The Jing An Telescope Factory (JATF): A network security case study

Journal of Information Systems Education, Fall 2003 by White, Doug, Rea, Alan

A company must decide how much time and effort it can spend on security. However, the amount of risk must drive this decision. Customer data and mission critical systems must be protected. Hackers target high-profile systems and information that may be revealed for value or personal gain. Low-profile systems are targeted as potential platforms for attacks on other systems. Although hackers won't want the information on the low-profile system, there is still a risk of data being gleaned, destroyed, or compromised.

At the very least, a company must focus on securing its network. However, if there is greater risk to a system, more focus needs to be on that particular system. For that reason, a company must rank systems to determine which one is a low- versus a high-risk system.

Ultimately, basic security consists of four main elements: identification, assessment, observation, and prevention. You must consider and address all four in order to remain secure.

6.2 Identification

To begin, identify two things: critical points of entry into the network and mission critical systems. The most-likely entry point is the connection to the Internet. It is also important to identify any systems in use that are absolutely critical to the business. You must protect these systems and identify all possible weaknesses in these machines. For instance, a desktop that is used to store your accounting system may be considered mission critical, while a system used only in the manufacturing shop for printing out orders is not.

6.2.1 System Rank Scale: A simple plan is to list all the uses of a system and then consider the loss of the system. How big will the impact be if the system is compromised or erased? Using two ten-point scales you can develop a rating of security need for all the systems in your network. The first scale is an analysis of the critical level of the system. A score of ten (10) represents a system that is indispensable (e.g., an e-commerce transactions server) and a one (1) represents a system that is connected to the network but can easily be replaced/repaired in a failure. Reserve the zero score for machines that are not connected to the network.

The second scale is the risk. Machines may represent different levels of risk in terms of the amount of access they grant. A ten (10) on the scale might be a machine that is connected to the Internet, allows anyone to access the Web pages, supports FTP transactions, and has remote access. A one (1) on this scale is a single user machine that allows only inbound transactions (e.g., Web browsing). Reserve a zero score for machines that are very low risk such as a single user workstation that is password protected and not connected to a network.

Obviously, the scale is subjective, but it should be useful if applied consistently. The scale creates a basic guideline for analyzing systems for security. In both scales, the operating system (OS) in use should be considered, as some OSs are weaker than others, particularly dated legacy systems.
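The two scales can be applied to an inventory as in the following added example, which is not part of the original article. The inventory scores are constructed, multiplying the two scores into a single "security need" is an assumption (the article does not say how to combine them), and rejecting a zero on either scale for a networked machine is a strict reading of the article's "reserve the zero score" guidance.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class System:
    name: str
    networked: bool
    criticality: int  # 10 = indispensable, 1 = easily replaced/repaired
    risk: int         # 10 = open Internet-facing services, 1 = single user

def problems(s: System) -> list[str]:
    """Return scoring errors for one system (empty list if none)."""
    found = []
    for label, score in (("criticality", s.criticality), ("risk", s.risk)):
        if not 0 <= score <= 10:
            found.append(f"{label} {score} is outside the 0-10 scale")
        elif score == 0 and s.networked:
            # Zero is reserved for machines that are off the network.
            found.append(f"{label} 0 is reserved for machines off the network")
    return found

def security_need(s: System) -> int:
    """Combined rating. Assumption: product of the two scores (0-100)."""
    return s.criticality * s.risk

def rank(inventory):
    """Split an inventory into (systems ranked by need, rejected scores)."""
    rejected = {s.name: problems(s) for s in inventory if problems(s)}
    scored = [s for s in inventory if s.name not in rejected]
    # Highest need first; criticality breaks ties.
    scored.sort(key=lambda s: (security_need(s), s.criticality), reverse=True)
    return scored, rejected

# Constructed sample inventory, loosely based on the article's examples.
INVENTORY = [
    System("shop-floor order printer PC", True, 2, 2),
    System("accounting desktop", True, 8, 3),
    System("e-commerce transaction server", True, 10, 10),
    System("standalone workstation", False, 0, 0),
    System("lobby kiosk", True, 0, 4),  # mis-scored: networked but rated 0
]

if __name__ == "__main__":
    ranked, rejected = rank(INVENTORY)
    for s in ranked:
        print(f"{security_need(s):3d}  crit={s.criticality:2d} "
              f"risk={s.risk:2d}  {s.name}")
    for name, errs in rejected.items():
        print(f"RESCORE {name}: {'; '.join(errs)}")
```

Rejected entries are returned rather than silently ranked last, so a mis-scored machine is sent back for rescoring instead of being treated as low priority.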


 


Content provided in partnership with ProQuest