FIGURE 14.2 Security Technologies by OSI Layer
Layer #1: Perimeter (web servers, mail servers, etc.)
  Technologies: firewalls; VPN encryption; network-based anti-virus
  Pros: lots of vendor solutions; easy to implement
  Cons: hackers can easily penetrate it

Layer #2: Network (LAN/WAN)
  Technologies: intrusion detection systems (IDS); vulnerability management systems; network access control; user control/authentication
  Pros: solutions provide deep security that is not easy to breach, plus regular monitoring
  Cons: IDS tend to report false alarms; some solutions are better suited to specific network devices than to the network as a whole

Layer #3: Host security (individual computer, server, router, etc.)
  Technologies: host IDS; host anti-virus
  Pros: solutions provide good operational protection at the device level
  Cons: time-consuming to deploy, as they are fine-tuned for individual devices

Layer #4: Application
  Technologies: public key infrastructure (PKI); RSA; access control/authentication
  Pros: encryption provides robust security
  Cons: overhead results in slower system response

Layer #5: Data
  Technologies: encryption
  Pros: solutions provide good security
  Cons: dependent on good organizational policies and good execution by the data steward
Some computer crimes take advantage of unwary users by spoofing, a technique in which a Web site that mimics a legitimate site is set up for the purpose of misleading or defrauding an Internet user. A message board or e-mail might be used to direct the victim to the spurious site, or the spoofer might simply register a close variant of another site's URL (a typo, a look-alike character, or a different top-level domain) to catch people who make an innocent typing mistake. Luring the victim to the site in this way is a form of social engineering.
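The "close variant of another site's URL" trick can be checked for mechanically. The following is an added example (not code from the textbook) that compares a hostname against a list of legitimate sites and reports the kind of imitation it finds: a misspelling, look-alike characters, the right name under the wrong top-level domain, the brand embedded in a longer name, or the legitimate name used as a subdomain of an attacker's domain. The brand list and sample hostnames are constructed for illustration, and the registrable-domain split assumes a single-label public suffix.

```python
"""Flag hostnames that are close variants of legitimate sites.

Added example; not from the textbook.  The brand list and the sample
hostnames at the bottom are constructed for illustration.
"""

LEGITIMATE = {"example.com", "examplebank.com", "mycorp.org"}

# Substitutions that look alike in common fonts, longest first so that
# 'rn' is rewritten to 'm' before the single-character rules run.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d"),
              ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t")]


def normalize(label):
    """Map look-alike characters to the letters a victim reads them as."""
    s = label.lower()
    for src, dst in HOMOGLYPHS:
        s = s.replace(src, dst)
    return s


def osa_distance(a, b):
    """Optimal string alignment distance: insert/delete/substitute plus
    adjacent transposition, so 'exmaple' is 1 step from 'example', not 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def registrable(host):
    """Return (label, tld): 'www.example.com' -> ('example', 'com').
    Assumes a one-label public suffix; production code would consult the
    Public Suffix List so that 'example.co.uk' splits correctly."""
    parts = host.lower().strip(".").split(".")
    return (parts[-2], parts[-1]) if len(parts) >= 2 else (parts[0], "")


def classify(host, legitimate=LEGITIMATE, max_distance=1):
    """Return None for a legitimate host (or a subdomain of one); otherwise a
    short reason naming the site being imitated, or 'unknown'."""
    host = host.lower().strip(".")
    label, tld = registrable(host)
    if f"{label}.{tld}" in legitimate:
        return None
    norm = normalize(label)
    # Longest brand first, so 'examplebank-login.com' is tied to examplebank, not example.
    for good in sorted(legitimate, key=lambda h: -len(h)):
        glabel, gtld = registrable(good)
        if f"{good}." in f"{host}.":
            return f"legitimate name {good} used as a subdomain of {label}.{tld}"
        if label == glabel and tld != gtld:
            return f"wrong TLD for {good}"
        if norm == glabel:
            return f"homoglyph of {good}"
        if osa_distance(norm, glabel) <= max_distance:
            return f"typo of {good}"
        if glabel in label:
            return f"embeds {good}"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample hostnames, e.g. as seen in mail or proxy logs.
    SAMPLE = ["www.example.com", "exmaple.com", "examp1e.com", "example.net",
              "examplebank-login.com", "example.com.evil.net", "rnycorp.org",
              "unrelated.io"]
    for h in SAMPLE:
        print(f"{h:24} -> {classify(h)}")
```

The edit-distance threshold is the same trade-off the figure notes for IDS: `max_distance=1` catches single typos and transpositions, and raising it to 2 would also flag unrelated names such as `sample.com` against `example.com`, so a wider net means more false alarms for someone to triage.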
Most of today's organizations have invested in a variety of technologies for each layer of the OSI model, beginning with firewalls at the perimeter, followed by automated virus-scanning technologies, physical security systems, spyware/adware detection software, automated or manual "patch" management, and other sophisticated network traffic monitoring and tracking tools, or have contracted with service providers to provide such security (see Figure 14.2). Identifying and justifying these types of technologies is an IT manager's responsibility, but all managers responsible for information security compliance should be kept apprised of the technology basics so that they can participate in decisions about capital investments as part of an organization's approach to security management.
In the next section we discuss the relatively new organizational role responsible for information security: the Chief Security Officer role. However, good security management also depends on alert and dedicated IT employees. For examples of computer crimes thwarted (or minimized) through the actions of skilled IT employees, see the box "E-Crimes Solved by IT Professionals."
E-Crimes Solved by IT Professionals
Defacement of a Web site: the defacer was tracked down; he was convicted and served three years in a federal prison.
Attempt to plant logic bombs and password sniffers: non-American hackers (Asian and Eastern European) were detected and the threat was avoided.
Infected PC of a contractor was spreading a virus: it was caught within the first hour of being online.