When I think about our security strategy, I have to ask myself if we've done enough. Have we covered all the bases? If we haven't, do we have a work-around or some other risk-mitigation plan in place?
The best security approach is applied in layers. You can apply the layers from the inside out or the outside in, but most companies start from the outside, putting firewalls at every entry point to the network. At my state agency, though, we work from the inside out.
State systems are sprawling. When I came to work at this agency, the state-level WAN guys assured me that they had adequately protected the state network, including my agency. But when you realize how vast the network is, stretching to every state government office and university classroom, you wonder how secure it can be without assistance from the various agencies. And so we have taken responsibility for the agency's security, working from the inside out.
When you work from the inside out, the most important protection you can provide is at the host level: servers, switches, networked printers and desktop computers. As networks connect around the globe, making it hard to say where they truly begin and end, this may be the smart approach. I can't control the networks we connect to, but I can attempt to control our entrance and exit points and what goes on inside. Here's what we've been able to do:
Servers:We have protected our servers by hardening them: keeping the operating system up to date, turning off unneeded services, not installing unnecessary applications, providing access on a need-to-know basis and making passwords industrial-strength.
Patches:Patching is perhaps the single most important thing you can do in a Windows environment. Because we have a week to test operating system patches before implementing them, that takes priority, and we do it after hours to minimize disruption.
Monitoring: We use software that allows us to cull event-log information from each server and review it in a single location. We can set up alerts based on certain changes in the logs. We also have software that lets us monitor services running on each server. If an unknown service that might be listening in on or sending data over the network starts up, we are alerted.
Access: We use Active Directory's security policies to control access to resources and systems. This includes access to network multifunction devices that provide fax/copy/print capability.
Firewalls: When I first came to the agency, we had no firewalls. We've purchased commercial firewalls for each entry point, and I am drooling at the prospect of getting them installed. We run intrusion detection with sensors attached everywhere possible. We are getting close to total visibility, but it has been expensive. In my last column, I described how I repurposed all-in-one security appliances as single-purpose tools. We paid too much, but it works.
Wireless: Not allowed on the network. Period.
Desktops: The operating system is locked down or hardened. End users can't install applications. We don't use Windows XP's built-in firewall, but we keep all desktops patched around the clock using automated tools. Each desktop system automatically updates antivirus and antispyware protection.
So, what are we missing? Where are we weak? What can be exploited that we have not had the time, energy or funds to address?
Servers: We don't run host-level firewalls or intrusion-detection and -prevention software. I just don't want anything to hinder the performance of production servers. Those ideas will stay on the back burner for a while.
Access: Like many organizations, we have a file-sharing nightmare on our hands. While we control access-level permissions via Active Directory, everyone is approved to access everyone else's documents. We keep stressing the "need to know" concept, but everyone seems to need to know everything.
Access to the systems that house our agency's primary work requires several levels of approval. I'm comfortable with the security access levels, but the systems themselves are outsourced. I have no visibility into the security of the vendor's environment. I worry about that. According to our contract, the vendor must comply with federal security guidelines and regulations. I have to leave it at that.
Network: We're still allowing Telnet to be used to connect to our switches. We ought to be using SSH, which provides an encrypted session as administrators make necessary changes. And the passwords are weak and haven't been changed in some time.
Desktops: I still want to implement some personal firewalls, but XP's firewall can't be managed centrally by the systems administrator.
Encryption: This is the one big hole in our strategy. We don't encrypt e-mail transmissions, traffic between our agency sites, file systems or laptop hard drives. The new firewalls will provide IPsec encryption between our sites. But there is so much more to do in the encryption area. Thinking about it can be overwhelming. I just need to break it down into manageable chunks and attack it.
In the end, we've done a lot from the inside out. We can do more, but we know that. We've given thought to our weaknesses, and in some cases, we have a plan. But I still wake up at night from time to time, thinking about how much more there is to do.