Tuesday, October 10, 2017

Network Protection (Part 2)


In Part 1 of this post, we presented a series of questions to stimulate your thought processes about ways to better protect your data.  Here are a few more questions to add to that list…

#4  Do you know where your network data is traveling (internally and externally)?

If you’re not already using a good network monitoring tool, it’s time to invest in one.  You need to clearly capture all potential points of data infiltration and exfiltration.  You also need to know precisely how data flows through your network: routing, direction of flow, processing delay, queuing delay, transmission delay, propagation delay, and any other factor that can affect data integrity and/or throughput.

#5  How do your users behave?

Behavior analysis can play a major part in the success or failure of any security program.  If you don’t understand how your users interact with the network, it can be difficult or impossible to create effective access controls and security policies.  If you have a solid feel for the needs and habits of your typical users, you can implement technical and procedural controls that maintain good network hygiene while minimizing the impact on your organization’s ability to accomplish its goals.

Of equal importance, a thorough understanding of typical user behavior can make it much easier to spot atypical user behavior.  This can be key to identifying users who might pose an insider threat to your network.

#6  Are your control mechanisms tailored to the sensitivity and importance of the data they’re protecting?

It can be tempting to adopt an across-the-board approach to security measures.  Everything receives the same level of protection, monitoring, and general effort.  This kind of doctrinaire thinking may simplify the selection and configuration of defensive mechanisms, but it can result in unnecessary expense and reduction in productivity.

Think of your security measures like Secret Service Agents.  It makes perfect sense to invest major time, effort, and money into protecting the safety of the president.  That same level of protection for a deputy assistant cabinet secretary would be wasteful.  Extending similar protection to a pastry chef in the White House kitchens would be ludicrous.  All three of these positions (president, deputy assistant secretary, and pastry chef) are government employees, but they do not require the same kind of protection.  In fact, the pastry chef might find it impossible to do his/her job while continually surrounded by an armed protection detail.

Sensitive information, intellectual property, and similarly vital types of data need all the protection you can provide.  Non-sensitive data that’s easily replicable (or freely available from other sources) simply doesn’t require the same level of protection.  That’s not to suggest that operating systems and software on less sensitive network components should not be properly patched and configured.  You can’t allow weak spots in your ACLs, firewall policies, and other defensive measures.  But non-sensitive data doesn’t necessarily need high-end encryption, real-time backups, high-priority restoration mechanisms, or many of the other measures employed to defend sensitive materials.
