


Server platforms Toolkit

Security tightened after 'Needlepoint' virus

J.W. McCord

Published: 15 Nov 2002 20:31 GMT

  • Email
  • Trackback
  • Clip Link
  • Print friendly
  • Post Comment

These are some of the solutions we came up with for our installation. We didn't implement them all because of cost, but they were all very sound approaches.

  1. We started with network protection, focusing on the networks and gateways. We installed a software package that focused on the protection of the network access points.
  2. We installed desktop protection at individual workstations. The package we chose guarded remote and mobile corporate desktops against unauthorised access and a broad array of threats by combining intrusion detection and response with firewall capabilities.
  3. We installed a server logging system. We already had one, but it was geared toward the tech support guys, and it wasn't user friendly for managers. We installed a third-party software package that generated a report with which I could view the access to our server. It even gave me a transaction log for a specific period by individual account. It allowed me to review the log for signs of unusual activity or high transaction activity that could point to problems.
  4. Managers attended a training class given by the security consultant, who explained what had been installed and why.
  5. We didn't do a vulnerability assessment. This would require an outside consultant to evaluate our server, our Internet use, and our database use for a few weeks. The information from this would be used to give us the ultimate in protection. We passed on this because of the cost.
  6. We didn't hire someone to remotely monitor our systems periodically for security problems. We decided not to implement this based on our success with the other procedures we implemented.

Nontechnical solution

We implemented our nontechnical solution next. We derived it from discussions with the consultant and the original policy we had implemented. I immediately had managers place system security on staff meeting agendas and review the firm's policies.

For long-term change, I had managers mention security at least monthly during their staff meetings to keep it on everyone's mind. The security consultant also suggested that we distribute written guidelines, which is the first step in preventing liability if a security problem occurs.

I call this my Needlepoint checklist. I distributed it to my entire staff.

  1. Don't have anything on your computer you don't want management to see.
  2. Don't download anything that isn't 100 percent work-related.
  3. Make sure the latest virus-check software is on your machine.
  4. Don't load or bring in software from home to load.
  5. Let everyone know that you or someone you assigned is going to drop by and check the computer occasionally to see what has been loaded.
  6. Managers should mention security problems at least monthly during meetings. (When I did this in a later staff meeting, a staff member remembered she didn't have virus software on her machine at home, which was the same machine that she used to access our system when she dialed in.)
  7. Ensure backups are made of critical machines and that those backups can be read by another computer.
  8. No one should be on a computer but the employee.
  9. A 90-day password change policy is in effect. Management has the option to do a password change if needed. The new password can't be within three positions of the previous password. Passwords cannot be reused. For example: The password my1son can't be changed to my2son.
  10. Never open e-mail from people you don't know.
  11. Never play or load games on office computers.
  12. If someone is terminated, take his or her computer passwords away immediately.

I let everyone know, in person and writing, the ramifications if they violated these procedures. We'll first give a verbal warning. If an employee violates these rules a second time, they'll be warned in writing and a third warning could be cause for termination. Everyone now knows that management might be looking.

Have your say instantly in the Tech Update forum.

Find out what's where in the new Tech Update with our Guided Tour.

Let the editors know what you think in the Mailroom.

Next

Previous

1 2


  • Email
  • Trackback
  • Clip Link
  • Print friendlyPrint with Konica

Did you find this article useful?
110 out of 221 people found this useful


In association with Intel

Talkback

Post a comment


Full Talkback thread

0 comments

Related Links

More In Server platforms


Company/Topic Alerts

Create a new alert from the list below:











Related Jobs

Electronic & Communications Engineer

Senior Software Validation Engineer

Information Governance Manager - NHS Experience

Microsoft Futures

Windows 7: Mixed reviews from PDC attendees

As developers received their copies of Windows 7 on Tuesday, they offered varied reactions to the Microsoft operating system update More

Microsoft floats clouds on Windows Azure

At the Professional Developers Conference, Microsoft announced the Azure Services Platform, the company's cloud-computing platform More

Ozzie: Success of Azure comes down to trust

In an interview, Ray Ozzie says businesses will be taking a risk by placing core operations in Microsoft's datacentre, but that the software giant has more to lose if things go bad More