Security and Online Privacy Regulations: An Analytical Assessment of How Young Adults Can Effectively Adopt Self-Protections When Using the Internet
The work of Munteanu (2004), entitled “Information Security Risk Assessment: The Qualitative vs. Quantitative Dilemma,” reviews the primary security risk assessment methodologies used in information technology. Munteanu relates that information security technology does not reduce information risk very effectively because information security is primarily a human problem. Whatever form an information asset takes, a risk assessment must be undertaken to understand which security measures are best suited to protecting the elements of the information security framework: (1) confidentiality; (2) integrity; and (3) availability. (Munteanu, 2004) Munteanu states that there are various standards, including documents and books entitled “Information Security Best Practices,” which are targeted at information technology managers; however, Munteanu notes that in these publications there are “similar limitations and inconsistencies in description of risk assessment methodologies that follow in information systems risk literature” including:
1) Inconsistent or too general definitions of risk assessment;
2) Lack of rigor;
3) Applicability of risk assessment models depends on the analyst's knowledge and business context;
4) Lack of an exhaustive and up-to-date database of risk vulnerabilities and exposure applicable in quantitative models; and
5) Many standards with little or no substantial differences. (Munteanu, 2004)
This study utilizes questionnaires that are included in a risk assessment, which provides identification of “…risks and risks impacts, and recommendations of risk-reducing measures.” (Munteanu, 2004) The methodology in this study contains nine specific steps as follows:
1) System Characterization;
2) Threat Identification;
3) Vulnerability Identification;
4) Control Analysis;
5) Likelihood Determination;
6) Impact Analysis;
7) Risk Determination;
8) Control Recommendations; and
9) Results Documentation. (Munteanu, 2004)
The work of Munteanu (2004) states that a “…prerequisite to qualitative risk analysis” may be that of “good data,” and it may be the lack of good data that is the “main reason qualitative analysis of information security risk is not usually performed. Qualitative assessment use risk assessment matrix and questionnaires.” (Munteanu, 2004) In the risk matrix, risks are generally rated as low, medium, or high, and in questionnaires people use a risk scale for risk ranking. “In this case, the qualitative assessment undergoes a transformation and becomes a qualitative-quantitative one.” (Munteanu, 2004) Before the assessment is begun, it is critical that the analyst gain an understanding of the use of the computer by the individual in terms of the computer ‘processes and functions’, including the ‘framework’ of the user's applications and the technology characteristics used by the individual, in combination with the philosophy of those applications and use with the constraints, interdependencies and the “…interactions between information system components.” (Munteanu, 2004) This study relates that there are three points of view on information availability that have to be addressed, which are:
1) Organizational;
2) Users; and
3) Computer Network
The following chart lists categories of these three: (Munteanu, 2004)
Munteanu (2004) states of risk analysis:
“Calculating the risks is a subjective estimation, in terms of: low, medium or high. In this case, we simply use a matrix risk-value and a risk impact ranking, but we can estimate exactly what value risks have. Most qualitative risk analysis methodologies make use of these elements and the assessment depends on the experience and judgment of the professional who made the analysis or identify quality elements that have an impact on information security. In fact, we talk about a “what-if” analysis. The analysts use qualitative variables but the result must be finally quantitative to serve the scope of a management decision…”
The ‘General Security Risk Assessment’ is illustrated as follows:
[Figure: General Security Risk Assessment. Source: ASIS International Guidelines Commission, as cited in Munteanu]
For example, as in the management of information technology internet security in terms of the number of incidents because that is the precise measurement in the assessment and analysis of risk to security.
Qualitative Risk Assessment
Qualitative risk assessment in the study reported by Munteanu (2004) relates that four elements were accounted for:
1) Asset value;
2) Threats;
3) Vulnerability; and
4) Controls.
The assessment goal in Burd’s study was stated to be for the purpose of determining if the existing risk exposure is addressed by security controls that are in place. Further addressed are the correct or accepted techniques in making this analysis. Specific technological risks are addressed, as is the inherent risk involved in applications using the database server and the database management system. Also needing to be addressed in the study was particular transaction risk on the database. All these findings hold “significance for the assessment”; however, a qualitative approach alone is not sufficient in making this analysis. In the event of such a scenario, “the database administration is reactive and makes the changes on the database at the moment when he knows the vulnerability.” (Munteanu, 2004)
Limitations to Quantitative Approach
Qualitative risk assessment is “scenario-based” in its approach while quantitative analysis “assigns monetary values to the components identified in the risk assessment phase.” Higher efficiency represents fewer breakdowns in security processes. Because of this, in business organization information systems, the analyst identifies the assets, the threats that could have an effect on these assets and the vulnerabilities associated with the identified assets. In view of the theory of social capital and the assets represented by adolescents, which is the focus of the present study, this factor is something that can only be qualitatively analyzed; but to understand system efficiency the qualitative business system analysis will serve well to inform the present study, and therefore that process is herein reviewed. Munteanu goes on to relate that qualitative process elements include:
1) Financial value of the asset
2) Cost to build the asset
3) Value of the asset to the competition; and
4) Cost to recover the asset. (Munteanu, 2004)
Munteanu (2004) additionally states: “If we assume that the database server stores financial information, the value of the data may be based on two factors” which are those of:
1) the data contribution to the financial goals of the company; and
2) the value of the data to an external individual or organization.
The result is that “the indirect value of the database server is the most difficult assessment.” (Munteanu, 2004) Munteanu relates the work of Dillard (2004), who presented a five-step process for determining the asset value and some security metrics. Those five steps are as follows:
1) Assign a monetary value to each asset class.
2) Input the asset value for each risk;
3) Produce the single loss expectancy value (SLE);
4) Determine the Annual Rate of Occurrence (ARO); and
5) Determine the Annual Loss Expectancy (ALE). (Munteanu, 2004)
Of the ‘Single Loss Expectancy’ (SLE) it is stated that this “represents the expected impact of a specific threat event and can be computed by multiplying the exposure factor of a given threat by the financial value of the asset (AV).” The exposure factor (EF) is the percentage of asset loss caused by the identified threat and can be calculated by multiplying the threat frequency level (TL) by the impact factor (IF). The threat frequency level (TL) is calculated by multiplying the threat probability (TP) by the risk factor (RF), where the risk factor is the criticality factor (CF) of the attack divided by the effort (E) required to perform the exploit.
EF = (((TP x (C / E)) x (VF x AP)) / 100)
“Calculating the exposure factor following this formula does not take into account the time variable.” (Munteanu, 2004)
Munteanu next states that this formula is adjusted through estimation of three other elements:
1) Average time period for threat identification;
2) Average time period for releasing technical procedures to reduce or accept threat; and
3) Average time period necessary till the system becomes operational and the threat eliminated. (Munteanu, 2004)
The sum of these three variables is termed exposure time. This equation would appear as follows:
Average Time Period (ATP) for threat identification
+ Average Time Period (ATP) for release of technical procedures for reduction/acceptance of threat
+ Average Time Period (ATP) for system to become operational and threat eliminated
= Exposure time
According to Munteanu: “Exposure factor will be bigger when exposure time is longer. Because estimating exposure time is based on security historical incidents, its value will be highly subjective. The annualized rate of occurrence (ARO) is the probability of a threat occurring during a one-year time frame.” (Munteanu, 2004)
‘Annual Loss Expectancy’ (ALE) is the ‘single loss expectancy’ multiplied “by the annualized rate of occurrence (ARO)” or:
ALE = SLE * ARO
Munteanu states importantly that “it is not easy to apply these formulas and to realize a cost-benefit analysis by taking the ALE and subtracting the initial cost of the countermeasure and the annual recurring cost of the countermeasure. The main problem when the analyst applies this formula is the numerical expression of the variables included. A rare threat is different from a threat that will never appear. Lacking an exhaustive threat probability database, the analyst puts in this formula a value based on a qualitative assessment. The impact factor and threat frequency level are variables that depend on statistical estimation of the threat.” (Munteanu, 2004)
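The chain described above (RF = CF / E, TL = TP x RF, EF = TL x IF, SLE = EF x AV, ALE = SLE x ARO) and the cost-benefit subtraction, as an added Python example that is not taken from Munteanu or from the paper. The numeric ranges behind low/medium/high, the 1-5 scales for CF and E, the cap on EF, and the sample scenario are assumptions constructed for illustration; the point is that a subjective rating alone can flip the cost-benefit verdict.

```python
from dataclasses import dataclass

# ASSUMPTION: numeric ranges behind each qualitative rating. The page gives no
# such mapping; these values are constructed for illustration only.
RATING_RANGES = {
    "low": (0.05, 0.20),
    "medium": (0.20, 0.50),
    "high": (0.50, 0.90),
}


@dataclass(frozen=True)
class ThreatScenario:
    name: str
    asset_value: float   # AV: financial value of the asset
    probability: str     # TP, given as a low/medium/high rating
    impact: str          # IF, given as a low/medium/high rating
    criticality: int     # CF, ordinal 1..5 (assumed scale)
    effort: int          # E, ordinal 1..5 (assumed scale)
    aro: float           # ARO: annualized rate of occurrence


def exposure_factor(tp, criticality, effort, impact_factor):
    """EF from the prose definitions: RF = CF / E, TL = TP x RF, EF = TL x IF.

    The impact factor is taken as a single input; the page's printed formula
    splits it into terms it does not define.
    """
    if effort <= 0:
        raise ValueError("effort must be positive")
    risk_factor = criticality / effort
    threat_level = tp * risk_factor
    # ASSUMPTION: cap at 1.0, since an asset cannot lose more than its value.
    return min(1.0, threat_level * impact_factor)


def single_loss_expectancy(asset_value, ef):
    """SLE = EF x AV."""
    return asset_value * ef


def annual_loss_expectancy(sle, aro):
    """ALE = SLE x ARO."""
    return sle * aro


def ale_range(scenario):
    """Lowest and highest ALE consistent with the scenario's ratings."""
    for rating in (scenario.probability, scenario.impact):
        if rating not in RATING_RANGES:
            raise ValueError(f"unknown rating: {rating!r}")
    tp_lo, tp_hi = RATING_RANGES[scenario.probability]
    if_lo, if_hi = RATING_RANGES[scenario.impact]
    bounds = []
    # EF never decreases as TP or IF grows, so the two corners bound the range.
    for tp, impact in ((tp_lo, if_lo), (tp_hi, if_hi)):
        ef = exposure_factor(tp, scenario.criticality, scenario.effort, impact)
        sle = single_loss_expectancy(scenario.asset_value, ef)
        bounds.append(annual_loss_expectancy(sle, scenario.aro))
    return bounds[0], bounds[1]


def net_benefit(ale, initial_cost, annual_cost):
    """Cost-benefit as the page states it: ALE minus initial and recurring cost."""
    return ale - initial_cost - annual_cost


def assess(scenario, initial_cost, annual_cost):
    """Classify a countermeasure across the whole range of plausible ALE values."""
    ale_lo, ale_hi = ale_range(scenario)
    nb_lo = net_benefit(ale_lo, initial_cost, annual_cost)
    nb_hi = net_benefit(ale_hi, initial_cost, annual_cost)
    if nb_lo > 0:
        verdict = "justified"
    elif nb_hi < 0:
        verdict = "not justified"
    else:
        verdict = "undecided"  # the answer depends on the analyst's judgment
    return {"ale": (ale_lo, ale_hi), "net_benefit": (nb_lo, nb_hi), "verdict": verdict}


# Constructed sample scenario (not data from the page).
SAMPLE = ThreatScenario(
    name="database server compromise",
    asset_value=200_000.0,
    probability="medium",
    impact="high",
    criticality=4,
    effort=2,
    aro=0.5,
)

if __name__ == "__main__":
    result = assess(SAMPLE, initial_cost=15_000, annual_cost=10_000)
    print(SAMPLE.name, result)
```
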
According to Munteanu (2004), “It is almost impossible for a security analyst with only technical background to quantify security risk for intangible assets. He can perform a quantitative or qualitative evaluation using dedicated software to improve the security of the information systems, but not a complete risk assessment for the whole information system. Qualitative assessment based on questionnaires use in fact statistical quantitative methods to obtain results. Statistical estimation represents the basis for quantitative models.” Munteanu concludes that in each of these approaches the “moral hazard of the analyst has influence on the results because human nature is subjective. He must use a sliding window approach according to business and information systems features, balancing from qualitative to quantitative assessment.” (2004)
A qualitative study of information systems security conducted in U.S. academic institutions is reported in the work of Steffani A. Burd, Principal Investigator for Information Security in Academic Institutions, in a project funded by the United States Department of Justice for the National Institute of Justice. Burd reports in the Impact of Information Security in Academic Institutions on Public Safety and Security in the United States (2005-2006) that “despite the critical information security issues faced by academic institutions, little research has been conducted at the policy, practice, or theoretical levels to address these issues, and few policies or cost-effective controls have been developed.” (Burd, 2005-2006) The following are next listed:
1) the profile of issues and approaches;
2) to develop a practical road map for policy and practice; and
3) to advance the knowledge, policy, and practice of academic institutions, law enforcement, government and researchers.
In this study the reported design was one that incorporated three different methods of data collection, which included:
1) Quantitative field survey;
2) Qualitative one-on-one interviews; and
3) An empirical assessment of the institutions’ network activity. (Burd, 2005-2006)
Survey data collection is reported as having involved “simple random sampling of 600 academic institutions from the Department of Education’s National Center for Education Statistics (NCES) Integrated Postsecondary Education Data System (IPEDS) database, recruitment via postcard, telephone, and email, Web-based survey administration, and three follow-ups.” (Burd, 2005-2006) It is reported that network data collection involved “convenience sampling of two academic institutions, recruitment via telephone and email, installing Higher Education Network Analysis (HENA) on participants systems and six months of data collection.” (Burd, 2005-2006)
Network security is defined in this study as involving “the protection of networks and their services from unauthorized modification, destruction or disclosure. Network security provides assurance that a network performs its critical functions correctly and there are no harmful side effects.” (Burd, 2005-2006) This study states that, for the purposes of the interview that was administered, vulnerability was defined as “the potential for a compromise of the confidentiality, integrity, or availability of the institution’s network or information…” that may be exploited by “outsiders” including students, faculty or staff. The section of the interview labeled ‘Institution’s Potential Vulnerability’ asked the participants the questions as follows:
1) What do you consider are the top three vulnerabilities at your institution? (These responses were written into three provided spaces in the questionnaire.)
2) Do you believe these top three areas of vulnerability at your institution are different from those of other universities? Answer options provided were:
a) yes;
b) no; and
c) not sure.
3) Participants were asked to state on a scale 1-7 (with 1 is ‘no’ vulnerability and 7 is critical vulnerability) how they would rate the overall level of vulnerability in maintaining the security of the institution’s network.
4) Participants were asked based on their observations whether they predict that the vulnerability of their institution in maintaining its network security in the upcoming one to three years will:
a) increase the upcoming 1-3 years;
b) decrease in the upcoming 1-3 years;
c) remain the same in the upcoming 1-3 years; or
d) not sure. (Burd, 2005-2006)
In the next section of the interview, entitled ‘Institution’s Potential Threat’, it is reported that for the purpose of this interview ‘threat’ is defined “as the potential your institution’s network may pose to compromising individuals, organizations, or critical infrastructure” including:
Threats to individuals may include identity theft, credit card fraud, and spam;
Threats to organizations may include theft or disclosure of information, dedicated denial of services (DDOS) against specific organizations, worms, viruses, or spam;
Threats to critical infrastructure may include DDOS to SCADA and communication systems or compromise of sensitive or classified information, including research and development (e.g., DARPA, HSARPA). (Burd, 2005-2006)
The interview reported by Burd (2005-2006) asks the following questions in this section of the interview:
1) Based on your institution’s information security posture, which of the following are ways your institution may pose a threat to individuals, other organizations, or critical infrastructure? (Please check all that apply.)
Attacking critical infrastructure (e.g., DDOS on SCADA, communications)
Attacking specific organizations (e.g., DDOS, virus, worms, bots)
Phishing scams
Stealing individuals’ private information (e.g., for identity theft / credit card fraud)
Stealing intellectual property (e.g., R&D, patents)
Spam/spim
Spreading malware (e.g., viruses, worms, blended threats)
Unauthorized use of bandwidth
Other (please specify)
Not sure (Burd, 2005-2006)
The following questions were rated on a scale of 1 to 7 with 1 being no threat and 7 being a Sure Threat:
2) What do you believe is the current level of potential threat that the institution may pose in compromising individuals?
3) What do you believe is the current level of potential threat that the institution may pose in compromising other organizations?
4) What do you believe is the current level of potential threat that your institution may pose in compromising critical infrastructure? (Burd, 2005-2006)
It is reported that for the purposes of this interview ‘information’ includes research and private data. Research data is stated as technical, medical and government-related data, and private data includes social security number, driver's license number, date of birth, and medical data. Specifically stated is: “It may be resident on the network or in transit. It includes data located in the centralized network as well as on departmental and individual computers.” (Burd, 2005-2006) Value is stated to address “the monetary and non-monetary aspects of information, including costs associated with creating the information, losses due to compromised information, recovery costs, and implications of compromise (e.g., reputation damage, law suits).” Questions asked in this section of the survey, entitled “Information Sharing and Value,” include the following:
1) What do you consider to be the three most valuable types of information at your institution? Participants were asked to rank as “most valuable, second-most valuable, third-most valuable” the following information:
Grades, evaluations and recommendations
Private identifying data (e.g., social security number, drivers license, date of birth)
Private financial data (e.g., credit history, credit card information, family’s finances)
Private medical data
Institution intellectual property (e.g., coursework, distance learning, articles)
Institution research data (e.g., technical, medical, government-related)
SCADA and communications data
Other (please specify)
(Burd, 2005-2006)
2) Why do you consider this information to be the most valuable at your institution? For providing answers the participants were asked to write their answer in blanks that were provided. (Burd, 2005-2006)
3) With which government agencies, if any, do you share sensitive information?
DARPA/HSARPA
REN-ISAC
SEVIS
US-CERT
Other (please specify)
None of the above
Not sure (Burd, 2005-2006)
4) Which methods do you use to secure sensitive information at your institution?
Identity management
Internal firewall
Physical separation
Role-based access control
Other (please specify)
None of the above
Not sure (Burd, 2005-2006)
5) Which methods do you use, if any, to share sensitive information with government organizations?
Email (encrypted)
Email (unencrypted)
FTP
HTTP
HTTPS
VPN (SSL or IPSec)
Other (please specify)
None of the above
Not sure (Burd, 2005-2006)
6) Which vetting procedures, if any, do you use for IT staff who handle sensitive information?
Reference check – sometimes
Reference check – always
Criminal background check – sometimes
Criminal background check – always (Burd, 2005-2006)
7) Which vetting procedures, if any, do you use for administrative staff who handle sensitive information?
For the purpose of this study ‘end user’ is described as “any individual who accesses information at your institution” including the following:
1) Students (full- and part-time, on-campus and off-campus)
2) Faculty (both full-time and part-time; on campus and off campus)
3) Staff (both full-time and part-time; on-campus and off-campus); and
4) Affiliates (contractors, visitors, library users, alumni) (Burd, 2005-2006)
Questions in this section of the study entitled: ‘included those as follows:
1) What are the key issues you encounter with end users in attempting to maintain information security at your institution? (Please select all that apply)
a. Culture
Belief in freedom of information
Low security or safeguards on information
Privacy issues
Resistance to security measures
Senior management does not support information security efforts
b. Policy
Policy does not exist
Policy is not adequate
Policy is not sufficiently enforced
c. Awareness and Knowledge
Insufficient awareness of security issues (e.g., wireless security threats)
Inadequate understanding of actions (e.g., storing sensitive information on palm pilots)
Inadequate knowledge of the internet and computing (e.g., phishing scams)
Limited technical ability (e.g., don’t know how to install antivirus software)
d. Technology, Structure & Systems
Distributed computing systems (e.g., departmental computers)
Emerging technology (e.g., wireless, instant messaging, P2P networking)
Remote access issues
Rogue, unsupported computing systems (e.g., departments’ systems)
Unpatched systems (e.g., operating system and application holes)
2) Of all the end user security issues listed above, which is your biggest challenge?
3) When you consider the different types of end users, which group poses the greatest challenge in maintaining the security of the institution’s information and systems?
Staff
Students
Other (please specify)
4) Why is this type of end user the most challenging?
5) How does your institution process new students’ personal computers – if at all?
Clean computer when student arrives at the institution
Install firewall application on the computer
Install intrusion detection/intrusion prevention application on the computer
Install virus protection application on the computer
Notify student that computer should be cleaned
Notify student of virus protection, firewall, intrusion detection/prevention options
Provide security awareness training – optional
Provide security awareness training – mandatory
Require cleaning and protection prior to logging onto institution’s system
Require signature accepting institution’s security policy (e.g., via click through)
Other (please specify)
None of the above
6) How does your institution process new faculty members’ personal computers – if at all?
Clean computer when faculty member arrives at the institution
Install firewall application on the computer
Install intrusion detection/intrusion prevention application on the computer
Install virus protection application on the computer
Notify faculty member that computer should be cleaned
Notify faculty member of virus protection, firewall, intrusion detection/prevention options
Provide security awareness training – optional
Provide security awareness training – mandatory
Require cleaning and protection prior to logging onto institution’s system
Require signature accepting institution’s security policy
Other (please specify)
None of the above (Burd, 2005-2006)
In the section of this interview entitled ‘Countermeasures’ it is stated that for the purpose of this interview ‘information security policy’ is defined as “the procedures, guidelines and practices for establishing and managing security in the institution’s environment.” Questions asked in this section of the survey include the following:
1) How would you characterize the formality of the institution’s information security policy?
No policy
Informal policy
Currently developing a formal policy
Currently implementing a formal policy
Formal policy
Other (please specify)
2) Information security policies may be sponsored at various levels within institutions (e.g., IT department, executive-level). How would you describe the level at which your institution’s information security policy is sponsored?
Not applicable – we do not have a policy
Sponsored by IT department
Sponsored by some departments in addition to IT department
Sponsored by all departments in addition to IT department
Sponsored at executive-level (e.g., President, Dean)
Other (please specify)
3) How do you distribute the information security policies to your institution’s end users?
____ Post information security policies on the institution’s web site
____ Written document when end user first enters the institution
____ Electronic document when end user first enters institution
____ Written document provided periodically during end user’s affiliation with institution
____ Electronic document provided periodically during end user’s affiliation with institution
____ Other (please specify)
4) Please indicate below which, if any, of the following end users are required to sign an information security policy:
____ Staff (IT department)
____ Staff (administrative)
____ Students
____ No end users
____ Other (please specify)
5) What are the consequences, if any, of violating the institution’s information security
6) On a scale of 1 to 7, where 1 is “not at all effective” and 7 is “extremely effective,” how would you rate the effectiveness of your institution’s policy in maintaining network security? (Burd, 2005-2006)
The study next reports the section of the interview labeled ‘Awareness and Training’. For the purpose of this interview, ‘awareness and training’ is described as involving the provision of end users with sufficient information security knowledge that they do not pose a significant threat to the institution’s information. ‘Awareness’ is inclusive of the development of sensitivity to potential vulnerabilities and understanding potential security issues. ‘Training’ involves provision of sufficient knowledge that end users are able to act on their awareness, such as installation of antivirus programs as well as performing system checks. Questions asked in this section of this study include those as follows:
1) What type of optional or mandatory training does your institution provide to its end users in maintaining information security:
a) Orientation for new end users – optional;
b) Orientation for new end users – mandatory;
c) Ongoing security training – optional;
d) Ongoing security training – mandatory;
e) Periodic alerts for new threats;
f) Incident identification;
g) Other (please specify); and
h) Not sure. (Burd, 2004)
2) Does your institution measure the effectiveness of its security training?
If yes: How do you measure the effectiveness of your security training?
a) Mandatory written-digital test based on content of security training;
b) Social engineering testing;
c) Staff reports of experiences;
d) Track volume of incidents per week;
e) Track volume and type of help desk issues;
f) None of the above;
g) Not sure. (Burd, 2004)
3) If you had unlimited resources and could change one aspect of awareness and training at your institution, what would you do? (Burd, 2005-2006)
Operational practices were also addressed in this study and the participants were instructed to consider the practices that the institution uses to prevent information security breaches. The following chart was provided to participants to review and mark their responses:
Source: Burd (2005-2006)
In terms of ‘Detection and Investigation’ it is stated that detection involves: “identifying potential or actual compromise of the confidentiality, integrity or availability of the institution’s network and information. Investigation refers to analysis of the causes of compromise to the institution’s network and information.” (Burd, 2005-2006) The participants in this study are instructed to consider the practices that the institution uses to detect and investigate incidents, and the following chart is provided for responses:
Source: Burd (2005-2006)
The next question in this section of the study asks the participants to indicate the groups that the institution has reported information security breaches or incidents to in the past year and provides the following options for participant response:
Within institution
IT department
Legal affairs
Executive level (e.g., Dean, President)
Student affairs
Other (please specify)
Outside institution
Local law enforcement
Federal law enforcement
ISP (Internet Service Provider)
REN-ISAC
SANS (SysAdmin, Audit, Network, Security)
US-CERT
Other (please specify)
Not sure (Burd, 2005-2006)
In the ‘Technology’ section of this interview participants are instructed to indicate the general technologies utilized by the institution in securing its network and information and the following checklist is provided for participants to indicate their response to this issue:
Source: Burd (2005-2006)
Participants are asked to indicate the programs currently used for: (1) Anti-virus; (2) Firewall; and (3) IDS/IPS. Furthermore, participants are asked which of all the technologies utilized they believe is the most effective in maintaining the security of the network and which is the least effective in maintaining network security. Participants are quizzed as to what they anticipate will be the top three technologies that the institution will use in the upcoming 1-3 years to ensure information security. In the section of the interview entitled ‘Resources’ the questions asked are those as follows:
1) How many staff at your institution have a role dedicated to information security?
Part-time IT staff:
Full-time IT staff:
2) Please consider your central IT budget for this year. Approximately what percentage of this budget is allocated to information security (e.g., systems, technology, training and awareness)?
____ 0% – 2%
____ 3% – 5%
____ 6% – 10%
____ 11% – 25%
____ Not sure
3) Do you use a methodology to quantify losses from security breaches (e.g., worms, viruses, spam, P2P, loss of information)?
____ No
____ Yes
____ Not sure
If “Yes,” which methodology(ies) do you use?
4) Based on compromises over the past year, would you estimate losses at your institution to be:
____ $0 – $100K
____ $101K – $250K
____ $251K – $1M
____ $1.1M – $3M
____ $3.1M – $M
____ Not sure
____ Prefer to not disclose
5) Which of the following resources, if any, do you use for obtaining information about best practices?
Colleagues
EDUCAUSE
HEITA
InfraGard
NSA NIETP
SANS
US-CERT
REN-ISAC
Journals and magazines
Internet
None of the above
Other (please specify)
If you had unlimited additional staff, time, and funding allocated to network security at your institution, what would you do differently? (Burd, 2005-2006)
The final section of the interview entitled ‘Insights’ asks the questions related as follows:
1) Overall, on a scale of 1 to 7, where 1 is “not at all effective” and 7 is “extremely effective,” how would you rate the effectiveness of information security at your institution?
Participants were asked to rate as follows:
Not at all effective; not very effective; somewhat effective; moderately effective; highly effective; very highly effective; extremely effective
2) Overall how does information security currently rank on your list of priorities?
a) Increase priority;
b) Decrease priority;
c) Remain the same;
3) What do you consider to be the biggest challenge in the upcoming year in ensuring the security of your institution’s network?
4) What do you consider to be the one thing your institution does best to protect its network?
5) If you had unlimited resources, budget, and authority, what is the one thing you would do to ensure the security of your institution’s network?
This study reports that network analysis data collection included convenience sampling of two academic institutions, recruitment via telephone and email and installation of Higher Education Network Analysis (HENA) on the participant institution systems combined with six months of data collection.
Quantitative Field Survey Data
Reported in the same study is that the ‘Quantitative Field Survey Data’ contains 19 specific variables of characteristics of institutions that participated in the field survey component of this study, along with 236 variables derived from responses to the Information Security in Academic Institutions Survey, which was organized into five sections:
1) Environment;
2) Policy;
3) Information security controls;
4) Information security challenges and resources. (Burd, 2005-2006)
Qualitative One-on-One Interview Method
The Qualitative One-on-One Interview Data contains qualitative responses in a combination of closed-response and open-response formats, with the data divided into seven sections:
1) Environment
2) Institution’s potential vulnerability;
3) Institution’s potential threat;
4) Information value and sharing;
5) End users;
6) Countermeasures; and
7) Insights. (Burd, 2005-2006)
Data Collection
Data was collected through empirical analysis of network activity and includes type and protocol of attack, source and destination information, and geographic location. Geographic coverage included the entire United States, Department of Education region classification.
Computer Data Collection
The network data was collected by setting the computer to record logs, which was accomplished using the following instructions:
Step 1: Set Up Machine to Process Logs
1. Go to www.dshield.org/howto.php
2. Select appropriate prewritten client
   a. Go to “Prewritten clients” in red text
   b. Look for your firewall to see whether it is listed under either DShield “Universal” CVTWIN Client or Third Party Programs that submit Firewall Logs to DShield.
   c. If your firewall is listed under DShield “Universal” CVTWIN Client:
      i. Click on DShield “Universal” CVTWIN Client, which will take you to www.dshield.org/windows_clients.php.
      ii. Scroll down the page to CVTWIN-SETUP.EXE (2.1 megabytes)
      iii. Download CVTWIN-SETUP.EXE (2.1 megabytes) by clicking on it.
   d. If your firewall is listed under Third Party Programs that submit Firewall Logs to DShield:
      i. Click on Third Party Programs that submit Firewall Logs to DShield, which will take you to http://www.dshield.org/windows_clients.php#3rd_party
      ii. Select the appropriate program and follow its instructions.
3. Install appropriate scripts
   a. Go to where you saved the file, and unzip the application by double-clicking on the .zip file.
   b. Follow the instructions, using the defaults as you continue.
Note: The second prompt, which has a box for DShield Universal Firewall Client Setup, is not intuitive. You actually need to click on the computer icon in the upper left hand side of the command box.
4. Configure scripts
   a. Go to the “Start” menu. Under “Programs” select “DShield” then “DShield Universal Firewall Client”
   b. Go to “Edit” on the tool bar and select “Configure...”
   c. Modify the “DShield User ID” field by entering your assigned UserID
   d. Modify the “Your Email Address” field by entering your assigned email address
   e. Change the “SMTP Server Name” field by entering dshield.infosecurityresearch.org
      Note: If your university blocks the use of external SMTP servers, you must use your internal SMTP server name in this field.
   f. Fill in the “Firewall” field by selecting your university’s firewall (e.g., Snort, Windows XP, etc.) from the drop-down menu
   g. Fill in the “Logfile” field by selecting the location where you’d like the log files to be stored (use the browse button)
   h. Press OK
5. Modify your CVTWIN.INI file
   a. Change the destination of your scripts
      i. Go to the “Edit” pull-down and select “Edit CVTWIN.INI.” This will open a notepad screen
      ii. Go to the line specifying where the reports will be sent. Search for “toaddr” by using the “Edit” pull-down, selecting “Find,” and entering “toaddr”
      iii. Change the “toaddr=dshield.org” to “toaddr= ”
   b. Change the Time Zone (if needed)
      i. Go to the line specifying the time zone. Search for “time zone” by going to the “Edit” pull-down, selecting “Find,” and entering “TZ”
      ii. Look at the “TZ=” values corresponding with your time zone (e.g., -5:00 is Eastern Standard Time)
      iii. Change the default of “TZ=-04:00” to the appropriate “TZ=” value
   c. Save and Exit the “Edit CVTWIN.INI” file
      i. Go to “File” pull-down and select “Save”
      ii. Go to “File” pull-down and select “Exit”
6. Change the IP Filter Configurations
   a. Change the IP Source filter
      i. Go to “Edit” and select “Edit Source IP Filters.” This will open a notepad screen called “SourceIP.flt”
      ii. Put a # sign in front of each line of IP numbers so they aren’t filtered (the lines start at 0.0.0.0 and end at 255.255.255.255)
      iii. Save and Exit the SourceIP.flt file
         a. Go to “File” pull-down and select “Save”
         b. Go to “File” pull-down and select “Exit”
   b. Change the IP Target filter
      i. Go to “Edit” and select “Edit Target IP Filters.” This will open a notepad screen called “TargetIP.flt”
      ii. Put a # sign in front of each line so they aren’t filtered (starts at 0.0.0.0 and ends at 127.0.0.1)
      iii. Save and Exit the TargetIP.flt file
         a. Go to “File” pull-down and select “Save”
         b. Go to “File” pull-down and select “Exit”
Step 2: Process the Logs
1. Go to the “Start” menu and start up DShield by
2. Go to “File” pull-down and select “Convert [depending on what firewall you configured in Step 1]”
3. Go to “File” pull-down and select “Mail to ”
Step 3: Automate Sending the Logs
If you use Unix: Set your cronjob to every 1/2-hour
If you use Windows: Set your scheduler to every 1/2-hour (Burd, 2005-2006)
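The edits in steps 5 and 6 of Step 1 are easy to get wrong by hand, so the following added example (not part of the Burd report or of the DShield client) audits them before logs are sent: it checks the `toaddr` and `TZ` lines of CVTWIN.INI and lists any filter lines that are still active. The sample file contents, the `key=value` and filter-line layouts, and the address `collector@example.edu` are constructed assumptions.

```python
import re

# Constructed sample files; the key=value and filter-line layouts are assumptions.
SAMPLE_INI = "; constructed CVTWIN.INI fragment\ntoaddr=dshield.org\nTZ=-04:00\n"
SAMPLE_FLT = "# constructed SourceIP.flt\n0.0.0.0 - 0.255.255.255\n#10.0.0.0 - 10.255.255.255\n"

TZ_RE = re.compile(r"^[+-]\d{1,2}:\d{2}$")  # offsets such as -05:00


def parse_ini(text):
    """Return lower-cased key -> value for every key=value line."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#[" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip()
    return settings


def audit_ini(text, expected_toaddr, expected_tz):
    """List settings that differ from what steps 5a and 5b call for."""
    cfg = parse_ini(text)
    findings = []
    toaddr = cfg.get("toaddr", "")
    if toaddr.lower() != expected_toaddr.lower():
        findings.append(f"toaddr is {toaddr!r}, expected {expected_toaddr!r}")
    tz = cfg.get("tz", "")
    if not TZ_RE.match(tz):
        findings.append(f"TZ is {tz!r}, not a +/-HH:MM offset")
    elif tz != expected_tz:
        findings.append(f"TZ is {tz!r}, expected {expected_tz!r}")
    return findings


def active_filters(text):
    """Return filter lines not prefixed with '#', i.e. still filtering (step 6)."""
    lines = (ln.strip() for ln in text.splitlines())
    return [ln for ln in lines if ln and not ln.startswith("#")]


if __name__ == "__main__":
    # collector@example.edu is a constructed placeholder, not the study's address.
    for finding in audit_ini(SAMPLE_INI, "collector@example.edu", "-05:00"):
        print("CVTWIN.INI:", finding)
    for line in active_filters(SAMPLE_FLT):
        print("SourceIP.flt still filters:", line)
```

A client left at the default `toaddr` would send reports to the public DShield address rather than the intended collector, and any filter line left active would silently drop matching records from the submitted logs.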
Bibliography
Burd, Steffani A. (2006) Impact of Information Security in Academic Institutions on Public Safety and Security: Assessing the Impact and Developing Solutions for Policy and Practice. Final Report. NCJ 215953, United States Department of Justice, National Institute of Justice, Oct 2006. Full text PDF: http://www.ncjrs.gov/pdffiles1/nij/grants/215953.pdf
Munteanu, Adrian (2004) Information Security Risk Assessment: The Qualitative vs. Quantitative Dilemma. Managing Information in the Digital Economy: Issues & Solutions.
