Network and Computer Security

smileybloat Networks and Communications

20 Nov 2013 (3 years and 6 months ago)

79 views









Network and Computer Security

Steve Mallard

© 2007

The Impact of Computer and Network Security in Corporations Today:
Understanding the Impact and Solutions of Computer and Network Security in Today’s World

by

Steve Mallard

Computer and Network Security

Copyright © 2007 Steve Mallard

All rights reserved. No part of this book may be used or reproduced by any means, graphic, electronic, or mechanical, including photocopying, recording, taping or by any information storage retrieval system without the written permission of the publisher except in the case of brief quotations embodied in critical articles and reviews.

Printed in the United States of America

The Problem

In today’s world of the internet and ecommerce, many companies lack the expertise and training to secure their critical network infrastructure and data. Because of this fallacy, many companies’ infrastructures are subject to being compromised. With extortion, cyber theft, malicious attacks and internal theft occurring at an unprecedented pace, many companies are just becoming aware of the aforesaid problems. While a few companies and corporations awaken to a new world of problems, many continue to sleep, totally oblivious to what is happening as they go about their daily work. This research gives terminology and briefs from the Information Technology industry. This research provides an in-depth understanding of what network and infrastructure security problems are present and what will be required from companies and corporations in order to protect themselves from malicious activities.

Research Method and Design

The research behind this paper combines information from industry experts, national publications, the Internet, technology college textbooks and a large school system (a higher education facility) implementing a strategy for the ongoing development of a security plan for protecting their network infrastructure and data. The use of information from the latter was most beneficial to discussions of internal network infrastructure, interpretation of friendly vs. malicious and how to implement compliance for Computer and Network Security. The implementation plan outline is provided in Chapter 2, followed by the methodology used and a detailed plan in use at the researcher’s place of employment (a higher education facility) in Chapter 3.

Findings

As the study concludes, the primary requirement for compliance with network and infrastructure security is a strong and robust internal policy and procedure for the infrastructure of companies with continual training. Companies with no policies or weak policies will continue to fail with their compliance of security initiatives and the costs for repairing or troubleshooting their network will be far greater than that of a company within compliance. Ultimately, those companies with a strong policy and procedure that includes disaster recovery and failure will excel. Individual users, including the main hierarchy of the Information Technology Department, will have more assurances that they are protected as well as their individual client’s data. Companies and corporations must support Computer and Network Security initiatives along with meeting the budgetary needs of their department in order to maintain a healthy profit margin for the end product produced by the business. The lack of security in today’s infrastructure could result in the demise of the corporation.

Computer and Network Security - 1

Steve Mallard

The Impact of Computer and Network Security in Corporations Today:
Understanding the Impact and Solutions of Computer and Network Security in Today’s World

CHAPTER 1

Introduction

Problem Statement

Since the advent and infancy of the internet, many U.S. companies and corporations have functioned and operated with very little Computer and Network Security in place in their network infrastructure. Although many of these companies and corporations have hardware firewalls and intrusion detection systems in place, many of these businesses do not have policy and procedures to guide and govern their infrastructure security. Policies along with personnel are the backbone of Computer and Network Security. This backbone is the fragile structure that keeps companies secure in today’s digital world. These directives (Policy and Procedures) ensure that companies and corporations will be in compliance as long as the CIO or IT manager enforces them.

Although a definite and structured compliance has not been put in place, directives and training are the true tools needed to help companies maintain a form of security within their organization.

Until now, computer security and locking down the network infrastructure has been on the back burner with most companies and corporations because of cost. According to a corporate poll in a nationally recognized information technology magazine, 99% of U.S. companies now use some type of preventive antivirus technology with 98% of these companies now using firewalls. This electronic security poll was based on compiled information from larger corporations and their practices and does not include small to midsize companies found throughout the United States. The recently released polls in this research paper are usually focused on larger companies and corporations in the United States. The main reason for this was found by interviewing several midsized and smaller companies locally. These smaller companies and corporations usually have outsourced their Information Technology infrastructure to private organizations that do not have written policy and procedures for these smaller companies. Normally, these companies do not have any type of policy and procedure in place for their current clientele. Because of this practice, these companies and small corporations do not look at industry related security trends, security issues or any relevant areas of computer security. It was found, however, that <10% of the companies offer a service related plan that pushed security issues for their clientele.

This complacency can have an enormous impact on consumers and customers of the companies and corporations. With no or very little money or funding for a technology budget, these entities often use friends, family or small computer companies to fix or repair their computers or network. This results in a huge security gap between a professional information technology department and someone who is not trained in basic security needs.

With this gathered statistical information, numerous private and public corporations can appreciate the need for network infrastructure security, and are beginning to put in place multiple phases of internal and external protection for their digital and electronic assets. Small to mid-size organizations are hesitating due to simple inadequate funding and the rising cost and expenses of security of digital assets found in the modern workplace. Companies often miss the importance of the cost of a security breach vs. the cost of preventive security measures. This unintended hesitation in implementing network infrastructure security is causing more and more companies to be violated or exploited by malicious hackers and crackers. With this exploitation, companies subject themselves to lawsuits from their own customers. These companies often are ignorant of the simple fact that they have been exploited until customers report the issues to these companies and corporations. Many times, more than thirty days go by before someone alerts the company of a possible security breach.

The cost of an electronic exploit can be greater than a million dollars per incident as reported by the FBI. This information is found in the FBI’s (Federal Bureau of Investigation) report of cyber threats in the United States. In order to help counterbalance this, smaller to midsized companies could spend less than $5,000 to harden their systems and operating systems and put a stateful firewall in place. As stated in this paper, these companies often lack the resources, materials and funds to do so. While the FBI report shows reported incidents, there are thousands of incidents that go unreported. Often these incidents are yet to be discovered.

With this number of small to mid-size corporations ignoring or slowly implementing security measures, more and more electronic computer crimes are beginning to take place throughout the U.S. With extortion now moving into the digital age, many corporations do not report intrusions to law enforcement in order to avoid negative publicity. Reports of an intrusion could directly have a negative effect on the company’s sales and position in a global competitive market. Approximately 35% of corporations don’t report electronic intrusions to keep their competitors from gaining any type of advantage. Today’s modern bank robber can be a hacker thousands of miles away hidden behind spoofed IP addresses or behind a zombie computer. Reports are also withheld to avoid embarrassment with the general public. This withholding of information often leads to a band-aid fix.

Other means of protection include standardizing policy and procedures within corporations to help protect the network infrastructure of corporations. Policy and Procedures rely on the initial implementation along with annual or semiannual follow-ups. Without these policy and procedures in place, a company’s survival in the security race to protect their infrastructure is compromised.

Smaller and mid-sized companies very rarely have these policies in place and often operate their network by the “seat of their pants”. These companies rely on and trust their computer vendors to make them as safe as possible. Poorly trained personnel with these computer vendors can have a negative impact on the overall security of the organization.

Medium size companies often have the budget but the Information Technology manager is often stretched too thin to prevent or react to security needs of the company. These IT Managers often work longer hours and tend to miss early warning signs of network lapses. Through no fault of their own, breaches can occur and not be discovered for weeks.

Outsourcing information technology teams to other countries can have another form of negative impact with companies. With third world countries competing in a global market, the confidential information of clients and internal data can be jeopardized by these companies. Using third world countries for technical support can lead to disastrous consequences when relying on someone over a world apart to secure your network.

CIOs (Chief Information Officers) and IT Managers found in larger companies and corporations usually have these operational policies in place with a system for disaster recovery and planning. The logistics alone in larger corporations can be a double-edged sword. With these policies in place, the arduous task of changing the policies can take weeks or even months as management goes through several meetings with committees and sub-committees. Agreement among industry professionals on the correct internal computer security is usually led by a trained security analyst in the corporation who may or may not have proper certifications or security training. CIOs have to put raw faith and trust into the company’s security analyst in hopes that their knowledge is on the cutting edge in a technology that is changing daily. These analysts have to make decisions on how and when to implement protection within minutes of finding out vulnerabilities. The communication by the analyst must be thorough and accurate. The Computer and Network Security analysts have to look into the immediate future for growth of their business and often they have to try and foresee changes before these changes come about.

Smaller companies and young corporations, on the other hand, usually do not have policies or disaster recovery and planning policies in place. With limited budgets, these companies may have a limited number of IT (Information Technology) personnel within their ranks or may outsource all of their network or technology personnel. This limit in resources may cause a lack of compliance with industry standards and conformity to security standards. With laws in effect such as HIPAA (Health Insurance Portability and Accountability Act of 1996), GLB (Gramm-Leach-Bliley) and the U.S. Patriot Act, these companies may not be conforming to U.S. laws or rules imposed in their industry.

Therein lies the problem: Companies have to understand that internal policy and procedures on security (along with proper disaster recovery and planning) have to be put in place in order to protect their assets and the consumers they serve. With ecommerce growing by leaps and bounds each year, more and more companies from small to large are accepting credit cards, debit cards and electronic checks online. With over two million dollars in lost annual revenue in the United States, they must ensure that their initial investment will be worth the protection of their data and their client’s information. This act alone can help to prevent the breach in security of their corporate network. Setting and maintaining an information technology budget along with policies can help to ensure the protection of the company’s network.

Purpose of the Study

This study has multiple purposes: 1) to discuss the necessity of policy and procedures related to disaster recovery and planning and security; 2) to discuss the advances in security to include intrusion detection systems; 3) to discuss the impact of security in the business environment along with legal ramifications in the event data is stolen or destroyed; 4) to present and to validate the necessity for security.

This study will review the history of security and the ways it has grown to a multibillion dollar business over the past decade. Flaws in Operating Systems and applications, the history of the internet and the development of policy and procedures will be examined for a critical understanding of the importance of protecting corporate clients and assets.

The research will define policy and procedures and security across local area networks, metropolitan area networks and wide area networks to include the internet. It will provide an in-depth discussion of the potential impact on today’s corporations in terms of planning, cost, implementation and legal cost in the event of a breach. With consumer assets growing on the internet, a consumer puts trust in the company’s hands that their credit card or debit card is being protected. Consumers are often undereducated in finding reliable security oriented companies.

The aforesaid research, when implemented, is vital to the future of not just ecommerce, but to the survivability of companies today. With consumers spending more money on the internet than ever, companies have to protect their infrastructure. This study will present a plan for policy and procedures and how they outline good security practices and will illustrate the necessity for predicting the future of security in the information technology industry.

The fictitious names “Allen Corporation”, “Neill Corporation” and “Taylor Corporation” will be used to reference several companies known by the researcher along with a higher education facility. These references set up an example of small, medium and large businesses, and allow for the confidentiality of real operating businesses the researcher has worked with. This is needed in order to protect the anonymity of each entity and protects the operations and confidentiality of each business. These businesses represent the medical industry, a retail industry and a large production corporation.

Importance of the Study

It is very important to understand security with regard to the world’s economic infrastructure and how it is now based on the globalization of ecommerce. With billions of dollars based in virtual monies on the internet in databases worldwide, extortion, theft, identity theft and other malicious activities are becoming more widespread. The FBI’s security survey shows an increase to over $93 million dollars this year (2004). This report shows the following information about security losses this year alone:

o $26 million dollars - denial of service
o $11.5 million dollars - theft
o $55 million dollars - viruses

Identity Management to help prevent the security losses reported by the Federal Bureau of Investigation is deployed nationally in less than 50% of companies with less than 5000 employees. Identity Management alone for companies shows the following information about the deployment of networking sessions:

With this amount of profits being lost by businesses and corporations, companies are looking at electronic security to maintain a competitive edge over other businesses in the U.S. Companies are also looking at the cost of an electronic breach and the amount of money it would cost through damages lost by consumers or a client.

Information Technology professionals today struggle with keeping up with technological changes throughout the information technology industry. Often security patches and updates are produced by software vendors on a daily basis. With this in mind, Chief Information Officers try to keep their employees up-to-date on the operating systems, computer applications and proprietary software. This often leads to a “surface skimming” of security if CIOs and security analysts do not study and focus on current and past security issues.

“Surface skimming” covers the basics of security and is not in-depth enough to help companies adequately protect their networks.

Long meetings on the exact effect of missed software updates or patches result in lost monies by companies. Briefings often have to do for meetings on security and protection of the network infrastructure. These meetings often cover the releases and very rarely a description of the exact security problem.

Because these problems can be quite technical, often trainers or IT managers inform their colleagues to get the updates or patches and never explain the reasons why.

With internet oriented viruses and hackers and crackers out on the internet, the challenge now becomes ‘how to’ train these professionals who protect your infrastructure and how to protect your client and company assets.

Training young information technology professionals becomes a tedious never ending task for information technology managers. Often the IT departments are understaffed and overwhelmed by the amount of work they have to contend with. This leads to missed meetings, inadequate training or other related items being put off due to long hours of work. With training at the aforesaid companies, security becomes a priority for not just the IT department but also all of the other departments throughout the corporations.

Scope of the Study

This study encompasses many areas and a broad-based research of relevant materials from industry leading experts. The implementation of security in stages across organizations is of the utmost importance. The study uses research materials collected through November 2004 and will draw on the professional position of the researcher to observe the impact of security on organizations today. With over twenty years of experience, the researcher has gone through many implementations of new security trends. This study looks at the implementation of security of organizations from the CIO’s viewpoint.

Security among organizations today has several parts that need reviewing and updating. This study will identify why and how organizations are not meeting the demands of industry as ecommerce grows globally. This research paper provides research into all aspects of companies whether the company is small or big. Companies who the feasibility of how industries today could take precautionary measures to protect themselves if the companies would provide policy and procedures for all members of the company’s information technology team. With cyber crimes increasing every year, the research materials and written analysis of this study could encompass an enormous amount of material. Included in the appendixes of this study are such laws that have gone into effect over the past several years.

An implementation plan for security in a modern company covers both physical and cyber security. A look at the example companies and how they used modern methods for “locking down” their networks and clientele data will be discussed. The following steps have been used to gather the analysis for this paper:

1. Collected data to support the weakness and underlying causes of security collapse.
2. Used professional experience from the researcher’s company to look at analyzing and confirming research materials.
3. Consulted with Allen Corporation, Neill Corporation and Taylor Corporation to gather information relevant to the discussion on security in modern infrastructures.
4. Analyzed and collected data based on the scope outlined in these sections.
5. Made the final analysis.

Rationale of the Study

Protecting a corporation’s network is no longer an option. Many different opinions across the nation exist on how to protect a company’s assets. CIOs now hire security managers and security analysts just to review current policy and procedures and to look at the business’s infrastructure. In order to survive without a disruption of business or without having assets stolen, businesses today must meet industry requirements and look at their implementation strategies for long term protection.

This research will investigate several experts’ views on what is needed in order to protect internal data. From these materials researched, this study will present the Computer and Network Security infrastructure in place at the Allen Corporation, Neill Corporation, Taylor Corporation, and a higher education facility. Using the expertise of industry leading experts who have implemented, or utilized skills to protect their company is the best way to present a recommended security plan.

Overview of the Study

Every magazine listed in the bibliography contains information regarding security. With this tremendous amount of media press surrounding security, industry experts are beginning to agree and acknowledge the need for security. Every field in the information technology industry, including experts from consulting, auditing, financial, medical, government and technology vendors, is giving its opinions and interpretations on the broad subject of Computer and Network Security. Many of these experts have turned this subject matter into a lucrative business. This study will narrow the broad range down to discuss the impact on companies and provide a summary of recommendations based on the given companies within this paper. To look at all of security as a whole would be impractical. Security is constantly going through a metamorphosis. Because of these changes, this paper would be outdated if all security measures, programs and threats were outlined. As a result, this study will focus on the most critical and initial requirements for protection in the workplace.

In conclusion, the researcher’s professional background in the Information Technology field with over 20 years experience will contribute to the significance of this study.

CHAPTER 2

Review of Related Information

Introduction

As the internet came to be, security was low profile and on the back burner for most corporations. Connectivity was a primary concern for Information Technology Professionals as the internet began several years ago. With this beginning, malicious users began to infiltrate and modify systems and data. Sending out viruses and hacking through weak unprotected networks, these users became an immediate threat to legitimate businesses that wanted to expand and grow globally.

Many Chief Information Officers state that the ever growing concern of security is one of the biggest tasks facing the information technology field today. With spyware/malware, worms, viruses, internal threats and hackers, companies today face their most challenging time for ecommerce growth. With customers all over the globe, the protection of local assets as well as the customer’s accounts information is of the utmost importance.

The historical events that have caused such a concern with computers began with the simple hacking of phones by “Captain Crunch” and the adding of boot sector viruses to floppy disks. The growth of these malicious activities now can affect millions of users within a matter of minutes. The historical events for malicious and non malicious activities are as follows:

1960 Students become the first hackers
1970 Phone Phreaking and Captain Crunch
1980 Hacker Boards on BBS (early ways to chat)
1983 Kids Begin Hacking
    o Note: Los Alamos National Laboratory, which helps develop nuclear weapons, was hacked this year.
1984 Hacker Magazines
1986 Computer Fraud and Abuse Act
1986 Boot sector viruses
1987 File infecting viruses
1988 First Antivirus solution; Encrypted viruses
1988 Unix Worm
1989 Cyber Espionage with Germans and KGB
1989 Credit Card Theft Goes Mainstream
1989 Date oriented viruses
1990 Stealth, Polymorphic, Multipartite and armored viruses
1991 Stealth, Polymorphic and Multipartite
1992 Code change viruses
1993 Viruses that attacked viruses
1993 Hacking used to cheat phone system to win contest
1994 Hacking Tools Become Available
1994 Encoded Viruses
1995 Kevin Mitnick Hacks the Government
1995 First Macro Viruses
1996 Macro viruses affecting Microsoft Excel
1997 AOL (largest) ISP Hacked
1998 The Cult of Hacking Takes Off
1998 Spyware/malware begins to download to machines globally
1999 Macro viruses affecting Microsoft Word
1999 Software Security (Windows begins providing updates)
2000 Service Denied
2000 Worm viruses
2001 DNS Attack

Many other significant events have happened over the past forty years. This timeline is a brief listing of major events that took place.

As the timeline above shows, malicious activities have been around for forty years and are growing by leaps and bounds every day. With government laws on cyberterrorism being put into place all over the globe, the continual infection of machines along with hacking is at an all time high. The research materials presented show that, because of ecommerce and the growth of the internet, there is no end in sight to the growth of these activities. This study will present research materials to give several opinions on the recommendations to protect your network infrastructure.

Importance of Internal Company Security and Auditing Controls

This section discusses several categories of Internal Company Security and Auditing Controls. Included is a discussion on the general importance and purpose of having these controls in place and their relevance to protecting the internal and external infrastructure by the information technology department.

It is important to understand that the control of every aspect of the network infrastructure (out to the client side) is very important, and the lack of such controls by the company or the information technology department could be catastrophic.

General Internal Company Security and Auditing Controls

General Internal Company Security and Auditing Controls are being applied today so that companies can have a standard approach to bring together different opinions and ideas. These Internal Controls are generally brought together by a consortium of management and other personnel to achieve objectives by the company. Internal Controls allow companies to maintain several of the following areas:

o Efficiency of operations.
o Compliance with laws and regulations.

Several documents have also been released to suggest ideas about Internal Company Security and Auditing Controls:

o Company controls should be built into operations currently in place.
o All departments and personnel within a company have input to Company Controls.
o Company and Internal Controls help to govern companies currently operating.

According to policies of a higher education facility, companies should have a continuous program in place to put together and assemble training and implementation through several avenues:

Risk Assessment

o The identification of key weaknesses in computer systems, nodes on a network, clients, connectivity and training.

Security Control Activities

o Policies and Procedures that ensure all levels of the company are within compliance with standards set by the company.
o Activities include hierarchical structure, authorization, implementation, disaster recovery and planning.

Information and Communication

o Information from vendors is archived.
o Information from customers (clients) is logged.
o Communication along internal paths of the company to ensure all areas of protection are available.

Monitoring/Auditing

o Assessment of hardware firewall.
o Assessment of Software Patches and Service Packs.
o Management of all personnel.
o Auditing of logs and change orders.
o Monitoring of performance of all nodes on the network.
o Monitoring of security alert sites of government and for profit sites.

The research paper at this point has focused on the importance and makeup of generalized Internal Company Security and Auditing Controls. Weaknesses in this structure follow:

o Communication
o Poor or lack of judgment
o Lack of training
o Lack of concern
o Disgruntled employees
o Lack of review
o Lack of training

It is up to management at all levels to monitor company security and auditing controls.

General Information Technology Controls




Certification vendors have tried to measure the general knowledge of information technology professionals by providing tests in vendor and vendor-neutral areas. These certifications are used to show the competences of IT professionals. It is important to understand this information when looking at the internal controls of your information technology department. The strength of these certifications is indicated by the exposure to the conceptual material of the subject matter. The weakness of these certifications is the fact that materials and testing materials can be gained anywhere on the internet. Therefore, it is important to have qualified personnel who have certifications and the “hands on” experience of working with different operating systems and hardware.


With general controls of security and auditing at the company level, an adherence to controls at the IT department level is of the utmost importance because this department is at the front end of the network protection strategy.



In many networks, the company has an intricate, complex infrastructure of local area networks, virtual LANs, virtual private networks and security policies in place. However, many networks today lack the expertise and trained personnel to provide maintenance.


Miscellaneous Laws Defined


Computer Fraud and Abuse Act of 1986

Versions of this Act were intended solely to protect confidential information contained in government and financial industry computers from criminal theft by hackers, or to prevent conduct that actually "damaged" a computer’s programming.


Internet Security Act of 2000




Jurisdictional and Definitional Changes to the Computer Fraud and Abuse Act:

The Computer Fraud and Abuse Act, 18 U.S.C. § 1030, is the primary federal criminal statute prohibiting computer frauds and hacking. This bill would amend the statute to clarify the appropriate scope of federal jurisdiction. First, the bill adds a broad definition of “loss” to the definitional section. Calculation of loss is very important both in the company determining whether the $5,000 jurisdictional hurdle in the statute is met, and, at sentencing, in calculating the appropriate guideline range and restitution amount.





Gramm-Leach-Bliley

The Financial Modernization Act of 1999, also known as the “Gramm-Leach-Bliley Act” or GLB Act, includes provisions to protect consumers’ personal financial information held by financial institutions. There are three principal parts to the Gramm-Leach-Bliley Act’s privacy requirements: the Financial Privacy Rule, the Safeguards Rule and pretexting provisions. With this act in place, many non-financial institutions and businesses may be covered by this act. A higher education facility has posted this act because of the financial aid provided to students.



HIPAA



The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996. The United States Congress called for regulations promoting and advising administrative simplification of electronic healthcare transactions as well as many regulations ensuring the security and privacy of a patient’s information. The Act required Congress to enact laws implementing these goals by 1999. When Congress failed to do so, the Department of Health and Human Services stepped in and began promulgating regulations. The regulations apply to what are called "covered entities": health plans, healthcare providers and healthcare clearinghouses that transmit any electronic health information in electronic transactions. The regulations are made up of three distinct parts: transaction standards, privacy and security.


U.S. Patriot Act

This law dramatically expands the ability of states and the Federal Government to conduct surveillance of American citizens and corporations.

The Government can monitor an individual's or company’s web surfing records, use roving wiretaps to monitor phone calls made by individuals "proximate" to the primary person being tapped, access Internet Service Provider records, and possibly monitor the private records of the general public involved in legitimate protests. All companies are governed by this law after the September 11 tragedy.



Impact of Laws on Companies

Several laws have been put into place, including the Computer Fraud and Abuse Act of 1986, Gramm-Leach-Bliley, HIPAA, the U.S. Patriot Act and others, which commonly affect some if not most companies.

Medical facilities are governed by all of these and especially by HIPAA. With this law in effect, companies (health organizations) are especially affected due to the strict regulation of privacy and the protection of patient records.




Impact on Operations and Organization

Security can have a direct impact on organizations by creating an infrastructure that is often slowed by taking security measures. These measures on appearance may “hinder” the day-to-day operations of the facility. Personnel may complain of the “hardened” security measures put into place; however, these measures are needed.



Impact on IT Infrastructure



The information technology department can often be undermanned, and a lack of trained personnel may be in place when trying to conform to industry standards for security. This can lead to poor or inadequate protection of data. Databases such as SQL, MySQL, SAP or Oracle can contain millions of customers and demographic information which needs to be protected. With this much data, the overall risk becomes greater because of the loss that can occur.

With databases such as those listed above, multiple servers can be used for redundancy, creating twice the workload on IT personnel. This researcher along with industry experts agree that logs on all servers should be in place for an adequate auditing system. Industry leaders also agree that even when security logs are in place, if the internal controls for auditing (the reading of logs) are not in place, this can lead to disaster and loss of data.


Larger companies have a distinct advantage over smaller companies because of the minimal work required to keep their network infrastructure secure. A small list of duties below is required to keep data protected:

• Periodic changes of passwords

• Updating of policy and procedures

• Auditing server logs

• Auditing firewall logs

• Researching new malicious threats at third party information sites

• Physical security

• Applying patches

• Applying service packs

• User management

• Monitoring spyware/malware

• Monitoring new installs

• Monitoring performance

• Monitoring IDS systems

• Monitoring anti-virus protection


Password policies are often overlooked after the inception of the computer network. Network administrators can use the group policy editor in workstations or rules in Active Directory to set password rules. Minimum length, complexity and history settings can greatly increase Computer and Network Security.
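An added example, not part of the original paper: the three password settings named above (minimum length, complexity and history) written as a check that runs before a new password is accepted. The numeric values, the names `PasswordPolicy`, `Account`, `violations` and `change_password`, and the use of PBKDF2 for the stored history are assumptions made for illustration; in a Windows domain the same rules are set through Group Policy rather than code.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass(frozen=True)
class PasswordPolicy:
    # Assumed values for illustration; the paper names the settings, not numbers.
    min_length: int = 12      # minimum password length
    min_classes: int = 3      # of lower, upper, digit, symbol (complexity)
    history_size: int = 5     # most recent passwords that may not be reused


@dataclass
class Account:
    username: str
    # (salt, digest) pairs for the current and previous passwords, oldest first.
    history: list = field(default_factory=list)


def _digest(password: str, salt: bytes) -> bytes:
    # Only salted PBKDF2 digests are kept, never the passwords themselves.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def _character_classes(password: str) -> int:
    return sum((
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ))


def violations(policy: PasswordPolicy, account: Account, candidate: str) -> list:
    """Return the rules a candidate password breaks (empty list = acceptable)."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append("too_short")
    if _character_classes(candidate) < policy.min_classes:
        problems.append("too_simple")
    if account.username and account.username.lower() in candidate.lower():
        problems.append("contains_username")
    recent = account.history[-policy.history_size:] if policy.history_size else []
    if any(hmac.compare_digest(_digest(candidate, salt), old)
           for salt, old in recent):
        problems.append("reused")
    return problems


def change_password(policy: PasswordPolicy, account: Account, candidate: str) -> list:
    """Apply the change only if the policy is met; return any violations."""
    problems = violations(policy, account, candidate)
    if not problems:
        salt = os.urandom(16)
        account.history.append((salt, _digest(candidate, salt)))
        # Keep just enough history to enforce the rule (at least the current one).
        account.history = account.history[-max(policy.history_size, 1):]
    return problems
```

With `history_size=2`, a password becomes usable again only after two newer passwords have replaced it, which is the behaviour a history setting is meant to enforce.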





Companies should look at the update of policy and procedures in order to keep up with changes across their infrastructure. These regulations help to guide all levels of information technology professionals. The consistent and concise update is critical to security in a network infrastructure.


The auditing of logs at all levels is critical and cannot be stressed enough. These logs provide accurate details on the access and changes requested and made during a session. All of the companies mentioned in this study review logs on a frequent basis. This becomes one of the single most important processes in looking for patterns and breaches of security.
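One way to turn the log review described above into a repeatable check, as an added example that is not from the original paper. The log format, the sample lines, the change-order IDs and the thresholds are all constructed for illustration; the function flags bursts of failed logins from one source, a successful login that follows such a burst, changes with no approved change order, and lines that cannot be read.

```python
import re
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timedelta

# Constructed sample in a made-up format (not from any product or the paper).
SAMPLE_LOG = """\
2013-11-20T02:14:01 srv01 LOGIN_FAIL user=admin src=10.0.0.57
2013-11-20T02:14:09 srv01 LOGIN_FAIL user=admin src=10.0.0.57
2013-11-20T02:14:15 srv01 LOGIN_FAIL user=admin src=10.0.0.57
2013-11-20T02:14:22 srv01 LOGIN_FAIL user=root src=10.0.0.57
2013-11-20T02:14:30 srv01 LOGIN_FAIL user=admin src=10.0.0.57
2013-11-20T02:15:02 srv01 LOGIN_OK user=admin src=10.0.0.57
2013-11-20T02:16:40 srv01 CONFIG_CHANGE user=admin src=10.0.0.57 change=CO-0000
2013-11-20T08:05:11 srv01 LOGIN_FAIL user=jdoe src=10.0.0.12
2013-11-20T08:05:30 srv01 LOGIN_OK user=jdoe src=10.0.0.12
2013-11-20T09:30:00 fw01 CONFIG_CHANGE user=netops src=10.0.0.20 change=CO-1042
this line is damaged and cannot be parsed
"""

Finding = namedtuple("Finding", "kind line_no detail")

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>LOGIN_FAIL|LOGIN_OK|CONFIG_CHANGE)"
    r" user=(?P<user>\S+) src=(?P<src>\S+)(?: change=(?P<change>\S+))?$"
)


def audit(lines, approved_changes=frozenset(), threshold=5,
          window=timedelta(minutes=10)):
    """Review log lines in file order and return a list of Finding tuples."""
    findings = []
    failures = defaultdict(deque)   # source address -> recent failure times
    flagged = set()                 # sources already reported for a burst
    for line_no, raw in enumerate(lines, start=1):
        line = raw.strip()
        if not line:
            continue
        match = LINE.match(line)
        try:
            when = datetime.fromisoformat(match["ts"]) if match else None
        except ValueError:
            when = None
        if when is None:
            # A line the auditor cannot read is itself worth reviewing.
            findings.append(Finding("UNPARSED_LINE", line_no, line))
            continue
        src, user = match["src"], match["user"]
        recent = failures[src]
        while recent and when - recent[0] > window:
            recent.popleft()        # forget failures older than the window
        if match["event"] == "LOGIN_FAIL":
            recent.append(when)
            if len(recent) >= threshold and src not in flagged:
                flagged.add(src)
                findings.append(Finding(
                    "FAILED_LOGIN_BURST", line_no,
                    f"{len(recent)} failed logins from {src}"))
        elif match["event"] == "LOGIN_OK":
            if src in flagged and recent:
                findings.append(Finding(
                    "SUCCESS_AFTER_BURST", line_no,
                    f"{user} logged in from {src} after repeated failures"))
            recent.clear()
            flagged.discard(src)
        elif match["change"] not in approved_changes:
            findings.append(Finding(
                "UNAPPROVED_CHANGE", line_no,
                f"{user} made change {match['change']} without a change order"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG.splitlines(), approved_changes={"CO-1042"}):
        print(finding)
```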

Research should be done on a daily basis at third party security sites. This action falls hand in hand with the monitoring of IDS systems, service packs and updates, antivirus suites, firewall and security logs along with the overall “health” of the network.


This research becomes important to “not missing” information that can be critical to a company’s survival. According to Juniper Networks, 93% of companies who lose data center access for 10 days or more file for bankruptcy protection within a year of the loss and a breach can cost an average of $475,000 in losses and the recovery of the data.


Physical security violations are likely caused by employees of companies. Over 76% of companies surveyed by Juniper Networks reported that physical security violations and hacking were more than likely caused by internal resources.



Often companies overlook user management and fail to restrict access as needed, and the companies fall short on maintaining an archive of users and former users/employees of a network infrastructure.
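The user-management gap described above can be checked by comparing the network's accounts against the personnel archive. This is an added example, not from the original paper; the CSV layouts, names, IDs, groups and the role-to-group map are constructed assumptions.

```python
import csv
import io

# Constructed sample data: a personnel archive and a list of network accounts.
ROSTER_CSV = """\
employee_id,name,status,role
1001,Pat Rivera,active,finance
1002,Sam Okafor,terminated,it
1003,Lee Chen,active,it
"""

ACCOUNTS_CSV = """\
username,employee_id,enabled,groups
privera,1001,yes,finance;hr-records
sokafor,1002,yes,it;domain-admins
lchen,1003,yes,it;domain-admins
svc_backup,,yes,backup-operators
tempuser,1009,no,finance
"""

# Groups each role needs; membership in anything else is excess access.
ROLE_GROUPS = {"finance": {"finance"}, "it": {"it", "domain-admins"}}


def reconcile(roster_csv, accounts_csv, role_groups):
    """Return (kind, username, detail) findings for accounts needing review."""
    roster = {row["employee_id"]: row
              for row in csv.DictReader(io.StringIO(roster_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        user = acct["username"]
        emp_id = acct["employee_id"].strip()
        enabled = acct["enabled"].strip().lower() == "yes"
        groups = {g for g in acct["groups"].split(";") if g}
        owner = roster.get(emp_id)
        if not emp_id:
            # Shared or service account nobody is accountable for.
            findings.append(("NO_OWNER", user, "not tied to any person"))
        elif owner is None:
            # The archive of current and former users is incomplete.
            findings.append(("NOT_IN_ARCHIVE", user,
                             f"employee {emp_id} missing from archive"))
        elif owner["status"] != "active":
            if enabled:
                findings.append(("FORMER_EMPLOYEE_ENABLED", user,
                                 f"{owner['name']} is {owner['status']}"))
        else:
            excess = groups - role_groups.get(owner["role"], set())
            if enabled and excess:
                findings.append(("EXCESS_ACCESS", user,
                                 ",".join(sorted(excess))))
    return findings


if __name__ == "__main__":
    for finding in reconcile(ROSTER_CSV, ACCOUNTS_CSV, ROLE_GROUPS):
        print(finding)
```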


All of these items are found in the policy and procedures at the Allen Company, Neill Company, Taylor Company and a higher education facility. Because of these standards, a distinct “upper hand” is given to the companies. Each of the above items is looked at on a daily basis and these companies review the overall standards set by third party vendors.


Smaller companies, on the other hand, may not have the financial or physical resources to comply with these standards. These companies may outsource their work to small firms or “mom and pop” companies that may not be properly trained in any of the above areas. Often small companies have no policy and procedures in place, and when violations or breaches of security take place, these companies may not have any idea that data has been compromised. Larger companies often recommend an internal policy for small companies. The research found through the interview of experts at the Allen, Neill and Taylor companies indicates that small companies should hire reputable outside companies that have certifications in the area of security.


Policy and procedures are a set of directives used to outline the hierarchy of the Information Technology personnel department and their day-to-day procedures. The importance behind these directives cannot be stressed enough. Included in these procedures are the “what ifs” for disaster recovery and planning. With millions of records in place, disaster planning becomes an integral part of Computer and Network Security. The mentioned companies have all implemented policies and procedures to protect the assets in their companies.


Information technology departments often become stressed with the day-to-day activities of monitoring security and an air of complacency can fall over the staff. Management needs to have an internal auditing process available for the IT department to be sure that the department stays within compliance of industry related security procedures.

Auditing teams and committees need to be formed to review and to govern the actions of the information technology department.



Summary of Chapter 2



This chapter presented discussion and cited expert opinions on how Computer and Network Security can affect both managerial and IT personnel. Companies wishing to be secure must meet strict guidelines as outlined in order to protect their personal and client data.

The ability for companies to protect their network through Internal Company Security and Auditing Controls and to understand new laws and technology will have a dynamic impact on the company’s survival. This research shows that larger companies and corporations have a direct advantage over small companies. It could take small companies months to gain strict guidelines and regulations to conform to what industry experts call “in compliance”. Initial startup cost could be several thousand dollars along with several thousand dollars to train information technology personnel.








































CHAPTER 3

Methodology





Approach



The approach used in this study uses the research of relevant information along with filtering of the available information. The approach also used interviewing of internal associates in the Information Technology field. These information technology experts are responsible for the compliance of Computer and Network Security with a background of professional knowledge and previous experience in the field of Information Technology security. During the developing of this study, there was a specific focus on the collecting of information needed to accurately look at the problem of protection of network infrastructure and data. This allowed for the presentation of discussions found later in this paper under “Review of Related Information”.



Discussion was provided for several of the subjects relating to Policy and Procedures and Internal Company Security and Auditing Controls. The impact of network infrastructure is discussed, along with the impact of breaches of U.S. companies. These findings of several of the companies along with the researcher’s first-hand experience in protecting network infrastructures at a higher education facility are examples in this research paper of related information concerning Computer and Network Security.


Data Gathering Method



The primary method used by this study was the typical and historical method of research. This research method uses the interpretation of a collection of materials and facts in order to present all of the discussion materials. The many experiences of the researcher with a higher education facility along with the interviews of associates of a higher education facility were also used to gather the material needed for this study. Several of the appendices have extracts of publications found on the world wide web and are used as factual backups to many of the discussions listed in this research paper. These appendices contain relevant articles and excerpts from several laws.


The secondary method used by this study is actual case studies. This method allowed the researcher to challenge and interview many industry experts in the Information Technology field. This along with first-hand experience, internal interviews and resources allowed the researcher to formulate the validating and presenting of Policy and Procedures along with methods and methodologies of protecting a network’s infrastructure.


The secondary method used by the study is the case study. This method allowed the researcher to “observe” the predictions and theories of industry experts, along with utilizing the first-hand experience and internal interviews to formulate the basis for presenting and validating the security implementation plan. The paper itself is based on looking at and studying the mentioned companies and the gathering of specific subject matter related to information technology security.


Database of Study



This study collected related information on Understanding the Impact and Solutions of Computer and Network Security from external publications such as newspapers, Internet websites, corporate publications, etc. Magazines which offered the most relevant information included Information, a nationally recognized information technology magazine, Networking, Automation Notebook and TechNet. These various publications target security related information in the full scope of Information Technology, their target audience is all levels of IT, and their focus is on all areas of the technology field. The researcher’s approach was to use “Google.com” and search for “Computer and Network Security”, “protecting your network”, “viruses”, “spyware/malware”, and “hacking”. This research method presented many direct hits and resources. All of the information had to be filtered for relevant information in order to get directly related hits on the topic of Computer and Network Security.


To prove discussions on Policy and Procedures and Internal Company Security and Auditing Controls, various sources were used including the Policy and Procedures of a higher education facility and policy and procedures from the companies named in this study. These many sources of information along with board and entry level policies are vital in establishing the outline and importance of Policy and Procedures.


Several areas of the research contained different surveys which are used in the context of this research paper. Results of these surveys help to contribute to the overall discussion of the impact of companies in terms of finances, operations and organizational structure. Surveys are an important contribution for this paper in that they show what organizations are doing country and worldwide.


The appendices were used to show many of the laws going into place along with the Federal Bureau of Investigation’s annual report. Due to their length, many of the laws, such as the U.S. Patriot Act, have been summarized. Actual content is used in some of the laws to provide valuable information to readers of this research paper.


Validity of Data



Much of the research was garnered from reputable and leading industry sources. These resources represent a diverse group of Information Technology professionals. The discussions on the setup of their individual networks came from CIOs and Information Technology Managers with a combined time in the IT field of over 65 years. Much of the information on Policy and Procedures came from the author’s place of employment. The updates and service pack information, along with spyware/malware information, came from sources on the internet including Microsoft Corporation and Lavasoftusa.com. Other sources included magazine periodicals from CMP and other publishers, including Microsoft.


Finally, the implementation plan used to outline security in the workplace is a compilation of interviews through the Allen, Neill and Taylor Corporations. The cumulative efforts of the researcher’s association with these companies contributed greatly to the outline given in this research paper. The information technology managers and CIOs from these organizations provided key input and knowledge from several personnel who have more than sixty-five years of combined expertise.


This outline provides input from local industries with adequate reputations and leadership foresight and could be used to show the most cost-effective approach while providing the best security for industries today. This outline provides guidance used by leaders in the information technology industry.



Originality and Limitations of Data



There has been no study done companywide for the Allen Company, Neill Company or Taylor Company on infrastructure security until this research took place. A higher education facility has undertaken a study several times and does quarterly reviews of security policy at least twice each year within their own facility. This study has revolutionized the importance of network infrastructure security by bringing security into focus across these Middle Tennessee companies and corporations.



Because the Information Technology field has very few standards in place for Computer and Network Security, this study has limitations based on the ideology and philosophy of sources. While CERT.ORG and other institutions, including CompTIA, set standards for the “what to check” and security certifications, there are no industry wide guidelines concerning Computer and Network Security. No in-depth research was done to uncover the reason for this situation. Many companies use the following companies and organizations as references and resources for Computer and Network Security and advice.



• Techrepublic: www.techrepublic.com

• Carnegie Mellon: www.cert.org

• United States Computer Emergency Readiness Team: www.us-cert.gov

• The Center for Education and Research in Information Assurance and Security: www.cerias.purdue.edu

• National Security Institute: http://nsi.org/compsec.html

• Microsoft: www.microsoft.com/security/default.mspx


Outline of the Implementation Plan at a higher education facility

The outline below is provided to illustrate and show how Computer and Network Security has been implemented as a plan at a higher education facility. This basic outline targets the infrastructure of companies through which the bases of protecting internal assets are most critical. It shows the effectiveness of the school’s control, auditing and implementation.



A. Periodic control of Operating System Patches

B. Virtual Private networking to Domain Servers with Student Information Systems Software from staff workstations

C. Periodic control of Operating System Service Packs

D. Anti-virus software installed on each workstation to include student workstations

E. Spyware/malware control measures

F. “Pop up” control measures

G. Application updates (i.e., Microsoft Office and related)

H. Software Update Services Server installed to push updates approved by administration

I. Documented Policy and Procedures school level

J. Documented Policy and Procedures board level

K. Active Directory Server login for staff to establish IT Policies

L. Applications with logging of activities (customized)

M. Application and Security Logs running on Servers

N. Network Address Translation used at firewall level

O. DMZ (demilitarized zones) used on web server

P. Hardware firewall (three-homed) used with logs and specific port number restrictions

Q. IDS (Intrusion Detection Server) in place and monitored

R. Traffic monitor in place to monitor inbound, outbound and intranetworking packets

S. Disaster recovery plan in place


Control of patches and updates becomes one of the most important aspects of Computer and Network Security. With operating system flaws being one of the most critical needs to identify when operating a network, control of pushing service packs or updates to computers becomes extremely important. Companies should have this in their plans and someone in the information technology department should be assigned to check SUS (Software Update Services) servers daily. This IT person should also check security and operating system websites for alerts. Often these sites have email alerts to alert end-users of a security problem.


Virtual Private Networks or VPNs should be created between workstations and servers that contain critical data. By using PPTP (Point to Point Tunneling Protocol), this ensures the data is encapsulated as it travels across the internal network. While packet capturing software can be installed on a network, this will help to encrypt the data and prevent loss due to network sniffing.



Antivirus software must be installed on every workstation and the software should be updated daily. This control of updating can come through push services through a server to ensure the virus pattern or signature is up to date.


Spyware/malware control is becoming an issue at all companies. Spyware/malware is software downloaded automatically by some websites to track a user’s internet surfing habits or to track software use on the end user’s computer. Often computers become burdened by spyware/malware loaded in the operating system and become nonfunctional or extremely slow. Control of spyware/malware and the protection of workstations fall on the information technology department. Control of spyware/malware helps to prevent pop-ups which in turn helps to keep productivity high.


Application updates should be controlled by the information technology department and periodic update checks should be performed by personnel assigned to the IT department. Because security



Without the above recommendations in place, companies can have a breach in their network infrastructure by hacking, virus infestation or physical security violation. Breaches can cause the loss of consumer or customer data. This loss can involve the loss of credit card data, personal demographic information, or other valuable data. Breaches can cost the company an insurmountable amount of money and public embarrassment.


Two large universities were recently hacked and the embarrassment and possible lawsuits that could follow could jeopardize the integrity of the universities.


Summary of Chapter 3



The methods used and sources utilized for conducting this study are simple. Supporting data from leading industry resources that has been supplemented with internal interviews along with the researcher’s personal experience provide the supporting data as stated.

These methods, no matter how simple, are the basis and foundation needed to support Computer and Network Security and guard the infrastructure of computer and data assets from within a company or corporation. Research was also guided by magazines, textbooks, corporate policies and the Internet along with industry leading experts’ advice.


With the aforesaid resource information available, the researcher had to “weed out” and screen undesirable information and utilize documentation that offered the greatest benefit to the research paper. This “weeding out” of information helped to keep valid data within the scope of this research paper.


The above outline of a higher education facility provides a basic outline and framework for a moderately detailed plan to support and implement the need for security of the information technology department network infrastructure in the modern workplace.

This security plan is a basic example of a “case study” for companies and corporations desiring to “lock down” or secure their network infrastructure.






































CHAPTER 4

Data Analysis


Introduction



The Scope section of Chapter 1 explains the outline of Chapter 2 with a primary focus of security in the corporate infrastructure. The majority of companies of any significant size practice what this research paper has found. Internal Controls and Auditing inside the infrastructure of the company along with the Controls in place for the Information Technology Department are reviewed in this paper based on the four companies outlined in previous chapters.


Implementation Methodology Used at Neill, Taylor, Allen Companies and a higher education facility



Senior management at all of the companies under consideration constantly looks at the need to protect sensitive data. During the initial stages of protection, each of these companies followed the same pattern of implementing Computer and Network Security.



Each of these companies developed policy and procedures to guide and deliver procedures for all technology professionals at all levels within the companies. With these members of the IT department looking at securing the data within the company, this became the starting point and first layer of securing information. The development of these policy and procedures created a foundation for the practices delivered by the companies. These companies developed the policy and procedures to guide their information technology professionals as a direct entry in the company wide policy and procedures. The Allen, Taylor and Neill companies along with a higher education facility maintain an active and dynamic set of policy and procedures that can be changed on the “fly”. Each of these changes is passed through a formal form of communication in order to get a level and uniform understanding of the policy and procedures that are put in place.

The following steps are from integral studies of these companies:



• Policy and Procedures
    o Committees and Subcommittees used to monitor changes, constant updates and reviews by all members of the information technology team.

• Risk Assessment
    o Value of product and client data, cost of breach. This assessment can give the company an idea of the risk of a breach.

• Inventory
    o Inventory of software and hardware. Inventory allows for control of products and control of sensitive information.

• Needs Assessment
    o Users and applications “Need to Know Basis Only”. This form of assessment allows for securing data at different levels based on rank or a hierarchical structure in the company.

• Structure
    o Physical security and ideal topologies to meet performance needs and environmental controls.

• Levels of Protection
    o Workstation
        ▪ Antivirus software, operating system updates and patches, application updates, VPN to servers, strong password protection
    o Private Servers
        ▪ Antivirus software, operating system updates and patches, application updates, VPN from workstations, Kerberos security, tokens and certificates, strong password protection
    o SNMP nodes
        ▪ Password Protected SNMP manageable devices
    o Wireless Access Points
        ▪ Wireless Encryption Protocols (128 bit minimum)
        ▪ MAC filtering
    o Routers
        ▪ Acceptable ports and sites
    o Firewalls
        ▪ Acceptable ports and sites
    o IDS Systems
        ▪ Backend for internal and external NIC cards used to monitor all traffic within the organization
    o Network Address Translation Needs
        ▪ Public to Private IPs for internal networks with few public IP addresses
    o Public Servers
        ▪ Located in DMZ areas, all patches and updates, and only necessary ports open
    o Training programs
        ▪ New software
        ▪ New hardware

The methodology used by the Allen, Neill and Taylor companies along with a higher education facility also includes consideration of company growth and changes in security needs.



Policy and procedures provide the guidance for the IT department to use as a guideline in their day-to-day operations. These policies also supply the personnel from the IT department with directives for what to do in a breach and disaster recovery and planning for catastrophic events.


Risk assessment provides the protection vs. breach cost. Risk assessment looks at the hardware, software, physical security and other areas defined as a potential risk. It is this assessment that can act as a guide for the CIO when protecting the company’s network infrastructure.


CIOs also have to look at the ever-changing inventory of wireless devices, tablet PCs, PDAs, servers, workstations, and other nodes on the company’s network. The importance of inventory is often overlooked by junior Information Technology professionals. These personnel often overlook this important topic because of the changing out of antiquated equipment with new equipment. Often newer nodes placed on a network are not hardened. This negligent act is usually because of the “rush” to replace the old node and to get the newer node operational to save money and time.


The needs assessment found above is based on personnel security and the relevance behind restricting personnel from specific applications or areas within the corporate infrastructure.


The physical structure of the network layout becomes important to the security analyst for several reasons. Wireless devices too close to outside walls can broadcast beyond the company’s physical boundaries. The server room may be in a location where physical security becomes an issue. Switches or hubs located in areas throughout a business can leave the network infrastructure vulnerable to internal security violations. Looking at these vulnerabilities, it is easy to understand how the structure of a network can become an important issue for companies.


Companies today need to look at the level of protection needed for different nodes on the company’s network. Because servers may contact the outside world, these nodes may need to be hardened more than a typical desktop. Although all nodes need to be protected, how much protection a node needs depends on where in the network infrastructure it is placed.


Simple Network Management Protocol (SNMP) is used to manage many devices on networks, including routers, switches, wireless devices and printers. With this protocol in place, unwary companies could leave this management tool open and have their network reprogrammed by a malicious individual.
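
As an added illustration (not part of the original text), the following Python sketch audits community directives in a Net-SNMP style `snmpd.conf` for the "open management tool" condition described above: default community strings, no source restriction, and write access. The sample configuration and its community names are constructed for the example.

```python
"""Audit Net-SNMP style community directives for "open" SNMP management."""

# Community strings that ship as defaults on many devices.
DEFAULT_COMMUNITIES = {"public", "private"}
# Net-SNMP directives of the form: <directive> COMMUNITY [SOURCE [OID]]
# The value records whether the directive grants write access.
DIRECTIVES = {"rocommunity": False, "rwcommunity": True,
              "rocommunity6": False, "rwcommunity6": True}
# Sources that place no restriction on who may query the agent.
OPEN_SOURCES = {"default", "0.0.0.0/0", "::/0"}


def audit_snmp_config(text):
    """Return a list of (line_number, community, [issues]) for risky lines."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        directive = fields[0].lower()
        if directive not in DIRECTIVES or len(fields) < 2:
            continue
        community = fields[1]
        # An omitted SOURCE means the agent accepts requests from anywhere.
        source = fields[2] if len(fields) > 2 else "default"
        issues = []
        if community.lower() in DEFAULT_COMMUNITIES:
            issues.append("default community string")
        if source.lower() in OPEN_SOURCES:
            issues.append("no source restriction")
        if DIRECTIVES[directive]:
            issues.append("write access (device can be reconfigured)")
        if issues:
            findings.append((lineno, community, issues))
    return findings


# Constructed sample configuration (not from a real device).
SAMPLE_CONFIG = """\
# management access
rocommunity public
rwcommunity private 0.0.0.0/0
rocommunity n0c-Mon1tor-7 10.20.0.5
rwcommunity n0c-Adm1n-9 10.20.0.5   # restricted, but still writable
"""

if __name__ == "__main__":
    for lineno, community, issues in audit_snmp_config(SAMPLE_CONFIG):
        print(f"line {lineno}: community {community!r}: {', '.join(issues)}")
```

Community strings in SNMPv1 and SNMPv2c are sent in cleartext, so a clean result from this audit does not replace moving managed devices to SNMPv3 with authentication and encryption.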


The gateway from most networks to the internet is a router. Misconfigured routers can lead to intrusion into a company’s network.


Firewalls are the bodyguards of most networks. Properly configured firewalls can protect corporate infrastructures. Firewalls must be dynamic enough to change with the ever-changing world of security. Corporations need to look at the individual port numbers often used by viruses or hackers to gain access to internal networks.
