Designing a Secure Physical Environment for Your Network
By Edward J. Hawkins, II
The relatively short history of information technology (IT) and the lack of secure implementation practices mean that many new technologies are designed, implemented and installed into existing infrastructures. Unfortunately, adding security to a technology after the fact is costlier in the long run, and today's web developers and implementers advise against it. But how do you design a secure environment from the beginning?
Consider a Secure Environment’s Location and Physical Access
When you’re deciding where to construct your secure environment, location is important. It should provide certain physical security safeguards, such as fences and lights, which can be put in place immediately. The goal is to ensure that your assets do not walk away with the help of thieves.
When a physical location has unrestricted access, anyone has the potential to attack your system. In fact, physical access to a networked server or workstation can result in the complete loss of confidentiality or system integrity within minutes of someone reaching it.
Determine Where to Put Your Network Equipment
The next step is to determine a location for your network equipment. Some common questions you should ask are:
- Does your space have proper environmental controls for the infrastructure, such as separate heating and cooling units?
- Does your space meet or exceed the recommended system power requirements to create an infrastructure?
- How will access to devices be controlled and monitored?
- How will the cabling be protected?
The answers to these questions will depend on the type and purpose of your infrastructure. Keep in mind that even with wireless networking, wiring is still involved and will need to be protected.
Designing the Logical Environment
Once the physical environment has been securely designed, it’s time to create the logical environment with access points, firewalls, and intrusion detection and response systems. That requires reviewing and mapping organizational policies, your organization’s mission statement and industry regulations.
Many organizations utilize frameworks to map and show adherence to multiple regulations and standards. These frameworks include:
- ISACA’s COBIT
- ISO’s 27000 series
- AXELOS’s ITIL
- NIST Risk Management Framework (RMF), a collection of publications that covers a wide range of security topics
By gaining an understanding of what must be protected versus what can be protected, it is easier to determine which controls to use. It is also simpler then to determine how to segment your network and how to apply permissions for users.
Testing Your Infrastructure with IT Employees or External Auditors
Once the controls have been selected and incorporated into a given policy, they must be tested before the infrastructure is put into use. This testing may be performed by internal IT staff.
However, oversight is required. Internal test results may not be as thorough as needed, and an incorrectly selected or implemented control may mask a vulnerability rather than reveal it.
If an external auditing group conducts the tests, the group needs to sign non-disclosure agreements (NDAs) that include the type of testing being performed. Make sure that your systems do not have any organizational data that could be compromised.
Any scripts or software must be thoroughly tested and reviewed prior to use. Scripts need to be reviewed line by line to ensure that they do not create or exploit any vulnerabilities.
Scripting languages are interpreted languages. As a result, source code is easily read and modified by anyone running the scripts.
Also, only the most trusted persons should run scripts within your environment. The author of the scripts should be knowledgeable about secure coding methods for the language of choice.
All Work Must Be Documented
I can’t stress enough that everything must be documented. The documents created during this process will be used in an audit to provide the logic behind why certain controls were selected rather than others. They will also be used as part of a configuration management (CM) policy, which most of the listed frameworks typically refer to.
Configuration management is critical in identifying cybersecurity-related breaches. A break-in can raise alarms when it leaves the environment deviating from its documented configuration, such as through the installation of unauthorized software. What needs to be documented are:
- The location of network equipment (e.g. firewalls, IDPS, routers, switches), servers and workstations
- The logical and physical environments
- Security cameras (including information on the type of cameras and the directions they face)
- Any other pertinent information
The documents should be dated and signed by those responsible for the most recent update.
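The two control points above, the line-by-line review and approval of scripts before anyone runs them, and the configuration management baseline that lets unauthorized software stand out, both reduce to the same check: compare what is observed against what the signed documentation says should be there. The following Python block is an added example written for this article, not code from the author; it assumes a baseline held as a plain dictionary (approved script hashes plus an approved software list) and uses constructed sample data for both the baseline and the observed state.

```python
"""Configuration-baseline drift check (added example, not from the article).

Assumption: the signed CM document is represented as a dict with an
"approved_scripts" map (script name -> SHA-256 of the reviewed content)
and an "installed_software" set. All sample data below is constructed.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str   # script_unapproved | script_modified | unauthorized_software | missing_software
    item: str   # script name or package name


def sha256_of(content: bytes) -> str:
    """Hash the exact bytes that were reviewed; any later edit changes the digest."""
    return hashlib.sha256(content).hexdigest()


# Constructed: the script content that was reviewed line by line and approved.
APPROVED_BACKUP_SCRIPT = b"#!/bin/sh\ntar czf /backup/etc.tgz /etc\n"

# Constructed baseline, standing in for the dated and signed CM document.
BASELINE = {
    "approved_scripts": {"backup.sh": sha256_of(APPROVED_BACKUP_SCRIPT)},
    "installed_software": {"openssh-server", "nginx", "auditd"},
}

# Constructed observed state: one script was edited after review, one was
# never reviewed, one unapproved package appeared and one required package is gone.
OBSERVED = {
    "scripts": {
        "backup.sh": APPROVED_BACKUP_SCRIPT + b"rm -f /var/log/auth.log\n",
        "cleanup.sh": b"#!/bin/sh\nfind /tmp -mtime +7 -delete\n",
    },
    "software": {"openssh-server", "nginx", "remote-admin-tool"},
}


def check_scripts(approved: dict, observed: dict) -> list:
    """Flag scripts that were never approved or whose content no longer matches."""
    findings = []
    for name, content in observed.items():
        expected = approved.get(name)
        if expected is None:
            findings.append(Finding("script_unapproved", name))
        elif sha256_of(content) != expected:
            findings.append(Finding("script_modified", name))
    return findings


def check_software(approved: set, observed: set) -> list:
    """Flag packages outside the baseline and baseline packages that vanished."""
    findings = [Finding("unauthorized_software", p) for p in observed - approved]
    findings += [Finding("missing_software", p) for p in approved - observed]
    return findings


def drift_report(baseline: dict, observed: dict) -> list:
    """Combine both checks into one sorted list; an empty list means no drift."""
    findings = check_scripts(baseline["approved_scripts"], observed["scripts"])
    findings += check_software(baseline["installed_software"], observed["software"])
    return sorted(findings, key=lambda f: (f.kind, f.item))


if __name__ == "__main__":
    for f in drift_report(BASELINE, OBSERVED):
        print(f"{f.kind:22} {f.item}")
```

In practice the observed side would be gathered from the package manager and the script directories of each documented host, and the report would be reconciled against the signed baseline on a schedule; the point of the example is that the documentation the article asks for is what makes "unauthorized" a testable condition rather than a judgment call.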
With the understanding that every network and environment is different, the implementing organization must develop policies that can balance the function of the environment with the industry’s security requirements. This way, users of the environment will present regulators with a defensible infrastructure.
It’s important to always remember that what is secure today may be insecure tomorrow.