Information Technology Security. Advice from Experts

Chapter List

Chapter VI: Wireless Information Security

Chapter VII: Reference Materials

Section Overview

This section reviews several information security technologies that are critical to just about every organization that has information systems. Written for executives and senior managers who are aware of some of the technology components but who are not experts overviews about protecting computer operating systems, wireless local area networks (LANs), data obsolescence, data recovery, public key infrastructure, biometrics and smartcards are provided.

The objective is to expose technologies that are close to full market acceptance and introduction, and that are useful to security engineers , senior managers and executives as they prepare budgets and resource plans.

Overall Strategy

Given the multiple methods , technologies and objectives applied by hackers, crackers, teenagers and employees to gain unauthorized access to information assets, the management strategy to defeat their efforts also requires a multi- faceted approach. As an omnipresent enabler , technology plays a key role in automatically closing, sensing, locating, identifying and documenting intrusive and unapproved access to information systems and networks.

When properly selected, installed and configured, technology systems provide 24 x 7 support to security experts and engineers who can provide the necessary analysis and final decisions concerning intrusions, equipment failure, software error, or planned security testing. In general, technology security barriers are grouped into:

• Infrastructure Protection: provides a base-level foundation upon which enables higher levels of security to successfully inter- operate and communicate successfully

• Operating System and Application Software Protection: Securing or isolating the operating and application software against authorized changes and modifications by removing unused software components and requiring that all changes be made by the system administrator under configuration management processes

• Hardware Verification: provides an irrefutable identity code embedded in hardware that is not easily or cheaply changed and can be used for auditing and user verification purposes

• Planning and Managing Data Obsolescence: ensures that data collected and stored over many years time can be successfully recovered and utilized despite changes in technical standards and performance

• Backup and Recovery Protocols: enables the accurate duplication and recovery of information currently used by the organization, should a non-recoverable hardware failure occur

• Authorized System Access Methods: provides various levels of authentication support to ensure that only authorized people and systems can gain access to information and networks

• Security System Verification: verifies that the security systems are working as planned, in accordance with generally accepted industry standards, policies and practices

Applied together with a solid architecture and governance foundation, equipment and software provide substantial protection from multiple threats inside and outside the organization. Of course, there is no perfect security solution the computing and communications markets are too innovative, dynamic and market driven to agree on the rigid standards that type of draconian approach would require.

Infrastructure Protection

The computing infrastructure for most organizations provides the dial tone services, including network operations, telecom and data transport, system integration of commercial-off-the-shelf (COTS) software, Domain Name Services (DNS), enterprise directory services (single password across all systems) and ongoing support operations. Protection of the infrastructure involves physical security of data center computing equipment, data libraries and tape or disk backups , and redundant network access points to avoid single points of failure. In addition, redundant power sources are available and hardened (protected) to ensure continuity of operations in case of commercial power outages due to power grid failure or weather related problems.

Protecting the physical infrastructure is a traditional IT activity that has been successfully accomplished there are very few reports about data centers being physically attacked by terrorists or intruders, and even fewer reports of any physical thefts occurring. Staff members , according to published reports, have caused virtually all thefts from inside data centers.