Last month, we looked at just how easy it is for a hacker to gain entrance to an unprotected network.Helpful tools are everywhere, and common strategies--such as domain naming conventions--actually aid the attacker in his mission. Luckily, however, there is some good news: You still can protect yourself against attacks by all but the most determined and experienced hacker. Now the bad news: Protection lies not in a single hardware or software solution, or even in a single action, but, rather in a tightly interconnected network of policies, procedures and network components. Each part of the solution supports every other part so that no weaknesses can be discerned. The solution is moulded to confront the tactics used to attack at every level.
The procedure that we advocate is the Seven Step Plan to Enterprise Security. This steps are: Define security policies; assess vulnerabilities and threats; collect all data--and monitor everything; define your defense perimeters; prioritise the focus of deployment; employ and integrate your existing security tools; and deploy your security solution and refine as experience dictates.
This is an iterative procedure in which you learn about your security requirements and reinforce vulnerabilities on a continuing basis. It takes into account the inevitable fact that resources are limited, and puts maximum protection at points of maximum risk. It is, in fact, designed to counter attacks that are likely to be launched against your network. It combines protection of critical data with development of a reasonable compromise between data access requirements and security. At the same time, it provides for continuous monitoring of network data and re-evaluation of security needs as the company, its data, and its systems change.
The plan begins with defining security policy--arguably, the most important element of all. This includes such issues as threat response, enforcement for security lapses, configuration and safeguards. Next, comes threat assessment--developing a catalog of risks, including both vulnerabilities and specific threats. This may lead to re-evaluation of policies.
When threat assessment is completed, you need to establish continuous examination of data streams at critical points to determine if and when a break-in is attempted. Incoming data provides the same rich information that the hacker depends upon. It can signal the beginning of an attack, provide evidence of probable source, and yield details of tools that might be in use. Data collection may then lead to adjustment of threat levels.
Next, you need to define defense perimeters--firewall location and operation, and network isolation. What you let in, and where, define the "walls" of your fortress. For some networks, you may choose to eliminate external connections entirely, for example. Generally, however, some level of communication is required with the outside world, or with other networks that might themselves provide access to the outside world. These critical junction points need to be located and protected--with special emphasis placed upon bypass possibilities, such as informal remote modem connections.
Following this, you need to evaluate network security as it exists and, in line with a readjusted threat assessment, set priorities that maximise use of your security resources. When these requirements have been established, you can employ existing security tools to best effect, making certain that they are well integrated and contain no serious gaps. Put the system in place, test it, and add components as required. Then evaluate again.
Security evaluation and testing must be ongoing, since the threat is always changing--as is your company. Change will always have network security implications. Critical information can shift between departments and between servers. Individuals with security clearances and information might leave the firm. A new critical project might be started in a department that has previously required little security. New managers may need a special briefing on procedures.
As you move your way down the list, you will call into question some of the assumptions that you had made in previous steps. These must be corrected before moving down to the next item. By the time you are finished, you will have a good picture of your security requirements and existing protection. This knowledge, alone, is almost worth the effort. But you should also have refined your security infrastructure at each point sot that it performs effectively and efficiently, in an integrated manner and without significant gaps in coverage.
The reason for a policy of this type is this: Every attack begins with a vulnerability assessment and an evaluation of the value of the data (or disruption) versus the cost of obtaining it. Even the script kiddies do this in a juvenile way--what is the value of tampering this site versus the chance of getting caught? If you constantly adjust your security system so that information of value is always out of reach, then you will discourage all but the most determined attacker. If you monitor and test constantly, then you add the risk of exposure as a deterrent. And, if your security is cloaked in clear, unambiguous, and well-enforced business policy, then you can even turn the tables on sophisticated threats involving social engineering, as well as ensuring that procedures are followed every time.
To undertake a security program such as the one we have described requires commitment, and a buy-in at the very highest levels within the company. But the risks of not doing so are obvious and ever-present. The security argument just gets easier and easier to make as we move into the 21st century.
Next month, we will begin to examine the seven steps in detail, beginning with steps 1 and 2--defining security policies, and assessing vulnerabilities.
by Darren Thomas , a security expert at NetIQ Corp.