Page |1 Selling Security to the Organization

Please type a three- to five-page (800 to 1,200 words) paper. Using APA Use transition words, a thesis statement, an introduction, a body, a conclusion, and a reference page with at least two references. Use double-spaced, 12-point Arial font.

Selling Security to the Organization By: Desiree Carter

Having a comprehensive security policy within the organization is important. Information security policy can be defined as a document that states how an organization plans to protect the organizations tan gible and intangible information assets. (Greene) There are three other definitions that are used to describe Information Security Policy the first is: The instructions of management indicating a course of action, a guiding principle, or an appropriate procedure. The second is: High-level statements that provide guidance to the workers who must make present and future decisions. The third is: Requirements that are generalized and written down that are communicated to certain groups of people within and outside of the organization.

Page |2

Policies inside of an organization are extremely important especially a comprehensive security policy. A policy dictates how the organization should operate and the behavior of the employees and stakeholders of the organization. This policy should protect the information inside the organization and the employees and its customers. The policy protects information in the forms of storage, processing and transmission. The goal of information security policies is to secure the organizational information and protect it from all foreseeable harm while also leaving flexibility for the unforeseen. Network attacks are becoming more prevalent on the news because of this organizations are spending more of their IT budget on security. We need to take the steps necessary to keep our networks safe.

There are nine types of common network attacks the first is: Eavesdropping in which an attacker that has gained access to our data paths in our network can listen in or interpret (read) the traffic. This ability harms our network it is said to be the biggest security problem that administrators face. We need strong encryption services that are based on cryptography because of this. The second is Data Modification if an attacker has read our data they can alter the data in the packet without our knowledge or the recipients knowledge. The third is IP address spoofing; our networks and operating systems use the IP address of a computer to identify that we are a valid entity. An attacker can generate a false IP address. The attacker might also use special programs to

Page |3

construct IP packets that appear to originate from valid addresses within our intranet.

The forth is password based attacks; If our password-based access control is weak our accounts can be compromised. Our access rights to a computer and network resources are determined by our user names and passwords. If an eavesdropper attacker gains access to our network by posing as a valid user our accounts are compromised. If an attacker gains access to our network with a valid account they can: Obtain lists of valid user and computer names and network information. Modify server and network configurations, including access controls and routing tables. Modify, reroute, or delete your data. ("Common types of,)

The fifth is Denial of Service Attack which prevents normal use of your computer or network by valid users. If they gain access to our network they can harm it by: randomizing the attention of our internal Information Systems staff so that they do not see the intrusion immediately, which would allow the attacker to make more attacks during the diversion. They could send invalid data to applications or network services, which could cause abnormal termination or behavior of the applications or services. They could flood one computer or the entire network with traffic until a shutdown occurs because of the overload. They could block traffic which would result in a loss of access to network resources by authorized users.

Page |4

The sixth is the main in the middle attack. With the man-in-the middle attack you are victim as well as the person with whom you are communicating to because you and the person you are communicating with are actively being monitored, data is being captured and the communication is being controlled transparently. One scenario is the attacker having the ability to re-route a data exchange. If a computer is communication at a low level in the network layer they have the possibility of falling victim to an attack like this because the computers might not be able to determine with whom they are exchanging data. In a way the perpetrator of the Man-in-the-middle attacks is like opening someone elses mail in essence they open your message and use it to communicate with the person on the other end. Then the person on the other end may believe it is you because the attacker might be actively replying as you to keep the exchange going and gain more information.

The seventh is: an application-layer attack it targets application servers by deliberately causing a fault in the servers operating system or its applications. If this happens the attacker may gain the ability to bypass the normal access controls. Then the attacker takes advantage of this situation and controls your application and/or system or network and harms you in any of the following ways: Read, add, delete, or modify your data or operating system. Introduce a virus program that uses your computers and software applications to copy viruses throughout your network. Introduce a sniffer program to analyze your network

Page |5

and gain information that can eventually be used to crash or to corrupt your systems and network. Abnormally terminate your data applications or operating systems. Disable other security controls to enable future attacks. ("Common types of,)

The eighth is: compromised-key attack a key is the code or number necessary to interpret secured information over the computer. Obtaining a key is a difficult and resource-intensive process for an attacker, and it is possible and comes with rewards. Once the attacker obtains a key, that key is referred to as a compromised key. The rewards of a hacker with a compromised key are access to a secured communication without anyone being aware of the attack. Also the attacker can decrypt or modify data, and try to use the compromised key to compute additional keys, which might allow the attacker access to other secured communications.

The ninth is: sniffer attack, A sniffer is an application or device that can read, monitor, and capture network data exchanges and read network packets. If the packets are not encrypted, a sniffer provides a full view of the data inside the packet. Even encapsulated (tunneled) packets can be broken open and read unless they are encrypted and the attacker does not have access to the key. ("Common types of,) With a sniffer an attacker can do two things they are: Analyzing your network as to gain information to eventually cause your network to crash or to become corrupted and read your communications.

Page |6

The purpose of a security policy should be clearly stated in essence it says why this rule exists. If this is clear than nobody can misinterpret the reason for its existence. The scope tells what the policy covers and whom it applies to. When this is clearly stated everybody will easily understand what the proper protocol or conduct is and human error is reduced. The authority is who governs the policy who are people held accountable to. If this is clearly stated than a person is more likely to follow the chain of command. The policy are the statements their selves, they should be clearly defined so everyone understands each of the statements concepts and the rule or rules it states.

If this is done than nobody can claim a misunderstanding of the policy. The penalties for noncompliance are the actions that are taken for noncompliance with the policy. If there are levels of noncompliance then each level of noncompliance must be stated as well as the punishment for such action. Everyone no matter their position in the company should be held accountable for adhering to the policy. Then operations are more likely to run smoothly.

Page |7

References

Greene, S. Security policies and practice

Common types of network attacks . (n.d.). Retrieved from http://technet.microsoft.com/enus/library/cc959354.aspx