Network Security - Assignment Example

?Running head: NETWORK SECURITY Network Security Insert Insert Insert 11 April Network Security IntroductionNetwork describes an interconnection between two or more computers that share the available resources such as data, information, storage devices through a shared medium. Security on them other hand refers to the measures that are adopted to prevent the unauthorized use and reduce the various risks and threats that affect computers, network, and other external resources within any organization. All the measures that are taken ensure that information security is guaranteed because the information is a very valuable resource within the organization. Information security entails the adoption of specific measures that are supposed to prevent the unauthorized access, manipulation, use or the denial of access to any data, information, or capabilities that will ensure confidentiality (Douligeris and Serpanos, 2007). All these measures should be implemented to ensure the security of all the resources within the organization. Organizations nowadays have greatly relied on the various network technologies that ensure efficient data communications between different departments, at the same time ensuring that communication channels are secure. The expansion of an organization results into more resources being acquired in terms of new computers, printers, telephones, communication channels, hardwares and software’s and also the adoption of sophisticated network architectures. This results into an increased concern for information security within the organization to ensure that only the authorized personnel access the resources. Question 1. The question describes the main security issues, the principles of public key encryption, and the role of certification authority as follows: Security issues facing the expansion of the organization Expansion of the organization will result into a rise in the demand of various resources. More hardware and software will be acquired, more people will be employed, and the network architecture to be used and various protocols will change to meet the organizational needs. Various security issues will arise; in physical security, all the tangible assets within the organization such as computers (both personal and laptops), network printers, telephones, storage media, people, network cables, and servers will face a security threat. Indeed, each of the organizations assets faces a security threat from within (internal) and from outside the organization (external). Security issues that will arise from within the organization (internal attacks) include access attacks such as eavesdropping (listening to a conversation that one is not part of) by fellow employees or through wireless networks, and snooping (looking through information files). Others include interception of transit information, unauthorized access to computers by employees, computer attacks by viruses, worms, Trojans, internal hackers and theft of hardware from within the organization (Maiwald, 2003). External attacks include hackers and cyber terrorists, and malware. The organization needs to address the measures that will be used to ensure security of both information, physical hardware, internal and external attacks are checked. Internal threats from employees are both intentional and accidental, where an employee can eavesdrop on another employee, hence gaining access to some information during conversation. In addition, employees can forge passwords of their colleagues and hence gain access to their computers, use, modify, and transfer information to other unauthorized members outside the organization. Moreover, employees may bring external or foreign insecure hardware into the organization, resulting into virus infection and transmission. Lastly, employees could steal portable small size hardwares from the organization. Information and communication within the organization will be affected in one way or another. There might be lots of network traffic caused by attacks on the network, utilization of bandwidth by other clandestine programmes across the network, the security of both information and communication channels will face a threat. Public key encryption principles Encryption is one of the information security techniques that refers to the transforming of information (plaintext) using a defined algorithm so that the information becomes unreadable except to the parties involved who have the algorithm (hiding of information) to protect the information during transit. Public key encryption is a form of asymmetric key algorithm using two keys to hide information, a public key that is known to the entire public and a private or secret key known to the recipient of the message. The plain text to be sent form one point to the other is encrypted using the public key. For example, if the employer, say X, wishes to send a message to recipient Y, the message is encrypted using the public key of Y (recipient). After the message is encrypted (ciphered), it becomes a cipher text and is sent to Y. Both the sender and the receiver publish their public keys, but their private keys are kept secret. After the cipher text is received by Y, the secret key of Y is used to decipher the cipher text, after which the information sent is read by Y. If the message is sent back to X, the message is encrypted using the public key of X, and to read the message, the private key of X is used to decipher the ciphered text from Y. Public key encryption ensures the integrity of information in the sense that only the person with the appropriate private key is able to access the information. If the sent information is intercepted and accessed by unauthorized persons, the sender will know because of the public key of the receiver that will be used to encrypt the information. The private key creates a digital signature of the message, which can be verified using the public key, and this ensures the integrity and authenticity of the message. In this case, the algorithm performed on both keys ensures that the sender of the message is genuine and the intended receiver and hence no person can access and change the information because it contains a digital signature (Joshi, 2008). Certification authority refers to an entity that issues and revokes digital certificates to owners of public keys. Such entities verify and issue public key certificates that describe the genuine ownership of the public keys to the signers. The certification authority ensures that the certificates certify the ownership of public keys by named subjects; this ensures trust between both the owner of the keys and the parties that rely upon the signatures of the private keys corresponding to the public keys. Question 2. Describes risk management, determination of risk, and evaluation steps in system characterization, likelihood determination, and impact analysis, as follows; The purpose of risk management Risk management refers to the process of identification, assessment, and prioritization of various risks that may occur in the organization. Identification-this is usually the first step in the process of risk management. All possible risks that will affect the entire organization because of its expansion are identified with the probability of their occurrences. Such risks would include attacks by viruses, server breakdowns due to overloads, decrease of network speeds, increase in price of bandwidth, power outages, and theft of hardware and software. Those risks that generally affect the entire activities within the organization should be treated with utmost priority to ensure that the organization does not face a long-term effect because of such risks occurring. All the risks that are likely to occur are analyzed in terms of the effects to the organization. Assessing the likelihood and significance of various risks ensures that the potential major risks are dealt with before they cause more havoc to the organization. Planning ensures estimation of the effectiveness of the risks, financial expectations of each of the risks and mitigation strategies. Each type of risks identified within the organization is planned for in case of the expansion of the organization. For example, risk such as network speeds decreasing will affect the entire performance of the organization; hence, it will be identified as having a high likelihood and significance, as well as a high cost to correct. In addition, increase in bandwidth costs poses a great risk to the organization hence both these risks will have priority during the planning for them. Monitoring involves the process of reviewing, tracking, evaluating and reporting on the status of the risk. The identified risk such as theft of hardware from the organization is reviewed, that is, the occurrence of theft is tracked down and reported to management. Measures are put in place just in case the risk happens (Moeller, 2007). System characterization This involves identification of boundaries of the IT system along with the resources and information that describe the system and the scope of the risk assessment. The steps include collection of system related information, which entails gathering of system related information such as hardware, software, system interfaces, data, and information and persons involved with the support and use of the systems. This is in addition to collection of data related to the operational environment of the system such as security policies (organizational and federal policies and requirements), users of the system (application and technical). All this information is gathered using questionnaires, interviews, and document reviews. Likelihood determination This involves the identification of sources of threats and their vulnerabilities. This refers to a description of the probability of a given vulnerability threat to occur, and is described as high, medium, or low in terms of the threat source. For high likelihood, the source of the threat is highly motivated and the controls are ineffective. Medium implies that the controls are in place to slightly check on the vulnerabilities. Impact analysis This refers to the determination of the adverse impact resulting from a threat exercise of vulnerability. It involves obtaining information related to the overall mission of the system, system importance to the organization and the systems’ and data sensitivity. It also determines the magnitude of the impact analysis in terms of high, medium, and low magnitudes that imply high costly loss of assets or resources, lives and the organizations mission and reputation. Impact analysis uses both qualitative and quantitative (provides a measurement of the magnitude of the impact which can be used in the cost-benefit analysis) analysis. Determination of risk levels using the risk level matrix This is method used in the risk management process to determine the severity of risk of an event occurring. Three levels of risk occur, that is, high, medium, and low levels. The matrix is used in determination of the three levels of risks as follows; the risk is taken as the total of all the hazards, H that contribute to it, the outcome or consequence of each risk defined with “c”, and the probability “p” of any risk occurring. The risk of any hazard can be calculated as follows; Hazard=pH*cH and the total risk of any event is the sum total of the number of potential hazards that would result in the event (Stoneburner, Goguen, & Feringa, 2002). Question 3. Describes computer misuse Act, policies acceptable, and steps for prosecution as follows; Principles of computer misuse Act The computer misuse Act was created in order to prevent unauthorized access to computer systems and the subsequent use of the computer system in commissioning criminal offences (using e-mail messages for blackmail). Such access includes hacking. The U.K Act introduced the three criminal offences; unauthorized access to computer system, materials and modification of computer materials (distribution of computer viruses, deletion of files and altering accounts-fraud) with the intent to facilitate criminal offences. The principles therein state, “If some conduct is criminal, then the technology that is used to perform the conduct is also criminal and is subject to punishment by law” (Perera, 2008). The Act describes access by means of altering or using a program or data, causing output from the computer terminal (Perera, 2008). Various principles from the Computer Act restrict members within the company to unauthorized access to both the computer systems and the information. Such principles have a positive impact on business operations and all the IT systems within the company by ensuring that there is maximum information and computer security. Indeed, those members of the company who have unauthorized access to both information and computer are liable to prosecution from the law as stipulated. IT security policies are important because they restrict access to both the information and the systems that the company owns. The policies ensure that only the authorized employees and employers have rightful access to what they have been assigned to handle. Such security policies reduce various risks and threats that face information and systems .They ensure information security in terms of integrity, authentication, availability, and nontrepidation. Security policies provide roadmap to the IT staff that is planning network security implementations and identifies acceptable use of organizational resources; more so, it acts as a security contract with employees (Harrington, 2005). Acceptable use policy for the organization All employees of the organization should adhere to the following policies of the company. Each person should present a valid working identification card before being allowed to enter the office premises, no member will be allowed to access any property whatsoever without proper identification. In addition, all the configurations and upgrades of the computer systems shall be performed by the systems administrator, no person shall be allowed to perform such services, contrary to which one shall be liable to face the company law. Each employee is assigned one computer, telephone, and printer, which should be strictly taken care of in whatever circumstances. Additionally, misuse of the hardware shall call for stern measures to be taken by the company administration. Further, any member found eavesdropping, snooping and any other acts of malice with the company’s resources shall be liable to prosecution as per the company’s policies. The company’s intranet shall not be used to send e-mails to the corporate sector, and anyone found breaching this condition should be held liable for disciplinary action. All queries involving the company’s resources shall be addressed to the administration. Lastly, all the employees must follow all the rules and regulations as stipulated by the company to ensure smooth running of the company Steps for prosecution to be followed within the organization By liaising with various system administrators within the company, and the company employees, any information concerning the misuse of the company’s resources is availed to the administration. Complaints made should be considered at least two times and warning given to perpetrators. This will ensure a collection of concrete evidence that will help in the prosecution of any member, should the need arise. Reference List Douligeris C, & Serpanos, N, D., 2007. Network security: current status and future directions. Ontario: John Wiley & sons. (Online). Available from:  http://books.google.com/books?id=tsFVcHbpEwYC&printsec=frontcover&dq=Network+Security&cd=8#v=onepage&q&f=true.(Accessed 10 May 2011). Harrington L, J., 2005. Network security: a practical approach. San Francisco: Academic Press. (Online).Available from: http://books.google.com/books?id=c4WJUzoi2EwC&dq=Network+Security&source=gbs_navlinks_s.(Accessed (10 May 2011). James, B. D, J., 2008. Network security: know it all. Burlington: Morgan Kaufmann. (Online). Available from: http://books.google.com/books?id=6tX8Spgkq7kC&dq=Network+Security&source=gbs_navlinks_s.(Accessed 10 May 2011). Maiwald, E., 2003. Network security: a beginner's guide. California: McGraw-Hill Professional. (Online). Available from: http://books.google.com/books?id=dqZ6gcHxF7cC&printsec=frontcover&dq=Network+Security&cd=5#v=onepage&q&f=true(Accessed 10 May 2011). Moeller R, R., 2007. COSO enterprise risk management: understanding the new integrated ERM framework. New Jersey: John Wiley and Sons. (Online). Available from: http://books.google.com/books?id=gXqjof7I9t4C&dq=risk+managenent&source=gbs_navlinks_s.(Accessed 10 May 2011). Perera, D., 1990.The computer misuse Act (UK). http://www.daminda.com/downloads/ComputerMisuseAct.pdf (Accessed 10 May 2011). Stoneburner, G., Goguen, A., & Feringa, A., 2002. Risk Management Guide for Information Technology Systems. NIST. (Online).Available from: http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf(Accessed 10 May 2011). Read More