C安全與否,E;O*^8E)t8o4G%x,Y9你大概聽計算機和計算機除非你的計算機遭到過或的攻或者病毒，那么其中重要的個人信息和軟件就有可能丟失。+v+R;{!C9kIT安全性的方案。明確的任務將在后面給出。8 S6M7Y.n&X-U.通過多個防御層來防止計算機系統活動的。包括政策層和技術層(圖1,預防性的防御措施(略))兩者在內的這些防御層將會對機構的風險類型產生各種不同的影響(2,IT系統經濟風險的示意圖(略))。用無線設備的使用有關可移動的關注個人應用的限制和用戶培訓。一種實例性的政策可以包括對的長度和所用字母的要求更改的費用以及影響到生產效率和安全性的因素。在圖1中，只對最面作了詳細3@+y.G:O%檢測系統(IDS=IntrusionDetectionSystems)，，防系統，易受擊的掃描儀和冗余備份等。比如說，IDS監視并記錄某一特定計算機或來自具有數據并能提供識別可疑活動“之后”的偵破能力的網絡上的重要。 )是一個廣受歡迎的IDS方案。圖1提供了一個關鍵防御措施的樣本(管理/使用的政策和技術解決方案)和政策一樣,技術解決方案也有)u/W"?&k- q%ToBeSecureorNotto(V*V:n(]'}7j7U*Youprobablyknowaboutcomputerhackersandcomputeres.Unlessyourcomputerhasbeentargetedbyone,youmaynotknowhowtheycouldaffectanindividualoranorganization.Ifacomputerisattackedbyahackeroritcouldloseimportantalinformationandsoftware.:X(U4J2W;S:E.V)u0H4Z#EThecreationofanewuniversitycampusisbeingconsidered.Yourrequirementistomodeltheriskassessmentofinformationtechnology(IT)securityforthisproposeduniversity.ThenarrativebelowprovidessomebackgroundtohelpdevelopaframeworktoexamineITsecurity.Specifictasksareprovidedattheendofthisnarrative.Computersystemsareprotectedfrommaliciousactivitythroughmultiplelayersofdefenses.Thesedefenses,includingbothpoliciesand(Figure1PreventativeDefensiveMeasures),havevaryingeffectsontheorganization’sriskcategories(Figure2EconomicRiskSchematicforITSystems)."@;D9]%s0h9R$h+FManagementandusagepoliciesaddresshowusersinctwiththeorganization’scomputersandnetworksandhowpeople(systemadministrators)maintainthenetwork.Policiesmayincludepasswordrequirements,formalsecurityaudits,usagetracking,wirelessdeviceusage,removablemediaconcerns, aluselimitations,andusertraining.Anexamplepasswordwouldincluderequirementsforthelengthandcharactersusedinthepassword,howfrequentlytheymustbechanged,andthenumberoffailedloginattemptsallowed.Eachsolutionhasdirectcostsassociatedwithitsimplementationandfactorsthatimpactproductivityandsecurity.InFigure1,onlythetopmostbranchisfullydetailed.Thestructureisreplicatedforeachbranch.:},@/t/C-^-Thesecondaspectofasecuritypostureisthesetoftechnologicalsolutionsemployedtodetect,mitigate,anddefeatunauthorizedactivityfrombothinternalandexternalusers.Technologysolutionscoverbothsoftwareandhardwareandincludeintrusiondetectionsystems(IDS),firewalls,anti-systems,vulnerabilityscanners,andredundancy.Asanexample,IDSmonitorsandrecordssignificanteventsonaspecificcomputerorfromthenetworkexaminingdataandprovidingan“afterthefact”forensicabilitytoidentifyactivity.SNORT( )isapopularIDSsolution.Figure1providesasampleofkeydefensivemeasures(management/usagepoliciesandtechnologysolutions).Aswitha,atechnologysolutionalsohasdirectcosts,aswellasfactorsthatimpactproductivityandsecurity.K+j4Z!\2v,e8R:?風險的來源包括(但并不限于)機構內部或者外部的人或硬件（2）。不同的預防性防御措施（圖1）可能在防御內部比防御來自計算機的威脅更有效。另外，外部的動機往往不同，這也可能需要不同的安全措施。比如說對付一個正試圖檢索私人數據或庫的者和對付一個正試圖癱瘓網絡的者很可能要采取極不同的斗法。-F#q7i6u3L"X2屬于機構可能要面對方面的潛在費用包括機會成本(圖2)(注:企業管理沒有作出一項決策或未能利用一個能帶來收益的機會(例如投資項目),失去的收益就是機會成本)、人員費用和預防性防御措施的費用。重要的機學的衛生院由于在應訴醫療記錄可用性方面的損失比之于重建服務系險類型都會對取決于機構的任務和要求的費用產生影響性指的是保護數據不向的者公開如果衛生院的記錄數據因疏忽而被公開或者被果者修改了某些產品的定價信息或者刪除了全部的數據集機構將會3_;~'`3h1為增加機構安全狀況所執行的每一種措施都會(正面或地)影響到這三種風隨其后的潛在的機會成本機構所的一個復雜的問題是怎樣在他們的潛在ITf.^#f)^!d;r&H(p)Q.KSourcesofrisktoinformationsecurityinclude,butarenotlimitedto,peopleorhardwarewithinoroutsidetheorganization(Figure2).Differentpreventivedefensivemeasures(Figure1)maybemoreeffectiveagainstaninsiderthreatthanathreatfromacomputerhacker.Additionally,anexternalthreatmayvaryinmotivation,whichcouldalsoindicatedifferentsecuritymeasures.Forexample,anintruderwhoistryingtoretrieveproprietarydataorcustomerdatabasesprobablyshouldbecombatedmuchdifferentlyfromanintruderwhoistryingtoshutdownanetwork.,F6|#G*v2}Potentialcostsduetoinformationsecuritythatanorganizationmayface(Figure2)includeopportunitycost,people,andthecostofpreventativedefensivemeasures.Significantopportunitycostsinclude:litigationdamages,lossofproprietarydata,consumerconfidence,lossofdirectrevenue,reconstructionofdata,andreconstructionofservices.Eachcostvariesbasedontheprofileoftheorganization.Forexample,ahealthcarecomponentoftheuniversitymighthaveagreaterpotentialforlossduetolitigationoravailabilityofpatientmedicalrecordsthanwithreconstructionofservices."t s/N ]8X(WAnorganizationcanevaluatepotentialopportunitycoststhroughariskysis.Riskscanbebrokendownintothreeriskcategories;ity,integrity,andavailability.Combined,thesecategoriesdefinetheorganization’ssecurityposture.Eachofthecategorieshasdifferentoncostdependingonthemissionandrequirementsoftheorganization.ityreferstotheprotectionofdatafromreleasetosourcesthatarenotauthorizedwithaccess.Ahealthcareorganizationcouldfacesignificantlitigationifhealthcarerecordswereinadvertentlyreleasedorstolen.Theintegrityofthedatareferstotheunalteredstateofthedata.Ifanintrudermodifiespricinginformationforcertainproductsordeletesentiredatasets,anorganizationwouldfacecostsassociatedwithcorrectingtransactionsaffectedbytheerroneousdata,thecostsassociatedwithreconstructingthecorrectvalues,andpossiblelossofconsumerconfidenceandrevenue.Finally,availabilityreferstoresourcesbeingavailabletoanauthorizeduser,includingbothdataandservices.Thisriskcanmanifestitselffinanciallyinasimilarmanner ityand*L7V~,n)F%L0Eachmeasureimplementedtoincreasethesecuritypostureofanorganizationwillimpacteachofthethreeriskcategories(eitherpositivelyornegatively).Aseachnewdefensivesecuritymeasureisimplemented,itwillchangethecurrentsecuritypostureandsubsequentlythepotentialopportunitycosts.AcomplicatedproblemfacedbyorganizationsishowtobalancetheirpotentialopportunitycostsagainsttheexpenseofsecuringtheirITinfrastructure(preventativedefensivemeasures).(@;h+{!J"K!o)O:j7\IT安全水平所需要的正確的政策和技術與系統管理員的培訓等各項費用一起極小化機會成本的各種預防性防御措施的最佳組合RiteOnIT一些據包含在附件中的表格A與表格B中。v+VEMs;E,N5F&{&s'p10個學術系，一個校際體育部，一個招生辦公室，一家書店，一個教務(成績和學術狀況管理)，一個可容納15,000名學生的綜合宿舍樓大學預期有600名職員和教（不包括IT支持人員）來完成日常的工作。學術系將21個計算機(每個30臺計算機)600名職員和教員所使用的計算機(員一臺計算機)。宿舍中的每個房間配備兩個可以高速接入校園網的接/WEB教務將一個WEB站點便于學生可以查詢情況和成績。另外，行政、學生健康中心和體育部也將各自一個B站點。3001個系統管理員（桌面支持）。另外，(WEB機或者數據管理系統的)1名系統管1IT機會成本的預測.各種不同風險類型(C表示性、I表示完整性而A表示可用性)在給定成本中所占的1給出。2y/Q8F1^7k)f*H,Task1:YouhavebeentaskedbytheRite-OnConsultingFirmtodevelopamodelthatcanbeusedtodetermineanappropriateandthetechnologyenhancementsfortheproperlevelofITsecuritywithinanewuniversitycampus.Theimmediateneedistodetermineanoptimalmixofpreventivedefensivemeasuresthatminimizesthepotentialopportunitycostsalongwiththeprocurement,maintenance,andsystemadministratortrainingcostsastheyapplytotheopeningofanewprivateuniversity.Rite-OncontractedtechnicianstocollecttechnicalspecificationsoncurrentusedtosupportITsecurityprograms.DetailedtechnicaldatasheetsthatcatalogsomepossibledefensivemeasuresarecontainedinEnclosuresAandB.Thetechnicianpreparedthedatasheetsnotedthatasyoucombinedefensivemeasures,thecumulativeeffectswithinandbetweenthecategories ity,integrity,andavailabilitycannotjustbeadded..H(_-F%U'p(Q6c7z1D+@#Theproposeduniversitysystemhas10academicdepartments,adepartmentofintercollegiateathletics,anadmissionsoffice,abookstore,aregistrar’soffice(gradeandacademicstatusmanagement),andadormitorycomplexcapableofhousing15,000students.Theuniversityexpectstohave600staffandfaculty(nonITsupport)supportingthedailymission.Theacademicdepartmentswillmaintain21computerlabswith30computersperlab,and600staffandfacultycomputers(oneperemployee).Eachdormroomisequippedwithtwo(2)highspeedconnectionstotheuniversitynetwork.Itisanticipatedthateachstudentwillhaveacomputer.Thetotalcomputerrequirementsfortheremainingdepartment/agenciescannotbeanticipatedatthistime.ItisknownthatthebookstorewillhaveaWebsiteandtheabilitytosellbooksonline.TheRegistrar’sofficewillmaintainaWebsitewherestudentscancheckthestatusofpaymentsandgrades.Theadmissionsoffice,studenthealthcenter,andtheathleticdepartmentwillmaintainWebsites.Theaverageadministrativeemployeeearns$38,000peryearandtheaveragefacultyemployeeearns$77,000peryear.Currentindustrypracticeemploysthreetofoursystemadministrators(sysadmin)persub-networkandthereistypicallyone(1)sysadmin(helpdesksupport)employee300computers.Additionally,eachseparatesystemofcomputers(forwebhostingordatamanagement)istypicallymanagedbyone(1)sysadmin .8T-@%JH6i*hThecurrentopportunitycostprojection(duetoIT)withnodefensivemeasuresisshownin1.Thecontributionofvariousriskcategories( ityIntegrity,andAvailability)toagivencostisalsoshowninTable1.來確定其最初的IT安全系統并定期對它進行更新。.M5x!i Q2Y)]8b:G任務3：為大學校長準備一個3頁左右的描述你在任務2中所建模型的么以及不應該推斷什么。"p3p'B3Y0H任務4：如果你為一家提供WWW搜索引擎的商業公司(例如YahooAltaVista,…)IT安全模型，解釋兩者在初始風險類型貢獻方面(1)可能存在的差異。你為大學建立的模型同樣適用于這些商業性公司嗎？!S+D:|/w;fj%choneynet提出建議.(校注:HoneynetProject是一個由獻身于的安全專業人員的非性研究組織.它創建于1999年4月,其全部工作就是開放資源(OpenSource)并與安全界共享.)5m9Z5C9r%K9]#y任務6：要想成為一個IT安全咨詢方面的者，Rite-On咨詢公司必須能夠有效地預見到的未來發展方向并能夠向其他公司提出如何應對未來風險的建議。在完成你的分析之后，為Rite-On咨詢公司的寫一份兩頁的備忘錄，的未來。另外，12和附錄12略]0D`8R7}$h9T+i9p26A.`;F!i4Q3k,U%Z/Task2:Weknowthattechnicalspecificationswillchangerapidlyovertime.However,therelationsandinteryamongcosts,riskcategories,andsourcesofriskwilltendtochangemoreslowly.CreateamodelfortheprobleminTask1thatisflexibleenoughtoadapttochangingtechnologicalcapabilitiesandcanbeappliedtodifferentorganizations.Carefullydescribetheassumptionsthatyoumakeindesigningthemodel.Inaddition,provideanexampleofhowtheuniversitywillbeabletouseyourmodeltoinitiallydetermineandthenperiodicallyupdatetheirITsecuritysystem.(u.h2o5m!G/c6Task3:Prepareathreepagepositionpapertotheuniversity