
Network and Computer Security

Steve Mallard

© 2007

The Impact of Computer and Network Security in Corporations Today:

Understanding the Impact and Solutions of Computer and Network Security in Today’s World

by Steve Mallard

Computer and Network Security

Copyright © 2007 Steve Mallard

All rights reserved. No part of this book may be used or reproduced by any means, graphic, electronic, or mechanical, including photocopying, recording, taping or by any information storage retrieval system without the written permission of the publisher except in the case of brief quotations embodied in critical articles and reviews.

Printed in the United States of America

The Problem

In today’s world of the internet and ecommerce, many companies lack the expertise and training to secure their critical network infrastructure and data. Because of this shortfall, many companies’ infrastructures are subject to being compromised. With extortion, cyber theft, malicious attacks and internal theft occurring at an unprecedented pace, many companies are just becoming aware of these problems. While a few companies and corporations awaken to a new world of problems, many continue to sleep, totally oblivious to what is happening as they go about their daily work. This research gives terminology and briefs from the Information Technology industry. It provides an in-depth understanding of what network and infrastructure security problems are present and what will be required from companies and corporations in order to protect themselves from malicious activities.

Research Method and Design

The research behind this paper combines information from industry experts, national publications, the Internet, technology college textbooks and a large school system (a higher education facility) implementing a strategy for the ongoing development of a security plan for protecting its network infrastructure and data. The use of information from the latter was most beneficial to discussions of internal network infrastructure, interpretation of friendly vs. malicious and how to implement compliance for Computer and Network Security. The implementation plan outline is provided in Chapter 2, followed by the methodology used and a detailed plan in use at the researcher’s place of employment (a higher education facility) in Chapter 3.

Findings

As the study concludes, the primary requirement for compliance with network and infrastructure security is a strong and robust internal policy and procedure for the infrastructure of companies, with continual training. Companies with no policies or weak policies will continue to fail to comply with security initiatives, and their costs for repairing or troubleshooting their network will be far greater than those of a company in compliance. Ultimately, those companies with a strong policy and procedure that includes disaster recovery and failure will excel. Individual users, including the main hierarchy of the Information Technology Department, will have more assurance that they, as well as their individual clients’ data, are protected. Companies and corporations must support Computer and Network Security initiatives along with meeting the budgetary needs of their department in order to maintain a healthy profit margin for the end product produced by the business. The lack of security in today’s infrastructure could result in the demise of the corporation.


CHAPTER 1

Introduction

Problem Statement

Since the advent and infancy of the internet, many U.S. companies and corporations have functioned and operated with very little Computer and Network Security in place in their network infrastructure. Although many of these companies and corporations have hardware firewalls and intrusion detection systems in place, many of these businesses do not have policy and procedures to guide and govern their infrastructure security. Policies along with personnel are the backbone of Computer and Network Security. This backbone is the fragile structure that keeps companies secure in today’s digital world. These directives (Policy and Procedures) ensure that companies and corporations will be in compliance as long as the CIO or IT manager enforces them.

Although a definite and structured compliance has not been put in place, directives and training are the true tools needed to help companies maintain a form of security within their organization.

Until now, computer security and locking down the network infrastructure has been on the back burner with most companies and corporations because of cost. According to a corporate poll in a nationally recognized information technology magazine, 99% of U.S. companies now use some type of preventive antivirus technology, with 98% of these companies now using firewalls. This electronic security poll was based on compiled information from larger corporations and their practices and does not include small to midsize companies found throughout the United States. The recently released polls cited in this research paper usually focus on larger companies and corporations in the United States. The main reason for this was found by interviewing several midsized and smaller companies locally. These smaller companies and corporations usually have outsourced their Information Technology infrastructure to private organizations that do not have written policy and procedures for these smaller companies. Normally, these outsourcing companies do not have any type of policy and procedure in place for their current clientele. Because of this practice, these companies and small corporations do not look at industry related security trends, security issues or any relevant areas of computer security. It was found, however, that <10% of the companies offer a service related plan that pushes security issues for their clientele.

This complacency can have an enormous impact on consumers and customers of the companies and corporations. With no or very little money or funding for a technology budget, these entities often use friends, family or small computer companies to fix or repair their computers or network. This results in a huge security gap between a professional information technology department and someone who is not trained in basic security needs.

With this gathered statistical information, numerous private and public corporations can appreciate the need for network infrastructure security, and are beginning to put in place multiple phases of internal and external protection for their digital and electronic assets. Small to mid-size organizations are hesitating due to simple inadequate funding and the rising cost and expenses of security of digital assets found in the modern workplace. Companies often miss the importance of the cost of a security breach vs. the cost of preventive security measures. This unintended hesitation in implementing network infrastructure security is causing more and more companies to be violated or exploited by malicious hackers and crackers. With this exploitation, companies subject themselves to lawsuits from their own customers. These companies are often ignorant of the simple fact that they have been exploited until customers report the issues to them. Many times, more than thirty days go by before someone alerts the company of a possible security breach.

The cost of an electronic exploit can be greater than a million dollars per incident, as reported by the FBI. This information is found in the FBI’s (Federal Bureau of Investigation) report of cyber threats in the United States. To help counterbalance this, smaller to midsized companies could spend less than $5,000 to harden their systems and operating systems and to put a stateful firewall in place. As stated in this paper, these companies often lack the resources, materials and funds to do so. While the FBI report shows reported incidents, there are thousands of incidents that go unreported. Often these incidents are yet to be discovered.

With this number of small to mid-size corporations ignoring or slowly implementing security measures, more and more electronic computer crimes are beginning to take place throughout the U.S. With extortion now moving into the digital age, many corporations do not report intrusions to law enforcement in order to avoid negative publicity. Reports of an intrusion could directly have a negative effect on the company’s sales and position in a global competitive market. Approximately 35% of corporations don’t report electronic intrusions to keep their competitors from gaining any type of advantage. Today’s modern bank robber can be a hacker thousands of miles away hidden behind spoofed IP addresses or behind a zombie computer. Reports are also withheld to avoid embarrassment with the general public. This withholding of information often leads to a band-aid fix.

Other means of protection include standardizing policy and procedures within corporations to help protect the network infrastructure of corporations. Policy and Procedures rely on the initial implementation along with annual or semiannual follow-ups. Without these policies and procedures in place, a company’s survival in the security race to protect its infrastructure is compromised.

Smaller and mid-sized companies very rarely have these policies in place and often operate their network by the “seat of their pants”. These companies rely on and trust their computer vendors to make them as safe as possible. Poorly trained personnel with these computer vendors can have a negative impact on the overall security of the organization.

Medium size companies often have the budget, but the Information Technology manager is often stretched too thin to prevent or react to security needs of the company. These IT managers often work longer hours and tend to miss early warning signs of network lapses. Through no fault of their own, breaches can occur and not be discovered for weeks.

Outsourcing information technology teams to other countries can have another form of negative impact on companies. With third world countries competing in a global market, the confidential information of clients and internal data can be jeopardized by these companies. Using third world countries for technical support can lead to disastrous consequences when relying on someone over a world apart to secure your network. CIOs (Chief Information Officers) and IT managers found in larger companies and corporations usually have these operational policies in place with a system for disaster recovery and planning. The logistics alone in larger corporations can be a double edged sword. With these policies in place, the arduous task of changing the policies can take weeks or even months as management goes through several meetings with committees and sub-committees. Agreement among industry professionals on the correct internal computer security is usually led by a trained security analyst in the corporation who may or may not have proper certifications or security training. CIOs have to put raw faith and trust into the company’s security analyst in hopes that their knowledge is on the cutting edge in a technology that is changing daily. These analysts have to make decisions on how and when to implement protection within minutes of finding out about vulnerabilities. The communication by the analyst must be thorough and accurate. The Computer and Network Security analysts have to look into the immediate future for growth of their business, and often they have to try to foresee changes before these changes come about.

Smaller companies and young corporations, on the other hand, usually do not have policies or disaster recovery and planning policies in place. With limited budgets, these companies may have a limited number of IT (Information Technology) personnel within their ranks or may outsource all of their network or technology personnel. This limit in resources may cause a lack of compliance with industry standards and conformity to security standards. With laws in effect such as HIPAA (Health Insurance Portability and Accountability Act of 1996), GLB (Gramm-Leach-Bliley) and the U.S. Patriot Act, these companies may not be conforming to U.S. laws or rules imposed in their industry.

Therein lies the problem: Companies have to understand that setting internal policy and procedures on security (along with proper disaster recovery and planning) have to be put in place in order to protect their assets and the consumers they serve. With ecommerce growing by leaps and bounds each year, more and more companies from small to large are accepting credit cards, debit cards and electronic checks on line. With over two million dollars in lost annual revenue in the United States, they must ensure that their initial investment will be worth the protection of their data and their client’s information.

This act alone can help to prevent the breach in security of their corporate network. Setting and maintaining an information technology budget along with policies can help to ensure the protection of the company’s network.

Purpose of the Study

This study has multiple purposes: 1) to discuss the necessity of policy and procedures related to disaster recovery and planning and security; 2) to discuss the advances in security to include intrusion detection systems; 3) to discuss the impact of security in the business environment along with legal ramifications in the event data is stolen or destroyed; 4) to present and to validate the necessity for security. This study will review the history of security and the ways it has grown to a multibillion dollar business over the past decade. Flaws in Operating Systems and applications, the history of the internet and the development of policy and procedures will be examined for a critical understanding of the importance of protecting corporate clients and assets.

The research will define policy and procedures and security across local area networks, metropolitan area networks and wide area networks to include the internet. It will provide an in-depth discussion of the potential impact on today’s corporations in terms of planning, cost, implementation and legal cost in the event of a breach. With consumer assets growing on the internet, a consumer puts trust in the company’s hands that their credit card or debit card is being protected. Consumers are often undereducated in finding reliable security oriented companies.

The aforesaid research, when implemented, is vital to the future not just of ecommerce but to the survivability of companies today. With consumers spending more money on the internet than ever, companies have to protect their infrastructure. This study will present a plan for policy and procedures and how they outline good security practices and will illustrate the necessity for predicting the future of security in the information technology industry.

The fictitious names “Allen Corporation”, “Neill Corporation” and “Taylor Corporation” will be used to reference several companies known by the researcher along with a higher education facility. These references set up an example of small, medium and large businesses, and allow for the confidentiality of real operating businesses the researcher has worked with. This is needed in order to protect the anonymity of each entity and the operations and confidentiality of each business. These businesses represent the medical industry, a retail industry and a large production corporation.

Importance of the Study


It is very important to understand security with regard to the world’s economic infrastructure and how it is now based on the globalization of ecommerce. With billions of dollars based in virtual monies on the internet in databases worldwide, extortion, theft, identity theft and other malicious activities are becoming more widespread. The FBI’s security survey shows an increase to over $93 million dollars this year (2004). This report shows the following information about security losses this year alone:

o $26 million dollars – denial of service
o $11.5 million dollars – theft
o $55 million dollars – viruses

Identity Management, which helps prevent the security losses reported by the Federal Bureau of Investigation, is deployed nationally in less than 50% of companies with less than 5000 employees. Identity Management alone for companies shows the following information about the deployment of networking sessions:

With this amount of profits being lost by businesses and corporations, companies are looking at electronic security to maintain a competitive edge over other businesses in the U.S. Companies are also looking at the cost of an electronic breach and the amount of money it would cost through damages lost by consumers or a client.


Information Technology professionals today struggle to keep up with technological changes throughout the information technology industry. Often security patches and updates are produced by software vendors on a daily basis. With this in mind, Chief Information Officers try to keep their employees up-to-date on the operating systems, computer applications and proprietary software. This often leads to a “surface skimming” of security if CIOs and security analysts do not study and focus on current and past security issues.

“Surface skimming” covers the basics of security and is not in-depth enough to help companies adequately protect their networks.

Long meetings on the exact effect of missed software updates or patches result in lost monies for companies. Briefings often have to substitute for meetings on security and protection of the network infrastructure. These meetings often cover the releases and very rarely a description of the exact security problem.

Because these problems can be quite technical, trainers or IT managers often tell their colleagues to get the updates or patches and never explain the reasons why.

With internet oriented viruses and “hackers” and “crackers” out on the internet, the challenge now becomes ‘how to’ train these professionals who protect your infrastructure and how to protect your client and company assets.


Training young information technology professionals becomes a tedious, never-ending task for information technology managers. Often the IT departments are understaffed and overwhelmed by the amount of work they have to contend with. This leads to missed meetings, inadequate training or other related items being put off due to long hours of work. With training at the aforesaid companies, security becomes a priority for not just the IT department but also all of the other departments throughout the corporations.

Scope of the Study

This study encompasses many areas and broad-based research of relevant materials from industry leading experts. The implementation of security in stages across organizations is of the utmost importance. The study uses research materials collected through November 2004 and will draw on the professional position of the researcher to observe the impact of security on organizations today. With over twenty years of experience, the researcher has gone through many implementations of new security trends. This study looks at the implementation of security of organizations from the CIO’s viewpoint.

Security among organizations today has several parts that need reviewing and updating. This study will identify why and how organizations are not meeting the demands of industry as ecommerce grows globally. This research paper provides research into all aspects of companies whether the company is small or big. Companies who the feasibility of how industries today could take precautionary measures to protect themselves if the companies would provide policy and procedures for all members of the company’s information technology team. With cyber crimes increasing every year, the research materials and written analysis of this study could encompass an enormous amount of material. Included in the appendixes of this study are such laws that have gone into effect over the past several years.

An implementation plan for security in a modern company covers both physical and cyber security. A look at the example companies and how they used modern methods for “locking down” their networks and clientele data will be discussed. The following steps have been used to gather the analysis for this paper:

1. Collected data to support the weakness and underlying causes of security collapse.

2. Used professional experience from the researcher’s company to look at analyzing and confirming research materials.

3. Consulted with Allen Corporation, Neill Corporation and Taylor Corporation to gather information relevant to the discussion on security in modern infrastructures.

4. Analyzed and collected data based on the scope outlined in these sections.

5. Made the final analysis.

Rationale of the Study

Protecting a corporation’s network is no longer an option. Many different opinions across the nation exist on how to protect a company’s assets. CIOs now hire security managers and security analysts just to review current policy and procedures and to look at the business’s infrastructure. In order to survive without a disruption of business or without having assets stolen, businesses today must meet industry requirements and look at their implementation strategies for long term protection.

This research will investigate several experts’ views on what is needed in order to protect internal data. From these materials researched, this study will present the Computer and Network Security infrastructure in place at the Allen Corporation, Neill Corporation, Taylor Corporation, and a higher education facility. Using the expertise of industry leading experts who have implemented, or utilized skills to protect, their company is the best way to present a recommended security plan.


Overview of the Study

Every magazine listed in the bibliography contains information regarding security. With this tremendous amount of media press surrounding security, industry experts are beginning to agree and acknowledge the need for security. Experts from every field in the information technology industry, including consulting, auditing, financial, medical, government and technology vendors, are giving their opinions and interpretations on the broad subject of Computer and Network Security. Many of these experts have turned this subject matter into a lucrative business. This study will narrow the broad range down to discuss the impact on companies and provide a summary of recommendations based on the given companies within this paper.


To look at all of security as a whole would be impractical. Security is constantly going through a metamorphosis. Because of these changes, this paper would be outdated if all security measures, programs and threats were outlined. As a result, this study will focus on the most critical and initial requirements for protection in the workplace.

In conclusion, the researcher’s professional background in the Information Technology field, with over 20 years of experience, will contribute to the significance of this study.


CHAPTER 2

Review of Related Information

Introduction


As the internet came to be, security was low profile and on the back burner for most corporations. Connectivity was a primary concern for Information Technology Professionals as the internet began several years ago. With this beginning, malicious users began to infiltrate and modify systems and data. Sending out viruses and hacking through weak unprotected networks, these users became an immediate threat to legitimate business that wanted to expand and grow globally.

Many Chief Information Officers state that the ever growing concern of security is one of the biggest tasks facing the information technology field today. With spyware/malware, worms, viruses, internal threats and hackers, companies today face their most challenging time for ecommerce growth. With customers all over the globe, the protection of local assets as well as the customers’ account information is of the utmost importance.

The historical events that have caused such a concern with computers began with the simplex hacking of phones by “Captain Crunch” and the adding of boot sector viruses to floppy disks. The growth of these malicious activities now can affect millions of users within a matter of minutes. The historical events for malicious and non-malicious activities are as follows:

1960 Students become the first hackers
1970 Phone Phreaking and Captain Crunch
1980 Hacker Boards on BBS (early ways to chat)
1983 Kids Begin Hacking
    o Note: Los Alamos National Laboratory, which helps develop nuclear weapons, was hacked this year.
1984 Hacker Magazines
1986 Computer Fraud and Abuse Act
1986 Boot sector viruses
1987 File infecting viruses
1988 First Antivirus solution – Encrypted viruses
1988 Unix Worm
1989 Cyber Espionage with Germans and KGB
1989 Credit Card Theft Goes Mainstream
1989 Date oriented viruses
1990 Stealth, Polymorphic, Multipartite and armored viruses
1991 Stealth, Polymorphic and Multipartite
1992 Code change viruses
1993 Viruses that attacked viruses
1993 Hacking used to cheat phone system to win contest
1994 Hacking Tools Become Available
1994 Encoded Viruses
1995 Kevin Mitnick Hacks the Government
1995 First Macro Viruses
1996 Macro viruses affecting Microsoft Excel
1997 AOL (largest) ISP Hacked
1998 The Cult of Hacking Takes Off
1998 Spyware/malware begins to download to machines globally
1999 Macro viruses affecting Microsoft Word
1999 Software Security (Windows begins providing updates)
2000 Service Denied
2000 Worm viruses
2001 DNS Attack

Many other significant events have happened over the past forty years. This timeline is a brief listing of major events that took place.

As the timeline above shows, malicious activities have been around for forty years and are growing by leaps and bounds every day. With government laws on cyberterrorism being put into place all over the globe, the continual infection of machines along with hacking is at an all time high. The research materials presented show that because of ecommerce and the growth of the internet, there is no end in sight to the growth of these activities. This study will present research materials to give several opinions on the recommendations to protect your network infrastructure.

Importance of Internal Company Security and Auditing Controls

This section discusses several categories of Internal Company Security and Auditing Controls. Included is a discussion on the general importance and purpose of having these controls in place and their relevance to protecting the internal and external infrastructure by the information technology department.

It is important to understand that the control of every aspect of the network infrastructure (out to the client side) is very important, and the lack of such controls by the company or the information technology department could be catastrophic.

General Internal Company Security and Auditing Controls

General Internal Company Security and Auditing Controls are being applied today so that companies can have a standard approach to bring together different opinions and ideas. These Internal Controls are generally brought together by a consortium of management and other personnel to achieve the company’s objectives. Internal Controls allow companies to maintain several of the following areas:

o Efficiency of operations.
o Compliance with laws and regulations.

Several documents have also been released to suggest ideas about Internal Company Security and Auditing Controls:

o Company controls should be built into operations currently in place.
o All departments and personnel within a company have input to Company Controls.
o Company and Internal Controls help to govern companies currently operating.

According to policies of a higher education facility, companies should have a continuous program in place to put together and assemble training and implementation through several avenues:

Risk Assessment
o The identification of key weaknesses in computer systems, nodes on a network, clients, connectivity and training.

Security Control Activities
o Policies and Procedures that ensure all levels of the company are within compliance with standards set by the company.
o Activities include hierarchical structure, authorization, implementation, disaster recovery and planning.

Information and Communication
o Information from vendors is archived.
o Information from customers (clients) is logged.
o Communication along internal paths of the company to ensure all areas of protection are available.

Monitoring/Auditing
o Assessment of hardware firewall.
o Assessment of Software Patches and Service Packs.
o Management of all personnel.
o Auditing of logs and change orders.
o Monitoring of performance of all nodes on the network.
o Monitoring of security alert sites of government and for profit sites.

The research paper at this point has focused on the importance and makeup of generalized Internal Company Security and Auditing Controls. Weaknesses in this structure follow:

o Communication
o Poor or lack of judgment
o Lack of training
o Lack of concern
o Disgruntled employees
o Lack of review
o Lack of training

It is up to management at all levels to monitor company security and auditing controls.

General Information Technology Controls


Certification vendors have tried to measure the general knowledge of information technology professionals by providing tests in vendor and vendor neutral areas. These certifications are used to show the competences of IT professionals. It is important to understand this information when looking at the internal controls of your information technology department. The strength of these certifications is indicated by the exposure to the conceptual material of the subject matter. The weakness of these certifications is the fact that materials and testing materials can be gained anywhere on the internet. Therefore, it is important to have qualified personnel who have certifications and the “hands on” experience of working with different operating systems and hardware.

With general controls of security and auditing at the company level, an adherence to controls at the IT department level is of the utmost importance because this department is at the front end of the network protection strategy.

In many networks, the company has an intricate, complex infrastructure of local area networks, virtual LANs, virtual private networks and security policies in place. However, many networks today lack the expertise and trained personnel to provide maintenance.

Miscellaneous Laws Defined

Computer Fraud and Abuse Act of 1986

Versions of this Act were intended solely to protect confidential information contained in government and financial industry computers from criminal theft by hackers, or to prevent conduct that actually "damaged" a computer’s programming.

Internet Security Act of 2000

Jurisdictional and Definitional Changes to the Computer Fraud and Abuse Act: The Computer Fraud and Abuse Act, 18 U.S.C. § 1030, is the primary federal criminal statute prohibiting computer frauds and hacking. This bill would amend the statute to clarify the appropriate scope of federal jurisdiction. First, the bill adds a broad definition of “loss” to the definitional section. Calculation of loss is very important both in the company determining whether the $5,000 jurisdictional hurdle in the statute is met, and, at sentencing, in calculating the appropriate guideline range and restitution amount.

Gramm-Leach-Bliley

The Financial Modernization Act of 1999, also known as the “Gramm-Leach-Bliley Act” or GLB Act, includes provisions to protect consumers’ personal financial information held by financial institutions. There are three principal parts to the Gramm-Leach-Bliley Act’s privacy requirements: the Financial Privacy Rule, the Safeguards Rule and the pretexting provisions. With this act in place, many non-financial institutions and businesses may be covered by this act. A higher education facility has posted this act because of the financial aid provided to students.

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996. The United States Congress called for regulations promoting and advising administrative simplification of electronic healthcare transactions as well as many regulations ensuring the security and privacy of a patient’s information. The Act required Congress to enact laws implementing these goals by 1999. When Congress failed to do so, the Department of Health and Human Services stepped in and began promulgating regulations. The regulations apply to what are called "covered entities:" health plans, healthcare providers and healthcare clearinghouses that transmit any electronic health information in electronic transactions. The regulations are made up of three distinct parts: transaction standards, privacy and security.

U.S. Patriot Act

This law dramatically expands the ability of states and the Federal Government to conduct surveillance of American citizens and corporations. The Government can monitor an individual's or company’s web surfing records, use roving wiretaps to monitor phone calls made by individuals "proximate" to the primary person being tapped, access Internet Service Provider records, and possibly monitor the private records of the general public involved in legitimate protests. All companies are governed by this law after the September 11 tragedy.

Impact of Laws on Companies

Several laws have been put into place, including the Computer Fraud and Abuse Act of 1986, Gramm-Leach-Bliley, HIPAA, the U.S. Patriot Act and others, which commonly affect some if not most companies.

Medical facilities are governed by all of these and especially by HIPAA. With this law in effect, companies (health organizations) are especially affected due to the strict regulation of privacy and the protection of patient records.

Impact on Operations and Organization

Security can have a direct impact on organizations by creating an infrastructure that is often slowed by taking security measures. These measures on appearance may “hinder” the day to day operations of the facility. Personnel may complain of the “hardened” security measures put into place; however, these measures are needed.

Impact on IT Infrastructure

The information technology department can often be undermanned, and a lack of trained personnel may be displayed when trying to conform to industry standards for security. This can lead to poor or inadequate protection of data. Databases such as SQL, MySQL, SAP or Oracle can contain millions of customers and demographic information which needs to be protected. With this much data, the overall risk becomes greater because of the loss that can occur.

With databases such as those listed above, multiple servers can be used for redundancy, creating twice the workload on IT personnel. This researcher along with industry experts agree that logs on all servers should be in place for an adequate auditing system. Industry leaders also agree that having security logs in place is not enough: if the internal controls for auditing (the reading of logs) are not in place, this can lead to disaster and loss of data.

Larger companies have a distinct advantage over smaller companies because of the minimal work required to keep their network infrastructure secure.

A small list of duties below is required to keep data protected:

- Periodic changes of passwords
- Updating of policy and procedures
- Auditing server logs
- Auditing firewall logs
- Researching new malicious threats at third party information sites
- Physical security
- Applying patches
- Applying service packs
- User management
- Monitoring spyware/malware
- Monitoring new installs
- Monitoring performance
- Monitoring IDS systems
- Monitoring anti-virus protection

Password policies are often overlooked after the inception of the computer network. Network administrators can use the Group Policy editor on workstations or rules in Active Directory to set password rules. Minimum length, complexity and history settings can greatly increase Computer and Network Security.
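
One way to check that the password rules described above are actually in force on a Windows workstation is to audit the settings the machine reports. This is an added example, not code from the original paper; the sample text is constructed in the layout printed by the Windows `net accounts` command, and the baseline numbers are assumptions, since the paper gives none.

```python
import re

# Constructed sample (not captured from a real host) in the layout printed by
# the Windows `net accounts` command on a workstation with default settings.
SAMPLE_NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          Unlimited
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
The command completed successfully.
"""

# Hypothetical baseline: the paper names the settings but not their values.
BASELINE = {"min_length": 8, "history": 5, "max_age_days": 90}

_LINE = re.compile(r"^(?P<key>.+?):\s{2,}(?P<value>\S.*)$")
_UNSET = {"none", "never", "unlimited"}


def parse_net_accounts(text):
    """Map each 'label:   value' line to an int, or None when the setting is off."""
    settings = {}
    for line in text.splitlines():
        m = _LINE.match(line.rstrip())
        if not m:
            continue  # status lines such as "The command completed successfully."
        value = m.group("value").strip()
        if value.lower() in _UNSET:
            settings[m.group("key")] = None
        elif value.isdigit():
            settings[m.group("key")] = int(value)
        # Non-numeric values (the computer role) are not policy settings.
    return settings


def audit_password_policy(settings, baseline=BASELINE):
    """Return the list of gaps; a missing or disabled setting counts as a gap."""
    findings = []
    length = settings.get("Minimum password length")
    if length is None or length < baseline["min_length"]:
        findings.append("minimum length below %d" % baseline["min_length"])
    history = settings.get("Length of password history maintained")
    if history is None or history < baseline["history"]:
        findings.append("password history shorter than %d" % baseline["history"])
    max_age = settings.get("Maximum password age (days)")
    if max_age is None or max_age > baseline["max_age_days"]:
        findings.append("passwords not forced to change within %d days"
                        % baseline["max_age_days"])
    # `net accounts` does not report the complexity requirement; that setting
    # has to be checked in the security policy itself.
    return findings


if __name__ == "__main__":
    for gap in audit_password_policy(parse_net_accounts(SAMPLE_NET_ACCOUNTS)):
        print("GAP:", gap)
```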

Companies should look at the update of policy and procedures in order to keep up with changes across its infrastructure. These regulations help to guide all levels of information technology professionals. The consistent and concise update is critical to security in a network infrastructure.

The auditing of logs at all levels is critical and cannot be stressed enough. These logs provide accurate details on the access and changes requested and made during a session. All of the companies mentioned in this study review logs on a frequent basis. This becomes one of the single most important processes in looking for patterns and breaches of security.

Research should be done on a daily basis at third party security sites. This action falls hand in hand with the monitoring of IDS systems, service packs and updates, antivirus suites, firewall and security logs along with the overall “health” of the network. This research becomes important to “not missing” information that can be critical to a company’s survival. According to Juniper Networks, 93% of companies who lose data center access for 10 days or more file for bankruptcy protection within a year of the loss, and a breach can cost an average of $475,000 in losses and the recovery of the data.

Physical security violations are likely caused by employees of companies. Over 76% of companies surveyed by Juniper Networks reported physical security and hacking was more than likely caused by internal resources. Often companies overlook user management and fail to restrict access as needed, and the companies fall short on maintaining an archive of users and former users/employees of a network infrastructure.
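
The log review and the former-user archive described above can be combined into one automated check. This is an added example, not code from the original paper; the log line format, the account names, the addresses and the thresholds are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, not real data. The line format is an assumption:
#   <ISO timestamp> <LOGON_OK|LOGON_FAIL> user=<account> src=<address>
SAMPLE_LOG = """\
2007-03-12T08:01:13 LOGON_OK user=adavis src=10.0.4.21
2007-03-12T08:14:02 LOGON_FAIL user=bwhite src=10.0.7.90
2007-03-12T08:14:09 LOGON_FAIL user=bwhite src=10.0.7.90
2007-03-12T08:14:15 LOGON_FAIL user=bwhite src=10.0.7.90
2007-03-12T08:14:21 LOGON_FAIL user=bwhite src=10.0.7.90
2007-03-12T08:14:30 LOGON_FAIL user=bwhite src=10.0.7.90
2007-03-12T09:30:00 LOGON_FAIL user=adavis src=10.0.4.21
this line is corrupted and must not stop the audit
2007-03-12T22:47:51 LOGON_OK user=cjones src=10.0.9.14
"""

# Constructed archive of former employees whose accounts should no longer log on.
FORMER_USERS = {"cjones"}
EVENTS = {"LOGON_OK", "LOGON_FAIL"}


def parse_line(line):
    """Return (timestamp, event, user, source) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4 or parts[1] not in EVENTS:
        return None
    try:
        when = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    if "user" not in fields or "src" not in fields:
        return None
    return when, parts[1], fields["user"], fields["src"]


def audit(log_text, former_users, threshold=5, window=timedelta(minutes=10)):
    """Return (findings, unparsed_count). Lines must be in chronological order."""
    findings, unparsed = [], 0
    failures = defaultdict(deque)  # account -> recent failure timestamps
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = parse_line(line)
        if record is None:
            unparsed += 1  # count it: silent gaps in a log are a finding too
            continue
        when, event, user, src = record
        # Any activity from an archived account means access was not revoked.
        if user in former_users:
            findings.append(("former_user_activity", user, src, when))
        if event == "LOGON_FAIL":
            recent = failures[user]
            recent.append(when)
            while when - recent[0] > window:
                recent.popleft()  # drop failures that fell out of the window
            if len(recent) >= threshold:
                findings.append(("failed_logon_burst", user, src, when))
                recent.clear()  # report each burst once
    return findings, unparsed


if __name__ == "__main__":
    results, skipped = audit(SAMPLE_LOG, FORMER_USERS)
    for kind, user, src, when in results:
        print(when.isoformat(), kind, user, src)
    print("unparsed lines:", skipped)
```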

All of these items are found in the policy and procedures at the Allen Company, Neill Company, Taylor Company and a higher education facility. Because of these standards, a distinct “upper hand” is given to the companies. Each of the above items is looked at on a daily basis and these companies review the overall standards set by third party vendors.

Smaller companies, on the other hand, may not have the financial or physical resources to comply with these standards. These companies may outsource their work to small firms or “mom and pop” companies that may not be properly trained in any of the above areas. Often small companies have no policy and procedures in place, and when violations or breaches of security take place, these companies may not have any idea that data has been compromised. Larger companies often recommend an internal policy for small companies. The research found through the interview of experts at the Allen, Neill and Taylor companies indicates that small companies should hire reputable outside companies that have certifications in the area of security.

Policy and procedures are a set of directives used to outline the hierarchy of the Information Technology personnel department and their day to day procedures. The importance behind these directives cannot be stressed enough. Included in these procedures are the “what ifs” for disaster recovery and planning. With millions of records in place, disaster planning becomes an integral part of Computer and Network Security. The mentioned companies have all implemented policies and procedures to protect the assets in their companies.

Information technology departments often become stressed with the day to day activities of monitoring security and an air of complacency can fall over the staff. Management needs to have an internal auditing process available for the IT department to be sure that the department stays within compliance with industry related security procedures.

Auditing teams and committees need to be formed to review and to govern the actions of the information technology department.

Summary of Chapter 2

This chapter presented discussion and cited expert opinions on how Computer and Network Security can affect both managerial and IT personnel. Companies wishing to be secure must meet strict guidelines as outlined in order to protect their personal and client data.

The ability for companies to protect their network through Internal Company Security and Auditing Controls and to understand new laws and technology will have a dynamic impact on the company’s survival. This research shows that larger companies and corporations have a direct advantage over small companies. It could take small companies months to gain strict guidelines and regulations to conform to what industry experts call “in compliance”. Initial startup cost could be several thousand dollars along with several thousand dollars to train information technology personnel.

CHAPTER 3
Methodology

Approach

The approach used in this study uses the research of relevant information along with filtering of the available information. The approach also used interviewing of internal associates in the Information Technology field. These information technology experts are responsible for the compliance of Computer and Network Security with a background of professional knowledge and previous experience in the field of Information Technology security. During the developing of this study, there was a specific focus on the collecting of information needed to accurately look at the problem of protection of network infrastructure and data. This allowed for the presentation of discussions found later in this paper under “Review of Related Information”.

Discussion was provided for several of the subjects relating to Policy and Procedures and Internal Company Security and Auditing Controls. The impact of network infrastructure is discussed, along with the impact of breaches of U.S. companies.

These findings of several of the companies along with the researcher’s first-hand experience in protecting network infrastructures at a higher education facility are examples in this research paper of related information concerning Computer and Network Security.

Data Gathering Method

The primary method used by this study was the typical and historical method of research. This research method uses the interpretation of a collection of materials and facts in order to present all of the discussion materials. The many experiences of the researcher with a higher education facility along with the interviews of associates of a higher education facility were also used to gather the material needed for this study. Several of the appendices have extracts of publications found on the world wide web and are used as factual backups to many of the discussions listed in this research paper. These appendices contain relevant articles and excerpts from several laws.

The secondary method used by this study is actual case studies. This method allowed the researcher to challenge and interview many industry experts in the Information Technology field. This along with first-hand experience, internal interviews and resources allowed the researcher to formulate the validating and presenting of Policy and Procedures along with methods and methodologies of protecting a network’s infrastructure.

The secondary method used by the study is the case study. This method allowed the researcher to “observe” the predictions and theories of industry experts, along with utilizing the first-hand experience and internal interviews to formulate the basis for presenting and validating the security implementation plan. The paper itself is based on looking and studying the mentioned companies and the gathering of specific subject matter related to information technology security.

Database of Study

This study collected related information on Understanding the Impact and Solutions of Computer and Network Security from external publications such as newspapers, Internet websites, corporate publications, etc. Magazines which offered the most relevant information included Information, A nationally recognized information technology magazine, Networking, Automation Notebook and TechNet. These various publications target security related information in the full scope of Information Technology and their target audience is all levels of IT, and their focus is on all areas of the technology field. The researcher’s approach was to use “Google.com” and search for “Computer and Network Security”, “protecting your network”, “viruses”, “spyware/malware”, and “hacking”. This research method presented many direct hits and resources. All of the information had to be filtered in order to get directly related hits on the topic of Computer and Network Security.

To prove discussions on Policy and Procedures and Internal Company Security and Auditing Controls, various sources were used including the Policy and Procedures of a higher education facility and policy and procedures from the companies named in this study. These many sources of information along with board and entry level policies are vital in establishing the outline and importance of Policy and Procedures.

Several areas of the research contained different surveys which are used in the context of this research paper. Results of these surveys help to contribute to the overall discussion of the impact of companies in terms of finances, operations and organizational structure. Surveys are an important contribution for this paper in that they show what organizations are doing country and worldwide.

The appendices were used to show many of the laws going into place along with the Federal Bureau of Investigation’s annual report. Due to their length, many of the laws have been summarized because of the amount of content found in laws such as the U.S. Patriot Act. Actual content is used in some of the laws to provide valuable information to readers of this research paper.

Validity of Data

Much of the research was garnered from reputable and leading industry sources. These resources represent a diverse group of Information Technology professionals. The discussions on the setup of their individual networks came from CIOs and Information Technology Managers with a combined time in the IT field of over 65 years. Much of the information on Policy and Procedures came from the author’s place of employment. The updates and service pack information, along with spyware/malware information, came from sources on the internet including Microsoft Corporation and Lavasoftusa.com. Other sources included magazine periodicals from CMP and other publishers, including Microsoft.

Finally, the implementation plan used to outline security in the workplace is a compilation of interviews through the Allen, Neill and Taylor Corporations. The cumulative efforts of the researcher’s association with these companies contributed greatly to the outline given in this research paper. The information technology managers and CIOs from these organizations provided key input and knowledge from several personnel who have more than sixty-five years of combined expertise.

This outline provides input from local industries with adequate reputations and leadership foresight and could be used to show the most cost-effective approach while providing the best security for industries today. This outline provides guidance used by leaders in the information technology industry.

Originality and Limitations of Data

There has been no study done companywide for the Allen Company, Neill Company or Taylor Company on infrastructure security until this research took place. A higher education facility has undertaken a study several times and does quarterly reviews of security policy at least twice each year within their own facility. This study has revolutionized the importance of network infrastructure security by bringing security into focus across these Middle Tennessee companies and corporations. Because the Information Technology field has very few standards in place for Computer and Network Security, this study has limitations based on the ideology and philosophy of sources. While CERT.ORG and other institutions, including CompTIA set standards for the “what to check” and security certifications, there are no industry wide guidelines concerning Computer and Network Security. No in-depth research was done to uncover the reason for this situation. Many companies use the following companies and organizations as references and resources for Computer and Network Security and advice.

- TechRepublic: www.techrepublic.com
- Carnegie Mellon: www.cert.org
- United States Computer Emergency Readiness Team: www.us-cert.gov
- The Center for Education and Research in Information Assurance and Security: www.cerias.purdue.edu
- National Security Institute: http://nsi.org/compsec.html
- Microsoft: www.microsoft.com/security/default.mspx

Outline of the Implementation Plan at a higher education facility

The outline below is provided to illustrate and show how Computer and Network Security has been implemented as a plan to a higher education facility. This basic outline targets the infrastructure of companies through which the bases of protecting internal assets are most critical. It shows the effectiveness of the school’s control, auditing and implementation.

A. Periodic control of Operating System Patches

B. Virtual Private networking to Domain Servers with Student Information Systems Software from staff workstations

C. Periodic control of Operating System Service Packs

D. Anti-virus software installed on each workstation to include student work stations

E. Spyware/malware control measures

F. “Pop up” control measures

G. Application updates (i.e., Microsoft Office and related)

H. Software Update Services Server installed to push updates approved by administration

I. Documented Policy and Procedures school level

J. Documented Policy and Procedures board level

K. Active Directory Server login for staff to establish IT Policies

L. Applications with logging of activities (customized)

M. Application and Security Logs running on Servers

N. Network Address Translation used at firewall level

O. DMZ (demilitarized zones) used on web server

P. Hardware firewall (three-homed) used with logs and specific port number restrictions.

Q. IDS (Intrusion Detection Server) in place and monitored

R. Traffic monitor in place to monitor inbound, outbound and intranetworking packets

S. Disaster recovery plan in place

Control of patches and updates becomes one of the most important aspects of Computer and Network Security. With operating system flaws being one of the most critical needs to identify when operating a network, control of pushing service packs or updates to computers becomes extremely important. Companies should have this in their plans and someone in the information technology department should be assigned to check SUS (Software Update Services) servers daily. This IT person should also check security and operating system websites for alerts. Often these sites have email alerts to alert end-users of a security problem.

Virtual Private Networks or VPNs should be created between workstations and servers that contain critical data. Using PPTP (Point to Point Tunneling Protocol) ensures the data is encapsulated as it travels across the internal network. While packet capturing software can be installed on a network, this will help to encrypt the data and prevent loss due to network sniffing.

Antivirus software must be installed on every workstation and the software should be updated daily. This control of updating can come through push services through a server to ensure the virus pattern or signature is up to date.

Spyware/malware control is becoming an issue at all companies. Spyware/malware is software downloaded automatically by some websites to track a user’s internet surfing habits or to track software use on the end user’s computer. Often computers become burdened by spyware/malware loaded in the operating system and become nonfunctional or extremely slow. Control of spyware/malware and the protection of workstations fall on the information technology department. Control of spyware/malware helps to prevent pop-ups which in turn helps to keep productivity high.

Application updates should be controlled by the information technology department and periodic update checks should be performed by personnel assigned to the IT department. Because security

Without the above recommendations in place, companies can have a breach in their network infrastructure by hacking, virus infestation or physical security violation. Breaches can cause the loss of consumer or customer data. This loss can involve the loss of credit card data, personal demographic information, or other valuable data. Breaches can cost the company an insurmountable amount of money and public embarrassment. Two large universities were recently hacked and the embarrassment and possible lawsuits that could follow could jeopardize the integrity of the universities.

Summary of Chapter 3

The methods used and sources utilized for conducting this study are simplex. Supporting data from leading industry resources that has been supplemented with internal interviews along with the researcher’s personal experience provide the supporting data as stated.

These methods no matter how simplex are the basis and foundation needed to support the Computer and Network Security and guard the infrastructure of computer and data assets from within a company or corporation. Research was also guided by magazines, textbooks, corporate policies and the Internet along with industry leading experts’ advice.

With the aforesaid resource information available, the researcher had to “weed out” and screen undesirable information and utilize documentation that offered the greatest benefit to the research paper. This “weeding out” of information helped to keep valid data within the scope of this research paper.

The above outline of a higher education facility provides a basic outline and framework for a moderately detailed plan to support and implement the need for security of the information technology department network infrastructure in the modern workplace.

This security plan is a basic example of a “case study” for companies and corporations desiring to “lock down” or secure their network infrastructure.

CHAPTER 4
Data Analysis

Introduction

The Scope section of Chapter 1 explains the outline of Chapter 2 with a primary focus of security in the corporate infrastructure. The majority of companies of any significant size practice what this research paper has found. Internal Controls and Auditing inside the infrastructure of the company along with the Controls in place for the Information Technology Department are reviewed in this paper based on the four companies outlined in previous chapters.

Implementation Methodology Used at Neill, Taylor, Allen Companies and a higher education facility

Senior management at all of the companies under consideration constantly looks at the need to protect sensitive data. During the initial stages of protection, each of these companies followed the same pattern of implementing Computer and Network Security.

Each of these companies developed policy and procedures to guide and deliver procedures for all technology professionals at all levels within the companies. With these members of the IT department looking at securing the data within the company, this became the starting point and first layer of securing information. The development of these policy and procedures created a foundation for the practices delivered by the companies. These companies developed the policy and procedures to guide their information technology professionals as a direct entry in the company wide policy and procedures. The Allen, Taylor and Neill companies along with a higher education facility maintain an active and dynamic set of policy and procedures that can be changed on the “fly”. Each of these changes is passed through a formal form of communication in order to get a level and uniform understanding of the policy and procedures that are put in place.

The following steps are from integral studies of these companies:

- Policy and Procedures
  - Committees and Subcommittees used to monitor changes, constant updates and reviews by all members of the information technology team.
- Risk Assessment
  - Value of product and client data, cost of breach. This assessment can give the company an idea of the risk of a breach.
- Inventory
  - Inventory of software and hardware. Inventory allows for control of products and control of sensitive information.
- Needs Assessment
  - Users and applications “Need to Know Basis Only”. This form of assessment allows for securing data at different levels based on rank or a hierarchal structure in the company.
- Structure
  - Physical security and ideal topologies to meet performance needs and environmental controls.
- Levels of Protection
  - Workstation
    - Antivirus software, operating systems updates and patches, application updates, VPN to servers, strong password protection
  - Private Servers
    - Antivirus software, operating systems updates and patches, application updates, VPN from workstations, Kerberos security, tokens and certificates, strong password protection
  - SNMP nodes
    - Password Protected SNMP manageable devices
  - Wireless Access Points
    - Wireless Encryption Protocols (128 bit minimum)
    - MAC filtering
  - Routers
    - Acceptable ports and sites
  - Firewalls
    - Acceptable ports and sites
  - IDS Systems
    - Backend for internal and external NIC cards used to monitor all traffic within the organization
  - Network Address Translation
    - Needs Public to Private ips for internal networks with few public ip addresses
  - Public Servers
    - Located in DMZ areas, all patches, updates and only necessary ports open
  - Training programs
    - New software
    - New hardware

The methodology used by the Allen, Neill and Taylor companies along with a higher education facility also includes consideration of company growth and changes in security needs.

Policy and procedures provide the guidance for the IT department to use as a guideline in their day to day operations. These policies also supply the personnel from the IT department with directives for what to do in a breach and for disaster recovery and planning for catastrophic events.

Risk assessment provides the protection vs. breach cost. Risk assessment looks at the hardware, software, physical security and other areas defined as a potential risk. It is this assessment that can act as a guide for the CIO when protecting the company’s network infrastructure.

CIOs also have to look at the ever changing inventory of wireless devices, tablet PCs, PDAs, servers, workstations, and other nodes on the company’s network. The importance of inventory is often overlooked by junior Information Technology professionals. These personnel often overlook this important topic because of the changing out of antiquated equipment with new equipment. Often newer nodes placed on a network are not hardened. This negligent act is usually because of the “rush” to replace the old node and to get the newer node operational to save money and time.

The needs assessment found above is based on personnel security and the relevance behind restricting personnel from specific applications or areas within the corporate infrastructure.

The physical structure of the network layout becomes important to the security analyst for several reasons. Wireless devices too close to outside walls can broadcast beyond the company’s physical boundaries. The server room may be in a location where physical security becomes an issue. Switches or hubs in areas located in any business can leave the network infrastructure vulnerable to internal security violations. Looking at these vulnerabilities, it is easy to understand how structure of a network can become an important issue with companies.

Companies today need to look at the level of protection needed for different nodes on the company’s network. Because servers may contact the outside world, these nodes may need to be hardened more than a typical desktop. Although all nodes need to be protected, it becomes an issue of where in the network infrastructure the node is placed.
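
The inventory and the “Levels of Protection” list above can be joined into one check that catches nodes put on the network without being hardened. This is an added example, not code from the original paper; the inventory field names, the node records and the addresses are assumptions constructed for illustration, and the per-type requirements are taken from the list above.

```python
import ipaddress

# Private ranges used behind network address translation (RFC 1918).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DEFAULT_SNMP_COMMUNITIES = {"public", "private"}

# Yes/no controls per node type; the field names are hypothetical.
REQUIRED_FLAGS = {
    "workstation": ["antivirus", "os_patched", "apps_updated",
                    "vpn_to_servers", "strong_passwords"],
    "private_server": ["antivirus", "os_patched", "apps_updated",
                       "vpn_from_workstations", "kerberos", "strong_passwords"],
    "wireless_ap": ["mac_filtering"],
    "snmp_node": [],
    "public_server": ["os_patched"],
}

# Constructed inventory, not real hosts.
SAMPLE_INVENTORY = [
    {"name": "ws-017", "type": "workstation", "ip": "10.0.4.21", "antivirus": True,
     "os_patched": True, "apps_updated": True, "vpn_to_servers": True,
     "strong_passwords": True},
    # A freshly swapped-in replacement that was rushed into service.
    {"name": "ws-new-03", "type": "workstation", "ip": "10.0.4.77", "antivirus": True,
     "os_patched": False, "apps_updated": False, "vpn_to_servers": True,
     "strong_passwords": True},
    {"name": "sw-core-1", "type": "snmp_node", "ip": "10.0.0.2",
     "snmp_community": "public"},
    {"name": "ap-lobby", "type": "wireless_ap", "ip": "10.0.8.5",
     "encryption_bits": 64, "mac_filtering": True},
    {"name": "web-01", "type": "public_server", "ip": "203.0.113.10", "zone": "dmz",
     "os_patched": True, "open_ports": [80, 443, 3389], "needed_ports": [80, 443]},
    {"name": "db-01", "type": "private_server", "ip": "198.51.100.7", "antivirus": True,
     "os_patched": True, "apps_updated": True, "vpn_from_workstations": True,
     "kerberos": True, "strong_passwords": True},
]


def is_rfc1918(addr):
    """True when addr lies in one of the three private IPv4 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def check_node(node):
    """Return the list of baseline gaps for one inventory record."""
    kind = node.get("type")
    if kind not in REQUIRED_FLAGS:
        return ["unknown node type %r: no baseline defined" % kind]
    gaps = ["missing control: " + flag
            for flag in REQUIRED_FLAGS[kind] if not node.get(flag, False)]
    if kind == "wireless_ap" and node.get("encryption_bits", 0) < 128:
        gaps.append("wireless encryption below 128 bits")
    if kind == "snmp_node" and \
            node.get("snmp_community", "public").lower() in DEFAULT_SNMP_COMMUNITIES:
        gaps.append("SNMP uses a default community string")
    if kind == "public_server":
        if node.get("zone") != "dmz":
            gaps.append("public server is not in the DMZ")
        extra = sorted(set(node.get("open_ports", [])) - set(node.get("needed_ports", [])))
        if extra:
            gaps.append("unnecessary open ports: " + ", ".join(map(str, extra)))
    else:
        # Every node that is not a public server should sit behind NAT.
        try:
            if not is_rfc1918(node.get("ip", "")):
                gaps.append("internal node has a public address (not behind NAT)")
        except ValueError:
            gaps.append("no valid IP address recorded")
    return gaps


def audit_inventory(inventory):
    """Map node name -> gaps, listing only nodes that fall short of the baseline."""
    report = {}
    for node in inventory:
        gaps = check_node(node)
        if gaps:
            report[node["name"]] = gaps
    return report


if __name__ == "__main__":
    for name, gaps in audit_inventory(SAMPLE_INVENTORY).items():
        print(name, "->", "; ".join(gaps))
```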

Simple Network Management Protocol is used to manage many devices on networks. Some of these devices include items such as routers, switches, wireless devices and printers. With this protocol in place, unwary companies could leave this management tool open and have their network reprogrammed by a malicious individual.

The gateway from most networks to the Internet is a router. Misconfigured routers can lead to intrusion into a company’s network.

Firewalls are the bodyguard of most networks. Properly configured firewalls can protect corporate infrastructures. Firewalls must be dynamic enough to change with the ever changing world of security. Corporations need to look at the individual port numbers often used by viruses or hackers to gain access to internal networks.

Virus infiltration leads the FBI’s security survey in monies lost by corporations. Security covers a broad spectrum of areas, and antivirus protection is one form of security. Corporations that do not deploy updated antivirus definitions could let in Trojans or viruses that open ports or send documents to malicious individuals. Deployment often relies on enterprise-level software to protect the entire local area network.

In order for security analysts to monitor possible network violations, many companies have put in intrusion detection systems to monitor network traffic and use alarms and logs to alert appropriate personnel of possible intrusion.

Because public IP addresses are accessible by the public, hackers have easier access to servers or computers within corporations’ networks. Network address translation provides private IP addresses behind a public IP address to help protect a company’s network infrastructure. This IP address manipulation allows many servers and workstations to hide behind proxy servers or firewalls. The only drawback is that some servers may need a public IP address to be seen from the outside. Working hand in hand with firewalls, public IP addresses can stand behind the DMZ (demilitarized zone) section of the firewalls.
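The address translation described above, as an added example that is not part of the original text. It models a small port-address-translation table: internal hosts share one public address, return traffic is accepted only from a remote endpoint the host contacted, and a server that must be seen from outside gets an explicit published mapping. The class name NatGateway, the addresses and the port numbers are assumptions made for illustration, and a real gateway also tracks protocol and timeouts.

```python
import ipaddress

# RFC 1918 private ranges that sit behind the gateway.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    """True when ip is inside one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


class NatGateway:
    """Port-address-translation table for a single public address."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = str(ipaddress.ip_address(public_ip))
        self._next_port = first_port
        self._by_source = {}   # (private_ip, private_port) -> public_port
        self._sessions = {}    # public_port -> (source, set of remotes contacted)
        self._published = {}   # public_port -> (internal_ip, internal_port)

    def publish(self, public_port, internal_ip, internal_port):
        """Static mapping for a DMZ server that must be reachable from outside."""
        if not is_rfc1918(internal_ip):
            raise ValueError(f"{internal_ip} is not a private address")
        self._published[public_port] = (internal_ip, internal_port)

    def outbound(self, private_ip, private_port, remote):
        """Translate an internal source; returns (public_ip, public_port)."""
        if not is_rfc1918(private_ip):
            raise ValueError(f"{private_ip} is not a private address")
        source = (private_ip, private_port)
        public_port = self._by_source.get(source)
        if public_port is None:
            public_port = self._next_port
            self._next_port += 1
            self._by_source[source] = public_port
            self._sessions[public_port] = (source, set())
        self._sessions[public_port][1].add(remote)
        return self.public_ip, public_port

    def inbound(self, public_port, remote):
        """Internal (ip, port) for a packet from outside, or None if dropped."""
        if public_port in self._published:
            return self._published[public_port]
        session = self._sessions.get(public_port)
        if session and remote in session[1]:
            return session[0]
        return None  # unsolicited traffic never reaches an internal host


if __name__ == "__main__":
    # Constructed addresses from the documentation and private ranges.
    gw = NatGateway("203.0.113.10")
    gw.publish(443, "172.16.5.20", 8443)
    web = ("198.51.100.7", 80)
    print(gw.outbound("192.168.1.50", 51000, web))
    print(gw.inbound(40000, web))                      # reply: delivered
    print(gw.inbound(40000, ("198.51.100.99", 80)))    # stranger: dropped
    print(gw.inbound(443, ("198.51.100.99", 55555)))   # published service
```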

As stated in the previous chapter, training of personnel helps corporations protect their valuable assets and their clients’ assets. Training of personnel should take place at a minimum of twice annually.

Companies spread across a metropolitan network or a wide area network often unintentionally neglect branch offices or outlying offices. CIOs and IT managers need to focus on the entire corporation as a whole. Neglect of branch offices can result in infiltration into a vulnerable section, which can then spread throughout the entire network.

Policy and procedures should cover these issues so that these areas are not overlooked. A copy of the policy and procedures should be kept at each location with scenarios for disaster recovery.

The overall strategy for the initial phase of protection involves the publishing of Policy and Procedures. The publication of Policy and Procedures includes the hierarchical structure of the information technology department and all tasks associated with it. The following approach is used to monitor the updating of the Policy and Procedures:

- Document changes to existing Policy and Procedures
- Identify weaknesses
- Test disaster recovery portion of Policy and Procedures
- Test auditing procedures
- Rewrite when a significant amount of changes takes place
- Ongoing training

This strategy is being used by all of the companies in this research paper. Each of the companies uses primarily the same software, but has different database backends that keep all of the mission-critical and protected demographic data. Each of the companies uses different virus protection, but has the same update policies in place for this malicious activity.

These companies use their policy and procedures to look at backup strategies for their data. This form of security is one of the most important aspects of Computer and Network Security. Companies use backup DLT tapes and rotation schedules for the tapes to ensure tapes are carried offsite daily. Many companies are looking for and some are using offsite backup strategies through third party companies. This action alone can be a risk if a thorough background check of the company is not performed and if the company does not follow internal policies of security.

Training is in place from the lowest level of help desk to the Information Technology manager and CIO. Training updates are given to all employees outside of the IT department so that security can be maintained throughout the company. These companies use the following training methods:

o Memos to all staff on new viruses
o Memos to IT Personnel on new viruses
o Memos to IT Personnel on opportunities to train at seminars
o Seminars (Mandatory)
o Seminars (Voluntary)
o Webcasts/Podcasts
o In house training by security personnel
o In house training by outside resources
o College reimbursement
o New product training
o Policy and procedure review
o Proper use of the internet
o Proper use of email and best practices

Memos provide a written form of communication for IT professionals. Whether in email format or in written document format, memos provide a backbone for communication in information technology security.

Email memos can be combined with the collaboration features of software programs such as Microsoft Outlook and used in conjunction with the calendar feature. The calendar allows reminders to be set, and the collaboration allows all team members to see the reminders.

Seminars are an excellent resource for learning security and new product features and updates. With Microsoft TechNet briefings held quarterly in many major cities in the United States, the IT professional can network with Microsoft’s professionals. This networking allows for audience reaction and discussion on issues found in industry today.

Setting seminars as voluntary allows team members the freedom of attending these events as they choose, while mandatory seminars ensure the members gather information that can be used in the organization. The selection should include both voluntary and mandatory seminars to ensure the IT professional achieves a diverse knowledge of the areas needed for the true protection of networks.

Webcasts/Podcasts provide training for organizations on-site and are offered by large organizations and software vendors. Webcasts can be prerecorded or live. These forms of training allow the IT manager or CIO to be present to answer questions for junior IT professionals or help desk personnel.

In-house training allows for security directors or outside industry leading experts to come on site and educate personnel on topics involving security. This form of training ensures personnel are present and communication gets through to all in-house personnel.
Outside experts coming into facilities allows for a variety of topics and a third party view of what security practices are being used by other industries.

College reimbursement provides motivation for employees to educate themselves. This allows employees to gain higher education at no or little cost. This becomes a valuable tool for not just the employee but for the company or corporation. The payoff of reimbursement becomes the knowledge of the employee.

Because the technology field in the world of computers changes at the drop of a hat, new products are introduced at a record-breaking pace. This introduction is not only for totally new products to the industry but can be for updates or version changes on software. It is very important for CIOs to have this training for new products available to all levels of information technology.

Policy and procedures are one of the largest keys to protecting a network, and all aspects of network management change daily. Once these items are put into place, it cannot be stressed enough that they should be reviewed and updated as often as possible. Communication of these updates falls back to the written and email memos to peers mentioned in this chapter.

With IT personnel trained in security, it becomes very important for other members of an organization to be aware of Internet and email use policies to cut off problems before they occur.

Summary of Chapter 4

Chapter 4 presented the methodology and detailed plan of the Allen, Neill, Taylor companies and a higher education facility. From these discussions, it is evident that each of these companies has distinct policy and procedures in place with an overall approach of the following key points:

- Employ certified and experienced personnel
- All are focused on standards set by CERT.ORG and other security industry leaders
- Strong Policy and Procedures in place
- Communications among internal company and internal information systems
- Committees and Sub-committees in place for compliance issues

CHAPTER 5

Summary, Recommendations and Conclusions

Introduction

To support the Conclusion and Recommendations, it is important to understand and to restate the problems of Infrastructure Security: “Companies must put all means of security in place both internally and externally”. This chapter will discuss whether this study supports the problem statement and it will provide a conclusion concerning what companies need to do in order to protect their assets. It will also provide additional recommendations related to the research findings.

Conclusions and Recommendations

“Companies must put all means of security in place both internally and externally”

The research has been abundantly clear that the initial requirements to meet standards set by the industry should include policy and procedures and guidelines to effectively protect internal assets as well as ecommerce assets from companies or individuals doing business.

With the FBI’s cyber report on crime and related organizations producing reports on cyber related security, businesses should keep a parallel focus on security as well as staying on focus with their main product(s). “Companies will have to stay ahead of the game and should not question or waver away from protecting their internal assets.”

With guidance and support of peer companies, companies should network with software and hardware vendors, other noncompetitive companies and with organizations that specialize in security. Past examples of hackers and thieves on the internet should awaken sleeping companies.

In answering “why security is needed and how to implement security”, companies should look at past examples and the ever increasing number of companies who have had security violations throughout their infrastructure. This provides a learning basis for all companies. This is one area companies do not want to lead by example. The problem statement components of “when security is needed, and how to implement it” are answered as follows:

Industry wide compliance of recommendations by industry leading experts.

Restating the key elements from previous chapters, these include:

- Employ trustworthy Information Technology workforce to protect assets from within the companies as though assets were their own.
- Focus on industry statistics and separate fact from fiction for the best protection of the security infrastructure.
- Utilize all means of security including beta based security tools and physical tools, and update policies and procedures as necessary. Document all deficiencies and follow through with any and all shortcomings to ensure the best and most adequate protection from thieves, whether internal or external.
- Ongoing communications between all levels of employees from help desk to the CIO (Chief Information Officer).
- CIOs cannot lose touch with reality of the “real” world of security.
- A quality control program should be put into place to maintain site wide integrity.
- Policy and procedures must be reviewed.
- Internet usage policies should exist and all employees should review and sign acceptance letters.
- Email usage policies should exist and all employees should review and sign acceptance letters.
- Systems must be tested in order to ensure quality.
- Ongoing training must be put into place for IT professionals and accurate records must be maintained in order to verify training and training needs.
  o “Companies must provide high level training to meet the needs of industry growth while maintaining a balanced budget and customer security”.

In the early stages of security and ecommerce, the selected companies and corporations had to have the foresight to look at the “What ifs” of protection and hold onto paranoia for the “just in case” scenarios that crop up with business forecasts and predictions. These companies in the early years of ecommerce were beginning to provide SSL (Secure Sockets Layer) protection of their websites along with early Cisco firewalls and web servers. The Allen, Neill, Taylor Companies and a higher education facility all provided above average protection for their clients and the exchange of data along their local area connections and their extranets. This protection provided customer reassurance and customer growth that in turn provided growth for the revenue of the company.

With this electronic protection in place, the Allen, Neill and Taylor companies along with a higher education facility all provide digital certificates and SSL encryption for their clients or consumers. This extra protection allows for the companies to exchange critical demographic and financial data including credit card numbers and personal account information.

Each of the above listed companies uses web databases that “dump” the client information to a printer and purge any critical data. This practice is becoming a trend for companies. By purging data, the database is empty and in the event a breach is successful by a hacker, no data will be lost.

During a recent event, a local technical college in Middle Tennessee accepted over 200 credit card orders for a regional conference and the data was accepted, purged to a printer and the database emptied for security reasons.

This type of transaction allows for the security of the corporate infrastructure to remain intact even in the event of an ecommerce breach.

Although many companies use databases on the web, the above practice is new in the industry and allows the company to reenter the data into an internal server that has been NATed behind a firewall, thus adding an extra layer of security.

This practice requires more work on the company side of taking and automating orders but helps keep hackers at bay. An empty database discourages these individuals from returning to an empty nest.
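The dump-and-purge practice described above, as an added example that is not part of the original text. It uses SQLite as a stand-in for the web database and a callable as a stand-in for the printer hand-off; the table layout, the function names and the sample orders are assumptions made for illustration. Orders are deleted only after the hand-off succeeds, and secure_delete is turned on so that purged rows are overwritten rather than left in free database pages.

```python
import sqlite3


def open_order_db(path=":memory:"):
    """Open the web-facing order store with secure deletion enabled."""
    conn = sqlite3.connect(path)
    # Overwrite deleted content with zeros so purged card data does not
    # linger in free pages of the database file.
    conn.execute("PRAGMA secure_delete = ON")
    conn.execute(
        "CREATE TABLE IF NOT EXISTS orders ("
        " id INTEGER PRIMARY KEY,"
        " name TEXT NOT NULL,"
        " card_number TEXT NOT NULL,"
        " amount_cents INTEGER NOT NULL)"
    )
    conn.commit()
    return conn


def pending_count(conn):
    """Number of orders still stored on the web-facing database."""
    return conn.execute("SELECT COUNT(*) FROM orders").fetchone()[0]


def export_and_purge(conn, deliver):
    """Hand all stored orders to deliver(rows), then delete them.

    deliver stands in for the printer or internal hand-off and must raise
    on failure. If it raises, nothing is deleted, so no order is lost.
    Returns the number of orders purged.
    """
    rows = conn.execute(
        "SELECT id, name, card_number, amount_cents FROM orders ORDER BY id"
    ).fetchall()
    if not rows:
        return 0
    deliver(rows)
    # Delete only what was exported; orders that arrived after the SELECT
    # have a higher id and stay for the next run.
    with conn:
        conn.execute("DELETE FROM orders WHERE id <= ?", (rows[-1][0],))
    return len(rows)


if __name__ == "__main__":
    conn = open_order_db()
    # Constructed sample orders using a well-known test card number.
    conn.executemany(
        "INSERT INTO orders (name, card_number, amount_cents) VALUES (?, ?, ?)",
        [("A. Example", "4111111111111111", 12500),
         ("B. Example", "4111111111111111", 9900)],
    )
    conn.commit()
    printed = []
    print("purged:", export_and_purge(conn, printed.extend))
    print("left on web database:", pending_count(conn))
```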

Since the Internal Company Security and Auditing Controls of security infrastructure throughout the companies under consideration were compliant with industry standards, the impact on the companies’ operations was minimal. The operations and organization of the companies prove them to be industry leaders in setting industry examples. With the ever-changing world of security, and with ecommerce and the precarious balancing of performance of business, these companies along with other companies have to look at performance and new technologies to protect their business without sacrificing customer demands from their business.

Budget constraints within the economy of 2004 cannot sacrifice the cost of loss due to neglecting the protection of customers and internal assets. The companies used in this study have to balance the monies available for security while looking at the cost of losing customers due to possible security breaches.

In conclusion, the emphasis on strong Internal Company Security and Auditing Controls within the area of security for companies is vital. These controls should be dynamically flexible throughout the company, from the help desk employee to the Chief Information Officer. These controls extend from the overall operations of the Information Systems department throughout the entire organizational structure and should be in place to help companies stay on the leading edge in protection of their assets.

The recommendations from this study are as follows:

- Companies should do extensive background checks on their Information Technology employees. Checks should include financial, criminal and past employment checks.
- Companies should put Policy and Procedures into place to make sure that all aspects of disaster recovery and planning are covered including hardware failure, software failure, network setup, personnel hierarchy, team responsibilities, deployment of all software and appropriate licensing and other mission critical objectives.
- Companies should have a consistent audit practice in place for server logs, firewall logs, patches, service packs and updates.
- The network infrastructure for companies needs a consistent quarterly overview committee to look at security needs and challenges. This would provide quarterly updates of mission statements and policies as needed.
- Companies need training programs in place for Junior as well as Senior level analysts to understand the challenging environment of security. These training programs need to include industry leaders and seminars from software vendors.
- Companies need consistent and open forums within their infrastructure for communication of daily changes affecting the security environment.
- The hierarchical level of the internal department of Information Systems/Technology needs to be dynamically flexible to meet the needs and challenges facing the ever-changing world of information technology security in the workplace.
- Small Ecommerce servers should “dump” data to a printer and be reentered as a precautionary measure in case of a breach on an internal file server.
- Large ecommerce servers should have multileveled security in place and should require re-registration in the event a consumer does not frequent the site. Records should be archived off of the server for non-returning or one time customers.

Appendices

CSI/FBI Survey

The Computer Security Institute over the past several years has produced a survey with the Federal Bureau of Investigation. Below is an excerpt from the website. The survey is available for free download from the Institute's Web site at GoCSI.com. Much of the content below is verbatim and in its original format as found on the internet.

Computer Crime Survey

Highlights of the 2004 Computer Crime and Security Survey include the following:

-- Overall financial losses totaled from 494 survey respondents were $141,496,560. This is down significantly from 530 respondents reporting $201,797,340 last year.
-- In a shift from previous years, the most expensive computer crime was denial of service. Theft of intellectual property, the prior leading category, was the second most expensive last year.
-- Organizations are using metrics from economics to evaluate their security decisions. Fifty-five percent use Return on Investment (ROI), 28 percent use Internal Rate of Return (IRR), and 25 percent use Net Present Value (NPV).
-- The vast majority of organizations in the survey do not outsource computer security activities. Among those organizations that do outsource some computer security activities, the percentage of security activities outsourced is quite low.

Based on responses from 494 computer security practitioners in U.S. corporations, government agencies, financial institutions, medical institutions and universities, the findings of the 2004 Computer Crime and Security Survey confirm that the threat from computer crime and other information security breaches is real. Chris Keating, CSI Director, believes that the Computer Crime and Security Survey, now in its ninth year, suggests that organizations that raise their level of security awareness have reason to hope for measurable returns on their investments.

"Although the CSI/FBI survey clearly shows that cybercrime continues to be a significant threat to American organizations, our survey respondents appear to be getting real results from their focus on information security. Their average dollar losses per year have dropped in each survey for four straight years. Obviously, computer crime remains a serious problem and some kinds of attacks can cause ruinous financial damage. We don't believe that all organizations maintain the same defenses as our members -- financial damages for less protected organizations are almost certainly worse. And hackers won't become complacent anytime soon -- new attacks are devised every day. So we still have our work cut out for us. The message here is that it makes sense to continue our focus on adherence to sound practices, deployment of sophisticated technologies, and adequate staffing and training."

Definition of Terms

Abuse of Privilege: Users who perform actions that they should not have, according to company policy or law.

Access: The ability to enter an electronically secured area. The process of interacting with a computer system.

Access Authorization: Permission granted to users, programs or workstations or shared objects.

Access Control: A set of procedures performed by hardware, software and administrators to monitor access, identify users requesting access, record access login attempts, and grant or deny access to computer objects while creating administrative logs.

Access Sharing: Permitting two or more users simultaneous access to files or objects on servers or for objects on a workstation.

Application Level Gateway (Firewall): A firewall system in which service is provided by processes that maintain complete TCP connection state and sequencing. Application level firewalls often re-address network traffic so that outgoing packets and traffic appear to have originated from the corporation’s firewall, rather than the internal host.

Audit: The collection of records to assess their completeness and veracity.

Audit Trail: In computer and data center security systems, a chronological record of when users log in and how long they are engaged in various activities. An audit trail may be on paper or on disk.

Authenticate: In networking, to establish the validity of a user or an object.

Authentication: The process of establishing the legitimacy of a node or user before allowing access to requested information.

Authorization: The process of authenticating successfully.

Availability: The portion of time that a system can be used for productive work. Server rules fall under the rule of five 9’s or a desired uptime of 99.999%.

Back Door: An entry point to a program or a system that is used to gain normally unauthorized access to an area within a network.

Bandwidth: Capacity of a network, dial-up or data connection, measured in kilobits per second (kbps) or megabits per second (Mbps).

Biometric Access Control: Any means of controlling access through human anatomy measurements, such as fingerprinting, iris or voice recognition.

Business-Critical Applications: Vital software needed for specific companies such as databases. (Microsoft Office, SQL, MS Exchange, etc.)

CERT: Computer Emergency Response Team established at Carnegie-Mellon University. (www.cert.org)

Challenge/Response: A security procedure in which one computer/user requests authentication of computer/user after which the host sends a response.

Clustering: Groups of servers working together as a single host.

Computer Security: The assurance of availability, integrity and confidentiality of data.

Computer Security Audit: An evaluation of logs, procedures and policies to ensure the infrastructure of companies is maintained.

Data Encryption Standard: A standard for encryption developed by IBM and later adopted and used by the National Bureau of Standards. Used in private and government standards.

Decode: Conversion of encrypted text to plain text through the use of a code.

Decrypt: Conversion of encoded or enciphered text into plaintext.

Defense in Depth: The security approach whereby each system on the network is secured to the greatest possible degree. May be used in conjunction with firewalls.

DES: Data encryption standard.

DNS Spoofing: Emulating the Domain Name Services of another system.

Encryption: The process of scrambling files through an algorithm (such as the DES algorithm).

End-to-End Encryption: Encryption at the point of origin within a network, followed by decryption at the destination site.

Extranet: Internet access to partners and affiliates outside your organization.

Fault Tolerance: A design method to ensure continued systems operation by providing redundant system resources.

Firewall: A hardware or software program used to provide boundaries between networks.

Gateway: A bridge between two networks, normally a router (Cisco).

Hack: Software that has had a significant portion of the programmer’s code rewritten and modified from the original code.

Hacker: Usually a malicious individual or group of individuals who breach networks.

Information Systems Technology: The protection of a corporation’s information assets from unauthorized disclosure or modification which in turn prevents the corporation from losing data.

Intrusion Detection: Detection of breaches in security. Systems using this are commonly called IDS (Intrusion Detection Systems).

IP Sniffing: Reading the packets of data released from a network.

IP Spoofing: The use of an internal IP address to emulate a legitimate user.

ISO: International Standards Organization.

ISSA: Information Systems Security Association.

Local Area Network (LAN): An interconnected system of computers and peripherals. Usually found in a star topology.

Logging: The process of storing information about events that occurred on systems or the firewall.

Log Retention: The holding of logs from systems.

Network Computer: A computer or host found on the Local Area

Network Worm: A program designed to move or channel across a network.

One-Time Password: A password used only one time during an initial session.

Operating System: System software that controls computers. Commonly used OSs today are Windows 2000, Windows XP Professional, Windows 2003 Server, Linux and Unix.

Password: A secret word, numbers, phrase or combination that is used in authentication.

Performance: The speed at which data is processed. Computers, network, etc.

Perimeter-based Security: The control of entry and exit points on network(s).

PIN: Personal Identification Number.

Policy: Organizational based rules and procedures that establish “how processes should take place.”

Private Key: In encryption, one key (or password).

Protocols: “Languages” of computers.

Proxy: Computer that acts on behalf of other computers. Common proxies are ISA server or Analogx.

Public Key: In encryption, two key system.

Remote Access: The accessing of computer systems or nodes in a network from a different geographical location.

Risk Analysis: The analysis of an organization's information resources.

RSA: A public key cryptosystem.

Scalability: The ability to add on or to expand systems resources to support large numbers of users without impacting performance. 

Server: A computer used to control other computers or to share resources or objects. 

Server-based Computing: A computer that delivers critical business applications to end users.

Server Farm: A group of servers. 

Smart Card: A credit card sized electronic device that controls access to restricted areas or systems.

Social Engineering: To deceive users and gain access by false means.

Stateful Inspection: Firewall inspection of packets to search for data such as IP information, content and port numbers.

TCO: Total Cost of Ownership.

Token: An authentication tool.

Trojan Horse: A malicious program that disguises its harmful intent by emulating another program.

User: Any person who interacts directly with a workstation or personal PC.

User ID: Often known as the “username”. Use can be alpha or numeric.

User Interface: The part of an application that the user works with. User interfaces can be text-driven, such as command-line driven, or graphical.

Virtual Private Network: A network providing no outside contact using the protocols L2TP or PPTP. A link between one network and another providing a secure connection of data using the aforesaid protocols.

Virus: A self-replicating code segment. Viruses may or may not contain attack programs.

Country Code Extensions (Internet): ac  –  Ascension Island

.ad  –  Andorra.ae  –  United Arab Emirates

.af  –  Afghanistan.ag  –  Antigua and Barbuda

.ai  –  Anguilla.al  –  Albania

.am  –  Armenia.an  –  Netherlands Antilles

.ao  –  Angola.aq  –  Antarctica.ar  –  Argentina

.as  –  American Samoa.at  –  Austria

.au  –  Australia.aw  –  Aruba

.az  –  Azerbaijan.ba  –  Bosnia and Herzegovina

.bb  –  Barbados.bd  –  Bangladesh

.be  –  Belgium

- 83 –Steve Mallard

Computer and Network Security

.bf  –  Burkina Faso.bg  –  Bulgaria.bh  –  Bahrain.bi  –  Burundi.bj  –  Benin

.bm  –  Bermuda.bn  –  Brunei Darussalam

.bo  –  Bolivia.br  –  Brazil

.bs  –  Bahamas.bt  –  Bhutan

.bv  –  Bouvet Island.bw  –  Botswana

.by  –  Belarus.bz  –  Belize.ca  –  Canada

.cc  –  Cocos (Keeling) Islands.cd  –  Congo, Democratic Republic of the

.cf  –   Central African Republic.cg  –  Congo, Republic of

.ch  –  Switzerland.ci  –   Cote d'Ivoire.ck  –  Cook Islands

.cl  –   Chile.cm  –  Cameroon

.cn  –  China

- 84 –Steve Mallard

Computer and Network Security

.co  –  Colombia.cr  –   Costa Rica

.cu  –  Cuba.cv  –   Cap Verde

.cx  –  Christmas Island.cy  –  Cyprus

.cz  –  Czech Republic.de  –  Germany.dj  –  Djibouti.dk –  Denmark

.dm  –  Dominica.do  –  Dominican Republic

.dz  –  Algeria.ec  –  Ecuador.ee  –  Estonia.eg  –  Egypt

.eh  –  Western Sahara.er  –  Eritrea.es  –  Spain

.et  –  Ethiopia.fi  –  Finland

.fj  –  Fiji.fk  –  Falkland Islands (Malvina)

.fm  –  Micronesia, Federal State of.fo  –  Faroe Islands

.fr  –  France

- 85 –Steve Mallard

Computer and Network Security

ga  –  Gabon.gd  –  Grenada.ge  –  Georgia

.gf  –  French Guiana.gg  –  Guernsey

.gh  –  Ghana.gi  –  Gibraltar

.gl  –  Greenland.gm  –  Gambia.gn  –  Guinea

.gp  –  Guadeloupe.gq  –  Equatorial Guinea

.gr  –  Greece.gs  –  South Georgia and the South

Sandwich Islands.gt  –  Guatemala

.gu  –  Guam.gw  – Guinea-Bissau

.gy  –  Guyanahk  –  Hong Kong

.hm  –  Heard and McDonald Islands.hn  –  Honduras

.hr  –  Croatia/Hrvatska.ht  –  Haiti

.hu  –  Hungary.id  –  Indonesia

.ie  –  Ireland.il  –  Israel

- 86 –Steve Mallard

Computer and Network Security

.im – Isle of Man

.in – India

.io – British Indian Ocean Territory

.iq – Iraq

.ir – Iran (Islamic Republic of)

.is – Iceland

.it – Italy

.je – Jersey

.jm – Jamaica

.jo – Jordan

.jp – Japan

.ke – Kenya

.kg – Kyrgyzstan

.kh – Cambodia

.ki – Kiribati

.km – Comoros

.kn – Saint Kitts and Nevis

.kp – Korea, Democratic People's Republic

.kr – Korea, Republic of

.kw – Kuwait

.ky – Cayman Islands

.kz – Kazakhstan

.la – Lao People's Democratic Republic

.lb – Lebanon

.lc – Saint Lucia

.li – Liechtenstein

.lk – Sri Lanka

.lr – Liberia

.ls – Lesotho

.lt – Lithuania

.lu – Luxembourg

.lv – Latvia

.ly – Libyan Arab Jamahiriya

.ma – Morocco

.mc – Monaco

.md – Moldova, Republic of

.mg – Madagascar

.mh – Marshall Islands

.mk – Macedonia, Former Yugoslav Republic

.ml – Mali

.mm – Myanmar

.mn – Mongolia

.mo – Macau

.mp – Northern Mariana Islands

.mq – Martinique

.mr – Mauritania

.ms – Montserrat

.mt – Malta

.mu – Mauritius

.mv – Maldives

.mw – Malawi

.mx – Mexico

.my – Malaysia

.mz – Mozambique

.na – Namibia

.nc – New Caledonia

.ne – Niger

.nf – Norfolk Island

.ng – Nigeria

.ni – Nicaragua

.nl – Netherlands

.no – Norway

.np – Nepal

.nr – Nauru

.nu – Niue

.nz – New Zealand

.om – Oman

.pa – Panama

.pe – Peru

.pf – French Polynesia

.pg – Papua New Guinea

.ph – Philippines

.pk – Pakistan

.pl – Poland

.pm – St. Pierre and Miquelon

.pn – Pitcairn Island

.pr – Puerto Rico

.ps – Palestinian Territories

.pt – Portugal

.pw – Palau

.py – Paraguay

.qa – Qatar

.re – Reunion Island

.ro – Romania

.ru – Russian Federation

.rw – Rwanda

.sa – Saudi Arabia

.sb – Solomon Islands

.sc – Seychelles

.sd – Sudan

.se – Sweden

.sg – Singapore

.sh – St. Helena

.si – Slovenia

.sj – Svalbard and Jan Mayen Islands

.sk – Slovak Republic

.sl – Sierra Leone

.sm – San Marino

.sn – Senegal

.so – Somalia

.sr – Suriname

.st – Sao Tome and Principe

.sv – El Salvador

.sy – Syrian Arab Republic

.sz – Swaziland

.tc – Turks and Caicos Islands

.td – Chad

.tf – French Southern Territories

.tg – Togo

.th – Thailand

.tj – Tajikistan

.tk – Tokelau

.tm – Turkmenistan

.tn – Tunisia

.to – Tonga

.tp – East Timor

.tr – Turkey

.tt – Trinidad and Tobago

.tv – Tuvalu

.tw – Taiwan

.tz – Tanzania

.ua – Ukraine

.ug – Uganda

.uk – United Kingdom

.um – US Minor Outlying Islands

.us – United States

.uy – Uruguay

.uz – Uzbekistan

.va – Holy See (Vatican City State)

.vc – Saint Vincent and the Grenadines

.ve – Venezuela

.vg – Virgin Islands (British)

.vi – Virgin Islands (USA)

.vn – Vietnam

.vu – Vanuatu

.wf – Wallis and Futuna Islands

.ws – Western Samoa

.ye – Yemen

.yt – Mayotte

.yu – Yugoslavia

.za – South Africa

.zm – Zambia

.zw – Zimbabwe
