As the IT professional in a small or medium-size business (SMB), your company depends on you to protect its network and other vital information assets from harm. In a small or medium-sized business, you may be the only technical support, or you may be the leader of a small group of technicians. Regardless, there never seems to be enough time in the day to get everything done.
One of the most important aspects of your position is to protect your company's vital information. One of the most basic concepts in protecting an information system is the security triad: Confidentiality, Integrity, and Availability, often referred to as CIA. Confidentiality refers to ensuring that only persons properly authorized have access to private and proprietary information. Integrity means to protect information from unauthorized alteration or damage. Availability means that information is accessible when required.
Each leg of the triad is critical to protecting your company's most vital asset: its information.
Before planning a strategy to protect your assets, you must determine the information assets to protect. When creating your risk assessment, you should include the benefit derived from the information, the estimated time to recreate the information if lost, the negative impact of data loss or corruption, any regulatory requirements, and the estimated value of the information to external parties. In your role as the systems administrator, you will not be able to determine the answers to most of these questions; therefore, you should work with the business managers responsible for the information (information owners) to complete the risk assessment.
Once the risk assessments are complete, you can plan the appropriate level of security, redundancy and recoverability for nearly any situation. This is where you start to work with the information security triad.
Confidentiality:
Each information system in your company may include data that is either proprietary or private. This information can range from the social security numbers in your Human Resources system to the bank account numbers and balances in the accounting database. This information may cover company owned patents, internal business processes or financial projections. Regardless, if it is proprietary or private, you are responsible for ensuring that unauthorized users do not gain access.
External threats, though usually more sophisticated, are much easier to plan for and address (notice that I did not say stop) than internal threats. The best strategy to resist external threats is "defense in depth". "Defense in depth" means that you should not depend upon a single security measure, such as a firewall, to protect your network. The best way to get a grasp on the challenge is to remember that every security device and security product in the world has bugs, and that attackers are just as intent on finding and exploiting those bugs as the manufacturer is on fixing them. If an attacker gains access to a single system, and that system is your only security layer, the attacker has effectively gained access to (and control of) your entire network.
To set up a defense in depth, you should start with a firewall placed between your private network and the internet. This firewall should reject all traffic from the internet except for traffic that you specifically allow to enter, such as e-mail. By rejecting all traffic by default, you significantly reduce the ways in which an attacker can reach your network. In addition, you should direct the permitted traffic to a specific internal address. This means that incoming e-mail traffic should go directly to your anti-spam or e-mail server, rather than to an arbitrary address that may not have the appropriate port security configured.
Additionally, you should segment any computer that must be accessible from the internet into a separate network. This network is commonly referred to as the "DMZ" and is normally separated from both the internet and the company's private network by a firewall. This will ensure that any external attack must penetrate the security of a minimum of two firewalls and the security of a server in order to compromise the internal network.
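The default-deny firewall and DMZ separation described above, as one added example that is not part of the original article: a single nftables host with three zones (internet, DMZ, private LAN) stands in for the two-firewall layout, and the interface names and the mail relay address 10.0.1.25 are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article: one nftables ruleset for the
# edge firewall and DMZ layout described above. Interface names and addresses
# are constructed: wan0 faces the internet, dmz0 the DMZ, lan0 the private LAN,
# and 10.0.1.25 is the DMZ mail relay that inbound SMTP is steered to.
WAN_IF="${WAN_IF:-wan0}"
DMZ_IF="${DMZ_IF:-dmz0}"
LAN_IF="${LAN_IF:-lan0}"
MAIL_RELAY="${MAIL_RELAY:-10.0.1.25}"

# Print the ruleset: every filter chain defaults to drop, so only traffic
# listed here passes, and internet mail goes straight to the relay.
gen_ruleset() {
cat <<EOF
table inet edge {
  chain prerouting {
    type nat hook prerouting priority dstnat; policy accept;
    iifname "$WAN_IF" tcp dport 25 dnat ip to $MAIL_RELAY
  }
  chain forward {
    type filter hook forward priority filter; policy drop;
    ct state established,related accept
    ct state invalid drop
    # internet may reach only the mail relay, only on SMTP
    iifname "$WAN_IF" oifname "$DMZ_IF" ip daddr $MAIL_RELAY tcp dport 25 ct state new accept
    # the private network may open connections outward
    iifname "$LAN_IF" oifname { "$WAN_IF", "$DMZ_IF" } ct state new accept
    # a compromised DMZ host gets no path into the private network
    iifname "$DMZ_IF" oifname "$LAN_IF" drop
    # DMZ hosts still need outbound internet to deliver mail and fetch updates
    iifname "$DMZ_IF" oifname "$WAN_IF" ct state new accept
  }
  chain input {
    type filter hook input priority filter; policy drop;
    iif lo accept
    ct state established,related accept
    # only the private network may manage the firewall itself
    iifname "$LAN_IF" tcp dport 22 accept
  }
}
EOF
}
# Sanity check before loading: both filter chains must default to drop and the
# DMZ-to-LAN drop rule must be present. Returns 0 on success, 1 otherwise.
check_ruleset() {
  rs=$(gen_ruleset)
  [ "$(printf '%s\n' "$rs" | grep -c 'policy drop;')" -eq 2 ] || return 1
  printf '%s\n' "$rs" | grep -q "iifname \"$DMZ_IF\" oifname \"$LAN_IF\" drop"
}
```

Load it with `gen_ruleset | nft -f -` after checking the syntax with `gen_ruleset | nft -c -f -`; NAT in the inet family needs a reasonably recent kernel and nft release.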
One last step to help protect your network is to install corporate-level anti-virus, anti-spyware and anti-spam servers in your DMZ. All traffic coming in from the internet, even traffic requested by an internal user, should be routed through these security servers. This is especially true of e-mail and instant messaging traffic, as both permit the easy transmission of file attachments that may include viruses, worms, spyware and other malicious applications.
Integrity:
The integrity of information is the second leg of the security triad. Data integrity means to protect information from unauthorized alteration or damage. This threat normally comes from internal sources, and much of it is inadvertent.
One of the greatest threats to integrity comes through the spread of malware. Malware includes different types of applications such as spyware and adware. In recent years, the cost to remedy malware infections has skyrocketed for businesses worldwide. In most cases, the malware is downloaded from the internet and installed by individual users who are unaware of the possible impact of what they are doing.
There are several ways to address the integrity of information. The most important method is through end user education. The second most important thing an administrator can do is to ensure that only the appropriate users have access to data, and that the level of access is appropriate. For example, HR policies may be available to all employees on the network, but those employees may not require access to modify or delete the information in those files. One lesser-used method to protect the integrity of data is the usage of file "versioning".
As the network administrator, you must develop and distribute policies to all business users to ensure they are aware of their impact on the overall system. This is normally called an "Acceptable Usage Policy". All employees should be educated on the appropriate usage of their computer for business use only, and the employees should also be made aware of the possible outcome of inappropriate usage. In situations where numerous problems have occurred, and with the concurrence of senior management, you may wish to curtail or eliminate the authority of users to install software packages that may cause issues on the network.
The last way to assist in protecting data integrity is the implementation of file versioning. Versioning is called "shadow copies" in some systems and "revision control" in others; consult your server's operating system documentation for the appropriate method to configure it. This can save you a great deal of time and effort, as you can quickly compare earlier versions to see whether inappropriate changes have been made, and revert to the correct information when illegitimate changes have actually occurred.
Availability:
The most obvious role of the network administrator is ensuring that all servers are running and that the network is stable. Also, nothing is more noticeable to an end user than the message that "Server such-and-such is not available".
To appropriately protect your systems, you should ensure that you have contingencies for all common points of failure, and that you implement plans to mitigate a failure. Simple steps include the implementation of an uninterruptible power supply (UPS) in case of a power outage, a Redundant Array of Inexpensive Disks (RAID) in case of a hard disk failure, and the appropriate type of backup and recovery software and hardware to keep your information safe even if the building itself were to disappear.
The most important of these is the backup and recovery system. If you have multiple locations, then you should ensure that you maintain a copy of your backup at both the local server location and at an off-site location. If you have only a single location, then you may want to obtain a bank deposit box to store your off-site backup. In these days where we must expect the unexpected, having an off-site backup is not just an option, it is mandatory. Imagine losing not just the last few days of work in your company, but all the data ever created/stored there. In many cases, this would result in the bankruptcy and closure of the business.
Summary:
As the network administrator of a small or medium-sized business, you are responsible for keeping information safe. By performing a risk assessment, then using that risk assessment to create a plan that addresses the three legs of the security triad, you are preparing for the worst and ensuring that your company and your employer are safe from the dangers that we know lurk on the internet. Unless, of course, you actually like to fight the constant fires. But the best compliment a boss can offer is the pay raise for doing your job right.