What should be stressed right away: security is not a technical problem, as most people tend to proselytise. Security is, and always has been, about people.
Perhaps, since both parts of this article are written non-technically, your upper management will learn something that will help you get more of the budget that you need to do your job.
1 - Policy
At the top of any list has to be policy. You have to know what you are trying to protect and why. People holler 'policy-policy-policy' and there is good reason for that: because it is so essential.
One policy could be so Draconian that everyone's pockets and purses are searched going and coming in and out of the building. A company could choose to monitor every single e-mail, read its contents and then forward it. Effective? Maybe, but there are ways around these techniques, too. But what sort of message does that send to your employees?
The policy is your call, and part of developing policy is knowing where the goodies are; what servers are they on? What about backups? Who has those? Are there copies of the critical files and how are they disposed of? Who is responsible for that process? Who protects the company from the flood or the hurricane or the lightning strike?
Developing policy is hard and implementing it is even harder, but it has to be done. Moreover, like your business, security and policy development is a process. One that must evolve and be adjusted to meet the needs of your organisation as it grows and changes.
2 - Know your employees
Security is a people problem, and all of the technology in the world, unless you engage in it 100%, is not going to solve your security problems.
A significant percentage of successful attacks against networks involve insiders - your trusted employees - in any of a number of ways:
* They develop an anti-company attitude and decide to steal from you or hurt your business.
* They leave the company but still have a back-door entrance into your critical systems.
* They get recruited by or work in tandem with outsiders for some profit-oriented motive.
The most common problems are simple errors that can cause devastating damage to the unprepared company. It is a sad commentary, but we are getting to the point where we need to know more about our employees than they tell us on an application form. In areas of mission criticality and network administration, consider using psychological profiling of staff hopefuls to learn about their ethics, morals, tendencies and proclivities. It is far better to know how someone might act in a tough security situation than to find out the hard way. Of course, this might limit your potential hiring pool if you give the impression you do not trust your employees. Remember that your systems and security administrators have the keys to your electronic kingdom. They can make your systems work, or come to a grinding halt based upon their skill or their attitude. Caveat Emptor applies to employees, too.
3 - Train your staff
Employee education and awareness training remain at the top of any best security practices list, too. Keep your staff updated regularly on all aspects of company security and how they can be part of it. 40% of internal security events are not malicious; they are accidents, errors, omissions or lack of knowledge.
Your goal is have your staff on your side; to be part of the solution and not part of the problem, and it is your responsibility to train them in best practices, corporate policy, and security efforts.
You want them to be alert to events and people that might have a security relevance, recognise them and know how important it is to report them to the right people - promptly.
4 - Perimeter security
Perimeter security prevents people from gaining access without permission.
Perimeter security, such as a firewall or router is the first line of defence for a network, and should be used for all connections from the outside world. Strong user authentication is essential, too. Whether it is long easy-to-remember passwords that are changed regularly, or token-based ID such as with a smartcard, you want to be able to know who is trying to gain access to your networks.
Many companies insist on establishing secure remote connections to their network. For more secure remote connections to the network, consider using encryption and VPNs, or virtual private network, for remote access.
Part of perimeter security is management and proper configuration. Disable all unused services and network protocols. Change 'Default' settings from the manufacturer and periodically assess the privileges and rights of users. Also, make sure that you have a policy and procedure for deleting old employees' access rights to anything within your networks, and use some sort of intrusion detection system, examining the results frequently.
5 - Defence in depth
The technical aspects of security do not end at the Internet nexus or the perimeter. They expand to wherever your staff travels and then dials into your network as well as from the homes of your telecommuters. Your network becomes a part of your partners' networks, too, and their security problems can become yours.
You need to have security tools dispersed throughout your organisation. Perhaps firewalls to isolate critical departmental or campus resources; access control mechanisms on hosts; intrusion and anomalous behaviour detection throughout the network.
Do not forget about keeping your anti-virus software completely up to date, and having your security administrators install security patches on hosts, operating systems and applications as soon as they are ready. Attackers can quickly identify or develop exploits against vulnerabilities in software products. Personal firewalls have a place in the corporate environment, too.
Periodically test the security of your networks. Your business models change; your networks evolve, remote access increases. Spot check security aspects of your enterprise, examine the security impact of new applications before they are installed, and perform an enterprise-wide security analysis at least once a year. But, just because the results look good, do not get complacent. A security test is a mere snapshot in time of your network.
Also, it should go without saying, but backup procedures for critical data, files and applications are an essential component of good security. Users will have a tough time backing up large files on floppy disks, so using network based archive servers with automatic backup in off-hours is an easy way to get the job done without relying upon your staff.
6 - React to security events
A security event can be a group of hackers trying to break into your networks or a denial of service attack by hactivists. It could be an insider hacking a former employer from your networks, and in your name.
No matter the security event brought to your attention, the worst thing in the world you can do is to ignore it. What you do need is a policy extension to react to security events. You need to create a Computer Emergency Response.
Your CERT should be a team of people from your organisation who work together to resolve the event and should coordinate with security organisations around the world and within your industry to maintain constant, global vigilance on events around that might have some relation to each other.
Strong procedures need to be established so that you are working 'by the book' and not making up reactions as you go along. This also ties into the forensics problem: if you are not very careful, you can destroy evidence, harm a formal law enforcement organisation and let the bad guys get away.
7 - Physical security
Physical security is a key part of information security, too. Do not forget about the simple things. Who has access to your electrical closets, telephone rooms basements where your critical network wiring hubs may co-exist?
Guard the physical security of sensitive systems. How do you know the phone man is the phone man - just because he is dressed like the phone man?
If there is insufficient physical security guarding hardware containing mission-critical systems, then these systems are vulnerable to theft or malicious destruction on the premises, thus affecting all other security. Keep your garbage under your physical control (as above) until it is properly hauled by a reputable company for proper disposal. Consider using mag stripe or smartcards for additional physical access control to critical network areas of the organisation.
8 - Examine non-technical components
Look at the smaller, non-technical things that will help your overall security. Too many hungry product vendors would have you believe that a product solution is the answer to your security prayers. Here are some suggestions to protect yourself, many of which cost little or no money to implement.
* You are a networked company and you do not want employees bringing in programs to use at work, infecting your systems with viruses, or taking home sensitive proprietary company information. Consider removing the floppy drives from most PCs and watch your problems start disappearing. Do not forget that loose floppy disks on desktops are an attractive target.
* Shred or burn the important stuff: personnel lists, employee ID, human resources information, manuals and descriptions of current MIS installations and processes, customer files, internal memorandum and anything else of potential value to an outsider.
* Add 'Sensitive' tags to critical electronic media.
* Define different levels of security sensitivity for data, label it, and handle it accordingly.
* Make sure people lock their offices, file cabinets and do not leave sensitive documents strewn around desks.
9 - Stay on top
It is critical to always be aware of everything that is happening 'security-wise' on the Internet.
There are dozens of lists on the Internet that report security vulnerabilities, but there is so much more.
Security weaknesses occur for lots of reasons:
1. An application was improperly designed and is subject to attack through simple scripts available on the Internet.
2. A new piece of equipment is installed and as a result, an error is made so a security hole appears.
3. Your network grows and changes every day. When you connect new systems, you need to understand the version numbers and the potential risks you face. When you tie to a partner's network, how well is that security implemented and how will it affect yours?
4. New applications come out every day and we do not know the security implications until someone successfully attacks the application.
Routers, e-mail servers and other innocuous hardware and software all have security implications. Visit the vendor's website, get on their mailing lists and when an update or a patch is made available - install it!
If you do not the bad guys can figure that out pretty quickly (insiders, too!) and your risk goes up again.
10 - Build security in from the beginning
Too many organisations do not think about security from the beginning of a project.
If you are building in-house applications, security should not be an afterthought; it should be part of the initial design criteria and functionality of the software. Think about developing security by using existing standards so that you can achieve greater interoperability between applications - and security functions.
At the very end, though, security is really about people as is obvious from much of our discussion. So, for a final Top-10, here is a popular list for your staff to follow:
1. Never, ever, give out or share User IDs or passwords to any company system. Ever.
2. Be careful not to accidentally give away or lose any company proprietary information.
3. Do not connect any computers, modems or other equipment to the corporate network without permission.
4. Only use licensed and authorised software.
5. Protect your workstation: use screen savers and always remember to log off.
6. Back up your files on a regular basis, and store the backups in a secure location.
7. Always check e-mail attachments, as well as any new or downloaded software with anti-virus software.
8. Treat e-mail messages with the same care you do using company stationary. You cannot 'unsend' e-mail and it has got your company name on it.
9. Always shred or destroy sensitive information on paper, disk or tape.
10. Report security incidents promptly to your corporate information security department.
Winn Schwartau is the President of Interpact, ( www.interpactinc.com) a security awareness consulting firm, the founder of Infowar.Com and the InfoWarCon security conference. He can be e-mailed at [email protected]
© Technews Publishing (Pty) Ltd | All Rights Reserved