
NETWORK SECURITY FUNDAMENTALS PDF

Tuesday, January 14, 2020


Fundamentals of Network Security (presentation, PDF). Topics: Network Security Basics; Security Issues, Threats and Attacks; Cryptography and Public Key Infrastructure; Security on Different Layers; Layer 2 and BGP. introductory level class, I wanted the book to cover the fundamentals of network security. Many good books covering computer or network security are available.



Network Security Fundamentals. Steven Taylor, President, Distributed Networking Associates, Inc.; Publisher/Editor, Webtorials. Policy and Control Systems: dynamic control systems providing real-time and out-of-band analytics, focused on specific needs and drivers. Network security threats: ping sweeps and port scans (reconnaissance); sniffing (capturing packets as they travel through the network); man-in-the-middle attacks (intercepting messages).


These terms refer to those who break into computers without authorization or exceed the level of authorization granted to them. While these problems get the largest amount of press coverage and movies, they only account for five to eight percent of the total picture. They are real and they can cause a great deal of damage.

But when attempting to allocate limited information protection resources, it may be better to concentrate efforts in other areas. To be certain, conduct a risk analysis to see what the exposure might be. In making these decisions, managers face difficult choices involving resource allocation, competing objectives, and organization strategy related to protecting both technical and information resources as well as guiding employee behavior. As such, information reaches beyond the boundaries of IT and is present in all areas of the enterprise.

There are as many forms, styles, and kinds of policy as there are organizations, businesses, agencies, and universities. In addition to the various forms, each organization has a specific culture or mental model of what a policy should look like, how it should be structured, and who should approve the document. The key point here is that every organization needs an information protection policy.

According to the CSI report on Computer Crime, 65 percent of respondents to its survey admitted that they do not have a written policy. The beginning of an information protection program is the implementation of a policy.

This book leads the policy writer through the key structure elements and then reviews some typical policy contents. Because policies are not enough, this book teaches the reader how to develop standards, procedures, and guidelines. Each section provides advice on the structural mechanics of the various documents, as well as actual examples.

The process of risk management is to identify those risks, assess the likelihood of their occurrence, and then take steps to reduce the risk to an acceptable level.

All risk analysis processes use the same methodology. Determine the asset to be reviewed. Identify the risk, issues, threats, or vulnerabilities. Assess the probability of the risk occurring and the impact to the asset or the organization should the risk be realized. Then identify controls that would bring the impact to an acceptable level. It takes the reader through the theory of risk analysis: Identify the asset.

Identify the risks. Prioritize the risks. Identify controls and safeguards. The book will help the reader understand qualitative risk analysis; it then gives examples of this process. To make certain that the reader gets a well-rounded exposure to risk analysis, the book presents eight different methods, concluding with the Facilitated Risk Analysis Process (FRAP).

The primary function of information protection risk management is the identification of appropriate controls. In every assessment of risk, there will be many areas for which it will not be obvious what kinds of controls are appropriate.

The goal of controls is not to have percent security; total security would mean zero productivity. Controls must never lose sight of the business objectives or mission of the enterprise. Whenever there is a contest for supremacy, controls lose and productivity wins. This is not a contest, however. The goal of information protection is to provide a safe and secure environment for management to meet its duty of care.

These include the legislation and regulations that govern your enterprise along with safety, reliability, and quality requirements. Remember that every control will require some performance requirements. These performance requirements may be a reduction in user response time; additional requirements before applications are moved into production or additional costs.

Be sure to examine any and all technical requirements and cultural constraints. If your organization is multinational, control measures that work and are accepted in your home country might not be accepted in other countries.

Accept residual risk; at some point, management will need to decide if the operation of a specific process or system is acceptable, given the risk. There can be any number of reasons that a risk must be accepted; these include but are not limited to the following: Information protection professionals sometimes forget that the managers hired by our organizations have the responsibility to make decisions.

The job of the ISSO is to help information asset owners identify risks to the assets.

Assist them in identifying possible controls and then allow them to determine their action plan. Sometimes they will choose to accept the risk, and this is perfectly permissible.

This book discusses these new standards in detail. Implementing controls to be in compliance with audit requirements is not the way in which a program such as this can be run. There are limited resources available for controls. To meet this end, it will be necessary for the information protection professionals to establish partnerships with their constituencies.

Work with your owners and users to find the appropriate level of controls. Understand the needs of the business or the mission of your organization. And make certain that information protection supports those goals and objectives. Information security is such a wide-ranging topic that it can be rather difficult to define precisely what it is. So when it came time for me to try to define it for the introduction of this chapter, I was stuck for a long period of time.

Following the recommendation of my wife, I went to the best place to find definitions for anything — the dictionary. I pulled up the Merriam-Webster dictionary online and came up with these entries: Main Entry: Considering that I have worked in information security for almost nine years now, it was a little unsettling to not be able to define, at the most basic level, what I really did.

The greatest difficulty in defining information security is, to me, because it is a little bit like trying to define infinity. It just seems far too vast for me to easily comprehend. All of the facets that we cover in the next few paragraphs are discussed in more detail throughout the remainder of the book. The first and probably most important aspect of information security is the security policy see Figure 2. If information security were a person, the security policy would be the central nervous system.

Policies become the core of information security that provides a structure and purpose for all other aspects of information security. To those of you who may be a bit more technical, this may come as a surprise.

Another aspect of information security is organizational security. Organizational security takes the written security policy and develops the framework for implementing the policy throughout the organization.

This would include tasks such as getting support from senior management, creating an information security awareness program, reporting to an information steering committee, and advising the business units of their role in the overall security process.

The role of information security is still so large that there are many other aspects beyond just the organizational security and security policy. Yet another aspect of information security is asset classification. Asset classification takes all the resources of an organization and breaks them into groups.

This allows for an organization to apply differing levels of security to each of the groups, as opposed to security settings for each individual resource. This process can make security administration easier after it has been implemented, but the implementation can be rather difficult.

However, there is still more to information security. Another phase of information security is personnel security. This can be both fun and taxing at the same time. Personnel security, like physical security, can often be a responsibility of another person and not the sole responsibility of the information security manager. Personnel security deals with the people who will work in your organization. Some of the tasks that are necessary for personnel security are creating job descriptions, performing background checks, helping in the recruitment process, and user training.

As mentioned in the previous paragraph, physical security is a component of information security that is often the responsibility of a separate person from the other facets of information security. Many times when an organization is thinking of stopping a break-in, the initial thought is to stop people from coming in over the Internet — when in fact it would be easier to walk into the building and plug into the network jack in the reception area.

For years I have heard one particular story, which I have never been able to verify, that illustrates this example very well. The attacker decides to break into the organization, not by using the Internet or their telecommunication connection, but instead decides to take a physical approach to the attack.

The attacker walks in the front door of the organization, walks to the second floor server room and proceeds to enter. Supposedly, the server room was having HVAC problems, so the door had to be propped open to allow the excess heat out. The attacker walks through the rows of devices in the server room and walks up to each of the cabinets and reads the electronically generated label on each device.

The attacker then proceeded to turn off the firewall, disconnect the cables, and remove the firewall from the rack. Physical security can encompass everything from closed-circuit television to security lighting and fencing, to badge access and heating, ventilation, and air conditioning (HVAC). One area of physical security that is often the responsibility of the information security manager is backup power.

The use of uninterruptible power supplies (UPS) is usually recommended even if your organization has other power backup facilities such as a diesel generator. Another area of information security is communication and operations management. While it is easy to overlook some of these tasks, doing so can create large security holes in an organization.

Access control is another core component of information security. Following the analogy used previously, if the security policy is the central nervous system of information security, access control would be the skin. Access control can be implemented in many different parts of information systems. Some common places for access control include: In addition to the previously mentioned components of information security, system development and maintenance is another component that must be considered.

In many of the organizations that I have worked for, we never followed either of these principles. One area of system development and maintenance has been getting a lot of attention lately.


Patch management would be a task from the maintenance part of system development and maintenance. And all it takes is one missed patch on any Internet-facing system to provide attackers a potential entry point into your organization. In addition to keeping systems up-to-date with patches, system development is another area that should be security-minded. When a custom application is written for your organization, each component or module of the application must be checked for security holes and proper coding practices.

This is often done quickly or not at all, and can often lead to large exposure points for the attacker. In addition to keeping our systems secure from attackers, we also need to keep our systems running in the event of a disaster — natural or otherwise. This becomes another facet of information security, and is often called business continuity planning. Every information security professional should have some idea of business continuity planning.

Consider what you would do if the hard drive in your primary computer died. Do you have a plan for restoring all your critical files?

For me, it actually took many failed hard drives before I became more diligent in performing home backups of my critical files. In a large organization, just having an idea what you would do in the event of a disaster is not enough.

A formal plan must be written, tested, and revised regularly. This will ensure that when something much worse than a hard drive dying happens to your organization, everyone will know exactly what to do. The last aspect of information security discussed here is compliance.

And you might be telling the truth; but if we go back to our analogy that if information security were a person with security policy being the backbone and access control being the skin, then compliance would be the immune system. I know that might be a rather odd comparison, but compliance is a component of information security and I like to think of the compliance folks like a partner to the security folks.

Many information security professionals spend some time reviewing and testing an information system for completeness and adequacy, and that is compliance. So maybe now you see why information security is so difficult to define — it is just huge! With all the phases from policy to telecommunications, there is a lot to it.


All the phases are equally important, because when it comes to threats to an organization, a breakdown in any of the phases of information security can present a gaping hole to the attacker. This is why the information security professional must have an understanding of all the aspects of information security.


Due to the many different types of threats, it is very difficult to establish and maintain information security. Our attacks come from many different sources, so it is much like trying to fight a war on multiple fronts.

Our good policies can help fight the internal threats and our firewall and intrusion detection system can help fight the external threats. However, a failure of one component can lead to an overall failure to keep our information secure. This means that even if we have well secured our information from external threats, our end users can still create information security breaches. Recent statistics show that the majority of successful compromises are still coming from insiders.

In addition to the multiple sources of information security attacks, there are also many types of information security attacks. The information security triad (Figure 2.) shows the three primary goals of information security. When these three tenets are put together, our information will be well protected.

The first tenet of the information security triad is integrity. A great example of a lack of information integrity is commonly seen in large home improvement warehouses. One day, I ventured to the local home improvement mega-mart looking for a hose to fix my sprinkler system. I spent quite some time looking for the hose before I happened upon a salesperson. The salesperson went to his trusty computer terminal and pulled up information about the hose I needed.

The salesperson then let me know that I was in luck and they had 87 of the particular type of hose I needed in stock. So I inquired as to where these hoses could be found in the store and was told that just because the computer listed 87 in the store, this did not mean that there really were any of the hoses. While this example really just ruined my Sunday, the integrity of information can have much more serious implications. Take your credit rating; it is just information that is stored by the credit reporting agencies.

If this information is inaccurate, or does not have integrity, it can stop you from getting a new home, a car, or a job. The integrity of this type of information is incredibly important, but is just as susceptible to integrity errors as any other type of electronic information. To attain confidentiality, you have to keep secret information secret.

It seems easy enough, but remember the discussion on threat sources above. People from both inside and outside your organization will be threatening to reveal your secret information.

The last tenet of the information security triad is availability. Once again, ISO defines availability as ensuring that authorized users have access to information and associated assets when required.

This means that when a user needs a file or system, the file or system is there to be accessed. This seems simple enough, but there are so many factors working against your system availability. You have hardware failures, natural disasters, malicious users, and outside attackers all fighting to remove the availability from your systems.

Some common mechanisms to fight against this downtime include fault-tolerant systems, load balancing, and system failover. Fault-tolerant systems incorporate technology that allows the system to stay available even when a hardware fault has occurred. One of the most common examples of this is RAID. According to the folks over at linux. I have heard much debate as to what those letters actually stand for, but for our purposes, let us just use that definition.

RAID allows the system to maintain the data on the system even in the event of a hard drive crash. Some of the simplest mechanisms to accomplish this include disk mirroring and disk duplexing.

With disk mirroring, the system would have two hard drives attached to the same interface or controller. All data would be written to both drives simultaneously. With disk duplexing, the two hard drives are attached to two different controllers. Duplexing allows for one of the controllers to fail without the system losing any availability of the data.

However, the RAID configuration can get significantly more complex than disk mirroring or disk duplexing. With RAID level 5, data is striped across a series of disks, usually three or more, so that when any one drive is lost, no information is destroyed. The disadvantage with using any of the systems mentioned above is that you lose some of the storage space from the devices. For example, a RAID 5 system with five gigabyte hard drives would only have gigabytes of actual storage.

The technologies just mentioned provide system tolerance but do not provide improved performance under heavy utilization conditions. To improve system performance with heavy utilization, we need load balancing.

RAID levels:

Level 0: No redundancy or parity is involved. If one volume fails, the entire volume is unusable. It is used for performance only.
Level 1: Mirroring of drives. Data is written to two drives at once. If one drive fails, the other drive has the exact same data available.
Level 2: Data striping over all drives at the bit level. Parity data is created with a Hamming code, which identifies any errors. This level specifies the use of up to 39 disks. This is not used in production today.
Level 3: Data striping over all drives and parity data held on one drive. If a drive fails, it can be reconstructed from the parity drive.
Level 4: Same as level 3, except data is striped at the block level instead of the byte level.
Level 5: Data is written in disk sector units to all drives. Parity is written to all drives also, which ensures that there is not a single point of failure.
Level 6: Similar to level 5 but with added fault tolerance, which is a second set of parity data written to all drives.
Level 10: Data is simultaneously mirrored and striped across several drives and can support multiple drive failures.
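The capacity loss and the single-drive rebuild described for RAID 5 above can be made concrete with a short simulation. The following is an added example, not code from the book: it gives the standard usable-capacity formulas for the common levels and lays one stripe out across a set of constructed "disks" with rotating XOR parity, then rebuilds a lost disk from the survivors. Disk counts, sizes and block contents are all constructed for the demonstration.

```python
# Added example (not from the book): usable capacity for common RAID levels and
# a toy simulation of RAID 5 XOR parity showing that one lost disk can be
# rebuilt from the surviving disks. All disk sizes and block data are constructed.


def usable_capacity_gb(level, n_disks, disk_gb):
    """Usable capacity for n identical disks at a given RAID level.

    Standard formulas: striping keeps every disk, mirroring keeps one disk's
    worth, single parity costs one disk, double parity costs two, and
    mirror+stripe (RAID 10) keeps half.
    """
    if level == 0:
        return n_disks * disk_gb
    if level == 1:
        return disk_gb
    if level == 5:
        if n_disks < 3:
            raise ValueError("RAID 5 needs at least three disks")
        return (n_disks - 1) * disk_gb
    if level == 6:
        if n_disks < 4:
            raise ValueError("RAID 6 needs at least four disks")
        return (n_disks - 2) * disk_gb
    if level == 10:
        if n_disks < 4 or n_disks % 2:
            raise ValueError("RAID 10 needs an even number of disks, at least four")
        return (n_disks // 2) * disk_gb
    raise ValueError(f"level {level} is not modelled here")


def xor_blocks(blocks):
    """XOR equal-length byte blocks together; this is the RAID 5 parity block."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def raid5_stripe(data_blocks, stripe_no):
    """Lay one stripe out over len(data_blocks) + 1 disks.

    The parity block rotates across disks (position stripe_no % n_disks) so
    that no single disk becomes a dedicated parity disk, as in RAID 5.
    """
    n_disks = len(data_blocks) + 1
    parity_pos = stripe_no % n_disks
    disks = list(data_blocks)
    disks.insert(parity_pos, xor_blocks(data_blocks))
    return disks


def raid5_rebuild(disks, lost_disk):
    """Rebuild the block on a lost disk by XORing every surviving block.

    Works whether the lost block held data or parity, because XOR of all
    blocks in a stripe is zero.
    """
    survivors = [b for i, b in enumerate(disks) if i != lost_disk]
    return xor_blocks(survivors)


def demo_rebuild():
    """Write a stripe of three constructed data blocks to four disks, lose
    one disk, and report whether the rebuilt block equals the lost one."""
    data = [b"BLK0BLK0", b"BLK1BLK1", b"BLK2BLK2"]
    disks = raid5_stripe(data, stripe_no=1)
    lost = 2
    return raid5_rebuild(disks, lost) == disks[lost]


if __name__ == "__main__":
    print(usable_capacity_gb(5, 5, 100), "GB usable from five 100 GB disks in RAID 5")
    print("rebuild of lost disk ok:", demo_rebuild())
```

The capacity function makes the "you lose some of the storage space" point explicit: a RAID 5 array of n equal disks stores (n - 1) disks' worth of data, RAID 6 stores (n - 2), and mirroring stores one disk's worth no matter how many copies are kept.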

Usually a front-end component is necessary to direct requests to all of the back-end servers. This also provides tolerance, due to the fact that the front-end processor can just redirect the requests to the remaining servers or devices.

A technology that would lie between load balancing and RAID in terms of most availability would be system failover. With a failover environment, when the primary processing device has a hardware failure, a secondary device begins processing. This is a common technology to use with firewalls. In most organizations, to avoid having the firewall be a single point of failure on the network, the organization implements two firewalls.

Copyright by CRC Press, LLC.

In the event that the primary firewall cannot communicate with the secondary firewall, the secondary firewall takes over and begins processing the data.

As discussed, the job of the information security manager is difficult. There are many tasks that must be done to adequately protect the resources of an organization, and one slip along any of them can lead to a system breach. This is why the task of defending information systems is rather difficult. In the next section we look at other ways that your systems can be attacked. Because we cannot deny access to all of the user community, it becomes difficult to protect our systems from the people who need to use it day in and day out.

Errors and omissions attack the integrity component of the CIA triad. To help fight these mistakes, we can use some of the following security concepts. Using least privilege can create additional overhead on the support staff members who are tasked with applying the access controls to the user community. However, it will be worth the additional changes to keep the integrity of our information systems. Another principle that can help is performing adequate and frequent backups of the information on the systems.

When the user causes loss of the integrity of the information resident on the system, it may be easiest to restore the information from a tape backup made the night before.

Tape backups are one of the essential tools of the information security manager and can often be the only recourse against a successful attack. For most employees it is difficult to imagine a fellow employee coming into work every day under a ruse, but it does happen. It becomes very difficult to find the source of internal attacks without alerting the attacker that you suspect him of wrong-doing.


The best line of defense against fraud and theft by your internal employees is to have well-defined policies. Policies can make it easier for the information security manager to collect data on the suspected wrong-doer to prove what bad acts the employee has performed.

If you have well-defined policies in your organization, the information security manager can use forensic techniques to gather evidence that will help provide proof of who performed the attack. While the entire breadth of forensics is beyond the scope of this book, we do spend a little time here discussing forensics from a high level. Computer forensics allows a trained person to recover evidence from computer systems. The first rule of computer forensics is: The first goal of computer forensics is to leave the system in as pristine condition as possible.

This may run counter-intuitive to the technology professional whose instincts want to look at the system to determine exactly what is going on and how it happened. Every time the technical professional moves the mouse or touches the keyboard to enter a command, the system is changing.

This makes the evidence gathered from the system more suspect. After all, how would one determine what was done by the suspected employee and what was done by the professional investigating the activity?

There are many places that evidence of the activity may be left. Firewalls, server logs, and the client workstation are all places that should be investigated to determine if any evidence remains. When it comes to the client workstation, the first step in computer forensics is very nontechnical.

In this first step the security or support staff should be contacted to see what details they know about the system. One of the biggest potential problems would be if the client is using a hard drive encryption utility. We talk more about encryption in a later chapter of this book. Assuming that you are able to confirm that there is no hard drive encryption on the suspect system, the next step is as mentioned above — pull the plug. Now, if the system is a laptop, pulling the plug will not shut down the system; it will just run off of a battery.

In the case of the laptop, you need to pull the plug and remove the battery as well. In any case, once the system is powered off, the hard drive in the system should be turned over to a qualified professional. Please note that there are actually many more steps in the forensic process that are beyond the scope of this book.

A bit-stream backup is different from a regular tape backup in that it makes an exact copy of the hard drive. A bit-stream backup does not just copy the files and the file system; it copies everything. The blank space, the slack space, file fragments, and everything else get copied to a second hard drive. The reason for this is that all the data recovery processes will be done on the second hard drive, leaving the original hard drive in its pristine, unmodified state.

All data recovery processes performed on the system will also be performed on the backup copy of the hard drive. Once the copy is made, a comparison of the hard drives will be done using an integrity technology called an MD5 hash (see Figure 2.). It is conjectured that it is computationally infeasible to produce two messages having the same message digest, or to produce any message having a given prespecified target message digest. In essence, MD5 is a way to verify data integrity, and is much more reliable than a checksum and many other commonly used methods.


Once the MD5 hashes are made from each hard drive, the corresponding values can then be compared. If these values are the same, then the two drives are identical; if the MD5 values are different, then the bit-stream backup failed and the drives are different.

MD5 hashes are quite commonly used to verify the integrity of a file. The values can be used to ensure that a file was not modified during download and can also be used as a component of a digital signature. After the hard drives have been compared and found to be identical, the forensic professional would then begin looking at the hard drive for evidence that the attack was launched from that machine. The forensics professional will try to recover deleted files, will look for file fragments in slack space, and will also look through the data files on the suspect system to see if any evidence is present.
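The hash comparison of the source drive and its bit-stream copy can be shown end to end. The following is an added example, not code from the book: it hashes an image in fixed-size chunks (so a drive far larger than memory can be processed), compares the source against a copy, and reports per-algorithm whether they match. Because MD5 collisions are practical today, imaging tools normally record a SHA-256 digest alongside MD5; the example computes both. The "drive" is a constructed 16 KiB byte pattern, and the failed copy differs from the source by a single flipped bit.

```python
# Added example (not from the book): verifying a bit-stream copy against its
# source by hashing both in chunks and comparing digests. The "drive images"
# below are constructed byte strings, not real disk contents.
import hashlib
import io


def hash_stream(fileobj, algorithm="md5", chunk_size=1 << 20):
    """Hash a file-like object in chunks so a multi-gigabyte image never has
    to sit in memory; returns the hex digest."""
    digest = hashlib.new(algorithm)
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def hash_bytes(data, algorithm="md5"):
    """Convenience wrapper for in-memory data."""
    return hash_stream(io.BytesIO(data), algorithm)


def verify_image(source, copy, algorithms=("md5", "sha256")):
    """Compare a bit-stream copy against its source under each algorithm.

    Returns {algorithm: {"source": hex, "copy": hex, "match": bool}} so the
    digests themselves can go into the examiner's report.
    """
    report = {}
    for alg in algorithms:
        src_digest = hash_bytes(source, alg)
        copy_digest = hash_bytes(copy, alg)
        report[alg] = {
            "source": src_digest,
            "copy": copy_digest,
            "match": src_digest == copy_digest,
        }
    return report


def image_verified(report):
    """True only when every algorithm agrees the copy is identical."""
    return all(r["match"] for r in report.values())


# Constructed stand-in for a drive: a deterministic 16 KiB byte pattern.
SOURCE_IMAGE = bytes(range(256)) * 64
GOOD_COPY = bytes(SOURCE_IMAGE)          # exact bit-stream copy
_flawed = bytearray(SOURCE_IMAGE)
_flawed[5000] ^= 0x01                    # one flipped bit: a failed copy
BAD_COPY = bytes(_flawed)


if __name__ == "__main__":
    for name, copy in (("good copy", GOOD_COPY), ("bad copy", BAD_COPY)):
        report = verify_image(SOURCE_IMAGE, copy)
        print(name, "verified" if image_verified(report) else "FAILED")
        for alg, r in report.items():
            print(f"  {alg}: source={r['source'][:16]}... copy={r['copy'][:16]}...")
```

A single changed bit anywhere in the copy produces a completely different digest under either algorithm, which is why the comparison is a pass/fail check on the whole image rather than a measure of how close the copy is.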

If any evidence is found on the system, the forensic professional will document the evidence and turn it into a final written report. Because we have been looking at the damage that internal employees can carry out against our information systems, let us look at the other community that can also cause destruction to our data — the outsiders.

The three primary groups are hackers, crackers, and phreaks. A hacker is a user who penetrates a system just to look around and see what is possible.

The etiquette of hackers is that after they have penetrated the system, they will notify the system administrator to let the administrator know that the system has a vulnerability. It is often said that a hacker just wants security to be improved on all Internet systems. The next group, the crackers, are the group to really fear. A cracker has no etiquette on breaking into a system.

Crackers will damage or destroy data if they are able to penetrate a system. The goal of crackers is to cause as much damage as possible to all systems on the Internet. The phreaks can then use the free phone access to disguise the phone number from which they are calling, and also stick your organization with the bill for long-distance phone charges.

The ways a hacker will attack a system can vary tremendously. Each attacker has his own bag of tricks that can be used to break into a system. There are several books on just the subject of hacking currently available, but we will cover the basic hacker methodology briefly here.

The basic hacker methodology has five main components: It might seem odd to think of a methodology for hackers; but as with anything else, time matters. So to maximize time, most hackers follow a similar methodology. The first phase in the methodology is the reconnaissance phase.

In this phase, the attacker tries to gain as much information as possible about the target network. There are two primary ways an attacker can do this: Most attackers would generally begin with passive attacks.

These passive attacks can often generate a lot of good information about the network or organization the hacker wants to attack. The attacker would look for contact information for key employees (this can be used for social engineering), information on the types of technology used at the organization, and any other nugget of information that could be used in an attack.

After the attacker has gone through the Web site, he would probably move to Internet search engines to find more information about the network he wishes to attack. He would be looking for bad newsgroup postings, posts at sites for people who are upset with the company, and any other details. The attacker would then look for information in the DNS servers for the target organization. This would provide a list of servers and corresponding IP addresses.

Once this is done, the hacker would move to active attacking. To perform an active reconnaissance attack, a hacker would perform ping sweeps, SNMP network scans, banner grabbing, and other similar attacks. The attacks would help the attacker weed out the number of dead IP addresses and find the live hosts to move on to the next phase — scanning.
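Unlike the passive phase, active reconnaissance leaves traces in the firewall and server logs the text later names as places to look for evidence. The following is an added example from the defender's side, not code from the book: it parses constructed firewall log lines in a simple format of my own choosing and flags the two patterns named above, a ping sweep (one source sending ICMP echo requests to many distinct hosts in a short window) and a port scan (one source touching many distinct ports on one host). The log lines, addresses (from the documentation ranges) and thresholds are all constructed for the demonstration.

```python
# Added example (not from the book): spotting ping sweeps and port scans in
# firewall logs. Log format, addresses and thresholds are constructed.
import re
from collections import defaultdict
from datetime import datetime

# Constructed log lines; format is
# "<ISO time> <action> <proto> <src>[:<sport>] -> <dst>[:<dport>] <detail>".
SAMPLE_LOG = (
    # one source pinging eight consecutive hosts within seconds: a sweep
    [f"2020-01-14T10:00:0{i} DENY ICMP 203.0.113.7 -> 192.0.2.{i} echo-request"
     for i in range(1, 9)]
    # a single ping from a monitoring host: benign
    + ["2020-01-14T10:00:05 ALLOW ICMP 198.51.100.5 -> 192.0.2.1 echo-request"]
    # one source probing eight service ports on one host: a port scan
    + [f"2020-01-14T10:02:1{j} DENY TCP 203.0.113.9:41{j:03d} -> 192.0.2.10:{port} SYN"
       for j, port in enumerate([21, 22, 23, 25, 80, 110, 143, 443])]
    # a normal HTTPS connection
    + ["2020-01-14T10:03:00 ALLOW TCP 198.51.100.5:52000 -> 192.0.2.10:443 SYN"]
)

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\S+) (?P<proto>\S+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)


def parse_log(lines):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            event = m.groupdict()
            event["ts"] = datetime.fromisoformat(event["ts"])
            events.append(event)
    return events


def _max_distinct_in_window(items, window_s):
    """items: sorted [(timestamp, value)]. Largest number of distinct values
    seen in any window_s-second window that starts at one of the items."""
    best = 0
    for i, (t0, _) in enumerate(items):
        seen = {v for t, v in items[i:] if (t - t0).total_seconds() <= window_s}
        best = max(best, len(seen))
    return best


def find_ping_sweeps(events, min_hosts=5, window_s=60):
    """Map source -> distinct hosts pinged, for sources that sent ICMP to at
    least min_hosts distinct hosts within window_s seconds."""
    by_src = defaultdict(list)
    for e in events:
        if e["proto"] == "ICMP":
            by_src[e["src"]].append((e["ts"], e["dst"]))
    hits = {}
    for src, items in by_src.items():
        n = _max_distinct_in_window(sorted(items), window_s)
        if n >= min_hosts:
            hits[src] = n
    return hits


def find_port_scans(events, min_ports=5, window_s=60):
    """Map (source, destination) -> distinct TCP ports tried, for pairs where
    one source touched at least min_ports distinct ports on one host."""
    by_pair = defaultdict(list)
    for e in events:
        if e["proto"] == "TCP" and e["dport"]:
            by_pair[(e["src"], e["dst"])].append((e["ts"], int(e["dport"])))
    hits = {}
    for pair, items in by_pair.items():
        n = _max_distinct_in_window(sorted(items), window_s)
        if n >= min_ports:
            hits[pair] = n
    return hits


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("ping sweeps:", find_ping_sweeps(events))
    print("port scans:", find_port_scans(events))
```

Both detectors count distinct targets inside a sliding time window rather than raw packet counts, so a monitoring host that pings one server every minute never trips them, while a sweep across a subnet does. Thresholds and window length are tuning knobs; set them from what normal traffic on the network actually looks like.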

An attacker would begin scanning, looking for holes to compromise to gain access to the network. The attacker would scan all servers that are available on the Internet, looking for known vulnerabilities. These vulnerabilities could be in a poorly written Web-enabled application or from applications that have known security vulnerabilities in them. Once an attacker has compiled a list of vulnerabilities, he would then move on to the next stage — gaining access. There are many ways for an attacker to gain access to the target network.

Once the attacker has access, all he wants to do is make sure that he can keep it. To maintain access, an attacker would commonly upload a custom application onto the compromised server. This application would then be a back door into the target organization, and would allow the attacker to come and go at will. In addition to uploading new programs, an attacker can alter existing programs on the system.

The advantage of doing this is that a well-informed administrator may know the files on his system and he might recognize that new files have been installed on his servers. By modifying already-existing files, the system would appear to be unmodified at first glance. A common way of doing this is with a group of files called a rootkit. A rootkit allows an attacker to replace normal system files with files of the same name that also have Trojan horse functionality.

The new system files would allow the attacker in just as if he had added additional files to the target server. An attacker may not need long-term access to the system and might just wish to download the existing programs or data off the target server. Once an attacker has determined his mechanism for getting back into the server, the last step in the hacker methodology is to cover his tracks.
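The defence against same-name file replacement described above is a cryptographic baseline of the system files, since a replaced binary can keep its name, size and timestamp. The following file-integrity check is an added example and is not code from the original text; the directory layout, file contents and the temporary directory it uses are constructed for the demonstration.

```python
"""File-integrity baseline that catches same-name file replacement.

Added example, not from the original text. It builds a SHA-256 baseline of a
directory tree, then compares a later snapshot against it. The directory
layout and file contents below are constructed for the demonstration.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map each regular file's POSIX-style relative path to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def compare(baseline, current):
    """Classify files as modified, added or removed relative to the baseline."""
    return {
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def _write(path, data, mtime=None):
    """Write a file, optionally pinning its mtime (as a file replacer might)."""
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)
    if mtime is not None:
        os.utime(path, (mtime, mtime))


def demo():
    """Stand-in for a rootkit-style replacement: 'bin/ls' is overwritten with a
    different file of the same name, same size and same mtime. Size and mtime
    checks would stay silent; the hash comparison does not."""
    original, replacement = b"original ls binary", b"trojaned ls binary"
    assert len(original) == len(replacement)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        fixed_mtime = 1_600_000_000
        _write(root / "bin" / "ls", original, fixed_mtime)
        _write(root / "bin" / "ps", b"original ps binary", fixed_mtime)
        _write(root / "etc" / "passwd", b"root:x:0:0:root:/root:/bin/sh\n", fixed_mtime)
        baseline = snapshot(root)   # in practice stored off-host or read-only

        _write(root / "bin" / "ls", replacement, fixed_mtime)   # modified in place
        (root / "bin" / "ps").unlink()                         # removed
        _write(root / "tmp" / ".hidden", b"dropper")           # added
        st = (root / "bin" / "ls").stat()
        size_same = st.st_size == len(original)
        mtime_same = int(st.st_mtime) == fixed_mtime

        report = compare(baseline, snapshot(root))
        report["size_and_mtime_unchanged"] = size_same and mtime_same
        return report


if __name__ == "__main__":
    print(demo())
```

The baseline is only as trustworthy as its storage: keep it (or a signed copy) where a compromised host cannot rewrite it, and run the comparison from trusted tooling rather than from the binaries on the host being checked.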

This would hide his access from the system administrator and would also leave less evidence behind in case the system administrator wishes to have a forensic examination performed on the compromised host. The level of skill of an attacker is often apparent in this phase. A crude attacker might delete an entire log file, thus making it easy for the system administrator to determine that someone has been in the system; but a more skillful attacker might just modify his log entries to show that the traffic was originating from a different IP address.
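Both forms of track covering mentioned above, deleting records and editing an entry's source address, become detectable when each log record commits to the hash of the previous one. The hash-chained log below is an added example and is not code from the original text; the record format, the off-host "anchor" and the sample log messages are constructed for the demonstration.

```python
"""Tamper-evident log: a hash chain that exposes deleted or edited entries.

Added example, not from the original text. Each record commits to the previous
record's hash, so editing one record breaks its hash and every link after it,
and deleting a record breaks the sequence. Keeping only the final hash off-host
(the 'anchor') additionally catches records cut off the end. The messages are
constructed sample entries.
"""
import copy
import hashlib

GENESIS = "0" * 64


def _digest(seq, prev, msg):
    return hashlib.sha256(f"{seq}|{prev}|{msg}".encode()).hexdigest()


def append_entry(chain, msg):
    """Append msg to the chain (a list of dicts) and return the new record."""
    seq = len(chain)
    prev = chain[-1]["hash"] if chain else GENESIS
    rec = {"seq": seq, "prev": prev, "msg": msg, "hash": _digest(seq, prev, msg)}
    chain.append(rec)
    return rec


def first_broken(chain):
    """Index of the first record whose seq, prev link or hash is inconsistent,
    or None if the chain is internally consistent."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["seq"] != i or rec["prev"] != prev:
            return i
        if rec["hash"] != _digest(rec["seq"], rec["prev"], rec["msg"]):
            return i
        prev = rec["hash"]
    return None


def verify(chain, anchor=None):
    """True if the chain is consistent and, when an anchor is given, its last
    hash matches the anchor (which catches records cut off the end)."""
    if first_broken(chain) is not None:
        return False
    if anchor is not None:
        last = chain[-1]["hash"] if chain else GENESIS
        return last == anchor
    return True


def demo():
    """Build a small constructed log, then try the two tampering styles
    described in the text: deleting records and editing one in place."""
    log = []
    for m in ["sshd: accepted password for admin from 198.51.100.7",
              "sudo: admin : COMMAND=/usr/bin/systemctl restart nginx",
              "sshd: session closed for admin"]:
        append_entry(log, m)
    anchor = log[-1]["hash"]   # would be shipped off-host as it is produced

    edited = copy.deepcopy(log)          # rewrite the source address on record 0
    edited[0]["msg"] = edited[0]["msg"].replace("198.51.100.7", "192.0.2.250")

    cut_middle = copy.deepcopy(log)      # crude: drop a record in the middle
    del cut_middle[1]

    cut_end = copy.deepcopy(log)         # drop the last record only
    del cut_end[-1]

    return {
        "intact": verify(log, anchor),
        "edited_breaks_at": first_broken(edited),
        "cut_middle_breaks_at": first_broken(cut_middle),
        "cut_end_internal_ok": first_broken(cut_end) is None,
        "cut_end_vs_anchor": verify(cut_end, anchor),
    }


if __name__ == "__main__":
    print(demo())
```

The chain tells you that tampering happened and from which record onward, not what the original content was; that is why the usual deployment pairs it with forwarding copies of the records to a separate log host, so the administrator has an untouched copy to compare against.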

Malicious code is defined as any code that is designed to make a system perform an operation without the knowledge of the system owner. There are many different types of malicious code. This chapter discusses a few of the more common ones, including viruses, worms, Trojan horses, and logic bombs. The message screen should include three basic elements: 1. The system is for authorized users only 2. That activities are monitored 3.

An information protection program is more than establishing controls for the computer-held data. The advent of third-generation computers brought about this concept.

However, today the bulk of all of the information available to employees and others is still found in printed form. To be an effective program, information protection must move beyond the narrow scope of IT and address the issues of enterprise-wide information protection.

A comprehensive program must touch every stage of the information asset life cycle from creation to eventual destruction. Technology and users, data and information in the systems, risks associated with the system, and security requirements are ever changing. The ability of information protection to support business objectives or the mission of the enterprise may be limited by various factors, such as the current mind-set toward controls.

The result of this review should be used to form the basis for an initial risk analysis to determine the security requirements for the workstation. When conducting such a review, employee privacy issues must be remembered. Supporting roles are performed by the service providers and include Systems Operations, whose personnel design and operate the computer systems.

They are responsible for implementing technical security on the systems. Telecommunications is responsible for providing communication services, including voice, data, video, and fax. The information protection professional must also establish strong working relationships with the audit staff.

If the only time you see the audit staff is when they are in for a formal audit, then you probably do not have a good working relationship. It is vitally important that this liaison be established and that you meet to discuss common problems at least each quarter. Other groups include the physical security staff and the contingency planning group.

These groups are responsible for establishing and implementing controls and can form a peer group to review and discuss controls. The group responsible for application development methodology will assist in the implementation of information protection requirements in the application system development life cycle. Quality Assurance can assist in ensuring that information protection requirements are included in all development projects prior to movement to production.

The Procurement group can work to get the language of the information protection policies included in the purchase agreements for contract personnel. Education and Training can assist in developing and conducting information protection awareness programs and in training supervisors in the responsibility to monitor employee activities. An example of a typical job description for an information security professional is as follows: 1.

The information security design and strategy will complement security and network services developed by the other Global Practice areas. To work on corporate initiatives to develop and implement the highest quality security services and ensure that industry best practices are followed in their implementation.

Internal contacts are primarily Executive Management, Practice Directors, Regional Management, as well as mentoring and collaborating with consultants. Frequent external contacts include building relationships with clients, professional information security organizations, other information security consultants; vendors of hardware, software, and security services; and various regulatory and legal authorities.

This includes a quality assurance review to ensure that the details of the project are correctly implemented according to the service delivery methodology. Accountability: Maintain the quality and integrity of the services offered by the Global Security Practice. Review and report impartially on the potential viability and profitability of new security services.

Exercise professional judgment in making recommendations that may impact business operations. Will clearly demonstrate an ability to lead technological decisions. Will establish credibility with personal dedication, attention to detail, and a hands-on approach. Will also be capable of developing strong relationships with all levels of management.

Other important characteristics include the ability to function independently, holding to the highest levels of personal and professional integrity. Will be an excellent communicator and team player. This damage can range from errors harming database integrity to fires destroying entire complexes.

Losses can stem from the actions of supposedly trusted employees defrauding a system, from outside hackers, or from careless data entry. Precision in estimating information protection-related losses is not possible because many losses are never discovered, and others are hidden to avoid unfavorable publicity.

The typical computer criminal is an employee. Also included in this survey were the competition, contract personnel, public interest groups, suppliers, and foreign governments. The chief threat to information protection is still errors and omissions.

This concern continues to make up 65 percent of all information protection problems. Users, data entry personnel, system operators, programmers, and the like frequently make errors that contribute directly or indirectly to this problem. Dishonest employees make up another 13 percent of information protection problems. In a related area, disgruntled employees make up another 10 percent of the problem.

Common examples of information protection-related employee sabotage include destroying hardware or facilities and planting malicious code (viruses, worms, Trojan horses, etc.). The final area comprises malicious hackers or crackers. These terms refer to those who break into computers without authorization or exceed the level of authorization granted to them.

Information security fundamentals

The goal of social engineering is to trick someone into providing valuable information or access to that information or resource. From the senior management who sit on the Information Security Steering Committee, to the responsibility of every employee to practice good information security habits, the infrastructure must be robust and educated in order for the information security program to bring full benefit to the organization. Some common mechanisms to fight against this downtime include fault-tolerant systems, load balancing, and system failover.

Other plusses are that presentation software is easy to use and easy to modify. We, as security professionals, must not lose sight of these goals and objectives.