Securing your network
What actually is network security?
We would define it as:
The goal of network security is to maintain the Confidentiality, Integrity and Availability (the CIA triad) of the data and services on the network.
Confidentiality ensures the privacy of the data, ie only authorised users and systems can have access to particular information. Authentication, authorisation and encryption are typical mechanisms deployed to implement this, though depending on the sensitivity of the data and exposure of the systems, additional mechanisms can be brought in. There are a number of hardware and software based solutions playing a critical role in ensuring confidentiality in our networks and we will cover them in this course.
Integrity ensures the accuracy and consistency of the data, ie only authorised users and systems can modify it. Furthermore, we should prevent accidental corruption of the data, whether caused by authorised users or by equipment malfunction. Hashes (or checksums) are often used to verify the integrity of data in transit.
Availability requires us to maintain the normal operation and meet the quality-of-service requirements of our networks. It can be compromised not just by cyber attacks, but also by human mistakes (eg misconfiguration) or equipment failure. A secure network will be protected against all of these. Major effort here focuses on defending against denial of service (DoS) attacks.
Security cannot be delivered by technical measures alone – it is a combination of processes and procedures as well as technical solutions. Security is also not a one-off solution: it should be an ongoing process. One of the fundamental mechanisms in computer network and systems security is the implementation and enforcement of the organisation’s Security Policy. The security policy is a relatively high-level document describing the security controls of an organisation. It defines several areas such as:
- User security – what constitutes secure user behaviour, eg web browsing and email use policies, password policies
- Device security – end-point security such as antivirus, patch application, backup
- Network security – network design and implementation requirements, firewall, VPN, DMZ, wifi policies, etc
The security policy does not need to provide specific solutions and technologies but rather identifies the mechanisms and processes that will be deployed.
Drawing up a good security policy very much depends on the industry sector, location, etc of the organisation. One main principle in today’s network security is defence in depth, that is, in order to gain access to a specific asset, the attacker will have to go through several layers of security controls and monitoring.
Another one is the principle of least privilege, which specifies that access to assets should be granted only to those who need it, where they need it and only for as long as they need it.
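The three conditions of least privilege named above (who, where, for how long) can be expressed as a default-deny access check. This is an added example, not part of the original course material; the `Grant` structure, the user and asset names and the addresses are hypothetical, constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Grant:
    user: str          # who needs the access
    asset: str         # the asset the access is for
    source_net: str    # where they may connect from (CIDR notation)
    expires: datetime  # access lapses automatically at this time


def is_allowed(grants, user, asset, source_ip, now):
    """Default deny: allow only if an unexpired grant matches user, asset and source."""
    addr = ip_address(source_ip)
    for g in grants:
        if (g.user == user
                and g.asset == asset
                and addr in ip_network(g.source_net)
                and now < g.expires):
            return True
    return False  # no matching grant means no access


# Constructed sample data: one grant, valid for a single working day.
T0 = datetime(2024, 1, 8, 9, 0, tzinfo=timezone.utc)
GRANTS = [Grant("alice", "payroll-db", "10.20.0.0/24", T0 + timedelta(hours=8))]


def demo():
    """Evaluate the same grant against requests that vary one condition at a time."""
    in_window = T0 + timedelta(hours=1)
    return {
        "granted user, network, time": is_allowed(GRANTS, "alice", "payroll-db", "10.20.0.5", in_window),
        "wrong network": is_allowed(GRANTS, "alice", "payroll-db", "192.168.1.5", in_window),
        "after expiry": is_allowed(GRANTS, "alice", "payroll-db", "10.20.0.5", T0 + timedelta(hours=9)),
        "user without a grant": is_allowed(GRANTS, "bob", "payroll-db", "10.20.0.5", in_window),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {'allow' if result else 'deny'}")
```

Only the first request is allowed; changing any one of the three conditions results in a deny, and the grant needs no manual revocation once it has expired.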
We will be coming back to the topic of security policy in several modules throughout the degree. A good set of templates of security policies has been provided by the SANS Institute.
Have a look at the Guidance by topic section of the series of guidelines published by the UK National Cyber Security Centre (NCSC).
Pick an organisation that you work for or are familiar with and read the relevant documents. Try to note down the main points of the security policy of your organisation.
© Coventry University. CC BY-NC 4.0