Network Security

The serious subject of the network security landscape expands across the juicy areas of risk and reward, consultants and vendors, software and systems, people and processes. No other area in technology is as pervasive in its required inclusion in the strategy, development and operations of technology systems, and network security shows no sign of true commodification or of an opportunity to be taken off the executive agenda. 'Can't we just buy something to fix this issue and move on?' Nope. I'm afraid not.

Whether it is writing a security policy, applying encryption, understanding network security strategy, trapping hackers or detecting intrusion, advice is aplenty; most of it, however, while offering gifts of assistance with open arms, comes with bias. As you read this information and begin to understand the factors involved in network security, the issues discussed here will provide an alternative, or at least a questioning, capability to ensure your interests are protected from those biases.

Priority

Remember that this is a journey to be traveled indefinitely and not a destination to be reached and signed off as complete.

10 Initial Steps

1. This pertains to both information and material goods. Assess the importance and value of these assets.

Example: A computer may cost $3000 to replace. The information on that computer might cost $60K to replace. In the hands of a competitor, the losses might be even higher.

2. Perform a Threat Risk Assessment. Categorise the likelihood of these assets being stolen and identify the resulting damage to the organisation if such an occurrence comes to pass.

Example: If a company has a public web server which is used to distribute information, the cost of it going down from a "denial of service" attack might be the time required to bring the system back online (e.g. two hours from the MIS department). If this web server is used to perform financial transactions, then the cost must also include the number of purchases lost while the server is down.

3. Adopt a "Need to Know" philosophy. Things like access control and privilege should not be a measure of rank or importance in other areas. As the number of people with access to restricted areas (or information) increases.

Example: The CEO does not need a password to enable him to gain access to the accounting system. If he has access and someone finds out his password (e.g. he uses one password for all systems), it can be misused.

4. Perform an informal site survey of your organisation. In accordance with your asset descriptions (step 1), you can either relocate valuable assets to more secure areas or take extra measures (additional locks, smart cards, security personnel, etc.) to guard these assets. Pay close attention to "drop ceilings" (a locked door is no deterrent in this case) and assets in very remote or unoccupied areas. Also be sure to look at cable drops and other wiring routes.

Example: It's often a good idea to locate all your important servers in a separate room with physical access constraints. This reduces the possibility of malicious or illegal activity occurring by happenstance (e.g. somebody with no access privileges glancing over and stealing a password while it is being input, or making copies of classified information that happens to come out of the printer).

5. Institute a standard for classifying all information (is it confidential, private, unclassified, etc.?) and a means to identify which employees, or groups of employees, have access to this information.

Example: An Advertising Plan might be restricted to specific people in the Marketing and Business Development departments. An Engineering document that details trade secrets would be restricted to specific engineers. It might even be necessary to control and account for each document that is released, i.e. only one person has the ability to print the document and a limited number of photocopies are made and distributed to specific people only. Company policy would ensure that these people do not make unauthorised photocopies.

6. Ascertain who needs access to external resources (via Internet, modem, WAN, etc.) and what resources need to be made available. Ascertain who, amongst external users (employees, partners, customers, the general public), needs access to internal resources and what resources need to be made available. This is an extension of the "Need to Know" philosophy. Although painful, it may be necessary to adopt strict policies regarding the downloading of third-party software from unknown sites. If this can't be done, then anti-virus software must be run on all network computers on a very timely basis.

Example: Not all employees need access to the external World Wide Web. Aside from being a great time waster, it also increases the possibility of malicious software and ties up network bandwidth. A good alternative might be to restrict WWW access to specific times (e.g. lunchtime).

7. Create a disaster recovery plan. This will force you to think about how you do system backups and perform off-site storage. It should address the loss of information and equipment/material.

Example: Pick a worst-case situation (usually your building burns down) and consider how you would stay in business and service your customers. This exercise will serve to highlight the data and equipment that is critical to your operation. It will also make you think about how long your operation can be "down" without suffering irreparable harm.

8. Appoint someone to be responsible for security policy enforcement. This can be one person, a group or a group of individuals.

Example: The Network Administrator may be the person responsible for Internet access and other IT-related functions, while a person in the HR department may take ownership of site security (alarm system maintenance, access card distribution). No two situations are identical.

9. Review the impact of any intended procedural changes on your employees. Will they be capable of shutting off alarm systems, changing passwords every month, locking their drawers every night and using password enabled screen

Example: If the employees aren't reliable, then it may be necessary to institute mechanisms to automatically force password changes and run screen saver programs. Obviously, there will always be a situation where the employees need to be responsible, i.e. education is a necessity and security policy enforcement is a co-operative effort.

10. Understand that the implementation of any security policy needs regular validation. Security audits need to be performed to determine if the policy is meeting its objectives. If it isn't, then the problems must be addressed.

Example: Reviewing the security policy six months after it was written will frequently uncover a few major deficiencies. If an assumption was made that only a few people need to access a protected area and this really isn't the case, a change is in order. Perhaps some of the material in the protected area isn't really that sensitive and can be moved to another location.