Network Security is never far from the mind of some corporate executives and certainly not far from the mind of the head of IT. Every day we read or hear in the media of another security failure in the corporate world, a failure that certainly hammers the corporate profile and asset value of the unfortunate company and could in some cases lead to business failure.
At the same time, IT is being asked to do more with less to ease corporate budgets, and this will include network security. How to balance this dilemma is the $100K question.
Here are six suggestions.
The greatest danger to any network is, according to the FBI, the person who sits between the keyboard and the back of the chair. More security breaches have been caused by users not doing what they should or doing something they shouldn’t than by any other means.
Phishing is a major threat.
User education in identifying potential threats and what to do if they suspect they see one should start at onboarding and be regularly reinforced. Remote users must be included.
Firewalls and Anti-Malware
There must be comprehensive anti-malware and firewall defences against network-borne threats. As far as possible, servers should not be exposed to the Internet outside the firewall.
The FBI also states that criminals will go for the easiest targets, so if presented with a site with an excellent firewall and comprehensive anti-malware defences they tend to move on and look for another site with poorer defences.
Hide your Network ID (SSID)
Broadcasting to the world out there that you have a corporate WiFi network is inviting people to try to use it. If they can use it, you will find a car-park full of freeloaders surfing the Net on your dollar.
Either don’t broadcast your network ID or change it to something that doesn’t identify your organisation. Best not to display it at all.
There seems to be an unfortunate tendency not to require authentication to connect to a WiFi network and to rely instead on network and application authentication. Implement authentication with the same rigor as for wired network access.
If you need guest access, make sure that it is time-limited and passes straight through to the Internet with no access to the corporate network and systems.
Password management is one of the more neglected essentials in the overall security environment. All network equipment, including servers, routers, switches, network management software, application systems and so on, comes with a default password.
The first and vital step is to change the default password to prevent unauthorised access to the device. Passwords should also be changed when a network technician, particularly one with admin access, leaves the organisation.
Password usage profiles need to be created and ruthlessly applied. Some password criteria include a minimum length and composition. If passwords can be automatically disabled to force a change, even better.
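The three password checks described above (default passwords changed, passwords changed when an administrator leaves, and a usage profile with minimum length, composition and forced change), as an added example that is not part of the original article. The device names, staff names, dates and policy numbers (14 characters, three character classes, 90 days) are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Assumed policy values; the article names the criteria but not the numbers.
MIN_LENGTH = 14
MIN_CLASSES = 3
MAX_AGE_DAYS = 90

@dataclass
class Device:
    name: str
    default_password_changed: bool
    password_set: date
    admins: tuple  # staff who know this device's admin password

def password_problems(candidate):
    """Check a proposed password against minimum length and composition."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    classes = [any(c.islower() for c in candidate),
               any(c.isupper() for c in candidate),
               any(c.isdigit() for c in candidate),
               any(not c.isalnum() for c in candidate)]
    if sum(classes) < MIN_CLASSES:
        problems.append("too few character classes")
    return problems

def audit(devices, leavers, today):
    """Return {device: [findings]}; leavers maps a name to a leaving date."""
    findings = {}
    for d in devices:
        issues = []
        if not d.default_password_changed:
            issues.append("default password still set")
        for person in d.admins:
            left = leavers.get(person)
            if left is not None and d.password_set <= left:
                issues.append(f"not changed since {person} left")
        if (today - d.password_set).days > MAX_AGE_DAYS:
            issues.append("older than maximum age")
        if issues:
            findings[d.name] = issues
    return findings

# Constructed sample inventory and leaver list.
INVENTORY = [
    Device("core-switch-01", False, date(2023, 1, 10), ("alice",)),
    Device("edge-router-01", True, date(2024, 5, 1), ("alice", "bob")),
    Device("file-server-01", True, date(2024, 6, 20), ("bob",)),
]
LEAVERS = {"alice": date(2024, 6, 1)}
```

Calling `audit(INVENTORY, LEAVERS, date(2024, 7, 1))` reports the switch and the router and leaves the file server out; the inventory records only when each password was set and who knows it, never the password itself.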
Desktop devices are often neglected. They must have standard fixed systems and applications software configurations, centrally managed and not able to be altered by the user. Users must not be able to alter the system’s configuration.
This implies that software upgrades and general maintenance are push delivered from a central location.
It is a similar situation with anti-malware and anti-spyware applications. The application itself and its data files must be centrally managed in a push environment to keep them up to date. Users must not be able to switch them off or alter their operating environment.
In some environments where there is a potential for IP theft, USB ports should be disabled to prevent attachment of external storage devices like flash drives and external hard drives that could be used to deliver viruses or steal information. DVD/CD drives should also be disabled.
In case the worst happens, it is absolutely essential to have up-to-date backup copies of all your systems and operational data held securely, ideally offsite.
The quickest way, and often the only way, to recover from malware, especially a ransomware attack, is a total back-to-the-metal reinstallation of everything. So you will need complete and usable backup copies of everything. Preferably these will be offsite but easily accessible.
A complete record of all your software licence information will also be needed.
For peace of mind and to cover for staff unavailability, keep up-to-date and accurate lists of key suppliers, their representatives who deal with you and their contact details. Other key individuals, for example the company communications unit, should also be included.
If you are operating a hosted solution, make sure that your hosted service provider complies fully with these requirements.
It has been said that the only secure network is one that hasn’t been hacked yet, so while not losing too much hair over network security, do not be complacent.