Week 2 Essay Questions
18 January 2017
When storing information on a network, it is best to identify and categorize the information by levels of importance to save money and narrow the focus of security measures. To achieve this goal, businesses/organizations are using data classification systems to effectively categorize and separate information. “Data Classification is the process of organizing data into categories for its most effective and efficient use” (Rouse, 2007). Data classification systems differ depending on the network hosting organization. For example, a military organization will have a different data classification system than a commercial organization. The main difference between the two data classification systems is that a government classification system has a set standard, whereas a commercial one does not.
For a commercial organization, “The classification used is dependent on the overall sensitivity of the data and the levels of confidentiality desired” (Bragg, 2002). Commercial data classification systems have no set standard and are set up per the information stored by the network hosting company. They come in many forms with different levels of classification. According to Pearson IT Certification, “CISSP Security Management and Practices”, the most common classification levels are:
- Sensitive – information that will do the most damage to a company if it ended up in the wrong hands. This information requires the highest level of CIA within a company. Examples of sensitive information would be network user information, company financial information, or customer PII.
- Confidential – information that is less protected within the walls of a company network but could do damage to a company if it ended up in the wrong hands. Examples of this information would be company activities/projects, employees that work within certain departments, or general computer/hardware information.
- Private – information that probably would not do damage to a company but must be kept private for other reasons such as protection laws. An example of private information would be human resources information on employees.
- Proprietary – information that is known throughout the company and its employees involved, but is only disclosed outside of a company on a very limited basis due to its worth to a company and its competitive edge. An example of this would be information on a new company product.
- Public – information that causes little or no harm to a company. Examples would be company size, marketing information, or number of working employees.
For a military/government organization, data classification is a set standard and the same across the board. These classification levels are:
- Top Secret – The disclosure of top secret information would cause severe damage to national security. Examples of top secret information would be mission details, deployment information, aircraft system information, intelligence information, or financial information.
- Secret – The disclosure of secret information would cause serious damage to national security. Examples of secret information would be member PII, schedules, training activities, training schedules, software/hardware information, or future agency scopes.
- Confidential – “Confidential data is usually data that is exempt from disclosure under laws such as the Freedom of Information Act but is not classified as national security data” (Bragg, 2002). Examples of this information would be activities taking place by specific agencies or branches of service that are known throughout the agency/branch of service and kept from the public until the activity is taking place or over.
- Unclassified – public information that has no classification or sensitivity level. This information is anything about an agency or branch of service that can be acquired through public access.
“Facilities and IT teams can effectively maintain physical and information security with a “defense-in-depth” approach that addresses both internal and external threats. Multiple layers of network security can protect networked assets, data and end points, just as multiple layers of physical security can protect high-value physical assets.” (Banathy, Panozzo, Gordy, & Senese, 2013). Defense-in-depth strategies include the coverage of five main areas to ensure full coverage. These areas are:
- Physical Security – the physical security layer is designed to keep physical assets/locations secure. This layer is important because it keeps unauthorized people from entering secure areas and getting their hands on workstations or hardware used for networks. Examples of physical security are security guards, gates, fences, barriers, and door locks.
- Network Security – the network security layer is meant to keep networks secure from unauthorized access. This layer is important because it keeps unauthorized users from accessing a network and information stored on a network. Examples of network security are firewalls, IDS/IPS systems, DMZ zones, and routers/switches set up with security configurations to route traffic.
- Computer Hardening – the computer hardening layer is meant to keep intruders from accessing computer systems through vulnerabilities. Examples of computer hardening are anti-virus software, host IDS systems, locking unused computer ports, and removing unused applications/services from workstations to avoid creating vulnerabilities.
- Application Security – the application security layer is meant to control access to programs and applications. This layer is important because it is used for complete network traffic/user control through access control settings and forcing login credentials for certain applications. An example of application security is Microsoft Active Directory Domain Service, which is a Role Based Access Control System.
- Device Hardening – the device hardening layer is meant to secure devices used for network access. This layer is important because many devices come with factory settings that create vulnerabilities on a network. An example of device hardening is reconfiguring a device with specifications to match the network and removing all factory settings that create network vulnerabilities.
“The trusted computing base (TCB) is everything in a computing system that provides a secure environment. This includes the operating system and its provided security mechanisms, hardware, physical locations, network hardware and software, and prescribed procedures” (Rouse, 2005). In other words, a TCB is a network built with fully customizable pieces of hardware and software that can be set up to meet the company’s needs. Rather than compromising a company’s needs around a network setup, a network can be designed specifically to meet a company’s standards. Trusted computing bases encompass everything from a compound with buildings inside, down to authentication tools. Every piece of the puzzle plays a vital role in providing security.
When designing a trusted computing base, or simply upgrading a preexisting network to become a TCB, it is best to have a network layout with as much information as possible about the network and its activity. Beneficial information would be all aspects of the network such as hardware, software, users, domains, data classifications, business operations, authentication tools, IP addresses, workstations, departments, organization units, etc. Having this information will allow the architect to plug in security details where they see fit.
To begin, it is best to start at the biggest part and work down to the fine details. First, you have a physical location with security measures. Physical security tools would be a facility with a perimeter fence, security guards on post, door locks, and security alarms. In more detail, this means secure rooms inside the facility for servers, and security tools on the inside to deter/catch anyone trying to enter areas they are not authorized to enter. The next step is securing a network. This is done with hardware like IDS/IPS systems, firewalls, DMZ zones, and routers/switches with security configurations to control network traffic. The next step is configuring secure workstations. This is accomplished by evaluating current operating systems, hardware, and other software on the workstation to ensure all is up to date and any known vulnerabilities are addressed. Also, host IDS systems, authentication tools, and anti-virus software can be used to further create a TCB. The next step is device hardening. Device hardening is ensuring that all devices are properly set up to work on a network without creating vulnerabilities. It also means making sure security measures are set up on a device so only authorized personnel can make changes.
The last step, and most important, is application security. Installing a program like Microsoft Active Directory Domain Service, in my opinion, is the most important piece of the puzzle. This program allows for centralized control of all security features on a network and allows full customization of network operations as well. This tool is used to control user access, user activity, user privileges, workstation access, workstation activity, network access rules, sophisticated password standards, hardware security settings, network traffic, and many more security options. In my opinion, Active Directory Domain Service is one of the best tools that can be used to create a TCB. The best part about this tool is that as the network grows, users are added, and policies are changed, the program can easily be changed to meet the company’s needs without spending money. TCBs need to be flexible with the ability to grow or shrink without creating vulnerabilities, and Microsoft Active Directory Domain Service, with the support of good hardware, software, and policies, is the perfect tool to achieve this goal.
Banathy, A., Panozzo, G., Gordy, A., & Senese, J. (2013, July). A Layered Approach to Network Security | Security and Compliance | Industrial IP Advantage. Retrieved from http://www.industrial-ip.org/en/knowledge-center/solutions/security-and-compliance/a-layered-approach-to-network-security
Bragg, R. (2002, December 20). Classifying Data | CISSP Security Management and Practices | Pearson IT Certification. Retrieved from http://www.pearsonitcertification.com/articles/article.aspx?p=30287&seqNum=9
Rouse, M. (2005, September). What is trusted computing base (TCB)? Retrieved from http://searchsecurity.techtarget.com/definition/trusted-computing-base
Rouse, M. (2007, May). What is data classification? Retrieved from http://searchdatamanagement.techtarget.com/definition/data-classification