2004 ICM Problem: To Be Secure or Not to Be?

You probably know about computer hackers and computer viruses. Unless your computer has been targeted by one, you may not know how they could affect an individual or an organization. If a computer is attacked by a hacker or virus, it could lose important personal information and software.

The creation of a new university campus is being considered. Your requirement is to model the risk assessment of information technology (IT) security for this proposed university. The narrative below provides some background to help develop a framework to examine IT security. Specific tasks are provided at the end of this narrative.

Computer systems are protected from malicious activity through multiple layers of defenses. These defenses, including both policies and technologies (Figure 1), have varying effects on the organization’s risk categories (Figure 2).

Figure 1 – Preventative Defensive Measures

Management and usage policies address how users interact with the organization’s computers and networks and how people (system administrators) maintain the network. Policies may include password requirements, formal security audits, usage tracking, wireless device usage, removable media concerns, personal use limitations, and user training. An example password policy would include requirements for the length and characters used in the password, how frequently they must be changed, and the number of failed login attempts allowed. Each policy solution has direct costs associated with its implementation and factors that impact productivity and security. In Figure 1, only the topmost branch is fully detailed. The structure is replicated for each branch. 

The second aspect of a security posture is the set of technological solutions employed to detect, mitigate, and defeat unauthorized activity from both internal and external users. Technology solutions cover both software and hardware and include intrusion detection systems (IDS), firewalls, anti-virus systems, vulnerability scanners, and redundancy. As an example, an IDS monitors and records significant events on a specific computer or from the network, examining data and providing an “after the fact” forensic ability to identify suspect activity. SNORT (www.snort.org) is a popular IDS solution. Figure 1 provides a sample of key defensive measures (management/usage policies and technology solutions). As with a policy, a technology solution also has direct costs, as well as factors that impact productivity and security.

Sources of risk to information security include, but are not limited to, people or hardware within or outside the organization (Figure 2). Different preventive defensive measures (Figure 1) may be more effective against an insider threat than a threat from a computer hacker. Additionally, an external threat may vary in motivation, which could also indicate different security measures. For example, an intruder who is trying to retrieve proprietary data or customer databases probably should be combated much differently from an intruder who is trying to shut down a network.

Potential costs due to information security that an organization may face (Figure 2) include opportunity cost, people, and the cost of preventative defensive measures. Significant opportunity costs include: litigation damages, loss of proprietary data, consumer confidence, loss of direct revenue, reconstruction of data, and reconstruction of services. Each cost varies based on the profile of the organization. For example, a health care component of the university might have a greater potential for loss due to litigation or availability of patient medical records than with reconstruction of services.

Figure 2 - Economic Risk schematic for IT systems

An organization can evaluate potential opportunity costs through a risk analysis. Risks can be broken down into three risk categories: confidentiality, integrity, and availability. Combined, these categories define the organization’s security posture. Each of the categories has different impacts on cost depending on the mission and requirements of the organization. Confidentiality refers to the protection of data from release to sources that are not authorized to access it. A health care organization could face significant litigation if health care records were inadvertently released or stolen. The integrity of the data refers to the unaltered state of the data. If an intruder modifies pricing information for certain products or deletes entire data sets, an organization would face costs associated with correcting transactions affected by the erroneous data, the costs associated with reconstructing the correct values, and possible loss of consumer confidence and revenue. Finally, availability refers to resources being available to an authorized user, including both data and services. This risk can manifest itself financially in a manner similar to confidentiality and integrity.

Each measure implemented to increase the security posture of an organization will impact each of the three risk categories (either positively or negatively). As each new defensive security measure is implemented, it will change the current security posture and subsequently the potential opportunity costs. A complicated problem faced by organizations is how to balance their potential opportunity costs against the expense of securing their IT infrastructure (preventative defensive measures).

Task 1: You have been tasked by the Rite-On Consulting Firm to develop a model that can be used to determine an appropriate policy and the technology enhancements for the proper level of IT security within a new university campus. The immediate need is to determine an optimal mix of preventive defensive measures that minimizes the potential opportunity costs along with the procurement, maintenance, and system administrator training costs as they apply to the opening of a new private university. Rite-On contracted technicians to collect technical specifications on current technologies used to support IT security programs. Detailed technical data sheets that catalog some possible defensive measures are contained in Enclosures A and B. The technician who prepared the data sheets noted that as you combine defensive measures, the cumulative effects within and between the categories confidentiality, integrity, and availability cannot just be added.

The proposed university system has 10 academic departments, a department of intercollegiate athletics, an admissions office, a bookstore, a registrar’s office (grade and academic status management), and a dormitory complex capable of housing 15,000 students. The university expects to have 600 staff and faculty (non IT support) supporting the daily mission. The academic departments will maintain 21 computer labs with 30 computers per lab, and 600 staff and faculty computers (one per employee). Each dorm room is equipped with two (2) high speed connections to the university network. It is anticipated that each student will have a computer. The total computer requirements for the remaining department/agencies cannot be anticipated at this time. It is known that the bookstore will have a Web site and the ability to sell books online. The Registrar’s office will maintain a Web site where students can check the status of payments and grades. The admissions office, student health center, and the athletic department will maintain Web sites.

The average administrative employee earns $38,000 per year and the average faculty employee earns $77,000 per year. Current industry practice employs three to four system administrators (sys admin) per sub-network and there is typically one (1) sys admin (help desk support) employee per 300 computers. Additionally, each separate system of computers (for web hosting or data management) is typically managed by one (1) sys admin person.

The current opportunity cost projection (due to IT) with no defensive measures is shown in Table 1. The contribution of various risk categories (Confidentiality, Integrity, and Availability) to a given cost is also shown in Table 1.

Table 1: Current Opportunity costs and Risk Category contributions
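
The interaction described in Task 1, where combined measures "cannot just be added", can be made concrete with a small cost model; this is an added example, not part of the original problem statement. The multiplicative combination rule is one assumed choice among many, and every figure below is constructed rather than taken from Table 1 or Enclosures A and B.

```python
from itertools import combinations
from math import prod

# All numbers are constructed sample data, not values from the problem's tables.
# Opportunity cost items: (annual cost with no defenses, share due to C, I, A).
OPPORTUNITY = {
    "litigation":          (400_000, (0.6, 0.3, 0.1)),
    "data_reconstruction": (200_000, (0.0, 0.7, 0.3)),
    "service_downtime":    (300_000, (0.0, 0.1, 0.9)),
}
# Measures: (annual cost, fractional risk reduction for C, I, A).
# A negative value means the measure makes that category worse.
MEASURES = {
    "firewall":        (60_000,  (0.40, 0.30, 0.20)),
    "ids":             (120_000, (0.30, 0.30, 0.10)),
    "password_policy": (20_000,  (0.25, 0.15, -0.05)),
    "redundancy":      (150_000, (0.00, 0.10, 0.60)),
}

def residual_risk(chosen):
    """Assumed rule: each measure scales the risk the others leave behind."""
    return tuple(prod(1 - MEASURES[m][1][k] for m in chosen) for k in range(3))

def additive_residual(chosen):
    """Naive rule the data sheets warn against: reductions simply summed."""
    return tuple(1 - sum(MEASURES[m][1][k] for m in chosen) for k in range(3))

def total_cost(chosen, combine=residual_risk):
    """Cost of the measures plus the opportunity cost that remains."""
    left = combine(chosen)
    remaining = sum(amount * sum(w * r for w, r in zip(shares, left))
                    for amount, shares in OPPORTUNITY.values())
    return sum(MEASURES[m][0] for m in chosen) + remaining

def best_mix():
    """Exhaustive search over every subset of measures (fine for small sets)."""
    subsets = (c for n in range(len(MEASURES) + 1)
               for c in combinations(sorted(MEASURES), n))
    return min(subsets, key=total_cost)

if __name__ == "__main__":
    mix = best_mix()
    print(mix, round(total_cost(mix)))
    everything = tuple(sorted(MEASURES))
    print("all, multiplicative:", round(total_cost(everything)))
    print("all, additive:      ", round(total_cost(everything, additive_residual)))
```

With this sample data the IDS pays for itself when deployed alone but drops out of the cheapest mix, because the other measures have already removed most of the risk it would address; the additive rule hides that effect and understates the remaining cost.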

Task 2: We know that technical specifications will change rapidly over time. However, the relations and interplay among costs, risk categories, and sources of risk will tend to change more slowly. Create a model for the problem in Task 1 that is flexible enough to adapt to changing technological capabilities and can be applied to different organizations.

Carefully describe the assumptions that you make in designing the model. In addition, provide an example of how the university will be able to use your model to initially determine and then periodically update their IT security system.

Task 3: Prepare a three-page position paper to the university President that describes the strengths, weaknesses, and flexibility of your model in Task 2. In addition, explain what can be inferred and what should not be inferred from your model.

Task 4: Explain the differences that may exist in the initial Risk Category Contributions (Table 1) if you model IT security for a commercial company that provides a search engine for the World Wide Web (such as Google, Yahoo, AltaVista, … ). Will your model work for this type of organization?

Task 5: Honeynets are designed to gather extensive information on IT security threats. Write a two-page memo to your supervisor advising whether a university or a search engine company should consider using a honeynet. 

Task 6: To become a leader in IT security consulting, Rite-On Consulting must also take an active role in anticipating the future direction of information technology and advising companies on how to respond to future security risks. After performing your analysis, write a two-page memo to the President of Rite-On to inform him of the future of IT security. In addition, describe how your model can be used to anticipate and respond to the uncertain future.