Aug 12, 2009
By: Rajesh Goel, Chief Technology Officer, Brainlink International Inc.
Q. What are some good security defense practices?
A. In the last column, we talked about creating an information security compliance program. Reminder: Information security is a lot like the common cold–statistically, everyone catches the cold. Some people avoid it for years, while others get it yearly, and every year a surprisingly large number of people die from untreated colds and seasonal flus. A breach or break-in is a question of when, not if. You will be broken into, you will get infected–the only questions are when it will happen and whether you’ll be able to deal with the infection. Now, let’s look at some good information security defense practices.
Good security consists of using several tools to do the job properly. Use a good spam firewall or service to prevent junk from getting into your mail servers, desktops, et cetera. Use a good UTMS (Unified Threat Management System) to automatically scan network traffic (both inbound and outbound) for infected packets. Deny malicious packets from entering your network, and investigate all PCs, laptops, et cetera that originate garbage from your network. After all, you do not want the rest of your company’s email to be affected, or to have your Internet connection terminated because your network is accused of spamming the Internet.
Use good, managed switches, firewalls and routers. Switches come in two varieties: managed and unmanaged. Unmanaged, or dumb, switches are what you get at your local megamart. They’re cheap, and, like your first car, will do a decent job of moving traffic from one device to another. Managed, or smart, switches, on the other hand, are not usually sold at your local big-box retailer (they’re available online at PCMall.com, CDW.com, NewEgg.com and Amazon.com). They cost a bit more, but can give your network abilities you never knew you needed. Capabilities include VLANs (which split one physical switch into multiple, isolated virtual switches), traffic logging and traffic analysis.
And then there is anti-virus software. Most desktop-based anti-virus software is junk. According to av-comparatives.org, an independent lab that tests all major anti-virus/anti-spyware tools regularly, even the best tool has a 69 percent success rate. So if you used the latest product and configured it properly, there’s a good chance almost a third (31 percent) of the malware could still come in. Thus, you still need to use an AV/AS product, and we recommend using multiple tools simultaneously–or switching to Macs or Linux and ditching Windows completely.
Furthermore, it would be wise not to put all your eggs in one basket. For decades, the military has successfully used the concept of network isolation. Everyone has two or more workstations, one for general purposes (in the corporate sector these might include emails, Web surfing and proposal writing) and one for sensitive purposes (such as financial planning, budgeting, accounting and R&D).
In the consumer space, we tend to use our PCs for everything from video games to solitaire to online banking to emails and shopping. Imagine living in a one-room house that combines the kitchen, bathroom, bedroom, living room and dining room. Not very appetizing, is it? Now apply that to your PC or laptop: Start separating higher-value or highly sensitive activities from general-purpose activities. PCs are cheap. Using a KVM or a virtual machine, you can give people access to classified resources without compromising security.
Finally, when and where possible, look at alternative operating systems and browsers. Replace Internet Explorer with Firefox or Opera. Disable/uninstall Outlook Express, and use Thunderbird or webmail for email. If you can, move more of your applications onto Web-enabled platforms (for instance, use an accounting system that can be managed by a secure Web browser, or move your applications-submission process to online forms). Then you can really ditch Windows on the desktop and move toward Mac OS X or Linux desktops.
If you must use Windows (and yes, we live on Exchange, Outlook, QuickBooks, et cetera), then consider virtualizing it. There are huge benefits to a properly virtualized server and desktop farm. We’ve reduced help desk and desktop support costs by 50 to 90 percent by moving to VMs.
Remember: The best defense is defense in depth.
Rajesh Goel is chief technology officer at Brainlink International Inc. (or the Technologist), which assists companies in selecting and managing their mobile workforce, including PDAs, email integration and new mobile applications development appropriate for the real estate and commercial property markets. Send him your technology questions via Suzann.silverman@nielsen.com.