Avaya

Modular Messaging Help


Security-related maintenance

You cannot have security without security maintenance. Many security efforts are wasted because, a year after deployment, the system is exposed to a number of vulnerabilities because security was never maintained. A predominant number of compromised systems are compromised through known, patched vulnerabilities. Through security maintenance, an organization can proactively manage the security of its systems. The importance of regular system maintenance should not be underestimated. Good, timely maintenance procedures can keep your systems running at optimum performance. Avaya recommends that you implement proper maintenance procedures in accordance with your corporate security policies and guidelines. See system maintenance for more information on Modular Messaging maintenance procedures.

Who is responsible?

You must define who is responsible for maintaining the security of your system. Security information must be distributed throughout the organization. It is the role of the information security department to communicate and validate that systems are being maintained. It is the role of the systems administrator to test and apply patches and maintain the security of the system.

If the security department is given the role of maintaining security as well as validating and communicating security policy, a conflict of interest exists, because the auditor and validator is also the maintainer. Security departments often have limited personnel. It would be an impossible task for many security departments to take on the responsibility of maintaining system security throughout the enterprise. The task of maintenance needs to be distributed to all the system and application administrators. It is the job of the security department to communicate with and train the system administrators to secure systems according to the security policies, standards, and procedures of the organization.

 

Following are some of the general guidelines for defining a security maintenance program for your system:

Systems Backups

Backups are necessary to ensure that critical system data can be recovered in case of an emergency or a system failure. As part of system maintenance activities, it is important that you do the following:

  • Test system backup procedures at regular intervals.
  • Test the system facilities to ensure that critical data can be fully recovered.
  • Test the backup media to ensure that it can be restored.

  • Test the restoration procedure regularly to ensure that the procedures are appropriate, restoration systems are adequate, and the restoration process can be completed within the time allotted in the recovery procedures.

Maintain and review activity logs and store them in a secure location. Activity logs can be used to trace system activity and errors.

Security Patches

System administrators should keep themselves updated on the latest security patches that are released. The frequency of application will vary, based on the exposure of the system involved and the risk it brings to the business. Patches for vulnerabilities that pose a significant risk to the enterprise should be applied as soon as possible. Before being deployed, patches should be tested for stability and reliability. System availability is one of the important objectives of security. It is not advisable to apply a patch to protect a system if the system goes down because of that patch. Avaya recommends that you install any security-related upgrades or patches only after consulting with Avaya. See patching for more information.

Monitoring and Alarming

System monitoring involves ongoing review of system reports and audits of the system and its logs. Review the security configuration on the system regularly to validate that changes made through maintenance do not weaken system security. It is also advisable to scan your system for vulnerabilities on a regular basis. Popular tools are NAI’s CyberCop Scanner and ISS System Scanner. For those who prefer a free but comparable product, there is the Nessus scanner.

Avaya S3400 Message Servers support a variety of security monitoring features. Web sessions are automatically disconnected after a period of inactivity. Accounts are automatically locked out for a period of time as a consequence of consecutive failed login attempts. All failed attempts to log in are also logged for tracking user and administration activities. Security-related, critical events are reported in two ways: events are logged in the Windows Event Viewer, and a maintenance alarm is called out to an Avaya Maintenance Center through an analog telephone call. See Diagnostic and Reporting tools for more information. See Overview of event, error, and alarm logs on the MAS for more information on the logs generated by the MAS. See Logs for more information on the logs generated by the MSS.

You can use the Reporting Tool to generate reports for monitoring and tracking system security. The system provides reports on login failures, port statistics, and user mailbox statistics. See Reports for more information.

Security Audits

You can conduct a security audit of your system on a quarterly or an annual basis, as defined in your corporate security policies. Ensure that the security audit addresses the following components:

  • Operating systems. The security controls and configuration settings of the operating systems should be reviewed.

  • Application security. A secure operating environment can be compromised by using an insecure application.

  • Third-party application security. Ideally there should be no third-party applications running on the Modular Messaging servers. Plug-ins, scripts, and third-party components that may have been installed should be removed or reviewed for security vulnerabilities.

  • Content. Review the security of the contents on the system. Often you need to address the security of items, such as passwords stored in HTML files.

  • Network security. Review the security configuration of your network on a regular basis.
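For the content review in the audit list above, passwords stored in HTML files can be located with a small parser-based check. This is an added example, not part of Modular Messaging or its tools; the name patterns are assumed heuristics and the sample page is constructed.

```python
import re
from html.parser import HTMLParser

# Heuristics assumed for this example; tune them to your own naming conventions.
SECRET_NAME = re.compile(r"passw(?:or)?d|pwd|secret", re.I)
ASSIGNMENT = re.compile(r"(passw(?:or)?d|pwd|secret)\w*\s*[:=]\s*['\"]?[^\s'\"<>;&]", re.I)

class CredentialFinder(HTMLParser):
    """Collects (line, kind, name) findings; the secret value is never recorded."""
    def __init__(self):
        super().__init__()
        self.findings, self.in_script = [], False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        line = self.getpos()[0]
        self.in_script = self.in_script or tag == "script"
        if tag == "input" and a.get("value"):
            if a.get("type", "").lower() == "password":
                self.findings.append((line, "prefilled-password-field", a.get("name", "")))
            elif SECRET_NAME.search(a.get("name", "")):
                self.findings.append((line, "secret-named-field", a["name"]))

    def handle_endtag(self, tag):
        self.in_script = self.in_script and tag != "script"
    def handle_comment(self, data):
        self.scan_text(data, "comment")
    def handle_data(self, data):
        if self.in_script:
            self.scan_text(data, "script")

    def scan_text(self, text, where):
        base = self.getpos()[0]  # line where this comment or script text starts
        for m in ASSIGNMENT.finditer(text):
            line = base + text.count("\n", 0, m.start())
            self.findings.append((line, "assignment-in-" + where, m.group(1)))

def scan_html(text):
    finder = CredentialFinder()
    finder.feed(text)
    finder.close()
    return sorted(finder.findings)

# Constructed sample page (not from a real system).
SAMPLE = """<!-- test login: password=Example123 -->
<input type="password" name="pw" value="Example123">
<input type="hidden" name="adminPasswd" value="Example123">
<input type="password" name="newpw">
<script>var cfg = { host: "mail", pwd: "Example123" };</script>"""
```

Pass the text of each `.htm` or `.html` file under review to `scan_html`; an empty password field such as `newpw` in the sample is not reported.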
