Your network infrastructure is a vital company asset and the information it carries is increasingly attractive to criminals. To make sure your network’s performance is maintained and it is protected from security breaches, you need to make sure the appropriate security controls are put in place.
In this article we will show how ISO 27001 controls, such as network segregation and the use of encryption, can improve network security and resilience and increase stakeholder confidence in your business.
Network Security Management
Network Security Management is the process of identifying risks such as unauthorised access, misuse, malfunction, modification or deletion, and applying controls to protect your network data from those risks. The use of controls should also consider that authorised systems, users, and applications should not be unduly hindered. Also, the security of both internal and external (internet) networks should be evaluated and controlled.
It is typical for a range of controls to be applied including policy, physical and technical. The best practice approach is to create a strong security posture based on a layered approach. The components or layers should support and complement each other to increase the overall security.
A common way to categorise network attacks is to think of them as passive and active attacks.
A passive attack is a network attack where the target system is monitored and sometimes scanned for open ports and vulnerabilities. The purpose of this attack is purely to gain information about the target; no data is changed on the target. Examples of passive attacks include:
War Driving: where vulnerable Wi-Fi networks are scanned from nearby locations with a portable antenna. The attack can be carried out from a moving vehicle, sometimes with GPS systems, that attackers use to plot out areas with vulnerabilities on a map.
Dumpster Diving: where intruders look for information stored on documents or discarded computer equipment. This information may then be used to facilitate covert entry to a network or system.
An active attack is where an attacker attempts to change data on the target or data en route to the target. Examples of active attacks include:
Masquerade Attack: where the intruder pretends to be a particular user of a system to gain access or to gain greater privileges than they are authorised for. A masquerade may be attempted through the use of stolen login IDs and passwords, by finding security gaps in programs or by bypassing the authentication mechanism.
Session Replay Attack: where the attacker uses an authorised user’s authentication information by stealing the session ID. The intruder gains access and the ability to do anything the authorised user can do.
Message Modification Attack: where the attacker alters packet header addresses to direct a message to a different destination or modify the data on a target machine.
Denial of Service (DoS) Attack: where users are deprived of access to a network or application. This is generally accomplished by overwhelming the target with more traffic than it can handle. In a distributed denial-of-service (DDoS) attack, large numbers of compromised systems (often called a botnet) attack a single target.
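The port scanning described under passive attacks leaves a trace in firewall and IDS logs: one source touching many distinct ports on a host in a short time. The following is an added example, not part of the original article, of a small detector that sweeps constructed firewall log lines for that pattern. The log format, the 60-second window and the threshold of eight distinct ports are assumptions chosen for illustration; a real deployment would tune them to its own traffic.

```python
"""Detect port-scan reconnaissance in firewall deny logs by counting distinct
destination ports per (source, host) pair inside a sliding time window."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in an assumed "timestamp action src dst:port" format.
# 203.0.113.5 sweeps ten ports in six seconds; 198.51.100.7 touches two ports
# half an hour apart; 10.0.10.42 is ordinary allowed traffic.
SAMPLE_LOG = """\
2024-01-10T09:00:01 DENY 203.0.113.5 10.0.20.10:22
2024-01-10T09:00:02 DENY 203.0.113.5 10.0.20.10:23
2024-01-10T09:00:02 DENY 203.0.113.5 10.0.20.10:25
2024-01-10T09:00:03 DENY 203.0.113.5 10.0.20.10:80
2024-01-10T09:00:03 DENY 203.0.113.5 10.0.20.10:110
2024-01-10T09:00:04 DENY 203.0.113.5 10.0.20.10:143
2024-01-10T09:00:04 DENY 203.0.113.5 10.0.20.10:443
2024-01-10T09:00:05 DENY 203.0.113.5 10.0.20.10:445
2024-01-10T09:00:05 DENY 203.0.113.5 10.0.20.10:3389
2024-01-10T09:00:06 DENY 203.0.113.5 10.0.20.10:8080
2024-01-10T09:00:07 ALLOW 10.0.10.42 10.0.20.10:443
2024-01-10T09:00:08 ALLOW 10.0.10.42 10.0.20.11:443
2024-01-10T09:10:00 DENY 198.51.100.7 10.0.20.10:22
2024-01-10T09:40:00 DENY 198.51.100.7 10.0.20.10:80
"""


def parse_line(line):
    """Split one log line into (timestamp, action, src, dst_host, dst_port)."""
    ts, action, src, dst = line.split()
    host, port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), action, src, host, int(port)


def find_port_scans(log_text, window=timedelta(seconds=60), threshold=8):
    """Return {(src, host): sorted_ports} for every source that hit at least
    `threshold` distinct ports on one host within any `window`-long span.
    Only DENY events are counted: blocked probes of closed ports are the
    cleanest scan signal and exclude legitimate allowed traffic (assumption)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, action, src, host, port = parse_line(line)
        if action != "DENY":
            continue
        events[(src, host)].append((ts, port))

    alerts = {}
    for key, hits in events.items():
        hits.sort()  # chronological order for the sliding window
        start = 0
        for end in range(len(hits)):
            # Advance the window start until it spans at most `window`
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) >= threshold:
                # Keep the largest port set seen for this pair
                alerts[key] = sorted(ports)
    return alerts


if __name__ == "__main__":
    for (src, host), ports in find_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src} against {host}: {len(ports)} ports {ports}")
```

The detector keys on the (source, destination host) pair so that a monitoring station legitimately polling many hosts on one port is not confused with a scanner probing many ports on one host. Feeding the alerts into the logging and review process called for by the network controls below is what turns raw logs into a detective control.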
ISO 27001 Network Management
Like all ISO management systems, ISO 27001 is based on the Plan-Do-Check-Act model. This maps well onto a standard network security management approach, i.e. planning, implementation, verification and adjustment of network controls.
With regard to network management planning activities, it is necessary to define your network security objectives. Examples would be confidentiality, integrity and availability of the network and data. Once network security objectives are defined, you would then need to determine the controls to be implemented, based on an assessment of the risks.
According to ISO 27002, certain network security management controls must be considered:
Network Controls (A.13.1.1): General controls should be implemented, such as definitions of responsibilities and procedures for network equipment management, segregation, use of cryptographic solutions to protect data in transit (e.g. VPN), monitoring and logging of network activities (e.g. by using an intrusion detection system, IDS), authentication and other means to restrict access to and use of networked resources.
Security of Network Services (A.13.1.2): The expected performance and security levels should be defined, e.g. by creating service level agreements, as well as the means by which the organisation can verify whether the service levels are being met, e.g. by status reports or audits. Service levels should be considered for both in-house and outsourced services.
Segregation in Networks (A.13.1.3): Servers, users and workstations should be separated into different networks, according to defined criteria like risk exposure and business value. Strict control of data flowing between these networks should be established, e.g. by using firewalls and router configuration.
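Segregation (A.13.1.3) is only as strong as the rules that govern traffic between segments, and those rules are easiest to reason about as an explicit allow-list with default deny. The following is an added example, not part of the original article, that models segments and permitted inter-segment flows and then evaluates and audits candidate flows the way a firewall ruleset review would. The segment names, CIDRs, the allow-list and the "users must never reach the management segment" rule are all constructed assumptions for illustration, not values from any real network.

```python
"""Model network segregation as named segments plus an explicit allow-list of
inter-segment flows; anything not listed is denied (default deny)."""
from ipaddress import ip_address, ip_network

# Constructed example segments; a real design would take these from the
# network architecture and the risk assessment that defined the criteria.
SEGMENTS = {
    "users":   ip_network("10.0.10.0/24"),
    "servers": ip_network("10.0.20.0/24"),
    "dmz":     ip_network("192.0.2.0/24"),
    "mgmt":    ip_network("10.0.99.0/24"),
}

# Permitted (source segment, destination segment, protocol, port) flows.
# Everything else between segments is denied by evaluate_flow().
ALLOWED_FLOWS = {
    ("users", "servers", "tcp", 443),   # users reach internal web apps
    ("users", "dmz", "tcp", 443),       # users reach public-facing web tier
    ("dmz", "servers", "tcp", 5432),    # web tier reaches its database
    ("mgmt", "servers", "tcp", 22),     # admins manage servers over SSH
    ("mgmt", "dmz", "tcp", 22),         # admins manage the DMZ over SSH
}


def segment_of(ip):
    """Return the segment name containing `ip`, or None if it is unassigned."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def evaluate_flow(src_ip, dst_ip, proto, port):
    """Return (verdict, reason) for one candidate flow. Default deny; traffic
    inside a single segment is allowed here (intra-segment controls such as
    host firewalls are a separate layer and out of scope for this model)."""
    src_seg, dst_seg = segment_of(src_ip), segment_of(dst_ip)
    if src_seg is None or dst_seg is None:
        return "deny", "address not in any defined segment"
    if src_seg == dst_seg:
        return "allow", f"intra-segment traffic within '{src_seg}'"
    if (src_seg, dst_seg, proto, port) in ALLOWED_FLOWS:
        return "allow", f"{src_seg}->{dst_seg} {proto}/{port} is on the allow-list"
    return "deny", f"{src_seg}->{dst_seg} {proto}/{port} is not on the allow-list"


def audit(rules=ALLOWED_FLOWS):
    """Review an allow-list against the design: flag rules that reference an
    undefined segment, and flag any rule letting the user segment reach the
    management segment (an assumed design constraint for this example)."""
    findings = []
    for src, dst, proto, port in sorted(rules):
        if src not in SEGMENTS or dst not in SEGMENTS:
            findings.append(f"unknown segment in rule {src}->{dst} {proto}/{port}")
        if src == "users" and dst == "mgmt":
            findings.append(f"users must not reach mgmt: {proto}/{port} rule violates design")
    return findings


if __name__ == "__main__":
    for flow in [("10.0.10.5", "10.0.20.10", "tcp", 443),
                 ("10.0.10.5", "10.0.20.10", "tcp", 22),
                 ("10.0.10.5", "10.0.99.1", "tcp", 22),
                 ("203.0.113.5", "10.0.20.10", "tcp", 443)]:
        print(flow, "->", evaluate_flow(*flow))
    print("audit findings:", audit(ALLOWED_FLOWS | {("users", "mgmt", "tcp", 22)}))
```

Keeping the allow-list as data makes it possible to review it in change management (12.1.2) and to re-run the audit after every change, which is the periodic verification the standard asks for. The model itself is not a firewall; it is the specification a firewall or router configuration should be checked against.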
Network security management can also make use of other ISO 27002 controls to enhance its effectiveness, such as Access Control Policy (9.1.1), change management (12.1.2), protection from malware (12.2.1), and management of technical vulnerabilities (12.6.1).
The network controls should be verified for suitability and effectiveness by periodic audits and management reviews. Over time this will lead to improvements through corrective actions.
Benefits of Implementing ISO 27001 Network Security
There are a number of benefits you can achieve by adopting network security management:
- Increased productivity. A more reliable network and fewer business disruptions.
- Regulatory compliance. Network security is a common requirement in many regulations, like PCI and SOX, etc.
- Reduced risk of legal actions. The efforts made to protect customers’ data will demonstrate due diligence and due care.
- Enhanced reputation. Efforts made to protect customers’ data show the organisation’s commitment to security.