Corporate networks face more security threats than ever before. Whether it's the rampant spread of malware, malicious employees, or plain and simple user error, IT administrators must bend over backward to ensure that intruders stay out and corporate data stays in. Tools abound to help you secure your data, but one simple policy -- regardless of which part of your infrastructure you look at -- will invariably protect you more than any single piece of security hardware or software: Deny all, permit some.
A recent reminder of the value of this policy came to me when an organization I work with was struck by a new zero-day worm. Within a few hours over a weekend, a significant portion of the Windows machines on the network had been infected. It was most of the way through the following Monday before virus detection signatures that would recognize the worm and its payload were made available and real progress was made toward combating it.
Like many worms, this one carried a Trojan payload that gave the attacker remote control of infected workstations and leaked data, while showing no outward sign of infection or denial of service. Fortunately, the network administrator had decided years earlier to configure every border security device to deny all traffic, inbound and outbound, unless it had been requested for a business purpose and specifically allowed. That policy had never been popular with users, but here it left the worm unable to reach its control server, which prevented both data leakage and further infections.
Although eradicating a worm that had dug into so many systems took a fair amount of work, the net effect on users and the organization was small. Given that the Trojan would have shipped random documents, passwords, and full keystroke logs out to the attacker, a completed infection could have posed a serious, even existential, risk to the business.
In the end, a raft of security measures, a well-tuned IPS, a content filter, desktop security policy, and anti-virus software, were all shown up by a simple "deny any any" rule at the bottom of the access list on the inside interface of the firewall. The tools that depend on signatures had nothing to match until Monday; the default-deny rule never needed one. That's some serious food for thought: sometimes the easiest things you can do to secure your network will have the biggest impact.
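To make the point of the inside-interface access list concrete, here is an added example (not the column author's configuration, and not any vendor's syntax) of a first-match egress policy evaluator in Python. The rule list mirrors the shape of the policy described above: a handful of explicit permits for traffic with a business justification, then a deny-all at the bottom. The addresses, ports and flows are constructed for illustration; the "worm" flow is simply an inside host opening a direct connection to an outside server, which is exactly what such a policy stops without knowing anything about the malware.

```python
"""
First-match egress ACL evaluator. Added example, not the column's own
configuration. Addresses, ports, rule names and sample flows are
constructed for illustration only.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp" or "any"
    src: str              # source CIDR
    dst: str              # destination CIDR
    dport: Optional[int]  # destination port, None means any
    note: str             # why the rule exists (the business purpose)


# Hypothetical inside-interface ACL. Only requested, justified traffic is
# permitted; everything else falls through to the final deny. Evaluation
# stops at the first matching rule, so ordering matters.
EGRESS_ACL: List[Rule] = [
    Rule("permit", "udp", "10.0.0.0/8",    "10.0.0.53/32", 53,
         "DNS, but only to the internal resolver"),
    Rule("permit", "tcp", "10.0.0.0/8",    "10.0.0.80/32", 3128,
         "web, but only through the proxy"),
    Rule("permit", "tcp", "10.0.0.10/32",  "0.0.0.0/0",    25,
         "the mail relay alone may send SMTP outbound"),
    Rule("deny",   "any", "0.0.0.0/0",     "0.0.0.0/0",    None,
         "deny any any: the rule that did the work"),
]


def evaluate(acl: List[Rule], proto: str, src: str, dst: str,
             dport: int) -> Tuple[str, str]:
    """Return (action, note) of the first rule matching the flow."""
    s, d = ip_address(src), ip_address(dst)
    for r in acl:
        if r.proto not in ("any", proto):
            continue
        if s not in ip_network(r.src) or d not in ip_network(r.dst):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, r.note
    # Most firewalls deny silently when nothing matches; we mirror that.
    return "deny", "implicit deny (no rule matched)"


# Constructed sample flows from an infected workstation 10.1.2.3 and from
# the mail relay 10.0.0.10: (proto, src, dst, dport, description).
SAMPLE_FLOWS = [
    ("udp", "10.1.2.3",  "10.0.0.53",    53,   "normal DNS lookup"),
    ("tcp", "10.1.2.3",  "10.0.0.80",    3128, "normal web via proxy"),
    ("tcp", "10.1.2.3",  "203.0.113.7",  443,  "Trojan calling home"),
    ("udp", "10.1.2.3",  "198.51.100.9", 53,   "DNS to an outside server"),
    ("tcp", "10.1.2.3",  "192.0.2.50",   445,  "worm probing a remote net"),
    ("tcp", "10.0.0.10", "203.0.113.7",  25,   "mail relay delivering mail"),
]


def worm_callback_blocked(acl: List[Rule]) -> bool:
    """True if the direct connection to the control server is denied."""
    action, _ = evaluate(acl, "tcp", "10.1.2.3", "203.0.113.7", 443)
    return action == "deny"


def summarize(acl: List[Rule], flows) -> dict:
    """Count permitted and denied flows; useful as a policy sanity check."""
    counts = {"permit": 0, "deny": 0}
    for proto, src, dst, dport, _desc in flows:
        action, _ = evaluate(acl, proto, src, dst, dport)
        counts[action] += 1
    return counts


if __name__ == "__main__":
    for proto, src, dst, dport, desc in SAMPLE_FLOWS:
        action, note = evaluate(EGRESS_ACL, proto, src, dst, dport)
        print(f"{action:6} {proto} {src} -> {dst}:{dport}  ({desc}; {note})")
    print("callback blocked:", worm_callback_blocked(EGRESS_ACL))
```

Note that the permits are narrow on purpose: DNS is allowed only to the internal resolver and web only via the proxy, so the common evasions (tunnelling over port 53 to an outside host, or direct HTTPS to the control server) hit the deny rule just as a random port would. A worthwhile check on any real deny-all policy is to run a list of known-bad flows through it, as `summarize` does here, whenever a new permit is added.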