Gary Miliefsky's seven strategic best practices for network security, including rolling out security policies, deploying corporate-wide encryption, tracking assets and performing self-assessments.
We all face it - the daily barrage of spam, now infested with zero-day malware attacks, not to mention the risks of malicious insiders, infected laptops coming and going behind our deep packet-inspecting firewalls and intrusion-prevention systems. Some even have to worry about how to prove steps of due care and due diligence towards a growing roster of regulatory compliance pressures.
What can you do under so much extreme pressure to make 2007 a better year, not a year loaded with downtime, system cleanup and compliance headaches? I've come up with what I would consider some of the best network security practices.
Best practices are things you do - steps you take - actions and plans. Within those plans, I'm certain you will include which security countermeasures to budget for in 2007. Although I thought about going into details about recent security concepts, such as unified threat management or network admission control, it seems more appropriate to focus on the seven best practices instead of the seven best security tools you might consider deploying. For example, I consider encryption a best practice and not a product or tool. I'm sure you'll find many commercial and freely available tools out there. You can always evaluate those tools which you find most suited for your own best-practice model.
Here's my best practice list, in order of importance:
1) Roll out corporate security policies
2) Deliver corporate security awareness and training
3) Run frequent information security self-assessments
4) Perform regulatory compliance self-assessments
5) Deploy corporate-wide encryption
6) Value, protect, track and manage all corporate assets
7) Test business continuity and disaster recovery planning
Although I could have made this list a little bit longer, these seven make the cut because if you implement them, you should see a rapid improvement in network uptime, performance and your IT regulatory compliance posture. Let's take a closer look.
1) Roll out corporate security policies
If you don't already have corporate security policies, now is the time. There are some excellent models out there for free or for a minimal charge. My favorites are the powerful COBIT model, the e-tail/retail-oriented PCI model from the PCI Security Standards Council and an extremely comprehensive international model called ISO 27001/17799. Any of these models would be a great starting point. Once you start working with a model, you'll need to create, as the U.S. military says, a "simplified English" model, one that an 8th grader can understand. Why? So every individual in your organization can understand these policies. Most employees in any organization are not INFOSEC or compliance experts, so plan out a plain-English roll-up of each section of your corporate security model for all employees to see, acknowledge and support the implementation of throughout your organization. Keep the detailed model available for IT staff, your CIO and anyone who helps you implement network security and IT support of regulatory compliance.
If these models are too overwhelming for you, just remember that good network security always starts with a living security policy. Even if it is one page, it should be an outline of security practices that every executive in the organization agrees to live by. Basic rules should include guidelines for everything from user access and passwords to business continuity planning and disaster recovery planning (BCP and DRP). For example, you should have policies in place for backing up financials and confidential customer records as well as mirroring systems to be better prepared, proactively, in the event of a disaster. In some cases, your BCP and DRP may even require a 'cold' or 'warm' site where you can quickly relocate your staff to continue operations after a natural disaster or terrorist attack. Implementing a corporate security policy is the first step in achieving proactive network security.
To get some heft behind your corporate security policies, work out with the executives what happens when someone violates one or more of your policies. Was the violation intentional? Was the action criminal? For example, an employee violates one of your eyes-only access policies, copies all of the employee records out of the HR database and posts this information on a public site. If this happens, what would you do? You should let all personnel know the policies and the costs associated with violation.
Take a look at this site to see how many records have been lost or stolen. Did these organizations have the best corporate security policies in place? Did any of these incidents occur because of a malicious insider?
Put some teeth into your policies by getting executive-level support not only for their implementation but also for the consequences of violations. These could include a written reprimand, day without pay, fired with cause, civil suit, documenting the violation with the local authorities and possible criminal suit.
Sharing this information with all employees will give any potential malicious insiders something to think about before they cause harm to your organization. Take a look at this site to see case law and more information on hacker cases and malicious insiders.
By planning on the worst-case scenario, you'll be better prepared for policy violations. With this information under your belt, let's try to take the bright side and assume the attack against your corporate security policies will not be from insiders but from external threats. If all employees are on board and help you implement your policies, your network security and regulatory compliance posture should be strong. The best way to get them on board is through corporate security awareness and training.
2) Deliver corporate security awareness and training
How many times have you heard of a trusted insider falling for a phishing scam or taking a phone call from someone sounding important who needed 'inside' information? It's happening too frequently to be ignored. Some employees love browsing Web sites they should not or gambling online or chatting using instant messenger tools. You need to educate them about acceptable usage of corporate resources. They also usually don't know much about password policies or why they shouldn't open the attachment that says "you've won a million - click here and retire now." It's time to start training them.
Training Sessions
Invite employees to a quarterly 'lunch and learn' training session. Give them 'bite-sized' nuggets of best practice information.
For example, teach them about the do's and don'ts of instant messaging. If you are logging e-mail for legal purposes, which in some cases is required by law (SEC requirements for financial trading firms), let them know that you are doing it and why you are doing it. Give them some real-world examples about what they should do in case of an emergency. Teach them why you've implemented a frequent-password change policy and why their password should not be on a sticky note under their keyboard.
Let these sessions get interactive with lots of Q&A. Give an award once per year to the best INFOSEC-compliant employee who has shown an initiative to be proactive with your security policies. If you can keep them interested, they will take some of the knowledge you are imparting into their daily routines. That's the real goal.
Campaigns
You should begin a campaign to educate all employees in your organization to join your mission to protect corporate information. Create your own 'security broadcast channel' via e-mail or Really Simple Syndication (RSS), and get the message out to your corporate work force. Let them know that these messages are important such as a warning about an upcoming storm and what to do in case of a disaster.
You can also give them 'security smart' tips or alert them to a new phishing scam or tell them that the corporation had to let go of an individual who was attempting to steal corporate information. Keeping the entire team in the loop will help bolster the corporate security posture.
Posters and other awareness tools
See if you can get some INFOSEC awareness posters from one of the security-awareness training companies - usually they'll give you some free posters with the hopes that you might hire their firm to conduct the training for you. There are other tools you can use like little postcards with do's and don'ts of best practices for the employees that they can pin up in their offices as reminders.
The bottom line: Knowledge is power, so start empowering your fellow employees to gain a basic toehold in what they should and shouldn't do to help you in your mission of more uptime and less compliance headaches - which all results in more productivity, possibly more revenues and job security for everyone.
3) Run frequent information security self-assessments
When did you last look at your firewall or IPS to make sure it is patched and up to date? Most IPS systems have automatic updates for their signature tests, but what if you forgot to turn on this feature? Have you checked to make sure there are no rogue wireless routers or devices attached to your network? How many laptops come and go from your enterprise on a daily basis? How many are running a firewall and have anti-virus software up to date with a full system scan?
MITRE is funded by the U.S. Department of Homeland Security to continue to develop the Common Vulnerabilities and Exposures (CVE) system. It's eight years old this year and accepted worldwide as the de facto international standard for vulnerability tracking on all computers and networking equipment. How many machines on your network have one of the top 20 CVEs? You can find the list here and then find more details at the National Vulnerability Database hosted by NIST.
Speaking of NIST, it has best-practice guidelines for setting up servers and systems, called STIGs. The Cyber Security Research and Development Act requires NIST to develop, and revise as necessary, a checklist setting forth settings and option selections that minimize the security risks associated with each computer hardware or software system that is, or is likely to become, widely used within the federal government.
Why not take advantage of this resource? DISA now provides the public with direct access to its STIGs and Checklists. On the DISA Web page, you may sign up for the "STIG-News Mailing List" to be notified when the latest STIGs are available.
Do a search for a Windows Server STIG and see if you can find some hardening tips that you never thought to apply to one of your critical Windows servers. Also, the NSA offers a best-practice guide to setting up a Windows Server, along with many other free and useful security resources. If it's good enough for federal government network security, it should be good enough for you.
Perform your own security self-assessment against these best-practice recommendations of the U.S. government. Find all of the holes in your INFOSEC environment so that you can document them and begin a workflow process and plan to harden your network. Network security is a process, not a product, so to do it right, you need to frequently self-assess against the best guidelines you can find.
4) Perform regulatory compliance self-assessments
Boards of directors, CEOs, CFOs and CIOs are under extreme compliance pressures today. Not only are they charged with increasing employee productivity and protecting their networks against data theft, but they are also being asked to document every aspect of IT compliance.
Due to all the extra work necessary, many organizations have been tempted to hire consulting firms, such as Accenture or Deloitte & Touche. However, these third-party groups also come with a disclaimer waiving them from any legal responsibility if the results of their audits are examined for legal purposes. Compliance requires the acceptance of legal responsibility. So why would you spend so much money on external auditors who are supposed to help you in this process, when they won't accept responsibility for their work product or your audit?
I recommend, whether or not an outside firm is performing IT compliance audits, that you begin performing measurable compliance self-assessments. You'll need to review those regulations which affect your organization. In the United States, these range from GLBA for banks to HIPAA for healthcare and insurance providers to PCI for e-tail/retail to CFR-21-FDA-11 for pharma to SOX-404 for public companies.
Some states have their own regulations. In California, for example, if there has been a breach in confidentiality due to a successful hacker attack, companies are required by law to publish this information on their Web sites. The California Security Breach Information Act (SB-1386) requires the company to notify customers if personal information maintained in computerized data files has been compromised by unauthorized access. California consumers must be notified when their name is illegitimately obtained from a server or database together with other personal information such as their Social Security number, driver's license number, account number, credit or debit card number, or security code or password for accessing their financial account.
If you are a federal government agency, you need to comply with Executive Order 13231, to ensure protection of information systems for critical infrastructure, including emergency preparedness communications and the physical assets that support such systems. Also, if you are a non-profit organization, you are not exempt from the reporting requirements of regulations in your industry (banking, healthcare, etc.). Please make sure to seek legal counsel if you are not sure of which regulations you'll need to address.
The easiest thing you can do to prove you are in compliance is to document your steps of protecting data. You should be able to prove that you have in place all the best policies and practices as well as the right tools and INFOSEC countermeasures for maintaining confidentiality, availability and integrity of corporate data. By frequently assessing your compliance posture, you'll be ready to prove you "didn't leave the keys to the corporate assets in the open." If your network is ever hijacked and data is stolen, you'll have done your very best to protect against this event and it will be less of a catastrophe for your organization.
5) Deploy corporate-wide encryption
There's an old saying: "Loose lips sink ships." If you take a look at all the identity theft that's occurred, much of it was done against systems that were not encrypted. For example, an e-commerce Web site of a public company was hackable not only because it had CVEs, but also because the company did not understand the importance of encryption. They thought that an encrypted SSL session was enough.
However, their shopping cart system took this encrypted credit card information and stored it unencrypted, in plain text, on a database server that was attached to the Web server.
These two servers were like putty to the hackers - one SQL Injection attack and thousands of consumer records were grabbed, sold and used for siphoning money from the credit cards. You can buy lists of Social Security numbers, names, addresses, phone numbers, bank account records and credit cards on the black market. It's now an industry. Don't let your organization be one of those added to the list.
The best practice is to look at all aspects of electronic communication and data manipulation throughout your enterprise. That should include all instant messaging, file transfer, chat, e-mail, online meetings and webinars, plus all data creation, change, storage, deletion and retrieval.
How are customer records stored? How are electronic versions of other confidential information protected? Backing up the data is not enough.
You should set up a VPN for those who have access to your network from the outside. Make sure the systems that access your network through the encrypted tunnel are also not the weakest links in your infrastructure. Don't let them in if they aren't fully patched, up to date, scrubbed for malware and authenticated. If you let go of an employee with a laptop, get the equipment back - and in the meantime, close their VPN tunnel.
You can encrypt everything from your hard drives to your e-mail sessions to your file transfers. There are numerous free tools out there for hard drives, for Web, e-mail and instant messaging, plus the grand-daddy of free encryption, PGP (Pretty Good Privacy), first created by Phil Zimmermann in 1991.
But encryption is not to be taken lightly. You'll need policies in place for key storage and password access so if ever the keys and passwords are lost by the end users, you'll have a way back in to decrypt the information, reset the keys or change the passwords.
You might find out that some of the servers and services you are running already offer encryption if you simply check the box and turn this feature on. If a laptop with confidential records is stolen, but the thief doesn't have the password or key to decrypt the data, it will be useless to them. If someone is eavesdropping on your new VoIP phone system using a tool like Ethereal and the voice-over-misconfigured-internet-telephony (VOMIT) attack, they won't get very far if all the data stream is encrypted.
I recommend you encrypt your communications and data whenever and wherever possible.
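The shopping-cart story above combines two failures: SQL built by string concatenation, and card numbers persisted in clear next to the Web tier. The following is an added example, not code from the article or from any product it mentions, that puts each failure beside its fix using an in-memory SQLite database. The order ids, customer names and card numbers are constructed test data. Because the Python standard library has no vetted cipher, the hardened table stores only the last four digits plus a keyed fingerprint (so a duplicate card can still be recognised) rather than an encrypted copy of the number; the fingerprint key and the `fingerprint`, `lookup_vulnerable` and `lookup_hardened` helpers are this example's own assumptions.

```python
"""
Added example (not from the article): string-built SQL and plain-text card
storage beside their fixes. Uses sqlite3 in memory; all data is constructed.
"""
import hashlib
import hmac
import sqlite3

# Constructed test data; these are fictitious card numbers.
ORDERS = [
    ("A100", "Alice Example", "4111111111111111"),
    ("A101", "Bob Example", "5500000000000004"),
]

# Key for fingerprinting card numbers. In production this lives in a secrets
# store or HSM, never in the database it protects; hard-coded only so the
# example runs offline.
FINGERPRINT_KEY = b"constructed-demo-key-do-not-reuse"


def fingerprint(pan: str) -> str:
    """Keyed fingerprint of a card number: detects a card reused across
    orders without the database ever holding the number itself."""
    return hmac.new(FINGERPRINT_KEY, pan.encode(), hashlib.sha256).hexdigest()


def build_vulnerable_db() -> sqlite3.Connection:
    """The article's 'before': the full card number in plain text."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE orders (order_id TEXT, customer TEXT, pan TEXT)")
    con.executemany("INSERT INTO orders VALUES (?, ?, ?)", ORDERS)
    return con


def build_hardened_db() -> sqlite3.Connection:
    """The 'after': only the last four digits and a keyed fingerprint are
    persisted, so a dump of this table yields no usable card numbers."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE orders (order_id TEXT, customer TEXT, pan_last4 TEXT, pan_fp TEXT)"
    )
    con.executemany(
        "INSERT INTO orders VALUES (?, ?, ?, ?)",
        [(oid, cust, pan[-4:], fingerprint(pan)) for oid, cust, pan in ORDERS],
    )
    return con


def lookup_vulnerable(con: sqlite3.Connection, order_id: str) -> list:
    """Query text built by concatenation: the input becomes part of the SQL."""
    sql = "SELECT order_id, customer, pan FROM orders WHERE order_id = '" + order_id + "'"
    return con.execute(sql).fetchall()


def lookup_hardened(con: sqlite3.Connection, order_id: str) -> list:
    """Parameterised query: the driver passes the input as data, never as SQL."""
    sql = "SELECT order_id, customer, pan_last4 FROM orders WHERE order_id = ?"
    return con.execute(sql, (order_id,)).fetchall()


def demo() -> dict:
    # The textbook tautology input behind the article's "one SQL Injection attack".
    crafted = "x' OR '1'='1"
    vuln = build_vulnerable_db()
    hard = build_hardened_db()
    stored_fp = hard.execute(
        "SELECT pan_fp FROM orders WHERE order_id = ?", ("A100",)
    ).fetchone()[0]
    return {
        "vulnerable_rows": lookup_vulnerable(vuln, crafted),  # every row, card numbers included
        "hardened_rows": lookup_hardened(hard, crafted),      # no row: no such order_id exists
        "hardened_normal": lookup_hardened(hard, "A100"),     # [('A100', 'Alice Example', '1111')]
        "reuse_detected": fingerprint("4111111111111111") == stored_fp,  # True
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The crafted input returns both rows, card numbers included, from the concatenated query and nothing from the parameterised one, because `?` binds the input as a value that can never terminate the string literal. Where a business reason forces you to keep the full number (recurring billing, for example), encrypt it with a vetted authenticated cipher and keep the key outside the database, under the key-storage and recovery policies the article calls for.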
6) Value, protect, track and manage all corporate assets
You should take a close look at the value of all of your IT assets. This includes all the equipment - from your new VoIP phone system to your laptops, desktops, servers and all other networking equipment. How valuable are they to you? If someone stole a corporate laptop, what would it cost to replace? If the laptop contained all of the trade secrets of your corporation, now how valuable is that laptop?
Do an inventory assessment on all corporate assets that come within your domain. If engineers are storing code on your file server, how valuable is that code? The file server might only cost $3,000 to replace, but the code might take 20 person-years to re-engineer.
By placing a value on all corporate assets, you'll be able to determine how to better protect these assets. Justifying a storage area network or a daily backup is much easier if you know where the important assets are located and how valuable they are to your organization. What if the sales team chooses a free tool like SugarCRM for their customer relationship management (CRM) system? Does SugarCRM offer a backup service for your sales team? You might find out that the salespeople placed an entire customer list on their own Web server that they are managing without telling you. Then, when the server they are using crashes, you'll get a wake-up call to restore probably one of the most valuable assets in the corporation.
If you did a physical security and asset inspection walk-around, you might have found this 'new' server and taken control of it - enabling encryption, setting up a daily backup schedule and getting it on your maintenance program.
You can't protect what you don't know about. It's very important to have a handle on all corporate assets. You can quickly build a spreadsheet that includes the value of each asset - from an IT standpoint, not necessarily from the CFO's. Then, you'll be able to consider what INFOSEC countermeasures such as encryption, strong authentication, separate subnet, quality-of-service provisioning, backup plan, etc., you'll need to put in place to reduce the risk of downtime, data theft or loss of a critical asset.
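The self-assessment questions in section 3 (are signatures current, is the firewall on, is anything unmanaged on the network) and the valued asset spreadsheet above fit naturally together: value tells you which failed check to fix first. The following is an added example, not code from the article, that runs a small checklist over a constructed inventory and orders the findings by asset value. The `Asset` fields, the two age thresholds and the four sample assets are this example's own assumptions, chosen to mirror the article's file server, walk-around 'new' server, laptop and IPS.

```python
"""
Added example (not from the article): a checklist self-assessment over a
constructed asset inventory, with findings ordered by asset value.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

AS_OF = date(2007, 1, 15)        # constructed assessment date
MAX_SIGNATURE_AGE_DAYS = 7       # AV/IPS signatures older than this are a finding
MAX_PATCH_AGE_DAYS = 30          # hypothetical patch-currency threshold


@dataclass
class Asset:
    name: str
    kind: str                              # 'laptop', 'server', 'firewall', ...
    replacement_cost: int                  # hardware cost, in dollars
    data_value: int                        # IT estimate of what it holds, in dollars
    confidential: bool                     # customer records, code, trade secrets
    encrypted_at_rest: bool
    firewall_on: bool
    signatures_updated: Optional[date]     # None: no AV/IPS at all
    last_patched: Optional[date]           # None: never patched / unknown
    authorised: bool = True                # False for a box found on the walk-around

    @property
    def value(self) -> int:
        """Value from the IT standpoint: replacement cost plus data value."""
        return self.replacement_cost + self.data_value


# Constructed inventory: a code file server, the sales team's unmanaged CRM
# box, a travelling laptop and the edge IPS.
INVENTORY = [
    Asset("fileserver-01", "server", 3000, 2_000_000, True, False, True,
          date(2007, 1, 12), date(2006, 12, 20)),
    Asset("sales-crm-box", "server", 1500, 500_000, True, False, False,
          None, None, authorised=False),
    Asset("laptop-a17", "laptop", 2000, 10_000, True, True, True,
          date(2006, 12, 1), date(2007, 1, 10)),
    Asset("edge-ips", "firewall", 8000, 0, False, False, True,
          date(2006, 12, 30), date(2007, 1, 2)),
]


def assess(asset: Asset, as_of: date = AS_OF) -> List[str]:
    """Apply the checklist to one asset and return the failed checks."""
    findings = []
    if not asset.authorised:
        findings.append("unmanaged device: not in inventory or maintenance program")
    if asset.confidential and not asset.encrypted_at_rest:
        findings.append("confidential data stored without encryption")
    if not asset.firewall_on:
        findings.append("host firewall disabled")
    if asset.signatures_updated is None:
        findings.append("no anti-malware / IPS signatures")
    elif (as_of - asset.signatures_updated).days > MAX_SIGNATURE_AGE_DAYS:
        findings.append("anti-malware / IPS signatures stale")
    if asset.last_patched is None or (as_of - asset.last_patched).days > MAX_PATCH_AGE_DAYS:
        findings.append("patching overdue")
    return findings


def prioritise(inventory: List[Asset]) -> List[Tuple[int, str, str]]:
    """Every finding across the inventory, highest-value asset first."""
    rows = [(a.value, a.name, f) for a in inventory for f in assess(a)]
    return sorted(rows, key=lambda r: (-r[0], r[1], r[2]))


if __name__ == "__main__":
    for value, name, finding in prioritise(INVENTORY):
        print(f"${value:>10,}  {name:<14} {finding}")
```

The $3,000 file server tops the list because of the 20 person-years of code on it, not its hardware price, which is exactly the distinction the article draws; the unmanaged CRM box follows with five findings of its own. Swapping the constructed checks for lines taken from a published hardening checklist, and the constructed inventory for your own, turns this into the frequent self-assessment the article recommends.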
7) Test business continuity and disaster recovery planning
Business continuity, in layman's terms, means "keeping the lights on," while disaster recovery means "what do we do when the lights go out" and we need them to stay on.
You should perform tests against your business continuity and disaster recovery plans as often as reasonably possible, no less than once per year and as frequently as four times per year.
Doing it off-hours such as on a Sunday evening might be best so that you don't disrupt the operations of your organization. The best way to create your first BCP/DRP is to think up a list of "what if" scenarios.
You can make this fun and interesting for your IT fellows by asking them to come up with a list that's at least 10 times longer than my sample list that follows. Whoever comes up with the longest credible "what if" list should win a prize. Some of the tests you should perform include the following:
What if:
a) the power went out
b) the router went down
c) the phone system went down
d) the Internet went down
e) a critical server went offline
f) a hard drive became corrupt
g) an application crashed
h) a malware outbreak occurred on your network
i) the heating/air-conditioning system stopped working
j) a natural disaster occurred
k) the flu spread throughout your organization
I'm sure you can think of other problems that might disrupt your organization. Write these all down. In the COBIT and ISO 27001/17799 models, you'll find a wealth of information about BCP and DRP planning. See if there is anything you missed that you think would affect your operations.
Do you have a cold, warm or hot backup site in case of a critical emergency? If not, you should start planning one. If you can't afford one, could you create a 'virtual' office telecommuting situation where your organization could continue to operate virtually until you've resolved your emergency situation?
Making 2007 a Great Year for IT
Knowing we are under constant attack and risk, now is the best time to begin implementing these seven best practices for network security in 2007. Hackers, malicious insiders and cyber-criminals have had their field day in 2006 - hijacking our corporate LANs and placing most organizations at risk of being out of compliance, tarnishing our brands, reducing our productivity and employee morale - placing most of us in the passenger seat on a runaway Internet. By taking a more proactive approach, setting measurable goals and documenting your progress along the way, you might find yourself in the driver's seat of IT security in 2007.
Gary S. Miliefsky is founder and CTO of NetClarity, Inc., and a founding member of the U.S. Department of Homeland Security.