The Five Top Network Security Secrets

What is the secret to network security? In the wake of recent high-profile security breaches like at LexisNexis and MasterCard, it's worth asking what it takes to nail down network security --- and what are the secrets not everyone knows?

"There's not really a secret," says Marcus Shields, enterprise product manager at Soltrus, Inc., a Canadian firm specializing in digital trust services. "There are a lot of things that organizations should be doing but aren't. A lot of it comes down to common sense."

The problem with common sense, it has been observed, is that it is not very common. Consequently, some of the basic precautions that any organization can take to secure its network might as well be arcane secrets of the security trade -- at least until you take them and make them a part of day-to-day procedure.

Assess threats and risks: "I'm always amazed at how many companies don't do threat and risk assessments." Shields says. "They don't know what assets they have and, consequently, they don't know where they're vulnerable."

Indeed, security is supposed to mitigate risks and plug holes, but you can't do that effectively unless you know what risks you're facing, and what holes you need to plug. Shields says that enterprises have been getting better, overall, at doing threat and risk assessments, but many -- perhaps a majority -- have no idea what they have connected to their networks, let alone what their biggest vulnerabilities are,The problem is a combination of two things. The first is the way that networks have grown organically. Devices and systems typically proliferate to answer immediate business needs, but with little regard to long-term security issues. The other problem relates to the nature of security itself.

"It tends to be reactive," Shields says. "It's like 'we just got attacked," or 'so-and-so just got attacked and we have to do something. let's get a box.' Organizations concentrate on what they think are the likely risks without knowing exactly what risks they actually face, and that's just not enough."

Develop a security policy: With all the talk about the need for procedures and governance in security, it might come as a surprise that security policies are not all that common. "You'd be really surprised at how few organizations actually have a policy," Shields says. "Most have a acceptable use policy that says 'don't look at pornography or run a business on company systems, but not a real security policy."

The point is that, once your threat and risk assessment finds the holes in your security, you need a policy to keep those holes plugged. "Now that you know what your risks are, you can tell your employees," Shields says. "You might have to hire a company to develop your policy, but it's a low-bucks proposition."

Know the ins and outs: The best security rests on a clear understanding of how your systems work. Once the threat and risk assessment has established how, and by what agency your network can be compromised, organizations have to embark on an ongoing voyage of self-discovery. One of the biggest security secrets -- and it is a secret because it's not explicitly about security -- is that you need to have a clear understanding of and the tools to continue to understand the mechanisms of communication in and out of the enterprise.

"Whenever a new mechanism, like voice over IP (VoIP) or instant messaging, that becomes a vector of attack," Shields says. "VoIP hasn't been highly exploited because it doesn't have a lot of critical mass yet. On the other hand, you can't just say 'I don't have to worry about VoIP security because I haven't deployed it' because that doesn't account for the employee who has downloaded the Skype client."The bottom line is that communications can bring in more than information, and any organization that's halfway serious about security has to look carefully at who's using what means to communicate. Even instant messaging (IM) can be a vector of infection and attack. "IM's are crawling with viruses; they're a happy hunting ground," Shields says.

Take it home: The question of networking self-knowledge has become increasingly complex because one of the deepest darkest security secrets is that the enterprise network doesn't end at the enterprise. What people do at home can't be ignored anymore. You might ban IM's in the office, for example, but that won't help if your employees have IM clients on their home computers logged onto the enterprise network through a virtual private network (VPN).

"IT departments have been saying that they can't look at every home desktop, but that's not good enough," Shields says. "There's no clear answer, but enterprises have to bite the bullet here. In theory, you can say that, if you want employees to access the work network through Citrix, then the company has to subsidize anti-virus and anti-spyware software the same way many of them subsidize cell phones."

Get smart about mobile: The same issues apply to mobile devices, from laptops to smart phones. The problem is that even the dumbest of these devices is getting smarter. "Java phones, for example, are an endpoint that can be a serious security issue," Shields says. "If one of these phones gets infected, how do you get it off, and how do you keep it from infecting other devices?

Shields concedes that mobile devices remain a difficult security issue to deal with. Blackberries have rudimentary e-mail encryption, but few other devices have even that level of protection. So what's the secret to dealing with it all? "There really is no secret," Shields says. "You have to start looking for ways to minimize your risk from this direction, even if nothing is obvious yet. That much is common sense."0