Strategies Of Implementing Information Security

Published Date: 02 Nov 2017

Carl James V. Tauyan

Wilmington University

Table of Contents

Abstract

Network security threats to an organization’s network can include intentional break-ins, denial-of-service attacks, various sophisticated penetration methods, and just about everything else in between. Due to the constant growing number of threats, security measures cannot simply be implemented and then ignore by the organization. All personnel within an organization must have some level of security awareness and know the available tools and methods to securing their network infrastructure. People of the organization are often referred as the weakest link of network security and one of the main keys to maintaining network security is through its’ personnel and their behavior over the network. Having an effective security awareness program will address this human factor weakness. There are numerous methods a network can be attacked and no single tool or application can protect every segment of a network infrastructure. Because of this reason, a layered approach to network security should be implemented. The layered-security model centers on maintaining security measures and represents technologies among five different levels: perimeter, network, host, application, and data.

Strategies of Implementing Information Security

Network security threats to an organization’s network can include intentional break-ins, denial-of-service attacks, various sophisticated penetration methods, and everything else in between. Security cannot simply be implemented and then ignore by the organization. New threats emerge requiring network administrators to constantly update the company’s security policies, designs, and programs. All personnel within an organization must have some level of security awareness and know the available tools and methods to securing the network infrastructure. While every network threat may not be completely eliminated, having a solid security strategy will go a long way to mitigating many of them (Clark, 2012).

Despite having the most current software patches updated and the best firewalls and network security devices installed, it only takes the weakest link for an attacker to gain access and expose the entire network infrastructure of an organization. Many IT professionals have pronounced that people are among the weakest link in an information security design. The people or the employees of the organization can leave networks exposed either through malicious motives, accidental misuse of hardware or software equipment, or a lack of security awareness (Russell, 2002). One of the main keys to maintaining network security within a company is through its’ personnel and their behavior over the network. A careless end user can cause disastrous effects to even the most exceptional security applications (Clark, 2012). This human factor weakness will always be factor within an establishment’s network security but an effective security awareness program will help reduce these risks to a more acceptable level. Security awareness programs can be broken into two groups, awareness and training (Russell, 2002).

End user education and training are actual forms of network security. This type of training, however, should begin in the orientation process upon acceptance of employment. Future employees must be educated of the company’s expectations pertaining to its computer and network security processes such as acceptable use policies (Montoya, 2011). These policies should reflect the organization’s position toward overall security implementation and be written in such a manner so all employees within the establishment can understand. Once policies are created and/or amended, it is important all users are made aware of these documents and be made available to access (Russell, 2002). Having proper guidelines are important. Employees must know how to perform their roles in protecting the organization’s network and know the consequences when they do not abide by them (Clark, 2012).

In addition, security awareness must include other items that may not be covered by company policy. These elements may include such topics as the effects of security breaches on the organization, the necessity of implementing strong password, or addressing acceptable social engineering behavior (Montoya, 2011). Organizations must also take the time to evaluate the levels of security knowledge across the entire business and then determine the need for additional and reoccurring training (Russell, 2002). Scheduled training will not only serve as reminders of the need but also the importance of implementing security policies. This will also assist in keeping current employees up to date of the changes to security threats and vulnerabilities. Training and educational opportunities within the company should include presentations made available by fellow employee staff, any available training videos, computer-based training, and newsletters. Other training methods may include presentations provided by external professionals or through one-on-one training as needed (Montoya, 2011). Like an updated hardware or software device, people can only defend against known threats (Clark, 2012).

There are many options to network security within an organization. Due to the growing number of threats that include cyber-terrorists, disgruntled employees, and different types of hackers; enhanced security procedures have become more mandatory rather an option (Ashley, 2003). There are a number of methods a network can be attacked and no single tool or application can protect every segment of a network infrastructure. Because of this reason, a layered approach to network security should be implemented (Bala, Lucky, & Pal Garg, 2010). Through this approach, one of the goals of a layered-security model is to increase a hacker’s "work factor." A company network with a high work factor would be more difficult to compromise than a company with a lower work factor. A layered approach to network security would allow a hacker’s work factor to be so high that the hacker will decide move on and seek other less secure networks (Ashley, 2003). The layered-security model centers on maintaining security measures and represents technologies among five different levels: perimeter, network, host, application, and data (Bala, Lucky, & Pal Garg, 2010).

The first line of defense from an outside, untrusted network is the perimeter. It is inside the perimeter where the gateway of an organization’s network ends and the untrusted Internet begins. Security devices at this level must enforce strict access rules that limit what enters the network as well as what traffic is allowed to interact with the Internet from inside the company network (Ashley, 2003). A compromised network perimeter is capable of preventing a company from conducting business. Example technologies used to secure the perimeter of a network are firewalls, network-based anti-virus software, and virtual private networks (Bala, Lucky, & Pal Garg, 2010).

The local area network and wide area network are considered the network level of the layered-security model. The internal network may include devices such as desktops, servers, and other hardware PCs. The network level may also include more complex remote access devices. Because networks can be open behind the perimeter and travel through the company network undetected, this makes a tempting target for malicious individuals (Ashley, 2003). To monitor and secure these network level devices, technologies such as Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), vulnerability management, network access controls, and access control and user authentication can be used (Bala, Lucky, & Pal Garg, 2010).

Individual devices to include servers, switches, and routers make up the host level in the layered security model. If any of these devices are configured inaccurately or inappropriately, they can create exploitable security vulnerabilities within the organization’s network. Parameters such as registry settings or patches on the operation system can cause these holes (Ashley, 2003). Host security implementations can include the use of host based IDS/IPS devices, host based vulnerability assessments, network access controls, and anti-virus software usage (Bala, Lucky, & Pal Garg, 2010).

Application-level security can be a great concern because poorly protected applications are able to provide easy access to an association’s confidential data and records. Applications can be made available on the Web then accessed by customers, business partners, and remote employees. Programmers may code these applications with little security concerns allowing these applications as potential targets for hackers. Imposing a security strategy for each network application may be necessary (Ashley, 2003). Level 4 application security methods may include application shields, access control/user authentications, and input validation products (Bala, Lucky, & Pal Garg, 2010).

Data-level security combines the use policy and encryption. Company-wide policies govern which employees have access to data, illustrate what these authorized end users are allowed do with it, and who has ultimate responsibility for its integrity and safekeeping. Data travels across the company’s network and is highly recommended to implement a strong encryption scheme in order to protect proprietary data (Ashley, 2003). Finally at the data level, encryption and access control/user authentication may be utilized to secure this level (Bala, Lucky, & Pal Garg, 2010).

Network security threats are out there as more vulnerabilities and viruses are reported every day. With this acceleration of attacks and technology, it is even more apparent for company employees to have proper security awareness and kept up to date of the current security threats and vulnerabilities. A well maintained security awareness program will have a great impact of the overall security practice (Russell, 2002). In addition, hackers of all types, cyber terrorists, and disgruntled employees are all capable of conducting attacks on company networks with increased frequency and using more sophisticated methods. Organizations may not be able successfully starve off every attack but a good layered-security implementation will assist in thwarting many of them away to less secure networks (Ashley, 2003).