To view this update as a Web page, copy this link into your
browser: www.qtsnet.com/stayinformed/quiknews/quiknews_october2003.htm.
To subscribe or unsubscribe, please follow instructions at
the bottom of this page.

Welcome to the October edition of QTS QuikNews, our
monthly e-mail newsletter. In this monthly e-mail, you
will receive an update of what's new at QTS - new
products we support, new patches and upgrades, solution
ideas and promotions to save you money, and information
about our company and our clients.

In this issue:

QTS NEWS

QTS IS HIRING!
QTS is recruiting for senior level technical personnel,
as well as entry and senior level sales staff. If you
know anyone who might be a good fit, please have them
submit their resume to Liz Meechan, our Office Manager.
Liz can be reached at lmeechan@QTSnet.com,
or (973)984-7600 x223.

CUSTOMER SATISFACTION SURVEY WINNER
Congratulations to Terri Maricondo of the Law Office of
Stephen S. Weinstein, whose customer satisfaction survey
was randomly drawn as our Q3 winner. Terri will
receive a $50 gift certificate for Amazon.com. Thank you
to Terri and all other QTS customers who submitted
Customer Satisfaction Surveys in Q3 – we appreciate
the feedback.

Congrats again to AKA Enterprise Solutions!
QTS’ partner for accounting, ERP and CRM solutions,
AKA Enterprise Solutions of New York, NY, received its
second award in two months from Microsoft, being named
as a worldwide finalist for Microsoft’s 2003 Certified
Partner Award for ERP Reseller of the Year.

PRESIDENT'S CORNER

This is a continuation of the column from last month’s
issue, in which we discussed “10 Steps to Secure your
Network.” We completed the first five steps last
month, and are covering the next five now.

For last month’s article, please visit our web site at
http://www.qtsnet.com/stayinformed/QuikNews/QuikNews_September2003.htm

Part II

6. Redefine the LAN, Secure the VPN
– VPNs do two things – they authenticate
machines/users, and they encrypt traffic based on that
authentication. So, when remote VPN users
authenticate, they now have a secure encrypted tunnel
for their data – and also their malicious code –
to travel through. The bad news is that your LAN
has now extended to include every home and remote
computer that VPNs in, and you need to manage security
now at each and every one of those points. The
good news is that there are tools to help you do so
– though they take time and effort and cost to
deploy. It is critical that all VPN users have
current, auto-updating antivirus software, that they
have personal firewall software, and that they be
currently patched. Network security is only as
good as the weakest link, and in a modern network, the
weak links are usually uncontrolled home computers.

A very smart alternative is what is being called
“Clientless VPNs” – by using remote control
technology such as Citrix MetaFrame, and leveraging
SSL for encryption (preferably with a digital
certificate from a trusted Certificate Authority), it
is possible to set up a remote access solution where
it is totally client-independent. If the client
is simply receiving screens and sending keystrokes,
and nothing is passing back from the client to the
network except keystrokes and mouse clicks, the state
of the client computer isn’t critical to security.
This can save IT organizations a TON of work, and
we’ve deployed it effectively several times.
Use strong authentication, such as RSA SecurID tokens,
for even better security.

7. Know What’s Going On
– Most IT people don’t ever review logs for their
firewalls and servers. Some do, rarely.
Very few do so daily. Yet these logs tell you
what’s really happening on your network. If
you don’t have time, or don’t know what to look
for, then outsource it (that’s why we developed our
QuikSecure ASM offering). Otherwise, make the
time to review them and understand them – a cursory
review of meaningless data doesn’t accomplish
anything. Your logs (firewall, web server, other
server) contain the history of access to these systems
(if configured properly), the proverbial “smoking
gun.” Not reviewing them is like buying
a surveillance system, then not hiring guards to watch
the cameras.

8. Train Your Users
– This is one of the biggest omissions we see when
we review an organization’s security posture.
Often, it is because user training takes time, is hard
to do, and IT has little leverage to make sure they
comply. This is where an organization’s
Security Policy comes into play – if an organization
has mandated certain security rules as part of its
business policy, and the rules come from senior
business management, rather than the IT Department,
then the rules need to be followed – period.
It is no longer a turf war, it is no longer optional,
it’s a matter of business policy. IT can now
effectively enforce necessary policies such as strong
passwords and password expiration/rotation, which do
inconvenience users, but which serve a purpose.
Users need training in this to understand its
importance, and also need to understand the risks and
considerations inherent in web surfing and Internet
mail. It still amazes me how I hear about
viruses propagating, in spite of current antivirus
software, because people open attachments from unknown
senders.

9. Really, Truly Secure Your Data
– Many organizations set up some basic rights on
their network shares or directories, and that’s the
end of it. True security is well thought out and
goal-oriented. The principle of Least Privilege
should always be applied – give people the minimum
level of rights they need to do their job. If
they only need to view data, don’t give them
“write” rights. If someone doesn’t need access
to files, don’t provide it. For sensitive
data, such as customer information, sales databases,
service history, etc., properly secure the system,
then consider adding Host Intrusion Detection software
if it allows for prevention of unauthorized file
copying – I still hear of situations where a
salesperson leaves a company, and takes the entire
customer/prospect database with him, without the
company knowing it.

It takes some effort to protect the proprietary data
assets of a business, but it is well worth it. A
good exercise to start is to identify your
organization’s physical and data assets. Then
for each asset, identify why it is important, and what
the impact of loss is. Then you can devise a
plan, or appropriate rights, to protect it.
Also, look at your Information Classification
policies, if you have them. If the President of
your company marks something as confidential, what
does it mean to them? Does it mean the same
thing to an operations manager? To the IT
Department? To a normal user? Information
Classification is about clearly defining business
rules for how classes of data, paper or electronic,
are to be handled – storage, transmission, access,
destruction.

10. Audit Annually
– It is important to checkpoint your
organization’s security posture against best
practices, and against known vulnerabilities and
issues. On an annual basis, you should have an
outside, objective party perform a review of your
business’ security, at a “strategic” level (What
is your security posture? Do you have the right
technologies? Are they being used properly?
What are the “people” and “process” elements?)
and at a “tactical” level (What specific
vulnerabilities does each of your systems have?
Remediate against them). Both elements are
important – I often speak with people that want to
skip the strategic review and get right into the
tactical stuff – scanning software is after all cool
stuff. However, think about this – if you have
a world class alarm system for your house, does it
really do you any good if your family doesn’t bother
to turn it on when they leave the house? A great
security system can be defeated by a single password
on a single post-it note, and most security breaches,
with the greatest financial loss, still occur from
inside a network. An annual review of security,
in both of these areas, is critically important.

You will notice that many of the above items are not about
technologies, but rather are about the “people”
and “process” elements of security, which are
usually more important. These are also areas
that are often neglected, since people often think in
terms of “products” rather than the hard work that
goes into a successful security effort.

There are certainly elements here that I have not covered.
I could have written “20 points” for securing your
network. Our Security Assessments normally
result in a 35-50 page report, with hundreds of
distinct, prioritized recommendations. But
these, I feel, are the top 10 areas where one should
focus at the outset in evaluating your security
strategy and aligning it with your business.

As always, feel free to email me your comments or
thoughts at nrosenberg@QTSnet.com.
Thank you.

Neil Rosenberg
President & CEO
Quality Technology Solutions

PARTNER SPOTLIGHT: Greenwich Technology Partners Convergence Division

This month QTS is spotlighting its partner for Voice/Data
Convergence, the Convergence Division of Greenwich
Technology Partners. Greenwich Technology Partners
("GTP") provides highly specialized consulting
and engineering services in the IP telephony and unified
messaging areas. These "Convergence"
services often generate significant financial savings to
our corporate customers by increasing employee
productivity and reducing telecommunications expenses.

One of the difficult decisions facing IT managers and CIOs
today is how to maximize the current data architecture
and realize economies of scale throughout the
organization. When faced with a transitional event, such
as building a new office or upgrading the voice or data
network, many IT professionals evaluate and select the
path of convergence to reach these goals. A converged
network, in which voice, video, and data are integrated on
the same network, provides several advantages to the
organization. A converged network reduces administrative
and staffing costs and network infrastructure costs, and
improves employee productivity. It also allows for much
more rapid deployment of new applications, such as unified
messaging and personal communications assistants. For
these reasons, and many others, convergent technology is
becoming a reality, and not just a thought.

How is GTP able to provide a competitive advantage to our
customers? First, all GTP convergence consultants
have significant telecommunications and data
networking expertise. GTP has parlayed that knowledge to
provide complete convergence services. Second, GTP's
methodology is unmatched in the industry. GTP offers
true economic value to clients by mapping cutting-edge
technologies such as IP telephony and unified messaging
to its clients' business requirements, then delivering
reliable, effective, and scalable solutions. Third, GTP
has aligned itself with leaders in the convergence
arena. GTP is one of the most successful integrators of
the CallXpress and RightFax solutions by Captaris, and
is an AVVID partner of Cisco in the IP Telephony
Specialization. Investments in this technology, such as
a state-of-the-art IP Telephony lab in Whippany,
position GTP for the tremendous growth predicted in this
industry.

Unified messaging is a portion of IP Telephony, and a core
business solution offered by GTP. GTP's UM suite is
comprised of two software packages, CallXpress Voice
Mail and RightFax LAN-based faxing. By integrating each
into a client's existing groupware solution, clients are
able to provide one message store for all message types
- email, voice mail, and fax mail.

Faxing is no longer completed at the fax machine; users simply
send and retrieve faxes from their groupware client.
Similar to faxes, voice messages are retrieved at the
desktop. Providing email text-to-speech access to a user
via a mobile device completes unified messaging.

QTS and GTP work together to build solutions that provide a
competitive advantage for our clients. QTS builds out
the data infrastructure, and GTP provides the voice
components to complete the converged network.

For more information on Greenwich Technology Partners'
Convergence Group, please view their web site at www.greenwichtech.com,
email Mike Waresk at mwaresk@greenwichtech.com,
or call him at 973-576-1620. Or, contact your QTS
Account Manager.