Any information security strategy must be defined to support the growth and direction of the organisation. This strategy should look at all the risks that may impact the organisation and implement a plan to mitigate those risks. Today, these risks are far more diverse and varied, and as such a mix of technical and non-technical controls is needed to safeguard the business, its data and its ability to operate. It is critical to develop a strategy that mitigates or transfers as much risk as possible while keeping the cost and disruption as reasonable as possible. As a result, a mix of multiple different security measures needs to be taken to mitigate the relevant risks as efficiently as possible. Every measure will naturally have its blind spots and weaknesses, and each of these must be covered by another system. Understandably then, when setting up a network security system, the risks, threats and impact must be understood in as much detail as possible, and controls applied only where it makes financial sense and/or there is a regulatory demand.
So we have a multi-product, layered approach to network protection, but there are still some serious questions that must be asked when deploying these solutions across physical security, technical security, and administrative measures. This article was written to collate some of those questions that might be forgotten during this process.
Physical controls are a first line of defence and range from access controls such as doors, locks, passwords, signage, and security guards to site facilities such as power, HVAC, and resilient services to ensure that service remains uninterrupted.
Do I know who is accessing my physical network?
In many businesses it is all too easy to walk into a room and plug in to a spare RJ45 network socket on the wall, which could potentially give a vantage point into your network. It is important to understand what is patched where, and also to properly disconnect or limit access to physical connections. In some cases a physical audit may be necessary to confirm that what you think is plugged in is actually plugged in.
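One way to run the "what you think is plugged in" check between physical audits, shown as an added example that is not part of the original article: reconcile the documented patch records against the MAC addresses a switch actually reports per port. The port names, MAC addresses and record format are constructed for illustration.

```python
# Constructed patch records: port -> documented MAC, or None for a spare socket.
PATCH_RECORDS = {
    "sw1/0/1": "00:11:22:33:44:01",
    "sw1/0/2": "00:11:22:33:44:02",
    "sw1/0/3": None,                 # documented as an unpatched wall socket
    "sw1/0/4": "00:11:22:33:44:04",
    "sw1/0/5": "00:11:22:33:44:05",
}

# Constructed observations, as (port, mac) pairs exported from a switch MAC table.
OBSERVED = [
    ("sw1/0/1", "00:11:22:33:44:01"),
    ("sw1/0/2", "00-11-22-33-44-02"),   # same device, different notation
    ("sw1/0/3", "DE:AD:BE:EF:00:99"),   # something is live on a spare socket
    ("sw1/0/4", "00:11:22:33:44:04"),
    ("sw1/0/4", "00:11:22:33:44:aa"),   # second device behind a documented port
]

def normalise(mac):
    """Lower-case and use ':' separators so notations compare equal."""
    return mac.lower().replace("-", ":")

def audit_ports(records, observed):
    """Return sorted (port, finding, mac) tuples where reality differs from records."""
    seen = {}
    for port, mac in observed:
        seen.setdefault(port, set()).add(normalise(mac))
    findings = []
    for port in sorted(set(records) | set(seen)):
        macs = seen.get(port, set())
        if port not in records:
            findings += [(port, "undocumented-port", m) for m in sorted(macs)]
            continue
        expected = records[port]
        if expected is None:
            findings += [(port, "device-on-spare-port", m) for m in sorted(macs)]
            continue
        expected = normalise(expected)
        findings += [(port, "unknown-device", m) for m in sorted(macs - {expected})]
        if expected not in macs:
            findings.append((port, "documented-device-missing", expected))
    return findings

if __name__ == "__main__":
    for finding in audit_ports(PATCH_RECORDS, OBSERVED):
        print(*finding)
```

A matching MAC address is not proof of identity, since addresses can be copied, so a clean report narrows the physical audit rather than replacing it.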
Do I have a way of controlling access to my physical network?
Nearly every IoT device seems to have a connection to the internet these days, and many devices have a physical RJ45 network connection. Smart TVs, for example, we often find beaconing back home with potentially sensitive information. It is important to ensure you have some form of policy on the connection of new devices to your network, which may include a risk assessment of what the device has access to and whether it should actually be allowed.
How would I know if physical security measures have been breached?
This is a difficult question to answer, but the best way to test how prepared you are is to ‘red team’ your site: inviting teams of people into the business to see how much of the business they can access, what information they can get out of the organisation, and how far an unauthorised person can get within your site before you are alerted to their presence. Even beyond these tests, it is important to understand how you could tell if someone is on your site who shouldn’t be, whether it’s by detecting them accessing your IT infrastructure, or physically detecting them walking around.
Technical controls, whether active or passive, can be implemented to enforce, monitor and understand an environment. In modern businesses, the biggest risk is often loss of data or service on its IT systems, which means businesses will focus on IT-related technical controls such as firewalls to protect the perimeter, IPS/IDS to identify attacks, proxy servers to monitor and control internet usage, and endpoint protection to protect user devices, whether from loss, attack or intentional deviation from the policies.
How many technical controls do I really need?
The quantity of technical controls is vast and the degree of active enforcement is dependent on the risk and the policies of each organisation. How many are deployed largely rests on balancing risk and investment. The best way to approach this is to deploy more than expected initially, then review the deployment to see how much value each system is delivering, and work backwards from there.
Which layers of security require technical controls?
Technical controls can be used at all layers of network security: active preventative controls which stop a detected threat, containment which may identify a threat and quarantine it, detection and reporting to allow for analysis and reporting, and recovery and restoration should it be necessary. Network monitoring systems can complement these technical controls by offering passive detection and monitoring of network behaviours. This allows analysts to better understand the actions of a device or user, using this data to identify risks and proactively mitigate them, but also to understand what has happened should an incident occur.
Administrative controls can have a massive effect on the effectiveness of information security strategy, but how effective these controls are varies greatly across organisations based on how they are implemented.
To what extent can administrative controls remove the need for technical controls?
Deploying policies can remove the need for a number of technical controls. However, some policies can be pervasive and enforced using technical measures such as group policy (change password every 30 days), whereas others are not enforced with technical systems (no system changes during Xmas shutdown).
Do I have a way of understanding when administrative controls aren’t being effective?
Deploying solutions that can understand how many users are not adhering to training, or how many policies are being breached and how regularly, can point you towards simple measures such as retraining or policy renewal to improve information security. Network monitoring systems that can tell the user how many people are breaching policy, for example, can inform a system admin that they may need to deploy systems to stop these policy breaches from happening. A good example of this particular issue is monitoring the use of cloud storage solutions that breach policy. If this is happening often, perhaps it’s time to deploy a private cloud storage solution?
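The cloud storage case above, as an added example that is not part of the original article: count policy breaches per user from proxy log lines and use how widespread they are to choose between retraining and a technical or sanctioned alternative. The log format, the domain list and the 50% threshold are assumptions made for illustration.

```python
from collections import Counter

# Hypothetical policy list: storage services the organisation has not sanctioned.
UNSANCTIONED = ("files.example.net", "share.example.org")

# Constructed proxy log: timestamp, user, method, target.
LOG = """\
2024-03-04T09:01:12Z alice CONNECT files.example.net:443
2024-03-04T09:02:40Z bob GET http://intranet.example.com/home
2024-03-04T09:05:03Z alice CONNECT eu.files.example.net:443
2024-03-04T09:07:55Z carol GET http://share.example.org/upload
2024-03-04T09:09:21Z dave CONNECT notfiles.example.net:443
truncated-line
2024-03-04T09:11:30Z carol GET http://intranet.example.com/wiki
"""

def is_unsanctioned(target, suffixes=UNSANCTIONED):
    """Match the host exactly or as a subdomain, never as a bare string suffix."""
    host = target.split("://")[-1].split("/")[0].split(":")[0].lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)

def breaches_per_user(log_text):
    """Return (Counter of breaches per user, set of all users seen)."""
    counts, users = Counter(), set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of guessing at fields
        _, user, _, target = parts
        users.add(user)
        if is_unsanctioned(target):
            counts[user] += 1
    return counts, users

def recommend(counts, users, widespread=0.5):
    """A few offenders suggests retraining; a large share suggests an unmet need."""
    if not counts:
        return "no action"
    share = len(counts) / len(users)
    if share >= widespread:
        return "review technical control or sanctioned alternative"
    return "targeted retraining"

if __name__ == "__main__":
    counts, users = breaches_per_user(LOG)
    print(dict(counts), recommend(counts, users))
```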