While I think a lot of companies hide their heads in the sand when it comes to understanding and deploying network security, it is something that will eventually bite you in the bum and can have severe consequences.
Securing the modern business network and IT infrastructure requires an end-to-end approach and a clear understanding of vulnerabilities and how to protect against them.
While such knowledge cannot prevent all attempts from hackers, it can empower network engineers to reduce your risk by eliminating certain general problems and quickly detecting breaches. With the ever-increasing complexity and number of attacks, a keen approach to security in both large and small enterprises is critical.
Having a good think about your security policies, and a strategy behind them, can significantly increase the security of a network. While policies can be very complex and generally annoying to end users, it is often the simple aspects that prove most useful.
A centrally managed anti-virus update system should now be commonplace, but consider adding a host scanner facility to detect new or out-of-date systems so that you have complete control of all your assets on the network.
In general, policies and automatic enforcement tools help reduce the obvious security flaws so that network engineers can concentrate on the more complex issues.
Here are some ideas of what a security policy should consist of:
• Scan and lock down unneeded network ports on all network devices and turn off unnecessary services
• Centrally managed anti-virus software on the entire network
• Utilize central security updates, e.g. Windows Update Server
• Secure central authentication, for example RADIUS or Windows/Kerberos/Active Directory
• Firewalls at all public-private network transit points
• Version controlled and centrally deployed firewall rule sets
• Set up DMZ protected zones to protect externally facing servers
• Password policy (e.g. must change every 3 months and must be a “complex password”)
• Proactive network scanning for new and out-of-date hosts
• Network monitoring systems for suspicious activity
• Incident response procedure (policies, process, etc.)
• Web Browser protection from malicious software downloads
The above list represents the key items you should have in your security policy. There are probably a lot of other items you could have in a policy. It’s important to balance factors such as company size, risk analysis, cost and business impact when determining the items to include in a security policy.
Start with understanding what exactly is on your network (especially mobile devices accessing files and email) and then what you actually need. You could have an extremely locked down and secure network but still have one old Windows 2000 computer that lets hackers directly into your internal network in 2 minutes flat.
Every company, regardless of size, should have a security policy, as all computers are a potential target for a security breach.
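One way to act on "understand what is on your network" is to reconcile what a discovery scan sees against what your asset inventory says should be there. The sketch below is an added example, not part of the original post; the inventory columns, IP addresses, unsupported-OS list and 90-day patch window are all assumptions made for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample data (not from the original post): an asset inventory
# export and the set of hosts a discovery scan reported as alive.
INVENTORY_CSV = """ip,hostname,os,last_patched
10.0.0.10,fileserver01,Windows Server 2019,2024-05-20
10.0.0.11,hr-laptop-07,Windows 10,2024-01-03
10.0.0.12,legacy-payroll,Windows 2000,2009-06-01
10.0.0.13,printer-2f,Embedded,2024-05-01
"""
DISCOVERED = {"10.0.0.10", "10.0.0.11", "10.0.0.12", "10.0.0.99"}

# Assumption: the policy defines its own unsupported-OS list and patch window.
UNSUPPORTED_OS = {"Windows 2000", "Windows XP"}
MAX_PATCH_AGE_DAYS = 90


def audit_hosts(inventory_csv, discovered, today,
                unsupported=UNSUPPORTED_OS, max_age=MAX_PATCH_AGE_DAYS):
    """Compare scan results with the inventory and return policy findings."""
    assets = {r["ip"]: r for r in csv.DictReader(io.StringIO(inventory_csv))}
    known = set(assets)
    findings = {
        # Alive on the network but never recorded: a new or rogue host.
        "unknown": sorted(discovered - known),
        # Recorded but not seen: retired, powered off, or moved.
        "not_seen": sorted(known - discovered),
        "unsupported_os": [],
        "stale_patches": [],
    }
    for ip in sorted(discovered & known):
        asset = assets[ip]
        if asset["os"] in unsupported:
            findings["unsupported_os"].append(ip)
        age_days = (today - date.fromisoformat(asset["last_patched"])).days
        if age_days > max_age:
            findings["stale_patches"].append(ip)
    return findings


if __name__ == "__main__":
    report = audit_hosts(INVENTORY_CSV, DISCOVERED, date(2024, 6, 1))
    for category, hosts in report.items():
        print(f"{category}: {', '.join(hosts) or 'none'}")
```

In practice the discovered set would come from your scanner's export and the inventory from your asset database; the "unknown" and "unsupported_os" lists are the ones to chase first.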
Do you have any policy ideas to add to the list?