Sun Tzu, The Art of War
"The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable."
Get Ready for the Intruder
Security is not simply about investing in equipment; it's about putting in place a security life cycle that's driven by your business needs. Believe it or not, your organization could be miles away from being secure even if you have a firewall in place. Conversely, you could have already achieved a high degree of security, even without a firewall. In short, securing an organization requires much more than a firewall. It requires a complete understanding of the security life cycle and how to deploy it.
Most business owners tend to misinterpret the function of security. Securing an organization does not mean disconnecting all networks and powering down the systems. It is about securing the organization while enabling it to continue doing its business.
This involves both the human factor and the machine factor. We address the first by laying down policies, educating users, implementing the policies and finally conducting audits. The second is addressed using proper tools, both hardware and software, and procedures.
The Human Factor
The organization's business needs are the basis on which access restrictions and rights are defined. Whether Internet access and e-mail are required and to what extent, and whether remote connections should be allowed on the network, are all driven by business needs. Based on these, a security policy document is created. This doesn't have to be a large and detailed document, so long as it contains the specific areas you want to address.
Once the policy is put in place, you will want to focus on education, processes, tools, audit and review. Most organizations underestimate the need for user training and education. The best of firewalls and tools can't provide as much security as a well-educated user would. So, spend the resources and time on educating your end users and senior management.
Turn the security policy into actionable items; this is the job of the processes section. These include standard operating procedures (SOP), which detail what is to be done in what situations, and acceptable usage policies (AUP), which are like do's and don'ts for various sections of the security policy.
Auditing is a mechanism for ensuring that all stated needs in the policy are indeed implemented. Once again, an audit of the tools deployed is as critical as the audit of process deployment. If the policy requires installation of anti-virus on every computer in the company, then leaving out the MD's (or any other) computer will dilute all possible efforts to secure your organization.
The Machine Factor
A security breach can originate from either inside or outside your network. Outside threats can come in through either your Internet gateway or e-mail. Inside threats can come from a disgruntled employee or an imposter gaining access to a vulnerable system. The imposter could be a human being or malicious code, such as a worm or Trojan, that infects an unpatched system. Given the sources of threats, you need to consider four aspects when implementing network security.
- Firewalls. To protect your network from threats coming from the Internet.
- Systems management. To eliminate vulnerabilities from servers, desktops and networking hardware such as firewalls and routers.
- Anti-virus/anti-spam. To protect all systems from viruses and threats entering through spam.
- Intrusion-detection System (IDS). To detect suspicious activity on your network in a timely manner.
Security starts within. To understand the last level of security (that is, physical security), let's suppose Tom Cruise of Mission Impossible 2 comes into your server room suspended from the roof. He opens up your machine's cabinet, takes out or shorts the battery on your motherboard and sets your BIOS password to default. He then sets the boot device priority to CD-ROM. After that he boots up the machine with a standard Knoppix CD, mounts your partitions, copies all the important data onto a USB pen drive and goes away in his chopper. So what will you do now, after all the effort you have put into securing your machine over the network? The answer is very simple.
It is also very important to keep a very tight watch on the physical security of your servers. The topic is largely outside the scope of this article, but you should still have security guards, and keys and locks on the door of your server room, and leave no opening in the roof through which Tom Cruise could climb down and hack into your server.
Having a sound IT policy for your enterprise goes a long way toward minimizing, if not eliminating, the risks. Grounding these policies with a good implementation firms up the confidence that your infrastructure will be safe and your data secure for a reasonably long time.
After all, it does not take a virus attack to lose all your data... You need a little bit of everything - some preventive measures, some cleaners, some disaster management, a little protective storage - in our management recipe for an optimistic synergy between technology and requirements.
The total cost of survival always outweighs the cost of ownership or operation. And that's the way the cookie crumbles!