How do you deal with network security issues?

Our office recently went through a network breach and had to deal with everything from malware to phishing to stolen passwords. Our CEO wants to address the issues in the form of implementing a new security policy. Our IT staff is taking care of the hardware problems, but what are some network security tips that we could share with the rest of the staff? How can we avoid problems like this in the future?

David Loonam
Posted on June 23, 2010

Karen,

Ryan's post is excellent. Consider engaging a reputable IT Security company to audit your environment and to assist your IT Staff in the cleanup process.
They will work with the business to implement a suitable and manageable security strategy to mitigate risk.

To prompt group discussion:

Educate all users on security best practices; define an IT Security policy/Acceptable Use Policy for company computerised assets.

Assess internal security controls - Example: WLAN controls (encryption/non-broadcast of SSID), system/user password strength/change policy.

Implement Web Access Controls such as proxy server security appliances/Software; restrict user and server/system access to the WWW.

Assess access/privileges to internal systems.

Baseline and standardise Server/Network Device Builds - Implement Security Hardening of IT Systems - Example: Turn off features/ports/shares not required.

Consider system event auditing/correlation/alerting.

Consider segregating critical systems (VLAN) with controls (ACL) on what services/ports can be accessed (Inbound/Outbound).

Define an approved set of applications - Example: office applications, Internet browsers, etc.; anything else, such as peer-to-peer applications, is prohibited.

Put in place a Security Patching Policy - Example: Ensure Operating Systems and Applications are patched regularly to avoid exploitation of vulnerabilities.

Put in place a reputable anti-virus solution/policy, email filtering/scanning, quarantine procedures, etc.

Assess visitor/guest access to the corporate network.

Assess your public facing perimeter security controls - Example: Undertake Firewall audits, Router ACL Audits, firmware/software updates.

Consider IPS/IDS technology.

Assess VPN/Remote access policies (Encryption, Restricted IP Addresses, Restricted access once authenticated etc).

Ensure you have a reliable and tested backup and recovery procedure.

Assess the Physical security of Systems.

Put in place a controlled and scheduled audit of company security to ensure compliance.

Regards,
David

Gregory Pickett, CISSP, GCIA, GPEN
Penetration Tester, Hellfire Security
Posted on July 10, 2010

David and Ryan have a lot of very good points and they cover a lot of details that must be included in any good security program but I would like to stress that security has to come from the top down. Without management support, it will never get off the ground and it is good to hear that your CEO is behind you in this effort.

This management support comes from your policy and is the stick that allows you to carry out this program from the top down. Policy sets the rules of the road for how your systems are to be designed, setup, and used and makes sure that they are done so in a secure manner. Policy outlines the roles and responsibilities of your employees and your IT staff in their implementation of this security as well as the operational requirements that can be used to enforce best practices across the enterprise. It allows you to move from discretionary enforcement to mandatory action to reduce the risks in your network and your systems. You can have all the best hardware and software controls in the world but without policy to make sure that they are used properly and that your teams operate in a safe, secure, and consistent manner they will go to waste.

I also recommend as does Ryan a risk assessment. The risk assessment can show you how your current systems compare to the policy and where any deviations lie. After the risk assessment, you can rank and prioritize your next steps so that you can carefully tailor your solutions to your environment and budget resources to address them. Over time, you can move your environment from where it is now to where it should be.

However, I believe that you specifically asked for Network Security recommendations. It is important to start in these sorts of cases with least privilege. When you say Network Security, I am going to assume that you are referring to your perimeter. This would mean “Deny” all to start and only allow what is authorized based on your policy. This is why policy is so important. This, of course, is where the firewalls come in. They are used not just at the perimeter but also within the enterprise to separate areas of trust. This “Deny” all applies not only to what comes in but also to what goes out. For the traffic that your policy authorizes, it is important to make sure that all this traffic flows through a security device specifically designed to control, inspect, filter, and route this type of traffic. There are many out there for each type: proxies and content filters for web browsing, malware and spam filters for email, and concentrators for VPN connections, as well as many others. In addition to these devices you also might want to invest in a data exfiltration protection device that you drop inline into these flows. This will make sure that no one voluntarily or involuntarily sends anything out that they shouldn’t be sending. In addition, make sure that any device that you buy is capable of being an encryption end-point so that all traffic can be examined. Never allow encrypted traffic to flow in or out of your network without being examined.

Still, you can’t allow this traffic to flow without keeping an eye on it, and this is where monitoring and alerts come into play. It is always a good idea to aggregate the logs by sending them to a log server using a standard protocol such as SYSLOG so that they can be examined and alerts generated based on preset conditions that you define. Also, retaining these logs over the long term on this server provides evidence for investigations should something like a breach happen again. If you then add in an Intrusion Detection System or Intrusion Prevention System, you are about set.

These are just the basics, as this setup can become much more complicated should you have servers at your perimeter or anything approaching a DMZ, but you get the idea. This quick run-through will give you some ideas and will be a good place to start on your quest to enhance your Network Security. There are many other areas your security program will have to cover as well, such as user education, end-point protections, hardening, and even patching, but these can be handled elsewhere in your process. I wish you luck with your effort and should you need any assistance in these areas I would be happy to help.
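
The two monitoring points raised above (David's "system event auditing/correlation/alerting" and Gregory's syslog aggregation with "alerts generated based on preset conditions that you define", plus the rule that "Deny all" applies to outbound traffic too) can be made concrete with a small log-review script. The following is an added example written for this page, not code from any of the posters: it takes syslog-style lines as a central log server would receive them from a firewall and an SSH host, checks every accepted outbound connection against a written egress policy, and flags sources with a burst of failed logins. The log lines, host names, addresses and the `EGRESS_POLICY` table are all constructed for illustration; the log formats mimic the iptables LOG target and OpenSSH but are assumptions about what your devices emit, so adjust the regular expressions to your own equipment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog lines, as a central log server might receive them
# from a perimeter firewall (fw1) and an internal host (srv2). Not real data.
SAMPLE_LOGS = """\
Jun 23 09:14:02 fw1 kernel: OUT ACCEPT SRC=10.0.5.21 DST=203.0.113.10 PROTO=TCP DPT=443
Jun 23 09:14:05 fw1 kernel: OUT ACCEPT SRC=10.0.5.21 DST=198.51.100.7 PROTO=TCP DPT=6667
Jun 23 09:14:06 fw1 kernel: OUT DROP SRC=10.0.5.33 DST=198.51.100.9 PROTO=TCP DPT=25
Jun 23 09:14:30 fw1 kernel: OUT ACCEPT SRC=10.0.5.2 DST=203.0.113.25 PROTO=TCP DPT=25
Jun 23 09:14:31 fw1 kernel: OUT ACCEPT SRC=10.0.5.40 DST=203.0.113.25 PROTO=TCP DPT=25
Jun 23 09:15:01 srv2 sshd[4112]: Failed password for admin from 192.0.2.50 port 51022 ssh2
Jun 23 09:15:03 srv2 sshd[4112]: Failed password for admin from 192.0.2.50 port 51023 ssh2
Jun 23 09:15:04 srv2 sshd[4113]: Failed password for admin from 192.0.2.50 port 51024 ssh2
Jun 23 09:15:09 srv2 sshd[4114]: Failed password for admin from 192.0.2.50 port 51025 ssh2
Jun 23 09:15:10 srv2 sshd[4115]: Failed password for invalid user root from 192.0.2.50 port 51030 ssh2
Jun 23 09:20:00 srv2 sshd[4200]: Failed password for bob from 10.0.5.21 port 40110 ssh2
Jun 23 09:20:04 srv2 sshd[4200]: Accepted password for bob from 10.0.5.21 port 40110 ssh2
"""

# Hypothetical written egress policy ("deny all, allow what is authorised"):
# ports any internal host may reach, plus per-host exceptions.
EGRESS_POLICY = {
    "any": {53, 80, 443},
    "10.0.5.2": {25},  # only the mail relay may speak SMTP outbound
}

SYSLOG_TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)"
FW_RE = re.compile(
    SYSLOG_TS + r" (?P<host>\S+) kernel: (?P<dir>IN|OUT) (?P<action>ACCEPT|DROP) "
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)"
)
SSH_FAIL_RE = re.compile(
    SYSLOG_TS + r" (?P<host>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_ts(ts):
    # BSD syslog timestamps carry no year; strptime defaults to 1900, which is
    # fine for measuring intervals inside one batch of lines.
    return datetime.strptime(ts, "%b %d %H:%M:%S")


def parse_line(line):
    """Return a dict for a firewall or SSH-failure event, or None for other lines."""
    m = FW_RE.match(line)
    if m:
        ev = m.groupdict()
        ev.update(kind="fw", ts=parse_ts(ev["ts"]), dpt=int(ev["dpt"]))
        return ev
    m = SSH_FAIL_RE.match(line)
    if m:
        ev = m.groupdict()
        ev.update(kind="ssh_fail", ts=parse_ts(ev["ts"]))
        return ev
    return None  # still retained on the log server, just not alerted on here


def egress_violations(events, policy=EGRESS_POLICY):
    """Outbound connections the firewall ACCEPTed that the policy does not allow.
    Either the ruleset has drifted from the written policy or a host is reaching
    out to something it should not (e.g. a workstation sending SMTP directly)."""
    alerts = []
    for ev in events:
        if ev["kind"] != "fw" or ev["dir"] != "OUT" or ev["action"] != "ACCEPT":
            continue
        allowed = policy["any"] | policy.get(ev["src"], set())
        if ev["dpt"] not in allowed:
            alerts.append((ev["src"], ev["dst"], ev["dpt"]))
    return alerts


def brute_force_sources(events, threshold=5, window_seconds=60):
    """Sources with at least `threshold` failed SSH logins inside any window."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["kind"] == "ssh_fail":
            by_src[ev["src"]].append(ev)
    alerts = []
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):  # sliding window over sorted failures
            while (fails[end]["ts"] - fails[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                users = sorted({e["user"] for e in fails[start:end + 1]})
                alerts.append((src, end - start + 1, users))
                break  # one alert per source is enough for the operator
    return alerts


def analyze(log_text):
    events = [ev for ev in map(parse_line, log_text.splitlines()) if ev]
    return {"egress": egress_violations(events), "brute_force": brute_force_sources(events)}


if __name__ == "__main__":
    for kind, alerts in analyze(SAMPLE_LOGS).items():
        for a in alerts:
            print(f"ALERT {kind}: {a}")
```

Run against the sample it raises two egress alerts (a workstation accepted out to TCP/6667 and another sending SMTP directly, both outside the policy) and one brute-force alert for 192.0.2.50, while the dropped SMTP attempt and the lone failed login are left alone. The point is the method rather than these particular rules: write the policy down as data, compare what the devices actually did against it, and let deviations become alerts and audit findings.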

Ryan M. Ferris
Posted on June 22, 2010

This is usually the first type of question corporations ask after a breach. To find your answer will require both top down and ground up energy. "Security is a process" the gurus like to say. It is also a commitment.

Your process has had a failure. If the failure is systemic, then to address the failure you need to re-invent your security process. Most probably, your CEO should appoint a group of engineers and management to research the re-engineering of your security process. The policy implementation could then evolve at a more informed level. For example, you might need consultation, configuration, personnel, practices, training, hiring, budgetary changes. Your CEO/IT staff may have existing vendor relationships that will be an important resource. You may need to start with risk assessment and work your way through a process that will end with difficult budget vs. services compromises.

Your staff (with management approval) might be helpful for now in responding to this breach from the ground up. They could form a group that could research best practices for users and encourage each other to engage in well-known security practices identified by organizations like CERT, NIST, NSA, Microsoft, Cisco, and your anti-virus, firewall and remote access vendors. These suggestions would be multivariate: appropriate password policies, software installation policies, browser script policies, e-mail filtering, avoiding 'social engineering', avoiding stolen laptops, properly securing remote access, etc. The list of such practices is not infinite, just long. Sometimes 'ground up' energy from staff members can drive a process like no IT staff or CEO can imagine. The best solutions often happen when the company as a team is committed to security: understanding as a group what they have to lose.

The "big picture" issue that your office or company faces is that computer networks are the world's newest battleground for identity theft, insider theft, organized crime, industrial espionage, state-based terrorism or some combination of the aforementioned. The more resourced your attackers, the more diligent and expensive your security practices need to be. Risk assessment is often the beginning of the process. Were you penetrated by a rogue black hat, some corporation's white hat or something in between? Did you suffer data loss that will be sold to a competitor? Are you part of the DIB (Defense Industrial Base)? Did state-based hackers penetrate your site with APT? Your business model and your assets will help determine your risk assessment. You need to understand what you have to lose so that your office can value security appropriately.

Here is a link to some papers I recently wrote tailored to small business owners: http://thinking-about-network-security.blogspot.com/p/papers.html . There are plenty of others with thoughts on this subject and lots of information retailers that cater specifically to your needs for business security. My final suggestion: Start your solution with careful, thoughtful research. Let your research conclusions drive your process.

Jacek Snopkiewicz
Information Security Architect, Cymer Inc.
Posted on July 29, 2010

Karen,
A security vulnerability assessment should be performed by a third-party security consulting firm to review your company’s current state of information security. The findings and strategy recommendations should then be shared with your IT team as well as the executives.
The good news is that due to the recent breach, the executives will not need much convincing to fund new security initiatives.

Jacek
