Just as the image of the security wheel implies, network security is a constantly evolving and growing process. This process is driven by the changing and growing nature of the business on one side leading to more and more resources and possibly links to more outside sources. Pressing from another side is the bad guys outside of your network who are constantly gathering better tools, often the same ones you’ll be learning about. They also don’t have a security policy preventing them from trying the latest and greatest hack posted on the Internet. They could also have “cracked” copies of licensed tools and software the company can’t afford. If potential attacks from two growing fronts weren’t bad enough, internal users are becoming savvier about the workings of the network. Economic turmoil can often bring out a side of people that even they might not have known existed under other circumstances.
So what is the company to do? Start by recognizing that what you have today in the form of network security becomes the baseline from which the future is built. There’s no going back to last year, so today becomes the beginning of time. Planning and development must always look at the next level of safety the network security can be moved to. Meanwhile, caution and good practices would suggest the following:
Monitor the security alerts from all network device vendors and install the recommended patches and upgrades.
Stay current on the latest threats, vulnerabilities, and tools by monitoring security web sites and newsgroups, such as www.sans.org, www.cert.org and www.cisecurity.org.
Implement and follow the existing network security policies, including incident investigation and reporting. Lax implementation and enforcement leads to potential vulnerabilities and can undermine commitment to security.
Update the security policy on a regularly scheduled basis, plus any time a new technology is added to the network or an existing technology is removed.
Ongoing security training and awareness should be a priority at all levels within the company.
Encourage a sense of trust and friendliness to encourage employees to “ask first” when in doubt and to encourage reporting of potential security incidents.