Under
Ethiopian TVET-System
Maychew Poly Technical College
LEARNING GUIDE # 15
Unit of Competence: Monitor and Administer System and
Network Security
Usernames with dynamic passwords: the password is constantly changed by a password generator (a hardware token or an app) that is synchronized with the server. Both sides share a secret and derive the same one-time code from the current time or a counter, so the password changes constantly without the two sides having to communicate.
Other challenge-response systems: the system issues a challenge (a PIN prompt, a question with a pre-registered answer, or a random value that the user's token must transform) and checks the user's response.
Certificate based: this requires the user to hold a digital certificate and the matching private key, or a token containing them. The certificate is digitally signed by a trusted authority. Kerberos is often grouped here, although it uses tickets issued by a trusted Key Distribution Center rather than certificates.
Physical devices: these include the use of smartcards and biometrics. The biometric match or the card PIN check usually happens on the local workstation, but the credential that results is normally still validated by an authentication server, so a server is not always eliminated.
Whatever method is used is determined by the organizational policy and security requirements.
Identity Management
In large organizations there may be thousands of users for a network. These users could be employees,
contractors, partners, vendors and customers. Being able to identify and manage each of these users is most
important because each user has different requirements and levels of access.
This information is managed using either the Network Operating System, Directory Services or specialized
Identity Management Software. Essentially, all of these use a central repository or database that contains all
the user information and credentials. This presents a single location for all applications and services to use
when authenticating users as required.
Authorization
Once a user has been authenticated (that is their identity validated) they are granted access to the network or
system. For the user to then access data or an application or execute some task or command they need be
authorized to do so. The authorization process determines what the user can do on the network. In other
words it enforces the organization policy as applicable to the user.
The Network and System administrators are responsible for the technical configuration of network operating
systems, directory services and applications. Part of the configuration includes security settings that
authorize user access. The administrators use an organizational policy to determine these settings.
User Account Configuration
Network and System Administrators are responsible for configuring user accounts. Network operating
systems and applications have many security options and setting relating to user access. How does an
administrator determine the configuration and setting for user accounts?
o Regularly review organizational policies and procedures to be aware of requirements and address any
organizational or network changes
o Conduct regular checks to ensure the change management procedures are working for new, changed and
deleted users
o Review and investigate current work practices regarding user network access
o Conduct information and training sessions for network users to reinforce appropriate practices and
organizational policy
o Conduct regular audits of network access—verifying current users and deleting expired accounts
Managing user accounts can be a complex and tedious task, but we can make things easier by ensuring appropriate policies and procedures are in place.
Reflect: Policies and procedures
Many larger organizations post the policies that govern their user authorization processes on their intranets. Try searching the intranet sites of larger companies, particularly IT based organizations. You may need to look under 'Publications' or 'Policies'. Also try a Google search for the term 'user authorization policy' (use
Self check
1. What is Authentication?
2. What is Authorization?
3. Is the following statement True or False?
Identity Management Systems store user information and credentials to many separate network locations in
many separate databases making user management difficult.
4. Before giving individual or group users access to a network, access privileges and restrictions need to
be set up. List at least 5 settings usually associated with configuring user accounts
5. Is the following statement True or False?
The network administrator decides which documents users will access on the network.
6. What should user authorization policy and procedures address? List at least 6 items.
7. How does the use of groups facilitate user management and administration?
8. Is the following statement True or False?
Network operating systems and Application software have the means to control user access to data.
HARDWARE AND NETWORK SERVICING
Level-III
LEARNING GUIDE # 16
Internal threats
Internal threats mean danger from within an organization or inside the network. Many security
breaches are the result of employees accessing data that they should not have access to, or making
errors such as deleting files or introducing viruses.
Access to data, and the ability to delete files should be controlled by permissions and access rights
depending upon employee roles in the organization. Employees may deliberately seek access to
sensitive or confidential data for personal gain or to ’get back at management’ for various reasons. In
some cases employees are oblivious to the need to keep their username and passwords a secret so their
credentials may be used by others to gain unauthorized access. Lack of employee training or
awareness of computer security and lack of user account management processes also constitute
internal threats.
External threats
An external threat means danger from outside the organisation’s network. The security events that
get the biggest press coverage are the external attacks on sites. These can include hackers
attempting to break into a network to obtain confidential data or to overload the system and so deny
normal service.
The important tools that are used by a network administrator to monitor the network may also be
used to eavesdrop or attack the network.
Network monitors
In a very large network the administrator may need to make use of a network monitor. These
devices can read and display every packet on the network. They can also report on the physical state
and operation of network devices. They have high-speed processors and can receive and store
packets for later review. It is this feature that could lead to a security breach. Normally the
administrator will use these to obtain statistics on such things as:
o the operation of the network
o the numbers of lost and/or corrupted packets
o the number of packets ignored
Network monitors can also be used to gather event logs, system logs and audit logs from various
network devices. If these devices are used on a wide area network then it is conceivable that someone
could capture packets of data that contain sensitive information. It is very difficult to know whether such
a device is in use, since the telecommunications company may have several of them on the network as
part of normal monitoring. This becomes a real security threat if confidential data or passwords are
sent in plain text on the network, which is why clear-text protocols (Telnet, FTP, basic HTTP
authentication) should be replaced by encrypted equivalents wherever sensitive data travels.
What to monitor
In understanding threats and where they originate, we can now determine what to monitor in
conjunction with organizational policy. In most cases we need to monitor events like:
o network user logon/logoff
o failed logon/logoff attempts
o specific file or data accesses
o internal and external connections
o administrator or privileged system access and changes
o Business processes relating to IT data access.
o email content (if organizational policy specifies this)
o Web site access and downloads.
What you decide to monitor will depend upon organizational policy, network design and threats specific
to the business.
Most network operating systems and network devices will record events and activities in a log or audit
file. If you are trying to track down a security problem then these may provide useful
information. There are three main issues concerning log files:
o Log files can become very large and so take up disk space.
o Logging events can slow system performance.
o Log files may be difficult to read because of the amount of detail recorded.
In addition to the log files created by the operating system there may be applications that create
similar files that can give you more information about user access and activities. In addition, audit
logs may be generated by operating systems, applications and network devices. Usually, auditing
features need to be turned on in the operating system, application or device and options enabled as
to what information will be recorded in the audit logs.
It must be noted that log files are historical records – they contain information about events that have
occurred. Administrators need to decide how to use this historical information. Generally, log files
are reviewed on a regular basis for example once a week to look for any unusual activity or events.
Should a breach of security be suspected, the dates, times and events can be correlated using
information contained in the various log files.
As human beings we are not very well suited to sifting through complex log files to find possible
events. Fortunately we can use the log viewers that come with the operating system, application or device
that generated the log. Here we can view and search the log file in a more productive fashion. Log
analyzers are third party products that can search log files for specific information and initiate some
sort of alert or message to the administrator. These may also be developed 'in house' using scripting
languages like Perl or Python to scan the text in log files and raise an alert when specific patterns
are encountered.
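Below is an added example (not from the learning guide) of such an in-house log analyzer, written in Python rather than Perl. It runs over constructed syslog-style lines and covers the events listed under "What to monitor": failed logon bursts from one source, a successful logon from a source that had just failed repeatedly, privileged logons, and out-of-hours access to a confidential file. The line format, the threshold of four failures, the privileged user names, the confidential path and the business-hours range are all assumptions for the demonstration.

```python
"""Log analyzer for authentication and access events (added example; the
log lines are constructed, and the format and thresholds are assumed)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log. Assumed format:
# "YYYY-MM-DD HH:MM:SS host EVENT user=<name> src=<ip> [res=<path>]"
SAMPLE_LOG = """\
2024-03-04 09:12:01 fileserver LOGIN_OK user=alice src=10.0.1.20
2024-03-04 09:13:10 fileserver LOGIN_FAIL user=bob src=203.0.113.9
2024-03-04 09:13:12 fileserver LOGIN_FAIL user=bob src=203.0.113.9
2024-03-04 09:13:14 fileserver LOGIN_FAIL user=admin src=203.0.113.9
2024-03-04 09:13:16 fileserver LOGIN_FAIL user=root src=203.0.113.9
2024-03-04 09:13:18 fileserver LOGIN_FAIL user=bob src=203.0.113.9
2024-03-04 09:13:25 fileserver LOGIN_OK user=bob src=203.0.113.9
2024-03-04 10:40:00 dbserver LOGIN_OK user=root src=10.0.1.5
2024-03-04 23:58:30 dbserver FILE_ACCESS user=carol src=10.0.1.33 res=/data/payroll.db
2024-03-05 00:02:11 dbserver FILE_ACCESS user=carol src=10.0.1.33 res=/data/payroll.db
2024-03-05 08:15:00 dbserver FILE_ACCESS user=carol src=10.0.1.33 res=/data/payroll.db
2024-03-05 08:20:00 corrupted record ###
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<event>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)(?: res=(?P<res>\S+))?$"
)

FAIL_THRESHOLD = 4                       # failures from one source before alerting
PRIVILEGED = {"root", "administrator", "admin"}
CONFIDENTIAL = {"/data/payroll.db"}
BUSINESS_HOURS = range(7, 19)            # 07:00 to 18:59 counts as in-hours


def parse(log_text: str):
    """Yield one dict per line; lines that do not match are kept as UNPARSED
    rather than silently dropped, because a broken log is itself a finding."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            yield {"event": "UNPARSED", "raw": line}
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
        yield rec


def analyse(log_text: str):
    """Return a list of (category, detail) findings in log order."""
    findings = []
    failures = defaultdict(int)          # source address -> failed logon count
    for rec in parse(log_text):
        event = rec["event"]
        if event == "UNPARSED":
            findings.append(("unparsed", rec["raw"]))
        elif event == "LOGIN_FAIL":
            failures[rec["src"]] += 1
            if failures[rec["src"]] == FAIL_THRESHOLD:   # alert once per burst
                findings.append(("brute_force", rec["src"]))
        elif event == "LOGIN_OK":
            if failures[rec["src"]] >= FAIL_THRESHOLD:   # guessing that ended in success
                findings.append(("success_after_failures", f"{rec['user']}@{rec['src']}"))
            if rec["user"] in PRIVILEGED:
                findings.append(("privileged_logon", f"{rec['user']}@{rec['host']}"))
        elif event == "FILE_ACCESS" and rec["res"] in CONFIDENTIAL:
            if rec["ts"].hour not in BUSINESS_HOURS:
                detail = f"{rec['user']} {rec['res']} {rec['ts']:%H:%M}"
                findings.append(("after_hours_access", detail))
    return findings


if __name__ == "__main__":
    for category, detail in analyse(SAMPLE_LOG):
        print(f"{category:24s} {detail}")
```

Counting failures per source rather than per account is deliberate: the sample burst spreads guesses over three usernames, which a per-account threshold would miss. A real analyzer also needs a time window for the counter so that a handful of typos spread over a month does not trip it.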
Commercial products are available from companies like CA, Sawmill and Net Tracker. Go online
to search for more information about each of these.
Intrusion Detection Systems (IDS)
An intrusion detection system watches for signs of attack. A host-based IDS runs on the computer it
protects and typically monitors:
o File integrity (changes to system files and configuration)
o Application or program behaviour
o System calls between the application and operating system
o Log file activities
o Users and connections of the host computer
These systems can have a significant impact on system performance because they use the resources of the
host computer (CPU, memory, etc). A network-based IDS instead inspects traffic on the wire and so
loads the network sensor rather than the hosts.
Examples of IDS products include Snort (network based) and RealSecure. Go online to search for more
information about each of these. What other products are available?
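The file integrity check listed above is the easiest host-based IDS function to demonstrate. The following is an added example (not code from Snort, RealSecure or any other product): a SHA-256 baseline is taken of a directory tree while the host is known good, and a later check reports files that were modified, added or removed. The directory, its files and the simulated intrusion are all constructed inside a temporary directory so the script runs stand-alone.

```python
"""File integrity baseline and check, a host-based IDS function.
Added example; the file tree and the tampering are constructed."""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """SHA-256 of a file, read in chunks so large files do not fill memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root) -> dict:
    """Map every file under root (path relative to root, POSIX style) to its hash."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def check_integrity(root, baseline: dict) -> dict:
    """Compare the tree with a stored baseline; return sorted lists of changes.
    Content is compared by hash, so a rewrite with identical bytes is not flagged."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "var" / "log").mkdir(parents=True)
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "bin" / "login").write_bytes(b"\x7fELF original login program")
        (root / "var" / "log" / "auth.log").write_text("Mar  4 09:12:01 login ok alice\n")
        baseline = build_baseline(root)       # taken while the host is known good

        # Simulated intrusion: trojaned binary, dropped backdoor script, wiped log,
        # plus a rewrite of passwd with identical content (must NOT be flagged).
        (root / "bin" / "login").write_bytes(b"\x7fELF trojaned login program")
        (root / "etc" / "backdoor.sh").write_text("nc -l -p 4444 -e /bin/sh\n")
        (root / "var" / "log" / "auth.log").unlink()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        return check_integrity(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

The baseline is only as trustworthy as its storage: keep it off the monitored host or on read-only media and sign it, because an intruder with root can rewrite a baseline file kept alongside the files it describes. Hashes are used rather than modification times because timestamps are trivially reset.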
Content filters and scanners can produce both log files and real time monitoring of email and web site
access to and from a network. These systems are mainly used to monitor and enforce email and
internet use policies.
With access to web sites, specific types of sites can be allowed, restricted or just monitored in
accordance with organizational policy. Specific types of downloads can also be restricted. This
type of monitoring can give useful bandwidth usage statistics along with web site access trends
for the organization.
The content of emails can be scanned for compliance with organizational policy, for example
racial discrimination, inappropriate email use, etc can be detected. The suspected incoming and
outgoing emails in breach of policy can be quarantined and usually need to be reviewed by an
appropriate person who can manage the messages.
Content filters and scanners usually incorporate some form of scanning for viruses and other
'malware' (malware is a contraction of the words 'malicious software': software developed to
cause harm to a computer). These scanners can usually give real time reporting of breaches and
useful statistics on volume and throughput, which may indicate an attack in progress that is using up
internet bandwidth.
Other tools
Many real time monitoring tools are available from various third party vendors. In some cases IDS has
been combined with firewall products making them convenient solutions for monitoring and protection
particularly for small office or home environments. Other products can analyse log files as they are
written and provide alerts in almost real time. These third party products are usually expensive and
considerable planning is needed to come up with the correct configurations for an organisation.
Implementations have caused grief by alerting on, and responding to, events which are in fact legitimate,
non-threatening activity (false positives); tuning the rules to the organization's normal traffic is part of the planning.
This is probably the most important part of network monitoring. How do we know that we have
everything covered and that we are looking at all the necessary information? How do we actually
do the monitoring, and what do we do if we detect a threat or breach of security?
Operational procedures
Organizational policy will usually provide a high level starting point for developing procedures. The
policy should make statements about security and perhaps indicate some important guidelines.
However the policy usually does not say how to do things. Operational procedures outline details on
how something will be done to comply with the policy.
For network monitoring, operational procedures should document specific details:
o What makes up the network, that is, devices, computers, etc
o What log files will be reviewed
o What to do with the log files after they have been reviewed
o What real time monitoring systems exist (if any)
o How these systems are configured, that is, what rules and responses are set up
o How to use the real time monitoring system
o How to perform any other tasks relating to network monitoring
o What to do if something is detected
o Who is responsible for each activity.
In small simple networks, the operational procedures document will contain detailed and specific
tasks and activities to successfully monitor the network.
In large organizations with complex systems the operational procedures document can become
overwhelming because of the amount of detail it needs to contain. To make this manageable the
specific details of individual activities or tasks can be contained in separate sub documents called
’work instructions’.
Operational procedures ensure, regardless of who is employed by an organization, everyone with
the responsibility to monitor the network will do this the same way by following the instructions.
Incident Response Procedure
Incident Response Procedures are included in the Network Monitoring Operational Procedures. As the
name implies, these are detailed instructions outlining what action to take if a breach of network
security is detected. The procedures should specifically address:
o Who will be informed of the event or incident
o What steps or actions to take for specific incidents, that is, network intrusion, email policy
breach, etc.
o Responsibilities of the people involved.
Once again, the procedures ensure that everyone knows what to do in the event of a security incident
occurring.
Updating Procedures
All operational procedures need to be reviewed from time to time. This ensures that the procedures
remain relevant and cover any changes that occur in the network. Updating procedures and work
Summary
Someone should be responsible for monitoring network security and this may involve regular
reviews of audit and log files to check for suspicious activity. For example, users attempting to
access a confidential database at midnight might be cause for concern. Various tools are available to
make the monitoring task easier. It is worthwhile to monitor other events in the security world such as
hoaxes, attacks and other developments. There are several websites that can help you do this.
Most importantly, procedures and work instructions need to be in place to ensure that network
security monitoring is performed correctly and completely. These will save you time and effort in
the long run when dealing with security issues.
We need to know how to fix the security gap. In most cases vendors provide software patches or
firmware upgrades with specific instructions on how to apply them. In some cases the fix may require
network rearrangements to change the way network traffic is generated or moves across the network.
In all cases we need to consider:
o What hardware, firmware or software is needed for the fix
o What technical process is needed to apply the fix
o What resources (people, time, equipment, etc) are required to apply the fix
o What it will cost financially to apply the fix (software purchase, etc)
o What impact there will be on business operations when applying the fix (down time, training, etc)
o What changes will occur to processes and procedures after the fix is applied.
Solutions provided for fixing new security issues need to be tested to confirm that they address and fix
the security issue. Every network environment is different so testing will ensure that the security fix
solution will not have any adverse effects on existing network services.
Testing should always be done using test environments that are configured like the live production
environment. Testing on working production environments should be avoided because you may
disrupt services with untried software and compatibility issues.
As administrators we are responsible for the technical management of a network. With regard to
network security it is the job of organizational management to make decisions regarding acceptable
levels of risk and what security measures need to be applied for the business. This applies to network
security.
Once we know that a security update or issue is applicable to the network we need to present to
organization management all the information they need to make an appropriate decision on whether to
apply a fix or not. This information must be in plain English and meaningful to non technical people.
The information should include:
o Description of the issue, threat or vulnerability
o Impact and consequence of the issue, threat or vulnerability
o Requirements to implement a fix (resources, costs, training, etc.)
The IT environment is not a static one. If it were, we could set and forget network security. However,
we know that with changes in technology, existing network devices and software need to be checked
regularly to ensure they remain secure. As flaws and vulnerabilities are detected we need to apply
fixes as determined by organization requirements.
To ensure that network security remains at an optimal level, we need to ensure processes and
procedures exist to perform regular checks and that we are informed of any potential security gaps.
These processes and procedure may be manual. For example, performing weekly searches of vendor
web sites for security updates.
Alternatively, some hardware devices and software provide an automated update service that uses the
Internet to check for security updates. The hardware device or software may even apply these updates
without any human intervention. Many anti-virus products do this because new virus threats can
appear daily and the best defence is to ensure the products are constantly up to date.
Go online and use your preferred search engine (such as Google - www.google.com.au) and search
for the term 'security alert services'. (Tip: put the phrase within "quote marks" to search only for the
Network tools and utilities can also be used. These vulnerability scanners check network devices and
software for known vulnerabilities. They also need to be kept up to date to detect the latest threats and
vulnerabilities. Network security tools and utilities are available for download via the internet.
These may be open source, shareware or commercial products. Web references in the 'Resources'
section of this learning pack provide links to various sources.
Manual procedures
If manual procedures are used we must ensure that our inventory of network devices and software is
kept up to date and that schedules and responsibilities are well defined. Organizations should treat the
application of security fixes as part of its essential maintenance procedures.
Subscription services
Subscription to security alert services may also be of value. They usually notify via email of any
issues as they arise and provide advice and solutions to address the issues. Information about
subscriptions is available on line from providers like AusCERT (www.auscert.org.au).
Summary
With the rapidly changing IT environment, especially the Internet and e-commerce systems, it is
essential that security be taken seriously. Hackers love to find flaws in popular products and protocols
that most organizations use to run their business.
We know how to use the Internet and other resources to find information on security updates and new
issues. We also know how to evaluate security issues and their fixes and present them to the appropriate
decision makers for their consideration. The importance of good processes and procedures for
updating and optimizing network security cannot be overstated.
Self Check
Part I. Answer the following questions
1. List five events that should be monitored with respect to network security.
2. List ten kinds of information that should be contained in Network Security Monitoring Operational
Procedures.
3. List five main reasons for implementing an Intrusion Detection System.
c. usually small
d. read easily by human beings
e. none of the above
auditors.
_______ 2. The greatest threat to an organization’s computer network security is its own
employees?
LEARNING GUIDE # 17
The algorithm may work in both directions, meaning that information can be encrypted and
decrypted with the correct keys. In principle, knowing three of the items involved (for example the
original information, the cipher text and the algorithm) constrains the fourth. However, encryption
methods are designed so that recovering the key, even when the algorithm, the original information and
the cipher text are all known, is computationally infeasible.
Ciphering
Ciphering is the process by which data, the original information (plaintext), is converted into cipher text.
The process uses an algorithm and a key, but more specifically the term refers to how the raw data is
handled. There are generally two cipher methods.
A stream cipher is a relatively simple method where each bit (or byte) of the original information is
sequentially combined, usually by exclusive-OR (XOR), with the corresponding bit of a keystream. If
the keystream is produced by repeating a short, fixed-length key, or the same keystream is used for more
than one message, it may be possible to deduce the key by analysing the cipher text: the XOR of two
messages encrypted under the same keystream is the XOR of their plaintexts, and the key cancels out.
A keystream that is truly random, at least as long as the message and never reused is a one-time pad,
the one encryption system that is provably unbreakable. It is not commonly used because of the
overhead of generating, distributing and storing a secret key as long as every message. Practical stream
ciphers instead expand a short secret key and a unique nonce into a long pseudo-random keystream.
A block cipher encrypts the original information in chunks. Depending upon the encryption system,
the size of these chunks or blocks is fixed (64 bits for DES, 128 bits for AES). Each block is processed
by the algorithm and key to produce a block of cipher text. A mode of operation such as cipher block
chaining (CBC) feeds each cipher text block into the encryption of the next, so that identical plaintext
blocks do not produce identical cipher text blocks; encrypting every block independently (ECB mode)
leaks patterns in the data. A block cipher processes more data than a stream cipher on each pass and is
the more common choice today.
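The stream cipher points above (XOR with a keystream, the one-time pad, and the danger of a reused or repeating key) are shown in the added example below. It is not code from the learning guide; the messages and the three-byte demonstration key are constructed, and the XOR construction is the generic one, not any named cipher.

```python
"""Stream cipher and one-time pad demonstration. Added example; the
messages and keys are constructed. Shows encryption by XOR with a
keystream, why a one-time pad is unbreakable (any plaintext of the same
length is a possible decryption), and why reusing the keystream, or
repeating a short key, leaks the plaintexts."""
import os


def xor_stream(data: bytes, keystream: bytes) -> bytes:
    """Encrypt or decrypt (the same operation): byte-wise XOR with the keystream."""
    if len(keystream) < len(data):
        raise ValueError("keystream must be at least as long as the data")
    return bytes(d ^ k for d, k in zip(data, keystream))


def one_time_pad(length: int) -> bytes:
    """A fresh random pad as long as the message. Use once, then destroy it."""
    return os.urandom(length)


def repeating_key_stream(key: bytes, length: int) -> bytes:
    """Keystream made by repeating a short fixed-length key: the weak case."""
    return (key * (length // len(key) + 1))[:length]


def pad_that_decrypts_to(ciphertext: bytes, wanted: bytes) -> bytes:
    """Perfect secrecy: for ANY plaintext of the right length there is a pad
    that turns this ciphertext into it, so the ciphertext alone proves nothing."""
    return xor_stream(ciphertext, wanted)


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """Same keystream on two messages: c1 XOR c2 == p1 XOR p2, the key cancels."""
    return bytes(a ^ b for a, b in zip(c1, c2))


def crib_drag(p1_xor_p2: bytes, crib: bytes):
    """Slide a guessed word (a 'crib') along p1 XOR p2. Where the guess is
    right, the result is readable text from the other message."""
    hits = []
    for offset in range(len(p1_xor_p2) - len(crib) + 1):
        window = p1_xor_p2[offset:offset + len(crib)]
        candidate = bytes(a ^ b for a, b in zip(window, crib))
        if all(32 <= b < 127 for b in candidate):      # printable ASCII only
            hits.append((offset, candidate.decode("ascii")))
    return hits


def demo() -> dict:
    p1 = b"attack at dawn"
    p2 = b"defend at noon"
    pad = one_time_pad(len(p1))
    c1 = xor_stream(p1, pad)
    c2 = xor_stream(p2, pad)            # MISTAKE: the pad is reused for a second message
    leak = two_time_pad_leak(c1, c2)    # attacker needs only the two ciphertexts

    # Repeating a 3-byte key within ONE message has the same flaw: bytes 3 apart
    # were XORed with the same key byte, so their XOR exposes the plaintext relation.
    msg = p1 + b"; " + p2
    c = xor_stream(msg, repeating_key_stream(b"KEY", len(msg)))
    return {
        "roundtrip": xor_stream(c1, pad) == p1,
        "leak_is_p1_xor_p2": leak == bytes(a ^ b for a, b in zip(p1, p2)),
        "crib_hits": crib_drag(leak, b"attack"),
        "alternative_pad_works":
            xor_stream(c1, pad_that_decrypts_to(c1, b"retreat at ten")) == b"retreat at ten",
        "repeating_key_leak":
            two_time_pad_leak(c[0:3], c[3:6]) == two_time_pad_leak(msg[0:3], msg[3:6]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Guessing "attack" at offset 0 of the leaked XOR yields "defend" from the other message, with no knowledge of the pad at all. This is why a keystream must never be reused and why real stream ciphers require a unique nonce per message.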
Private Key Encryption
Private key encryption is also known as symmetric encryption or single key encryption. This
encryption method uses one key to both encrypt and decrypt information. All people and systems
accessing the cipher text must decipher it with the same key that was used to encrypt the data.
The security of data using this method depends upon the security of the key. Only authorized people
and systems should have the key. It should be kept private and secret. If anyone else knows the key,
Public Key Encryption
Public key encryption (asymmetric encryption) uses a pair of mathematically related keys: a public key
that may be given to anyone and a private key held only by its owner. Information encrypted with the
public key can only be decrypted using the private key of the key pair. Therefore only the owner of the
private key can decipher the information. The public key used to
Digital Certificates
Public key encryption works using pairs of keys. Anyone wishing to send an encrypted message must
use the recipient's public key to encrypt the message. If the recipient of the message wishes to verify
the digital signature they must use the sender's public key. Where do we find these keys and how can
we be sure that we are using the correct key of a pair?
Digital certificates provide a means of identifying and managing public keys. A digital certificate is a
signed data structure (most commonly in the X.509 format) containing the holder's identity, their public
key, a validity period and the digital signature of the issuing authority over those contents. It is not
encrypted or password protected, because it is meant to be distributed freely; only the matching private
key must be kept secret (private key files are often stored password protected, which is a separate
matter). Anyone holding the issuer's public key can verify the signature and so trust that the public key
belongs to the named identity.
A certificate server stores digital certificates and is used as a central location for users requiring public
keys. The issuer is known as a Certificate Authority (CA): a trusted authority providing certified public
key information. CAs can be set up within an organizational network or are available as a service on the
internet. CAs can work in a hierarchy or mesh fashion, where one CA certifies the keys of other CAs.
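The added example below (not code from the guide or from any real PKI product) ties the public key section and the certificate section together with textbook RSA: encryption with the recipient's public key and decryption with the private key, signing with the sender's private key and verification with the sender's public key, and a minimal "certificate" in which a CA signs the binding between a name and a public key. The primes are tiny and chosen only so the arithmetic is visible; the subject name, the message and the certificate layout are assumptions. Real systems use 2048-bit or larger keys, OAEP/PSS padding and a vetted library.

```python
"""Public key encryption, digital signatures and a minimal certificate with
textbook RSA. Added example for illustration only; never use for real security."""
import hashlib


def generate_keypair(p: int, q: int, e: int = 65537):
    """Return ((n, e), (n, d)) for primes p and q. Assumes gcd(e, phi) == 1."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)              # private exponent: modular inverse of e
    return (n, e), (n, d)


def encrypt(public_key, m: int) -> int:
    """Anyone may encrypt with the recipient's PUBLIC key (m must be < n)."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message integer must be smaller than the modulus")
    return pow(m, e, n)


def decrypt(private_key, c: int) -> int:
    """Only the holder of the PRIVATE key recovers m."""
    n, d = private_key
    return pow(c, d, n)


def _digest_int(message: bytes, n: int) -> int:
    """Hash the message and reduce it below the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message: bytes) -> int:
    """Signature: the message hash raised to the signer's private exponent."""
    n, d = private_key
    return pow(_digest_int(message, n), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """The verifier uses the sender's PUBLIC key: undoing the private exponent
    must give back the hash of the message."""
    n, e = public_key
    return pow(signature, e, n) == _digest_int(message, n)


def _certificate_bytes(cert: dict) -> bytes:
    """Canonical 'to be signed' form of the certificate fields."""
    return f"{cert['subject']}|{cert['n']}|{cert['e']}".encode()


def issue_certificate(ca_private_key, subject: str, subject_public_key) -> dict:
    """The CA binds an identity to a public key by signing both together."""
    n, e = subject_public_key
    cert = {"subject": subject, "n": n, "e": e}
    cert["ca_signature"] = sign(ca_private_key, _certificate_bytes(cert))
    return cert


def verify_certificate(ca_public_key, cert: dict) -> bool:
    """Anyone holding the CA's public key can check the binding; any change to
    the name or the key invalidates the CA signature."""
    return verify(ca_public_key, _certificate_bytes(cert), cert["ca_signature"])


# Demonstration primes (assumed; chosen so gcd(65537, phi) == 1). Far too small for use.
CA_PUBLIC, CA_PRIVATE = generate_keypair(1000037, 1000039)
ALICE_PUBLIC, ALICE_PRIVATE = generate_keypair(1000003, 1000033)
ALICE_CERT = issue_certificate(CA_PRIVATE, "alice@example.com", ALICE_PUBLIC)

if __name__ == "__main__":
    c = encrypt(ALICE_PUBLIC, 123456789)
    print("decrypted:", decrypt(ALICE_PRIVATE, c))
    s = sign(ALICE_PRIVATE, b"transfer 100")
    print("signature valid:", verify(ALICE_PUBLIC, b"transfer 100", s))
    print("certificate valid:", verify_certificate(CA_PUBLIC, ALICE_CERT))
```

The certificate check answers the question posed above ("how can we be sure we are using the correct key of a pair?"): a recipient who trusts the CA's public key verifies the certificate and then uses the public key it contains, rather than one supplied by whoever is on the other end of the connection.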
Reflect: Australian CAs
What Australian organizations act as Certificate Authorities (CAs)? To find out more, go online and
search for the phrase
‘Australian Digital Certificate Authority' through your preferred search engine (such as Google:
www.google.com). You will find large organizations such as Australia Post and VeriSign Australia
act as CAs. What other organizations also act as CAs?
For an overview of PKI try the Section 6 networks website (www.section6.net). Go to the Tutorials
section and search for 'Digital certificates'.
Reflect: Kerberos
Find out more about who uses Kerberos. Use your preferred search engine (for example Google:
www.google.com.au) to search for information about which products use Kerberos. Does Windows use it?
What about Eudora or SAP?
Secure Data Transmission
There are a number of methods that use encryption to ensure that data transmission on a network is
secure.
Internet Protocol Security (IPSec)
This protocol suite defines encryption, authentication and key management for TCP/IP transmissions.
It secures data in transit at the IP packet level, so it protects the traffic of any higher-layer
application without changes to the application itself.
The Point-to-Point Tunneling Protocol (PPTP) is an extension of the existing Point-to-Point Protocol
(PPP). PPTP encapsulates PPP frames, and so the packets of other protocols they carry, so that they can be
transported via a switched network (the Internet) to a specific destination. The destination receives the
PPTP packet and extracts the encapsulated data. PPTP also supports encryption (MPPE) and authentication
(usually MS-CHAP). The protocol was developed by a vendor consortium led by Microsoft (published as
RFC 2637) and has been widely used in conjunction with VPNs (see below). Open source implementations
exist (for example 'PPTP Client', see the SourceForge website: pptpclient.sourceforge.net). Note that
PPTP's MS-CHAPv2 authentication, and the MPPE keys derived from it, are now considered broken, so PPTP
should not be relied on to protect sensitive traffic; IPSec or TLS-based VPNs are preferred.
Pretty Good Privacy (PGP)
PGP is one of the most popular encryption programs. It is a public key encryption system that
provides authentication (digital signatures) and encryption. It is commonly used for email and supports a
wide range of operating systems. Both commercial and open source versions (such as GnuPG) are available.
See the website www.pgp.com for PGP information.
No matter how good an encryption system is it still requires some sort of management. Security relies
on keeping private keys secret. If keys are stored or delivered ad hoc there is a good chance that the
private keys will be compromised. Management and maintenance processes need to be checked to
ensure security.
Users need to be aware of security issues. For example an encryption system may be doing its job
well, but if a user leaves a logged on computer unattended the confidentiality of information may
be compromised by someone else accessing the logged on computer.
Self Check
Question 1: What is 'Single key encryption' and by what other name(s) is it known?
LEARNING GUIDE # 18
Network Security
What is network security? Before we can evaluate the status of network security we need to
understand what network security is.
Security refers to the measures taken to protect certain things or elements of information. There are three
main elements.
Confidentiality (Privacy)
This means keeping information secret and safe. It means controlling access to information so that
only the people with authorization will access the information. No one else should have access to the
information.
With Network Security this means keeping all information stored in a network environment
confidential and safe. This means keeping unauthorized people off the network and preventing them
from browsing around and accessing thing they have no authority to access.
Integrity (Honesty)
This refers to the correctness of information. It means making sure that the information is kept as it
should be and not altered or changed by unauthorized people. It also means protecting the
information from changes or corruption by other things like system or program failures or external
events.
With Network Security this means keeping all information stored in a network environment as it
should be. Information includes user generated data, programs, computer services and processes
(email, DNS, etc). This means protecting information from unauthorized changes and deletion by
people, network devices or external influences.
Availability (Accessibility)
This refers to the ability to access and use information. It means making sure that the information can be
accessed whenever it’s required. If information is not available it is useless.
With Network Security this means keeping all information stored in a network environment ready and
accessible to those who need it when they need it. Information includes user-generated data, programs,
computer services and processes (email, word processing application, etc).
Threat
A threat is anything that could compromise the confidentiality, integrity and/or availability of network
information. People or organizations that have possible access to the network may present threats. Threats
are presented by people or organizations that have some reason for compromising network security and
have the knowledge and resources to do so. Some examples of threats are hackers gaining access to
confidential files, a disgruntled employee deleting corporate data, or virus infections corrupting data.
Joy riders also pose a threat: they have no particular reason for gaining access except for the challenge,
a bit of fun or perhaps prestige within their peer group.
Threats may also arise through circumstance. For example using second hand or old hardware
may pose a threat to network security.
Vulnerability (Weakness)
This refers to potential ways or avenues that could be used to compromise network security. For a
network to be vulnerable it must be accessed in some way. For example, Internet connection, user
workstations, wireless access via user laptops are all means of accessing the network. All these access
points use various systems such as firewall, computer operating systems, transmission protocols to
authenticate and authorize network access. Various methods can be used to gain unauthorized access if
vulnerabilities exist in the systems.
Operating system bugs, shortcomings in the authentication mechanism, and no security checks for
people entering the workplace are examples of vulnerabilities.
Countermeasures
Countermeasures are used to reduce the level of vulnerability in the organization. They can be physical
devices, software, policies and procedures. Examples of countermeasures include firewalls, antivirus
software and security guards checking employee IDs as they enter the building. In most cases,
countermeasures are implemented at network access points or where the vulnerability exists.
Impact
Impact means what will happen to the organization if a threat actually happened. The consequence of a
threat occurring is usually measured in financial terms because the result may be loss of business
productivity, stolen equipment replacements and repairs, costs for investigation and expert contractors.
Other consequences may be damage to reputation, loss of business or time and resource related.
Assessing impact can be an involved process and a topic in itself. In brief, the assessment is usually
done by first identifying the systems or resources in the organization. Then, by analyzing usage patterns,
business processes and work flow, the importance of each system is determined. Finally, with user and
management questionnaires and the same analysis of usage, business processes and workflow, the
consequence of the system or resource being unavailable or compromised is determined in financial and other terms.
Likelihood (Possibility)
For any breach of security, there must be some form of access so it is important to consider all
possible means of access (physical and electronic). While hackers are usually associated with
external 'criminals', network security is more often jeopardized from within an organization.
Look for vulnerabilities in the following areas of the individual network components:
Lack of a security policy, leading to users not knowing or understanding security requirements
Dishonest or disgruntled employees abusing their access rights
An 'unused' computer being left logged on to the network, thereby providing access to an unauthorised user
Users or administrators choosing easy-to-guess passwords
Computer rooms being left unlocked, allowing unauthorized physical access
Backup tapes or floppy disks containing confidential information being discarded in public waste bins
Administrators failing to delete the system accounts of employees who have left the organization
Brute-force attacks are similar to dictionary attacks. The difference is that brute-force intruders,
having sniffed the encrypted passwords, try to crack them by testing all possible combinations of
characters. These characters include not only letters but other characters as well.
Replay attacks: by reprogramming their client software, a cracker may not need to decrypt the
password at all; the encrypted password can be used 'as is' to log into systems.
Consider what issues or concerns result from your findings. These concerns may become threats and
risks. For each concern or issue, consider what you can do to remove it.
Take a look at the sample Risk Evaluation table below.
Sample Risk Evaluation table

Identify the network system or component
(Example: Finance database server, Windows 2000)

Assessment area: Physical environment
(List here your findings about the physical security of the system)
(Example: insecure computer room)
  Finding (Example): Anyone can walk in and access the computer and console. They could copy
  or delete information and damage the hardware.
  Recommendation (Example): Lock the computer room and only authorized people have keys.

Assessment area: Access configurations
(This includes authentication systems, electronic access to the system, operating system
configurations for access)
  Finding (Example): Password complexity is low. Passwords could be easily cracked.
  Recommendation (Example): Change system requirements for longer and complex passwords.

Assessment area: Authorized users and access levels
(List of authorized users and what they can do and access on the system)
(Example: Default permission set on all files for everyone accessing the server)
  Finding (Example): Default permission is to read all files. Secure information cannot be changed
  or deleted by unauthorized people but anyone logged in can see it.
  Recommendation (Example): Do not use default permissions. Develop required permissions for each
  group of users and implement them.

Assessment area: Process or procedural assessment
(List any failings in procedures or work practices. This includes the way the system or network is used.)
  Finding (Example): Anyone can gain access when the authorized user is away from the desk.
  Recommendation (Example): Set password protected screensavers to activate after 5 minutes and
  educate users about the need for security.

Assessment area: Vulnerability test results
(List test results from specific tests or test utilities like penetration tests, network scans, etc.)
  Finding (Example): Results show code that may leave the server open to remote control by
  unauthorized people.
  Recommendation (Example): Apply the vendor supplied security patch to the server.

Assessment area: Existing countermeasures
(List existing specific countermeasures for the system and any failings of these)
  Finding (Example): Antivirus software is 3 months out of date. The server is vulnerable to the
  latest virus.
  Recommendation (Example): Update the antivirus software and develop procedures to ensure
  regular updates.
Using tables like the one above gives us a picture of the security status of the components and of the
network as a whole. As network or system administrators we make technical recommendations on these
findings to improve or correct any network security deficiencies. However, it is up to organization
management to approve any recommendation.
Information on threats, vulnerabilities, impact or consequence, along with recommendations
(including implementation costs) addressing the risks, must be provided in a meaningful way for
organizational management to make sound decisions regarding network security.
Quantifying Risk
We know that risk is the result of threats and vulnerabilities, but how do we measure the risk?
One useful way is to scale risks based on impact and likelihood. Using this method, organisational
management can identify the most likely and most damaging risks.
Consider the table below. Risk is calculated by multiplying impact by likelihood, each scored
from 0 to 5. Risk is therefore scaled between 0 = no risk and 25 = extreme risk.
Risk: Confidentiality of client records
(Example: credit card numbers may be gained by unauthorized people)

Access means: Access to information from outside the organization via internet
  Impact 5, Likelihood 0, Risk 0
  Findings: Records kept on database server on a separate network segment not accessible via
  internet. This risk does not exist because there is no vulnerability.
  Recommendation: None required as long as the server remains isolated.

Access means: Access via internal workstations
  Impact 5, Likelihood 2, Risk 10
  Findings: Unauthorized person may gain access to the building and computers in the closed
  segment. Covert employee activity may occur.
  Recommendation: Increase building access security by introducing security guards and key
  card access. Employee education on security issues. Implement auditing on sensitive
  resource accesses.

Access means: Access via failed process and procedures
  Impact 5, Likelihood 1, Risk 5
  Findings: Procedure checks in place. Copies of shredded printouts may be accessed.
  Recommendation: Audit procedures and perform spot checks. Locked document destruction bins.
In the above example both impact and likelihood are equally weighted. If an organization
is only concerned with impact, then likelihood may use a smaller scale or not be used at
all to calculate the risk factor.
It is a management decision to accept the risk, with its consequences and potential cost to the
organization. The alternative is to implement countermeasures or mitigation strategies to
reduce the impact or likelihood. These measures usually come at a cost, and management
needs to decide whether it wishes to potentially spend a lot of money to prevent something that
is unlikely to occur.
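As an added example (not code from the learning guide), the scoring rule above as a small Python risk register: it validates the 0 to 5 scores, multiplies impact by likelihood, lets likelihood use a smaller scale or be left out as the guide suggests, and ranks the rows of the client records table worst-first. The row names and recommendations are shortened from the table; the function names are my own.

```python
# Added example, not code from the learning guide: a small risk register that
# applies the guide's rule risk = impact x likelihood on 0..5 scales (0 = no
# risk, 25 = extreme risk), lets likelihood use a smaller scale or be left out
# (the alternative the guide mentions), and ranks the rows worst-first.
from dataclasses import dataclass

IMPACT_MAX = 5  # impact is always scored 0..5 in the guide's table


@dataclass
class RiskRow:
    access_means: str    # how the asset could be reached
    impact: int          # 0..IMPACT_MAX
    likelihood: int      # 0..likelihood_max
    recommendation: str


def _check(value, low, high, label):
    """Reject a score that is not an integer inside the allowed range."""
    if not isinstance(value, int) or not low <= value <= high:
        raise ValueError(f"{label} must be an integer in {low}..{high}, got {value!r}")


def risk_score(impact, likelihood, likelihood_max=5):
    """Risk = impact x likelihood. likelihood_max=5 gives the guide's 0..25
    scale; a smaller likelihood_max down-weights likelihood; 0 means likelihood
    is not used at all and the risk is the impact alone (0..5)."""
    _check(impact, 0, IMPACT_MAX, "impact")
    if likelihood_max == 0:
        return impact
    _check(likelihood, 0, likelihood_max, "likelihood")
    return impact * likelihood


def max_risk(likelihood_max=5):
    """Top of the scale for the chosen weighting (25 for the guide's default)."""
    return IMPACT_MAX * (likelihood_max if likelihood_max else 1)


def rank_register(rows, likelihood_max=5):
    """Return (access_means, risk) pairs, highest risk first, so management
    sees the most likely and most damaging risks at the top of the summary."""
    scored = [(r.access_means, risk_score(r.impact, r.likelihood, likelihood_max))
              for r in rows]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# The three rows of the guide's "Confidentiality of client records" example
# (names and recommendations shortened).
CLIENT_RECORDS = [
    RiskRow("Access from outside via internet", 5, 0, "None required while server stays isolated"),
    RiskRow("Access via internal workstations", 5, 2, "Guards, key card access, auditing, education"),
    RiskRow("Access via failed process and procedures", 5, 1, "Audit procedures, locked destruction bins"),
]
```

Calling rank_register(CLIENT_RECORDS) reproduces the table's scores (10, 5, 0) in the order management should read them; rank_register(CLIENT_RECORDS, likelihood_max=0) gives the impact-only view.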
Prepare Report
As mentioned, your risk assessment findings must be presented using clear
documentation. The report presented to management regarding the status of network
security should include:
Your summary of concerns and recommendations in plain English
A summary of findings, including your main concerns, possible consequences
and current network security compliance with existing organization policy and
standards
Recommendations, including implementation costs, resources required, time
required, and potential impact on continuing business or systems access
A risk summary table including impact and likelihood (weighted if required)
Your methods of evaluation and investigation of the network security status
Any other relevant supporting documentation
As an IT professional, management will be relying on your skills and judgment in
presenting a clear picture of the current network security status. The key point to remember
here is that management wants to know whether the organization is exposed to potential risk,
what is really at risk, and how much it will cost in financial terms, time and material to
mitigate the risk.
As IT professionals, we sometimes think only in technical terms and fail to look at the big
picture. What you present must be understood by non-technical people so that they can
make valid and justifiable business decisions using your information.
Summary
There is a lot of hype about network security and with it comes the potential to spend big
dollars in securing a network. We now know how to assess and evaluate the status of
network security by identifying real and valid threats. Without vulnerabilities to the threat
there is no risk to network security.
We have learnt that there must be some form of access to the network for security breaches to
occur. Evaluating network security means looking at the individual components that make up
the network, investigating how they are accessed, and specifically looking for vulnerabilities in
confidentiality, integrity and availability. Third party security evaluation tools are a most
useful resource when used in conjunction with our other findings to formulate
recommendations.
Learning guide 18 Date 09-2017 Page 46 of 47
Author: IT Experts
Training, Teaching and Learning Materials Development Lo4
Most importantly, our findings need to be interpreted and presented in a meaningful way with
recommendations that are easily understood. Management makes decisions on acceptable risk
not administrators.
Self check
Part I. Answer the following questions
1. What is network security?
2. What are threats?
3. What are vulnerabilities?
4. Make a list of five things that should be investigated when evaluating the security