Most security incidents occur because system administrators do not implement
available countermeasures, and hackers or disgruntled employees exploit the
oversight. The issue, therefore, is not just one of confirming that a technical
vulnerability exists and finding a countermeasure that works; it is also
critical to verify that the countermeasure is in place and working
properly.
This is where the Security Wheel, a continuous process, is an
effective approach. The Security Wheel promotes retesting and reapplying
updated security measures on a continuous basis.
To begin the Security Wheel process, first develop a
security policy that enables the application of security measures. A security
policy needs to accomplish the following tasks:
- Identify the security objectives of the organization.
- Document the resources to be protected.
- Identify the network infrastructure with current maps and inventories.
- Identify the critical resources that need to be protected, such as research
and development, finance, and human resources. This is called a risk
analysis.
After the security policy is developed, make it the hub upon which the
four steps of the Security Wheel are based. The steps are secure, monitor,
test, and improve.
Secure
Secure the network by applying the security policy and implementing the
following security solutions:
- Threat Defense
  - Stateful inspection and packet filtering – Filter network traffic to allow
    only valid traffic and services.
  - Intrusion prevention systems – Inline intrusion detection systems (IDS),
    which are better termed intrusion prevention systems (IPS), can be deployed
    at the network and host level to actively stop malicious traffic.
  - Vulnerability patching – Apply fixes or measures to stop the exploitation
    of known vulnerabilities. This includes turning off services that are not
    needed on every system. The fewer services that are enabled, the harder it
    is for hackers to gain access.
- Secure Connectivity
  - Virtual Private Networks (VPNs) – Hide traffic content to prevent unwanted
    disclosure to unauthorized or malicious individuals.
- Trust and Identity
  - Authentication – Give access to authorized users only. One example of this
    is using one-time passwords.
  - Policy enforcement – Ensure that users and end devices are in compliance
    with the corporate policy.
Monitor
Monitoring security involves both active and passive methods of detecting
security violations. The most
commonly used active method is to audit host-level log files. Most operating
systems include auditing functionality. System administrators for every host on
the network must turn these on and take the time to check and interpret the log
file entries.
Passive methods include using intrusion detection system
(IDS) devices to automatically detect intrusion. This method requires only a
small number of network security administrators for monitoring. These systems
can detect security violations in real time and can be configured to
automatically respond before an intruder does any damage.
An added
benefit of network monitoring is the verification that the security devices
implemented in Step 1 of the Security Wheel have been configured and are
working properly.
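The active monitoring method above, checking and interpreting host-level log entries, is shown here as an added example (not code from the original text): a small auditor that parses constructed sshd log lines in syslog format and flags any source address with a burst of failed logins. The log sample, the field names and the threshold and window values are assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of sshd entries in syslog format (not from a real host).
SAMPLE_LOG = """\
Mar 12 08:01:10 host1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 12 08:01:12 host1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar 12 08:01:15 host1 sshd[2213]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 12 08:01:17 host1 sshd[2215]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar 12 08:01:20 host1 sshd[2217]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar 12 08:05:40 host1 sshd[2301]: Accepted publickey for alice from 198.51.100.20 port 40110 ssh2
Mar 12 09:30:02 host1 sshd[2402]: Failed password for bob from 198.51.100.21 port 40200 ssh2
Mar 12 09:30:04 host1 sshd[2402]: Accepted password for bob from 198.51.100.21 port 40200 ssh2
"""

# Matches both failed and accepted sshd authentication records.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)

def parse_line(line, year=2024):
    """Return a dict for one sshd auth record, or None for lines we do not audit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; the caller supplies it (assumed 2024 here).
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}

def find_bruteforce(log_text, threshold=5, window_s=60):
    """Map source IP -> total failures for sources with >= threshold failures
    inside any window_s-second span (a burst worth an administrator's attention)."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["result"] == "Failed":
            failures[ev["src"]].append(ev["ts"])
    hits = {}
    for src, times in failures.items():
        times.sort()
        # Slide over sorted timestamps; the i-th and (i+threshold-1)-th bound a window.
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
                hits[src] = len(times)
                break
    return hits
```

Running `find_bruteforce(SAMPLE_LOG)` on the sample flags only 203.0.113.7, whose five failures fall within ten seconds; bob's single failure followed by a success is left alone.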
Test
In the testing phase of the Security Wheel, the security of the network is
proactively tested. Specifically,
the functionality of the security solutions implemented in Step 1 and the
system auditing and intrusion detection methods implemented in Step 2 must be
assured. Vulnerability assessment tools such as SATAN, Nessus, or NMAP are
useful for periodically testing the network security measures at the network
and host level.
Improve
The improvement phase of the Security Wheel involves analyzing the data
collected during the monitoring and testing phases, and developing and
implementing improvement mechanisms that feed into the security policy and the
securing phase in Step 1. To keep a
network as secure as possible, the cycle of the Security Wheel must be
continually repeated, because new network vulnerabilities and risks are created
every day.
With the information collected from the monitoring and testing
phases, intrusion detection systems can be used to implement improvements to
the security. The security policy should be adjusted as new security
vulnerabilities and risks are discovered.