INTRODUCTION

Although the history of the Internet is relatively short, its growth has been dynamically explosive. The number of Internet users worldwide has grown from 95 million to 130 million in 1998, and it is projected that there will be 350 million users in the year 2003 (eMarketer, 1998). The Internet is a worldwide collection of networks that links together millions of computers by various means, such as modems, fiber optic lines, routers, and servers. It provides connections to businesses, the government, industries, educational institutions, and individuals. Each of these organizations has become increasingly dependent on networks and distributed computing and processing systems. Furthermore, because they possess a critical and integral asset of information, internetworking security and what measures to protect this information has become a major area of concern. In this report we will address the key concepts of network security, common network vulnerabilities, network security threats and attacks, security measures and tools, and the development of a network security policy and proper violation response plan. A breach in network security could cost your company a great deal in lost productivity, lost data, repair work, and loss of confidence among customers, partners, and employees. But these damages are preventable. You just need a solid security strategy and a wellplanned implementation. With the explosion of the public Internet and e-commerce, private computers and computer networks are increasingly vulnerable to damaging attacks. Hackers, viruses, vindictive employees, and even human error all represent clear

and present dangers to networks. And all computer users, from The most casual Internet surfers to large enterprises could be affected by network security breaches. With the rapid explosion of e-commerce and the Internet as a serious business tool, a lot of attention has been given to information security. Helping businesses securely manage information has become a multi-billion dollar industry. Companies such as Verisign, Microsoft, Cisco, Oracle and SUN Microsystems, to name a few, all spend a significant amount of time and money developing their services with security in mind. .

For purposes of this document, rather than describe what security is, well discuss the needs that security should fill. Well address the need for physical security, back-ground checks, firewalls, access codes, to-kens and other methods all designed to protect ones information. In general, the need for security can be summed up as follows
Now we talks about network security, what it is?

Network security is an ongoing process; as technology progresses and your business evolves, it will be more important than ever to keep up with your changing security needs Protective measures to ensure the absence of intrusion or other damaging activity.
Benjamin Field Securityfocus.com

Network security involves all activities that organizations, enterprises, and institutions undertake to protect the value and ongoing usability of assets and the integrity and continuity of operations. An effective network security strategy requires identifying threats and then choosing the most effective set of tools to combat them. With such a wide range of companies engaged in the information security business, it begs the question, What exactly is security? Security means different things to different people depending on their age, position within a company or access to top secret information.
The needs for security

1. Keep outsiders from entering the organization and gaining access to sensitive or private information. Access can be gained physically or virtually. 2. Prevent unauthorized information from leaving the premises.
4

3. Monitor and control internal employees access to information and systems.

Basic approach

The first step in developing a security policy is recognizing the need for one. To begin designing the policy, it is important to first determine what the policy should cover. Additionally, the policy should be integrated and cohesive with existing organizational policies within the company. In general, by asking yourself the following questions, you should be able to deter-mine how robust your security system needs to be, as well as ensure that the security yields cost benefits. 1. What am I trying to protect? 2. From what and whom do I need to protect it? 3. How likely are the threats and whatare the consequences if they happen? 4. Can the assets be covered in a cost-effective security manner? 5. And finally, have I reviewed the process and improved any weaknesses? Once you have the answers to these questions, you can begin designing an information security process. The process should take into consideration that information is valuable to your company and that you have exclusive right to the information. The information and systems must be protected from fraud, disclosure, and intentional misuses. Additionally, the data and software must be securely stored and guarded. The policy should define ac-accountability for information at each employee level. The security policy developed must con-form to existing policies, rules, regulations and laws to which the organization is subject. Another important
5

element that of-ten is overlooked is the value of collaboration when designing policies. A security policy should be a joint effort by technical Personnel who understand the full ramifications of the proposed policy and the implementation of the policy, and by the decision makers who have the power and responsibility for enforcing the policy. Without the joint development process, the organization risks implementation of a process that is neither enforceable nor useable.
Identifying the assets, What am I trying to protect?

Part of a risk analysis involves identifying all things that need to be protected. Some things are obvious, like the various pieces of hardware or cardholder data. Others are apt to be overlooked, such as people who actually have access to the systems. It is essential to list all things that could be affected by a security problem or potential threat. A list of categories should include: 1. Data. Stored online, archived off-line, backups, audit logs, databases, in transit over a communication media, during execution, and during delivery (physical or otherwise) This can include cardholder data, merchant specific data, ACH files, contract information, rate information, contact information, etc. 2. Supplies. Paper, forms ribbons, magnetic media. 3. Hardware. Including CPUS, keyboards, terminals, terminal servers, routers, firewalls, disk drives, communication lines, printers, personal computers and laptops. This should include not only the hardware used for actual processing, but also the hardware used to view data and access the
6

data. This might also include hardware systems used for access to the facilities and systems (tokens or smart cards). 4. Software. Often includes source pro-grams, utilities, backup operating systems, communication programs, object programs, source code itself, web con-tent and e-mail systems. 5. People. Users of the systems, people needed to run systems, contract personnel for hardware and software. The U.S. Department of Commerce lists insiders as the number one threat to informa-tion.6. 6. Documentation. Documentation often is overlooked, but should include documentation of programs, hardware, systems, local and remote administrative procedures. After identifying all of the assets, assign a value to them according to loss of business, contract obligations and legal ramifications should the assets be compromised. Some-times it helps to assign a monetary value, however, this is not necessary for each item. Once ranked in a matrix, the next step is to identify the threats to the assets.
Identifying the threats

When examining the possible threats, a business should consider both internal and external sources. The threats should be examined with the perspective of what the potential loss might be according to the protected assets. A common threat is disclosing information. It is necessary to determine how valuable and sensitive the information stored on the computer systems is. This could be a pricing proposal, a technical paper or perhaps guides to future product development market initiatives. Consider placing passwords and encrypting potentially valuable information. How
7

many computers in businesses today, using only a basic password, contain access to this sort of valuable data? Unfortunately too many businesses ignore this easy-to-implement practice. One of the most common threats is unauthorized access to computing facilities. Unauthorized access is the use of any computer resource or facility without prior permission to use those resources that can take place in a variety of ways. One way is by the use of another persons account to gain access to a system, facility or application. Perhaps one of the greatest threats to recently emerge is the denial of service. Everyone is familiar with the recent attacks on eBay or Yahoo where repeated attacks from thousands of computers forced the sites to shut down. Another high profile example is the I Love You virus that affected hundreds of thousands of systems worldwide. The impact ranged from a minor inconvenience at the mail server, to absolute shut down of corporate systems. Both examples show the importance of protecting systems and businesses against these types of attacks and the potential for monetary impact. Each business has its unique needs and should determine which services are essential, and for each of the essential services, determine the effect to the service or productivity should that business portion become disabled.

NETWORK SECURITY THREATS AND ATTACKS

When a network is connected to the Internet to increase information sharing, communications, or productivity, the network is vulnerable to potential intrusions and attacks. Areas where potential intruders can enter may be dial-up access points, network connections, or misconfigured hosts. Misconfigured hosts, frequently overlooked as points of network entry can be network systems that (1) use unprotected login accounts (such as guest accounts), (2) employ extensive trust in remote commands, (3) have illegal modems attached to them, or (4) use easy-to-break passwords (Cisco Systems, 1997). Security threats are classified as passive or active (Stallings & Van Slyke, 1998). Passive attacks involve eavesdropping on, or monitoring, transmissions without actually
9

disturbing the network. The main concern of the point of vulnerability in the net-work is eavesdropping by another employee or unauthorized user. Data is transmitted in the form of frames or packets containing the source and destination address, and other related information. An eavesdropper can monitor the traffic of this information on the network. Individuals who attempt to read privileged data, perform unauthorized modification to data, or disrupt the system, on the other hand, carry out active attacks. There are many ways in which to attack the network security. These security attacks target the key elements of the network security architecture as aforementioned: Authentication Attacks (Unauthorized access) These types of attacks occur when a user manipulates system resources or gains access to system information without authorization by either sharing logins or passwords or using an unattended terminal with an open session. Password attack is a frequently used method of repeating attempts on a user account and/or password. These repeated attempts are called brute force attacks (Cisco Systems, 1999). They are performed using a program that runs across a network and attempts to log into a shared resource, such as a server. Confidentiality Attacks (Network Snooping/Sniffing) Because network computers communicate serially (even if networks communicate in parallel) and contain limited immediate buffers, information and data are transmitted in small blocks or pieces called packets. The attackers use a variety of methods known collectively as social engineering attacks (Cisco Systems, 1999). With the use of dozens of freeware and shareware packet snuffers available,
10

Which do not require the user to understand anything about the underlying protocols, the attackers would capture all network packets and thereby the users login names, pass-words, and even accounts. The intruders usually take advantage of human tendency, e.g. using a single, same password for multiple accounts. More often they are successful in gaining access to corporate sensitive and confidential information. Some snooping attacks place the network interface card in promiscuous mode, while other packet snuffers capture the first 300 bytes of all telnet, file transfer protocol (FTP), and login sessions. Integrity Attacks (Message Alteration, Delay, and Denial) In this type of attack, data or information is added, removed, or modified in transit across the network. This requires root access to the system or a router. If a program does not check buffer limits when reading or receiving data, this opening can be exploited by an attacker to add arbitrary data into a program or system. When run, this data gives the intruder root access to the system. Integrity attacks can create a delay, causing data to be held or otherwise made unavailable for a period of time. The attackers flood the network with useless traffic, making the system extremely slow to serve the customers, and in the extreme case, causing the system to crash. They could also cause the data to be discarded before final delivery. Both delay and denial attacks can result in the denial of service to the Network users. Access Control Attacks (Address Masquerading) An attacker listens to the network traffic, finds the Internet Protocol (IP) address of a trusted host or system, configures his/her own network inter-face,
11

and transmits the message as if from the trusted host. This is called IP address masquerading or IP spoofing. Like packet sniffers, IP address masquerading is not restricted to people who are external to the network

TOP 10 LIST OF PROACTIVE SECURITY MEASURES

1. Security Policy: Develop a security policy. This will limit liability exposure and is the basis for applying appropriate security to the enterprise telecommunications infrastructure. 2. Security Awareness: Implement a strong security awareness, training and education program. 3. Monitor Access: Know who, when, why and how users are accessing your systems. 4. Routine Backups: Routinely back up all systems, store backups off-site and test the backups. 5. Integrity Checks: Run system integrity checks and compare using off-line encrypted checksums. 6. Check Reusable Passwords: Routinely scan for bad passwords, or better force the use of good passwords. Consider using one-time passwords or hand-held tokens for authentication, especially over the Internet. 7. Audit: Dont just audit, but use the audit data for intrusion detection by audit reduction and analysis.
12

8. Secure Mobility: Encrypt all data on laptops leaving the premises. 9. Physical Security: Physically secure all laptops, desktops, servers and peripherals after business hours. 10. Limit Access: Limit Internet access to those with a real need.

TOOLS SECURITY
Firewalls

FOR

INFORMATION

Remember the good days when a firewall was something you found in the front of your Chevy. Well, in todays high-tech world, a firewall serves the same purpose, but for a network. Much the same as a Firewall is put in a car to provide a point of resistance to a burning or hot engine, a firewall on a network performs the same type of functionality for a computer sys-tem. There are three main types of firewalls: 1) A packet filter, 2) A hybrid or 3) A proxy. A packet filter firewall examines each IP packet crossing the net-work, and based upon a set of rules, either lets the packet through, or denies access. A proxy firewall actually acts as a secure gateway between net-works. The proxy authenticates data and al-lows only specific information to enter or leave the secure side of the proxy. Often times, proxy servers are referred to as application level firewalls, protecting the network (inbound or outbound) depending on
13

the specific application in use. Proxy firewalls are one of the most secure. For that reason, administration of a proxy firewall can take special skills and discipline in keeping it accurate. The third type of a firewall actually is a hybrid between the two, providing the functionality of the packet filter with an increased security level found in a proxy. A proxy firewall works much the same as a packet filter, except that a host would be in place between each of the stations desiring access to the Internet or outside services. This often is referred to as dual homed host architecture. The proxy server doesnt always forward users requests to Internet services; it controls what users do because it makes decisions about the requests it processes based on the companys security policy. Additionally the proxy server can control what access comes in to the network. A proxy service sometimes is more of a soft-ware solution, and not necessarily firewall architecture per se. below is a diagram showing a proxy service in place with a dual-homed host. According to Visas Cardholder Information Security Program, a firewall mechanism is to be put into place so that all electronic cardholder data is protected from unauthorized access during all phases of its life, from generation to destruction, and to en-sure that it cannot be compromised, released to any unauthorized entity or otherwise have its confidentiality or integrity placed at risk. The firewall mechanism must be built and maintained using the model of least privilege. All access is to be on a need-to- know basis, and more importantly, all access to cardholder data will be restricted to personnel who need to access said data to perform their stated job function only.
14

Management of system passwords

Going back a few years, employees used secret handshakes and code words to identify their right to use facilities or enter a building. Alpha bravo five, left shake right shake four finger dribble provided access to ever trade secret in the organization. This age-old tradition actually is still in place today, just in a different format. Now, systems and applications can assign, log and track an employees access to the network or facility by use of passwords and system identification numbers. Each employee, contractor, or vendor accessing an organizations system should have a unique user ID and a private password. In addition, personnel needing access to systems, building infrastructure, networks and applications that access data in the organization should have prior written approval from an appropriate manager or supervisor. Requests for changes to account access also should

15

follow established written procedures. Some common guidelines for pass-word Management includes: 1. Avoid dictionary words. 2. Use both numbers and letters. 3. Difficult passwords that cannot be remembered. 4. Easily guessed names, such as a street address or product name. 5. Change passwords every few weeks Dont allow users to re-select previous passwords. 6. If a user has multiple attempts to sign on with an incorrect password, block all access after a certain number of tries. One of the simplest tools to implement with passwords is a shutdown of the application after a certain period of inactivity, say five minutes. This is critical for applications containing cardholder data. This way if a user unexpectedly steps away from the workstation, the system is not left vulnerable for a lengthy period of time. Additional measures should include training personnel to log off of the system when leaving the workstation. Another method of authenticating users that is catching on rapidly is the use of a token or a physical device to validate the users identity. The most popular are smart cards. When users sign into a system, they are asked for a password; in addition they are prompted to insert a smart card. The system then validates both the smart card and the password prior to allowing the user to continue the session. Other authentication methods use the human body as a token. This is most often referred to as biometrics. Biometrics serves as a gatekeeper of confidential information where authentication and the personal security of remote users are essential. Biometrics is the ultimate password replacement.
16

The question a password seeks to answer is, Does this user possess the right information? With biometrics, the fundamental question that is answered is, Is this the right person? Biometric authentication methods include fingerprint validation, iris scans, voice recognition and other non-invasive methods to validate unique aspects of the user. Again, as with smart cards, the user can (at the discretion of the security policy) be required to supply a password that works in conjunction with the biometric scan. To gain the most out of passwords and token systems, establish multiple controls and levels for the passwords. With a pass-word or smart card, it becomes easy to limit where an employee can go on the network. While many persons in the organization need cardholder information, many do not. Passwords protect or re- quire secure authentication from users prior to allowing access to applications that pro-vide this data.

Encryption

1. Encryption is an important tool in that even if other controls such as passwords or firewalls are compromised, the data is still is unusable. Data Encryption Standard (DES) is perhaps the most widely used data encryption mechanism. In a nutshell, DES uses an algorithm and a key value to take Plain text and encrypt the data. Another encryption method is Secure Sockets Layer (SSL) that often is used to transmit data in a secure method over the Internet. Several types of encryption packages are available on the market today. They range from complex
17

software solutions to external hardware encryption devices (such as Attalla or Racal encryption devices). While both serve similar purposes, hardware encryption devices typically are much faster than a software solution. Many common software packages provide encryption tools for use by the operator or author when storing data or saving files. Perhaps one of the main advantages to encryption is that only machines or operators in possession of the key can restore the encrypted text to a readable format. When providing access to keys, the user should be instructed not to write the key down or keep it in a physical place close to the secured data. When using cryptographic keys to store cardholder information, or to access Cardholder information, it is vital that the integrity of the keys not be compromised. For this reason, whether it is Personal Identification Number encryption, or PIN pad encryption processes, key management controls should be implemented. The key management controls should be clearly Defined, written and audited on a regular basis. 2. Encryption is the process of transforming plaintext into unreadable form (called cipher text) using a mathematical process (RSA Data Security, 1998). An encryption system includes four elements: (1 the Plaintext, the raw data or message to be encrypted, (2) the cryptographic algorithm, a mathematical method that determines how plaintext is to be combined with a key, (3) the key, a string of digits, and (4) the cipher text, the encrypted message. The longer the key string digits, the more difficult the encrypted data is to break. In theory, trying all possible keys in sequence can break any crypto18

graphic Method with a key. If a brute force is used to attack the crypto-graphic algorithms, the required Computing power increases exponentially with the length of the key. There are two classes of keybased mechanisms, symmetric (private-key or secret-key) and asymmetric (public-key) algorithms (SSH Communications Security, 1999). The difference between the two is that private-key algorithms Use the same key for encryption and decryption, whereas public-key algorithms use a different key for encryption and decryption, and the decryption key cannot be derived from the encryption key. In general, symmetric algorithms are much faster to execute on a com putter than asymmetric ones. In practice, however, they are frequently used together. Asymmetric algorithm is used to encrypt a randomly generated encryption key, and a random key is used to encrypt the actual message using a symmetric algorithm. Cryptographic algorithms, both asymmetric and symmetric, are widely used in network security. The followings are some of the popular algorithms: Public-Key Algorithms RSA (Rivest-Shamir-Adelman) encryption is the most commonly used public-key algorithm. The security of RSA relies on the difficulty of factoring large integers. With the advancement of computing power, currently 512- bit keys are considered weak against brute force attacks, 1024- bit keys are secure enough for most purposes, and 2048-bit keys are likely to remain secure for Decades (SSH Communications Security, 1999). Diffie-Hellman Algorithm involves two-way communications across the Internet without
19

exchanging keys. Each party obtains the public key for the other from a certificate authority and performs a special calculation using a discrete logarithm with their own private keys. The result Of the algorithm will be the same for both parties. Pretty Good Privacy (PGP) is an emerging encryption mechanism for protecting the privacy of Network files and e-mail. It provides the means for encrypting the files and e-mails, creating public and private keys, maintaining a database of public keys, adding digital signatures to documents, and certifying keys and obtaining keys from key servers (Sun Microsystems, 1999). PGP runs on virtually every operating system, such as UNIX, Windows, DOS, OS/2, and Mac OS. Elliptic Curve Cryptography (ECC) is an emerging network security technology that allows longer key size while decreases overhead and latency. ECC uses an algebraic system that is defined on the points of an elliptic curve to provide public-key algorithms. These algorithms can be used to create digital signatures, and provide a secure means to transmit confidential information. More applications of ECC algorithms have been identified, such as financial transfers and wireless data transmissions that require intensive use of signing during the process of authentication. They are performed at high-speed and with limited bandwidth (Sun Microsystems, 1999).

20

Private-Key Algorithms Data Encryption Standard (DES) is a symmetric cipher, which encrypts a message by breaking it down into blocks and encrypting each block (RSA Data Security, 1998). DES algorithm uses 56-bit keys out of a 64-bit block size. It was developed in the 1970s and has been adopted by the U.S. government. With todays com-putting power, DES is easily breakable. A variant of DES, triple DES or 3DES, uses DES algorithm three times and follows an encrypt-decrypt-encrypt sequence with three different, unrelated keys. With three iterations of DES algorithms, the effective key length is 112 bits, which is much more securing than plain DES. RC4 is a cipher algorithm de-signed by RSA Data Security. RC4 is essentially a pseudo random number generator, and the output of the generator is logically exclusiveored with the data Stream (SSH Communications Security, 1999). It is essential that the same RC4 key never be used to encrypt two different data streams. The U.S. government approves this type of algorithm with
21

40-bit keys only for export. The security is very weak for its key length even though the algorithm is very fast. International Data Encryption Algorithm (IDEA) is a fairly new algorithm developed at ETH Zurich, Switzerland. It uses a 128-bit key and is considered very secure.
Security Protocols

Currently, public-key and private-key algorithms are being implemented in the network security protocols. These protocols are necessary because more and more companies are doing business on the Internet, and the issue of secure payments over the Web has become a greater network security problem. Merchant servers are developed to provide secure measures for electronic commerce applications. The following are some of the widely used protocols for performing secure transactions on the web. Secure Socket Layer (SSL protocol employs a private-key encryption nested within a public-key Encryption, authenticated through the use of digital certificates (Netscape Communications, 1999). Netscape Communications based on RSA public key cryptography developed SSL. It allows private information, such as Credit Cards and purchase orders, to remain private while traveling across intranets and the public Internet. SSL is currently the most widely used method and particularly suitable for use in e-commerce applications due to the following features: (1) privacy is ensured through encryption, (2) integrity is ensured through decryption, and (3) authentication is provided through the use of digital certificates (Net savvy Communications, 1999).
22

 Secure Electronic Transaction (SET) protocol was developed by Visa and MasterCard for enabling Secure credit card transactions on the Internet. It employs RSA public key encryption technology And DES single-key technology (Stallings & Van Slyke, 1998). SET uses digital certificates to ensure the identities of all parties involved in a transaction and encrypts credit card information before sending it across the Internet.

System Audits

Nearly all businesses undergo a financial audit on a regular basis. An audit of the security policy in place is just as important. During the security audit, the organization .Should review any policies that concern sys-tem security, as well as the processes and procedures put in place to enforce them. While it is not always necessary to have fire drills, it is recommended that as part of the ongoing security policy, organizations perform random testing of mission critical components.
Physical Security

Many organizations processing card information have physical security controls in place for entry into the operations building where information is kept. The typical scenario involves issuing of badges that must be swiped or presented to enter the building. Additionally, once inside the main Building, administrators can determine where in the building the person can have access by requiring badges at doors to different areas of the building. For instance, an employee answering calls at a help desk probably doesnt need access to the computer operations data center. However, this employee
23

might need access to the file room containing original merchant setup information. This access should be administered and monitored on a daily basis. Changes to access should require written approval from the employees immediate supervisor and possibly require approval from other entities (Such as security or information technology). While many organizations are good at implementing security at the head office, many neglect to implement the same types of controls at the remote sales offices or facilities beyond the main operations center. Remote sales offices tend to be a little lax in their implementation of security Procedures. While it may not be necessary to require a badge system at a small office, consider other physical controls in the office. Require that items such as CDs, diskettes and laptops be secured when not in use. When sending reports to remote locations, dont include cardholder information on the reports or allow copying and printing of sensitive material at these sites. A common mistake made with cardholder information is the improper destruction of cardholder data. Printed reports, microfiche or other media containing cardholder information should be destroyed .In a secure manner prior to disposal. This could include shredding, incineration or other commercially accepted methods for secure data destruction.

DEVELOPING AN EFFECTIVE NETWORK SECURITY POLICY

24

A study reported by the U.S. General Accounting Office (GAO) (1996) found that the U.S. Department of Defense network computers are extremely vulnerable. A series of security attacks conducted by the Defense Information System Agency (DISA) revealed that of 38,000 attacks DISA could penetrate the protection and gain access to the network computers 65% of time. Of those successful attacks only 4% (988 attacks) were detected by the target organization. Furthermore, of those detected, only 27% (267 attacks) were actually reported to the appropriate security authority. Given the sophisticated computer network at the Department of Defense and the number of computer personnel involved, the statistics are alarming. The goal of network security is to provide maximum security with minimum impact on the user accessibility and productivity. The network Security policy developed must con-form to the existing organization policies, rules, and regulations. Security policies should reflect constant organization changes in its new business directions, technological changes, and resource allocations. When developing an effective network security policy, the following 11 areas should be addressed (Cisco Systems, 1997): 1. Identify the Network Assets to Protect The first step is to understand and identify the organizations network assets and determine the degree to which each of these assets must be protected. Items to be considered include hardware, software data, procedures, personnel and users, documentation and supplies.

25

2. Determine Points of Risk Risk analysis includes what you need to protect, what you need to protect it from, and how to protect it. You must understand how and where potential intruders can enter your organizations network or sabotage network operations. 3. Determine the Cost of Security Measures Security measures invariably cause inconvenience, particularly to certain personnel or users. They can consume significant computing resources and require dedicated hardware. Another cost of security measures is that they can also delay work and create expensive administrative and educational overhead. If the cost of implementing security measures outweighs its potential benefits and the actual A danger, then it is a disservice to the organization to implement them. 4. Limit the Scope of Access Too much security can be as counterproductive as too little security. Organization can provide higher levels of security to the more sensitive areas of the network. Create multiple barriers within networks such that any authorized access to a part of the system does not automatically grant access to the entire infrastructure. 5. Identify Assumptions Every network security system has underlying assumptions. For instance, an organization might assume that its network is fairly secure, that its network is not tapped, that intruders are not knowledgeable, that attackers use standard software, or that a locked room is safe. It is essential to identify, examine, and justify your
26

assumptions. NY unmassaged or hidden assumption ay turns out to be a big security hole.

6. Consider Human Factors It is optimal that a network security policy strikes a balance between productivity and protection. If security erasures interfere with the essential se of the system and the users are not fully informed, the users almost always exist the change. These measures then re either ignored or even circumvented All users should be educated n the proper use of their account or workstation, the proper procedure of his security, the detection of unauthorized access, and the accidental release r revelation of passwords or other erects over unsecured telephone lines. 7. Control A properly only on a secrets There are, them all. the Number of Secrets designed network security policy relies limited umber of secrets. The more the more difficult it becomes o keep

8. Limit Your Trust You should know which network evinces you can trust and which software you can rely on. Under no Circumstances should an assumption be made that all software are bug-free. 9. Understand Typical Network Functions Understanding how a network system normally functions, being aware of what is expected and unexpected, and knowing how network devices are
27

usually utilized will help you detect any Security problems. System software auditing tools can help detect, log, and track any unusual events. 10. Realize Physical Security Often times, the most obvious element of security is the one moszeasily overlooked, such as security guards, closed-circuit television, and card-key entry systems. It is essential that physical security, such as the server room or the network administration station be taken into consideration because they are the controlling center to the most sensitive, confidential information.

11. Implement Pervasive and Scalable Security All personnel and users need to realize the security implications of every change they make. The goal of a network security policy is to create an environment that is not susceptible to every minor change.

SUMMARY

Developing a network security policy comprises of identifying the organizational assets, threats, and risks as well as evaluating and implementing the tools and technologies available to meet these risks. When all these factors are accounted for, a usage policy is then developed. In addition, an auditing procedure that reviews network and server usage must be established on a timely basis. A proper response should also be in place before any breach or breakdown occurs.

28

CONCLUSION
After taking a look at many tools and options available for security, there are a lot of similarities between a security policy and Linus security blanket. The fiber that makes up the blanket consists of the many tools and services used in a security policy; the firewalls, biometrics, passwords, access Controls and documentation all are combined to cover the assets of the company. Along with the fiber that makes up a blanket, there also is a border that holds it all together, making it easy to unfold and use. For a security program, the border consists of common sense, a return on the security investment and diligence in implementing and operating the security program. Pro-grams that are bound too tight or are created in a convoluted manner actually might end up being a detriment to the company. Security plans should be reviewed regularly, easy to use and enforceable throughout the organization.

29