About 25 years ago the only computers were mainframes. They had closed environments with little threat of security breaches or vulnerabilities being exploited. Only a handful of people working in a "glass house" even knew how to operate the computer.
When computers were networked, it was only to accomplish specific tasks. As companies became more dependent on mainframes, more functional applications were developed. As PCs became more powerful, some jobs were given to the individual while all the large processing still took place on the mainframes.
It made no sense that each computer held information that was needed by all other computers. As a result, servers were invented to hold the programs and data in a centralized location.
There were no barriers or protection from malicious users. Thus, information security was born.
Information Warfare
National:
Militaries used to train their soldiers only how to shoot, fight in combat, and practice evasive maneuvers. Now soldiers also need to know how to use the technological tools that power vehicles, weapons systems, and communication systems. Disrupting communication or listening in on classified conversations can lead to sure victory or imminent defeat.
For example, in the Persian Gulf War it was reported that hackers from the Netherlands penetrated American military sites and extracted information about the exact location of troops, weapons details, and movement of American ships. They offered to sell it to Saddam Hussein. Luckily, he rejected the offer, thinking it was a trick.
Corporate:
Organizations have trade secrets and other intellectual property. Several companies have had their databases attacked and lost their customers' personal information, including credit card numbers. Many companies are now insured in case of a natural disaster or a major security breach.
Government:
President Clinton, on July 15, 1996, approved the establishment of the President's Commission on Critical Infrastructure Protection (PCCIP). The role of this commission was to investigate attacks, how future attacks could be made, how they could affect the infrastructure, and assess our vulnerabilities to such attacks.
In 2002 President Bush created the Office of Homeland Security. Departments of information technology and cybersecurity were included.
Internet and Web Activities
The internet was established so that universities and government organizations could communicate quickly and share information. As more and more sites connected to each other, the internet led to the development of the World Wide Web. The internet provides the hardware, platforms, and communication mechanisms, whereas the Web provides the software that sits on top of the internet.
With the introduction of HTML, companies started to utilize the internet and bring their services to the web. Attackers had easy access if databases were directly connected to web servers with no protection mechanisms. This led to the two-tier architecture, which consists of a server farm that sits behind a firewall and in front of the database.
The two-tier architecture is fine for environments that do not house very sensitive data, but for companies that hold bank or credit card information a three-tier architecture is far more secure. A three-tier architecture has a front-end server farm, middle servers running middleware software, and back-end databases, with two distinct and uniquely configured firewalls.
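The tiering described above can be checked against a firewall policy. The following is an added example, not part of the original post: it models permitted flows as rules between zones and flags any rule that lets traffic skip a tier. The zone names, ports and rule sets are constructed assumptions.

```python
from collections import deque

# Constructed sample policies (zone names and ports are assumptions).
# Each rule is (source zone, destination zone, destination port) that a firewall permits.
# Only connection initiation is modelled; stateful return traffic is implied.
TWO_TIER = [("internet", "web", 443), ("web", "db", 1433)]
THREE_TIER = [
    ("internet", "web", 443),      # outer firewall
    ("web", "middleware", 8443),   # inner firewall
    ("middleware", "db", 1433),    # inner firewall
]
# The same three-tier policy after a "temporary" rule that collapses a tier.
THREE_TIER_DRIFTED = THREE_TIER + [("web", "db", 1433)]

def shortest_path(rules, src="internet", dst="db"):
    """Breadth-first search over permitted flows; returns the zone list or None."""
    graph = {}
    for s, d, _port in rules:
        graph.setdefault(s, []).append(d)
    queue, seen = deque([[src]]), {src}
    while queue:
        path = queue.popleft()
        if path[-1] == dst:
            return path
        for nxt in graph.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def tier_violations(rules, tiers=("internet", "web", "middleware", "db")):
    """Return the rules that do not go exactly one tier inward."""
    order = {zone: i for i, zone in enumerate(tiers)}
    return [r for r in rules if order[r[1]] - order[r[0]] != 1]

if __name__ == "__main__":
    for name, policy in [("two-tier", TWO_TIER), ("three-tier", THREE_TIER),
                         ("drifted", THREE_TIER_DRIFTED)]:
        print(name, shortest_path(policy))
    print("violations:", tier_violations(THREE_TIER_DRIFTED))
```

The drifted policy still has both firewalls in place, yet the shortest route to the database is as short as in the two-tier design, which is why the rule audit matters as much as the topology.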
A Layered Approach: As advised by the text
- Configure application, file, and registry access control lists (ACLs) to provide more granularity to users' and groups' file permissions
- Configure the system default user rights (in a Windows environment) to give certain types of users certain types of rights
- Consider the physical security of the environment and the computers, and apply restraints where required
- Place users into groups that have implicit permissions necessary to perform their duties and no more
- Draft and enforce a strict logon credential policy so that not all users are logging on as the same user
- Implement monitoring and auditing of file access and actions to identify any suspicious activity.