“Do I need a new firewall?”
This is a frequent question asked by owners of small businesses concerned about growing security threats infesting the Internet.
But rather than relying on a single solution to address security challenges, small organizations instead should adopt a strategy of “defense in depth” — using multiple mechanisms and levels for security.
Begin With Risk Management
This is the best place to start, as the outcome of this process will highlight what needs to be done. Understanding how much time and money to invest in security requires that you first determine what matters most to you. It may be customer design files, accounting data, and so on.
Do not try to protect everything. It simply is not realistic; the focus should be on what matters most. Second, look at how these critical items are threatened. Engage vendors, consultants, colleagues and so on to figure out the best layers of defense to reduce the risk to an acceptable level in a cost-effective manner.
Do not try to eliminate risk entirely. The goal must be to lower the risk to a point that you can live with it.
Layers of Security
The following underscores how various security components can be woven together to create a better security net:
By having a firewall, the risks of attacks via the Internet are reduced. In the event that the firewall is breached or the intruder is inside the building, and possibly even an employee, the systems should require user IDs and passwords to limit access. These basic authentication controls must be overcome by the perpetrator to gain access to the systems and their data.
If passwords are nowhere in sight, are not easy to guess because they contain letters, numbers and symbols, and the account is locked after only three unsuccessful login attempts, the hacker’s options are greatly reduced and the amount of effort and time required to gain access escalate rapidly.
While this is occurring, system and security logs should be tracking the activity. As the log entries are generated, hopefully either automated systems will generate alerts and/or the activity is noticed during the daily access log review process or due to the system administrator(s) detecting an unusual amount of locked accounts.
In the next layer, if the hacker penetrates the system, then hopefully key data is encrypted so that any data theft is a bittersweet triumph for the hacker. In the event that he/she wishes to corrupt the data, there should be backups performed regularly that the organization can restore and have a firm point to recover from.
What the above is trying to illustrate is that even if one layer, or ring, of the defenses is breached, then another one exists to thwart, or at least slow down, the hacker. One thing to note is that the above also is a good example of why regular daily reviews of system access, and security activity in general, is a good idea. Reports can be simplified and the review tasks assigned to someone with a small amount of training. More in-depth review can be outsourced to a security firm or contractor if deemed necessary.
In the next article we will cover some basic technology and process areas that small businesses can consider to include in the IT security arsenal.
Editor’s Note: This article is geared toward smaller businesses that may lack security resources and/or experience with security controls. It is not intended to be comprehensive. For people seeking more in-depth analysis, refer to the various standards that exist such as ISO 17799 and COBIT plus visit industry websites about security such as http://www.astalavista.com/, http://www.cisecurity.org/, http://www.csoonline.com/, http://www.esecurityplanet.com/, http://directory.google.com/Top/Computers/Security/, http://www.isaca.org/, http://www.ntbugtraq.com/, http://www.sans.org and http://securitypipeline.com.