“Our nation’s information and telecommunications systems are directly connected to many other critical infrastructure sectors, including banking and finance, energy, and transportation. The consequences of an attack on our cyber infrastructure can cascade across many sectors, causing widespread disruption of essential services, damaging our economy, and imperiling public safety.” (The Department of Homeland Security).
Software applications can be both a blessing and a curse to security professionals; the majority of successful attacks on computer systems via the Internet can be traced to exploitation of one of a small number of security flaws. Recent compromises of Windows 2000 and NT-based web servers are typically traced to entry via well-known vulnerabilities. A few software vulnerabilities account for the majority of successful attacks because attackers are opportunistic – taking the easiest and most convenient route. They exploit the best-known flaws with the most effective and widely available attack tools. They count on organizations not fixing the problems, and they often attack indiscriminately, by scanning the Internet for vulnerable systems. System administrators report that they have not corrected these flaws because they simply do not know which of over 500 potential problems are the most dangerous, and they are too busy to correct them all. ().
Viruses are another software-borne threat, and they have left a number of corporations sadder but wiser. A virus can change data within a file, erase a disk, or direct a computer to perform system-slowing calculations. Viruses may spread through programs downloaded from the Internet, shared floppy disks, e-mail, or communication with an infected computer over a network, by telephone or through the Internet. Anti-virus products are a necessity for the detection, eradication and prevention of viruses. In addition, security policy should define permissible software sources, bulletin board use, and the types of applications that can be run on company computers. The policy should also provide standards for testing unknown applications and limit diskette sharing.
“The speed, virulence, and maliciousness of cyber attacks have increased dramatically in recent years. Accordingly, the Department of Homeland Security would place an especially high priority on protecting our cyber infrastructure from terrorist attack by unifying and focusing the key cyber security activities performed by the Critical Infrastructure Assurance Office (currently part of the Department of Commerce) and the National Infrastructure Protection Center (FBI). The Department would augment those capabilities with the response functions of the Federal Computer Incident Response Center (General Services Administration). Because our information and telecommunications sectors are increasingly interconnected, the Department would also assume the functions and assets of the National Communications System (Department of Defense), which coordinates emergency preparedness for the telecommunications sector.” (The Department of Homeland Security).
The information security community is meeting this problem head on by identifying the most critical Internet security problem areas – the clusters of vulnerabilities that system administrators need to eliminate immediately. Additionally, system administrators need to identify the ports used by commonly probed and attacked services. Blocking traffic to those ports at the firewall or other network perimeter protection device adds an extra layer of defense that helps protect you from configuration mistakes. (The Sans Institute).
Today’s corporate networks are complex and diverse. They connect mainframes, desktops, laptops, hand-held devices, LANs, WANs and peripherals over ever-widening geographic boundaries. This diversity, both technical and geographic, means that devising an effective corporate-wide security plan involves adapting security techniques and procedures from the various systems currently incorporated into the organization. Things to consider in designing a network security policy include protecting information in transit from being seen, altered, or removed by an unauthorized person or device; ensuring that any breaches of security that occur on the network are revealed, reported and receive the appropriate response; and having a recovery plan should both your primary and backup communications avenues fail. Additionally, unless your local network is completely isolated (standalone), you will need to address the issue of how to handle local security problems that result from a remote site, as well as problems that occur on remote systems as a result of a local host or user.
Computers, their data, and their components are subject to theft. Today’s laptops, handheld computers and connected devices are especially vulnerable. Access controls are one of the best strategies to combat computer and data theft. Access controls are required not only for the computer facility but also for the computer itself. This includes protection against unauthorized remote access. Passwords, biometrics and firewalls are effective countermeasures and controls that permit system access only to users who are registered with a computer or device. However, the best countermeasure against computer and data theft is awareness education and training. (Purpura 373).
The Computer Security Institute (CSI) conducts the "Computer Crime and Security Survey" with the participation of the San Francisco Federal Bureau of Investigation's (FBI) Computer Intrusion Squad.
The survey is an effort aimed at raising the security awareness level and aiding in the determination of the scope of computer crime in the United States. CSI surveyed 503 computer security practitioners in U.S. corporations, government agencies, financial institutions, medical institutions and universities. Based on responses to this survey: “The findings of the "2002 Computer Crime and Security Survey" confirm that the threat from computer crime and other information security breaches continues unabated and that the financial toll is mounting.” (Computer Security Institute).
Patrice Rapalus, CSI Director, remarks that the "Computer Crime and Security Survey" has served as a reality check for industry and government:
"Over its seven-year life span, the survey has told a compelling story. It has underscored some of the verities of the information security profession, for example that technology alone cannot thwart cyber attacks and that there is a need for greater cooperation between the private sector and the government. It has also challenged some of the profession's 'conventional wisdom,' for example that the 'threat from inside the organization is far greater than the threat from outside the organization' and that 'most hack attacks are perpetrated by juveniles on joy-rides in cyberspace.' Over the seven-year life span of the survey, a sense of the 'facts on the ground' has emerged. There is much more illegal and unauthorized activities going on in cyberspace than corporations admit to their clients, stockholders and business partners or report to law enforcement. Incidents are widespread, costly and commonplace. Post-9/11, there seems to be a greater appreciation for how much information security means not only to each individual enterprise but also to the economy itself and to society as a whole. Hopefully, this greater appreciation will translate into increased staffing levels, more investment in training and enhanced organizational clout for those responsible for information security." (Computer Security Institute).
In conclusion, several approaches need to be implemented in order to provide the necessary security for computers and networks. Education, planning and risk assessment are among the most important of these. A strong awareness-training program must accompany the introduction of security planning and countermeasures. It is extremely important to create an awareness of security and inform your users of the procedures they need to maintain for adequate safeguards. The cause of most data security problems is lack of management concern. Security will always be a managerial rather than a technical problem. To guard against costly and embarrassing breaches of security, management must clearly establish and enforce security policy, plans, and procedures. Government or corporate security policy statements should be widely disseminated and discussed. The policy should be reinforced with internal education, training for all new hires, ongoing workshops, and review sessions. Personnel should clearly understand the policy and its language so that there is no ambiguity or inconsistency within the policy. Management's first responsibility in handling security violations and breaches is to define what an “insider” and an “outsider” are, based on administrative, legal and political boundaries within your organization. These boundaries will then determine your course of action against an offending party, from a written warning to filing formal legal charges. Therefore, policies need to define actions based on the specific type of violation, as well as the series of actions based on the kind of user that violates your computer security policy. Finally, making sure both physical security and data security measures work is imperative to successfully securing your data and users.
Works Cited
- Computer Security Institute. “Cyber crime bleeds U.S. corporations, survey shows; financial losses from attacks climb for third year in a row.” Computer Security Institute. April 7, 2002. Online December 5, 2002. <http://www.gocsi.com/press/20020407.html>
- Kornblum Jane. “Federal Unit to fight hacking.” CNET News.Com. February 27, 1998. Online December 5, 2002. <http://news.com.com/2100-1023-208562.html?tag=rn>
- The Department of Homeland Security. “Information Analysis and Infrastructure Protection.” The White House. Online December 5, 2002. <http://www.whitehouse.gov/deptofhomeland/sect6.html>
- The Sans Institute. “How to Eliminate the Ten Most Critical Internet Security Threats, The Experts’ Consensus.” Sans Institute. June 25, 2001. Online December 5, 2002. <http://www.sans.org/topten.htm>
- Purpura P. Philip. Security and Loss Prevention. Butterworth-Heinemann, 1998. (373-375).