CHAPTER 9 Protecting Your System: Network (Internet) Security

Introduction to Network Security

Network security, especially as it relates to the biggest network of all, the Internet, has emerged as one of today's highest-profile information security issues. Many education organizations have already connected their computing resources into a single network; others are in the process of doing so. The next step for these organizations is to weigh the costs and benefits of opening a connection between their private networks (with their trusted users) and the unknown users and networks that compose the Internet.
If, like many readers, you have turned to this Network and Internet chapter first because it is your highest priority, be reminded that the information in the other chapters of this document cannot be ignored. To reduce redundancy, security strategies from Chapters 1-8 and 10 that also apply to network and Internet security are not repeated in this chapter.

Warning! Discussions about Internet security can get technical. But while this issue is not for the faint of heart, it can and must be addressed before going online!
While employment sanctions and denial of access privileges are enforceable deterrents for internal users, they are not options for external Internet users.

Commonly Asked Questions

Q. What is the Internet?
Q. Wouldn't an internal network be safer if it were never connected to an external network like the Internet in the first place?
Q. Why is there so much anxiety over connecting to the Internet?
When you don't know who is accessing your network, you also don't know their intentions or level of technical expertise; thus, choosing to connect to the Internet has a significant impact on an organization's risk assessment (see Chapter 2).

It Really Happens!

Dan's files were losing data. There were no two ways about it: they had somehow been infected by a computer virus, and it deeply perplexed him. After all, hadn't he just downloaded a new virus scanner from the Internet precisely so this wouldn't happen? He was so baffled by the situation that he called Lisa, the office's computer guru, to explain the mystery.

"I had been worried about my files accidentally getting infected by a virus for some time--you know, you read so much about it. So when I received this e-mail about getting a free virus scanner..."

Lisa interrupted, "What do you mean you received an e-mail? Who sent it?"

"That's the interesting part," Dan replied. "The guy who sent it said it was an electronic cold call. It seems that he was working for a software company and was trying to drum up business by offering a free virus scanner on a trial basis. I thought that it sounded weird, but when I visited the Web site, it all checked out."

Lisa also thought that it sounded odd and resolved to do some investigating. The first thing she did was run the software Dan had downloaded through her own virus scanner, one that had been verified for its authenticity. Sure enough, the scan revealed that Dan's download harbored a hidden virus--probably the one that was destroying his files. Now convinced that something very fishy was indeed going on, she decided to pay a visit to the Web site from which Dan had downloaded the software. When she got to it, the solution to the puzzle stared her in the face:

The Web site you have accessed belongs to Antivirus, Inc.
Guidelines for security policy development can be found in Chapter 3.

Policy Issues

Connecting to the Internet doesn't necessarily raise its own security policy issues as much as it focuses attention on the necessity of implementing security strategies properly. Internet security goals fall within two major domains. The first centers on protecting your networks, information, and other assets from outside users who enter your network from the Internet. The second deals with safeguarding information as it is being transmitted over the Internet.

Although it is not within the scope of this document to address in sufficient detail, policy-makers must also consider what information can and cannot be posted to the Internet on, for example, a school's Web page.
As discussed more completely in Chapter 2, a threat is any action, actor, or event that contributes to risk.

If your brand-name operating systems, hardware, or software have any known security weakness built in, someone on the Internet will know about it. The Computer Emergency Response Team (CERT) Web site and comparable sites (see Appendix E) monitor weaknesses in computer software and post corrections. You should watch these sites--after all, hackers do. Watching is only half the job: the posted corrections must actually be applied to your systems, and promptly, because the interval between a weakness being published and an attacker trying it against you is short.

A countermeasure is a step planned and taken in opposition to another act or potential act.

Select only those countermeasures that meet perceived needs as identified during risk assessment (Chapter 2) and that support security policy (Chapter 3).

Network Security Countermeasures

Because the Internet is relatively new, it isn't surprising that its standards are still being established and agreed upon. Consequently, it also shouldn't be surprising that its existing mechanisms for governing information exchanges are varied, not uniformly implemented, and, in many cases, not interoperable. Thus, it is only fair to admit that although the following countermeasures will greatly increase Internet security, more sophisticated and robust solutions remain on the horizon.

The following countermeasures address network security concerns that could affect your site(s) and equipment. These strategies are recommended when risk assessment identifies or confirms the need to counter breaches in the security of your network. Countermeasures come in a variety of sizes, shapes, and levels of complexity. This document endeavors to describe a range of strategies that are potentially applicable to life in education organizations. In an effort to maintain this focus, those countermeasures that are unlikely to be applied in education organizations are not included here. If after your risk assessment, for example, your security team determines that your organization requires high-end countermeasures like retinal scanners or voice analyzers, you will need to refer to other security references and perhaps even hire a reliable technical consultant.
Digital signatures, time stamps, sequence numbers, and digital certificates are simply more examples of "authentication" procedures as discussed in Chapter 8.

Protect Your Network from Outsiders:

"Encryption" is a term used to describe when information is transformed into an unreadable format unless the reader possesses the appropriate key for decryption. The term "key" refers to the secret value that is fed into the mathematical procedure used to code (encrypt) and decode (decrypt) the information; the procedure itself is usually public, so the secrecy of the information rests entirely on the secrecy of the key.

More Than You Need to Know about How Messages Are Encrypted

The process of encrypting and decrypting files depends on which encryption model your security solution employs. Encryption models vary in the number and size of the key(s) they use. As a general rule, the larger the key, the tougher it is to crack, because an attacker who does not have the key must try far more possibilities to find it. There are two major types of encryption key systems currently in use:

Consensus appears to be moving the Internet toward a public/private key system in which third-party organizations that are entrusted as certificate authorities provide key management. Key management refers to the secure administration of encryption keys so that they become available to users only when and where they are required. This system is often referred to as the Public Key Infrastructure.
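The following is an added example, not code from the original chapter, showing in miniature how the public/private key system and the certificate authority role described above fit together: the CA signs a user's public key to produce a certificate; a recipient who trusts only the CA's public key can then verify both the certificate and a message signed by the user; and the "larger key, tougher to crack" rule is shown by recovering a deliberately tiny private key through factoring and forging a signature with it. The key sizes, the subject name "dan@example.edu" and the message contents are constructed for illustration. The arithmetic is textbook RSA without padding, which is adequate for showing the idea but not for real use; real systems use keys of 2048 bits or more with padded signatures.

```python
# Added example, not code from the original chapter: a toy public/private
# key system with a certificate authority. Textbook RSA, no padding, and
# deliberately tiny keys so the factoring step below runs in well under a
# second. Real systems use 2048-bit or larger keys and padded signatures.
# Requires Python 3.8+ for pow(e, -1, m).
import hashlib
import math
import random


def is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    """Random prime of exactly `bits` bits (top and bottom bits forced to 1)."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand


def keygen(bits, seed=None):
    """Return (public, private) = ((n, e), (n, d)) for an RSA modulus of about `bits` bits."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p = random_prime(bits // 2, rng)
        q = random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def _digest(message, n):
    """SHA-256 of the message, reduced into the key's modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(priv, message):
    n, d = priv
    return pow(_digest(message, n), d, n)


def verify(pub, message, signature):
    n, e = pub
    return pow(signature, e, n) == _digest(message, n)


def _cert_bytes(cert):
    """Canonical bytes the CA signs: the name and the public key, bound together."""
    n, e = cert["pub"]
    return f"{cert['subject']}|{n}|{e}".encode()


def issue_certificate(ca_priv, subject, subject_pub):
    """The CA binds a name to a public key by signing the two together."""
    cert = {"subject": subject, "pub": subject_pub}
    cert["ca_sig"] = sign(ca_priv, _cert_bytes(cert))
    return cert


def verify_signed_message(ca_pub, cert, message, signature):
    """Trust only the CA's public key: check the certificate first, then the message."""
    if not verify(ca_pub, _cert_bytes(cert), cert["ca_sig"]):
        return False
    return verify(cert["pub"], message, signature)


def crack_private_key(pub):
    """Recover the private key by factoring n with trial division. Feasible only
    because the key is tiny: the 'larger key, tougher to crack' rule in action."""
    n, e = pub
    p = 3
    while n % p:
        p += 2
    q = n // p
    return (n, pow(e, -1, (p - 1) * (q - 1)))


if __name__ == "__main__":
    ca_pub, ca_priv = keygen(32, seed=1)      # constructed CA key
    dan_pub, dan_priv = keygen(32, seed=2)    # constructed user key
    cert = issue_certificate(ca_priv, "dan@example.edu", dan_pub)  # hypothetical subject
    msg = b"scanner-1.0 is genuine"           # constructed message
    print("genuine message accepted:", verify_signed_message(ca_pub, cert, msg, sign(dan_priv, msg)))
    forged = sign(crack_private_key(dan_pub), b"malware")
    print("forgery accepted after cracking a 32-bit key:", verify_signed_message(ca_pub, cert, b"malware", forged))
```

Two points worth noticing when running it. A certificate issued by anyone other than the trusted CA is rejected even though the subject name and public key inside it are correct, which is exactly the protection a certificate authority provides against the kind of impostor in the "It Really Happens!" story. And the forgery succeeds only because a 32-bit modulus can be factored by counting up from 3; raising the key size makes that step infeasible, which is the whole content of the "larger key" rule.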
Closing Thoughts on Network Security

The Internet simply is not secure unless you make it so. Luckily, basic Internet security is not beyond a non-technical person's ability to understand. By collaborating with technical support staff (or outside consultants if necessary), educational administrators can ensure that the near limitless amount of information and resources that exist on the Internet are available to system users without jeopardizing system integrity. It should also be noted that network configurations are constantly changing. Many organizations are now relying upon Intranets for their internal communications. All security recommendations for the Internet can also be applied to Intranet applications.
While it may be tempting to refer to the following checklist as your security plan, to do so would limit the effectiveness of the recommendations. They are most useful when initiated as part of a larger plan to develop and implement security policy within and throughout an organization. Other chapters in this document also address ways to customize policy to your organization's specific needs--a concept that should not be ignored if you want to maximize the effectiveness of any given guideline.
Security Checklist for Chapter 9
