Operational and organizational security covers a variety of topics such as setting security policies for the entire organization, user training and awareness, risk assessment, physical security of the equipment, privilege management, and implementing a backup and recovery plan. The sole purpose of implementing organizational and operational security is to ensure a safe and secure working environment where users know what is expected from them, and management has the guidelines to respond to unexpected situations in order to maintain business continuity. The sections that follow cover the concepts of some of the main areas of organizational and operational security.
Physical security involves keeping the network equipment, computer hardware, and software secure from unauthorized access. This includes having appropriate access control systems in place, training users to protect them from social engineering, and maintaining a suitable operating environment for the equipment. Each component of the business network is vulnerable to different types of external and internal threats, so physical security should be given priority when designing and implementing security policies.
The following sections explain how physical security can be ensured by taking care of access control, implementing physical barriers, and controlling environmental factors.
Access control is used to grant only authorized personnel of the organization access to necessary physical network equipment. For example, a server room may be locked for ordinary users and may be accessible only to those administrators who need to manage servers. Creating physical barriers for unauthorized personnel is one way to control access to critical network equipment, which includes server hardware and network hardware such as firewalls, routers, and switches.
Access control is implemented using physical barriers and biometrics, as summarized in the following paragraphs:
Most organizations keep critical servers and network equipment in a locked room to which unauthorized access is denied. Server rooms should be locked and equipped with alarm systems. Logbooks should be maintained for entries to the secure room. All equipment should be locked down with strong passwords. If outsiders need to work inside secure rooms, an employee of the organization must remain with them at all times.
Authenticating users with biometric methods is considered more secure than other techniques, such as using passwords. Biometric devices use the physical characteristics of a person—for example, fingerprints, facial attributes, or voice patterns. Biometric equipment used for authentication is an expensive alternative but allows for tighter authentication and access control.
Social engineering is the acquisition of personal or confidential information, or information about an organization, by gaining the confidence of an individual. The so-called social engineer generally tricks the victim, over the telephone or on the Internet, into revealing sensitive information about the organization. Unfortunately, no technical configuration of systems or networks can protect an organization from social engineering; no firewall can stop attacks that result from it. The best protection is to train users about the security policies of the organization.
Preventing unauthorized access to critical network equipment is meaningless if environmental factors are ignored. The environment surrounding the network equipment includes temperature, humidity, electrical interference, and airflow, among other factors. Equipment should be operated within acceptable limits of temperature and humidity, and server rooms especially should be equipped with temperature and humidity control systems. An increase in temperature inside a computer leads to a defect known as chip creep or socket creep, in which computer chips work loose in their sockets. The following are some of the measures that protect against environmental factors:
Temperatures should be kept within limits. Alarms should be installed to monitor temperatures and should sound alerts, if required.
Humidifiers or dehumidifiers, as required, should be installed to control humidity levels.
Hardware technicians should wear ESD wristbands to prevent electrostatic discharge.
Arrangements should be made to maintain good air quality inside server rooms.
Servers and other network equipment should be located properly in racks, well above the ground level. Most modern server rooms are built on raised floors.
If required, shielded twisted-pair (STP) cable should be used to protect the equipment from electromagnetic interference (EMI) and radio frequency interference (RFI).
Fire suppression equipment should be used to prevent damage from accidental fires. Remember that water sprinklers are not recommended for server rooms. The extinguishing agents used in server rooms are known as clean agents: they put out the fire but do not damage equipment.
Disasters can come at any time and in any form. It may be a fire, a flood, or a terrorist attack, or it may even take some other unknown form. A disaster recovery plan should take into account all possible kinds of internal and external threats. It is important to make necessary plans to protect the critical data from any such events in order to let the organization recover in a minimum amount of time and resume its business as soon as possible.
Data backup methods, secure recovery of data, and a well-designed and documented disaster recovery and business continuity plan should be in place. Preparation of the disaster recovery plan should not wait for a real disaster to occur.
Data backup is one of the fundamental elements of a disaster recovery plan. Backed-up data is copied to other media, such as magnetic tapes or compact disks (CDs or DVDs), which are safely and securely stored at an offsite location. Administrators must decide what data is to be backed up and how frequently, depending on the volume of the backup data and the requirements of the organization. Commonly used backup methods include the following:
This method backs up all the data in a single backup job. The backed-up data includes system files, applications, and all user data on a computer. A full backup clears the archive bit on each file to indicate that it has been backed up. It takes longer to complete the backup process, but the data can be restored faster, as only a single backup set is required.
This method backs up all the data that has changed since the last full or incremental backup. It uses the archive bits to select files and clears them after the backup process is complete. It takes the least amount of time to complete the backup process but is the slowest method when data needs to be restored: the last full backup tape and all incremental tapes taken after the full backup are required to completely restore data.
This method backs up all the data that has changed since the last full backup. It does not change the archive bits and thus does not disturb any scheduled incremental backups. Since it does not clear the archive bits, if a differential backup is taken more than once after a full backup, the differential backup tapes will contain duplicate data. When restoring data, only the last full backup tape and the latest differential backup tape are required, so the restore is faster than from incremental backups.
This method copies all the data on the system but, unlike the full backup, does not change the archive bits.
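The archive-bit behaviour of the four backup types, and the set of tapes each combination needs at restore time, as an added simulation (not code from the original text). File names and the weekly schedule are constructed; the restore logic is the general rule of which the text's full-plus-incrementals and full-plus-differential cases are instances.

```python
"""Simulation of the four backup types and the archive bit.

Added example, not from the original text. Each file carries an archive bit:
the operating system sets it when the file is written, a full or incremental
backup clears it, and a differential or copy backup leaves it untouched.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Tape:
    seq: int            # position in the backup history
    kind: str           # "full", "incremental", "differential" or "copy"
    files: frozenset    # names of the files written to this tape


class Volume:
    """A set of files with archive bits, plus the tapes taken so far."""

    def __init__(self, names):
        self.archive = {n: True for n in names}   # never backed up yet
        self.history = []

    def modify(self, *names):
        for n in names:
            self.archive[n] = True                 # the OS sets the bit on write

    def _record(self, kind, names, clear_bits):
        tape = Tape(len(self.history), kind, frozenset(names))
        if clear_bits:
            for n in tape.files:
                self.archive[n] = False
        self.history.append(tape)
        return tape

    def full(self):
        return self._record("full", list(self.archive), clear_bits=True)

    def copy(self):
        # Same contents as a full backup, but the archive bits are left alone,
        # so a copy taken mid-week does not disturb the scheduled jobs.
        return self._record("copy", list(self.archive), clear_bits=False)

    def incremental(self):
        changed = [n for n, bit in self.archive.items() if bit]
        return self._record("incremental", changed, clear_bits=True)

    def differential(self):
        changed = [n for n, bit in self.archive.items() if bit]
        return self._record("differential", changed, clear_bits=False)


def restore_set(history):
    """Tapes needed to rebuild the volume as of the most recent backup.

    Start from the last full backup, add every incremental taken after it,
    and add the newest differential if no incremental was taken after that
    differential. Copy tapes are skipped: they carry no archive-bit state.
    """
    fulls = [t for t in history if t.kind == "full"]
    if not fulls:
        raise ValueError("no full backup to restore from")
    base = fulls[-1]
    needed = [base]
    last_diff = None
    for tape in history[base.seq + 1:]:
        if tape.kind == "incremental":
            needed.append(tape)
            last_diff = None      # the incremental captured those files too
        elif tape.kind == "differential":
            last_diff = tape      # only the newest differential matters
    if last_diff is not None:
        needed.append(last_diff)
    return needed


def weekly_demo():
    """Constructed week: full, then incremental, differential, copy, differential."""
    vol = Volume(["payroll.xls", "notes.txt", "app.exe"])
    vol.full()                 # Sunday: everything, all bits cleared
    vol.modify("notes.txt")
    vol.incremental()          # Monday: notes.txt only, its bit cleared
    vol.modify("payroll.xls")
    vol.differential()         # Tuesday: payroll.xls, bit left set
    vol.copy()                 # Wednesday: whole volume, bits untouched
    vol.modify("app.exe")
    vol.differential()         # Thursday: payroll.xls and app.exe
    return vol


if __name__ == "__main__":
    vol = weekly_demo()
    for tape in vol.history:
        print(tape.seq, tape.kind, sorted(tape.files))
    print("restore needs tapes:", [t.seq for t in restore_set(vol.history)])
```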
Most organizations combine backup types to create weekly, monthly, and yearly backup plans. Depending on the requirements of an organization and the amount of data to be backed up, different organizations may adopt different backup schemes. The combination of a full backup on weekends and incremental backups on weekdays is one of the commonly used methods.
Make sure that you understand different backup types, the function of the archive bit, and the pros and cons of each backup type. The difference between copy backup and full backup is commonly asked in the Security+ exam because both make a full backup of the system. Remember that a copy backup does not use or change the archive bit while the full backup uses and changes the archive bit. Similarly, the difference between incremental and differential backup types is another common exam question.
Magnetic tapes are the most popular media used for backups. In order to reduce the cost involved in purchasing new tapes for every backup, most organizations reuse the tapes after a certain amount of time and according to a preset tape rotation plan. A commonly used tape rotation plan is known as Grandfather-Father-Son (GFS). Backup tapes are categorized into daily, weekly, and monthly sets. With this rotation scheme, a full backup is taken every week, and differential or incremental backups are taken every day. The daily and weekly tapes are stored offsite at the end of the week, and new tapes are used for the next week. Additionally, another full backup is taken at the end of the month. When the month changes, the tapes used for the first week in the previous month are reused, followed by the tapes used in the second week, and so on. In the GFS rotation scheme, the daily tape set is known as the son, the weekly tape set as the father, and the monthly full backup tape set as the grandfather. It is important to note that the grandfather tape set is not reused, as it contains all files changed during a particular month.
It is important that the tapes be stored at a safe and secure offsite location. Offsite storage helps protect critical data stored on tapes in the event of a disaster. If backup tapes are not stored offsite, they are vulnerable to destruction along with other equipment when a disaster strikes. Organizations may store tapes at another location or engage a third-party professional organization for the purpose. If offsite storage is managed by a third party, administrators must verify that the safety and security requirements are fulfilled.
The secure recovery of data is part of the backup process. Data may need to be recovered from backup tapes even after a small incident, such as accidental deletion of files or corruption of files by a virus. The damage may occur on a single system or on multiple systems across the network. Administrators should also not forget that the organization might be subject to outside malicious activity by professional hackers. The worst case is a disaster, which is why administrators must carefully prepare a disaster recovery plan and define procedures for secure and quick restoration of data.
The safety of backup tapes is of prime concern. This includes protecting the tapes from physical damage and theft. Aside from this, procedures and guidelines must be in place to describe how the data can be restored with minimal delays. Large organizations usually have dedicated backup operators who are proficient in backup and restoration functions. Offsite storage is an excellent way to secure tapes. Large organizations can also have alternate sites, which can be used to resume business in case of a disaster.
Alternate sites are critical to all such organizations that do not want any delay in restoration of data after a disaster strikes. An alternate site is a temporary facility away from the original location of the organization that enables administrators to restore a working network in a minimum amount of time so that the organization can resume its business. Alternate sites can be classified into the following types:
A hot site is equipped with all necessary hardware, software, network devices, and telephone lines. It allows organizations to resume business activities almost immediately. The equipment is fully configured, data is replicated to servers at the site in real-time, and in case of a disaster, the organization can resume business with minimal delays.
A warm site normally is equipped with all necessary hardware, software, network devices, and telephone lines. Unlike a hot site, this site is not fully configured and does not store a working copy of data. Hardware and software must be configured, and data must be restored from backup tape sets. It takes administrators a little while before this site can be made functional.
A cold site requires the maximum amount of time to be set up and made functional. It contains only partial hardware, software, and network devices that are not configured. This site needs to be built from scratch to make it fully functional.
A disaster recovery plan is a written document that defines how the organization will recover from a disaster and how the business can be restored with minimum delays. This document describes how the risks of a disaster are to be evaluated, and offers data backup and restoration methods, alternative sites, and individual skills of administrators and users that can be helpful in case of a disaster. It also notes what estimated cost is involved in resuming business after the disaster.
A business continuity plan is a written document that defines the major threats that a company may face, including disasters, and sets up policies and procedures to ensure that the business resumes with minimum delays after an interruption due to any unforeseen circumstances. This plan is developed after a careful assessment of risks and the impact of each type of disaster and event. Essential elements of a business continuity plan are as follows:
This plan defines the recovery procedures to be followed after a disaster strikes.
This plan describes the procedures to resume business functions at an alternate site after a disaster.
This plan describes the procedures to resume functions of critical systems in order to go back to business as normal.
This plan describes the procedures to resume business after a disaster strikes or when additional unforeseen events take place during the recovery process.
Utilities essential for network services include electricity, Uninterruptible Power Supplies (UPS), and power generators. Although system and network administrators might have taken every step to provide reliable and efficient system services, they are still dependent on these utilities to keep the systems working. UPS systems are useful when there is a power outage, but they are good only for a short period of time. If the power outage lasts longer, power generators may be required to supply essential electricity to the network. It is essential that organizations select reliable third-party vendors to install and maintain such utilities as UPS systems and power generators.
High availability refers to maximum uptime as well as efficiency of the systems and the network. It can be achieved only if there are adequate arrangements in place to maintain network services in case of a system failure. Network load balancing is a common method used to share the load of requests for a particular service such as a web server or a DNS server. Server clustering is another method to ensure high availability. As far as a single server is concerned, most of the system crashes are caused by failure of hard disks. Server hardware addresses the problem of hard disk failures by implementing a Redundant Array of Inexpensive Disks (RAID), also known as fault-tolerant disks. Servers equipped with RAID systems normally allow hot swapping of hard disks so that the server does not need to be taken offline when a failed disk is to be replaced. The following types of fault-tolerant RAID systems are commonly used:
This RAID system uses exactly two disks, preferably of the same size and make. The data written to one of the disks is copied to the second disk. In this system, the disk utilization is only 50 percent.
This RAID system uses 3 to 32 disks, preferably of the same size and make. The data is evenly written to all hard disks simultaneously. The failure of a single disk does not bring down the server.
RAID systems can be either hardware- or software-based. Hardware-based systems are more expensive but more efficient than software RAID systems. Software RAID systems are implemented using the network operating system. They have limited functionality and are used only where the cost of implementing a RAID system is to be kept to a minimum.
Security policies and procedures are sets of written documents that describe how a safe and secure computing environment is to be created and maintained inside an organization. The following sections explain some of the security policies and procedures covered in the Security+ exam.
An acceptable use policy describes the guidelines for users so that they use the computers and the technology appropriately. It explains what activities are permitted and what are prohibited. The following are some of the guidelines included in an acceptable use policy:
Users should not engage in activities that might damage the image of the company.
Users should not participate in activities that consume network resources beyond set limits.
Users must follow the rules that restrict which web sites may be visited and which email programs may be used.
Users should not print any confidential documents and/or take them out of the organization.
Users should not transmit classified or confidential information over the Internet.
Some organizations enforce the acceptable use policies by having the employees sign an agreement when they are hired.
A due care policy describes how the employees should handle computer hardware and software in order to protect it from damage. Since computer equipment and software are expensive, employees should be given guidelines on how to properly work on them. Efforts should also be made to protect the integrity of data by performing regular virus scans and detection of malicious software. A simple example of due care in protecting operating systems is to use the Shut Down feature instead of directly turning off power. Users should follow manufacturers' guidelines when using any type of equipment. Administrators are expected to keep OS/NOS and other applications updated with the latest service packs, hotfixes, and security patches.
Privacy is one of the major issues concerning almost every employee of the organization. Aside from the privacy of an individual, the privacy of a particular department and of the organization is also important. Employees should be trained on how to maintain privacy while using modern technologies. They should be instructed to refrain from such activities as disclosing personal or organizational information over the Internet, through emails, or in chat sessions. A privacy policy also usually states that the organization has the right to inspect personal data stored on company computers. The appropriate authorities may inspect this data at any time, for example by performing regular audits of users' personal folders, emails, and other software they might be using. Data critical to the operation of an organization is also considered private and confidential. Administrators must make sure that all efforts are made to protect this confidentiality of data.
The separation of duties policy ensures that critical tasks are not assigned to a single person. These tasks should usually be divided among two or more persons so that no single person has control over the task or procedure from beginning to end. Employees should not be allowed to monopolize any task that is critical to a department's or an organization's function. This also ensures that no single employee has complete information about a particular project, which improves security: if a single person has all the information related to a project, the chances of leakage of confidential information increase. Senior employees, such as supervisors and managers, should break up duties among their subordinates and should be responsible for coordination among them. Another positive side of separation of duties is that individual employees can concentrate on their specific jobs and become experts in whatever task they are performing.
The need-to-know policy dictates that employees should be given only as much information as they need to perform their job functions. Giving excessive information to employees might result in inappropriate handling of information, or even its leakage to third parties. If any employee needs more information than what he is authorized to obtain, he should submit a written request to his supervisor, who in turn should forward it to the departmental manager. This ensures that permission to use classified information is in the control of supervisors and managers. Organizations usually protect confidential information by having employees sign a non-disclosure agreement at the time of hiring.
A password management policy describes how employees should manage their passwords. A password is the employee's key to gaining access to the organization's resources stored on computers. Without having a sound password policy, employees may make their passwords weak or disclose their passwords to unauthorized people. Professional hackers may exploit an organization's confidential resources by guessing insecure passwords. Password policies include the following essential elements:
The use of blank passwords should not be allowed for any employee.
Passwords should have at least eight characters.
A password should be made up of a combination of upper- and lowercase letters, special characters, and numbers.
Employees should be forced to change their passwords regularly.
Employees should not be allowed to reuse their old passwords for a certain amount of time.
Administrators should use normal user accounts when not performing any administrative tasks. Only designated IT employees should have administrative privileges.
Longer and stronger passwords resist brute-force and dictionary attacks. Password policies can be enforced through the NOS. For example, in Windows Server 2003, administrators can use Group Policy (which is mainly used to enforce enterprise-wide policies) to apply a password policy throughout the network.
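A checker that applies the policy elements listed above (no blank passwords, at least eight characters, mixed character classes, regular change, no reuse of recent passwords), as an added example rather than code from the original text. The 90-day maximum age and the five-password history depth are assumed values; only the eight-character minimum comes from the text, and the stored history holds salted PBKDF2 hashes rather than the passwords themselves.

```python
"""Password policy checker for the elements listed in the text.

Added example, not from the original text. MAX_AGE_DAYS and HISTORY_SIZE are
assumed values chosen for illustration; MIN_LENGTH is the text's figure.
"""
import hashlib
import os
import string
from datetime import date, timedelta

MIN_LENGTH = 8          # from the text
MAX_AGE_DAYS = 90       # assumed "regular change" interval
HISTORY_SIZE = 5        # assumed number of old passwords that may not be reused


def _hash(password, salt):
    """Salted, slow hash so the history never stores a reusable password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class PasswordPolicy:
    def __init__(self):
        # user -> {"history": [(salt, digest), ...], "changed": date}
        self.accounts = {}

    def complexity_errors(self, password):
        errors = []
        if not password:
            errors.append("blank passwords are not allowed")
            return errors
        if len(password) < MIN_LENGTH:
            errors.append(f"must be at least {MIN_LENGTH} characters")
        classes = {
            "uppercase letter": any(c.isupper() for c in password),
            "lowercase letter": any(c.islower() for c in password),
            "digit": any(c.isdigit() for c in password),
            "special character": any(c in string.punctuation for c in password),
        }
        errors += [f"missing {name}" for name, ok in classes.items() if not ok]
        return errors

    def is_reused(self, user, password):
        history = self.accounts.get(user, {}).get("history", [])
        return any(_hash(password, salt) == digest for salt, digest in history)

    def set_password(self, user, password, today):
        """Return a list of policy violations; empty means the change was accepted."""
        errors = self.complexity_errors(password)
        if self.is_reused(user, password):
            errors.append(f"matches one of the last {HISTORY_SIZE} passwords")
        if errors:
            return errors
        salt = os.urandom(16)
        acct = self.accounts.setdefault(user, {"history": [], "changed": today})
        acct["history"] = (acct["history"] + [(salt, _hash(password, salt))])[-HISTORY_SIZE:]
        acct["changed"] = today
        return []

    def is_expired(self, user, today):
        """True once the password is older than the maximum age."""
        return today - self.accounts[user]["changed"] > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    policy = PasswordPolicy()
    start = date(2003, 6, 1)
    for candidate in ["", "password", "Tr0ub4dor&3", "Tr0ub4dor&3"]:
        print(repr(candidate), policy.set_password("alice", candidate, start) or "accepted")
    print("expired after 91 days:", policy.is_expired("alice", start + timedelta(days=91)))
```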
An SLA is an agreement between an organization and a third party or a vendor providing critical services to the organization. SLAs usually describe the expected level of performance and the confidentiality of the organization's information. For example, an organization might not be able to afford a full-time IT staff to maintain its computer network. It may hire another company to install, upgrade, administer, and maintain the IT setup. An SLA can also be used inside an organization, describing what the company can expect from its IT employees and what procedures they should follow to perform their duties.
SLAs often include information on the maximum allowed downtime of the computer systems and the network; in other words, they describe the expected uptime. This figure is usually expressed as a number of nines (for example, 99.9 percent uptime), which makes the IT staff or the third-party IT maintenance company responsible for providing that level of system and network uptime. Table 11-4 shows how expected uptime and downtime are calculated.
A safe disposal and destruction policy for data should be in place to protect the organization from undesired leakage of confidential information by means of old computers that are either thrown away or sold to third parties. As time passes, the computer and network equipment become obsolete and are replaced by newer models with added features and functions. It is common for organizations to dispose of old and unused equipment, either by destroying it or by selling it to others. But before older servers and desktops are disposed of, it is important to make them free of any confidential data that may be stored on their hard disks. Data stored on magnetic tapes and floppy disks should be destroyed by using a degausser (also called bulk demagnetizer). Hard disks should be formatted to clear them of any data.
Similarly, documents printed on paper should not be put into recycle boxes without first shredding them. Printed documents might contain confidential information that could be used by an individual or a third party. As noted earlier, someone may go dumpster diving in order to obtain confidential information about the organization.
The human resources (HR) department works closely with all other departments of an organization, and particularly with the IT department, since most employees work on computers. An HR policy should be in place to specify what is to be done about employees' desktops and user accounts when people are hired, terminated, or promoted, or when they voluntarily resign. In some situations, people go on a long leave of absence, or an employee is involved in criminal activities and is being investigated. The HR policy plays an important role in ensuring the safety and security of the employees as well as the security of the organization's computer network. The HR staff is expected to contact the IT staff as soon as any of these events takes place. When an employee is hired, the IT staff is contacted to create a user account for him. When an employee resigns or is terminated, the IT staff is again requested to disable or delete his account. Similarly, when an employee is promoted or changes duties within the organization, his need to access computer resources also changes, and he may need higher privileges. The HR policy should serve as the guideline for how the interaction between the HR department and the IT department takes place.
Another term closely related to computer security is the code of ethics. The code of ethics describes how the employee is expected to work in the organization, and what principles are in place regarding racism, sexism, and other fair business practices. A code of ethics dictates that the employee is expected to abide by the law and by other rules and regulations of the organization. Employees may be required to sign a document that enforces the code of ethics in the organization—if an employee refuses to do so, she could face termination or dismissal.
The incident response policy describes how employees will respond to unexpected incidents involving personal safety, security, and other incidents involving the safety and security of the resources of the organization. The incident response policy describes what actions will be taken and who will take those actions in case of an untoward incident. This ensures that the right persons are selected to perform particular tasks, such as finding out the reasons behind the incident or preparing a report. The incident response policy has the following common elements:
How are incidents to be handled in an appropriate manner without causing a panic?
Who will be in charge of investigating and analyzing the reasons behind the incident?
Who will be in charge of finding an immediate and acceptable solution to the problem caused by the incident?
What other documents can be referred to in order to help resolve the problem?
Large organizations usually have a special incident response team, which handles all aspects of the incident from initial collection of evidence to preparation of the final report.
Privilege Management involves administrative tasks that control access to the shared network resources. Access control allows administrators to assign access permissions for internal and external users. In most cases, the access to resources is based on job functions of users or groups of users. In this section, we will summarize some basic concepts behind privilege management to ensure security of the organizational data and other network resources.
Every user in a computer network is assigned a user account. The user account can further be a member of a group of users. Administrators are responsible for creating and managing user accounts and groups, and assigning them permissions on the basis of their roles (job functions) in the organization. The administrator himself is assigned a user account with higher privileges. Access to shared resources is restricted by means of permissions. When a user leaves an organization or is terminated, his user account is disabled. Users are given permissions to resources based on the rule of least privilege.
Single sign-on enables users to log on and be authenticated to the corporate network once, and then to access resources in all parts of the network for which they have been assigned appropriate permissions. Network operating systems (such as Windows Server 2003) store and maintain user accounts in multiple Active Directory database servers known as domain controllers. When a change is made to a user account or to the permissions assigned to it, the change is replicated to all domain controllers in the network.
Network servers can be located either at a centralized location or distributed across multiple locations, depending on the requirements of the organization. For a small or medium-sized organization, all servers can be located at a centralized location in secure server rooms. Access to these rooms can be restricted to authorized administrators only. In large organizations with multiple geographical locations, servers can be spread across locations to simplify administration and maintenance tasks. The IT staff at each location is responsible for configuring the security of these servers. Decentralization has the added benefit of fault tolerance: a particular server at one location can have its mirror at another location, so that if one fails, the other is available to service user requests. The advantage of centralizing servers is ease of administration and tighter physical security. At the same time, a centralized location is not considered optimal from the disaster recovery and business continuity viewpoints.
Auditing, as discussed in the beginning of this chapter, is the process of tracking the actions of users and services on a particular server or on the entire network. Auditing helps administrators troubleshoot and keep an eye on user actions, and supports regular monitoring of network activity so that corrective action can be taken if something goes wrong. Auditing requires significant planning and configuration on servers and network equipment. The events that are tracked are written to log files that can be analyzed at any time. Auditing also helps investigate the criminal activities of a malicious user, and audit logs are used as evidence against the person involved. For example, if a user tries to log on to the network when he is not supposed to, or tries to access resources he is not permitted to use, the audit logs reveal this. If someone tries to log on to the network using another user's account, the audit logs can help track the source of this illegal attempt.
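The three situations the paragraph names (logons outside permitted hours, repeated attempts on resources the user is not permitted to use, and an account used from another user's workstation), plus repeated failed logons, checked against constructed audit log lines. Added example, not from the original text; the line format, the policy table of permitted hours and assigned workstations, and the thresholds are all assumptions.

```python
"""Review of constructed audit log entries for the situations named in the text.

Added example, not from the original text. The "timestamp EVENT key=value ..."
line format, the policy table and the thresholds are assumed for illustration.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample entries (the object names are UNC share paths).
SAMPLE_LOG = r"""
2003-06-02 09:02:11 LOGON user=bob host=WS-BOB result=SUCCESS
2003-06-02 10:15:30 ACCESS user=bob host=WS-BOB object=\\FS1\Payroll result=DENIED
2003-06-02 10:15:31 ACCESS user=bob host=WS-BOB object=\\FS1\Payroll result=DENIED
2003-06-02 10:15:32 ACCESS user=bob host=WS-BOB object=\\FS1\Payroll result=DENIED
2003-06-02 11:00:00 LOGON user=alice host=WS-BOB result=SUCCESS
2003-06-02 23:40:05 LOGON user=bob host=WS-BOB result=SUCCESS
2003-06-03 02:10:00 LOGON user=carol host=WS-CAROL result=FAILURE
2003-06-03 02:10:04 LOGON user=carol host=WS-CAROL result=FAILURE
2003-06-03 02:10:09 LOGON user=carol host=WS-CAROL result=FAILURE
2003-06-03 02:10:15 LOGON user=carol host=WS-CAROL result=FAILURE
"""

# Assumed policy table: permitted logon hours and each user's assigned workstation.
PERMITTED_HOURS = (8, 18)          # 08:00 up to, but not including, 18:00
WORKSTATION = {"bob": "WS-BOB", "alice": "WS-ALICE", "carol": "WS-CAROL"}
DENIED_THRESHOLD = 3               # repeated denials on the same object
FAILED_LOGON_THRESHOLD = 3         # repeated failed logons for one account

LINE = re.compile(r"^(\S+ \S+) (\w+) (.*)$")


def parse(text):
    """Turn log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        stamp, kind, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in rest.split())
        fields["time"] = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        fields["event"] = kind
        events.append(fields)
    return events


def review(events):
    """Return (rule, user, detail) findings in the order they are triggered."""
    findings = []
    denied = Counter()
    failed = Counter()
    for e in events:
        user = e["user"]
        if e["event"] == "LOGON" and e["result"] == "SUCCESS":
            hour = e["time"].hour
            if not (PERMITTED_HOURS[0] <= hour < PERMITTED_HOURS[1]):
                findings.append(("after-hours logon", user, e["time"].isoformat()))
            expected = WORKSTATION.get(user)
            if expected and e["host"] != expected:
                findings.append(("logon from another user's workstation", user, e["host"]))
        elif e["event"] == "LOGON" and e["result"] == "FAILURE":
            failed[user] += 1
            if failed[user] == FAILED_LOGON_THRESHOLD:   # report once per burst
                findings.append(("repeated failed logons", user, e["host"]))
        elif e["event"] == "ACCESS" and e["result"] == "DENIED":
            key = (user, e["object"])
            denied[key] += 1
            if denied[key] == DENIED_THRESHOLD:
                findings.append(("repeated denied access", user, e["object"]))
    return findings


if __name__ == "__main__":
    for finding in review(parse(SAMPLE_LOG)):
        print(*finding)
```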
MAC, DAC, and RBAC are different types of mechanisms used to control and restrict access to system and network resources. For more details on access control methods, refer to the section "General Security Concepts" covered earlier in this chapter.
Computer forensics is the application of computer expertise and skills to establish factual information about an incident for a judicial review. It involves activities such as collecting and preserving evidence, examining evidence, and transferring it using electronic media. Presentation of evidence is also considered an aspect of this. Computer forensics is done using a method that adheres to standards of evidence that are acceptable in a court of law. It is important that these standards are followed when collecting and preserving evidence so that the evidence is not damaged in a way that would let lawyers dispute its validity and lead judges to rule it inadmissible.
It is important that users are made aware of the consequences of incidents that may lead to criminal investigations. If there is some incident that is considered a criminal activity, it should be reported to the incident response team. This team follows the incident response policy of the organization in order to deal with the incident. Each person on the incident response team has a specific role. Criminal investigations consist of people performing the following activities:
Identifies and protects the crime scene. He also preserves any evidence that may be volatile (information that may change over a period of time).
Establishes a chain of command/chain of custody and conducts a search of the crime scene. He is responsible for maintaining the integrity of the evidence.
Is responsible for preserving volatile evidence and duplicating computer disks. He shuts down the system for transportation, logs activities, tags the system, packages the system, and makes arrangements for transportation. He is also responsible for processing the collected evidence, such as performing analysis of log files or screen captures.
A chain of custody describes how evidence is transferred from the crime scene to the court of law. Evidence has to be handled using standard procedures, and proper documentation is created at each step. The chain of custody specifies the personnel responsible for maintaining and preserving the evidence right from the crime scene. Each piece of evidence is kept inside a sealed bag, no matter how small or large it is. Sealed bags are tagged and signed. The chain of custody is detailed in the evidence log, which specifies the persons who have had possession of the evidence or worked on it. Each time the evidence is transferred from one person to another, or from one place to another, a log entry is written to the documentation.
Preservation of evidence refers to maintaining the integrity of the evidence. In computer forensics, it is important to protect pieces of data and equipment from damage so that the original evidence remains unaltered. The following are important aspects of preserving evidence:
Steps should be taken to preserve the volatile data first.
Photographs of screens should be taken to capture the data displayed on monitors at the time of the incident.
Images of hard disks should be made using accepted imaging tools.
The system should be shut down using normal shutdown procedures.
Photographs of the existing system setup should be taken before moving any piece of hardware.
Each piece of hardware should be unplugged and tagged.
Appropriate safety procedures should be followed when handling hardware. These include using antistatic wrist straps with proper grounding.
Circuit boards, hard disks, and other smaller pieces of hardware should be placed inside antistatic plastic bags.
All equipment should be kept away from strong electromagnetic fields, radio frequencies, and heat sources.
Aside from the steps given here, all steps taken to preserve evidence should be documented in appropriate logs.
Collection of evidence is the process of identifying, locating, processing, and appropriately documenting evidence. It starts by securing the scene of the crime (for example, a server room) and preventing unauthorized personnel from entering the area and accessing the evidence. Once the evidence is identified and secured, the investigation team can start examining it and take steps to collect it. Collection of evidence from servers can be done in a variety of ways, such as reviewing audit log files and screen displays, and recovering data files using acceptable software utilities such as SafeBack, EnCase, and ProDiscover. These utilities are recognized by investigating agencies and are capable of performing several checks on recovered data to ensure its integrity. The collected data must then be preserved in order to protect it from damage. Once again, volatile data must be collected and preserved before any other type of evidence. Steps taken in the collection of evidence should be recorded in appropriate logs.
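The chain-of-custody log described earlier, the disk imaging step under preservation of evidence, and the integrity checks on recovered data mentioned above all come down to the same two records: a cryptographic hash of the evidence taken at collection, and a log entry for every hand-off that repeats that hash. The Python class below is an added example written for this chapter, not the workflow of SafeBack, EnCase or ProDiscover; the item identifier, custodian names and disk image bytes are constructed. Each log entry also carries the hash of the previous entry, so an edit to an earlier entry is detectable when the log is checked.

```python
import hashlib
import json
from datetime import datetime, timezone


def sha256_of(data: bytes) -> str:
    """Hex SHA-256 of a byte string (the image, or a serialized log entry)."""
    return hashlib.sha256(data).hexdigest()


class EvidenceLog:
    """Append-only custody log for one evidence item.

    Every entry records who held the item, when, what was done, the SHA-256 of
    the image at that moment, and the hash of the previous entry, so both
    alteration of the evidence and alteration of the log are detectable."""

    def __init__(self, item_id, description, image: bytes, collected_by, when=None):
        self.item_id = item_id
        self.description = description
        self.original_hash = sha256_of(image)   # taken once, at collection
        self.entries = []
        self._append(collected_by, "collected, imaged and sealed", image, when)

    def _append(self, custodian, action, image, when):
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {
            "seq": len(self.entries),
            "custodian": custodian,
            "action": action,
            "time": (when or datetime.now(timezone.utc)).isoformat(),
            "image_hash": sha256_of(image),
            "prev_entry_hash": prev,
        }
        entry["entry_hash"] = sha256_of(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def transfer(self, to_custodian, image: bytes, when=None):
        """Record a hand-off; refuse it if the image no longer matches the original."""
        current = sha256_of(image)
        if current != self.original_hash:
            raise ValueError(
                f"integrity failure on {self.item_id}: {current[:12]}... != {self.original_hash[:12]}..."
            )
        return self._append(to_custodian, f"transferred to {to_custodian}", image, when)

    def verify(self) -> bool:
        """Check the entry chain and that every entry saw the original image hash."""
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_entry_hash"] != prev or e["image_hash"] != self.original_hash:
                return False
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if sha256_of(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


# Constructed stand-in for a disk image; a real one would be the imaging tool's output file.
DISK_IMAGE = b"constructed disk image: boot sector + filesystem bytes"


def demo():
    """Walk the image through three custodians, then show both failure modes."""
    log = EvidenceLog("EV-0001 (example id)", "web server hard disk image", DISK_IMAGE, "first responder")
    log.transfer("evidence technician", DISK_IMAGE)
    log.transfer("forensic analyst", DISK_IMAGE)
    ok_before = log.verify()
    try:                                       # altered image: hand-off is refused
        log.transfer("court clerk", DISK_IMAGE + b"\x00")
        image_tamper_caught = False
    except ValueError:
        image_tamper_caught = True
    log.entries[1]["custodian"] = "someone else"   # altered log entry: verify() fails
    return ok_before, image_tamper_caught, log.verify()


if __name__ == "__main__":
    print(demo())
```

The log deliberately has no method to delete or rewrite an entry; corrections are made by appending a new entry that says what was wrong, which is how a paper evidence log is handled as well.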
Educating and training users is one of the important aspects of creating a safe and secure working environment. Organizations may go for in-house training or can hire a professional training company to provide training to users. This is an ongoing process, especially when new equipment is installed or a new application is implemented. This training applies to employees of all departments of the organization.
Users must know the different methods available to communicate with their peers, their supervisors, management, and employees in other departments. Telephone and email are considered the most common and effective means of communication. For employees at remote locations, corporate intranets enable them to send internal memos and emails through the intranet. Some organizations allow Instant Messaging (IM) inside the corporate network to enable employees to talk to each other or to allow employees in a specific department to collaborate on an ongoing project. Organizations can use different security mechanisms to protect internal communications from eavesdroppers. For example, email can be encrypted so that only the intended recipient can read the message, or digitally signed so that the recipient can verify who sent it.
In any organization, small or large, employees are expected to follow the rules and regulations. Computer users, in particular, should be aware of the issues related to good work ethics and rules governing their work inside and outside the organization. It is necessary that users are made aware of rules, regulations, and security issues in order to create and maintain a secure working environment. Administrators must take steps to make the users aware of their responsibilities and of what is expected of them. This can be done by keeping users informed about existing rules, policies, and any periodic changes.
User education is the primary means of enhancing skills and expertise in users' respective fields. Where security is concerned, educating users about security issues and methods to tackle them is important. Users should be made aware and educated on how to handle minor as well as major issues concerning security of equipment and data resources.
There are a number of online resources available to educate and train users. These resources are also helpful in keeping users informed about any new developments in their field. For example, most software vendors post security patches, updates, hotfixes, and service packs on their web sites, which are free to download. Similarly, hardware vendors post updates on their web sites. Making users aware of these resources is very helpful in keeping them informed and educated. In some cases, free education and training resources are made available online by vendors. Aside from this, there are several articles on the Internet that might be helpful in resolving technical and security-related issues. Microsoft's Knowledge Base is just one example of such an online resource.
Risk identification is the process of identifying assets, risks, threats, and vulnerabilities in a system. A risk is the possibility of incurring some loss due to unexpected situations. It is only the possibility of a loss and does not necessarily mean that the loss will occur. For example, a disaster such as a fire or a flood can potentially cause a heavy loss to an organization in terms of lost business and lost clientele. Risks can be caused by internal or external sources. It is necessary that all forms of risk are evaluated and that the threats behind these risks be identified.
Assets are the physical property and resources that belong to an organization such as servers, desktops, network equipment, printers, scanners, and critical data stored on servers. Even furniture and office supplies are considered to be assets of an organization. The organization needs to take steps to identify all types of assets and make an evaluation. This helps identify the costs involved in replacing a particular asset. Important assets that are critical to the functioning of an organization's business should be identified and tagged. Inventory should be taken and lists should be prepared. This helps decide what assets will be replaced on a priority basis in the event of a disaster. Even employees are the assets of the organization.
Different types of assets have different types of risks associated with them. After collecting information about assets, the organization needs to identify and assess the type and severity of the risks associated with each type of asset. In order to make an assessment of risk, organizations may get help from insurance companies, police departments, news agencies, or other investigating organizations. The likelihood that a risk will occur within one year is known as the Annual Rate of Occurrence (ARO). The dollar value of the loss from a single occurrence of the risk is known as the Single Loss Expectancy (SLE). Multiplying ARO by SLE gives the Annual Loss Expectancy (ALE), the expected dollar loss from that risk over one year. Thus, the formula for calculating the loss resulting from a risk is as follows:
ALE = ARO × SLE
For example, consider a critical data server that has failed. The organization was running e-commerce services using this server. The ARO for the server is 30 percent and its SLE is $20,000. The ALE for the server would be calculated as follows:
ALE = 0.3 × 20,000
The result is $6,000. Thus, the ALE resulting from the risk associated with the data server will be $6,000.
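In practice the calculation is carried out for every identified asset and threat pair, and the resulting ALE values are what decide which assets get protected or replaced first (the priority ranking mentioned under asset identification). The Python code below is an added example, not from the chapter, that generalizes the single calculation above to a small risk register: the first row uses the chapter's figures (ARO 0.3, SLE $20,000) and the other rows are constructed. It also rejects negative inputs, and allows an ARO above 1 for events expected several times a year.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskEntry:
    asset: str
    threat: str
    sle: float   # Single Loss Expectancy: dollar loss from one occurrence
    aro: float   # Annual Rate of Occurrence: expected occurrences per year


def annual_loss_expectancy(aro, sle):
    """ALE = ARO x SLE. ARO may exceed 1 (an event expected several times a
    year) but can never be negative; SLE is a dollar amount, also non-negative."""
    if aro < 0 or sle < 0:
        raise ValueError("ARO and SLE must be non-negative")
    return aro * sle


def rank_register(register):
    """Return (asset, threat, ALE) rows from largest to smallest annual loss,
    the order in which protection or replacement would be prioritized."""
    rows = [(r.asset, r.threat, annual_loss_expectancy(r.aro, r.sle)) for r in register]
    return sorted(rows, key=lambda row: row[2], reverse=True)


def total_ale(register):
    """Expected annual loss across the whole register, a budgeting figure."""
    return sum(annual_loss_expectancy(r.aro, r.sle) for r in register)


# Constructed register: first row uses the chapter's figures, the rest are made up.
REGISTER = [
    RiskEntry("e-commerce data server", "hardware failure", sle=20_000, aro=0.3),
    RiskEntry("branch office", "fire", sle=150_000, aro=0.05),
    RiskEntry("staff laptops", "theft", sle=2_500, aro=4.0),   # about one per quarter
    RiskEntry("core switch", "failure", sle=8_000, aro=0.5),
]


if __name__ == "__main__":
    for asset, threat, ale in rank_register(REGISTER):
        print(f"{asset:25s} {threat:18s} ALE = ${ale:,.0f}")
    print(f"total expected annual loss: ${total_ale(REGISTER):,.0f}")
```

Note how the ranking differs from a ranking by SLE alone: the laptops have the smallest single loss in the register but the largest annual loss, because theft is expected far more often than a fire.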
Identification of threats is usually done after the identification of risks. Identification of risks may lead to identification of possible threats to a system. Organizations must make sure that risk assessment is properly calculated in order to reduce the possibility of threats. Appropriate steps should be taken to avoid potential threats. It is important to identify the threats and decide how a particular threat can be dealt with. For example, if an organization concludes that the risk to its assets, and the cost of those assets, is too high, it may move the assets to another secure location where the threats can be reduced. Threats commonly include incidents involving vandalism, theft of equipment or data, physical and software intrusions, and other situations varying from one organization to another.
Vulnerability is defined as the weakness of a system. It can lead to exposure of critical and confidential information. Vulnerabilities can lead to internal malicious activities or even outside security attacks. Every software application is vulnerable, if not configured and secured properly. Failing to secure server and desktop hardware, operating systems, and software applications can be fatal for an organization that depends on computers to run its business.
Removing a known vulnerability is the only way to secure a system and protect it from unexpected damage. It is important to note that the threat of malicious activity, internal or external, will exist until the vulnerability is removed. Keeping the OS/NOS and application software virus-free and up to date with the latest security patches, hotfixes, and service packs is helpful in reducing vulnerabilities.
Organizations must make sure that proper security policies are implemented and all software applications are scanned for viruses, as well as kept up to date with the latest security updates and service packs.