Internet/IT SECURITY METHODOLOGIES� term paper 41523

Internet term papers
Disclaimer: Free essays on Internet posted on this site were donated by anonymous users and are provided for informational use only. The free Internet research paper (IT SECURITY METHODOLOGIES� essay) presented on this page should not be viewed as a sample of our on-line writing service. If you need fresh and competent research / writing on Internet, use the professional writing service offered by our company.
View / hide essay

PAGE 1

Outline:

A) Introduction: Computer Security

B) General Discussion:

1) Designing Security

2) Policies and Protocols

C) Securing Intra-system Networking

1) Cryptographic techniques

2) Authentication techniques

3) Cryptoprocessors

4) Chain of Trust Techniques

5) Mandatory Access Control

6) Capability and Access Control List

7) Automated Theorem

D) Securing Against External Threats

1) Internet

a) Prevention, Detection, Response

2) Physical access

E) Conclusion

1) Recommendations

2) Improvements

3) Summation

PAGE: 2

Forward:

The development and amelioration of IT security is the undoubtedly the fastest growing segment of the Computer Science industry. The need for protecting computer systems from both internal and external attacks is paramount for any company which utilizes computers as part of their business function. There is no single product, software, hardware or programming that can secure any and all systems. Thus every avenue must be explored in an effort to structure as secure of an environment as possible for a computer system. In order to adequately configure this security, a complete analysis of the computer system including hardware, software, and peripherals as well as information on all users and their functions must be completed. This paper will identify and analyze various types of security methodologies for a particular computer networking system and then recommend an IT security policy which is best suited.

PAGE: 3

With the advent of the Internet and Computer Networking programs, the development and amelioration of IT security is the undoubtedly becoming the fastest growing and most solicited segment of the Computer Science industry. The need for protecting computer systems from both internal and external attacks is paramount for any company which utilizes computers as part of their business function. Regrettably, at this time there is no single product, software, hardware or programming that can completely secure any and all systems. Thus every avenue must be explored in an effort to structure as secure of an environment as possible for a computer system. In order to adequately configure this security, a complete analysis of the computer system including hardware, software, and peripherals as well as information on all users and their functions must be completed. This paper will identify and analyze various types of security methodologies for a particular computer networking system and then recommend an IT security policy which is best suited for the facilities as heretofore described:

3 Servers, 30 PC�s, 4 network printers, 6 printers connected to user PC�s. PC distribution is 10 at one location and 20 at another location being linked together using 256K leased line using Cisco routers. MS Windows NT-4 is the operating system and MS Office 2000 is the corporate software. Lotus Notes is the intra-email software with a custom in-house

DATED: JAN. 17, 05

�IT SECURITY METHODOLOGIES� PAGE: 4

Oracle based software is the Financial Applications program.

For my purpose, I will largely be profiling the methodologies of various security approaches for networking systems with only a few pages devoted to Internet and

Physical threats.

Unfortunately, most experts agree that it is important to realize a computer system�s security will ultimately be compromised and only the best strategies plan for this inevitability. Many poor souls falsely believe they can truly secure a computer system from any perceived vulnerabilities, and usually it is this naive reasoning which is exploited by attackers. Basically, any system which house foundational errors in its security plan cannot embody essential safety without trading-off its� usability. To begin, it is imperative to differentiate the techniques deployed to enhance a system�s security from the question of said system�s security condition. There are two different tactics to computer security: one is to focus primarily on external threats by assuming the computer system is trustworthy or a trusted system, and the other approach considers the computer system itself as the un-trusted system therefore it is reconfigured in a variety of modes to increase the security. Before we begin the process of describing and analyzing the different techniques available to secure our computer system from internal threats, we need to debate the idea of hiring a Network Administrator.

A Network Administrator�s purpose is to oversee all aspects of computer

DATED: JAN. 17, 05

�IT SECURITY METHODOLOGIES� PAGE: 5

operations for a company. Typically any business with multiple PC�s linked together or networked to one or more servers should consider hiring a Network or Systems Administrator. The reasoning is simple; one person responsible for all of the computer operations who is a professional expert in the field of systems management eliminates the risk of vulnerability due to �too many hands in the pie� syndrome. This is the first step in improving our systems security. By hiring a professionally trained and experienced NA, we reduce the possibility of the overall operations errors to one human. Many businesses tend to believe that because the system grew with the company so did the users. Additionally, the world is full of would be computer experts who truly believe they are capable of computer systems management, and generally the typical small to medium size business does not regard computer operations, especially security, as a high priority. At least not until the system fails or is attacked by disgruntled former employees, irate customers, business competitors or hackers. The Network Administrator should design a security policy tailored to meet the criteria, functionality and vulnerabilities of the system while maintaining a user friendly atmosphere. The first area of risk to be addressed is the networking use of the system.

There are a variety of techniques available to use in designing secure systems: Cryptographic, Cryptoprocessors, Authentication, Chain of Trust, Mandatory Access Control, Capability, Access Control Lists, and Automated Theorem. Each of these

DATED: JAN. 17, 05

�IT SECURITY METHODOLOGIES� PAGE: 6

techniques will improve the security of our computer system. By careful analysis of each protection article, we can then decide which item or items would offer the greatest security to the above listed system.

The purpose of using cryptographic techniques is to transform information by scrambling it so that it becomes unreadable while being transmitted. In this way, cryptograph defense will reduce the risk that data being transferred between systems can be intercepted and/or altered. This is accomplished by using an algorithm or cipher to encrypt/convert the plaintext in to an unrecognizable and therefore unreadable form. The ciphertext can now be transmitted, after reception the process is reversed (decryption) returning the data to its original readable form. A surreptitious parcel of information used to process the data into ciphertext is called the key. The accomplishment of specified duties assigned to the cipher is termed as protocols. The combination of an assemblage of protocols, ciphers, key administration, and predetermined user actions all combine to effectuate a concerto called a cryptosystem which is what is interacted with by an end-user. Cryptographic techniques are not the mythological impenetrable fortress as perceived to be and in fact there is an abundance of cryptographic software on the market, many of which is insecure and thus ineffective. Every precaution should be taken in determining the overall integrity and security before purchasing a particular cryptographic program.

A cryptoprocessor is a dedicated computer whose only function is to manage

DATED: JAN. 17, 05

�IT SECUROTY METHODOLOGIES� PAGE: 7

and fulfill cryptographic operations. It is designed in to the sub-structure and is the key component enabling the remainder of sub-structures to operate in a securer environment without the need for additional physical security systems. A cryptoprocessor is embedded in the packaging and through the use of layers of security measures; it adds a certain amount of resistance to threats. However, it is a burgeoning technology which still in the invention phases for PC�s and networking. There are a few cryptoprocessors that can run everyday operating systems such as Linux internal of the security border.

Another avenue to explore is the use of Authentication techniques to ensure the end-users are who they purport to be. The authentication process attempts to verify that the communications received are being sent by the entity listed on the message. Just like authorization tactics, authentication programs are seriously flawed by the fact that only one or two tests are used to determine the authentication and thus can be easily fooled or spoofed since most tests are not adequate. Another vulnerability lies in the typical end-user chooses a password which is easy to remember and never, if at all, changes it. Most hackers only need a few minor details on an employee and they can quickly determine that user�s authentication information. A far better process for our system would be to utilize blind credentials which do not establish any identity and only allow a very defined set of usage parameters for the user or program.

Chain of Trust techniques are implemented to attempt to ensure that all of the software employed by the system�s designers has been certified as credible or authentic.

DATED: JAN. 17, 05

�IT SECURITY METHODOLOGIES� PAGE: 8

The premise is to verify that the software is not a boot-leg or illegal copy, which could potentially contain viruses or worms or corrupted files that might jeopardize parts of the system if not the entire network. The easiest way to ensure credibility of the software is to purchase it new from a reliable source making sure it is still encapsulated in the original packaging and that any updates or upgrades to programming come straight from the software manufacturer.

Another security procedure is to utilize Mandatory Access Controls to assure that any special access to the computer system is removed when privileges are revoked. An example would be the deletion of the user account of a terminated employee. MAC�s increase the protection of the computer system from unwanted abuse since the revocation of privileges or the denial of access prevents unauthorized entry and stops any programs being run by that user. Typically the users are broken into two groups; trusted administrators and untrusted users. Trusted administrators are given unlimited access to all files and programs within the computer system. Untrusted users are granted limited access based upon their job function and hierarchy in the company. In this way, the security is structured in such a way as to prevent authorized users at one level from being able to access higher levels of the system or programs.

Internal in the computer system there are two means of keeping privilege divisions: capabilities and access control lists. These two techniques must work in

DATED: JAN. 17, 05

�IT SECURITY METHODOLOGIES� PAGE: 9

unison in order to provide any level of security since ACL�s are inadequate and can not be guaranteed when used alone. At this particular time, capacities are mostly used on research operating systems but they can be installed at the language tier and generally facilitate a type of programming which is basically a refined object oriented structure. These two security tactics have not been widely embraced due to the apparent ease of use of the ACL�s and harbor no actual reconfiguration for securing the operating system or hardware.

One final technique to consider is automated theorem proving which utilizes algorithms and code embedded in secure systems to mathematically prove specification requirements are being met. These ATP�s are found prolifically though out integrated circuits and microprocessors in which their use is to authenticate that various operations are functioning correctly and according to manufacturer�s specifications. So far we have been dissecting the intranet security issues of networked computer systems; since our system has Internet access, we need to address the issue of external threats and protecting against them.

The first issue to arise is deciding whether or not to allow Internet access through our computer system and then who is granted access. By allowing Internet access a whole new set of intrusion scenarios arises and must be dealt with. The amount of problems to consider is almost as vast as the Internet itself. Viruses, worms, spoofed emails, websites imputing spyware into your system to track what websites are

DATED: JAN. 17, 05

�IT SECURITY METHODOLOGIES� PAGE: 10

frequented are just a few of the threats waiting to pounce on an unsuspecting �surfer�.

Couple this with the possibility of receiving any of these attacks from what would be considered a credible source along with �hackers� trying to infiltrate the system for fun or for profit and the issue of allowing Internet access to anyone within the company is as important as the decision of which computer system to purchase. If the decision is made to allow Internet access then deciding who is granted the access will need to be addressed. And finally, the entire system should be protected with the latest version of an anti-virus software containing anti-spyware and an access firewall. The access firewall will prevent an unauthorized user from entering the Internet. There are several excellent programs currently on the market including Norton Anti-Virus Utilities and McAfee Security software.

The other factor to consider when addressing any external threats is a physical

persona. This could be a person or a thing. Changing locks and security codes on all access points to the building(s) is critical in maintaining a secure system. This should be done each and every time keys are lost or personnel changes are made. Installing 24 hour monitored burglar and fire alarms are a priority as well as having high quality surge protectors on every outlet being used by any component of the computer system. Having a battery back-up accessory in which each server is plugged in to will prevent

DATED: JAN. 17, 05

�IT SECURITY METHODOLOGIES� PAGE: 11

lost data during power outages and allow time to power down the system without trauma to the data, files or programs in use at the time of the outage.

The following details my recommendations for the best possible security policy to be implemented for our computer networking system. First hire an excellent Computer Systems Network Administrator with impeccable credentials and education and must pass a thorough background check. A binding and air-tight contract will be drawn up by our Attorneys to ensure the autonomy and anonymity of the Administrator should they leave our company. A probable design for a security system would incorporate the various security measures available through Microsoft utilizing the Windows NT-4 and Windows 2000 operating system. Microsoft has an encrypting program inside the NT-4 that can be enabled and should be adequate for our system since we do not have any government contracts which require security level clearances. The Administrator will periodically access the Microsoft website searching for any updates needed to repair flaws in the Windows NT-4 system. The Cisco routers can be easily set up a with a firewall program from Cisco Systems. Mandatory Access Controls should be implemented in an effort to minimize the inadvertent mis-use of our system by untrained users.

I would recommend allowing Internet access with limited usage, no downloading ability and utilizing an Internet Provider such as AOL where each User ID has access granted to certain websites. Each user will be given a password, based upon

DATED: JAN. 17, 05

�IT SECURITY METHODOLOGIES� PAGE: 12

their job function and group status, to access the computer system and every 30 days a new password will be issued. In the event an employee is terminated or abruptly leaves their employment, their User ID will be deactivated and a new password will be immediately issued for that department. All power outlets will be fitted with surge protectors and cable modem will be the method of transmission for data and internet access. All 3 servers and the 10 printers will be outfitted with battery back-up systems. All 3 servers will archive their data each night to CD-ROM and tape drives will be located off-premises to ensure that should the catastrophic events of the 911 terrorist attacks occur again our data archives will be preserved. These CD�s and tapes will in turn be stored in a fireproof, climate controlled facility at another location as well.

There are no surefire operations or management methods which will guarantee total system security. The only threats that can be guarded against are any we can possibly perceive or concocted and hope that our measures will prevent any intrusion. The inevitability of either an internal or external attack is a reality and one that we can only prepare for not negate. The policy and procedures outlined in this paper are a beginning to an ongoing analysis of implementing, updating, revising and improving the

security system for our computer network. If any improvements to the existing structure should be made, it would be to change the Cisco router from 256K to cable

DATED: JAN. 17, 05

�IT SECURITY METHODOLOGIES� PAGE: 13

modem. I can not find any reasons to implement greater and far more expensive methods since our company does not have the need for secrecy from competitors or foreign entities. Thus the security policy detailed is a sound and prudent schedule tailored to the design of the computer system and our business needs.

DATED: JAN. 17, 05

�IT SECUROTY METHODOLOGIES� PAGE: 14

Works Cited

"Awareness Is the Key to Preventing Laptop Thefts." Public Management Aug. 2003: 34. Questia. 17 Jan. 2005 .

Bailey, James M. "Effective Information Networks Combine Flexibility with Security." The CPA Journal 59.1 (1989): 60+. Questia. 17 Jan. 2005 .

Berkowitz, Bruce, and Robert W. Hahn. "Cybersecurity: Who's Watching the Store? Government Is Not Doing All It Could to Research the Problem or to Exercise Its Proper Regulatory Role." Issues in Science and Technology Spring 2003: 55+. Questia. 17 Jan. 2005 .

Bradbard, David A., Dwight R. Norris, and Paramjit H. Kahai. "Computer Security in Small Business: An Empirical Study." Journal of Small Business Management 28.1 (1990): 9+. Questia. 17 Jan. 2005 .

Brown, Ann. "Security Sweep: Products and Services Involving Security Provide Booming Sales for Small Business Owners." Black Enterprise Apr. 1997: 33. Questia. 17 Jan. 2005 .

Cashell, James D., and Jeri B. Waggoner. "Computer Viruses: The Risks Posed to CPAs and How to Deal with Them." The CPA Journal 59.7 (1989): 66+. Questia. 17 Jan. 2005 .

Cherry, Sheila R. "Computer Hacker Sneak Attacks." Insight on the News 20 Mar. 2000: 22. Questia. 17 Jan. 2005 .

DATED: JAN. 17, 05

�IT SECURITY METHODOLOGIES� PAGE: 15

Collette, Jason. "Symantec's Norton Anti-Virus 2000." T H E Journal (Technological Horizons In Education) 28.7 (2001): 34. Questia. 17 Jan. 2005 .

"Computer Data Protection Checklist." Journal of Accountancy 180.4 (1995): 8. Questia. 17 Jan. 2005.

Davis, Joyce E. "Safeguarding Your Network: Preventing Network Break-Ins in Your Company." Black Enterprise Oct. 1996: 48+. Questia. 17 Jan. 2005 .

Del Russo, Roger. "Securing Your Computer Network." T H E Journal (Technological Horizons In Education) 31.2 (2003): 25+. Questia. 17 Jan. 2005 .

Devito, Nicholas J. "Bluetooth Is Coming." Black Enterprise Apr. 2001: 54. Questia. 17 Jan. 2005 .

Donaldson, Sonya A. "Stop Hackers Cold." Black Enterprise Feb. 2001: 70. Questia. 17 Jan. 2005 .

Dunn, Cheryl L., Gregory J. Gerard, and James L. Worrell. "Evaluation of Network Operating System Security Controls." Issues in Accounting Education 18.3 (2003): 291+. Questia. 17 Jan. 2005 .

Evans, Ron. "Systems for Growing Firms: Novell vs Windows NT; Choosing a LAN for Your Business." Black Enterprise Apr. 1995: 44+. Questia. 17 Jan. 2005 .

DATED: JAN. 17, 05

�IT SECURITY METHODOLOGIES� PAGE: 16

Friedlob, George T., et al. "An Auditor's Primer on Encryption." The CPA Journal 67.11 (1997): 40. Questia. 17 Jan. 2005 .

Gozzi Jr., Raymond. "The Trojan Horse Metaphor." ETC.: A Review of General Semantics 57.1 (2000): 80. Questia. 17 Jan. 2005 .

Hunton, James E., and M.K. Raja. "How to Pick the Right Computer Network." Journal of Accountancy 175.6 (1993): 41+. Questia. 17 Jan. 2005 .

Katyal, Neal Kumar. "Digital Architecture as Crime Control." Yale Law Journal 112.8 (2003): 2261+. Questia. 17 Jan. 2005 .

Klosek, Jacqueline. Data Privacy in the Information Age. Westport, CT: Quorum Books, 2000.

Kolodzinski, Oscar. "Aligning Information Security Imperatives with Business Needs." The CPA Journal 72.7 (2002): 20. Questia. 17 Jan. 2005 .

L., Karen Sampson. Value-Added Records Management: Protecting Corporate Assets and Reducing Business Risks. New York: Quorum Books, 1992.

Lohmeyer, Daniel F., Jim Mccrory, and Sofya Pogreb. "Managing Information Security." The McKinsey Quarterly (2002): 12+. Questia. 17 Jan. 2005 .

DATED: JAN. 17, 05

�IT SECURITY METHODOLOGIES� PAGE: 17

Luczak, Mark. "Network Administrators: What They Do, Why You Need Them." The CPA Journal 62.3 (1992): 73+. Questia. 17 Jan. 2005 .

Mcfadden, Patrick James. "Guarding Computer Data." Journal of Accountancy 184.1 (1997): 77+. Questia. 17 Jan. 2005 .

Mohammad, Tariq K. "The Plan for LANS: Can a Local Area Network Help Your Business?." Black Enterprise Aug. 1996: 36+. Questia. 17 Jan. 2005 .

Muhammad, Tarik K. "Look before You LAN: Is a Local Area Network Right for Your Home or Office?." Black Enterprise Jan. 1998: 25+. Questia. 17 Jan. 2005 .

Neumann, Peter G. "Computer Insecurity." Issues in Science and Technology Fall 1994: 50+. Questia. 17 Jan. 2005 .

Nunoo, Mildred. "Health Care for Computers: Protect Your Computer and Your Business from Viruses." Black Enterprise July 1996: 34+. Questia. 17 Jan. 2005 .

O'Neil, Michael. "Cybercrime Dilemma." Brookings Review Wntr 2001: 28. Questia. 17 Jan. 2005 .

Roukis, George S., Hugh Conway, and Bruce H. Charnov, eds. Global Corporate Intelligence: Opportunities, Technologies, and Threats in the 1990s. New York: Quorum Books, 1990.

DATED: JAN. 17, 05

�IT SECURITY METHODOLOGIES� PAGE: 18

Savage, Kathryn, Linda Morris, and Norman Pendegraft. "Small Business Computer Security." Journal of Small Business Management 25.4 (1987): 54+. Questia. 17 Jan. 2005 .

Schperberg, Robert, Jeanie Larson, and Dee Schperberg. "Better Safe Than Sorry." Corrections Today Aug. 1997: 96+. Questia. 17 Jan. 2005 http://www.questia.com/>.

Stephens, Gene. "Crime in Cyberspace." The Futurist Sept.-Oct. 1995: 24+. Questia. 17 Jan. 2005 .

Thierauf, Robert J. Effective Business Intelligence Systems. Westport, CT: Quorum Books, 2001.

Van Horn, Royal. "TECHNOLOGY: Prudent Computing." Phi Delta Kappan 85.3 (2003): 183. Questia. 17 Jan. 2005 .

Wagner, Cynthia G. "Securing Our Information." The Futurist May 2001: 9. Questia. 17 Jan. 2005 .

Wright, Marie A. "Protecting Information: Effective Security Controls." Review of Business 16.2 (1994): 24+. Questia. 17 Jan. 2005 .

DATED: JAN. 17, 05

News

Live support is now available round-the-clock 24/7
A paper writing site You CAN trust!
  • 10+ years of experience in paper writing
  • Any assignment on any level. Any deadline!
  • Open 24/7 Your essay will be done on time!
  • 200+ essay writers. Live Chat. Great support
  • No Plagiarism. Satisfaction. Confidentiality.