Security Policy

Security Policy, whats that?

Security Policy is the definition of what it means to be secure whether for a organisation or system.

For organisations, the security policies focuses on physical security like doors, wall and keys. For systems, it deals with constraints on functions, restrictions on access by external systems and other things including access control by any user and programs.

In this post, I would type about a few types of Security Policies, just like the previous post. (:

Different kinds of Security Policies

First

Access Control is a security policy whereby different users are given different levels of accessing any form of resource. The resource can be a building, a certain room or digital information.

It has been applied to nearly everywhere in our lives. A common example would be our keys to our homes, or the keys to our letter boxes. Even our bank cards are also a form of access control as it only allows the card holder to have access to the money in the bank.

The importance of access control is considerably high when certain information or equipment needs to be secured and kept safe.

Second

Network Security Policies are documents that contains the rules for computer network access, it also tells of how the enforcement of policies are done besides showing the basic layout of the company's security or network security environment.

Usually the document itself is quite long and drawn up by a committee, and it goes further beyond the simple purpose of "not letting anyone bad in". The document can be quite complicated and contains sentences which need time to be understood as it is meant to govern many important things ranging from data access, web-browsing permissions, passwords,, encryption and more. This document actually speaks in detail of each rule for lone users or a groups of users within the company.

Third

Last but not least I would be posting about User Account Policy.

Again, it is another document but it contains the requirements that needed to be fulfilled concerning Requesting and Maintain an account on the system or network in the organisation.

Massive sites like Facebook would most likely have their own User Account Policy implemented and given to all registering users to read and agree to it.

Some policy contents include things like

• Should state who has the authority to approve account requests.
• Should state who is the allowed to use the resources (eg. employees or students only)
• Should state any citizenship/resident requirements.
• Should state if users are allowed to share accounts or if users are allowed to have multiple accounts on a single host.
• Should state the users' rights and responsibilities.
• Should state when the account should be disabled and archived.
• Should state how long the account can remain inactive before it is disabled.
• Should stated password construction and aging rules.

The End

Common Networking Attacks Threats and Solution

Definition of Network Attack

Basically any method, way or means that is used to intentionally compromise any form of network security can be considered as a Network Attack.

How many Network Attacks are there?

Honestly, too many for myself to read on the Internet and type here. So I'll just post about a few, hopefully in words you and I can understand.

Moving on...

Any information after this sentence should pertain to the subject or topic that is "Common Network Attacks", do feel free to comment about anything on this blog or its posts as long as it is made in a polite and friendly manner. (:

Or else I will find you and hunt you down.

I'm serious.

I don't joke.
HAHAHA
Okay okay, I hope you're enjoying this post as much as I have typing this out for you all!

Back to work!

First

Data modification or data manipulation is a form of network attack where changes are made to private company data whether the data has been interpreted, modified or deleted. This network attack is considered properly completed when the sender doesn't realize that the data has been tinkered with.

Solutions: 

1) Backup the important data (whether its yours or the company's) regularly. 

2) Implementing Access Control Lists (ACLs) which would manage the users and only allow a few qualified people you trust to have permission to access your data.

3) Insert codes into your applications that can actually validate the data input to ensure that the information or data has not been tampered with.

Second

Eavesdropping is done when the perpetrator, like some sort of pervert, actually stalks and snoops in on your network traffic and just reading any data he can find. What he understands of course, depends entirely on the level of protection applied to your data.

Solutions: 

1) Use Internet Protocol Security (IPSec) to grant some form of protection on your data through encryption before the data gets sent over the network.

2) Security policies and procedures are also another way to defend your data from getting a sniffer on the network.

Note: Sniffer is a type of software or hardware that allows the user to log or record down moving traffic and intercept them on a network.

Third

IP address spoofing, in simple terms, identity theft but in IP style. The attacker masquerades his IP as one which belongs to a valid IP address to the company targeted. Upon doing so, the attacker would do his utmost best to discover the other computers on the network. Since most IP networks associate users with their specific IP addresses, this fake packet gets through the routers and lands up where ever the attacker wishes. He can then choose to change the flow of traffic or start a Denial of Service (DoS) attack.

Solutions:

1) Set up encryption at the traffics between routers and external hosts.

2) Implement ingress filters to block any inbound packets with source addresses coming from trusted users within the internal network.

The End

I have come to the end of my first post, and I do hope you all have enjoyed reading this little brief introduction on a few network attacks.

TITLE 1 SIA

Hello hello, is this thing on? Is it working??
Testing 1, Testing 2, Testing 3!