Years ago, when my grandfather came home from work, he would set his black lunch box on the counter, empty the remains of his thermos, throw on some slippers, read the newspaper and watch old John Wayne movies until it was time to feed the dogs and head to bed. Those days are gone.
In the digital age, the line between personal and private, work and play, has become extremely blurred -- and that will forever impact network security. We have shifted from working hours to working moments with breaks in between to pick the crops in our virtual farm, trade players in fantasy leagues, and catch up with what our kids are doing on Facebook and Twitter. We have laptops, desktops, tablets and PDAs, and we want to use them all on the enterprise network.
As we've evolved in our digital use, so have hackers in their methods of attack. Back in the '80s we had self-replicating code, password guessing and password cracking. You really had to know what you were doing to do some damage. It reminds me of one of my favorite movies, "Hackers," where everyone had a cool hacker name and was considered legit if they could do some damage. Today there is easy access to a plethora of tools that allow one to easily craft packets to subvert some of the most complex security implementations. The truth is, we don't know what the next step will be, but we have ideas. We are constantly reacting.
Yet many attacks can be mitigated, not by security devices and configurations alone, but by educating staff members on enterprise security policy do's and don'ts.
Let's examine the structure of a security policy. Security policies have many moving parts. To begin with, you must identify what is being protected. Figure out your assets and your threats, and then devise a list of safeguards you can employ.
Once this has been accomplished you can devise a governing policy that addresses your various audiences -- users, management and even external audiences. Policies must inform them of rules, expectations and allowed behaviors. It's important to implement consequences -- such as the ability to monitor, probe, and investigate users who violate policy.
Governing policies come from the top and define the corporate position. Think of this as a high-level policy where the specifics will be defined in other, more focused policies. There are a number of policy categories that need to be addressed:
Technical policies: These policies define the responsibility of the security staff. They should include all forms of electronic communication, remote access, network policies and telephony rules.
End-user policies: These policies must be in plain English. We cannot assume that the general population knows what our technical terms mean. They don't care!
Tying it all Together: A good security policy is brought to realization with standards, guidelines and procedures. In my next post I will detail each aspect of these areas and how your headache will be minimized with a little thought and planning.
About the author:
Brandon Carroll, CCIE # 23837, is a full-time instructor with Ascolta with a focus in network security and business development. He is also the author of the GlobalConfig blog.