Thesis on "Security Planning and Assessment"

Thesis 7 pages (2028 words) Sources: 7 Style: APA

[EXCERPT]

Security Planning and Assessment

Security Assessment

A security assessment is the process of looking at a business and supporting technologies and determining what security risks are present. It is a process that management can use to determine whether the existing information security program is adequately addressing a company's security risks. It is also something that should be done on an ongoing basis to make sure that any security implications resulting from changes in the environment or new initiatives are addressed (Kairab, 2004).

There are four types of Security Assessment: Audit, Security Assessment, Vulnerability Scan, and Penetration Test. All are ways to analyze risk. They emphasize different aspects of risk management, different types of vulnerabilities, and different types of threat.

We'll take a look at them briefly: (Security Management, n.d.)

Audits. Auditing compares current practices against a set of standards. Industry groups or institution management may create those standards. Institution management is responsible for demonstrating that the standards it adopts are appropriate for the institution.

Assessments. An assessment is a study to locate security vulnerabilities and identify corrective actions. An assessment differs from an audit by not having a set of standards to test against. It differs from a penetration test by providing the tester with full access to the systems being tested. Assessments may be focused on the security process or the information system.

They may also focus on different aspects of the information system, such as one or more hosts or networks.

Penetration Tests. A penetration test subjects a system to real-world attacks selected and conducted by the testing personnel. The benefit of a penetration test is that it identifies the extent to which a system can be compromised before the attack is identified, and it assesses the response mechanism's effectiveness. Because a penetration test is seldom a comprehensive test of the system's security, it should be combined with other monitoring to validate the effectiveness of the security process (Security Management, n.d.).

Vulnerability Scan. The goal of running a vulnerability scanner (software program) is to identify devices on your network that are open to known vulnerabilities. Different scanners accomplish this goal through different means. Some work better than others (Bradley, n.d.).

Okay, great, but really, what is a security assessment?

Case in Point

The very protocol we all use every day on our computers is called IP -- Internet Protocol.

We all assume it is safe. The fact is, it is as open to problems as anything else on the internet.

IP supplies the basic data transfer capability for the internet -- so pretty important. It transfers data in what are called "datagrams" from a computer or server at a source to a destination computer. It does some other things too, but its basic function as the primary data transfer mechanism is the important one for now.

To simplify and shorten this whole discussion: the basic supplier of data on the internet is vulnerable in several areas to security breaches and attacks by hackers. The problem areas include attacks on memory allocation, to the extent that the computer could crash and be useless, and problems with the reassembly algorithm and the ambiguity of the packet reassembly process. For example, information is sent over the internet in packets, so a long message can be split into separate pieces for more efficient transfer. These packets can be intermixed with packets from other transfers going on at the same time. They are then reassembled at the destination computer into a readable or usable message.

Due to bugs in that reassembly process, IP is left open to attacks that can lead to memory buffer overload and, once again, that dreaded computer crash.
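As an added illustration (not from the paper or from Gont's document), here is a minimal Python fragment reassembler that applies the checks an assessment of this process points to: it rejects overlapping fragments (the reassembly ambiguity just described), refuses datagrams that would exceed the 65,535-byte IPv4 limit, and caps the memory held for incomplete datagrams so a flood of partial fragments cannot exhaust it. The Fragment and Reassembler names, the byte-offset simplification, and the sample fragments are assumptions made for the example.

```python
from dataclasses import dataclass, field

MAX_DATAGRAM = 65535  # largest IPv4 datagram a receiver must be able to reassemble

@dataclass
class Fragment:          # hypothetical simplified fragment (constructed for this example)
    ident: int           # IP identification field; all pieces of one datagram share it
    offset: int          # byte offset (real IPv4 carries this in 8-byte units)
    more: bool           # "more fragments" flag, clear on the last piece
    data: bytes

@dataclass
class Pending:
    buf: bytearray = field(default_factory=bytearray)
    seen: list = field(default_factory=list)   # accepted (start, end) byte ranges
    total: int = -1                            # unknown until the last fragment arrives

class Reassembler:
    def __init__(self, max_buffered=4 * MAX_DATAGRAM):
        self.pending = {}                      # ident -> Pending
        self.max_buffered = max_buffered       # cap on bytes held for incomplete datagrams

    def _drop(self, ident, reason):
        self.pending.pop(ident, None)          # discard the whole datagram, not one piece
        return ("rejected", reason)

    def add(self, frag):
        start, end = frag.offset, frag.offset + len(frag.data)
        if end > MAX_DATAGRAM:
            return self._drop(frag.ident, "fragment extends past maximum datagram size")
        p = self.pending.setdefault(frag.ident, Pending())
        # Overlaps make the result depend on host policy (the "ambiguity"); treat as hostile.
        if any(start < e and s < end for s, e in p.seen):
            return self._drop(frag.ident, "overlapping fragment")
        if not frag.more:
            if p.total >= 0 and p.total != end:
                return self._drop(frag.ident, "conflicting final length")
            p.total = end
        held = sum(len(q.buf) for q in self.pending.values())
        if held + max(0, end - len(p.buf)) > self.max_buffered:
            return self._drop(frag.ident, "reassembly memory cap exceeded")
        if end > len(p.buf):
            p.buf.extend(b"\0" * (end - len(p.buf)))
        p.buf[start:end] = frag.data
        p.seen.append((start, end))
        if p.total >= 0 and sum(e - s for s, e in p.seen) == p.total:
            del self.pending[frag.ident]
            return ("complete", bytes(p.buf[:p.total]))
        return ("incomplete", None)
```

Fragments may arrive in any order; a datagram is delivered only once every byte up to the final length has been seen exactly once.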

There are several other vulnerabilities in IP, but the point is that these problems and their fixes were recognized only because of a security assessment of IP.

The following is a description of the document which was a source of the above information, and gives us a prime example of what exactly a security assessment does in a real, specific case:

"This document is the result of an assessment of the IETF specifications of the Internet Protocol from a security point-of-view. Possible threats were identified and, where possible, counter-measures were proposed.

Additionally, many implementation flaws that have led to security vulnerabilities have been referenced in the hope that future implementations will not incur the same problems. This document does not limit itself to performing a security assessment of the relevant IETF specification but also offers an assessment of common implementation strategies" (Gont, 2008, p. 4).

Now that we have an idea of what a security assessment is and what it accomplishes, we'll look at it in a bit more depth.

Network Security Assessment

Any business or other organization that wants to control its own computers, networks, and data has to take an active, aggressive role in security. The entire process, and possibly the future of that business, begins with a security assessment to identify and categorize potential risks to those systems. Assessing the security of a company's networks is an ongoing, "living" process, never a one-time event.

Business Advantage

Though the security of its data and networks is a "duh" as far as benefits go for any business or organization, there is one positive worth a brief discussion.

Security assessment becomes an "enabler of business." In other words, proper assessment, design, and employment of vast business networks for major corporations, or for a small business allows that company to "embrace" that technology to improve and increase their business because they know it is secure and they have a plan to keep it that way.

Short-circuiting this important path to network security and to a policy of continuous assessment can leave a business open to compromise of its data by hackers. NASDAQ, Cryptologic Inc., Playboy Enterprises, RSA Security, and many, many others in recent years have been victimized -- not because they did everything right and still were victimized, but because they failed, in some way, to maintain a security policy to protect their networks and data from a determined attack. And it all begins with planning and assessment. (Cryptologic is an online gambling casino that lost $1.9 million in just a few hours to hackers.) (O'Reilly Media, 2005)

Two Types of Threats

"Opportunistic attackers" are those who attack publicly accessible networks with auto-scanning tools to locate and "infect" those computers and systems they find vulnerable. These attackers actually fall into two distinct groups: those who attack computers just for the pleasure of denying them internet service or flooding them with junk, and those who attack in order to "bounce" their hacking results to other computers (such as sending thousands of spam emails).

"Determined attackers" will, with great persistence and will, pick and probe every aspect of a particular network or host that they find might be vulnerable for a port of entry for the purpose of compromising the system. Even if they can't do it, they will return later with creative approaches to breaching that system.

Because of this, those networks with large numbers of accessible host computers or terminals are the most vulnerable. The hundreds or even thousands of potential ports of entry into the system magnify that vulnerability. And in dealing with those risks as their networks continue to grow, the "living and breathing" security assessment policies and procedures become critical to business.

Security Assessment Methodology

The most important element (as we keep saying) of a successful security program is the security assessment methodology. Without it, there is absolutely no guarantee that the real security risks have been identified. And without that, we go back to our business enabler discussion -- any security program implemented won't provide any assurance at all that the company's networks and data are secure. Therefore, it is impossible for the organization to "embrace" their security and press on with embracing the increase in profits for their business.

As simply stated as possible, security assessment is the pilot for the airplane of the whole security program. The findings from the assessment drive the policies, technologies, procedures, and audit. If the critical results of the assessment are inaccurate or incomplete, the whole thing falls apart. An entire information security program consists of security strategy, security policies and procedures, security organization, executive support, training and awareness, toolsets, and enforcement -- including thousands upon thousands of man-hours, and perhaps millions of dollars, spent each year.

And what is it all worth without an accurate, thorough, comprehensive security assessment? Zero.

There are five steps, and within those steps, important tasks that must be accomplished for a successful security assessment: (Kairab, 2004)

Planning -- Define the scope, logistics and scheduling

Initial Preparation -- Gather publicly available information; prepare initial documentation

Business Process Evaluation -- Gain understanding of the key business processes; meet with business process owners; identify critical supporting technologies.

Quoted Instructions for "Security Planning and Assessment" Assignment:

The length of the paper should be at least 2000 words, not including the reference page. The topic of the term paper can be on anything related in some way to security management, assessment, planning, and/or implementation. You have wide latitude to write about something of particular interest to you.

