
Information Security

Perimeter Defense

Physical Access - No matter how good the network design is, physical access to computers and network equipment is potentially enough to defeat many protective measures.  Use multiple physical barriers and, when possible, protect network infrastructure in a dedicated, air-conditioned, locked room.  Use combination or keypad locks on the entries to these rooms.

Environmental Protection - Use locking cabinets or air-conditioned enclosures.  Ensure equipment is not sitting on the floor (dust, static, flooding damage), and that any electronics are protected by uninterruptible power supplies (UPS).

Firewall - Use only ICSA-certified firewalls, with configuration files backed up at least quarterly.  Ensure firewalls are protected by UPS.  Software firewalls are generally only used in small installations (i.e., residences).  For any network of more than 2 workstations, always use hardware firewall appliances.

Network Policies - Ensure that both local and group policies are set up and tested.  The local policies prevent a user from logging on locally and gaining network access.  Account lockout policies should be applied in both the group and the local policies.

Multi-Factor Authentication - Despite some misconceptions, the use of multi-factor authentication is becoming more common, especially in organizations that want to significantly tighten access to network resources.  Multi-factor refers to the use of factors in addition to "something you know" such as a login/password.  An example would be to use an Aladdin eToken as part of a smart-card system.  This requires the user to insert their eToken (something you have) and type in their PIN (something you know).

Document Handling

Document handling is a key source of information risk.  It is worth noting that "going through the trash" is a valuable means of gathering information about a business.  Account numbers, phone numbers, addresses, and other information which can be used against individuals or businesses are routinely thrown away without proper document destruction practices.  In addition, document storage must be secure from prying eyes during and after the workday.

Building Intrusion

It is amazing in this day and age, but many businesses are naive enough to believe that a single door with a keyed lock is adequate to protect their premises from intrusion.  In addition, it is not unusual for personnel to be permitted to leave confidential working documents and records lying out on tables or in cubicles during breaks, meals, and after hours.  In these times, information equals power.  If all that someone needs to do to gather crucial information is to scratch-pick a mechanical lock and run photocopies of information in unlocked cabinets, then you are not making them earn their money.

Eavesdropping

Electronic eavesdropping is a relatively simple activity for a knowledgeable network technician to engage in.  If a few criteria are met, and if your network is not adequately protected, it is possible for an attacker to use eavesdropping to acquire logins, passwords, and other vital data which are then used to exploit the network.  This eavesdropping may occur on a continuous basis, or only on an occasional basis.  If your LAN uses such features as Outlook Web Access, or you utilize web connections which are not secured by VPN or SSL (Secure Sockets Layer), then you are passing network credentials in the clear.  This is very hazardous to the health of your network's security.
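An audit sketch for the exposure described above, added here as an example and not part of the original page: it scans proxy-style request records for logins sent over plain HTTP and reports the affected account without printing the password. The record layout, host names, field names and credentials are constructed for illustration.

```python
import base64
from urllib.parse import urlsplit, parse_qsl

# Constructed sample: (URL, request headers, form body) as a web proxy might log them.
SAMPLE_REQUESTS = [
    ("http://mail.example.test/exchange/", {"Authorization": "Basic YWxpY2U6czNjcmV0"}, ""),
    ("https://mail.example.test/exchange/", {"Authorization": "Basic YWxpY2U6czNjcmV0"}, ""),
    ("http://intranet.example.test/login", {}, "user=bob&password=hunter2"),
    ("http://intranet.example.test/news?id=7", {}, ""),
]

# Assumed names for form fields that carry a secret.
SECRET_FIELDS = {"password", "passwd", "pwd", "pin"}

def cleartext_credential_findings(requests):
    """Return (url, kind, account) for each request that exposes a login without TLS."""
    findings = []
    for url, headers, body in requests:
        parts = urlsplit(url)
        if parts.scheme.lower() != "http":
            continue  # HTTPS (SSL/TLS) traffic is encrypted in transit
        auth = headers.get("Authorization", "")
        if auth.lower().startswith("basic "):
            # Basic auth is base64("user:password"): an encoding, not encryption.
            try:
                decoded = base64.b64decode(auth[6:], validate=True).decode("utf-8", "replace")
            except ValueError:
                decoded = ""
            user = decoded.partition(":")[0]
            findings.append((url, "basic-auth-header", user or "<unparsed>"))
        fields = dict(parse_qsl(parts.query) + parse_qsl(body))
        if SECRET_FIELDS & {k.lower() for k in fields}:
            user = fields.get("user") or fields.get("username") or "<unknown>"
            findings.append((url, "password-form-field", user))
    return findings

if __name__ == "__main__":
    for url, kind, account in cleartext_credential_findings(SAMPLE_REQUESTS):
        print(f"{kind:20} account={account:10} {url}")
```

The same header sent to the `https://` URL produces no finding, which is the difference SSL makes to anyone listening on the wire.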

Virus / Worm Attacks

According to the International Computer Security Association (ICSA), it is estimated that over 400 new viruses, variants, and worms are released every month.  Based upon current data from Trend Micro, typically over 30,000 computers are reported to be infected by viruses or other troublemakers (malware) every 24 hours.  And those are just the reported numbers.  If virus scanning is not performed using updated virus pattern files, and if administrators are not notified of problems 24x7, who pays the price?

Power/Electrical Damage

Walk around the office and take a look at the number of workstations and printers which are connected to the network in your office.  How many of those machines are attached to an uninterruptible power supply?  The Oklahoma, Texas, and Kansas areas are infamous among IT personnel for the poor quality of the power provided to outlets for both residences and businesses.  Consider that in northwest OKC, it is rare to pass a single weekend without sustaining power brownouts or even outages due to maintenance on power systems.  While power outages are bad enough, brownouts are not perceptible to us, but they are to the processors in our computers, even if those computers are connected to surge protectors.  This shortens equipment lifespan, increases maintenance costs, and is the cause of a good deal of data loss.

Flood/Fire or Structure Damage

Although flooding seems uncommon, a burst water pipe or a hot-water heater valve stuck open is more common than you would think.  Are your servers, data equipment, and workstations at least 2 inches off the floor?  If not, imagine the good that one inch of water will do to all of those electronics.

Fire damage is relatively rare, but where there is fire there is a great deal of smoke.  In addition, many businesses have automatic fire sprinkler systems in place.  Just imagine a fire followed by a flood.  When the extinguishers go off, is all of your critical data onsite, or do you take your back-up tapes off-site?  Are they safe and up-to-date?

Insider Theft

A depressing thought, but the fact is that well over 50% of the risk of damage or theft of business information lies with insider theft.  This means that over 50% of the effort spent securing your data should be spent on securing data from unauthorized access by insiders, and identification of who is accessing (or trying to access) critical information.

Wireless Networks

Wireless networks (WLAN) are rapidly becoming prevalent in the business world...they are especially helpful in organizations where laptop usage in the office is heavy.  The mobility which these networks provide increases productivity...it also increases risk.

WLANs run on radio systems provided by a network of access points (AP) and wireless network cards.  These systems generally come with security systems which are relatively standardized, but which allow for customization of encryption and authentication.  Yet the vast majority of business networks do not utilize any encryption at all.  This leaves the entire network open to intrusion because, in essence, the firewall does not touch wireless traffic.

With advanced wireless firewalls such as SonicWall products, wireless guest access can be configured to force any local wireless guest traffic to attach on the outside of the network, where the Internet can be accessed but private network resources cannot.  This protects the internal LAN from either unintentional or malicious access.