Friday, May 25, 2007

How to determine what to secure and how to secure it

Start by asking what you are protecting. Is it data (proprietary, confidential or otherwise)? Is it the availability of certain services (your mail server, www server, etc.)? Or do you simply want to protect the physical hardware from damage? Next, what are you protecting it against? Malicious damage (8 Sun Enterprise 10000's), deletion (survey data, your mom's recipe collection), changes (a hospital with medical records, a bank), exposure (confidential internal communications concerning the lawsuit, plans to sell cocaine to unwed mothers), and so on. Finally, what are the chances of a "bad" event happening? Network probes (happens to me daily), physical intrusion (hasn't happened to me yet), social engineering ("Hi, this is Bob from IT, I need your password so we can reset it...").

You need to list out the resources (servers, services, data and other components) that hold data, provide services or make up your company infrastructure. The following is a short list:
  • Physical server machines
  • Mail server and services
  • DNS server and services
  • WWW server and services
  • File server and services
  • Internal company data such as accounting records and HR data
  • Your network infrastructure (cabling, hubs, switches, routers, etc.)
  • Your phone system (PBX, voicemail, etc.)
You then need to figure out what you want to protect it against:
  • Physical damage (smoke, water, food, etc.)
  • Deletion / modification of data (accounting records, defacement of your www site, etc.)
  • Exposure of data (accounting data, etc.)
  • Loss of availability (keep the email/www/file server up and running)
  • Prevent others from using your services illegally/improperly (email spamming, etc.)
Finally, what is the likelihood of each event occurring?
  • Network scans – daily is a safe bet
  • Social engineering – varies; the people least able to recognize it tend to be the ones targeted
  • Physical intrusion – depends, typically rare, but a hostile employee with a pair of wire cutters could do a lot of damage in a telecom closet
  • Employees selling your data to competitors – it happens
  • Competitor hiring skilled people to actively penetrate your network – no one ever talks about this one, but it also happens
Once you have a list of your resources, what they need protecting from and how likely each event is, you can start implementing security. Some techniques (physical security for servers, etc.) pretty much go without saying; in this industry there is a baseline of security that is typically implemented (putting passwords on accounts, etc.). The vast majority of security problems are human generated, and most problems I have seen are due to a lack of education/communication between people. There is no technical 'silver bullet'; even the best software needs to be installed, configured and maintained by people.

Now for the stick. A short list of possible results from a security incident:
  • Loss of data
  • Direct loss of revenue (www sales stop, file server is down, etc.)
  • Indirect loss of revenue (email support goes, customers vow never to buy from you again)
  • Cost of staff time to respond
  • Lost productivity of IT staff and workers dependent on IT infrastructure
  • Legal Liability (medical records, account records of clients, etc.)
  • Loss of customer confidence
  • Media coverage of the event
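The three lists above (resources, what to protect them against, how likely each event is) and the list of consequences only become a plan once they are combined into a single ranked register. The following is an added worked example, not code from the original post: it pairs each asset with a threat, attaches an estimated annual rate and a per-event loss, ranks the pairs by expected annual loss and flags those above a stated risk appetite. The asset names, threats, rates, loss figures and the 5,000 appetite are constructed illustrations, not measurements; the register shows, for instance, that daily network scans have the highest likelihood but contribute nothing on their own, while a rare exposure of HR data tops the list.

```python
"""Rank an asset/threat register by expected annual loss (likelihood * impact).

Added example: the register below is constructed for illustration; every number
is an assumed estimate, not data from the original post.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One row of the register: an asset paired with one threat against it."""
    asset: str
    threat: str
    events_per_year: float   # estimated likelihood (annual rate of occurrence)
    loss_per_event: float    # estimated impact per event, in currency units

    @property
    def annual_loss(self) -> float:
        """Expected loss per year: rate times impact (annualized loss expectancy)."""
        return self.events_per_year * self.loss_per_event


# Constructed sample register (assumed values, chosen only to illustrate ranking).
REGISTER = [
    Risk("WWW server", "defacement / content modification", 2.0, 5_000.0),
    Risk("Mail server", "abused as a spam relay", 4.0, 1_500.0),
    Risk("File server", "accidental deletion of shared data", 12.0, 400.0),
    Risk("Internal HR data", "exposure by an employee", 0.1, 200_000.0),
    Risk("Telecom closet", "physical sabotage by a hostile employee", 0.05, 30_000.0),
    Risk("Network perimeter", "port scans", 365.0, 0.0),
]


def rank(register):
    """Highest expected annual loss first; ties broken by asset name for stable output."""
    return sorted(register, key=lambda r: (-r.annual_loss, r.asset))


def above_appetite(register, appetite):
    """Risks whose expected annual loss exceeds what the business will accept untreated."""
    return [r for r in rank(register) if r.annual_loss > appetite]


def loss_by_asset(register):
    """Sum expected losses per asset, so spending follows the asset, not the headline."""
    totals = defaultdict(float)
    for r in register:
        totals[r.asset] += r.annual_loss
    return dict(totals)


def total_annual_loss(register):
    """Expected loss across the whole register for one year."""
    return sum(r.annual_loss for r in register)


def report(register, appetite):
    """Plain-text table, ranked, with a TREAT/accept flag against the appetite."""
    lines = [f"{'asset':<20} {'threat':<42} {'rate/yr':>8} {'loss/ev':>10} {'ALE':>10}"]
    for r in rank(register):
        flag = "TREAT" if r.annual_loss > appetite else "accept"
        lines.append(f"{r.asset:<20} {r.threat:<42} {r.events_per_year:>8.2f} "
                     f"{r.loss_per_event:>10,.0f} {r.annual_loss:>10,.0f}  {flag}")
    lines.append(f"total expected annual loss: {total_annual_loss(register):,.0f}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(REGISTER, appetite=5_000.0))
```

The per-event loss column is where the consequences listed above (lost data, lost revenue, staff time, liability, lost confidence) get turned into a single estimate; the harder-to-price items still have to be given a number, or the ranking silently treats them as free. Re-run the ranking whenever an estimate changes, and revisit the estimates after every real incident.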