Network security is concerned, above all else, with the security of company information
assets. We often lose sight of the fact that it is the information and our ability to access that
information that we are really trying to protect-and not the computers and networks. I have a
simple definition for information security:
Information security = confidentiality + integrity + availability + authentication
There can be no information security without confidentiality; this ensures that unauthorized
users do not intercept, copy, or replicate information. At the same time, integrity is necessary
so that organizations have enough confidence in the accuracy of the information to act upon
it. Moreover, information security requires organizations to be able to retrieve data; security
measures are worthless if organizations cannot gain access to the vital information they need
to operate when they need it. Finally, information is not secure without authenticationdetermining
whether the end user is authorized to have access.
Among the many elements of information security are ensuring adequate physical security;
hiring proper personnel; developing, and adhering to, procedures and policies; strengthening
and monitoring networks and systems; and developing secure applications. It is important to
remember that information security is not just about protecting assets from outside hackers.
The majority of the time threats are internal to an organization: "We have found the enemy
and it is us."
Information security is also about procedures and policies that protect information from
accidents, incompetence, and natural disasters. Such policies and procedures need to address
the following:
• Backups, configuration controls, and media controls;
• Disaster recovery and contingency planning;
• Data integrity.
It is also important to remember that network security is not absolute. All security is relative.
Network security should be thought of as a spectrum that runs from very unsecure to very
secure. The level of security for a system or network is dependent on where it lands along that
spectrum relative to other systems. It is either more secure or less secure than other systems
relative to that point. There is no such thing as an absolutely secure network or system.
Network security is a balancing act that requires the deployment of "proportionate defenses."
The defenses that are deployed or implemented should be proportionate to the threat.
Organizations determine what is appropriate in several ways, described as follows.
• Balancing the cost of security against the value of the assets they are protecting;
• Balancing the probable against the possible;
• Balancing business needs against security needs.
Organizations must determine how much it would cost to have each system or network
compromised-in other words, how much it would cost in dollars to lose information or access
to the system or to experience information theft. By assigning a dollar value to the cost of
having a system or network compromised, organizations can determine the upper limit they
hould be willing to pay to protect their systems. For many organizations this exercise is not
necessary, because the systems are the lifeblood of the business. Without them, there is no
organization.
Organizations also need to balance the cost of security against the cost of a security breech.
Generally, as the investment in security increases, the expected losses should decrease.
Companies should invest no more in security than the value of the assets they are protecting.
This is where cost benefit analysis comes into play.
Risk Assessment
The concept of risk assessment is crucial to developing proportionate defenses. To perform a
risk analysis, organizations need to understand possible threats and vulnerabilities. Risk is the
probability that a vulnerability will be exploited. The basic steps for risk assessment are listed
as follows:
- Identifying and prioritizing assets;
- Identifying vulnerabilities;
- Identifying threats and their probabilities;
- Identifying countermeasures;
- Developing a cost benefit analysis;
- Developing security policies and procedures.
Security Models
There are three basic approaches used to develop a network security model. Usually,
organizations employ some combination of the three approaches to achieve security. The
three approaches are security by obscurity, the perimeter defense model, and the defense in
depth model.
Security by Obscurity
Security by obscurity relies on stealth for protection. The concept behind this model is that if
no one knows that a network or system is there, then it won't be subject to attack. The basic
hope is that hiding a network or at least not advertising its existence will serve as sufficient
security. The problem with this approach is that it never works in the long term, and once
detected, a network is completely vulnerable.