Network Intrusion and Eavesdropping
 | Firewalls - The risks of network intrusion can be
reduced via the use of a properly designed firewall appliance capable of at
least stateful packet inspection. DVITS works with Sonicwall and
Netscreen firewalls due to their time-proven capability and
reliability. These firewalls are capable of providing VPN connections
to multiple remote offices, port forwarding, demilitarized zones (DMZ) for
public access servers, intrusion attempt logging and numerous other
features. With well over 50 successful firewall installations
completed, DVITS can easily use these products to help reduce intrusion
risk. Dolce Vita routinely works with Sonicwall,
Netscreen, and CISCO
PIX firewall products. |
 | Intrusion Detection - DVITS has experience with a
variety of intrusion detection products. The fact remains that it is
necessary in every case to do a periodic review of firewall and intrusion
detection logs. |
 | Virtual Private Network - With leased lines or an
open Internet connection between office networks it is relatively simple for
an attacker to capture and analyze useful traffic such as file transfers and
other data. To secure the Internet connection between multiple offices
DVITS uses VPN technology to secure data using encryption and
authentication. This goes a long way toward securing your remote office data
on the Internet. |
 | E-mail Encryption - DVITS does not overlook the
sensitive and critical nature of e-mail. Some of an organization's
most critical data travels via e-mail. Via the use of certificates and
encryption DVITS helps to secure this data and improve your level of
security. |
Document Handling
 | Physical Protection - Sensitive documents should be
behind a minimum of two locks. Since mechanical locks are generally
very simple to defeat, at least one of the locks should be of an electronic
or combination type. Critical documents should be kept in a safe. |
 | Shredding - It is important that documents that can
associate an individual with account information, social security number,
patient number, or insurance accounts be destroyed with crosscut
shredders. Typical strip shredders are often used due to their lower
costs but these may not pass security audits. |
 | Proper Controls - To pass security audits it is
important that records be kept under personal control. This means that
records rooms should be secured at all times. This is one area where
electronic or card-swipe locks really shine. |
Building Intrusion
 | Electronic Alarms/Security Monitoring - Rooms or
facilities with sensitive and/or critical data should be set up with
electronic alarms. If those alarms are not set up such that someone is
guaranteed to respond after-hours they should be set up with on-demand
system monitoring. |
 | Electronic or Combination Locks - Numerous models of
these locks are available. They go a long way towards defeating
thieves and generally they allow for very simple re-keying in the event of
personnel changes. In addition, entry is keyless so in a small,
secured space re-entry is hassle-free compared to a standard keyed lock. |
 | Personnel Policies - Policies should exist to
provide for entry and alarm key changes in the event of personnel
changes. Unscheduled changes of entry keys and alarm codes also improve
security greatly. |
Virus / Worm Attacks
 | Centralized Virus Scanning on Servers and Workstations
- Depending upon the type of machine the software should be configured to
scan boot sectors, Internet and e-mail traffic, and all data files as
frequently as hourly. DVITS works with numerous excellent virus
scanning products for servers and workstations and we configure them to work
well in your business environment. |
 | Daily updates of virus patterns |
 | Service Pack and security patches - These only do
their jobs if they are tested and applied in a consistent manner.
Remember that patches also apply to workstations. |
Power/Electrical Damage
 | Uninterruptible power supplies (UPS) - These should
protect not only servers but all network-attached equipment including
high-end laser printers. At a minimum the servers should be remotely
shut down in the event a power outage of long duration occurs. All
power-related events such as outages, spikes, and brownouts should be logged
and reviewed. UPS equipment increases the expected lifespan of
connected electronics by absolutely minimizing voltage and current
fluctuations. DVITS has experience with American Power Conversion
(APC), TrippLite, and Alpha Technologies. |
 | Proper grounding - Server cabinets and equipment
provided with grounding capabilities should be cabled to a common ground
bus bar. |
 | Cabinets or Racks - All servers and network
equipment should be set up in organized racks or cabinets, which protect
them from static electricity and from contact with non-IT personnel.
DVITS works with Great Lakes Cabinet, Mayline, Hubbell, and Belkin products. |
Flood/Fire or Structure Damage
 | Cabinetized network equipment - Keeping equipment
several inches off the floor is a tremendous help in reducing likelihood of
water damage. If equipment is left on the floor, the likelihood of
water damage in either a fire or flood scenario is enormously high. |
 | Off-site storage of back-ups - It makes sense that
if all of your data is in one location, then all of your information eggs
are in one basket. Make arrangements for secure off-site storage of
backups. This may be done via storage area network (SAN) or via tapes,
but make sure it is done. DVITS works with Seagate, Sony, and HP tape
storage products for smaller tape backup installations. We generally
recommend either Veritas Back-up Exec or BrightStor ARCserve for multiple
server storage environments. We handle the configuration, testing, and
admin of your backup system and perform periodic restoration testing. |
 | Workstation Backups - Networks should be set up with
personal folders for each user which are automatically backed up to tape or
off-site storage. |
 | Disaster Recovery Plan - Even in those circumstances
where backups are being done, a business continuity plan should exist which
defines how backup/restore testing is done so that administrators have
absolute confidence in their ability to rebuild servers should that be
necessary. Business continuity planning is an entire discipline in
itself. DVITS can provide valuable assistance in development and
testing of your plan. |
Insider Theft
 | Personnel background checks - For anyone who handles
sensitive information it is crucial to perform background checks. This
may require the prospective employee to sign a release form but with well
over 50% of information theft being perpetrated by insiders you can believe
that this is a necessary cost. |
 | No expectation of privacy agreements - This is
another one of those disagreeable HR things, but it is crucial that
employees understand that any information held or passing through corporate
information systems (including Internet usage) is subject to scrutiny.
In addition, they must understand that all e-mails and their contents are
subject to use as evidence in legal proceedings. This should be an
annually signed agreement. |
 | Non-disclosure agreements |
 | Network policies and account access - The use of
automatically enforced security features such as logon times, account
lock-out, user privileges, and user group rights should be set up and not only
used, but checked periodically. Audit policies on network resources
will allow attempts to break into a portion of the system to be
logged. Application of these policies is crucial and DVITS works with
these issues every day. We configure and test policies to ensure your
environment is working correctly and in a secure manner. |
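As an added example (not code from DVITS or from this page), here is a small Python check that a periodic log review could run over authentication audit records: it flags accounts whose run of failed logons should have tripped an account-lockout policy, and successful logons that fall outside the permitted logon-time window. The log line format, the sample lines, the threshold and the hours are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not from any real system). Assumed format:
# "<ISO timestamp> <OK|FAIL> user=<name> src=<ip>"
SAMPLE_LOG = """\
2024-03-04T08:55:10 FAIL user=jsmith src=10.0.0.12
2024-03-04T08:55:14 FAIL user=jsmith src=10.0.0.12
2024-03-04T08:55:19 FAIL user=jsmith src=10.0.0.12
2024-03-04T08:55:23 FAIL user=jsmith src=10.0.0.12
2024-03-04T08:55:27 FAIL user=jsmith src=10.0.0.12
2024-03-04T08:55:31 OK user=jsmith src=10.0.0.12
2024-03-04T09:10:02 OK user=agreen src=10.0.0.25
2024-03-04T23:41:55 OK user=agreen src=10.0.0.25
2024-03-04T12:00:00 FAIL user=bwhite src=10.0.0.30
"""

LINE_RE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) src=(\S+)$")


def parse(log_text):
    """Parse lines into (timestamp, result, user, src) tuples; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return sorted(events)


def lockout_candidates(events, threshold=5, window=timedelta(minutes=15)):
    """Users with >= threshold failed logons inside a sliding window, i.e. the
    condition an account-lockout policy should have tripped. Returns {user: time}."""
    fails = defaultdict(list)
    hits = {}
    for ts, result, user, _src in events:
        if result != "FAIL" or user in hits:
            continue
        # Keep only the failures that fall inside the window ending at this event.
        fails[user] = [t for t in fails[user] + [ts] if ts - t <= window]
        if len(fails[user]) >= threshold:
            hits[user] = ts
    return hits


def after_hours_logons(events, start_hour=7, end_hour=19):
    """Successful logons outside the permitted logon hours [start_hour, end_hour)."""
    return [(ts, user) for ts, result, user, _src in events
            if result == "OK" and not (start_hour <= ts.hour < end_hour)]
```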
Wireless Networks
 | WEP Encryption - Utilize the highest level of WEP
encryption and authentication possible for your environment. |
 | High transfer speed - Most WLANs provide either 11 Mbps or
22 Mbps transfer rates. By setting the minimum permissible transfer
rate on the access points higher the effective range is reduced thus
minimizing the opportunities for an interloper to log onto your network. |
 | Complex encryption keys - Use combinations of available
numbers and letters to set up encryption keys. This greatly minimizes
the chances of encryption code being broken. |
 | Use of complex access point codes - These codes identify
networks in use. Never use the default codes provided as they are
already known by those people with criminal intent. Never use the SSID
as the basis for your shared key encryption codes; these are easily fed
into software programs to generate an encryption key. |