It may sound strange, but the best way to protect the company network is to keep it off the internet. Since this is not possible, there must be ways to keep security at a level that provides both protection from the outside and connectivity for company users. The industry standard for doing so is broken down into a seven-layer model of security. There is also the need for clean-up after an incident, which is why an eighth layer has been added.
Company systems are only as secure as the locks on the doors and whether employees use them. Alarm systems and video surveillance systems provide even further enhancements to the company’s physical security platform. Remember that once an intruder has physical access to a network, the game is over and the compromise of information will be almost unstoppable.
Based on the premise that an intruder has gained physical access to company computer systems, the last line of defense is to have data encrypted where it is stored. Encryption is also vital for any data containing client information that leaves the company, to keep prying eyes out of this private information. Backup is included in this layer of security because data is not truly secure if it can be lost due to natural disaster, hardware malfunction, malware or user error.
Like any other territory worth protecting, there need to be guardians in place that watch the perimeter and police what the citizens are doing inside the walls. Effective setup of network firewall policies, Internet content filtering, email spam filtering and network segmentation can be used to restrict access into, out of and around the network. Time should be taken to review vendor best practices to determine which unneeded points of access can be turned off to harden the network against the current threat landscape. All these systems should be actively maintained to ensure that they are effective against the latest threats that have emerged.
The least privilege model is used to make sure that only those employees who need access to network resources are able to connect to them. This is done by splitting the network into security zones, creating an organizational structure with proper security groupings, and enforcing complex password policies. Reporting on these levels of access also allows responsibility to be placed where it is due when unauthorized access occurs in the network.
Who would have thought that Human Resources would be part of the discussion on security? Company policy, as defined in the signed “Acceptable Use” portion of the employee manual, sets forth the expectations for how employees are to securely access network resources and what internet etiquette they should be using as members of the organization. Showing this information to clients will give them confidence in the way that business is done and that their information is safe in the company’s hands.
As time goes on, there are guaranteed to be new bugs found that require patches to be applied to both software and hardware around the network. The status of these updates should be checked at regular intervals, with automation being ideal to avoid human error. Antivirus software is also key to protecting the computer systems from accidental infection by phishing emails or drive-by downloads from websites.
Ideally, there will be full audits done of all systems on the network to determine where the company stands overall on metrics like vulnerability, patch management, configuration best practices and change monitoring policies. Once the audit is done and all needed changes have been made, proper monitoring of company systems can be put in place to provide alerting for any new issues that arise. This allows for a proactive approach to network security.
When all other layers of the security model have failed and an incident has happened, it is time for computer forensics to take over. Computer forensics is a discipline that combines elements of both law and computer science to collect and analyze data from computer systems, network devices, wireless communications, and storage devices in a way that is admissible as evidence in a court of law. Computer systems need to have their persistent and volatile data analyzed properly, with high levels of documentation, by forensic professionals. If computer forensics policies are ignored, valuable evidence might be ruled inadmissible in a court of law and the perpetrator walks away without paying for what they have done.