Originally published on November 30, 2016
This is the first post in a three-part blog series on network security.
Data breaches are occurring at an increasing rate for both large and small businesses. No business is immune: breaches may cost an average of $145 per record lost or stolen, and a business may suffer consequences for as long as a year following the breach (Stoller, 2015). In April 2015, 11 channels associated with the TV5Monde network went black due to an “extremely powerful cyberattack,” according to the network’s director (Meilhan, P., & Botelho, G., 2015). Three main reasons may be attributed to this trend. First, companies are more frequently using systems tied directly to Internet access, such as “cloud” services. Second, hackers continue to evolve, becoming more sophisticated. Third, many companies lag in implementing security measures because they treat them as a matter of short-term financial analysis rather than strategic consideration.
You are the Weakest Link…
People, the human-machine interface, are the weakest link in any security process. People are easily lulled into a false sense of security about the effectiveness of passwords and access codes, identity verification, and policies regarding the use of information technology (IT) systems and networks. It takes just one careless moment to potentially breach the integrity of protected information and systems, and if network security user policies and protocols are too complicated, compliance is less likely. Because of this human factor, it is important to ensure that the network security schema is clear and simple for network administrators and users to operate, with the complexity needed to identify, deter, or contain threats embedded in state-of-the-art hardware and software solutions that are nearly transparent to internal network users.
The “New” Network Security Threat
Modern network security comprises many facets, some of which are in your control and others of which may not be. In an increasingly mobile world, traditional network security measures focused on desktop platforms and “dumbphones” are no longer relevant to the world of tablets, phablets, and smartphones. Because of the constantly changing landscape of network environments, organizations of all sizes and complexities face challenges in keeping pace with change, developing counters to emerging threats, and controlling network and security policies. Once the realm of the highly trained and richly resourced, development of malicious code has become widespread to the degree that school children have been known to compete with each other in hacking contests.
As IT systems became available to the public at an affordable cost, the need for IT security found its early roots. High-tech was no longer the sole domain of major companies, organizations, and government agencies; the global information network became the domain of everyone from multi-billion-dollar international conglomerates to grade school children. As technologies developed, the industry response was typically the addition of new stand-alone, single- or dual-purpose hardware or integrated hardware-software packages designed to address newly identified threats. This resulted in a constant state of expensive upgrades that brought added network complexity, integration of new devices, scrubbing and repurposing or disposing of legacy hardware, new policy development, and new management consoles. This served to increase workload, retraining, and complexity for network administrators and end users, exacerbating the problem of balancing security and productivity.
In a world growing ever more complex, with network portability being built into an increasing number of devices of varying capabilities, network security continues to evolve in complexity and importance. In the 1980s, a transition from early closed networks to a broader Internet occurred with the advent of Ethernet, Bitnet, TCP/IP, SMTP, DNS, and, in 1985, the first .com domain name registration. But it was not until 1991 that the World Wide Web (WWW) came into existence; by 1995, what we know now as the modern Internet became established as a fixture in how business, and the world, would communicate in the future (see figure below).
Figure 1. From closed networks to Global Information Grid.
What is Network Security?
Simply put, network security is risk management. It comprises the provisions and policies put in place by a network administrator to prevent unauthorized access, misuse, modification, or denial of a computer network and the resources accessible through that network. Network security encompasses a variety of IT networks, both public and private, used routinely in communications and e-commerce transactions among individuals, companies, and government entities. In today’s global marketplace, and in the future business environment, network security is essential to protect businesses, organizations, government, and their customers, clients, and employees.
The main objective of computer network security is the safe utilization, flow, and storage of data and information. According to the NIST Computer Security Handbook, computer security includes three fundamental principles: preserving the integrity, availability, and confidentiality of information system resources. These three principles are commonly referred to as the CIA Triad.
Figure 2. The CIA Triad.
Confidentiality includes two related areas:
Data confidentiality is the assurance that confidential or private information is not disclosed or made available to unauthorized individuals.
Privacy is the assurance that controls are in place governing what related information may be collected and stored, by whom, and to whom that information may be provided.
Integrity also includes two related concepts:
Data integrity is the assurance that information and programs are only changed in specified and authorized ways.
System integrity is the assurance that a system is able to function in an unimpeded manner, without deliberate or inadvertent unauthorized manipulation of or to the system.
Availability is the assurance that systems function properly and there is no denial of service to authorized users.
Next week will be Part 2 of the series: Emerging Threats
Meilhan, P. and G. Botelho, French TV network hit by “powerful cyberattack,” in CNN. 2015, Turner Broadcasting System: Atlanta, GA.
Stoller, P., Data breaches escalating, but steps available to stop them, in Phoenix Business Journal. 2015, Ray Schey: Phoenix, AZ.