
Club Management / February 2005 — CMAA Conference Issue (www.club-mgmt.com)

Many of you may know that our affiliate firm, McGladrey & Pullen, LLP, performs financial audits each year for more than 150 private clubs. As part of our service to those clients, the audit staff administers a “Network Security Checklist” designed to quickly identify any significant security issues associated with a particular client’s PC-based computer network. Each year we review the responses from our private club clients, and the results are nothing less than shocking: fewer than 20 percent of the clubs surveyed with this tool get a clean bill of health. In many cases, we must serve up a lengthy list of “Management Letter Comments” with our audit report, pointing out serious deficiencies in the club’s network security.

To assist you in measuring your own club’s network security health, we’ve included below our actual checklist for your use, along with the explanations provided to our audit staff for each checklist question. We recommend that you apply the checklist at your own club and, where appropriate, take immediate corrective action.

PC-Based Computer Network Security Checklist

1. Is the client’s network connected to the Internet via DSL, cable modem, or some other “always on” connection? DSL and cable modem are the most popular methods used by our clients to achieve a high-speed connection for Internet and e-mail access. If the client is using DSL or cable modem, they are vulnerable to hacker attacks, especially since their connection is “always on.” These connections place all of the client’s computers on the Internet unless the client has implemented the other security measures discussed below. A computer that is reachable around the clock at a stable address will be found by automated scanning within hours, whether or not anyone is targeting the club in particular, so the questions that follow apply to every always-on client.

2. Does the network have a firewall product (software or firmware) installed and operational at all times? Firewalls can take the form of a software program such as BlackICE or ZoneAlarm, or of an appliance such as WatchGuard, SonicWall, Nokia/Check Point, or Cisco PIX. Firewalls are designed to keep outside intruders (hackers) out of the client’s network. Once inside the network, hackers can do great damage to the client’s systems: they can steal or destroy information, crash the network, or use the system to attack other networks. We need to ensure that our client networks are secure from hacker damage, and firewalls are an important part of that security. “Installed” is not enough on its own: the firewall should deny all inbound connections by default and permit only the specific services the club has decided to expose, and its rule set should be reviewed along with the rest of this checklist.

If so, what brand and version? We need to know specific information about the firewall in use. Different firewalls provide different levels of protection. To make sure the client is adequately protected, we need to know the following: the name of the firewall’s manufacturer (e.g., Cisco, Nokia, WatchGuard), product name (e.g., PIX, Firebox), model number (e.g., 515, 330), version, date installed, and date last updated.

3. Does the network have an intrusion detection/prevention system installed and operational at all times? Intrusion detection/prevention systems represent an additional step above firewall protection. These systems look closely at all network traffic, seeking to identify suspicious files or activity as they occur. They pick up where firewalls leave off, helping to identify attacks that may have already breached the firewall. Most of our clients can be adequately protected without intrusion detection/prevention. However, for systems that store highly sensitive data (e.g., credit card numbers, Social Security numbers) or for systems that have been repeatedly compromised, intrusion detection/prevention may be needed. An intrusion detection system is only useful if someone is assigned to review its alerts; an unread alert log is no better than none.

4. If so, what brand and version? (Same as question 2 above.)

5. Has an independent source been contracted to test the network’s vulnerability to outside intrusions? Periodic security testing of the network is the only practical way to know whether the network and the systems on it are reasonably protected. Such testing is carried out by network security specialists using some of the same tools employed by hackers. Remarkably, a large percentage of clients who believe they are adequately protected are rather easily compromised through this testing. Once the testing is completed, appropriate recommendations can be implemented to ensure that satisfactory security is in place. Because of the complexity, sophistication, and ever-changing nature of network security testing, outside organizations are inherently more capable of conducting such testing.

If so, how recently and what were the results? Network security changes on a daily basis, as hackers learn new ways to compromise systems and vendors react with upgrades and fixes. If outside testing has been performed, we need to know how recently it was conducted, to ensure that the network and systems are satisfactorily protected. The more outdated the testing report, the higher the risk that the client’s systems could be susceptible to attack. The results should include not only the findings but evidence that each one was fixed and retested.

6. Has the client’s network or systems been attacked or compromised? If so, please describe the attack or compromise and the outcome. It is especially important to know whether the client’s network or systems have ever been attacked or compromised, when, what was attacked or compromised, and what was done to prevent future attacks. Often clients discover an attack, install a firewall (or enhance an existing one), and assume they are safe, only to find out later that the attacker has left a “back door” open for unauthorized entry at a later date. Networks or systems that have been attacked, and especially those that have been compromised, should have a security assessment to ensure that they are satisfactory to operate. A system known to have been compromised is safest rebuilt from known-good installation media and restored from a backup taken before the compromise, with every password that was in use on it changed, since a back door can survive a cleanup done in place.

7. Have network devices such as routers, switches, and servers been security hardened per their vendor’s published security guidelines? Cisco, Microsoft, Novell, and other vendors offer detailed specifications on how to “harden” their devices, making them harder to compromise. Failure to follow these guidelines puts a client’s network and systems at much higher risk. At a minimum, hardening means changing every default password, disabling services and management interfaces that are not used, and restricting administrative access to the addresses that need it.

8. Are passwords required, and are they periodically changed? Passwords are a relatively simple, and surprisingly effective, security measure. Unfortunately, most clients do not use an effective password system. Many clients assign the same password to multiple users, or allow users to keep passwords in use for many months or years. We need to know the status of the client’s password usage to determine whether enhancements are needed. A password shared by several people also defeats the access log in question 9, since no action recorded under that account can be attributed to an individual; every user needs an account of his or her own.
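As an added example (not part of the original article), the two findings above, a password shared by several users and passwords left unchanged for too long, can be checked mechanically from an exported account list. The record layout, the account names, the placeholder hash strings, and the 90-day maximum age are all assumptions made for the example. Comparing hash values stands in for “same password”; it only works where the hash scheme is unsalted or the salt was copied along with the password, otherwise the check has to run at the moment a password is set.

```python
"""Password hygiene audit over an exported account list.

Added example for the checklist's password question (question 8); it is
not from the original article. ACCOUNTS is a constructed export: user
name, a placeholder password hash, and the date the password was last
set. The hash format and the 90-day maximum age are assumptions.
"""
from collections import defaultdict
from datetime import date

MAX_AGE_DAYS = 90                 # assumed policy value, not from the article
AUDIT_DATE = date(2005, 2, 15)    # "today" for the sample run

# Constructed sample export (not real data). Three accounts carry the same
# hash string, the article's "same password assigned to multiple users".
ACCOUNTS = [
    {"user": "pro_shop",   "hash": "$6$h1$aaaaaaaaaaaa", "changed": date(2004, 3, 1)},
    {"user": "front_desk", "hash": "$6$h1$aaaaaaaaaaaa", "changed": date(2004, 3, 1)},
    {"user": "accounting", "hash": "$6$h2$bbbbbbbbbbbb", "changed": date(2005, 1, 10)},
    {"user": "gm",         "hash": "$6$h3$cccccccccccc", "changed": date(2005, 2, 1)},
    {"user": "tennis",     "hash": "$6$h1$aaaaaaaaaaaa", "changed": date(2003, 11, 15)},
]


def shared_passwords(accounts):
    """Map each hash used by more than one account to the list of its users.

    Equal hash strings mean equal passwords only when the hash is unsalted
    or the salt was copied along with the password; on a properly salted
    system this comparison has to be made when the password is set.
    """
    by_hash = defaultdict(list)
    for acct in accounts:
        by_hash[acct["hash"]].append(acct["user"])
    return {h: users for h, users in by_hash.items() if len(users) > 1}


def stale_passwords(accounts, today, max_age_days=MAX_AGE_DAYS):
    """List (user, age_in_days) for passwords older than max_age_days, oldest first."""
    stale = [(a["user"], (today - a["changed"]).days) for a in accounts
             if (today - a["changed"]).days > max_age_days]
    return sorted(stale, key=lambda item: item[1], reverse=True)


def audit(accounts, today):
    """Run both checks and return one report dictionary."""
    return {"shared": shared_passwords(accounts),
            "stale": stale_passwords(accounts, today)}


if __name__ == "__main__":
    report = audit(ACCOUNTS, AUDIT_DATE)
    for users in report["shared"].values():
        print("SHARED password among:", ", ".join(users))
    for user, age in report["stale"]:
        print(f"STALE password for {user}: {age} days old")
```

On the sample data the run reports one password shared by pro_shop, front_desk and tennis, and three passwords older than 90 days; the same two functions can be pointed at a real export once the record fields are mapped.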

9. Does the system maintain a user access log that tracks user access to the core applications and network servers? Advanced networks can track all user activity if system logging is enabled. Unfortunately, most clients do not review these reports and are thus not aware of obvious security breaches, from within or outside the organization. We need to know whether these reports are being reviewed regularly, and by whom. The log should also be written to a server other than the one being monitored, or otherwise protected from the accounts it records, since an intruder who gains administrative access can clear the local log to cover his tracks.
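What “reviewing the log” means in practice is looking for a few specific patterns. The following is an added example, not from the original article: the log lines are constructed in a simple date/time/host/event/key=value form (a real review would parse the Windows Security log, syslog authentication lines, or the club application’s own access log instead), and the internal address ranges, business hours, and failure threshold are assumed values. The three checks are the ones worth running first: repeated failures followed by a success (a guessed password), a successful logon outside business hours, and a successful logon from an address that is not on the club’s own network.

```python
"""Review of a server logon log for the patterns the article says go unread.

Added example, not from the original article. SAMPLE_LOG is constructed
data; INTERNAL_NETS, BUSINESS_HOURS, FAIL_THRESHOLD and FAIL_WINDOW are
assumed policy values.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
BUSINESS_HOURS = (6, 22)            # 06:00 inclusive to 22:00 exclusive
FAIL_THRESHOLD = 5                  # failures per user within FAIL_WINDOW
FAIL_WINDOW = timedelta(minutes=5)

# Constructed sample log (not real data): a guessing run against
# "accounting" that succeeds, an administrator logon at 03:00 from an
# outside address, and an ordinary front-desk logon with one typo.
SAMPLE_LOG = """\
2005-02-14 02:13:05 clubsrv LOGON_FAILED user=accounting src=10.0.5.23
2005-02-14 02:13:09 clubsrv LOGON_FAILED user=accounting src=10.0.5.23
2005-02-14 02:13:14 clubsrv LOGON_FAILED user=accounting src=10.0.5.23
2005-02-14 02:13:20 clubsrv LOGON_FAILED user=accounting src=10.0.5.23
2005-02-14 02:13:27 clubsrv LOGON_FAILED user=accounting src=10.0.5.23
2005-02-14 02:15:40 clubsrv LOGON_OK user=accounting src=10.0.5.23
2005-02-14 03:02:11 clubsrv LOGON_OK user=administrator src=203.0.113.7
2005-02-14 09:05:52 clubsrv LOGON_OK user=front_desk src=10.0.5.40
2005-02-14 09:06:30 clubsrv LOGON_FAILED user=front_desk src=10.0.5.40
2005-02-14 09:06:41 clubsrv LOGON_OK user=front_desk src=10.0.5.40
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<event>LOGON_OK|LOGON_FAILED) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Return (events, skipped). Unparseable lines are counted, not dropped
    silently: a line the parser cannot read is itself worth a look."""
    events, skipped = [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(rec)
    return events, skipped


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def review(events):
    """Return (timestamp, user, finding) tuples in time order."""
    findings = []
    recent_failures = defaultdict(list)   # user -> failure times still in window
    minutes = FAIL_WINDOW.seconds // 60
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, ts = ev["user"], ev["ts"]
        window = [t for t in recent_failures[user] if ts - t <= FAIL_WINDOW]
        if ev["event"] == "LOGON_FAILED":
            window.append(ts)
            recent_failures[user] = window
            if len(window) == FAIL_THRESHOLD:
                findings.append((ts, user, f"{FAIL_THRESHOLD} failed logons within {minutes} minutes"))
            continue
        # LOGON_OK: judge the success against the failures that preceded it
        if len(window) >= FAIL_THRESHOLD:
            findings.append((ts, user, "successful logon after repeated failures (possible guessed password)"))
        recent_failures[user] = []
        if not BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]:
            findings.append((ts, user, "successful logon outside business hours"))
        if not is_internal(ev["src"]):
            findings.append((ts, user, f"successful logon from external address {ev['src']}"))
    return findings


if __name__ == "__main__":
    events, skipped = parse(SAMPLE_LOG)
    for ts, user, msg in review(events):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {user}: {msg}")
    print(f"{skipped} unparseable line(s)")
```

On the sample data the review produces five findings, all for accounting and administrator, and none for the front-desk user whose single typo is normal. The thresholds are deliberately conservative; a club with a handful of staff accounts can afford to look at every off-hours or external logon individually.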

10. Are the critical data and applications backed up on a daily basis? This is another area where many clients do an inadequate job. All critical data should be backed up every day, using a 30-day tape rotation system.

Are the backup media taken off-site? A copy of the backed-up data should also be stored off-site every day. Generally, the off-site media is from the previous day. There is no way to predict when a disaster might strike, so a daily off-site backup routine is an important measure to safeguard the club’s data. Media that is off-line and off-site is also beyond the reach of an intruder who has taken control of the network, which a backup left on a network share is not.

Are the on-site backup media securely stored? All backup media kept on site should be stored in a fireproof and waterproof cabinet or safe. Access to this media should be limited, and the cabinet or safe should be locked. Finally, a backup that has never been restored is unverified: a test restore of a few critical files should be performed periodically from both the on-site and the off-site media.
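The three backup questions can be answered from the backup job’s own catalog rather than from memory. The following is an added example, not from the original article: the catalog is constructed with one media set per night over the 30-day rotation and three deliberate defects (a missed night, a set never taken off-site, and only one proven restore), and the field names, label scheme and one-day off-site lag are assumptions.

```python
"""Check of a backup catalog against the checklist's backup question (10).

Added example, not from the original article. The catalog format is an
assumption; a real job log or tape-library export would be mapped onto
the same four fields.
"""
from datetime import date, timedelta

ROTATION_DAYS = 30        # the article's 30-day rotation
OFFSITE_LAG_DAYS = 1      # sets older than this should already be off-site
SAMPLE_TODAY = date(2005, 2, 14)


def build_sample_catalog(today):
    """Constructed catalog: one set per night for the rotation window, with
    three deliberate defects so the checks have something to report."""
    catalog = []
    for n in range(ROTATION_DAYS):
        day = today - timedelta(days=n)
        if day == today - timedelta(days=8):
            continue                                       # missed night
        never_moved = day == today - timedelta(days=4)     # left in the server room
        catalog.append({
            "date": day,
            "label": f"TAPE{n % ROTATION_DAYS:02d}",
            "offsite": n >= OFFSITE_LAG_DAYS and not never_moved,
            "restore_tested": day == today - timedelta(days=25),
        })
    return catalog


SAMPLE_CATALOG = build_sample_catalog(SAMPLE_TODAY)


def check_catalog(catalog, today):
    """Return missing nights, nights whose set is still on site past the lag,
    and the date of the most recent successful test restore (None if never)."""
    by_day = {}
    for entry in catalog:
        by_day.setdefault(entry["date"], []).append(entry)
    findings = {"missing_days": [], "not_offsite": [], "last_verified_restore": None}
    for n in range(ROTATION_DAYS):
        day = today - timedelta(days=n)
        sets = by_day.get(day, [])
        if not sets:
            findings["missing_days"].append(day)
            continue
        if n >= OFFSITE_LAG_DAYS and not any(s["offsite"] for s in sets):
            findings["not_offsite"].append(day)
    tested = [e["date"] for e in catalog if e["restore_tested"]]
    findings["last_verified_restore"] = max(tested) if tested else None
    return findings


if __name__ == "__main__":
    result = check_catalog(SAMPLE_CATALOG, SAMPLE_TODAY)
    for day in result["missing_days"]:
        print(f"NO BACKUP for {day}")
    for day in result["not_offsite"]:
        print(f"SET FROM {day} never taken off-site")
    print("last verified restore:", result["last_verified_restore"])
```

A catalog that passes these checks still says nothing about whether the right data is on the tape; the restore test is what proves that, which is why the date of the last verified restore is reported alongside the gaps.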

11. Is the operating system software of all network devices such as routers, switches, and servers periodically updated to be current with the latest patches released by the devices’ vendor? Cisco, Microsoft, Novell, and others continually release updates to their operating system software. Many of these updates are security-related, designed to strengthen the security of the network. Often clients are remiss in applying these updates in a timely manner, and thus their networks are at a higher than acceptable risk. We need to know that the client is keeping the network software up to date. The firewall, intrusion detection system, and anti-virus software (questions 2, 3, and 12) need the same treatment, and so do application products such as the club management and point-of-sale systems, which are easily overlooked.

12. Does the client have anti-virus software installed on all servers and PCs? Viruses are the most common source of attacks on networks and their systems. Viruses can damage or delete data, copy sensitive information and send it to an outsider, or crash the network altogether. Anti-virus software is an important part of a network’s security defenses, and should be installed on all servers and PCs.

If so, what brand and version? We need to ensure that the client is using the latest version of a recognized anti-virus product such as Symantec (Norton), McAfee, Trend Micro, or Computer Associates (CA).

13. Does the anti-virus software automatically scan all files added to the system, including e-mail? Automatic scanning is the key to early identification and eradication of viruses. Unfortunately, many clients do not employ automatic scanning, but instead rely on employees to execute their own scans on a periodic basis. Delays in scanning are just what viruses and worms are counting on as they send themselves out to attack networks.

14. How often are anti-virus definition files updated? As stated above, the world of computer security changes daily. It is estimated that about 10 new viruses appear each day to attack unwitting systems, the majority of them aimed at Microsoft Windows. Anti-virus software includes a library of virus definition files, which are used during scanning to identify and destroy viruses. Obviously, if these definition files are not regularly updated, they will present opportunities for newer viruses to slip through the scanning.

Is it a manual or an automatic process? Most clients require employees to update their virus definitions on a regular basis. Unfortunately, such a voluntary process typically means that anti-virus definitions are not updated often enough to ensure reliable protection. To eliminate this problem, virus definitions should be updated automatically from the anti-virus software provider at a minimum of once per day. Keep in mind that signature-based anti-virus software only recognizes viruses whose definitions it already has; it does not stop a worm that exploits an unpatched service before any definition exists, which is why this question and question 11 go together.

15. Does the network use a wireless method of communications to attach PCs and printers? If yes, is Wi-Fi Protected Access v2 (WPA2) configured and fully operational, rather than the older Wired Equivalent Privacy (WEP)? Wireless technology is becoming more popular with organizations. Some examples of wireless uses are: to connect one or more users located in the main clubhouse to the main computer server without installing cabling; to connect golf or tennis shop PCs to the main network server when the shop is in a separate building nearby; and to connect hand-held POS devices to the main network server. Wireless can be a great tool for connectivity, but it brings with it significant security risks. In essence, wireless systems broadcast a signal outwards 150 to 300 feet in every direction.

If this signal is not protected, it can be picked up by any nearby wireless PC. Once the signal is acquired, the outsider can attach to the club’s network and operate as a normal user. Hackers dubbed “war drivers” drive through office parks and neighborhoods looking for wireless networking signals, then post their lists of wireless networks for others to use and abuse. To eliminate this threat, the wireless network must require a key from every client and encrypt all traffic. The original standard for this, Wired Equivalent Privacy (WEP), does not provide that protection: weaknesses in its use of the RC4 cipher have been public since 2001, and freely available tools recover a WEP key from captured traffic, so a WEP network should be treated as an open one. Wi-Fi Protected Access v2 (WPA2), ratified in 2004, replaces it: a properly configured WPA2 network accepts only clients that hold the pre-shared key (or, with 802.1X, valid user credentials) and encrypts all traffic with AES-CCMP. Clients should implement WPA2 in place of WEP, and in place of the interim WPA/TKIP mode, to ensure the highest level of wireless security. Note that the network name (SSID) is not a secret and hiding it provides no security; the strength of a WPA2 pre-shared-key network rests entirely on the length and randomness of the passphrase.
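The difference between a WEP network and a WPA2 network comes down to a few lines of access-point configuration, and an auditor can check them without joining the network. The following is an added example, not from the original article: the two configurations are constructed hostapd-style key=value fragments (the first is the kind of WEP setup the 2005 checklist would have accepted, the second is what it should require), and the 20-character minimum passphrase length is an assumed policy value. classify() reads only the keys that decide the outcome, so it can be pointed at a real hostapd.conf; other access-point products express the same settings under different names.

```python
"""Wireless access point configuration audit: WEP versus WPA2 (question 15).

Added example, not from the original article. WEAK_CONF and HARDENED_CONF
are constructed hostapd-style fragments; MIN_PASSPHRASE_LEN is an assumed
policy value. Rules encoded: no key material at all is an open network;
any WEP key counts as no protection; WPA2 passes only when it is
WPA2-only (wpa=2), uses CCMP rather than TKIP, and a pre-shared key is
at least MIN_PASSPHRASE_LEN characters long.
"""

MIN_PASSPHRASE_LEN = 20

# The weak setting: hidden SSID plus a 40-bit WEP key.
WEAK_CONF = """\
interface=wlan0
ssid=ClubNet
channel=6
ignore_broadcast_ssid=1
wep_default_key=0
wep_key0=0102030405
"""

# The corrected setting: WPA2-only, CCMP, long pre-shared passphrase.
HARDENED_CONF = """\
interface=wlan0
ssid=ClubNet
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=correct-horse-battery-staple-2005
"""


def parse_conf(text):
    """hostapd-style key=value lines; blank lines and # comments are skipped,
    and a later duplicate key overrides an earlier one."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def classify(conf):
    """Return (verdict, reasons); verdict is "open", "wep", "weak-wpa" or "wpa2".
    The hidden-SSID note is advisory and does not by itself fail the check."""
    reasons = []
    has_wep = any(k.startswith("wep_key") for k in conf)
    wpa = conf.get("wpa")
    if conf.get("ignore_broadcast_ssid") == "1":
        reasons.append("hidden SSID is not a security control; clients reveal the name in probe requests")
    if wpa is None:
        if has_wep:
            reasons.append("WEP key configured; WEP is broken and counts as no protection")
            return "wep", reasons
        reasons.append("no WPA/WPA2 and no WEP: open network")
        return "open", reasons
    if wpa != "2":
        reasons.append(f"wpa={wpa} admits WPA1/TKIP clients; require wpa=2")
    pairwise = conf.get("rsn_pairwise", conf.get("wpa_pairwise", ""))
    if not pairwise or "TKIP" in pairwise:
        reasons.append("pairwise cipher must be CCMP only")
    mgmt = conf.get("wpa_key_mgmt", "")
    if "WPA-PSK" in mgmt:
        if len(conf.get("wpa_passphrase", "")) < MIN_PASSPHRASE_LEN:
            reasons.append(f"pre-shared passphrase shorter than {MIN_PASSPHRASE_LEN} characters")
    elif "WPA-EAP" not in mgmt:
        reasons.append("wpa_key_mgmt must be WPA-PSK or WPA-EAP")
    if has_wep:
        reasons.append("WEP key still configured alongside WPA; remove it")
    failures = [r for r in reasons if not r.startswith("hidden SSID")]
    return ("wpa2" if not failures else "weak-wpa"), reasons


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        verdict, reasons = classify(parse_conf(text))
        print(f"{name}: {verdict}")
        for r in reasons:
            print("  -", r)
```

The weak fragment is classified as WEP with two reasons, the hardened one as WPA2 with none. Note that the audit only covers the access point; the club’s wireless clients also need WPA2 support, and any older POS hand-held that cannot do WPA2 should be kept on its own segment behind the firewall rather than dragging the whole network back to WEP.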

16. Is a formal disaster recovery plan in place for critical systems and operations? Most of our clients do not have a formal disaster recovery plan, not even a simple one, for their computer systems. Once disaster has struck (in the form of hacking, theft, vandalism, or natural disaster), it’s too late to start thinking about what can be done to recover. We need to know whether a plan is in place to ensure that our clients are prepared to handle a disaster if it occurs.

If yes, has the plan been tested recently? Some clients have disaster recovery plans that are many years old and no longer applicable to current conditions. Disaster recovery plans should be tested on a periodic basis to ensure they are still adequate to the task.

Bill Boothe is director of club/resort technology consulting for RSM McGladrey, Inc., one of the nation’s largest business services providers. He has assisted more than 300 private clubs and resorts with the planning, evaluation, selection, and implementation of computer technology in all facets of their operations. Bill has published numerous articles, is a frequent speaker at hospitality conferences, and is the author of the national newsletter Private Club Technology Update. He can be reached at [email protected], (561) 682-1638, or at www.rsmmcgladrey.com/privateclubs.
