Pub. 8 2013-2014 Issue 1
May | June 2013

to be manually removed to preclude their use. Manually uninstalling old Java versions only has to be done once. Current versions of Java do stay installed after an upgrade.

• For Java version 7 Update 10 and above, disable Java content in the browser. Oracle recently added the capability to disable Java content in the web browser to counter continuing discovery of vulnerabilities. Disabling Java in the browser will stop the Java plug-in from running in your browser and help defeat drive-by attacks. Disabling Java in the browser still allows it to be used with applications installed on the local workstation. Also, if you need to leave Java enabled in the browser, use the Java security level settings to control how the browser runs Java applications.

• Don’t place full reliance upon the Java Auto Update feature (available only for 32-bit versions of Java) to keep Java updated throughout your network. While this feature is helpful, users are often confused about the legitimacy of this process. Some users will run the update and others will not. Users lacking local administrator rights will not be able to install the update anyway. In lieu of Java Auto Update, deploy a centralized patch management product capable of distributing Java updates. Or, at the very least, use an automated software inventory application to periodically check the version of Java running on each system and then manually help the users who are not installing updates.

• Utilize a web content filtering system capable of blocking known malicious websites. Some web content filtering systems maintain updated blacklists of known malicious websites. Users will not be able to reach the malicious websites, precluding a drive-by attack. This control is highly dependent upon the web content filtering vendor to update blacklists and also upon the company to implement the control evenly across the network.
• Don’t allow Java to run applications where the publisher cannot be verified. Software from unknown publishers could be malware; therefore, it is a good idea to not allow Java to run unknown applications. This restriction can be configured in the Java console under the “Security” tab by selecting either the “Very High” or “High” settings.

• Implement aggressive egress filtering on your firewall. Egress filtering limits network traffic that is leaving your internal network for the Internet. Even if malware gets installed on an internal machine, egress filtering may stop the malware from communicating with cybercriminals on the Internet. Only allow the outbound ports necessary to conduct business; all other ports should be blocked.

Mark Faske is a security and compliance consultant for CoNetrix. Visit CoNetrix at www.conetrix.com.
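The periodic version check suggested in the Auto Update item above, sketched as an added example that is not part of the original article. The host names, inventory rows, display-name format and `BASELINE` value are constructed assumptions; feed it the export from whatever inventory tool you use.

```python
import re
from collections import defaultdict
# Assumed patch baseline as (major, update); set it to the release you deploy.
BASELINE = (7, 21)
# The article dates the browser-disable option to Java 7 Update 10 and above.
BROWSER_DISABLE_MIN = (7, 10)
# Constructed inventory rows: (hostname, installed-program display name).
INVENTORY = [
    ("TELLER-01", "Java(TM) 6 Update 31"),
    ("TELLER-01", "Java 7 Update 21"),
    ("LOANS-02", "Java 7 Update 9 (64-bit)"),
    ("BACKOFFICE-03", "Java 7 Update 21"),
    ("BACKOFFICE-03", "Adobe Reader XI"),
]
NAME_RE = re.compile(r"^Java(?:\(TM\))? (\d+)(?: Update (\d+))?( \(64-bit\))?$")

def parse_java(name):
    """Return ((major, update), is_64bit) for a Java entry, else None."""
    m = NAME_RE.match(name.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2) or 0)), bool(m.group(3))

def audit(rows, baseline=BASELINE):
    """Map each host to a sorted list of findings; clean hosts are omitted."""
    installs = defaultdict(list)
    for host, name in rows:
        parsed = parse_java(name)
        if parsed:
            installs[host].append(parsed)
    report = {}
    for host, found in installs.items():
        findings = set()
        newest = max(version for version, _ in found)
        if newest < baseline:
            findings.add("below-baseline")
        if any(version < newest for version, _ in found):
            findings.add("old-version-left-installed")  # needs manual removal
        if newest < BROWSER_DISABLE_MIN:
            findings.add("no-browser-disable-option")
        if any(is_64bit for _, is_64bit in found):
            findings.add("64-bit-no-auto-update")  # Auto Update is 32-bit only
        if findings:
            report[host] = sorted(findings)
    return report

if __name__ == "__main__":
    for host, findings in sorted(audit(INVENTORY).items()):
        print(host, ", ".join(findings))
```
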