Joshua Cormas
COSC 356 – Net. Security
Final Presentation Essay

Network Security Policy: In the Work Place

I will begin by providing a roadmap of what I will be discussing in this essay in relation to network security policy in the work place. I will first explain how companies can control network security risks in the work place. I will also describe the different types of security policies companies most frequently utilize, and give some examples. After that, I will describe training and awareness programs which provide increased security for companies and organizations.

Network security policies are very important in businesses and organizations to maintain daily functioning. The most important concept in information security and networks is of course the risk factor. There can be many different types of risk that are encountered in an organization. Some risks are small and easily managed, while other risks can threaten the existence of a business. These risks were once taken lightly, but today they are viewed as avenues through which an attacker can potentially cripple a targeted business. Many of these approaches can be applied to information security in general; however, I will be focusing on the network security aspects.

Most organizations utilize a multifaceted approach. First, they work to control risk through management techniques. Second, they develop a policy that reflects the organization’s needs and operation. The network security policy defines what the organization needs to protect and how it will do so. The third approach is awareness and training on the policies. Similar to how users must be instructed on how to use specific software or hardware, they also must be told network policies to maintain a secure network and business.

Controlling the risk factor is the most important part of managing network security policies. It is important to know some commonly used definitions in network security.
A threat is a type of action that has the potential to cause harm to a computer network. A threat agent is a person or element that has the power to carry out a threat. A vulnerability is defined as a flaw or weakness in a company’s network security. One example of this is the authentication methods companies utilize. Finally, risk is the likelihood that the threat agent will exploit the vulnerability.

Some classifications of network security risks are listed and described as follows. Compliance is considered to be following a regulation or standard on a network. Strategic is an action that affects the long-term goals of an organization, such as unauthorized access to intellectual property on a company database. Technical classifications are events that affect network systems, such as a DDoS or SQL injection attack.

There are three important strategies for controlling risks in an organization. Privilege management is the process of assigning and revoking privileges to users on a network. Change management is a methodology for making modifications and keeping track of changes, such as new servers or routers being introduced to a network. Incident management is the framework and functions required to enable incident response.

Another way of reducing risks is through a network security policy. A policy is a document that outlines the protections that should be enacted to ensure that the organization’s network stability and assets face minimal risks. This defines how an organization plans to protect the company’s network. The primary purpose of a network security policy is to inform users and staff of the requirements for protecting various assets. These assets take many forms, including passwords, documents, or even servers. These policies also lay out guidelines for acquiring, configuring, and auditing computer systems and networks. Things companies should consider when creating a network security policy include: What do you have on the network that others want?
What processes, data, or information systems are critical to your organization? What would stop your company from functioning? The answers to these questions identify a wide range of network assets. These include critical databases, vital applications, personal data, shared network storage, e-mail servers, and web servers.

Network security policies must consider all entities that deal with your network. This means not only employees, but also end users and anyone who has confidential data on your networks. Employees are considered potential threats in security policies. However, these policies must be implemented so that employees are still able to complete their jobs without being overly burdened by security measures. In network security policies, users can be organized into two audiences. The first is the internal audience, which consists of managers, executives, departments, technical staff, and end users. The second is the external audience, which consists of partners, customers, suppliers, and consultants.

There are several main security policy components. The governing policy is a high-level treatment of security concepts that are important to the company. Managers and technical staff are the intended audience. This policy section controls all security-related interaction among business units and supporting departments in the company. An end user policy is a document that covers all security topics important to end users. This policy answers the “what”, “who”, “when”, and “where” network security policy questions for end users. Technical policies are used by security staff members to carry out security responsibilities for the network or system. These policies are more detailed than the others, and are system or issue specific. Network security staff members use the technical policies in the conduct of their daily responsibilities. An acceptable use policy defines the acceptable use of computing services and networks, and the security measures employees should take.
An audit policy is used to conduct audits and risk assessments, investigate incidents, ensure adherence to security policies, and monitor user and system activity when needed. A global web server policy defines the standards that are required of all web hosts on the network. An e-mail policy defines standards to prevent tarnishing the public image of the organization, restrict automatic e-mail forwarding to external destinations without prior approval, and set spam policies. Remote access policies define the standards for connecting to the network from any host or network external to the organization. A VPN security policy defines the requirements for remote-access IP Security (IPsec) or Layer 2 Tunneling Protocol (L2TP) VPN connections to the organization’s network. An application service provider policy defines the minimum security criteria that an ASP must execute before the organization uses its services on a project. A database credential policy defines the minimum requirements for securely storing and retrieving database usernames and passwords. An inter-process communications policy defines the security requirements that any two or more processes must meet when they communicate with each other using a network socket or operating system socket. A source code protection policy establishes minimum security requirements for managing product source code. An extranet policy defines the requirement that third-party organizations that need access to the organization’s networks must sign a third-party connection agreement.

Policies are important, but are useless if staff doesn’t understand and implement them. Technical and administrative controls can all be defeated without the participation of the end-user community. To get end users (accountants, administration, etc.) to think about security policies, the company must train and regularly remind them about security.

Another important aspect of network security is the physical security that protects hardware, such as servers and other computer equipment.
One method of protecting the physical assets of a network is to centralize network servers in one area. Access to the area would require authentication of some sort, such as an ID badge. Another key component of the physical security of a network is surveillance. Outside of a physical network asset, there should be cameras monitoring to see who enters and attempts to access the location. This will enable a company or organization to detect when someone enters a sensitive location, as well as provide evidence in the event of an attack.

Network encryption is another key factor. Network encryption, sometimes called “network level encryption”, is a network security process that applies crypto services at the network transfer layer. Using existing network services and application software, network encryption is invisible to the end users and operates independently of any other encryption processes used. Businesses can utilize network encryption methods to ensure communications between local networks are confidential. One popular form of network encryption is IPsec, otherwise known as Internet Protocol Security. It includes a set of cryptographic tools to protect communications, encrypting each IP packet going between network systems.

Overall, network security is a very broad topic. When applied to businesses and work places, it becomes slightly more specific. Common methods and techniques of applying network security concepts can be seen in today’s companies. It is important for a business to critically analyze its assets to decide on a network security policy that best fits the company. Next, it must be sure to practice these policies and apply them to all affected parties. These policies are pointless if the end-user community does not use them, so it’s important to regularly remind employees of their existence. Poor network security in a business can ultimately lead to the downfall of the organization.