Opinion: Network Security-Best Practices







by Marcia J. Wilson, CCSP Staff Writer
March 9, 2004


"Reprinted from January 27, 2k3"

Advice by Marcia J. Wilson

Believe it or not, best practices in network security begin with a top-down policy. Policy begins with understanding what it is you need to protect and what it is you need to protect against. The levels of responsibility need to be understood, and that implies that security is everyone's job, as each employee understands how he or she contributes to the organization. Best practices in network security are more about the what and why of securing the organization's information assets than about the how.

The security policy is a formal definition of an organization's stance on security, meaning what is allowed and what is not allowed. IT executives and managers faced with a myriad of technology choices quickly become overwhelmed by the daunting task of securing the enterprise. It is possible to unmuddy the waters by starting with a three-step framework that will aid in establishing a "best practices" network security program: prepare, organize and execute. Let's take a look at each piece of this framework in more depth.

STEP 1: Prepare

The preparation stage is three-pronged and involves creating policy statements, conducting a risk analysis and establishing a security team structure.

The policy statement
To create policy statements, the organization needs to assess what levels of security are appropriate and achievable by taking into consideration the organizational structure, individual roles and responsibilities, policies already in place, service level agreements between the IT department and other departments, and even corporate politics. For instance, is the CEO exempt from enforcement of a strict password policy? Is it OK for a manager to request access to an employee's e-mail? Should employees be restricted from accessing the Internet altogether or from accessing particular sites? Are system administrators outside the law?

Policy statements, in particular "Acceptable Use" statements, define users' roles and responsibilities and can be stated as general high-level statements that cover all network systems and data within the organization. The statements should include acceptable use of systems and data for all categories of users, including the system administrator. The intent of this policy is to clearly define its purpose and to provide guidelines and responsibilities. The policy should also identify specific actions that could be taken in response to a violation of security policy, including disciplinary action. Put it in print and post it on the walls.

Senior management should use either an internal HR or marketing department to make sure the word gets out to all employees. Some companies require the signature of every employee on a copy of the acceptable-use statement. Security awareness training, sometimes included in new-hire training, can include a review of the policy, with employee signatures gathered at that point.

The risk analysis
Conducting a risk analysis is a way of baselining the organization's security posture. Many companies hire an outside network security audit firm to provide this. The purpose of a risk analysis is to identify points of entry to the network and possible means of attack from both internal and external perspectives. This requires identifying all network resources and assigning a risk level to each. For instance, if a core router or firewall were compromised, what would the risk level be? The next step in risk analysis is to identify who has access to those resources. There are users, power or privileged users, administrators, partners and others. This can be a painful process for some organizations, depending upon what type of authentication and authorization methods are in place. Some risk analysis methods include running a password cracking utility on the network in privileged mode to uncover not-so-obvious privileges.

The security team
The security team needs to be a cross-functional team with participants from every operational area. The team is responsible for policy awareness and enforcement as well as being informed on the technical aspects of the security architecture. The team is also responsible for responding to security breaches and reporting to senior management. The security team should also be responsible for approving security changes, or alternatively, a security team member should sit on the change management team. Monitoring the security of the network and creating an incident response process, which includes being part of the restoration team when a loss occurs, are also responsibilities of the security team.

STEP 2: Organize

Once armed with policy statements, a risk analysis and a security team, it is important to define individual information assets as either a resource or a domain. A resource is a particular computing platform, operating system, application, database or network device. A domain is a business function. The cross-functionality of the security team ensures that priorities can be quickly defined and levels of difficulty related to remediation understood. Breaking down the work into manageable chunks facilitates moving forward. Go after the high-risk categories first and move down the list.

STEP 3: Execute

Once prepared and organized, executing is not as overwhelming as you might think.

Remember that it is impossible to completely secure distributed systems. The goal is to create security awareness, minimize risk and maximize the use of technology.

Best practices in detail
There are several organizations and vendors that have published detailed guidelines for securing individual computing platforms. CERT Coordination Center at Carnegie Mellon University provides Security Improvement Modules that detail how to secure Unix, NT and other technologies. Cisco Systems Inc. provides detailed security white papers on securing its network devices. Microsoft provides endless patches and security briefs pertaining to its operating systems and applications. The SANS Institute provides a wealth of information on forming policy and securing systems, and provides comprehensive training programs. The point is that there are numerous resources, or rat holes, to explore. Understanding what and why before understanding how is critical to a successful implementation of network security best practices.

*Note: Some links to stories may no longer function or now require you to register to view.






Marcia J. Wilson holds the CISSP designation and is the founder and CEO of Wilson Secure LLC, a company focused on providing independent network security auditing and risk analysis. She can be reached at .

Posted on Tuesday, 09 March 2004 @ 10:00:00 EST by cj