
Enterprise Security



Introduction

Technical controls are an essential part of any information security program. On their own, however, they cannot secure an IT environment completely. Managing their use and development requires familiarity with the technology that enables them. Technical controls can enforce policy in situations where human behavior is hard to regulate (Whitman & Mattord, 2011), and enforcing policies and standards on people is in any case a hard task.


Technical controls fall into several classifications. The first is Access Controls (Whitman & Mattord, 2011), which govern logical or physical access through four processes: Identification (an entity presents an identity and requests access to a physical or logical area), Authentication (the claimed identity of the entity seeking access to the physical or logical area is confirmed), Authorization (the actions the entity may perform in that logical and/or physical area are determined), and Accountability (all activities performed by authorized systems and individuals are documented).

Main Body

Next come Firewalls (Whitman & Mattord, 2011): a firewall is any device that prevents a specific type of information from moving between the outside world, also known as the untrusted network, and the inside world, or trusted network. Intrusion Detection and Prevention Systems (Whitman & Mattord, 2011) form the third classification, comprising intrusion detection and prevention systems; such a system acts like an alarm, which may be visible, audible or silent. Remote Access Protection (Whitman & Mattord, 2011) verifies the persons permitted remote access. Wireless Networking Protection (Whitman & Mattord, 2011) covers wireless networks, which offer a low-cost alternative to wired networks but are very vulnerable to hacks and attacks.

The most widely used wireless protections are the Wi-Fi Protected Access (WPA) and Wired Equivalent Privacy (WEP) protocol families. Scanning and Analysis Tools (Whitman & Mattord, 2011) are the next classification; they find holes in security components, vulnerabilities in systems and other weak points, although the unpredictable behavior of people cannot be detected by them. Examples include port scanners, vulnerability scanners, content filters and packet sniffers. Cryptography (Whitman & Mattord, 2011) means “secret writing”; it keeps information confidential through cryptographic algorithms so that an intruder cannot decrypt it.

RIT's technical controls are also classified by the standard that defines them, beginning with Network Technical Controls (Security Standard: Institute Networks and Equipment, 2009), which are used to ensure the integrity of the network. The specific network technical controls are:

  1. Physical Security: all equipment and network devices are secured in a limited-access area;
  2. Access and authentication lists: access is controlled by a central server, and a user must be configured for access through defined services in order to reach certain data from a particular location.
  3. Network Management: management traffic must be separated from user traffic, and plain-text protocols may not be used. Network management must use SNMPv3 only; protocols such as LDAP without TLS, SSLv3, TELNET, FTP, the remote host protocols and the like are prohibited.
  4. Intrusion Detection System: this works like an alarm; once a violation is detected, the alarm is activated. It may be visible (noise and lights), audible, or silent, meaning that an emergency message is sent to a monitoring company.
  5. Anti-ARP Spoofing: network devices must have DHCP/ARP snooping enabled.
  6. Change control: this process must assess all potential risks to the Institute network. It should include supporting data, a problem statement, potential solutions, an impact/risk assessment and management approval of changes.
  7. Logging and Monitoring: regular monitoring must be carried out by a centralized network management system, and the devices must also be logged.
  8. Passwords: passwords must be changed at specified intervals, and administrators are responsible for changing manufacturers' default passwords.
  9. Configuration backups: network equipment configurations must be backed up on a regular basis and kept under revision control.
  10. VPN: all VPNs must undergo a regular security review, and connection to the Internet through networks other than RIT's is not allowed.
  11. Vulnerability scanning and quarantine: the network must be scanned regularly, since it can become vulnerable to certain remote attacks. Hosts classified as unprotected are automatically moved to a quarantine segment of the network, where they can be remediated.
  12. Wireless Security: wireless network devices must support ISO-approved encryption methods.
  13. Device Registration: all devices must be registered with the ISO-approved registration system; the registration must include the name of the party responsible for the device and all of its MAC addresses.

Next in the classification are Server and Application/Database Technical Controls (Security Standard: Servers, Server-based Applications and Databases, 2009). These security controls must be enabled, applied to and running on all servers that are connected to or have access to the Institute network. The standard lists the following technical controls:

  1. Physical Environment and Secure Network: all servers must be physically secured, with restricted access only.
  2. Patching/Server Maintenance: all operating systems and installed applications must be kept current with patches.
  3. Logging: logging must be defined against a real-time standard, and all logs must be saved and stored on a separate secure server. Logs must capture important actions such as privilege escalation, access control changes, authentication, user additions and deletions, system integrity information and job schedule start-up. Every log entry must be date and time stamped.
  4. System Integrity Controls: servers must use HIPS and host firewalls, and these must also be employed on authentication servers in order to maintain system integrity.
  5. Vulnerability Assessment: servers and services must undergo a vulnerability assessment before going into production, checking their reliability and overall operation. ISO-approved vulnerability scanners must be used for this.
  6. Authentication and Access Control: authentication is mandatory for all users of the system and for root/administrator privileges. Access control must be configured so that only authenticated, authorized access to the system, data and applications is allowed.
  7. Restore, Backup, and Business Continuity: all servers holding Operationally Critical data must have documented backup, application and system restoration (including configurations) and data restoration procedures. This supports business continuity, integrity and disaster recovery planning, which can be part of crisis management procedures.
  8. Applications Administration: it may sound odd, but every application should have an application and system administrator. It is the application administrator's role and responsibility to ensure that the application complies with all server standards and runs smoothly without interruptions.
  9. Risk Management and Security Review: a risk and security assessment is an integral part of any major or significant modification to services or servers.
  10. Server Registration: network-accessible servers must be registered in the ISO-approved centralized registration system.
  11. Server Hardware Replacement and Retirement: all media and devices that store server information hold RIT Confidential Information. They must be degaussed before replacement or retirement; otherwise the data may remain recoverable, which would be a disaster.
  12. Server Administration: secure protocols must be used for administrative functions on servers.
  13. High Performance/Distributed Computing: servers participating in high performance, distributed or grid computing must protect RIT Confidential information, and documented, appropriate safeguards must be employed to access and protect the RIT internal networks.

Web Technical Controls are the next standard in this classification (Security Standard: Web, 2008). It specifies the technical controls that apply to all web servers and services (RIT and 3rd party) that use HTTP-based protocols and that handle Confidential or Operationally Critical Information or use RIT authentication services. The aim is to ensure the safety of RIT’s web infrastructure and the security of web-based applications. The standards are listed below:

  • General: information presented on the network must be protected for confidentiality and integrity, and web content services are the key instruments for that job. All applications must undergo system vulnerability scanning. The RIT network should only use SSLv3/TLS encryption. Patches must be part of the regular update cycle, and server-side application filters should be in place.
  • Logging: web server access logs must contain, at a minimum, the full URL, the client IP address and a timestamp.
  • Access controls: stateless user authentication must be in place. The system administrator is responsible for regulating access to the web service.
  • Development and Acquisition: the selection or development of any information system should undergo a full security review.
  • Appropriate products non-availability: when no appropriate product is available from a reputable commercial vendor or a reliable open source community, the system is selected against a specific requirement until an appropriate solution is put in place.
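As an added illustration of the web logging standard above (example code, not part of the original essay or of RIT's standards), the following Python script checks access-log lines for the three minimum fields: client IP address, timestamp and full URL. It assumes the Apache "combined" log layout, and the sample lines are constructed.

```python
import ipaddress
import re
from datetime import datetime

# Apache "combined" access-log layout (assumed here; the standard only names the fields).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]*)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"  # e.g. 10/Oct/2023:13:55:36 +0000


def check_entry(line):
    """Return the list of minimum-field violations for one log line (empty means compliant)."""
    m = LOG_RE.match(line)
    if not m:
        return ["entry does not match the expected log format"]
    problems = []
    try:
        ipaddress.ip_address(m.group("ip"))  # "-" or garbage is rejected here
    except ValueError:
        problems.append("missing or invalid client IP")
    try:
        datetime.strptime(m.group("ts"), TS_FMT)
    except ValueError:
        problems.append("missing or invalid timestamp")
    parts = m.group("req").split(" ")
    # Request line must be "METHOD target HTTP/x" with a real target (path or absolute URL), not "-"
    if len(parts) != 3 or not (parts[1].startswith("/") or "://" in parts[1]):
        problems.append("request line lacks full URL")
    return problems


def audit(lines):
    """Map 1-based line numbers to their violations, keeping only non-compliant lines."""
    report = {}
    for number, line in enumerate(lines, start=1):
        problems = check_entry(line)
        if problems:
            report[number] = problems
    return report


# Constructed sample lines: one compliant, then three each missing one required field
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /login?user=alice HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '- - - [10/Oct/2023:13:55:37 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.9 - - [-] "GET /admin HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Oct/2023:13:55:39 +0000] "-" 408 0 "-" "-"',
]
```

Running audit(SAMPLE_LOG) flags lines 2, 3 and 4, one violation each, and leaves line 1 unreported.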

Desktop Technical Controls (Information Security, 2009) apply to all RIT-owned and personal machines. The specified standards are:

  • Antivirus: it is very important to install antivirus software and to keep its signatures and patches regularly updated.
  • Operating system and application
  • Personal firewall
  • Anti-spyware
  • Anti-phishing
  • HIPS

Most of these must be installed and enabled, while the others should have a control implemented.

Next in the classification are Portable Media Technical Controls (Security Standard: Portable Storage Devices and Media, 2008). These controls must be used for any removable or portable media that stores or transports Confidential or Private information. RIT lists the following specific technical controls for portable media:

  1. Portable media: portable media must be approved under the ISO standards.
  2. Operationally Critical Data: it must not be located solely on portable media.
  3. Incident Handling process: if media holds unfamiliar content or Confidential or Private information, it is reported through the incident handling process.

RIT’s technical controls have been evaluated for their effectiveness in mitigating the following risks: software failures or errors, human failures or errors, hardware failures or errors, intellectual property concerns, unauthorized access to information, theft, vandalism, information extortion, forces of nature, software attacks, technology obsolescence, and the quality of service from a service provider.

Summary

From this summary, some potential areas of improvement can be identified. The major issue for RIT is usually the theft of portable devices such as laptops, cell phones, tablets and other gadgets. The biggest risk factor is actually the person who stole the device, the thief. It is unlikely that any of the stolen devices use data encryption; most hold sensitive credentials and data in clear text. Unfortunately, a knowledgeable thief could take full advantage of this situation to steal the credentials. Another threat is that students use disks that are not encrypted, so the privacy and security of their files is not protected.

It would be very useful if RIT could implement some program or practice to protect these mobile devices, for example installing surveillance cameras and providing lockers in which students can store personal portable devices. Another suggestion is to provide students with encryption software free of charge. It is important to make the use of such software mandatory, which would avoid or reduce the leakage of private data and credentials. It is good that RIT provides students with McAfee anti-virus, but this is not enough; an Intrusion Prevention System would also be beneficial for students.

This report has covered technical controls and their importance for RIT. Their main task is to keep RIT’s information assets safe from any kind of intruder, although the human factor is extremely hard to predict. The purpose of the diversity of technical controls is to provide security at the different layers and levels of RIT’s information assets. In addition, the technical controls include automated services, such as routine password checking and changes executed by servers, which raise the level of security. RIT’s information technology structure therefore has technical controls as its basis.
