
CompTIA Security_ Deluxe Study Guide_ SY0-201 - Emmett Dulaney [16]

risk that someone could harm your operations.

Finally, try to answer similar questions, but instead of imagining that you’re an outsider to the company, use the perspective of someone from accounting who didn’t get the promotion they thought they should and now wants to hurt the company. They have already gained access to much of the building—what keeps them from carrying out the crime?

Some vendors use the acronym NAC to signify network admission control rather than the more commonly accepted network access control.

The issues you address in an operational capacity can seem overwhelming at first. Many of the areas you’ll address are vulnerabilities in the systems you use or weak or inadequate security policies. For example, if you implement a comprehensive password expiration policy, you can require users to change their passwords every 30 or 60 days. If the system doesn’t require password rotation, though (it allows the same passwords to be reused), you have a vulnerability that you may not be able to eliminate. A user can go through the motions of changing their password only to reenter the same value and keep it in use.

From an operational perspective, the system described has weak password-protection capabilities. There is nothing you can do, short of installing a higher-security logon process or replacing the operating system. Either solution may not be feasible given the costs, conversion times, and possible unwillingness of an organization—or its partners—to make this switch.
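The gap described above, shown as an added Python example (not from the book): an expiration-only change routine accepts the old password again, while a logon process that keeps a history of salted hashes rejects it. The `Account` class, the history depth of 5, and the PBKDF2 iteration count are assumptions chosen for illustration; the dates and passwords are constructed.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

MAX_AGE = timedelta(days=60)   # expiration interval from the policy above
HISTORY_DEPTH = 5              # assumed number of remembered passwords
ITERATIONS = 100_000           # assumed PBKDF2 work factor

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

class Account:
    def __init__(self, password, now):
        self.history = []      # newest first: (salt, digest) pairs, never plaintext
        self._store(password, now)

    def _store(self, password, now):
        salt = os.urandom(16)
        self.history.insert(0, (salt, _hash(password, salt)))
        del self.history[HISTORY_DEPTH:]   # forget entries beyond the depth
        self.changed_at = now

    def expired(self, now):
        return now - self.changed_at >= MAX_AGE

    def was_used(self, password):  # re-hash under each stored salt, constant-time compare
        return any(hmac.compare_digest(_hash(password, salt), digest)
                   for salt, digest in self.history)

    def change_expiry_only(self, new_password, now):
        """Weak system: a change is forced, but the new value is never checked."""
        self._store(new_password, now)
        return True

    def change_with_history(self, new_password, now):
        """Hardened logon process: refuse any of the last HISTORY_DEPTH passwords."""
        if self.was_used(new_password):
            return False
        self._store(new_password, now)
        return True

def demo():
    t0 = datetime(2024, 1, 1)              # constructed sample data
    acct = Account("Spring#2024", t0)
    t1, t2 = t0 + MAX_AGE, t0 + 2 * MAX_AGE
    weak = acct.expired(t1) and acct.change_expiry_only("Spring#2024", t1)
    blocked = acct.change_with_history("Spring#2024", t2)
    return weak, blocked, acct.change_with_history("Autumn#2024", t2)
```

`demo()` returns whether the weak routine accepted the reused password, whether the history check accepted it, and whether a genuinely new password was accepted.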

Such dependence on a weak system usually stems from the fact that most companies use software that was developed by third parties in order to save costs or meet compatibility requirements. These packages may require the use of a specific operating system. If that operating system has significant security problems or vulnerabilities, your duties will be mammoth because you’ll still be responsible for providing security in that environment. For example, when your secure corporate network is connected to the Internet, it becomes subject to many potential vulnerabilities. You can install hardware and software to improve security, but management may decide these measures cost too much to implement. Again, operationally there may be little you can do.

Much of this book discusses the technologies and tools used to help ensure operational security. Figure 1.2 illustrates the various concerns you face from an operational perspective.

FIGURE 1.2 Operational security issues

Working with Management and Policies


Management and policies provide the guidance, rules, and procedures for implementing a security environment. Policies, to be effective, must have the full and uncompromised support of the organization’s management team. Management directions can give security initiatives the teeth they need to be effective. In the absence of support, even the best policies will be doomed to failure.

Information security professionals can recommend policies, but they need the support of management to implement them. There is nothing more ineffective than a self-proclaimed security “czar” who has no support from management. Not only is their tenure often short-lived, but so too is the security of their network.

Real World Scenario

Survey Your Operational Environment

As a security administrator, you’ll need to assess the operational environment of your network by looking for “doors” that an outsider could use to gain access to your data. Securing the network involves far more than simply securing what exists within the four walls of your building. Look for openings that intruders can use to enter your network without walking through the door. Don’t think of the safeguards that may currently exist, but rather focus on ways someone not on your network might join it.

See if you can answer these questions:

1. How do users on your network access the Internet? Do any users use dial-up connections within the office? Do they use dial-up access when they take their laptops home with them? Are proxy servers in use? Do you
