Use risk management to balance functionality and security
Locking down a network is a balancing act among security, user functionality, and speed. In order to justify a reduction in operational ability — such as turning off ActiveX — you must identify specific results that will produce a more secure environment for corporate assets and users.
Companies of all sizes can and should use the principles of risk management to identify threats, determine vulnerabilities, and implement courses of action. IT budgets for many organizations have clearly been shrinking recently. You owe it to your employer to stretch those IT dollars: Identify security risks and demonstrate how eliminating or mitigating that risk will positively impact the bottom line.
The cornerstone of risk management (in this context) is a security risk assessment. A risk assessment has three steps: determine network value, define the threat, and determine vulnerability.
Risk assessment process
Many people agonize over the vulnerability assessment. My advice is to think in practical terms.
Determine network value
When assessing the value of your company's network assets, remember to consider both the tangible and intangible costs. Ask questions such as:
- How does system failure impact revenue?
- What staffing costs are associated with network restoration?
- How much would it cost to recreate the information stored on your network?
- What is the financial liability if the information on your network were compromised?
Your network and its data are vulnerable to environmental, internal, and external threats. You must address each type of threat and identify as many possible risks as you can.
Most admins are fairly aware of environmental threats; they don't put their data center in a flood zone or place critical servers underneath a sprinkler system. Insider threats are often well defined as well. These types of threats are common and readily identifiable.
When defining external threats, determine who would gain by destroying the confidentiality of data--whether it's patient records or credit card numbers—through unauthorized access. Perhaps a competitor is seeking information on your customers, or an exploring hacker decides to modify or change your data and destroy its integrity and/or availability.
Determine vulnerability
Vulnerability is the likelihood that a threat you've identified will occur. Categorize your level of vulnerability to each identified threat.
- How likely is the threat? (Are you a high profile target within your industry?)
- How feasible is the threat?
The final step in the risk management process is implementing a secure solution. Your solution might involve a major effort such as user or admin training, network redesign, or an investment in security hardware. Or your solution could be as simple as turning off unneeded services on the vulnerable system(s) or testing and implementing a needed service patch. As you consider assessing the threat against your network, you might find a sample helpful so that you can see how a risk assessment works within the network security framework.
So, let's say that the security admin for a nationwide auto body repair shop decides to do a network risk assessment. The repair shop's network primarily maintains employee time and attendance records and customer car repair information. Connections to the Internet are for e-mail and Web traffic only. The repair shop's finished risk assessment might look like this:
Determine network value—If the network were eliminated, mechanics could still fix cars and customers wouldn't suffer if a hacker learned their tires were out of alignment. However, without the network, it would take an additional four hours per pay period, per site to calculate time and attendance.
Define the threat—Beyond environmental and insider threats, the most likely threat is from a passing black hat or script kiddie.
Determine vulnerability—The network is vulnerable to hostile Web traffic and e-mail-borne viruses.
Solution—The simple, low-cost solution is to implement an antivirus solution for workstations and restrict ActiveX, Java, and scripting at workstations. Additionally, restrict outbound traffic to http, https, DNS requests, and SMTP at the network boundaries. Inbound traffic should consist only of established traffic, return DNS queries, and SMTP.
Final thoughts
If a solution lies within your job responsibility, take action. If the solution has a price tag, move the decision to someone who has financial responsibility for the network, but make sure you think it through first. Don't expect a manager to approve a million-dollar solution to protect $50,000 worth of data and hardware.
The risk management process is an important part of designing and operating a secure network. In conducting a risk assessment, you might discover that your network is underprotected, and you need additional hardware, software, or admin and/or user training to defend it. At the very least, your analysis will prove to management that you're protecting your network with due diligence.
TechRepublic originally published this article on 4 November 2003.