Keeping Your Organization's Security Current
Security is one of the most dynamic issues in all of computing. Just because a system is secure today doesn't mean that it will be secure tomorrow. New exploits are constantly being discovered, and it's important that you secure your network against those exploits as they are made known.
I have known a lot of administrators who take a "set it and forget it" approach to network security. They do their best to make sure that a system is secure, test the security, and then never touch the security again. It isn't that these administrators are lazy (well, maybe a few of them are); it's that being a network administrator is an extremely demanding job. If someone isn't screaming at you to get a project done, then that project will almost always take a back seat to higher priority projects. At the end of the day, there just isn't time to constantly monkey around with improving security unless upper management makes security one of the highest priorities.
Microsoft has done a lot to help overworked administrators maintain a secure environment. Utilities like the System Update Service and Windows Update allow security patches to be automatically downloaded and installed. This ensures that all of the servers and workstations are kept up to date with all of the latest security patches.
Unfortunately, automatically downloading and installing security patches does not guarantee a secure system. It simply makes those administrators who are forced to use the "set it and forget it" technique less vulnerable to a security breach. Fortunately, there are some things that you can do to make your organization more secure, even if you are too strapped for time to take a really hands-on approach to security.
Obviously, I would be extremely negligent in my duties as a technology author if I didn't tell you that you should examine your security logs and look for ways to enhance your network's security every single day. Having said that though, I am realistic enough to admit that many companies lack the resources to administer security in such granular detail. If you are the type who never touches security because you simply don't have time, then I recommend following my six-month plan.
The nice part of the six-month plan is that you only have to address security once every six months. Again, this isn't ideal, but it's infinitely better than never doing any security work at all. With my six-month plan, there are three things that you need to do every six months: reexamine your corporate security philosophy, check your network for known weaknesses, and attend a security training event.
Reexamine Security Philosophy
Reexamining the corporate security philosophy on a periodic basis is an important, yet commonly overlooked step. The idea is that you must determine if your security policy still matches well with the corporation's needs and culture.
A good, but rather extreme example of this is a place where I used to work. During my first few days on the job, I was told in no uncertain terms that the company didn't believe in cyber security (remember, this was the early 1990s). The users weren't assigned passwords and the servers were kept in an unlocked closet.
Although this was my first network administration job, I knew enough about networks to know that this total lack of security was very unusual. When I asked why security was so lax, I was told that the company was small (less than a hundred employees) and that the president of the company believed that strict security rules, passwords, locked doors, and things like that took away from the casual atmosphere that he wanted to create.
A few years went by and the company grew to well over a thousand employees. One day, there was a change in management. The new manager absolutely blew a gasket when he realized that there was basically no security on such a big network.
If this organization had stopped to reevaluate the security philosophy a couple of times a year, then there surely would have come a point when someone said "this network is starting to get pretty big, maybe we should start thinking about adding some security". Better security could have then been implemented before the lack of security became a huge problem.
Check Your Network for Known Weaknesses
The second step in my six-month plan is to check your network for known security weaknesses. I realize that you are probably keeping your operating systems up to date with Windows Update or something similar, but that isn't enough. You need to take a look at the rest of your network's security a couple of times a year. Remember that things that are considered to be secure today might not be secure tomorrow.
A good example of this is wireless networking. A few years back, the WEP protocol was considered to be secure. Today though, WEP encryption is a joke because it is so easily cracked. Now imagine that you implemented a wireless network several years ago and used WEP as your only line of defense. Your wireless network would have been secure for a while, but would be considered extremely insecure by today's standards. That is why it is so important to look for those types of weaknesses at least a couple of times a year.
Attend A Security Training Event
The third piece of the six-month plan is that you should attend at least two security-related training events each year. I know that it's difficult to make time for class and that classes tend to be really expensive and really boring. Even so, I believe that staying current with your security training is an absolute must. Otherwise, you may not know what to look for when it comes time for the semi-annual network security check.
If you are worried about breaking the bank with your security training, you don't have to sweat it. Microsoft provides free training classes on a variety of topics throughout the year. Just visit http://www.microsoft.com/events and you can search for free training events in your area.
Shortcuts to the Shortcut
Addressing your network's security twice a year is a huge shortcut compared to what should ideally be done in the way of security. Even so, I am one of those people who is always looking for shortcuts to shortcuts. There are a few tips that I can give you that can make your life a lot easier.
The first trick is to delegate and sub-contract when necessary. Like I said, the six-month plan is less than ideal and I know plenty of people who really don't even have time to follow that. If you are that busy, then it's time to get some help. Ideally, you should hire someone whose job it is to handle security. If you don't have the budget for that, consider having a consultant come in a few times a year and give your organization a security check-up.
Another shortcut is to subscribe to security-related Web sites. There are lots of sites out there that will send you E-mail messages explaining all of the latest security issues. One of my personal favorites is the Relevant Security News (http://www.relevanttechnologies.com), a free security-related newsletter.
Although I think that subscribing to various security-related Web sites is a great idea, I recommend limiting your subscriptions to no more than five. The reason is that if you subscribe to too many newsletters, then you won't read them. After all, if you don't have time for proper security, how will you have time to read all of that material?
Perhaps the best advice that I can give you though is to win management's blessing for better security. Unfortunately, this can be really difficult to do. Many top-level executives see cyber security as an expensive endeavor for which the company gains nothing in return. If you can win management over though, you will have a much easier time getting the resources that you need to keep the organization secure.
If you can convince management that security is something to be taken seriously, then your first goal should be to find out how much input you have in planning the IT budget. Ideally, it would be nice if you could allocate enough funds to hire someone to handle security for the company. That would relieve you of the burden.
If you are able to create a new security position, then it's important for you to convince the top-level decision makers at your company that a security manager's position needs to be structured very differently from that of other employees. In order to be effective, the security manager needs to have direct access to the company's top executives. The person must also have the authority to take whatever actions are necessary to enforce the company's security policy.
Of course, selling management on the idea of hiring someone to handle security in an organization where security hasn't been a concern previously is a tall order. It might be necessary to take baby steps. Even if you can't get enough budget money to hire someone, maybe you can get enough money budgeted to invest in some security tools that will help to automate security for you.
Although security should be a high priority, in many companies, it is neglected due to lack of resources. In this article, I have discussed methods that you can use to keep your company semi-secure even if you lack the resources to aggressively pursue a secure network.