Introduction
As the Chief Information Security Officer of FansivOps International, it is essential to formulate a proper and effective information security and risk management policy to conduct an evaluation of information security management requirements in regard to opening a new branch office in the southern region of Sudan, Africa. In addition to opening a new branch office in Juba, it is anticipated that a smaller site office will be maintained at Agar to facilitate mining and export operations. As most of the transactions would be done online it is important to understand the risk involved and formulate a plan to negate the threats.
Background
A possible risk arises when our computer connects with a network and starts to communicate and download programs. Protecting the files and the Internet account of our computer from other users who can cause harm to it is known as Internet Security. Certain security measures, which help us to protect our computer, would be making backup copies of our important data, changing file permissions every now and then and assigning passwords, which only we know. The various IT systems, which are used in different businesses, view security concerns as an important aspect.
Internet users need to be sure that their computers, which contain valuable information are completely secure. Cybercriminals can cause many damages and thus, effective security measures are necessary. The professionals who handle Internet security need to be confident about certain areas like penetration testing, audit or legal compliance, incidence response and intrusion detection (Xenos & Moy 2007).
TCP/IP Networks and Security
TCP/IP or the Internet Protocol Suite is a collection of certain communication protocols, which are used by the Internet and other networks. It contains two important protocols, Transmission Control Protocol or TCP and Internet Protocol or IP. These were among the very first networking protocols to be defined as a standard. They have developed into complex forms over the years. The TCP/IP has four different layers. The highest is the Application Layer, then the Transport Layer, the Internet Layer and the Data-link Layer. Each layer handles its own data transmission and provides support services to the higher layer protocols. The users are closer to the upper layers and depend on the lower layer protocols for the translation of data (Ammari 2006).
The TCP/IP network is considered highly vulnerable and unsecured. It contains a number of security flaws inbuilt in them and is often exploited by hackers. TCP/IP has no inbuilt security, as it is simply a delivery system. The packets can be easily captured or sniffed and the IP address can be faked. Its major problems are:
TCP SYN (sequence number) attacks or SYN Flooding – sequence numbers are used by TCP to make sure that the appropriate user obtains the data in the proper order and are determined by a Three-way handshake. The hackers take advantage of the way the handshake is implemented by the host. A wicked host sends a number of SYN request to another who ultimately stops accepting them, giving the wicked host time to apply DOS attacks (Speed & Ellis 2003).
ICMP attacks – the IP layer uses the Internet Control Message Protocol or ICMP for sending messages to a host. It works only one way. It too does not perform any authentication, which allows hackers to capture the sent packets.
Routing attacks – here advantage is taken of the Routing Information protocol or RIP. It forms an important part of the TCP/IP network. Various routing information is distributed within a network using RIP. It too does not have an authentication process and the RIP packets are often utilized without validating them.
DNS attacks – in order to map IP addresses to their host names and vice versa, Domain Name Service or DNS protocol is used. Hackers who want to fool authentication process can use this mapping property.
IP Spoofing – through this unauthorized access can be obtained into computers. The attacker pretending to be the actual host sends certain messages to a computer using a forged IP address. The IP layer does not perform any authentication, receives it, and thereafter enjoys unofficial privileges (Ammari 2007).
Technologies are employed in securing TCP/IP implementations
Secure Socket Layer or SSL – Netscape originally devised this technology. As the name implies, SSL resides at the same layer as the Socket API. When a client uses SSL to contact a server, the SSL protocol allows each side to authenticate itself to the other. The two sides then negotiate to select an encryption algorithm that they both support.
Finally, SSL allows the two sides to establish an encrypted connection. We need to secure the data, which is being sent over the network. SSL protocol protects the data when it is being transmitted over any network service. The HTTP server-client application mainly uses it. It has a more recent form, which is Transport Layer Security or TLS. A program layer is used by SSL, which is located between the HTTP and TCP layers (Rhee 2003).
IP Security or IPSec – it is also a suite of protocols, which are used to make IP communications secure. All the IP packets in a data stream are encrypted and authenticated. Before a session begins, a mutual authentication between the parties is established and the parties determine the encryption and decryption keys. It protects the data, which flows through the network between the hosts or gateways.
It operates in the Internet Layer of the Internet Protocol and is an end-to-end security solution. It is very flexible as it operates in the lower layer of the model and protects the various high level protocols. Its predecessor was the Network Layer Security Protocol or NLSP. IPSec has two modes of operation, the Transport mode and Tunnel mode. The former only encrypts and authenticates the date contained in the IP packets while the latter encrypts and authenticates the whole IP packet (Behr 2004).
Kerberos – it is an authentication protocol used by the computer network. People who communicate through a non-secure channel can identify themselves to each other through this in a very secure way. It has been mainly designed for a client-server model and offers mutual authentication. The messages in this protocol are secure from replay attacks and eavesdropping.
It uses symmetric key cryptography but can also use public key cryptography for authentication. Its drawbacks are that it continuously requires the central server. In addition, the clocks of the two parties need to be synchronized for authentication to be effective. Administration protocol depends on the implementation of the server and has not been standardized. As the user’s secret keys and passwords are kept on the server, they can be compromised at times (Blaauboer 2006).
Security evaluation certificates
In order to determine the actual level of assurance or trust to be placed upon a system, which is secured from loss of information and valuable and sensitive data, a security evaluation needs to be done. A product evaluation determines the proper features of a computer product and a system evaluation determines whether a system is safe from outside attack. There are a number of security evaluation certificates, which guarantee that the evaluation processes are carried out by professionals in a proper and universally agreed manner.
The Evaluation and Certification Schemes, the IT security evaluation methods and the IT security evaluation criteria are well recognized by the law and valid in a number of countries. The certificates meet all the required conditions, which have been unanimously agreed upon and have been given in the Information Technology Security Evaluation Criteria or ITSEC and the Information Technology Security Evaluation Manual or ITSEM (Preetham 2002).
The security certificates are useful as they assure the customers that the services or products offered to them are safe, as the products cannot be compared with security. It tells them that the product has been properly evaluated and has passed certain criteria. The product after passing the tests is deemed and is stated to be secure and competent to fulfil all our needs. A detailed certification report is given along with the security certificate, which provides the various security claims of the product, the security levels, which it has obtained, and other features of the product. Sometimes the security claims can also be negotiated.
Risk Assessment and Management Process or RAMP
Nowadays it is a challenge to maintain the security risks faced by Information Technology. Most of the private organizations and federal agencies find it very difficult to make their systems efficient against security risks by implementing appropriate measures. The security risk assessment and management process helps the various managers by providing them with different examples and case studies of a number of risk assessment processes.
Determining or assessing the potential risk of a computer system is an important aspect of risk management. A number of other entities are also involved like building up a focal point for the management, awareness promotion, implementation of different controls and policies and evaluating them properly. Risk management can be considered as a cycle and all its elements are of importance especially risk assessment, which acts as the foundation. Risk assessment also helps to select gainful techniques for implementing the policies and establishing them.
As these risks change and develop with time, the firms and organizations need to occasionally re-assess the risks and the efficiency of the controls and policies, which they use. We rely on our computer to perform most of our daily works and electronically store all our important data. Thus, information security risk is one of highest risk factors threatening us (Chakraborty 2002).
There are a number of methods and models to assess the risk factors and the decisions that we make depend on the accessibility of important data and capacity of the made assessment. The assessments are made keeping certain points in mind. Some are like the possibility of an event, which can cause damage, the expenses, which we have to pay in case of losses and also the cost and effect of the actions, which are to be taken. Most of the times not all these information are present and the risks are assessed to be low, medium or high. The firms to conduct risk management and assessment use a number of tools. These tools ensure that the approaches used by the firms are steady and uniform.
Every time a new assessment is required to be made, these tools help to change the evaluation policies appropriately. RAMP has a number of benefits. It ensures that our business and organization is not threatened by any risks and even if they are then the risks are identified. It also helps the managers understand the potential risks themselves so that they can solve it on their own in the future (Farmer 2004).
Security policy
It is a set of official statement of certain rules through which an organization or firm is made secure and its employees can access its technology, information and system assets. It defines the various security and business objectives and goals of the management. It must be economically viable, consistent in its working, provide proper protection to the objectives and goals, easily understandable and its procedure should be tolerable.
The following characters are necessary for an organization to implement in its security policy:
Physical security – a person may be given physical access based on authorization or payment. People can be checked from entering into an area by a ticket collector, door attendant or guard. They can also be checked before they exit the premises of the secured place.
Authentication and access control – authentication is the process of finding the actual identity of a user who is attempting to access a secure system. The user’s identity is verified by using passwords, response calculators or personal challenges. Access control refers to the capability to either deny or permit usage of a resource by an entity. There can be physical access control or electronic access control. While the former controls the topic of when, where and who, the latter utilizes a computer to resolve the restrictions of various mechanical keys and locks (Spafford 2003).
Network security – refers to the different requirements of the infrastructure of a computer network, the various policies that have been adopted by the administrator to protect its resources and network from illegal access and the steady and constant monitoring of the given procedures. We start network security by authenticating the user first by their password or username. Then the user is allowed access to certain services by the Stateful Firewall. In case there are Malwares, an Intrusion Prevention system or IPS helps to prevent and detect it and it monitors the network traffic for its volume, anomalies and content.
Auditing or accounting procedure – auditing or accounting is the process of data collection and analysis that allows the administrators and others, like the IT auditors, to verify that the users and the authorization rules have produced the intended results as defined by the organizations business and security policies. To effectively analyze the security of a network and to respond to the security incidents procedures should be established for collecting network activity data (Isenmann 2002).
Conclusion
Internet security can also be attained through other ways. In order to block the use of unauthorized ports of our computer we can use a software program called firewall. They constantly record data about connection details of our computer. They are built using routers and prevent hackers from sending unnecessary messages to a system. A firewall is mainly of three types:
Packet filtering – it inspects the IP packets which flows through it and are forwarded only if they pass certain rules.
Proxy firewall – it acts as an intermediary of the user request and sets up a second connection to our desired resource at either the Application or Session or Transport Layer (Kaufman 2002).
Stateful firewall – it is a new generation in firewall technology and its most secure form. It does not require a separate proxy for every service, which needs to be secured, and provides full application layer awareness.
Most system administrators use a combination of both packet filtering firewall and proxy firewall to build a good security system.
We can also use Anti-Virus software to protect our computers from Trojan horses, viruses and worms. These are deceptive programs whose sole purpose is to destroy important data on our computer or cause them to malfunction. Trojan horses are hard to find and pretend to do some useful work when actually they find our personal data and destroy them. Worms replicate through the computer network and affect programs on our computer. Viruses are small piece of programs, which attach to our personal files and corrupt them. Anti-virus softwares are easy to get and can also be downloaded. Malwares and spyware cannot be detected by most ordinary anti-virus softwares and have a fixed payload (Merkow & Breithaupt 2000).
They require specially designed programs for their detection. They relay collected data from our computers to others even if we never use the program. There are also the adwares which are the irritating pop-ups constantly advertising some thing or other. However, sometimes they also install themselves secretly on our computers and clean up our entire computer system. We need to be careful about the web browser that we use. Among the widely used and popular browser is the Internet Explorer. Mozilla Firefox, Opera, Safari and Google Chrome are among the other browsers (Lazinger 2007).
Reference list
Ammari, H., 2006. Using group mobility and multihomed mobile gateways. International Journal of Communication Systems, 19 (10), pp. 1137-1165.
Ammari, H., 2007. A survey of current architectures for connecting wireless. International Journal of Communication Systems, 20 (8), pp. 943-968.
Behr, K., 2004. The Value, Effectiveness, Efficiency, and Security of IT Controls: An Empirical Analysis. Oregon: ICL Press.
Blaauboer, F., (2006). Requirements in Functional IT Management. Twente: Centrem for Telematics and Information Technology.
Chakraborty, G., 2002. An empirical investigation of antecedents of B2B Websites’ effectiveness. Journal of Interactive Marketing, 16 (4), pp. 51-72.
Farmer, D., 2004; IT Forensic Discovery. Boston: Addison-Wesley.
Spafford, G., 2003. Practical UNIX and Internet Security. Wellington: O’Reilly.
Isenmann, R., 2002. Internet use for corporate environmental reporting: current challenges – technical benefits – practical guidance. Business Strategy and the Environment, 11 (3), pp. 181-202.
Kaufman, C., 2002. Network Security: Private Communication in a Public World. London: Prentice Hall.
Lazinger, S., 2007. Internet use by faculty members in various disciplines: A comparative case study Journal of the American Society for Information Science, 48 (6), pp. 508-518.
Merkow, S., & Breithaupt, J., 2000. The Complete Guide to Internet Security. Boston: AMACOM.
Preetham, V., 2002. Internet Security and Firewalls. Auckland: Premier Press.
Rhee, Y., 2003. Internet Security: Cryptographic Principles; Algorithms and Protocols. Boston: John Wiley and Sons.
Speed, T., & Ellis, J., 2003. Internet Security: A Jumpstart for Systems Administrators and IT Managers. New York: Digital Press.
Xenos, M., & Moy, P., 2007. Direct and Differential Effects of the Internet on Political and Civic Engagement. Journal of Communication, 57 (4), pp. 704-718.