Network Security

wiregoose | Networks and Communications

21 Nov 2013

The Impact of Computer and Network Security in
Corporations Today:

Understanding the Impact and Solutions of Computer
and Network Security in Today’s World

by

Steve Mallard



In today’s world of the internet and
ecommerce, many companies lack the expertise
and training to secure their critical network
infrastructure and data. Because of this shortfall,
many companies’ infrastructures are subject to
being compromised.


With extortion, cyber theft, malicious attacks
and internal theft occurring at an
unprecedented pace, many companies are just
becoming aware of the aforesaid problems.
While a few companies and corporations
awaken to a new world of problems, many
continue to sleep, totally oblivious to what is
happening as they go about their daily work.
This research gives terminology and briefs
from the Information Technology industry.


Until now, computer security and locking down
the network infrastructure has been on the back
burner with most companies and corporations
because of cost. According to a corporate poll in a
nationally recognized information technology magazine,
99% of U.S. companies now use some type of
preventive antivirus technology with 98% of these
companies now using firewalls. This electronic
security poll was based on compiled information
from larger corporations and their practices and
does not include small to midsize companies
found throughout the United States.


The cost of an electronic exploit can be greater than
a million dollars per incident, as reported by the
FBI (Federal Bureau of Investigation) in its report on
cyber threats in the United States. To
help counterbalance this, small to midsized
companies could spend less than $5,000 to
harden their systems and operating systems and
put a stateful firewall in place. As stated in
this paper, these companies often lack the
resources, materials and funds to do so.


The example companies, and the modern methods they used for
“locking down” their networks and clientele data, are
discussed. The following steps have
been used to gather the analysis for this paper:


Collected data to support the weakness and underlying
causes of security collapse.


Used professional experience from the researcher’s
company to look at analyzing and confirming research
materials.


Consulted with Allen Corporation, Neill Corporation and
Taylor Corporation to gather information relevant to the
discussion on security in modern infrastructures.


Analyzed and collected data based on the scope outlined in
these sections.


Made the final analysis.



1960 Students become the first hackers


1970 Phone Phreaking and Captain Crunch


1980 Hacker Boards on BBS (early ways to chat)


1983 Kids Begin Hacking


Note: Los Alamos National Laboratory, which helps develop
nuclear weapons, was hacked this year.


1984 Hacker Magazines


1986 Computer Fraud and Abuse Act


1986 Boot sector viruses


1987 File infecting viruses


1988 First Antivirus solution


Encrypted viruses


1988 Unix Worm


1989 Cyber Espionage with Germans and KGB



1989 Credit Card Theft Goes Mainstream


1989 Date oriented viruses


1990 Stealth, Polymorphic, Multipartite and armored viruses


1991 Stealth, Polymorphic and Multipartite


1992 Code change viruses


1993 Viruses that attacked viruses


1993 Hacking used to cheat phone system to win contest


1994 Hacking Tools Become Available


1994 Encoded Viruses


1995 Kevin Mitnick Hacks the Government


1995 First Macro Viruses


1996 Macro viruses affecting Microsoft Excel


1997 AOL (largest) ISP Hacked


1998 The Cult of Hacking Takes Off


1998 Spyware/malware begins to download to machines globally


1999 Macro viruses affecting Microsoft Word


1999 Software Security (Windows begins providing updates)


2000 Service Denied


2000 Worm viruses


2001 DNS Attack



General Internal Company Security and
Auditing Controls are being applied today so
that companies can have a standard approach
to bring together different opinions and ideas.
These Internal Controls are generally brought
together by a consortium of management and
other personnel to achieve objectives by the
company. Internal Controls allow companies
to maintain several of the following areas:



Efficiency of operations.


Compliance with laws and regulations.



Several documents have also been released to
suggest ideas about Internal Company Security
and Auditing Controls:


Company controls should be built into operations
currently in place.


All departments and personnel within a company
have input to Company Controls.


Company and Internal Controls help to govern
companies currently operating.



Risk Assessment


The identification of key weaknesses in computer systems, nodes on a network, clients,
connectivity and training.


Security Control Activities


Policies and Procedures that ensure all levels of the company are in compliance with
standards set by the company.


Activities include hierarchal structure, authorization, implementation, disaster recovery
and planning.


Information and Communication


Information from vendors is archived.


Information from customers (clients) is logged.


Communication along internal paths of the company to ensure all areas of protection are
available.


Monitoring/Auditing


Assessment of hardware firewall.


Assessment of Software Patches and Service Packs.


Management of all personnel.


Auditing of logs and change orders.


Monitoring of performance of all nodes on the network.


Monitoring of government and for-profit security alert sites.






The research paper at this point has focused on the
importance and makeup of generalized Internal
Company Security and Auditing Controls.
Weaknesses in this structure follow:


Communication


Poor or lack of judgment


Lack of training


Lack of concern


Disgruntled employees


Lack of review








It is up to management at all levels to monitor
company security and auditing controls.


Larger companies have a distinct advantage over smaller companies because of the
minimal work required to keep their network infrastructure secure. A small list of
duties below is required to keep data protected:


Periodic changes of passwords


Updating of policy and procedures


Auditing server logs


Auditing firewall logs


Researching new malicious threats at third party information sites


Physical security


Applying patches


Applying service packs


User management


Monitoring spyware/malware


Monitoring new installs


Monitoring performance


Monitoring IDS systems


Monitoring anti-virus protection




Password policies are often overlooked after
the inception of the computer network.
Network administrators can use the Group
Policy Editor on workstations or rules in Active
Directory to set password rules. Minimum length,
complexity and history settings can greatly
increase Computer and Network Security.
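The three settings named above (minimum length, complexity, history) can be sketched as one check. This is an added example, not part of the original presentation and not how Group Policy or Active Directory implement them; the threshold values and function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

MIN_LENGTH = 12          # assumed value; the page gives no number
HISTORY_SIZE = 5         # assumed number of remembered passwords
PBKDF2_ROUNDS = 100_000  # assumed work factor for the stored digests

def _digest(password, salt):
    # History entries are salted, slow hashes, never plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def complexity_classes(password):
    """Count character classes present: lower, upper, digit, other."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])

def check_password(password, history):
    """Return the list of violated rules; history holds (salt, digest) pairs."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if complexity_classes(password) < 3:
        problems.append("not complex enough")
    for salt, digest in history:
        if hmac.compare_digest(_digest(password, salt), digest):
            problems.append("reused")
            break
    return problems

def set_password(password, history):
    """Accept the password only if it passes every rule, then remember it."""
    problems = check_password(password, history)
    if problems:
        return problems
    salt = os.urandom(16)
    history.append((salt, _digest(password, salt)))
    del history[:-HISTORY_SIZE]  # keep only the most recent entries
    return []
```
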



Companies should look at the update of policy
and procedures in order to keep up with changes
across its infrastructure. These regulations help to
guide all levels of information technology
professionals. The consistent and concise update is
critical to security in a network infrastructure.



The auditing of logs at all levels is critical and
cannot be stressed enough. These logs provide
accurate details on the access and changes
requested and made during a session. All of the
companies mentioned in this study review logs on
a frequent basis. This becomes one of the single
most important processes in looking for patterns
and breaches of security.
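A sketch of the kind of pattern review described above, applied to firewall logs. This is an added example, not part of the original presentation; the log format, sample lines, thresholds and function name are constructed assumptions, since real firewalls each use their own layout.

```python
import re
from collections import defaultdict

# Constructed sample in a hypothetical "timestamp action src dst port" format.
SAMPLE_LOG = "\n".join(
    [
        "2024-01-01T09:00:01 DENY 203.0.113.7 10.0.0.5 21",
        "2024-01-01T09:00:02 DENY 203.0.113.7 10.0.0.5 22",
        "2024-01-01T09:00:03 DENY 203.0.113.7 10.0.0.5 23",
        "2024-01-01T09:00:04 ALLOW 192.0.2.10 10.0.0.5 443",
        "2024-01-01T09:00:05 DENY 203.0.113.7 10.0.0.5 3389",
        "-- log rotated --",
    ]
    + [f"2024-01-01T09:01:0{s} DENY 198.51.100.9 10.0.0.8 3389" for s in range(5)]
)
LINE_RE = re.compile(r"^(\S+) (ALLOW|DENY) (\S+) (\S+) (\d+)$")

def audit_firewall_log(log_text, port_threshold=4, repeat_threshold=5):
    """Return (findings, unparsed_line_numbers) for one log."""
    ports_by_src = defaultdict(set)   # src -> distinct denied ports
    hits_by_flow = defaultdict(int)   # (src, dst, port) -> denied count
    unparsed = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        match = LINE_RE.match(line.strip())
        if not match:
            if line.strip():
                unparsed.append(lineno)  # keep for manual review, never drop silently
            continue
        _, action, src, dst, port = match.groups()
        if action == "DENY":
            ports_by_src[src].add(int(port))
            hits_by_flow[(src, dst, int(port))] += 1
    findings = []
    for src, ports in sorted(ports_by_src.items()):
        if len(ports) >= port_threshold:   # one source denied on many ports
            findings.append(("many-ports", src, sorted(ports)))
    for (src, dst, port), hits in sorted(hits_by_flow.items()):
        if hits >= repeat_threshold:       # one source denied repeatedly on one service
            findings.append(("repeated-deny", src, f"{dst}:{port} x{hits}"))
    return findings, unparsed

if __name__ == "__main__":
    for finding in audit_firewall_log(SAMPLE_LOG)[0]:
        print(finding)
```
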



The outline below illustrates how Computer and
Network Security has been implemented as a
plan at a higher education facility. This basic
outline targets company infrastructure, where
protecting internal assets is most critical. It
shows the effectiveness of the school’s control,
auditing and implementation.



Periodic control of Operating System Patches


Virtual Private networking to Domain Servers with Student Information Systems
Software from staff workstations


Periodic control of Operating System Service Packs


Anti-virus software installed on each workstation, including student workstations


Spyware/malware control measures


“Pop up” control measures


Application updates (i.e., Microsoft Office and related)


Software Update Services Server installed to push updates approved by administration


Documented Policy and Procedures school level


Documented Policy and Procedures board level


Active Directory Server login for staff to establish IT Policies


Applications with logging of activities (customized)


Application and Security Logs running on Servers


Network Address Translation used at firewall level


DMZ (demilitarized zones) used on web server


Hardware firewall (three-homed) used with logs and specific port number restrictions.


IDS (Intrusion Detection System) in place and monitored


Traffic monitor in place to monitor inbound, outbound and intranetworking packets


Disaster recovery plan in place



Control of patches and updates becomes one of the
most important aspects of Computer and Network
Security. Because operating system flaws are among the
most critical weaknesses to identify when operating a
network, control of pushing service packs or updates to
computers becomes extremely important. Companies should
have this in their plans and someone in the
information technology department should be
assigned to check SUS (Software Update Services)
servers daily. This IT person should also check
security and operating system websites for alerts.
Often these sites offer email alerts that notify end-users
of a security problem.


Virtual Private Networks or VPNs should be
created between workstations and servers that
contain critical data. Using PPTP (Point to
Point Tunneling Protocol) ensures the data
is encapsulated as it travels across the internal
network. Even if packet capturing software is
installed on the network, the tunnel helps to
encrypt the data and prevent loss due to
network sniffing. PPTP's MPPE encryption and
MS-CHAPv2 authentication have well-documented
weaknesses, so current deployments generally use
IPsec- or TLS-based VPNs for the same purpose.



Antivirus software must be installed on every
workstation and the software should be updated
daily. This control of updating can come through
push services through a server to ensure the virus
pattern or signature is up to date.



Spyware/malware control is becoming an issue
at all companies. Spyware/malware is software
downloaded automatically by some websites to
track a user’s internet surfing habits or to track
software use on the end user’s computer. Often
computers become burdened by spyware/malware
loaded in the operating system and become
nonfunctional or extremely slow.


Policy and Procedures


Committees and Subcommittees used to monitor changes, constant
updates and reviews by all members of the information technology team.


Risk Assessment


Value of product and client data, cost of breach. This assessment can give
the company an idea of the risk of a breach.


Inventory


Inventory of software and hardware. Inventory allows for control of
products and control of sensitive information.


Needs Assessment


Users and applications “Need to Know Basis Only”. This form of
assessment allows for securing data at different levels based on rank or a
hierarchal structure in the company.


Structure


Physical security and ideal topologies to meet performance needs and
environmental controls.



Levels of Protection


Workstation


Antivirus software, operating systems updates and patches,
application updates, VPN to servers, strong password
protection


Private Servers


Antivirus software, operating systems updates and patches,
application updates, VPN from workstations, Kerberos
security, tokens and certificates, strong password protection


SNMP nodes


Password Protected SNMP manageable devices


Wireless Access Points


Wireless Encryption Protocols (128 bit minimum) (WPA
Preferred with a RADIUS Server)


MAC filtering



Firewalls


Acceptable ports and sites


IDS Systems


Backend for internal and external NIC cards used to monitor
all traffic within the organization


Network Address Translation Needs


Public to private IPs for internal networks with few public IP
addresses





Public Servers


Located in DMZ areas, with all patches and updates applied and only
necessary ports open


Training programs


New software


New hardware



The overall strategy for the initial phase of protection
involves the publishing of Policy and Procedures. The
publication of Policy and Procedures includes the
hierarchal structure of the information technology
department and all tasks associated with it. The
following approach is used to monitor the updating of
the Policy and Procedures:


Document changes to existing Policy and Procedures.


Identify weaknesses


Test disaster recovery portion of Policy and Procedures


Test auditing procedures


Rewrite when a significant number of changes take
place


Ongoing training



Training is in place from the lowest level of help desk to the
Information Technology manager and CIO. Training updates are
given to all employees outside of the IT department so that
security can be maintained throughout the company. These
companies use the following training methods:


Memos to all staff on new viruses


Memos to IT Personnel on new viruses


Memos to IT Personnel on opportunities to train at seminars


Seminars (Mandatory)


Seminars (Voluntary)


Webcasts/Podcasts


In house training by security personnel


In house training by outside resources


College reimbursement


New product training


Policy and procedure review


Proper use of the internet


Proper use of email and best practices



Employ certified and experienced personnel


All are focused on standards set by CERT.ORG
and other security industry leaders


Strong Policy and Procedures in place


Communications among internal company and
internal information systems.


Committees and Sub-committees in place for
compliance issues



The problem statement components of “when security is
needed, and how to implement it” are answered as follows:



Industry wide compliance of recommendations by industry
leading experts.


The key elements restated from previous chapters include:


Employ trustworthy Information Technology workforce to
protect assets from within the companies as though assets were
their own.


Focus on industry statistics and separate fact from fiction for the
best protection of the security infrastructure.


Utilize all means of security including beta based security tools,
physical tools and update policies and procedures as necessary.
Document all deficiencies and follow through with any and all
shortcomings to ensure the best and most adequate protection
from thieves, whether internal or external.



Ongoing communications between all levels of employees
from help desk to the CIO (Chief Information Officer).


CIOs cannot lose touch with the reality of the “real” world of
security.


A quality control program should be put into place to
maintain site wide integrity.


Policy and procedures must be reviewed.


Internet usage policies should exist and all employees should
review and sign acceptance letters.


Email usage policies should exist and all employees should
review and sign acceptance letters.


Systems must be tested in order to ensure quality.


Ongoing training must be put into place for IT professionals
and accurate records must be maintained in order to verify
training and training needs.



The recommendations from this study are as follows:


Companies should do extensive background checks on their
Information Technology employees. Checks should include
financial, criminal and past employment checks.


Companies should put Policy and Procedures into place to make
sure that all aspects of disaster recovery and planning are covered
including hardware failure, software failure, network setup,
personnel hierarchy, team responsibilities, deployment of all
software and appropriate licensing and other mission critical
objectives.


Companies should have a consistent audit practice in place for
server logs, firewall logs, patches, service packs and updates.


The network infrastructure for companies needs a consistent
quarterly overview committee to look at security needs and
challenges. This would provide quarterly updates of mission
statements and policies as needed.



Companies need training programs in place for Junior as
well as Senior level analysts to understand the challenging
environment of security. These training programs need to
include industry leaders and seminars from software
vendors.


Companies need consistent and open forums within their
infrastructure for communication of daily changes affecting
the security environment.


The hierarchal level of the internal department of
Information Systems/Technology needs to be dynamically
flexible to meet the needs and challenges facing the ever
changing world of information technology security in the
workplace.


Small Ecommerce servers should “dump” data to a printer,
and the data should be reentered, as a precautionary measure
in case of a breach on an internal file server.



“Companies must provide
high level training to meet the
needs of industry growth
while maintaining a balanced
budget and customer
security”.