Managing Business Information Systems

Final Project

Managing Business Information Systems

The Need for Network Security

By: Jose L. Rodriguez

The Need for Network Security

The primary objective with this paper deals with how network security systems protect, detect, adapt, recover and/or reconfigured from anomalies in order to provide some desired level of security services. This paper is a strategy for the development of a general security mechanism/countermeasure valuation scheme. The general objective addresses the question, "Given the value of information to be protected and the threat environment, how strong and assured should security mechanism(s) be to provide desired security services(s)?" [DEL98]

Company information is as valuable a company asset as money in the bank. In fact, some information can be even more valuable than cash, so protecting the company's information with appropriate security is critical to business success. The network and data security measures you put in place for your business, from a firewall to a data backup system, are physical manifestations of business rules. You make business decisions about how important your computer network and the data it holds are to your business, and as well as how you want to protect it. Data security systems are the direct result of those business decisions.

Security exists on many layers. Network security considerations begin with (but are not limited to) a range of factors including: [ALE96]

* How company office facilities are selected and maintained,

* How potential employees are screened,

* The remote access policy and procedures to the company's systems and information, and

* What kind of encryption and firewalls are provided in the corporate network.

In other words best-practice security isn't just good business sense; in some cases, it's also the law. Legal requirements are vary between specific industries and different jurisdictions. For example, the Health Insurance Portability and Accountability Act (HIPAA) set requirements for patient privacy in the United States. In California, privacy laws prohibit financial institutions from sharing personal financial information with unaffiliated third party partners without the consumer's consent. And in Europe, privacy laws protect certain employee information--even to the point where inappropriately sharing an employee's name and location in a company directory can be considered a violation. [POW99] Therefore, when considering network security, it is important to consider business policy and practices, legal requirements, and technology.

First, the greatest asset of corporations and governments is information. Which encompasses a wide range of diverse sections including: computer data, marketing strategies, tax and personnel records, military strategies, financial data, communications, and business plans? Internal information is a strategic and competitive tool for an organization. Our society is so reliant on this that the loss or corruption of the United States' information infrastructure would create a situation where the systems such as the national banking system, electric power grid, transportation systems, food and water supplies, communication systems, medical systems, emergency services and most businesses could not survive. In short, information is the backbone of the operations of businesses and government, and the security of this information is critical. In conclusion, computers and software are a part of a world-wide network, no longer existing in limited constraints, making them more susceptible to information abuse and more in need of network security.

The convenience and easy access to information comes new risks. Among them are the risks that valuable information will be lost, stolen, corrupted, or misused and the computer system will be corrupted. If information is recorded electronically and is available on network computers, it is more vulnerable than if the same information is printed on paper and may not even be the same country. They can steal or tamper with information without touching a piece of paper or a photocopier. They can create new electronic files, run their own programs, and hide evidence of their unauthorized activity. [BAR96]

Why the Internet is Vulnerable

In the beginning network protocols that formed part of the Internet infrastructure were designed without security in mind. Without a fundamentally secure infrastructure, network defense becomes more difficult. Furthermore, the Internet is an extremely dynamic environment in terms of both topology and emerging technology. [COH95]

First, because of the inherent openness of the Internet and the original design of the protocols, Internet attacks in general are quick, easy, inexpensive, and may be hard to detect or trace. [KRO92]

Second, many sites place unwarranted trust in the Internet. It is common for sites to be unaware of the risks or unconcerned about the amount of the trust they place in the Internet.

Third, much of the traffic on the Internet is not encrypted, confidentiality and integrity are difficult to achieve. This situation undermines not only applications (such as financial applications that are network-based) but also more fundamental mechanisms such as authentication and no repudiation.

Fourth, another factor contributing to the vulnerability of the Internet is the rapid growth and use of the network, accompanied by rapid deployment of the network services involving complex applications. Often these services are not designed, configured, or maintained securely.

Fifth, compounding the problem, operating system security is rarely a purchase criterion. As a result, off-the-shelf operating systems are shipped in an easy-to-use but insecure configuration that allows sites to use the system soon after installation.

Finally, the explosive growth of the Internet has expanded the need for well-trained and experienced people to engineer and manage the network in a secure manner. Because the need for network security experts far exceeds the supply, inexperienced people are called upon to secure systems,