work
A+ Work Needed
LearningModule2.docxCybersecurity Module 2: Business Use Security
.
Background
Summary:
Businesses commonly use Internet to access a variety of data and to perform transactions internally and externally. The Internet becomes the communications medium that links internal communications with the outside world. We discuss here the cybersecurity infrastructure and architecture that is associated with procedures and applications.
Description:
Businesses invest money to build a networking infrastructure and then build a networking and communication system on this infrastructure to support business activities. In today’s environment, extensive use is made internal communication via the Intranet and external communication via the Internet. An open architecture, as often used earlier, might have been good for data access. With the increased number of threats as found today, the open architecture can expose data and other assets to attacks.
We discuss business use of networking that protects the assets without hindering normal work.
Risk – How Can It Happen?
There are a number of possibilities that may lead to undesirable situations, as follows:
1. Malicious destructive attack on network
2. Systematic penetration to steal data
3. Improper procedures to secure data
4. Complacence, network designed without security measures
5. Data integrated without partitions
6. Inadequate oversight of insiders
The list is not necessarily complete.
Example of Occurrence: Scenarios
Ryan Chalak has recently taken charge of IT at Sun Health Systems which provides health care services over a region of the US. Because of the nature of their work, Sun Health holds in its database a large volume of patient information which has to be very secure as mandated by federal law. They also have other volumes of data that do not require the same level of security. Most of the data comes to the database at the head office from remote locations all over the region. However, the remote locations need access to the data to do their work.
Ryan calls in a security consultant who has worked with defense contractors and they make a number of recommendations as follows:
1. All the data should be transported through secure VPN tunnels.
2. In addition to the existing firewalls there should be Intrusion Protection Systems (IPS).
3. The network should be partitioned so a compromised segment can be isolated.
4. The data should be segmented and partitioned with the highest security applied to only those parts that need the high security.
5. Network administrators and personnel who have access to the secure data should be supervised.
Ryan took the recommendations to the Vice President who said that they were only providing health care and were not defense contractors. He could only provide money for some things.
Answer the following questions:
Question 1:
Considering that the VP has agreed to doing some of the work, what should Ryan do?
A. He should not worry unnecessarily. Nothing has happened so far.
B. He should resign. The company is in serious danger and it will be his responsibility.
C. If all of the security measures cannot be done there will be so many holes that there is no point in doing anything.
D. He should get a prioritization from the consultant, get the budgets, and negotiate with the VP for a phased approach.
Question 2:
A general approach to guarding data from cyberattacks and penetration threats is to segment and partition. Which of the following best describes the reason for this?
A. Security can be focused and the most valuable data can be held most secure as in a vault.
B. Nobody wants all the data. There is no point in keeping it together.
C. One database may not have enough space for all data, and it is better to segment and separate.
D. Use multiple databases so that if one is down the others are still available.
Question 3:
At least one of the consultant’s recommendations can be implemented without any major budget outlay. This is the supervision of people with network access capabilities and access to sensitive data. What is the best approach in this respect?
A. These jobs should be held only by friends and family of senior management.
B. They are people and their privacy should be respected.
C. Everyone in a secure environment must submit to vetting, supervision, and audit.
D. All people should be encouraged to spy on their coworkers.
Responsible Use – How can these errors be avoided?
This scenario involves a bank and highlights the fact that security is following the right procedures and may not always be electronic in context.
A bank may have many communications between branches and corporate offices all of which are done through secure channels. But there are also many communications with customers. Most messages sent to customers are accessed only via login to a secure website. Many customers are not aware of security policies, and prefer to conduct business over the telephone by calling from a crowded location on a cell phone. In these situations the bank may inform the customer not to say out loud the ID or social security number needed for identification. The bank customer should really retire to a private area such as inside a car so that no one can overhear any part of the conversation, or see keypad entries over the shoulder. It is also not a good practice to leave paper documents in the open where a passing person can steal a quick glance.
Answer the following questions:
Question 1:
If the customer requests the bank to email information because that is the most convenient way for him/her to receive the information, should the bank comply with the request?
A. The bank should serve the customer and comply with the request.
B. The bank should use email but only use vague and bland terms that would mean nothing to another person.
C. The bank should not email but should complete the business on the telephone regardless of who else might be listening.
D. The bank may only communicate documents through secure upload and download from the website, or use US Mail in a secure way.
Question 2:
A customer might think that the bank’s security policies are designed to irritate the customer and deter the customer from communicating with the bank. Which of the following best represents the scope of the bank’s security policies?
A. The security policies protect both the bank and the customer.
B. The security policies are designed to cause delays and cover the bank’s slow response.
C. The security policies are designed to take power away from the customer.
D. Security policies are designed by people who have nothing better to do.
Laboratory Assignment
STEP 1: Internet Research
http://www.forbes.com/sites/kateharrison/2016/05/03/the-best-practices-in-cyber-security-for-small-to-medium-sized-businesses/#294655de5e8d
The Best Practices in Cyber Security For Small-To-Medium-Sized Businesses
By Kate Harrison
Read the article listed above and answer the following questions.
Question 1:
Why is it critically important to have a corporate security policy defined at the top level and have everyone trained in the principles of security?
Question 2:
What are some of the electronic components of cyber security, e.g. firewalls, network threat prevention, rogue detection, etc.?
Discussion Questions
Question 1:
Defense Against the Dark Arts is important not only in Harry Potter’s world but also in the world of business under the threat of cyber insecurity. Cyber Security measures are often substantial investments and may lead to substantial operating costs. Why is it still imperative for a business to take this route?
Question 2:
It is not legal for any business operating in the US to penetrate cyber defenses of any other business. There is no law protecting the US business from cyber attack from another country. It is difficult for FBI to go after international rogues. It is believed that NSA has more knowledge and capability in cyber security than any other organization. Would it be ethical for NSA to help US businesses in cybersecurity? [ Note: Would they want to? It might expose them.]
