What are the important issues I should consider with regard to protecting my IT network and computers?
Protecting a computer network can be a daunting task. We do not attempt to list every conceivable challenge; instead, we identify some of the more important items a police chief should consider. These issues apply whether the chief maintains and operates her own network or simply wants to be informed about the critical issues. Below we discuss the following:
• Separating the Data and Segmenting the Network
• Protecting the Network
• Educating Users and Protecting the Host
• Planning Ahead for a Cyber Incident
• Policies and Procedures
Please see the Cyber Security FAQs for basic terminology and information on cyber topics.
The LECC Cyber Report Card covers fundamental questions in assessing your cyber security
How does your agency measure up when it comes to cyber security? Law enforcement information systems and resources are increasingly at risk of attack, intrusion, ransomware, and denial of service. In order to assist chiefs in assessing their cyber security, the LECC Cyber Report Card was designed with the Canadian Association of Chiefs of Police (CACP), the Computer Crime & Digital Evidence (CCDE) Committee of IACP, chiefs of small and mid-sized agencies, and the LECC strategic partners. It is designed to be completed by chiefs and their information technology (IT) professionals. In addition to basic questions regarding fundamental IT security issues (e.g., password management, confidentiality, policy and procedures), the LECC Cyber Report Card also provides references to key tools and resources to aid chiefs and IT service providers in assessing their current security profile, and in building robust, resilient information systems. Access the LECC Cyber Report Card to assess the security of your networks and information systems, and enhance the security of your systems.
Separating the Data and Segmenting the Network
An agency must first determine the types of data that are stored on computers throughout the network before deciding the most appropriate way to protect them. Understanding which kinds of data exist where on the network will also help the agency determine which employees should have access to the systems.
To separate data and segment a network, an agency should:
- Catalogue the types of information (employee records, crime information, email accounts, etc.);
- Differentiate the information according to sensitivity. One way to think about this is to ask, “What are the harmful consequences that would occur if this information were lost, corrupted, stolen, or destroyed?”
- Once identified, the data and all related applications should be segmented into separate network environments, each protected with appropriate network and user access restrictions, including data encryption where warranted. Segmenting a network can be tricky, but to provide real protection the segments must be separated by internal firewalls, not merely by separate address ranges. Firewall rules and access controls then determine what information passes between segments and how staff move from one segment to another; the default should be to deny traffic between segments and to allow only the specific flows each application needs.
More information on network segmentation can be found in the Security Week article, Improving Security via Proper Network Segmentation. Whenever possible, rely on security and network professionals to design and implement network segments.
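The following is an added example, not code from the original page or from LECC, showing what the catalogue-then-segment process above looks like once it is written down as a policy a firewall can enforce. The segment names, subnets, sensitivity tiers and ports are constructed for illustration; the rendered rules use nft syntax and assume an existing `inet filter` table with a `forward` chain, which is an assumption for the example.

```python
"""Added example (not from the original page): model an agency network as
segments with sensitivity tiers and a default-deny allow-list of inter-segment
flows, then check individual flows and render the policy as nft-style rules.
Segment names, subnets, tiers and ports are constructed."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Segment:
    name: str
    cidr: str
    sensitivity: int  # constructed scale: 1 = general use, 2 = internal apps, 3 = most sensitive


# Constructed catalogue: each class of data lives in exactly one segment.
SEGMENTS = {
    "workstations": Segment("workstations", "10.10.0.0/24", 1),
    "apps":         Segment("apps",         "10.20.0.0/24", 2),  # email, records application
    "records-db":   Segment("records-db",   "10.30.0.0/24", 3),  # crime and employee records
    "evidence":     Segment("evidence",     "10.40.0.0/24", 3),  # digital evidence store
}

# Allow-list of (source segment, destination segment, TCP port).
# Anything not listed is denied; workstations never reach tier-3 data directly.
POLICY = {
    ("workstations", "apps",       443),
    ("apps",         "records-db", 5432),
    ("apps",         "evidence",   443),
}


def segment_of(ip):
    """Return the Segment containing ip, or None if it is outside every segment."""
    addr = ipaddress.ip_address(ip)
    for seg in SEGMENTS.values():
        if addr in ipaddress.ip_network(seg.cidr):
            return seg
    return None


def is_allowed(src_ip, dst_ip, dst_port, policy=POLICY):
    """Decide whether a single TCP flow may cross the internal firewalls."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False            # unknown address: deny by default
    if src == dst:
        return True             # traffic inside one segment does not cross a firewall
    return (src.name, dst.name, dst_port) in policy


def lint_policy(policy=POLICY):
    """Flag flows that let the least-trusted tier reach the most sensitive tier directly."""
    return sorted(
        flow for flow in policy
        if SEGMENTS[flow[0]].sensitivity == 1 and SEGMENTS[flow[1]].sensitivity == 3
    )


def nft_rules(policy=POLICY):
    """Render the allow-list as nft-style forward-chain rules.
    Assumes (assumption) an existing 'inet filter' table with a 'forward' chain;
    the final drop makes the chain default-deny."""
    rules = ["add rule inet filter forward ct state established,related accept"]
    for src, dst, port in sorted(policy):
        rules.append(
            f"add rule inet filter forward ip saddr {SEGMENTS[src].cidr} "
            f"ip daddr {SEGMENTS[dst].cidr} tcp dport {port} accept"
        )
    rules.append("add rule inet filter forward drop")
    return rules


if __name__ == "__main__":
    print("workstation -> evidence store:", is_allowed("10.10.0.5", "10.40.0.9", 443))
    print("policy lint:", lint_policy())
    print("\n".join(nft_rules()))
```

The point of `lint_policy` is that the allow-list is reviewable: a rule that lets a general-use workstation talk straight to the evidence store shows up as a finding before it is ever loaded onto a firewall. Loading the rendered rules onto a real device is still a job for the network professionals the page recommends.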
Protecting the Network
The next step is hardening the network perimeter. These tasks require a high level of computer and network understanding and should be performed by qualified security professionals, whether in-house staff or a licensed security services provider. The process involves:
- Identifying and reducing the number of computers exposed to the public Internet. This number should be as small as possible, and every exposed system should be inventoried.
- Building a firewall that isolates the majority of agency computers from the Internet
- Allowing staff computers to reach web sites on the Internet only through a proxy server
- Isolating computers that process highly sensitive information and applying more restrictive access controls to them
- Deploying a security monitoring system that watches networks, servers and staff computers (endpoints) for suspicious events and detects malware and other cyber threats
- Scanning all computers regularly for vulnerabilities (missing patches, insecure configurations) and for malware already present
- Prioritizing the vulnerabilities found by severity and by exposure (whether the system is reachable from the Internet, what data it holds, how much damage exploitation would cause) and patching them as quickly as possible.
For more information on vulnerability management, please see NIST Special Publication 800-40 rev3, Guide to Enterprise Patch Management Technologies.
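As an added illustration of the last three bullets (scan, prioritize, patch), and not code from the original page, the block below takes a constructed vulnerability scan export and orders the findings by severity and exposure. The CSV columns, the bonus points for Internet exposure and sensitive segments, and the patch deadlines are illustrative choices for the example, not values from NIST SP 800-40.

```python
"""Added example (not from the original page): read a constructed vulnerability
scan export and order findings by severity and exposure. The CSV columns, the
exposure bonuses and the patch deadlines are illustrative, not NIST values."""
import csv
import io

# Constructed scan export; a real scanner's CSV will have different columns.
SCAN_EXPORT = """\
host,ip,exposed_to_internet,cvss,finding
web01,203.0.113.10,yes,9.8,Outdated web server with known remote code execution
mail01,10.20.0.5,no,7.5,TLS library out of date
ws-017,10.10.0.17,no,5.3,Unsupported PDF reader installed
records-db,10.30.0.2,no,8.1,Database server missing security patches
web01,203.0.113.10,yes,4.3,Directory listing enabled
"""

SENSITIVE_PREFIXES = ("10.30.", "10.40.")   # records and evidence segments (constructed)


def load_findings(text):
    return list(csv.DictReader(io.StringIO(text)))


def priority(finding):
    """CVSS base score plus bonuses for Internet exposure and sensitive data; capped at 12."""
    score = float(finding["cvss"])
    if finding["exposed_to_internet"].strip().lower() == "yes":
        score += 2.0
    if finding["ip"].startswith(SENSITIVE_PREFIXES):
        score += 1.0
    return min(round(score, 1), 12.0)


def patch_within_days(score):
    """Illustrative remediation deadlines by priority tier (constructed, not a standard)."""
    if score >= 9.0:
        return 3
    if score >= 7.0:
        return 14
    if score >= 4.0:
        return 30
    return 90


def prioritize(text=SCAN_EXPORT):
    """Return findings sorted from most to least urgent, each with its deadline."""
    rows = []
    for f in load_findings(text):
        score = priority(f)
        rows.append({**f, "priority": score, "patch_within_days": patch_within_days(score)})
    rows.sort(key=lambda r: r["priority"], reverse=True)
    return rows


def internet_exposed_hosts(text=SCAN_EXPORT):
    """The set the first bullet above wants kept as small as possible."""
    return sorted({f["host"] for f in load_findings(text) if f["exposed_to_internet"] == "yes"})


if __name__ == "__main__":
    for r in prioritize():
        print(f"{r['priority']:>5}  {r['patch_within_days']:>3}d  {r['host']:<10} {r['finding']}")
    print("Internet-exposed hosts:", internet_exposed_hosts())
```

Note what the ordering does with the constructed data: a medium-severity finding on the Internet-facing web server ends up ahead of a slightly higher-scored one on an internal workstation, because reachability from the Internet matters at least as much as the raw CVSS number. Whatever weights an agency chooses, writing them down this way makes the patching order defensible and repeatable.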
Educating Users and Protecting the Host
Proper security does not stop at the network. Every computer connected to it, whether a web, email or database server or an employee laptop or desktop, should be configured with the minimum set of applications its role requires. Seldom-used applications are often the ones that serve as conduits into an organization's network, because nobody remembers to update them; anything that stays installed must be patched routinely.
In addition to uninstalling or disabling unnecessary applications, employee workstations and laptops should be equipped with anti-virus (endpoint protection) software. This reduces the opportunities attackers have to use malicious software to steal information or corrupt data. Such software is available from many reputable security vendors.
Humans can also be used to attack networks. Many data security incidents begin by tricking an employee into opening or executing a malicious email attachment. It is therefore critical for law enforcement executives and managers to communicate the harm that can result from opening unexpected attachments. Anti-virus software can detect and prevent harmful outcomes in many cases, but it is not fool-proof. Effective information security awareness training that discusses current threats and safe computing practices is essential.
Similarly, phishing scams (fake emails that solicit confidential information from the user or lure the user into clicking a link) are a common and sometimes successful method used by fraudsters and cyber criminals. One employee acting on a spear phishing message can render the best perimeter defenses useless, and it is unrealistic to expect that no one will ever click. Your information security strategy must therefore account for the fact that some phishing attacks will succeed and that there will be intrusions into your network. Email hosting providers can reduce the amount of spam and phishing email a department receives, but, as with anti-virus software, their filtering is not fool-proof. Employees of all ranks must be diligent and must never reply to an email with personal or account information (such as a username, password, social security number or credit card number). Only an effective monitoring capability that can detect and respond to malware introduced through phishing provides the degree of protection most organizations require.
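Awareness training tells staff what to look for in a suspicious message; the same indicators can be checked mechanically. The block below is an added example, not code from the original page or from any email provider, that pulls three structural indicators out of a constructed phishing message: a display name that imitates the agency while the real sender domain is foreign, a Reply-To address on a different domain, and a link whose visible text does not match where it actually points. The agency domain, the sample messages and the keyword list are constructed for the example.

```python
"""Added example (not from the original page): extract structural phishing
indicators from a constructed email. Domains, addresses and keywords are
constructed; only Python's standard library is used."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

AGENCY_DOMAINS = {"agency.example"}                                   # constructed
URGENCY_WORDS = ("urgent", "verify", "suspended", "password", "immediately")

# Constructed phishing message: impersonated display name, foreign Reply-To,
# and a link whose visible text does not match its real destination.
PHISH = """\
From: "Chief Smith (agency.example)" <chief.smith@agency-example-login.com>
Reply-To: recover@mail-reset.example
To: officer@agency.example
Subject: Urgent: verify your password
Content-Type: text/html

<p>Your mailbox is full. Go to <a href="http://mail-reset.example/login">https://webmail.agency.example</a> to verify your password within 24 hours.</p>
"""

# Constructed benign message for comparison.
BENIGN = """\
From: Records Unit <records@agency.example>
To: officer@agency.example
Subject: Monthly report attached
Content-Type: text/plain

The monthly report is attached for your review.
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL; bare hostnames and www.* text are treated as http URLs."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def phishing_indicators(raw):
    """Return human-readable indicators found in a raw RFC 822 message; [] means none fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = []
    sender = msg["From"].addresses[0]
    from_dom = sender.domain.lower()
    if from_dom not in AGENCY_DOMAINS and any(d in sender.display_name.lower() for d in AGENCY_DOMAINS):
        found.append(f"display name imitates the agency but sender domain is {from_dom}")
    if msg["Reply-To"]:
        reply_dom = msg["Reply-To"].addresses[0].domain.lower()
        if reply_dom != from_dom:
            found.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    hits = [w for w in URGENCY_WORDS if w in str(msg["Subject"]).lower()]
    if hits:
        found.append("urgency or credential language in subject: " + ", ".join(hits))
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None and body.get_content_type() == "text/html":
        parser = LinkExtractor()
        parser.feed(body.get_content())
        for href, text in parser.links:
            if ("://" in text or text.startswith("www.")) and host_of(text) != host_of(href):
                found.append(f"link text {text} actually points to {host_of(href)}")
    return found


if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("benign", BENIGN)):
        print(label, phishing_indicators(sample) or "no indicators")
```

None of these checks is proof on its own, and a careful attacker can avoid all of them, which is exactly why the paragraph above insists on monitoring for what happens after the click rather than relying on filtering alone. Checks like these are most useful as a first pass in a mail gateway or a reporting workflow that routes suspicious messages to someone who can look closer.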
It is critical to back up all important information. The simplest approach is to copy relevant data to an external hard drive, network file server or dedicated backup server; these provide a way to restore information that is lost, corrupted or stolen. In most organizations the backup procedures are part of a disaster recovery or business continuity plan. Backups must be secured against unauthorized access, and at least one copy should be kept offline or otherwise isolated from the network, because ransomware that can reach a connected backup drive will encrypt it along with everything else. Test restoring from backups periodically; a backup that has never been restored cannot be relied on.
Precautions must also be taken when employees work remotely. Employees who access agency servers from a remote location may be doing so from an unsecured network. Additional security measures, such as two-factor authentication and an encrypted connection (for example, a VPN), should be used. Departments may also want to grant remote access only to specific users (for example, command staff) and/or only from specific, agency-managed computers or networks.
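One concrete way to know that a backup can actually be restored, and that it was not quietly altered, is to record a digest of every file at backup time and check a restore against that record. The block below is an added example, not code from the original page, that builds a SHA-256 manifest of a constructed data set, copies the data, simulates ransomware damage to the live copy, and verifies both copies against the manifest. The file names, contents and simulated damage are constructed.

```python
"""Added example (not from the original page): build a SHA-256 manifest of the
data being backed up, then use it to prove a restore is complete and unaltered.
The files, paths and the simulated ransomware damage are constructed."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large evidence files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_against_manifest(manifest, root):
    """Compare a directory tree with a manifest; all three lists empty means a clean match."""
    current = build_manifest(root)
    return {
        "missing":    sorted(set(manifest) - set(current)),
        "modified":   sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "unexpected": sorted(set(current) - set(manifest)),
    }


def demo():
    """Back up a constructed data set, damage the live copy, verify both against the manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = Path(tmp, "live"), Path(tmp, "backup")
        (live / "records").mkdir(parents=True)
        (live / "evidence").mkdir()
        (live / "records" / "case-001.txt").write_text("constructed case record\n")
        (live / "evidence" / "img-001.bin").write_bytes(bytes(range(256)))

        manifest = build_manifest(live)    # store this where the backup media cannot alter it
        shutil.copytree(live, backup)      # stands in for the copy to the backup server

        # Simulate ransomware on the live system: one file overwritten, one deleted.
        (live / "records" / "case-001.txt").write_bytes(os.urandom(64))
        (live / "evidence" / "img-001.bin").unlink()

        return verify_against_manifest(manifest, live), verify_against_manifest(manifest, backup)


if __name__ == "__main__":
    damaged, restored = demo()
    print("live system after attack:", damaged)
    print("backup copy:", restored)
```

The manifest has to live somewhere the attacker cannot reach along with the backups, or an intruder who encrypts the backup can simply regenerate it. This check also says nothing about whether the backup media itself is offline; it only confirms that whatever you restore is the same data you backed up.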
Planning Ahead for a Cyber Incident
Once the network perimeter is hardened and individual computers are secured, the next step is to prepare for a cyber attack and develop a Cyber Incident Response Plan (CIRP).
The CIRP should establish procedures to help reduce the impact of a cyber attack and prepare to recover after an attack. It should be formalized in writing and include the following components:
- Detail the roles and responsibilities of each stakeholder, and clearly identify who is in charge
- Define lines of communication, both internally and externally (e.g., fusion centers, US-CERT, other state or federal agencies)
- Develop a staffing plan. Depending on the severity of the incident, you may need to bring in additional incident response expertise from outside vendors
- Determine reporting requirements to federal agencies, including any obligation to report when sensitive data is lost or released to the public
- Define and prioritize the severity levels of an attack
- Define the procedures for containing and investigating the event, as well as returning IT systems to their fully operational state
- If necessary, restore data from backups
- Test or practice the plan at least annually, including a post-incident review (lessons learned) step.
More information on incident response plans can be found in NIST SP 800-61, Computer Security Incident Handling Guide (PDF), from the National Institute of Standards and Technology. Complete information on contingency planning for system recovery can be found in NIST SP 800-34, Contingency Planning Guide for Federal Information Systems (PDF).
Policies and Procedures
Developing and implementing strong policies and procedures is essential to mitigating many of the risks outlined above, and to ensuring information systems security. Policies and procedures should address:
Access and Use
- What constitutes authorized access/use of data (including digital evidence)?
- Who will be authorized to access/use different types of data?
- Who will be authorized to approve access/use of data?
- What records/logs will be kept to identify who accessed data, when it was accessed, and how it was used?
- Clearly specify that all data generated, received, collected, and/or stored is the sole property of your agency, regardless of where it is stored.
- Even data and evidence stored on off-site servers (such as cloud-based systems or other external servers) must be included.
- Ensure that your agency has the ability to audit the physical location where any hardware hosting your data is located.
- Specify what type of information can be shared with other agencies and under what circumstances.
- Who can authorize sharing information and how will that authorization be provided?
- How will information that is shared with other agencies be tracked/logged?
- What type of physical security (restricted access rooms) and digital security (encryption or password) will be placed on agency data, information, and evidence?
- How will your agency protect electronic devices (including mobile devices)?
- Work with your IT provider to ensure that the appropriate firewall, anti-virus program, and security settings are placed on all agency devices.
- Require training for all employees (sworn and civilian) about the importance of abiding by all department policies related to information systems security, device use, and Internet browsing.
- Establish procedures for enforcement if employees are suspected of being, or have been found to be, non-compliant.