You are a security consultant and your services are requested by an established corporation with many locations. Your task is to help the corporation identify the security requirements. (a) State how you would go about the assignment step by step and, (b) What are the critical success factors that you will be submitting to the corporation for consideration in their security planning.
a) Network security can be defined as the protection of computer-based systems from illegal actions or unauthorized access, and the prevention of such incidents. There are six key characteristics of an effective network security policy: availability, authorization, authenticity, integrity, non-repudiation, protection of privacy and confidentiality (Speciner & Perlman & Kaufman, 2002). Availability means the ability of the system to function in the required periods of time, authorization deals with appropriate resource access grants, authenticity implies that the transactions within the system are associated with particular users, integrity describes the method of ensuring the trustworthiness of data, non-repudiation implies the irrevocability of transactions in the network, and confidentiality/privacy issues relate to non-disclosure of data to unauthorized persons and non-leakage of sensitive information. All these characteristics should be reflected in the security requirements.
Network security protection should cover defense, deterrence and detection (Bragg & Rhodes-Ousley & Strassberg, 2004). The first step in identifying the security requirements will be to determine what assets should be protected. The list of locations and associated assets should be created at this step. The second step is to determine the threat vectors, vulnerabilities and risks (Bragg & Rhodes-Ousley & Strassberg, 2004). All assets identified at step 1 should be analyzed with regard to possible threats and their sources. At this step, it is also necessary to determine which security controls should be considered to address these threats, where these controls can be placed, and what budget can be allocated for these controls (Bragg & Rhodes-Ousley & Strassberg, 2004).
At the third step, the tools for ensuring protection should be considered, including the actual techniques, processes and policies. A list of general security techniques should be formulated at this step. During the fourth step, for each category of protections identified at the previous step, specific tools should be defined. Such issues as product evaluation, usage policies and procedures have to be considered (Bragg & Rhodes-Ousley & Strassberg, 2004). As a result of this assessment, a list of specific protective steps for every asset will be made. Finally, the fifth step deals with assigning the order (priority) of the protective steps.
b) Critical success factors for network security are three interrelated policies: prevention, detection and response (Maiwald, 2003). Thus, the security policy should include the list of preventive measures, reporting mechanisms for detection of network threats (including the description of the resources, associated vulnerability and threat ownership), and mechanisms of responding to threats (Maiwald, 2003). The network security policy should cover three areas: computer systems and networks (including types of technology, types of network controls, hardware and software protection, etc.), personnel management (management of sensitive data, guidelines for password management, rules for dealing with social engineering attacks, etc.) and physical security measures (surveillance, physical access rights, alarms) (Bragg & Rhodes-Ousley & Strassberg, 2004).
Employees are considered to be the greatest risk to an organization. State in bullet points (a) Why this is so and, (b) What can be done to minimize that risk.
a) Employees receive a high level of trust by default, and due to various human factors they can present significant security threats to the organization (Bragg & Rhodes-Ousley & Strassberg, 2004):
employees have access to trusted information and network resources;
employees are vulnerable to social engineering attacks;
employees can breach physical security (or their forgetfulness can create a threat for physical security);
employees can reveal sensitive information such as passwords, accounts, and documents;
one weak link (employee) can bring down the whole security system.
b) Despite the potential threats posed by employees, they can also prevent security accidents, mitigate damage, and help in early identification of security threats. In order to mitigate potential employee-related network security threats, it is necessary to create a security awareness program. This program should include (Bragg & Rhodes-Ousley & Strassberg, 2004):
well-formulated measurable security goals;
clear identification of the audience and description of the specific categories included in the target audience;
specification of the information and assets protected by the policy;
description of employee benefits associated with the awareness program.
The security awareness program should be written in a positive, interesting and reassuring manner, in order not to discourage and alienate the employees. Employees should take appropriate security training, and it is recommended to schedule refresher courses. The persons responsible for conducting the program should be clearly named in the security awareness program, and the employees should sign a document confirming that they understood and agreed to comply with this policy.
A security breach has occurred at one of the locations of the corporation addressed in Question 1. (a) State what steps the corporation should take to ensure that this particular breach does not occur again and, (b) What steps you would advise the corporation to take to ensure that other parts of the business are not affected by this particular breach.
a) An effective incident response plan should include the following stages: detection of the threat, response and containment, recovery and resumption, and finally, review and improvement. The process of ensuring that the breach does not occur again is a part of the final fourth stage of the incident response. For security breaches, the following steps of analysis are recommended (Bragg & Rhodes-Ousley & Strassberg, 2004):
1) it is necessary to determine whether critical data was accessed, to notify the affected parties, if there is such a possibility, and to increase monitoring of the breach (even if the attack was not successful);
2) using firewall and IDS logs, it is recommended to trace the intruder’s actions and to identify how this intrusion occurred;
3) the security holes on the affected machines and in other similar places should be closed.
b) In order to ensure that other parts of the business are not affected by the particular breach, the organization should review its procedures and performance (Bragg & Rhodes-Ousley & Strassberg, 2004):
1) the procedures associated with the security hole have to be analyzed to find how this breach came into existence; possible causes of such issues are failure to install critical patches, wrong service configurations, lack of password control, etc.
2) organizational performance should be reviewed in order to identify areas for improvement. Key issues for analysis in this section are:
the period of time from the breach to the identification of the problem;
evidence of the performance of critical personnel in this situation;
the availability of critical personnel during the incident;
the existence of roadblocks in the security response situation.
3) The organization should improve its security policy, security awareness program and practices for critical personnel after analyzing the critical issues in order to prevent similar breaches in the other parts of the business.
Bragg, R. & Rhodes-Ousley, M. & Strassberg, K. (2004). Network security: the complete reference. McGraw-Hill/Osborne.
Maiwald, E. (2003). Network security: a beginner’s guide. McGraw-Hill Professional.
Speciner, M. & Perlman, R. & Kaufman, C. (2002). Network Security: Private Communications in a Public World. Prentice Hall.