Running head: ADDRESSING NETWORK SECURITY ISSUES 1

Addressing Network Security Issues

Through the Perspective of a Chief Security Officer

Alyssa L. Reph

Wilkes University
ADDRESSING NETWORK SECURITY ISSUES 2

Introduction

According to Bruce Schneier, If you think technology can solve your security

problems, then you dont understand the problems and you dont understand the

technology (Top 10, n.d.). Information security relies on more than just technology; it

requires intelligent people behind the systems. In a company, the Chief Security Officer

has the responsibility of assessing risk, managing technology, implementing policies, and

educating staff (Whitman & Mattord, 2014, p. 35). Though there are a variety of security

issues, five unique situations will be addressed through the perspective of the Chief

Security Officer.

Discussion

Accessing Company Files

The Board of Trustees are going on retreat to Florida and need to access their files on

the company file server, which is an internal server only. The primary concern is how can

they be given access to their files in a secure manner and what will that require the

company to do? To obtain access to the network, the Chief Security Officer will utilize a

virtual private network. This type of network is a private data network that makes use of

the public telecommunication infrastructure, maintaining privacy through the use of a

tunneling protocol and security procedures (Whitman & Mattord, 2014, p. 347). In other

words, the virtual private network will enable the company to securely extend the

network connections to other locations.

Before the Board of Trustees is offered access to that network, the Chief Security

Officer must confirm that the company has a policy to control usage. It is essential to

have an issue-specific security policy, which details the authorized usage of the virtual
ADDRESSING NETWORK SECURITY ISSUES 3

private network and accompanying resources (Whitman & Mattord, 2014, p. 164). Is

there an issue-specific policy already in effect? If so, does it include the use of resources

over virtual private networks? The policy format can be an electronic document emailed

to the Board, with a short quiz to assess their understanding of the guidelines. The Board

of Trustees will be required to read and sign that they are in agreement with the policy

(Whitman & Mattord, 2014, p. 112).

Purchasing a Server

The finance department is looking to purchase a server to store all of the budgeting

materials. When deciding to purchase such an important piece of equipment, multiple

factors must be considered. What software and servers is the company currently

operating on and are they effective? If they are working well, the Chief Security Officer

may decide to purchase another similar model. Additionally, is there room in the budget

for a new server? The Chief Security Officer will need to check the budget and have the

server approved for purchase. Once the decision is made on the type and size of the

server, the protection of information needs to be taken into account.

How will the company protect the information that is housed on the server? Since the

server will be guarding financial information, documentation is key to keeping the

companys files safe. An intrusion detection and prevention system (IDPS) should be set

up to log data and keep the server secure (Whitman & Mattord, 2014, p. 361). The IDPS

will document all activity on the server so in the event of an attack, the company would

have the documentation necessary to track down the intruder. Along with the IDPS,

firewalls will need to be configured. Who will be in charge of the firewall configuration?

There will be an employee designated as the authorized firewall administrator. They will
ADDRESSING NETWORK SECURITY ISSUES 4

set up the firewall to protect the server from outside attacks. The configuration and

operation of a network firewall (Whitman & Mattord, 2014, p. 168) can be found in the

systems-specific security policy. That policy will guide the administrator in establishing

the firewall according to the companys instructions.

Firing a Network Administrator

When one of the key network administrators is fired, procedures must be followed to

ensure the safety of the companys information. How can the company minimize risks to

their security? Risks can be decreased if specific procedures are followed regardless of

the level of trust the company had for the employee (Whitman & Mattord, 2014, p. 578).

An exit interview should be conducted whether the departure is friendly or hostile. Who

will conduct the employees exit interview? The Chief Security Officer will likely handle

the exit interview because they have worked closely with the network administrator and

have built good rapport. The interview will consist of a meeting with the employee to

review contractual obligations, such as nondisclosure agreements, and to obtain

feedback about the employees tenure (Whitman & Mattord, 2014, p. 577).

What specific procedures will guarantee that the employee no longer has access to

network information? The Chief Security Officer must disable the employees access to

network systems, secure hard drives, and collect any removable media, company devices

and access cards. Locks on filing cabinets and doors should be changed along with

administrative level passwords (Whitman & Mattord, 2014, p. 578). Since this employee

had extensive authorized access to the network, the Chief Security Officer should run a

security check to check the vulnerability of the network to outside attacks (Verry, 2008).
ADDRESSING NETWORK SECURITY ISSUES 5

When a network administrator is being fired, who should be notified of the change?

Human resources should be made aware as they will be responsible for providing

important documents, such as a contract and nondisclosure agreement, to the exit

interviewer to review before the meeting. Also, human resources are responsible for

posting the job opportunity. Furthermore, the company employees will be made aware

because it should be made clear that any communication with the terminated employee

should be reported to the management (Verry, 2008). Business partners and consultants

must be informed that this employee no longer works with the company. This is a

preventative measure so the employee does not take advantage of these contacts as a

means to acquire company information (Verry, 2008).

How will this firing affect the company, and who will take over this position in the

interim? Due to the importance of the companys security, it is vital that someone cover

that position. Most likely the Chief Security Officer will have that responsibility because

they already obtain proper access and knowledge of the network. Once someone new is

hired or promoted, they will be trained in the companys policies and procedures.

Preventing a Worm Attack

A new Internet worm has just been reported by CERT. According to Whitman and

Mattord (2014), the complex behavior of worms can be initiated with or without the user

downloading or executing the file (p. 84). A worm is a type of malicious software that

can copy itself onto Web servers and spread to hundreds of machines in a matter of

minutes (Incident Handling, n.d.). How can the company protect itself from this

possible threat? The company may choose to start by checking the intruder protection

system and use scanning tools to evaluate the readiness of the system (Whitman &
ADDRESSING NETWORK SECURITY ISSUES 6

Mattord, 2014, p. 360). How do current security measures respond to threats? The data

collected from scanning the system can be analyzed to determine areas of weakness and

find ways to improve protection.

Does the company have an issue-specific security policy for worms? The company

may have a policy, which details the specific minimum configurations of computers to

defend against worms and viruses (Whitman & Mattord, 2014, p. 165). Are the

measures in place effective or does the company need to update their policy? According

to Whitman and Mattord (2014), Policies can only retain their effectiveness in a

changing environment if they are periodically reviewed for currency and accuracy and

then modified accordingly (p. 172). The policy may be outdated or lack the security

necessary to protect the company from the new worm. The policy should be checked for

the most recent revision and tested for effectiveness. If the policy is not detailed enough

to protect the company from new threats, it should be revised and updated immediately.

How will staff be notified of changes to the policy and threat of a new worm? A

newsletter should be sent out to make staff aware of the possible threat, give preventative

measures to be taken, and notify them regarding any changes made to the policy. After

the policy has been revised, it will be electronically sent to staff along with a quick quiz

to ensure they have read and understand it. Risks can be minimized when the company

checks the system periodically, updates policies, and keeps staff informed on possible

breaches.

Selling Products Online

The company is going to begin selling widgets online and accepting credit cards. As

with any new business venture, there are risks that need to be addressed before moving
ADDRESSING NETWORK SECURITY ISSUES 7

forward. How will the company protect the privacy of the consumers? Privacy is defined

as the right of individuals or groups to protect themselves and their information from

unauthorized access, providing confidentiality (Whitman & Mattord, 2014, p. 115). One

measure to protect the privacy of consumers is to ensure that information obtained online

through purchases is used only for providing goods and not for marketing (Whitman &

Mattord, 2014, p .115).

How can the company keep the consumers information secure? The website should

be configured to provide secure electronic transactions by encrypting credit card

information (Whitman & Mattord, 2014, p. 454). Also, the firewall administrator should

establish a firewall to protect consumers credit card information from hackers (Whitman

& Mattord, p. 125). To maintain the security of both company and consumer information,

the Chief Security Officer should ensure that there is an updated policy detailing these

security measures.

Conclusion

As a Chief Security Officer, the security of the network is the top priority. However,

various situations may arise that could threaten or damage the security measures in place.

Whitman and Mattord (2014) posit that, Managing information security has more to do

with risk management, policy, and its enforcement than the technology of it's

implementation (p. 48). Chief security officers play a vital role is assessing risk,

outlining policies and procedures, and informing staff in order to maintain security of the

network.
 ADDRESSING NETWORK SECURITY ISSUES 8

References

Incident handling procedure. (n.d.). Retrieved June 13, 2016, from

https://www.mtech.edu/cts/policies/policies/incident.handling.pro..pdf

Top 10 IT security quotes. (n.d.). Retrieved June 14, 2016, from

http://www.itscolumn.com/2011/08/top-10-it-security-quotes/

Verry, J. (2008, December 18). Best practices for firing a network or information security

admin. Retrieved June 12, 2016, from http://pivotpointsecurity.com/blog/best-practices-for-

firing-a-network-or-information-security-admin/

Whitman, M. E., & Mattord, H. J. (2014). Principles of information security. Boston,

MA: Cengage Learning.