Skip to main content

Network Security

     During our fourth week of class, we were asked to explain the importance of information and system security for individuals and organizations.


     Keeping information secure is vital for any person or company.  If personal data is not secure, a person will have to worry about have portions of their identity potentially stolen.  If a company does not make sure that its data is secure, then they will have to worry about many different factors that will affect their customers, suppliers, employees, etc.  When examining information security, there are many different methods that can be used to gain access to data that would be otherwise secured.  In a previous assignment, we used the ping and tracert commands to determine the connectivity of different websites.  These commands can also be used in nefarious ways to attack personal or commercial technological infrastructure.  In addition to those two commands, there are many other different ways to attack an information network.  Two other examples are social engineering and password cracking.  An essential factor of information security that often gets ignored is the physical security of any hardware that may store potentially valuable data.

     Using malicious software, a computer hacker can use the ping command to overwhelm an information system.  This type of attack is often called a Distributed Denial of Service.  This attack stops people from accessing data sources on a network.  The attack is initiated by using software to send the ping command to a targeted server in quantities so large that the networking hardware and software cannot keep up.  DDoS attacks are often used to distract companies from other methods of attack being deployed to their systems.  Most companies used third-party services to monitor their network and help mitigate the threat of DDoS attacks on their network.  Overall, there usually is not much damage that happens from a DDoS attack.  The most common symptom and purpose of a DDoS attack is a service disruption.  That means the attackers are hoping to stop a company’s customers from being able to do business with the company.  Other potential types of damage can include loss of data, increased costs, or other types of damage.  In order to mitigate the threat of receiving a DDoS attack, a company needs to make sure that their IT support is trained to recognize that a DDoS attack is happening.  If the support staff does not recognize the signs, they will not be able to stop the attack.  Another, more efficient method for preventing DDoS attacks is to hire an external service provider who specializes in DDoS attacks.

     Another type of computer security incident is social engineering.  Social engineering attacks are focused on the most significant weakness of any information network, the people who are actually using the network.  There are many different methods that can be employed to facilitate a social engineering attack.  One of the most common social engineering attacks is to send a fake email from a company’s tech department requesting the login credentials of a user.  If deployed correctly, the email will appear to be from a valid resource and the user will send them their login information.  Another common social engineering method is sending emails to a personal email address with a fake story that makes the user believe that if they provide the requested information, they will receive a large sum of money in their bank accounts.  This type of attack is usually used to gather the information needed to attempt to steal the identity of a person.  Another type of social engineering is called a dead drop.  This strategy is used by loading malicious software onto a selection of USB storage drives.  The drives are then “accidentally” dropped outside of a targeted company’s doorway.  This type of attack can be very successful because a person’s curiosity will usually have them plug the drive into their computer which will then allow the malicious software into an information network.  One way to mitigate this type of attack is to use a computer policy that explicitly disables the USB ports on any computer within an infrastructure.  If the ports are disabled, then the USB drive will not be able to deploy any malicious software.  Another much more significant way for a company to protect their data is to ensure that their employees are attending regular information security training.  If protocols are not established or followed, the network of a company will have a high risk of being attacked.  The potential damage of a social engineering attack can vary from as small as infecting one computer to infecting an entire network with ransomware or potentially erasing all data located on any infected server.

     A third type of information security attack is password cracking.  This type of attack uses software to try multiple passwords for a set of login credentials until it “guesses” the correct password.  This type of attack was much more prevalent in the past because users were not often informed about needing to create a complex password, and there also was not many programs that could detect password cracking.  The main function of a password cracking attack is to gain access to a network by using the login credentials of a user.  As with social engineering, once a nefarious person has unlimited access to your system, they can accomplish an extensive range of activities.  The damage can range from as small as compromising the data of a single computer to allowing a hacker to potentially delete any information that they can find.  There are many different ways to protect from password cracking attacks.  First, a company can use software that will “lockout” a user account once a specified number of bad login attempts are completed.  Once the user account is locked, the person must contact their IT support to have the account unlocked.  A second method that is being employed more often is to enable two-, three-, or more factored authentication.  This means that a user must use multiple different methods to prove their authentication.  Most often the second form of authentication is established by asking security questions.  However, a company can also issue out software or hardware security tokens, such as RSA.

References

Vahid, F., & Lysecky, S. (2017). Computing technology for all. Retrieved from zybooks.zyante.com/
Andress, J. (2014, December). The Basics of Information Security. Retrieved June 25, 2018, from https://searchsecurity.techtarget.com/feature/The-Basics-of-Information-Security
Staff, T. (2017, May 19). The 7 Basic Principles of IT Security. Retrieved June 25, 2018, from https://www.techopedia.com/2/27825/security/the-basic-principles-of-it-security

Labels:

Comments

Post a Comment

Popular posts from this blog

CPT 200: Fundamentals of Programming Languages

    During my quest to obtain a Bachelor of Information Technology from Ashford University, my fourth class was CPT 200: Fundamentals of Programming Languages.  For that class, the programming language that is taught is Python 3.     On the first week of class, we were asked to create code that would ask a user to input several pieces of information about any specific employee.  We were to use the variables: employeeName, employeeSSN, employeePhone, employeeEmail, and employeeSalary.  After the data was inputted, it needed to be printed on the screen.  Below was what I turned in for Functionality 1:     During the second week of class, we were to read two chapters: Chapter 3: Types and Chapter 4: Branching.  These chapters introduced us to the different types of variables that can be used within Python as well as how to use branching in your scripts. For the second functionality, we were instructed to adjust our code to allow for 5 different employees to be input into the system
Post a Comment
Read more

CPT 200: Employee Management System Final Project

import sys import csv employeeList = {} employeeImport = {} lstMenuOption = ('1', '2', '3', '4', 'Q') edtMenuOption = ('1', '2', '3', '4', '5', 'Q') validation = False #initialize validation check to "False" menuSelection = None numEmployees = None num = 1 def cls():     print('\n'*50)     def main_menu():     totalEmployees = len(employeeList) #Display number of employees in the databse     print('{:~^79}'.format('~'))     print('{:~^79}'.format('                              '))     print('{:~^79}'.format('  Employee Management System  '))     print('{:~^79}'.format('          James Hardy         '))     print('{:~^79}'.format('                              '))     print('{:~^79}'.format('~'))     print(' ')     print('{:^79}'.format('There are (%d) employees in the
Post a Comment
Read more

CPT 200: Functionality 3 - Loops and Functions

import sys employeeList = {} lstMenuOption = ('1', '2', '3', 'Q') #i = 0 #loop count variable validation = False #initialize validation check to "False" menuSelection = None numEmployees = None num = 1 def main_menu():     print('-----------------------------------------------------')     print('(1) Add new employee(s)')     print('(2) View all employees in the database')     print("(3) Check employee's information")     print('(Q) Exit\n')     totalEmployees = len(employeeList) #Display number of employees in the databse     print('There are (%d) in the database' % totalEmployees)     print('-----------------------------------------------------')     option = input('Please select an option from the menu: ')     return option def valid(option): #Function to validate menu selection     if (option.isnumeric() == True):         if option in lstMenuOption:             return True
Post a Comment
Read more