Threat Assessment
When attempting to assess the threat level for an organization, administrators must consider a number of factors. The first has already been mentioned: the attractiveness of the system to hackers. Some systems attract hackers due to the systems’ monetary value. The systems of financial institutions provide tempting targets for hackers. Other systems attract hackers because of the public profile of the organizations they support. Hackers are attracted to government systems and computer security websites simply because of their high profiles. If a hacker successfully gets into one of those systems, he will achieve fame and prestige in the hacker community. Academic institutions also receive a high frequency of hacking attempts. High schools and colleges have a large population of younger, computer-savvy students. The number of hackers and would-be hackers among such a group is likely to be higher than in the general populace. Additionally, academic institutions do not have a good reputation for information security.
The second risk factor is the nature of the information on the system. If the system has sensitive or critical information, then its security requirements are higher. Personal data such as Social Security numbers, credit card numbers, and medical records have a high security requirement. Systems with sensitive research data or classified information have even higher security needs.
A final consideration is traffic to the system. The more people who have some sort of remote access to the system, the more security dangers exist. For example, a number of people access e-commerce systems from outside the network. Each of these connections represents a danger. If, on the other hand, a system is self-contained with no external connections, its security vulnerabilities are reduced.
Considering these factors together (the attractiveness of the system to hackers, the nature of the information the system stores, and the number of remote connections to the system) allows administrators to provide a complete assessment of security needs.
The following numerical scale can provide a basic overview of a system’s security requirements.
Three factors are considered (attractiveness, information content, and security devices present). Each of those factors is given a numeric designation between 1 and 10. The first two are added together, and then the third number is subtracted. The final score ranges from –8 (very low risk, high security) to 19 (very high risk, low security); the lower the number the less vulnerable the system, the higher the number the greater the risk. The best rating is for a system that:
- Receives a 1 in attractiveness to hackers (that is, a system that is virtually unknown, has no political or ideological significance, etc.).
- Receives a 1 in informational content (that is, a system that contains no confidential or sensitive data).
- Receives a 10 in security (that is, a system with an extensive layered, proactive security system complete with firewalls, ports blocked, antivirus software, IDS, antispyware, appropriate policies, all workstations and servers hardened, etc.).
Evaluating attractiveness is certainly quite subjective. However, evaluating the value of informational content or the level of security can be done with rather crude but simple metrics. This system will be reiterated and then further expanded in Chapter 12, “Assessing System Security.”
Obviously, this evaluation system is not an exact science and is contingent to some extent on a personal assessment of a system. This method does, however, provide a starting point for assessing a system’s security, although it is certainly not the final word in security metrics.
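The scale described above, applied to a small inventory, as an added example that is not part of the original text. The system names and ratings are constructed, and `SystemRating`, `score_bounds` and `rank` are hypothetical names introduced here.

```python
from dataclasses import dataclass

FACTOR_MIN, FACTOR_MAX = 1, 10  # each factor is rated from 1 to 10


@dataclass(frozen=True)
class SystemRating:
    name: str
    attractiveness: int  # appeal of the system to attackers
    information: int     # sensitivity of the data it holds
    security: int        # strength of the security measures present

    def __post_init__(self):
        # Reject ratings outside the 1-10 scale instead of scoring them.
        for field in ("attractiveness", "information", "security"):
            value = getattr(self, field)
            if not isinstance(value, int) or not FACTOR_MIN <= value <= FACTOR_MAX:
                raise ValueError(f"{self.name}: {field} must be 1-10, got {value!r}")

    @property
    def score(self) -> int:
        # The first two factors are added, then the third is subtracted.
        return self.attractiveness + self.information - self.security


def score_bounds():
    """Enumerate every valid rating to confirm the range of the scale."""
    r = range(FACTOR_MIN, FACTOR_MAX + 1)
    scores = [SystemRating("x", a, i, s).score for a in r for i in r for s in r]
    return min(scores), max(scores)


def rank(systems):
    """Order systems from highest score (greatest risk) to lowest."""
    return sorted(systems, key=lambda s: s.score, reverse=True)


# Constructed sample inventory; names and ratings are illustrative only.
INVENTORY = [
    SystemRating("online-banking", 10, 10, 10),
    SystemRating("student-records", 7, 8, 3),
    SystemRating("lab-test-box", 1, 1, 1),
    SystemRating("intranet-wiki", 2, 3, 6),
]

if __name__ == "__main__":
    print("scale range:", score_bounds())
    for s in rank(INVENTORY):
        print(f"{s.score:>3}  {s.name}")
```

Because security is subtracted one-for-one, the constructed banking system with the maximum security rating still scores 10, well above the unsecured but obscure lab box at 1.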
