Whether your infrastructure is designed to support data, security or anything else, IP technology is under attack and you need to ensure it is protected to facilitate business and security operations.
Whether the threats are from hackers, 'hacktivists' or, more commonly, from within the organisation itself, infrastructure needs to be protected if the business tools that rely on it are to function correctly.
Hi-Tech Security Solutions asked a few industry players for their view on what is required to secure your infrastructure effectively. The answer boils down to starting with securing the basics and working outwards. Our respondents all agree: while there are endless products available to do specific tasks, security is not a product but a process of understanding your environment, ascertaining where the vulnerabilities lie and developing a solution to mitigate the risks.
We started out with a generic question most business leaders will ask when faced with the realisation that their infrastructures are at risk, hopefully before they suffer some form of loss.
Hi-Tech Security Solutions: So what can a business do to protect its infrastructure?
Chris Sutherland, brand manager for Miro Distribution: Firstly, decide exactly what type of traffic you need and want on your network. Thereafter, make use of a proper firewall system to block all of the traffic you do not want. In addition, manage what employees do in your network. Hours can be spent protecting the network from Internet attacks, but one virus-filled flash drive from an employee’s home could jeopardise your entire infrastructure.
Make use of a domain controller to ensure that only relevant PCs have access to the network and do not use cheap switches in large infrastructures. When large volumes of data are flying through the network, switching is a key point of failure when not implemented properly.
It is also good practice to segment your network into different subnets, i.e., one subnet for your sales department and a completely different subnet for your accounts department. Sufficient routing will ensure that communication can still take place, but with this routing you will be able to control exactly what type of communication takes place. Doing this ensures that if there is a virus or duplicate IP, etc., in your sales department, it will not affect the rest of the company.
Greg Griessel, consulting systems engineer, security solutions, Cisco Systems, South Africa: Cisco advises companies to protect their infrastructure from the basic equipment right to the edge; you cannot focus on only one area and hope the rest are covered automatically.
Starting with the basics, you need to ensure all your software is up to date and patched, while ensuring everyone abides by the company policy of using passwords according to set standards – passwords should be a minimum length, a mixture of characters and numbers, and changed regularly, etc. Then you need to look at a firewall and intrusion protection system and so forth, right up to policies governing the use of Webmail applications.
Chris Schaaf, regional sales manager, Sub-Saharan and South Africa: HP Enterprise Security Products, HP TippingPoint: First, we provide a deep understanding of your vulnerabilities from your applications down to the underlying infrastructure in the context of your business processes, so you can proactively address the weaknesses that matter most.
Second, increase your visibility: From a single platform, we give you the confidence to drive more informed risk management decisions by correlating security data with relevant context. For your CISO, it means better visibility into the most relevant information and performance metrics needed to illuminate current operational risk across traditional, mobile and cloud infrastructures and applications.
This increased visibility and vulnerability awareness means you can now be proactive about security. Most companies are tired of being reactive to security threats.
HSS: Are IT managers and CIOs aware of the risks out there?
Sutherland: Unfortunately, no. Most managers and CIOs only realise there is a problem after the problem has occurred. This should be tackled with training and continuous monitoring of your systems and external connections. The more reports you can pull on your network, the better equipped you will be to spot issues before they occur.
Griessel: Security is definitely top of mind among enterprise leaders today. The Cisco Annual Security Report 2011 (downloadable here: www.securitysa.com/*cisco5594a) demonstrates that security is a crucial aspect of leaders’ thinking these days.
Some of the issues that are top of mind are BYOD (bring your own device), where staff want to access their work infrastructure through any device they prefer. The Cisco report found, for example, that 81% of college students believe they should be able to choose the devices they need to do their jobs. The report also found that many people see social media as productivity tools and not merely as novelty sites.
HSS: What risks do you need to mitigate?
Sutherland: Three key points spring to mind immediately:
* A properly configured firewall (of a decent brand) is key.
* When using VPN connections, make sure you use encrypted tunnels.
* When making use of wireless networking devices (which is commonplace nowadays) make sure you set effective passwords and change the default manufacturer’s settings.
Griessel: One area companies need to be aware of both in terms of security and reputation is ‘hacktivism’. There are protest groups out there that try to disrupt business operations or deface websites as a protest action. We are also seeing attacks on industrial control systems and data collection systems increasing.
Increasingly, the insider threat is coming under scrutiny. You need to know what is on your network and what people are supposed to do with it. By focusing on visibility over your infrastructure based on set policies, companies will be able to identify anomalies before they cause a problem. Additionally, securing and managing your wireless network is crucial.
Schaaf: These are just a few of the common risks facing the enterprise today:
* Vulnerabilities.
* Malicious code (virus, trojans, worms, spyware).
* Denial of service.
* Protocol anomaly.
* Policy (attachments, common password, etc.).
* Scada (supervisory control and data acquisition), utilities like power, water and infrastructure.
HSS: Where do you start?
Sutherland: Start with the need. What does your network need to achieve, what types of traffic should be allowed and is there a requirement for wireless, etc.? Once you have planned your network according to its requirements, take a step back and place yourself in the shoes of someone who wants to get into your network. By doing this you will easily discover the possible loopholes you may have left open, and be able to secure them.
Schaaf: Imagine you are sitting in front of a CIO or a CISO in a major Fortune 1000 company and he or she asks you “How secure is my business?”
This would be my answer: “HP ESP (enterprise security products) provides the only security intelligence platform that gives you deep insights to proactively manage your specific enterprise threats and risks. We help you manage those risks by providing a centralised platform to orchestrate application security assurance, security data correlation and adaptive network-level defence mechanisms.”
Griessel: The Cisco annual security report offers 10 action items for enterprise security:
* Assess the totality of your network. Know where your IT infrastructure begins and ends and know what your normal is so you can quickly identify and respond to a problem.
* Re-evaluate your acceptable use policy and business code of conduct – avoid the ‘laundry list’ approach with security policies.
* Determine what data must be protected. You cannot build an effective DLP (data leakage prevention) programme if you do not know what information in the enterprise must be secured.
* Know where your data is and understand how (and if) it is being secured.
* Assess user education practices. Long seminars and handbooks are not effective.
* Use egress monitoring. You should not only monitor what is coming in, but also what is being sent out, by whom and to where.
* Prepare for the inevitability of BYOD.
* Create an incident response plan. Businesses need to have a clear plan in place to respond quickly and appropriately to any type of security event.
* Implement security measures to help compensate for lack of control over social networks.
* Monitor the dynamic risk landscape and keep users informed.
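
The egress monitoring item in the list above ("what is being sent out, by whom and to where") can be sketched as a small flow-log summary. This is an added example, not part of the original article or any vendor's product; the log format, address ranges, approved destinations and threshold are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict
# Assumed policy values, constructed for this example.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
APPROVED_DESTS = [ipaddress.ip_network("203.0.113.0/24")]  # e.g. proxy, mail relay
BYTES_THRESHOLD = 50_000_000  # outbound bytes per (host, destination) before flagging

# Constructed flow records: timestamp src_ip dst_ip dst_port bytes_out
SAMPLE_FLOWS = """\
2012-05-01T09:00:01 10.1.20.15 203.0.113.10 443 120000
2012-05-01T09:00:07 10.1.20.15 10.1.30.5 445 900000
2012-05-01T09:02:44 10.1.30.22 198.51.100.77 21 75000000
2012-05-01T09:05:00 10.1.30.22 198.51.100.77 21 30000000
malformed line
2012-05-01T09:06:12 10.1.20.40 192.0.2.9 6667 2000
"""

def in_any(ip, nets):
    return any(ip in net for net in nets)

def egress_totals(text):
    """Sum bytes per (source, destination, port) for internal-to-external flows only."""
    totals = defaultdict(int)
    for line in text.splitlines():
        parts = line.split()
        try:
            _, src, dst, port, nbytes = parts
            src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port, nbytes = int(port), int(nbytes)
        except ValueError:  # wrong field count or unparsable value
            continue
        if in_any(src, INTERNAL_NETS) and not in_any(dst, INTERNAL_NETS):
            totals[(str(src), str(dst), port)] += nbytes
    return dict(totals)

def findings(totals):
    """Flag flows to unapproved destinations or above the volume threshold."""
    out = []
    for (src, dst, port), nbytes in sorted(totals.items()):
        reasons = []
        if not in_any(ipaddress.ip_address(dst), APPROVED_DESTS):
            reasons.append("unapproved destination")
        if nbytes > BYTES_THRESHOLD:
            reasons.append("volume over threshold")
        if reasons:
            out.append((src, dst, port, nbytes, reasons))
    return out

if __name__ == "__main__":
    print(findings(egress_totals(SAMPLE_FLOWS)))
```
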
© Technews Publishing (Pty) Ltd. | All Rights Reserved.