Managing Network Risk

Oct. 27, 2008

As security technology has continued to change and advance, security directors have been presented with a vast array of choices in designing and implementing a physical security program. The range of options can be a bit overwhelming at times, but you're considered to be a progressive and innovative leader, and you've selected an appropriate set of solutions for your needs. Each component offers functions that meet the security objectives you've determined are necessary. Each component was well researched and successfully implemented. They've all been tested, and every one of them works within your expectations. So you're done, right? Not so fast. Chances are, you have security components or systems that are IP enabled. It is also likely that you use your corporate network to connect these systems as well as to operate and administer them. If this is the case, there are other concerns you need to be aware of.

Whose Network Is It?
If your security systems run over the corporate network, one of the first issues you need to be aware of is that it is no longer your wire. The network has many uses, many populations of internal users, and lots of processes, all on the wire at the same time. Your organization has a network administrator or network operations group that is charged with keeping the wires humming. Your needs are not the only needs these people need to meet. So what does that mean to you as a user of the network?

First, you need to be aware that all networks have capacity or bandwidth limitations. Each use of the network takes a percentage of that bandwidth that is then unavailable to other users. The network administrators monitor bandwidth because overuse will fill up the pipe and slow the responsiveness of the network. Since the network administrators are accountable to all users for uptime, they typically will jealously guard any and all additions to the network traffic. So the cardinal rule in connecting to the network is to communicate your needs to the network administrators early in your process. Better yet, have a network technician on the project team to assist you. Whatever you do, don't surprise your network administrators. Never connect a component to the network without their active participation.

Determine Your Networking Requirements
How much bandwidth do you need? Some processes don't require a great deal of bandwidth, but some clearly do. For example, simple alarm relays and sensors don't typically require a lot of throughput to be effective. However, streaming media such as a direct streaming CCTV system will take a significant amount of bandwidth. If you miscalculate your bandwidth needs, it could end in network outages. Likewise, if another user changes his or her bandwidth use significantly, the picture quality and usability of your CCTV system is degraded.

The solution to this problem is to carefully coordinate your needs with the network administrators. Have them test the throughput impacts of your systems and bench test for impacts to the network. They have many tools to help structure your network use to maximize efficiency and minimize impacts. In some cases, network enhancements or upgrades are necessary to carry all of the traffic.

The next item of concern is availability of the network, or uptime. You need to find out if the network administrators have scheduled planned outages, which they frequently do to accommodate network maintenance and system upgrades. Discover what those planned outages are and whether they conflict with your system needs. Imagine a bank alarm not being received because of a simple system maintenance cycle that you were not aware of. Again, clearly communicate your security requirements when connecting to the network so that you don't get any surprises.

Unplanned network outages are also a concern. Your role is to determine the impacts of a network outage for your security operation. This forces you to consider such features as store- and-forward systems to ensure that no loss of data occurs. Alarms and other critical features should have built-in redundancy. Check with your network administrators to determine if the network itself has built-in redundancy that you can take advantage of. If not, you may need to consider alternate means to get the signals through during system outages.

Finally, you need to manage your system impacts and growth. Ask for network utilization reports showing what your security systems are using. Look for patterns of growth or unusual activity to help alert you to problems before they get serious. For instance, say you have two office locations, the main office and a satellite office. Each of them is covered by streaming CCTV signals for 10 cameras.

The network in the main office is large and has excess capacity along with built-in redundancy, so your use of the network does not present any significant challenges. However, the satellite office is small, and the network there is sized accordingly. It is not a redundant system. You use a good deal more of the network than many of the other users. The impact of adding a new camera in the main office may be trivial, but in the satellite office it could be significant. Bottom line: You need to know what you're using, track it, plan for growth, and manage it accordingly.

Network Security Risks
If you have a background in information security, then the information that follows in this section of our discussion will be a basic review of standard network security risks. If you don't have that background, return your trays to the upright position and hang on to your seat-the ride may get a bit bumpy. The important issue for the physical security director is that if you are using the corporate network to deliver your physical security program, you need to be assured that the following issues are being dealt with appropriately in your company.

The following examples are not intended to be an exhaustive list of network security concerns, but they represent a selection of the issues that should be addressed in a well-constructed information security architecture. The details, components and control options will depend upon the individual business's risk management decisions. Any risk management decision should consider the value of the information protected, the cost to recover or restore damaged or lost data, the cost of downtime, the nature or impact of the exposures, the frequency of the exposures, the cost to customer confidence and public perception, the liability and regulatory impacts associated with losses, the impact on third parties, the impact on customers, and the cost of establishing and maintaining the controls.

User Authentication - Includes logon IDs and passwords. The use of logon IDs and properly configured passwords for access to resources from within the central network is sufficiently secure. Remote access and access over non-trusted (public) networks should require two-part authentication techniques such as RSA's SecurID. The key concept is to have the ability to verify the identity of the individual who has requested access.

Authentication may need to be layered depending on the business risk analysis. Principal layers to consider are network-level access, operating system access, critical network appliance components, application-level access, and hardware-level access.

Data Integrity - Protects the information from unauthorized modification and deletion. Only those with a recognized business need are given access to certain information. Your physical security data should not be accessible to other parties.Data Confidentiality - Involves controlling disclosure of information to unauthorized individuals. Confidentiality can be both a legal requirement and a business expectation. It can become an issue for information that is normally well protected within the computer system or application, but that becomes easily accessible when sent over the network, particularly if any of that information is transmitted over a non-trusted network. In this case encryption standards may need to be employed.

I recall an example recently from an information security conference. We were shown a slide depicting a college student who was obviously in his dormitory room, with his girlfriend lounging on his bed behind him. He had a confused look on his face. The image was taken from the camera he had attached to his computer monitor. He was reading a message indicating that a hacker was currently watching him and his girlfriend through that camera. The message was asking him to move to the side so the hacker could get a better view of the girlfriend! This could just as easily be your camera in your facility if it isn't properly protected.

Encryption - A method of encoding information transmitted across computer systems and networks to ensure confidentiality, integrity, and potentially non-repudiation (in financial transactions). This one is a hot button for me. I frequently ask vendors at security trade shows whether their IP-enabled CCTV or alarm system has an encrypted transmission. For the longest time they look at me like I have lobsters crawling out of my ears. This is changing, however. More of them are realizing the risks associated with unencrypted traffic and are offering encryption at least as an option, if not as the system default.

Whether internal transmissions should be encrypted will depend upon your business risk analysis and regulatory issues. If you determine they should be encrypted, I would recommend you have at least SSL (Secure Sockets Layer) levels of protection. Virtual private network (VPN) techniques are a more robust means of protecting traffic today transmitted between firewalls. Encryption ensures that intercepted messages cannot be readily deciphered by unauthorized parties. Any transmissions over a public network or wireless methods must have proper encryption.

Availability - A set of controls that ensures that information will be available when needed. This includes access controls to protect against unauthorized destruction of stored information or images. It also requires contingency plans for unplanned outages or disasters and response plans to restore normal operations in the event of an outage. Change Control - Ensures that only authorized changes to programs, applications, operating systems, or network architecture components are allowed to occur. These malicious code controls must be capable of preventing computer viruses, logic bombs, Trojan horses, unauthorized encryption for extortion, sexual harassment, discriminatory or defamatory messages, invasions of privacy and fraudulent activities. It must also disallow the use of invalid data to corrupt critical reports and analysis tools used by management or staff to make strategic or customer services decisions.Firewalls - A system or group of systems that enforces access control policy between two networks, or individual users and the network over public or non-trusted networks. Firewalls are also used between elements of your internal networks to properly separate business entities or high-risk environments from your internal production environment. There are a large number of firewall vendors. Consult with your information security group to find out which products are used in your company.

Firewalls include a wide range of potential ports and protocols used for connectivity to components or subsets of the network. Depending on business exposures, you may have your firewall design include a demilitarized zone technique to isolate and compartmentalize the risk to applications and servers. This includes layering firewall design to provide appropriate access and protection to individual business and application servers without exposing other business entities, the central network, the mainframe, or other servers to unnecessary levels of risk.

Intrusion Detection (IDS) - A system that monitors network (or in some cases host application) traffic and responds with an alarm when it identifies a traffic pattern that it deems to be either a port scanning attempt, an unauthorized access attempt, a denial-of-service attack, or any of a number of other forms of attack. Extensive logging is available with this technology. The alarms may generate an e-mail alert, a cell phone alert or a pager alert depending on the level of severity. In a nutshell, this technology effectively informs you that something suspicious has happened, or is currently happening.

Because IDS systems must deal with a wide range of potential attacks, attack signatures must be kept current with release levels provided by the vendor as new attacks are developed. Use of an IDS requires that a response capability is established and maintained so that qualified technicians can be notified and will be able to quickly react to detected attacks. Response levels must be based upon business rules specifically developed for this kind of exposure. An IDS must also be able to separate actual attacks from false or mistakenly identified attacks.

A newer technology in this genre is intrusion prevention, which takes a more active role in monitoring network traffic. This kind of sensor will actively prevent suspicious packets from continuing across the network. Global DataGuard (www.globaldataguard.com) is one company that specializes in IPS. According to Bage Anderson, Media Relations for Global DataGuard, "Detecting an intruder after he enters the house and reacting to an attack is what most (IDS) security companies do. Global DataGuard monitors the street outside of the house, looking for intruders who are casing the joint, identifying them and stopping the attack before it occurs."

Penetration Testing - Proactively evaluates and tests your network defenses to ensure that they are current, well maintained, and support established network security policies. A variety of tools are available to simulate known exposures and detect if your network components are vulnerable to them. An example of this kind of technology is StillSecure VAM(tm) (www.stillsecure.com). This product identifies, manages and repairs network security vulnerabilities.

Penetration testing also ensures that none or your critical network components are improperly configured. It makes sure all default accounts and passwords have been eliminated or renamed. The most common cause of network penetration is improper or faulty configuration of these devices. Penetration testing must be conducted regularly and carefully.

Anti-Virus Program - Keeps you safe from viruses and malicious code. These programs require frequent updates to signature files in a timely manner. You should use an industry- standard and well accepted set of software tools. Your network group should also regularly review CERT alerts, homeland security alerts and vendor alerts to stay current and keep your levels of protection as proactive as possible.

If appropriate, behavior-based controls can be used, and e-mail filtering should be enabled.

Auditability - Allows you to track key records and actions on your information systems. You want to have a principle in place to ensure individual accountability for user actions on your systems. You must be able to demonstrate that all configurations, settings, access controls and rules have been properly requested and authorized by appropriate levels of management. Access must be permitted by the owner of the information or their delegate. We must be capable of automatically dispatching or alerting key staff for those items of a critical nature detected by the audit trail or monitoring systems.

Network security risks can significantly impact your operation. If you are thinking this is a lot of technical stuff, you are correct. In fact, there are more challenges and risks than can be effectively covered in an article of this length. The above set includes many of the basics and is used to illustrate the nature of the risks associated with today's networks. It requires a dedicated and qualified group of information security professionals to provide you with proper assurances that the network will indeed be ready, willing, and able to meet your needs. Get to know these folks as they become key players in the success of your program.

Eduard Telders has security manager for PEMCO Financial Services for 16 years. His responsibilities include physical security, information security, corporate contingency planning and safety programs. Mr. Telders has been providing security management in the banking, insurance and financial industries since 1981.