Ten security vulnerabilities facing domestic enterprises (vulnerability warning, the Black Bar Safety Net)

Source: myhack58, MYHACK58:62200612865
Date: Nov 14, 2006 - 12:00 a.m.
Author: 佚名 (Anonymous)
www.myhack58.com

The modern enterprise's growing dependence on Internet applications, together with evolving security threats and changing regulatory standards, makes maintaining a trusted network environment a major problem.

In today's global economic environment, companies have never depended more on the Internet: they conduct e-commerce transactions over it and use it to give suppliers, business partners, customers and remote employees access to network resources.

However, although doing business online has become more convenient, ensuring the security and reliability of data exchange and communication has become harder. For businesses large and small, evolving security threats and changing regulatory standards make maintaining a trusted network environment a major problem.

Below are ten security policies for establishing online trust relationships inside and outside the enterprise. Although these policies are not comprehensive, they address the ten largest threats enterprises face: e-mail systems, traditional password security mechanisms, authentication, phishing and so on.

1. Without SSL protection, data integrity will be compromised.

Deploy SSL server certificates across your entire enterprise as soon as possible. SSL is the most widely deployed security protocol in the world; it should be installed on any server that receives confidential or personal information transmitted from a browser.

Secure Sockets Layer (SSL) encryption is now one of the most important technologies for protecting Web sites, intranets, extranets and other server-based applications. Without it, the integrity of data exchanged over public and private networks is at risk, which ultimately affects business continuity and profits. SSL protects network access, online communication and digital transactions because it establishes a secure channel between the user and the server.

Over the past few years, awareness and understanding of SSL's advantages have improved greatly. More and more users look for the padlock symbol that indicates the session is SSL-encrypted.

Today thousands of sites have installed dedicated X.509 server digital certificates, which enable SSL between the browser and the server. All modern Web browsers and servers have built-in SSL support, so from a business point of view all that is needed is to install a certificate on the server. Once the browser and server have completed their exchange of signals (the handshake), all data sent from one party to the other is encrypted, which prevents any eavesdropping that might endanger the security or integrity of the data in transit.

2. Without reliable physical and network security, sensitive corporate data is at stake.

Using firewalls, intrusion detection, anti-virus software on client PCs, server-based virus checking, and keeping every system at the latest security patch level prevents most types of threats from affecting the company's business, destroying sensitive data or threatening business continuity.

Network security concerns access control for computer systems and networks, and the detection of and response to intrusion events. Poor security brings huge risks: data theft, service interruption, physical damage, compromised system integrity and unauthorized disclosure of proprietary company information.

To protect network access channels, start with the basics, such as not leaving computers unlocked. Beyond the basics, more reliable solutions include key cards, hardware tokens and biometrics to control access to particularly sensitive places.

A firewall is a necessary component of network security. It restricts access from one network to another and inspects and restricts all traffic passing through it. The firewall should restrict traffic from the Internet, and from one internal network (e.g. the application servers) to another network (such as the database). Consider carefully which IP addresses and ports the firewall is allowed to open; this is essential. In addition, it is recommended to use multiple layers of firewalls for the functionally distinct parts of the network: one firewall for the demilitarized zone (DMZ), a second for the Web servers, a third for the application servers, and a fourth for the database.

An intrusion detection system can monitor attacks, analyze and review logs, alert the administrator at the time of an attack, protect system files, reveal hacking techniques, indicate which vulnerabilities need to be closed, and help track down the criminals who carried out the attack.
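As an added illustration of the "review the logs and alert the administrator" role described above (example code written for this page, not from the original article or any product), the following Python script reviews firewall drop logs and raises an alert when one source hits many distinct ports on a host within a short window, the pattern of a port scan that usually precedes an intrusion. The log lines are constructed for the example, loosely in the style of Linux iptables LOG output, and use documentation IP ranges; the window and threshold values are assumptions to be tuned per site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log (not real traffic): time, action, source,
# destination and destination port, roughly in iptables LOG style.
SAMPLE_LOG = """\
Nov 14 00:01:02 fw kernel: DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=21
Nov 14 00:01:02 fw kernel: DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22
Nov 14 00:01:03 fw kernel: DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=23
Nov 14 00:01:03 fw kernel: ACCEPT SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP DPT=443
Nov 14 00:01:04 fw kernel: DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=25
Nov 14 00:01:05 fw kernel: DROP SRC=203.0.113.9 DST=192.0.2.11 PROTO=TCP DPT=22
Nov 14 00:01:06 fw kernel: DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=80
Nov 14 00:01:07 fw kernel: ACCEPT SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP DPT=443
Nov 14 00:01:08 fw kernel: DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=443
Nov 14 00:01:09 fw kernel: DROP SRC=203.0.113.9 DST=192.0.2.11 PROTO=TCP DPT=3389
Nov 14 00:01:10 fw kernel: DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=3389
Nov 14 00:05:00 fw kernel: DROP SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP DPT=22
"""

WINDOW_SECONDS = 60   # assumed detection window
PORT_THRESHOLD = 5    # assumed number of distinct dropped ports that triggers an alert

LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (\w+) "
    r"SRC=(\S+) DST=(\S+) PROTO=(\w+) DPT=(\d+)"
)


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines of another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; differences within one window are still valid.
    ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
    return {"time": ts, "action": m.group(2), "src": m.group(3),
            "dst": m.group(4), "proto": m.group(5), "dport": int(m.group(6))}


def detect_port_scans(log_text: str, window: int = WINDOW_SECONDS,
                      threshold: int = PORT_THRESHOLD) -> list:
    """Return one alert per offending source as (src, window_start, sorted_ports).

    A source is reported when the firewall dropped its packets to at least
    `threshold` distinct destination ports within `window` seconds.
    """
    dropped = defaultdict(list)  # src -> [(time, dport), ...]
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["action"] == "DROP":
            dropped[ev["src"]].append((ev["time"], ev["dport"]))

    alerts = []
    for src, events in dropped.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window` seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window:
                start += 1
            if len({p for _, p in events[start:end + 1]}) >= threshold:
                window_start = events[start][0]
                ports = {p for t, p in events
                         if 0 <= (t - window_start).total_seconds() <= window}
                alerts.append((src, window_start.strftime("%b %d %H:%M:%S"), sorted(ports)))
                break  # one alert per source is enough to page the administrator
    return alerts


if __name__ == "__main__":
    for src, when, ports in detect_port_scans(SAMPLE_LOG):
        print(f"ALERT: {src} probed {len(ports)} ports starting {when}: {ports}")
```

Only dropped packets are counted, so a legitimate client that repeatedly reaches an open service (198.51.100.5 above) never trips the alert, while a host that sweeps closed ports does; the same structure can be fed from a real firewall log file one line at a time.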

Another essential tool is ensuring that the virus and Trojan checking software on every client is up to date. There are thousands of viruses out there, and each new one is craftier and more destructive than the last. Several viruses that recently spread by e-mail and raged worldwide have caused huge damage and loss. A particularly reliable solution is to run server-based anti-virus software on the e-mail system (such as Microsoft Exchange) to prevent infected messages from reaching users or spreading from one client to others.

Finally, the simplest and most effective measure is to ensure that every operating system and application has the latest security patches applied. The vulnerabilities in the Microsoft IIS Web server are plain as day to attackers, and sites running IIS have long been their first target. For years the patches that close the IIS security vulnerabilities have been available free of charge, yet more than 30% of the IIS systems online still lack the latest patches. It is therefore necessary to repeat this point: apply all security patches immediately.

3. Build your own PKI system or choose a managed PKI service.

Have a trusted third party build the complex, secure and expensive public key infrastructure (PKI) and manage it for you; using a fully managed security service lets you concentrate on the applications that drive your company's business development.

Public key infrastructure (PKI) makes it possible to use a variety of applications in ways that were previously impossible. Without an effective way to issue, revoke and manage certificates, a company that deploys a benefits system on its intranet cannot expect employees to use it for more than looking up benefits information, and even less so if a substantial proportion of the employees work in remote offices. Similarly, if access is not secure and reliable, the sales team will not be able to fully use one of the company's critical systems: the CRM system. Today many companies limit the use of e-mail, and many prohibit instant messaging, all because these systems are not secure either.

First-generation PKI was good in theory, but in practice it required complex hardware and software, specialized IT staff and special security measures to protect the system. Needless to say, all this meant large financial costs. However, PKI has continued to mature, and with enough technical innovation it can become an outsourced part of the application system. A trusted third-party certificate authority (CA) can build, maintain and manage the enterprise public key infrastructure and ensure its security. A CA that provides fully managed services has expertise in verification technology and methods. The business knows which business rules it wants to implement and which applications it needs to deploy to automate its business processes. The integration point is how those applications use certificates to implement security. Many applications are already certificate-ready, such as browsers, e-mail clients and virtual private networks (VPNs), and the growing use of certificates has become a trend.

A fully managed security service has several important parts: a flexible validation model (how do we know someone is who they say they are), a management interface (who in the organization is authorized to make changes, and the control process) and a user interface (how the organization's different groups obtain certificates).

Most organizations that outsource applications to a trusted third party need to meet one or more of the following requirements: secure access, secure messaging and paperless transactions. For every large organization, it is an important requirement that employees can securely access the corporate network, such as the intranet, and critical applications such as the CRM system. Secure transmission of messages by e-mail or instant messaging provides a mechanism for confirming the identity of the sender and protecting the content from eavesdroppers. Paperless transactions take paper-based processes that currently need an original (wet) signature and make them completely digital, saving the time and cost of the paper-based process.

4. Free software can crack a password in 30 minutes.

Password security is very poor and getting worse, leaving your security system vulnerable. You can greatly strengthen this line of defense by enforcing strict rules for password use.

As computers get faster, the temptation to crack passwords grows and becomes more attractive to criminals. As more business-critical systems are networked, cracking a password can yield a large harvest. With freely downloadable software, anyone can crack a 6-character password in 30 minutes and an 8-character password in 6 hours.

You need to set rules immediately on how people create passwords and how often they change them. Password creation rules include: mix uppercase and lowercase letters; always include at least one number and one punctuation mark; do not use personal information such as names; and make the length at least 8 characters. Most importantly, for any password that is used repeatedly, make sure it is disabled after five incorrect attempts, to prevent brute-force cracking. Run a password cracking program internally to find passwords whose security is very poor. Then start switching to low-cost, outsourced authentication and digital SSL certificate services to replace these weak passwords.
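The password creation rules and the five-attempt lockout above, implemented as an added Python example written for this page (not code from the original article). The checker returns every rule a candidate password breaks, and the lockout refuses an account after five consecutive failures, including a subsequent correct password, which is what stops a brute-force run from learning its last guess was right. The user names and passwords in the demo are constructed sample values, and the in-memory state is an assumption for illustration.

```python
import string
from dataclasses import dataclass, field

MIN_LENGTH = 8      # the article's minimum password length
MAX_FAILURES = 5    # the article's "five incorrect attempts" lockout threshold


def check_password_policy(password: str, personal_info=()) -> list:
    """Return the list of rules a new password breaks (empty means it passes).

    The rules are the ones the article lists: mixed upper and lower case,
    at least one number, at least one punctuation mark, no personal
    information such as a name, and at least MIN_LENGTH characters.
    personal_info is an iterable of strings (user name, real name, ...)
    supplied by the caller.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("must mix uppercase and lowercase letters")
    if not any(c.isdigit() for c in password):
        problems.append("must contain at least one number")
    if not any(c in string.punctuation for c in password):
        problems.append("must contain at least one punctuation mark")
    lowered = password.lower()
    for item in personal_info:
        item = item.lower()
        if len(item) >= 3 and item in lowered:   # ignore tiny fragments
            problems.append(f"contains personal information ({item!r})")
    return problems


@dataclass
class AccountLockout:
    """Disable an account after max_failures consecutive wrong passwords.

    State is kept in memory for illustration; a real system would persist it.
    """
    max_failures: int = MAX_FAILURES
    failures: dict = field(default_factory=dict)
    disabled: set = field(default_factory=set)

    def attempt(self, user: str, password_ok: bool) -> str:
        """Record one login attempt and return "ok", "denied" or "disabled"."""
        if user in self.disabled:
            # Once locked, even the correct password is refused, so a brute-force
            # run cannot learn whether its last guess happened to be right.
            return "disabled"
        if password_ok:
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:
            self.disabled.add(user)
            return "disabled"
        return "denied"


def demo() -> dict:
    """Run the policy check and the lockout over constructed sample input."""
    results = {}
    results["weak"] = check_password_policy("alice2006", personal_info=("alice",))
    results["strong"] = check_password_policy("Tr0ub4dor&3x", personal_info=("alice",))
    lockout = AccountLockout()
    results["lockout"] = [lockout.attempt("bob", False) for _ in range(MAX_FAILURES)]
    results["after_lockout"] = lockout.attempt("bob", True)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The lockout keys on the account, not on the source address, because the article's concern is repeated guesses against one password; unlocking after a timeout or by an administrator is a policy decision left to the deployer.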

5. E-mail will reveal your trade secrets.

Issue digital client certificates to all employees for signing and encrypting e-mail, to protect corporate data and to give everyone in the enterprise confidence in the source, authenticity and confidentiality of all communications.

Secure messaging (think first of e-mail, then of instant messaging, voice over IP [VoIP] and so on) is intended to ensure that only the intended recipient of a message can read it. The more e-mail is used, the more of the company's confidential information is at stake, and this is even more true of e-mail sent outside the company. E-mail travels in plaintext across public networks from one server to another. Along the way, servers can and do save every message they receive, and they have the right to do so. In most e-mail systems the sender cannot control who receives a forwarded message, and there is no trail showing who forwarded it for review.

Today any two employees need only exchange client certificates to sign and encrypt the messages they send each other, which guarantees that the messages have not been tampered with, that their source has been confirmed, and that anyone wiretapping the systems in between cannot read them. Confidential company e-mail needs such practices. In addition, the organization should rapidly deploy a secure instant messaging (IM) product and prohibit the use of any insecure IM. Instant messaging has become a common and very important part of company life, but key company information transferred over an IM system may well be received by someone whose identity no certificate confirms. With secure IM, this is no longer a problem.

6. Traditional access control can no longer do the job.

Use digital certificates instead of weak passwords and costly time-synchronized tokens at entry points to protect system security. A digital certificate is much more secure than a password, costs less than a security token and, if fully managed, is easy to deploy.

SSL supports authentication at both ends: server and client. If the server presents a certificate to the client, this indicates that the server has been authenticated (the organization that controls the domain obtained the certificate and its identity was verified), and the client (browser) confirms that the certificate's domain matches the server's domain. If the client presents a certificate to the server, this indicates that the client has been verified. Client authentication involves verifying the user's identity and binding the user and the certificate to the client-server communication. These client-side SSL certificates reside in the browser and therefore replace passwords for access to secure sites.

A certificate is much more secure than a password because stealing another person's certificate is very difficult, and even stealing the computer on which the certificate resides is useless, since a password is still required to activate the certificate. Because certificates greatly strengthen system security, they allow safe access to more important applications, such as the CRM system and the corporate intranet.

Many companies have installed or will soon install a VPN so that remote users can securely access important systems. This is a good move, but confirming identity by password weakens the benefit of the VPN; instead, the VPN should require a client certificate to be installed before allowing access.

A time-synchronized token is a small device that generates a number which the user enters on a Web page to securely access a network or application. Unfortunately, time-synchronized tokens are costly, people lose them, the batteries fail, and they are easily lent to someone else. Instead, implement a managed security service that issues client certificates and manages their life cycle.
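The two SSL checks that sections 1 and 6 describe, as an added Python example written for this page (not code from the original article or from any vendor), using only the standard library ssl module: first, the rule the browser applies when it "confirms that the certificate's domain matches the server's domain", written out so the wildcard handling is visible; second, a server context that requires a client certificate from the enterprise CA, so the certificate rather than a password decides who gets in, and the matching client context. The certificate, key and CA file paths are assumptions supplied by whoever deploys it.

```python
import ssl


def hostname_matches(cert_name: str, server_host: str) -> bool:
    """Return True if one DNS name from a server certificate covers server_host.

    This is the check the browser performs before trusting the session: an
    exact, case-insensitive match, or a wildcard that is the entire leftmost
    label and stands for exactly one label ("*.example.com" covers
    "www.example.com" but not "example.com" or "a.b.example.com"),
    following the rules of RFC 6125.
    """
    cert_name = cert_name.lower().rstrip(".")
    server_host = server_host.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == server_host
    cert_labels = cert_name.split(".")
    host_labels = server_host.split(".")
    if cert_labels[0] != "*" or any("*" in label for label in cert_labels[1:]):
        return False   # the wildcard must be the whole leftmost label, and the only one
    if len(cert_labels) < 3:
        return False   # refuse overly broad names such as "*.com"
    return len(host_labels) == len(cert_labels) and host_labels[1:] == cert_labels[1:]


def server_matches_certificate(san_dns_names, server_host: str) -> bool:
    """True if any subjectAltName DNS entry of the certificate covers the host."""
    return any(hostname_matches(name, server_host) for name in san_dns_names)


def mutual_tls_server_context(certfile: str, keyfile: str,
                              client_ca_file: str) -> ssl.SSLContext:
    """Server side: present the server's X.509 certificate and REQUIRE a client
    certificate chaining to the CA in client_ca_file. A client without one is
    rejected during the handshake, so no password is exchanged at all.
    The file paths are assumptions supplied by the deployer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse the old SSL/TLS versions
    ctx.load_cert_chain(certfile, keyfile)
    ctx.load_verify_locations(cafile=client_ca_file)
    ctx.verify_mode = ssl.CERT_REQUIRED            # CERT_OPTIONAL would let clients skip it
    return ctx


def mutual_tls_client_context(client_certfile: str, client_keyfile: str,
                              server_ca_file: str) -> ssl.SSLContext:
    """Client side: verify the server's certificate chain and hostname (the same
    rule hostname_matches() spells out), and present the client certificate
    when the server asks for it."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=server_ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_cert_chain(client_certfile, client_keyfile)
    return ctx


if __name__ == "__main__":
    # Constructed sample: a certificate for "*.example.com" and "mail.example.com".
    names = ["mail.example.com", "*.example.com"]
    for host in ["intranet.example.com", "example.com", "a.b.example.com"]:
        print(host, "->", server_matches_certificate(names, host))
```

On a real connection the ssl module performs the hostname comparison itself once check_hostname is set; the standalone function is there to make the rule explicit, and it is the reason a certificate issued for one domain cannot be reused to impersonate another.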

7. Your website might be the target of phishing fraud.

You can have the site use a trust mark (Trust Mark) to indicate and protect your company's identity, both showing visitors the site's true identity and enabling visitors to trust your website.

When processing sensitive data, SSL is essential for encryption. But SSL does not prove the identity of the website being visited; this is "the dirty secret of the network security field." To protect your company's identity on the website, use a trust mark or secure site icon (Site Seal) that cannot be copied. For the organization, this eliminates the possibility of the site being spoofed; for customers, it gives them confidence that they are visiting the legitimate website. Unfortunately, many existing "identity" products (site icons) provide no protection: they can be copied with a click. Go to any page that carries such an icon or mark, click the right mouse button, and the copy menu appears.

Instead, use a dynamically generated site icon that cannot be copied. For example, some companies place a site icon on the page to indicate that the site is legitimate and real and has been confirmed by a trusted third party. First, the site icon treats verifying the identity of the site's owner as most important. Second, the site icon is intended to combat theft. Third, it provides a "self-regulating" function: if the identity of the site's owner cannot be confirmed, the icon simply does not appear. Finally, it links to a huge database that collects all the authentication information about the site, which helps users and ultimately the site itself. This lets visitors trust the merchant, which leads to more transactions.

8. Testing in a production environment is playing with fire.

Establish a demilitarized zone (DMZ) to isolate risky network activity outside the business-critical production part of your network, to simulate the production environment, or to let customers perform acceptance tests.

Allowing access through a modem to the central part of the secure network is the most common cause of intrusions. Many people today use so-called war dialers (War Dialer) to try to gain access to corporate or government network systems through a modem bank (Modem Bank). They often succeed.

Set up the DMZ so that it can reach the Internet but has only restricted access to the internal network. Do this by carefully configuring the firewall: wall the DMZ off from the rest of the network while still allowing it full access to the Internet. A firewall can protect the critical part of the network and keep it separated from the DMZ.

If customer acceptance testing must be done on the company network, allow it only in the DMZ.

9. The weakest security link is your staff.

Define security standards. This is perhaps the most easily overlooked of the ten guidelines, yet also the most important, the easiest to do and probably the one with the greatest impact: write the security standards down, communicate them, and enforce them.

The effectiveness of security depends entirely on your organization's weakest area. Security is never achieved automatically; it requires people. Personnel have the biggest influence on how successful an organization's security policy is. Practice has shown repeatedly that starting with the people is the simplest way to break through an organization's security system. If the organization sets clear, well-explained security policies and implements them, it can effectively deal with these small and simple mistakes.

Be explicit about the processes and rules for facility access, network access, reasonable use of company systems and networks, and reasonable use of company e-mail and browsers.

List the supported standards and the unsupported ones. This includes the operating systems allowed on the network