wiregoose · Networks and Communications

21 Nov 2013

The Impact of Computer and Network Security in
Corporations Today:

Understanding the Impact and Solutions of Computer
and Network Security in Today’s World


Steve Mallard

In today’s world of the internet and
ecommerce, many companies lack the expertise
and training to secure their critical network
infrastructure and data. Because of this shortfall,
many companies’ infrastructures are subject to
being compromised.

With extortion, cyber theft, malicious attacks
and internal theft occurring at an
unprecedented pace, many companies are just
becoming aware of the aforesaid problems.
While a few companies and corporations
awaken to a new world of problems, many
continue to sleep, totally oblivious to what is
happening as they go about their daily work.
This research gives terminology and briefs
from the Information Technology industry.

Until now, computer security and locking down
the network infrastructure has been on the back
burner with most companies and corporations
because of cost. According to a corporate poll in a
nationally recognized information technology magazine,
99% of U.S. companies now use some type of
preventive antivirus technology with 98% of these
companies now using firewalls. This electronic
security poll was based on compiled information
from larger corporations and their practices and
does not include small to midsize companies
found throughout the United States.

The cost of an electronic exploit can be greater than
a million dollars per incident, as reported by the
FBI. This information is found in the FBI’s
(Federal Bureau of Investigation) report of
cyber threats in the United States. In order to
help counterbalance this, smaller to midsized
companies could spend less than $5,000 to
harden their systems and operating systems and to
put a firewall in place. As stated in
this paper, these companies often lack the
resources, materials and funds to do so.

A look at the example companies and how they used
modern methods for “locking down” their networks and
clientele data will be discussed. The following steps have
been used to gather the analysis for this paper:

Collected data to support the weakness and underlying
causes of security collapse.

Used professional experience from the researcher’s
company to look at analyzing and confirming research

Consulted with Allen Corporation, Neill Corporation and
Taylor Corporation to gather information relevant to the
discussion on security in modern infrastructures.

Analyzed and collected data based on the scope outlined in
these sections.

Made the final analysis.

1960 Students become the first hackers

1970 Phone and Captain Crunch

1980 Hacker Boards on BBS (early ways to chat)

1983 Kids Begin Hacking

Note: Los Alamos National Laboratory, which helps develop
nuclear weapons was hacked this year.

1984 Hacker Magazines

1986 Computer Fraud and Abuse Act

1986 Boot sector viruses

1987 File infecting viruses

1988 First Antivirus solution

Encrypted viruses

1988 Unix Worm

1989 Cyber Espionage with Germans and KGB

1989 Credit Card Theft Goes Mainstream

1989 Date oriented viruses

1990 Stealth, Polymorphic, Multipartite and armored viruses

1991 Stealth, Polymorphic and Multipartite

1992 Code change viruses

1993 Viruses that attacked viruses

1993 Hacking used to cheat phone system to win contest

1994 Hacking Tools Become Available

1994 Encoded Viruses

1995 Kevin Hacks the Government

1995 First Macro Viruses

1996 Macro viruses affecting Microsoft Excel

1997 AOL (largest) ISP Hacked

1998 The Cult of Hacking Takes Off

1998 Spyware/malware begins to download to machines globally

1999 Macro viruses affecting Microsoft Word

1999 Software Security (Windows begins providing updates)

2000 Service Denied

2000 Worm viruses

2001 DNS Attack

General Internal Company Security and
Auditing Controls are being applied today so
that companies can have a standard approach
to bring together different opinions and ideas.
These Internal Controls are generally brought
together by a consortium of management and
other personnel to achieve objectives by the
company. Internal Controls allow companies
to maintain several of the following areas:

Efficiency of operations.

Compliance with laws and regulations.

Several documents have also been released to
suggest ideas about Internal Company Security
and Auditing Controls:

Company controls should be built into operations
currently in place.

All departments and personnel within a company
have input to Company Controls.

Company and Internal Controls help to govern
companies currently operating.

Risk Assessment

The identification of key weaknesses in computer systems, nodes on a network, clients,
connectivity and training.

Security Control Activities

Policies and Procedures that ensure all levels of the company are within compliance with
standards set by the company.

Activities include hierarchal structure, authorization, implementation, disaster recovery
and planning.

Information and Communication

Information from vendors is archived.

Information from customers (clients) is logged.

Communication along internal paths of the company to ensure all areas of protection are


Assessment of hardware firewall.

Assessment of Software Patches and Service Packs.

Management of all personnel.

Auditing of logs and change orders.

Monitoring of performance of all nodes on the network.

Monitoring of security alert sites of government and for profit sites.

The research paper at this point has focused on the
importance and makeup of generalized Internal
Company Security and Auditing Controls.
Weaknesses in this structure follow:


Poor or lack of judgment

Lack of training

Lack of concern

Disgruntled employees

Lack of review

Lack of training

It is up to management at all levels to monitor
company security and auditing controls.

Larger companies have a distinct advantage over smaller companies because of the
minimal work required to keep their network infrastructure secure. A small list of
duties below is required to keep data protected:

Periodic changes of passwords

Updating of policy and procedures

Auditing server logs

Auditing firewall logs

Researching new malicious threats at third party information sites

Physical security

Applying patches

Applying service packs

User management

Monitoring spyware/malware

Monitoring new installs

Monitoring performance

Monitoring IDS systems

Monitoring antivirus protection

Password policies are often overlooked after
the inception of the computer network.
Network administrators can use the Group
Policy editor on workstations or rules in Active
Directory to set password rules. Minimum length,
complexity and history settings can greatly
increase Computer and Network Security.
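
How the three settings named above work together, as an added example that is not from the original paper or from Active Directory itself. The thresholds (8 characters, 3 of 4 character classes, 3 remembered passwords), the function names and the use of PBKDF2 for the history store are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

MIN_LENGTH = 8        # assumed policy values, not taken from the paper
MIN_CLASSES = 3       # of: lowercase, uppercase, digit, symbol
HISTORY_DEPTH = 3     # number of previous passwords remembered
ROUNDS = 100_000      # PBKDF2 work factor (assumption)

def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)

def make_record(password):
    """History entries hold a random salt and a slow hash, never the password."""
    salt = os.urandom(16)
    return salt, _digest(password, salt)

def character_classes(password):
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])

def check_password(password, username, history):
    """Return the violated rules; an empty list means the password is accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if character_classes(password) < MIN_CLASSES:
        problems.append("not complex enough")
    if username and username.lower() in password.lower():
        problems.append("contains username")
    # Each stored entry has its own salt, so the candidate is re-hashed per entry.
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(_digest(password, salt), digest):
            problems.append("reused")
            break
    return problems

def change_password(password, username, history):
    """Append to the history only when every rule passes."""
    problems = check_password(password, username, history)
    if not problems:
        history.append(make_record(password))
    return problems
```

Because the history holds only salted hashes, a copy of the history store does not reveal earlier passwords directly, and a reused password is still detected by re-hashing the candidate with each stored salt.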

Companies should look at the update of policy
and procedures in order to keep up with changes
across its infrastructure. These regulations help to
guide all levels of information technology
professionals. The consistent and concise update is
critical to security in a network infrastructure.

The auditing of logs at all levels is critical and
cannot be stressed enough. These logs provide
accurate details on the access and changes
requested and made during a session. All of the
companies mentioned in this study review logs on
a frequent basis. This becomes one of the single
most important processes in looking for patterns
and breaches of security.
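
One way to look for patterns in firewall logs, as an added example that is not part of the original paper. The log line format, the thresholds, the function name and the addresses (documentation ranges) are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed line format: "<timestamp> <ALLOW|DENY> <proto> <src>:<sport> -> <dst>:<dport>"
LINE = re.compile(
    r"(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log, not real traffic.
SAMPLE_LOG = """\
2013-11-21T02:14:01 DENY TCP 203.0.113.9:40101 -> 192.0.2.10:21
2013-11-21T02:14:01 DENY TCP 203.0.113.9:40102 -> 192.0.2.10:22
2013-11-21T02:14:02 DENY TCP 203.0.113.9:40103 -> 192.0.2.10:23
2013-11-21T02:14:02 DENY TCP 203.0.113.9:40104 -> 192.0.2.10:3389
2013-11-21T02:15:10 ALLOW TCP 192.0.2.55:51000 -> 198.51.100.80:443
2013-11-21T02:16:00 DENY TCP 198.51.100.7:50001 -> 192.0.2.20:3389
2013-11-21T02:16:05 DENY TCP 198.51.100.7:50002 -> 192.0.2.20:3389
2013-11-21T02:16:10 DENY TCP 198.51.100.7:50003 -> 192.0.2.20:3389
2013-11-21T02:16:15 DENY TCP 198.51.100.7:50004 -> 192.0.2.20:3389
2013-11-21T02:16:20 DENY TCP 198.51.100.7:50005 -> 192.0.2.20:3389
firewall restarted by admin
"""

def audit(log_text, sweep_ports=4, repeat_hits=5):
    """Return (findings, unparsed line numbers) for one firewall log."""
    ports = defaultdict(set)   # source -> distinct denied destination ports
    hits = defaultdict(int)    # (source, destination, port) -> denied count
    unparsed = []
    for number, line in enumerate(log_text.splitlines(), 1):
        match = LINE.match(line.strip())
        if not match:
            if line.strip():
                unparsed.append(number)   # keep for manual review, never drop silently
            continue
        if match["action"] != "DENY":
            continue
        port = int(match["dport"])
        ports[match["src"]].add(port)
        hits[(match["src"], match["dst"], port)] += 1
    findings = [(src, "port sweep", sorted(p))
                for src, p in sorted(ports.items()) if len(p) >= sweep_ports]
    findings += [(src, "repeated denies", [port])
                 for (src, dst, port), n in sorted(hits.items()) if n >= repeat_hits]
    return findings, unparsed
```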

The outline below is provided to illustrate
and show how Computer and Network
Security has been implemented as a plan to a
higher education facility. This basic outline
targets the infrastructure of companies
through which the bases of protecting
internal assets are most critical. It shows the
effectiveness of the school’s control, auditing
and implementation.

Periodic control of Operating System Patches

Virtual Private networking to Domain Servers with Student Information Systems
Software from staff workstations

Periodic control of Operating System Service Packs

Antivirus software installed on each workstation, including student workstations

Spyware/malware control measures

“Pop up” control measures

Application updates (i.e., Microsoft Office and related)

Software Update Services Server installed to push updates approved by administration

Documented Policy and Procedures school level

Documented Policy and Procedures board level

Active Directory Server login for staff to establish IT Policies

Applications with logging of activities (customized)

Application and Security Logs running on Servers

Network Address Translation used at firewall level

DMZ (demilitarized zones) used on web server

Hardware firewall (three-homed) used with logs and specific port number restrictions.

IDS (Intrusion Detection Server) in place and monitored

Traffic monitor in place to monitor inbound, outbound and intranetworking packets

Disaster recovery plan in place

Control of patches and updates becomes one of the
most important aspects of Computer and Network Security. With
operating system flaws being one of the most critical
things to identify when operating a network, control
of pushing service packs or updates to computers
becomes extremely important. Companies should
have this in their plans, and someone in the
information technology department should be
assigned to check SUS (Software Update Services)
servers daily. This IT person should also check
security and operating system websites for alerts.
Often these sites have email alerts to alert end
users of a security problem.

Virtual Private Networks or VPNs should be
created between workstations and servers that
contain critical data. Using PPTP (Point-to-Point
Tunneling Protocol) ensures the data
is encapsulated as it travels across the internal
network. While packet capturing software can
be installed on a network, the tunnel will help to
encrypt the data and prevent loss due to
network sniffing.

Antivirus software must be installed on every
workstation and the software should be updated
daily. This control of updating can come through
push services through a server to ensure the virus
pattern or signature is up to date.

Spyware/malware control is becoming an issue
at all companies. Spyware/malware is software
downloaded automatically by some websites to
track a user’s internet surfing habits or to track
software use on the end user’s computer. Often
computers become burdened by spyware/malware
loaded in the operating system and become
nonfunctional or extremely slow.

Policy and Procedures

Committees and Subcommittees used to monitor changes, constant
updates and reviews by all members of the information technology team.

Risk Assessment

Value of product and client data, cost of breach. This assessment can give
the company an idea of the risk of a breach.


Inventory of software and hardware. Inventory allows for control of
products and control of sensitive information.

Needs Assessment

Users and applications “Need to Know Basis Only”. This form of
assessment allows for securing data at different levels based on rank or a
hierarchal structure in the company.


Physical security and ideal topologies to meet performance needs and
environmental controls.

Levels of Protection


Antivirus software, operating systems updates and patches,
application updates, VPN to servers, strong password

Private Servers

Antivirus software, operating systems updates and patches,
application updates, VPN from workstations, Kerberos
security, tokens and certificates, strong password protection

SNMP nodes

Password Protected SNMP manageable devices

Wireless Access Points

Wireless Encryption Protocols (128 bit minimum) (WPA
preferred, with a RADIUS Server)

MAC filtering


Acceptable ports and sites

IDS Systems

Backend for internal and external NIC cards used to monitor
all traffic within the organization

Network Address Translation Needs

Public to Private

for internal networks with few public


Public Servers

Located in DMZ areas, with all patches and updates applied and only
necessary ports open

Training programs

New software

New hardware

The overall strategy for the initial phase of protection
involves the publishing of Policy and Procedures.
Publication of Policy and Procedures includes the
hierarchal structure of the information technology
department and all tasks associated with it. The
following approach is used to monitor the updating of
the Policy and Procedures:

Document changes to existing Policy and Procedures.

Identify weaknesses

Test disaster recovery portion of Policy and Procedures

Test auditing procedures

Rewrite when significant amount of changes takes

Ongoing training

Training is in place from the lowest level of help desk to the
Information Technology manager and CIO. Training updates are
given to all employees outside of the IT department so that
security can be maintained throughout the company. These
companies use the following training methods:

Memos to all staff on new viruses

Memos to IT Personnel on new viruses

Memos to IT Personnel on opportunities to train at seminars

Seminars (Mandatory)

Seminars (Voluntary)


In house training by security personnel

In house training by outside resources

College reimbursement

New product training

Policy and procedure review

Proper use of the internet

Proper use of email and best practices

Employ certified and experienced personnel

All are focused on standards set by CERT.ORG
and other security industry leaders

Strong Policy and Procedures in place

Communications among internal company and
internal information systems.

Committees and subcommittees in place for
compliance issues

The problem statement components of “when security is
needed, and how to implement it” are answered as follows:

Industry wide compliance of recommendations by industry
leading experts.

Restating the key elements from previous chapters:

Employ trustworthy Information Technology workforce to
protect assets from within the companies as though assets were
their own.

Focus on industry statistics and separate fact from fiction for the
best protection of the security infrastructure.

Utilize all means of security including beta based security tools,
physical tools and update

and procedures as necessary.

Document all deficiencies and follow through with any and all
shortcomings to ensure the best and most adequate protection
from thieves, whether internal or external.

Ongoing communications between all levels of employees
from help desk to the CIO (Chief Information Officer).

CIOs cannot lose touch with reality of the “real” world of

A quality control program should be put into place to
maintain site wide integrity.

Policy and procedures must be reviewed.

Internet usage policies should exist and all employees should
review and sign acceptance letters.

Email usage policies should exist and all employees should
review and sign acceptance letters.

Systems must be tested in order to ensure quality.

Ongoing training must be put into place for IT professionals
and accurate records must be maintained in order to verify
training and training needs.

The recommendations from this study are as follows:

Companies should do extensive background checks on their
Information Technology employees. Checks should include
financial, criminal and past employment checks.

Companies should put Policy and Procedures into place to make
sure that all aspects of disaster recovery and planning are covered
including hardware failure, software failure, network setup,
personnel hierarchy, team responsibilities, deployment of all
software and appropriate licensing and other mission critical

Companies should have a consistent audit practice in place for
server logs, firewall logs, patches, service packs and updates.

The network infrastructure for companies needs a consistent
quarterly overview committee to look at security needs and
challenges. This would provide quarterly updates of mission
statements and policies as needed.

Companies need training programs in place for Junior as
well as Senior level analysts to understand the challenging
environment of security. These training programs need to
include industry leaders and seminars from software

Companies need consistent and open forums within their
infrastructure for communication of daily changes affecting
the security environment.

The hierarchal level of the internal department of
Information Systems/Technology needs to be dynamically
flexible to meet the needs and challenges facing the ever
changing world of information technology security in the

Small Ecommerce servers should “dump” data to a printer
and be reentered as a precautionary measure in case of a
breach on an internal file server.

“Companies must provide
high level training to meet the
needs of industry growth
while maintaining a balanced
budget and customer