Tech 101: Basic Network Security Concepts
Tim Weidman
The question I am often asked during the review of a new client’s network is, “Is my network secure?” Security is a many-faceted concept. It is also a relative term and a matter of degree.
I am not looking to go into advanced aspects of network security, so if you are the administrator or responsible party for a corporate network with measures already in place, this is not for you. On the other hand, if you are a small to medium-sized business owner wanting to have a handle on your technology risks, it is my goal to present a useful list of technology security basics.
I have often seen small businesses invest in a more advanced firewall or other security measures without first covering basic security concepts. Leaving those basics out makes the investment easy to circumvent.
Below are 7 concepts that should be established for you to cover the “basics.” While you may not be able to implement all of these yourself, you have the ability and obligation to know the status of each. Question your internal or external technology staff on where you stand with each concept. The answer “It is all taken care of” is not sufficient. You should know how, when and by whom. These same concepts can be applied to some degree to a more secure home computing environment.
1. Backup. Yep, that is not really a security function. Tricked you right off the bat. You need to know what is being backed up, how and where. You also need to have a plan of how you can retrieve the backup. There are threats out there which simply cannot be stopped 100%, so in this case the only remedy is to restore from backup.
2. Firewall/Router. There are many opinions on what is the best equipment for a firewall; here is one guideline for the smaller network. If you have more than a couple of machines in your network, anything available at the local computer store is probably not the right solution for you. Those may work at home, but for even a small network you are going to want some of the advanced features which are not provided in retail store equipment.
3. Content filtering. One of the best ways to fight security threats is not to encounter them. Even the best-intentioned employees accidentally click on content containing malware. A decent content filter will let you block these sites entirely. If employees have free rein and access to all internet content, you may also be opening yourself to HR and legal issues. For home use, there are software-driven solutions, some of which are no cost to you. While these will not be as effective as blocking content at the firewall level, they are much better than open access to all the Internet has to offer. This includes effective spam filtering if that is not already in place.
4. Operating System Updates. This is most commonly an issue with Windows, but can also be problematic with Mac or Linux. Yes, that popup at the bottom of your screen which says you need to update is important. There are hundreds of Microsoft updates every month, and many of them are critical to the point that without being applied, no other measures will protect you. If you have more than a few machines and any type of Windows server, these can be controlled through Windows Server Update Services (WSUS), which is a free component from Microsoft. WSUS also allows you to only download the updates once and distribute them to your network on your own terms.
5. Other software updates. Right now this is mostly Java and Adobe products. Their update prompts pop up on a regular basis. Unfortunately, so does malware, which claims to be these products and is crying for you to click that button. Once you click, you will receive notice that you are in desperate need of an urgent update, and if you act on it, you will find you are installing bad stuff on your computer. The way around this is to go straight to the source. If you have a popup which says Java needs to be installed, close all of your browsers completely, then open a new browser session and go to http://java.com and check for updates that way.
6. Who is an Administrator? The answer is: Nobody should be. I do not work on my computer as an Administrator. If I do and I encounter a virus, the virus has the same rights as I do. This includes the ability to disable and go around any anti-malware measures I have in place. Even if you have only one computer in your office, you can run it without administrative functions. Just create a new user of the administrator type, and change your own account so it is not the administrator type. It’s that simple. This means that if you want to make or allow changes to your computer, you will either need to log out and log back in as the administrator account you created, or on a Windows machine, enable something called UAC (User Account Control) which allows you to “OK” changes as an administrator without logging out and back in. Yes, this is a bit of a hassle. But it is also absolutely necessary if you want to maintain any type of protection against threats.
7. Anti-Virus/Anti-Malware software. Yes, this is last on the list, and if you have followed the above concepts, then what you choose becomes less critical. I am not going to recommend a specific program, as anti-virus/anti-malware program effectiveness changes. Like antibiotics, the effectiveness varies over time. New threats emerge which have the ability to circumvent the latest security programs; security programs update and enhance to fight the new threats, and round and round it goes. Regardless of the effectiveness of your protection software, it will be more successful if you take the proper steps to curtail trouble from the beginning.
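One way to check where a single Windows machine stands on item 6, as an added example that is not part of the original article: this read-only PowerShell snippet lists who is in the local Administrators group, shows whether the account you are logged in with is one of them, and reports whether UAC is on. The field names in the report are chosen here for illustration.

```powershell
# Added example: read-only check of item 6 on one Windows machine.
# Needs Windows PowerShell 5.1 or later (Microsoft.PowerShell.LocalAccounts).

# Look the built-in Administrators group up by its well-known SID, because
# the group's display name is localized on non-English Windows.
$adminSid = 'S-1-5-32-544'
$group    = Get-LocalGroup -SID $adminSid
$members  = @(Get-LocalGroupMember -SID $adminSid)

# Who is in the group, and is each entry a user or a group?
$members | Format-Table Name, ObjectClass, PrincipalSource -AutoSize | Out-Host

# Is the account you are logged in with right now listed directly?
# A domain group listed above can still make you an administrator indirectly.
$me         = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$memberSids = @($members | ForEach-Object { $_.SID.Value })
$iAmAdmin   = $memberSids -contains $me.User.Value

# UAC is on when EnableLUA is 1 under this policy key.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac    = Get-ItemProperty -Path $uacKey -Name EnableLUA -ErrorAction SilentlyContinue
$uacOn  = ($null -ne $uac) -and ($uac.EnableLUA -eq 1)

# One record per machine that you can save and compare at the next review.
[pscustomobject]@{
    Computer                 = $env:COMPUTERNAME
    Checked                  = (Get-Date).ToString('yyyy-MM-dd')
    AdministratorsGroup      = $group.Name
    AdministratorCount       = $members.Count
    LoggedInUser             = $me.Name
    LoggedInUserIsLocalAdmin = $iAmAdmin
    UacEnabled               = $uacOn
}

if ($iAmAdmin) {
    Write-Warning "$($me.Name) is a local administrator. Use a standard account for daily work."
}
if (-not $uacOn) {
    Write-Warning 'UAC is turned off on this machine.'
}
```

Run it while logged in with the account you use every day; the answer you want is `LoggedInUserIsLocalAdmin` false and `UacEnabled` true.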
Security is an ongoing process and must be reviewed on a regular basis.
If you do not know the status of these concepts in your organization, ask your technology staff or an outside technology company. Document the answers and review them on a regular basis. If you do not have technology resources available, then seek assistance from a company that can provide these answers to you. For many networks, once these measures are in place, they can be maintained easily and inexpensively.
Tim Weidman is the Director of Information Technology at Frankel Zacharia Tech Services, a department of Frankel Zacharia, LLC. Tim has a technology career spanning nearly 25 years and holds professional certifications in Microsoft and Novell technologies, as well as A+, Network+, Security+ and Apple technical certifications. For more information visit: fztechservices.com.