Believe it or not, your organization could be miles away from being secure even if you have a firewall in place. Conversely, you could have already achieved a high degree of security even without a firewall. In short, securing an organization requires much more than a firewall. It requires a complete understanding of the security life cycle and how to deploy it.
Securing a legal position
It is no longer sufficient to simply build a passive defense against hackers. If you intend to get them convicted, then best practices need to evolve to handle forensic data, incident reporting and response. Strict guidelines and policies need to be defined to handle such incidents. Additionally, the IT Act 2000 is now enforceable and requires an understanding of the rights and responsibilities of every individual with a networked device. It is also important for organizations to educate their employees about the actions that may violate the Act. For example, if you handle customer data and choose to make changes to it without formal, documented instructions, you could be charged with hacking the customer's system. These sections of the Act require you to have a well-documented policy on matters such as customer data/network handling, unlicensed software, pornography and Internet use.
Open-source security tools
Firewall: shorewall (iptables)
Network Intrusion Detection System (NIDS): snort, snort-webmin
Vulnerability Assessment (VA): nessus
Port Scanner: nmap
Host Intrusion Detection System (HIDS): portsentry, logcheck
Anti-virus: Clam AntiVirus
Content Filter: DansGuardian
Proxy: Squid
Access Control: SquidGuard
Spam Filter: spamassassin
Traffic Analyzer: ntop
VPN: IPsec, poptop
Auto Patching: autoupdate, Windows Update Service
Most security owners tend to misinterpret the function of security. Securing an organization does not mean disconnecting all networks and powering down the systems. It is about securing the organization while enabling it to continue doing its business. The organization states its business needs, and access restrictions and rights are defined on that basis. So, whether Internet access and e-mail are required and to what extent, and whether remote connection to the network should be allowed, are all driven by business needs. It is, of course, assumed that such business decisions are made judiciously and that the decision to grant rights or access is based on strict business requirements only. From these, a security policy document is created. This doesn't have to be a large and detailed document, so long as it covers the specific areas you want to address.
Once the policy is in place, you will want to focus on education, processes, tools, audit and review. Most organizations underestimate the need for user training and education. The best of firewalls and tools can't provide as much security as a well-educated user can. So, spend the resources and time on educating your end users, senior management and IT department. There is a distinct need to turn the security policy into actionable items, which is taken care of by the processes section. Consider creating a Standard Operating Procedure (SOP) for each element of your security policy. The tools required are then a function of the needs specified in the policy. The firewall is as critical as a good proxy with access control and content-filtering capabilities. IS security is fast evolving into a stand-alone function with expenditures of up to 10% of the total IT spend. However, even today, spending in many Indian corporations hovers around 2-3% of the total IT spend. It is important to realize that most organizations can achieve a high degree of security while spending very little of their overall costs. The notion that security tools are expensive is a myth, as can be seen from the list of open-source security tools in this article. Needless to say, these are just a few of the options available.
"The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable."
Sun Tzu, The Art of War
Auditing is the mechanism for ensuring that all the needs stated in the policy are indeed implemented. Once again, an audit of the tools deployed is as critical as the audit of process deployment. If the policy requires installation of anti-virus on every computer in the company, then leaving out the MD's (or any other) computer will dilute all possible efforts to secure your organization.
Many corporations are also looking forward to conducting social engineering audits. These are conducted with the objective of acquiring company data, and the auditors are allowed to use any means (corrupt, trick, please, soften, threaten, scheme) to steal the data from systems or employees. These audits are extremely useful and act as deterrents to potential information leakage from your company. However, employee sensitivity and morale should be handled carefully by taking them into confidence before conducting such audits. Like any other ongoing activity, security also needs regular review. It is suggested that a quarterly review be done to check the progress on the processes, tools and people deployment, besides checking the progress made on the audit recommendations.
Alok Sinha, Chief of Information Security, Bharti Group
The views presented here are of the author and may not reflect the views of the employer
How secure is your organization?
This question has been haunting CEOs and MDs for some time, and unfortunately there is no right answer to it. However, you can follow some industry benchmarks that form a sort of reference point for organizations to crosscheck their position with respect to others. There are several such standards, such as ISO17799 and HIPAA. However, achieving such certification does not make your organization or system hacker proof or incident proof. These certifications and audits should be taken as milestones on the road to securing your organization. Yet another method of measuring security is to measure compliance with the policies. Monitoring the number of incidents (the number of times your network has had Trojans, hacking, etc.) is perhaps the closest measure (the lower the number, the higher the security), but only if there is a fool-proof process that measures and monitors every incident in the organization.