Saturday, January 13

Firm: Seven steps for a more secure network

Combine New Year's resolutions and this SC magazine article and what do you get? Questionable advice.

The article starts out great.
IT security professionals should rely on personal vigilance and implemented methodologies - not just the slew of new products hitting the marketplace - to protect their networks in 2007.
Sounds good. Yes to vigilance and yes to method. Just buying things is bad. Nice work.

Now for the fun.
1. Change every password before the year's end. By taking this first step, you will enhance the security of every online commerce site visited, every computer, and every other password-protected device or website in use. Avoid easily discovered passwords, such as names or numeric series. Change your passwords at least quarterly in 2007.
Sound advice, except he didn't mention anything about pass phrases.
2. Download patches and updates. Even some off-the-shelf computer security programs offer downloadable updates or "patches" capable of detecting the newest viruses and closing "backdoors" that hackers have discovered. Operating systems should be patched and upgraded at year-end, and regularly as well.
Nice work. Patch your systems. Someone send this guy a check.
3. Hire a hacker. The holiday lull is the perfect time to conduct a "penetration test" to pinpoint weaknesses in a network's security. These tests emulate a hacker's invasion of a network; but rather than attacking databases and network tools, these scans identify specific vulnerabilities and propose solutions.
Hire a hacker? Not even going to touch the hacker versus cracker definition. A pen test over the holidays is not a bad idea; however, it depends on what type of test you are running. Black box, white box, or something in between? At times you want ops around to assist, and they can't do that while eating honey ham seven states away.
4. Conduct regular e-security check-ups. Automated, monthly remote risk assessments can be conducted for less cost than a single onsite review. These tests assure that confidential data is as secure as possible from external attack. In a hacker prone era rife with data theft, high levels of spam, and increasingly innovative computer fraud, waiting a full year between assessments is no longer a viable option.
What the hell is this guy talking about here? Isn't our goal to protect data --- each day? And what exactly does he mean by "Automated, monthly remote risk assessments"? "Make sure things are good" would have been just as powerful. Sigh. I assume he is talking about using a service such as Qualys to scan and report on your external-facing systems. These results can then be compared against preexisting baselines or standards to evaluate compliance and document change.

While I agree with looking at your risks from the outside in, what about from the other direction? What is being sent outbound? How about monitoring / measuring that?!? Aren't these guys an email security company?
5. Communicate your data security policy. All personnel should be briefed on the importance of protecting confidential customer data. Disseminate a policy on how and when, if ever, this data should be included in unsecured email correspondence with customers and others. Implementation of an encrypted email system would be a major security step forward.
Yes. Finally something I can agree with. I would also like to add that one should begin looking at outbound mail filtering. It helps to know how your customer service reps, execs, and IT professionals are sending their electronic communications (primarily for the unencrypted mail).
6. Keep your network virus-free. A thorough evaluation of your network is essential to protect entry points (such as email attachments, shared files, infected websites, downloads), and to minimize infection. Simply installing anti-virus (AV) software is not enough. The AV system still needs to be monitored to make sure the most recent definition files are updated on all devices and you are alerted when a device is not "up-to-date." Look to providers which offer a full suite of AV services that can keep current with fresh outbreaks.
10-4 good buddy. Also think of reporting. Metrics mean money! Remember that. When you need head count, funding, or a promotion --- you must have metrics. Also remember that one vendor for the whole environment isn't always the answer. What is best for clients is not necessarily what is best for servers. Moreover, AV vendors differ greatly from platform to platform.
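To make the "monitor definition currency, alert on stale devices, and keep metrics" point concrete, here is an added example (not from the post or the SC article) that checks a constructed AV agent inventory for stale definition files, emits one alert per non-compliant device, and reports compliance per platform so clients and servers can be tracked separately. The inventory, hostnames and the three-day staleness threshold are assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed inventory of AV agents (hypothetical hosts, not from the post).
# "defs" is the date of the definition file the agent last reported; None means
# the agent has never checked in, which is its own kind of "not up-to-date".
INVENTORY = [
    {"host": "ws-001", "platform": "client", "defs": date(2007, 1, 12)},
    {"host": "ws-002", "platform": "client", "defs": date(2007, 1, 3)},
    {"host": "ws-003", "platform": "client", "defs": None},
    {"host": "srv-db1", "platform": "server", "defs": date(2007, 1, 13)},
    {"host": "srv-mail", "platform": "server", "defs": date(2007, 1, 9)},
]

# Assumed policy: definitions older than three days count as stale.
MAX_AGE = timedelta(days=3)


def is_stale(entry, today, max_age=MAX_AGE):
    """A device is stale if it never reported or its definitions exceed max_age."""
    return entry["defs"] is None or today - entry["defs"] > max_age


def stale_hosts(inventory, today, max_age=MAX_AGE):
    """Sorted hostnames that should trigger an alert."""
    return sorted(e["host"] for e in inventory if is_stale(e, today, max_age))


def alerts(inventory, today, max_age=MAX_AGE):
    """One human-readable alert line per stale device, suitable for a ticket queue."""
    lines = []
    for e in inventory:
        if e["defs"] is None:
            lines.append(f"ALERT {e['host']} ({e['platform']}): no definition report")
        elif today - e["defs"] > max_age:
            age = (today - e["defs"]).days
            lines.append(f"ALERT {e['host']} ({e['platform']}): definitions {age} days old")
    return lines


def compliance_metrics(inventory, today, max_age=MAX_AGE):
    """Per-platform totals, current count and compliance percentage for reporting."""
    totals = defaultdict(lambda: {"total": 0, "current": 0})
    for e in inventory:
        bucket = totals[e["platform"]]
        bucket["total"] += 1
        if not is_stale(e, today, max_age):
            bucket["current"] += 1
    return {p: {**t, "pct": round(100 * t["current"] / t["total"], 1)}
            for p, t in totals.items()}


if __name__ == "__main__":
    today = date(2007, 1, 13)
    print("\n".join(alerts(INVENTORY, today)))
    print(compliance_metrics(INVENTORY, today))
```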
7. Consider "giving up" on do-it-yourself security. The New Year is a good time to consider outsourcing network security to a company dedicated to keeping up with the latest demands of computer network security.
Depending on the size and nature of the company, I agree. Small shops should think about getting some help. If nothing else, a plan for security with periodic checkups. Larger shops need IT Security professionals (even if just a few) to check up on the outsourced work.