This is a big subject, and the detail could easily fill several
books. Here I am going to discuss (very briefly) some of the ingredients that
should be used to protect most corporate networks.
Some of these get forgotten about, so, "Calling all Sysadmins
and Security Managers!", it is worth checking this list to see if you have
the appropriate controls in place.
People enforcing Security
The first thing you need is reliable and trustworthy people in the
IT Security team.
These people need a good understanding of the risks and
vulnerabilities.
I would also say that one of the most important attributes is that
these enforcers of security need to be process-driven. A lot of the ingredients
outlined below are repetitive processes and procedures, checks and balances.
Some of them become boring after a while (backups and patch management, for
example), but thoroughness and attention to detail are key.
Physical Security
This is the second thing you need. If you don't have security in
the physical world, it doesn't matter how many processes, procedures, and
technical controls you put in place. No point deploying all the things we
discuss below if criminals can simply walk in off the street and walk out with
your server under their arm, or if a fire burns down your building because your
extinguishers don't work, or you didn't detect the fire.
Review your physical security. If you were a criminal, how would
you steal some of the company's equipment or data? What disasters could happen,
what would be the impact and what controls can be put in place for reasonable
cost?
Key things to think about:
· Building Access Control
· IT area Access Control
· Laptop, iPhone/Blackberry theft
· Fire, flood, hurricanes, earthquakes, pestilence and plague
· Power outages
Laptop encryption
Though a technical control, I would consider laptop hard-disk
encryption part of your physical controls. What you are protecting the data
from is someone having physical access to a stolen laptop. If you don't have
HDD encryption, gaining access to the data on a laptop is trivial: the disk can
simply be removed and read from another machine.
Operating system login controls do NOT protect the data on the
hard-disk from being accessed. If you want to protect the data on laptops you
must have hard-disk encryption.
Backups
This is fundamental data security. If you don't have effective and
USABLE backups of your data, you basically don't have any data security.
Treat all data and systems as transient and temporary: every piece of
hardware will fail eventually, and upgrades, configuration changes and user
errors can easily wipe out your precious data.
These days, a vast amount of the "value" of a company is
in the data it holds. Many companies would fail as a business if their IT
systems were not available for a week.
Regularly review and test your backups, and have reliable off-site
storage for your data.
Also remember that just because you can recover files from a
tape does not mean it will be quick, easy, or even possible to get that data
back into your live systems.
I have had experience of situations where backup data was on
tape, but it was not possible to recover it into the live environment because of
the time involved, or because of complex database replication issues. Bear
these issues in mind, and practise data recovery.
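One concrete form of "regularly review and test your backups" is to record a checksum manifest at backup time and verify every restore against it, so that a damaged tape is discovered during a drill rather than during an outage. The following is an added example, not code from the original post; it builds a small constructed directory tree under a temporary folder, takes a manifest, then verifies one intact restore and one deliberately damaged restore.

```python
"""Verify that a restored copy of a backup matches the original, file by
file, using a SHA-256 manifest written at backup time. Added example, not
code from the original post; it builds a small constructed directory tree
under a temporary folder so it can run offline."""

import hashlib
import os
import shutil
import tempfile


def sha256_of_file(path):
    """Stream the file through SHA-256 so large backup files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative path) to its SHA-256 digest.
    Write this out alongside the backup and keep a copy off-site with it."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_of_file(full)
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest. Returns a sorted list of
    (problem, relative_path) tuples; an empty list means the restore is
    complete and byte-for-byte intact."""
    problems = []
    restored = build_manifest(restored_root)
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(("missing", rel))
        elif restored[rel] != digest:
            problems.append(("corrupt", rel))
    for rel in restored:
        if rel not in manifest:
            problems.append(("unexpected", rel))
    return sorted(problems)


def demo():
    """Constructed scenario: back up a tree, restore it twice (once intact,
    once with a truncated file and a lost file) and verify both restores."""
    work = tempfile.mkdtemp(prefix="backup-demo-")
    try:
        src = os.path.join(work, "live")
        os.makedirs(os.path.join(src, "db"))
        with open(os.path.join(src, "db", "orders.sql"), "w") as f:
            f.write("INSERT INTO orders VALUES (1, 'widget');\n" * 50)
        with open(os.path.join(src, "config.ini"), "w") as f:
            f.write("[app]\nmode=production\n")

        manifest = build_manifest(src)
        good = shutil.copytree(src, os.path.join(work, "restore-good"))
        bad = shutil.copytree(src, os.path.join(work, "restore-bad"))
        # Simulate a tape that came back damaged: one file truncated, one lost.
        with open(os.path.join(bad, "db", "orders.sql"), "w") as f:
            f.write("INSERT INTO orders VALUES (1, 'widget');\n")
        os.remove(os.path.join(bad, "config.ini"))

        return verify_restore(manifest, good), verify_restore(manifest, bad)
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    good_problems, bad_problems = demo()
    print("intact restore:", good_problems or "OK")
    print("damaged restore:", bad_problems)
```

A clean manifest comparison only proves the bytes came back; it says nothing about whether the application can actually use them (database replication state, for instance), which is why the restore drill still has to go as far as bringing the service up on the restored data.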
Documentation and change control
These often get forgotten about or done poorly, especially in
small to medium businesses. If you don't have documentation, how are you going
to put things back together "WHEN" they break? Is your documentation
secure, structured, backed-up and stored off-site?
Change control is there to help the documentation update process,
and protect you from breaking your own systems.
Additionally, this helps to communicate changes to extended teams
and end-users. You don't have to have full ITIL processes, but you do need
appropriate processes to offer the correct level of protection for your
business.
Apply the appropriate level of change control. This will often be a
little more than you feel you have time for, but do it anyway, because it will
save time in the long run.
Firewalls
This is the cornerstone of logical security on the network. Rules
need to be regularly reviewed. Port scanning and network scanning should be
performed to ensure that the rule set is correctly enforced, and that there are
no accidental loop-holes or inappropriate access.
Don't forget that outbound rules are just as important as inbound
rules, especially given the increase in client-side attacks over recent years.
It is as important to protect your DMZs and backend systems from
potentially compromised systems on the LAN as it is to protect them from the
outside.
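One way to turn "port scanning should be performed to ensure that the rule set is correctly enforced" into a repeatable check is to keep the intended policy in writing and diff every scan against it. The block below is an added example, not code from the original post: the host names, the policy and the scan summary are constructed, and the summary format is a simplified one-line-per-port form rather than any particular scanner's output. The same check run from inside the LAN, with a different policy, covers the outbound and DMZ-from-LAN direction the text mentions.

```python
"""Compare a scan of actually-open ports against the intended firewall
policy and report discrepancies. Added example; the policy and scan data
below are constructed, not taken from any real network."""

# Intended policy: for each host, the TCP ports that SHOULD be reachable from
# the segment the scan was run from (here: the Internet side).
EXPECTED_OPEN = {
    "dmz-web-1": {80, 443},
    "dmz-mail-1": {25, 587},
    "internal-db-1": set(),        # nothing should be reachable from outside
}

# Constructed scan summary, "host port/state" per line. dmz-web-1 exposing 22
# and internal-db-1 exposing 3306 are loop-holes; dmz-mail-1 587 being
# filtered means a service that should be reachable is not.
SCAN_RESULT = """\
dmz-web-1 22/open
dmz-web-1 80/open
dmz-web-1 443/open
dmz-web-1 8080/closed
dmz-mail-1 25/open
dmz-mail-1 587/filtered
dmz-mail-1 443/filtered
internal-db-1 3306/open
"""


def parse_scan(text):
    """Return {host: set(open ports)} from the constructed scan summary."""
    open_ports = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        host, port_state = line.split()
        port, state = port_state.split("/")
        if state == "open":
            open_ports.setdefault(host, set()).add(int(port))
    return open_ports


def compare_to_policy(expected, observed):
    """Return two dicts: ports open that should not be (loop-holes) and
    ports expected to be open that are not (possibly broken services).
    Hosts in the policy but absent from the scan count as fully closed."""
    unexpected = {}
    missing = {}
    for host, should_be_open in expected.items():
        actually_open = observed.get(host, set())
        extra = actually_open - should_be_open
        absent = should_be_open - actually_open
        if extra:
            unexpected[host] = sorted(extra)
        if absent:
            missing[host] = sorted(absent)
    # A host that appears in the scan but not in the policy is itself a
    # finding: nobody has written down what it is allowed to expose.
    for host, ports in observed.items():
        if host not in expected and ports:
            unexpected[host] = sorted(ports)
    return unexpected, missing


if __name__ == "__main__":
    unexpected, missing = compare_to_policy(EXPECTED_OPEN, parse_scan(SCAN_RESULT))
    for host, ports in unexpected.items():
        print(f"LOOP-HOLE  {host}: ports {ports} reachable but not in policy")
    for host, ports in missing.items():
        print(f"NOT OPEN   {host}: ports {ports} expected but not reachable")
```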
Anti-Virus
All systems should have appropriate virus protection.
Are the AV definitions up-to-date on all your systems? If not,
then this protection is not effective, and arguably useless.
Choose a good vendor, as there are vast differences in the
regularity of updates, and the scope of protection. Some of the largest IT
Security vendors have products that are surprisingly weak. Review third-party
comparisons and choose appropriately.
Email and Web content filtering proxies
These are the biggest and fastest vectors for malware and virus
infection. Choose good solutions, and update your policies regularly.
Block executable code on Email and Web proxies, because viruses
WILL get through. Most virus and malware detection is signature-based, which
means that new malware cannot be detected until it has already been seen in the
wild.
That in turn means that, somewhere in the world, systems have
already been infected hours before the Anti-virus companies can offer detection
signatures to their customers. If you get new malware before the signatures are
published, your AV tool will offer you no protection at all. Block exes on your
proxies.
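"Block exes" is only effective if the proxy decides what is executable from the bytes, not from the file name or the declared type, and if it looks inside archives. The block below is an added example of that decision logic, not code from the original post or from any proxy product; the attachment samples are constructed in memory, and the magic-number and extension lists are a starting set rather than a complete one.

```python
"""Classify an email attachment or web download as executable by inspecting
its content (magic bytes), its name, and, for zip archives, its members.
Added example, not code from the original post; the samples are constructed."""

import io
import zipfile

# Magic numbers of common executable formats, checked before anything else:
# a renamed file ("invoice.pdf.exe" displayed as "invoice.pdf", or a .exe
# sent as "report.txt") still starts with the same bytes.
EXECUTABLE_MAGIC = {
    b"MZ": "Windows PE (exe/dll/scr)",
    b"\x7fELF": "ELF (Linux/Unix executable)",
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit (little-endian)",
    b"\xca\xfe\xba\xbe": "Mach-O universal / Java class",
}

# Extensions Windows will run directly; a second, name-based check.
EXECUTABLE_EXTENSIONS = {
    "exe", "dll", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "jse",
    "wsf", "hta", "msi", "ps1", "cpl",
}

ZIP_MAGIC = b"PK\x03\x04"
MAX_ARCHIVE_DEPTH = 3   # nested zips beyond this are blocked unopened


def classify_attachment(filename, data, depth=0):
    """Return (verdict, reason); verdict is 'block' or 'allow'."""
    for magic, desc in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return "block", f"content is {desc}"
    # Last extension only: that is what Windows uses to decide how to open it,
    # and it catches the "invoice.pdf.exe" double-extension trick.
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    if ext in EXECUTABLE_EXTENSIONS:
        return "block", f"file name ends in .{ext}"
    if data.startswith(ZIP_MAGIC):
        if depth >= MAX_ARCHIVE_DEPTH:
            return "block", "archive nested too deeply to inspect"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.infolist():
                    if member.is_dir():
                        continue
                    verdict, reason = classify_attachment(
                        member.filename, zf.read(member.filename), depth + 1)
                    if verdict == "block":
                        return "block", f"archive member {member.filename}: {reason}"
        except (zipfile.BadZipFile, RuntimeError):
            # Corrupt or password-protected archive: it cannot be inspected,
            # so it cannot be allowed through either.
            return "block", "archive could not be inspected"
    return "allow", "no executable indicators"


def constructed_samples():
    """A few constructed attachments: none of these is a real program."""
    pe_bytes = b"MZ" + b"\x90" * 62          # DOS-header prefix only
    pdf_bytes = b"%PDF-1.4\n%constructed sample\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "nothing to see")
        zf.writestr("docs/setup.exe", pe_bytes)
    return {
        "quarterly.pdf": pdf_bytes,
        "invoice.pdf.exe": pdf_bytes,   # executable name, harmless bytes
        "report.txt": pe_bytes,         # harmless name, executable bytes
        "bundle.zip": buf.getvalue(),   # executable hidden inside an archive
    }


if __name__ == "__main__":
    for name, data in constructed_samples().items():
        verdict, reason = classify_attachment(name, data)
        print(f"{verdict:5}  {name:16}  {reason}")
```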
Patch Control
This is often a problem area for many companies. It is
time-consuming for IT Departments, can introduce new problems, and is largely
hidden from the rest of the business as a "benefit".
However, the risks are high, and unpatched systems are easily
compromised by attackers and viruses.
Regularly patch both operating systems and applications. Put in
place a regular patch management program, and produce metrics to monitor how
up-to-date your systems are.
Don't just rely on WSUS to tell you that your systems are
up-to-date: scan your subnets with a vulnerability scanner, and don't forget
about non-Microsoft systems.
Don't forget about applications on Servers or Clients. Out-of-date
client software, such as old versions of Microsoft Office or Adobe Acrobat
Reader, can be big weaknesses.
Vulnerability scanning
This assists your patch management and configuration management
processes.
You may think you have all your systems up-to-date, but unless you
have done some vulnerability scanning and analysis, you are probably wrong.
Vulnerability scanners can be expensive, but they can also be free
(OpenVAS for example). Regularly scan your systems, and review the scans to
remove false positives and act when systems have real vulnerabilities.
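The two preceding sections ask for patch metrics and for scan results with the false positives reviewed out. The block below is an added example that serves both, not code from the original post or from any scanner: it takes constructed scanner output, applies a false-positive list whose entries carry an owner and an expiry date (so an old exception is re-reviewed rather than silently trusted forever), and produces per-host and fleet-wide numbers. The host names and the FIND-nnnn finding ids are placeholders, and the input format is a simplified tab-separated one.

```python
"""Turn raw vulnerability-scan findings into patch-status metrics after
applying a reviewed, expiring false-positive list. Added example; hosts,
finding ids and the scan format are constructed placeholders."""

from collections import defaultdict
from datetime import date

# Constructed scanner output, tab separated:
# host, platform, finding id, severity, short title.
SCAN_FINDINGS = """\
fs-01\twindows\tFIND-0001\thigh\tMissing OS security update
fs-01\twindows\tFIND-0044\tmedium\tOutdated PDF reader
app-02\tlinux\tFIND-0102\thigh\tOutdated web server package
app-02\tlinux\tFIND-0103\tlow\tBanner reveals version
db-03\tlinux\tFIND-0102\thigh\tOutdated web server package
ws-17\twindows\tFIND-0001\thigh\tMissing OS security update
ws-17\twindows\tFIND-0205\thigh\tOutdated office suite
ws-18\twindows\tFIND-0044\tmedium\tOutdated PDF reader
"""

# Reviewed false positives: host, finding, who accepted it, and when it
# expires so it gets looked at again instead of being forgotten.
FALSE_POSITIVES = [
    # db-03 runs no web server; the scanner keys on a version string in a
    # shared library. Still re-reviewed on expiry.
    {"host": "db-03", "id": "FIND-0102", "owner": "sysadmin", "expires": date(2099, 1, 1)},
    # A lapsed exception: it must no longer suppress anything.
    {"host": "ws-18", "id": "FIND-0044", "owner": "sysadmin", "expires": date(2000, 1, 1)},
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


def parse_findings(text):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, platform, fid, sev, title = line.split("\t")
        rows.append({"host": host, "platform": platform, "id": fid,
                     "severity": sev, "title": title})
    return rows


def apply_false_positives(findings, fp_list, today):
    """Drop findings covered by an unexpired exception. Returns the kept
    findings and the expired exceptions (which need re-review)."""
    active = {(fp["host"], fp["id"]) for fp in fp_list if fp["expires"] > today}
    expired = [fp for fp in fp_list if fp["expires"] <= today]
    kept = [f for f in findings if (f["host"], f["id"]) not in active]
    return kept, expired


def patch_metrics(findings, scanned_hosts, inventory):
    """Fleet view: hosts the scan never reached (an asset-list gap, not a
    clean host), worst severity per scanned host, share of scanned hosts with
    no high-severity finding, and the most widespread findings."""
    not_scanned = sorted(set(inventory) - set(scanned_hosts))
    worst = {h: 0 for h in scanned_hosts}
    spread = defaultdict(set)
    for f in findings:
        worst[f["host"]] = max(worst[f["host"]], SEVERITY_RANK[f["severity"]])
        spread[f["id"]].add(f["host"])
    clean = sum(1 for h in scanned_hosts if worst[h] < SEVERITY_RANK["high"])
    return {
        "hosts_scanned": len(scanned_hosts),
        "hosts_not_scanned": not_scanned,
        "hosts_without_high": clean,
        "pct_without_high": round(100.0 * clean / len(scanned_hosts), 1),
        "worst_by_host": worst,
        # (number of hosts affected, finding id), most widespread first
        "top_findings": sorted(((len(h), fid) for fid, h in spread.items()), reverse=True),
    }


def run_report(today=date(2024, 6, 1)):
    findings = parse_findings(SCAN_FINDINGS)
    scanned = sorted({f["host"] for f in findings})
    # The inventory comes from the asset list, not the scanner; ws-19 is a
    # constructed host that was switched off while the scan ran.
    inventory = scanned + ["ws-19"]
    kept, expired = apply_false_positives(findings, FALSE_POSITIVES, today)
    return patch_metrics(kept, scanned, inventory), expired


if __name__ == "__main__":
    metrics, expired = run_report()
    for key, value in metrics.items():
        print(f"{key}: {value}")
    for fp in expired:
        print(f"expired exception, re-review: {fp['host']} {fp['id']} ({fp['owner']})")
```

The "top findings" list is the patching to-do list in priority order: fixing the finding present on the most hosts moves the fleet metric the furthest, which is the kind of number that makes patching visible to the rest of the business.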
Intrusion detection
Detecting attacks, in both the physical and logical worlds, is
important.
This may not be a standalone system. It may be built into your
corporate firewall, or firewalls on individual systems, or part of your
Antivirus tool.
I would recommend deploying dedicated intrusion detection in many
cases. This can be done relatively cheaply (with something like Snort).
Review logs and alerts, as there is no point spending money and
time setting up monitoring systems if you don't act on the alerts when they
happen.
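Reviewing alerts becomes sustainable when the raw stream is first folded into a short daily sheet: which signatures fired, which outside sources are probing most widely, and, most urgently, which LAN hosts are the source of a high-priority alert. The block below is an added example, not code from the original post or from Snort itself; the alert lines are constructed in the style of Snort's one-line "fast" alert output, and the addresses, signature ids and the internal address range are placeholders.

```python
"""Triage a batch of IDS alerts into a daily review sheet. Added example,
not code from the original post or from Snort; the alert lines are
constructed in the style of Snort's 'fast' output with placeholder values."""

import re
from collections import Counter, defaultdict

ALERTS = """\
06/01-09:12:01.000001  [**] [1:1000001:1] LOCAL SSH brute force attempt [**] [Classification: Attempted Admin] [Priority: 1] {TCP} 203.0.113.7:51022 -> 192.0.2.10:22
06/01-09:12:03.000002  [**] [1:1000001:1] LOCAL SSH brute force attempt [**] [Classification: Attempted Admin] [Priority: 1] {TCP} 203.0.113.7:51023 -> 192.0.2.10:22
06/01-09:15:44.000003  [**] [1:1000002:1] LOCAL Web scanner user-agent [**] [Classification: Attempted Recon] [Priority: 2] {TCP} 203.0.113.7:51100 -> 192.0.2.20:80
06/01-10:01:10.000004  [**] [1:1000003:1] LOCAL Outbound IRC connection from workstation [**] [Classification: Trojan Activity] [Priority: 1] {TCP} 192.0.2.55:49233 -> 198.51.100.9:6667
06/01-10:30:00.000005  [**] [1:1000004:1] LOCAL ICMP ping sweep [**] [Classification: Misc Activity] [Priority: 3] {ICMP} 192.0.2.3 -> 192.0.2.255
06/01-11:02:12.000006  [**] [1:1000002:1] LOCAL Web scanner user-agent [**] [Classification: Attempted Recon] [Priority: 2] {TCP} 198.51.100.40:40000 -> 192.0.2.20:80
"""

# timestamp, [gid:sid:rev], message, ..., [Priority: N] {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<sid>\d+:\d+:\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?$"
)

INTERNAL_PREFIX = "192.0.2."   # constructed LAN range for this example


def parse_alerts(text):
    """Parse every line that matches the fast-alert shape; skip the rest."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["prio"] = int(d["prio"])
            alerts.append(d)
    return alerts


def triage(alerts):
    """Group alerts into a review sheet: counts per signature, sources ranked
    by how many distinct signatures they triggered (breadth of probing), and
    internal hosts that are the SOURCE of a priority-1 alert, which is the
    'potentially compromised system on the LAN' case and goes to the top."""
    by_src = defaultdict(set)
    by_sig = Counter()
    internal_suspects = set()
    for a in alerts:
        by_sig[a["msg"]] += 1
        by_src[a["src"]].add(a["sid"])
        if a["src"].startswith(INTERNAL_PREFIX) and a["prio"] == 1:
            internal_suspects.add(a["src"])
    ranked = sorted(by_src.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return {
        "signature_counts": dict(by_sig),
        "sources_by_signature_diversity": [(s, len(sids)) for s, sids in ranked],
        "internal_hosts_with_priority1": sorted(internal_suspects),
    }


if __name__ == "__main__":
    sheet = triage(parse_alerts(ALERTS))
    print("Internal hosts to look at first:", sheet["internal_hosts_with_priority1"])
    for src, n in sheet["sources_by_signature_diversity"]:
        print(f"{src:16} {n} distinct signature(s)")
    for msg, n in sorted(sheet["signature_counts"].items(), key=lambda kv: -kv[1]):
        print(f"{n:4}  {msg}")
```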