Step by Secure Step
With a little prioritization, setting up a network security plan doesn't have to eat up all your time.
Securing your network can seem like an overwhelming task. After all, it's an
ongoing effort and there's always something you could or should do better. Even
worse, most of you are faced with new and evolving security threats on a daily
basis, while still dealing with management that's often reluctant to pay for
additional security projects.
Because there aren't enough hours in the day to get everything done, it's essential
to set priorities.
A proper network security plan starts with a formal threat assessment. Developing
a plan like this typically takes weeks. If you don't have the time, you may
be tempted to skip the formal assessment and focus on fixing the security risks
that appear the most urgent.
Skipping the assessment step can result in a disorganized and ineffective security
policy that resembles a patchwork of Band-Aids. Fortunately, there's a simple
process you can use to develop a coherent security policy without having to
invest weeks of your time.
You can make a lot of progress, even in just an hour or two of assessment.
Your goal should be to create a list with three columns outlining your assets,
the threats they face and countermeasures needed to defend against those threats.
In the first column, enter all the assets you have to protect and assign an
approximate value to each one. Make sure you include tangible and intangible
assets. If a precise value is difficult to determine, simply assign a low, medium
or high value classification.
For each technology asset you identify, try to imagine the threats they face.
This information goes in the second column. For an e-commerce site, this may
include hackers, loss of connectivity and even data theft from internal users.
Finally, try to determine the defensive measures you could use to protect all
the assets listed in the first column against the threats in the second column.
These measures could include a firewall for your e-commerce site and updated
anti-virus software for all client computers.
Categorize Then Prioritize
The steps you've taken thus far don't differ much from a formal risk assessment.
Because of the informal nature of the process, though, you didn't need input
from others in your organization and you didn't have to perform a thorough analysis
of your asset values and the associated risks.
You'll need to find the most urgent and easy-to-accomplish measures that you
can implement immediately. Start by finding items in your list that fall into
the following categories:
Things you've already done: Give yourself credit for what you've already
done. For example, if you have anti-virus software installed on all your computers,
treat this as an accomplishment. Knowing what you've already done makes the
rest of the process less stressful.
No-brainers: Certain elements of network protection are so obvious,
you should do them right away. You should be able to easily convince management
to appropriate the required resources for such essential tasks.
Cheap and easy: There are some things you can do cheap and easy. Before
spending too much time and energy convincing management to spend money on a
new security initiative, concentrate on the items that cost little or nothing
to fix and that you can knock off quickly. For example, if you're concerned
about users writing their password on sticky notes that they attach to their
monitors, send a well-written e-mail explaining why this is a bad practice and
how to create effective and easy-to-remember passwords. That's much easier and
more effective than tinkering with your domain's password policy.
Cutting corners: There are times when it's good to be thorough. There
are also times when it's better to do something quickly rather than perfectly.
Software updates are a good example of this. Developing an update strategy to
patch all your computers on a regular basis involves careful planning, testing
updates and careful rollout. An imperfect solution would be to activate Automatic
Updates on all client computers. While this can create network problems if a
security update doesn't work correctly, that risk is probably outweighed by
the benefits of getting computers patched quickly.
Sneaky timing: Sometimes you can implement security measures quickly
by taking advantage of media reports to impress on management the need for a
solution. Television and print media frequently concentrate on high-profile
cases of data theft and other computer crime. Your management might be more
receptive to your pleas for money to protect against these threats. For instance,
spyware may not have the highest priority on your task list. If it shows up
on the news, though, you're more likely to get the funding, so don't wait. That
may be taking advantage of any prevailing fear and it may be sneaky, but if
it makes your network more secure, then go for it.
Don't use this approach as an excuse to bypass a real threat analysis, though.
Use it as a foundation to create a more formal plan in the future.
Never treat the list you initially developed as a static document. Periodically
review it and add more elements. Incorporate new items based on what you learn
about security and feedback from your coworkers. Also, you should try to learn
more about the value of your company's IT resources, from the value of the data
you're protecting to the value of maintaining business continuity.
Investing a little bit of time every once in a while is much easier than setting
aside one large block of time. By approaching the most pressing issues along
the way, you'll even have completed most of your security upgrades by the time
you're ready for a formal threat analysis.
Joern Wettern, Ph.D., MCSE, MCT, Security+, is the owner of Wettern Network Solutions, a consulting and training firm. He has written books and developed training courses on a number of networking and security topics. In addition to helping
companies implement network security solutions, he regularly teaches seminars and speaks at conferences worldwide.