Not Your Father's Network
When the computer and network space was simpler, you could expect a network to support any IP service. However, most people stuck to the basics of terminal service, file copying and e-mail, with some file sharing thrown in. Fewer services meant fewer avenues of attack.
Today's network incorporates all sorts of wonderful but unsettling services. Voice data travels over the enterprise network. Files are shared. Corporate networks now include travelers and customers, often in the name of e-business and e-commerce. Every new network service represents possibilities for increased sales.
Businesses reach out and touch partners, customers and potential clients, often via the Internet. According to the January 2000 Internet Software Consortium's Internet Domain Survey (www.isc.org/ds), there are more than 72 million hosts on the Internet. Given that many organizations do not advertise their internal name spaces, we know that many more computers are connected in some fashion to the Internet. Potentially, perhaps a billion people live in the "network neighborhood."
Between the vastness of this space and the services available, there are countless potential avenues of attack. Attackers don't even have to be particularly smart, skilled or patient to develop an attack. Through the ease of "user friendly" software, and with the ubiquity of methods for simple file distribution, anyone with a computer is a potential attacker. No special skills are required. Launching attacks is within the reach of anyone with a mouse.
The New Ground Rules
To meet the challenges of computer and network security, it's crucial to adopt ground rules. Once they're in hand, the rest is easy.
1. Security and complexity are often inversely proportional. Every step taken--whether it's vulnerability and risk assessment, security policy and procedure development, deployment of mechanisms or user education--should be as straightforward and simple as possible. The more cryptic the instructions and procedures, the more room for misunderstanding and misapplication.
2. Security and usability are often inversely proportional. There is no such thing as "complete security" in a usable system. Consequently, it's important to concentrate on reducing risk, but not waste resources trying to eliminate it completely. Such a pragmatic mind-set provides a fighting chance to achieve fairly good security while still allowing productivity.
3. Good security now is better than perfect security never. This is a corollary of the previous axiom, since perfect security doesn't exist in a usable system. Even if it were possible, a usable system is a moving target: Threats change, technologies change and business needs change. The job is never done.
This knowledge should actually free you to shoot for "good enough." Come up with 10 things to do, but only get to four of them now, and you're probably in a better position than if you wait until it's possible to do all 10. The key is to prioritize correctly.
4. A false sense of security is worse than a true sense of insecurity. Knowing where your enterprise is still insecure provides you with the framework for moving ahead. It's critical to know where you've left gaps, what documents and procedures are not quite right and what mechanisms need replacing. A false sense of security does not motivate improvement--or even analysis--of an organization's security posture. It leads to false complacency, which can give rise to disaster, often accompanied by the lament, "I thought we had that covered." It's better to know where you are weak and avoid unquantifiable risks.
5. Your security is only as strong as your weakest link. Therefore, be thorough in examinations and evaluations. For example, if there's a reason to employ VPNs (virtual private networks) to keep connections from home and remote offices to headquarters private, it may also be necessary to protect that data while it resides on the notebook PCs of your mobile workforce. It may also mean removing modems from desktop computers, requiring all traffic to flow through the firewall.
6. It is best to concentrate on known, probable threats. There are imagined threats, real threats and probable threats. And there are known and unknown threats. We are most interested in real and probable threats, while we continue to expand the set of known threats.
7. Security is an investment, not an expense. The challenge is to get this point across to upper management. Investing in computer and network security measures that meet changing business requirements and risks makes it possible to satisfy changing business requirements without hurting the business' viability. Properly secured servers let corporate information be shared with salespeople in the field and with business partners. Improperly configured systems lead to data loss or worse.
Although it's comforting when an attack is put off, it is much better never to have to put security measures to an actual "battlefield" test. As with airbags in an automobile, it's important that they're there, but better never to have to use them. With these ground rules in mind, it's time to do the most important work in securing networks and computers: security management. Keeping the above axioms in mind should help you streamline the process.