Step by Secure Step: Network Security Planning
With a little prioritization, setting up a network security plan doesn't have to eat up all your time.
by Joern Wettern
Securing your network can seem like an overwhelming task. After all, it's an ongoing effort and there's always something you could or should do better. Even worse, most of you are faced with new and evolving security threats on a daily basis, while still dealing with management that's often reluctant to pay for additional security projects.
Because there aren't enough hours in the day to get everything done, it's essential to set priorities.
A proper network security plan starts with a formal threat assessment. Developing a plan like this typically takes weeks. If you don't have the time, you may be tempted to skip the formal assessment and focus on fixing the security risks that appear the most urgent.
Skipping the assessment step can result in a disorganized and ineffective security policy that resembles a patchwork of Band-Aids. Fortunately, there's a simple process you can use to develop a coherent security policy without having to invest weeks of your time.
You can make a lot of progress, even in just an hour or two of assessment. Your goal should be to create a list with three columns outlining your assets, the threats they face and countermeasures needed to defend against those threats.
In the first column, enter all the assets you have to protect and assign an approximate value to each one. Make sure you include tangible and intangible assets. If a precise value is difficult to determine, simply assign a low, medium or high value classification.
For each technology asset you identify, try to imagine the threats it faces. This information goes in the second column. For an e-commerce site, this may include hackers, loss of connectivity and even data theft by internal users.
Finally, try to determine the defensive measures you could use to protect all the assets listed in the first column against the threats in the second column. These measures could include a firewall for your e-commerce site and updated anti-virus software for all client computers.
Categorize Then Prioritize
The steps you've taken thus far don't differ much from a formal risk assessment. Because of the informal nature of the process, though, you didn't need input from others in your organization and you didn't have to perform a thorough analysis of your asset values and the associated risks.
You'll need to find the most urgent and easy-to-accomplish measures that you can implement immediately. Start by finding items in your list that fall into the following categories:
- Things you've already done: Give yourself credit for what you've already done. For example, if you have anti-virus software installed on all your computers, treat this as an accomplishment. Knowing what you've already done makes the rest of the process less stressful.
- No-brainers: Certain elements of network protection are so obvious, you should do them right away. You should be able to easily convince management to appropriate the required resources for such essential tasks.
- Cheap and easy: Some things can be done cheaply and easily. Before spending too much time and energy convincing management to spend money on a new security initiative, concentrate on the items that cost little or nothing to fix and that you can knock off quickly. For example, if you're concerned about users writing their passwords on sticky notes that they attach to their monitors, send a well-written e-mail explaining why this is a bad practice and how to create effective and easy-to-remember passwords. That's much easier and more effective than tinkering with your domain's password policy.
- Cutting corners: There are times when it's good to be thorough. There are also times when it's better to do something quickly rather than perfectly. Software updates are a good example of this. Developing an update strategy to patch all your computers on a regular basis involves careful planning, testing updates and careful rollout. An imperfect solution would be to activate Automatic Updates on all client computers. While this can create network problems if a security update doesn't work correctly, that risk is probably outweighed by the benefits of getting computers patched quickly.
- Sneaky timing: Sometimes you can implement security measures quickly by taking advantage of media reports to impress on management the need for a solution. Television and print media frequently concentrate on high-profile cases of data theft and other computer crime. Your management might be more receptive to your pleas for money to protect against these threats. For instance, spyware may not have the highest priority on your task list. If it shows up on the news, though, you're more likely to get the funding, so don't wait. That may be taking advantage of prevailing fear, and it may be sneaky, but if it makes your network more secure, then go for it.
Don't use this approach as an excuse to bypass a real threat analysis, though. Use it as a foundation to create a more formal plan in the future.
Never treat the list you initially developed as a static document. Periodically review it and add more elements. Incorporate new items based on what you learn about security and feedback from your coworkers. Also, you should try to learn more about the value of your company's IT resources, from the value of the data you're protecting to the value of maintaining business continuity.
Investing a little bit of time every once in a while is much easier than setting aside one large block of time. By addressing the most pressing issues along the way, you'll even have completed most of your security upgrades by the time you're ready for a formal threat analysis.
Joern Wettern, Ph.D., MCSE, MCT, Security+, is the owner of Wettern Network Solutions, a consulting and training firm. He has written books and developed training courses on a number of networking and security topics. In addition to helping companies implement network security solutions, he regularly teaches seminars and speaks at conferences worldwide. You can contact the author at firstname.lastname@example.org.