The Strategies Applied in Computer Security - Assignment Example

Student Name: Course Name: Tutor: Date: Computer Security Introduction Several businesses are required to allow authorized access from distinctive security domains. This is simply because new data applications exists, which introduces very complex to data security administrators. The worldwide web and the internet provides alternative means which enable the sharing and collection of data with unlimited flexibility and convenience, several threats as well as challenges are presented (Allen 76). Computer security is the sub-section of computer basically identified as the information security for computers as well as the networks. Some of the main objectives for the application of computer security in any Information Technology based environment include safeguarding information and the available properties free from theft cases, natural disasters corruption. This enables the accessibility and application of the information as well as properties to the authorized users. The strategies or methodologies applied in computer security usually differ from the rest of computer technologies since it involves the prevention of unethical computer behavior, rather than just enabling the required computer behaviors (Layton 119). Data security Security of the data is very important to most of the organizations and to the home-based computer users. It is considered that the data lost as a result of natural disasters for instance; floods, outbreak of fire is considered as crushing, while losing the data to hackers or malware infection creates more consequences. Risk assessment and securing data are the two main processes undertaken to achieve data security (Amoroso 89). Risk Assessment Effective data security is instigated with the overall risk assessment strategies. This enables the identification of risks faced as well as the consequences of losing data due to system crash, theft cases and malware infection. The following are the potential threats that should be identified (Peltier 156). The physical threats which include fire, malicious damage and power outage Those exploits resulting from corporate espionage as well as malicious activities Human errors that involve the unintended data disposal , mistaken information processing and input errors Successful potential threat detection is followed with the establishment of vulnerability areas and development of relevant strategies to help in securing the data as well as information systems. The following as aspects should be considered; Firewall types and the anti-malware applications need to be applied Proper staff training and data security implementation The kind of people to access, be restricted on which type of the data The way people accessing the internet and email systems The efficiency and maintenance of passwords applications Completion of the vulnerability analysis introduces the prioritization of some specific data with high consideration of such data that need more security measures. In addition, the Business Continuity Plan is planned for to allow effective work continuation incase the system fails. The review of the organizational risks and the implementation of security measures, should be done frequently to effectively support the changes for instance; the growth of the business. Securing the data This is done the planning and assessment of the risks is complete and it involves the use of a system for data security. Due to the compromising nature of the data, the most effective way to protect it involves undertaking careful technical measures, well trained staffs and physical security. Clear security policies should be defined and implemented into the Information Technology infrastructures to be effectively practiced by the entire staff. In securing the data the following considerations need to be addressed (Amoroso 89). The office and data centers should be protected with alarms or rather monitoring systems The ant-malware software need to be updated Computers and the related components must be kept free from public view Use of power supply as well as backup batteries that are protected Protection against hack attacks with the application of the intrusion detection system technologies Using an updated operating system Information Security Information security involves the protection of information and the information systems against the unauthorized access, modification, disclosure, destruction and use. The components of information security include; Confidentiality, Availability, Authenticity and Non-Repudiation (Dhillon 124). Confidentiality Confidentiality is an information security principle that is aimed at preventing information disclosure to people or entities that are unauthorized to access both the information and information system. Confidentiality is best enforced through data encryption before transmission and restricting the access to its storage area. Some of the identified confidentiality breaches occur in different forms such as; letting an individual to have a look over the shoulder to view computer screens displaying the should be confidential information and revealing out of the confidential information through the telephone by unauthorized caller. Although, confidentiality is important, it is not very ideal in the maintenance of private among individuals who’s their personal information is stored by the system. Availability For proper functioning of the information system, it is necessary that information should be available at the time of its need. Therefore, the computing systems that store as well as process information, security controls for protection and the available communication channels for accessibility should be properly functioning. Enhanced availability systems are required to be available at all means to avoid service interruptions that result from; hardware failures, power outages, and system upgrades. The most effective strategy for ensuring the availability is denial-of-service-attacks control. Integrity The integrity principle involves the prevention of data from modifications by unauthorized entities. It is violated incase there is accidental deletion by an employee or rather a certain malicious intent alters very vital data files, the infection of computer virus and unauthorized user vandalizes a given web site. Experts of information security are challenged with the need to get and implement effective controls to eliminate the errors associated with integrity. Authenticity Authenticity is aimed at validating that the individuals or entities accessing the information system are the true as per their claims of who they call themselves to be. The principle of information security ensures that data, communications or rather documents and transactions are very genuine. Non-repudiation The no-repudiation principle confirms that the intention of an individual to respond to his or her obligations is considered. It also checks that a party to a transaction cannot object to have received neither the transaction nor the other party to have involved in sending transaction. System security threats Computer systems are associated with numerous vulnerabilities. Human vulnerabilities exist through people’s acts which accidentally or rather intentionally jeopardize the protection capabilities of the information within the information system. Vulnerabilities A very secure system should be in a position to provide the required protection against various vulnerabilities. Such vulnerabilities are grouped into three main categories; deliberate penetration, physical attack and accidental disclosures. Physical Attack: This is an attack on the available physical environment. Accidental Disclosure is concerned with a failure of the system components; the software, equipments or rather subsystems due to information violation on a system element. Accidental disclosures are more common due to hardware and software failures (Marco 274). The disclosure may as well occur as a result of improper actions within the machine operating and the person maintaining with purposeful intent. Deliberate penetration is an intended and secret attempt to get the information stored in the system, make the system not to operate normally and manipulate the working system causing it to be unreliable to an authorized user. The deliberate attempts involved in the penetration of secure systems either are passive such as; wire tapping or active infiltration that involve entering a system to get data stored in the files (Hardie, p.116). Security protection aspect areas The management should be informed about the vulnerability points that may be considered as the leakage points, effective counteract methods should be provided for accidental as well as deliberate attacks. The entire safeguarding of the vital information within the computer system, irrespective of its configuration, involves combined protection qualities for distinctive areas a given leakage point. System controls are implemented especially when the organizational management decides to mitigate risks. The following are the types of system controls that are normally practiced by most organizations in the enhancement of system security; Administrative controls The administrative controls commonly known as procedural controls are the approved documented policies, standards, procedures and the guidelines. They form important framework that help the running of a given business and the management of people within the organization. Such controls educate people on how to operate the business and the conduction of everyday activities. Some other organizations have policies, standards, guidelines and procedures for the authorization of the Payment Card of Industry (PCI) which is a standard for securing data. The administrative controls provide the ideal basis and source for the implementation of the logical as well as physical controls (Hardie 116). Physical Controls The physical controls are applied to monitor as well as control the organizational environment at the workplace and the computing equipments, such controls also monitor the accessibility to as well as from the computing equipments. An example of the physical control is the network separation from the workplace to the creation of functional environment. Duties separation is the commonly overlooked type of physical control. This control takes into consideration that a person is not in a position to accomplish a certain critical task alone. Network security controls The network security controls is one of the major controls in maintenance of the system security. Network security controls are difficult to evaluate them since they require a comprehensive review of different components as well as layers of the system and other external applications which interact with the system in place (McNab 67). Passwords controls Password controls are the main components involved in security schemes such as; user accounts, system services and sensitive websites are entirely protected by the passwords. Passwords are conventionally implemented since they are ideal in the enhancement of system security due to their ease of being incorporated in majority of the operating systems. It is also hard to crack passwords as they are usually secretive to the user only. Logical controls The logical controls also known as the technical controls make use of certain software as well as data in monitoring and control of the access to the available information and the computing systems. Examples of such controls include; passwords, systems to detect intrusion to the network, the access control lists, network as well as host related firewalls, and the encryption of the data. The commonly overlooked is least privilege principle which grants no extra than the necessary access privileges in performing any given task (Hardie 116). Access control Access control involves the restriction of access to the protected information by the unauthorized people. This is simply because computer programs need be authorized especially the computer which processes the really required information. Therefore, different mechanisms need to be implemented to allow only the authorized entities to access the information. Very sensitive information requires very strong control mechanisms, this greatly achieved through the following; i. Identification ii. Authentication iii. Authorization iv. Non-discretionary Cryptography Information security applies the knowledge of cryptography to convert the usable information into a certain form, making it not usable by a different person other than the authorized user by encryption process. The encrypted information may be transformed to the original state for usable by only the authorized user that possesses the required cryptographic key for accessing the information, this process is identified as decryption. Cryptography is usually applied in the information security necessarily to protect the vital information against unauthorized, intended attack or rather accidental disclosure especially when such information is being transmitted whether physically or by electronic means as well as during the information storage (Wilander & Kamkar 245). The mechanism of cryptography provides the ideal information security especially with the support of other important applications such as; the authentication methods, digital signatures, encrypted network kind of communication, message digests and non-repudiation. The defense in-depth security of the information is illustrated below; Defense in-depth security of the information  (Layton 45). In the above diagrammatic representation of in-depth securing of the information, it implies that information security should protect the information in its entire life span; this must originate from the basic information creation to its end of disposal. Information need to be under protection whether in motion or just at rest since throughout its life time, information goes through several and distinctive processing systems. For effective protection of the information to be achieved, every component that is comprised in the information dispensation system need to have its separate protection mechanism. The layering as well as overlapping to cover the information security procedures is basically referred to as in-depth defense mechanism. Conclusion Information security is a continuous process of practicing due care as well as due diligence with the intention of protecting information and the information system against disclosure, disruption, alteration, distribution and unauthorized access. The information security process never ends and comprise of the ongoing training, protection, responding to disasters, assessment, careful documentation, detection and monitoring of the information and the system. The information considered to be very sensitive requires very strong mechanisms for controlling and maintaining its integrity. The evaluation of the network security controls is very difficult because the technique requires comprehensive network review of various components and the system layers as well as other related external applications. Works Cited Allen, Julia H. The CERT Guide to System and Network Security Practices. Boston, MA: Addison-Wesley. 2001 Layton, Timothy P. Information Security: Design, Implementation, Measurement, and Compliance. Boca Raton, FL: Auerbach publications. 2007 McNab, Chris. Network Security Assessment. Sebastopol, CA: O'Reilly. 2004 Peltier, Thomas R. Information Security Risk Analysis. Boca Raton, FL: Auerbach publications. 2001 Dhillon, Gurpreet. Principles of Information Systems Security: text and cases. NY: John Wiley & Sons. 2007. Hardie, Chris. Computer Security Audit Checklist. Richmond. Indiana and Wayne County, Indiana. 2003. From, Marco, Pistoia. A survey of static analysis methods for identifying security vulnerabilities in software systems. IBM Systems Journal. Vol. 46, No.2, 265-288. April-June 2007. Wilander, John & Kamkar, Mariam. A Comparison of Publicly Available Tools for Static Intrusion Prevention.proc 7th Nordic Workshop on Secure IT Systems (Nordsec 2002).Karlstad, Sweden. 68-84. November 7-8, 2002 Amoroso, Ed. Fundamentals of Computer Security Technology. Englewood Cliffs, NJ: Prentice Hall.1994 Stallings, W. Cryptology and network security: Principles and practice. Upper Saddle River, NJ: Prentice Hall.2003. Read More