Friday 21 November 2014

More basics

The Secure Network Lifecycle


I won’t go into all the details of this, as the information exists in a myriad of places; however, these are the five stages of the lifecycle:

•    Initiation
•    Acquisition and development
•    Implementation
•    Operations and maintenance
•    Disposition

More details can be found here: http://www.ciscopress.com/articles/article.asp?p=1998559&seqNum=4
or here: http://honim.typepad.com/biasc/2014/10/secure-network-life-cycle.html

Risk Analysis

One of the most important tasks in laying out your network security policy is to determine the impact of risk on our assets.  This is no simple task, as we need to evaluate the costs associated with a failure of our security.  This includes not just downtime and loss of data, but also a company’s reputation, potential legal liability, loss of customers etc.  The analysis is usually performed by a combination of qualitative and quantitative methods.  We do this to ensure that the security in place is adequate for the value of our assets: we wouldn’t spend $50,000 protecting a $10,000 asset, but we might spend $100,000 protecting a $10,000,000 one.

Here are 5 points to consider when you are analysing the risk of a certain asset:

•    Asset value
•    Vulnerabilities
•    Potential threats
•    Compliance issues
•    Business requirements.

Whilst compliance issues are only one of the 5 points considered above, it should be noted that this is generally a non-negotiable aspect and must be factored in at all times.

If we have a detailed risk analysis in place for our assets, then adding new assets shouldn’t be a big job, because most of the points above can be transferred from other assets.

Security Policies


What’s the deal with security policies, you ask?  Well, they’re generally set by senior management, as they are responsible for the whole company, including the data and networks which it owns.
Typically they will set a high-level policy, which the management teams and staff will interpret, putting in place the technical controls to achieve what the high-level policy is aiming for.  Then it is down to the end users to abide by that policy.

There are a few reasons why we have security policies.  The number one goal for them is to effectively manage risk throughout the organisation.  Without an overall policy, security will be haphazardly managed and hard to enforce in a large organisation.  They are also used for education and awareness, so that staff and users are aware of the risks and of what is expected of them.

Testing


Now that we’ve got our security in place, we need to be able to verify that it is acting in the manner in which it should.  We can achieve this in a number of ways:

•    Network scanning
•    Vulnerability scanning
•    Password cracking
•    Penetration testing
•    Social Engineering

Of course, the key element of testing is to use the results to rectify any problems raised and to identify potential weaknesses that need improving.

There are a few more things to explore in this area of network security, but they are fairly self-explanatory and will be covered later on anyway, so I will just list them here:

•    Incident response
•    Evidence collection
•    Liability
•    Disaster recovery and Business continuity planning
