“My department’s budget was slashed by 40% in response to the current economic crisis. Do I really need to implement those controls?” “That will never happen to us, what would a hacker want with my company?” “Thank you for the ideas, but we are simply going to accept the business risk of not locking down our IT environment.”
These are a small sample of the comments I regularly receive when consulting on IT security. Business risk profile and budget concerns play a large part in information security strategic planning for companies, but we often focus on all the reasons why we cannot improve instead of discovering the various ways a business can improve their IT security risk profile without investing large amounts of cash. This section of the Protect Your Business series will focus on a selection of perimeter and internal controls that can be implemented and layered to provide greater security for your business.
While there are numerous approaches I could delve into, I will only be discussing the following as related to IT security:
- Perimeter defense
- Internal controls
The most common defense at a network’s perimeter is the firewall. A properly configured firewall greatly reduces a network’s exposure to external threats; a firewall left in its default configuration does not. Many firewalls I see are running exactly as they came out of the box. Sure, you have a wall around your kingdom, but how many metaphorical doors, in the form of open network ports, have been left unlocked? The internet is the digital equivalent of the Wild West, and you wouldn’t want just anyone waltzing into your business. A common best practice for firewall configuration is to start with the firewall completely locked down: a default-deny policy that drops any inbound traffic not explicitly permitted. Then, after taking inventory of which applications must be reachable from outside the network, open only the ports those applications require, and record which application justifies each opened port so the rule can be defended at the next review. By allowing only necessary traffic in, you have limited external attack vectors (from a network perimeter perspective) to those few ports. The above step actually encompasses two important exercises:
- Locking down the firewall
- Taking inventory of applications requiring external network resources
This first item should be very low cost to implement, as most companies will already have a firewall in place. Many modern firewalls come with a feature set that allows you to customize firewall rules and provides complementary security features. However, some older firewalls might not provide the security and operational features that your business needs and thus might require an initial capital investment in a modern firewall along with the corresponding hardware and software maintenance plan.
The second item is very important. The phrase “You don’t know what you don’t know” might be familiar to some readers. It is dangerous to design your network security without knowing the environment you are protecting and the applications operating within it. Take the time to perform proper discovery of your IT environment (hardware and software), and document how the systems are connected and which enterprise goals they are supporting. Here are some questions you should be asking:
- Which applications are dependent on which servers and/or databases?
- Which firewall ports must be open for our applications to operate?
- Is our network topology documentation up to date? If not, verify that all communication paths are documented and that every piece of relevant hardware is accounted for.
- Is there a guest network? If so, is it properly segregated from our internal network?
Knowing this information ahead of time will empower you to properly plan your IT security strategy.
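The two exercises above, locking the firewall down and inventorying which applications need external access, are easy to get wrong in either direction: leave a vendor-default port open that nobody owns, or close a port an application depends on. The following Python script is an added example, not code from the original post or from any product; it compares a constructed application inventory against a constructed snapshot of the firewall's current inbound allow-list, reports the open-but-unjustified ports and the needed-but-blocked ports, and renders a default-deny nftables ruleset in which every accepted port carries the name of the application that justifies it. The application names, servers, ports and the current allow-list are all invented for illustration.

```python
"""Added example: check a firewall's inbound allow-list against an application
inventory, then render a default-deny ruleset from that inventory.

Everything here is constructed for illustration: the inventory, the current
allow-list snapshot and the rendered rules are not taken from any real site.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Application:
    """One business application and the inbound ports it needs from the internet."""
    name: str
    server: str
    inbound: frozenset = field(default_factory=frozenset)  # {(proto, port), ...}


# Constructed inventory: the output of the discovery exercise described above.
INVENTORY = (
    Application("public web site", "web01", frozenset({("tcp", 80), ("tcp", 443)})),
    Application("remote-access VPN", "vpn01", frozenset({("udp", 1194)})),
    Application("inbound mail relay", "mail01", frozenset({("tcp", 25)})),
    Application("payroll", "erp01"),  # internal only: needs nothing from outside
)

# Constructed snapshot of what the perimeter firewall allows inbound today,
# standing in for a device deployed with its vendor defaults left in place.
CURRENT_ALLOWED = frozenset({
    ("tcp", 22), ("tcp", 25), ("tcp", 80), ("tcp", 443),
    ("tcp", 1433), ("tcp", 3389), ("udp", 161),
})


def required_ports(inventory=INVENTORY):
    """Map each (proto, port) to the applications that justify opening it."""
    needed = {}
    for app in inventory:
        for rule in app.inbound:
            needed.setdefault(rule, []).append(app.name)
    return needed


def unjustified_ports(allowed=CURRENT_ALLOWED, inventory=INVENTORY):
    """Ports open on the firewall that no application in the inventory needs.

    These are the doors left open: each one is an external attack vector
    nobody asked for, and a candidate to close.
    """
    return sorted(set(allowed) - set(required_ports(inventory)))


def missing_ports(allowed=CURRENT_ALLOWED, inventory=INVENTORY):
    """Ports an application needs that the firewall currently blocks.

    Skipping this check is how a default-deny rollout breaks a production
    application on day one.
    """
    return sorted(set(required_ports(inventory)) - set(allowed))


def render_nftables(inventory=INVENTORY):
    """Render a default-deny inbound ruleset (nftables syntax) from the inventory.

    Only ports with a named owner are opened, and each accept rule carries a
    comment naming the application, so the next review knows whom to ask.
    """
    lines = [
        "table inet filter {",
        "    chain input {",
        "        type filter hook input priority 0; policy drop;",
        "        iif lo accept",
        "        ct state established,related accept",
        "        ct state invalid drop",
    ]
    for (proto, port), owners in sorted(required_ports(inventory).items()):
        owner_list = ", ".join(owners)
        lines.append(f'        {proto} dport {port} accept comment "{owner_list}"')
    lines += ["    }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print("Open but unjustified:", unjustified_ports())
    print("Needed but blocked:  ", missing_ports())
    print(render_nftables())
```

Run as-is, the script flags SSH, SQL Server, RDP and SNMP as open with no owner, flags the VPN port as required but blocked, and prints a ruleset whose `policy drop` default means any port that is not in the inventory stays closed. Keeping the owner in the rule comment is what makes the periodic access review in the internal controls below practical: a port with no named application is a port to close.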
From an internal controls perspective, I am only going to touch on a few basics. I would offer that the following controls should be present in any business environment.
- A management steering committee charged with oversight of IT and information security, and with enforcing accountability for those tasked with managing the IT environment.
- Limited access to perform administrative functions on the network, including:
  - Firewall configuration, user access rights management, server management, etc.
- Limited access to the server room or data closet.
- A formal process for authorizing, configuring, and reviewing employee access to IT resources.
- Annual IT security training:
  - This could take the form of IT security awareness training and presents the perfect opportunity to re-educate employees on proper password management and use of business resources.
- IT security policies and procedures (lightweight and useful documentation) for items such as:
  - Change management
  - Risk assessments
  - User access rights reviews
  - Major system upgrades
I was speaking with a good friend the other day and the conversation turned to the (often dangerous) assumptions we make on a daily basis. Avoid making assumptions when it comes to the security of your business. For instance, do not assume that because you require your employees to sign off that they have read the employee handbook (including the section on IT security and acceptable computer use), they actually understand what is expected of them and why. When in doubt, communicate! The management steering committee should actively work with the IT staff to evaluate business risks and ensure that employees are properly trained and empowered to protect the company’s interests. Don’t assume that a security breach will never happen to you. Proactively work with your IT staff to ensure that administrative access (physical and logical) is restricted to authorized personnel and reviewed regularly.
