Having firewalls in place, and perhaps even a couple of IDS appliances behind them, is no reason to be confident that you have no unwanted visitors on your network. Security is a full-time occupation, and one of the proactive jobs you should be doing is regularly auditing your environment to identify and assess vulnerabilities.
Before you start, you have to identify the following:
• What is at risk?
• Who is it at risk from?
• What is the damage potential if that risk is manifested?
What is at risk?
Know your data. Do you work in the IT department of a government agency, an online retailer or utility, or a manufacturer? In each case the type of data — and its value — will be different. Are you responsible for national secrets, or the latest order shipments? Is the data important to anyone outside your company, on its own merits, or would its loss be merely an inconvenience — albeit perhaps a significant one? This allows you to determine the answers to the next questions.
Who is it at risk from?
If you do work in some sort of government department, it’s conceivable that you might be targeted by foreign powers. For most of us, however, there will be less of a James Bond scenario to worry about. You might, however, be attacked by competitors, people who disagree with your company’s ethical position, or just a hacker trawling around for some disruption to cause. The level of security — and the amount of time you have to spend trying to proactively second-guess the perpetrators — depends on the expertise of those you believe might be trying to do you harm.
Of course, that’s assuming that the danger is from outside. In fact, for most of us the main area to worry about is the other, legitimate, users of the network. Not necessarily disgruntled employees either, just people doing silly things and being careless. This is a major risk that you can’t afford to ignore.
What is the potential damage?
So what if someone does hack in and copy some of your data? Or a user accidentally deletes all the data on a server drive? Is it life-threateningly critical, severely business-affecting, or merely a pain? This is what governs the amount of resources (time, money and people) you can spend identifying possible security holes.
Once you have highlighted the risks of NOT auditing your system for holes and vulnerabilities, what do you actually have to start looking for?
Let’s start with the most obvious — the physical threats. Is all your equipment secure, or is it an easy matter for anyone to get into your building or your comms room? Are servers sitting under someone’s desk, or locked away? Do you have a published policy that tells staff not to install modems — or wireless access-points — and do you do anything to check whether they do?
Look at your password policy (let’s assume you have one). Assuming that you force users to change passwords at regular intervals, do you make sure they change them to something completely different? Do you use software that forces them to use a mix of alphanumerics, and does dictionary checking to ensure it’s not an easily guessable phrase? Does anyone wander around and look for little yellow post-its stuck to the screen?
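The three checks just described (a mix of character classes, no dictionary words, and genuinely different from the previous password) as an added example in Python; this is not code from the original article. The word list is a small constructed sample, the thresholds are assumptions, and the leet-speak substitutions undone before the dictionary check are the common ones users reach for.

```python
"""Password policy checker: character-class mix, dictionary check,
and similarity to the previous password. Example code, not from the article."""
import difflib
import string

# Constructed sample word list (assumption: a real deployment loads a full dictionary)
DICTIONARY = {"password", "welcome", "summer", "company", "letmein", "secret"}

# Common substitutions users make to slip dictionary words past naive checks
LEET_MAP = str.maketrans("@$013!", "asolei")

MIN_LENGTH = 10        # assumed policy minimum
MAX_SIMILARITY = 0.6   # difflib ratio above this counts as "not really changed"


def normalise(pw: str) -> str:
    """Lower-case, undo the substitutions above and keep only letters."""
    base = pw.lower().translate(LEET_MAP)
    return "".join(ch for ch in base if ch in string.ascii_lowercase)


def contains_dictionary_word(pw: str) -> bool:
    """True if any dictionary word of four or more letters appears in the normalised password."""
    core = normalise(pw)
    return any(word in core for word in DICTIONARY if len(word) >= 4)


def check_password(new: str, previous: str = "") -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        any(c.islower() for c in new),
        any(c.isupper() for c in new),
        any(c.isdigit() for c in new),
        any(c in string.punctuation for c in new),
    ]
    if sum(classes) < 3:
        problems.append("needs at least three of: lower, upper, digit, symbol")
    if contains_dictionary_word(new):
        problems.append("contains a dictionary word (after undoing @/$/0/1/3 substitutions)")
    if previous:
        # Old password is available in clear only at change time, when the user types it
        ratio = difflib.SequenceMatcher(None, new.lower(), previous.lower()).ratio()
        if ratio > MAX_SIMILARITY:
            problems.append(f"too similar to the previous password (ratio {ratio:.2f})")
    return problems
```

The similarity test only works at change time, when the user has just entered the old password; stored password history must stay hashed, so it cannot be compared this way afterwards.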
Make sure that when someone leaves the company all their user IDs are removed, including telephone extensions. That holds doubly true for IT staff. It isn’t done as a matter of course in a surprisingly large number of big companies that really should know better.
Scanning software can investigate your network, looking for the same sort of information (by doing ping sweeps, or checking for services such as finger or whois on routers and servers) that hackers might. A word of advice: if you do have IDSs on your network, warn the people who look after them before you do this sort of thing, before they go berserk with alarms.
Make sure user rights are appropriate to their needs, not their wants, to minimise the chance of a mistake having more far-reaching consequences than it should.
Enforce automatic PC backups and anti-virus signature and OS updates. If users can choose not to run them, they normally will, just to stop it bothering them while they’re in the middle of something. One user could put your whole network at risk.
In the end, if your resources are limited (and you’d be in an unusual situation if they aren’t), focus on the areas of greatest potential impact as determined above. Losing the server that holds the staff canteen menus probably matters rather less than losing the one with the blueprints of your company’s next great invention or idea.