Home » Data Protection » Network Security

Industry View

How to Combat Five Network Security Compliance Risks

By Atchison Frazer and Brian Dennis

October 17, 2007 — CSO —

By Atchison Frazer & Brian Dennis

In the contemporary enterprise, the responsibilities of executives in finance, legal, information technology and, most important, those with a special duty of care and loyalty to the best interests of shareholders, the so-called "fiduciaries" of a publicly traded corporation, have become quite blurred. The threats to a corporation’s security are changing so quickly that it is difficult to determine what steps are required to ensure a company is both secure and legally compliant.

Even a corporation that has a mature security program, including several levels of security, strictly enforced policies, and regularly scheduled audits, still faces a number of potential threats that can either bring down the network, or increase security risks and create legal liabilities. An important factor to remember is the delta between the loss of business value as a result of an attack versus the savings from taking all imaginable precautions.

The Gramm-Leach-Bliley Act (GLBA), for example, compels corporations to conduct risk assessments that identify "reasonably foreseeable internal and external risks…." While monitoring the efficacy of IT systems agility in "detecting, preventing and responding to attacks, intrusions or other [vulnerabilities]…."

The following five areas are some of the most important risk factors companies must address to maintain compliance and a security-hardened risk posture:

Risk One: Constant change in the nature of attacks and windows of vulnerability from mash-ups and other Web 2.0 apps.

Every component or device (hardware/software) deployed is not scrutinized in three key areas before becoming part of your infrastructure circumference.
a. Augmentation: Can the device work transparently to provide an additional feature without radical changes in the current network architecture? Can the device functionality be virtualized without exposing interfaces to attack? Are data from disparate devices captured, aggregated and analyzed for event correlation defenses?
b. Ease of Use: Every device takes time to learn, but the cost of additional training mitigates the savings incurred by the additional functionality the device is perceived to bring to your environment. In other words, do the complexity and redundancy of devices increase human latency and the possibility for error that hackers and ’social engineers’ can subsequently exploit?
c. Flexibility: Implement modularity in terms of what services can be placed on the network to mirror the nature of the latest threat, as well as the ability to do so quickly by simply activating incremental features and functionality on demand.

Risk Two: Weak links in the security value chain and business process activity monitors.

a. Departmental Edges: Department edges are vulnerable to users in other departments, especially if the network segmentation strategy calls for deploying a router at the edge internally between executive departments and the Internet, and other primary subnet domains.
b. Hoteling Areas: Temporary naked access to internal networks is generally a forgotten area that presents a security loophole for remote employees who have recently plugged into lodging or WiFi broadband networks.
c. Extranets: Giving partners, contractors, and remote users access can infect a network within minutes, or create denial of service via a blended spam/email/virus attack. This is especially acute among smaller, mid-market firms that act as suppliers to large, public enterprises.
d. Remote Locations: Tunnels for VPN communications can get overly extended and become difficult to manage. Conventional remote access servers cannot protect against incoming attacks caused by business users coming from other websites and infecting the network.
e. Automated Policy Enforcement/Monitoring: Instituting automated abilities can help restrict a user from gaining access until a policy is enforced, such as what is possible by deploying GRC (governance, risk, compliance) automated controls in the network.