100 3.1 Preventative Measures for Information Security Managers
be used in combination with other strategies. For example, risk trans-
fer can also refer to shifting a physical risk, or part thereof, elsewhere.
3.1 Preventative Measures for Information
Security Managers
The preventive measures for information security (or InfoSec) managers
to implement as a part of the continuity planning are very important.
They can be organized in terms of Virtual Private Networks (VPNs) and
remote access, firewalls, encryption, intrusion detection and prevention
systems, antivirus, anti-spyware, and anti-spam software, all of which will
be discussed in the following paragraphs.
3.1.1 VPNs and Remote Access
Virtual private networks (VPNs) are “tunnels” between two endpoints that
allow data to be securely transmitted between the nodes and, in many cases,
an extension of a private network. A private network is one where all data
paths are hidden from everyone except a limited group of people, generally
the customers or employees of a company. In theory, the simplest way to
create such a private network would be to isolate it entirely from the Inter-
net. However, for a business with remote location needs, this is clearly not a
practical solution. While it is technically possible to create a private net-
work using frame relay, ATM, or some other leased-line solution, that solu-
tion could easily become cost-prohibitive. Also, that solution may not even
provide the required degree of security needed for the organization’s remote
access users.
When using leased lines to establish a private network, another consid-
eration to factor into the mix is what happens when (not if) the line goes
down. This outage situation would cause all connected nodes in the private
network to go “COMM OUT” until the leased line came back up. Clearly,
this is not a practical solution either. What if we wanted to share resources
on the private network with customers? That would not be possible over a
physically separated or isolated network. A remote dial-up server may solve
the problem, but then we would have to question the very concept of “vir-
tual” in our virtual private network.
In today’s environment, a VPN makes use of existing infrastructure,
public or private. This may encompass the use of both LANs and WANs.
The transfer of data over a public network is accomplished by using what is
referred to as tunneling technology (further explained below) to encrypt