Lothie Dot Com
WHAT IS INFORMATION SECURITY?

By Mimi Carpenter

I work in the field of Information Security. What this means is that I protect my company, or the customers of my company, from people outside or inside who might want to steal or compromise their proprietary information. Information Security, or Infosec as we call it, can be complex, but what it boils down to is putting devices or functions in place to prevent people from seeing things they shouldn't.

For instance, you don't want people on the outside, using the Internet, to see all the machines you have on the inside (such as people's desktops or the machines in your server room). So to begin, you'll erect a firewall on the perimeter of your network. A firewall is just a computer with two network connections, one to your Internet router and one to your inside network, that stops people from getting inbound or, in some cases, outbound, while still letting the people who have to get in and out do their work. You can also monitor what it is that people are accessing, to see if anybody's trying to bend the rules.

Sometimes a firewall is not enough. Say you have people who are on the outside but who need access to proprietary information inside: a partner, or a field engineer, or some such. You want to give them the access, but you don't want to do so in a way that would compromise the information or your company, or let anybody else get at it. To solve this problem, you'd set up what's known as a Virtual Private Network (VPN), which essentially means setting up a relationship between the remote users' computers and your own network. Traffic between the two points is encrypted in such a way that anyone trying to electronically eavesdrop wouldn't be able to understand it. The outside users, depending on how you set it up, would seem to actually be on your corporate network, but their activity would essentially be invisible to any outside spies.
There are other ways to accomplish this same task, but setting up a VPN is the traditional way.

A firewall will cut down heavily on the probability of unwanted people getting into your corporate network, but it's not designed to tell you a whole lot about who may be trying to get in, or the types of attacks they're using. Therefore, many Infosec specialists recommend what we call an Intrusion Detection System (IDS). An IDS is a computer (or set of computers) that monitors traffic and analyzes it according to attack signatures: patterns of network activity that may indicate that someone is attempting to compromise your network. Some attacks are very complex and can be mounted over time, and the IDS will pick up on this and compile a report of what is happening so that you can take appropriate action. It can also be set up to email or page you to alert you to an emergency situation. Of course, your IDS is useless unless someone takes the time to read the reports that it is generating.

Information Security doesn't stop at the perimeter of your network. It's not just about what's happening outside; it's also about what's happening inside. Statistics vary from year to year, but at any given point about half of a company's attacks originate from inside. There can be many different reasons for an employee deciding to poke his virtual nose where it doesn't belong, and there are just as many tools available to help him do it. It's useful, therefore, to have an internal IDS set up, in addition to the one on the perimeter, that will monitor your vital servers and report on any attacks from within. In addition, it's important to have some sort of file auditing mechanism in place on your file servers, so that you can be informed if someone is trying to read a file that he shouldn't have access to. Two more important tools to have, if the internal IDS doesn't include them, are a network monitoring device to make sure that important servers are up, and a packet sniffing tool.
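As an added illustration of the two things an IDS does in the passage above (matching single connections against attack signatures, and correlating probes spread out over time into one report), here is a small Python sketch; it is not code from this article or from any IDS product, and the traffic records and signatures in it are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not captured traffic), in the shape a perimeter or
# internal sensor might log: time, source, destination, destination port, request.
SAMPLE = [
    ("2003-04-01 09:00:01", "203.0.113.5", "192.0.2.10", 80, "GET /index.html"),
    ("2003-04-01 09:00:02", "203.0.113.5", "192.0.2.10", 80, "GET /../../etc/passwd"),
] + [
    # A slow scan: one port every three minutes, spread out to look like noise.
    ("2003-04-01 09:%02d:00" % (1 + 3 * i), "198.51.100.7", "192.0.2.10", p, "")
    for i, p in enumerate([21, 22, 23, 25, 53, 110, 143])
]

# Single-record signatures: one matching connection is enough to raise an alert.
SIGNATURES = {
    "directory traversal": lambda req: "/../" in req,
    "command shell request": lambda req: "cmd.exe" in req.lower(),
}
SCAN_WINDOW = timedelta(minutes=30)   # how far back to correlate per source
SCAN_PORTS = 5                        # distinct ports within the window to alert

def analyze(records, signatures=SIGNATURES):
    """Return (time, source, description) alerts for the records, in order."""
    alerts = []
    recent = defaultdict(list)        # source -> [(time, port)] inside the window
    reported = set()                  # sources already reported as scanners
    for ts, src, dst, port, req in records:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        for name, matches in signatures.items():
            if matches(req):
                alerts.append((ts, src, f"{name} against {dst}:{port}"))
        # Correlation over time: drop this source's probes older than the window,
        # then count distinct ports. Spacing probes out does not hide the scan
        # as long as the window is longer than the gap between probes.
        recent[src] = [(x, p) for x, p in recent[src] if t - x <= SCAN_WINDOW]
        recent[src].append((t, port))
        ports = sorted({p for _, p in recent[src]})
        if len(ports) >= SCAN_PORTS and src not in reported:
            reported.add(src)
            alerts.append((ts, src, f"port scan of {dst}: {ports}"))
    return alerts

def report(alerts):
    """Compile alerts into the text an administrator reads or is paged with."""
    return "\n".join(f"{ts}  {src:<15} {desc}" for ts, src, desc in alerts)

if __name__ == "__main__":
    print(report(analyze(SAMPLE)))
```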
The packet sniffer essentially reads network traffic at its most basic level and helps you determine if an employee is trying to use a resource that he should not be using.

All of these systems and precautions do nothing for you if you have no physical security in place. All servers, including the firewall, VPN hardware, and the IDS itself, should be behind lock and key and physically accessible only to the employees who need to administer them. Likewise, mail, file, FTP, web servers and the like should be physically accessible only to their administrators. Also, accounts on these systems should be given only to the persons who need them, and passwords should be rotated (or aged) every few months.

Beyond server security, the company should make an effort to police site security, and train staff regarding what type of information not to give out on the phone. A determined outside spy can easily prey on a naïve employee who is only trying to be helpful, or attempting to comply with what he's being told is policy. If employees know what they're up against, they will be less likely to let outsiders into areas where they don't belong or give out proprietary information over the phone.

Again, however, all this will avail you little in the event of a disaster if you are not prepared for it. One very important task of the Infosec engineer is to prepare his client for disaster recovery by making sure that all important systems are backed up and, where possible, duplicated at another site. Often he will recommend a failover system, such that if a server goes down it will immediately be replaced with an identical server without the physical intervention of an administrator.

One very important thing that I do with my clients is go over what the current corporate security policy is, if there is one, and either update it or create it if it does not exist.
I do this by asking questions about the company's assets, what threats they are currently facing, what potential threats they foresee, who currently has access to which systems (including Internet access), what network and physical security they already have in place, and what their plan is in the event of a disaster. Then together the person in charge of IT, the network administrators, and I formulate a policy that the company can implement and maintain. This formulation period may, at the company's request, include test attacks against the perimeter and internal networks to demonstrate the need for more security systems.

All in all, my job is a very rewarding one, as I work to create and implement the security structure of a company and watch it all unfold. My task is to help create a system of safety for a company, its employees, and its proprietary information, and in my opinion that's one of the best and most rewarding jobs in the IT industry today.