Security Policies and Risk Analysis

In the last chapter, we discussed the basics of network security. Among the issues that we briefly touched on are the techniques and best practices that are currently being used by many security personnel in a variety of networks that make up the communication infrastructure. In this chapter, we are going to start with what is considered to be the most basic of all security techniques—security.policy. We will discuss several issues about security policy, like what constitutes a good policy and how to formulate, develop, write implement, and maintain a security policy.

Building Trust in the Information Infrastructure

The rapid advances in computer technology, the plummeting prices of information processing and indexing devices, and the development of sprawling global networks have all made the generation, collection, processing, indexing, and storage of and access to information easy and have made the information infrastructure an enjoyable environment. The information. infrastructure consists of computer or computer-related hardware, software to run on the hardware, and humanware to run both. The human component in the information infrastructure is essential because humans create the life and dynamism in the infrastructure that has made it what it is. However, humans also create all the problems facing the infrastructure as we will see throughout the book. Note that the infrastructure we have just defined is actually cyberspace. So throughout the book, we will use cyberspace and information infrastructure interchangeably. Cyberspace technology has brought more excitement to humanity than ever before. Communication has become almost instantaneous. The speed of data access is chasing the speed of light. Humanity could not have gotten a better technology. However, with the excitement and “bewilderness,” there has come a realization, after rough experiences, that the new technology has a serious downside. Based on individual experiences, the fear of the new technology on which we have come to depend is on the rise. But because there are more benefits of the new technology to humanity, trust of the technology must be cultivated among the users of the technology. Webster’s Dictionary (1989) defines trust, as a noun as confidence or faith in a person or a thing and as a verb as having confidence or faith in someone or something. For us, we want users of the information infrastructure to have confidence in it.

Security Analysis, Assessment, and Assurance

In the previous chapter, we discussed the important role security policies play in the security of networks, in particular, and in the information communication technology (ICT) infrastructure, in general. The security policy should always be considered as the baseline security piece that dictates what other security mechanism are to be used and how. However, one must not forget that security policies are passive documents; they are lines of statements of what must be done and nothing more. A security policy will not physically stop a determined intruder, for example. To stop a determined intruder, or any other intruder for that matter, the security policy must be put into use. This chapter moves us into a new phase of the implementation of the security policies we discussed in the last chapter, starting with security assessment and analysis.

Network Basics and Securing the Network Infrastructure

In Chapter I, we outlined the many causes of insecurity in the information communication technology (ICT) infrastructure. We indicated one particular weakness as users with little knowledge of the working of the communication infrastructure. In this chapter, we intend to address that concern. We give a very elementary treatment of the theory of networks and then outline the best network security solutions.

Security, Anonymity, and Privacy

All recent social, economic, and technological advances can be attributed to the dramatic advances in availability of information and the ability to access it easily and quickly. The increasing demand for information has driven the need for easier access to it. This almost obsessive demand for information together with the abundance of it on almost any topic have created privacy and security challenges. The value of information in our information-driven economies has made it into a valuable commodity so that having it means having superior intellectual, economic, and social status. It has become a vital resource in this information age. Along with it, we have to face the security and privacy challenges it has created.

Building an Ethical Framework for Decision Making

We closed the last chapter on a note about building a good ethical framework and its central role in securing the information infrastructure. A good ethical framework is essential for good decision making. Decision making is a staple for human beings. As we get more and more dependent on computer technology, we are slowly delegating the right to make rational decisions and the right to reason. In so doing, we are abdicating our responsibilities as human beings. Human autonomy, the human ability to make rational decisions, is the essence of life. If you cannot make personal decisions, based on the principle of duty of care, for your day-to-day living, you may as well be called the living dead. We are focusing on decision making in this chapter and how character education, that is ethics education, and codes of conduct help in creating an ethical framework essential for good decision making.

Access Control, Authentication, and Authorization

If we were not to allow users into the system, then we would have no problems of security. However, the system would not be utilized, hence, useless. The system must be used, and there must be security. This means we must find a way to access and authenticate users. This way we improve on the security of the system. In this chapter, we focus on three major security mechanisms from our pool of security mechanisms. We cover access control, authentication, and authorization. Before we continue, however, let us define the working terms.

Security Threats and Vulnerabilities

Perhaps some of the biggest security problems facing all of us using computers and other information systems are the security threats and vulnerabilities that an average computer user has little to no idea about. Even those who have some knowledge of these threats are still in the dark as to how prepare for and avoid them. The focus of this chapter is to explain what these are and how to deal with them in our everyday activities. A security threat to a computing system is a set of events that do not actually exist yet, but are likely to happen, with the potential to cause harm or loss. For example, heavy sustained rain in areas prone to flooding creates a threat of flooding. A vulnerability, on the other hand, is a flaw or weakness currently existing in the system, the security procedures, design, or implementation that could be exploited intentionally or accidentally, resulting in a loss or harm. For example, a broken lock on a door is a vulnerability, because, if known by a thief, it can be exploited to enter the house and cause a loss to property. Finally, a control is a mechanism used to prevent a threat by controlling the vulnerabilities. For example, buying a new lock and replacing the broken lock on the door with it is a control.

Software Standards, Reliability, Safety, and Risk

Software, more than anything else, is at the heart of the information communication infrastructure. It is in fact one of the three main components of the infrastructure, together with hardware and humanware, as we discussed before. Being at the core of this infrastructure we all depend on implies the importance we must put on the software component. In this chapter, we are going to focus on this role and how we can keep software safe, dependable, and secure, as we struggle to make the information communication infrastructure secure. For the remainder of this chapter, we are going to focus on the quality of the service of software products, causes of software failures, developer and buyer protection, and techniques for improving software quality.

Need for Morality and Ethics

In Chapter I we discussed the rising rate of computer-related crimes and, in particular, information-related crimes. We pointed out that the information infrastructure is made up of two components; the manmade component, consisting of hardware and software, and the humanware component, consisting of users. Surely a good solution to the information infrastructure problem must address problems in both of these components. We begin our survey and discussion of an array of solutions and best practices that address and try to build trust in the information infrastructure, starting with the humanware. Our discussion will focus on morality and ethics.