Managing enterprise security is one of the most complex and time-consuming jobs imaginable. However, applying the simplest and most basic security measures will protect companies from close to 90 percent of the threats they might face. Here are the five basic steps recommended by eWEEK Labs.
Security risks in enterprise IT systems have many technical elements, but the magnitude of risk is largely determined by nontechnical factors, including business relationships and IT users attitudes. Vulnerability assessment demands a multidisciplinary approach—especially because risk analysis shapes every subsequent aspect of an IT security process.
Unlike other assets, information can be stolen without being lost. Its not enough, therefore, to ensure that data remains available to those who are authorized to use it. Data access also must be denied to others, not just in the course of transactions but also during archive storage and even after disposal.
Every aspect of software availability must be scrutinized and addressed. Specific risk assessment steps include the identification of all software and hardware elements—perhaps including license files or authentication tokens—that need to be present for a particular application to be usable, followed by preparation of contingency plans for any disruption of those resources.
Managers also should discuss with risk-management professionals the extent of an organizations network interactions with suppliers and customers, and should participate in drafting appropriate agreements that limit liability for consequential damage not directly caused by the organizations own actions.
Security plans should also work hand-in-hand with regulatory-compliance mandates such as the Health Insurance Portability and Accountability Act and Sarbanes-Oxley. Many security applications and monitoring systems can serve double-duty in enforcing and monitoring regulatory compliance.
The first major principle of preventing intrusions is to minimize risk by making it harder to crack into existing systems. To do this, IT managers must first shrink the problem domain—cutting down on the number of systems that need to be secured. Otherwise, its just too big a problem.
With assessment results in hand, install all available system updates—but only after all needed components are installed, so that update agents will download the right patches. This is tricky to do safely because systems are highly vulnerable when freshly installed.
Next, start trimming fat from the systems that matter. Cut deep, leaving only enough functionality for critical systems to work and not a bit more.
Also, change system defaults. Attackers infer knowledge about attacked systems based on their own copies of the same software.
Its important to install server- or client-side tools that actively work to block anomalous behavior, on the principle that it might be harmful. Anti-virus software, local network firewalls, application firewalls and trusted operating systems all apply this principle.
When developing applications, use secure programming practices. Applications that accept user input are potential security risks, and externally facing dynamic Web applications are especially high-risk. Tools that look for vulnerabilities in the development phase help coders avoid mistakes in the first place.
All systems are vulnerable—to highly skilled outside attackers, accidental misconfigurations, momentary lapses of attention or an internal attack. Managers should therefore plan for failure, with the level of protection matching the value of the assets being protected.
Prevention also requires ensuring minimal operational disruption should a successful break-in occur. Regular backups allow individual destroyed or corrupted files to be restored, provide a way to track changes made to key system files, and are a quick way to roll systems back to “good” configurations.
Next Page: Step 3: Detection
To detect a breach, there are tools and services ranging from firewalls to intrusion-detection systems to log-analysis programs to managed-service providers. Thats the science. But detecting the actions of a motivated, inventive attacker takes human detectives who are just as ingenious and relentless as their opponents.
The best place for a detection plan is a quiet conference room with a big whiteboard and every IT manager in attendance. Make a rough map showing the entire network. List every supplier, partner and customer in the margin. By the end of this exercise, you should know—intimately—how, where and when each of these networks connect and is secured.
To detect attacks, managers also must know what normal behavior looks like. Examine network protocol analyzer captures and log files from applications and servers. Hardware and software probes are useful, but much more expensive to deploy in areas where long-term monitoring of high-volume nets is required.
Products that rely on log data to track user activity are good additions to a detection tool kit. They can quickly reveal what consititutes normal behavior and often just as quickly highlight potential problems.
Intrusion-detection systems can be programmed to look for a limited range of anomalous behavior to identify attacks. The intent of many of these tools is to probe for weaknesses, and, in the process, they can block access to needed ports on a Web server or can cause applications to break. It almost goes without saying that these tools should not be used on a production network during business hours.
An alternative is to set up a lab that mimics your organizations IT environment. Practice using the intrusion-detection system and fine-tune it so that it sends as few false-positive alerts as possible.
Next Page: Step 4: Response
Responding to security breaches involves not only stopping attacks but also learning from the experience to prevent future attacks.
The technical steps required to respond to any attack are essentially the same, no matter what the business or what the purpose of the attacked system.
- Stop It: An infected system needs to be taken off the Internet immediately to prevent further spread.
- Learn From It: Before you clean up an infected system, find out how it was compromised. Log files are a big help in detecting what happened. System snapshot tools also can be extremely useful.
- Remove It: After youve figured out how a system was compromised, you need to remove worms or exploit programs and possibly even wipe the system clean. Some worms can be removed by deleting a single file, but others infect a large number of files on a system. Look to the Web sites of security vendors and organizations such as The SANS Institute for detailed information on removing worms or security holes.
- Fix It: Patches must be applied or workarounds implemented to prevent future attacks.
- React to It: The toughest part is dealing with the internal management and external agencies involved. Draft a written policy on how intrusions will be handled and who should be notified after one takes place.
Next Page: Step 5: Vigilance
The sad truth is, the task of securing an IT system can never be complete. As Bruce Schneier, chief technology officer of Counterpane Internet Security Inc., warned in his book “Secrets and Lies,” systems have four devastating properties that combine to make vigilance a permanent concern: theyre complex; interactive; emergent with unpredictable behaviors; and bug-ridden.
And systems today are actively threatened, compounding the hazards created by the other four traits.
Administrators can install layer after layer of protection, but theyre not really doing their jobs if the result is an error-prone environment. They cant simply deploy every available security tool; its their job to assess the balance between degree of protection on the one hand and likelihood of consistent and correct use of systems on the other.
One of the strongest weapons is the growing awareness of security issues among even casual IT users. The challenge for security service providers, for security product vendors and for enterprise general managers is to translate users awareness into meaningful behavior change.