Change Management

Change should be introduced in a managed fashion. For this to occur, an organization must have a formal change management process in place. The purpose of this process is to ensure that all changes are approved by the proper personnel and are implemented in a safe and logical manner. Let's look at some of the key items that should be included in these procedures.

Incident Response Plan

Often, when an attack or security breach occurs in the network, valuable time and information are lost in the critical first minutes and hours after the incident occurs. In some cases, evidence is inadvertently destroyed, making prosecution of the offending party impossible. In other cases, attacks that could have been interrupted and prevented before damage occurs are allowed to continue.

An incident response plan or policy is designed to prevent this by establishing in advance the procedures that should be followed when an attack occurs. It may categorize incidents in such a way that certain event types (such as an active port scan) may require a response (such as disabling certain services) within 10 minutes while other events (such as an attempt to access a file without proper credentials) may only require a notation and follow-up in the next few days. The point is to establish these rules ahead of time to ensure that events are handled in a way that minimizes damage and preserves evidence.

Disaster Recovery Plan

A disaster is an emergency that goes beyond the normal response of resources. The causes of disasters are categorized into three main areas according to origin:

• Technological disasters (device failures)
• Manmade disasters (arson, terrorism, sabotage)
• Natural disasters (hurricanes, floods, earthquakes)

The severity of financial and reputational damage to an organization is largely determined by the amount of time it takes the organization to recover from the disaster. A properly designed disaster recovery plan (DRP) minimizes the effect of a disaster. The DRP is implemented when the emergency occurs and includes the steps to restore systems so the organization can resume normal operations. The goal of a DRP is to minimize or prevent property damage and prevent loss of life.

Business Continuity Plan

One of the parts of a DRP is a plan to keep the business operational while the organization recovers from the disaster; this is known as a business continuity plan (BCP). Continuity planning deals with identifying the impact of any disaster and ensuring that a viable recovery plan for each function and system is implemented. By prioritizing each process and its supporting technologies, the company can ensure that mission-critical systems are recovered first and systems that are considered luxuries can be recovered as time allows.

One document that should be created to drive this prioritization is the business impact analysis (BIA). In this document, the impact each system has on the ability of the organization to stay operational is determined. The results list the critical and necessary business functions, their resource dependencies, and their level of criticality to the overall organization.

System Life Cycle

The steps in the system life cycle are defined, including acquisition, implementation, maintenance, and decommissioning. The life cycle specifies certain due diligence activities to be performed in each phase.

Asset disposal is usually a subset of the system life cycle and prescribes methods of ensuring that sensitive data is removed from devices before disposal.

Standard Operating Procedures

Once your business is launched, each department leader will need to develop practical methods to implement their assigned tasks using the specific part of the business model's blueprint that relates to their branch. These practical methods, or protocols, must be compiled into a standard operating procedures manual and followed closely. The procedures in your manual will have been included for different reasons and have varying degrees of importance and implementation. If you form a partnership or acquire another company, it will be crucial for its business protocols to either match or be compatible with yours.

Acceptable Use Policy

Acceptable use policies should be as comprehensive as possible and should outline every action that is allowed in addition to those that are not allowed. They should also specify the devices and websites that are allowed and the proper use of company equipment.

Password Policy

The password policy defines the requirements for all passwords, including length, complexity, and age. Password management considerations include, but may not be limited to, the following:

• Password life: How long a password will be valid. For most organizations, passwords are valid for 60 to 90 days.
• Password history: How long before a password can be reused. Password policies usually remember a certain number of previously used passwords.
• Authentication period: How long a user can remain logged in. If a user remains logged in for the specified period without activity, the user will be automatically logged out.
• Password complexity: How the password will be structured. Most organizations require upper- and lowercase letters, numbers, and special characters.

  The following are some recommendations:

  • Passwords shouldn't contain the username or parts of the user's full name, such as their first name.
  • Passwords should use at least three of the four available character types: lowercase letters, uppercase letters, numbers, and symbols.
• Password length: How long the password must be. Most organizations require 8 to 12 characters.

Bring Your Own Device (BYOD) Policy

Increasingly, users are doing work on their mobile devices that they once performed on laptops and desktop computers. Moreover, they are demanding that they be able to use their personal devices to work on the company network. This presents a huge security issue for the IT department because they have to secure these devices while simultaneously exercising much less control over them.

The security team must have a way to prevent these personal devices from introducing malware and other security issues to the network. Bring your own device (BYOD) initiatives can be successful if implemented correctly. The key is to implement control over personal devices that leave the safety of your network and return later after potentially being exposed to environments that are out of your control.

Educating users on the risks related to mobile devices and ensuring that they implement appropriate security measures can help protect against threats involved with these devices. Some of the guidelines that should be provided to mobile device users include implementing a device locking PIN, using device encryption, implementing GPS location services, and implementing remote wipe. Also, users should be cautioned on downloading apps without ensuring that they are coming from a reputable source. In recent years, mobile device management (MDM) and mobile application management (MAM) systems have become popular in enterprises. They are implemented to ensure that an organization can control mobile device settings, applications, and other parameters when those devices are attached to the enterprise.

Remote Access Policy

Remote access policies define the requirements for all remote access connections to the enterprise. This may cover VPN, dial-up, and wireless access methods. One method of securing remote access connections is through the use of Network Access Control (NAC), which you will learn about in Chapter 19.

Onboarding and Offboarding Policy

Every new user that is hired undergoes what is called an onboarding process that should be guided by a consistent onboarding policy. This policy prescribes the way in which users are assigned accounts and access to resources as well as the issuance of equipment to them. The following items should be defined and standardized by the onboarding policy:

• Required training
• Account creation
• Resource access

Also, several documents should be executed and signed prior to starting work:

• Acceptable use agreement
• Nondisclosure agreement

There also should be an offboarding policy that defines what actions take place when a user leaves the organization. Special items of concern are as follows:

• Proper recovery of all equipment
• Secure removal of all resource access
• Deletion or disablement of account

Security Policy

So what, exactly, is a security policy? Ideally, it should precisely define how security is to be implemented within an organization and include physical security, document security, and network security. Plus, you have to make sure these forms of security are implemented completely and solidly because if they aren't, your security policy will be a lot like a block of Swiss cheese—some areas are covered, but others are full of holes.

Before a network can be truly secure, the network support staff should post the part of the security policy that applies to employee conduct on bulletin boards. It should, for example, forbid posting any company and/or employee information that's not absolutely necessary—like, believe it or not, sticking Post-its with usernames and passwords on computer screens. Really clean desks, audits, and recordings of email communications and, in some cases, phone calls should also be requirements. And don't forget to also post the consequences of not complying with the security policy.

Data Loss Prevention

The data loss prevention policy defines all procedures for preventing the egress of sensitive data from the network and may include references to the use of data loss prevention (DLP) software.

Data leakage occurs when sensitive data is disclosed to unauthorized personnel either intentionally or inadvertently. Data loss prevention (DLP) software attempts to prevent data leakage. It does this by maintaining awareness of actions that can and cannot be taken with respect to a document. For example, it might allow printing of a document but only at the company office. It might also disallow sending the document through email. DLP software uses ingress and egress filters to identify sensitive data that is leaving the organization and can prevent such leakage.

Another scenario might be the release of product plans that should be available only to the Sales group. A security professional could set a policy like the following for that document:

• It cannot be emailed to anyone other than Sales group members.
• It cannot be printed.
• It cannot be copied.

There are two locations where a DLP can be implemented:

• Network DLP: Installed at network egress points near the perimeter, network DLP analyzes network traffic.
• Endpoint DLP: Endpoint DLP runs on end-user workstations or servers in the organization.

Physical Network Diagram

A physical network diagram contains all the physical devices and connectivity paths on your network and should accurately picture how your network physically fits together in glorious detail. Again, I know it seems like overkill, but ideally, your network diagram should list and map everything you would need to completely rebuild your network from scratch if you had to. This is actually what this type of diagram is designed for. But there's still another physical network diagram variety that includes the firmware revision on all the switches and access points in your network. Remember, besides having your physical network accurately detailed, you must also clearly understand the connections, types of hardware, and their firmware revisions. I'm going to say it again—you will be so happy you have this documentation when troubleshooting! It will prevent much suffering and enable you to fix whatever the problem is so much faster!

If you can't diagram everything, at least make sure all network devices are listed. As I said, physical network diagrams can run from simple, hand-drawn models to insanely complex monsters created by software packages like SmartDraw, Visio, and AutoCAD. Figure 14.2 shows a simple diagram that most of us could draw by hand.

For the artistically impaired, or if you just want a flashier version, Figure 14.3 exhibits a more complex physical diagram. This is an actual sample of what SmartDraw can do for you, and you can get it at www.smartdraw.com. In addition, Microsoft Visio provides many or possibly more of these same functions.

Don't throw anything at me, but I need to bring up one last thing: Never forget to mirror any changes you make to your actual network in the network's diagram. Think of it like an updated snapshot. If you give the authorities your college buddy's baby picture after he goes missing, will that really help people recognize him? Not without the help of some high-tech, age-progression software, that's for sure—and they don't make that for networks, so it's better to just keep things up-to-date.

Rack Diagram

My next example, also courtesy of SmartDraw, includes diagrams of hardware racks, as revealed in Figure 14.4.

Intermediate Distribution Frame (IDF)/Main Distribution Frame (MDF) Documentation

The main distribution frame (MDF) connects equipment (inside plant) to cables and subscriber carrier equipment (outside plant). It also terminates cables that run to intermediate distribution frames distributed throughout the facility.

An intermediate distribution frame (IDF) serves as a distribution point for cables from the MDF to individual cables connected to equipment in areas remote from these frames. The relationship between the IDFs and the MDF is shown in Figure 14.5. This should also be clearly documented and continually updated.

Logical Network Diagram

Physical diagrams depict how data physically flows from one area of your network to the next, but a logical network diagram includes things like protocols, configurations, addressing schemes, access lists, firewalls, types of applications, and so on—all things that apply logically to your network. Figure 14.6 shows what a logical network diagram could look like.

And just as you mirror any physical changes you make to the network (like adding devices or even just a cable) on your physical diagram, you map logical changes (like creating a new subnet, VLAN, or security zone) on your logical network diagram. It is important that you keep this oh-so-important document up-to-date.

Wiring Diagram

Wireless is definitely the wave of the future, but for now even the most extensive wireless networks have a wired backbone they rely on to connect them to the rest of humanity.

That skeleton is made up of cabled physical media like coax, fiber, and twisted pair. Surprisingly, it is the latter—specifically, unshielded twisted-pair (UTP)—that screams to be pictured in a diagram.

When you're troubleshooting a network, having a diagram is golden. Let's say you discover a connectivity problem between two hosts. Because you've got the map, you know the cable running between them is brand new and custom made. This should tell you to go directly to that new cable because it's likely it was poorly made and is therefore causing the snag.

Another reason it's so important to diagram all things wiring is that all wires have to plug into something somewhere, and it's really good to know what and where that is. Whether it's into a hub, a switch, a router, a workstation, or the wall, you positively need to know the who, what, where, when, and how of the way the wiring is attached.

Site Survey Report

Site surveys are covered extensively in Chapter 24. Please see that chapter for in-depth information.

Audit and Assessment Report

When audits and assessments are performed, there should be reports created that organize the collected information in a format that can be understood by those who are charged with making security decisions based on the reports. The language should be clear and all terms used should be defined. Keep in mind that decision makers do not always have the same security skills as those they manage.

Baseline Configurations

In networking, baseline can refer to the standard level of performance of a certain device or to the normal operating capacity for your whole network. For instance, a specific server's baseline describes norms for factors like how busy its processors are, how much of the memory it uses, and how much data usually goes through the NIC at a given time. A network baseline delimits when a bandwidth is available and the amount of that bandwidth. For networks and networked devices, baselines include information about four key components:

• Processor
• Memory
• Hard-disk (or other storage) subsystem
• Wired/wireless utilization

After everything is up and running, it's a good idea to establish performance baselines on all vital devices and your network in general. To do this, measure things like network usage at three different strategic times to get an accurate assessment. For instance, peak usage usually happens around 8:00 a.m. Monday through Friday, or whenever most people log in to the network in the morning. After hours or on weekends is often when usage is the lowest. Knowing these values can help you troubleshoot bottlenecks or determine why certain system resources are more limited than they should be. Knowing what your baseline is can even tell you if someone's complaints about the network running like a slug are really valid—nice!

It's good to know that you can use network-monitoring software to establish baselines. Even some server operating systems come with software to help with network monitoring, which can help find baselines, perform log management, and even do network graphing as well so you can compare the logs and graphs at a later period of time on your network.

In my experience, it's wise to re-baseline network performance at least once a year. And always pinpoint new performance baselines after any major upgrade to your network's infrastructure.

Nondisclosure Agreement (NDA)

A nondisclosure agreement (NDA) is an agreement between two parties that defines what information is considered confidential and cannot be shared outside the two parties. An organization may implement NDAs with personnel regarding the intellectual property of the organization. NDAs can also be used when two organizations work together to develop a new product. Because certain information must be shared to make the partnership successful, NDAs are signed to ensure that each partner's data is protected.

While an NDA cannot ensure that confidential data is not shared, it usually provides details on the repercussions for the offending party, including but not limited to fines, jail time, and forfeiture of rights. For example, an organization should decide to implement an NDA when it wants to legally ensure that no sensitive information is compromised through a project with a third party or in a cloud-computing environment.

Service-Level Agreement (SLA)

This is an agreement that defines the allowable time in which a party must respond to issues on behalf of the other party. Most service contracts are accompanied by an SLA, which often include security priorities, responsibilities, guarantees, and warranties.

Memorandum of Understanding (MOU)

This is an agreement between two or more organizations that details a common line of action. It is often used in cases where parties do not have a legal commitment or in situations where the parties cannot create a legally enforceable agreement. In some cases, it is referred to as a letter of intent.

1. The way to properly install or remove software on the servers is an example of which of the following?
   1. Plan
   2. Policy
   3. Procedure
   4. Code
2. Which of the following is a plan for reversing changes and recovering from any adverse effects from the changes?
   1. Backup
   2. Secondary
   3. Rollback
   4. Failover
3. Which of the following is the amount of time a system will be down or unavailable during the implementation of changes?
   1. Downtime
   2. Maintenance window
   3. MTBF
   4. Work factor
4. Which of the following is not a device hardening technique?
   1. Remove unnecessary applications.
   2. Deploy an access control vestibule.
   3. Block unrequired ports.
   4. Disable unnecessary services.
5. Which policy automatically logs a user out after a specified period without activity?
   1. Password complexity
   2. Password history
   3. Password length
   4. Authentication period
6. BYOD policies apply to what type of device?
   1. Mobile
   2. Desktop
   3. Server
   4. Firewall
7. Which tool can prevent the emailing of a document to anyone other than Sales group members?
   1. SSS
   2. STP
   3. DLP
   4. VBA
8. Which of the following connects equipment (inside plant) to cables and subscriber carrier equipment (outside plant)?
   1. IDF
   2. MDF
   3. Plant rack
   4. Access control vestibule
9. Which of the following is not part of the Information Gathering step of a site survey?
   1. Determine the scope of the network with respect to applications in use.
   2. Verify optimal distances between prospective AP locations.
   3. Identify areas that must be covered.
   4. Assess types of wireless devices that will need to be supported.
10. Device baselines include information about all but which of the following components?
    1. CPU
    2. Memory
    3. Hard disk
    4. Display