The Impact of Computer and Network Security in Corporations Today: Understanding the Impact and Solutions of Computer and Network Security in Today’s World.

The Impact of Computer and Network Security in Corporations Today:

Understanding the Impact and Solutions of Computer and Network Security in Today’s

Worldby

Steve Mallard

In today’s world of the internet and ecommerce, many companies lack the expertise and training to secure their critical network infrastructure and data. Because of this fallacy, many companies’ infrastructures are subject to being compromised.

With extortion, cyber theft, malicious attacks and internal theft occurring at an unprecedented pace, many companies are just becoming aware of the aforesaid problems. While a few companies and corporations awaken to a new world of problems, many continue to sleep, totally oblivious to what is happening as they go about their daily work. This research gives terminology and briefs from the Information Technology industry.

Until now, computer security and locking down the network infrastructure has been on the back burner with most companies and corporations because of cost. According to a corporate poll in A nationally recognized information technology magazine, 99% of U.S. companies now use some type of preventive antivirus technology with 98% of these companies now using firewalls. This electronic security poll was based on compiled information from larger corporations and their practices and does not include small to midsize companies found throughout the United States.

Cost of an electronic exploit can be greater than a million dollars per incident as reported by the FBI. This information is found in the FBI’s (Federal Bureau of Investigation) report of cyber threats in the United States. In order to help counterbalance this, smaller to midsized companies could spend less than $5,000 to harden their systems and operating systems to put a statefull firewall in place. As stated in this paper, these companies often lack the resources, materials and funds to do so

. A look at the example companies and how they used modern methods for “locking down” their networks and clientele data will be discussed. The following steps have been used to gather the analysis for this paper:

Collected data to support the weakness and underlying causes of security collapse.

Used professional experience from the researcher’s company to look at analyzing and confirming research materials.

Consulted with Allen Corporation, Neill Corporation and Taylor Corporation to gather information relevant to the discussion on security in modern infrastructures.

Analyzed and collected data based on the scope outlined in these sections.

Made the final analysis.

1960 Students become the first hackers 1970 Phone Phreaking and Captain Crunch 1980 Hacker Boards on BBS (early ways to chat) 1983 Kids Begin Hacking

Note: Los Alamos National Laboratory, which helps develop nuclear weapons was hacked this year.

1984 Hacker Magazines 1986 Computer Fraud and Abuse Act 1986 Boot sector viruses 1987 File infecting viruses 1988 Fist Antivirus solution – Encrypted viruses 1988 Unix Worm 1989 Cyber Espionage with Germans and KGB

1989 Credit Card Theft Goes Mainstream 1989 Date oriented viruses 1990 Stealth, Polymorphic, Multipartite and armored viruses 1991 Stealth, Polymorphic and Multipartite 1992 Code change viruses 1993 Viruses that attacked viruses 1993 Hacking used to cheat phone system to win contest 1994 Hacking Tools Become Available 1994 Encoded Viruses 1995 Kevin Mitnick Hacks the Government 1995 First Macro Viruses 1996 Macro viruses affecting Microsoft Excel 1997 AOL (largest) ISP Hacked 1998 The Cult of Hacking Takes Off 1998 Spyware/malware begins to download to machines globally 1999 Macro viruses affecting Microsoft Word 1999 Software Security (Windows begins providing updates 2000 Service Denied 2000 Worm viruses 2001 DNS Attack

General Internal Company Security and Auditing Controls are being applied today so that companies can have a standard approach to bring together different opinions and ideas. These Internal Controls are generally brought together by a consortium of management and other personnel to achieve objectives by the company. Internal Controls allows companies to maintain several of the following areas:

Efficiency of operations. Compliance with laws and regulations. Several documents have also been

released to suggest ideas about Internal Company Security and Auditing Controls:

Company controls should be built into operations currently in place.

All departments and personnel within a company have input to Company Controls.

Company and Internal Controls help to govern companies currently operating.

Risk Assessment The identification of key weaknesses in computer systems, nodes on a

network, clients, connectivity and training. Security Control Activities Policies and Procedures that ensure all levels of the company are within

compliance with standards set by the company. Activities include hierarchal structure, authorization, implementation, disaster

recovery and planning. Information and Communication Information from vendors is archived. Information from customers (clients) is logged. Communication along internal paths of the company to insure all areas of

protection are available. Monitoring/Auditing Assessment of hardware firewall. Assessment of Software Patches and Service Packs. Management of all personnel. Auditing of logs and change orders. Monitoring of performance of all nodes on the network. Monitoring of security alert sites of government and for profit sites.

The research paper at this point has focused on the importance and makeup of generalized Internal Company Security and Auditing Controls. Weaknesses in this structure follow: Communication Poor or lack of judgment Lack of training Lack of concern Disgruntled employees Lack of review Lack of training  

It is up to management at all levels to monitor company security and auditing controls.

Larger companies have a distinct advantage over smaller companies because of the minimal work required to keep their network infrastructure secure. A small list of duties below is required to keep data protected:

Periodic changes of passwords Updating of policy and procedures Auditing server logs Auditing firewall logs Researching new malicious threats at third party information sites Physical security Applying patches Applying service packs User management Monitoring spyware/malware Monitoring new installs Monitoring performance Monitoring IDS systems Monitoring anti-virus protection

Password policies are often overlooked after the inception of the computer network. Network administrators can use the group policy editor in workstations or rules in active directory to set password rules. Minimal, complex and history settings can greatly increase Computer and Network Security.

Companies should look at the update of policy and procedures in order to keep up with changes across its infrastructure. These regulations help to guide all levels of information technology professionals. The consistent and concise update is critical to security in a network infrastructure.

The auditing of logs at all levels is critical and cannot be stressed enough. These logs provide accurate details on the access and changes requested and made during a session. All of the companies mentioned in this study review logs on a frequent basis. This becomes one of the single most important processes in looking for patterns and breeches of security.

The outline below is provided to illustrate and show how Computer and Network Security has been implemented as a plan to a higher education facility. This basic outline targets the infrastructure of companies through which the bases of protecting internal assets are most critical. It shows the effectiveness of the school’s control, auditing and implementation.

Periodic control of Operating System Patches Virtual Private networking to Domain Servers with Student Information

Systems Software from staff workstations Periodic control of Operating System Service Packs Anti-virus software installed on each workstation to include student

work stations Spyware/malware / Malware control measures “Pop up” control measures Application updates (i.e., Microsoft Office and related) Software Update Services Server installed to push updates approved by

administration Documented Policy and Procedures school level Documented Policy and Procedures board level Active Directory Server login for staff to establish IT Policies Applications with logging of activities (customized) Application and Security Logs running on Servers Network Address Translation used at firewall level DMZ (demilitarized zones) used on web server Hardware firewall (three honed) used with logs and specific port number

restrictions. IDS (Instruction Detection Server) in place and monitored Traffic monitor in place to monitor inbound, outbound and intranetworking

packets Disaster recover plan in place

Control of patches and updates becomes one of the most important aspects of Computer and Network Security. With operating systems flaws being one of the most critical needs to identify when operating a network, control of pushing service packs or updates to computers becomes extremely important. Companies should have this in their plans and someone in the information technology department should be assigned to check SUS (System Update Services) servers daily. This IT person should also check security and operating system websites for alerts. Often these sites have email alerts to alert end-users of a security problem.

Virtual Private Networks or VPNs should be created between workstations and servers that contain critical data. By using PPTP (Point to Point Tunneling Protocol), this ensures the data is encapsulated as it travels across the internal network. While packet capturing software can be installed on a network, this will help to encrypt the data and prevent loss due to network sniffing.

Antivirus software must be installed on every workstation and the software should be updated daily. This control of updating can come through push services through a server to insure the virus pattern or signature is up to date.

Spyware/malware control is becoming an issue at all companies. Spyware/malware is software download automatically be some websites to track a user’s internet surfing habits or to track software use on the end user’s computer. Often computers become burden by spyware/malware loaded in the operating system and become nonfunctional or extremely slow.

Policy and Procedures Committees and Subcommittees used to monitor changes,

constant updates and reviews by all members of the information technology team.

Risk Assessment Value of product and client data, cost of breach. This

assessment can give the company an idea of the risk of a breach. Inventory

Inventory of software and hardware. Inventory allows for control of products and control of sensitive information.

Needs Assessment Users and applications “Need to Know Basis Only”. This form of

assessment allows for securing data at different levels based on rank or a hierarchal structure in the company.

Structure Physical security and ideal topologies to meet performance needs

and environmental controls.

Levels of Protection Workstation

Antivirus software, operating systems updates and patches, application updates, VPN to servers, strong password protection

Private Servers Antivirus software, operating systems updates and

patches, application updates, VPN from workstations, Kerberos security, tokens and certificates, strong password protection

SNMP nodes Password Protected SNMP manageable devices

Wireless Access Points Wireless Encryption Protocols (128 bit minimum)

(WPA Preferred with a RADIUS Server MAC filtering

Firewalls Acceptable ports and sites

IDS Systems Backend for internal and external NIC cards used to

monitor all traffic within the organization Network Address Translation Needs

Public to Private ips for internal networks with few public ip addresses

  Public Servers

Located in DMZ areas all patches updates and only necessary ports open

Training programs New software New hardware

The overall strategy for the initial phase of protection involves the publishing of Policy and Procedures.

The publication of Policy and Procedures includes the hierarchal structure of the information technology department and all tasks associated with it. The following approach is used to monitor the updating of the Policy and procedures:

Document changes to existing Policy and Procedures.

Identify weaknesses Test disaster recover portion of Policy and

Procedures Test auditing procedures Rewrite when significant amount of changes takes

place On going training

Training is in place from the lowest level of help desk to the Information Technology manager and CIO. Training updates are given to all employees outside of the IT department so that security can be maintained throughout the company. These companies use the following training methods: Memos to all staff on new viruses Memos to IT Personnel on new viruses Memos to IT Personnel on opportunities to train at seminars Seminars (Mandatory) Seminars (Voluntary) Webcasts/Podcasts In house training by security personnel In house training by outside resources College reimbursement New product training Policy and procedure review Proper use of the internet Proper use of email and best practices

Employ certified and experienced personnel

All are focused on standards set by CERT.ORG and other security industry leaders

Strong Policy and Procedures in place Communications among internal company

and internal information systems. Committees and Sub-committees in place

for compliance issues

The problem statement components of “when security is needed, and how to implement it” are answered as follows:

Industry wide compliance of recommendations by industry leading experts.

Restating the key elements from previous chapters include:

Employ trustworthy Information Technology workforce to protect assets from within the companies as though assets were their own.

Focus on industry statistics and separate fact from fiction for the best protection of the security infrastructure.

Utilize all means of security including beta based security tools, physical tools and update policys and procedures as necessary. Document all deficiencies and follow thorough with any and all short comings to insure the best and most adequate protection from thieves, whether internal or external

Ongoing communications between all levels of employees from help desk to the CIO (Chief Information Officer).

CIOs cannot lose touch with reality of the “real” world of security.

A quality control program should be put into place to maintain site wide integrity.

Policy and procedures must be reviewed. Internet usage policies should exist and all employees

should review and sign acceptance letters. Email usage policies should exist and all employees

should review and sign acceptance letters. Systems must be tested in order to ensure quality. Ongoing training must be put into place for IT

professionals and accurate records must be maintained in order to verify training and training needs.

The recommendations from this study are as follows: Companies should do extensive background checks on

their Information Technology employees. Checks should include financial, criminal and past employment checks.

Companies should put Policy and Procedures into place to make sure that all aspects of disaster recovery and planning are covered including hardware failure, software failure, network setup, personnel hierarchy, team responsibilities, deployment of all software and appropriate licensing and other mission critical objectives.

Companies should have a consistent audit practice in place for server logs, firewall logs, patches, service packs and updates.

The network infrastructure for companies needs a consistent quarterly overview committee to look at security needs and challenges. This would provide quarterly updates of mission statements and policies as needed.

Companies need training programs in place for Junior as well as Senior level analysts to understand the challenging environment of security. These training programs need to include industry leaders and seminars from software vendors.

Companies need consistent and open forums within their infrastructure for communication of daily changes affecting the security environment.

The hierarchal level of the internal department of Information Systems/Technology needs to be dynamically flexible to meet the needs and challenges facing the ever changing world of information technology security in the workplace.

Small Ecommerce servers should “dump” data to a printer and be reentered as a precautionary measure in case of a breach on an internal file server.

“Companies must provide high level training to meet the needs of industry growth while maintaining a balanced budget and customer security”.