The Impact of Computer and Network Security in Corporations Today




Network and Computer Security

Steve Mallard


© - 2007


The Impact of Computer and Network Security in Corporations Today:

Understanding the Impact and Solutions of Computer and Network Security in Today’s World


by

Steve Mallard



Computer and Network Security

Copyright © 2007 Steve Mallard


All rights reserved. No part of this book may be used or reproduced by any means, graphic, electronic, or mechanical, including photocopying, recording, taping or by any information storage retrieval system without the written permission of the publisher except in the case of brief quotations embodied in critical articles and reviews.
Printed in the United States of America

The Problem
In today’s world of the internet and ecommerce, many companies lack the expertise and training to secure their critical network infrastructure and data. Because of this shortcoming, many companies’ infrastructures are subject to being compromised. With extortion, cyber theft, malicious attacks and internal theft occurring at an unprecedented pace, many companies are just becoming aware of the aforesaid problems. While a few companies and corporations awaken to a new world of problems, many continue to sleep, totally oblivious to what is happening as they go about their daily work. This research gives terminology and briefs from the Information Technology industry. This research provides an in-depth understanding of what network and infrastructure security problems are present and what will be required from companies and corporations in order to protect themselves from malicious activities.
Research Method and Design
The research behind this paper combines information from industry experts, national publications, the Internet, technology college textbooks and a large school system (a higher education facility) implementing a strategy for the ongoing development of a security plan for protecting their network infrastructure and data. The use of information from the latter was most beneficial to discussions of internal network infrastructure, interpretation of friendly vs. malicious and how to implement compliance for Computer and Network Security. The implementation plan outline is provided in Chapter 2, followed by the methodology used and a detailed plan in use at the researcher’s place of employment (a higher education facility) in Chapter 3.

Findings
As the study concludes, the primary requirement for compliance with network and infrastructure security is a strong and robust internal policy and procedure for the infrastructure of companies with continual training. Companies with no policies or weak policies will continue to fail in their compliance with security initiatives, and the costs for repairing or troubleshooting their network will be far greater than that of a company in compliance. Ultimately, those companies with a strong policy and procedure that includes disaster recovery and failure will excel. Individual users, including the main hierarchy of the Information Technology Department, will have more assurances that they are protected as well as their individual clients’ data. Companies and corporations must support Computer and Network Security initiatives along with meeting the budgetary needs of their department in order to maintain a healthy profit margin for the end product produced by the business. The lack of security in today’s infrastructure could result in the demise of the corporation.


CHAPTER 1

Introduction
Problem Statement
Since the advent and infancy of the internet, many U.S. companies and corporations have functioned and operated with very little Computer and Network Security in place in their network infrastructure. Although many of these companies and corporations have hardware firewalls and intrusion detection systems in place, many of these businesses do not have policy and procedures to guide and govern their infrastructure security. Policies along with personnel are the backbone of Computer and Network Security. This backbone is the fragile structure that keeps companies secure in today’s digital world. These directives (Policy and Procedures) ensure that companies and corporations will be in compliance as long as the CIO or IT manager enforces them.

Although a definite and structured compliance has not been put in place, directives and training are the true tools needed to help companies maintain a form of security within their organization.

Until now, computer security and locking down the network infrastructure has been on the back burner with most companies and corporations because of cost. According to a corporate poll in a nationally recognized information technology magazine, 99% of U.S. companies now use some type of preventive antivirus technology with 98% of these companies now using firewalls. This electronic security poll was based on compiled information from larger corporations and their practices and does not include small to midsize companies found throughout the United States. The recently released polls cited in this research paper are usually focused on larger companies and corporations in the United States. The main reason for this was found by interviewing several midsized and smaller companies locally. These smaller companies and corporations usually have outsourced their Information Technology infrastructure to private organizations that do not have written policy and procedures for these smaller companies. Normally, these companies do not have any type of policy and procedure in place for their current clientele. Because of this practice, these companies and small corporations do not look at industry related security trends, security issues or any relevant areas of computer security. It was found that fewer than 10% of the companies offer a service related plan that pushes security issues for their clientele.

This complacency can have an enormous impact on consumers and customers of the companies and corporations. With no or very little money or funding for a technology budget, these entities often use friends, family or small computer companies to fix or repair their computers or network. This results in a huge security gap between a professional information technology department and someone who is not trained in basic security needs.

With this gathered statistical information, numerous private and public corporations can appreciate the need for network infrastructure security, and are beginning to put in place multiple phases of internal and external protection for their digital and electronic assets. Small to mid-size organizations are hesitating due to simple inadequate funding and the rising cost and expenses of security of digital assets found in the modern workplace. Companies often miss the importance of the cost of a security breach vs. the cost of preventive security measures. This unintended hesitation in implementing network infrastructure security is causing more and more companies to be violated or exploited by malicious hackers and crackers. With this exploitation, companies subject themselves to lawsuits from their own customers. These companies often are ignorant of the simple fact that they have been exploited until customers report the issues to these companies and corporations. Many times, more than thirty days go by before someone alerts the company of a possible security breach.

The cost of an electronic exploit can be greater than a million dollars per incident as reported by the FBI. This information is found in the FBI’s (Federal Bureau of Investigation) report of cyber threats in the United States. In order to help counterbalance this, smaller to midsized companies could spend less than $5,000 to harden their systems and operating systems and put a stateful firewall in place. As stated in this paper, these companies often lack the resources, materials and funds to do so. Beyond the incidents shown in the FBI report, there are thousands of incidents that go unreported. Often these incidents are yet to be discovered.

With this number of small to mid-size corporations ignoring or slowly implementing security measures, more and more electronic computer crimes are beginning to take place throughout the U.S. With extortion now moving into the digital age, many corporations do not report intrusions to law enforcement in order to avoid negative publicity. Reports of an intrusion could directly have a negative effect on the company’s sales and position in a global competitive market. Approximately 35% of corporations don’t report electronic intrusions to keep their competitors from gaining any type of advantage. Today’s modern bank robber can be a hacker thousands of miles away hidden behind spoofed IP addresses or behind a zombie computer. Reports are also withheld to avoid embarrassment with the general public. This withholding of information often leads to a band-aid fix.

Other means of protection include standardizing policy and procedures within corporations to help protect the network infrastructure of corporations. Policy and Procedures rely on the initial implementation along with annual or semi annual follow-ups. Without these policy and procedures in place, a company’s survival in the security race to protect their infrastructure is compromised.

Smaller and mid-sized companies very rarely have these policies in place and often operate their network by the “seat of their pants”. These companies rely and trust their computer vendors to make them as safe as possible. Poorly trained personnel with these computer vendors can have a negative impact on the overall security of the organization.

Medium size companies often have the budget but the Information Technology manager is often stretched too thin to prevent or react to security needs of the company. These IT Managers often work longer hours and tend to miss early warning signs of network lapses. Through no fault of their own, breaches can occur and not be discovered for weeks.

Outsourcing information technology teams to other countries can have another form of negative impact with companies. With third world countries competing in a global market, the confidential information of clients and internal data can be jeopardized by these companies. Using third world countries for technical support can lead to disastrous consequences when relying on someone over a world apart to secure your network.
CIOs (Chief Information Officers) and IT Managers found in larger companies and corporations usually have these operational policies in place with a system for disaster recovery and planning. The logistics alone in larger corporations can be a double edged sword. With these policies in place, the arduous task of changing the policies can take weeks or even months as management goes through several meetings with committees and sub-committees. Agreement among industry professionals on the correct internal computer security is usually led by a trained security analyst in the corporation who may or may not have proper certifications or security training. CIOs have to put raw faith and trust into the company’s security analyst in hopes that their knowledge is on the cutting edge in a technology that is changing daily. These analysts have to make decisions on how and when to implement protection within minutes of finding out vulnerabilities. The communication by the analyst must be thorough and accurate. The Computer and Network Security analysts have to look into the immediate future for growth of their business and often they have to try and foresee changes before these changes come about.

Smaller companies and young corporations, on the other hand, usually do not have policies or disaster recovery and planning policies in place. With limited budgets, these companies may have a limited number of IT (Information Technology) personnel within their ranks or may outsource all of their network or technology personnel. This limit in resources may cause a lack of compliance with industry standards and conformity to security standards. With laws in effect such as HIPAA (Health Insurance Portability and Accountability Act of 1996), GLB (Gramm-Leach-Bliley) and the U.S. Patriot Act, these companies may not be conforming to U.S. laws or rules imposed in their industry.

Therein lies the problem: Companies have to understand that internal policy and procedures on security (along with proper disaster recovery and planning) have to be put in place in order to protect their assets and the consumers they serve. With ecommerce growing by leaps and bounds each year, more and more companies from small to large are accepting credit cards, debit cards and electronic checks online. With over two million dollars in lost annual revenue in the United States, they must ensure that their initial investment will be worth the protection of their data and their clients’ information. This act alone can help to prevent a breach in the security of their corporate network. Setting and maintaining an information technology budget along with policies can help to ensure the protection of the company’s network.

Purpose of the Study
This study has multiple purposes: 1) to discuss the necessity of policy and procedures related to disaster recovery and planning and security; 2) to discuss the advances in security to include intrusion detection systems; 3) to discuss the impact of security in the business environment along with legal ramifications in the event data is stolen or destroyed; 4) to present and to validate the necessity for security.

This study will review the history of security and the ways it has grown to a multibillion dollar business over the past decade. Flaws in Operating Systems and applications, the history of the internet and the development of policy and procedures will be examined for a critical understanding of the importance of protecting corporate clients and assets.

The research will define policy and procedures and security across local area networks, metropolitan area networks and wide area networks to include the internet. It will provide an in-depth discussion of the potential impact on today’s corporations in terms of planning, cost, implementation and legal cost in the event of a breach. With consumer assets growing on the internet, a consumer puts trust in the company’s hands that their credit card or debit card is being protected. Consumers are often undereducated in finding reliable security oriented companies.

The aforesaid research, when implemented, is vital to the future of not just ecommerce; but to the survivability of companies today. With consumers spending more money on the internet than ever, companies have to protect their infrastructure. This study will present a plan for policy and procedures and how they outline good security practices and will illustrate the necessity for predicting the future of security in the information technology industry.

The fictitious names “Allen Corporation”, “Neill Corporation” and “Taylor Corporation” will be used to reference several companies known by the researcher along with a higher education facility. These references setup an example of small, medium and large businesses, and allow for the confidentiality of real operating businesses the researcher has worked with. This is needed in order to protect the anonymity of each entity and protects the operational and confidentiality of each business. These businesses represent the medical industry, a retail industry and a large production corporation.
Importance of the Study


It is very important to understand security with regard to the world’s economic infrastructure and how it is now based on the globalization of ecommerce. With billions of dollars based in virtual monies on the internet in databases worldwide, extortion, theft, identity theft and other malicious activities are becoming more wide spread. The FBI’s security survey shows an increase to over $93 million dollars this year (2004). This report shows the following information about security losses this year alone:


  • $26 million dollars – denial of service

  • $11.5 million dollars – theft

  • $55 million dollars – viruses

Identity Management, which helps prevent the security losses reported by the Federal Bureau of Investigation, is deployed nationally in less than 50% of companies with less than 5000 employees. Identity Management alone for companies shows the following information about the deployment of networking sessions:


With this amount of profits being lost by businesses and corporations, companies are looking at electronic security to maintain a competitive edge over other businesses in the U.S. Companies are also looking at the cost of an electronic breach and the amount of money it would cost through damages lost by consumers or a client.

Information Technology professionals today struggle with keeping up with technological changes throughout the information technology industry. Often security patches and updates are produced by software vendors on a daily basis. With this in mind, Chief Information Officers try to keep their employees up-to-date on the operating systems, computer applications and proprietary software. This often leads to a “surface skimming” of security if CIOs and security analysts do not study and focus on current and past security issues.

“Surface skimming” covers the basics of security and is not in-depth enough to help companies adequately protect their networks.

Long meetings on the exact effect of missed software updates or patches result in lost monies by companies. Briefings often have to do for meetings on security and protection of the network infrastructure. These meetings often cover the releases and very rarely a description of the exact security problem.

Because these problems can be quite technical, often trainers or IT managers inform their colleagues to get the updates or patches and never explain the reasons why.

With internet oriented viruses and “hackers” and “crackers” out on the internet, the challenge now becomes ‘how to’ train these professionals who protect your infrastructure and how to protect your client and company assets.

Training young information technology professionals becomes a tedious never ending task for information technology managers. Often the IT departments are understaffed and overwhelmed by the amount of work they have to contend with. This leads to missed meetings, inadequate training or other related items being put off due to long hours of work. With training at the aforesaid companies, security becomes a priority for not just the IT department but also all of the other departments throughout the corporations.

Scope of the Study
This study encompasses many areas and a broad-based research of relevant materials from industry leading experts. The implementation of security in stages across organizations is of the utmost importance. The study uses research materials collected through November 2004 and will draw on the professional position of the researcher to observe the impact of security on organizations today. With over twenty years of experience, this research has gone through many implementations of new security trends. This study looks at the implementation of security of organizations from the CIO’s viewpoint.

Security among organizations today has several parts that need reviewing and updating. This study will identify why and how organizations are not meeting the demands of industry as ecommerce grows globally. This research paper provides research into all aspects of companies whether the company is small or big. Companies who the feasibility of how industries today could take precautionary measures to protect themselves if the companies would provide policy and procedures for all members of the company’s information technology team. With cyber crimes increasing every year, the research materials and written analysis of this study could encompass an enormous amount of material. Included in the appendixes of this study are such laws that have gone into effect over the past several years.

An implementation plan for security in a modern company covers both physical and cyber security. A look at the example companies and how they used modern methods for “locking down” their networks and clientele data will be discussed. The following steps have been used to gather the analysis for this paper:


  1. Collected data to support the weakness and underlying causes of security collapse.

  2. Used professional experience from the researcher’s company to look at analyzing and confirming research materials.

  3. Consulted with Allen Corporation, Neill Corporation and Taylor Corporation to gather information relevant to the discussion on security in modern infrastructures.

  4. Analyzed and collected data based on the scope outlined in these sections.

  5. Made the final analysis.


Rationale of the Study
Protecting a corporation’s network is no longer an option. Many different opinions across the nation exist on how to protect a company’s assets. CIOs now hire security managers and security analysts just to review current policy and procedures and to look at the business’s infrastructure. In order to survive without a disruption of business or without having assets stolen, businesses today must meet industry requirements and look at their implementation strategies for long term protection.

This research will investigate several experts’ views on what is needed in order to protect internal data. From these materials researched, this study will present the Computer and Network Security infrastructure in place at the Allen Corporation, Neill Corporation, Taylor Corporation, and a higher education facility. Using the expertise of industry leading experts who have implemented, or utilized skills to protect their company is the best way to present a recommended security plan.



Overview of the Study
Every magazine listed in the bibliography contains information regarding security. With this tremendous amount of media press surrounding security, industry experts are beginning to agree and acknowledge the need for security. Every field in the information technology industry, including experts from consulting, auditing, financial, medical, government and technology vendors, is giving its opinions and interpretations on the broad subject of Computer and Network Security. Many of these experts have turned this subject matter into a lucrative business. This study will narrow the broad range down to discuss the impact on companies and provide a summary of recommendations based on the given companies within this paper.
To look at all of security as a whole would be impractical. Security is constantly going through a metamorphosis. Because of these changes, this paper would be outdated if all security measures, programs and threats were outlined. As a result, this study will focus on the most critical and initial requirements for protection in the workplace.

In conclusion, the researcher’s professional background in the Information Technology field with over 20 years of experience will contribute to the significance of this study.



CHAPTER 2

Review of Related Information
Introduction

As the internet came to be, security was low profile and on the back burner for most corporations. Connectivity was a primary concern for Information Technology Professionals as the internet began several years ago. With this beginning, malicious users began to infiltrate and modify systems and data. Sending out viruses and hacking through weak unprotected networks, these users became an immediate threat to legitimate business that wanted to expand and grow globally.

Many Chief Information Officers state that the ever growing concern of security is one of the biggest tasks facing the information technology field today. With spyware/malware, worms, viruses, internal threats and hackers, companies today face their most challenging time for ecommerce growth. With customers all over the globe, the protection of local assets as well as the customers’ account information is of the utmost importance.

The historical events that have caused such a concern with computers began with the simplex hacking of phones by “Captain Crunch” and the adding of boot sector viruses to floppy disks. The growth of these malicious activities now can affect millions of users within a matter of minutes. The historical events for malicious and non malicious activities are as follows:





  • 1960 Students become the first hackers

  • 1970 Phone Phreaking and Captain Crunch

  • 1980 Hacker Boards on BBS (early ways to chat)

  • 1983 Kids Begin Hacking

    • Note: Los Alamos National Laboratory, which helps develop nuclear weapons was hacked this year.

  • 1984 Hacker Magazines

  • 1986 Computer Fraud and Abuse Act

  • 1986 Boot sector viruses

  • 1987 File infecting viruses

  • 1988 First Antivirus solution – Encrypted viruses

  • 1988 Unix Worm

  • 1989 Cyber Espionage with Germans and KGB

  • 1989 Credit Card Theft Goes Mainstream

  • 1989 Date oriented viruses

  • 1990 Stealth, Polymorphic, Multipartite and armored viruses

  • 1991 Stealth, Polymorphic and Multipartite

  • 1992 Code change viruses

  • 1993 Viruses that attacked viruses

  • 1993 Hacking used to cheat phone system to win contest

  • 1994 Hacking Tools Become Available

  • 1994 Encoded Viruses

  • 1995 Kevin Mitnick Hacks the Government

  • 1995 First Macro Viruses

  • 1996 Macro viruses affecting Microsoft Excel

  • 1997 AOL (largest) ISP Hacked

  • 1998 The Cult of Hacking Takes Off

  • 1998 Spyware/malware begins to download to machines globally

  • 1999 Macro viruses affecting Microsoft Word

  • 1999 Software Security (Windows begins providing updates)

  • 2000 Service Denied

  • 2000 Worm viruses

  • 2001 DNS Attack

Many other significant events have happened over the past forty years. This timeline is a brief listing of major events that took place.


As the timeline above shows, malicious activities have been around for forty years and are growing by leaps and bounds every day. With government laws on cyberterrorism being put into place all over the globe, the continual infection of machines along with hacking is at an all time high. The research materials presented show that, because of ecommerce and the growth of the internet, there is no end in sight to the growth of these activities. This study will present research materials to give several opinions on the recommendations to protect your network infrastructure.
Importance of Internal Company Security and Auditing Controls
This section discusses several categories of Internal Company Security and Auditing Controls. Included is a discussion on the general importance and purpose of having these controls in place and their relevance to protecting the internal and external infrastructure by the information technology department.

It is important to understand that the control of every aspect of the network infrastructure (out to the client side) is very important, and the lack of such controls by the company or the information technology department could be catastrophic.



General Internal Company Security and Auditing Controls
General Internal Company Security and Auditing Controls are being applied today so that companies can have a standard approach to bring together different opinions and ideas. These Internal Controls are generally brought together by a consortium of management and other personnel to achieve objectives by the company. Internal Controls allow companies to maintain several of the following areas:

  • Efficiency of operations.

  • Compliance with laws and regulations.

Several documents have also been released to suggest ideas about Internal Company Security and Auditing Controls:

  • Company controls should be built into operations currently in place.

  • All departments and personnel within a company have input to Company Controls.

  • Company and Internal Controls help to govern companies currently operating.

According to policies of a higher education facility, companies should have a continuous program in place to put together and assemble training and implementation through several avenues:

Risk Assessment

  • The identification of key weaknesses in computer systems, nodes on a network, clients, connectivity and training.

Security Control Activities

  • Policies and Procedures that ensure all levels of the company are within compliance with standards set by the company.

  • Activities include hierarchal structure, authorization, implementation, disaster recovery and planning.

Information and Communication

  • Information from vendors is archived.

  • Information from customers (clients) is logged.

  • Communication along internal paths of the company to ensure all areas of protection are available.

Monitoring/Auditing

  • Assessment of hardware firewall.

  • Assessment of Software Patches and Service Packs.

  • Management of all personnel.

  • Auditing of logs and change orders.

  • Monitoring of performance of all nodes on the network.

  • Monitoring of security alert sites of government and for profit sites.

The research paper at this point has focused on the importance and makeup of generalized Internal Company Security and Auditing Controls. Weaknesses in this structure follow:



    • Communication

    • Poor or lack of judgment

    • Lack of training

    • Lack of concern

    • Disgruntled employees

    • Lack of review




It is up to management at all levels to monitor company security and auditing controls.
General Information Technology Controls
Certification vendors have tried to measure the general knowledge of information technology professionals by providing tests in vendor and vendor neutral areas. These certifications are used to show the competences of IT professionals. It is important to understand this information when looking at the internal controls of your information technology department. The strength of these certifications is indicated by the exposure to the conceptual material of the subject matter. The weakness of these certifications is the fact that materials and testing materials can be gained anywhere on the internet. Therefore, it is important to have qualified personnel who have certifications and the “hands on” experience of working with different operating systems and hardware.

With general controls of security and auditing at the company level, an adherence to controls at the IT department level is of the utmost importance because this department is at the front end of the network protection strategy.



In many networks, the company has an intricate, complex infrastructure of local area networks, virtual LANs, virtual private networks and security policies in place. However, many networks today lack the expertise and trained personnel to provide maintenance.
Miscellaneous Laws Defined