Viruses. Spam. Malware. Spyware. Adware. Porn.
It’s all out there and it can throw a serious monkey wrench into church operations and can have that volunteer IT person literally pulling hair out of their head trying to rectify the problems.
Most churches do not have the financial strength to hire a full time IT staff, and many churches do not have the staff knowledgeable enough to implement the tools needed to help keep your local infrastructure and computers free from attack.
In this 3-part series, I am going to cover security from three angles:
- An infrastructure standpoint
- An individual standpoint
- Other best practices for security
The best part is, the solutions involved don’t require a certified security expert to implement and maintain.
Ready?
Infrastructure
Spam and Viruses
Think of your church network as your home. You take care to lock the doors and windows of your home. You may even put an alarm system in your home and/or have a dog to help keep those not welcome out. The first line of defense in keeping your church network secure is the starting point: your Internet connection.
If you have a mail server, the easiest way to protect your church against spam and viruses is with an appliance. It attaches to your internal network and sits between your Internet connection and your mail server.
Many appliances are difficult to configure, but Barracuda Networks has an anti-spam and anti-virus device that is very easy to configure. There is no software to install, and updates are made automatically to keep up with the latest spam bots and viruses.
Better yet, you can try out one of the devices free of charge for 30 days.
Wireless Security
If you employ wireless on your network, it is critical to make sure that you secure it to keep out intruders. All wireless routers allow you to set up security in different ways. Three ways to secure your wireless network are:
A. Change the network name. Most wireless routers come with the manufacturer's name (Linksys, D-Link, Netgear) as the default network name. Change it to something unique.
B. Do not broadcast the network name. The network name is referred to as the SSID. Most wireless routers allow you to turn broadcasting off, and you should do so.
C. Use password protection in the form of WPA security. Don't use WEP, as it is not as secure (the reasons don't matter at this point. This isn't for security experts, remember?).
These changes are easy to make and most can be implemented when installing your router.
Password Security
John covered this briefly in an earlier post, but in addition to the guidelines he provided, it is critical to change system passwords as well, not just those for individual accounts. Servers and other devices come with built-in users such as "Guest" and "Admin", which are ripe targets for hackers.
Hackers use a technique known as "brute force" repetition (randomly generated passwords) to attack, sometimes making 1000 attempts per minute. So, as John's post pointed out, make sure such passwords aren't left where anybody can get to them. Make sure they are changed often and are not given out. In addition, make sure they are strong (10 characters long with a mixture of numbers, letters and symbols).
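As an added example (not code from the article), here is the defender's side of the brute-force paragraph: a small Python routine that reads a constructed authentication log, counts failed logins per source inside a sliding one-minute window, and reports any source that also hammers built-in accounts such as "Guest" and "Admin". The log format, the threshold and the account list are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from the article): one source hammers built-in
# accounts; a legitimate user mistypes once and then logs in.
SAMPLE_LOG = """\
2010-03-01 09:00:00 auth: Failed login for user Guest from 192.0.2.10
2010-03-01 09:00:00 auth: Failed login for user Admin from 192.0.2.10
2010-03-01 09:00:01 auth: Failed login for user Admin from 192.0.2.10
2010-03-01 09:00:01 auth: Failed login for user Admin from 192.0.2.10
2010-03-01 09:00:02 auth: Failed login for user Admin from 192.0.2.10
2010-03-01 09:03:15 auth: Failed login for user jsmith from 198.51.100.7
2010-03-01 09:05:40 auth: Accepted login for user jsmith from 198.51.100.7
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) auth: (?P<result>Failed|Accepted) login for user "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)
DEFAULT_ACCOUNTS = {"guest", "admin", "administrator", "root"}  # assumed list

def parse(log_text):
    """Yield (timestamp, result, user, source) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["result"], m["user"], m["src"]

def detect_brute_force(log_text, threshold=5, window_seconds=60):
    """Map source -> finding for sources with `threshold` or more failed
    logins inside any sliding window of `window_seconds`."""
    failures = defaultdict(list)     # source -> failure timestamps
    default_hits = defaultdict(set)  # source -> built-in accounts it tried
    for ts, result, user, src in parse(log_text):
        if result != "Failed":
            continue
        failures[src].append(ts)
        if user.lower() in DEFAULT_ACCOUNTS:
            default_hits[src].add(user)
    findings = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until it spans at most window_seconds.
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                findings[src] = {"failures_in_window": end - start + 1,
                                 "default_accounts": sorted(default_hits[src])}
                break
    return findings
```

The same loop works for any log that yields a timestamp, an outcome and a source; only the regular expression needs to change.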
People are, for whatever reason, shocked when they learn that a person had their car broken into during a service. People will leave their computers, phones, wallets, etc. inside their car thinking, "Well, this is a church." They learn the hard way.
Don’t be careless with your network infrastructure. Make that small investment of time and money to see that it’s protected. Don’t learn the hard way.
In the next part of this series we’ll get into the process of protecting individual computers and servers.
[Images from Juan, Max(T), DaveBleasedale, and Marcelo Alves]
Jamie Miltenburg says
Great post indeed!
John Saddington says
love it. jay did a great job.
JayCaruso says
Thanks guys!
Stuart says
Jay – great start and I’m with you most of the way …
However disabling SSID broadcasts does nothing to enhance network security. Why? You see, to locate a wireless network name one needs to know the SSID and if the AP doesn’t broadcast it then no-one can connect – whether you know the SSID name or not.
OK – so in reality it only "hides" the SSID broadcast from casual "I wonder if there are any wireless networks around here" browsers, but it will not and cannot hide it from anyone sniffing for SSIDs, as every AP broadcasts its SSID in every packet in plain text.
So hiding the broadcast is akin to a magic trick I perform on my 7-year-old. It might amaze him but it's all a sham really.
You’ll not be surprised to know I did a little bit on securing wi-fi here: http://www.churchtechy.com/2009/07/wi-fi-security/
JayCaruso says
Stuart, I hear you and from an IT security standpoint, I understand what you’re saying. However, not broadcasting the SSID does offer a measure of security from the very people you described: the casual users. They’re not going to be the ones walking around with a copy of AirMagnet but they will be the ones like you said who will take their notebooks or other wireless devices and check for a signal. Most of them wouldn’t know how to configure a wireless connection manually so it’s just an easy step to take as they’ll just assume there is no wireless.
Remember the target audience for this series is those churches that don't have access to people who know these things. Your link has great suggestions, but ask the average person what it means to install a MAC filter on their wireless AP device and you'll get the deer-in-the-headlights look. My goal here was to simplify the process as much as possible but still maintain a good level of security.
Thanks for the comment!
Stuart says
No problems Jay … I realise the article (series?) is like a gentle introduction, but my approach to security tends to be a little more direct. As in, if you're going to do it then do it properly.
Eric says
Love this post – especially since I’m trying to push some of these things here. Also, (though it’s alluded to) #1 rule of user management is to change the default Administrator username. That is the first thing I learned in my security class! Well that and when you write a login screen, hide the password as you type it… lol.
JayCaruso says
It’s always a battle. People like things easy.
Of course, they’re the first to say, “How could that happen?” when somebody compromises their stuff.
Eric says
My favorite is that people aren’t required to change their default passwords currently. We’re hopefully redoing our server this summer and upgrading to 2008 R2 at which time I will have to recreate each Active Directory user. They will then have a default password and be required to change it on the first login. (Or at least that’s what I’m dreaming of right now…)
Kevin says
Just to add, you can also use external services for Spam. We use MXLogic. Long story short, you set your MX Records to point to whichever service you pick, then your mail server to pull mail from there. It’s usually just as effective, and might be a little cheaper than a physical device.
JayCaruso says
Good tip! Thanks!
benrwoodard says
I have a hard time keeping track of passwords and usernames, so I tend to make them as simple as possible. Obviously not the best security method for the church. Are there any tools, besides a pen and notebook, that you employ to keep track of passwords and usernames? Thanks for the article.
Stuart says
Ben – there are lots of tools.
On the paid side there is Roboform which is without equal and I happily stumped up my $30 (I think) for it.
On the free side there is LastPass and KeePass.
If it's just passwords you wish to maintain then any of the free ones will do better, and probably KeePass at that. If it's websites and more then I'm a huge Roboform fan.
Nick Shoemaker says
great resources here Stuart!
PhillipGibb says
great post series – applicable to everyone.
One of the considerations for passwords is the whole password safe thing, but the two problems with that:
1. single point of failure
2. the problem with transferring the ‘safe’ between computers.
Viruses and spam are another thing. If you use a Mac then you could argue that you are safe, but maybe not from Trojans. We were using an anti-virus program at work for our Windows PCs called eTrust, but that just consumed too much CPU, so now we have switched to Microsoft Security Essentials, which gives me a BSOD every time I run a scan. I'll give it a few days.
Stuart says
Phillip,
I don’t see “password safes” as a SPOF.
Roboform and LastPass offer you the ability to store your details "in the cloud", which also means you can take your passwords anywhere that has internet access. KeePass offers automated backups, and using that along with something like Mozy free you get no SPOF.
As to your AV issue: I've never used eTrust, but that sounds very much like an old McAfee problem, or you've got a low-level driver / kernel problem. I've always liked and been a fan of (and my church has used for 6 yrs now) Nod32. It has a small footprint and is always near the top in AV tests.
Nick Shoemaker says
Great post Jay. Looking forward to the next two!
Dave says
After managing several small church IT operations, I’ve given up on managing mail in-house. Barracuda is a good appliance, but better – for me – is Google Apps. Nothing beats Google’s spam and virus filtering. So I’ve started moving email out to Google. It’s free for small orgs, and free for 501c-3 orgs (many churches don’t formally file a 501c-3, but many do).
Just my take on the email section. Thanks for the post.
BenJPickett says
Good start to the article and nice to see someone focus on the network itself rather than locking users down and preventing them from enjoying what they do. I have some ideas for people to look into for additional security and below is a response to the passwords topic in the comments. I apologize ahead of time for the lengthy post.
Don't forget some of the most simple things that you can do to help keep your network clean. After all, if you don't have internet access then all the viruses in the world can't steal your data and have little effect other than bogging down system performance, and you would only get one if someone brought it in on a thumb drive. Check out OpenDNS for an inexpensive way to help keep your network clean: it's simple to set up, requires no extra hardware, 99% of routers support the technology, and it does so much more. You can use it to filter out website categories such as shopping, adult (several categories there), and sites known to contain adware and other forms of malware; you can also set up your own blacklist. OpenDNS will also speed up most internet connections by handling your requests better than the typical ISP's DNS servers, and best of all there's a free version.
As for passwords, something I've been seeing more and more enterprise networks bring into play (not into policy) is sentence structure. Keep your policy intact, but talk to your users and have them use complete sentences, including spaces, that mean something to them. This makes passwords very easy to remember and very secure (20+ characters, easily); if you are just now bringing a password policy into the mix, you shouldn't have half of the password lockouts. And what's great for those users that question their own ability to remember a password is that they can put it on a sticky note on their monitor and no one would be the wiser. How many people walking through that see 'My anniversary is August 10th.' are going to think that's a password? They'd just think I'm doing my best to be a good husband. Set the GPO to have them change it 3 times a year instead of 6 and it's less headache across the board.
Don’t make things a bigger headache for yourself than they have to be. You will always have those users that are resistant to change and need their hands held the whole way through. If you avoid change and progression for the select few, or majority, you passively enable the idea of becoming obsolete.
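As an added example (not code from the article or from this comment), a small Python checker for the two password approaches discussed on this page: the article's rule of 10+ characters mixing letters, numbers and symbols, and the sentence-style passphrases suggested above. The brute-force estimate uses the article's figure of 1000 attempts per minute; the four-word minimum and the character-class sizes are assumptions made here.

```python
import re

# Assumed guess rate, taken from the article: 1000 brute-force attempts per minute.
GUESSES_PER_MINUTE = 1000
MINUTES_PER_YEAR = 60 * 24 * 365.25

# Character classes and their sizes in printable ASCII (space counted as a symbol).
CLASSES = {
    "lower": (re.compile(r"[a-z]"), 26),
    "upper": (re.compile(r"[A-Z]"), 26),
    "digit": (re.compile(r"[0-9]"), 10),
    "symbol": (re.compile(r"[^A-Za-z0-9]"), 33),
}

def classes_present(pw):
    """Names of the character classes that appear in pw."""
    return {name for name, (rx, _) in CLASSES.items() if rx.search(pw)}

def meets_complexity_policy(pw):
    """The article's rule: at least 10 characters mixing letters, numbers and symbols."""
    present = classes_present(pw)
    has_letter = bool(present & {"lower", "upper"})
    return len(pw) >= 10 and has_letter and "digit" in present and "symbol" in present

def meets_passphrase_policy(pw, min_words=4):
    """The sentence approach from the comments: 20+ characters including spaces.
    The minimum word count is an assumption added here, not from the page."""
    return len(pw) >= 20 and len(pw.split()) >= min_words

def brute_force_years(pw):
    """Years to try every string of this length over the classes used, at the
    assumed rate. This is an upper bound: real-language sentences are far from
    uniformly random, so treat the figure for passphrases as optimistic."""
    present = classes_present(pw)
    alphabet = sum(size for name, (_, size) in CLASSES.items() if name in present)
    return alphabet ** len(pw) / (GUESSES_PER_MINUTE * MINUTES_PER_YEAR)

def classify(pw):
    """Which of the two policies a candidate satisfies, plus the exhaustive-search estimate."""
    return {"complexity": meets_complexity_policy(pw),
            "passphrase": meets_passphrase_policy(pw),
            "brute_force_years": brute_force_years(pw)}
```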
John Saddington says
oooooh. sentence structure, you’re right. i’ve seen that too…!
great thought here ben… or are you benj…? i think ben j pickett… right?
BenJPickett says
Ben J Pickett would be correct. But Ben works just as well. Sentence structure, IMO, is plain and simple a win-win. It's secure and easy to remember. That means IT gets peace of mind with fewer headaches over password resets, and the users don't have some overly complicated mess of random characters to not forget over the next weekend.