The current level of development and competition makes it almost impossible to keep a computer off every network (passive or active). These computers handle many kinds of information (e.g.: industrial processes, operational, administrative, security data); data and information are assets for companies, individuals and governments. Risk assessment, risk handling and policies that address security issues therefore become essential. The risks come from performance loss, spying, hacking, phishing, etc.; the properties they threaten, and that a network must provide, are:
§ Confidentiality, making sure that information sent across a network can only be accessed or opened by those for whom it is intended;
§ Information integrity, ensuring that information is protected against unauthorized modification while in transit;
§ Hardware integrity, ensuring that a hardware failure has the least possible impact on the work process;
§ Availability, ensuring that information is available and accessible over the network when it is required;
§ Investment, ensuring the correct investment in hardware, software, personnel, contractors, etc.;
§ Privacy, keeping information hidden from those who are not meant to see it;
§ Authorization, making information available over the network only to those who have a right to access it;
§ Identification and authentication, ensuring that the origin of information can be correctly identified over the network, with the necessary assurance that the identity is not false; and
§ Health checking, ensuring the proper operation of the system, hardware and software.
These risks can be evaluated against different sources of threat, whether local (e.g.: hard disk failures, theft, fire, power outages) or network-borne (e.g.: LAN, WAN, Internet). Eliminating all risk is not possible in a networked environment; in addition, risk has an inverse relationship with cost: every reduction in risk has to be paid for. Every company or person should evaluate their own risk through a risk assessment where this is practicable, realistic and helpful. The risks should be analyzed and sized, and then a strategy should be chosen to bring each of them to an acceptable level (avoidance, control, retention or transfer).
The risk assessment method gives us the tools for evaluating the risks associated with each network. It considers three aspects: asset, threat and vulnerability. Home and corporate networks are built on the same principles (the ISO OSI layer model), but the two present different levels of risk on the following items (any other item can be folded into one of them):
§ Size: corporate networks may run hundreds or thousands of computers and devices; home networks typically consist of a few. The risk due to network size is higher for corporations, both in hardware (e.g.: more disks, so more disk failures) and in software (e.g.: more exchanged emails and shared information);
§ Interconnection: home networks are typically peer-to-peer. Corporate networks usually have a T1 or faster connection that allows better performance but also exposes more systems to the outside; so, on most of the considerations above, corporations face higher risk;
§ Networking hardware: corporations can invest in more secure and better-performing hardware (e.g.: wireless equipment, backup systems, firewalls, switches). On this item corporations face lower risk;
§ Speed: more expensive technology is accessible to corporations, and it offers higher rates (e.g.: fiber). This item has little bearing on security;
§ Security: corporations are valuable targets for hackers and spies. Nevertheless, corporations have access to highly specialized professionals and/or consultants, technology and money to keep their defences up to date. Home networks, on the other hand, are targets of some level of attack (e.g.: phishing). The two effects pull in opposite directions, but usually this item presents more risk for corporations;
§ Complexity: home networks are very simple compared with corporate networks, which include several levels of sub-networks with restricted access, resources, etc. for different employees, partners, contractors, etc. This item exposes corporations to more risk;
§ Configuration: home networks are usually configured peer to peer. For corporate networks this scheme would be inefficient (e.g.: for administration, security, investment, encryption), so they use centrally managed configurations; this item presents lower risk for corporations; and
§ Policies: corporations follow strict, formally approved policies for network security. Home networks usually lack any policy, and the rules actually followed depend on many things (e.g.: children). Corporations are better prepared because they follow appropriate policies.
In conclusion, home network risk depends strongly on the home network's owner. Corporate networks carry higher risk, but corporations are also better prepared, with the tools and people to address it.
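The following Python is an added worked example, not code from the essay or its sources. It puts the three-part assessment (asset, threat, vulnerability) into a small risk register, sizes each risk, picks one of the four treatments named above against an acceptable level, and then works through the "size" item numerically: with the same per-disk annual failure rate, the chance of seeing at least one failure grows with the number of disks. The 1..5 scoring, the acceptable-risk threshold, the treatment decision rule, the register entries and the 3 % failure rate are all constructed assumptions for illustration.

```python
"""Added example: a toy asset/threat/vulnerability risk register (constructed data)."""
from __future__ import annotations
from dataclasses import dataclass

# Assumed scale: each factor is 1 (low) .. 5 (high), so a score runs 1..125.
ACCEPTABLE_RISK = 20  # assumed threshold above which a risk must be treated


@dataclass
class Risk:
    asset: str
    threat: str
    asset_value: int        # what the asset is worth to the owner
    threat_likelihood: int  # how likely the threat is to occur
    vulnerability: int      # how exposed the asset is to that threat
    transferable: bool = False  # e.g. insurable or outsourceable

    def score(self) -> int:
        """Size the risk as the product of the three aspects (assumed model)."""
        return self.asset_value * self.threat_likelihood * self.vulnerability


def treatment(risk: Risk) -> str:
    """Map a sized risk to avoidance, control, retention or transfer.
    Decision rule is an assumption: accept small risks; hand off what can
    be transferred; stop activities that expose a critical asset with no
    practical control; otherwise put controls in place."""
    if risk.score() <= ACCEPTABLE_RISK:
        return "retention"
    if risk.transferable:
        return "transfer"
    if risk.vulnerability == 5 and risk.asset_value >= 4:
        return "avoidance"
    return "control"


def assess(register: list[Risk]) -> list[dict]:
    """Analyze and size every risk, highest score first, with its treatment."""
    ranked = sorted(register, key=lambda r: r.score(), reverse=True)
    return [{"asset": r.asset, "threat": r.threat,
             "score": r.score(), "treatment": treatment(r)} for r in ranked]


def p_at_least_one_failure(n_disks: int, annual_failure_rate: float) -> float:
    """Probability that at least one of n independent disks fails in a year.
    The per-disk rate is the same at home and at a corporation; the fleet
    size is what changes the odds (the 'size' item in the text)."""
    return 1.0 - (1.0 - annual_failure_rate) ** n_disks


def expected_failures(n_disks: int, annual_failure_rate: float) -> float:
    """Expected number of disk failures per year for the fleet."""
    return n_disks * annual_failure_rate


# Constructed registers: illustrative entries, not measured data.
HOME_REGISTER = [
    Risk("family photos", "disk failure", 3, 3, 4),
    Risk("online banking credentials", "phishing", 4, 3, 3),
    Risk("old laptop", "theft", 1, 2, 3),
]
CORPORATE_REGISTER = [
    Risk("customer database", "modification in transit", 5, 3, 2),
    Risk("data centre", "fire", 5, 2, 3, transferable=True),
    Risk("legacy unpatched server on production LAN", "exploit from WAN", 4, 4, 5),
    Risk("public web server", "denial of service", 3, 4, 2),
]
ASSUMED_DISK_FAILURE_RATE = 0.03  # assumed annual per-disk rate


if __name__ == "__main__":
    for name, register in (("home", HOME_REGISTER), ("corporate", CORPORATE_REGISTER)):
        print(f"== {name} ==")
        for row in assess(register):
            print(f"{row['score']:>4}  {row['treatment']:<9}  {row['asset']} / {row['threat']}")
    for name, disks in (("home", 3), ("corporate", 500)):
        p = p_at_least_one_failure(disks, ASSUMED_DISK_FAILURE_RATE)
        e = expected_failures(disks, ASSUMED_DISK_FAILURE_RATE)
        print(f"{name}: {disks} disks -> P(>=1 failure/yr)={p:.4f}, expected={e:.1f}")
```

Running it ranks the legacy server first in the corporate register (score 80, avoidance), sends the fire risk to transfer, and leaves the home laptop theft at retention; the disk figures show why the same component reliability yields a near-certain yearly failure somewhere in a 500-disk fleet but only about a 9 % chance across three home disks.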