Computer Systems Security Foundations, Essay Example

Introduction

This brief report provides the ABC Management team with the key points for putting forward a new security program. The report will provide information covering the scope of the policy, details of the risks the firm faces and how these will be appropriately mitigated, the importance of responsibilities of the users and the management team and the considered limitations of the security proposal.

The Need For A Security Program

Information Technology is one of the most important assets contained within any business organization.  As such the IT Department contains important assets like Computer Equipment, Software and Communications equipment that needs to be safeguarded and protected.  These systems are the very core of the business operations and as such any threat or disruption to them can be extremely damaging to the business. In order to oversee the security policy we will need to appoint a Security Manager who will be responsible for the overarching strategy of the implementation of the security policy.

The main components of the Security policy will include the following items:-

Safeguard of Company Assets – In particular those assets applicable to the Information Technology contained within the firm. This considers items such as computer equipment, telecommunications, software, data and storage. The policy will address environmental conditions, insurance and back-up or recovery procedures

Business Continuity and Disaster Recovery – Although a separate policy we will need to integrate emergency planning and the security implications of invocation of staff to a secondary site.

Security of the system –  This will consider such items as who gains access to the system, the restrictions on use of the system, password protection  and overall security of information

Company Policy – This will consider the corporate policy as applicable to systems security and the policies that need to be carried out in order to enforce same.

The security policy will be divided up into three distinct components comprising Management Services, Operational Services and Technical Services.  Management services will focus upon the risks and computer security policies of the firm and will collaborate with the Executive and Internal Audit.  The operational services component will consider the human resources implications and the responsibilities of individuals within the organization. Technical services will concentrate on those areas that cover the in depth controls of computer security.  (Kovacich, 2003)

Security Risks

Problems Associated with the old site

The previous site indicated that it contained the following risks and vulnerabilities:

Previously the old system was purely a local area network for internal uses. It had no outside or external links. This is now proposed to change with data being transmitted to the host system from remote PC’s. This increases the risk of intrusion and external penetration of the system from hackers, viruses, spam, and other uninvited guests.

The Company wishes to introduce a new website and this provides a portal to the system via the world wide web (internet) thereby providing a global threat of intrusion to the system without the required security measures being put in place.  The order entry system provides a means for viruses, spam and other potential unauthorised entries to the system.

Litigation Issues

Litigation is an area that is often overlooked in IT security but one that represents one of the most significant areas of risk.   Nearly all forms of electronic media have the potential for being involved in legal dispute cases. In the determination of evidence for potential criminal investigations it is possible for computer equipment and network devices to be taken away and used for evidence. This type off disruption to the business can have disastrous consequences unless a contingency plan is in place.  It means the business operation could be halted until an appropriate back up system is put into place. The courts have far reaching powers in this regard and may either seize assets or shut down areas of the business that are subject to legal investigations. This can provide a major disruption to the business where the systems are fully integrated.  This risk is mitigated by having the system suitably partitioned in order that trouble spots can be isolated without bringing the entire system to a closure.

Vulnerability over systems communications

The potential for external threat and disruption to the business via external communications is both real and immediate.  One of the more significant threats relating  to that of e-mail. The threat here is two-fold: (i) the interception of messages and communication by hackers and others who are intent on theft of intellectual copyright or business confidential information (ii) incoming messages from the outside that may have attachments and carry harmful viruses that can penetrate the Banks firewall and impose serious damage to the computer network.  Certain of these offences may be a breach of criminal law but others may be either simple mistakes or poor use of communications that do not have appropriate antivirus software installed.  Policies within this arena have become more difficult to interpret but basic steps can be made to safeguard the situation. This may include non-acceptance of e-mails with attachments that potentially may contain viruses or Trojans.  Access to the network should only be permitted to trusted that have been security cleared.

The responsibilities of the Security Manager have been made more difficult  because of items like USB Pen Drives that have high storage capacity.  They can be plugged into virtually any USB port in the . Easy access to the system can be made thereby removing confidential data ( White, G.B. 1996)

Small devices like USB drives are easy to conceal  and as such may impose a security issue to the firm.  This has become further complicated by the introduction of wireless networks and portable PC devices like laptops. Statistics indicate that most company threats derive from internal sources where staff have access to sensitive or confidential information.  Here data can be easily extracted and passed on to other interested parties.  Such acts can be very difficult to trace and prevent future occurrences. (Whitman, M.E. 2009

Threats imposed on wireless networks

Security issues over wireless networks impose significant systems security issues.   These vary from eavesdropping to that of physical intrusion and penetration of the  system. Both can be potentially damaging but as a minimum a gross invasion of your privacy.  Examples of these threats are:

Rogue Wireless Area Networks:  This is where someone may introduce an additional router to your network and thereby gain access to the wider network.  This is essentially a hardware intrusion.  Software applications like Network Magic will detect and report such intrusions to the network administrator.

Spoofing Internal Communications:  Considered a direct and deliberate attack from someone wishing to gain access to your system i.e. A hacker.  They simulate internal domains and essentially look harmless on the network maps.

Direct Theft of network resources:  This is where your system is hacked with the objective of the intruder  stealing your bandwidth to surf the internet.  They can then indulge in a variety of illegal activities that indicates the source as your network.  i.e. downloading pornography, music, video clips etc. Degradation of your network performance is an indication of this type of attack.

Local Area Network segmentation is one means of improving security whilst offering better operational advantages over the efficiency of the network. (Bradley, T 2011)

Whilst segmentation is a method of wireless encryption creating a means of preventing eavesdroppers on to your personal wireless network.  The early method used WEP (Wireless equivalent privacy); it was later found to be flawed allowing anyone who gained the key access to join the network.  It was also easily cracked by professional hackers.  Progress was made by moving to WPA (wireless protect access).  This used temporary key integrity protocol and provided a much tougher code system to decipher. Even this was not good enough for large enterprise networks that required a much higher degree of sophistication and security.

Conclusions

It is important to recognise the Management and User responsibilities within the governance of the system. Policy guidelines will be provided and it is expected both staff and management will adhere to their use. Further, there are certain limitations imposed upon the system security in terms of overall protection. No system is completely safe from attack but the objective is to minimise the risk and incorporate extensive mitigation measures. There is a need to remain vigilant at all times and report improper use of the system to the Security Manager.  The Security will continue to be monitored for points of vulnerability and areas where ongoing improvements may be made.

References

Bradley, T. (2011, 10 26). Secure your wireless network. Retrieved from Net Security: http://netsecurity.about.com/od/secureyourwifinetwork/a/securewifi.htm

Gregory B. White, G. W. (1996). Computer system and network security. Austin, Texas: CRC Press.

Kovacich, G. (2003). The Information Systems Security Officers Guide . Burlington MA: Elsevier.

Whitman, M. M. (2009). Principles of Information Security, 3rd Ed. New York: CRC.