Taking a more abstract view on computer security, week 8’s topic was computer security for large networks. This first part of the lecture discussed risk analysis. Some key steps in conducting risk analysis:
- Value of assets being protected – if attacks break into our network what is the worst case scenario? This value is constantly rising in today’s business environment. This step will also establish a budget range for system security, there is no point spending 1 million protecting a system that contains information and assets worth one hundred thousand.
- Threat identification – What are the known threats to our system? This could include likely attackers, the types of known exploits and an understanding of what possible unknown exploits may be capable of.
- Identification of key system components:
- Define each step in the security life cycle – Prevention -> Detection -> Response -> Recovery
- Specifying policy areas for People, Processes and Tools
- Begin development of security policy using a logical framework: Organizational -> Security Architecture -> Technical
- Design, implementation and testing of chosen security tools:
- Audit any security systems in place at set time periods (ie: once a year)
- Understand that organization requirements can change quickly and that the security policy is in place to protect organizations whilst allowing them to operate as unhindered as possible, there is no point having a completely secure systems that takes employees 2 hours to gain access to.
Design of system wide security policies may come off as a more managerial, less technical operation. However, to implement a good security policy, decision makers must be aware of and have an in depth understanding of the available tools, threats from attackers and the organizational requirements. I would be very surprised if most vulnerabilities were as a direct result of technical issues rather than holes as a result of poorly designed and implemented security policies.