Four Strategic Principles of Network Security Design

Frequently Asked Questions

How do you set up a network security design strategy?

Start with these four strategic principles to improve your network security architecture: compartmentalization, the weakest link, vulnerability assessment, and layering. Implementing individual cybersecurity elements such as encryption and firewalls in an ad hoc manner will not be enough. They must be cohesively tied together.

What is network segmentation and why is it important for security?

Through network segmentation, the entire network is partitioned into smaller sub-networks. If an organization has a flat and open network, once that network is infiltrated, the attacker can establish a foothold to move across the network, potentially stealing data and infecting key assets. The key step for segmentation is setting up 'demilitarized zones' (DMZs) between sub-networks.

What is the Principle of Least Privilege and how does it apply to network security?

Individuals within the organization should have only the privileges and access within the system that are necessary to perform their job. Users who have no need to access customer personal data, for example, should have their user access restricted from networks containing that data. If a particular sub-network has no need to communicate with another sub-network, it should not be able to.
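
An added example, not from the original post: the Python below audits observed network flows against a default-deny allow-list between sub-networks and reports any cross-segment traffic that has no stated need. The segment names, address ranges, ports and sample flows are constructed assumptions.

```python
import ipaddress

# Constructed segment plan (assumption: names and ranges are illustrative).
SEGMENTS = {
    "user_lan": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "customer_data": ipaddress.ip_network("10.30.0.0/24"),
}

# Default deny: only these (source segment, destination segment, TCP port)
# combinations have a documented business need.
ALLOWED = {
    ("user_lan", "dmz", 443),
    ("dmz", "customer_data", 5432),
}

def segment_of(ip):
    """Map an IP address to its segment name, or None if it is not in the plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None

def audit_flows(flows):
    """Return cross-segment flows that have no allow-list entry."""
    violations = []
    for src, dst, port in flows:
        s, d = segment_of(src), segment_of(dst)
        if s is not None and s == d:
            continue  # intra-segment traffic is outside this check
        if (s, d, port) not in ALLOWED:
            violations.append((src, dst, port, s or "unmapped", d or "unmapped"))
    return violations

# Constructed sample flows: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("10.10.4.7", "10.20.0.5", 443),    # user LAN to DMZ web tier: allowed
    ("10.20.0.5", "10.30.0.9", 5432),   # DMZ to customer data store: allowed
    ("10.10.4.7", "10.30.0.9", 5432),   # user LAN straight to customer data: flagged
    ("10.10.4.7", "10.10.9.1", 445),    # same segment: skipped
    ("192.168.1.5", "10.30.0.9", 22),   # source outside the segment plan: flagged
]

if __name__ == "__main__":
    for violation in audit_flows(SAMPLE_FLOWS):
        print("no business need on record:", violation)
```

Running the same check against firewall or flow logs on a schedule shows where the enforced rules have drifted from the intended segmentation.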

What is the difference between automated vulnerability scanning and penetration testing?

An automated vulnerability scanning tool will identify all the systems (e.g., servers, desktops, laptops) connected to the network and then check each one against a checklist of known vulnerabilities to see if any are present. This is distinct from penetration testing (Control 18), in which an individual 'impersonating' an actual individual or attacker looks at specific weaknesses in the network that could be exploited.

What are the key layers needed for a defense-in-depth network security strategy?

Key layers for network security include: perimeter and network controls such as firewalls, email protections including filtering and encryption protocols, web filtering, data encryption of important financial and personal information, and device management to ensure all devices connected to the network meet organizational security requirements. The idea is that if any intrusion or attack gets through one layer of defense, another layer of defense will catch the attack.
