In Part 1 of this post, we presented a series of questions to stimulate your thought processes about ways to better protect your data. Here are a few more questions to add to that list…
#4 Do you know where your network data is traveling (internally and externally)?
If you’re not already using a good Network Monitoring Tool, it’s time to invest in one. You need to clearly capture all potential points of data infiltration and exfiltration. You need to know precisely how data flows through your network: routing, direction of flow, processing delay, queuing delay, transmission delay, propagation delay, and any other factor that can affect data integrity and/or throughput.
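As an added illustration of the “direction of flow” point above (example code written for this post, not a tool the original author describes): the snippet below takes a handful of constructed flow records, classifies each as internal, ingress, egress, or external relative to the RFC 1918 private ranges, totals how much each internal host has sent to each external destination, and flags any host/destination pair whose egress volume exceeds a threshold. The sample records, the private-range list, and the threshold are all assumptions chosen for the demonstration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not from any real capture):
# (src_ip, dst_ip, dst_port, bytes_sent)
SAMPLE_FLOWS = [
    ("10.1.2.15", "10.1.2.20", 445, 120_000),        # internal file-share traffic
    ("10.1.2.15", "203.0.113.7", 443, 900_000),      # workstation to an external HTTPS host
    ("10.1.2.15", "203.0.113.7", 443, 2_500_000),    # same pair, a second large transfer
    ("10.1.2.16", "198.51.100.9", 443, 40_000),      # small, ordinary egress
    ("192.168.5.4", "10.1.2.20", 22, 8_000),         # internal admin session
    ("198.51.100.9", "10.1.2.30", 443, 15_000),      # inbound from an external address
]

# Assumption: "internal" means the RFC 1918 private ranges.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def classify_flow(src, dst):
    """Direction of a flow relative to the internal network."""
    s, d = is_internal(src), is_internal(dst)
    if s and d:
        return "internal"
    if s and not d:
        return "egress"
    if not s and d:
        return "ingress"
    return "external"


def summarize_egress(flows):
    """Bytes each internal host sent to each external (dst, port) pair."""
    totals = defaultdict(lambda: defaultdict(int))
    for src, dst, port, nbytes in flows:
        if classify_flow(src, dst) == "egress":
            totals[src][(dst, port)] += nbytes
    return {host: dict(dests) for host, dests in totals.items()}


def flag_egress(summary, threshold_bytes):
    """Host/destination pairs whose total egress exceeds the threshold."""
    flagged = []
    for host, dests in summary.items():
        for (dst, port), nbytes in dests.items():
            if nbytes > threshold_bytes:
                flagged.append((host, dst, port, nbytes))
    return sorted(flagged)


if __name__ == "__main__":
    summary = summarize_egress(SAMPLE_FLOWS)
    for host, dst, port, nbytes in flag_egress(summary, 1_000_000):
        print(f"{host} -> {dst}:{port} sent {nbytes} bytes to an external host")
```

Real flow exports (NetFlow, IPFIX, sFlow, firewall logs) carry the same fields, so the parsing step is the only part that changes; the direction classification and per-destination totals are what let you answer the question the heading asks.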
#5 How do your users behave?
Behavior analysis can play a major part in the success or failure of any security program. If you don’t understand how your users interact with the network, it can be difficult or impossible to create effective access controls and security policies. If you have a solid feeling for the needs and habits of your typical users, you can implement technical and procedural controls to maintain good network hygiene while minimizing the impact on accomplishment of your organization’s goals.
Of equal importance, a thorough understanding of typical user behavior can make it much easier to spot atypical user behavior. This can be key to identifying users who might pose an insider threat to your network.
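To make the “typical versus atypical behavior” idea concrete, here is an added example (written for this post, not part of the original) that builds a per-user baseline of login hours and hosts from a few constructed authentication log lines, then scores new events against that baseline. The log format, the user and host names, and the one-hour slack are all assumptions; a real deployment would draw the baseline from weeks of authentication logs rather than a handful of lines.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication log lines (not from a real system).
# Format assumed here: "<ISO timestamp> <user> <action> <host>"
BASELINE_LOG = """\
2024-03-04T08:12:00 alice login ws-alice
2024-03-04T09:03:00 bob login ws-bob
2024-03-04T17:45:00 alice login ws-alice
2024-03-05T08:30:00 alice login ws-alice
2024-03-05T08:58:00 bob login ws-bob
2024-03-05T18:10:00 bob login ws-bob
"""

NEW_LOG = """\
2024-03-06T08:20:00 alice login ws-alice
2024-03-06T02:41:00 alice login fileserver-01
2024-03-06T09:10:00 bob login ws-bob
"""


def parse_log(text):
    """Turn log lines into (timestamp, user, action, host) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, host = line.split()
        events.append((datetime.fromisoformat(ts), user, action, host))
    return events


def build_baseline(events):
    """Per user: the hours of day and the hosts seen during the baseline period."""
    baseline = defaultdict(lambda: {"hours": set(), "hosts": set()})
    for ts, user, _, host in events:
        baseline[user]["hours"].add(ts.hour)
        baseline[user]["hosts"].add(host)
    return dict(baseline)


def hour_distance(a, b):
    """Distance between two hours on a 24-hour clock (23 and 0 are one apart)."""
    d = abs(a - b)
    return min(d, 24 - d)


def score_event(baseline, event, hour_slack=1):
    """Reasons an event deviates from its user's baseline (empty list = typical)."""
    ts, user, _, host = event
    profile = baseline.get(user)
    if profile is None:
        return ["user has no baseline"]
    reasons = []
    if all(hour_distance(ts.hour, h) > hour_slack for h in profile["hours"]):
        reasons.append(f"hour {ts.hour:02d} outside baseline")
    if host not in profile["hosts"]:
        reasons.append(f"host {host} never seen for this user")
    return reasons


def find_anomalies(baseline, events):
    """Events with at least one deviation, as (user, timestamp, reasons)."""
    anomalies = []
    for event in events:
        reasons = score_event(baseline, event)
        if reasons:
            anomalies.append((event[1], event[0].isoformat(), reasons))
    return anomalies


if __name__ == "__main__":
    baseline = build_baseline(parse_log(BASELINE_LOG))
    for user, when, reasons in find_anomalies(baseline, parse_log(NEW_LOG)):
        print(f"{user} at {when}: {'; '.join(reasons)}")
```

The point of the example is the structure, not the two crude features: once a baseline exists per user, each new event can be explained in terms of how it differs from that user’s own history, which is exactly what turns “atypical” from a gut feeling into something an analyst can review.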
#6 Are your control mechanisms tailored to the sensitivity and importance of the data they’re protecting?
It can be tempting to adopt an across-the-board approach to security measures: everything receives the same level of protection, monitoring, and general effort. This kind of doctrinaire thinking may simplify the selection and configuration of defensive mechanisms, but it can result in unnecessary expense and reduction in productivity.
Think of your security measures like Secret Service Agents. It makes perfect sense to invest major time, effort, and money into protecting the safety of the president. That same level of protection for a deputy assistant cabinet secretary would be wasteful. Extending similar protection to a pastry chef in the White House kitchens would be ludicrous. All three of these positions (president, deputy assistant secretary, and pastry chef) are government employees, but they do not require the same kind of protection. In fact, the pastry chef might find it impossible to do his/her job while continually surrounded by an armed protection detail.
Sensitive information, intellectual property, and similarly vital types of data need all the protection you can provide. Non-sensitive data that’s easily replicable (or freely available from other sources) simply doesn’t require the same level of protection. That’s not to suggest that operating systems and software on less sensitive network components should not be properly patched and configured. You can’t allow weak spots in your ACLs, firewall policies, and other defensive measures. But non-sensitive data doesn’t necessarily need high-end encryption, real-time backups, high-priority restoration mechanisms, or many of the other measures employed to defend sensitive materials.