• Confidentiality — making sure that private data stays private
• Integrity — ensuring that data and systems have not been altered in an unauthorized manner.
• Availability — ensuring that systems and data are there when needed
The Sans Institute (www.sans.org) a cooperative research and education organization through which more than 156,000 security professionals, auditors, system administrators, and network administrators share lessons and findings, recommends the following steps to increase network security:
1. Identify and protect your most valuable assets first. One of the first areas that you want to focus on is to identify and protect those systems that maintain your most valuable assets in terms of data.
2. Secure the perimeter and core systems. Make no mistake about it: You are being probed, so make sure that you identify all of the access points to your network and protect them. While technology will never guarantee 100-percent security, using a combination of appliances like firewalls, intrusion detection systems and anti-virus programs will at least make things difficult for any hacker to break into your systems.
Once you have protected both your most critical systems and your perimeter, the next step is to provide protection for your core/internal systems. The main point to remember is that the default installation of any Operating System is not secure. Always be on the lookout for the latest patches and hot fixes available.
3. Write the security policy. Probably the single most important tool for network security is the Security Policy. This is a well-written and signed document that has been approved by management and is mandatory reading for everyone who has access to the network. The Security Policy will dictate exactly what the security parameters will be for the given network: Will the server be in a locked room, and who will have access to it? Will dial-up modems be allowed? What type of auditing will be done, by whom, and when? What constitutes a good password? When will back-ups be performed and by whom? What is the disaster recovery plan? Self-assessment is a very important part of this plan. The procedures that are put in place must be tested regularly to ensure that they are being followed and are effective.
4. Simplify. As a rule, the simpler network is easier to manage and secure than the more complex one. Some people say that having a complicated network helps to confuse a would-be hacker. Still others say that since they are not a big company, then no one would be interested in gaining access to their network.
Keep in mind that "security through obscurity" does not work. The simpler your network is, the better you will be able to understand, manage and protect it.
5. Continue learning. The information covered here does not even begin to show the tip of the iceberg. Security is such a vast subject and covers so many different areas that it is impossible for any single individual to know everything.
6. Get professional help. Don’t try to do it alone; get professional help. If no one in your company has any security experience then do not try to tackle the problem alone. There are just too many vulnerabilities and the tools that can be used against your network can be easily used, even by inexperienced people (i.e. script kiddies). But beware. You want someone who is going to take the time to understand your organization, your network configuration, and your current processes before they bring out some fancy tools.
While these steps are not the final destination, still they will be a good start to establishing a secure network environment. – Carla Paras-Sison