Consider this

Susan Student stopped by the electronics store in the shopping centre to drop off her
flatmate’s mobile phone to be repaired. Susan couldn’t understand why Rhonda
Roommate wanted a phone in the unit. Susan used her mobile phone for all her calls
and for exchanging text messages with her friends. When Susan was not using her
phone, she kept connected by e-mail and instant messaging on her desktop
computer (cable internet) or a lab computer at her college.

As Susan walked through the store she stopped to gaze at a new notebook computer
like the one she planned to purchase next week. Susan had been using the Internet
to compare different notebook computers and had decided to make her purchase
online, which would save her hundreds of dollars.

Susan was surprised to see a long line of customers at the repair desk with their
personal computers. As she waited in line, Susan overheard some of the
conversations. She then remembered reading that the “Blaster” worm had been
released through the Internet over the weekend. Perhaps these customers’
computers had become infected by the worm and needed to be worked on by a
technician.

At the desk an older gentleman was telling the repair clerk that his computer had
been “hit” by the Blaster worm. The repair clerk asked the gentleman, “Did you bring
your operating system’s recovery disk?” “What’s a recovery disk?” the man asked.

Behind Susan two women struck up a conversation about their experiences. “That
worm infected my computer and now it won’t turn on!” one woman complained. “The
same thing happened to me,” said the other woman. “It made the color on my
printer fade. I hate these worms.”

Two young men in line next to Susan were also talking about what happened.
“Someone told me that anti-virus software couldn’t stop a worm. Only a firewall will
stop a worm.”
The other man replied, “I tried to download the patch from Microsoft for my firewall,
but the worm got to it first.”

Susan was puzzled. She thought to herself, “I didn’t know a worm could do all these
things.” But she wasn’t completely sure that the worm caused all these problems.
After all, the color on her printer started to fade last month because it ran out of ink.
Susan began to wonder if her computer had been infected. She quickly left the store
and hurried back to her unit.

“Why all the fuss?” asked Rhonda Roommate as Susan Student sat down at her
computer. Susan repeated the conversations she overheard in the store and told
Rhonda that she was worried the Internet worm had attacked her computer, too.

“So what if it did? What’s the worst that could happen?” Rhonda asked.
Susan said that she had heard stories of worms stealing or even erasing data off of a
computer.
“Can’t you just put it all back?” Rhonda said.
Susan replied, “Rhonda, this is the only place I have this stuff. If it’s erased, then it’s
all gone. And besides, remember when my computer broke last year and I couldn’t
use it for a whole week? I was completely lost!” Susan continued feverishly clicking
on her mouse and looking over her screen.
After several minutes Rhonda said, “Hey Susan, how will you know if you find the
worm?”
Susan suddenly stopped and stared at Rhonda. “I don’t know.”

Susan Student put down her fork. Several of her friends were eating lunch in the
cafeteria together. The Blaster worm had attacked the college computers and forced
the college to disconnect from the Internet until the damage could be repaired and
new security software installed. Susan’s economics class was cancelled because they
could not use the computers in the lab.

“Teenagers,” said Fran Friend. “They’re the ones who write these worms. They’ve got
too much free time on their hands, and all they do is play games and write worms.
I’m sick of it!”

“I don’t know,” said Paula Pal. “My younger brother’s really smart about computers,
but I don’t think he could do that. I read that companies that sell security hardware
write the worms so people will have to buy their stuff.”

Just then Peter Professor walked by their table.
“Who do you think writes these worms?” asked Susan.
Peter smiled and said, “Teachers. They do it to cancel classes.”

THE SECURITY POLICY

SAFEGUARDING A SYSTEM
Of course, knowing that your system is vulnerable is one thing. Knowing how to
protect your system and minimize its vulnerabilities is quite another. There are three
major steps to making something secure, whether it is a computer, a car stereo, or a
mobile phone. The first step is to identify the bad things that can happen to it. The
second step is to restrict who can legitimately use it. The last step is to put these all
together into a plan of action.
In this section, you learn the basics of safeguarding a system. To aid your
understanding, the discussion will also include a parallel discussion of protecting a
car radio. This is done to help you visualize the situation more clearly.

Identifying, Analyzing, and Controlling Risks

Susan Student was still worried about her computer being attacked by a worm but
did not know what to do in order to make her computer more secure. However, she
had other things to do.

Susan sat down at her kitchen table with a brochure and prices for an expensive car
stereo. Susan is considering buying one for her car. However, she has heard of some
car break-ins at a townhouse complex nearby and is concerned about how safe a
new stereo would be.

Susan first thinks about where she parks her car at night. Billy Boyfriend in the unit
downstairs always parks his truck underneath the security light. Susan believes that
Billy would swap parking places with her so she could park her car under the security
light. If that didn’t work, Susan knows that she could rent one of the separate
parking garages and lock her car in it each evening.

Without realizing it, Susan has performed many of the same steps that information
security professionals go through when evaluating security for a computer. When
Susan sat down at her kitchen table to consider the advantages and disadvantages
of buying the new car stereo and how she would protect it, she was performing risk
management.

Risk management is a systematic process for identifying, analyzing, and controlling
risks. Most decisions involve evaluating risk.
- Should I buy a new car now? (There’s a risk that I might not be able to afford it.)
- Is moving closer to the beach the right decision? (There’s a risk of cyclones that could destroy the house.)
- Should we open up a new factory this summer? (There’s a risk that there may not be enough sales to support it.)
Risk assessment, which is one part of risk management, is the process of evaluating
risks. It weighs the risk against the potential benefits to determine if the risk should
be taken.

Formalized Security Policy
Because Susan’s roommate Rhonda occasionally borrows her car, Susan decides that
before she buys the new stereo system she needs to make clear to her roommate
where the car is to be parked and how it is to be used.
And above all, Susan wants to let her know that absolutely nobody else can borrow
the car without Susan’s knowledge.

The final phase is one of the most important because it ties everything together.
Susan is establishing a security policy that outlines how the new stereo will be kept
safe.

In order for a computer system to be secure the organization must have a
comprehensive and enforced security policy. This policy outlines the importance of
security to the organization. It establishes the policy’s goals, how the security
program is organized, and who is responsible at the various levels. A security policy
will also sketch out details such as acceptable use, privacy, and password
management.

				