We all face it – the daily barrage of spam, now infested with zero-day malware attacks, not to mention the risks of malicious insiders, infected laptops coming and going behind our deep packet-inspecting firewalls and intrusion-prevention systems. Some even have to worry about how to prove steps of due care and due diligence towards a growing roster of regulatory compliance pressures.
What can you do under so much extreme pressure to make 2007 a better year, not a year loaded with downtime, system cleanup and compliance headaches? I’ve come up with what I would consider some of the best network security practices.
Best practices are things you do – steps you take – actions and plans. Within those plans, I’m certain you will include which security countermeasures to budget for in 2007. Although I thought about going into details about recent security concepts, such as unified threat management or network admission control, it seems more appropriate to focus on the seven best practices instead of the seven best security tools you might consider deploying. For example, I consider encryption a best practice and not a product or tool. I’m sure you’ll find many commercial and freely available tools out there. You can always evaluate those tools which you find most suited for your own best-practice model.
Here’s my best practice list, in order of importance:
1) Roll out corporate security policies
2) Deliver corporate security awareness and training
3) Run frequent information security self-assessments
4) Perform regulatory compliance self-assessments
5) Deploy corporate-wide encryption
6) Value, protect, track and manage all corporate assets
7) Test business continuity and disaster recovery planning
Although I could have made this list a little bit longer, these seven make the cut because if you implement them, you should see a rapid improvement in network uptime, performance and your IT regulatory compliance posture. Let’s take a closer look.
1) Roll out corporate security policies
If you don’t already have corporate security policies, now is the time. There are some excellent models out there for free or for a minimal charge. My favorites are the powerful COBIT model , the e-tail/retail-oriented PCI model from the PCI Security Standards Council and an extremely comprehensive international model called ISO 27001/17799 . Any of these models would be a great starting point. Once you start working with a model, you’ll need to create, as the U.S. military says, a “simplified English” model, one that an 8th grader can understand. Why? So every individual in your organization can understand these policies. Most employees in any organization are not INFOSEC or compliance experts, so plan out a plain-English roll-up of each section of your corporate security model for all employees to see, acknowledge and support the implementation of throughout your organization. Keep the detailed model available for IT staff, your CIO and anyone who helps you implement network security and IT support of regulatory compliance.
If these models are too overwhelming for you, just remember that good network security always starts with a living security policy. Even if it is one page, it should be an outline of security practices that every executive in the organization agrees to live by. Basic rules should include guidelines for everything from user access and passwords to business continuity planning and disaster recovery planning (BCP and DRP). For example, you should have policies in place for backing up financials and confidential customer records as well as mirroring systems to be better prepared, proactively, in the event of a disaster. In some cases, your BCP and DRP may even require a ‘cold’ or ‘warm’ site where you can quickly relocate your staff to continue operations after a natural disaster or terrorist attack. Implementing a corporate security policy is the first step in achieving proactive network security.
To get some heft behind your corporate security policies, work out with the executives what happens when someone violates one or more of your policies. Was the violation intentional? Was the action criminal? For example, an employee violates one of your eyes-only access policies, copies all of the employee records out of the HR database and posts this information on a public site. If this happens, what would you do? You should let all personnel know the policies and the costs associated with violation.
Take a look at this site to see how many records have been lost or stolen. Did these organizations have the best corporate security policies in place? Did any of these incidents occur because of a malicious insider?
Put some teeth into your policies by getting executive-level support not only for their implementation but also for the consequences of violations. These could include a written reprimand, day without pay, fired with cause, civil suit, documenting the violation with the local authorities and possible criminal suit.
Sharing this information with all employees will give any potential malicious insiders something to think about before they cause harm to your organization. Take a look at this site to see case law and more information on hacker cases and malicious insiders.
By planning on the worst-case scenario, you’ll be better prepared for policy violations. With this information under your belt, let’s try to take the bright side and assume the attack against your corporate security policies will not be from insiders but from external threats. If all employees are on board and help you implement your policies, your network security and regulatory compliance posture should be strong. The best way to get them on board is through corporate security awareness and training.
2) Deliver corporate security awareness and training
How many times have you heard of a trusted insider falling for a phishing scam or taking a phone call from someone sounding important who needed ‘inside’ information? It’s happening too frequently to be ignored. Some employees love browsing Web sites they should not or gambling online or chatting using instant messenger tools. You need to educate them about acceptable usage of corporate resources. They also usually don’t know much about password policies or why they shouldn’t open the attachment that says “you’ve won a million – click here and retire now.” It’s time to
