Business Strategies - Coursework Example

Business Strategies  Introduction  Starting a business is undoubtedly an exciting time for any new entrepreneur who is anxious to present his/her ideas to the world and of course, to generate profit. However, it is also a given that starting a business is not an easy feat. Careful planning is an essential ingredient to success as well as the determination of the entrepreneur to handle any problems or difficulties that may come in the way. In this paper, the writer would like to discuss the strategies associated with starting up a business, focusing on the security industry. By security industry, the writer would like to draw attention to the IT related side associated with starting a new business. In other words, the security aspect of the business can also be referred to as computer information security, wherein information held by the company is protected from misuse by another. It goes without saying that rival companies may be interested in the information held by a company and it should be anticipated that cases such as theft of such held information may happen. Therefore, in order for a company to be successful, such problems should be kept under control.   In a survey provided by the Ministry of Information and Communication, investment in information protection systems are not equivalent to the type of protection systems technology available in more developed countries. This means that these companies are not aware of the value such in investment could bring. Another reason could be the fact that specialists who have a considerable amount of expertise regarding such technology cannot be found easily. Therefore, a security manager alone cannot singlehandedly prevent illegal intrusions into a company’s database. As a result, most companies do not see the importance of investing large sums of money in order to have a good protection system against information trespassing. 1  The Importance of Security in Business The usage of technology in starting up a business is important because it could mean the difference between properly managing a business and mismanaging it. Should rival elements get in the way of a company’s records or files, the operation of the company could be ruined. A variety of disadvantages could follow as a result of such a scenario. The reputation of the company would not only be at stake, but also the reputation of the company’s employees. Information acquired from a company’s database could be misused with the intention of leading towards the company’s downfall and loss of assets. In a survey performed by The Conference Board, it turned out that 74 percent of companies had a difficult time protecting information that was confidential and mandatory for the company’s existence. This difficulty lay only second against other difficulties a company may face, the top constraint being a company’s difficulty in complying with rules and regulations set by the government. Security is everything when it comes to business. It does not only judge financial risks, but it may also be the judge on whether the company would continue operations for a longer period of time. Competition against other rival companies is key towards deciding whether a company should strengthen its security information systems or not. In any case, it is always better that a company is equipped with the latest technology to prevent any information from leaking out. 2  Network security is the focus of this study and this term includes the protection, the continuity and the integrity of assets that are included in the network. This, in turn, includes hardware, software and data protected by a company for its own personal business use, in addition to other related network services. Network access controls are necessary because they limit who can log on to the said network and who can utilize whatever information can be acquired from there. Intrusion prevention systems, or IPS, such as a firewall or even as simple as an antivirus software has the ability of repelling attacks from outside forces through the Internet, and it also determines and controls access to shared network software. It is a given that wireless networks should have a stronger security system in order to prevent unnecessary and unwanted intruders from gathering important data that should not be released to them. 3  The problem with computer security systems is that they are not perfect and it is very difficult for a company to program computers into performing specific actions as required of them. Technical strategies are required in order for a computer to perfectly satisfy and fulfil its purpose for guarding a company’s stored information. Therefore, computer security is a branch of computer science that is beyond a doubt of the more complicated kind. For a start up company that has incorporated a security system in its company software, two factors are considerably important to ensure maximum efficiency of the security system. These two factors are the ability of the system to perform at optimum speed and the ability of the system to have a quick and certain response rate towards any external forces that may disrupt the company’s security system and business operations. The most common kinds of crimes related to information include forgery, alteration of electronic data or material, defamation of communication that takes place online, the distribution of materials (obscene or not), the intrusion into private computer networks, and of course, the production and circulation of viruses that could harm a company’s network and database.   Common system security systems would include an intrusion detection system or a firewall. However, due to the fact that there are many ways to trespass into private computer systems, with time, it is getting more and more difficult to detect such intrusions and to stop it. It does not help that there are millions of places around the world from which an intrusion into a computer system can occur. People’s behaviour and capabilities are quite unpredictable, so judging from these factors, it is a constant struggle to avoid such intrusions. In addition, modern times have proven the entry of more sophisticated and more complex security systems that may not always perform as efficiently as hoped.   In an information system, it must be noted that there is no way that a computer system can be protected one hundred percent. Therefore, the best way to allow for a secure information system within a company, prevention would be key, and this could be done via physical security controls wherein strategies are implemented, and investment in top equipment is carried out in order to prevent damages from happening. When things also go wrong within a system, it is mandatory that detection procedures need to be done as soon as possible to make sure that the problem does not remain, or worse, turn out to be a series of problems that are impossible to fix all at once. Information is very sensitive and therefore can easily fall into the wrong hands. Thus, detection methods along with prevention methods are a good tandem in ensuring that a company’s information system is one step closer to totally evading intruders. Another important factor to consider is the data recovery function of a particular system so that, just in case data is intruded upon, it will not be too difficult to retrieve information that may be lost.   A custodian is the term used to describe a person or a group who is responsible for protecting information resources. They are the ones who provide the appropriate security materials needed to ensure that access to valued information is limited to the authorities and whoever is allowed to gain access to the mentioned data. They can also be referred to as a systems controller or a security systems professional or expert. It is important that these personnel be trained so that they can perform security controls more efficiently and effectively. They should also be kept up-to-date with new forms of technology and new information systems threats that may harm the overall well-being of a company. 4  The Internet Attack The Transmission Control or Internet Protocol (TCP/IP) where the Internet is based on, was initially intended to be a research network that helped to connect data systems of schools and other research institutions. However, this changed and TCP/IP expanded into a more commercial network wherein data can be accessed by a wider audience, for their own specific uses. Therefore, sharing of information was not limited to education alone, but also extended into the business sector. Meanwhile, information that can be acquired can, as mentioned previously, lead to improper information dissemination, which, in turn also leads to information crimes. Such cases have been common not only through intranets, but also through all places of society, and have been drastically proliferating through the years. There are three stages by which a system attack via the internet can be performed. In the first stage, the attacker would find information about the hosts that would serve as his/her victim. The information regarding the services offered by the host can also be acquired by the attacker. The second stage would consist of the attacker attacking individual systems, by using the information retrieved in the first stage. Through this stage, the attacker attacks the most vulnerable part of the system. The third step, on the other hand, consists of the attacker expanding his/her intrusion base, wherein he/she can intrude further into other systems, using the information acquired from the first two stages. 5  Viruses can also be detrimental to a system’s overall efficiency and privacy of information. It is a program that when created operates in accordance to the security policy of a system. The activation of a virus allows such elements such as a Trojan horse to search a system’s authorized environment for programs that it can modify. It then attaches itself to the programs and can spread throughout the computer in this manner. Such viruses are relatively easy to produce but quite difficult to detect. There exist anti-virus programs that can help solve the problem of viruses temporarily, until a new one may be released into the system again. Worms, on the other hand, are programs that have the ability to migrate to different computer environments, and has the ability to log in to machines, which proves to be critical and detrimental to the system’s efficiency as a data restorer. 6  The Intrusion Detection System and the Firewall System There exist a variety of intrusions that include port scanning and intrusions via hacking into systems by using a password. Detection of such intrusions would include monitoring a network or a host in order to prevent attempts and actual intrusions from really happening. This could be brought about by providing real-time warnings through gathering information first about the intrusion, processing the information required, analyzing the intrusion and detecting it, and finally, reporting the intrusion and taking action in order to stop it. IDS, or an intrusion detection system, collects necessary information from the system that is to be protected. The useless information that is received can then be filtered, and actions can be taken after going through detection techniques. This is brought about by the security system guarding the network’s entrance, and incoming and outcoming packets are inspected based on set security policies. These packets are then checked to see if they go against the security rules in order to decide whether they will be allowed passage or not.   A firewall, on the other hand is set up in order to protect a system so that any accidents or threats that may be detrimental to the network may be avoided, and will not spread. The system is defended by blocking illegal traffic to the network of the company, and by only permitting authenticated or allowed traffic to enter. Therefore, it follows that the basic function of a firewall is to reduce risks to the network while allowing network users to be ‘transparent’ to one another. The main difference between an intrusion detection system and a firewall is that an IDS inspects all the packets of data that would be transmitted around a network, including the incoming and out coming packets from the network.7 Secure Operating Systems The military and the government has made use of state machine models in order to secure organizational privacy. Such a model for example would be the Bell-La Padula model which ensures optimum information confidentiality. This model consists of access control rules wherein security labels are used such as ‘Unclassified’ or ‘Top Secret.’ It consists of multi-level security, wherein a subject can only be granted access to one level and not all levels at once. Information is divided into different levels and security policies decide whether levels of information can be released or not, and to whom or what. Through this model, users have the capability of creating content for their own security level, and users can only gain access to information below this security level. This type of model provides a perfect foundation wherein an organizational system has a higher chance of being protected from external intruders. This is brought about by providing a system that contains features consisting of a special microprocessor hardware and also a memory management unit. The operating system kernel technology ensures that the security policies are strictly enforced and no external forces are exempted or can go against the rules. In such a way, the penetration of illegal forces can either be impossible to occur, or prevented.8  It is vital that data from information systems are backed up with identical files so as not to damage the entire system database in case problems or threats occur. However, there is a difference between backup files and security backup files. Backup files are created in accordance to a policy or a schedule by an individual who also has the power to create them, store them and eventually, can also delete them. Security backup files, on the other hand, have the ability to reverse an action that could result in losing specific records for a limited period of time. They are produced just in case a disaster happens and damage occurs as a result. Therefore, there is a possibility that security backup files may not be exactly identical to the original piece of information it was formatted from. There are three stages one should keep in mind with regards to security backup files. One of them is persistence. In this case, persistence refers to how data can be stored in a reliable manner. The lower the possibility of an error from occurring, the better would be the medium for storing such files. It must be noted here that every medium has a potential to malfunction eventually. Granularity is how often backup files are created. In other words, granularity refers to the frequency with which they can be produced. Some systems produce backup files regularly on a daily basis, while others can be produced on a less frequent basis and can be produced weekly. The duration of how long a backup file can be stored in a system is also a factor to be considered. This means that should a change occur, the duration would allow such a change to be reversed according to one’s preference. 9  Other devices that can be used to ensure maximum security within a company also include wiretap detection, lie detection devices, voice logging systems, and other equipment that could offer surveillance within the company around the clock.   Security System Design Subject identifiers should be unique to a company, but this in itself proves to be a manual job. Therefore, having a unique identification system design ensures that information within the system cannot be easily copied by external forces. This is because unique identification information are based on user names that may be assigned by an administration to a variety of individuals or objects in an organization. Normally, a unique ID for an object would be a number created by the system when the object is created from the start. The same can be said about an individual who belongs to an organization as well. Ideally, the IDs should not have been used for a previous time for another object or another individual to ensure maximum security and easy identification. This should also prevent false identification from happening and from any security mishaps. The purpose also of the unique ID is for the system to determine whether two objects are the same. Knowledge of this is required in order to determine whether access of this foreign object or individual should be permitted, especially when change occurs. Unique IDs have a variety of functions such as allowing backup of files and retrieval of files for instance. Without this, a security violation may occur.   ESM solutions are ideal for start-up companies looking into optimum security management of their information systems. This type of solutions focus on managing a centralized system with the help of other security systems. This is done to ensure that false detections of intrusion are avoided. This type of interconnected system also cuts down on resource consumption and also improved the system of a centralized form of management. Such a system also exhibits execution of divided routine tasks such as monitoring, generation of reports and log analysis, all of which form a systematic way of performing regular security checks. 10  Fingerprint identification devices are also part of security systems, without much dependence on the Internet, firewalls, or intrusion detection systems as was previously described. An example of a top fingerprint access and attendance control device would be the FS22, produced by Futronic Technology Company Limited, which is a leading global provider of hardware products and high quality biometric software. FS22 is a device that uses the Digital Signal Processor in order to identify fingerprints. Amazingly, such a device can perform matches for 700 fingerprints in one second alone. Therefore, the matching does not come to a stop even though the preset matching score has been achieved. To date, it is the most accurate device that provides fingerprint recognition and inaccuracy has an almost zero chance of happening. This type of device can be controlled via the intranet and internet through the Futronic proprietary Fingerprint Authentication Server, or FAS. This way, it allows for an efficient log-in process, and Live Finger Detection such as LFD has the function to prevent spoof fingerprints from happening. This type of technology is particularly useful for companies who require advanced fingerprint recognition and who are looking for an advanced level of security in identification management. However, as expected, such stat of the art technology does not come cheap. Therefore, for start-up businesses, the incorporation of such forms of technology need not be necessary, although it would provide an intimidating touch to the company’s security system and will help greatly in repelling intruders.   Furthermore, out of all the different techniques that can be used in order to design a security system, one of the most effective is the concept or principle of providing least privilege. By this, it is meant that an intruder or attacker cannot gain access to as much information as he/she may have hoped for, even though access can still be gained into the database. In other words, data that serves as part of the system’s input is broken up into small parts so that the attacker cannot access all at once. Each succeeding level would require more difficulty to be able to gain access to any more information. 11  Information Security Laws There exist information security professionals who work together to ensure that threats against data within an organization and information systems are protected against threats. The Internet, being a sort of ‘network of networks’ makes it easier for information theft to happen via the computer or any other electronic device capable of gaining access to all sorts of information about absolutely anything in general. The downside of the Internet is that laws are not really respected when it comes to jurisdictional boundaries between different countries. This is because the Internet allows an exchange of information between different areas without borders being a problem most of the time. To date, there exists a law in the United States called the ‘CFAA,’ or the Computer Fraud and Abuse Act. Initially meant for providing protection against computer crime, it now is the law for the protection of security systems that are both in the private and the public sector. Through this Act, liabilities are imposed on individuals who are responsible for gaining access to a protected computer without being authorized to do so. In addition to this, if any information is retrieved that is of value, a fine of $5000 would also be imposed. Transmission of a program, a code or an instruction that could be detrimental to the operation of a computer system and could cause damage would also be punishable by law, especially if the individual responsible for this act is not authorized to do so. Attempts to intrude or in other words, ‘hack’ into restricted computer information systems are also backed up by this law.   The Digital Millennium Copyright Act, on the other hand protects copyrighted work, as well as the removal of technological devices without any authorization whatsoever. Despite the laws set aside for protecting computer systems and the vast amounts of information they contain, theft and misuse of data acquired from the computer systems of these companies are still common and still continue to proliferate throughout society. In order to help such laws to take control of security crime, it is advisable that system proprietors set their own rules and regulations regarding access to a system’s resources and how they are to be used. This would be effective as long as all individuals follow the terms and conditions, because once this does not happen and the limitations are found to exceed boundaries, system controllers would lose control over the resources that they are supposed to handle. Most information resources are of the four categories of intellectual property. These include the secrets of the trade, the trademark, the copyright and the patent. State law protects trade of this kind. By trade, the writer means to refer to information, a technique, a strategy or a process that has economic value of some sort, and can provide the same value for any individual who makes use of such resources. Security professionals who are involved with protecting information resources must therefore be knowledgeable about the kind of laws available and they should also make use of their authority to ensure that these laws come into play once intrusion is evident or any sort of computer theft has been committed. They should also be aware of the economic value of an information resource and should realize exactly for how long the item would continue having the same value. Thus, it follows then that an investment should not only be made on security systems that protect a company’s well-guarded information resources, but it should also invest in top security personnel who would help the system work optimally and efficiently. There should be a balance between the efforts of the security staff to be alert just as well as the security system in order to yield overall benefits for the company. 12  Conclusion Having top equipment to ensure security within a company’s information systems is not the only way for a company to be successful in taking care of its own information resources. It is also important that the system used to protect a company’s resources should be up-to-date at all times, in order to protect it from new ‘hacking’ methods. Having a good support security system is strongly advisable because it can make a difference in giving potential clients the confidence that the company can be trusted. With a good security system, the company can be sure of having a good reputation already with competitors and customers alike. Furthermore, a good security system can also help a business reduce loss of financial and manpower resources and other liabilities. After all, the information possessed by a company should be confidential to its employees and managers alone in order to establish its own uniqueness in a sea of other companies aiming for the same thing. Identity is crucial for a company to be successful, and having an identity starts with having the resources to ensure that this identity is secured.         References 1. Bell, D. (December 2005) Looking back at the Bell-La Padula Model. Proc. 21st Annual Computer Security Applications Conference 2. Bell, D., LaPadula, J. (March 1 1973) Secure Computer Systems: Mathematical Foundations. MITRE Technical Report 2547, Volume I, pgs 1-33. 3. Sandhu, R. (1994) Relational Database Access Controls. Handbook of Information Security Management (1994-95 Yearbook),  Auerbach Publishers, pgs. 145- 160. 4. Sang-Hoon, L., Goung-Hwa, D., Kyung-Won, J., and Moon-Seok, J. (2002), Design of packet filtering module for firewall to prevent an inside network utility with malice, Korea Information Science Society, p. 10. 5. Dong Young Lee, Dong Soo Kim and Tai Myoung Chung (2001), A study of hierarchical policy model of policy-based integrated security management for managing heterogeneous security systems, Korea Information Processing Society, p. 10. 6. Morrie Gasser (1988), Building a secure computer system, pgs. 173-251. 7. Abrams, M. D., and Podell, H. J. (1987). Tutorial: computer and network security. IEEE Computer Society Order No. DX756. 8. Technology & Business Journal (Dec 2 2008) Futronic Technology Company Limited; Futronic launches FS22 Fingerprint Access Control Device, pg. 47. 9. Robinson, S. (February 25 2003) U.S information security law; Part 1. Retrieved on November 30 2008 from http://www.securityfocus.com/infocus/1669 10. Department of Cultural Resources (2008) Security backup files as public records in North Carolina; Guidelines for the recycling, destruction, erasure and re-use of security backup files. Retrieved on December 1 2008 from http://72.14.235.132/search?q=cache:rpz4YtABj8MJ:www.records.ncdcr.gov/erecords/BackupsProcedsfinal020822.pdf+backup+files,+security+systems&hl=tl&ct=clnk&cd=10&gl=ph&client=firefox-a 11. Lee, E. (1999) Essays about computer security; University of Cambridge, Computer laboratory. Centre for communications research, pgs. 100-204. 12. Schneier, B. (2003). Beyond fear: Thinking sensibly about security in an uncertain world, Copernicus Books. Read More