Identifying a Security Methodology for Your Network Operation

Enterprise Networks & Servers, Apr 2004 by Shacklett, Mary

Different sites have varying requirements for the security of their networks, but one thing is certain: everyone needs security checkpoints to some degree, given the number of intrusion attempts and viruses flourishing in today's IT environment. This article reviews the different security approaches that can be adopted as network safeguards, and how to fit those approaches within the daily scope of network operations.

The industries under the greatest security pressure are defense, healthcare, finance and high technology. For some, there are regulatory pressures to safeguard customer information. Others run the risk of losing irreplaceable intellectual capital if there is a break-in to their data banks.

In sharp contrast, industries like retail, distribution and manufacturing face fewer security pressures from regulators. Regardless of the business environment your network operates in, there is still a "best practice" mandate to have some type of security bulletproofing in place, and most sites recognize that they do not have the products and services in-house to provide the security protection that is needed.

For most companies, security protection begins with the purchase of firewalls and security and authentication software and hardware. For a significant subset of these businesses, the security effort stops there. However, the liability for security breaches does not end with the purchase and installation of commercially available security packages, a fact that even businesses with minor regulatory pressures should consider.

The question then becomes, what is the right security solution for the network, based on needs, responsibilities and budgetary constraints?

Types of Security Solutions

Some excellent security schools, such as the SANS Institute, are available for staff training in security practices. However, training does not take the place of an independent review of your network by a security specialist. An independent security review will reveal network vulnerabilities that even a highly trained staff will not catch. At one recent site, the network staff had been fully trained in security methodologies but had missed the fact that their network routers came pre-configured from the manufacturer with many security exposures. An outside security auditor pointed this out in a separate report, and the problem was immediately remedied.

With the value of a third-party security evaluation established, the next step is to determine what types of third-party evaluations are available, and which is most appropriate for your situation.

The most common third-party onsite security evaluation is the network security audit. This audit can take one of two forms: it can be conducted as a pre-audit, before industry examiners take their own look at your network security, or it can be conducted as the audit itself. In both cases, the site receives a security report from the evaluator that details vulnerabilities and exposures and prescribes corrective measures.

Some organizations may elect not to perform a full audit. Instead, they might contract for a smaller-scope Vulnerability Assessment or Penetration Assessment. A vulnerability assessment enumerates the weaknesses present on the network; a penetration assessment goes a step further and attempts to exploit them to show what an attacker could actually reach. These security tests can also be performed by third-party security firms.

The last major category of security testing is the Risk Assessment study. A study of this nature includes networks, but it is more far-reaching. A security risk assessment looks at security risks from a total, corporate standpoint. This includes networks and enterprise computing, but also risks to other forms of information assets, employee sabotage, financial loss scenarios, reputation loss scenarios, and so forth. Full risk assessments are almost always authorized by upper management.

Selecting the Correct Security Approach

As mentioned earlier, the appropriate third-party security evaluation methodology varies widely by industry. Here are some general guidelines based on industry practice.

* If you are operating a network in a tightly regulated industry, such as insurance, finance, defense or healthcare, it is often prudent to begin with a total risk assessment of the organization, including technology assets such as networks and enterprise computers. These industries are expected to function at the highest levels of security to protect the information entrusted to them. Any security breach can have a significant impact on reputation and business.

Once the risk assessment is complete and the management team has been briefed on its results, further corrective actions can be taken, including the initiation of other security audits that look more closely at specific areas. It is at this point that network-specific security audits with vulnerability and penetration testing might be authorized.

* If you are in high technology, or another industry in which information is highly proprietary but perhaps less formally regulated, it is good to start with a full security audit. This can be done in one of two ways: you can either authorize a full audit, or you can request that an outside security firm perform a pre-audit.

Content provided in partnership with ProQuest