General Best Practices for Network Security and Survivability
Information Note Number: IN03-003
8 October 2003
Purpose
OCIPEP is releasing these general best practices as an update to the OCIPEP Information Note IN01-005 entitled "Computer and Network Security Preparedness." Information Note IN03-003 provides up-to-date security protocols required by the rapidly changing network security environment.
Audience
This OCIPEP Information Note is intended for network security administrators and cyber security personnel.
Background
Since the beginning of 2003, OCIPEP has released 42 Advisories, 10 Alerts, one cyber-related Information Note and one cyber-related Incident Analysis. A number of highly publicized worms and viruses have heightened public awareness of the necessity of properly securing corporate networks and terminals, as well as personal computers.
Introduction
OCIPEP has developed this best practices document to assist organizations in identifying the steps required to improve their security posture. The best practices are divided into six sections:
- Security and Acceptable Use Policies;
- Multi-Layered Security Approach;
- Internal Defense;
- External Defense;
- Remote User Management; and
- General Practices.

Best Practices
Security and Acceptable Use Policies
In order to properly defend and protect networked systems, organizations must develop and enforce rigid security and acceptable use policies that in turn are strongly endorsed by senior management. An awareness program to ensure all employees adhere to the policies should also be implemented.
Multi-Layered Security Approach
No single security device is sufficient to completely protect systems and networks. OCIPEP recommends a multi-layered approach, using multiple security devices, that is well integrated with the business requirements of the organization. Security devices that should be considered include firewalls, network monitoring devices, patch management software and anti-virus software. Other security devices may also be considered where warranted.
Internal Defense
OCIPEP advocates a patch-management policy that addresses imminent threats. Patches should be tested in a test environment. Patching priority should be given to critical servers. Automated processes to push the applicable patches to systems should be deployed whenever possible. Organizations should prevent the installation of unauthorized hardware and software.
External Defense
Many organizations leave ports to the Internet open which are not essential. OCIPEP recommends that organizations review their external access points and related open ports to determine their purpose. The general rule of thumb is to close all non-essential ports.
All unnecessary file attachments should be blocked at the e-mail gateway. Anti-virus signature files must be kept up-to-date as well.
It is important that organizations regularly review their external access policies to address new threats, as well as emerging business needs. In some cases, an organization will have to weigh its business needs against potential security risks.
OCIPEP recommends that organizations conduct regular and thorough threat and risk assessments, as well as vulnerability assessments such as periodic port scans. This practice will help identify security holes and lead to an improved security posture. It is recommended that organizations regularly review their external access logs to identify potential malicious activity.
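The port review recommended in this section can be partly automated by comparing what a host is actually listening on against a register of ports with a documented purpose. The following is an added example, not part of the OCIPEP note; the approved-port register and the listener listing (in the layout of `ss -tuln` on Linux) are constructed for illustration.

```python
import re

# Constructed register: approved Internet-facing ports and their documented purpose.
APPROVED = {
    ("tcp", 25): "inbound mail to the e-mail gateway",
    ("tcp", 443): "public web site (HTTPS)",
    ("udp", 53): "authoritative DNS",
}

# Constructed sample in the layout printed by `ss -tuln` on Linux.
SAMPLE = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:53          0.0.0.0:*
udp   UNCONN 0      0      127.0.0.1:323       0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:25          0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:443         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:23          0.0.0.0:*
tcp   LISTEN 0      128    [::]:3306           [::]:*
tcp   LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*
"""
LOOPBACK = re.compile(r"^(127\.|\[?::1\]?$)")

def parse_listeners(text):
    """Yield (proto, address, port) for each listening socket line."""
    for line in text.splitlines()[1:]:  # skip the column header
        fields = line.split()
        if len(fields) < 5:
            continue
        addr, _, port = fields[4].rpartition(":")
        if port.isdigit():
            yield fields[0], addr, int(port)

def review(text, approved=APPROVED):
    """Split externally reachable listeners into documented and undocumented."""
    documented, undocumented = [], []
    for proto, addr, port in parse_listeners(text):
        if LOOPBACK.match(addr):
            continue  # bound to loopback only: not an external access point
        purpose = approved.get((proto, port))
        if purpose:
            documented.append((proto, port, purpose))
        else:
            undocumented.append((proto, port, addr))
    return documented, undocumented

if __name__ == "__main__":
    _, flagged = review(SAMPLE)
    for proto, port, addr in flagged:
        print(f"NO DOCUMENTED PURPOSE: {proto}/{port} on {addr}: justify or close")
```

Listeners bound only to loopback are skipped because they are not external access points; every other listener without an entry in the register is reported for justification or closure.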
Remote User Management
OCIPEP recommends that organizations develop a security and acceptable use policy for users who connect to the network via remote access.
- If computers/laptops are maintained by the Information Technology (IT) section, set a policy of having the anti-virus and software patches on the laptop updated on a regular basis.
- If computers/laptops are not maintained by the IT section, develop a policy and rigidly enforce all rules and regulations with respect to home access.
- If laptops return to the workplace, they should go through a quarantine area to be checked for malicious code before they are connected to the network. This area can be used to update the laptops with the latest anti-virus signatures and applicable operating system patches.
OCIPEP suggests that remote users be prompted upon connection to the organization's network to update their anti-virus software and apply the applicable patches. If they decline, the connection should be automatically terminated.

General Practices
- Maintain an up-to-date inventory list of all network equipment, operating systems, revision levels and any applicable patches that have been applied.
- Develop a disaster recovery plan. Test your ability to restore from backups. Due to the connectivity between physical and cyber threats, it is recommended that business continuity plans be closely integrated with cyber aspects. For example, critical systems should have their own secondary power supply in the event of a power outage, as well as protection from the Internet. Other things to consider are having back-ups of critical systems, perhaps in an offsite location, and having a policy in place to disconnect from the Internet if necessary in order to contain a security issue and prevent future propagation.
- Implement public awareness programs to educate end-users on how malicious code spreads and what they can do to help prevent further propagation.

Note to Readers
The Canadian Cyber Incident Response Centre (CCIRC) provides a focal point for Canada's cyber threat and vulnerability warning, analysis and response. CCIRC is responsible for assuring the resilience of national critical infrastructure through monitoring threats and coordinating a federal response to cyber security incidents of national interest. CCIRC operates in conjunction with the Government Operations Centre (GOC) within Public Safety Canada and is a key component of the government's all-hazards approach to emergency management and national security.
For general information, please contact Public Safety Canada's Public Affairs division at:
Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: communications@ps-sp.gc.ca