A security program based on technology
Samir Kapuria
8/28/2003 2:45 PM EDT
In today's digital economy, integrated software and hardware form a vital part of a business's success. Viewed from a network perspective, software and hardware components enable a channel of communication through which an organization operates and integrates with other businesses: partners, suppliers, customers, managed service providers and others.
In turn, the organization seeks a spectrum of return on its network technology investment: greater efficiency, reduced expenses and expanded global reach. This reliance by businesses on operating with a networked infrastructure introduces a dependency on technology. The net result is a need to manage risk associated with technology. The solution is to deploy more technology to achieve the desired level of protection: network security products.
A comprehensive network security program comprises incident prevention, detection, response and management. Many vendors address these needs through a wide variety of network-security solutions, but the challenge of choosing an appropriate solution falls to the organization. Budget considerations tend to be the most critical factor when implementing a security plan.
Most organizations have difficulty calculating the security costs associated with technology adoption, as there are many unseen costs compiled from peripheral factors: for example, product refresh programs, patch management, employee education and the like.
Given the array of options one could employ when developing a secure network, an ideal place to begin is to develop a list of requirements. Reviewing business and product requirements can serve as a good baseline.
Business requirements
A review of business requirements when developing a secure network helps a company to clarify data. Keeping in mind that security expenditures should not exceed the value of what is being protected, an organization that has developed a classification taxonomy for its digital assets is better positioned than one that has not.
The classification model enables a company to prioritize security levels based on how critical the asset is. For example, a business could use a scale of 1 to 5 for asset classification, where 5 is the most critical classification and 1 is the least. When looking at level 5 assets, like corporate financials, the company would invest a greater amount in security, commensurate with the importance of level 5 assets: 24/7 security monitoring, separated network segment, strict firewall rules, host- and network-based intrusion detection, encrypted access control and the like.
When looking at level 1 assets, such as the internal Web page, the company might only require operating system hardening, network intrusion detection and access logging.
Some questions designers should answer during the classification development process are: What are the company's digital assets? Intellectual property, corporate data, brand and image are just several considerations in this category. Next, determine why the assets merit protection. Are they a good source of revenue? Do they ensure a competitive advantage? Do they enhance the customer's perception of the company's value?
It's also necessary to decide who needs to access these assets. Should all employees have that ability? What about customers, partners and home users?
Next, consider where the assets are stored. For example, can they be found in a corporate infrastructure, managed service provider or even a user's machine? Finally, ask how technology enables business with these assets. Is it through transport, access, storage or the presentation of the digital asset?
In addition to developing a digital-asset classification model, many companies use attack-simulation and penetration testing to identify their security needs. By simulating an attack, companies can evaluate their risk posture and measure their attack detection, prevention and response capabilities.
Penetration testing reveals existing vulnerabilities, at a given point of time, while also exemplifying the outcome of potential threats. Businesses often use this type of assessment to help calculate the scope of security investment required to erase existing vulnerabilities and prevent future exposures.
The use of attack-simulation and penetration testing also helps companies to develop an attack tree, which identifies potential attack vectors. This modeling exercise lets the company identify the breadth of protection required. Organizations often have difficulty calculating the monetary impact of security incidents compared to other losses, which leaves a question mark on the security budget sheet. Vulnerability testing helps establish a realistic budget to address comprehensive security needs.
Product requirements
Product vendors must find ways to provide security solutions that do not disrupt business. In parallel, vendors must figure out how to include rich features within a product set, while offering a painless implementation process. These themes are easier to recognize than they are to address.
When looking at security products from an attacker's point of view, the power of turning a defense solution into a hacker's tool makes the product an ideal target. When looking at security products from a vendor's point of view, providing a default configuration that offers all features and services already enabled means customers will be able to run the features they need out of the box.
Yet, security practices suggest that all services not used by the system should be disabled. Leaving them enabled provides attackers with additional opportunities for mischief.
Despite the opportunities for attack, and although many security products ship with secure-implementation guides, some organizations have production systems that run default configurations and still have the factory default passwords enabled. Hence, it is important for an organization to have adequate product and usage knowledge before deploying security solutions. It's also important that businesses understand the potential threats they could introduce if the wrong party took control of the product. In addition, product solutions need to recognize the various levels of security or data classification required by organizations and then architect solutions that can adapt to the various levels of security within an environment.
When defining an appropriate security solution for the different levels of data classification within a company, the following factors often figure in the decision-making process:
There are two classifications of attacks that should be considered:
- Target of chance. This develops when an organization is not targeted specifically, but rather the technology employed by the organization is targeted. The attacker might not even know who was victimized by the attack he or she triggered; examples of this genre would be viruses and denial-of-service attacks.
- Target of choice. This occurs when an organization is selected for attack. Common reasons attackers target a specific company are financial gain, intellectual property theft, corporate espionage, and revenge by disgruntled employees.
The network
The benefits an organization receives for deploying network security solutions are better reflected when viewing each sector of network security individually. Those sectors include prevention, detection, response and management.
When investigating network security, one should also consider related facets of security that could influence an organization's overall security posture, including:
- Application Security: Included in this group are application architecture, coding practices and cryptography.
- Secure Operations: This encompasses policies, procedures and accountability.
- Corporate Security: Count the hiring/firing process; roles and responsibility; and training and awareness as factors in this group.
In order to develop a thorough security posture, companies often manage their overall security posture like a portfolio, dispersing energy and investment to prevention, detection, response and management needs based on a risk-vs.-return formula. In addition to purchasing network security solutions, organizations also need to architect the network in a fashion that enables security.
Leveraging a strategy similar to the data classification discussed earlier, many secure network deployments build on zone architecture or network segmentation. The benefits of creating network security zones include: ease of management, reduction of potential attack vectors, ease of monitoring, limiting cascading exploits and log consolidation. In short, a segmented network infrastructure breaks the notion of having a hard perimeter and a soft inside.
One key goal of network security is to limit unneeded access to network infrastructure. Thorough zone architecture should break up the internal network into segments based on criticality or types of user that need access. Limiting access to network segments in a granular fashion creates an environment that can be bastioned and isolated if an incident does occur. Such a strategy allows an organization to place adequate security where it is needed and limit expenditure where it is not required.
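A small audit of the classification-driven zone model described above, as an added example that is not part of the original article. The asset names, zone names, zone ratings and allow rules are all constructed assumptions; the check reports assets sitting in under-rated zones, overly broad inter-zone rules, and how far an incident in one zone could cascade.

```python
from collections import deque

# Constructed inventory: asset -> (classification level 1-5, zone it sits in).
ASSETS = {
    "intranet-web": (1, "general"),
    "hr-portal": (3, "internal-apps"),
    "finance-ledger": (5, "restricted"),
    "build-server": (3, "general"),  # level 3 asset left in the level 1 zone
}
# Assumed policy: highest classification level each zone is built to hold.
ZONE_LEVEL = {"general": 1, "internal-apps": 3, "restricted": 5}
# Constructed inter-zone allow rules (source, destination, port); all else is denied.
RULES = [
    ("general", "internal-apps", "443"),
    ("internal-apps", "restricted", "5432"),
    ("general", "restricted", "any"),
    ("restricted", "internal-apps", "443"),
]

def misplaced_assets(assets, zone_level):
    """Assets classified higher than the zone they sit in is rated for."""
    return sorted(n for n, (lvl, zone) in assets.items() if lvl > zone_level[zone])

def rule_findings(rules, zone_level):
    """Rules that open every port, or that let a zone reach one two tiers up."""
    tiers = sorted(set(zone_level.values()))
    out = []
    for src, dst, port in rules:
        reasons = []
        if port == "any":
            reasons.append("all ports open")
        if tiers.index(zone_level[dst]) - tiers.index(zone_level[src]) > 1:
            reasons.append("bypasses intermediate zone")
        if reasons:
            out.append((src, dst, reasons))
    return out

def reachable_zones(start, rules):
    """Zones an incident in `start` could cascade into by chaining allow rules."""
    seen, queue = set(), deque([start])
    while queue:
        zone = queue.popleft()
        for src, dst, _ in rules:
            if src == zone and dst not in seen and dst != start:
                seen.add(dst)
                queue.append(dst)
    return sorted(seen)

if __name__ == "__main__":
    print("misplaced:", misplaced_assets(ASSETS, ZONE_LEVEL))
    print("rules:", rule_findings(RULES, ZONE_LEVEL))
    print("reachable from general:", reachable_zones("general", RULES))
```

Removing the direct general-to-restricted rule still leaves the restricted zone reachable through internal-apps, so each hop between zones needs its own monitoring and access control.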
Security is a process best described as both an art and a science. The science is what an organization can plan for; the art is how an organization responds to what it did not plan for.
Samir Kapuria is director of strategic solutions for @stake Inc. (Cambridge, Mass.).



