Managing Network Risk

As security technology has continued to change and advance, security directors have been presented with a vast array of choices in designing and implementing a physical security program. The range of options can be a bit overwhelming at times, but...

I recall an example recently from an information security conference. We were shown a slide depicting a college student who was obviously in his dormitory room, with his girlfriend lounging on his bed behind him. He had a confused look on his face. The image was taken from the camera he had attached to his computer monitor. He was reading a message indicating that a hacker was currently watching him and his girlfriend through that camera. The message was asking him to move to the side so the hacker could get a better view of the girlfriend! This could just as easily be your camera in your facility if it isn't properly protected.

Encryption - A method of encoding information transmitted across computer systems and networks to ensure confidentiality, integrity, and potentially non-repudiation (in financial transactions). This one is a hot button for me. I frequently ask vendors at security trade shows whether their IP-enabled CCTV or alarm system has an encrypted transmission. For the longest time they look at me like I have lobsters crawling out of my ears. This is changing, however. More of them are realizing the risks associated with unencrypted traffic and are offering encryption at least as an option, if not as the system default.

Whether internal transmissions should be encrypted will depend upon your business risk analysis and regulatory issues. If you determine they should be encrypted, I would recommend you have at least SSL (Secure Sockets Layer) levels of protection. Virtual private network (VPN) techniques are a more robust means of protecting traffic today transmitted between firewalls. Encryption ensures that intercepted messages cannot be readily deciphered by unauthorized parties. Any transmissions over a public network or wireless methods must have proper encryption.

Availability - A set of controls that ensures that information will be available when needed. This includes access controls to protect against unauthorized destruction of stored information or images. It also requires contingency plans for unplanned outages or disasters and response plans to restore normal operations in the event of an outage.

Change Control - Ensures that only authorized changes to programs, applications, operating systems, or network architecture components are allowed to occur. These malicious code controls must be capable of preventing computer viruses, logic bombs, Trojan horses, unauthorized encryption for extortion, sexual harassment, discriminatory or defamatory messages, invasions of privacy and fraudulent activities. It must also disallow the use of invalid data to corrupt critical reports and analysis tools used by management or staff to make strategic or customer services decisions.

Firewalls - A system or group of systems that enforces access control policy between two networks, or individual users and the network over public or non-trusted networks. Firewalls are also used between elements of your internal networks to properly separate business entities or high-risk environments from your internal production environment. There are a large number of firewall vendors. Consult with your information security group to find out which products are used in your company.

Firewalls include a wide range of potential ports and protocols used for connectivity to components or subsets of the network. Depending on business exposures, you may have your firewall design include a demilitarized zone technique to isolate and compartmentalize the risk to applications and servers. This includes layering firewall design to provide appropriate access and protection to individual business and application servers without exposing other business entities, the central network, the mainframe, or other servers to unnecessary levels of risk.

Intrusion Detection (IDS) - A system that monitors network (or in some cases host application) traffic and responds with an alarm when it identifies a traffic pattern that it deems to be either a port scanning attempt, an unauthorized access attempt, a denial-of-service attack, or any of a number of other forms of attack. Extensive logging is available with this technology. The alarms may generate an e-mail alert, a cell phone alert or a pager alert depending on the level of severity. In a nutshell, this technology effectively informs you that something suspicious has happened, or is currently happening.