Don't take shortcuts when it comes to security
For more than a year now, you've heard the buzz about "Homeland Security," "cyberterrorist attacks," and speedy Internet worms such as Code Red, Nimda and January's SQL Slammer. After sober reflection, you've decided it's time to ensure the security of your business' computer network.
Here's what many businesses do next: buy a firewall or two, maybe improve the physical security around their computers and perhaps update their anti-virus software. Wham, bam, done. The network is now "secured," right?
My recommendation is that you'll get much better security results for a much better price if you walk through three processes before you buy a firewall:
1. Analyze your business requirements
2. Assess the risks
3. Write a corporate security policy
These processes are often outsourced. But if you want to get the most value from a consultant or save the consulting fees altogether, you can follow the guidelines below to ensure your security investment pays dividends.
Analyze your business requirements
During this phase, you discover what the business requires to accomplish its mission, then dig deeper and figure out how those requirements can be met. Beware: the hard part is distinguishing wants from needs.
Ask questions like, "Sure, every employee wants Internet access, but does everyone here need it to accomplish our business mission?" In this phase, you try to list every activity your business has to do in order to do business well. This list will steer you away from a security solution that hinders employees from doing their jobs.
Assess the risks
This phase (also called vulnerability analysis or threat assessment) is where you identify the value of the things you want to protect. These include highly tangible things (Web sites, personnel records, product plans), as well as the less tangible (corporate image, branding, credibility).
Postulate threats, assess vulnerabilities and decide if the cost of protection is worth the benefit. This phase will prevent you from spending $50,000 on security to protect $25,000 worth of assets.
If quantifying "risk" is new to you, here's a quick primer: Risk = threat x vulnerability.
Risk (the expected damage to your business from a given threat) is estimated as the damage that threat could do, multiplied by the vulnerability (the likelihood that the threat will actually be realized against you). Practitioners more often write the same thing as impact x likelihood; the arithmetic is identical.
If either factor is zero, the risk is zero: a threat that cannot hurt you, or one you are not exposed to, costs nothing. Professional risk assessment, then, spends much of its effort identifying and listing the threats, because you cannot score a threat you have not listed.
For computer network security, the threat vectors include outsider attack from the Internet; outsider attack from a telephone or modem; insider attack from a local network; attack from a malicious virus and so on. If you feel you can't think of all the threats, take a look at http://www.antionline.com/fight-back/ for a list. You can also find statistics on the likelihood of computer crimes at http://online.securityfocus.com/library/category/63.
Think like a hacker: if I wanted to attack my organization, how would I do it? Concentrate on known and probable threats.
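To show the primer doing real work, here is a small risk register that scores each asset with the article's formula, ranks the assets, and applies the "$50,000 to protect $25,000" test to a proposed control. This is an added example, not code from the article; the asset names, dollar impacts, likelihoods and control costs are constructed figures chosen for illustration, not measured data.

```python
"""Toy risk register implementing the article's Risk = threat x vulnerability primer.

Added example with constructed figures: the asset names, dollar amounts and
likelihoods below are assumptions, not data from the article.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Threat:
    name: str
    impact: float       # damage if the threat is realized, in dollars (the "threat" factor)
    likelihood: float   # chance per year that it is realized, 0.0-1.0 (the "vulnerability" factor)

    def risk(self) -> float:
        """Expected annual loss from this one threat."""
        return self.impact * self.likelihood


@dataclass
class Asset:
    name: str
    threats: list[Threat] = field(default_factory=list)

    def risk(self) -> float:
        """Expected annual loss across every threat listed against this asset."""
        return sum(t.risk() for t in self.threats)


def rank_by_risk(assets: list[Asset]) -> list[str]:
    """Asset names, highest expected loss first: the order in which to spend."""
    return [a.name for a in sorted(assets, key=lambda a: a.risk(), reverse=True)]


def control_is_worth_it(asset: Asset, control_cost: float, risk_reduction: float) -> bool:
    """The article's $50,000-to-protect-$25,000 test.

    risk_reduction is the fraction (0.0-1.0) of the asset's expected loss the
    control removes. The control pays for itself only when the loss it avoids
    exceeds its cost; both are annual figures so the units agree.
    """
    avoided_loss = asset.risk() * risk_reduction
    return avoided_loss > control_cost


def build_register() -> list[Asset]:
    """Constructed register covering the article's threat vectors."""
    return [
        Asset("public Web site", [
            Threat("worm defaces site (Internet)", impact=20_000, likelihood=0.5),
            Threat("denial of service (Internet)", impact=8_000, likelihood=0.25),
        ]),
        Asset("personnel records", [
            Threat("insider copies files (local network)", impact=40_000, likelihood=0.125),
            # The modem pool was removed, so the dial-in vector has zero likelihood
            # and the formula correctly scores it as zero risk.
            Threat("dial-in attack (modem)", impact=40_000, likelihood=0.0),
        ]),
        Asset("product plans", [
            Threat("targeted theft by competitor", impact=200_000, likelihood=0.0625),
        ]),
    ]


if __name__ == "__main__":
    register = build_register()
    for asset in register:
        print(f"{asset.name:20s} expected annual loss ${asset.risk():,.0f}")
    print("spend first on:", rank_by_risk(register)[0])
    web = register[0]
    print("$50,000 upgrade for the Web site worth it?",
          control_is_worth_it(web, control_cost=50_000, risk_reduction=0.9))
    print("$5,000 patching regime for the Web site worth it?",
          control_is_worth_it(web, control_cost=5_000, risk_reduction=0.9))
```

Two things the numbers make visible that the prose does not: a very high-impact threat with a small likelihood (the product plans) can outrank the noisy Internet threats, and a control that removes most of an asset's risk can still be a bad buy when it costs more than the loss it avoids.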
Write a corporate security policy
Most businesses skip this phase. I urge you not to, for many reasons.
The biggest wild card in computer security is the end user. A corporate computer-use policy paves the way for training and restraining the user. For example: A senior reporter left a local newspaper and shortly thereafter, the newspaper had trouble because the competition consistently beat it on their scoops. An investigation of the firewall logs revealed that the former employee had been consistently accessing the company's computer to get ideas for stories at his new employer.
Why was this possible? Because the newspaper had no policy requiring the termination of user-ID and password privileges for ex-employees. For more real-world nightmares caused by lack of a security policy, check out http://secinf.net/info/policy/realworld.htm.
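The newspaper found the problem by reading firewall logs after the damage was done. The same check can run routinely: cross-reference authentication logs against HR's offboarding list and report any account that still authenticates after its owner's last day. This is an added example, not code from the article or from any particular firewall product; the log format, account names and dates are constructed, so parse_line() will need adapting to whatever your gateway actually writes.

```python
"""Cross-check authentication logs against the offboarding list.

Added example, not from the article. The log format and the names are
constructed; real firewall or VPN logs differ, so adapt parse_line().
"""
import re
from datetime import date, datetime

# Constructed HR offboarding list: account -> last day of employment.
TERMINATED = {
    "jsmith": date(2003, 2, 14),
    "mlee": date(2003, 3, 1),
}

# Constructed syslog-style authentication records from a firewall/VPN gateway.
SAMPLE_LOG = """\
2003-02-10 08:12:01 fw1 auth user=jsmith src=10.1.4.25 result=success
2003-02-20 23:41:09 fw1 auth user=jsmith src=203.0.113.7 result=success
2003-02-21 07:15:33 fw1 auth user=bjones src=10.1.4.31 result=success
2003-03-02 19:05:12 fw1 auth user=mlee src=203.0.113.7 result=failure
2003-03-03 02:30:00 fw1 auth user=mlee src=203.0.113.7 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ auth "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Return (timestamp, user, src, result), or None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, m.group("user"), m.group("src"), m.group("result")


def post_termination_events(log_text, terminated):
    """Every authentication event by a terminated account after its last day.

    A success means the account was never disabled (the newspaper case). A
    failure still means the account exists and someone is trying it, so both
    are reported with the outcome attached. Activity on the last day itself is
    not flagged; tighten the comparison if your policy cuts access at noon.
    """
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, src, result = parsed
        last_day = terminated.get(user)
        if last_day is not None and ts.date() > last_day:
            findings.append({"user": user, "when": ts, "src": src, "result": result})
    return findings


def accounts_still_active(log_text, terminated):
    """Terminated accounts that still authenticate successfully: disable these first."""
    return sorted({f["user"] for f in post_termination_events(log_text, terminated)
                   if f["result"] == "success"})


if __name__ == "__main__":
    for f in post_termination_events(SAMPLE_LOG, TERMINATED):
        print(f"{f['when']} {f['user']} from {f['src']}: {f['result']}")
    print("accounts to disable now:", accounts_still_active(SAMPLE_LOG, TERMINATED))
```

Run it as a scheduled job fed by the previous day's logs and the current HR list, and the policy requirement ("terminate user IDs and passwords on departure") gets a daily check instead of a post-mortem.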
Write a policy, but don't do it alone. Select a policy development team made up of people who work with your network and the Internet, but come from different functional areas of the company.
Each manager in your company has a unique view of the needs and the risks. You need people who know something about the technology, but also some who know about business. Include some people from the trenches, too. There is nothing less useful than a painstakingly documented security policy that, when implemented, makes the shipping department unable to track packages.
Here's the great part: You can shortcut this process drastically. On the Internet, 90 percent of the possible threats are the same for everyone. The Code Red worm doesn't distinguish between the widget company and a nonprofit organization promoting literacy.
All those security holes in Microsoft Outlook and Internet Explorer don't become more or less dangerous depending on who you are. The vast majority of possible threats you face are identical to the threats every other company faces.
This means that you can copy a lot from sample or existing policies. Where can you get these samples? Start here: http://www.sans.org/resources/policies.
Tailor them for your organization using common sense, adjusting by some fudge factor that takes into account things such as likelihood of a targeted versus random attack, the cost to secure and so on.
For example, a site like www.CIA.gov can expect more intentional attacks than you. An e-commerce site should add extra reinforcement to the server that holds customer credit card records, because that is the company's crown jewels. Leveraging existing policies will not only save you time, but will also help ensure that your list is complete.
Start your policy with an introduction that states what you are protecting and how. It should contain a general, or top-level, policy. Other documents might include the incident response procedures (a.k.a. "What We Do If We're Hacked"), acceptable use policies ("Eliminating Employee Abuse of E-mail or Web Privileges") and system administration procedures.
In addition, your policy must state how to change the policy, how often it will be reviewed and by whom.
The Introduction then becomes your "to do" list. The first thing to do is assign people to write the drafts. Next to each section, you write, "To Be Written By ." The responsible individuals write the individual documents, the group reviews them and management approves and implements them.
Strategy empowers tactics
You've addressed a lot of security issues that technology cannot resolve, such as employees who send one another inappropriate e-mails. Now you can feel confident that you're getting the most from your investment in security technology.
You've likely learned that your marketing efforts are more powerful when you have a strategy, not merely a random grab bag of tactics. Security works the same way.