Network security threats vary by industry, but whether you work in financial services, manufacturing, education, government or healthcare, chances are that some best practices can help prevent security threats from bringing your business to its knees.
SearchNetworking.com recently canvassed readers to discover their worst security woes. We grouped the responses by industry, and security expert and author Michael Gregg responded to some of the most common concerns. Here, as in his new book "Hack the Stack," Michael offers some sage step-by-step solutions to help lock down the network, whatever your business sector.
INDUSTRY: Government / Military
THREAT: Wireless security
The primary threat in my line of work concerns the proper setup and security of wireless networks. With mobile data systems currently being deployed throughout local and state law enforcement, all types of data are being transmitted via wireless networks.
Local law enforcement is typically being forced to employ enhanced information-sharing practices, and with the rush to provide these services, the agencies are often restricted in the time and funding needed to protect this information. In short, information is being shared in a "just make it work" fashion, while the concept of securing the data is commonly ignored or minimized.
We provide network and security support services for local, state and federal law enforcement agencies, and we have seen many poorly deployed, wide-open wireless networks.
- Philip Propes, Program Director, IT
You bring up some really good points. What seems to be lacking here is overall control: some structure needs to be applied to overcome these problems. I suggest applying the following five-step approach.
Step 1 (risk assessment): Look at the organization's resources and determine their value (monetary or non-monetary). Analyze possible threats and calculate the likelihood of each threat being realized. Finally, examine the impact of those threats. The idea behind this first step is to determine what the organization has that is of value and what measures should be put in place to protect those assets.
Step 2 (policy): With an understanding of the value of specific assets and information, the organization can now start to develop policies that dictate how these assets are handled. In your policy, detail what controls must be used to protect critical assets. As an example, policy might dictate that you use encryption. With some guidelines in place, the organization can move to the next step.
Step 3 (implementation): Follow through and implement what is dictated in your policy. It's great to have a policy that dictates that all wireless access points must use WPA, but the policy is useless unless it is enforced.
Step 4 (training): Employees need to be trained to make sure they understand the new policies. Employees also need to be trained in good security practice. Although some may think the process stops here, there is actually one more step.
Step 5 (audit): The best policies in the world are useless if users don't comply with them. An audit is nothing more than a systematic evaluation of the security controls to see how well they conform to a set of established criteria.
I realize that this is a broad answer to your question, but the problem here is structural and will require the support of senior personnel.
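Steps 3 and 5 above (enforce the "all access points must use WPA" rule, then audit for compliance) are the ones a wireless scan can check directly. The following is an added example, not code from the article or from Michael Gregg's book: it parses a constructed scan in the style of Linux `iwlist` output, classifies each access point's encryption, and compares the result with a hypothetical inventory of sanctioned radios (`AUTHORIZED`, `PD-*` network names and the minimum of WPA are all assumptions). An access point whose BSSID is not in the inventory is reported as rogue even when it carries a sanctioned SSID, which is how a user-installed or impersonating radio shows up in practice.

```python
"""Wireless policy audit: parse a scan, classify encryption, compare with inventory.

Added example with hypothetical names and a constructed scan; not code from the article.
"""
import re
from collections import namedtuple

# Constructed sample in the style of `iwlist wlan0 scan` output on Linux,
# abbreviated to the fields the audit needs.
SCAN_OUTPUT = """\
wlan0     Scan completed :
          Cell 01 - Address: 00:11:22:33:44:01
                    ESSID:"PD-MOBILE"
                    Encryption key:on
                    IE: IEEE 802.11i/WPA2 Version 1
                        Group Cipher : CCMP
                        Pairwise Ciphers (1) : CCMP
                        Authentication Suites (1) : PSK
          Cell 02 - Address: 00:11:22:33:44:02
                    ESSID:"PD-GUEST"
                    Encryption key:off
          Cell 03 - Address: 00:11:22:33:44:03
                    ESSID:"PD-LEGACY"
                    Encryption key:on
          Cell 04 - Address: 00:11:22:33:44:04
                    ESSID:"PD-MDT"
                    Encryption key:on
                    IE: WPA Version 1
                        Group Cipher : TKIP
                        Pairwise Ciphers (1) : TKIP
                        Authentication Suites (1) : PSK
          Cell 05 - Address: 00:11:22:33:44:05
                    ESSID:"PD-MOBILE"
                    Encryption key:on
                    IE: IEEE 802.11i/WPA2 Version 1
                        Group Cipher : CCMP
                        Pairwise Ciphers (1) : CCMP
                        Authentication Suites (1) : PSK
"""

AccessPoint = namedtuple("AccessPoint", "bssid essid encryption")

# Ordering used to compare an observed access point against the policy minimum.
STRENGTH = {"OPEN": 0, "WEP": 1, "WPA": 2, "WPA2": 3}


def parse_iwlist(text):
    """Return one AccessPoint per 'Cell' block, classifying its encryption."""
    aps = []
    for block in re.split(r"\n\s+Cell \d+ - ", text)[1:]:
        bssid = re.search(r"Address: ([0-9A-Fa-f:]{17})", block).group(1).lower()
        essid = re.search(r'ESSID:"([^"]*)"', block).group(1)
        key_on = re.search(r"Encryption key:(on|off)", block).group(1) == "on"
        if not key_on:
            enc = "OPEN"
        elif re.search(r"IE: IEEE 802\.11i/WPA2", block):
            enc = "WPA2"
        elif re.search(r"IE: WPA Version", block):
            enc = "WPA"
        else:
            enc = "WEP"  # key on but no WPA/RSN information element: legacy WEP
        aps.append(AccessPoint(bssid, essid, enc))
    return aps


def audit(aps, authorized, minimum="WPA"):
    """Compare scan results with the inventory and the policy minimum.

    authorized: dict bssid -> essid of sanctioned access points (hypothetical).
    Returns {'compliant': [...], 'violations': [...], 'rogue': [...]}.
    """
    report = {"compliant": [], "violations": [], "rogue": []}
    for ap in aps:
        if ap.bssid not in authorized:
            report["rogue"].append(ap)        # unknown radio, even if it copies a known SSID
        elif STRENGTH[ap.encryption] < STRENGTH[minimum]:
            report["violations"].append(ap)   # sanctioned radio not meeting policy
        else:
            report["compliant"].append(ap)
    return report


AUTHORIZED = {  # constructed inventory: what should be on the air
    "00:11:22:33:44:01": "PD-MOBILE",
    "00:11:22:33:44:02": "PD-GUEST",
    "00:11:22:33:44:03": "PD-LEGACY",
    "00:11:22:33:44:04": "PD-MDT",
}

if __name__ == "__main__":
    result = audit(parse_iwlist(SCAN_OUTPUT), AUTHORIZED)
    for category, found in result.items():
        for ap in found:
            print(f"{category:10} {ap.bssid} {ap.essid:12} {ap.encryption}")
```

Raising the minimum to `"WPA2"` moves the TKIP-only `PD-MDT` radio from compliant to violation without touching the parser, which is the point of keeping the policy threshold as a parameter rather than a hard-coded string.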
INDUSTRY: Education
THREAT: Smart student hackers
Working at a school, we face the reality each day that the students have the ability to absorb the latest advances in technology faster than both the ICT support staff and the teaching staff. It is becoming increasingly difficult to keep up with the pace of security threats from enthusiast hackers. Keeping a locked-down network while allowing and encouraging freedom to learn is a huge challenge.
- Neil Cross, grammar school network administrator
Working with children can be rewarding but can also be a challenge. Responses in this category focused on a theme of how the staff is constantly challenged by a user base that is comfortable with technology and not afraid to push the boundaries. Administrators here are in a tough situation because students don't have the same reservations or fear of legal repercussions (or losing their job) that an adult has. Administrators are also dealing with a limited budget and staff who may not all have cutting-edge computer skills.
My best answer here is to apply the principle of least privilege: users should be able to run programs and use resources only as needed to complete their assigned duties, and nothing more. If the school is a homogenous Microsoft environment, administrators can use group policies to lock down systems so that only required activities can be performed. If needed, group policies can lock down the PC to the point where it cannot be shut down. Group policies offer many configuration options, depending on the needs of the specific users or the area in which the computer is to be used.
For schools in a mixed operating system environment or those using Novell, tools that protect computer systems from change or unauthorized software use are also valuable. DeepFreeze is an example of such software. DeepFreeze prevents users from making permanent changes to operating systems or applications. Other programs, such as Anti-Executable, offer additional protection to help restrict the programs that can be run or installed.
One additional step that must be performed is education and response. Schools need to take action against student hackers. Tampering with school computers is a serious crime and needs to be treated as such. Many schools are addressing this by reviewing the Ten Commandments of Computer Ethics with students and educating them about the potential penalties of computer crime. As more schools provide students with laptops, security education becomes even more important. Other resources to help teachers and administrators with this task include CyberCitizenship.org and Education World.
INDUSTRY: Financial / Insurance
THREAT: Deciding where to draw the line
The No. 1 security threat in any industry, as I see it, is the overzealous in-house data security team. These guys have no idea of "risk versus effort to secure" calculations and, if they had their way, would have all hard disks erased to make the environment as secure as possible -- the business be damned. They think they know best on policy and configuration, not taking into account WAN latency or resilience to any solution implemented.
- Mark Woods, manager, Technical Solutions
What was interesting about the entries in this category is that several of them seemed to focus on opposing sides of the debate over "how much security is enough and how you find a balance."
To address the above issue directly, I think one thing that could help get everyone on the same page is to have the organization go through a formal risk assessment. Here is a broad list of items that would need to be completed.
- Start with an inventory and compile a list of the organization's assets. There is no way you can secure the organization if you do not know what assets it has.
- Once the list is complete, the company should establish a risk assessment team. This team should start to examine all existing risks and categorize the types of threats that could affect the organization. The team should examine natural threats such as hurricanes, man-made threats such as terrorist attacks, and technical threats such as equipment failure.
- Next, the risk team can start to look at the cost of each of these contingencies and the probability of occurrence. This should make it easy for the team to bring high-risk, high-impact concerns to the top of the list. These calculations can be performed by either qualitative or quantitative means. Tools such as CRAMM and RiskWatch can be used to help automate this process.
After completing these steps, the team should be able to agree on what's considered high risk and work toward putting reasonable controls in place to secure these valuable assets. After all, the goal is to balance security and usability so that resources are secured while still providing the access needed to perform duties successfully.
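The cost-and-probability step above, and step 1 of the wireless answer earlier on this page, both come down to the same quantitative arithmetic: single loss expectancy (SLE) is asset value times exposure factor, and annualized loss expectancy (ALE) is SLE times the annual rate of occurrence. The following is an added example, not code from the article or from CRAMM or RiskWatch; the register entries, dollar figures and probabilities are constructed for illustration. It ranks threats by ALE and then puts a number on the "risk versus effort to secure" argument raised by the reader: a control is worth buying when the ALE it removes exceeds what it costs per year, and the "overzealous" case is simply a control that fails that test.

```python
"""Quantitative risk ranking and control justification.

Added example with constructed figures; not from the article or any assessment tool.
"""
from dataclasses import dataclass


@dataclass
class Threat:
    asset: str            # what is at risk
    asset_value: float    # AV: value of the asset, in dollars
    name: str             # the threat scenario
    exposure: float       # EF: fraction of the asset value lost per occurrence (0..1)
    annual_rate: float    # ARO: expected occurrences per year

    def sle(self):
        """Single loss expectancy: AV x EF."""
        return self.asset_value * self.exposure

    def ale(self):
        """Annualized loss expectancy: SLE x ARO."""
        return self.sle() * self.annual_rate


def rank(threats):
    """Highest ALE first: the list the risk team argues over."""
    return sorted(threats, key=lambda t: t.ale(), reverse=True)


def control_benefit(threat, residual_rate, annual_cost, residual_exposure=None):
    """Net annual value of a control: ALE before minus ALE after minus the control's cost.

    A control may lower how often the threat occurs (residual_rate), how much is
    lost when it does (residual_exposure), or both. A negative result means the
    control costs more than the risk it removes.
    """
    ef = threat.exposure if residual_exposure is None else residual_exposure
    ale_after = threat.asset_value * ef * residual_rate
    return threat.ale() - ale_after - annual_cost


def qualitative(likelihood, impact):
    """1-5 likelihood x 1-5 impact -> Low/Medium/High, for items with no dollar figures."""
    score = likelihood * impact
    if score >= 15:
        return "High"
    if score >= 6:
        return "Medium"
    return "Low"


# Constructed register; the figures are illustrative, not from any real assessment.
REGISTER = [
    Threat("Customer database", 2_000_000, "Disclosure via stolen laptop", 0.25, 0.5),
    Threat("Trading floor WAN link", 500_000, "Equipment failure", 0.10, 2.0),
    Threat("Data center", 5_000_000, "Hurricane", 0.60, 0.05),
    Threat("Web portal", 300_000, "Defacement", 0.05, 1.0),
]

if __name__ == "__main__":
    for t in rank(REGISTER):
        print(f"{t.ale():>12,.0f}  {t.asset:24} {t.name}")
    # Laptop disk encryption: losses still happen, but an encrypted disk exposes little.
    print("encryption:", control_benefit(REGISTER[0], 0.5, 60_000, residual_exposure=0.02))
    # Replacing WAN gear every year halves failures but costs more than the risk it removes.
    print("yearly WAN refresh:", control_benefit(REGISTER[1], 0.5, 200_000))
```

The qualitative scale is there for threats the team cannot price, such as reputational damage; the quantitative path should be used whenever a defensible dollar figure exists, because it is the only one that settles the "how much is enough" argument with a number both sides can check.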
INDUSTRY: Healthcare
THREAT: Data security
End-user security is our biggest challenge. Most of our end users have their workstations in open areas where co-workers as well as passers-by could conceivably extract data or intrude into the network. This could include hacking into the wireless networks recently established in many floors of our campus.
- Bill Woods
The clear concern for the healthcare industry is data security. The best place to start in this situation is with a privacy impact analysis (PIA). The purpose of the PIA is to look at different types of personal information handled throughout the business process. A PIA should determine the risks and effects of collecting, maintaining and distributing personal information in electronic systems. The PIA should also ensure that appropriate privacy controls exist. Existing controls should be examined to verify that accountability is present and that compliance is built in every time new projects or processes are set to come online.
The PIA is tied to three items:
- Technology: Any time you add new systems or make changes, you'll need to review the technology.
- Business processes: Business processes change, and even though your company may have a good change policy, the change management system may be overlooking personal information privacy.
- Business relationships: Companies change the organizations with which they do business. Any time business partners, vendors or service providers change, the impact of the change on privacy needs to be re-examined.
These issues are especially important within the healthcare industry because they fall under the Health Insurance Portability and Accountability Act (HIPAA). Per section 1177 of HIPAA: "If the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, a fine up to $250,000, or up to 10 years in prison, or both." That sentence alone should be enough to get anyone's attention.
INDUSTRY: Telecommunications
THREAT: Disgruntled employees
Our worst threat is disgruntled employees. The system administrators have the "keys to the kingdom" and with (massive) layoffs announced, several will be leaving -- most against their will. It only takes one ticked-off SA to wreak havoc.
- Former telecom services worker, currently unemployed
So often, companies are concerned only with outsider attacks. This thinking is unsound -- studies have shown that insiders are actually the bigger threat.
This is based on a concept known as "MOM," which stands for: motive, opportunity and means. Insiders have the means and opportunity to launch an attack, whereas outsiders may have only the motive. Stated another way, insiders have two of the three things needed for an attack. Add to this an event such as a layoff or reduction in force, and there can be real problems.
To address these issues, companies need to have good operational controls in place. This means that when employees are hired they are made to sign acceptable use policies (AUPs) so they clearly understand what is and is not allowed. Controls such as job rotation and mandatory vacations can be used to strengthen security. Also, employees should be given only the minimum access required for their jobs. It's interesting to note that Gartner has reported access creep, the gradual accumulation of rights as people change roles, to be a big problem for most companies. Finally, when employees leave the company, all access, including system accounts, remote access, keys, badges and physical access, should be terminated. Just applying a few controls can greatly increase the security of the organization.
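The minimum-access, access-creep and termination controls in the answer above, and the least-privilege principle from the school answer earlier on the page, are all checked by the same review: compare who holds what access against what their role needs and whether they still work here. The following is an added example, not code from the article; the role model, HR roster and per-system access dump are constructed and the user names are hypothetical. It reports orphaned access (held by people who have left or who HR has never heard of), access creep (current staff holding more than their role requires) and entitlements that belong to no role at all, and it lists terminations announced for the coming days so that account removal is scheduled rather than remembered.

```python
"""Access review: orphaned accounts, access creep and pending terminations.

Added example with constructed data and hypothetical user names; not from the article.
"""
from datetime import date, timedelta

# Constructed role model: the minimum access each job needs (least privilege).
ROLE_ENTITLEMENTS = {
    "sysadmin": {"unix-root", "vpn", "badge-datacenter", "email"},
    "helpdesk": {"vpn", "email", "ad-password-reset"},
    "billing": {"email", "billing-app"},
}

# Constructed HR roster. 'termination' is None for current staff.
HR_ROSTER = [
    {"user": "asmith", "role": "sysadmin", "termination": None},
    {"user": "bjones", "role": "sysadmin", "termination": date(2006, 3, 31)},
    {"user": "cwu", "role": "helpdesk", "termination": None},
    {"user": "dlee", "role": "billing", "termination": date(2006, 2, 15)},
    {"user": "fkim", "role": "helpdesk", "termination": date(2006, 4, 10)},
]

# Constructed dump of who currently holds which access, as pulled from each system.
ACCESS_DUMP = {
    "unix-root": {"asmith", "bjones", "cwu"},
    "vpn": {"asmith", "bjones", "cwu", "dlee", "fkim", "eroe"},
    "badge-datacenter": {"asmith", "bjones"},
    "email": {"asmith", "cwu", "dlee", "fkim"},
    "ad-password-reset": {"cwu", "fkim"},
    "billing-app": {"dlee", "cwu"},
    "old-crm": {"cwu"},
}

AS_OF = date(2006, 4, 1)  # the day the review is run


def review(roster, access, today):
    """Return (orphaned, creep, unmanaged).

    orphaned:  entitlements held by people whose termination date has passed or
               who have no HR record at all.
    creep:     entitlements held by current staff beyond what their role needs.
    unmanaged: entitlements present on systems but assigned to no role, so nobody
               owns the decision of who should have them.
    """
    by_user = {r["user"]: r for r in roster}
    held = {}
    for entitlement, users in access.items():
        for u in users:
            held.setdefault(u, set()).add(entitlement)
    orphaned, creep = {}, {}
    for u, ents in sorted(held.items()):
        rec = by_user.get(u)
        if rec is None or (rec["termination"] and rec["termination"] <= today):
            orphaned[u] = sorted(ents)
            continue
        extra = ents - ROLE_ENTITLEMENTS[rec["role"]]
        if extra:
            creep[u] = sorted(extra)
    known = set().union(*ROLE_ENTITLEMENTS.values())
    unmanaged = sorted(set(access) - known)
    return orphaned, creep, unmanaged


def pending_terminations(roster, today, days=14):
    """Staff whose announced termination falls within the next `days` days."""
    horizon = today + timedelta(days=days)
    return sorted(r["user"] for r in roster
                  if r["termination"] and today < r["termination"] <= horizon)


if __name__ == "__main__":
    orphaned, creep, unmanaged = review(HR_ROSTER, ACCESS_DUMP, AS_OF)
    print("orphaned access :", orphaned)
    print("access creep    :", creep)
    print("unmanaged rights:", unmanaged)
    print("leaving soon    :", pending_terminations(HR_ROSTER, AS_OF))
```

In the constructed data, `cwu` moved from systems administration to the help desk and kept root, which is the access-creep pattern the answer describes; `bjones` left on 31 March but still holds root, VPN and a data center badge, which is the disgruntled-administrator scenario the reader raised. Running this comparison on a schedule, and again on the day a layoff takes effect, is cheaper than discovering the gap afterwards.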
In closing, I would like to say that this was really a fun contest. Reading the contestants' entries made one thing perfectly clear: We all face common challenges. These findings highlight the need for communication. Talking to people in similar industries and fields is a good way to find best practices that can be used by your organization. You can meet these people at the many network and security events that take place each year -- Information Security Decisions, RSA Conference and others. Thanks to all who participated in this contest -- and stay secure!