5 Simple Steps to Securing Your Network


At a time when companies are spending more and more on IT security, why do the breaches seem to be getting worse? Throwing more and more money at the problem doesn’t seem to be helping. The threat has changed and our preventive measures need to adapt.

What is needed is a whole new mindset when it comes to IT security. Rather than trying to keep hackers out with higher and higher (fire)walls, companies need to assume open access to their networks and take steps to minimize the resulting damage. Containment in addition to prevention. To use a naval analogy, consider ships with multiple hulls full of individually sealing compartments. Rather than focus on preventing damage to the hull, their designers assume a mishap will occur and design the ship to minimize the impact of leaks. For example, rather than trying to prevent a password from being guessed by making it super-duper strong, make sure that password only accesses one tool, app, or file location, so that damage is minimized when said password is broken.

Along those lines, here are five steps that individuals, companies, and IT departments can take to not just prevent hacks, but also minimize damage, if and when hacks occur.

1.    Isolate network security (encryption key management) from basic network administration

It seems natural to let the same guys who run the IT department also run network security. In reality, many IT departments outsource some tasks, hire temps during peak times, or have high turnover. At a minimum, network security should be a subgroup within IT consisting of trusted superusers. One large cloud services provider recently decided to only let select employees with more than 10 years at the company who were financially sound and had passed psychological tests handle their encryption keys. (An independent investigation had uncovered recent hires who had simply sold keys for cash.)

2.    Limit network privileges to those really needed by employees

The majority of the workforce in companies today need only basic rights. Very few actually need admin rights or the ability to install software. While it is common to run an isolated “guest” network in the company lobby for visitors, a substantial percentage of the employee base could be moved to the same isolated network without impacting their daily jobs or productivity. Then, if and when an employee inadvertently comes upon a website that tries to hack them, or accidentally responds to a phishing request, little to no damage is done. Similarly, separate network resources should be maintained for vendors and partners. Rather than give a contract manufacturer access to design file servers, have a separate temporary file server that only serves up the design file they need and auto-deletes after they retrieve it.
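The temporary file server described above, reduced to its core logic as an added example (not code from the original article): each staged file gets a single-use token with an expiry, and the file is deleted on the first retrieval attempt, whether or not it succeeds. The class name `OneTimeDrop`, its method names, and the sample file contents are hypothetical.

```python
import hashlib
import os
import secrets
import tempfile
import time


class OneTimeDrop:
    """Stages single files for a vendor; each link works once and expires."""

    def __init__(self, ttl_seconds=3600, clock=time.time):
        # Separate staging directory, so the vendor never touches the design servers.
        self._dir = tempfile.mkdtemp(prefix="vendor-drop-")
        self._ttl = ttl_seconds
        self._clock = clock
        self._entries = {}  # sha256(token) -> (path, expires_at)

    @staticmethod
    def _key(token):
        # Only a hash of the token is kept, so a dump of the index leaks no links.
        return hashlib.sha256(token.encode()).hexdigest()

    def stage(self, data):
        """Copy one file's bytes into the drop and return its one-time token."""
        token = secrets.token_urlsafe(32)
        fd, path = tempfile.mkstemp(dir=self._dir)  # created with owner-only permissions
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        self._entries[self._key(token)] = (path, self._clock() + self._ttl)
        return token

    def retrieve(self, token):
        """Return the file once; the staged copy is deleted even if the link expired."""
        entry = self._entries.pop(self._key(token), None)
        if entry is None:
            raise PermissionError("unknown or already used token")
        path, expires_at = entry
        try:
            if self._clock() > expires_at:
                raise PermissionError("token expired")
            with open(path, "rb") as fh:
                return fh.read()
        finally:
            os.remove(path)  # auto-delete after retrieval or expiry

    def staged_files(self):
        return os.listdir(self._dir)


if __name__ == "__main__":
    drop = OneTimeDrop(ttl_seconds=600)
    link = drop.stage(b"constructed sample: bracket-rev-C.step")
    print(len(drop.retrieve(link)), drop.staged_files())
```

A stolen or replayed token is useless after the first download, and an unclaimed file stops being retrievable once its expiry passes.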

3.    Require employees to run a password tool that lets them use different passwords for each application, and rotates the passwords more often

Most phishing and hacking schemes are designed to steal a user’s password. If a single password is used for everything the user has access to, then the damage can be substantial. However, more often than not, a stolen password is not used immediately but quietly held while other user passwords are collected. Then a massive, coordinated assault is launched. If passwords have short expiration periods, the passwords become useless before a coordinated attack can be launched. Most of the high-profile celebrity hacks in the news used passwords that were stolen over two years ago from Gmail accounts. A simple password change would have prevented it all.

4.    Move company-specific social media and sharing tools to an internal “private” cloud

Companies today use cloud services, whether they realize it or not. Most cloud applications can now be hosted on company servers in addition to the public cloud. For example, Salesforce.com and Google applications can be hosted internally, providing the same value, yet greatly reducing the risk of public exposure. Even if an employee’s public cloud Dropbox password is guessed, info stored on the private cloud will not be visible to the hacker.

5.    Secure the physical transport of data between sites

While VPN is a great tool for securing an employee’s connection to company resources, it should not be misconstrued as a way of securing site-to-site communications. Today’s networks are truly global in scale. No matter how much security goes into a company’s office, the minute the data leaves the building it's vulnerable to attack. Disclosures over the last year show that tapping of fiber optic links between cities is widespread, much more common than previously thought. Fiber optic encryption solutions are available that guarantee data flowing between sites is kept secure.

Times have changed. Simply running virus scan software and a firewall is no longer sufficient network protection. The five steps above are just a start towards a new mindset. Assume your network will be breached and proceed accordingly.
