Network Security - What Have You Got to Lose?

Computer Security - the protection of the computer resources against accidental or intentional disclosure of confidential data, unlawful modification of data or programs, the destruction of data, software or hardware, and the denial of one's own computer facilities irrespective of the method together with such criminal activities including computer related fraud and blackmail.[Palmer]

• exposure - form of possible loss or harm in a computing system.
• vulnerability - weakness in the security system that might be exploited to cause a loss or harm.
• threats - circumstances that have the potential to cause loss or harm.
• control - protective measure that reduces a vulnerability.

Three main points of computer security:

• secrecy - limiting who can access assets of a computer system.
• integrity - limiting who can modify assets of a computer system.
• availability - allowing authorized users access to assets.

Four kinds of threats to the security of a computer system:

• interruption - asset of system becomes lost or unavailable or unusable.
  --------------------| |---------------
• interception - some unauthorized party has gained access to an asset.
  ----------------------------------------
  \__________________________________
• modification - some unauthorized party tampers with an asset.
  ------------------------- ------------------
  |____|
• fabrication - some unauthorized party might fabricate counterfeit objects for a computer system.
  ----------------------------------------
  _________________/

• Assessing Your Security Needs
  The staff or individual in charge of security, should have the following responsibilities:
  • report to management about the reliability and security of exisiting systems
  • evalaute every incident of compromised security
  • periodically review all practices pertaining to data-handling
  • guarantee that all procedures and the systems on which they run have a level of security appropriate to the particular procedure
  • A Policy Document [Appendix D]
    1. Network Passwords
    2. Access Levels
    3. Physical Security
    4. Response to Violation
    5. Internet
    6. Viruses
    7. Encryption
    8. Fax
    9. Termination
    10. Backup of Data
    11. Destruction of Media
    12. Background Checks
    13. Security Personnel
    14. Disaster Plan
    15. Audit/Review
  • Risks and Horror Stories
    3 most common methods for attacking a computer system:
    • Sendmail (attachments)
    • Password Cracking & Theft
    • Packet Sniffing
    threats may be directed at:
    • Hardware
    • Software
    • Operation
    UNINTENTIONAL HARM vs. INTENTIONAL HARM - ESPIONAGE
• Types of Security
  • Internet Security (Computer Emergency Response Team (CERT))
  • Network Security
    • PASSWORDS
    • REMOTE ACCESS
    • DATA REMANENCE
  • Physical Security
• Government Policies and Regulations
  • Government Security Classes
    • Class D - minimal security
    • Class C - discretionary protection
    • Class B - mandatory protection
    • Class A - verified protection
• Specific Legislation (H.R. 695 - SAFE Act)
• Summary