BIF20BT-1 Unit 3

Class notes

Uploaded by

Moon Child T

Unit 3
Ethics and Security
Unit time: 199 Minutes

Complete this unit, and you’ll know how to:

A Ethics
B Introduction to network security
C Understanding security threats
D Creating a secure network strategy

3–2 Computer Fundamentals: Book 2

Topic A: Ethics
What is Ethics?
Ethics (also known as moral philosophy) is a branch of philosophy which seeks to
address questions about morality; that is, about concepts like good and bad, right and
wrong, justice, virtue, etc.

ACM Code of Ethics and Professional Conduct

1. GENERAL MORAL IMPERATIVES.

1.1 Contribute to society and human well-being.
This principle concerning the quality of life of all people affirms an obligation to protect
fundamental human rights and to respect the diversity of all cultures. An essential aim
of computing professionals is to minimize negative consequences of computing
systems, including threats to health and safety. When designing or implementing
systems, computing professionals must attempt to ensure that the products of their
efforts will be used in socially responsible ways, will meet social needs, and will avoid
harmful effects to health and welfare.

In addition to a safe social environment, human well-being includes a safe natural
environment. Therefore, computing professionals who design and develop systems must
be alert to, and make others aware of, any potential damage to the local or global
environment.

1.2 Avoid harm to others.

"Harm" means injury or negative consequences, such as undesirable loss of information,
loss of property, property damage, or unwanted environmental impacts. This principle
prohibits use of computing technology in ways that result in harm to any of the
following: users, the general public, employees, employers. Harmful actions include
intentional destruction or modification of files and programs leading to serious loss of
resources or unnecessary expenditure of human resources such as the time and effort
required to purge systems of "computer viruses."

Well-intended actions, including those that accomplish assigned duties, may lead to
harm unexpectedly. In such an event the responsible person or persons are obligated to
undo or mitigate the negative consequences as much as possible. One way to avoid
unintentional harm is to carefully consider potential impacts on all those affected by
decisions made during design and implementation.
To minimize the possibility of indirectly harming others, computing professionals must
minimize malfunctions by following generally accepted standards for system design and
testing. Furthermore, it is often necessary to assess the social consequences of systems
to project the likelihood of any serious harm to others. If system features are
misrepresented to users, coworkers, or supervisors, the individual computing
professional is responsible for any resulting injury.
Safety 3 –3

In the work environment the computing professional has the additional obligation to
report any signs of system dangers that might result in serious personal or social
damage. If one's superiors do not act to curtail or mitigate such dangers, it may be
necessary to "blow the whistle" to help correct the problem or reduce the risk. However,
capricious or misguided reporting of violations can, itself, be harmful. Before reporting
violations, all relevant aspects of the incident must be thoroughly assessed. In particular,
the assessment of risk and responsibility must be credible. It is suggested that advice be
sought from other computing professionals. See principle 2.5 regarding thorough
evaluations.

1.3 Be honest and trustworthy.

Honesty is an essential component of trust. Without trust an organization cannot
function effectively. The honest computing professional will not make deliberately false
or deceptive claims about a system or system design, but will instead provide full
disclosure of all pertinent system limitations and problems.

A computer professional has a duty to be honest about his or her own qualifications, and
about any circumstances that might lead to conflicts of interest.

Membership in volunteer organizations such as ACM may at times place individuals in
situations where their statements or actions could be interpreted as carrying the "weight"
of a larger group of professionals. An ACM member will exercise care to not
misrepresent ACM or positions and policies of ACM or any ACM units.

1.4 Be fair and take action not to discriminate.

The values of equality, tolerance, respect for others, and the principles of equal justice
govern this imperative. Discrimination on the basis of race, sex, religion, age, disability,
national origin, or other such factors is an explicit violation of ACM policy and will not
be tolerated.
Inequities between different groups of people may result from the use or misuse of
information and technology. In a fair society, all individuals would have equal
opportunity to participate in, or benefit from, the use of computer resources regardless
of race, sex, religion, age, disability, national origin or other such similar factors.
However, these ideals do not justify unauthorized use of computer resources nor do they
provide an adequate basis for violation of any other ethical imperatives of this code.

1.5 Honor property rights including copyrights and patent.

Violation of copyrights, patents, trade secrets and the terms of license agreements is
prohibited by law in most circumstances. Even when software is not so protected, such
violations are contrary to professional behavior. Copies of software should be made
only with proper authorization. Unauthorized duplication of materials must not be
condoned.

1.6 Give proper credit for intellectual property.


Computing professionals are obligated to protect the integrity of intellectual property.
Specifically, one must not take credit for other's ideas or work, even in cases where the
work has not been explicitly protected by copyright, patent, etc.

1.7 Respect the privacy of others.


Computing and communication technology enables the collection and exchange of
personal information on a scale unprecedented in the history of civilization. Thus there
is increased potential for violating the privacy of individuals and groups. It is the
responsibility of professionals to maintain the privacy and integrity of data describing
individuals. This includes taking precautions to ensure the accuracy of data, as well as
protecting it from unauthorized access or accidental disclosure to inappropriate
individuals. Furthermore, procedures must be established to allow individuals to review
their records and correct inaccuracies.
This imperative implies that only the necessary amount of personal information be
collected in a system, that retention and disposal periods for that information be clearly
defined and enforced, and that personal information gathered for a specific purpose not
be used for other purposes without consent of the individual(s). These principles apply
to electronic communications, including electronic mail, and prohibit procedures that
capture or monitor electronic user data, including messages, without the permission of
users or bona fide authorization related to system operation and maintenance. User data
observed during the normal duties of system operation and maintenance must be treated
with strictest confidentiality, except in cases where it is evidence for the violation of
law, organizational regulations, or this Code. In these cases, the nature or contents of
that information must be disclosed only to proper authorities.

1.8 Honor confidentiality.

The principle of honesty extends to issues of confidentiality of information whenever
one has made an explicit promise to honor confidentiality or, implicitly, when private
information not directly related to the performance of one's duties becomes available.
The ethical concern is to respect all obligations of confidentiality to employers, clients,
and users unless discharged from such obligations by requirements of the law or other
principles of this Code.

2. MORE SPECIFIC PROFESSIONAL RESPONSIBILITIES.

2.1 Strive to achieve the highest quality, effectiveness and dignity in both the
process and products of professional work.
Excellence is perhaps the most important obligation of a professional. The computing
professional must strive to achieve quality and to be cognizant of the serious negative
consequences that may result from poor quality in a system.

2.2 Acquire and maintain professional competence.


Excellence depends on individuals who take responsibility for acquiring and
maintaining professional competence. A professional must participate in setting
standards for appropriate levels of competence, and strive to achieve those standards.
Upgrading technical knowledge and competence can be achieved in several ways: doing
independent study; attending seminars, conferences, or courses; and being involved in
professional organizations.

2.3 Know and respect existing laws pertaining to professional work.

ACM members must obey existing local, state, province, national, and international laws
unless there is a compelling ethical basis not to do so. Policies and procedures of the
organizations in which one participates must also be obeyed. But compliance must be
balanced with the recognition that sometimes existing laws and rules may be immoral or
inappropriate and, therefore, must be challenged. Violation of a law or regulation may
be ethical when that law or rule has inadequate moral basis or when it conflicts with
another law judged to be more important. If one decides to violate a law or rule because
it is viewed as unethical, or for any other reason, one must fully accept responsibility for
one's actions and for the consequences.

2.4 Accept and provide appropriate professional review.
Quality professional work, especially in the computing profession, depends on
professional reviewing and critiquing. Whenever appropriate, individual members
should seek and utilize peer review as well as provide critical review of the work of
others.

2.5 Give comprehensive and thorough evaluations of computer systems and their
impacts, including analysis of possible risks.

Computer professionals must strive to be perceptive, thorough, and objective when
evaluating, recommending, and presenting system descriptions and alternatives.
Computer professionals are in a position of special trust, and therefore have a special
responsibility to provide objective, credible evaluations to employers, clients, users, and
the public. When providing evaluations the professional must also identify any relevant
conflicts of interest, as stated in imperative 1.3.
As noted in the discussion of principle 1.2 on avoiding harm, any signs of danger from
systems must be reported to those who have opportunity and/or responsibility to resolve
them. See the guidelines for imperative 1.2 for more details concerning harm, including
the reporting of professional violations.

2.6 Honor contracts, agreements, and assigned responsibilities.


Honoring one's commitments is a matter of integrity and honesty. For the computer
professional this includes ensuring that system elements perform as intended. Also,
when one contracts for work with another party, one has an obligation to keep that party
properly informed about progress toward completing that work.
A computing professional has a responsibility to request a change in any assignment
that he or she feels cannot be completed as defined. Only after serious consideration and
with full disclosure of risks and concerns to the employer or client, should one accept
the assignment. The major underlying principle here is the obligation to accept personal
accountability for professional work. On some occasions other ethical principles may
take greater priority.

A judgment that a specific assignment should not be performed may not be accepted.
Having clearly identified one's concerns and reasons for that judgment, but failing to
procure a change in that assignment, one may yet be obligated, by contract or by law, to
proceed as directed. The computing professional's ethical judgment should be the final
guide in deciding whether or not to proceed. Regardless of the decision, one must accept
the responsibility for the consequences.

However, performing assignments "against one's own judgment" does not relieve the
professional of responsibility for any negative consequences.

2.7 Improve public understanding of computing and its consequences.
Computing professionals have a responsibility to share technical knowledge with the
public by encouraging understanding of computing, including the impacts of computer
systems and their limitations. This imperative implies an obligation to counter any false
views related to computing.

2.8 Access computing and communication resources only when authorized to do so.

Theft or destruction of tangible and electronic property is prohibited by imperative 1.2 -
"Avoid harm to others." Trespassing and unauthorized use of a computer or
communication system is addressed by this imperative. Trespassing includes accessing
communication networks and computer systems, or accounts and/or files associated
with those systems, without explicit authorization to do so. Individuals and
organizations have the right to restrict access to their systems so long as they do not
violate the discrimination principle (see 1.4). No one should enter or use another's
computer system, software, or data files without permission. One must always have
appropriate approval before using system resources, including communication ports, file
space, other system peripherals, and computer time.

3. ORGANIZATIONAL LEADERSHIP IMPERATIVES.


BACKGROUND NOTE: This section draws extensively from the draft IFIP Code of
Ethics, especially its sections on organizational ethics and international concerns. The
ethical obligations of organizations tend to be neglected in most codes of professional
conduct, perhaps because these codes are written from the perspective of the individual
member. This dilemma is addressed by stating these imperatives from the perspective of
the organizational leader. In this context "leader" is viewed as any organizational
member who has leadership or educational responsibilities. These imperatives generally
may apply to organizations as well as their leaders. In this context "organizations" are
corporations, government agencies, and other "employers," as well as volunteer
professional organizations.

3.1 Articulate social responsibilities of members of an organizational unit and
encourage full acceptance of those responsibilities.

Because organizations of all kinds have impacts on the public, they must accept
responsibilities to society. Organizational procedures and attitudes oriented toward
quality and the welfare of society will reduce harm to members of the public, thereby
serving public interest and fulfilling social responsibility. Therefore, organizational
leaders must encourage full participation in meeting social responsibilities as well as
quality performance.

3.2 Manage personnel and resources to design and build information systems that
enhance the quality of working life.

Organizational leaders are responsible for ensuring that computer systems enhance, not
degrade, the quality of working life. When implementing a computer system,
organizations must consider the personal and professional development, physical safety,
and human dignity of all workers. Appropriate human-computer ergonomic standards
should be considered in system design and in the workplace.

3.3 Acknowledge and support proper and authorized uses of an organization's
computing and communication resources.
Because computer systems can become tools to harm as well as to benefit an
organization, the leadership has the responsibility to clearly define appropriate and
inappropriate uses of organizational computing resources. While the number and scope
of such rules should be minimal, they should be fully enforced when established.

3.4 Ensure that users and those who will be affected by a system have their needs
clearly articulated during the assessment and design of requirements; later the
system must be validated to meet requirements.
Current system users, potential users and other persons whose lives may be affected by
a system must have their needs assessed and incorporated in the statement of
requirements. System validation should ensure compliance with those requirements.

3.5 Articulate and support policies that protect the dignity of users and others
affected by a computing system.
Designing or implementing systems that deliberately or inadvertently demean
individuals or groups is ethically unacceptable. Computer professionals who are in
decision making positions should verify that systems are designed and implemented to
protect personal privacy and enhance personal dignity.

3.6 Create opportunities for members of the organization to learn the principles
and limitations of computer systems.
This complements the imperative on public understanding (2.7). Educational
opportunities are essential to facilitate optimal participation of all organizational
members. Opportunities must be available to all members to help them improve their
knowledge and skills in computing, including courses that familiarize them with the
consequences and limitations of particular types of systems. In particular, professionals
must be made aware of the dangers of building systems around oversimplified models,
the improbability of anticipating and designing for every possible operating condition,
and other issues related to the complexity of this profession.

4. COMPLIANCE WITH THE CODE.

4.1 Uphold and promote the principles of this Code.

The future of the computing profession depends on both technical and ethical
excellence. Not only is it important for ACM computing professionals to adhere to the
principles expressed in this Code, each member should encourage and support
adherence by other members.

4.2 Treat violations of this code as inconsistent with membership in the ACM.
Adherence of professionals to a code of ethics is largely a voluntary matter. However, if
a member does not follow this code by engaging in gross misconduct, membership in
ACM may be terminated.

This Code and the supplemental Guidelines were developed by the Task Force for the
Revision of the ACM Code of Ethics and Professional Conduct: Ronald E. Anderson,
Chair, Gerald Engel, Donald Gotterbarn, Grace C. Hertlein, Alex Hoffman, Bruce
Jawer, Deborah G. Johnson, Doris K. Lidtke, Joyce Currie Little, Dianne Martin, Donn
B. Parker, Judith A. Perrolle, and Richard S. Rosenberg. The Task Force was organized
by ACM/SIGCAS and funding was provided by the ACM SIG Discretionary Fund. This
Code and the supplemental Guidelines were adopted by the ACM Council on October
16, 1992.
Source: http://www.acm.org/about/code-of-ethics

Topic B: Introduction to network security


Explanation: As personal and business-critical applications become more prevalent on the Internet,
network-based applications and services can pose security risks to all information
resources. Network security is essential—information is an asset and must be protected.
Without adequate protection or network security, a company is highly susceptible to a
financial or commercial loss. The fear of a security breach can be just as debilitating to
a business as an actual breach. Distrust of the Internet can limit business opportunities
for organizations, especially those that are 100% Web-based. It’s imperative that
organizations enact security policies and procedures and incorporate safeguards that are
effective and that are perceived as effective by potential customers.

Network security is the process by which digital information assets are protected. The
goals of network security are to maintain integrity, protect confidentiality, and ensure
availability. Specifically, network security includes, among other things, enforcing
copyright and privacy laws, protecting against data loss, and ensuring that systems are
available on an uninterrupted basis.

The growth of computing has generated enormous advances in the way people live and
work. For the Internet to achieve its potential usefulness, it’s important that all networks
are protected from threats and vulnerabilities. A threat is defined as any activity that
poses a danger to your information. A vulnerability is a weakness in a system, such as
misconfigured hardware or software, poor design, or end-user carelessness. Threats
exploit vulnerabilities in order to gain unauthorized access to a network.
Security risks cannot be completely eliminated or prevented, but with effective risk
management and assessment, the risks can be minimized to an acceptable level. What is
considered acceptable depends on how much risk the individual or organization is
willing to assume. A risk is worth assuming if the benefits of implementing the
risk-reducing safeguards far exceed the costs.

Effect of evolving technologies on security
When networks were first implemented, they consisted of dumb terminals connected to
a central mainframe computer. The mainframe was kept in a well-secured computer
room, and users could connect only via dumb terminals from approved locations over
static, point-to-point connections. A user name and password were required to access
the system, and user access was restricted. Security was very simple given those
circumstances.

With the development of more extensive network infrastructures made up of hardware
and software (specifically, PCs, LANs, and WANs), global access to information
dramatically increased. So did the need for advanced network security.
• The introduction of firewalls in 1995 allowed successful businesses to balance
  security with simple outbound access to the Internet (mostly for e-mail and Web
  surfing), creating a positive impact on the bottom line for those businesses.
• The growth of extranets produced tremendous corporate cost savings by
  connecting internal systems to business partners, connecting sales-force
  automation systems to mobile employees, and providing electronic commerce
  connections to business customers and consumers.
• The proliferation of firewalls began to be augmented by intrusion detection,
  authentication, authorization, and vulnerability assessment systems.

Today, companies are achieving a balance by keeping the bad guys out with
increasingly complex ways of letting the good guys in.

Managing risk
Security is critical for all types of Internet businesses. By protecting high-availability
systems from intrusion and corruption, security technologies help companies build trust
with their employees, suppliers, partners, and customers—a trust that information is
protected and transactions are reliable.
When most people talk about security, they mean ensuring that users:
• Can perform only the tasks they are authorized to do
• Can obtain only the information they are authorized to have
• Cannot damage the data, applications, or operating environment of a system
The word “security” connotes protection against malicious attack by outsiders, but
security also involves controlling the effects of errors and equipment failures. Anything
that can protect a system against an attack can prevent random misfortune as well.

Goals of network security

The goal of implementing network security is to maintain an acceptable level of
integrity, confidentiality, and availability for your data.

Integrity

Integrity refers to the assurance that data is not altered or destroyed in an unauthorized
manner. Integrity is maintained when the message received is identical to the message
sent. Even for data that is not confidential, data integrity must be maintained. For
example, you might not care if anyone sees your routine business transaction, but you
would certainly care if the transaction were modified.
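
The transaction case above as an added example (not part of the course notes): the message stays readable, yet a keyed tag lets the receiver detect modification, while an unkeyed checksum does not. The key, the payment message format and all function names are assumptions constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data (illustrative only).
SHARED_KEY = b"constructed-demo-key-not-for-real-use"
ORIGINAL = b"PAY supplier=ACME amount=100.00 ref=INV-0042"
ALTERED = b"PAY supplier=ACME amount=900.00 ref=INV-0042"


def checksum(message):
    """Unkeyed SHA-256 digest: anyone who can read the message can recompute it."""
    return hashlib.sha256(message).hexdigest()


def mac(key, message):
    """Keyed HMAC-SHA-256 tag: only holders of the shared key can produce it."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def receiver_accepts(message, check, key=None):
    """Receiver recomputes the digest (or tag, if a key is given) and compares
    in constant time."""
    expected = mac(key, message) if key else checksum(message)
    return hmac.compare_digest(expected, check)


def scenario():
    """Run four deliveries and report whether the receiver accepts each one."""
    results = {}

    # Unkeyed checksum, message delivered untouched.
    results["checksum/untouched"] = receiver_accepts(ORIGINAL, checksum(ORIGINAL))

    # Unkeyed checksum, message changed on the path. No key is needed to
    # recompute the digest, so the change goes unnoticed.
    results["checksum/modified"] = receiver_accepts(ALTERED, checksum(ALTERED))

    # HMAC tag, message delivered untouched.
    tag = mac(SHARED_KEY, ORIGINAL)
    results["hmac/untouched"] = receiver_accepts(ORIGINAL, tag, SHARED_KEY)

    # HMAC tag, message changed on the path. Without the key the only tag
    # available is the one made for the original message, which no longer matches.
    results["hmac/modified"] = receiver_accepts(ALTERED, tag, SHARED_KEY)
    return results


if __name__ == "__main__":
    for case, accepted in scenario().items():
        print(f"{case:20} accepted={accepted}")
```

Nothing here hides the transaction from readers; integrity and confidentiality are separate controls.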

Confidentiality
Confidentiality is the protection of data from unauthorized access by or disclosure to a
third party. Whether it is customer data or internal company data, a business is
responsible for protecting the privacy of its data.

Proprietary company information also needs to remain confidential. Only authorized
parties should be granted access to information that has been identified as confidential.
The transmission of such information should be performed in a secure manner,
preventing any unauthorized access en route.

Availability
Availability is defined as the assurance that computer services can be accessed when
needed. It is the opposite of denial-of-service (DoS) attacks, which slow down or even
crash systems by engulfing network equipment with useless noise. Applications require
differing availability levels, depending on the business impact of downtime. For an
application to be available, all components—including application and database servers,
storage devices, and the end-to-end network—must provide continuous service.
The increasing dependence of businesses and other organizations on networked
applications and the Internet, together with the convergence of voice with data,
increases requirements for highly available applications. System downtime of any sort
might result in lack of credibility, lower customer satisfaction, and lost revenues.

Do it! B-1: Discussing network security


Questions and answers
1 What are the goals of security? (Choose all that apply.)
  A Maintain integrity
  B Protect confidentiality
  C Ensure availability
  D Improve performance

2 Which of the following types of access can be a threat to networks?
  A Authorized
  B Needed
  C Unauthorized
  D Invalid

3 True or false? Integrity is maintained when the message sent is identical to the
  message received.

4 True or false? Confidentiality is the protection of data from authorized disclosure
  to a third party.

5 True or false? Availability is defined as the continuous operation of computing
  systems.

Topic C: Understanding security threats


Goals of network security
Explanation: The goals of network security are integrity, confidentiality, and availability. Data threats
are pervasive in today’s society, however, and continue to challenge even the most
secure systems. Among these threats are:
• Corporate espionage — The FBI estimates that U.S. companies lose up to $100
  billion in profits every year because of information theft. This theft often stems
  from reports and confidential information being thrown in the trash.
• Identity theft — According to the Identity Theft Resource Center, each year,
  more than 700,000 Americans have their personal information used illegally.
• Computer viruses — Computer Economics magazine reports that the estimated
  worldwide impact of malicious code was $13.2 billion in the year 2001 alone.

Each company must weigh the cost of network security against the cost of lost assets
and decide how much they are willing to risk.

When data integrity is compromised, an organization must incur extremely high costs to
correct the consequences of attacks. If an unauthorized user changes a Web site so that
it gives customers the wrong information about specific items, the organization must
further invest to correct the Web site and address any public relations issues with
customers.
When data confidentiality is compromised, the consequences to the organization are not
always immediate, but they are usually costly. Unauthorized users might find scientific
data on company research and steal it to use for their own competitive advantage.

When application availability is compromised by network outages, organizations can
lose millions of dollars in just a few hours. Unauthorized users can take down Web
servers and not allow customers to view and obtain information they need. Customers
might then go elsewhere for services.
The compromising of each of these three security goals can dearly cost an organization.
Sometimes the costs are direct, such as when data integrity is compromised or when an
e-commerce Web site is rendered unavailable by a denial-of-service attack. Other times,
the costs are indirect, such as when corporate secrets have been stolen or when users
lose productivity due to downtime.

Sources of threats
Compromised security has four primary causes:
• Technology weaknesses
• Configuration weaknesses
• Policy weaknesses
• Human error or malice

Technology weaknesses
Computer and network technologies have intrinsic security weaknesses in the following
areas:
• TCP/IP — A communication protocol suite for routed networks, TCP/IP was
  designed as an open standard to facilitate communications. Due to its wide
  usage, there are plenty of experts and expert tools that can compromise this open
  technology. It cannot guard a network against message-modification attacks or
  protect connections against unauthorized-access attacks.
• Operating systems — OSs such as UNIX, Linux, Windows, and Mac OS need
  the latest patches, updates, and upgrades applied to protect users.
• Network equipment — Routers, firewalls, and switches must be protected
  through the use of password protection, authentication, routing protocols, and
  firewalls.

Configuration weaknesses

Even the most secure technology can be misconfigured. Security problems are often
caused by one of the following configuration weaknesses:
• Unsecured accounts — User account information might be transmitted
  unsecurely across the network, exposing user names and passwords to sniffers.
  Sniffers are programs for monitoring network activity; they can capture and
  analyze IP packets on an Ethernet network or dial-up connection.
• System accounts with easily guessed passwords — Poorly administered
  password policies can cause problems.
• Misconfigured Internet services — A common problem is turning on Java and
  JavaScript in Web browsers, enabling attacks via hostile Java applets. Another
  problem is putting high-security data on a Web server; this type of data (Social
  Security numbers, credit card numbers) should be behind a firewall and require
  user authentication and authorization to access.
• Unsecured default settings — Many products have default settings that enable
  security holes.
• Misconfigured network equipment — Poor configuration of network devices
  can cause significant security problems. For example, misconfigured access lists,
  routing protocols, or Simple Network Management Protocol (SNMP)
  community strings can open up large security holes.
• Trojan horses — Delivery vehicles for destructive code, these appear to be
  harmless programs but are enemies in disguise. They can delete data, mail
  copies of themselves to e-mail address lists, and open up other computers for
  attack.
• Vandals — These software applications or applets can destroy a single file or a
  major portion of a computer system.
• Viruses — These are the largest threat to network security and have proliferated
  in the past few years. They are designed to replicate themselves and infect
  computers when triggered by a specific event. The effect of some viruses is
  minimal and only an inconvenience, while others are more destructive and cause
  major problems, such as deleting files or slowing down entire systems.
3–14 Computer Fundamentals: Book 2

Human error and malice


Human error and malice constitute a significant percentage of breaches in network
security. Even well-trained and conscientious users can cause great harm to security
systems, often without knowing it.
Well-intentioned users can contribute to security breaches in several ways:
• Accident — The mistaken destruction, modification, disclosure, or incorrect
classification of information.
• Ignorance — Inadequate security awareness, lack of security guidelines, lack of
proper documentation, or lack of knowledge. Users might inadvertently give
information on security weaknesses to attackers.
• Workload — Too many or too few system administrators.

Conversely, ill-willed employees or professional hackers and criminals can access
valuable assets through deceit:
• Dishonesty — People might commit fraud, steal, embezzle, or sell confidential
corporate information.
• Impersonation — Attackers might use the telephone to impersonate employees
in order to persuade users or administrators to give out user names, passwords,
modem numbers, and so on.
• Disgruntled employees — Those who have been fired, laid off, or reprimanded
might infect the network with a virus or delete files. Usually one of the largest
security threats, these people know the network and the value of the information
on it.
• Snoops — Individuals engage in corporate espionage by gaining unauthorized
access to confidential data and providing this information to competitors.
• Denial-of-service attacks — These attacks engulf network equipment with
useless noise, thereby causing systems to slow down or even crash.
• Social engineering — Also called “hacking humans,” social engineering refers
to tricking employees into giving out passwords, opening doors (literally), and
providing other access and information. Hackers pose as fellow employees,
technical consultants, cleaning staff, or whatever induces real employees to trust
them and give them virtual or physical access to computer systems.

Do it! C-1: Identifying security threats


Questions and answers
1 Which of the following computer and network technologies have intrinsic security
weaknesses?
A TCP/IP
B Operating systems
C Network equipment
D All of the above

2 What is a crime called in which one person masquerades under the identity of
another?
A Identity theft
B Confidentiality
C Integrity
D All of the above

3 Which of the following is not a primary cause of network security threats?
A Encryption
B Technology weaknesses
C Policy weaknesses
D Configuration weaknesses
E Human error

4 True or false? Trojan horses are destructive programs that masquerade as benign
applications.

5 Which of the following is not considered a configuration weakness?
A Unsecured accounts
B Misconfigured Internet services
C Misconfigured access lists
D Human ignorance

Topic D: Creating a secure network strategy


Elements of a successful strategy
The most important goal of network security is to achieve a state in which any action
that is not expressly permitted is prohibited. To be successful, a network strategy must
address both internal and external threats.

Successful strategies look at technical threats and their appropriate responses. Strategies
are used to develop the necessary network security policies and procedures for the
response effort. A strong security strategy defines policies and procedures and reduces
risk across perimeter security, the Internet, intranets, and LANs.

When you’re planning a strong security strategy, here are some things to consider:
• Human factors
• Knowing your weaknesses
• Limiting access
• Achieving security through consistency
• Physical security
• Perimeter security
• Firewalls
• Web and file servers
• Access control
• Change management
• Encryption
• Intrusion detection systems

Human factors

Many security procedures fail because their designers do not truly consider the users.
You might want to consider the following questions:
• Does your network security system recognize that a user has tried to log onto
more than one computer at the same time?
• Can staff members who forgot to log off at work also log on from home by using
remote dial-up?
• Can the screens of secure workstations be easily seen by passersby, and are users
aware of potential snoops when they log on or view confidential information?
• Can staff members log onto the network from a machine other than their own?
• Is your security policy built into network management tools so that the
misconfiguration of a server or router is flagged and noticed?
• Can an employee remove a hard disk or add a ZIP drive, CD-R drive, flash
drive, or other removable storage device to a desktop computer without anyone
noticing?

Security must be sold to your users, and compliance must be enforced. Users must
understand and accept the need for security. To reduce your security risk, you must
know where your users are, electronically and physically, and whether they are
following security policies.

Knowing your weaknesses


Every security system has vulnerabilities. Attack your own system to determine where
your weaknesses are located. Once you identify your weaknesses, you can plug those
holes effectively.
Determine the areas that present the largest danger to your system, and prevent access to
them immediately. Add more security to these areas. Is your weakness an internal
server, a firewall, a router, or improperly trained staff? Develop a methodology for
testing your systems and ensuring that they remain safe.

Limiting access

The security of a system is only as good as the weakest security level of any single host
in the system. Not everyone needs to have authorization to every folder or document.
Segment your network users, files, and servers. For example, staff members in the
Accounting department do not need access to personnel files in the Human Resources
department.

The default access should be no access. From there, you open holes with permissions
and authentication, allowing authorized users to access designated resources. Security
will be tighter if you start from this premise, rather than starting from “open access.”

Along the same lines, users should be aware of their surroundings when they log in and
view private information. Simply looking at someone else’s screen, or “screen surfing,”
is a low-tech but effective way to gain information. It’s hard to guard against, because
users must take individual responsibility to guard the information on their screens.

Achieving security through consistency

Develop a change management process for your network. Whenever there are network
upgrades—whether patches, the addition of new users, or a firewall update—you should
document the process and procedures. If you are thorough in documenting the process,
you limit your security risks. When you add new users to the network, do you always do
the same thing? What happens if you forget a step? Is your security breached? Be
methodical and follow a written process.

Physical security

It makes no sense to install complicated software security measures when access to the
hardware is not controlled. Require authorization to go into your network room and the
different closets in which network equipment is kept; otherwise, unauthorized users can
easily access and destroy network equipment in seconds. Ideally, doors to server rooms
should have good locks that require an access code, ID card, or some other
authentication to open.

Perimeter security
Perimeter security refers to controlling access to critical network applications, data, and
services. Services include secure Web and file servers, gateways, remote access, and
naming services. Each organization should be prepared to select perimeter security tools
based on its network requirements and budget. Along with the network, blueprints for
all campus grounds and buildings are necessary for successful perimeter security. In
addition, all hardware, PCs, and software components must be documented.

Firewalls
A firewall is a hardware or software solution that contains programs designed to enforce
an organization’s security policies by restricting access to specific network resources.
The firewall creates a protective layer between the network and the outside world. The
firewall has built-in filters that can be configured to block unauthorized or dangerous
materials from entering the network. Firewalls log attempted intrusions and create
reports.

Web and file servers


Organizations must test mission-critical hosts, workstations, and servers for
vulnerabilities. Determine whether your organization has the in-house expertise and
experience to successfully test the network. If it does not, outsourcing to a reputable
security assessment organization is recommended.

Access control

Access control ensures that legitimate traffic is allowed into or out of your network.
This control is achieved by having users identify themselves via passwords to prove
their identity at login. In addition, access must be permitted or denied for each
application, function, and file. Most attacks against networks occur when unauthorized
people find a way through the login system, typically by guessing or stealing a user
identity that is recognized by the system. These attacks are successful because networks
utilize access control systems, which merely involve entering a user ID with a
password. With such limited security, attacks are simple and common. Many systems
do not log invalid password entries, and thus allow an attacker to be
more persistent. Hackers can continue trying different passwords repeatedly without
being noticed.
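
The gap described above, where invalid password entries go unlogged and repeated guessing goes unnoticed, can be closed with a detection pass over authentication logs. The following is an added example, not part of the original notes; the log format, account names, and addresses are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; the line format, users and addresses are illustrative.
SAMPLE_LOG = """\
2024-03-01T09:00:01 LOGIN_FAIL user=jsmith src=10.0.0.15
2024-03-01T09:00:09 LOGIN_OK user=jsmith src=10.0.0.15
2024-03-01T09:14:00 LOGIN_FAIL user=admin src=203.0.113.7
2024-03-01T09:14:02 LOGIN_FAIL user=admin src=203.0.113.7
2024-03-01T09:14:04 LOGIN_FAIL user=admin src=203.0.113.7
2024-03-01T09:14:06 LOGIN_FAIL user=admin src=203.0.113.9
2024-03-01T09:14:08 LOGIN_FAIL user=admin src=203.0.113.9
2024-03-01T09:14:30 LOGIN_OK user=admin src=203.0.113.9
2024-03-01T10:00:00 LOGIN_FAIL user=mlee src=10.0.0.22
2024-03-01T11:00:00 LOGIN_FAIL user=mlee src=10.0.0.22
2024-03-01T12:00:00 LOGIN_FAIL user=mlee src=10.0.0.22
2024-03-01T13:00:00 LOGIN_FAIL user=mlee src=10.0.0.22
2024-03-01T14:00:00 LOGIN_FAIL user=mlee src=10.0.0.22
"""
LINE_RE = re.compile(r"^(\S+) (LOGIN_OK|LOGIN_FAIL) user=(\S+) src=(\S+)$")

def parse_log(text):
    """Turn log text into (time, result, user, source) tuples, skipping bad lines."""
    matches = (LINE_RE.match(line.strip()) for line in text.splitlines())
    return [(datetime.fromisoformat(m[1]), m[2], m[3], m[4]) for m in matches if m]

def detect_password_guessing(events, threshold=5, window=timedelta(minutes=5)):
    """Flag accounts with `threshold` failed logins inside `window`."""
    recent = defaultdict(list)      # user -> [(time, source)] of recent failures
    alerts = {}
    for ts, result, user, src in sorted(events):
        fails = [f for f in recent[user] if ts - f[0] <= window]
        if result == "LOGIN_FAIL":
            fails.append((ts, src))
            if len(fails) >= threshold:
                sources = sorted({s for _, s in fails})
                alerts[user] = {"failures": len(fails), "sources": sources,
                                "then_succeeded": False}
        else:
            if len(fails) >= threshold:     # a success right after a burst is the worst case
                alerts[user]["then_succeeded"] = True
            fails = []                      # a successful login ends the streak
        recent[user] = fails
    return alerts

if __name__ == "__main__":
    print(detect_password_guessing(parse_log(SAMPLE_LOG)))
```

On the sample, only `admin` is flagged: one mistyped password followed by a success (`jsmith`) and failures spread over hours (`mlee`) stay below the threshold.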
Another type of access control is the use of personal identification numbers (PINs).
These are commonly used at banks. The only difference between passwords and PINs is
that PINs are usually all numeric and only a few characters long.

Security tokens are gaining popularity as well. The security-token hardware plugs into a
computing device and dynamically generates a new password at each login. This is done
automatically for the user after the user authenticates with a password.

Smart cards, with embedded chips, contain code that identifies the cardholder, or
contain keys that can read and send encrypted data. These cards are becoming more
popular and are very useful for maintaining security.

Fingerprint readers are sometimes used, but have been shown to be vulnerable. In May
of 2002, a Japanese researcher presented a study showing that biometric fingerprint
readers can be fooled 80% of the time by a fake finger created with gelatin, using
fingerprints lifted from a drinking glass.

Change management

Change management is a set of procedures developed by network staff that are followed
whenever a change is made in the network. Most organizations focus on servers and do
not document changes in the backbone, which touches the entire network infrastructure.
It is important to document changes in all areas of your IT infrastructure.

Encryption
Encryption ensures that messages cannot be intercepted or read by anyone other than
their intended audience. Encryption is usually implemented to protect data that is
transported over the public network; it uses advanced algorithms to scramble messages
and their attachments.

Intrusion detection systems


An intrusion detection system (IDS) provides 24/7 network surveillance. It analyzes
packet data streams within the network and searches for unauthorized activity. When
unauthorized activity is detected, the IDS can send alarms, with details of the activity, to
a management console and can order other systems to cut off the unauthorized session.

Parental Controls

Although most businesses won’t use Windows Vista’s Parental Controls, you might
want to use them at home, and some educational organizations might find the features
useful to control students who use Vista computers in the classroom or on mobile
computers they take home.

Exhibit 3-1: Parental Controls

Parental controls are available in Windows Vista Home Basic, Home Premium, and
Ultimate. You can use parental controls, shown in Exhibit 3-1, to control user activity in
the following ways:
• Restrict Web sites, Web content, and file downloads
• Set time restrictions on computer use
• Control gaming by restricting specific games or games based on content ratings
• Allow or block specific programs

You can also enable the reporting feature, which gives a detailed account of user
activity. Parental Controls are configured on a per-user basis, which means that you
must configure Parental Controls on individual user accounts.

To open Parental Controls:
1 Open Control Panel.
2 Click User Accounts and Family Safety. (If you don’t see Family Safety, you are
using a version of Windows Vista that doesn’t include Parental Controls.)
3 Click Parental Controls.
4 Click a user account to configure.

After you have selected a user, you can configure the different settings in the list above.

Do it! D-1: Discussing strategies to secure your network


Questions and answers
1 True or false? Ideally, the administrator should give everyone access to everything
and then start securing the system when a problem arises.

2 Which of the following are considered to be part of a successful network security
strategy? (Choose all that apply.)
A Knowing your weaknesses
B Determining the cost
C Remembering human factors
D Controlling secrets

3 Which of the following statements is incorrect?
A Firewalls restrict access to specific network resources.
B Firewalls contain built-in filters.
C A firewall creates a protective layer between the network and the outside
world.
D Firewalls are a hardware-only solution.

4 Examples of access controls might include which of the following? (Choose all
that apply.)
A Smart cards
B Security tokens
C Change management
D PINs

5 What are some things you can control with Vista’s parental controls?