Defense in Depth: Protecting Your Business Network
Today, our entire lives are stored on computers. Your bank’s computer has your financial history, your credit card company knows where you shop and what you bought, Google knows every website you have ever searched for, and the pharmacy down on the corner has your family’s medical records stored on their computers. What about your business? What kind of information is stored on your company’s computers? There are client records, financial information, trade secrets, private e-mails, customer contracts.
That is why it is so important to practice what is called defense in depth. Defense in depth means covering your assets and your computer networks with several layers of different types of physical and virtual security. The more layers of protection between the outside world and your private data, the more likely you are to keep that data safe and secure.
There is no sure-fire, absolute, guaranteed way to protect digital information in a connected world. Information locked up so tightly that nobody can ever access it is of little use to anyone.
Information and data are only worthwhile and productive when they can be accessed by those who need that information. So, the trick is to make the information available to those who need to access it, and restrict those who don’t.
The layer most people are familiar with is physical security. If you want to keep something safe, you put it behind a locked door and make sure you are the only one with the key. The same goes for digital information. The first way to protect it is to limit who has physical access to that data. This is why a company’s servers should be locked in a room with restricted access.
But all the desktop computers sitting around the office have access to that server you locked in the server closet. So the second layer of protection is authentication (usernames and passwords). Everyone knows they need usernames and passwords, but this is the most easily hacked part of many companies’ security policies. Without a strong password policy that is enforced, people will use passwords like their address, 123456, password, their birthdate or even their name. To be secure, make sure all your company’s passwords are nine characters or longer and contain upper and lower case letters, numbers and symbols. Also make sure that users are forced to change their passwords frequently.
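The password rules above can be enforced in software rather than left to habit. The following Python check is an added example, not part of the original article; the function names, the sample user details and the candidate passwords are constructed for illustration.

```python
import re

# Passwords the article names as typical weak choices (constructed deny list).
COMMON = {"123456", "password"}

def check_password(password, personal=()):
    """Return a list of policy violations; an empty list means it passes.

    `personal` holds strings tied to the user (name, birthdate, address),
    which the policy says should not be used as passwords.
    """
    problems = []
    if len(password) < 9:
        problems.append("shorter than nine characters")
    classes = {
        "upper case letter": r"[A-Z]",
        "lower case letter": r"[a-z]",
        "number": r"[0-9]",
        "symbol": r"[^A-Za-z0-9]",  # anything that is not a letter or digit
    }
    for label, pattern in classes.items():
        if not re.search(pattern, password):
            problems.append("no " + label)
    lowered = password.lower()
    if lowered in COMMON:
        problems.append("on the common-password list")
    # Compare with separators removed so "03/14/1985" also matches "03141985".
    squeezed = re.sub(r"[^a-z0-9]", "", lowered)
    for item in personal:
        token = re.sub(r"[^a-z0-9]", "", item.lower())
        if len(token) >= 3 and token in squeezed:
            problems.append("contains personal detail: " + item)
    return problems

# Constructed sample user (name, birthdate, address) and candidate passwords.
USER = ("Dana", "03/14/1985", "12 Oak Street")
SAMPLES = ["123456", "Dana03141985!", "password", "t7#Lq!vR2x"]

def audit(samples=SAMPLES, personal=USER):
    """Check every sample password and map it to its list of violations."""
    return {pw: check_password(pw, personal) for pw in samples}

if __name__ == "__main__":
    for pw, problems in audit().items():
        print(pw, "->", problems or "OK")
```

Note that "Dana03141985!" satisfies the length and character rules and is rejected only because it is built from the user's name and birthdate, which is why the personal-detail check sits alongside the complexity rules.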
Antivirus, antispyware and spam blockers are another layer of protection. If you are surfing the Internet and download a virus, your antivirus software is what tracks down that virus and eliminates or quarantines it so that it can’t spread throughout the entire network.
Years ago, if you owned a bank, you knew that there was only one way that people could rob your bank. They would need to walk through the front door, get someone to open the vault, put the money in the bag, and walk back out the front door. So, cameras and metal detectors were installed, armed guards were at the front door with more at the vault entrance. You knew where your security was the weakest, so you did everything you could to strengthen those weak points.
Today, people steal money from banks that they have never even seen before. They can be sitting in their basement in Iowa and write a virus that empties a company’s pension fund in California. That same virus could infect your network and steal the Social Security and account numbers from your client database.
So how do we protect our business from a threat that can literally come from thin air? The first step is to have a strong firewall in place on your network. Firewalls are the first line of defense between the Internet and your business and act like the guards standing in front of the bank doors. They examine every piece of information that comes into your network and look at all the information leaving your network. By default, a good firewall will block all traffic coming from both directions. When configuring a firewall, a technician will open only those ports that are absolutely necessary for the business to work. Going back to the bank scenario, the more doors you have (open ports), the more guards you have to hire.
Behind the firewall you can install an intrusion detection system (IDS) to make sure that the firewall is doing its job and to alert someone if some bad packets slip by. The IDS can be used in either active or passive mode. In passive mode, it’s just leaning against the wall taking notes whenever the firewall lets something pass that it shouldn’t have. In active mode, it snaps into action when the firewall drops the ball and scoops up the bad packet and either quarantines it to be examined later or it drops that packet.
Encryption is a layer of protection intended more to make any stolen information useless, rather than stopping the theft in the first place. It’s like your last line of defense. Encryption is especially important with e-mail and laptops. By default, e-mail is sent unencrypted; so if your e-mail is intercepted before it reaches the intended recipient, it is trivial to read that e-mail. Many times, not only is your e-mail sent unencrypted, but your username and password can be sent in plain text as well. With laptops, you need to make sure that if there is company data on the laptop, the entire hard drive is encrypted. That means that if I steal your laptop and try to pull information off it, but I don’t have the password that decrypts the hard drive, that entire hard drive is just full of random characters. It is all just worthless unreadable data until you enter the password when you boot the computer, which then turns the random characters back into your company data.
The last layer I want to mention is the Virtual Private Network (VPN). It seems like everyone has a laptop today and more and more people are working away from the office, whether that is from home or the corner coffee shop. If you want to connect to your office computer from your house, one of the most secure ways to do it is to connect through a VPN. Basically, a VPN is a point-to-point secure tunnel from your computer to your office network. Once you establish the VPN connection, all traffic that travels over that connection is encrypted, so it makes it secure against someone intercepting your traffic. VPN connections are more secure not only because of the encryption, but also because they are protected by a secure password, so only those who know the password can connect to the office from the Internet. VPNs are especially important if you are using a public Wi-Fi network. On Wi-Fi, it’s easy for someone to capture all the information flowing through your computer to the Internet. Connecting to a VPN from a public Wi-Fi connection puts all your activities in a secure, encrypted tunnel that is secure from Wi-Fi eavesdroppers.
In today’s connected world, you never know where the next potential attack on your network could come from. Defense in depth helps you be more prepared for whatever threats may come your way. None of these ideas alone is a silver bullet, but the more layers of protection you have between your business data and the Internet, the better you will be able to sleep at night knowing that your network is secure.
Mark Williams is the field services technician for PTD Technology, assisting commercial, nonprofit and residential clients. He holds certifications in A+, Network+, Security+, and is a Microsoft Certified Professional. Williams can be contacted via e-mail at Mark.Williams@PTDtechnology.com.