Best Practices for Network Security

Best Practices for Network Security
 
Abstract

One of the most overlooked areas in today's world of modern business is that of Network Security. This shows a pointed weakness at a deeper level in where teams in management constantly battle to properly align the goals and mission of the company with their I.T. infrastructure.

To be successful in implementing network security within a business, teams in management must provide for two key fundamental points. One is to know how deeply rooted technology is in every piece of their business. Secondly, these management teams must also understand how important it is for this very alignment to take place. Business must be practiced to in a manner that includes successful alignment of the business model and strategy with the I.T. strategy.

Introduction

There are many reasons that network security is so very important to a business. It can mitigate the risk involved from unauthorized access to company data as well as protect a company's network resources while simultaneously providing the highest up-time, availability and integrity of data possible. There are many areas where companies struggle to provide proper network security and this paper will provide a deeper look into those areas.

Associated Risks

Businesses today face many threats to their company data and network resources. These threats are very real and they are out there in great number. An example of this would be to take a look at compromised data. Company data can be labeled as an asset and this asset can be exploited to be put to use for the benefit of a competitor. This destroys a company’s strategic advantage. If it is personal data that is compromised then the legal liability to a company can cripple it to the point of going out of business. Types of personal information that could be compromised include social security numbers, driver’s license numbers, birth dates, etc. In fact, more than 158 million personal data records have fallen to exposure since February 2005 (Vanhorn 2007).

This critical data can also be attacked and destroyed. This results in loss of productivity in the manpower necessary to deal with the issue as well as any systems that may be rendered inoperable from the attack.

Attack Methods

There are many ways in which a network and the data it contains can be attacked and become compromised. These include back-doors; Distributed Denial of Service attacks (DDoS), spoofing, password attacks and other forms of penetration or intrusion exploitation. Other forms of compromise can include browser hijackers, viruses, Trojans and even spyware/adware. These "other forms" are known as malicious code.

Support & Teamwork in Management

When running a company, everyone wants to see their business grow as much and as quickly as possible. This often presents the need for some kind of Enterprise level system to keep it all in order. An example of this type of system would be a CRM or Customer Relationship Management system. Another example would be an ERP or Enterprise Resource Planning system.
These types of systems move a company from doing things manually to a more robust and efficient electronic way of doing the same steps. When a company has grown to a point that their resources are too numerous and cumbersome to track manually, this need to convert to a technological solution is absolutely required to proceed in its own growth. This increases the day to day ability to produce the company’s product or provide its service to a greater customer base with less wasted manpower on antiquated manual processes.

Most management teams within a company should agree that change is necessary. The successful transition to an Enterprise level system will depend largely on how well the company is setup to handle such key changes. If a company’s management teams are not setup to plan, acquire and follow through with these types of changes, success can almost be guaranteed not to happen and failure being imminent.

An example of this would be when a company’s I.T. Department staff has a great deal of lee way and authority to influence which systems are chosen. This puts the business strategy in such a position that it has to match the strategy of its I.T. Department. Some would call this a train wreck waiting to happen.

This leads to a system being chosen and implemented that does not match the direction and goals of the business strategy. This results in the degradation of inter-departmental relationships, dissention & fighting between I.T. and other departments. In this position, the company is forced to move forward with the mis-aligned solution due to all of the time and finance spent putting it in place. This can cause the need for special consulting from vendors to make it work as the new systems short comings are discovered further wasting time & money.

If you consider all of these internal issues, losses in productivity and expenditures (time, material & manpower) in making the system work right, the solution would be found to have cost a great deal more than the properly aligned solution would have been in the first place.

A second example happens when a given company does not understand or realize the importance and potential of their I.T. department. Executives may see I.T. as a source of unnecessary spending, or as nothing more than a place to go for technical support when they cannot send an email for some reason. It is not realized how much I.T. affects both organizational and business strategy. This ignorance and misconception often causes an I.T. department to avoid getting involved in management decisions causing management to decide on systems and put decisions in place with absolutely no input from I.T. I.T. will be expected to make anything work that does not post-purchase.

This can cripple a business things are found such as system incompatibilities; the need for more equipment to handle the greater requirements on the systems, the list truly goes on and on. Between delays in overcoming the short comings that could have been addressed in planning with the input from I.T. and the wasted money spent on tackling incompatibilities, it would have been much cheaper and more successful to have been aligned with I.T. in the first place and had them involved in the process.

All of these things combined can hinder or flat make impossible a company’s ability to protect their resources from attack, thus, opening them up to liability and loss of productivity. The solution to this problem is to have a management team comprised of highly educated team players that are all aligned with a common purpose and direction both inside and outside of I.T. and the corporate network infrastructure. Decision making needs to involve everyone involved to facilitate greatest collaboration and decision making.

Corporate Computing Policy

One of the greatest things a company can do to protect itself is to implement a corporate policy that addresses the use of computers and network resources. It should explicitly define what appropriate or allowed behavior is and what types of use are expected within the companies I.T. infrastructure. Having this policy aids the company in addressing and mitigating the many security risks that could potentially be brought to light. This places the most basic level of responsibility on each end user.

By following this policy, many things are inherently improved such as uptime, integrity of data and availability of network resources. Not having a policy or failing to enforce a policy in place can often lead a company into failure as well. Details of a computing policy might include, giving a user a username and password or that the user can only use the resources assigned them.

When a company issues a computer to an end user, it is direly important that a policy is defined stating what is acceptable use of that system. Some rules might include keeping a user from installing software, stipulating a system is not to be used for personal reasons, defining what qualifies a user to be terminated, or simply making a legal statement that the company is in no way responsible for how a user utilizes a company’s systems or that the company is in no way responsible for any personal data stored on company systems.

There are also many physical safeguards that can be addressed such as utilizing a password protected screensaver that activates after a certain period of idle time as well as stating ownership of any programs or databases developed on company property or during company time. Guidelines regarding user authentication can also be established in the policy stating such things as never sharing usernames and passwords, never write down authentication data & password complexity enforcement.

Email usage is a critical factor to consider also when designing a policy. Users need to know that company email usage is meant for business use only and not for personal communication. If a company wishes to retain the right to examine or investigate a user’s email, it should be clearly defined in the policy. Something addressing accessing others email should be included in the policy as well.

A successful corporate computing policy should also address company data and what is acceptable use. It should state that data should never be transmitted or removed without authorization nor should it ever be copied to a personal device. With the number of personal devices growing exponentially, the responsibility needs to be placed on the end user to follow all expectations and guidelines involving the use of personal devices.

In the end, the more detailed the corporate computing policy is, the more motivated an end user is to follow it thus, inherently, increasing the security of the corporate computing environment.

Continuity & Disaster Recovery

Corporate network security involves many areas; however, one area stands out as the "most overlooked". That area is known as business continuity and disaster recovery. So many businesses today have never addressed or implemented a Disaster Recovery plan, nor do they have any plan for the continuity of their business in the event of disaster. These disasters could include such catastrophes ranging from viral outbreaks to the company’s physical building burning to the ground.

A good recovery plan is stated as one that simply exists and addresses a backup system as well as a procedure for using that backup system. It should include password protecting all media used in the backup plan as well as implementing some level of encryption on said backups. There should be a very clearly laid out procedure that anyone can follow to restore data and resources by anyone in the company in even of disaster recovery with the least amount of time involved as possible. This means that backups should be all inclusive and require as little configuration of systems and software in post-recovery operation.

The disaster recovery plan should be tested regularly and at minimum quarterly or bi-annual. Restoring data from any off site backups should also be tested thoroughly. In fact, restoration details should be clearly documented and tested for all mission critical systems and functions.

Without a recovery plan in place, often companies have to learn their lesson the hard way. There are many reasons that a company might not have addressed this issue such as being under educated or simply being ignorant enough to assume that disaster will not affect them. Regardless, the devastating reality will strike when disaster comes knocking. It is not a matter of if, but, when. A great example of this would be to look at how long it took NASDAQ come back online after the September 11 terrorist attacks. It only took them 6 days to be back up and running at full capacity. This is a modern miracle for those who are all too familiar with the intimacy of the Disaster Recovery plan.

Tools & Methodologies

There are many security practices, technologies and procedures that a company can implement to attain the greatest security possible. In PC Magazine, Russell Morgan says "I.T. security professionals often like to talk about 'layers of security.' What they mean is that one way of protecting yourself isn't enough." (Morgan, 4)

Network security, of course, begins with the act of simply logging into a system, or, end user authentication. By the I.T. department implementing password policy and making sure that users can only choose passwords that meet complexity requirements, they are effecting end user authentication. By adding a lockout feature after a specified number of failed login attempts, they are greatly improving the prevention of unauthorized access. Some I.T. departments will even require frequent password changes that prevent so many previous passwords from being used.

Finally, end user authentication is rounded out by placing the proper security permissions on network resources that allow only authorized access to data by the desired group of users. By doing this, a company assures itself that only those needing to utilize company data to perform their jobs will be able to do so.

Another tool used to secure a network's perimeter is known as a Firewall. Firewalls operate by filtering the flow of inbound and outbound packets of data. They also hold control over which ports are open to internal systems, which application protocols can be active and provide very limited routing features. They can also provide enhanced security in network access by the use of VPN or Virtual Private Networking. Such things as internet access, secured tunneling between hosts and DMZ are also addressed by the Firewall. The DMZ, or De-Militarized Zone, allows a device to be accessed without penetrating the internal LAN. It should be noted that many companies fail to regularly scan their network's perimeter.

Strong Anti-Virus applications are also used to prevent the spread of malicious code. Most companies will choose a package from such providers as McAfee or Symantec and create a company wide solution. The many threats that can come from the Internet include not only viruses, but spyware, Trojans, back-doors, adware and many other forms of malicious code. Due to all of these threats, anti-virus products must be used on end user systems and servers alike. It is imperative to have these tools configured correctly and frequently updated to provide the greatest protection from harm. Sometimes updates even occur multiple times in one day.

System Patching & hardening is another approach used by I.T. departments to minimize the potential for catastrophe. Updates are frequently released for operating systems and devices that address new exploits and vulnerabilities. The most common and familiar of these would be 'Windows Updates'. These updates include patches for the Windows operating system specifically and address those new exploits and vulnerabilities found. Even software running on the system can contain exploits or holes in the code that need to be patched on a regular basis. This includes such software as Internet Explorer, Mozilla Firefox, RealPlayer, QuickTime, MS Office, Adobe Photoshop, etc. Sometimes, even Firmware updates are released for the hardware devices on a system such as the NIC or video card.

Also of great importance is the actual physical security of systems and resources. By practicing such techniques as disabling USB ports and CD ROM drives, the potential for company data to leave the company is minimized. I.T. rooms where servers are stored should be locked and accessed by authorized personnel only. Keeping a server room cool by utilizing some form of air conditioning is also considered a security practice and is often combined with some form of sprinkler system in event of fire.
Monitoring software also plays a key role in physical security by limiting what users can access over the network such as web sites visited or blocking the use of instant messaging or peer to peer software. This is known as content filtering. Content filtering can manipulate bandwidth available to a user using prioritization and traffic management to allow or discard packet travel into the network from the perimeter. It also plays a great role in keeping users from accessing known malicious sites preventing infection and spread of malicious code.

Spam filters are used to filter content out of a user’s email inbox by analyzing incoming messages for known malicious attachments, code or advertisement language. Many systems operate on a point system where a certain amount of points are given for each "positive" found in a message. The higher the score, the more likely a message is to be considered spam. Spam is a rampant problem in this day and age due to its nature of utilizing vast quantities of bandwidth and resources while providing absolutely no viable business use whatsoever.

There are many anti-spam solutions out there that range from software running on a local system to web based configurations that require no internal resources be used to process and filter email messages. The content control feature of spam filtering can also keep company data from being sent out in the first place. Any messages that contain data matching a pre-configured list can be denied transmission outside of the network.

Intrusion Detection and prevention is one of the newest up and coming filtering technologies in the industry that work hand in hand with a Firewall. These systems monitor network traffic and will notify an administrator when any strange set of activities take place. When these anomalies are discovered, the data in question can be stopped in its tracks before it can spread to any other systems on the network. This technology is under great research today and great things are expected in the future.

Rounding up the Tools & Methodologies section, there is wireless security. Wireless is a technology that is quickly gaining popularity both in and out of the workplace. It is highly convenient not to have to use wires; however, wired networking is far ahead of wireless when discussing bandwidth. 802.11x standards do not have the strongest encryption values in the world. A technology known as MAC spoofing can make it very simple to penetrate even the most hardened wireless network. Hackers can use readily available tools to crack a WEP key in 15 minutes or less.

WPA offers a bit more protection but is not that much more encrypted than its WEP counterpart. The safest wireless protocol to use is called WPA2 and offers the greatest encryption possible. It should be noted that a wireless network can easily be brought to its knees with an effective DDoS attack. It is best practice to utilize an isolated subnet when using a wireless solution. This prevents access to devices on the wired network from wireless clients. Some wireless routers and AP's actually offer this as a feature that can be turned on and off.

Securing Mobile Workforce

In this modern day and age, there are an increasing number of users that work on mobile devices remotely from their corporate location. This is done through the use of laptops and PDA's. The greatest threat here is in stolen devices and the data stored on those devices. The rate at which this is happening is increasing at an alarming rate.

One way to combat this is to use a VPN system to access a network's resources. Great care has to be taken that if a device is stolen; the VPN access is not automated in any way. This prevents unauthorized use of the VPN tunnel. It is common practice to never allow a user’s home system to be configured to access the company network via VPN. VPN should always be setup on company owned equipment. This prevents malicious infections on the user’s home network to infect the corporate network and wreak havoc on internal resources or company data.

VPN access should also utilize original user authentication information and should never duplicate the users login information used internally when on site. Split-tunneling should also be avoided as this allows Internet access while connected to the corporate network, opening it up to infections and malicious code found on an infected website.
When addressing physical security on mobile devices, using such things as boot-up passwords, GPS tracking software & Biometric access can greatly reduce the chance of data becoming compromised. Of course, the strongest method to prevent data being compromised on a stolen mobile device is to encrypt the entire system drive and its contained data. This renders the device useless to unauthorized personnel.

Conclusion

It can be said that there are some companies that are well prepared but there are far more that are not. Some lack a sense of importance when it comes to network security and still others fail to build and staff their I.T. infrastructure correctly and have no policy regarding the use of company systems. Those that do have policy in place need to work harder at enforcing those policies at every turn. Updates and patches must be kept up on to block new exploits and holes in systems, in order to prevent unauthorized access to company data.

Companies need to have strong access control as well as properly aligned management teams to assess upcoming projects and how they fit into the goals and direction of the company. Without a disaster recovery plan or continuing education of the I.T. staff, total loss can occur in the event of catastrophe. Disaster recovery plans should be well documented and practiced on a regular basis.

As we look to the future, technologies such as Intrusion Detection and Prevention, web monitoring and filtering services will be the focus of greatest benefit to corporate network security and the protection of sensitive data. A balance between total lock down and absolute freedom to roam must be realized before an effective policy can be put into place.

References

Acceptable Use Policy. (n.d.). Acceptable Use Policy. Retrieved May12, 2015, from http://education.illinois.edu/wp/www.sjfschool.net/whitepages/acceptableusepolicy.htm

Access Control Lists. (n.d.). (Windows). Retrieved May 13, 2015, from http://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx

Galante V. Practical Role-Based Access Control. Information Security Journal: A Global Perspective [serial online]. March 2009;18(2):64-73. Available from: Academic Search Premier, Ipswich, MA. Accessed May 12, 2015.

Hood, Ernie & Ross, Doug & Bhasin, Puneet & Boyd, Lloyd. ( © 2011). The future of it security: how to protect the next generation of information infrastructure. [Books24x7 version] Available from http://common.books24x7.com.ezproxy1.apus.edu/toc.aspx?bookid=37573.

Kumari, S. (2005). Adopting Information Technologies for Instructional Environments. Hershey, PA: Health Press

North Central Regional Education Laboratory. (1999, updated 2005). Critical Issue: Using Technology to Improve Student Achievement. Retrieved from http://www.ncrel.org/sdrs/areas/issues/methods/technlgy/te800.htm

Otto, Paul N, Anton, Annie I, & Baumer, David L. (2006). The ChoicePoint Dilemma: How Data Brokers Should Handle the Privacy of Personal Information. Retrieved from http://theprivacyplace.org/blog/wp-content/uploads/2008/07/tr-2006-18u.pdf

Poole, Owen. (2012). Network Security. Routledge. Retrieved May 10, 2015, from http://www.myilibrary.com?ID=102429

Solomon, M. (2011). Security Strategies in Windows Platforms and Applications. Sudbury, MA: Jones & Bartlett Learning, LLC.

SonicWALL Gateway Security. (n.d.). About Gateway Security. Retrieved May 11, 2015, from http://www.sonicwallsecure.com/gateway-security

Swan, C. (2013). Being Social. Tech & Learning, 33(7), 30-33. doi: 1288336245

Vacca, John R.; Vacca, John R. (2009). Computer and Information Security Handbook. Retrieved from http://www.eblib.com

Wenglinsky, H. (2005). Using Technology Wisely [Electronic Resource]: The Keys to Success in School. Boulder, CO: Teachers College Press.

Wilson, Mark & Hash, Joan. ( © 0). Building an information technology security awareness and training program (nist special publication 800-50). [Books24x7 version] Available from http://common.books24x7.com.ezproxy1.apus.edu/toc.aspx?bookid=10225

What is encryption? - Microsoft Windows Help. (n.d.). windows.microsoft.com. Retrieved May 10, 2015, from http://windows.microsoft.com/en-us/windows/what-is-encryption#1TC=windows-7