10 keys to effective network security
DESCRIPTION
While nothing is ever "completely secure," and there is no magic product to make every organization immune from unwanted attackers,this Razorpoint document outlines 10 keys to consider seriously regarding effective network security.TRANSCRIPT
10 Keys To Effective Network Security
[ WHITE PAPER ]
™
Author:Razorpoint Security TeamVersion:1.3
Date of current version:2006-10/05
Date of original version:2001-04/04
Copyright © 2001-2006 Razorpoint Security Technologies, Inc.All Rights Reserved.
10 Keys To Effective Network Security
The following 10 keys outline a foundation in building an effective security policy for your network operating environment. They explain the realities of network security and how to apply corporate resources toward the ongoing effort of securing a network environment.
KEY 1: Executive level needs to be responsible (Establish accountability).Think of network security in terms of system survival and business continuity. As such, accountability should be shouldered at senior levels much like a company’s financial position falls upon a CFO or CEO. Effective security policies should be implemented and maintained by a skilled and experienced technology staff directed by a senior company officer or director (CTO, Director of Technology, etc.). Technology departments should be empowered with the resources (skilled staff, budget, hardware, software, etc.) and autonomy to react effectively on an ongoing basis. The senior company director must ensure the availability of these resources, while the entire senior management maintains accountability.
KEY 2: Educate staff and promote awareness.People are almost always the weakest link in any organization’s security chain. It is for this reason that proper education and awareness of network security and security policies be understood by not only technology staff, but all employees. While more detailed technology expertise should be mandatory within technology departments, awareness and training must be provided to all company employees. Company employment documents should include a detailed explanation of the company’s policy on technology usage including, but not limited to, computers (laptops, desktops, servers), network access, Internet access, email, the worldwide web, and remote access to company resources.
KEY 3: A process, not a product (Security is ongoing, never ending).There is no single answer. As part of employee security awareness, the fact that security is never realized by a single product or technique should be stressed. The myth of “You just install this one shrink-wrapped package and you’re done” is a dangerous pitfall many firms fall into. The overall security posture of a company needs to be part of the business decision-making process. Security is a process, not a product.
KEY 4: Exhibit cautious, but prudent, spending (Don’t “just throw money at it”).Security is not just “having a firewall.” Many of the “all-things-to-all-people” products are not sufficient. These general tools (firewalls, VPNs, packet filters, etc.) can still leave company-specific systems vulnerable. A solution of this nature can end up costing an overwhelming amount due to an unforeseen security compromise. Purchasing and properly deploying tools such as firewalls, intrusion detection systems, VPNs, etc. as part of an overall security policy is an excellent way to promote a secure operating environment. Regular maintenance of these security tools should be a mandatory exercise in enforcing a company’s security policy.
KEY 5: Regular assessment of the “threatscape” – Be proactive.Hire a security firm to regularly audit the security of your network infrastructure. This is similar to an outside accounting firm auditing a company’s financial records. As a proactive security measure, a qualified, third party should be retained to regularly audit the state of a company’s security. Security firms test, externally as well as internally, the true strength of an infrastructure’s security. An audit of this type provides a “hacker’s eye view” of a network operating environment.
October 5, 2006 10 Keys To Effective Network Security [v1.3] Page 1 of 3
31 east 32nd street, sixth floor | new york city, new york 10016-5509 usa | tel: 212.744.6900 | fax: 212.744.6344 | www.razorpointsecurity.com | [email protected] Copyright © 2001-2006 Razorpoint Security Technologies, Inc. All Rights Reserved.
™
KEY 6: Deploy and maintain a balanced, flexible security policy.An effective security policy should also include physical security, disaster recovery and user training. A “one size fits all” approach should be avoided. Design a security policy, or “process,” that is geared toward your current technology infrastructure as well as future iterations. It should evolve as your organization evolves. A balanced and flexible security policy should encompass firewalls, VPNs, good password usage, remote access procedures, security of physical resources (file cabinets, computer rooms, network access points, confidential documents, etc.), disaster recovery scenarios and provide for the ongoing effort of keeping all company employees aware of changes as they occur.
KEY 7: Incorporate security early.It is always more efficient and effective to design security into an infrastructure from the beginning. Imagine only after finishing a bank realizing you needed a vault, alarms and security glass. Because of the lack of security consciousness at the outset, everything must now be redone. Similarly, security must be a primary focus when designing and maintaining an technology infrastructure. While security components can certainly be added afterward, incorporating security early yields better results. When necessary, hire an outside firm to perform a security design review of existing or upcoming technology rollouts. If nothing else, this “extra set of eyes” can provide another perspective on your needs, your technology and your security choices. Be sure to choose a firm with a proven track record performing security audits and services.
KEY 8: Outsource security maintenance as necessary.In some circumstances, it makes business sense for firms to outsource their security needs. Understaffed or undertrained technology departments may not be equipped to adequately maintain effective network security. In these cases outsourcing can be an answer. Some or all of a company’s network security can be given to a security firm whose sole responsibility is securing your environment. Firewalls, VPNs, remote access, and other security-related necessities can be facilitated by an outside firm. This can also help a company to more slowly, and effectively, grow their own in-house staff. With security maintained by an outside firm, CTOs and CIOs can take more time staffing in-house teams with the appropriate, qualified personnel.
KEY 9: Staff your technology team correctly.Be sure your technology staff is well-rounded in terms of technology expertise (network infrastructure design and management, security implementation, multiple operating system experience, etc.) and is trained in all necessary areas of your company’s technology. In addition to necessary certifications (CISSP, Check Point CCSA & CCSE, Cisco CCNA, etc.) security technology professionals must be able to demonstrate previous experience with relevant technology and provide references that can support previous career successes.
KEY 10: Maintain vigilance.No one ever asks “When can we stop doing sales or marketing?” It is the same with security; it is never ending. Y2K was perceived as a business issue, security is even more so. It needs to be fully understood at the most senior levels why security is as large a business concern as sales or marketing. A security breach of financial records, confidential company data, client information or other sensitive material could be disastrous. Security compromises can destroy relationships with customers and investors. Financial liability, lost revenue, damage to a company’s brand and reputation could prove irreparable. Security concerns should extend well beyond “stopping a virus” or “installing a firewall,” it should be viewed as a business continuity issue and, as such, funded, staffed and maintained accordingly.
October 5, 2006 10 Keys To Effective Network Security [v1.3] Page 2 of 3
31 east 32nd street, sixth floor | new york city, new york 10016-5509 usa | tel: 212.744.6900 | fax: 212.744.6344 | www.razorpointsecurity.com | [email protected] Copyright © 2001-2006 Razorpoint Security Technologies, Inc. All Rights Reserved.
About Razorpoint Security.Razorpoint Security Technologies, Inc. specializes in researching and analyzing security vulnerabilities and conducting comprehensive security assessments. These assessments provide business leaders and corporate clients the necessary security services and solutions that help keep corporate networks secure. Razorpoint Security has exceptional expertise in network security, attack/penetration testing and identifying security vulnerabilities especially as they relate to Internet solutions and web applications. Razorpoint offers all sectors of business the services necessary to maintain a firm grasp on the evolving state of network security.
For more information, Razorpoint Security Technologies, Inc. can be reached at their headquarters at Madison Avenue and 32nd Street in New York City.
Razorpoint Security Technologies, Inc.31 East 32nd StreetSixth FloorNew York City, NY 10016-5509t: 212.744.6900f: 212.744.6344e: [email protected]: www.razorpointsecurity.com
™
October 5, 2006 10 Keys To Effective Network Security [v1.3] Page 3 of 3
31 east 32nd street, sixth floor | new york city, new york 10016-5509 usa | tel: 212.744.6900 | fax: 212.744.6344 | www.razorpointsecurity.com | [email protected] Copyright © 2001-2006 Razorpoint Security Technologies, Inc. All Rights Reserved.