People, procedure and technology Featured

11:26am EDT December 21, 2004
There are three keystones that create a solid foundation for a safe network -- people, procedure and technology -- and it is necessary to have all of these factors in place.

Internet security risk is evolving at an alarming pace. Hackers no longer need vast programming knowledge to cause severe damage. Hacking tool kits are easy to find online and come complete with a how-to manual. Spyware, malware, smart viruses, bot viruses and phishing scams are marching their way across our corporate networks and through our e-mail, forcing IT professionals to scramble for patches and fixes.

Even hindsight would not have helped, as some of these threats have little or no resolution. Even worse, as stated in The Wall Street Journal, "Increasingly, viruses are becoming part of the modern criminal's toolbox."

People

One of the biggest vulnerabilities networks face is the people who use them. There is a saying that, "A good education is the best prevention." Support from upper-level management in a corporation is critical to the success of any security program.

Management should also be knowledgeable about any current security issues. For years, IT professionals have been scolding novice users on the use of the network when they could have been educating them on how to be part of the security solution.

Education is a low-cost alternative that can alleviate risks within any network. Rather than keeping users in the dark, IT professionals should be enlightening them through education about new risks such as phishing scams, which lure you in by posing as a bank requesting that you update your information via e-mail.

Many common vulnerabilities go undetected because they are holes in applications that are attacked by hackers to bring down your network. Virus propagation, e-mail viruses and education on attack techniques help users understand how they can prevent your network from being attacked.

Procedures

Along with education, setting policies and standard operating procedures is necessary.

* Set expectations for users, vendors and visitors that access your network.

* Screen or segment visitors from your network.

* Do not allow outside machines (laptops, PDA, etc.), which are not subject to your scrutiny or control, to use the network. Most networks do not have countermeasures for a computer that gets connected behind the firewall.

* Allow your users a way to report incidents immediately, without repercussions.

* Create a written policy so users have an understanding of acceptable Internet usage.

* Control your liability by having users acknowledge in writing that adverse or unexpected things can happen while using a network or the Internet.

Technology

Technology is the last key part of creating a solid security base for your network. The following are ways of maintaining your technology knowledge.

* Become familiar with the four pillars of network security -- firewalls, VPNs, antivirus software and intrusion detection systems.

* Investigate potential risks and test your procedures. Don't depend on the hardware or software alone.

* Enlist help for things beyond your expertise; a misconfigured security device or software program can be more dangerous than none at all.

* Monitor activity in front of and behind your security devices.

These three keystones of Internet security combine to create a layered security model that is tough and resilient to new security risks as they are unleashed. Proactive network security begins with good security policies and proper implementation of these policies.

You need to be knowledgeable of the current and updated viruses, hackers, cyberterrorists, malicious insiders and worms. Also, having modern technology is vital in providing the necessary protection against risks to your network.

Alex Desberg (adesberg@i-trap.net) is the director of marketing for I-Trap Internet Security Services, www.i-trap.net. Reach him at (888) 658-8727.