Ten Vulnerabilities and Solutions for Domestic Enterprises

For modern enterprises that are increasingly dependent on Internet applications, changing security threats and changing regulations and standards make maintaining a reliable network environment a major challenge.

In today's globalized economic environment, companies have never been able to do without the Internet as they do now-companies conduct e-commerce transactions through the Internet and provide suppliers, business partners, customers and remote employees with easy access to network resources.

However, although it has become more convenient to do business online, it has become more difficult to ensure the safety and reliability of data exchange and communication. For large and small enterprises, changing security threats and changing regulations and standards make maintaining a reliable network environment a major challenge.

Here are ten security strategies to establish online trust relationships inside and outside the enterprise. Although these strategies are not comprehensive, they focus on the ten biggest threats facing enterprises: e-mail systems, traditional password security mechanisms, identity authentication, phishing, and so on.

1. Without SSL protection, data integrity will be compromised

An SSL server certificate should be deployed for your entire enterprise as soon as possible. SSL is the most widely deployed security protocol in the world. It should be deployed on any server to protect various confidential and personal information transmitted from the browser to the server.

Secure Socket Layer (SSL) encryption is one of the most important technologies used today to protect websites, intranets, extranets, and other server-based applications. Without it, the integrity of data exchanged through public and private networks would be compromised, ultimately affecting business continuity and profits. SSL can protect network access, online contact and digital transactions, because it can establish a secure channel between the server and the user.

In the past few years, people's understanding and understanding of the advantages of SSL technology has greatly improved. More and more users pay attention to the padlock symbol indicating that the session uses SSL encryption

Thousands of websites now have X.509 special server digital certificates installed, which can activate SSL between the browser and the server. All modern web browsers and servers have integrated SSL support, so from an enterprise perspective, just install a certificate on the server. Once the browser and the server have exchanged signals, all data transmitted from one party to the other is encrypted, thereby preventing any eavesdropping that may jeopardize the security or integrity of the transmitted data.

2. Without reliable physical and network security, sensitive corporate data will be at risk

Use firewalls, intrusion detection, client PC virus software, server-based virus checking, and ensure that the latest security patch versions on all systems prevent most types of threats from affecting company business, destroying sensitive data, or threatening business continuity.

Network security involves computer system and network access control, detection and response to intrusion activities. Weak security will bring huge risks: data theft, service interruption, physical damage, system integrity is compromised, and unauthorized disclosure of company proprietary information.

In order to protect the network access channel, we must start with basic aspects, such as locking up unused computers. In addition to the basic aspects, more reliable solutions include the use of key cards, hardware tokens, and biometrics to control access to particularly sensitive places.

A firewall is an essential part of network security. The firewall restricts access from one network to another, and checks and restricts all traffic passing through the network. The firewall should restrict access from the Internet and an internal network (such as an application server) to another network (such as a database). It is necessary to carefully consider which IP addresses and ports the firewall should allow. In addition, it is recommended to use a multi-layer firewall for parts with significantly different functions on the network-one firewall for the demilitarized zone (DMZ), the second for the web server, the third for the application server, and the fourth one for database.

Intrusion detection systems can monitor attacks, analyze review logs, alert administrators when an attack occurs, protect system files, reveal hackers' tricks, indicate which vulnerabilities need to be blocked, and help track down the perpetrators of the attack.

Another indispensable means is to ensure that the virus and Trojan horses on all clients are checked for the latest software version. There are thousands of viruses outside, and each new virus is more cunning and more destructive than the original virus. Several viruses that have spread through email recently and have raged around the world have caused tremendous damage and losses. A particularly reliable solution is to run server-based virus software on an e-mail transmission system (such as Microsoft Exchange) to prevent infected mail from being delivered to users or infecting other clients through one client.

Finally, the easiest and most effective method is to ensure that the latest version of all operating systems and application software has been patched. The hackers are aware of the vulnerabilities in Microsoft ’s IIS Web server and have been running IIS Web The server's site serves as the starting target. For many years, patches to block IIS security vulnerabilities have been available for free, but more than 30% of IIS systems on the Internet have not been updated with the latest patch. Therefore, it is necessary to reiterate this: immediately apply all security patches.

3. Develop your own PKI system or choose a hosted PKI service

When a trusted third party builds a complex, secure, and expensive public key infrastructure (PKI) and manages it for you, using a fully managed security service allows you to focus on the applications needed to promote the company ’s business.

Tools such as public key infrastructure (PKI) can use various applications in ways that were not possible in the past. If there is no effective way to issue, revoke and manage certificates, after the company deploys a welfare system on the intranet, do n’t expect employees to use the system only to query welfare information, especially if a large percentage of employees work remotely . Similarly, if access is not secure and reliable, the sales force cannot fully utilize the company's important system: the CRM system. Many companies are now restricting the use of e-mail, and many companies prohibit the use of instant messaging—all because these systems are not yet secure.

The previous generation of PKI is very good in theory, but in fact it requires complex hardware and software installation, as well as specialized IT personnel and special security measures to protect the system. Needless to say, all this means huge financial expenses. However, PKI has continued to mature and has been technologically innovative enough to become an outsourcing part of the application system. A trusted third-party certification center (CA) can build, maintain, and manage the public key infrastructure required by the enterprise and ensure its security. CAs that provide fully managed services have expertise in verification techniques and methods. Enterprises must know the business rules they want to implement and the applications they need to deploy in order to automate business processes. The integration point is how to use certificates in the application to implement security. Many applications already have certificate-ready functions (certificate-ready), such as browsers, e-mail, and virtual private networks (VPN); the increasing use of certificates has become the trend.

There are several important parts of a fully managed security service: a flexible verification model (how can we know someone is the one he calls), a management interface (who is authorized in the organization to make changes, control processes), and an operation interface (How do different groups in the organization obtain certificates).

Most organizations need to outsource applications to trusted third parties to meet one or more of the following requirements: secure access, secure messaging, and paperless transactions. For all large organizations, it is an important requirement for employees to have secure access to corporate networks such as intranets and critical applications such as CRM systems. E-mail or instant messaging programs securely deliver messages to provide a mechanism to securely confirm the identity of the sender of the message and protect the content from eavesdropping. Paperless transactions can completely digitize paper-based processes that now require Wet Signature to indicate content, thereby saving time and cost in paper-based processes.

4. Free software can crack passwords within 30 minutes

Password security is poor and getting worse, making your security system vulnerable. Strict password usage rules can be enforced to greatly enhance this defense capability.

As computers run faster, the temptation to crack passwords increases, making them more attractive to criminals. As more critical business systems are networked, cracking passwords can yield even greater gains. With free software that can be downloaded, anyone can crack a 6-character password within 30 minutes and an 8-character password within 6 hours.

You need to make rules immediately about how people create passwords and how often they change passwords. The rules for creating passwords include: mixing uppercase and lowercase letters; at least always have a number and punctuation; do not use the name in the profile; at least 8 characters in length. The most important thing is that if you need to use the password continuously, if you enter it incorrectly five times, make sure that all passwords are disabled to prevent attempts to crack the password with brute force. Run a password cracking program internally to find out passwords with poor security. Then, began to use low-cost, outsourced authentication and digital SSL certificate services to replace these weak passwords.

5. Email will reveal your business secrets

Issue digital client certificates for all employees to sign / encrypt emails to protect corporate data and further reassure employees of the source, authenticity and confidentiality of all corporate communications.

Secure messaging (think of the initial email and subsequent instant messaging and Voice over IP transmission [VoIP], etc.) aims to ensure that only the intended recipient of the message can read the caries. The more important the words are. Sent outside the company

This is especially the case with e-mail. The e-mail is transmitted in clear text from one server to another through the public network. The server along the way can and does save all messages received, and has the right to do so. On most email systems, the sender has no control over who can receive the forwarded email message, nor does it indicate that someone has received a censorship trail of the forwarded message.

Any two employees can now simply sign and encrypt messages sent to each other by simply exchanging client certificates, thus ensuring that these messages have not been tampered with; the source of the message is confirmed; Nobody can read the message. The company's confidential e-mail needs to adopt this approach. In addition, organizations should quickly deploy secure instant messaging (IM) products and prohibit the use of any unsafe IM. Instant messaging has become a common part of the company and plays a very important role. However, the company's key information is also transmitted through the IM system, which may be obtained by people without certificates. With a secure IM, this will no longer be a problem.

6. Traditional access control is already incompetent

Use digital certificates to replace the weak passwords and costly time synchronization tokens used at entry points to protect the system. Digital certificates are much safer than passwords and cost less than security tokens, and if fully managed, they are easy to deploy.

SSL supports both ends: server and client authentication. If the server provides a certificate to the client, it indicates that the server has been verified (the organization with domain control authority has obtained the certificate and the identity is verified), and the client (browser) confirms that the certificate domain matches the server domain. If the client provides a certificate to the server, this indicates that the client has passed authentication. Client authentication involves verifying the user's identity, and the user and certificate are combined with the client communicating with the server. These client-side SSL certificates reside in the browser, which replaces the mechanism for accessing secure websites with passwords.

Certificates are much safer than passwords, because it is difficult to steal another person ’s certificate, and even stealing a computer with a certificate in it wo n’t help, because it still requires a password to activate the certificate. Because the certificate greatly improves the security system, you can safely access more important applications, such as CRM systems and corporate intranets.

Many companies will install VPNs now or soon, so that remote users can safely access important systems. This is a good measure, but do n’t confirm your identity with a password. This will weaken the benefits of VPN, but you need to install a client certificate on the VPN to allow access.

The time synchronization token is a compact device that can generate a number that users can use to enter on a web page to securely access the network or application. Unfortunately, the time synchronization token is expensive, people will lose it, and the battery used will also be a problem. You can easily lend it to others. Hosted security services should be implemented to issue and manage the life cycle of client certificates.

7. Your website may be spoofed by phishing

You can show and protect your company's identity by letting the website use a trust mark (Trust Mark) to show visitors their true identity to enable visitors to trust your website.

When dealing with sensitive data, SSL is critical to encryption. But SSL does not provide the identity of the visited website-this is "an open secret in the field of cybersecurity". In order to protect the identity of the company on your site, you must use a trust mark or a site seal that cannot be copied. For organizations, this eliminates the possibility of being scammed on the site; for customers, it convinces them that they are accessing legitimate websites. Unfortunately, many existing "identity" products (site icons) do not provide protection-they can be clicked to copy. Visit any webpage with icons or marks on it and click the right mouse button to see the menu.

Instead, use dynamically generated site icons that cannot be copied. For example, some company's site icons are placed on web pages to indicate that the site is legal and authentic, and has been confirmed by a trusted third party. First, the site icon considers the most important thing to verify the identity of the site owner. Second, site icons are designed to combat misappropriation. Third, it also provides a "self-regulation" function: if the identity of the site owner cannot be verified, the icon will not appear at all. Finally, it will link to a huge database of verification information about the site and its owners, helping users and ultimately the site itself. This allows visitors to trust the merchant, thereby facilitating numerous transactions.

8. Testing in a production environment is tantamount to playing with fire

Establish a demilitarized zone (DMZ) to isolate risky network activities from your critical business-type production network, simulate the production environment, or allow customers to perform various acceptance tests.

Allowing access to the central part of a secure network via modem is one of the most common causes of intrusion. Many people today use so-called War Dialers to try to access corporate or government network systems through modem banks. These people often succeed.

Establish a DMZ that can access the Internet but can only access the internal network with limited access. This can be done by carefully setting up a firewall: block the DMZ away from the rest of the network, while still allowing full access to the Internet. A firewall can protect critical parts of the network away from this DMZ.

If the customer acceptance test must be conducted on the company network, only this test is allowed to be conducted in the DMZ.

9. The weakest security link is your personnel

Define security specifications. This is perhaps the easiest to overlook and the most important of the ten guidelines, but it is also the easiest and may have the greatest impact: the safety regulations are written, communicated, and implemented.

The security effect depends entirely on your organization ’s weakest link. Security has never been achieved automatically, it requires human participation. People have the greatest impact on how successful an organization's security strategy will be. Many practices have shown that starting with security personnel is the easiest way to break through an organization's security system. If the organization formulates a clear and well-defined security strategy and implements it, it can effectively deal with this and simple errors.

Clearly stipulate the procedures and rules related to facility access, network access, reasonable use of company systems and networks, and reasonable use of company emails and browsers.

List the standards that are supported and those that are not. Include operating systems that are allowed on the network, and explain why another operating system is not allowed. If visitors are allowed to enter your organization ’s meeting room, and there is a network tap in the meeting room to connect to the Internet, then this very common method of breaking into the network is no less than the "Trojan horse".

10. Unable to bypass authentication

Start to use fully tested and mature verification technology to identify the identity of anonymous online users. Simplify your company's business through paperless transactions.

"No one knows that you are a dog on the Internet" is a well-known comic in "The New Yorker" magazine, which is now cited by many websites, newsletters and even T-shirts. This is precisely the biggest threat facing the use of the Internet for important exchanges. A standard procedure for verifying a person is to ask them a series of shared secrets that only you and the other party know. However, the difficulty in conducting an online exchange is that the merchant does not know the individual, so there is no shared secret.

Many organizations that require customers to subscribe, register, or fill out forms are expecting to eliminate manual paper processes and manual approval processes. In order to launch an online application, the merchant must be able to verify that the consumer is the person he said and has the ability to generate an electronic signature.