Friday, September 20, 2024

Layered Security

Layered Security is becoming an over-used buzzword for a very simple concept. Let’s say you went to your local bank to cash a check. Think of all the security measures you will interact with for this simple, everyday transaction:

  • The doors of the bank probably have a lock on them
  • There might be an armed security guard at the door
  • The bank most likely has security cameras recording activity in the bank
  • You will have to wait in line until the next clerk is available
  • This clerk is behind bullet-proof glass or an elevated counter designed for security
  • You will need to sign the back of the check, and so on

    This is, at its most basic level, the concept of layered security: different safeguards instituted at various levels to mitigate the risk of threats and vulnerabilities. No one safeguard could possibly provide an adequate level of protection by itself, and each needs to be reviewed and maintained as part of the overall plan.

    In the IT community, Layered Security provides the same function; a variety of safeguards all working together to provide an adequate level of protection for the information assets of the organization. For example, anti-virus software really isn’t providing much value in a network without a properly configured firewall. Or the best patch management system is significantly weakened if you’re still using the word “password” as the password for the admin account on your server!

    Which layers do I protect? Layered Security is all about implementing the safeguards appropriate for your specific environment. Each business has different assets and a different degree of reliance on those assets. To determine the level of security required for your environment, let’s start with a basic understanding of risks.

    Risk is the probability (or likelihood) of a threat crossing paths with a vulnerability that may affect an asset. As an extreme example – there is a real threat out there that an asteroid may hit your building and destroy all your computers. The vulnerability is that your building is not asteroid proof! However, what’s the probability of this really happening? Probably small enough that you are not going to implement the safeguard of relocating your business to the salt mines of Utah 2 miles underground!
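    To make the asteroid comparison concrete, here is a small risk register that ranks safeguards by the loss they avoid against what they cost. This is an added example, not code or figures from the original article: the likelihood and dollar values are constructed illustrations, and the "expected annual loss equals likelihood times impact" arithmetic and the per-safeguard reduction factor are assumptions added here to turn the article's definition of risk into a decision rule.

```python
"""Rank safeguards by the risk they reduce versus what they cost.

Added example, not from the original article. Risk is modelled the way the
article describes it: a threat crossing paths with a vulnerability that
affects an asset. All numbers are constructed illustrations, and the
likelihood-times-impact arithmetic is an assumption added here.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str                 # the threat crossing paths with a vulnerability
    annual_likelihood: float  # probability of occurrence per year (0.0 to 1.0)
    impact: float             # loss in dollars if it happens (constructed)
    safeguard: str            # the control that would mitigate it
    safeguard_cost: float     # annual cost of that safeguard (constructed)
    reduction: float          # fraction of the risk the safeguard removes


def expected_loss(risk: Risk) -> float:
    """Annualised loss expectancy: likelihood multiplied by impact."""
    return risk.annual_likelihood * risk.impact


def safeguard_benefit(risk: Risk) -> float:
    """Loss avoided per year minus what the safeguard costs to run."""
    return expected_loss(risk) * risk.reduction - risk.safeguard_cost


def recommended(risks) -> list:
    """Safeguards whose avoided loss exceeds their cost, best value first."""
    worthwhile = [r for r in risks if safeguard_benefit(r) > 0]
    worthwhile.sort(key=safeguard_benefit, reverse=True)
    return [r.safeguard for r in worthwhile]


# Constructed risk register for a small office (illustrative values only).
RISK_REGISTER = [
    Risk("asteroid strike destroys the building", 1e-9, 2_000_000,
         "relocate to an underground salt mine", 500_000, 1.0),
    Risk("worm reaches unpatched workstations", 0.5, 40_000,
         "patch management", 3_000, 0.8),
    Risk("virus arrives by e-mail attachment", 0.9, 15_000,
         "desktop and gateway anti-virus", 1_500, 0.9),
    Risk("scan from the Internet finds an open service", 0.7, 25_000,
         "hardware firewall", 800, 0.9),
]

if __name__ == "__main__":
    for r in RISK_REGISTER:
        print(f"{r.name:<48} ALE=${expected_loss(r):>10,.2f} "
              f"benefit=${safeguard_benefit(r):>10,.2f}")
    print("implement:", recommended(RISK_REGISTER))
```

    The asteroid row comes out with a large negative benefit and drops out of the recommendation, while the three everyday safeguards all pay for themselves; changing the likelihood column is what moves a safeguard in or out of the plan.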

    At some basic level, however, there are enough known threats and vulnerabilities that affect virtually all users and businesses on the Internet. The following basic security measures should be considered at an absolute minimum.

  • Firewall Protection
  • Patch Management
  • Anti-Virus Software

    Firewalls

    Firewalls, today, vary in function, performance and price. At one end, you can purchase a software-based firewall that is installed on each workstation in your environment. These typically run anywhere from $30 to $50 per workstation and would be considered the most basic level of protection. If you run Windows XP, you have a built in firewall called the “Internet Connection Firewall” that will provide a decent level of security – and it’s free!

    If you have more than one workstation, or are looking for a greater level of protection, consider a hardware-based firewall. These range from “homeowner” grade equipment in the $80 to $100 range to industrial strength, Common Criteria certified equipment that may start in the $500 range and go up to tens of thousands of dollars. The price range of this gear accounts for the functional and performance differences. For example, if you are protecting the DSL connection at home that you use to connect into the office, you may purchase a firewall in the $500 to $1000 range (versus an $80 device) that has built-in VPN capabilities and a secure, external management interface so that your IT staff can support the device remotely.

    As your firewall is arguably the most critical piece of security gear, you may wish to consult your trusted IT advisor and do a bit of homework before making the leap.

    Patch Management

    Regardless of the operating system you use, new vulnerabilities and weaknesses are found every day – and this trend is expected to continue into the foreseeable future. A patch is the generic term used to describe the software “band-aid” a developer will release to fix a discovered vulnerability.

    Microsoft has built a semi-automated utility for the patch management of desktop computers, called Windows Update. This service, either integrated into the Windows operating system or a stand-alone Website, allows any Windows user to determine which patches are currently available for their specific workstation, select the ones they would like to install and allow the system to do the rest. Microsoft also has an Office Update site for users of any of the MS Office products (Word, Excel, Outlook, etc.).

    System administrators have a bit more of a challenge. Often, administrators must rigorously test and research a patch before installing it on critical servers. Will the patch work with, or conflict with, existing software on the server? Will the patch require a re-boot and, thus, downtime? How can a patch be “uninstalled”, and is the process smooth? While these are also considerations with the desktop, they are often much more critical in the server environment.

    Anti-virus Software

    Today, anti-virus software is pretty much a no-brainer at the desktop level. Everyone agrees it’s necessary. There are only a half-dozen major vendors and all are functionally competitive. But even anti-virus solutions are moving to a layered approach. Today, you can install anti-virus software at the edge of your network or, for example, on a mail gateway. This device scans all incoming and outgoing e-mail long before it reaches its recipient. The mail is then forwarded to the real e-mail server for delivery to the end user. Then, most likely, that end user is using desktop anti-virus software that ends up re-scanning the mail before it is read.

    The most important point in the anti-virus discussion is keeping the virus definitions file updated! Be sure to keep current with your subscriptions and make sure you have the latest definition file downloaded.

    Other essential considerations

    Outside of firewalls, patches and anti-virus software, you may want to consider the following basic provisions as part of your overall strategy.

    Security Scanners/Vulnerability Assessment. If you are a home or small business user, there are various free services you can use to scan your environment to check for unknown vulnerabilities. These services provide only a basic, routine check, but would still be considered extremely valuable in smaller environments. As an example, Symantec offers a “Security Check” that will scan your workstation for network vulnerabilities as well as ensure you have the latest anti-virus protection.

    Larger environments will require a real vulnerability scan. These systems are run from inside or outside the environment to check each individual system for known vulnerabilities, missing patches and other weaknesses. This process is essential to the overall security of the environment: it tests for and, more importantly, reports on the issues discovered.
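    The three baseline layers above (firewall, patch management, anti-virus definitions) and the reporting step of a vulnerability scan can be tied together in one check that walks an inventory of systems and lists what each one is missing. The following is an added example, not code from the original article or from any scanner or vendor product: the host inventory is constructed inline (in practice it would come from the patch management system, the firewall's own status and the anti-virus console), the patch identifiers are placeholders rather than real bulletin numbers, and the seven-day definition-age threshold is an assumed policy.

```python
"""Report per-host gaps across the three baseline layers the article names:
firewall, patches and anti-virus definitions.

Added example, not code from the original article or any vendor. The host
inventory is constructed inline and the patch identifiers are placeholders.
"""
from datetime import date

# Constructed baseline: patches every host must have, and the oldest
# acceptable anti-virus definition age in days (assumed policy threshold).
REQUIRED_PATCHES = {"PATCH-0001", "PATCH-0002", "PATCH-0003"}
MAX_DEFINITION_AGE_DAYS = 7
TODAY = date(2024, 9, 20)   # fixed so the example is reproducible

# Constructed inventory: what a scan of each system reported.
INVENTORY = [
    {"host": "ws-01", "firewall_enabled": True,
     "installed_patches": {"PATCH-0001", "PATCH-0002", "PATCH-0003"},
     "av_definitions": date(2024, 9, 19)},
    {"host": "ws-02", "firewall_enabled": False,
     "installed_patches": {"PATCH-0001"},
     "av_definitions": date(2024, 9, 1)},
    {"host": "srv-mail", "firewall_enabled": True,
     "installed_patches": {"PATCH-0001", "PATCH-0002"},
     "av_definitions": None},   # no anti-virus reported at all
]


def check_host(record: dict, today: date = TODAY) -> list:
    """Return the findings for one host; an empty list means every layer is in place."""
    findings = []
    if not record["firewall_enabled"]:
        findings.append("firewall disabled")
    missing = sorted(REQUIRED_PATCHES - record["installed_patches"])
    if missing:
        findings.append("missing patches: " + ", ".join(missing))
    defs = record["av_definitions"]
    if defs is None:
        findings.append("no anti-virus definitions reported")
    elif (today - defs).days > MAX_DEFINITION_AGE_DAYS:
        findings.append(f"anti-virus definitions {(today - defs).days} days old")
    return findings


def assess(inventory, today: date = TODAY) -> dict:
    """Map each host name to its findings; compliant hosts map to an empty list."""
    return {rec["host"]: check_host(rec, today) for rec in inventory}


def hosts_needing_attention(inventory, today: date = TODAY) -> list:
    """Hosts with at least one finding, the one with the most findings first."""
    report = assess(inventory, today)
    flagged = [h for h, f in report.items() if f]
    return sorted(flagged, key=lambda h: len(report[h]), reverse=True)


if __name__ == "__main__":
    for host, findings in assess(INVENTORY).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{host:<10} {status}")
```

    The report deliberately treats "no anti-virus reported" as a finding distinct from "definitions out of date": a system that is missing the layer entirely is a different problem from one whose subscription has lapsed, and the article's point that each layer must be reviewed and maintained is exactly what the per-host list makes visible.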

    Notification Service. As with most anything technology related, knowledge is power. Knowing about a specific vulnerability in a timely manner can mean the difference between a well-executed patch and a weekend re-building a server or workstation from scratch. There are several services designed to alert administrators and IT staff of new and breaking security issues.

    If you are a home or small business user, consider subscribing to the service (almost always for free) offered by the vendor of your anti-virus software. This way, the alert will match the availability of a fix or updated definitions file.

    For larger environments, consider the CERT Advisory Mailing List and the notification service from your OS vendor. As an example, Microsoft has a notification service associated with new Windows vulnerabilities and how best to mitigate these risks. The trick is to sign up for only those services that are necessary and effective for your environment. It is easy to get inundated and overwhelmed with an Inbox full of notifications – all regarding the same vulnerability.
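    One way to keep several feeds without drowning in duplicate messages is to fold the day's notifications into a digest with one item per vulnerability, reporting only those that touch products actually in use. The script below is an added example and is not code from the original article or from CERT, Microsoft or any other notification service: the notification records are constructed, the advisory identifiers (ADV-YYYY-NNNN) are placeholders for whatever scheme the feeds use, and the product inventory is assumed.

```python
"""Collapse advisory notifications from several feeds into one item per
vulnerability, keeping only the ones that concern products in use.

Added example, not from the original article or from any real notification
service. Records are constructed and the advisory identifiers are placeholders.
"""
import re
from typing import Optional

# Assumed inventory: products this environment actually runs (lower-case).
PRODUCTS_IN_USE = {"windows", "office", "mail-gateway"}

# Constructed sample of one day's inbox from three feeds. Three messages
# describe the same vulnerability; one concerns a product not in use.
NOTIFICATIONS = [
    {"feed": "os-vendor", "id": "ADV-2024-0001", "products": ["Windows"],
     "subject": "Security update for Windows available"},
    {"feed": "cert-list", "id": "adv-2024-0001", "products": ["Windows"],
     "subject": "Advisory: remote vulnerability in Windows"},
    {"feed": "av-vendor", "id": "ADV-2024-0001 ", "products": ["Windows"],
     "subject": "New definitions cover exploitation of ADV-2024-0001"},
    {"feed": "cert-list", "id": "ADV-2024-0002", "products": ["Office"],
     "subject": "Advisory: Office document handling flaw"},
    {"feed": "cert-list", "id": "ADV-2024-0003", "products": ["SomeOtherApp"],
     "subject": "Advisory: flaw in SomeOtherApp"},
]

# Placeholder identifier scheme; feeds differ in case and stray whitespace.
ID_PATTERN = re.compile(r"ADV-\d{4}-\d{4}", re.IGNORECASE)


def normalize_id(raw: str) -> Optional[str]:
    """Canonical upper-case identifier, or None if the field carries no id."""
    match = ID_PATTERN.search(raw)
    return match.group(0).upper() if match else None


def triage(notifications, products_in_use) -> dict:
    """Group notifications by vulnerability id, dropping those whose products
    are not in use. Each entry lists the feeds that reported it, so the
    administrator reads one item instead of one message per feed."""
    grouped = {}
    for note in notifications:
        vuln_id = normalize_id(note["id"])
        if vuln_id is None:
            continue                      # cannot correlate; leave for a human
        affected = {p.lower() for p in note["products"]}
        if not affected & products_in_use:
            continue                      # not our product; suppress the noise
        entry = grouped.setdefault(
            vuln_id, {"products": set(), "feeds": set(), "subjects": []})
        entry["products"] |= affected
        entry["feeds"].add(note["feed"])
        entry["subjects"].append(note["subject"])
    # Sorted lists make the digest stable and easy to compare day to day.
    return {
        vid: {"products": sorted(e["products"]), "feeds": sorted(e["feeds"]),
              "subjects": e["subjects"]}
        for vid, e in sorted(grouped.items())
    }


def messages_suppressed(notifications, products_in_use) -> int:
    """How many inbox messages the digest folded away."""
    return len(notifications) - len(triage(notifications, products_in_use))


if __name__ == "__main__":
    digest = triage(NOTIFICATIONS, PRODUCTS_IN_USE)
    for vid, entry in digest.items():
        print(f"{vid}: {', '.join(entry['products'])} "
              f"(reported by {', '.join(entry['feeds'])})")
    print(f"{messages_suppressed(NOTIFICATIONS, PRODUCTS_IN_USE)} of "
          f"{len(NOTIFICATIONS)} messages folded into {len(digest)} items")
```

    Keeping the list of feeds per item is deliberate: when the anti-virus vendor, the OS vendor and CERT all report the same identifier, that agreement is itself a signal that the fix or definitions file the article mentions is available, and the subjects are retained so nothing is lost in the folding.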

    Staff education. It has to be said, you’re only as strong as your weakest link. Often, this weak link is the casual user in the office that simply doesn’t understand the importance of NOT turning their anti-virus software off when they get into the office each morning! Or the one that sees no problem with bringing their PC from home, hooking it up to the corporate LAN to see if the IT staff can help get it fixed – “It’s been acting flaky, maybe it has a virus or something”!

    As an excellent primer, educate your staff on the three steps of basic security by pointing them to the Microsoft “3-Steps” site at microsoft.com/security/protect. This site will guide Windows users through the three steps outlined in this article in a step-by-step process based on their specific operating system.

    Basic security is an issue that affects all of us. This is one area where a little knowledge can go a long way in protecting your information assets and providing better access to IT resources overall.

    Neil Witek, PMP, CISA is a Project Manager with ICS Advantage, a member of the Sikich Group. In this role, Neil is responsible for the coordination of design, planning, implementation and testing efforts on ICS's most complex engagements. Neil’s primary focus is on unique projects regarding IT security and control including local government, e-commerce and secure networking. As a member of the Sikich Group, Neil provides IT audit services for Sikich-Gardner clients throughout northern Illinois. These services leverage his hands-on experience accumulated as a 14-year veteran of IT professional services.
