
Research Paper

Describe the Strategies and Technologies a Business Enterprise Should Adopt in Achieving Security and Performance.

CS 4550 Information Systems Security and Control, Spring Semester 2011. Professor: Varouhas Manos. Student: Karvounas Ioannis

CS 4550 Information System Security and Control

Spring 2011

From the creation of the first business entity there has been a need to protect its ability to function, to safeguard its procedures and to protect the data it collects and uses, so that the enterprise can last through the years. The second requirement for a successful enterprise was an increase in the output the company generated. The latter led to the industrial era, with large factories producing hundreds of standardized products per day. The combination of the two led to the information era, in which as much information as product is generated every day, and the need to handle that data efficiently and effectively has grown and continues to grow. Today, for a business entity to survive and evolve in its market, it must use some aspect of technology, be it a simple spreadsheet for managing supplier and employee payments and inventory control, or sophisticated software that automatically reviews the stock of an item, tells you which order needs to be placed, and reports the balance owed to your suppliers. As technology has become integrated into our day-to-day activities, the need for information security and the need for better performance have grown in parallel, not only in the enterprise world but also in our private lives. The balance shifted towards information security after the first networked environments appeared: networking multiplied the points exposed to external attack, attacks aimed at the illegal retrieval or corruption of the organization's data.

To address these issues successfully, the business world realized it needed specialists responsible for finding ways to increase productivity within the organization's boundaries, by introducing and implementing new technologies and procedures, while at the same time ensuring the continued operation of the business entity and the protection of its information systems. This in turn created fields of specialization at the academic level, which later led to the creation of new positions within the business entity.


Today the CISO (Chief Information Security Officer) or CIO (Chief Information Officer) of an enterprise has to worry about many threats in the business environment that can harm the systems and data he or she manages. Threats such as:
1. Human error or failure.
2. Compromises to intellectual property.
3. Deliberate acts of trespass.
4. Deliberate acts of information extortion.
5. Deliberate acts of sabotage or vandalism.
6. Deliberate acts of theft.
7. Deliberate software attacks.
8. Forces of nature.
9. Deviations in quality of service (from service providers).
10. Technical hardware failures or errors.
11. Technical software failures or errors.
12. Technological obsolescence.
Cataloguing threats in this way has led to tools that can be implemented or utilized to manage and handle each of them. But, as we know, what is appropriate for one organization may be inappropriate for another. So the question that arises from all of the above is "Which of these threats pose the greatest risk to our enterprise?", which leads to the next logical question, "How do I protect my enterprise from those risks?". The selection of the appropriate tools to safeguard a company's data infrastructure is dealt with through research according to risk management standards and procedures. Therefore, before we start planning the tools and ways in which we will ensure the Confidentiality, Integrity and Availability (C.I.A.) of every component of the organization's information system, we first need to identify its vulnerabilities. Risk management is divided into two major activities: Risk Identification and Risk Control.


"Once we know our weaknesses, they cease to do us any harm." Georg Christoph Lichtenberg (1742-1799), German physicist and philosopher

As Lichtenberg suggests, we must first know ourselves (identify, examine and understand the systems currently in place) and then get to know our enemies (identify, examine and understand the threats the organization is facing). Through risk identification methods a CISO is better able to understand the current state of information security within his or her organization. Then, through risk control, he or she applies mechanisms to reduce those risks. The mechanisms of risk control can be broken down into subcategories, depending on the threat the CISO is trying to control and minimize according to the analysis. These categories are: Physical Security, Hardware Security, Software Security, Security Policies/Procedures and Education/Training. In most situations these categories overlap and are interrelated, and they are often delivered as one integrated solution. The solutions can also be categorized as proactive (preventing an incident), post-active (detecting and responding to an incident after it has begun) or monitoring.

Physical Security
With the term Physical Security we mean the concept of monitoring and securing the physical installation of a company as a whole, or a part of it, such as a specific area. Under Physical Security the most common things utilized are:
1. CCTV (Closed Circuit TV), or CCTV with analytics (behaviour-pattern alerts, e.g. abandoned object, loitering, queue length). This can be either proactive, with someone always watching the camera output, or post-active, used to review an event that has already happened or to respond to an alarm raised by the system.
2. Access control mechanisms. These are systems used for identification using proximity cards with embedded identifiers, keypads, biometric readers/scanners and road blockers. This is a proactive measure, allowing or denying access to a specific area, building, room or computer.
3. RFID systems. These can be used for identification in coordination with an access control system, or separately, and can also raise an alarm when an individual is close to an object or inside a location where he or she is not supposed to be.
4. Burglar alarm. These are systems for detecting entry during non-operating hours, or illegal entry into a restricted area. This is a post-active (detective) system, since it has to detect the incident in order to raise the alarm.
5. Fire alarm. These are systems for fire protection of buildings: they raise an alarm in case of fire and, in some cases, immediately deploy a suppressant to minimize the damage. This too is a post-active system, since it has to detect the incident in order to raise the alarm.

Hardware Security
With the term Hardware Security we refer to tangible components, typically appliances running a dedicated, often Linux-based, operating system, that work proactively, post-actively or simply as monitors. Under Hardware Security the most common things utilized are:
1) Firewall systems. These are devices that stand between the inside world of a company (the trusted network/domain) and the outside world (the untrusted network/Internet), controlling the traffic that passes in either direction. Firewalls can be categorized further according to the OSI layer at which they operate:
a. Packet filtering: examine the header information of each packet (addresses, protocol, ports) and allow or drop it according to a rule set.
b. Application gateways or proxy servers: operate at the application layer and are often placed in a DMZ (De-Militarized Zone).
c. Circuit gateways: prevent a direct connection between two networks; they operate at the transport layer.
d. MAC layer firewalls: MAC addresses are linked to ACL (Access Control List) entries that identify the specific types of packets that may be transmitted to each host; all other traffic is blocked.
e. Hybrid firewalls: combine elements of the other types.
2) Packet filtering routers. These act as the interface between the WAN (Wide Area Network) and the inside (trusted) network of the company, and can be configured to reject packets that are not allowed into the company's networked environment.
3) Intrusion Detection Systems (IDS). These raise an alarm when they detect a violation, according to their configuration, so that network administrators can take action almost immediately. There are two detection methods:
a. Signature based: traffic is matched against patterns of known attacks.
b. Statistical anomaly based: a baseline of normal activity is learned and significant deviations from it raise an alarm.
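To make the packet filtering category concrete, the following is an added example written for this page (it is not code from the paper or from any firewall product): a stateless packet filter that evaluates each packet's header fields against an ordered rule set, first match wins, and denies anything that matches no rule. The address ranges (10.0.0.0/8 as the trusted network, 192.0.2.0/24 as the DMZ), the interface names and the sample packets are assumptions chosen for the illustration.

```python
"""Stateless packet filter: first-match rule evaluation with default deny.

Added example for this page, not taken from the paper. The address ranges,
interface names and rule set below are assumptions for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

TRUSTED = "10.0.0.0/8"   # assumed internal (trusted) address space
DMZ = "192.0.2.0/24"     # assumed DMZ, RFC 5737 documentation range
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    iface: str                 # interface the packet arrived on: "outside" or "inside"
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    syn: bool = False          # TCP SYN without ACK, i.e. a new connection attempt


@dataclass(frozen=True)
class Rule:
    action: str                # "allow" or "deny"
    iface: Optional[str] = None
    src: str = ANY
    dst: str = ANY
    proto: Optional[str] = None
    dport: Optional[int] = None
    syn: Optional[bool] = None  # None = do not care, True/False = must match

    def matches(self, p: Packet) -> bool:
        """Every field that is set on the rule must match the packet header."""
        return (
            (self.iface is None or self.iface == p.iface)
            and ip_address(p.src) in ip_network(self.src)
            and ip_address(p.dst) in ip_network(self.dst)
            and (self.proto is None or self.proto == p.proto)
            and (self.dport is None or self.dport == p.dport)
            and (self.syn is None or self.syn == p.syn)
        )


# Ordered rule set: the first matching rule decides, so anti-spoofing comes first.
RULES: List[Rule] = [
    # 1. Nothing arriving from outside may claim an internal or DMZ source address.
    Rule("deny", iface="outside", src=TRUSTED),
    Rule("deny", iface="outside", src=DMZ),
    # 2. The only services the outside world may reach are the DMZ web servers.
    Rule("allow", iface="outside", dst=DMZ, proto="tcp", dport=80),
    Rule("allow", iface="outside", dst=DMZ, proto="tcp", dport=443),
    # 3. Internal hosts may open connections outward.
    Rule("allow", iface="inside", src=TRUSTED),
    # 4. Replies to connections opened from inside. A stateless filter cannot
    #    track connections, so it approximates "established" as "TCP but not SYN".
    Rule("allow", iface="outside", dst=TRUSTED, proto="tcp", syn=False),
    # Anything else falls through to the default deny in filter_packet().
]


def filter_packet(p: Packet, rules: List[Rule] = RULES) -> str:
    """Return "allow" or "deny" for the packet; no matching rule means deny."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


if __name__ == "__main__":
    # Constructed sample packets, not captured traffic.
    samples = [
        Packet("outside", "203.0.113.5", "192.0.2.10", "tcp", 443, syn=True),  # web to DMZ
        Packet("outside", "203.0.113.5", "192.0.2.10", "tcp", 22, syn=True),   # ssh to DMZ
        Packet("outside", "10.9.9.9", "192.0.2.10", "tcp", 443, syn=True),     # spoofed source
        Packet("outside", "203.0.113.5", "10.1.2.3", "tcp", 22, syn=False),    # ACK scan
    ]
    for pkt in samples:
        print(filter_packet(pkt), pkt)
```

The last sample shows the well-known limit of a pure packet filter: a segment with the ACK flag set and the SYN flag clear, aimed at an internal host, passes rule 4 even though no connection exists, because header inspection alone cannot tell a reply from a probe. A stateful firewall, which remembers connections opened from inside, closes that gap; the rule ordering above (anti-spoofing first, default deny last) is what a practitioner should check in any rule set, stateful or not.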

Software Security
With the term Software Security we refer to software products created to give protection similar to the components of hardware security, but which require a server with a fully functional operating system in order to be deployed. Under Software Security the most common things utilized are:
1) Firewall systems. These are programs that control the traffic between the inside world of a company (the trusted network/domain) and the outside world (the untrusted network/Internet), and vice versa. They are categorized exactly as the hardware firewalls above, according to the OSI layer at which they operate: packet filtering (header inspection), application gateways or proxy servers (often placed in the DMZ), circuit gateways (transport layer, no direct connection between the two networks), MAC layer firewalls (ACL entries per MAC address) and hybrid firewalls that combine elements of the others.
2) Application based Intrusion Detection Systems (AppIDS). These are programs that raise an alarm when they detect abnormal events within an application. They can be targeted at specific users and, because they run inside the application rather than on the wire, they can inspect data that is encrypted while in transit on the network. There are four detection methods for AppIDS:
a) File system.
b) Network.
c) Configuration.
d) Execution space.
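The two IDS detection methods listed under Hardware Security, and the application-level alerting described for AppIDS here, can be shown side by side in a small detector. The following is an added example written for this page, not code from the paper or from any IDS product: it runs a few signature rules and a statistical anomaly check over web-server log lines. The log lines, the signature patterns and the baseline request counts are all constructed for the illustration.

```python
"""Signature-based and statistical-anomaly-based detection over web log lines.

Added example for this page, not from the paper. The log sample, the signature
patterns and the baseline counts are constructed for illustration.
"""
import re
from collections import Counter
from statistics import mean, pstdev
from typing import Dict, List, Optional, Tuple

# Signature rules: name -> pattern matched against the HTTP request line.
SIGNATURES = {
    "sql-injection": re.compile(r"(?:%27|')(?:%20|\s)*(?:or|and|union)\b", re.I),
    "path-traversal": re.compile(r"\.\./|%2e%2e%2f", re.I),
    "sensitive-file": re.compile(r"/etc/(?:passwd|shadow)", re.I),
}

# Baseline for anomaly detection: requests per source per minute observed during
# a learning period. Constructed numbers, not measured data.
BASELINE_PER_MINUTE = [3, 4, 2, 5, 3, 4, 3, 2, 4, 3]
SIGMA = 3.0  # alert when a source exceeds mean + SIGMA * standard deviation

# Combined-log-format line: client, identity, user, [time] "request" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3})')

# Constructed sample covering one minute: a normal user, an attacker probing the
# login page and a file download, and a scanner hammering /admin paths.
SAMPLE_LOG = (
    '203.0.113.7 - - [10/May/2011:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512\n'
    '203.0.113.7 - - [10/May/2011:10:00:02 +0000] "GET /about.html HTTP/1.1" 200 801\n'
    '203.0.113.7 - - [10/May/2011:10:00:05 +0000] "GET /contact.html HTTP/1.1" 200 640\n'
    '198.51.100.4 - - [10/May/2011:10:00:07 +0000] "GET /login.php?user=admin\'%20OR%201=1-- HTTP/1.1" 200 340\n'
    '198.51.100.4 - - [10/May/2011:10:00:09 +0000] "GET /download?file=../../../etc/passwd HTTP/1.1" 404 0\n'
    + "".join(
        f'192.0.2.99 - - [10/May/2011:10:00:{20 + i:02d} +0000] "GET /admin{i}/ HTTP/1.1" 404 0\n'
        for i in range(12)
    )
)


def parse(line: str) -> Optional[Tuple[str, str]]:
    """Return (source ip, request line) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    return (m.group("ip"), m.group("req")) if m else None


def signature_alerts(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Signature detection: every request matching a known-attack pattern."""
    alerts = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ip, req = parsed
        for name, pattern in SIGNATURES.items():
            if pattern.search(req):
                alerts.append((ip, name, req))
    return alerts


def anomaly_threshold(baseline: List[int] = BASELINE_PER_MINUTE, sigma: float = SIGMA) -> float:
    """Requests per minute above which a source is considered anomalous."""
    return mean(baseline) + sigma * pstdev(baseline)


def anomaly_alerts(lines: List[str], baseline: List[int] = BASELINE_PER_MINUTE) -> List[Tuple[str, int]]:
    """Statistical anomaly detection: sources whose request rate leaves the baseline."""
    counts = Counter(p[0] for p in map(parse, lines) if p is not None)
    threshold = anomaly_threshold(baseline)
    return sorted((ip, n) for ip, n in counts.items() if n > threshold)


def detect(log_text: str) -> Dict[str, list]:
    lines = log_text.splitlines()
    return {"signature": signature_alerts(lines), "anomaly": anomaly_alerts(lines)}


if __name__ == "__main__":
    for kind, alerts in detect(SAMPLE_LOG).items():
        for alert in alerts:
            print(kind, alert)
```

On the constructed sample the scanner at 192.0.2.99 never matches a signature (it only requests paths that do not exist) but is caught by the anomaly check, while the attacker at 198.51.100.4 sends only two requests, well inside the baseline, and is caught only by the signatures. That is the reason the two methods are deployed together: signatures miss novel attacks, anomaly detection misses slow ones.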

3) Honey pots/nets. These are decoy systems designed to lure potential attackers away from critical systems and to encourage attacks against themselves, so that the attacker's methods can be observed.
4) Padded cell. This is a honey pot that has been protected so that it cannot easily be compromised: when an IDS detects an attacker, the attacker is transferred into the padded cell, a simulated environment in which no harm can be done.
5) Vulnerability scanners. These are programs in two subcategories:
a) Active: they scan the network for highly detailed information and initiate traffic themselves to probe for holes.
b) Passive: they listen on the network and identify vulnerable versions of both server and client software from the traffic they observe.
6) Packet sniffers. Software that collects and analyzes packets from the network, providing valuable information for diagnosing and resolving network issues; in the wrong hands the same tool captures unencrypted credentials and data.
7) Data Leakage Prevention (DLP). Software that monitors all outgoing traffic and decides which types of data, or even which portions of a document, are allowed to pass to the outside world (the untrusted network) and which are not; it can also take automatic action, such as warning the user who initiated the transfer.
8) Cryptography. Software that encrypts the content of a file under a secret key so that it can be transmitted safely to its destination. With symmetric cryptography the receiving end must hold the same key in order to decrypt the file, so the key itself has to be distributed over a separate, trusted channel. Encryption alone does not detect tampering; a message authentication code or digital signature is needed to protect integrity as well as confidentiality.
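The DLP item above can be shown as working logic. The following is an added example written for this page, not code from the paper or from any DLP product: it inspects an outbound message for payment card numbers (a candidate run of digits is only reported if it passes the Luhn check, which keeps order and phone numbers from causing false positives) and for classification labels, returns a decision of allow, warn or block, and redacts the card numbers it found. The label names, the policy mapping and the sample messages are assumptions chosen for the illustration.

```python
"""Outbound content inspection in the style of a DLP filter.

Added example for this page, not from the paper. Labels, policy and sample
messages are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import List

# 13 to 19 digits, optionally separated by spaces or dashes (card number shape).
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Classification labels an organization might stamp on documents (assumed names).
LABEL_RE = re.compile(r"\b(CONFIDENTIAL|INTERNAL)\b")
LABEL_POLICY = {"CONFIDENTIAL": "block", "INTERNAL": "warn"}
SEVERITY = {"allow": 0, "warn": 1, "block": 2}


@dataclass
class Decision:
    action: str                       # "allow", "warn" or "block"
    findings: List[str] = field(default_factory=list)
    redacted: str = ""                # message with card numbers masked


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def inspect_outbound(text: str) -> Decision:
    """Classify an outgoing message and mask any card numbers it contains."""
    decision = Decision(action="allow", redacted=text)

    def mask(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)          # not a card number, leave it alone
        if "pan" not in decision.findings:
            decision.findings.append("pan")
        return "*" * (len(digits) - 4) + digits[-4:]

    decision.redacted = PAN_RE.sub(mask, text)
    if "pan" in decision.findings:
        decision.action = "block"

    for label in LABEL_RE.findall(text):
        decision.findings.append(f"label:{label}")
        if SEVERITY[LABEL_POLICY[label]] > SEVERITY[decision.action]:
            decision.action = LABEL_POLICY[label]
    return decision


if __name__ == "__main__":
    # Constructed sample messages, not real traffic.
    for msg in [
        "Please charge card 4111 1111 1111 1111 for the order.",
        "Order ref 1234567890123456 shipped today.",
        "Board minutes (INTERNAL) attached.",
    ]:
        d = inspect_outbound(msg)
        print(d.action, d.findings, d.redacted)
```

The first sample is blocked and masked, the second is allowed because its 16 digits fail the Luhn check, and the third only produces a warning. Real DLP engines add file-type parsing, fingerprinting of known documents and exact-match dictionaries on top of this kind of pattern check, but the allow/warn/block decision and the redaction step are the same.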
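The cryptography item above describes the essential property of symmetric encryption: the receiver must hold the same key as the sender. The following is an added example written for this page, not code from the paper or from any library's own API, and it deliberately uses only the Python standard library: it derives an encryption key and an authentication key from one shared key, encrypts by XOR with a keystream produced from HMAC-SHA256 in counter mode, and appends an HMAC tag so that the receiver can detect tampering before decrypting (encrypt-then-MAC). The key values and messages are constructed for the illustration. In production, use an authenticated cipher such as AES-GCM or ChaCha20-Poly1305 from a vetted library rather than this hand-built construction.

```python
"""Authenticated symmetric encryption built from HMAC-SHA256 (encrypt-then-MAC).

Added example for this page, not from the paper and not a production cipher:
it exists to show the shared-key and integrity-check properties. Prefer AES-GCM
or ChaCha20-Poly1305 from a vetted library for real use.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional

NONCE_LEN = 16
TAG_LEN = 32


def _subkeys(key: bytes):
    """Derive independent encryption and authentication keys from the shared key."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 as a PRF in counter mode: block i = HMAC(enc_key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Return nonce || ciphertext || tag. A fresh random nonce per message is essential:
    reusing a nonce under the same key leaks the XOR of the two plaintexts."""
    enc_key, mac_key = _subkeys(key)
    if nonce is None:
        nonce = os.urandom(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt; raise ValueError on any failure."""
    enc_key, mac_key = _subkeys(key)
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("malformed message")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):    # constant-time comparison
        raise ValueError("authentication failed: wrong key or tampered message")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream))


def try_decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Convenience wrapper: the plaintext, or None if the message is rejected."""
    try:
        return decrypt(key, blob)
    except ValueError:
        return None


if __name__ == "__main__":
    shared_key = os.urandom(32)            # would be distributed out of band
    sealed = encrypt(shared_key, b"quarterly figures, do not forward")
    print(decrypt(shared_key, sealed))
    print(try_decrypt(os.urandom(32), sealed))   # wrong key -> None
    damaged = bytearray(sealed)
    damaged[NONCE_LEN + 3] ^= 0x01
    print(try_decrypt(shared_key, bytes(damaged)))  # one flipped bit -> None
```

Two points the paper's description leaves implicit are visible here: a party without the key gets nothing, not even a garbled plaintext, because verification fails first; and any change to the ciphertext in transit is rejected rather than silently decrypted into corrupted data.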

Security Policies/Procedures
With the term Security Policies/Procedures we refer to all the principles implemented within an organization in order to achieve a sustainable level of security. The main goal of these policies and regulations is to make clear to all employees and business partners what is acceptable and unacceptable conduct within the organization's information infrastructure. Creating a security policy or procedure requires research to understand and determine which aspects of the organization's procedures it will affect; this is mostly done through an efficient and thorough risk analysis. Some of the most common principles used under Security Policies/Procedures are:
1) Separation of duties, or two sets of eyes: no single person can complete a sensitive process alone. Depending on the level of access a person has to the specific information or resources of a system, completing the process requires the action of more than one person (for example, one person requests a payment and a different person approves it).
2) Least privilege: users are given only the rights to system resources and information that are necessary to perform their tasks, and no more.
3) Need to know: users are given no more information than is required to perform their individual official duties, even if they hold a clearance level that would otherwise permit access.
4) Clean desk: all desks are kept clear of material containing information of any kind, in any form or medium; such material is kept in its proper drawer or place, preferably locked.
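Separation of duties and least privilege are policy principles, but they only hold if the systems enforce them. The following is an added example written for this page, not code from the paper or from any product: a payment approval flow in which each role carries only the permissions its duties need (least privilege), the person who created a payment can never approve it, and payments above a threshold need two distinct approvers (two sets of eyes). The role names, user directory and threshold are assumptions chosen for the illustration.

```python
"""Least privilege and separation of duties enforced in an approval workflow.

Added example for this page, not from the paper. Roles, users and the approval
threshold are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Role -> permissions. Least privilege: a role carries only what its duties need.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "clerk": {"payment:create", "payment:read"},
    "manager": {"payment:approve", "payment:read"},
    "auditor": {"payment:read"},
}

# User -> roles (constructed directory for the example).
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"clerk"},
    "bob": {"manager"},
    "carol": {"manager"},
    "dave": {"auditor"},
}

# Payments above this amount require two distinct approvers.
DUAL_APPROVAL_THRESHOLD = 10_000


def permissions_of(user: str) -> Set[str]:
    """Union of the permissions of every role the user holds; unknown users get none."""
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in USER_ROLES.get(user, set())))


def can(user: str, permission: str) -> bool:
    return permission in permissions_of(user)


@dataclass
class Payment:
    amount: int
    created_by: str
    approvals: List[str] = field(default_factory=list)
    state: str = "pending"

    def required_approvals(self) -> int:
        return 2 if self.amount > DUAL_APPROVAL_THRESHOLD else 1


def create_payment(user: str, amount: int) -> Payment:
    if not can(user, "payment:create"):
        raise PermissionError(f"{user} may not create payments")
    return Payment(amount=amount, created_by=user)


def approve(payment: Payment, user: str) -> str:
    """Record an approval; returns the new state or a 'denied: ...' reason."""
    if payment.state != "pending":
        return f"denied: payment is already {payment.state}"
    if not can(user, "payment:approve"):
        return f"denied: {user} lacks payment:approve"
    if user == payment.created_by:
        return "denied: separation of duties, creator cannot approve own payment"
    if user in payment.approvals:
        return f"denied: {user} has already approved this payment"
    payment.approvals.append(user)
    if len(payment.approvals) >= payment.required_approvals():
        payment.state = "approved"
    return payment.state


if __name__ == "__main__":
    p = create_payment("alice", 25_000)
    for approver in ["alice", "dave", "bob", "bob", "carol"]:
        print(approver, "->", approve(p, approver))
```

The two checks that matter are the ones that are easy to forget when the policy lives only on paper: the creator is rejected as an approver even though a manager role might otherwise permit it, and the same manager cannot supply both of the required approvals.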

Education/Training
"... the human side of computer security is easily exploited and constantly overlooked. Companies spend millions of dollars on firewalls, encryption and secure access devices, and it's money wasted, because none of these measures address the weakest link in the security chain." Kevin Mitnick, hacker

"It is clear that many security breaches are the result of human error or negligence resulting from weak operational practices. As any experienced hacker, ethical or criminal, will attest, it is more effective to focus on people errors and poor security practices than it is to try and crack today's sophisticated technology solutions." Deloitte, Global Financial Services Industry, 2005 Global Security Survey

From the above extracts we understand that the most significant security threat to an enterprise is its own employees. This is also supported by statistics claiming that almost 70% of the security threats an organization faces within a year originate from internal users, most of them due to user error, mishap or ignorance. Furthermore, a 1998 survey (ISF Information Security Survey Analysis) claimed that losses from information security incidents amount to as much as 3% of annual corporate profit. From all of the above it is clear that proper clarification and explanation of the security policies and procedures to be followed is imperative. But even the easiest and simplest security policy or procedure will not be enough if employees are not educated and trained properly: they must understand the reasons the policies exist, the operations they have to carry out in order to fulfil them, and how to operate the information systems at their disposal correctly and efficiently. In general, when developing a security strategy there is no golden rule or fixed way of doing things. Each enterprise must assess its needs and wants in order to develop its own security model, policies and procedures, ones that employees will not fear but will learn to respect and incorporate into their daily routine. For this to be achieved it is important for the CISO to understand that he or she does not operate only within the security department, but interacts with and influences every department in the organization; for this reason there must be mutual understanding between the CISO and the rest of the enterprise.


BIBLIOGRAPHY

1. Purser, Steve. A Practical Guide to Managing Information Security. 1st ed. Artech House, 2004. Print.
2. McIlwraith, Angus. Information Security and Employee Behaviour. 1st ed. Gower, 2006. Print.
3. Munro, Iain. Information Warfare in Business. 1st ed. Routledge, 2005. Print.
4. Whitman, Michael and Mattord, Herbert. Principles of Information Security. 2nd ed. Thomson Course Technology, 2003. Print.
5. Kizza, Florence and Kizza, Joseph. Securing the Information Infrastructure. 1st ed. CyberTech Publishing, 2008. Print.
