The Impact of Network Security in Corporations Today:

Network and Computer Security
Steve Mallard
© - 2007
The Impact of Computer and Network Security in
Corporations Today:
Understanding the Impact and Solutions of Computer
and Network Security in Today’s World
by
Steve Mallard
Computer and Network Security
Copyright © 2007 Steve Mallard
All rights reserved. No part of this book may be
used or reproduced by any means, graphic,
electronic, or mechanical, including
photocopying, recording, taping or by any
information storage retrieval system without the
written permission of the publisher except in the
case of brief quotations embodied in critical
articles and reviews.
Printed in the United States of America
The Problem
In today’s world of the internet and
ecommerce, many companies lack the expertise and
training to secure their critical network infrastructure
and data. Because of this shortcoming, many companies’
infrastructures are subject to being compromised.
With extortion, cyber theft, malicious attacks and
internal theft occurring at an unprecedented pace,
many companies are just becoming aware of the
aforesaid problems. While a few companies and
corporations awaken to a new world of problems,
many continue to sleep, totally oblivious to what is
happening as they go about their daily work. This
research gives terminology and briefs from the
Information Technology industry. This research
provides an in-depth understanding of what network
and infrastructure security problems are present and
what will be required from companies and
corporations in order to protect themselves from
malicious activities.
Research Method and Design
The research behind this paper combines
information from industry experts, national
publications, the Internet, technology college
textbooks and a large school system (a higher
education facility) implementing a strategy for the
ongoing development of a security plan for protecting
their network infrastructure and data. The use of
information from the latter was most beneficial to
discussions of internal network infrastructure,
interpretation of friendly vs. malicious and how to
implement compliance for Computer and Network
Security. The implementation plan outline is provided
in Chapter 2, followed by the methodology used and a
detailed plan in use at the researcher’s place of
employment (a higher education facility) in Chapter
3.
Findings
As the study concludes, the primary
requirement for compliance with network and
infrastructure security is a strong and robust internal
policy and procedure for the infrastructure of
companies with continual training. Companies with
no policies or weak policies will continue to fail with
their compliance of security initiatives and the costs
for repairing or troubleshooting their network will be
far greater than that of a company within compliance.
Ultimately, those companies with a strong policy and
procedure that includes disaster recovery and failure
will excel. Individual users, including the main
hierarchy of the Information Technology Department
will have more assurances that they are protected as
well as their individual client’s data. Companies and
corporations must support Computer and Network
Security initiatives along with meeting the budgetary
needs of their department in order to maintain a
healthy profit margin for the end product produced by
the business.
The lack of security in today’s
infrastructure could result in the demise of the
corporation.
CHAPTER 1
Introduction
Problem Statement
Since the advent and infancy of the internet,
many U.S. companies and corporations have
functioned and operated with very little Computer and
Network Security in place in their network
infrastructure. Although many of these companies
and corporations have hardware firewalls and
intrusion detection systems in place, many of these
businesses do not have policy and procedures to guide
and govern their infrastructure security. Policies
along with personnel are the backbone of the
Computer and Network Security. This backbone is
the fragile structure that keeps companies secure in
today’s digital world. These directives (Policy and
Procedures) ensure that companies and corporations
will be in compliance as long as the CIO or IT manager
enforces them.
Although a definite and structured
compliance has not been put in place, directives and
training are the true tools needed to help companies
maintain a form of security within their organization.
Until now, computer security and locking
down the network infrastructure has been on the back
burner with most companies and corporations because
of cost. According to a corporate poll in a nationally
recognized information technology magazine, 99% of
U.S. companies now use some type of preventive
antivirus technology with 98% of these companies
now using firewalls. This electronic security poll was
based on compiled information from larger
corporations and their practices and does not include
small to midsize companies found throughout the
United States. The recently released polls in this
research paper are usually focused on larger
companies and corporations in the United States. The
main reason for this was found by interviewing
several midsized and smaller companies locally.
These smaller companies and corporations usually
have outsourced their Information Technology
infrastructure to private organizations that do not have
policy and procedures written for these smaller
companies. Normally, these companies do not have
any type of policy and procedure in place for their
current clientele. Because of this practice, these
companies and small corporations do not look at
industry related security trends, security issues or any
relevant areas of computer security. It was
found, however, that fewer than 10% of the companies
offer a service related plan that pushes security
issues for their clientele.
This complacency can have an enormous
impact on consumers and customers of the companies
and corporations. With no or very little money or
funding for a technology budget, these entities often
use friends, family or small computer companies to fix
or repair their computers or network. This results in a
huge security gap between a professional information
technology department and someone who is not
trained in basic security needs.
With this gathered statistical information,
numerous private and public corporations can
appreciate the need for network infrastructure
security, and are beginning to put in place multiple
phases of internal and external protection for their
digital and electronic assets. Small to mid-size
organizations are hesitating due to simple inadequate
funding and the rising cost and expenses of security of
digital assets found in the modern workplace.
Companies often miss the importance of the cost of a
security breach vs. the cost of preventive security
measures.
This unintended hesitation of
implementing network infrastructure security is
causing more and more companies to be violated or
exploited by malicious hackers and crackers. With
this exploitation, companies subject themselves to
lawsuits from their own customers. These companies
often are ignorant of the simple fact that they have
been exploited until customers report the issues to
these companies and corporations. Many times, more
than thirty days go by before someone alerts the
company of a possible security breach.
Cost of an electronic exploit can be greater
than a million dollars per incident as reported by the
FBI. This information is found in the FBI’s (Federal
Bureau of Investigation) report of cyber threats in the
United States. In order to help counterbalance this,
smaller to midsized companies could spend less than
$5,000 to harden their systems and operating systems
and to put a stateful firewall in place. As stated in this
paper, these companies often lack the resources,
materials and funds to do so. With the FBI report
showing reported incidents, there are thousands of
incidents that go unreported. Often these incidents are
yet to be discovered.
With this number of small to mid-size
corporations ignoring or slowly implementing security
measures, more and more electronic computer crimes
are beginning to take place throughout the U.S. With
extortion now moving into the digital age, many
corporations do not report intrusions to law
enforcement in order to avoid negative publicity.
Reports of an intrusion could directly have a negative
effect on the company’s sales and position in a global
competitive market.
Approximately 35% of
corporations don’t report electronic intrusions to keep
their competitors from gaining any type of advantage.
Today’s modern bank robber can be a hacker
thousands of miles away hidden behind spoofed IP
addresses or behind a zombie computer. Reports are
also withheld to avoid embarrassment with the general
public. This withholding of information often leads to
a band-aid fix.
Other means of protection include
standardizing policy and procedures within
corporations to help protect the network infrastructure
of corporations. Policy and Procedures rely on the
initial implementation along with annual or semi-annual
follow-ups. Without these policy and
procedures in place, a company’s survival in the
security race to protect their infrastructure is
compromised.
Smaller and mid-sized companies very rarely
have these policies in place and often operate their
network by the “seat of their pants”. These
companies rely on and trust their computer vendors to
make them as safe as possible. Poorly trained
personnel with these computer vendors can have a
negative impact on the overall security of the
organization.
Medium size companies often have the
budget but the Information Technology manager is
often stretched too thin to prevent or react to security
needs of the company. These IT Managers often work
longer hours and tend to miss early warning signs of
network lapses. Through no fault of their own,
breaches can occur and not be discovered for weeks.
Outsourcing information technology teams to
other countries can have another form of negative
impact with companies. With third world countries
competing in a global market, the confidential
information of clients and internal data can be
jeopardized by these companies. Using third world
countries for technical support can lead to disastrous
consequences when relying on someone over a world
apart to secure your network.
CIOs (Chief Information Officers) and IT
Managers found in larger companies and corporations
usually have these operational policies in place with a
system for disaster recovery and planning. The
logistics alone in larger corporations can be a double
edged sword. With these policies in place, the
arduous task of changing the policies can take weeks
or even months as management goes through several
meetings with committees and sub-committees.
Agreement among industry professionals on the
correct internal computer security is usually led by a
trained security analyst in the corporation who may or
may not have proper certifications or security training.
CIOs have to put raw faith and trust into the
company’s security analyst in hopes that their
knowledge is on the cutting edge in a technology that
is changing daily. These analysts have to make
decisions on how and when to implement protection
within minutes of finding out vulnerabilities. The
communication by the analyst must be thorough and
accurate. The Computer and Network Security
analysts have to look into the immediate future for
growth of their business and often they have to try and
foresee changes before these changes come about.
Smaller companies and young corporations,
on the other hand, usually do not have policies or
disaster recovery and planning policies in place. With
limited budgets, these companies may have a limited
number of IT (Information Technology) personnel
within their ranks or may outsource all of their
network or technology personnel. This limit in
resources may cause a lack of compliance with
industry standards and conformity to security
standards. With laws in effect such as HIPAA (Health
Insurance Portability and Accountability Act of 1996),
GLB (Gramm-Leach-Bliley) and the U.S. Patriot
Act, these companies may not be conforming to U.S.
laws or rules imposed in their industry.
Therein lies the problem: Companies have to
understand that setting internal policy and procedures
on security (along with proper disaster recovery and
planning) have to be put in place in order to protect
their assets and the consumers they serve. With
ecommerce growing by leaps and bounds each year,
more and more companies from small to large are
accepting credit cards, debit cards and electronic
checks on line. With over two million dollars in lost
annual revenue in the United States, they must ensure
that their initial investment will be worth the
protection of their data and their client’s information.
This act alone can help to prevent the breach in
security of their corporate network. Setting and
maintaining an information technology budget along
with policies can help to ensure the protection of the
company’s network.
Purpose of the Study
This study has multiple purposes: 1) to
discuss the necessity of policy and procedures related
to disaster recovery and planning and security; 2) to
discuss the advances in security to include intrusion
detection systems; 3) to discuss the impact of security
in the business environment along with legal
ramifications in the event data is stolen or destroyed;
4) to present and to validate the necessity for security.
This study will review the history of security
and the ways it has grown to a multibillion dollar
business over the past decade. Flaws in Operating
Systems and applications, the history of the internet
and the development of policy and procedures will be
examined for a critical understanding of the
importance of protecting corporate clients and assets.
The research will define policy and
procedures and security across local area networks,
metropolitan area networks and wide area networks to
include the internet. It will provide an in-depth
discussion of the potential impact on today’s
corporations in terms of planning, cost,
implementation and legal cost in the event of a breach.
With consumer assets growing on the internet, a
consumer puts trust in the company’s hands that their
credit card or debit card is being protected.
Consumers are often undereducated in finding reliable
security oriented companies.
The aforesaid research, when implemented, is
vital to the future of not just ecommerce, but to the
survivability of companies today. With consumers
spending more money on the internet than ever,
companies have to protect their infrastructure. This
study will present a plan for policy and procedures
and how they outline good security practices and will
illustrate the necessity for predicting the future of
security in the information technology industry.
The fictitious names “Allen Corporation”,
“Neill Corporation” and “Taylor Corporation” will be
used to reference several companies known by the
researcher along with a higher education facility.
These references set up an example of small, medium
and large businesses, and allow for the confidentiality
of real operating businesses the researcher has worked
with. This is needed in order to protect the anonymity
of each entity and protect the operations and
confidentiality of each business. These businesses
represent the medical industry, a retail industry and a
large production corporation.
Importance of the Study
It is very important to understand security with
regard to the world’s economic infrastructure and how
it is now based on the globalization of ecommerce.
With billions of dollars based in virtual monies on the
internet in databases worldwide, extortion, theft,
identity theft and other malicious activities are
becoming more widespread. The FBI’s security
survey shows an increase to over $93 million dollars
this year (2004). This report shows the following
information about security losses this year alone:
o $26 million dollars – denial of service
o $11.5 million dollars – theft
o $55 million dollars – viruses
Identity Management systems that help prevent the
security losses reported by the Federal Bureau of
Investigation are deployed nationally in less than 50%
of companies with less than 5000 employees. Identity
Management alone for companies shows the following
information about the deployment of networking
sessions:
With this amount of profits being lost by
businesses and corporations, companies are looking at
electronic security to maintain a competitive edge
over other businesses in the U.S. Companies are also
looking at the cost of an electronic breach and the
amount of money it would cost through damages lost
by consumers or a client.
Information Technology professionals today
struggle with keeping up with technological changes
throughout the information technology industry.
Often security patches and updates are produced by
software vendors on a daily basis. With this in mind,
Chief Information Officers try to keep their employees
up-to-date on the operating systems, computer
applications and proprietary software. This often leads
to a “surface skimming” of security if CIOs and
security analysts do not study and focus on current and
past security issues.
“Surface skimming” covers the basics of
security and is not in-depth enough to help companies
adequately protect their networks.
Long meetings on the exact effect of missed
software updates or patches result in lost monies by
companies. Briefings often have to do for meetings
on security and protection of the network
infrastructure. These meetings often cover the
releases and very rarely a description of the exact
security problem. Because these problems can be quite
technical, often trainers or IT managers inform their
colleagues to get the updates or patches and never
explain the reasons why.
With internet oriented viruses and “hackers”
and “crackers” out on the internet, the challenge now
becomes ‘how to’ train these professionals who
protect your infrastructure and how to protect your
client and company assets.
Training young information technology
professionals becomes a tedious, never-ending task for
information technology managers. Often the IT
departments are understaffed and overwhelmed by the
amount of work they have to contend with. This leads
to missed meetings, inadequate training or other
related items being put off due to long hours of work.
With training at the aforesaid companies, security
becomes a priority for not just the IT department but
also all of the other departments throughout the
corporations.
Scope of the Study
This study encompasses many areas and a
broad-based research of relevant materials from
industry leading experts. The implementation of
security in stages across organizations is of the utmost
importance. The study uses research materials
collected through November 2004 and will draw on
the professional position of the researcher to observe
the impact of security on organizations today. With
over twenty years of experience, this researcher has
gone through many implementations of new security
trends. This study looks at the implementation of
security of organizations from the CIO’s viewpoint.
Security among organizations today has
several parts that need reviewing and updating. This
study will identify why and how organizations are not
meeting the demands of industry as ecommerce grows
globally. This research paper provides research into
all aspects of companies whether the company is small
or big. Companies who the feasibility of how
industries today could take precautionary measures to
protect themselves if the companies would provide
policy and procedures for all members of the
company’s information technology team. With cyber
crimes increasing every year, the research materials
and written analysis of this study could encompass an
enormous amount of material. Included in the
appendixes of this study are such laws that have gone
into effect over the past several years.
An implementation plan for security in a
modern company covers both physical and cyber
security. A look at the example companies and how
they used modern methods for “locking down” their
networks and clientele data will be discussed. The
following steps have been used to gather the analysis
for this paper:
1. Collected data to support the weakness
and underlying causes of security
collapse.
2. Used professional experience from the
researcher’s company to look at
analyzing and confirming research
materials.
3. Consulted with Allen Corporation, Neill
Corporation and Taylor Corporation to
gather information relevant to the
discussion on security in modern
infrastructures.
4. Analyzed and collected data based on the
scope outlined in these sections.
5. Made the final analysis.
Rationale of the Study
Protecting a corporation’s network is no
longer an option. Many different opinions across the
nation exist on how to protect a company’s assets.
CIOs now hire security managers and security
analysts just to review current policy and procedures
and to look at the business’s infrastructure. In order
to survive without a disruption of business or without
having assets stolen, businesses today must meet
industry requirements and look at their
implementation strategies for long term protection.
This research will investigate several experts’
views on what is needed in order to protect internal
data. From these materials researched, this study will
present the Computer and Network Security
infrastructure in place at the Allen Corporation, Neill
Corporation, Taylor Corporation, and a higher
education facility. Using the expertise of industry
leading experts who have implemented, or utilized
skills to protect their company is the best way to
present a recommended security plan.
Overview of the Study
Every magazine listed in the bibliography
contains information regarding security. With this
tremendous amount of media press surrounding
security, industry experts are beginning to agree and
acknowledge the need for security. Every field in the
information technology industry, including experts
from consulting, auditing, financial, medical,
government and technology vendors are giving their
opinions and interpretations on the broad subject of
Computer and Network Security. Many of these
experts have turned this subject matter into a lucrative
business. This study will narrow the broad range
down to discuss the impact on companies and provide
a summary of recommendations based on the
given companies within this paper.
To look at all of security as a whole would be
impractical. Security is constantly going through a
metamorphosis. Because of these changes, this paper
would be outdated if all security measures, programs and
threats were outlined. As a result, this study will
focus on the most critical and initial requirements for
protection in the workplace.
In conclusion, the researcher’s professional
background in the Information Technology field with
over 20 years’ experience will contribute to the
significance of this study.
CHAPTER 2
Review of Related Information
Introduction
As the internet came to be, security was low
profile and on the back burner for most corporations.
Connectivity was a primary concern for Information
Technology Professionals as the internet began several
years ago. With this beginning, malicious users began
to infiltrate and modify systems and data. Sending out
viruses and hacking through weak unprotected
networks, these users became an immediate threat to
legitimate business that wanted to expand and grow
globally.
Many Chief Information Officers state that
the ever growing concern of security is one of the
biggest tasks facing the information technology field
today. With spyware/malware, worms, viruses,
internal threats and hackers, companies today face
their most challenging time for ecommerce growth.
With customers all over the globe, the protection of
local assets as well as the customer’s accounts
information is of the utmost importance.
The historical events that have caused such a
concern with computers began with the simplex
hacking of phones by “Captain Crunch” and the
adding of boot sector viruses to floppy disks. The
growth of these malicious activities now can affect
millions of users within a matter of minutes. The
historical events for malicious and non-malicious
activities are as follows:
• 1960 Students become the first hackers
• 1970 Phone Phreaking and Captain Crunch
• 1980 Hacker Boards on BBS (early ways to chat)
• 1983 Kids Begin Hacking
  o Note: Los Alamos National Laboratory, which helps
    develop nuclear weapons was hacked this year.
• 1984 Hacker Magazines
• 1986 Computer Fraud and Abuse Act
• 1986 Boot sector viruses
• 1987 File infecting viruses
• 1988 First Antivirus solution – Encrypted viruses
• 1988 Unix Worm
• 1989 Cyber Espionage with Germans and KGB
• 1989 Credit Card Theft Goes Mainstream
• 1989 Date oriented viruses
• 1990 Stealth, Polymorphic, Multipartite and armored viruses
• 1991 Stealth, Polymorphic and Multipartite
• 1992 Code change viruses
• 1993 Viruses that attacked viruses
• 1993 Hacking used to cheat phone system to win contest
• 1994 Hacking Tools Become Available
• 1994 Encoded Viruses
• 1995 Kevin Mitnick Hacks the Government
• 1995 First Macro Viruses
• 1996 Macro viruses affecting Microsoft Excel
• 1997 AOL (largest) ISP Hacked
• 1998 The Cult of Hacking Takes Off
• 1998 Spyware/malware begins to download to machines globally
• 1999 Macro viruses affecting Microsoft Word
• 1999 Software Security (Windows begins providing updates)
• 2000 Service Denied
• 2000 Worm viruses
• 2001 DNS Attack
Many other significant events have happened over the
past forty years. This timeline is a brief listing of
major events that took place.
As the timeline above shows, malicious
activities have been around for forty years and are
growing by leaps and bounds every day. With
government laws on cyberterrorism being put into
place all over the globe, the continual infection of
machines along with hacking is at an all time high.
The research materials presented show that, because of
ecommerce and the growth of the internet, there is no
end in sight to the growth of these activities. This study
will present research materials to give several
opinions on the recommendations to protect your
network infrastructure.
Importance of Internal Company Security and
Auditing Controls
This section discusses several categories of
Internal Company Security and Auditing Controls.
Included is a discussion on the general importance and
purpose of having these controls in place and their
relevance to protecting the internal and external
infrastructure by the information technology
department.
It is important to understand that the control
of every aspect of the network infrastructure (out to
the client side) is very important, and the lack of such
controls by the company or the information
technology department could be catastrophic.
General Internal Company Security and Auditing
Controls
General Internal Company Security and
Auditing Controls are being applied today so that
companies can have a standard approach to bring
together different opinions and ideas. These Internal
Controls are generally brought together by a
consortium of management and other personnel to
achieve objectives by the company. Internal Controls
allow companies to maintain several of the following
areas:
• Efficiency of operations.
• Compliance with laws and regulations.
Several documents have also been released to
suggest ideas about Internal Company Security and
Auditing Controls:
• Company controls should be built into operations
  currently in place.
• All departments and personnel within a company have
  input to Company Controls.
• Company and Internal Controls help to govern
  companies currently operating.
According to policies of a higher education
facility, companies should have a continuous program
in place to put together and assemble training and
implementation through several avenues:
Risk Assessment
• The identification of key weaknesses in computer
  systems, nodes on a network, clients, connectivity
  and training.
Security Control Activities
• Policies and Procedures that ensure all levels of
  the company are within compliance with
  standards set by the company.
• Activities include hierarchal structure,
  authorization, implementation, disaster recovery
  and planning.
Information and Communication
• Information from vendors is archived.
• Information from customers (clients) is logged.
• Communication along internal paths of the
  company to ensure all areas of protection are
  available.
Monitoring/Auditing
• Assessment of hardware firewall.
• Assessment of Software Patches and Service Packs.
• Management of all personnel.
• Auditing of logs and change orders.
• Monitoring of performance of all nodes on the
  network.
• Monitoring of security alert sites of government
  and for profit sites.
The research paper at this point has focused
on the importance and makeup of generalized Internal
Company Security and Auditing Controls.
Weaknesses in this structure follow:
• Communication
• Poor or lack of judgment
• Lack of training
• Lack of concern
• Disgruntled employees
• Lack of review
• Lack of training
It is up to management at all levels to
monitor company security and auditing controls.
General Information Technology Controls
Certification vendors have tried to measure
the general knowledge of information technology
professionals by providing tests in vendor and vendor
neutral areas. These certifications are used to show
the competences of IT professionals. It is important
to understand this information when looking at the
internal controls of your information technology
department.
The strength of these certifications
is indicated by the exposure to the conceptual
material of the subject matter. The weakness of
these certifications is the fact that materials and
testing materials can be gained anywhere on the
internet. Therefore, it is important to have qualified
personnel who have certifications and the “hands on”
experience of working with different operating
systems and hardware.
With general controls of security and
auditing at the company level, an adherence to
controls at the IT department level is of the utmost
importance because this department is at the front end
of the network protection strategy.
In many networks, the company has an
intricate complex infrastructure of local area
networks, virtual LANs, virtual private networks and
security policies in place. However, many networks
today lack the expertise and trained personnel to
provide maintenance.
Miscellaneous Laws Defined
Computer Fraud and Abuse Act of 1986
Versions of this Act were intended solely to protect confidential information contained in government and financial industry computers from criminal theft by hackers, or to prevent conduct that actually "damaged" a computer’s programming.
Internet Security Act of 2000
Jurisdictional and Definitional Changes to the
Computer Fraud and Abuse Act: The Computer Fraud
and Abuse Act, 18 U.S.C. § 1030, is the primary
federal criminal statute prohibiting computer frauds
and hacking. This bill would amend the statute to
clarify the appropriate scope of federal jurisdiction.
First, the bill adds a broad definition of “loss” to the
definitional section. Calculation of loss is very
important both in the company determining whether
the $5,000 jurisdictional hurdle in the statute is met,
and, at sentencing, in calculating the appropriate
guideline range and restitution amount.
Gramm-Leach-Bliley
The Financial Modernization Act of 1999,
also known as the “Gramm-Leach-Bliley Act” or GLB
Act, includes provisions to protect consumers’
personal financial information held by financial
institutions. There are three principal parts to the
Gramm-Leach-Bliley Act’s privacy requirements:
Financial Privacy Rule, Safeguards Rule and
pretexting provisions. With this act in place, many non-financial institutions and businesses may be covered by this act. A higher education facility has posted this act because of the financial aid provided to students.
HIPAA
The Health Insurance Portability and
Accountability Act (HIPAA) was passed by Congress
in 1996. The United States Congress called for
regulations promoting and advising administrative
simplification of electronic healthcare transactions as
well as many regulations ensuring the security and
privacy of a patient’s information. The Act required
Congress to enact laws implementing these goals by
1999. When Congress failed to do so, the Department
of Health and Human Services stepped in and began
promulgating regulations. The regulations apply to
what are called "covered entities:" health plans,
healthcare providers and healthcare clearinghouses
that transmit any electronic health information in
electronic transactions. The regulations are made up of
three distinct parts: transaction standards, privacy and
security.
U.S. Patriot Act
This law dramatically expands the ability of states and the Federal Government to conduct surveillance of American citizens and corporations. The Government can monitor an individual's or company’s web surfing records, use roving wiretaps to monitor phone calls made by individuals "proximate" to the primary person being tapped, access Internet Service Provider records, and possibly monitor the private records of the general public involved in legitimate protests. All companies are governed by this law after the September 11 tragedy.
Impact of Laws on Companies
Several laws have been put into place, including the Computer Fraud and Abuse Act of 1986, Gramm-Leach-Bliley, HIPAA, the U.S. Patriot Act and others, which commonly affect some if not most companies.
Medical facilities are governed by all of these and especially by HIPAA. With this law in effect, companies (health organizations) are especially affected due to the strict regulation of privacy and the protection of patient records.
Impact on Operations and Organization
Security can have a direct impact on organizations by creating an infrastructure that is often slowed by security measures. On the surface, these measures may “hinder” the day to day operations of the facility. Personnel may complain of the “hardened” security measures put into place; however, these measures are needed.
Impact on IT Infrastructure
The information technology department can often be undermanned, and a lack of trained personnel may be evident when trying to conform to industry standards for security. This can lead to poor or inadequate protection of data. Databases such as SQL, MySQL, SAP or Oracle can contain millions of customer and demographic records which need to be protected. With this much data, the overall risk becomes greater because of the loss that can occur.
With databases such as those listed above, multiple servers can be used for redundancy, creating twice the workload on IT personnel. This researcher along with industry experts agree that logs on all servers should be in place for an adequate auditing system. Industry leaders also agree that having security logs in place is not enough: if the internal controls for auditing (the reading of logs) are not in place, this can lead to disaster and loss of data.
Larger companies have a distinct advantage
over smaller companies because of the minimal work
required to keep their network infrastructure secure.
A small list of duties below is required to keep data
protected:
• Periodic changes of passwords
• Updating of policy and procedures
• Auditing server logs
• Auditing firewall logs
• Researching new malicious threats at third party information sites
• Physical security
• Applying patches
• Applying service packs
• User management
• Monitoring spyware/malware
• Monitoring new installs
• Monitoring performance
• Monitoring IDS systems
• Monitoring anti-virus protection
Password policies are often overlooked after the inception of the computer network. Network administrators can use the group policy editor in workstations or rules in Active Directory to set password rules. Minimum, complexity and history settings can greatly increase Computer and Network Security.
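The following is an added example, not part of the original paper: it audits the three password settings named above from a Windows security-policy export in the INF layout written by `secedit /export /cfg`. The sample export and the baseline numbers are constructed assumptions, and "minimum" is taken here to mean minimum password length.

```python
"""Audit minimum length, complexity and history settings from a
security-policy export in INF format (added example, constructed data)."""

# Constructed sample in the layout written by `secedit /export /cfg`.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 6
PasswordComplexity = 0
PasswordHistorySize = 3
LockoutBadCount = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Assumed baseline: the paper gives no numbers, so take these from your
# own policy and procedures document.
BASELINE = {
    "MinimumPasswordLength": 12,
    "PasswordComplexity": 1,     # 1 = complexity requirement enabled
    "PasswordHistorySize": 24,   # remembered previous passwords
}


def parse_system_access(text):
    """Return the integer settings found in the [System Access] section."""
    settings = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "System Access" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        try:
            settings[key.strip()] = int(value.strip())
        except ValueError:
            # Non-numeric entries (for example renamed account names)
            # are not numeric policy settings and are skipped.
            pass
    return settings


def audit_password_policy(text, baseline=BASELINE):
    """Return (setting, actual, required) for each weak or missing setting."""
    actual = parse_system_access(text)
    findings = []
    for name, required in baseline.items():
        value = actual.get(name)
        # A setting absent from the export is reported, not assumed safe.
        if value is None or value < required:
            findings.append((name, value, required))
    return findings


if __name__ == "__main__":
    for name, value, required in audit_password_policy(SAMPLE_EXPORT):
        shown = "not set" if value is None else value
        print(f"WEAK  {name}: {shown} (baseline {required})")
```
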
Companies should look at the update of
policy and procedures in order to keep up with
changes across its infrastructure. These regulations
help to guide all levels of information technology
professionals. The consistent and concise update is
critical to security in a network infrastructure.
The auditing of logs at all levels is critical and cannot be stressed enough. These logs provide accurate details on the access and changes requested and made during a session. All of the companies mentioned in this study review logs on a frequent basis. This becomes one of the single most important processes in looking for patterns and breaches of security.
Research should be done on a daily basis at third party
security sites. This action falls hand in hand with the
monitoring of IDS systems, service packs and updates,
antivirus suites, firewall and security logs along with
the overall “health” of the network.
This research becomes important to “not missing” information that can be critical to a company’s survival. According to Juniper Networks, 93% of companies who lose data center access for 10 days or more file for bankruptcy protection within a year of the loss, and a breach can cost an average of $475,000 in losses and the recovery of the data.
Physical security violations are likely caused by employees of companies. Over 76% of companies surveyed by Juniper Networks reported that physical security violations and hacking were more than likely caused by internal resources.
Often companies overlook user management and fail to restrict access as needed, and the companies fall short on maintaining an archive of users and former users/employees of a network infrastructure.
All of these items are found in the policy and procedures at the Allen Company, Neill Company, Taylor Company and a higher education facility. Because of these standards, a distinct “upper hand” is given to the companies. Each of the above items is looked at on a daily basis and these companies review the overall standards set by third party vendors.
Smaller companies, on the other hand, may
not have the financial or physical resources to comply
with these standards. These companies may outsource
their work to small firms or “mom and pop”
companies that may not be properly trained in any of
the above areas. Often small companies have no policy and procedures in place, and when violations or breaches of security take place, these companies may not have any idea that data has been compromised.
Larger companies often recommend an internal policy
for small companies. The research found through the
interview of experts at the Allen, Neill and Taylor
companies indicates that small companies should hire
reputable outside companies that have certifications in
the area of security.
Policy and procedures are a set of directives used to outline the hierarchy of the Information Technology personnel department and their day to day procedures. The importance behind these directives cannot be stressed enough. Included in these procedures are the “what ifs” for disaster recovery and planning. With millions of records in place, disaster planning becomes an integral part of Computer and Network Security. The mentioned companies have all implemented policies and procedures to protect the assets in their companies.
Information technology departments often become stressed with the day to day activities of monitoring security and an air of complacency can fall over the staff. Management needs to have an internal auditing process available for the IT department to be sure that the department stays in compliance with industry related security procedures.
Auditing teams and committees need to be formed to review and to govern the actions of the information technology department.
Summary of Chapter 2
This chapter presented discussion and cited
expert opinions on how Computer and Network
Security can affect both managerial and IT personnel.
Companies wishing to be secure must meet strict
guidelines as outlined in order to protect their personal
and client data.
The ability for companies to protect their
network through Internal Company Security and
Auditing Controls and to understand new laws and
technology will have a dynamic impact on the
company’s survival. This research shows that larger
companies and corporations have a direct advantage over small companies. It could take small companies months to gain strict guidelines and regulations to conform to what industry experts call “in compliance”. Initial startup cost could be several thousand dollars along with several thousand dollars to train information technology personnel.
CHAPTER 3
Methodology
Approach
The approach used in this study uses the
research of relevant information along with filtering of
the available information. The approach also used
interviewing of internal associates in the Information
Technology field. These information technology
experts are responsible for the compliance of
Computer and Network Security with a background of
professional knowledge and previous experience in
the field of Information Technology security. During
the developing of this study, there was a specific focus
on the collecting of information needed to accurately
look at the problem of protection of network
infrastructure and data.
This allowed for the presentation of discussions found later in this paper under “Review of Related Information”.
Discussion was provided for several of the subjects relating to Policy and Procedures and Internal Company Security and Auditing Controls. The impact of network infrastructure is discussed, along with the impact of breaches of U.S. companies.
These findings of several of the companies
along with the researcher’s first-hand experience in
protecting network infrastructures at a higher
education facility are examples in this research paper
of related information concerning Computer and
Network Security.
Data Gathering Method
The primary method used by this study was
the typical and historical method of research. This
research method uses the interpretation of a collection
of materials and facts in order to present all of the
discussion materials. The many experiences of the
researcher with a higher education facility along with
the interviews of associates of a higher education
facility were also used to gather the material needed
for this study. Several of the appendices have extracts
of publications found on the world wide web and are
used as factual backups to many of the discussions
listed in this research paper. These appendices
contain relevant articles and excerpts from several
laws.
The secondary method used by this study is actual case studies. This method allowed the researcher to challenge and interview many industry experts in the Information Technology field. This, along with first-hand experience, internal interviews and resources, allowed the researcher to formulate the validating and presenting of Policy and Procedures along with methods and methodologies of protecting a network’s infrastructure.
The secondary method used by the study is
the case study. This method allowed the researcher to
“observe” the predictions and theories of industry
experts, along with utilizing the first-hand experience
and internal interviews to formulate the basis for
presenting and validating the security implementation
plan. The paper itself is based on looking at and studying the mentioned companies and the gathering of specific subject matter related to information technology security.
Database of Study
This study collected related information on
Understanding the Impact and Solutions of Computer
and Network Security from external publications such
as newspapers, Internet websites, corporate
publications, etc. Magazines which offered the most
relevant information included Information, A
nationally recognized information technology
magazine, Networking, Automation Notebook and
TechNet. These various publications target security
related information in the full scope of Information
Technology and their target audience is all levels of
IT, and their focus is on all areas of the technology
field.
The researcher’s approach was to use “Google.com” and search for “Computer and Network Security”, “protecting your network”, “viruses”, “spyware/malware”, and “hacking”. This research method presented many direct hits and resources. All of the information had to be filtered in order to get directly related hits on the topic of Computer and Network Security.
To prove discussions on Policy and
Procedures and Internal Company Security and
Auditing Controls, various sources were used
including the Policy and Procedures of a higher
education facility and policy and procedures from the
companies named in this study. These many sources
of information along with board and entry level
policies are vital in establishing the outline and
importance of Policy and Procedures.
Several areas of the research contained different surveys which are used in the context of this research paper. Results of these surveys help to contribute to the overall discussion of the impact on companies in terms of finances, operations and organizational structure. Surveys are an important contribution for this paper in that they show what organizations are doing countrywide and worldwide.
The appendices were used to show many of the laws going into place along with the Federal Bureau of Investigation’s annual report. Because of the amount of content found in laws such as the U.S. Patriot Act, many of the laws have been summarized. Actual content is used in some of the laws to provide valuable information to readers of this research paper.
Validity of Data
Much of the research was garnered from reputable and leading industry sources. These resources represent a diverse group of Information Technology professionals. The discussions on the setup of their individual networks came from CIOs and Information Technology Managers with a combined time in the IT field of over 65 years. Much of the information on Policy and Procedures came from the author’s place of employment. The updates and service pack information, along with spyware/malware information, came from sources on the internet including Microsoft Corporation and Lavasoftusa.com. Other sources included magazine periodicals from CMP and other publishers to include Microsoft.
Finally, the implementation plan used to outline security in the workplace is a compilation of interviews through the Allen, Neill and Taylor Corporations. The cumulative efforts of the researcher’s association with these companies contributed greatly to the outline given in this research paper. The information technology managers and CIOs from these organizations provided key input and knowledge from several personnel who have more than sixty-five years of combined expertise.
This outline provides input from local industries with adequate reputations and leadership foresight, and could be used to show the most cost-effective approach while providing the best security for industries today. This outline provides guidance used by leaders in the information technology industry.
Originality and Limitations of Data
There has been no study done companywide for the Allen Company, Neill Company or Taylor Company on infrastructure security until this research took place. A higher education facility has undertaken a study several times and does quarterly reviews of security policy at least twice each year within their own facility. This study has revolutionized the importance of network infrastructure security by bringing security into focus across these Middle Tennessee companies and corporations.
Because the Information Technology field
has very few standards in place for Computer and
Network Security, this study has limitations based on
the ideology and philosophy of sources. While
CERT.ORG and other institutions, including
CompTIA set standards for the “what to check” and
security certifications, there are no industry wide
guidelines concerning Computer and Network
Security. No in-depth research was done to uncover
the reason for this situation. Many companies use the
following companies and organizations as references
and resources for Computer and Network Security and
advice.
• Techrepublic www.techrepublic.com
• Carnegie Mellon www.cert.org
• United States Computer Emergency Readiness Team www.us-cert.gov
• The Center for Education and Research in Information Assurance and Security www.cerias.purdue.edu
• National Security Institute http://nsi.org/compsec.html
• Microsoft www.microsoft.com/security/default.mspx
Outline of the Implementation Plan at a higher education facility
The outline below is provided to illustrate and show how Computer and Network Security has been implemented as a plan to a higher education facility. This basic outline targets the infrastructure of companies through which the bases of protecting internal assets are most critical. It shows the effectiveness of the school’s control, auditing and implementation.
A. Periodic control of Operating System Patches
B. Virtual Private Networking to Domain Servers with Student Information Systems Software from staff workstations
C. Periodic control of Operating System Service Packs
D. Anti-virus software installed on each workstation to include student workstations
E. Spyware/malware control measures
F. “Pop up” control measures
G. Application updates (i.e., Microsoft Office and related)
H. Software Update Services Server installed to push updates approved by administration
I. Documented Policy and Procedures school level
J. Documented Policy and Procedures board level
K. Active Directory Server login for staff to establish IT Policies
L. Applications with logging of activities (customized)
M. Application and Security Logs running on Servers
N. Network Address Translation used at firewall level
O. DMZ (demilitarized zones) used on web server
P. Hardware firewall (three-homed) used with logs and specific port number restrictions
Q. IDS (Intrusion Detection Server) in place and monitored
R. Traffic monitor in place to monitor inbound, outbound and intranetworking packets
S. Disaster recovery plan in place
Control of patches and updates becomes one of the most important aspects of Computer and Network Security. With operating system flaws being one of the most critical things to identify when operating a network, control of pushing service packs or updates to computers becomes extremely important. Companies should have this in their plans and someone in the information technology department should be assigned to check SUS (Software Update Services) servers daily. This IT person should also check security and operating system websites for alerts. Often these sites have email alerts to notify end-users of a security problem.
Virtual Private Networks or VPNs should be created between workstations and servers that contain critical data. Using PPTP (Point to Point Tunneling Protocol) ensures the data is encapsulated as it travels across the internal network. While packet capturing software can be installed on a network, this will help to encrypt the data and prevent loss due to network sniffing.
Antivirus software must be installed on every workstation and the software should be updated daily. This control of updating can come through push services through a server to ensure the virus pattern or signature is up to date.
Spyware/malware control is becoming an issue at all companies. Spyware/malware is software downloaded automatically by some websites to track a user’s internet surfing habits or to track software use on the end user’s computer. Often computers become burdened by spyware/malware loaded in the operating system and become nonfunctional or extremely slow. Control of spyware/malware and the protection of workstations fall on the information technology department. Control of spyware/malware helps to prevent pop-ups, which in turn helps to keep productivity high.
Application updates should be controlled by the information technology department and periodic update checks should be performed by personnel assigned to the IT department. Because security
Without the above recommendations in place, companies can have a breach in their network infrastructure by hacking, virus infestation or physical security violation. Breaches can cause the loss of consumer or customer data. This loss can involve the loss of credit card data, personal demographic information, or other valuable data. Breaches can cost the company an insurmountable amount of money and public embarrassment.
Two large universities were recently hacked and the embarrassment and possible lawsuits that could follow could jeopardize the integrity of the universities.
Summary of Chapter 3
The methods used and sources utilized for
conducting this study are simplex. Supporting data
from leading industry resources that has been
supplemented with internal interviews along with the
researcher’s personal experience provide the
supporting data as stated.
These methods no matter how simplex are
the basis and foundation needed to support the
Computer and Network Security and guard the
infrastructure of computer and data assets from within
a company or corporation. Research was also guided
by magazines, textbooks, corporate policies and the
Internet along with industry leading experts’ advice.
With the aforesaid resource information
available, the researcher had to “weed out” and screen
undesirable information and utilize documentation
that offered the greatest benefit to the research paper.
This “weeding out” of information helped to keep
valid data within the scope of this research paper.
The above outline of a higher education facility provides a basic outline and framework for a moderately detailed plan to support and implement the need for security of the information technology department network infrastructure in the modern workplace.
This security plan is a basic example of a
“case study” for companies and corporations desiring
to “lock down” or secure their network infrastructure.
CHAPTER 4
Data Analysis
Introduction
The Scope section of Chapter 1 explains the
outline of Chapter 2 with a primary focus of security
in the corporate infrastructure. The majority of
companies of any significant size practice what this
research paper has found. Internal Controls and
Auditing inside the infrastructure of the company
along with the Controls in place for the Information
Technology Department are reviewed in this paper
based on the four companies outlined in previous
chapters.
Implementation Methodology Used at Neill,
Taylor, Allen Companies and a higher education
facility
Senior management at all of the companies
under consideration constantly looks at the need to
protect sensitive data. During the initial stages of
protection, each of these companies followed the same
pattern of implementing Computer and Network
Security.
Each of these companies developed policy and procedures to guide and deliver procedures for all technology professionals at all levels within the companies. With these members of the IT department looking at securing the data within the company, this became the starting point and first layer of securing information. The development of these policy and procedures created a foundation for the practices delivered by the companies. These companies developed the policy and procedures to guide their information technology professionals as a direct entry in the company wide policy and procedures. The Allen, Taylor and Neill companies along with a higher education facility maintain an active and dynamic set of policy and procedures that can be changed on the “fly”. Each of these changes is passed through a formal form of communication in order to get a level and uniform understanding of the policy and procedures that are put in place.
The following steps are from integral studies of these
companies:
• Policy and Procedures
  o Committees and Subcommittees used to monitor changes, constant updates and reviews by all members of the information technology team.
• Risk Assessment
  o Value of product and client data, cost of breach. This assessment can give the company an idea of the risk of a breach.
• Inventory
  o Inventory of software and hardware. Inventory allows for control of products and control of sensitive information.
• Needs Assessment
  o Users and applications “Need to Know Basis Only”. This form of assessment allows for securing data at different levels based on rank or a hierarchal structure in the company.
• Structure
  o Physical security and ideal topologies to meet performance needs and environmental controls.
• Levels of Protection
  o Workstation
    - Antivirus software, operating systems updates and patches, application updates, VPN to servers, strong password protection
  o Private Servers
    - Antivirus software, operating systems updates and patches, application updates, VPN from workstations, Kerberos security, tokens and certificates, strong password protection
  o SNMP nodes
    - Password Protected SNMP manageable devices
  o Wireless Access Points
    - Wireless Encryption Protocols (128 bit minimum)
    - MAC filtering
  o Routers
    - Acceptable ports and sites
  o Firewalls
    - Acceptable ports and sites
  o IDS Systems
    - Backend for internal and external NIC cards used to monitor all traffic within the organization
  o Network Address Translation Needs
    - Public to Private IPs for internal networks with few public IP addresses
  o Public Servers
    - Located in DMZ areas, all patches and updates applied and only necessary ports open
  o Training programs
    - New software
    - New hardware
The methodology used by the Allen, Neill
and Taylor companies along with a higher education
facility also includes consideration of company
growth and changes in security needs.
Policy and procedures provide the guidance for the IT department to use as a guideline in their day to day operations. These policies also supply the personnel from the IT department with directives for what to do in a breach and for disaster recovery and planning for catastrophic events.
Risk assessment provides the protection vs. breach cost. Risk assessment looks at the hardware, software, physical security and other areas defined as a potential risk. It is this assessment that can act as a guide for the CIO when protecting the company’s network infrastructure.
CIOs also have to look at the ever changing
inventory of wireless devices, tablet PCs, PDAs,
servers, workstations, and other nodes on the
company’s network. The importance of inventory is
often overlooked by junior Information Technology
professionals. These personnel often overlook this
important topic because of the changing out of
antiquated equipment with new equipment. Often
newer nodes placed on a network are not hardened.
This negligent act is usually because of the “rush” to
replace the old node and to get the newer node
operational to save money and time.
The needs assessment found above is based on personnel security and the relevance behind restricting personnel from specific applications or areas within the corporate infrastructure.
The physical structure of the network layout becomes important to the security analyst for several reasons. Wireless devices too close to outside walls can broadcast beyond the company’s physical boundaries. The server room may be in a location where physical security becomes an issue. Switches or hubs in areas located in any business can leave the network infrastructure vulnerable to internal security violations. Looking at these vulnerabilities, it is easy to understand how the structure of a network can become an important issue with companies.
Companies today need to look at the level of protection needed for different nodes on the company’s network. Because servers may contact the outside world, these nodes may need to be hardened more than a typical desktop. Although all nodes need to be protected, it becomes an issue of where in the network infrastructure the node is placed.
Simple Network Management Protocol is
used to manage many devices on networks. Some of
these devices include items such as routers, switches,
wireless devices and printers. With this protocol in
place, unwary companies could leave this
management tool open and have their network
reprogrammed by a malicious individual.
The gateway to most networks to the internet
is via a router. Misconfigured routers can lead to
intrusion to a company’s network.
Firewalls are the bodyguard of most
networks. Properly configured firewalls can protect
corporate infrastructures. Firewalls must be dynamic
enough to change with the ever changing world of
security. Corporations need to look at the individual
port numbers often used by viruses or hackers to gain
access to internal networks.
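The following is an added example, not part of the original paper, of the firewall log review described above and in the earlier paragraph on auditing logs for patterns. It reports connections allowed on ports outside an approved list, sources denied on many different ports, and lines that could not be parsed. The log format, addresses, approved ports and threshold are constructed assumptions.

```python
"""Firewall log review: traffic allowed on unapproved ports and sources
probing many ports (added example; log format and values are constructed)."""
import re
from collections import defaultdict

# Assumed policy: destination ports the firewall is meant to allow.
APPROVED_PORTS = {25, 80, 443}
# Assumed threshold: distinct denied ports from one source treated as a sweep.
SWEEP_THRESHOLD = 4

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log using documentation address ranges.
SAMPLE_LOG = """\
2007-03-14T02:11:05 ALLOW TCP 203.0.113.7:51123 -> 192.0.2.10:80
2007-03-14T02:11:09 DENY TCP 198.51.100.23:40001 -> 192.0.2.10:135
2007-03-14T02:11:09 DENY TCP 198.51.100.23:40002 -> 192.0.2.10:139
2007-03-14T02:11:10 DENY TCP 198.51.100.23:40003 -> 192.0.2.10:445
2007-03-14T02:11:10 DENY TCP 198.51.100.23:40004 -> 192.0.2.10:1433
2007-03-14T02:11:11 DENY TCP 198.51.100.23:40005 -> 192.0.2.10:3389
2007-03-14T02:12:30 ALLOW TCP 203.0.113.50:49210 -> 192.0.2.11:3389
2007-03-14T02:13:02 DENY UDP 203.0.113.7:5353 -> 192.0.2.10:161
this line is damaged and must not be silently dropped
2007-03-14T02:14:44 ALLOW TCP 203.0.113.9:50888 -> 192.0.2.12:443
"""


def audit_firewall_log(text, approved=APPROVED_PORTS,
                       sweep_threshold=SWEEP_THRESHOLD):
    """Return a report dict with three kinds of findings.

    unapproved_allowed: (timestamp, source, destination, port) for every
        ALLOW entry whose destination port is not on the approved list.
    sweeps: source address -> sorted denied ports, for sources denied on
        at least `sweep_threshold` distinct ports.
    unparsed: 1-based line numbers that did not match the expected format,
        so a reviewer can see what the audit could not read.
    """
    report = {"unapproved_allowed": [], "sweeps": {}, "unparsed": []}
    denied_ports = defaultdict(set)

    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if match is None:
            report["unparsed"].append(number)
            continue
        dport = int(match["dport"])
        if match["action"] == "ALLOW":
            if dport not in approved:
                report["unapproved_allowed"].append(
                    (match["ts"], match["src"], match["dst"], dport))
        else:
            denied_ports[match["src"]].add(dport)

    for src, ports in denied_ports.items():
        if len(ports) >= sweep_threshold:
            report["sweeps"][src] = sorted(ports)
    return report


if __name__ == "__main__":
    result = audit_firewall_log(SAMPLE_LOG)
    for ts, src, dst, port in result["unapproved_allowed"]:
        print(f"ALLOWED ON UNAPPROVED PORT  {ts} {src} -> {dst}:{port}")
    for src, ports in result["sweeps"].items():
        print(f"POSSIBLE SWEEP  {src} denied on ports {ports}")
    for number in result["unparsed"]:
        print(f"UNPARSED LINE  {number}")
```
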
In the FBI’s security survey, virus
infiltration in a corporation leads in monies
lost by corporations. Security covers a broad
spectrum of areas, and antivirus protection is one form of
security. Corporations that do not deploy
updated antivirus definitions could open Trojans
or viruses that open ports or send documents to
malicious individuals. Deployment often relies on
enterprise-level software to protect the entire local
area network.
In order for security analysts to monitor
possible network violations, many companies have put
in intrusion detection systems that monitor network
traffic and use alarms and logs to alert appropriate
personnel of possible intrusion.
Because public IP addresses are accessible by
the public, hackers have easier access to servers or
computers within corporations’ networks. Network
address translation provides private IP addresses
behind a public IP address to help protect a company’s
network infrastructure. This IP address manipulation
allows many servers and workstations to hide
behind proxy servers or firewalls. The only drawback to
this is that some servers may need a public IP address to be
seen from the outside. Working hand in hand with
firewalls, public IP addresses can sit in the
DMZ (demilitarized zone) section of the firewalls.
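How the translation described above hides internal hosts, as an added example that is not part of the original text: a toy port-address-translation table in which outbound connections create mappings, unsolicited inbound packets are dropped, and one static mapping publishes a DMZ server. All addresses are constructed (RFC 1918 and documentation ranges), the class and method names are hypothetical, and the model ignores the remote endpoint and timeouts that a real gateway tracks.

```python
import ipaddress

# The three private ranges reserved by RFC 1918.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True if addr is a private address that cannot be routed on the internet."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


class NatGateway:
    """Minimal model of a NAT device with one public address."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._next_port = first_port
        self._out = {}      # (private_ip, private_port) -> public_port
        self._in = {}       # public_port -> (private_ip, private_port)
        self._static = {}   # public_port -> (dmz_ip, dmz_port)

    def publish(self, public_port, dmz_ip, dmz_port):
        """Static mapping for a server that must be seen from the outside."""
        self._static[public_port] = (dmz_ip, dmz_port)

    def outbound(self, src_ip, src_port):
        """Translate an outgoing connection; return what the outside sees."""
        if not is_rfc1918(src_ip):
            raise ValueError("inside hosts are expected to use private addresses")
        key = (src_ip, src_port)
        if key not in self._out:
            self._out[key] = self._next_port
            self._in[self._next_port] = key
            self._next_port += 1
        return (self.public_ip, self._out[key])

    def inbound(self, dst_port):
        """Return the inside (ip, port) for an arriving packet, or None if dropped."""
        if dst_port in self._static:
            return self._static[dst_port]
        # Only ports opened by an earlier outbound connection are translated.
        return self._in.get(dst_port)


def demo():
    gw = NatGateway("203.0.113.10")
    gw.publish(443, "192.168.50.20", 8443)       # DMZ web server
    seen = gw.outbound("10.1.1.25", 51000)       # workstation browsing out
    return {
        "seen_by_outside": seen,                 # private address never appears
        "reply": gw.inbound(seen[1]),            # reply reaches the workstation
        "unsolicited": gw.inbound(3389),         # no mapping, so it is dropped
        "dmz": gw.inbound(443),                  # published server is reachable
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```
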
As stated in the previous chapter, training of
personnel helps corporations protect their valuable
assets and their clients’ assets. Training of personnel
should take place at a minimum of twice annually.
Companies spread across a metropolitan
network or a wide area network often unintentionally
neglect branch offices or outlying offices. CIOs and
IT managers need to focus on the entire corporation as
a whole. Neglect of branch offices can result in
infiltration into a vulnerable section causing an
infiltration throughout the entire network.
Policy and procedures should cover these
issues so that these areas are not overlooked. A copy
of the policy and procedures should be kept at each
location with scenarios for disaster recovery.
The overall strategy for the initial phase of
protection involves the publishing of Policy and
Procedures. The publication of Policy and
Procedures includes the hierarchical structure of the
information technology department and all tasks
associated with it. The following approach is used to
monitor the updating of the Policy and Procedures:
• Document changes to existing Policy and Procedures
• Identify weaknesses
• Test disaster recovery portion of Policy and Procedures
• Test auditing procedures
• Rewrite when a significant number of changes take place
• Ongoing training
This strategy is being used by all of the
companies in this research paper. Each of the
companies uses primarily the same software, but
has different database backends that keep all of the
mission-critical and protected demographic
data. Each of the companies uses different virus
protection, but has the same update policies in
place for this malicious activity.
These companies use their policy and
procedures to look at backup strategies for their
data. This form of security is one of the most
important aspects of Computer and Network
Security. Companies use backup DLT tapes and
rotation schedules for the tapes to ensure tapes are
carried offsite daily.
Many companies are
looking for and some are using offsite backup
strategies through third party companies. This
action alone can be a risk if a thorough
background check of the company is not
performed and if the company does not follow
internal policies of security.
Training is in place from the lowest level of
help desk to the Information Technology manager
and CIO. Training updates are given to all
employees outside of the IT department so that
security can be maintained throughout the
company. These companies use the following
training methods:
o Memos to all staff on new viruses
o Memos to IT Personnel on new viruses
o Memos to IT Personnel on opportunities to train at seminars
o Seminars (Mandatory)
o Seminars (Voluntary)
o Webcasts/Podcasts
o In house training by security personnel
o In house training by outside resources
o College reimbursement
o New product training
o Policy and procedure review
o Proper use of the internet
o Proper use of email and best practices
Memos provide a written form of
communication for IT professionals. Whether in
email format or in written document format, memos
provide a backbone for communication in information
technology security.
Email memos can be combined with the
collaboration features of software programs
such as Microsoft Outlook and used in conjunction
with the calendar feature. This feature allows
reminders to be set, and the collaboration allows all
team members to see the reminders.
Seminars are an excellent resource for
learning security and new product features and
updates. Microsoft TechNet briefings, held quarterly
in many major cities in the United States, allow
the IT professional to network with Microsoft’s
professionals. This networking allows for audience
reaction and discussion on issues found in industry
today.
Setting seminars as voluntary allows team
members the freedom of attending these events as they
choose, while mandatory attendance ensures the members gather
information that can be used in the organizations.
This selection should be both voluntary and
mandatory to ensure the IT professional achieves a
diverse knowledge of areas needed for the true
protection of networks.
Webcasts/Podcasts provide training for
organizations on-site and are offered by large
organizations and software vendors. Webcasts can be
prerecorded or live. These forms of training allow
the IT manager or CIO to be present to answer
questions for junior IT professionals or help desk
personnel.
In-house training allows for security directors
or outside industry leading experts to come on site and
educate personnel on topics involving security. This
form of training ensures personnel are present and
communication gets through to all in-house personnel.
Outside experts coming into facilities allow
for a variety of topics and a third party view of what
security practices are being used by other industries.
College reimbursement provides motivation
for employees to educate themselves. This allows
employees to gain higher education at no or little cost.
This becomes a valuable tool for not just the employee
but for the company or corporation. The payoff of
reimbursement becomes the knowledge of the
employee.
Because the technology field in the world of
computers changes at the drop of a hat, new products
are introduced at a record-breaking pace. This
introduction is not only for totally new products to the
industry but can be for updates or version changes on
software. It is very important for CIOs to have this
training for new products available to all levels of
information technology.
Policy and procedures are one of the
largest keys to protecting a network, and
all aspects of network management
change daily. Once these items are put into place, it
cannot be stressed enough that these assets of your
company should be reviewed and updated as often as possible.
Communication of these updates falls back to written
and email memos to peers as mentioned in this
chapter.
With IT personnel trained in security, it
becomes very important for other members of an
organization to be aware of Internet and email use
policies to cut off problems before they occur.
Summary of Chapter 4
Chapter 4 presented the methodology and
detailed plan of the Allen, Neill, Taylor companies
and a higher education facility. From these
discussions, it is evident that each of these companies
has distinct policy and procedures in place with an
overall approach of the following key points:
• Employ certified and experienced personnel
• All are focused on standards set by CERT.ORG and other security industry leaders
• Strong Policy and Procedures in place
• Communications among internal company and internal information systems.
• Committees and Sub-committees in place for compliance issues
CHAPTER 5
Summary, Recommendations and Conclusions
Introduction
To support the Conclusion and
Recommendations, it is important to understand and to
restate the problems of Infrastructure Security.
“Companies must put all means of security in place
both internally and externally”. This chapter will
discuss whether this study supports the problem
statement and it will provide a conclusion concerning
what companies need to do in order to protect their
assets. It will also provide additional
recommendations related to the research findings.
Conclusions and Recommendations
“Companies must put all means of security in place
both internally and externally”
The research has been abundantly clear that
the initial requirements to meet standards set by the
industry should include policy and procedures and
guidelines to effectively protect internal assets as well
as ecommerce assets from companies or individuals
doing business.
With the FBI’s cyber report on crime and
related organizations producing reports on cyber
related security, businesses should keep a parallel
focus on security as well as staying on focus with their
main product(s).
“Companies will have to stay ahead of the game and
should not question or waver away from protecting
their internal assets.”
With guidance and support of peer
companies, companies should network with software
and hardware vendors, other non-competitive
companies and with organizations that specialize in
security. Past examples of hackers and thieves on the
internet should awaken sleeping companies.
In answering “why security is needed and
how to implement security”, companies should look
at past examples and the ever increasing number of
companies who have had security violations
throughout their infrastructure. This provides a
learning basis for all companies. This is one area
companies do not want to lead by example.
The problem statement components of “when
security is needed, and how to implement it” are
answered as follows:
• Industry-wide compliance with recommendations by industry-leading experts.
• Restating the key elements from previous chapters include:
   o Employ trustworthy Information Technology workforce to protect assets
     from within the companies as though assets were their own.
   o Focus on industry statistics and separate fact from fiction for the best
     protection of the security infrastructure.
   o Utilize all means of security including beta-based security tools,
     physical tools and update policies and procedures as necessary. Document
     all deficiencies and follow through with any and all shortcomings to
     ensure the best and most adequate protection from thieves, whether
     internal or external.
   o Ongoing communications between all levels of employees from help desk to
     the CIO (Chief Information Officer). CIOs cannot lose touch with reality
     of the “real” world of security.
   o A quality control program should be put into place to maintain site-wide
     integrity.
   o Policy and procedures must be reviewed.
   o Internet usage policies should exist and all employees should review and
     sign acceptance letters.
   o Email usage policies should exist and all employees should review and
     sign acceptance letters.
   o Systems must be tested in order to ensure quality.
   o Ongoing training must be put into place for IT professionals and accurate
     records must be maintained in order to verify training and training needs.
“Companies must provide high level training to
meet the needs of industry growth while
maintaining a balanced budget and customer
security”.
In the early stages of security and
ecommerce, the selected companies and corporations
had to have the foresight to look at the “What ifs” of
protection and hold onto paranoia for the “just in
case” scenarios that crop up with business forecasts and
predictions. These companies in the early years of
ecommerce were beginning to provide SSL (Secure
Sockets Layer) protection of their websites along with
early Cisco firewalls and web servers. The Allen,
Neill, Taylor Companies and a higher education
facility all provided above average protection for their
clients and the exchange of data along their local area
connections and their extranets. This protection
provided customer reassurance and customer growth
that in turn provided growth for the revenue of the
company.
With this electronic protection in place, the
Allen, Neill and Taylor companies along with a higher
education facility all provide digital certificates and
SSL encryption for their clients or consumers. This
extra protection allows for the companies to exchange
critical demographic and financial data including
credit card numbers and personal account information.
Each of the above listed companies uses web
databases that “dump” the client information to a
printer and purge any critical data. This practice is
becoming a trend for companies. By purging data,
the database is empty and in the event a breach is
successful by a hacker, no data will be lost.
During a recent event, a local technical
college in Middle Tennessee accepted over 200 credit
card orders for a regional conference and the data was
accepted, purged to a printer and the database emptied
for security reasons.
This type of transaction allows for the
security of the corporate infrastructure to remain intact
even in the event of an ecommerce breach.
Although many companies use databases on
the web, the above practice is new in the industry and
allows the company to reenter the data into an internal
server that has been NATed behind a firewall, thus
adding an extra layer of security.
This practice requires more work on the
company side of taking and automating orders but
helps keep hackers at bay.
An empty database
discourages these individuals from returning to an
empty nest.
Since the Internal Company Security and
Auditing Controls of security infrastructure
throughout the companies under consideration were
compliant with industry standards the impact on the
companies’ operations was minimal. The operations
and organization of the companies’ functionality
prove to be industry leaders in setting industry
examples. With the ever changing world of security,
and with ecommerce and the precarious balancing of
performance of business, these companies along with
other companies have to look at performance and new
technologies to protect their business without
sacrificing customer demands from their business.
Budget constraints within the economy of 2004 cannot
be allowed to outweigh the cost of loss due to neglecting the
protection of customers and internal assets. The
companies used in this study have to balance the
monies available for security while looking at the cost
of losing customers due to possible security
breaches.
In conclusion, the emphasis on strong
Internal Company Security and Auditing Controls
within the area of security for companies is vital. These
controls should be dynamically flexible throughout the
company, from the help desk employee to the Chief
Information Officer. These controls extend from
the overall operations of the Information Systems
department throughout the entire organizational
structure and should be in place to help companies
stay on the leading edge in protection of their assets.
The recommendations from this study are as follows:
• Companies should do extensive background
  checks on their Information Technology
  employees. Checks should include financial,
  criminal and past employment checks.
• Companies should put Policy and Procedures
  into place to make sure that all aspects of
  disaster recovery and planning are covered
  including hardware failure, software failure,
  network setup, personnel hierarchy, team
  responsibilities, deployment of all software
  and appropriate licensing and other
  mission-critical objectives.
• Companies should have a consistent audit
  practice in place for server logs, firewall logs,
  patches, service packs and updates.
• The network infrastructure for companies
  needs a consistent quarterly overview
  committee to look at security needs and
  challenges. This would provide quarterly
  updates of mission statements and policies as
  needed.
• Companies need training programs in place
  for Junior as well as Senior level analysts to
  understand the challenging environment of
  security. These training programs need to
  include industry leaders and seminars from
  software vendors.
• Companies need consistent and open forums
  within their infrastructure for communication
  of daily changes affecting the security
  environment.
• The hierarchical level of the internal
  department of Information
  Systems/Technology needs to be dynamically
  flexible to meet the needs and challenges
  facing the ever-changing world of
  information technology security in the
  workplace.
• Small ecommerce servers should “dump”
  data to a printer and the data should be reentered as a
  precautionary measure in case of a breach on
  an internal file server.
Large ecommerce servers should have multileveled
security in place and should require re-registration in
the event a consumer does not frequent the site.
Records should be archived off of the server for non-returning or one-time customers.
Appendices
CSI/FBI Survey
The Computer Security Institute over the past several
years has produced a survey with the Federal Bureau
of Investigation. Below is an excerpt from the website.
The survey is available for free download from the
Institute's Web site at GoCSI.com. Much of the
content below is verbatim and in its original format
as found on the internet.
Computer Crime Survey
Highlights of the 2004 Computer Crime and Security
Survey include the following:
-- Overall financial losses totaled from 494 survey
respondents were $141,496,560. This is down
significantly from 530 respondents reporting
$201,797,340 last year.
-- In a shift from previous years, the most expensive
computer crime was denial of service. Theft of
intellectual property, the prior leading
category, was the second most expensive last year.
-- Organizations are using metrics from economics to
evaluate their security decisions. Fifty-five percent
use Return on Investment (ROI), 28 percent use
Internal Rate of Return (IRR), and 25 percent use Net
Present Value (NPV).
-- The vast majority of organizations in the survey do
not outsource computer security activities. Among
those organizations that do outsource some computer
security activities, the percentage of security
activities outsourced is quite low.
Based on responses from 494 computer security
practitioners in U.S. corporations, government
agencies, financial institutions, medical institutions
and universities, the findings of the 2004 Computer
Crime and Security Survey confirm that the threat
from computer crime and other information security
breaches is real. Chris Keating, CSI Director, believes
that the Computer Crime and Security Survey, now in
its ninth year, suggests that organizations that raise
their level of security awareness have reason to hope
for measurable returns on their investments.
"Although the CSI/FBI survey clearly shows that
cybercrime continues to be a significant threat to
American organizations, our survey respondents
appear to be getting real results from their focus on
information security. Their average dollar losses per
year have dropped in each survey for four straight
years. Obviously, computer crime remains a serious
problem and some kinds of attacks can cause ruinous
financial damage. We don't believe that all
organizations maintain the same defenses as our
members -- financial damages for less protected
organizations are almost certainly worse. And hackers
won't become complacent anytime soon -- new attacks
are devised every day. So we still have our work cut
out for us. The message here is that it makes sense to
continue our focus on adherence to sound practices,
deployment of sophisticated technologies,
and adequate staffing and training."
Definition of Terms
Abuse of Privilege: Users who perform actions that
they should not, according to company policy or
law.
Access: The ability to enter an electronically secured
area. The process of interacting with a computer
system.
Access Authorization: Permission granted to users,
programs or workstations or shared objects.
Access Control: A set of procedures performed by
hardware, software and administrators to monitor
access, identify users requesting access, record access
login attempts, and grant or deny access to computer
objects while creating administrative logs.
Access Sharing: Permitting two or more users
simultaneous access to files or objects on servers or
for objects on a workstation.
Application Level Gateway (Firewall): A firewall
system in which service is provided by processes that
maintain complete TCP connection state and
sequencing. Application level firewalls often readdress
network traffic so that outgoing packets and
traffic appear to have originated from the
corporation’s firewall, rather than the internal host.
Audit: The collection of records to assess their
completeness and veracity.
Audit Trail: In computer and data center security
systems, a chronological record of when users log in
and how long they are engaged in various activities. An
audit trail may be on paper or on disk.
Authenticate: In networking, to establish the validity
of a user or an object.
Authentication: The process of establishing the
legitimacy of a node or user before allowing access to
requested information.
Authorization: The process of authenticating
successfully.
Availability: The portion of time that a system can be
used for productive work. Server rules fall under the
rule of five 9’s or a desired uptime of 99.999%.
Back Door: An entry point to a program or a system
that is used to gain normally unauthorized access to an
area within a network.
Bandwidth: Capacity of a network, dial-up or data
connection, measured in kilobits per second (kbps) or
megabits per second (Mbps).
Biometric Access Control: Any means of controlling
access through human anatomy measurements, such
as fingerprinting, iris or voice recognition.
Business-Critical Applications: Vital software
needed for specific companies such as databases.
(Microsoft Office, SQL, MS Exchange, etc.)
CERT: Computer Emergency Response Team
established at Carnegie-Mellon University.
(www.cert.org)
Challenge/Response: A security procedure in which
one computer/user requests authentication of another
computer/user, after which the host sends a response.
Clustering: Groups of servers working together as a
single host.
Computer Security: The assurance of availability,
integrity and confidentiality of data.
Computer Security Audit: An evaluation of logs,
procedures and policies to ensure the infrastructure of
companies is maintained.
Data Encryption Standard: A standard for
encryption developed by IBM and later adopted and
used by the National Bureau of Standards. Used in
private and government standards.
Decode: Conversion of encrypted text to plain text
through the use of a code.
Decrypt: Conversion of encoded or enciphered text
into plaintext.
Defense in Depth: The security approach whereby
each system on the network is secured to the greatest
possible degree. May be used in conjunction with
firewalls.
DES: Data encryption standard.
DNS Spoofing: Emulating the Domain Name Services
of another system.
Encryption: The process of scrambling files through
an algorithm (such as the DES algorithm).
End-to-End Encryption: Encryption at the point of
origin within a network, followed by decryption at the
destination site.
Extranet: Internet access to partners and affiliates
outside your organization.
Fault Tolerance: A design method to ensure
continued systems operation by providing redundant
system resources.
Firewall: A hardware or software program used to
provide boundaries between networks.
Gateway: A bridge between two networks, normally a
router (Cisco).
Hack: Software that has had a significant portion of
the programmer’s code rewritten and modified from
the original code.
Hacker: Usually a malicious individual or group of
individuals who breach networks.
Information Systems Technology: The protection of
a corporation’s information assets from unauthorized
disclosure or modification which in turn prevents the
corporation from losing data.
Intrusion Detection: Detection of breaches in
security. Systems using this are commonly called IDS
(Intrusion Detection Systems).
IP Sniffing: Reading the packets of data released from
a network.
IP Spoofing: The use of an internal IP address to
emulate a legitimate user.
ISO: International Standards Organization.
ISSA: Information Systems Security Association.
Local Area Network (LAN): An interconnected
system of computers and peripherals. Usually found in
a star topology.
Logging: The process of storing information about
events that occurred on systems or the firewall.
Log Retention: The holding of logs from systems.
Network Computer: A computer or host found on
the Local Area
Network Worm: A program designed to move or
channel across a network.
One-Time Password: A password used only one time
during an initial session.
Operating System: System software that controls
computers. Commonly used OSs today are Windows
2000, Windows XP Professional, Windows 2003
Server, Linux and Unix.
Password: A secret word, numbers, phrase or
combination that is used in authentication.
Performance: The speed at which data is processed.
Computers, network, etc.
Perimeter-based Security: The control of entry and
exit points on network(s).
PIN: Personal Identification Number.
Policy: Organizational based rules and procedures that
establish “how processes should take place.”
Private Key: In encryption, one key (or password).
Protocols: “Languages” of computers.
Proxy: Computer that acts on the behalf of other
computers. Common proxies are ISA server or
AnalogX.
Public Key: In encryption, a two-key system.
Remote Access: The accessing of computer systems
or nodes in a network from a different geographical
location.
Risk Analysis: The analysis of an organization's
information resources.
RSA: A public key cryptosystem.
Scalability: The ability to add on or to expand
systems resources to support large numbers of users
without impacting performance.
Server: A computer used to control other computers
or to share resources or objects.
Server-based Computing: A computer that delivers
critical business applications to end users.
Server Farm: A group of servers.
Smart Card: A credit card sized electronic device
that controls access to restricted areas or systems.
Social Engineering: To deceive users and gain access
by false means.
Stateful Inspection: Firewall inspection of packets
to search for data such as IP information, content and
port numbers.
TCO: Total Cost of Ownership.
Token: An authentication tool.
Trojan Horse: A malicious program that disguises its
harmful intent by emulating another program.
User: Any person who interacts directly with a
workstation or personal pc.
User ID: Often known as the “username”. Use can be
alpha or numeric.
User Interface: The part of an application that the
user works with. User interfaces can be text-driven,
such as command-line driven, or graphical.
Virtual Private Network: A network providing no
outside contact using the protocols L2TP or PPTP. A
link between one network and another providing a
secure connection of data using the aforesaid
protocols.
Virus: A self-replicating code segment. Viruses may
or may not contain attack programs.
Country Code Extensions (Internet):
.ac – Ascension Island
.ad – Andorra
.ae – United Arab Emirates
.af – Afghanistan
.ag – Antigua and Barbuda
.ai – Anguilla
.al – Albania
.am – Armenia
.an – Netherlands Antilles
.ao – Angola
.aq – Antarctica
.ar – Argentina
.as – American Samoa
.at – Austria
.au – Australia
.aw – Aruba
.az – Azerbaijan
.ba – Bosnia and Herzegovina
.bb – Barbados
.bd – Bangladesh
.be – Belgium
.bf – Burkina Faso
.bg – Bulgaria
.bh – Bahrain
.bi – Burundi
.bj – Benin
.bm – Bermuda
.bn – Brunei Darussalam
.bo – Bolivia
.br – Brazil
.bs – Bahamas
.bt – Bhutan
.bv – Bouvet Island
.bw – Botswana
.by – Belarus
.bz – Belize
.ca – Canada
.cc – Cocos (Keeling) Islands
.cd – Congo, Democratic Republic of the
.cf – Central African Republic
.cg – Congo, Republic of
.ch – Switzerland
.ci – Cote d'Ivoire
.ck – Cook Islands
.cl – Chile
.cm – Cameroon
.cn – China
.co – Colombia
.cr – Costa Rica
.cu – Cuba
.cv – Cape Verde
.cx – Christmas Island
.cy – Cyprus
.cz – Czech Republic
.de – Germany
.dj – Djibouti
.dk – Denmark
.dm – Dominica
.do – Dominican Republic
.dz – Algeria
.ec – Ecuador
.ee – Estonia
.eg – Egypt
.eh – Western Sahara
.er – Eritrea
.es – Spain
.et – Ethiopia
.fi – Finland
.fj – Fiji
.fk – Falkland Islands (Malvinas)
.fm – Micronesia, Federal State of
.fo – Faroe Islands
.fr – France
.ga – Gabon
.gd – Grenada
.ge – Georgia
.gf – French Guiana
.gg – Guernsey
.gh – Ghana
.gi – Gibraltar
.gl – Greenland
.gm – Gambia
.gn – Guinea
.gp – Guadeloupe
.gq – Equatorial Guinea
.gr – Greece
.gs – South Georgia and the South
Sandwich Islands
.gt – Guatemala
.gu – Guam
.gw – Guinea-Bissau
.gy – Guyana
.hk – Hong Kong
.hm – Heard and McDonald Islands
.hn – Honduras
.hr – Croatia/Hrvatska
.ht – Haiti
.hu – Hungary
.id – Indonesia
.ie – Ireland
.il – Israel
.im – Isle of Man
.in – India
.io – British Indian Ocean Territory
.iq – Iraq
.ir – Iran (Islamic Republic of)
.is – Iceland
.it – Italy
.je – Jersey
.jm – Jamaica
.jo – Jordan
.jp – Japan
.ke – Kenya
.kg – Kyrgyzstan
.kh – Cambodia
.ki – Kiribati
.km – Comoros
.kn – Saint Kitts and Nevis
.kp – Korea, Democratic People's
Republic
.kr – Korea, Republic of
.kw – Kuwait
.ky – Cayman Islands
.kz – Kazakhstan
.la – Lao People's Democratic Republic
.lb – Lebanon
.lc – Saint Lucia
.li – Liechtenstein
.lk – Sri Lanka
.lr – Liberia
.ls – Lesotho
.lt – Lithuania
.lu – Luxembourg
.lv – Latvia
.ly – Libyan Arab Jamahiriya
.ma – Morocco
.mc – Monaco
.md – Moldova, Republic of
.mg – Madagascar
.mh – Marshall Islands
.mk – Macedonia, Former Yugoslav
Republic
.ml – Mali
.mm – Myanmar
.mn – Mongolia
.mo – Macau
.mp – Northern Mariana Islands
.mq – Martinique
.mr – Mauritania
.ms – Montserrat
.mt – Malta
.mu – Mauritius
.mv – Maldives
.mw – Malawi
.mx – Mexico
.my – Malaysia
.mz – Mozambique
.na – Namibia
.nc – New Caledonia
.ne – Niger
.nf – Norfolk Island
.ng – Nigeria
.ni – Nicaragua
.nl – Netherlands
.no – Norway
.np – Nepal
.nr – Nauru
.nu – Niue
.nz – New Zealand
.om – Oman
.pa – Panama
.pe – Peru
.pf – French Polynesia
.pg – Papua New Guinea
.ph – Philippines
.pk – Pakistan
.pl – Poland
.pm – St. Pierre and Miquelon
.pn – Pitcairn Island
.pr – Puerto Rico
.ps – Palestinian Territories
.pt – Portugal
.pw – Palau
.py – Paraguay
.qa – Qatar
.re – Reunion Island
.ro – Romania
.ru – Russian Federation
.rw – Rwanda
.sa – Saudi Arabia
.sb – Solomon Islands
.sc – Seychelles
.sd – Sudan
.se – Sweden
.sg – Singapore
.sh – St. Helena
.si – Slovenia
.sj – Svalbard and Jan Mayen Islands
.sk – Slovak Republic
.sl – Sierra Leone
.sm – San Marino
.sn – Senegal
.so – Somalia
.sr – Suriname
.st – Sao Tome and Principe
.sv – El Salvador
.sy – Syrian Arab Republic
.sz – Swaziland
.tc – Turks and Caicos Islands
.td – Chad
.tf – French Southern Territories
.tg – Togo
.th – Thailand
.tj – Tajikistan
.tk – Tokelau
.tm – Turkmenistan
.tn – Tunisia
.to – Tonga
.tp – East Timor
.tr – Turkey
.tt – Trinidad and Tobago
.tv – Tuvalu
.tw – Taiwan
.tz – Tanzania
.ua – Ukraine
.ug – Uganda
.uk – United Kingdom
.um – US Minor Outlying Islands
.us – United States
.uy – Uruguay
.uz – Uzbekistan
.va – Holy See (City Vatican State)
.vc – Saint Vincent and the Grenadines
.ve – Venezuela
.vg – Virgin Islands (British)
.vi – Virgin Islands (USA)
.vn – Vietnam
.vu – Vanuatu
.wf – Wallis and Futuna Islands
.ws – Western Samoa
.ye – Yemen
.yt – Mayotte
.yu – Yugoslavia
.za – South Africa
.zm – Zambia
.zw – Zimbabwe