Doing My Homework
Over 101,000 Essays and Term Papers!!
IT Security
  Term Paper ID:38718
Essay Subject:
An account of the issue fronts relevant to Internet and Information Technology security with ......
16 Pages / 3600 Words
10 sources, 27 Citations, MLA Format
$64.00



Paper Abstract:
An account of the issue fronts relevant to Internet and Information Technology security, with reference to different approaches to security and the importance of the human factor in managing security issues.

Paper Introduction:
The purpose of this research is to examine the issue of security on the Internet and in technology-driven information systems more generally. The plan of the research will be to set forth the salient issues that arise in connection with computer-related security and then to discuss how the relevant issues have been analyzed and are deemed important to the maintenance of the integrity of key information systems that govern operations and data management and storage in the current business and administrative environment, with a view toward forecasting possible

Text of the Paper:
The entire text of the paper is shown below. However, the text is somewhat scrambled. We want to give you as much information as we possibly can about our papers and essays, but we cannot give them away for free. In the text below you will find that while disordered, many of the phrases are essentially intact. From this text you will be able to get a solid sense of the writing style, the concepts addressed, and the sources used in the research paper.


(2 4). By extension, it follows that encryption could enable host platforms to embed utilities for state appraisal, proof carrying code, path histories, and execution tracing that would be transparent to mobile users. These issues in turn combine to point up the fact that, however sophisticated the technologies, protocols, and algorithms might be, the human factor may come into play where IT security is concerned. identify four kinds of sanitization--disposal, clearing, purging and destroying--with disposal referring to merely tossing something away with no regard for its security implications. Policy authority inheres in the "policy-setting authority, such as a security officer," who has the job of "specifying the conditions under which information can be exchanged" (p. 7). I-1). (1999). It is a truism of contemporary organizational management that risk analysis and risk management are embedded into the raft of concerns that must be addressed. (2 4, February 17). Clearing. But that is true of virtually all IT security, since IT itself is something of a moving target. 9). Even so, he acknowledges that the more autonomous the mobile agent, the more vulnerable a given mobile unit might be. Accordingly, Jansen proposes certain methods of controlling mobile agents' technology so as to protect it from attack: . Tumbleweed Communications (brochure). Grance, T., Kent, K., & Kim, B. Path histories, or a version of virtual "paper-trail" log or tracking of a mobile agent's IT use patterns . References Bossardt, M., Dubendorfer, T., & Plattner, B. By and large, however, the discourse of IT security deals in moral terms--with the consequences of human frailty or malice. Bossardt, Dubendorfer, and Plattner explain that the variety of "malicious tools" makes it "easy for non-experts (i.e. Additionally, he cites the utility of cryptographic methods and authentication protocols that can be embedded into the technology with a view toward administrative control of agent behavior and capability.
Despite the risks associated with IT proliferation, organizations of all sizes want to be competitive. What is implied by that guideline is that sanitization as an IT security matter is an issue of organization management, with the technology involved as an instrument of human systems. Implicitly, they value upward IT applications that have the effect of shielding and/or encrypting proprietary IT architecture data, even as they acknowledge the technical complexities associated with "how to express privilege and policy" in various codes and algorithms that are sufficiently powerful to assure security but also simple to use. Additional methods of security management have been proposed, however. As one marketing brochure aimed at enhancing Internet security for commercial providers puts it: "Ultimately customers lose faith in the Internet as a means to conduct business because they can not determine who they can trust" (Fisher, 2 4, p. Interception of data, transmission of bogus data, and the like can modify agent behavior on one hand or encoded data on the other and can affect organizational operations and threaten enterprise-wide security. Guide to information technology security services: Recommendations of the National Institute of Standards and Technology. The security issue and its solution is characterized in terms of organizational authority and responsibility: When storage media are transferred, become obsolete, or are no longer usable or required by an information system, it is important to ensure that residual magnetic, optical, electrical, or other representation of data that has been deleted is not easily recoverable. Despite the challenges associated with the multivaried ways in which security can be violated, there is evidence of a continual quest to come up with some version of comprehensive and step-by-step responses.
include both hardcopy, or paper documents and related media (typewriter ribbons, platens, etc.), and electronic copy, or digitized storage media in their review of IT security and sanitization. They note that hardcopy items are in fact often more vulnerable to unauthorized data recovery than digitized information is.[1] That is because physically tangible documents and the media that helped generate them are often consigned to (unguarded) trash bins. What the foregoing responses to the problems of IT security share is the attribute of screening as a preventive measure. They anticipate "tradeoffs in performance, scalability, and compatibility" (Jansen & Karygiannis, n.d., p. (1988). Gaithersburg, MD: National Institute of Standards and Technology, Computer Security Division. Grance, T., Hash, J., Stevens, M., O'Neal, K., & Bartol, N. All such elements are meant to be captured in a security plan that protects assets while continually allowing for identification of evolving risk factors. Media that do not allow overwriting or that are of a particularly large size could not be efficiently "cleaned" but would have to be sanitized in a different way. Writing jointly on the mobile-agent security issue, Jansen and Karygiannis forcefully argue that it is an area that is "in a somewhat mature state," despite the continual refinement of technology and protocols designed to address prospective threats. Wiping out all effects of an incident may even involve rebuilding a compromised system from scratch (2 4, p. government despite the implication of earlier administrations--were marshaled as evidence of America's record of geopolitical duplicity in Iran since the 195 s (see Taheri, 1988). (2 3). That is why attacks on technology systems are perceived as so important and why their growth and variety (viruses, interruptions of service, hacking, phishing, vandalism, etc.) are considered so serious.
As Grance, Kent, and Kim point out, sanitization may be necessary after a security breach to decisively remove all traces of a breach. Gaithersburg, MD: National Institute of Standards and Technology, Computer Security Division. Jansen, W. Risk management deals with protecting assets, and there are five "disciplines" keyed to the kinds of assets meant to be protected: physical, personnel, information, communications, and technical/technological. That is, technical papers tend to cite the costs and potential dangers of security breaches, as well as instances and costs of such breaches, and then deal with specific methods of responding to or preventing them. (n.d.) Assigning and enforcing security policies on handheld devices. It must be resistant to keystroke recovery attempts executed from standard devices and data scavenging tools" (Kissel et al., 2 6, pp. And that, of course, would be a function of sophisticated algorithms, algebra, testing, and the like, which implies expense as well as recruitment of technologically proficient personnel to accomplish the tasks at hand. 8-9) As Jansen explains the last-named method, it would involve host server manipulation of hardware and/or software to be distributed to mobile agents technology. However, all procedures, they add, should be documented so that future breaches can be prevented. There is a certain sameness to much of the professional literature dealing with IT security. make clear, storage media are not the security problem; information is. Sanitization refers to the general process of removing data from storage media, such that there is reasonable assurance that the data may not be easily retrieved and reconstructed. On one hand the host of IT villains seem intent on identifying ways of subverting state-of-the-art security; for example, what worms and viruses could not do as of 1994 phishing evolved to do as of 2 4 (see Fisher, 2 4). (2 6, p. Nest of spies: America's journey to disaster in Iran.
The wider the distribution of capability, however, the more potentially vulnerable the information moving through the IT network is. It is worth noting that these issue fronts may change as the range of IT itself enlarges or transforms. ii). If critical operations are potentially compromised because of risks to computer security from the standpoint of the organizations involved, the implications for marketplace users of Internet and other high-technology applications are even more compelling. One need not know the exact meaning of such terms to recognize their mission- and enterprise-critical implications. NIST special publication 8 -19-- Mobile agent security. Zurich, Switzerland: Computer Engineering and Networks Laboratory, Swiss Federal Institute of Technology. Fisher, J. Gaithersburg, MD: Computer Security Division Information Technology Laboratory. Roper, C.A. It is "created, processed, and stored by an information technology (IT) system," and at some point it may also be disposed of, or discarded. Threats become active when trusted technology is manipulated by untrustworthy actors or even by failures of IT capability brought on by natural disasters such as flood, fire, or technical failure. However, simple elimination of data is in fact not such a simple process. Government-related information may entail different levels of security concern, but the importance of confidentiality for some kinds of government information is difficult to contradict. Importantly, Kissel et al. For example, Fisher (2 4) proposes a spam-filtering software utility for organizations that rely on Internet traffic for the conduct of business, such as banks and other entities that accept payments online. The phenomenon of "residual data" is the name given to pieces or segments of data "supposedly deleted" from any of a variety of media--discs, drives, tapes, etc.--that are in fact left over and subject to partial or full reconstruction.
Jansen sees four kinds of security threats related to mobile IT: those "stemming from an agent attacking an agent platform, an agent platform attacking an agent, an agent attacking another agent on the agent platform, and other entities attacking the agent system" (p. 4). These in turn are associated with costs that are incurred in order to support the management of risk: personnel, equipment, products, facilities, and training. 8). Enhanced Internet security by a distributed traffic control service based on traffic ownership. 2). That is especially true of organizations that conduct significant amounts of business online, via commercial servers. According to analysis by Jansen (n.d.), encryption-related installations and protocols are most critical with respect to "mobile agent technology," or mobile IT devices (e.g., telephones, PDAs, laptops). Interfaces between government organizations and private-sector contractors would be part and parcel of the security-management and information-sanitization protocols that would be undertaken. In order to clarify the logistical and administrative concerns associated with sanitization, they provide a flowchart describing how disposition of various media can be accomplished. As for electronic data, Kissel et al. 9). Purging. Bossardt, Dubendorfer, and Plattner (2 5) cite attempts to blackmail transnational online gambling operations by way of flooding and thereby overwhelming the capacity of the Internet sites with unsolicited online traffic. In such cases, the next level of sanitization is required. Further, they say, the battle against such attacks is asymmetrical, with the commercial entities constantly lagging behind the attackers. Indeed, entirely new vocabularies have emerged that were unthinkable before IT architecture emerged as so important a feature of organization management and operations: "distributed denial of service (DDoS), [] traceback, pushback, i3, SOS, and Mayday" (Bossardt, Dubendorfer, & Plattner, 2 5, p. 6).
The range of issues to consider when implementing an organizationwide IT security plan has been identified: The factors to be considered when selecting, implementing, and managing IT security services include: the type of service arrangement; service provider qualifications, operational requirements and capabilities, experience, and viability; trustworthiness of service provider employees; and the service provider's capability to deliver adequate protection for the organization systems, applications, and information. are at pains to explain that sanitization entails a host of logistical issues, such as time, facilities, personnel clearances and training, as well as the organizational authority under which sanitization might be carried out. Effective sanitization begins with appropriate categorization of information in security terms. People (iPods, cell phones), activities (CAD/CAM design, document generation, Internet access), information (classified data), facilities (computer-controlled access), and equipment (robotics, CAD/CAM operations) are all aspects of IT performance. A. Undoubtedly the awareness of management regarding security issues must be high. The purpose of this research is to examine the issue of security on the Internet and in technology-driven information systems more generally. The plan of the research will be to set forth the salient issues that arise in connection with computer-related security and then to discuss how the relevant issues have been analyzed and are deemed important to the maintenance of the integrity of key information systems that govern operations and data management and storage in the current business and administrative environment, with a view toward forecasting possible lines of development.
This method of encryption would enable a mobile agent to "execute a program embodying an enciphered function without being able to discern the original function; the approach requires differentiation between a function and a program that implements the function" (p. It should also be noted that sanitization and filtering are not mutually exclusive. (Kissel, Scholl, Skolochenko, & Li, 2 6, p. (2 5, June 19). The fact that so much IT is played out on the Internet amplifies the complexities of IT security. These considerations will apply (to varying degrees) to every service depending on the size, type, complexity, cost, and criticality of the services being considered and the specific needs of the organization implementing or contracting for the services (Grance, Hash, et al., 2 3, p. 2-3) and that are subject to systematic auditing. One analysis of the concept of risk holds that it is essential for organizations to anticipate security issues so as to "develop and increase an awareness of security in terms of potential loss impacts, threats, and vulnerabilities" (Roper, 1999, p. One has to do with the issue of data management controls, which are an attribute of the fact that information has something of a life of its own. The basic idea is to authenticate the identity of users and to enable users to prevent "phishing" entities from detecting their digitally stored personal identity information. IT-related security threats may be highly variable, but they appear to fall within four so-called "comprehensive classes: disclosure of information, denial of service, corruption of information, and interference of nuisance" (Jansen, n.d., p. Execution tracing, or a way the home platform might detect unauthorized alterations of state, code, histories . . This is a self-evident term that could take various forms: disintegration, incineration, pulverization, melting, shredding.
Jansen notes that security issues with mobile technology are not really different in kind from threats to "classical client-server systems" but cautions that mobile technologies "simply offer a greater opportunity for abuse and misuse, broadening the scale of threats significantly" (n.d., pp. That is because "the trick is to find appropriate encryption schemes that can transform arbitrary functions as needed" (p. That flowchart is reproduced as Figure 1. They also observe that the techniques for implementing mobile agent security are not all compatible with one another and are not all equally suitable for all applications. Figure 1. The core of meaning here is that information cannot be "retrieved by data, disk, or file recovery utilities. That would not only limit the vulnerability of the agent to malicious attack but would limit the capacity of a malicious agent to attack the host platform or other distributed technologies. Mobile agents and security. Bossardt, Dubendorfer, and Plattner propose a "distributed traffic control service," whereby access to Internet sites is parsed through a level of routing security called "ingress filtering" that is designed to truncate malicious attacks. 2). Risk management for security professionals. Computing with encrypted functions, or the creation of algorithms that are transparent to mobile users but that reflect embedded security functions. 3). Effective protection and implementation are therefore of primary concern not only to IT managers but also to executive managers, whose awareness of their reliance on technology for both obviously complex and seemingly simple organizational operations ought to be high. Today, organizations of any appreciable size are enmeshed in IT. Employees have Internet access. cite the multiplicity of digital devices, from hard drives to mobile phones, RAM chips, and holographic storage, as well as the information they contain. 1).
Costs may also be incurred in a negative way, such as with the loss of technology, opportunity costs, and "inept actions," as well as overkill on unnecessary protective measures. Jansen, Karygiannis, Gavrila, and Korolev elaborate a method of securing enterprise communications and data based on a "policy certificate," or a set of protocols that issue from corporate IT authority and that are distributed to users only according as the technical architecture of the devices they use conform with relevant "digital signatures" that are "enforced at the device" (pp. Computer security incident handling guide: Recommendations of the National Institute of Standards and Technology. Such capabilities drive and manage commerce, schedules, access to information, and so on. 35). Meanwhile, e-mail, pagers, cell phones, BlackBerrys, iPods, and similar devices and capabilities are de rigueur for field representatives, managers, assistants, the public, teenagers, and others. While the focus of this research is on information technology and while IT may be the single most important potential security risk in any state-of-the-art organization, it is well to recognize that IT is one aspect of the more comprehensive enterprise of protecting people, physical plant, and intellectual property. However, as Jansen cautions, the concept may be divorced from its execution. 12). And that list does not even include words that have become a part of the pop-culture lexicon in recent years: viruses, worms, Trojan horses. Gaithersburg, MD: National Institute of Standards and Technology. Jansen, W., & Karygiannis, T. That is not to say that equipment and technology quality are not important but only that the human factor is embedded in effective deployment of the technology in ways distinguishable from such deployment in the security-as-filtering strategy. Computer security: Guidelines for media sanitization, recommendations of the National Institute of Standards and Technology.
Sanitization and Disposition Decision Flow [pic] Source: Kissel, Scholl, Skolochenko, & Li (2 6, p. ix; emphasis added) As Kissel et al. Crosscut shredding may be required, for example. 2-3). Consider that the phenomenon of "texting" has captured the popular imagination in just the past year, and it becomes easy to see why Jansen, as well as Jansen and Jansen and Karygiannis (whose undated texts are nevertheless "dated" by references that reach no further than 1998) are at their most prescient in noting that mobile IT security is an "immature" stage. Gaithersburg, MD: National Institute of Standards and Technology, Computer Security Division. Jansen, W.A., Karygiannis, T., Gavrila, S., & Korolev, V. They attribute this chiefly to the "traditional host orientation" of security analysis, meaning that the principal concerns of organizations are to protect host platforms from mobile attacks, and they acknowledge that protecting the agents is a more complicated problem. (n.d.). Deprivation of IT access and capability represents a significant risk to any technology-dependent organization--and most organizations today are so dependent. This method, which has fused with clearing when applied to certain digital media, is designed to prevent data from being collected via "signal processing equipment and specially trained personnel," such as in a laboratory. They characterize this entire area of concern as an issue of "trust management" (p. Burlington, Mass.: Butterworth Heinemann. Taheri, A. 3). New York: Pantheon Books. ----------------------- [1] Consider the coup scored by the Iranians who in 1978 invaded the U.S. Destruction. In other words, the relevant considerations may become a moving target that IT professionals and managers may have to identify in the future. A specialized and information-driven form of filtering is that of encryption of organizational data. It is a method of risk mitigation.
It comes down to degaussing, or "exposing the magnetic media to a strong magnetic field in order to disrupt the recorded magnetic domains" (p. Unlike the data-filtering security methodologies, which are designed to restrict access to information that is newly created or stored and "live," sanitization security methodologies are designed to restrict access to data that may no longer be mission critical but that nevertheless may be enterprise critical and may contain such historical mission-critical data as may facilitate unauthorized dissemination of organizational or enterprise information. Jansen, Karygiannis, Gavrila, and Korolev (n.d.) caution that proprietary corporate intelligence could be compromised by transmission over insecure wire and wireless devices such as handheld PDAs or portable computers. Their computers are linked by local area networks, or LANs, with architectures of sufficient complexity to justify an IT staff. 3.5) comment that security-related incidents "can occur in countless ways, so it is impractical to develop comprehensive procedures with step-by-step instructions for handling every incident." Thus to be aware of security issues for an organization is to be aware of the primacy of IT security, in its myriad configurations. On the other hand there is the issue of continued IT innovation. Embassy in Tehran and imprisoned some 54 Americans for more than a year when they painstakingly reconstructed hastily shredded intelligence documents that had long lain in the embassy's vaults and that--much to the embarrassment of the U.S. State appraisal, or the level of autonomous access privileges an agent has . Aiming for that appears to be a key way of attempting to manage security issues. That is because, whatever the state of the IT art, human vigilance will remain the touchstone of IT security control. . By and large, the methods proposed are technology-based, involving hardware and software solutions to perceived risks. (Jansen, n.d., pp.
To summarize the issue fronts involved in IT security is a challenge, not so much because of the highly technical nature of much security discourse as because even the unsophisticated user of various kinds of computer technology is likely to be aware that security experts are continually playing catch-up. Compared to the filtering methodologies, which rely on creative deployment of hardware and software technology as well as protocols designed to maximize the power of such technology, sanitization methodologies are dependent first on the protocols and secondarily on effective deployment of such tools as may guarantee effective disposal. Kissel et al. Jansen identifies operational protocols at the level of technology installation and at the level of periodic audits. Properly categorized information and media is meant to facilitate "a sanitization process that will ensure adequate protection of the system's information" (Kissel et al., 2 6, p. Gaithersburg, MD: The National Institute of Standards and Technology. Kissel, R., Scholl, M., Skolochenko, S., & Li, X. (n.d.). Despite its spotty history, shredding of digital media may be effective, as long as the "shred size of the refuse" is small enough to guard against information reconstruction (p. In that connection, Grance, Kent, and Kim (2 4, p. The import of that assertion reaches meaning not so much in terms of, say, an individual who decides not to order from Amazon.com any more, as in terms of a corporate industrial organization that ends e-commerce with a vendor whose compromised IT architecture might have damaged a multimillion-dollar online transaction. Such technology is linked to "home platforms," such as an organization's computer server, but it also has interface outreach capability. script kiddies) to carry out even large-scale attacks" (p. 17). So much for the idea; implementation that would not inhibit end users' flexibility remains elusive. 7-8).
The organization is likely to have an "Internet presence," meaning its public/marketplace identity is in part a function of IT management, irrespective of how effectively management has deployed that presence to the organization's advantage. (2 6, September). 8). Proof carrying code, or software- and hardware-authentication procedures programmed into mobile devices and keyed to home platform protocols . Accordingly, only read-write digital media that could be efficiently overwritten would be relevant to clearing protocols. . Indeed, Fisher predicts that authenticated e-mail will be the next step in security to suppress and dispose altogether of the "phishing" phenomenon. The encryption option is a form of security based on some version of hardwired IT architecture, algorithms, digital signatures, and/or hierarchical levels of password-protected access. Clearing, purging, and destroying are therefore considered relevant to the protocols of sanitization. Tumbleweed email firewall. Roper introduces the concept of security consciousness as a mechanism for guiding risk management, which he characterizes as "the core business process of security protection" (Roper, 1999, p. Kissel et al. 13). That means they desire the benefits associated with instantaneous and flexible, not to say powerful, IT-based communications and operational, productivity, and/or analytical tools. Synchronization between an organization's main computer network, individual enterprise workstations, remote handheld devices, home workstations, cell phones, and the like are desirable utilities. The varieties of e-mail and Web site access, combined with occasional published reports of DDoS and/or network breakdowns, point up the security vulnerabilities that may affect individuals, private-sector enterprises, and government intelligence. Because degaussing equipment varies in power, purging may not be sufficient for all situations.
To be sure, not all assets merit the same level of protection, but the hard truth is that information technology is implicated in risk, threat, vulnerability, anticipated impact on the value of organizational assets because so many operations of an organization are technology driven.

Copyright 2003-2004
doingmyhomework.com.
All rights reserved.