Heather D Makwinski

Q: Benefits and Risks of Outsourcing

A:
Benefits: Obviously one of the largest benefits of outsourcing IT services (and really any other kind of services) is the cost savings that can be gained. It is true that work can be done more cheaply elsewhere than in-house or even in-country. It is also saves time and resources (which again eventually turns into financial savings). It’s one less thing to keep track of, to train people on, to maintain, and to worry about. From an audit perspective, it may be one less thing that will need to be audited. In my business we don’t always directly audit outsourced services such as hosting provides. Instead we will review the SOC reports/SSAE16 reports and call it a day. That actually saves us and the business an enormous amount of work and time (which ultimately equals money). It also saves some stress.

Risks:
I think one of the biggest risks from a higher-level perspective is that you are trusting someone else with part of your company. Information that should stay confidential could be disclosed, systems could be breached due to a more lax approach to security and a lack of monitoring over that situation. Also highly worth mentioning are the communication issues. If you’ve outsourced your change management to a company in India but your other IT functions stay in-house, those two teams need to learn how to effectively communicate and work together despite working remotely and from a considerable distance (and time difference) away. There are cultural differences and language barriers that all come into play.

1. What are the benefits and risks of out-sourcing?

Benefits of Outsourcing:
Focus on core competencies
Ease of Scalability
Ease of Deployment
Lower personnel requirement
Save costs from infrastructure and hardware purchases/implementation
Lower costs for utilities

Risks of Outsourcing:
Data Security
Availability
Audit Capability
Regulatory Compliance
Confidentiality

2. What controls can be implemented to mitigate the risks associated with outsourcing?

Detailed and specific Service Level Agreements (SLA’s) can be implemented when contracting 3rd party services. The ability to audit controls, or agreement on a 3rd party external auditor under SOX 404, can provide assurances of controls to the business. Service metrics can be agreed upon to provide concrete availability measurements to ensure service levels are met at all times. Insurance policies can be purchased to provide coverage for any failures with data security that the business is responsible for.

3. Explain common SLA issues identified by auditors

– Key Performance Indicators are not properly identified or set at a proper minimum level
– Control frameworks are not properly specified when required
– Regulatory compliance specifications are not set, or not properly set
– 3rd Party performance level assurance not available
– Penalties not set for under-performance or failure to meet requirements of business
– No right to audit granted to business (may not be granted to businesses that aren’t large source of revenues)
– No right to audit 3rd party service assessments
– No clause prohibiting vendor from using the businesses data for its own purposes
– Non-disclosure clause missing
– Proper review by legal personnel not completed
– No formal policy for vendor selection
– No formal policy for SLA creation, maintenance, and/or updating

4. Outsourcing and SLA audit questions

– Is a proper policy set for vendor selection?
– Is a proper policy set for creating, maintaining, and updating SLA’s?
– Is the SLA reviewed by legal personnel prior to signing in agreement?
– Is the vendor audited by an external 3rd party independent auditing firm?
– Are results from independent service level assessment available for review?
– Do vendor personnel have access to the business’s internal network?
– How is the business’s data segregated from other companies data?
– Is encryption used for the business’s data at rest, in use, and in motion?
– What physical security processes are in place for where the data is stored?
– What logical security is in place where the data is stored?
– Does the vendor have a DRP and BCP in place? Is it updated?
– Does the vendor carry a current and properly valued insurance policy/bond?
– Does the vendor and SLA stipulate backup procedures?
– Are backups stored onsite or elsewhere?

1. What are the benefits and risks of out-sourcing?
Benefits: risk-sharing, reducing operational costs, specialized experts, concentrating on core process rather than the supporting ones, IT resources-sharing
Risks: dubious accessibility, loss of personal touch, substandard security protocols, risk of exposing confidential data, hidden costs, lack of customer focus.

2. What controls can be implemented to mitigate the risks associated with outsourcing?
by mitigating the risks associated with outsourcing, we need to consider a detailed study about vendors including current processes, customer references, rather than blindly believing the track record. Another way we can do is to require vendors to meet security standard and monitor with effective auditing, review and approve business continuity and disaster recovery plans of the vendor. if the vendor is international, we need to increase cultural awareness through specialized trainings to avoid the problems from cultural differences.
https://blogs.oracle.com/sathyan/entry/top_20_risks_in_outsourcing

4. Outsourcing and SLA audit questions
What service levels will you include in the SLA?
What, exactly, will each service level measure?
How will actual performance be measured?
What will the measurement period be?
What reports will the supplier provide?
How well will the supplier agree to perform?
Will the minimum and expected service levels change over time?
Will the SLA include service-level credits?
Will the supplier have the right to service-level bonuses?
What other options will the customer have in the event of service-level failures?

http://www.outsourcing-center.com/2014-07-ten-key-questions-for-developing-an-effective-service-level-agreement-63376.html

What are the benefits and risks of out-sourcing?
Benefits-Save Money
While companies that outsource IT services enjoy many benefits, saving money is one of the most compelling reasons for doing so. Outsourcing helps control capital outlay, especially in the early years of operations. IT services make up fixed costs for companies that do not outsource. Businesses that choose to outsource IT, whether offshore or through a local contractor, convert those fixed expenses to variable ones, freeing up capital for use in other areas. This makes the business more appealing to investors, since the company has more capital to funnel into areas of operations that directly produce revenues.

Risk-Loss of Personal Touch
An in-house network administrator becomes intimately familiar with the eccentricities and unique characteristics of the network he manages. Because of this, he is able to deliver results more efficiently, quickly and personally. IT outsourcing can never provide a personal touch that comes close to that of an in-house IT specialist. Many managers reject the thought of giving this up, even though they can save money by outsourcing.

What controls can be implemented to mitigate the risks associated with outsourcing?

Pick a transparent vendor with proven risk management processes.
There are a large number of vendors out there, and most will claim that they have risk mitigation practices in place. While you’re choosing your strategic partner, make sure to ask them how they have managed similar problems before.

Make sure your entire team knows what outsourcing entails.
Outsourcing is not a quick-fix. It takes time, and while you may have chosen the best vendor in the world, the project is still at risk of failure if your team does not know how to cooperate and communicate with your new team of remote professionals. Make sure the entire team knows what is going on, what outsourcing will bring, and what changes to expect. Offer some training before the outsourcing venture begins. Above all, make sure your entire team is on-board, not just the management.

Use appropriate communication channels.
Even when everyone knows how the outsourcing relationship is likely to proceed, there is a chance that an e-mail will go unread, a memo will be missed etc. There are many communication channels available, e-mail is an obvious one, but incorporate communication through channels such as Skype and GoMeeting. Also make sure to share information by setting up a common VPN or using a custom cloud solution. Pick two or three things that will do best
Resource： http://intetics.com/blog/outsourcing-risk-management-loss-of-visibility-and-control/

Explain common SLA issues identified by auditors
• Availability and timeliness of services;
• Confidentiality and integrity of data;
• Change control;
• Security standards compliance, including vulnerability and penetration management;
• Business continuity compliance; and
• Help desk support.

http://ithandbook.ffiec.gov/it-booklets/outsourcing-technology-services/risk-management/contract-issues/service-level-agreements-(slas).aspx

Outsourcing and SLA audit questions

• What audit worksheets are going to be used?
• Do you want the auditor to use your standard audit worksheets or are you are open to using theirs?
• What support is needed to monitor and track corrective actions that must be established?
• Will you want the auditor to follow up on corrective actions to verify effectiveness?

Outsourcing the Internal Audit Process

1) What are the benefits and risks of out-sourcing?
Benefits of outsourcing
• Better revenue realization and enhanced returns on investment
• Lower labor cost and increased realization of economics of scale
• Opportunity for innovation
• Frees management time, enabling companies to focus on core competencies
• Increases speed and the quality of delivery of outsourced activities
• Reduces cash outflow and optimizes resource utilization
The risks of outsourcing
• Possible loss of control over a company’s business processes
• Problems related to quality and turnaround time
• Sluggish response times coupled with slow issue resolutions
• Lower than expected realization of benefits and results
• Issues pertaining to lingual accent variation

The risks of outsourcing
• Possible loss of control over a company’s business processes
• Problems related to quality and turnaround time
• Sluggish response times coupled with slow issue resolutions
• Issues pertaining to lingual accent variation

Mitigation plan associated with the above risks :
• Well planned milestones, immediate deliverables along with appropriate documentation plan.
• Agreed upon standards and processes must be part of the binding contract.
• Flexible shits to respect time-zones and increased frequency of meetings.
• Increased cultural awareness through specialized trainings

Good explaining. Organizations use outsourcing as a strategic initiative to improve customer service, quality and reduce costs. Outsourcing can be a permanent or temporary arrangement to bridge the gap in staffing, to learn better quality techniques or improvement of faulty product design.

Explain common SLA issues identified by auditors

Too Complex. These documents are not usually short and precise in defining the services the supplier provide and the level of service the supplier and their customers agree on.

No measurements. If you do not have the technology and tool sets to track and report the timed-service events by responsiveness and resolution for the various severity level classifications, then SLAs will fail. Without continuous feedback on performance, the loop is incomplete and the SLAs become documents and nothing more.

Unrealistic management expectations. Often management does not acknowledge the amount of time needed to implement service level management, and therefore they do not staff it adequately. 

Unrealistic objectives and goals. Frequently, IT management and customers set unrealistic objectives and goals. This usually happens because there were inadequate measurements done prior to implementing the SLA.

4. Outsourcing and SLA audit questions

Are management requirements and expectations clearly defined in the contract?
Do policies regarding purchased services, and, in particular, third party vendor relationships exist?
Were vendor selection processes followed?
Do contract reviews and approval processes exist and were they followed?
Were existing contractual impacts considered?
Are customer service levels defined?
Are responsibilities of users and providers defined?
Does the outsourcer have adequate back-up procedures?
Are security requirements clearly defined in the contract?

What controls can be implemented to mitigate the risks associated with outsourcing?

• Adopt a thin-client approach which allows you to mitigate the risk while saying compliant to the Data Protection Act
• For organizations that outsource parts of their business, there is a risk of losing their core skills as they become more reliant on the outsourcing supplier. Keep control and retain influence over what you accomplish by Identifying and retaining your own special core skills and keep control of technical roadmaps and design.
• Carry out your end of the due diligence on site by working with the outsourcing supplier’s people to gain an understanding of their technical and procedural processes, and check the company’s controls are embedded in its processes. Specific control: ask suppliers to sign up to certain standards, levels of vetting for staff, level of physical security, and guarantees about how they run their operations. “occasional site visits at suppliers deemed to be high risk in order to evaluate their security and data protection controls”
• Gain an understanding of their technical and procedural processes and check the company’s controls are embedded in its processes in order to learn how to do what you outsource yourself. This mitigates the risk if something would happen to the company that you outsource the work to. Learn the process to understand where in that process flow something could go wrong, and if any of those steps are outsourced, what role suppliers may play in a failure.
• “Think strategically about their risk appetite for outsourcing certain functions” “Maybe their strategy is that they won’t outsource something because it’s just too risky. That’s a form of mitigation, too.”

• Sources:
• http://www.computerweekly.com/news/2240084219/How-to-mitigate-the-security-risks-of-outsourcing
• http://deloitte.wsj.com/cio/2012/07/10/it-outsourcing-4-serious-risks-and-ways-to-mitigate-them/

The Pros of Outsourcing
• Increased revenue and returns on investment
• Lesser labor cost
• Improved realization of economics of scale
• Knowledge base for better innovation
• More management time – enables management to focus on core competencies
• Increases speed and the quality of delivery of outsourced activities
• Reduces cash outflow and optimizes resource utilization
The Cons of Outsourcing
• Possible loss of control over a company’s business processes and activities
• Problems related to quality and turnaround time
• Sluggish response times and at times slow issue resolutions
• Shortcomings in performance
• Lower than expected realization of benefits and results
• Issues pertaining to lingual accent variation
• An irate customer base coupled with enraged employee unions

Source: https://www.flatworldsolutions.com/articles/pros-cons-outsourcing.php

Explain common SLA issues identified by auditors
• Availability of service;
• Unrealistic Expectations
• Too complex for general employees
• Resource allocation
• Micro management of agreement
• Process mismanagement
• Change control issues
• Compliance
• Confidentiality and integrity of data;

Outsourcing Questions:

1.Am I doing this because I want to simplify my life, or offer the market something new?
2.Am I doing this so I can “focus” on my “core” business?
3.How will this advantage me versus competitors? Would emerging competitors do this?
4.Can competitors do what I’m doing? Can this lead to a price war?
5.How will this make me more competitive in 10 years?
6.How will this make me more connected to markets?
7.How will this make me more flexible to deal with shifting markets, and how will I exploit this flexibility?
8.Am I doing this because I’m desperate to cut costs?
9.What could I be doing instead of outsourcing to be more competitive?

Source: http://www.forbes.com/sites/adamhartung/2010/09/30/outsourcing-right-or-wrong-9-key-questions/#13f8a077d124

Sean, you can also add to the list of benefit : risk sharing. In fact, outsourcing certain components of the business process helps the organization to shift certain responsibilities to the outsourced vendor. Since the outsourced vendor is a specialist, they can even plan the risk-mitigating factors better.

Sean one Risk of outsourcing that you could add would be that when you outsource, you risk losing touch with your processes and the skills that come with those processes that your company outsourced. One to cope with this risk is to stay involved and learn the techniques that the company you bring in employ to enhance your process.

Yulun, what do you mean by loss of personal touch? Do you mean loss of personal touch on the product, processes, activities, and workload?

I like how you put risk of exposing confidential data because the company you bring in to take over work may have access to your confidential data. Also, that company could use the expertise they learn from taking over your workload and processes to become a competitor.

Wenlin, you could also asks questions involving the quality of the work. Along those same lines, youc ould ask questions involving the benchmarks and goals that the company will reach. If they do not reach those goals, there could be penalties or a cheaper price to pay them. That way you can hold the company to a certain set of standards to the work that they will achieve for you.

I like the question you presented in “Will the supplier have the right to service-level bonuses?” Incentivizing the vendor to produce service levels beyond their minimum promised could be very beneficial to a business. The bonuses could even be more business conducted with the vendor as opposed to a traditional bonus of extra money. Even if the bonus levels aren’t hit, or aren’t hit constantly, it may be just the ticket to get a vendor to try and perform even better for a business.

Overall, I think due to the loss of control (real or perceived) when hiring an outsourced IT provider. It is important for businesses to put together an agreed-upon plan with their IT providers ( that the best way to mitigate outsourcing risk in my opinion). the plan can include :
Timelines for meetings
Updates and issues that the provider or business owner(s) might be having.
Any pertinent changes or inabilities with either party to help meet business and operational goals.
Identifying key staff to be in touch with the IT provider(s).

Wenlin , I like that you mention that companies should ” Pick a transparent vendor with proven risk management processes”. In fact, a way to eliminate some of the risk when hiring an outside IT provider is for a business to do their homework. Most IT provider will claim to ensure high quality, but where’s the proof? Organizations shouldn’t hesitate to speak with at least three-to-five of the IT provider’s clients, current and past. Past clients are especially important to speak with because they have nothing to lose by telling the truth.

What are the benefits and risks of out-sourcing?

Benefits of out-sourcing:
First of all, out-sourcing can significantly decrease the cost. For example, if a car manufactory wants to produce a new model of vehicle, it’s not necessary to produce every parts of the vehicle, but outsource some of them to other manufactories. Moreover, this can also save time for the company.

Risks of out-sourcing:
The most significant risk is the information security. Still using the example of the car manufactory, if it decides to outsource some parts of the specific model of vehicle, the company needs to share the designs of those parts to the outsourcers, which means the outsourcers are able to gain the design of the parts of the vehicle.

What controls can be implemented to mitigate the risks associated with outsourcing?

Risks:
1. Security breach including confidentiality, IP and trade secrets.
2. Infrastructure breakdown (software/hardware/network failure).
3. Poor selection of vendor.
4. Poorly designed disaster recovery systems/ processes.

Controls:
1. Require vendors to meet security standards and monitor with effective auditing.
2. Consider a detailed study about vendors including current processes, customer references etc.
3. Review and approve business continuity and disaster recovery plans of the vendor. Audit data from simulated disaster drills.

Source: https://blogs.oracle.com/sathyan/entry/top_20_risks_in_outsourcing

Explain common SLA issues identified by auditors

A service level agreement (SLA) is defined as a contract between a service provider and a customer. However, things can get confusing when creating an SLA policy if you’re not seeing it work as expected. For example, a newly created SLA policy may not apply to existing tickets, or an updated SLA policy is not applied to tickets already using that SLA. Also, the SLA may has some other issues like:

– SLA applied only to some tickets
– First reply time metric not working
– SLA not paused when ticket status is pending
– Target hours showing incorrectly

Source: http://www.ipa.ie/pdf/ServiceAgreementsReport_2014.pdf
https://support.zendesk.com/hc/en-us/articles/218161007-Troubleshooting-common-issues-with-SLAs

Outsourcing and SLA audit questions

– Are management requirements and expectations clearly defined
in the contract?
– Do policies regard purchase services, and, in particular,
third party vendor relationships exist?
– Do clearly defined benefits and business purposes exist to support
the decision to outsource?
– Do contract reviews and approval processes exist and were they
followed?
– Are transition plan, with completed requirements from all affected
Entities, completed?
– Are we compliant to warranty requirements?
– Are customer service levels defined?
– Are responsibilities of users and providers defined?
– Has outsourced function/operation allowed the customer service levels to be maintained or improved?

Source: Outsourcing, Audit program & Internal control questionnaire. www. Isaca.org

What are the benefits and risks of out-sourcing?

The benefits of out-sourcing:
– Fast assistance
– Expertise in that particular subject
– Cheaper (less employees, hardware, space, etc.)
– Focuses on competencies

The risk of out-sourcing:
-Risk sharing
-Substandard Security Protocols
-Out-sourced company’s objects align with companies
-Confidentially
-Accessibility

What are the benefits and risks of out-sourcing?

Benefits of out-sourcing

1. SAVE MONEY- I believe the greatest benefit of outsourcing is saving money, no matter which service are company out-sourcing. Outsourcing helps control capital outlay. In addition, outsourcing IT services to a company that specializes in business networks and support will alleviates some of its expense compare with businesses that perform operations internally.

2. FOCUS ON CORE OPERATIONS- Outsourcing allows company’s management to focus their energies on their competencies. It could be stressing when mangers have to split their energies between activities that engage prospective customers and concerns with operations outside of the core business objective.

3. IT RESOURCE SHARING- Outsourcing IT system and service create balance between small firms and large enterprises by sharing the IT resources. Often time small companies might not have the budget or resource that large companies have to implement IT systems and services they need.

Risks of out-sourcing

1. DUBIOUS ACCESSIBILITY- When there is critical system failures, the IT contractor might not be able to devote attention to the issues and resolve them right away. This will lead to loss of productivity and possibly decrease in revenue.

2. LIMIT UNDERSTANDING OF IT SYSTEM/SERVICE- Because the IT System and Service is outsourcing, the administrator is not able to deliver the results of the IT system implemented efficiently. There is lack of “personal touch”.

3. SUBSTANDARD SECURITY PROTOCOLS- Especially for offshore companies run from foreign countries, must confirm that the outsourcing company has strong security protocols. Some foreign country may not have laws to protect its intellectual property or other private data, so one should be very cautious in picking outsourcing company.

Source: http://smallbusiness.chron.com/benefits-vs-risks-outsourcing-services-2504.html

What controls can be implemented to mitigate the risks associated with outsourcing?

A: Some controls can be implemented to mitigate the risks associated with outsourcings:

-Research the outsourcing company in details including current processes, whether or not it has laws to protect its intellectual property or other private data (preventive control).

– Have recorded videos, tutorials, web casts to transfer knowledge to preventive inability to capture what outsourcing company has implement for the company (preventive control).

– When doing business with a foreign country, make sure to have some basic understandings of how that country doing business. Learn and increase cultural awareness is very important to avoid issues from cultural difference (preventive control).

– Visit the outsourcing company in timely basis to make sure everything is good in control (detective control).

-Review and approve Business Continuity of the outsourcing company, always have disaster recovery plans (corrective control).

Source: https://blogs.oracle.com/sathyan/entry/top_20_risks_in_outsourcing

Q1. What are the benefits and risks of outsourcing?

Some benefits of outsourcing include:
-Cost savings
-Resource savings
-Access to expertise
-Scalability
-Time zone advantage

Some risks of outsourcing include:
-Decline in product/service quality
-Protection of intellectual property
-Dependence on vendor
-Regulatory/Legal compliance
-Availability of product/service

Q2. What controls can be implemented to mitigate the risks associated with outsourcing?

-Research: A company should complete a detailed analysis of potential vendors for outsourcing, having an understanding of their offerings, costs, and history, so it can make an educated decision regarding where it wants to outsource.

-Service Level Agreement: A detailed and specific SLA can set the expectations and ensure that both parties are understanding and agreeing to the same thing. This can reduce quality and legal risks.

-Reviews: Timely and regular reviews of third-party vendors and outsourced operations can help ensure that performance measures are still being met and that a company can still confidently do business with them.

Ariana, I agree that a vendor’s security processes should be one of the largest concerns for a company that is outsourcing parts of its business. This is why extensive research before selecting a vendor is crucial. A company should talk to past and present clients to understand their experiences. In addition, if there were security issues in the past, a company should discuss them with the vendor to see what changes have been made after the fact to strengthen security.

In addition to reviewing the vendor’s business continuity and disaster recovery plans, I believe the company doing the outsourcing must also ensure it has its own BC/DR plans. The difference between the two would be that a company’s business continuity and disaster recovery plans would focus on the required course of action if a vendor were to cease operations long-term (or even permanently). While the probability of such a thing is usually low, there is still a chance that a vendor can stop operating due to events unforeseen by one or both parties (e.g. going out of business, environmental disaster, terrorist attack, etc.).

Wenlin, I really like the second control you mentioned. As with any business relationship, outsourcing success is dependent on the cooperation of both parties. Training for employees on the various issues that can result from outsourcing, such as remote collaboration and cultural differences, should be started before outsourcing begins. This will allow for a smoother transition and can remove some of the obstacles to a good working relationship.

What are the benefits and risks of out-sourcing?
The benefits of outsourcing are mainly cost savings, potential increased efficiency, in addition to offloading outsourced services to skilled providers.

The outsourcing risks are:
– All the compliance risks the business manages with in-house service will still be managed with outsourcing vendor.
– Outsourced Application/Infrastructure/Network in terms of availability/updates/Security/backup/restore risks

What controls can be implemented to mitigate the risks associated with outsourcing?
– Establish agreed upon SLA including availability, outage events handling procedure.
– Establish process for regular communication particularly when outsourced application experience availability/security events.
– Establish confidentiality agreement and Non-Disclosure Agreement (NDA) to protect enterprise data handled by outsourcing vendor.

Explain common SLA issues identified by auditors
– SLA may not clearly document expected availability, performance, response time, location of data, issues resolution process, and other measurable quality of services metrics.
– SLA may not document infrastructure and security standards used by outsourced vendors.
– SLA may not be in line with enterprise business goals.
– SLA may not define all compliance requirements that outsourcing vendors have to comply with, process to communicate yearly compliance updates.
– SLA may not have exit process to move outsourced services to another provider should business decide to move with another vendor.
– How to independently measure SLA for internal reporting as opposed to SLA numbers provided by outsourcing providers.
– SLA may not provide details on governance processes like Change Management, BCP , DRP.

Outsourcing and SLA audit questions
– Do you have business management expectations defined in SLA agreement?
– Does business have internal policies on how to manage SLA risks?
– Does the outsourcing contract include expected availability, performance, response time, location of data, issues resolution process and other measurable quality of services metrics.
– Were there any transition plan to outsourcing provider and exit process.?

What are the benefits and risks of out-sourcing?

Benefits

* Can save money
* Control expenses
* Access to capabilities not internally available
* Focus on core operations
* Use IT resources on closer to business functions
* Access to first rate software/capabilities
* Share risk

Risks

* Loss of business/institutional knowledge
* Accessibility
* May not be ass familiar with system or business
* Substandard security/procedures
* Regulatory compliance
* Sub-contracting
* Some functions cannot be outsourced

Sub-contracting can be another important issue to consider when outsourcing. It would be important to know if and whom the contractor might hire. There may be some areas that are sensitive and would not be appropriate to outsource a second time, or the contractor may not be reliable. It would be important to research and find out any sub-contracting policies.

The benefits of outsourcing are:
• Increased control of your business
• Increased efficiency and productivity
• Ability to streamline business operations
• More flexible to change
• Reduced operational costs
• IT resource sharing

The risks of outsourcing are:
• Hidden costs, for example, legal costs while signing contracts between companies
• Misunderstanding the contract
• Renewing contracts
• Product or service quality may suffer therefore customer service may be affected
• Transition phase may fail if schedules and budgets are not reached
• Potential redundancies may occur affecting the quality of work by employees

What are the benefits and risks of out-sourcing?
Benefits
-Cost saving for the company since instead of using their own resources or money to buy equipment, they are outsourcing to an outside company to do it. That way they are saving on storage, equipment, personnel, electricity etc. They are then able to invest that money into something else. Outsourcing companies can provide the service they need and if they outsource to companies overseas then they could be saving a lot more money but also help people in those countries get jobs.

Risks
– Access to companies personal information is a huge risk factor when working with outsourcing companies. Companies are providing information and outsourcing firm employees are able to access information within the company and if there are no measures in places or barriers establish to limit what they are able to get access to, then that could be a huge issue. They would be able to access information and even change information in the system. There is also the risk of leaking personal information about the company early which could cost the company money. Those are some of the risk factors that comes with outsourcing to an outside company.

What controls can be implemented to mitigate the risks associated with outsourcing?
Access controls can help mitigate the risk associated with outsourcing. Specifically the access controls that provide users authority to be able to make changes to certain databases. I remember when working as an Associate App Developer I would have to submit a request to access certain databases and it would have to get approved by 4 different managers before I received access. So putting a control like that in place for outsourcing companies will reduce the risk of them getting access to companies personal information. They will get access to what they request and if there are any changes, then you know who had the access and who made the changes so there is a paper trail in place also. This will greatly reduce the risk.

What are the benefits and risks of out-sourcing?

Benefits:
1. Save money, manpower and time
2. Can focus on core operation
3. Swiftness and Expertise

Risks:
1. Risk of exposing confidential data
2. Have to deal with the relationship with the outsourcing partner
3. Lack of expertise in the long term
4. Quality service

What controls can be implemented to mitigate the risks associated with outsourcing?

In case of pool outsourcing vender selection, they company can conduct a detailed study about the vendors about current processes, customer references. They have to select the best quality outsourcing vendors since they are performing important business. Furthermore, data breach may often happen to outsourcing partner, it is especially significant for them to meet the security standards and monitor with effective auditing. Companies should also increase the awareness about region specific laws and regulations to better plan to incompatibilities and allowable trade offs to mitigate legal and regulatory risks.

Explain common SLA issues identified by auditors

A service-level agreement (SLA) refers to a contract between a service provider and its internal or external customers that documents what services the provider will furnish and defines the performance standards the provider is obligated to meet.

the issues identified by auditors:
1. Confidentiality, Integrity and availability of service provided by SLA
2. compliance issues

What are the benefits and risks of out-sourcing?

Outsourcing is the transfer of specific business processes from one organization to another organization specializing in that business process. Most organizations cannot handle all aspects of a business process internally due to lack of expertise or high operating cost. Once the task is outsourced to the service provider, it will take the responsibility of carrying out the tasks and maintaining the business process.
However before outsourcing any component of your business, it is important to understand the advantages and disadvantages of outsourcing.

Benefits:

Expertise – Vendors that provide outsourcing service usually specialize in that field. They have specific equipment and technical expertise that are usually better than the outsourcing organization. This enables them to complete that business process much more effectively, efficiently and at better quality.

Focus on core process rather than supporting process –By outsourcing supporting process, the organization can focus more time and resources on improving their own core business that actually helps raise their revenue.

Risk Sharing – Outsourcing helps shift certain responsibilities to the outsourced vendor. Since they are specialists, they should be able to plan risk mitigating factors better.

Reduced Cost – Operational and recruitment cost can be reduced since the organization does not have to hire and operate in-house.

Disadvantages:

Risk of exposing confidential data – An organization will have to expose confidential company data if the outsourced business process that requires those information.

Potential setbacks – Sometimes, organizations may choose the wrong vendor. This can lead to unsynchronized time frames, low quality output and mix-up in responsibilities.

Lack of customer priority – Often times, outsourcing service vendors have multiple organizations that they cater to at a time. They focus their attention on the bigger clients instead of their smaller ones.

You listed risk sharing as a disadvantage of outsourcing. Based on the sources I read, risk sharing is listed as an advantage instead. Outsourcing helps shift certain responsibilities to the outsourced vendor. Since they are specialists, they able to plan risk mitigating factors better. Obviously, this varies based on vendors as some are better than the other but ideally, that should be the case.

What controls can be implemented to mitigate the risks associated with outsourcing?

Inadequate outsourcing vendor – Conduct proper research on vendors before selecting an outsourcing partner

Misalignment of process and quality standards – An agreed upon standards and processes must be part of the SLA contract.

Security breach – Require vendor to meet security standard and monitor with effective auditing in SLA

Explain common SLA issues identified by auditors

– There are no proper Key Performance Indicators so the service provided cannot be monitored or audited.
– There is a lack of control frameworks which expose the organization to threats
– There are no penalties set for under-performance or failure to meet requirements of business
– No agreement of confidentiality that prohibits vendor from using the businesses data for its own purposes or exposing the data.
– Lack of formal policy for SLA updates.

Outsourcing and SLA audit questions

Does the SLAs adequately evaluate the effectiveness of the services to be delivered by the vendor?
Does the SLA have quantitative and qualitative metrics that measures the effectiveness of the service? Are they reasonable and measurable?
Is there a clearly defined customer service level?
Is there a required level of security control?
Are there penalties for under-performance or failure to meet requirements of business?
Is there a confidentiality agreement?
Is there a formal SLA update policy

Hi Wenlin,

I am on the fence about the risk of loss of personal touch. Usually, the business process that is outsource are the supporting processes. These processes are definitely essential to run the business but are limited on how much “personal touch” can be placed on these units. By outsourcing these processes, companies can focus on their core business process where “personal touch” plays a much bigger factor.

Wenlin, not sure if I also agree with you on the personal touch for the risk of out-sourcing. It is different and I can see where you are coming from but saving cost is what companies are mostly after and it is true, you can build it in house but that would take tremendous time and will cost the company in all areas. Outsourcing would help reduce those cost and time. I remember working as an Associate App Developer and the company had outsource some of the jobs over to India and that helped a lot with saving them on cost. They were able to provide customer help at all times of the day and while those of us sleep during the night in the U.S., those outsource resources are up working.

Wen, I liked your first point for the risk-outsourcing and how its dubious accessibility. When working as an Associate App developer I faced an issue like that. The outsource team had a project sign out and I needed access to it and also needed to know exactly what they have change to it. I couldn’t get in touch with them since they were sleeping since it was a different time zone. My work got delay since the Administrator was not able to sign the project over to me and I could not work on an old copy since the changes the outsource member made might have been needed. So I had to work on something different and it delay my project time because of these issue.

Good questions Alex!

I think all the questions you suggested help the auditors determine the conditions, pros and cons of the SLA. And I especially like the one that asks the back-up procedure of the outsourcer because if they don’t have it, it would be a risk for the company.

Outsourcing and SLA audit questions

How will actual performance be measured?
How frequent should we review the outsourcing performance?
What does outsourcing cover?
Cost, risks, time period, working hours, contract terms
Outsourcing vendors and location

What are the benefits and risks of out-sourcing?

Benefits:

Expertise
Risk-sharing
Reduce costs
Focus on core competencies

Risks:

Confidentiality
Integrity
Availability

What controls can be implemented to mitigate the risks associated with outsourcing?

First of all, the company should research all vendors and choose the one that fit the best to the company. Then, the company should require the vendor to meet security standards and monitor the vendor with effective auditing. It can also review and approve Business Continuity and disaster recovery plans of the vendor.

This is over simplified, but I admittedly struggle with the complexity of this. Quantum computing in general brings so much more computing power to the table. It’s the ability to compute mathematical problems and algorithms quicker. This could be used to crack existing cryptography quicker or create more complex algorithms to encrypt data. I agree with Anthony’s point. The fact that this is known and security professionals are working on solutions is important and a good sign.

Quantum computing has many benefits, but it could also undermine the cryptographic algorithms. Unlike conventional computers, which require data to be encoded into binary digits (bits) with values of either zero or one, quantum computers use quantum bits (qubits), which represent both zero and one values. If these qubits are separated while acting as though they are still connected, it can provide a huge amount of simultaneous output.

The obvious benefit of Quantum computing is that it breaks existing computer’s calculation power limitation and creates a computing power allowing to process a massive amount of data within very short period of time. In the context of cryptography world, if quantum computing is fallen into hands of malicious hackers, it would provide opportunity for them to break any encrypted information extremely fast and therefore defeat whole purpose of cryptography.

Quantum computing promises to be one of the most transformative innovations of the 21st Century, and actually, many companies such as Microsoft and IBM are investing a lot of money and resources into bringing it to the world at a full speed. It is predicted that in about 10-20 years, Quantum Computing will be fully introduced into the society and used at global scale for research, testing, analysis, hacking and hardening.

Given the benefits and risks of Quantum Computing, while it is so powerful by its nature, it can be used for breaking IT security; however, it can also help to create a whole new universal cryptography algorithm that might be impossible to break and perhaps be a single problem solver for the entire IT space.

Anthony,

Thanks for the detailed explanation and sources. As someone who (regrettably) didn’t do so hot in many of his math classes, this week’s Cryptography topic has been a challenge to learn. Between your post and some YouTube lectures I found, I think I have a better understanding.

For others, here are the videos I found:

– https://www.youtube.com/watch?v=vNV_3PkA9WM (How To Break Encryption – Defeating The Hackers – BBC; 3:44)
– https://www.youtube.com/watch?v=wF-BWgnpYmI (Quantum cryptography: basics and technology with Vadim Makarov; 50:00)

Quantum computing studies quantum computers that make direct use of quantum-mechanical phenomena, such as superposition and entanglement, to perform operations on data. Traditional binary electronic computers are based on transistors, and use electronic current to turn on or off circuits to encode bits. They render data in binary bits that can only be one of the two states, 1 or 0, on or off. For example, there are four combinations for 2 bits, 00, 01, 10 or 11. They can be any of those positions and be only in one of them at a time. However, quantum computers can use qubits by using a single electron. Unlike a digital circuit, an electron can be doing many things at once. When you measure the electron, it actually doing both at the same time. It doesn’t have a defined state, and therefore, qubit doesn’t have to be either 1 or 0, and it can be any proportions of both states at a time as long as it is unobserved. That means for 2 bits, they can be 00, 01, 10, 11, all of these positions at once. This is called superposition. Therefore, qubits can carry more information than bits before it is measured. The values that qubits can carry equals to 2n bits, where n is the number of qubits used. That means quantum computers can carry out multiple computations at once, and the uncertainty around quantum states allows us to encode more information into a much smaller computer.

Quantum computers will shorten the calculating and computing time by doing multiple computations at a time. At the instant a qubit is measured, it collapses into one of the definite states, like a bit, either 1 or 0. All the other information about the states before the measuring is lost. That means a 2-qubit combination can only be one of the values, 00, 01,10, or 11 when it is measured. What we need to do is just to design a logical operation to get the final computation result you need. Therefore, quantum computers can be used for searching for needed information in a database. A traditional computer may have to test every single one of the entries to filter out unneeded information and keep needed information. It usually takes a long time, especially for a large database. However, quantum computers need only the square root of that time to screen all the entries, pick out what we need and just show the final results to us. However, fast is not always a good thing, especially for IT security because it’s fast to you also means that it’s fast to hackers and attackers. Right now your email and banking data is being kept secure by an encryption safety system in which you give everyone a public key to encode messages that only you can decode. The problem is that this public key can actually be used to calculate your secret private key. Luckily, doing the necessary math on any normal computer would literally take years of try and error, but a quantum computer with exponential speed up could do it much faster. On the other hand, quantum computers are not fast all the time. A qubit will collapse into either 1 or 0, and that means other values the qubit carried will not be available when it is measured. Therefore, it actually does not speed up things like watching a video or browsing internet that requiring every piece of data. In these cases, a qunit is equal to only one bit and quantum computers maybe even slower than traditional ones. Quantum computers can be only used in the situation that all the quantum superposition available at the same time to do same parallel computing. That’s also why quantum computers cannot replace traditional computers.

Refernces: https://www.youtube.com/watch?v=JhHMJCUmq28

Quantum computing in simple words is something that allows a particle to be both a zero and a one at the same time. Quantum cryptology depends on physics, not mathematics.
Quantum cryptography uses photons to transmit a key. Once the key is transmitted, coding and encoding using the normal secret-key method can take place.
But question comes how photon can be used to assign data so this is where binary code comes into play. Each type of a photon’s spin represents one piece of information — usually a 1 or a 0, for binary code. This code uses strings of 1s and 0s to create a coherent message. For example, 11100100110 could correspond with h-e-l-l-o. So a binary code can be assigned to each photon — for example, a photon that has a vertical spin can be assigned a 1 and horizontal spin as o .
Since this method uses physics instead of math to create the key used to encrypt the data, there’s little chance it can be cracked using mathematics.
It has certain flaws the original quantum cryptography system, built in 1989 by
Charles Bennett, Gilles Brassard and John Smolin, sent a key over a distance of 36 centimeters . Since then, newer models have reached a distance of 150 kilometers (about 93 miles). But this is still far short of the distance requirements needed to transmit information with modern computer and telecommunication systems and additionally quantum mechanics can make codes to break this cryptography .

http://science.howstuffworks.com/science-vs-myth/everyday-myths/quantum-cryptology.htm

How Quantum Computing Will Change Cryptography

I think even today I need more than just one paragraph to discusses quantum computing. Quantum computing is one of the resources in the toolkit of cryptanalysts. Quantum computing is based on physical quantum properties to perform operations, which behaves differently than the electronic properties we are used to finding in today’s computers and its basic unit of information, instead of bit, is called quantum bit or qubit. It started to be used in theoretical attacks against cryptosystems back in 1994, when Peter Shor published a quantum algorithm to find the prime factors of a given integer.
In 2006 the first PQCrypto Conference was hosted, bringing together researchers to look for secure alternatives against quantum computing attacks. At the time, some alternatives were already at hand, such as McEliece encryption (1978), and ever since many programs to fund research in PQCrypto have been launched. To many organizations and professionals, post-quantum computing represents a chance to rebuild their systems from scratch. The causes for the restart may be specific to an enterprise’s reaction to quantum computing, but they are already showing up. The post-quantum cryptography (PQC) landscape is where we are all heading, whether we want to or not.
There is a decline in the use of public-key algorithms, such as RSA and Elliptic Curves. In cases like symmetric crypto and hash functions, the current parameters will have to be revisited to ensure that they stay secure in a quantum world. This shift to modern algorithms should happen transparently to end users; however, whoever is responsible for development or configuration of security applications should be ready for the coming changes – in particular, those who support these functionalities in legacy systems.
As of now, new hope seems to be the most reliable method for in-transit document protection, if only because it uses well-examined, longstanding concepts. A long-term problem remains, however: methods will have to change and evolve. Underlying assumptions will vary as practical quantum computers arrive and quantum-flavored zero-day exploits emerge. Finally, if you expect long-term security for your information, then you should start looking for alternatives or planning for these changes right away. Adversaries who cannot overcome the security of your information today, by decrypting your data or forging your signature, can nevertheless keep a record of the data until they have quantum computers, at which point their attacks will succeed.

link: http://www.welivesecurity.com/2016/06/14/quantum-computation-cryptography-armageddon/

Running into an issue with Practical Assignment 5.2

The final step of this section where we are supposed to use our private key to decrypt the .enc file that is a combination of our userID and a partner’s userID I am given the following error.

“unable to load Private Key”

I am using the following command

1. openssl rsutl -decrypt – inkey .pem -in _.enc -out decrypted.text

where and are not literal

Anyone else having issues?

Oops I guess it doesn’t like “” brackets.

I am using myuserID.pem and trying to decrypt myuserID_theiruserID.enc

Quantum computing uses quantum physical properties to perform operations at a substantially faster rate than any computer would be able to perform today. In traditional computers transistors are either switched on or off (0 or 1), in quantum computers there are an infinite number of states that the “transistors” could undergo. Ultimately, this allows quantum computers to be significantly more powerful than computers are today. This can cause issues however for IT security since much of the security around encryption technologies are based around how long an algorithm can be cracked. If quantum computer would to become mainstream these computers could crack algorithms that would once take thousands of years to maybe only a couple years. Many cryptographers have already started creating new algorithms in the preparation that quantum computers become mainstream. Post-quantum cryptography research is focused on six approaches: lattice-based, multivariate, hash-based, code-cased, supersingular elliptic curve isogeny and symmetric key quantum resistance. It is estimated that in 20 years quantum computers will be available as mainstream, which is why many cryptographers are racing to figure out how to alter cryptography to prevent quantum computers from cracking algorithms quickly.

https://en.wikipedia.org/wiki/Quantum_computing
https://en.wikipedia.org/wiki/Post-quantum_cryptography
http://www.cio.com.au/article/444610/quantum_computers_will_commercially_available_20_years_scientist/

Encryption being used to store state secrets is a really good point, Mushima. Matthew Green, a computer scientist from Johns Hopkins Information Security Institute, predicts that practical use of quantum computing is still 15 to 30 years away. This will mean that most data currently being encrypted by ‘old’ encryption methods that rely on factoring today, won’t need to still be encrypted when quantum computing becomes viable, but state secrets and other government information will still need to be confidential 30 years from now. This also highlights why we need to start moving away from ‘old’ encryption methods now, instead of waiting until quantum computing is viable. The linger we continue to use the ‘old’ encryption methods, the more likely that something that needs to be protected after quantum computing is viable will be vulnerable.

The NSA plans to change the encryption being used on government and military data to one that can withstand quantum computing. I found an article that claims that lattice-based schemes are the most promising but the Government Communications Headquarters (GCHQ), Britain’s version of the NSA, says the most efficient lattice-based schemes are vulnerable to attack. They say that some security holes were left as the scheme was slowly made more efficient.

http://spectrum.ieee.org/tech-talk/computing/hardware/encryptionbusting-quantum-computer-practices-factoring-in-scalable-fiveatom-experiment

The Tricky Encryption That Could Stump Quantum Computers

Quantum Computing Vs. Traditional Computing

Traditional computing does two things really well, store numbers in memory and process the stored numbers with simple mathematical equations. Both processes are done using switches known as transistors. The transistors has two states {on,off} which are stored as binary digits (bits) of 1’s and 0’s. A computer can have up to two billion transistors inside of a single chip, allowing it to store and process more bits. According to Moore’s Law – the power of computers doubling roughly every 18 months is becoming more difficult to achieve because the relative size of today’s transistors are the size of an atom.

Quantum Computing
Quantum-computing looks at the behavior of transistors in an entirely different light. As the size of transistors becomes more atom-like, it behaves differently. It has more different properties, to allow it to store more values than just 1’s and 0’s. A qubit, analogous of bits in traditional computing, is capable of storing 1’s, 0’s, both 1’s and 0’s, or an infinite number of values in between and in different states at the same time. This idea allows quantum computers to store and process millions of time more than traditional computing.

Impacts on cryptography
Most encryption have their basis in prime factoring from public key encryption. With a traditional computer, multiplying two large prime numbers can be done rather quickly, but factoring requires more processing power. Since traditional computers can only do one thing at a time, it has to go through each combination of factors that would give it the correct value which would require a large amount of time to compute. This is why it is impractical to crack today’s encryption, With Quantum computers, these factoring can be down in parallel, meaning it can test more than one (perhaps millions) combination at a time. If quantum computers could indeed factor large prime numbers (basis of PKI), millions of times faster than today’s computer, than today’s encryption methods will become obsolete.

When the Kerckhoff’s Principle states that a cryptosystem should be secure even if everything about the system, except the key, is public knowledge, I think all is needed is to really keep the key secretly private without sharing it with public. For example, PKI concept and principles of operation are known by public, but cryptography key is known only to individual who has the private key. Given the algorithm complexity, it is almost impossible to break the algorithm unless an attacker posses the private key of end user.

Open protocols are critical to be known by public if it is used worldwide by majority of information systems for communications and data exchange. If everyone is using the same protocol when designing software or devices, then all systems will work properly since everyone follows standard development process. Also, professionals in internet community can analyze protocols and provide contribution to further influence better protocol design or fix vulnerabilities. As long as crypto keys are secured, encryption is not broken.

With proprietary algorithm, when companies develop custom software, OS or system with their own proprietary encryption algorithm, they may state that their protocol is secured because no one knows how algorithm works and therefore no one can break it. Actually, someone will always break the algorithm concept, because there is always weakness in the algorithm. In the example of Apple’s OS, the algorithm is proprietary and Apple did not allow FBI to know how to break it; however, a third party company in Israel broke the algorithm mechanism and decrypted the data. So, “never trust proprietary algorithms” is true statement and these type of companies should be ignored unless there is a big reason of accepting it. Proprietary algorithm create incompatibility and a huge obstacle when trying to integrate with other systems.

Good crypto algorithm should be designed so that even if algorithm concept is known, but the encryption is still secured. The strength of algorithm is in the secrecy of the key and never based on secrecy of the algorithm itself.

Ruslan,

Thanks for your post and examples. It really helped me understand Kerckhoff’s second principle: cryptosystem should be secure even if everything about the system, except the key, is public knowledge. If I understood correctly, then the importance in any cryptosystem is the “private” key and not the algorithms or protocols required for communication. In a sense, knowledge of proprietary or public algorithms does not necessarily cause any harm. Only when the private key is compromised is where there is a point of concern.

What are the advantages of VPN?

There are many advantages of VPN. From a security perspective, virtual private networks offer a higher level of protected communications unlike other remote methods of communication. This is because advanced technologies are used to protect the network from any unauthorized access. From a cost perspective, when it comes to operating a VPN within an organization the costs are lower than other types of configurations. This is because the lack of variables for different types of communications over the VPN and the opportunity to communicate securely at the low cost in other areas of the world. Essentially, VPN is a popular technology which offers more flexibility for business associates to communicate over a secure connection without sacrificing security.

What is OSI model? What’s the main function of each OSI layer?

The Open Systems Interconnection (OSI) model is comprised of seven layers:
-Application: partners are identified and network capacity is assessed. This layer is not directly the app itself, more of a set of services the app should use. However, some app may perform app layer functions directly.
– Presentation: a part of an OS and converts incoming and outgoing data from one format to another
-Session: sets up, coordinates and terminates conversations sessions, usually by authentication and connection
-Transport: packages data in order to deliver while checking for errors
-Network: handles the addressing and routing of the data via IP addresses over the internet
-Data Link: links data across the physical network, which consist of 2 sublayers: Logical Link Control Layer and the Media Access Control Layer. However, Ethernet is the main data link layer in use.
-Physical: It provides the streaming of data; the hardware means of sending and receiving data on a carrier network.

The main focus of the OSI reference model is guide vendors and developers so the digital communication products and software programs interoperate. The main concept of OSI is that the process of communication between two endpoints in a telecommunication network can be divided into seven distinct groups of related functions.

Source: http://searchnetworking.techtarget.com/definition/OSI

What are the advantages of VPN?

Virtual Private Network (VPN) is a network created between you and what you access. VPN tunnels your location and encrypts your data. This acts as a cognition- no one else can see, control or influence your activity. As you can image there are many advantages of VPN.
– Hiding/ changing your IP address: Changing your IP will help you not only to unblock restricted websites, but also to hide your identity and protect your personal data from being stolen.
– Privacy: Because of encryption, VPN keeps all your Internet activity private, far from any unwanted eyes.
– Security: VPN creates a safe connection between you and the servers. This protection is really hard, almost impossible to break.
– Unblock geo-restricted sites: I know while studying abroad in Spain, I had no access to Netflix. VPN’s allow you to the possibility to access geographically blocked sites from anywhere in the world.

What is OSI model? What’s the main function of each OSI layer?

Open Systems Interconnection (OS) is reference model for how applications can communicate over a network. It guides vendors and developers so the digital communication products and software programs they create will work together without special effort on the part of the customer. OSI also facilitate clear comparisons among communications tools.

It has 7 layers of communication provided by a combination of applications, operating systems, network card device drivers/ enabling a system to put a signal on a network cable or out over Wi-Fi.

The seven layers and their main function, in descendant order are as follow:

Application: responsible for network services to applications

Presentation: transform data formats to provide a standard interface for the Application layer

Session: establishes, manages and terminates connections between the local and remote application

Transport: provide reliable transport and flow control across a network

Network: responsible for logical addressing and domain routing

Data link: provides physical addressing and media access procedures

Physical: defines all the electrical and physical specification for devices

Q2: What are the advantages of VPN?

A VPN is one solution for many organizations/businesses to establish a long-distance and secured network connections. Compared to other technologies, a VPN has several advantages which are cost saving and scalability. For the cost-saving perspective, a VPN can is beneficial in eliminating the need for expensive long-distance leased lines, reducing long-distance telephone charges, and offloading support costs. A VPN is no longer requiring organizations to rent network capacity such as T1 lines to fulfill their secure connectivity between their office locations. With a VPN, you can utilized existing public network infrastructure including the internet to make these connections. A VPN also can replace remote access servers and long-distance dial-up network connections commonly used in the past by business travelers needing to access to their company intranet. For example, with an Internet VPN, clients need only connect to the nearest service provider’s access point that is usually local. With VPNs, the cost of maintaining servers tends to be less than other approaches because organizations can outsource the needed support from professional third-party service providers. These providers enjoy a much lower cost structure through economy of scale by servicing many business clients.For the scalability perspective, Internet-based VPNs avoid this scalability problem by simply tapping into public lines and network capability readily available. Particularly for remote and international locations, an Internet VPN offers superior reach and quality of service.

Source: http://compnetworking.about.com/od/vpn/f/vpn_benefits.htm

VPN is a technology which creates a virtual private network to which end users are connected via an encrypted channel.

Its main advantages are as below:

Ensure security – even if the communication channel is compromised, you cannot be harmed or the harm will be minimal if you are connected to a VPN because the VPN connection is encrypted and cannot be decrypted and thus read.

Protect your privacy – with VPN whenever you visit web sites, listen to radio, chat, etc. you will be identified with the VPN provider, i.e. his IP address, location etc. Your own IP address and personal details will remain hidden.

Allow access to restricted resources- VPNs have multiple points of presence in different geographic regions. The fact that you are identified only with the VPN provider allows you to circumvent any geographical restrictions.

Better internet connection

Excellent post, Magaly. Additional Point… Don’t try setting one up at work to circumvent network security; you’ll likely get in trouble.

Q1: What is OSI model? What’s the main function of each OSI layer?

The OSI Model = the Open Systems Interconnection Model

7 Layers of the OSI Medel:

1. Physical (Layer 1) – OSI Model, Layer 1 conveys the bit stream – electrical impulse, light or radio signal – through the network at the electrical and mechanical level.

2. Data Link (Layer 2) – At Layer 2, data packets are encoded and decoded into bits. It furnishes transmission protocol knowledge and management and handles errors in the physical layer, flow control and frame synchronization.

3. Network (Layer 3) – Layer 3 provides switching and routing technologies, creating logical paths, known as virtual circuits, for transmitting data from node to node.

4. Transport (Layer 4) – Layer 4 provides transparent transfer of data between and systems, or host, and is responsible for end-to-end error recovery and flow control.

5. Session (Layer 5) – This layer establishes, manages and terminates connections between applications.

6. Presentation (Layer 6) – This layer provides independence from differences in data representation by translating from application to network format, and vice versa.

7. Application (Layer 7) – Layer 7 supports application and end-user processes. Communication partners are identified, quality of service is identified, user authentication and privacy are considered, and any constraints on data syntax are identified.

Source: http://www.webopedia.com/quick_ref/OSI_Layers.asp

According to TechTarget.com, the OSI model is: is “a reference model for how applications can communicate over a network. A reference model is a conceptual framework for understanding relationships. The purpose of the OSI reference model is to guide vendors and developers so the digital communication products and software programs they create will interoperate, and to facilitate clear comparisons among communications tools.”
The OSI Model has seven layers:

The physical layer focuses on the transmission and reception of the unstructured raw bit stream over a physical medium.

The data link layer allows the data frames to transfer from one node to another over the physical layer. The data link layer makes sure that layers above it has error-free transmission.

The network layer factors in network conditions, priority of service, and other factors to decide which physical path the data should take. The network layer overall is responsible for the operation of the subnet.

The transport layer makes sure that messages are delivered in sequence, with no losses, duplications, or errors.

The session layer allows session formation between processes running on separate stations.

The presentation layer formats the data to be presented to the application layer.

The application layer serves as the window for users and application processes to access network services.

source: http://searchnetworking.techtarget.com/definition/OSI;
https://support.microsoft.com/en-us/kb/103884

What are the advantages of VPN:

The advantages depend on what you use VPN for. Most businesses use VPN for: allowing remote workers (which saves the company money), branch offices, partners, and distributors. Today, some businesses use VPN to form a single secure private network by connecting different cloud providers.

Laly – Great advantages answer. I think a lot of your advantages depend on that proper planning that is needed in order to take the proper precautions that result in strong security.

Another disadvantage of a VPN is that VPN requires experienced employees that have knowledge with public networks security, password and data encryption, network address encryption,

VPN also has issues with availability and performance because VPN is difficult to control. VPN tends to have speed much slower than a traditional connection.

I will say that VPN is used when people attempt to secure their Internet connection to maintain anonymity while browsing. I know this post is about some disadvantages but I do believe taht VPNs are most positive when secured correctly and when an individual would like to secure network accesses.

What are the advantages of VPN?

A virtual private network (VPN), is a network that is constructed by using the Internet to connect to a private network, such as a company’s internal network.

The advantages are as follow:
– Enhance security as the data are encrypted
– Remote control as you can access your information everywhere
– Reduce costs
– Better performance as you can increase the bandwidth of your network
– Online anatomy as you can access both web applications and websites in complete anonymity

Source: https://www.ibvpn.com/2010/02/8-advantages-of-using-vpn/

What is OSI model? What’s the main function of each OSI layer?

The Open Systems Interconnection model (OSI model) is a conceptual model that characterizes and standardizes the communication functions of a telecommunication or computing system without regard to their underlying internal structure and technology. Its goal is the interoperability of diverse communication systems with standard protocols. The model partitions a communication system into abstraction layers. The original version of the model defined seven layers.

Host layers:
Application: High-level APIs, including resource sharing, remote file access
Presentation: Translation of data between a networking service and an application; including character encoding, data compression and encryption/decryption
Session:Managing communication sessions, i.e. continuous exchange of information in the form of multiple back-and-forth transmissions between two nodes
Transport: Reliable transmission of data segments between points on a network, including segmentation, acknowledgement and multiplexing

Media layers:
Network: Structuring and managing a multi-node network, including addressing, routing and traffic control
Data link:Reliable transmission of data frames between two nodes connected by a physical layer
Physical: Transmission and reception of raw bit streams over a physical medium

Resource: https://en.wikipedia.org/wiki/OSI_model

What are the advantages of VPN?

The advantages of using a VPN is that content you access on the internet and anything sent to a website is encrypted and routed through vpn. When a connection is encrypted it stops people from monitoring your connection. So all data send to website can’t be read by anyone except the VPN provider. When a connection is not encrypted a attacker could preforming a mitm(Man in the middle attack) where the attacker can view all data that is not encrypted that you send to the website including usernames and passwords.

Resource: http://security.stackexchange.com/questions/75799/what-are-the-advantages-to-using-a-vpn-over-secured-trusted-wifi

Absolutely, I agree with you. Security is one of the biggest challengers in today’s interconnected world. Local security solutions such as antivirus, firewall, etc., are not sufficient to protect you unfortunately. A separate, external solution is needed to protect the communication from you to the outside world.That’s where VPN comes to play. VPNs secure the otherwise insecure connection between you and remote resources. VPNs should be used especially in public networks such as WiFis. In any case, as a general rule no network should be considered secure because the communication flow passes through numerous points (routers) and for an attacker is sufficient to compromise any one of these points in order to compromise the communication channel and its information flow.

I strongly agree with you, VPN can protect your privacy. To protect your privacy you should use VPN again. Thus, with VPN whenever you visit web sites, listen to radio, chat, etc. you will be identified with the VPN provider, i.e. his IP address, location etc. Essentially, your own IP address and personal details will remain hidden.

Of course, I agree with you. VPNs have also other benefits depending on the VPN service provider you are using. For example, some VPN service providers allow their users to share more easily and faster information between themselves, play games and perform any other activity as if they are within a local area network (LAN).

I agree with you. The layer has two types. One is host layers, which were including Application layer, Presentation layer, Session layer, and Transport layer. Another one is Media layers, which were including Network layer, Data link layer, and Physical layer.

What is OSI model? What’s the main function of each OSI layer?

OSI (Open Systems Interconnection) is reference model for how applications can communicate over a network. It has seven layers.

1) Physical: allows the transmission and reception of the unstructured raw bit stream over a physical medium and describes the electrical/optical, mechanical, and functional interfaces to the physical medium, and carries the signals for all of the higher layers.
2) Data link: provides error-free transfer of data frames from one node to another over the physical layer, allowing layers above it to assume virtually error-free transmission over the link.
3) Network: controls the operation of the subnet and direct the path of the data according to network conditions.
4) Transport: responsible to deliver messages without errors and no losses.
5) Session: allows sessions establishment between processes running on different stations.
6) Presentation: acts like a translator as it formats the data to be presented to the application layer.
7) Application; supports application and end-user processes by identifying communication partners, determining resource availability, and synchronizing communication.

Source: https://support.microsoft.com/en-us/kb/103884

What is OSI model? What’s the main function of each OSI layer?

According to the text, the OSI model is a seven-layered model that describes “how to build applications, protocols, and equipment that move data from your application to the physical wire, across hundred or thousands of miles, to an application on the other side”. To put simply, this model standardizes how computers communicate with one another within a network and should be utilized in the development of a network. The description from the text of the 7 OSI layers are listed below:

Layer 1 – Physical: Defines the physical link, cabling, and binary transmission (aka high pulse/low pulse)

Layer 2 – Data Link: Links data packets from one location to another.

Layer 3 – Network: Routes packets between networks.

Layer 4 – Transport: Makes sure that data arrives to its destination without any errors.

Layer 5- Session: Deals with the setup and management of sessions between computer applications

Layer 6 – Presentation: Handles formatting, encryption, compression, and presentation of data to the application.

Layer 7 – Application: User interface for displaying data.

After doing a little bit of research online for the OSI model, its apparently rarely used completely and to its fullest potential. Network developers might adopt one or two portions of the OSI model, but not the whole thing.

What are the advantages of VPN?

A Virtual Private Network, VPN for short, is a network commonly used to “travel” safely across the internet. This occurs by establishing a connection between two networks as if those networks were directly connected to one another and not traveling over the internet. This connection offers security and privacy since the traffic across the VPN is encrypted, the transmitted data is protected by some security protocols, and that the remote computer requires authentication before gaining access. For organizations, VPNs allow users to gain access to a company’s network even when they might be on a different, unsecured network. Due to the security characteristics of the VPN, users don’t have to worry about “bad guys” from collecting their web traffic and data. In today’s world, VPN’s are just as important as ever since most devices are mobile and businesses want their employees to access applications/data from anywhere they can. Especially as IT auditors who work remotely at a client’s site, VPNs are critical in making sure that confidential data on an audit is not accessed by anyone unauthorized.

Laly – I accidentally posted this below as well. I meant to post it here. Great VPN advantages answer. I think a lot of your advantages depend on the planning that is needed in order to take the proper precautions that result in strong security.

Some disadvantages of a VPN is that VPN requires experienced employees that have knowledge with public networks security, password and data encryption, network address encryption,

VPN also has issues with availability and performance because VPN is difficult to control. VPN tends to have speed much slower than a traditional connection.

I will say that VPN is used when people attempt to secure their Internet connection to maintain anonymity while browsing. I know this post is about some disadvantages but I do believe that VPNs are mostly positive when secured correctly and when an individual would like to secure network accesses.

Disadvantages:

-Complex Design
-Need for employees with high level understanding of VPN which can be costly
-Reliability can become a factor (need to choose a provider who can guarantee minimal downtime – costly)
-If it happens to be necessary to create additional infrastructure the solutions can become incompatible and cause technical issues
-If you need to reconfigure and customize, working with the same vendor can sometimes increase the cost of deploying additional infrastructure.
-The use of mobile devices to initiate connectivity to the virtual private network can cause security issues especially if the connection is wireless

I am just playing devils advocate here. VPNs offer a viable solution for secure communications between distributed users. It is still definitely very important to hire the correct IT professionals that have a high level understanding of VPNs so that you can configure your VPN to ensure a secure solution for your business.

I did some research to find out some advantages and disadvantages to the OSI model and below is what I found:

Advantages:
•Provides wide variety of choice.
•Does not depend on a specific computer system.
•interprets the product functionality at each-stage.
•Encrypts the data for security.
•Allows for the addition of multiple-network models.

Disadvantages:
•Many applications do not require/need the data integrity (which is typically provided by OSI-model).
•In order to quickly set up the OSI model, you will need an agreement between three-parties (users and the service provider).
•Overall, the OSI Model is Complex to configure and work with
•This model is not adapted at all to telecommunication applications on computer.

source: http://www.whatisnetworking.net/tag/advantages-and-disadvantages-of-osi-model/

Here are some of the alternatives to VPN:

* PC Anywhere – Involves buying the (somewhat expensive) PC Anywhere software & installing/configuring it on the office PC and on the remote. Once purchased, there are no operational costs other than the occasional upgrade.
* GoToMyPC, from Citrix – subscription based model, where you pay a monthly/annual fee to use their Internet service to connect to your office (or home) PC/Mac from any Internet connected PC via a browser.
* LogMeIn – Free; Create an account on the LogMeIn site, load a small application on any PC/Mac/Server you want to connect to.
* iPad apps – If you just need access to an office or home PC/Mac from an iPad, there are apps for that! Example: Splashtop

source: http://tomkconsulting.com/news021-remote-access-alternatives.htm

you’re right Laly. In fact, the purpose of the OSI reference model is to make networks more manageable and to aid the problem of moving data between computers.

Daniel, it must be noted that the OSI model is an abstract model that provides a framework that defines the functions of each layer. In other words the OSI standard defines the interfaces between the layers and as the data is passed from layer to layer, each layer adds its own information.

Indeed Ian, the advantages of VPN depend on the use case.
Individuals use VPN to secure their Internet connection and stay anonymous while browsing and business can use it to access information remotely, from home or even the phone. This can eventually contribute to the increase in productivity within a company.

What is OSI model? What’s the main function of each OSI layer?

OSI models can be used not just to understand how computer networks work but also how two computers communicate with each other. OSI model explains from user experience to all the way down to the electrical signals travelling in wires, and it does this in form of different layers.

Application Layer: This is basically software application. User looking at different applications on the computer. For e.g.: Google Chrome, Firefox, Microsoft outlook. This is basically software applications and this layer is closest to the user experience.

Presentation Layer: This is a layer what the operating system works on. This layer converts the user text and numbers into machine language (for eg: ASCII). It also encrypts data to protect it.

Session Layer: A session is basically a conversation between two computers. This layer is responsible for starting and ending sessions. For e.g.: if you want to get some data from a website, this layer will create a session between your computer and the web server. During the session, it will try to maintain the communication and if the connection is broken, it will help reestablish it. Eventually, it will also end the session.

Transport Layer: Whenever a computer sends data, it sends it in packets. This layer ensures that the packets are delivered reliably and in a proper order. It also breaks down packets into smaller units as required by different protocols.

Network Layer: This layer determines best route for data. There are many different routes (options) for a data to travel from one end to the other. This layer determines the fastest and the most reliable route for the data to travel.

Data Link Layer: This layer is responsible for checking errors in the data or if something went wrong in the above mentioned layers. For e.g.: if there was an error in the data, this layer will resend the data to ensure reliable transmission of data.

Physical Layer: Cable, fiber optics, etc. any electric signals or transmission of data is a part of physical layer in the OSI model.

Source: http://www.webopedia.com/quick_ref/OSI_Layers.asp

Said, in addition to the advantages you found, I would like to add that VPNs are great for accessing blocked websites or for bypassing Internet filters. Also if you need an IP address from another country, then a VPN can provide you this.

Wenlin,

Good job categorizing the layers further. And you are right about the reliability provided by the Data Link layer. I think it is important to have an extra layer of assurance that the data is transmitted correctly, in the right order and according to the protocol requirements. If there is an error in any of the other layers, Data Link layer fixes it and resends the packets.

Paul, although the protocols associated with the OSI model are rarely used any more, the model itself is actually quite general and still valid, and the each layer functions are still very important.

Brou,

Interesting that you talked about domain routing in Network Layer. Since even the routers that we have at home, have a job of finding the best and the most reliable path for packets to travel. I am wondering if the routers are involved mainly on the Network layer.

Ian,

Great post. May I add, for the Transport Layer, in addition to what you said, the layer also determines the packet sizes. These packet sizes are decided on the basis of different protocols. Some protocols require smaller packets than others and in that case Transport Layer will break the packets down.

Dan,

In addition to transparency, Transport Layer also provides reliability by making sure that when data is broken into different packets, they are also received in the correct sequence to by the receiver.

Ian I like the fact that your brought up some disadvantages of VPN.
Actually talking about security, if you want to remain anonymous online, a VPN can hide your real IP by using the VPN IP instead. However, the VPN IP is shared by an unknown number of persons, and its usage is public as long as the person subscribe a contract to the VPN provide. Therefore, by using a VPN, you open yourself to attacks such as IP spoofing.
On top of that, your IP address may be blacklisted due to the activity of another VPN user, which may result into limited or refused access into some websites.
So, VPN is very likely to reduce the trust that the destination service (bank, insurance account etc) has in you.

The advantages of VPN are as follows:

Security:
Local security applications like antiviruses and firewalls are not enough to protect. An external solution that provides a separate layer of protection is needed and this is where VPN comes in the picture. As a general rule, no network should be considered safe, especially the public networks (public Wi-Fi) as the flow of communication is passed through many routers/access points. VPN adds an extra layer of security as VPN connection is encrypted. If suppose, there is a Man-in-the-Middle attack, the attacker will only be able to see inexplicable data.

Restricted Access:
In certain countries, online broadcasters restrict access to clients in certain geographical areas. VPN allows its users to circumvent these geographical restrictions. For e.g.: in countries like China where access to certain websites are restricted, a VPN can be used to access anything online as long as you are connected to a VPN. In terms of securing data, an organization can use VPNs to only allow the VPN network to connect to private sensitive resources.

Privacy Protection:
As soon as we are connected online, we start leaving traces (digital footprints). VPN provides online anonymity by hiding IP addresses and personal details. For e.g.: People who are political activists are recommended to use VPN because of the frequent violation of their privacy.

Source: https://vpntunnel.com/faqs/top-five-vpn-advantages-benefits/

Q2 What are the advantages of VPN?
A2
A virtual private network, as the name suggests, is a private network that extends across a public network or internet. It enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. VPNs can usually increase privacy and security. To prevent disclosure of private information, VPNs normally allow only authenticated remote access using tunneling protocols and encryption techniques.

The advantages of a VPN connection can be listed as :
• Confidentiality – Since the data transmitted over VPN is encrypted, it provides confidentiality such that even if the network traffic is sniffed at the packet level, an attacker would only see encrypted data
• Authentication : VPNs require authentication, thereby preventing unauthorized users from accessing the VPN
• Integrity : Message integrity to detect any instances of tampering with transmitted messages

Hey Ian,

Great point. I didn’t think about it in that regard.
However. while studying abroad everyone was raving about VPN so they could stream Netflix and their shows back home. I was reluctant to use it because, I knew you had to go through 3rd party websites to hid your VPN.

Not sure, if you have heard of HOLA.org however, after a few of my friends download the google chrome extension they experienced viruses and hacking. They later found out that Hola was selling their computers networks to anyone who was willing to pay.

Valid point Alex,

Not sure if you read my reply to Ian. It most definitely coincides with your point. Some VPN service providers are not worth your trust. Some diligently log your connection times, dates, IP addresses, keep track of how long you’re connected, and some even keep an eye on the types of traffic that you send through their networks while you’re logged in. They’ll tell you it’s in order to make sure you’re not doing anything illegal, or anything that would damage their network, but that level of snooping does kind of go against the whole purpose of a VPN, doesn’t it?

Q1. What is OSI model? What’s the main function of each OSI layer?

The OSI model describes how data moves from one system to another and helps us understand how to build applications, protocols, and equipment that move data. The seven layers of this model include:

1. Physical: Defines the physical link, cabling, and binary transmission. Modulation and flow control occur here.
2. Data Link: Links data on hosts from one location to another, typically on the LAN. Switches and bridges operate at this later, typically using MAC addresses.
3. Network: Routes packets between networks. Routers operate at this layer typically using IP addresses.
4. Transport: Deals with transport issues, such as getting to the destination in one piece, and error control.
5. Session: Deals with the setup and management of sessions between computer applications.
6. Presentation: Handles formatting, encryption, compression, and presentation for the data to the application.
7. Application: Represents the end user application, such as HTTP or FTP.

Q2. What are the advantages of VPN?

Some advantages of a Virtual Private Network include:

-Security: Data is encrypted and kept away from those who should not have access to it.
-Remote Control: Allows data to be accessed from wherever you are.
-Bypass Filters/Blocks: Can access blocked websites and bypass filters.
-File Sharing: Can be useful to groups that need to share files for a long period of time.

What is OSI model? What’s the main function of each OSI layer?

The OSI model is a benchmark standard created to get third party vendors to develop protocols that are matched to the seven “layers” of the model. The goal is to have many different equipment and software manufacturers develop and implement equipment that will interface with equipment developed by competitors. The model helped create an international networking standard. It is comprised of seven logical “layers” that communicate with each other.

Each layer of the model is designed to separate each section based upon what is happening to the data.
Layer 1 – Physical Layer – Is the layer at which hardware transmits and receives the data as some type of signal.
Layer 2 – Data Link – Is the layer that transmits the data across the physical layer. Associated with the MAC address.
Layer 3 – Network – Is the layer at which IP addressing is used.
Layer 4 – Transport – Is the layer that transmits data reliably and checks “ACK” of data receipt.
Layer 5 – Session – Is the layer that establishes and maintains connections known as sessions.
Layer 6 – Presentation – Is the layer that converts data into a format acceptable for the application layer. Encryption and decryption take place at this layer.
Layer 7 – Application – Is the layer at which an interface is created to communicate with the system. This is the layer where a user interacts with a system.

What are the advantages of VPN?

A VPN is a Virtual Private Network. A VPN allows users outside the physical network to access the network logically. This allows a business to efficiently extend the reach of the network and its resources. A VPN also allows a business to utilize the concept of “telecommuting” with employees. This can save costs for the business and allows workers to conduct their jobs from outside the physical location of the business and gives workers efficient mobility while also maintaining network security as much as feasibly possible. Implementing a VPN means a business should institute anti-virus and remote access policies at a minimum. The business may also want to set up a “quarantine zone” so whenever an employee logs into the VPN, and a system check determines the anti-virus software is not-up-to-date for example, users will be directed to the zone to preserve the integrity of the VPN and local network.

Ian,

I like that you brought up VPN’s are used for branch locations, partners, and distributors. Implementing a VPN allows a business to essentially widen its network beyond where it is physically located, and doing so securely too. A VPN also leverages the use of the internet already in place to widen the business’s network without having to really absorb any new costs to expand the network.

OSI is an ISO developed networking model determines how data moves between networks. The data travels through the 7 layers of OSI model and is governed by a protocol of data is packaged and sent to the next layer.
Physical layer – Electronic Connection – This layer defines how raw data travels in forms of bits and bytes in form of electronic signals through a transmission media like a fiber optic or radio frequency. This is the lowest level of networking. IT uses physical devices like modems, network hubs, repeaters.
Protocols :Fiber optic or wireless mode
Data Link layer – Communication between nodes- This layer defines data that transfers from node to node. IT takes data from Layer 1, corrects in case of errors. It defines protocol that must be used in layer 1. This layer has two sub layers –
One, MAC – layer responsible for controlling how devices get access to a physical medium and permission to transfer data.
Two, Logical Link Layer – This layer is responsible for encapsulating data, checking errors and frame synchronization and identifying network protocols
Protocols:Ethernet, PPP, SLIP, FDDI
Network layer -Communication across networks- This layer defines data transfer in same network between different nodes. It transfers Logical address to physical address.The data packet in this layer consists of the message body, address of next node and routes message to nodes in the network to route them through the path to reach final destination node.
Protocols:IP, IPSec,ICMP,IGMP
Transport Layer – Data transfer between networks – This layer transfer data from one node to another between two networks. IT manages segmentation to handle large length of data and checks for errors and submits acknowledgement in case of success of transfer.
Protocols: TCP, UDP
Session Layer-Session Management – This layer manages connections between computers, between the local and remote applications.
Protocols: API’s , sockets
Presentation layer – Format conversion -This layer formats data and translates data from software application into network understandable format.This layer formats and encrypts data and inserts control information.
Protocols: SSL, IMAP, FTP
Application layer – Interface between applications- This layer first receives the data. IT is the link between local software applications and internet, identifying communication partners, determining resource availability, and synchronizing communication. It identifies the communication partners, quality of service , user authentication and privacy, constraints on data syntax.
Protocols: HTTP, SSH, DCH

Great point Ian, VPN may slow down the speed. About having experienced employees having encryption knowledge holds true only to a person who is setting up the VPN. For a user, it is just another level of authentication they need to provide.
I have experienced that companies prefer the employees to directly connect to servers rather than saving work locally. Working locally has data retention, data clean up, intellectual property clauses. Hence setting up VPN benefits the company in having all data on their server and they can keep track of data transfer.
Ex. In case of multinational firms where employees are ;located in another country, VPN will help monitor if an important file has been sent to a personal email id of the employee.

Great post Daniel. I agree with you that the level of security an organization can achieve using VPN with a decent cost is great. However it must be ensured that the service provider for the Internet via which the network is connected must have minimal downtime and good connectivity. Otherwise the day to day business work will be impacted.

Ian, you have stated an important point regarding mobile devices connecting to VPN. Currently not all mobile OS have a VPN built-in client (only Android and ios provide built-in). Mobile devices do not have an open VPN protocol which is disappointing. Companies must provide a software application to launch VPN client via mobiles devices. If one uses Wifi to connect to VPN they expose the data to many insecurities.

2. What are the advantages of VPN?

Virtual Private Network, or VPN, is a group of computers (or discrete networks) networked together over a public network—namely, the internet. The following are the advantages of VPN:

• Create private scope of computer communication
• Helps in remote connection to data centers
• Secure data transmission through encryption
• Helps in sharing files across the group for a period of time
• Access to web applications and websites in complete anonymity
• VPN provides change of IP address in case there is a need for an IP from location other than base.
• Provides better bandwidth and efficiency of the network
• Low maintenance cost

What is OSI model? What’s the main function of each OSI layer?

OSI (Open Systems Interconnection) is reference model for how applications can communicate over a network. It allows vendors and developers to manage interoperability of the digital communication products and software programs they create.

It has 7 layers:

Physical layer: This layer conveys the bit stream such as electrical impulse, light or radio signal through the network at the electrical and mechanical level. It provides the hardware means of sending and receiving data on a carrier. Protocols: Fast Ethernet, RS232,and ATM

Data Link Layer: This layer helps in handling errors in the physical layer, flow control and frame synchronization. The data link layer is divided into two sub layers: The Media Access Control (MAC) layer and the Logical Link Control (LLC) layer. The MAC sub layer controls permission for a system to gain access to the data on the network. The LLC layer controls frame synchronization, flow control and error checking.

Network Layer: This layer provides switching and routing technologies, creating logical paths, known as virtual circuits, for transmitting data from node to node. It is also responsible for error handling, congestion control and packet sequencing.

Transport Layer: This layer provides transparent transfer of data between end systems, or hosts, and is responsible for end-to-end error recovery and flow control.

Session Layer: This layer establishes, manages and terminates connections between applications. It deals with session and connection coordination.

Presentation Layer: This layer works to transform data into the form that the application layer can accept. It formats and encrypts data to be sent across a network, providing freedom from compatibility problems. It is also called the syntax layer.

Application Layer: This layer supports application and end-user processes. Everything at this layer is application-specific. This layer provides application services for file transfers, e-mail, and other network software services. Telnet and FTP are applications that exist on this layer

What is OSI model? What’s the main function of each OSI layer?
The Open System Interconnection(OSI) reference model created by International Organization for Standardization(ISO) describes how a data is transmitted across the network. It defines how the network processes function, what the components are in the network and also how the data is transmitted.
This layered approach
1. Reduces complexity
2. Standardizes interfaces
3. Facilitates modular engineering
4. Ensures interoperable technology
5. Accelerates evolution
6. Simplifies teaching and learning
There are 7 layers in OSI model:
1. Application : This is the layer at which user communicates with the computer. This layer identifies and establishes the availability of the communicating devices and checks if enough resources are available to for the intended communication and establishes agreement on procedures for error recovery and control of data integrity. This layer provides network services to the application of the user like email, file transfer and terminal emulation. Provides user authentication.
2. Presentation: This layer ensures that the information send by the application layer of one system is readable by the application layer of the other system by providing the translation service. It formats, structures and provides encryption to the data. Example: jpeg, pict, mpeg, quicktime.
3. Session: This layer is responsible for establishing, managing and terminating the session between the communicating devices. This layer keeps different application data separate from the other application data. Examples of session layer protocols are: NFS(Network File System), SQL.
4. Transport: The transport layer segments the data from the system of sending host and reassembles the data into data stream on the system of the receiving host. It ensures data transport reliability through fault detection and recovery information flow control. Example: TCP/IP, UDP protocols
5. Network: This layer provides connectivity and path selection between 2 hosts on 2 different networks. It manages connectivity, provides logical addressing and path selection. When packets are received, destination IP address is checked. Examples of routing protocols are RIP, OSPF, EIGRP.
6. Data Link: This layer ensures that messages are delivered to proper devices. The message is formatted into data frames. It includes error detection to ensure reliable delivery of data. The Ethernet data link has two sublayers: Logical Link control(LLC) and Media Access Control (MAC protocols)
7. Physical: In physical layer data is sent and received in bits, It defines electrical, mechanical, procedural, and functional specifications for activating, maintaining and deactivating the physical link.

Source: Introduction to Cisco Networking Technologies Volume 1.

What are the advantages of VPN?
VPN (virtual private network) creates secure connection to another network over the internet. It keeps the connection private, encrypted and anonymous.
1. VPN provides internet anonymity for all the users connected to it by encrypting the data from the computers or other mobile devices before connecting to the internet. So the actual source is kept as a secret and sensitive information ie PII cannot be traced by hackers and government agencies.
2. It masks IP address thus reducing DDOS attack, hacking possibilities.
3. It hides the user’s geo location. Thus it can be used to create an impression that the user is browsing from a different location and also allowing to access geo- blocked websites.
4. Thus the VPN helps to bypass filters and access blocked websites.
5. Better streaming performance
6. Accessing local network resources remotely, especially if you are travelling and want to have access to office network or home network.

We are only seeing positive sides of the VPN. What about criminal organizations who use it?

Advantages of VPN
1. The main purpose of VPN is to have a secure connection which can be connected remotely over a Internet Protocol Security.
2. VPN offers higher level of security as the VPN needs authorized access to connect to the network.
3. VPN is comparatively low cost than any other configuration to remote connect over secure link.
4. It is easy to add more nodes in the existing VPN network. IT does not cost anything or does not need additional components.
5. VPN communications are encrypted
6. VPN service can make it easy to share files for a group of people for long periods
7. Performance can be greatly increased in terms of bandwidth

What are the advantages of VPN?

VPN is a technology which creates a virtual private network to which end users are connected via an encrypted channel.. VPN has three main advantages for the internet users, higher security, privacy protection and access to restricted resources.

Security:
Compared to direct connection, VPN provides a external security to protect personal data . VPNs secure the otherwise insecure connection between you and remote resources. VPNs should be used especially in public networks such as WiFis. This is because the communication flow passes through numerous points (routers) and for an attacker is sufficient to compromise any one of these points in order to compromise the communication channel and its information flow.

However, with VPN, even if the communication channel is compromised, ones cannot be harmed or the harm will be because the VPN connection is encrypted and cannot be decrypted and thus read. When an attacker captures VPN traffic he will be able to see only incomprehensible characters going from you to a VPN server. Thus, the attacker is not even able to see to the remote resources (sites, chats, etc).

Privacy protection:
As soon as ones are connected online with your pc or mobile phone, they are leaving traces such as the IP address and Internet service provider. This ultimately reveals essential personal information. Instead, to protect your privacy you should use VPN again. Thus, with VPN whenever visit web sites, listen to radio, chat, etc. you will be identified with the VPN provider, i.e. his IP address, location etc. Essentially, the vpn user’s IP address and personal details will remain hidden.

Access to restricted resources:
Sometimes service providers such as online radios, TVs, etc restrict access only to clients within certain geographical areas or Internet service providers. Other times company policies prevent employees to connect to generally available sites or resources such as Facebook. Such not always reasonable restrictions leave you with no option but to use VPN. VPNs have multiple points of presence in different geographic regions. The fact that you are identified only with the VPN provider allows you to circumvent any geographical restrictions.

Source:

https://vpntunnel.com/faqs/top-five-vpn-advantages-benefits/

What is OSI model? What’s the main function of each OSI layer?

OSI Model
1. Describes how data moves from one system to another system.
2. describe how to build applications, protocols, and equipment that move data from your application to the physical wire, across hundreds or thousands of miles, to an application on the other side.

OSI model contain seven layers and each layer has different function.
Layer 1: Physical
Defines the physical link, cabling and binary transmission. Also deals with Modulation and flow control
Layer 2: Data link
Links data on host from one location to another, typically on the local area network (LAN) but sometime on wide area network (WAN)
Layer 3: Network
Routes packets between networks
Layer 4: Transport
Deals with transport issues such as getting to the destination in one piece and error control
Layer 5: Session
Deals with setup and management of sessions between computer applications
Layer 6: Presentation
Handles formatting, encryption, compression and presentation of data to the application
Layer 7: Application
Represents the end user application such as HTTP, file transfer protocol, simple mail transport protocol or telnet

Source:
IT auditing: Using Control to Protect Information Assets

1. What is OSI model? What’s the main function of each OSI layer?
OSI stands for open systems interconnection. it was created to help standardize communication between computer systems. it defines a networking framework to implement protocols in seven layers.
1) the physical layer: defines the electrical and physical specifications of the data connection. Physical examples include Ethernet, FDDI, B8ZS, V.35, V.24, RJ45.
2) the data link layer: provides node-to-node data transfer, a link between two directly connected nodes. Data Link examples include PPP, FDDI, ATM, IEEE 802.5/ 802.2, IEEE 802.3/802.2, HDLC, Frame Relay.
3) the network layer: provides the functional and procedural means of transferring variable length data sequences from one node to another connected to the same network. Network examples include AppleTalk DDP, IP, IPX.
4) the transport layer: provides the functional and procedural means of transferring variable-length data sequences from a source to a destination host via one or more networks, while maintaining the quality of service functions. Transport examples include SPX, TCP, UDP.
5) the session layer: controls the dialogues (connections) between computers. Session examples include NFS, NetBios names, RPC, SQL.
6)the presentation layer: establishes context between application-layer entities, in which the application-layer entities may use different syntax and semantics if the presentation service provides a mapping between them. Presentation examples include encryption, ASCII, EBCDIC, TIFF, GIF, PICT, JPEG, MPEG, MIDI.
7) the application layer: is the OSI layer closest to the end user, which means both the OSI application layer and the user interact directly with the software application. Application examples include WWW browsers, NFS, SNMP, Telnet, HTTP, FTP

http://www.webopedia.com/quick_ref/OSI_Layers.asp
https://en.wikipedia.org/wiki/OSI_model#Layer_1:_Physical_Layer

2. What are the advantages of VPN?
VPS stands for virtual private network. It is a group of computers networked together over a public network (the internet). VPS secures the computer’s internet connection to guarantee that all of the data we are sending and receiving is encrypted and secured. Student/worker can use provided VPN from their school or company to access resources on their network when they’re at home or traveling. Other advantages include share files, online anonymity, unblock websites and bypass filters, change IP address, better performance and reduce maintenance costs.

A good point made here. VPN helps in reducing the cost for the organisation. The Accenture case which we read mentioned the same point. Accenture established a global delivery network giving its employees a facility to work remotely and hence reducing the IT cost per person by 69% which is a big number.
In this way VPN has definitely proved its need and cost justification.

Just to add to your privacy point Brou, VPN also first encrypts the data before sending it to the network thus reducing the chances of data breach to minimum. This helps in maintaining the confidentiality and integrity of data.

To add to the disadvantages, If the company is not maintaining proper user provisioning along with the identity systems with VPN administration it can lead to unauthorized access.

One such example of insufficient VPN management and security that lead to a breach comes from an employee terminated by a utility company, Energy Future Holdings. The employee was able to use the VPN—even after his position was terminated—to access the corporate systems used for consumer demand forecasts. The terminated employee used the access to corrupt data, which caused $26,000 in lost business alone. Hence it is necesary to maintain the identity systems with VPN. I am not sure of does active directory have records of all active VPN users or not? If anyone have information on it do share.

The OSI, or Open System Interconnection model is a conceptual networking model of how network systems are supposed to communicate to each other. The model breaks down different components of network communication into layers. The model consists of 7 layers :

1) Application layer : This is the layer that the user interacts through. Application-layer functions typically include identifying communication partners, determining resource availability, and synchronizing communication. This layer supports application and end-user processes Eg: Browser, Email client.
2) Presentation layer : The presentation layer establishes context between application-layer entities, in which the application-layer entities may use different syntax and semantics if the presentation service provides a mapping between them. This layer provides independence from data representation (e.g., encryption) by translating between application and network formats. The presentation layer transforms data into the form that the application accepts. This layer formats and encrypts data to be sent across a network. It is sometimes called the syntax layer.
3) Session layer : The session layer creates, manages and terminates the connections between computers (local and remote computer).
4) Transport : The transport layer Decides how much information should be sent at one time. Deals with the transport of data back and forth from a source to a destination host via one or more networks, while maintaining the quality of service functions.
5) Network : The network layer provides the functional and procedural means of transferring variable length data sequences (called datagrams) from one node to another connected to the same network. It translates logical network address into physical machine address. Network layer is involved in structuring and managing a multi-node network, including addressing, routing and traffic control. Routers operate at the network layer
6) Data link : The data link layer provides node-to-node data transfer—a link between two directly connected nodes. It detects and possibly corrects errors that may occur in the physical layer. It, among other things, defines the protocol to establish and terminate a connection between two physically connected devices. It also defines the protocol for flow control between them. Eg: Switches
7) Physical : The physical layer defines the electrical and physical specifications of the data connection. It defines the relationship between a device and a physical transmission medium. Eg. Wiring/cabling

Source : https://en.wikipedia.org/wiki/OSI_model

Abhay, As far as I understand transport layer deals with segment and does not determine the size of packet. The packet headers and footers are added in Network layer. Transport layer deals with secure/unsecure transmission.

What are the advantages of VPN?

VPN stands for Virtual Private Network, it is a network technology that creates a secure network connection over a public network such as the Internet or a private network owned by a service provider.

VPN has the following advantages:

1. Data is kept secured and encrypted when you connect to the network through a VPN.
2. VPN increases productivity because with the remote control feature, the information can be accessed anywhere remotely.
3. With the VPN service, it makes convenient for people sharing files for long period of time.
4. VPN Allows people to access both web applications and websites anonymously.
5. VPN services are very useful for accessing blocked websites or for bypassing internet filters, especially for counties where internet censorship is applied.
6. VPN can provides people with change IP address if needed.
7. VPN solution provides better performance because it increases bandwidth and efficiency of the network.
8. Implement VPN reduces maintenance cost.

Source: https://www.ibvpn.com/2010/02/8-advantages-of-using-vpn/

Ian, rightly said that employees need to have right understanding about the VPN.

One member firm that I worked with used Global protect as VPN for first level of authentication and then needed to connect to remote access using EMUE code which was pretty complicated for most of the non tech savy users because EMUE was to be generated on their company approved PDA’s and if there were was any problem with the PDA they would have to wait till that PDA was repaired or another PDA was configured and had EMUE installed. Else they would have to call center for additional keys.

Transport layer: Segments
Network Layer: Packets
Data Link Layer: Frames
Physical Layers: Bits

Nice way of defining the advantages in terms of CIA concept.

Well explained, Priya. I liked that you have mentioned the associated protocols for each layer. I’d like to add that the ARP (Address Resolution Protocol) is also one of the protocols which is used to translate IPv4 or internet layer addresses (OSI layer 3) into link layer or Ethernet MAC addresses (OSI layer 2).

What are the advantages of VPN?

A VPN allows companies to securely transit data to an external network/device. Data transmitted through a VPN is encrypted so even if it is compromised, it is still safe. Businesses often need to access and transmit data to a remote server, or allow an employee to access a network from another location. Even with a secure infrastructure there is still the possibility of an intrusion, which increases when data travels remotely. A VPN is is an important component to information system security and provides many advantages including:

* Save money by allowing employees to work remotely by lowering traveling costs and office space
* Increase productivity because employees can access the network anywhere in the world securely
* Securely connect geographically dispersed corporate locations
* Works with most protocols, so it is easy to deploy and use – saves money by not needing a secure line
* User friendly
* Anonymity Can change an IP address, can be important depending on the data or if an employee is in
foreign country
* Low cost

Ian, you brought up a good point about the speeds over VPN being much slower than traditional internet. I agree partly to that view as the technology by itself is not designed such that speed achieved over VPN is slower than the parent connection however the different vpn clients that you use generally have a significant difference in the speeds you encounter. My previous company was earlier using a common VPN software which did give significantly lower speeds than the parent connection however the company switched over to a different and new VPN client a couple of years back and there is absolutely no noticeable difference in the speeds between VPN and the parent connection.

Hi Ian,

Thanks for the summary of the advantages and disadvantages of the OSI Model. Just looking at the model in our text, it seems the the entire model is very vague with alot of references to different protocols. For example, the application layer references the HTTP, File Transfer Protocol (FTP), Simple Main Transport Protocol (SMTP), or Telnet. Therefore, it would make sense that the OSI model is complex to configure and work with since one has to understand all the different protocols. With that being said, as Alex has stated below, the OSI model still serves as a framework due to it being general in nature.

What is the advantage of VPN?

Firstly, what is the VPN?
A Virtual Private Network (VPN) is a method used to add security and privacy to private and public networks, like WiFi Hotspots and the Internet. VPNs are most often used by corporations to protect sensitive data.
Then, how it works?
VPN allows you to have your connection encrypted and secure to become anonymous online and to keep your traffic data private and safe from hackers, government censorship, and other dangers of the internet. VPN also helps you get access to to block content because of geolocation, some online content such as video, music, news, search engines, etc. maybe unavailable from certain countries and locations. Using a VPN service allows you to log into a server located in a place from where the content is available.
lastly, what is the value?
The VPN gives you privacy freedom and security. It is very useful when you do your online banking, use WIFI hotspots shopping online, etc.

but something you needs to notice that not all VPN service providers are worth your trust.

Source：
https://technet.microsoft.com/en-us/library/cc779919(v=ws.10).aspx

What is OSI model? What’s the main function of each OSI layer?

* The OSI model is a reference/framework for vendors/developers to create products with interoperability. It is the primary method of communication between two endpoints in a telecommunication network. The model is comprised of seven layers from which data flows from one application to another, passing through each layer.

* Layer 7: The application layer: communication partners are identified and serves as a gateweay for the
application to access the network
* Layer 6: The presentation layer: essentially a translator because it translates the data from the
application’s format into a common format to send, and then the is translated again at the receiving end
* Layer 5: The session layer: facilitates a connection between processes on different networks/machines
* Layer 4: The transport layer: moves the message from one application to its destination error free
* Layer 3: The network layer: accurately directs and routes the data in the correct direction, and also for
incoming messages
* Layer 2: The data-link layer: transports data from each node over the physical layer
* Layer 1: The physical layer: Hardware which carries the message through the network

What is OSI model? What’s the main function of each OSI layer?

OSI stands for Open System Interconnection, OSI model is a standard reference model for communication between two end users in a network.

ISO has 7 layers, each layer has well defined functions. Seven layers are divides into two groups. The low layers (1, 2, 3 and 4) are transport service layers, they are necessary to the routing of information between the two concerned ends and depend on the physical medium. The higher layers (5, 6 and 7) are responsible for the data processing relative to the management of exchanges between information processing systems. Layers communicate with adjacent layers only, it allows layers to change without effecting other layers, as long as compatible with adjacent layers.

Layer 1—The physical layer:
This layer transmits bits from one computer to another and regulates the transmission of a stream of bits over a physical medium. This layer defines how the cable is attached to the network adapter and what transmission technique is used to send data over the cable.

Layer 2—The data-link layer:
This layer package raw bit from the Physical layer into frames (logical, structures packets for data). It is responsible for transferring frames from one computer to another, without errors. After sending a frame, it waits for an acknowledgment from the receiving computer.

Layer 3—The network layer:
This layer handles the routing of the data, addresses messages and translates logical addresses and names into physical addresses. It also determines the route from the source to the destination computer and manages traffic problems (flow control), such as switching, routing, and controlling the congestion of data packets.

Layer 4—The transport layer:
This layer handles error recognition and recovery, manages the end-to-end control (for example, determining whether all packets have arrived) and error-checking. It ensures complete data transfer.

Layer 5—The session layer:
This layer allows applications on different computers to establish, use, and end a session/connection. This layer establishes dialog control between the two computers in a session, regulating which side transmits, and when and how long it transmits.

Layer 6—The presentation layer:
This is a layer, usually part of an operating system, that converts incoming and outgoing data from one presentation format to another (for example, from a text stream into a popup window with the newly arrived text). This layer also manages security issues by providing services such as data encryption and compression. It’s sometimes called the syntax layer.

Layer 7— The application layer:
This is the layer at which communication partners are identified, quality of service is identified, user authentication and privacy are considered, and any constraints on data syntax are identified. It represents the services that directly support applications such as software for file transfers, database access, email, and network games.

Source: http://nhprice.com/what-is-ios-model-the-overall-explanation-of-ios-7-layers.html

Two mnemonics to help you remember the seven layers.
1. All People Seem To Need Data Processing
2. Please Do Not Tell Sales People Anything

Hi Wenlin,

You mentioned that VPN’s are good at protecting against Man in the Middle Attacks. While I did know that “bad guys” can monitor an individual’s web traffic to potentially pick up any usernames and passwords, I didn’t know that “bad guys” could sit in-between a user and the internet. According to the video I linked below, man in the middle attacks not only have a view of web traffic but they can also provide prompts to gain information such as usernames and passwords. I can see how a VPN would eliminate such attacks through encryption, especially for businesses who utilize the internet for their work.

Link: https://www.youtube.com/watch?v=zy-ZpVA3v3I

What is OSI model? What’s the main function of each OSI layer?
Layer 1: Physical Layer
This is first layer in ISO model, represents physical characteristics of operating system communication channel including electronics specifications and optical signals used for communication. It manages network media types like CAT5 Twisted Pair, SFP Optical Fiber, connection interface characteristics, and any other specification for putting transmission signals on physical media. However, data transmission over physical media is function of Layer 2 while layer 1 is confined to physical aspects of the transmission media.
Layer 2: Datalink Layer
The DLL (Data Link Layer) resides between physical layer and Network layer. DLL provides data transmission validation for data being transported over the network. The DLL is logically divided into two sublayers: Media Access Control (MAC) sublayer, and the Logical Link Control (LLC) Sublayer. DLL MAC (hardware) address uniquely identify individual network card (NIC), used for inter-switch routing with ARP protocol (address resolution protocol), while LLC is responsible for end to end flow control of data frames transmitted, perform data transmission error checking.
Layer 3: Network Layer
The network layer is managing logical addressing of data packets and delivery to destination. Routers are special appliances used to perform network layer routing functions. The logical addresses are called IP address (Internet protocols) , are used to identify a computers and network addresses.
Layer 4: Transport Layer
The Transport layer manages the breaking of data packets into smaller chunks, transportation of data packets to computer on the other end, with different degrees of delivery assurance (reliable or unreliable).
Example of reliable transmission is connection oriented protocol TCP (Transmission Control Protocol), once a connection is established, data is sent from source to destination and waits for acknowledgment of receipt before it sends another data stream .
Example of unreliable transmission is UDP (User Datagram Protocol) is connectionless where multiple packets are send to destination without waiting for acknowledgement back (email).

Layer 5: Session Layer
The session layer is responsible for establishing, managing, and releasing connections between applications running on source and destination computers. This layer integrates function of transport layer to provide management capabilities to enhance control over transport layer functions.
Layer 6: Presentation Layer
Presentation layer converts application data into proper format to be sent by transport layer. Presentation layer performs other functions like compression, encryption, ASCII code conversion.
Layer 7: Application Layer
Application layer is the layer with human readable traffic generated on user or operating system level.
Example: user connecting to amazon site from laptop, the application layer manages all http and https traffic between laptop and e-commerce web site.

What are the advantages of VPN?
VPN or virtual private network protocol is used to extend local area network “LAN” data resource access to users connecting remotely with high degree of security and privacy. The remote systems (Laptop, PC, Server) uses VPN protocol to securely connect to LAN systems as if the remote system in part of the local area network “LAN”. Once connected, traffic between remote systems and local LAN data resources is encrypted with one of the encryption algorithm like IPSec to protect information transmitted on connection channel.

You are absolutely right! Even though VPN has so many advantages but not all VPN service providers are trustworthy. It’s very important to find the best VPN service for your needs. Things should be take into consideration such as:

-What Protocols Do They Support?
-How Many Servers Do They Have and Where?
-How Many Concurrent Connections Are Allowed?
-Do They Throttle Connections, Limit Bandwidth, or Restrict Services?
-What Kind of Logs, If Any, Do They Keep?
-What Payment Methods Do They Offer?
-Do They Have a Kill Switch System?

Source: http://www.howtogeek.com/221929/how-to-choose-the-best-vpn-service-for-your-needs/

what is OSI? and what is the function of each layer of OSI?
OSI is short for open system interconnection. It is a conceptual model that characterizes and standardizes the communication functions of a telecommunication or computing system without regard to their underlying internal structure and technology. Its goal is the interoperability of diverse communication systems with standard protocols.

OSI has 7 layers.
1. physical: a direct point-to-point data connection.
2. data link: a reliable direct point-to-point connection.
3. Network: addressing, routing and delivery of datagrams between points on a network.
4. transport: reliable delivery of segments between points on a network.
5. session: interhost communication, managing session between applications
6. presentation: data representation, encryption, covert machine dependent data to machine independent data.
7. application: network process to application

source: http://www.ibm.com/support/knowledgecenter/SSCVHB_1.1.0/glossary/npi_osi_model.html

Question 1: What is OSI model? What’s the main function of each OSI layer?

The OSI model stands for the Open System Interconnection Reference Model, which is a conceptual model that “characterizes and standardizes the communication functions of a computing system…” This model initially developed by the International Organization for Standardization (ISO). The OSI model has seven layers:

— Layer 7: Application: he application layer serves as the window for users and application processes to access network services.

— Layer 6: Presentation: The presentation layer formats the data to be presented to the application layer. It can be viewed as the translator for the network.

— Layer 5: Session: The session layer allows session establishment between processes running on different stations.

— Layer 4: Transport: The transport layer ensures that messages are delivered error-free, in sequence, and with no losses or duplications. It relieves the higher layer protocols from any concern with the transfer of data between them and their peers.

— Layer 3: Network: The network layer controls the operation of the subnet, deciding which physical path the data should take based on network conditions, priority of service, and other factors.

— Layer 2: Data link. The data link layer provides error-free transfer of data frames from one node to another over the physical layer, allowing layers above it to assume virtually error-free transmission over the link.

— Layer 1: Physical. The physical layer, the lowest layer of the OSI model, is concerned with the transmission and reception of the unstructured raw bit stream over a physical medium.

The layer 1 to layer 3 consist the Media layers; and layer 4 to layer 7 belongs to the Host layers.

Source: http://community.mis.temple.edu/itacs5205fall16/2016/09/29/week-6-questions/#comments

What is OSI model? What’s the main function of each OSI layer?

The Open Systems Interconnection (OSI) Model is a conceptual and logical layout that defines network communication used by systems open to interconnection and communication with other systems.

Physical: the lowest layer of the OSI model, is concerned with the transmission and reception of the unstructured raw bit stream over a physical medium

Data-Link: Provides error-free transfer of data frames from one node to another over the physical layer, allowing layers above it to assume virtually error-free transmission over the link.

Network: Controls the operation of the subnet, deciding which physical path the data should take based on network conditions, priority of service, and other factors.

Transport: Ensures that messages are delivered error-free, in sequence, and with no losses or duplications. It relieves the higher layer protocols from any concern with the transfer of data between them and their peers
.
Session: Allows session establishment between processes running on different stations.

Presentation: Formats the data to be presented to the application layer. Translates data from a format used by the application layer into a common format at the sending station, then translate the common format to a format known to the application layer at the receiving station.

Application: Serves as the window for users and application processes to access network services.

Source: http://searchnetworking.techtarget.com/definition/OSI
https://support.microsoft.com/en-us/kb/103884

What are the advantages of VPN?

Security – A VPN connection between a user and the remote resources are encrypted. Thus, if the user’s VPN traffic is compromised, the user will not be harmed because the attacker will not be able to see what remote sources the user is connected to.

Privacy Protection – Connection through a VPN will not leave behind a user’s IP address and personal details. Since the traffic is encrypted, the user’s internet usage cannot be tracked or monitored.

Access to Restricted Resources – Certain service provider sites restrict access to specific geographic locations. Since, a VPN hide the user’s personal details the user is able to access those sites.

Geographical restricted content can be frustrating to face sometimes. I recall the countless number of times where even watching some Youtube videos would be blocked because the content was not available in my geographical region.

I really liked how you explained the advantages of VPN through the CIA concept as well. However, do you mind explaining how message integrity detects instances of tampering?

Question 2: What are the advantages of VPN?
The first advantage is the security of VPN. The PC users usually connect the internet through cables, but it also allows the attackers to locate the users’ IP address. However, by using the VPN, the data from users’ machine to the VPN servers is encrypted, so it enhances the difficulty to attack for hackers, and it also prevents attackers monitoring the users’ operating system. In addition, the VPN also allows PC users break the internet limitation like the Great Firewall of China (GFW). For example, the GFW will lock the oversea IP addresses so the internet users in mainland China are limited in using some websites like YouTube and Facebook. However, by using the VPN, these users in limited areas can visit the websites without being affected by the GFW.

What is OSI model? What’s the main function of each OSI layer?
OSI model stands for Open Systems Interconnection model. It is a model that characterizes and standardizes the communication functions of a telecommunication or computing system regardless of its internal structure and technology. Its goal is to allow diverse communication through systems with standard protocols. This model partitions communication systems into layers.
Layer 1 – Physical: Transmission and reception of raw bit streams over a physical medium
Layer 2 – Data link: Reliable transmission of data frames between two nodes connected by a physical layer
Layer 3 – Network: Structuring and managing a multi-node network, including addressing, routing and traffic control
Layer 4 – Transport: Reliable transmission of data segments between points on a network, including segmentation, acknowledgement and multiplexing
Layer 5 – Session: Managing communication sessions, i.e. continuous exchange of information in the form of multiple back-and-forth transmissions between two nodes
Layer 6 – Presentation: Translation of data between a networking service and an application; including character encoding, data compression and encryption/decryption
Layer 7 – Application: High-level APIs, including resource sharing, remote file access
https://en.wikipedia.org/wiki/OSI_model

What are the advantages of VPN?
– Data is kept secured and encrypted.
– Remote access and control to data.
– Share files
– Online Anonymity – can search websites privately
– Better performance – bandwidth and efficiency of a network are increased.
– Reduce costs – once VPN network is created the maintenance cost is really low.

8 advantages of using VPN

*the internet-based VPN

What is OSI model? What’s the main function of each OSI layer?

The Open Systems Interconnection (OSI) model is to provide a protocol suite used to develop data-networking protocols and other standards to facilitate multivendor equipment interoperability, composed of seven layers, each specifying particular specialized tasks or functions:

Application layer: it provides an interface to the network and communicates the computer’s available resources to the rest of the network;

Presentation layer: it converts data into a format acceptable by the network and provides common communication services.

Session layer: it manages all conversations, data exchanges and dialogs between the application layers.

Transport layer: it provides reliable and transparent transfer of data between end points, end-to-end error recovery and flow control.

Network layer: it is responsible for routing and forwarding through IP addresses.

Data link layer: it provides for the reliable transfer of data across a physical link.

Physical layer: it provides the hardware that transmits and receives the bit stream as electrical optical or radio signals over an appropriate medium or carrier.

Great post, Deepali ! You’ve covered all the advantages of VPN very well. Could you tell how VPN provides better bandwidth and efficiency of the network or are you referring to the bandwidth or efficiency being better generally of an organization’s intranet as I was of the opinion that VPN won’t really enhance the bandwidth.

What are the advantages of VPN?

VPN – Virtual Private Network is a network created between you and what you access. The advantages are as follow:

Change or hid your IP – it will help you hide your identity and protect your personal data from being stolen.

Privacy – Because of encryption, VPN keeps all your Internet activity private, far from any unwanted eyes

Security – VPN creates a safe connection between you and servers and this protection is really hard, almost impossible to break.

Torrent downloads – it enables you to download torrents in very nice and secure manner without being discovered.

Unblock geo-restricted sites – it provides you the possibility to access geographically blocked sites from anywhere in the world.

According to Microsoft Support, the Open Systems Interconnet (OSI) model was established by the International Standards Organization in 1978, to allow communications between different data transfer applications. (Microsoft, n.d.) The OSI allows for different interfaces to communicate by flowing through the 7 layers.

Layers:

1. Physical
a. Allows for communication between the devices on the computer.

2. Data Link
a. Allows for the transfer of data over the physical layer.

3. Network
a. Allows for the delivery of data.

4. Transport
a. Allows for the flow of traffic.

5. Session Layer
a. Establishes connection between two end-points.

6. Presentation
a. Displays data in a uniformed way.

7. Application
a. Connects applications to networked services

While researching the OSI, I found many confusing explanations. One from TechTarget says, “And although useful for guiding discussion and evaluation, OSI is rarely actually implemented, as few network products or standard tools keep all related functions together in well-defined layers as related to the model. The TCP/IP protocols, which define the Internet, do not map cleanly to the OSI model.”.

You’re right. Security and cost-saving are two main advantages, so many individuals and organizations choose VPN. I read an article about how VPN to keep security, one interesting method is that it could hide or change your IP address to keep you under cover when browsing from your devices, so that you could surf online without worrying that spying eyes are following you.

I totally agree with you. I want to add an example about VPN unblocks geo-restricted sites. In China, we’re not allowed to access to any Google services, but with VPN, costs 3-5 dollar for individual users, you could connect to Google, Youtube or any other blocked websites.

I agree with you about security and privacy, that’s two of main serious challenges in today’s world, and I just want to add something related what you said better internet connection.

It’s not unusual that sometimes your Internet routes may not be optimal or bandwidth is limited especially connect to international online resources. which could lead to poor web experience and slow browsing. In such cases you can connect to a local VPN point of presence which further routes your traffic. This will allow you to have a bandwidth to distant destinations similar to the bandwidth available between you and your local VPN server.

Ian – Why do most of the firms choice VPN over some of the options you mentioned above?

Once a user established VPN connection to his/her company’s next work, the node he/she logged in becomes part of the company’s network….what controls a company should deploy to mitigate the risk caused by the activities you mentioned above, such as downloading movies and music illegally?

I strongly agree with you. Indeed, the VPN can significantly enhance the security for the internet users. By using the VPN, people who connect the internet will directly transfer their data to the VPN servers with the coded protection. This increase the difficulty to attackers who wants to steal the information from the users. Moreover, the VPN can also lower the cost to the company, so overall, the VPN improves the security with lower cost.

You’re right, and I want to add something about the advantages – its scalability. Virtual Private Networks are very flexible in terms of growing with the company and adding new users to the network. This type of infrastructure allows for scalability without having to add new components to accommodate the growth. This is also very helpful for reducing cost.

An intersting article about how to select a VPN service provider:

How to Choose the Best VPN Service for Your Needs

An interesting article about how to select VPN vendor:

How to Choose the Best VPN Service for Your Needs

Good point in talking about the secure private network between different cloud providers. Since the VPN service allows the users visit the internet through VPN servers with the IP address and location of the provider, which means they need to send the data to the VPN servers first, and I was thinking that this may impact the speed of uploading and downloading the files, and this might also impact the data transferring between different cloud providers.

Sean, well explained. Challenge question: can you explain to the class on Wednesday, how OSI layers map to TCP/IP?

Hi Priya,

Great post, I liked how you summarized the advantages of VPN very briefly. I would like to add that VPN allows internet users to access to unrestricted resources if the IP is blocked from somewhere.

What is an OSI Model? What is the main function of each layer?
• The OSI model is a seven-layer hierarchical model that shows the communication and data flow through each computer system.
o Physical (Layer 1)
 The physical components (cabling, etc) that keep the network together.
o Data Link (Layer 2)
 This layer includes switches and links data between locations.
o Network (Layer 3)
 Routers operate at this layer, where they move packets of data between IP addresses.
o Transport (Layer 4)
 Decides how much information will be communicated from each destination
o Session (Layer 5)
 Deals with communication creating a session with the web server you are trying to get data from.
 Creates a session between where your computer is trying to get information from.
o Presentation (Layer 6)
 The layer that the operating system is on.
 The Application layer sends information to the Presentation layer
o Application (Layer 7)
 The layer that the end-user interacts with. Applications that the user interacts with are contained within this level (Firefox, Outlook, etc)

What are the advantages of VPN?
• A VPN (virtual private network) is a way of connecting to another network securing over the internet.
• Advantages of VPN are:
o Data encryption – Data is encrypted when sent over a VPN, which can help the security of the data if the network is entered by a hacker
o Low cost
o Employees can access the network from without needing to be physically in the office, thus remote workers can access resources.
o Tunneling Protocol – If the path/tunnel from which the data is moving through is comprised, the data is purged from the tunnel thus setting up another level of security.

Priya,

Great post, I like how you segmented out the different protocols from each layer. I was talking to someone in my company’s IT department, and a point he made was that the OSI model gives some framework to an IT worker who is trying to sort out an issue. For example, if users lose access to email, whoever is trying to fix the issue can work from the physical layer, check the cabling, and work up to spot the issue.

Daniel,

That’s pretty wild, I was under the assumption that most companies were able to remove any access employees had the day the employee leaves, but that is eye-opening.

Those are good questions to ask if your client is using a VPN service provider…

Like your approch to answer the question one step further…

What are the advantages of VPN?
Virtual private network are beneficial for companies since they have their own private server that outside people cannot access. This negates the risk of people stealing information about the company. The VPN is secure and only employees are able to access the network. Employees are able to use features on the network such as share files between each other and access the network remotely. Thus VPN enhances security within the company since only employees can access, it is better performance since they are able to access the network anywhere with the proper login or companies laptop, and it reduces cost for the company.

What is OSI model? What’s the main function of each OSI layer?
The Open System Interconnection (OSI) model is a network framework to implement protocols through 7 different layers.
1. Physical – Equipment use to transfer information between systems, examples are wires, Ethernet cords, cards, etc.
2. Date Link – Data is encoded and decoded into bits. Divided into two different layers, Media access control and logical link layer.
3. Network – Information is transfer through technology by logical pathways, also known as virtual circuits.
4. Transport – Information is transfer between systems or host.
5. Session – Applications is establish, manage or terminates in this layer.
6. Presentation – Information is sorted by differences by type and translated through application to network format and vice versa.
7. Application – The end user process layer, where they are able to send the information through file sharing or email etc.

Great point Yang, with the security feature the user is protected against outside attacks. So if the user is at home and an attack happens, the attacker would not know the location of the user since the VPN IP address is at a different location of the VPN. So the user is protected and the user can work in privacy since the attacker would not like you said be able to view what files they are working on. So security is an advantage of VPN. It safeguards the user and the companies resources from outside attacks since they do not have access to the network.

Daniel good list, I liked the employees being able to access the network without needing to be in the office. At my old job I was given a laptop and was able to login to the companies server anywhere as long as there was Wi-FI. That made it a lot easier to perform my work and access my projects located on the companies server. Great benefit since I can work from home, well from anywhere really and be able to connect to other co-workers who are also connected to the VPN. It made the job more easier and flexible since if there was any issue, I could login and sign over the program that was sign out to myself back in so that the other user needing it can have it.

Great points Jianhui, VPN gives you the ability to work without being bother and track. You are anonymous online like you said when connected to the VPN and you are safeguard against attackers. It is a good way to work if you do not want anyone monitoring what you do and it certainly helps sometimes to be under the radar. Being able to access the VPN from anywhere is also a plus and gives you the freedom to work anywhere and not being constantly monitor. It also gives you the ease of mind to know that you are secure and attackers cannot access what your working on.

A Virtual Private Network uses tunneling to allow for uses in a private network to communicate through a public network, without the risk of the information being intercepted by hackers. This means a person can work at a remote location (Home, Hotel, Restaurant, ect.) and have the data encrypted to ensure secure transmission, over a non-secure network.

Another benefit would be a more productive workforce. Providing a secure connection to the private network will allow for work tasks to be completed anywhere with an internet connection. Increasing employee production.

There are also cost savings for the business if the work of the employee requires working from a remote location. A VPN allows the employee to utilize their own equipment, reducing hardware and support costs associated with the job.

The biggest advantage is worker’s ability to work remotely over a secure tunnel. I would recommend anyone who uses public WiFi to use a VPN connection. There are cheap services that will allow for this and some phone service providers offer VPN services. You don’t want someone to see you went to a bank website and gain your information at a coffee shop.

Hello Everyone,

As I mentioned on the WebEx class, “Carbon Black” is endpoint security software that performs advanced memory analysis of abnormal activities. It helped our organization’s infrastructure to catch a Ransomware Cryptolocker and stop it from spreading in the network.

Home – Carbon Black Inc.

Part of CIA Triad compliance would be managing security of applications running in the organization. White List, Black List or Certificate/Trust based are some of available options along with other third-party solutions controlling restrictions of applications, including Symantec and Lumension Endpoint Management. All these can be used to create a controlled environment in secured fashion.

Some organizations prefer to use one solutions over another or both depending on different factors, such as:

1. How many Applications are running in the organization ?
2. How many software applications are critical to restrict ?
3. What Applications run locally in self-contained environment and what others communicate over LAN or WAN ?
4. What Applications are “must have” and “nice to have” based on business functions?
5. What applications carry sensitive data over the network and where to?
6. Is there enough IT staff to support restrictions management?

By answering the questions above, an organization may easier decide what application restriction controls to implement.

– White Listing is probably adequate restriction type for organizations with a few standard applications running on the network without much of changing environment.For example, White Listing could be a good option to configure on servers which don’t normally get changed often and have standard number of legitimate applications. Also, this option is good in very unsecured environments where extra layer of protection is not budgeted. However, having too many applications running in the network may create extra administrative overhead.

– Black Listing involves less administrative efforts, but may be appropriate only for software development organizations where users have to run different applications very often for testing and evaluation or any other purpose. Basically, if there are more legitimate applications, then BlackListing option is adequate. However, an advanced endpoint security solution should be in place to provide extra layer of security in case of malware presence. However, having too many applications running in the network may create extra administrative overhead to keep blacklist updated.

– Signature based trusted applications restriction type is an option to implement for devices and OS platforms that require vendor’s compatibility approval before the installation. If for example, an iPhone App developed by some guy in Australia wants to sell to the public for iPhone users, then that App msut be signed by Apple before it would be authorized for installation.

So, some organizations may choose one of options above and others may have hybrid restriction controls.

When talking about deciding whether or not to whitelist or blacklist applications, I think it really depends on the scenario. I have had some experience with these types of tools.

One area where I see a good use for whitelisting applications is at a kiosk type station. If you have a station that is only used for 1 purpose, then whitelisting is a good idea. I have employed this in my work. Working in a school district, we have two stations setup in our library that are for using the library card catalog only. So, that is the only application permitted to run on that station. Since the station is logged in with a default user (with limited user rights), this avoids anyone from “tinkering”. Another Scenario I have seen is a company that had one dedicated machine for doing financial transactions. That machine was limited in the resources it could interact with on the Internet. IT could only reach the banking sites that it needed to do daily business with, all other traffic was blocked. So, it had a whitelisted IP list.

As far as using the whitelisting method on users, I think that’s a very difficult scenario. Too often we tighten things down so much that users can’t even do their job. It’s a decision each organization has to make. Will end user productivity suffer if they can’t access the resources they need in a timely manner? Does the threat of a breach outweigh user non-productive time? Maybe in certain scenarios it’s warranted. Maybe a user who is working with confidential information that you don’t want being released. Again, you have to evaluate each scenario, there is no common answer.

Although this deviates a little bit from the question being asked this week, I wanted to share a blacklisting example I run into a lot at my work.

My employer has two network types that it uses to connect to the internet. The first is used mostly for enterprise-wide communication (Outlook), the second is used mainly to conduct research and testing. The enterprise-wide communication network blacklists a tremendous amount of applications and has a more restrictive nature when it comes to what websites you can visit. The research network is much more permissive in terms of web traffic, but has similar restrictions on applications.

Every employee in the organization is given access to the enterprise-wide communication network, but only certain roles are given access to the research network. However, more and more employees are trying to conduct some sort of research on the communication network, and are finding much of their options “locked down” through blacklisting. This has led to many complaints about the restrictions. Furthermore, it would be onerous and costly to give more employees access to the research network.

White list and black list can be both used in an organization if necessary. Based on situation, most organizations would choose one applications. To simply explain whitelist vs blacklist:
Whitelist:
• Default-deny
• uses a list of approved apps, software, emails, domains, etc.
• Items not on the approved list are restricted or denied, depending on your company’s needs
Blacklist:
• Default-allow
• Uses a list of unapproved apps, software, emails, domains, etc
• Items not on the unapproved list can be used without any modifications or control
For a specific example, should you use whitelist or blacklist for your marketing campaign? The benefit of using whitelist is helping organizations target their ads to the right audience, you don’t need to worry about the advertisements reaching to irrelevant audience. It can improve efficiency and lower costs.
If the business doesn’t target on several audiences, there are many potential audiences that can be explore, they can use blacklists to set up a list of places where they don’t want the ads on.

Often times when we discuss topics regarding IT and what is the right way to do something, the answer often boils down to “it depends.” In this case I believe that there might be a best practice approach if we look at the basic architecture of a client-server model. I believe that servers are better suited for white listing and clients for blacklisting. We setup servers to perform specific tasks, so we know exactly what should be allowed on each server. Servers are the back-end and would require more protection and filters, we would prefer to allow known transmissions rather than be reactive in nature.

Client computers are better for blacklisting than servers because a user will require a wider array of applications and functionalities. If you spread that out to an organization with 10K employees, the number of applications, services, software will be dramatically be higher. Management of a whitelist for client computers would definitely be harder and more costly. Blacklisting is like having a anti-virus software. It prevents the exploit of known vulnerabilities/viruses but is reactive in nature.

Both blacklisting and whitelisting applications is an effective way to implement a group policy in an organization. However, both have their advantages and disadvantages. Whitelisting applications is by far the most secure way to protect an organization but it hinders the Availability part of the CIA triad. Even though this method is more secure, most organizations opt to blacklisting applications since it is easier to make all applications available besides certain few. This increases the Availability in an organization but can hinder both the Confidentiality and Integrity if a user were to run a malicious or unknown application not blacklisted.

In different organizations whitelisting might be required due to the sensitivity of its information, say for instance financial institutions and federal government might only whitelist applications after a thorough vetting process. Blacklisting on the other hand can be used in organizations in which its employees may need access to several applications and not have to go through a vetting process just to open an application or less sensitive data is used and not as detrimental if an attack was discovered.

The operating system is the primary level of software that allows your computer to accomplish beneficial work. The operating system and its roles are key to making informed decisions about your computer. It manages the computer’s memory and processes, as well as all of its software and hardware. It also allows you to communicate with the computer without knowing how to speak the computer’s language. With that said, the operating system contains the software, hardware, applications, programs that contain valuable information. If you do not secure your OS, the hacker can obtain proprietary information, practically control your machine, and could essentially destroy your computer (stolen, edited or deleted).

https://www.cs.uic.edu/~jbell/CourseNotes/OperatingSystems/15_Security.html

^^^^ Why is so important to protect operating systems?

List common control issues associated with operating systems and remediation strategy/plan.

The OS must protect itself from security breaches, such as runaway processes ( denial of service ), memory-access violations, stack overflow violations, the launching of programs with excessive privileges, and many other like Breach of Confidentiality, Breach of Integrity, Breach of Availability, Theft of Service, and like I said above: Denial of Service, DOS.

Some of the ways they can do that include:
• Performing regular OS patch updates
o Issue: Lack of formal change management procedures could lead to a compromise of system integrity by allowing unauthorized access gain access to resources like Patch Management
• Installing updated antivirus engines and software
• Scrutinizing all incoming and outgoing network traffic through a firewall
• Creating secure accounts with required privileges only
o Issue: Lack of Administration of accounts can lead to a compromise of system integrity by potentially allowing unauthorized access gain access to sensitive areas
 Unauthorized modification of data, which may have serious indirect consequences. For example a popular game or other program’s source code could be modified to open up security holes on users systems before being released to the public.
• Strategic design of system, software, and hardware can help with security howver this can be expensive and take a long time to implement. Advancements with technology and the cloud have helped with this.
o Issue: Weak Design and Implementation can lead to a compromise of the system by potentially allowing unauthorized access.

slides and https://www.cs.uic.edu/~jbell/CourseNotes/OperatingSystems/15_Security.html

Why is it so important to protect operating systems?

The operating system provides an interface to the underlying hardware and data and is a platform on which various applications execute their operations. Hence, the security of the operating system is a necessity for the overall system security. Today most commercially developed operating systems provide security through authentication of the users, maintenance of access control mechanisms, and provide trusted applications to modify or manage system resources.

In an organization, critical data can be accessed through the operating system. It would be catastrophic for a competitor to obtain confidential files. Protecting the operating system is one way to take precautions to protect information assets.

Why is so important to protect operating systems?

The operating system is the software that allows a user to operate a computer system. It is the interface that allows a user to communicate with an entire system that they would not independently be able to communicate with and operate. An OS is what manages all the processes, software, and hardware installed in system, and if that were to fail there would be no way to operate the system. Since the OS encompasses so many different aspects of a system, and because it is the software that controls every process on a system, it is vulnerable to many different threats. The OS also is very vast in size logically which allows many different avenues of potential access in unauthorized ways. Protecting the operating system is important because without an operable system everything stored on it will not be accessible. Not only would everything not be accessible if the OS is damaged, but a damaged OS could potentially be used to damage the processors, the applications installed, other software installed, the hardware and interfaces installed, and the data/files installed on the system.

Common control issues associated with operating systems are worms, port scamming , and denial of service (DOS).
Worms, consume system resources, often, blocking out other, legitimate processes. Worms that propagate over networks can be especially problematic, as they can tie up vast amounts of network resources and bring down large-scale systems.

Port Scanning is a search for vulnerabilities to attack. The basic idea is to systematically attempt to connect to every known network port on some remote machine, and to attempt to make contact. Once it is determined that a particular computer is listening to a particular port, then the next step is to determine what daemon is listening, and whether or not it is a version containing a known security flaw that can be exploited.

Denial of Service ( DOS )I are a type of attacks that do not attempt to actually access or damage systems, but merely to clog them up so badly that they cannot be used for any useful work.

In order to remediate to those, companies can implement security defenses ranging from security policies to Virus Protection, auditing and intrusion detection, and also use cryptography security tools, which will help with preserving the trust and confidentiality of the system. These tools including: encryption and authentication . Encryption refers to the idea of encoding a message so that only the desired recipient can decode and read it. Authentication involves verifying the identity of the person who transmitted a message.

Question 1: Why is so important to protect operating systems?

The operating system is the software preinstalled on your computer. Computers have no ability to function without the operating system software. Not only does the operating system allow your computer to function, but it allows the user (you) the ability to effectively communication to computer by translating your clicks to computer language (0,1).

Conversely, the operation system contains many components such as hardware, software, applications and your personal information. Without having proper security protection on your computer such as firewalls, anti-virus protection and authentication codes. You become vulnerable personally and virtually. If a hacker is able to access your operating systems, in essence you lose your machine whether it be your information, your physical control of your machine and the actual life of your system. It is very important to protect an operation system, without doing so you’re compromising your information as well as your computer as a whole.

Question 2: List common control issues associated with operating systems and remediation strategy/plan.

Some common control issues associated with OS are as follows:
– File sharing
– Lack of malware protection
– Lack of firewall protection
– Weak or nonexistent drive encryption
– 3rd party software
– Weak authentication passwords

The strategy plan when combating these common control issues are sometimes right in front of you, your computer itself. Technology is constantly evolving and technically speaking, once you buy a piece of technology it becomes instantly old. Sometimes you can just update your computer with the newest OS which will most certainly help protect your computer or buy the latest version of your computer. However, that is not always the case.

Some suggestions could be:
-Screening your file sharing, by using secure sites
-Buying/ Installing the latest malware and firewall protection
– Using more complex passwords
– Only downloading software and applications provided by your OS
– Paying attention to your web traffic such as streaming sites, etc.
– Shutting your computer down habitually

Overall, there isn’t one-size-fits-all strategy approach but, understanding the common control issues associated with computers is a first step in the right direction. The majority of this issues have to deal with outdated software or hardware and human error; at the end of the day it’s up to the user themselves to protect their OS by being vigilant across all boards.

Q1: Why is so important to protect operating systems?

You can compare the OS (operating system) to the heart of a human body. That’s why the operating system is considered to be the most important software on a computer. It manages the computer’s memory and processes. It also allows the communication of hardware components of a computer to the software components of the computer system. Operating systems provide access to computer services which is possible only via working of both the hardware components and the software components. Hence not to mention protecting the operating system is crucial. The operating system is the key to access to all the software , so if the operating system is compromised or hacked, the computer itself is in danger.

Why is so important to protect operating systems?

The Operating System is the heart of your computer, without it your computer can “live” (operate). It is like a translator between the user and the computer. That being said, it is crucial to protect your OS; otherwise you will find yourself in a bad situation. In fact, the OS controls your computer hardware and allows communication between your applications and hardware. Not being able to protect it will allow hackers to take over your whole system.

List common control issues associated with operating systems and remediation strategy/plan.

Some common control issues associated with Operating Systems are “Password-Based Attacks”, “Denial-of-Service Attack”, and “Application-Layer Attack”.

A “Password-Based Attacks” is when an attacker gain access to your computer via your user name and password. Once he/she has access to your computer, he/she can modify server and network configurations, reroute, or delete your data. The best way to protect yourself against this type of attack is to use more complex passwords.
A “Denial-of-Service Attack” prevents normal use of your computer or network by valid users. On way to protect yourself from that is to update constantly your firewall protection.
An “Application-Layer Attack” targets application servers by deliberately causing a fault in a server’s operating system or applications. The attacker can read, add, delete, or modify your data or operating system. To mitigate this risk, protect your system with firewall and install security patches released by your OS.

Indeed Ian, the operating system is the key to making informed decisions about one’s computer. I’d say that it is similar to a resource manager and handles decision making and interruption. It manages the time for tasks to occur.

Why is so important to protect operating systems?

An operating system is the most important software on a computer and provides the graphical interface that allows users to use the computer. It manages the processes, memory, in addition to all hardware and software. Most operating systems are preloaded in computers because they would be useless without one. It allows the average user to communicate with the computer with an intuitive visual interface instead of using a complex computer language.

Multiple programs use the computers memory and processor simultaneously and the OS manages each program and allocates the computers resources. If a OS is compromised, than all of the computers functions, including hardware and software are vulnerable.

Operating systems are vulnerable to external and internal risks. Internal control issues can be employees accessing sensitive information that they do not have a need to know. For example, a marketing employee accesses payroll data restricted to HR. Or an employee at a healthcare company accesses patients healthcare data, which would violate HIPAA. Often internal risks can increase external risks. Such as employees downloaded unauthorized software, or not regularly updating software with latest security patches. These lapses can leave information systems vulvernable to malware and other malicious software and hacks.

There are many strategies and controls for these types of risks. A log-on procedure helps protect against unauthorized access by requiring each user to use an individual ID and Password to access the network. Then an Access Token control can be use which contains information about the user including, ID, password, user group, and privileges specific to each user. All actions taken by the user on the network can be regulated by the access token. Such as preventing an employee from editing a database that they may not be authorized to, or accessing sensitive data which is outside of their purview. Logs are also important because it allows user behavior to be scrutinized, which is especially important after a security incident. Logs can also store other information about the system such as firewall activity to monitor unauthorized external attempts to access the network. One more important strategy is to encrypt data in the event that there is a security breach. If sensitive data is accessed by with malicious intent, it is more difficult to decrypt without the keys.

List common control issues associated with operating systems and remediation strategy/plan.

Some common control issues and methods of remediation with Operating Systems are as follows:
– Unnecessary Services/Protocols Running – Run protocol scanners and shell commands such as “netstat” to find out all services running on a system. Then determine which are unnecessary vulnerabilities and disable them.
– Privileges Based Upon Groups – Privileges based upon user groups can easily grant authority/access to system areas to users inappropriately. Review each user group, its associated privileges, and user lists to determine if policy is followed correctly regarding access and authorization. Change the policy controls if necessary to ensure that users are grouped and granted privileges appropriately.
– Password Strength – Weak passwords, and password policies, make OS’s vulnerable to intrusion. Attempt to crack passwords with password cracking tools/methods to test for weakness. Review and implement a password policy that requires strong passwords with minimum lengths and character usage, sets password aging, and sets a maximum number of incorrect entries before lockout to prevent brute-force cracking.
– System Updates/Patches – Patches must be installed to prevent known vulnerabilities to continue to exist. Ensure a policy is set to test patches on a segregated network before implementation to prevent interruptions to production environment. Set a policy to install outside peak operation periods.
– System Security – An OS is an enticing target for malware and attacks because an attacker can enter other systems and apps once inside the OS. Add protective measures such as host/cloud based Anti-virus, install NIDS/NIPS/HIDS/HIPS, implement a firewall, and set policy for access for all users at a minimum privilege base setting.

Q2: List common control issues associated with operating systems and remediation strategy/plan.

There are some popular operating systems that are commonly used by users. Windows, Mac OS, Linux for example. Honestly, I’ve been a PC user for my entire life. Windows is one of the world most popular operating system used by individuals, companies, and educational institutions. Windows has many advantages including user-friendly interface, available software, backwards compatibility, support for new hardware, etc. As opposed to those great features of Windows, there is one common control issue that I want to emphasize associated with Windows.

– Poor security: Compared to other operating systems, Microsoft has a very poor security. It is more vulnerable to virus or malware attacks and easier to be hijacked. Windows itself has its own security settings that require configuration; however, like many other software requiring some type of configurations, it is also very time-consuming process. And not many users are knowledgeable about that.

Remediation Plans
– Poor security
–> Install external firewalls to improve the security
–> Take a time and effort to complete security configuration settings within Windows
–> Periodically check the system in terms of viruses or malware
–> Periodically updates the security patches

Security is definitely a big issue in operating system. Windows security is not that great at all. I remember reading an article mentioning that nearly one million malware threats that can affect Windows systems, are released every day. That’s crazy.

A good way to protect the operating system should be to configure it in a way that it would be used to monitor activity on the network easily and efficiently. This would allow it to reveal who is and isn’t making connections, and point out potential security events.

Laly, as I mentioned to Said computers have the ability to function without and OS. Proof is that the early computers did not have an OS.
The only thing is that it is very hard to use computer without OS because everything need to be done manually. Users need to key in the programs by hand, which is a waste of time. I mean it would take hours to get the computer ready for simple operations like add or multiply.

It isn’t impossible but It is not something that you will enjoy using for sure.

Why is so important to protect operating systems?

One of the key aspects of modern computing systems is the ability to allow many users to share the
same facilities. These facilities may be memory, processors, databases, or software such as compilers or subroutines. When diverse users share common items, one is naturally concerned with protecting various objects from damage or from misappropriation by unauthorized users.
Protection ensures that the resources of the computer are used in a consistent way. It ensure that each object accessed correctly and only by those processes that are allowed to do so.
As computer systems have become more sophisticated and pervasive in their applications, the need to protect their integrity has also grown. We need to provide protection for several reasons. The most obvious is the need to prevent the mischievous, intentional violation of an access restriction by user. An unprotected resource cannot defend against use (or misuse) by an unauthorized or incompetent user. A protection-oriented system provides means to distinguish between authorized and unauthorized usage. The role of protection in a computer system is to provide a mechanism for the enforcement of the policies governing resource use. These policies can be established in a variety of ways. Some are fixed in the design of the system, while others are formulated by the management of a system. Still others are defined by the individual users to protect their own files and programs. A protection system must have the flexibility to enforce a variety of policies.

Resource：http://www.slideshare.net/sohaildanish/system-protection

Why is so important to protect operating systems?

An operating system is the most significant system software related to a computer. It contains programs that interface between the user, processor and applications software. It provides the primary means of managing the sharing and use of computer resources such as processor, memory and I/O devices. It does so by simplifying complex computer language into a GUI which allows users to easily operate a computer.
In essence, the operating system is important because it allows the user to use a computer.

List common control issues associated with operating systems and remediation strategy/plan.

1) Lack of malware protection and firewall – Installing antivirus and firewall
2) Poor password policy – Establishing a strong IT governance which educates employee to use strong passwords.
3) Missing patches/ system updates – DBA keeping up to date with patches and informing the organization of updates and patches that needs to be done.
4) File and share permission to everyone in the network – Establishing a strong IT governance which educates employee to review file sharing groups.

List common control issues associated with operating systems and remediation strategy/plan.

Blue Screen of Death (BSoD）
Many people think of blue as a calming color; however, when it comes up on your computer screen with a bunch of white text, it probably has the opposite effect. The blue screen of death (BSoD or STOP Error) may appear to be one of the scariest computer problems you’ll come across. However, all your computer may need is for you to reboot it. This STOP error appears on your screen for a variety of reasons: failing hardware, damaged software, corrupt DLL files, problems with drivers and more. The remedy for a blue screen of death depends on the original problem. The screen provides you with codes that can help you identify and fix your computer problems.

Missing DLL File
Dynamic-Link Library (DLL) files house information for your operating system on how to perform certain functions. Occasionally, your computer loses DLL files or something damages them. When your PC can’t read the particular DLL file, it doesn’t know how to respond in certain situations. You may have a missing or corrupt DLL file if you receive an error message every time you perform a certain function, such as saving. If your computer problems are stemming from missing and damaged DLL files, you can restore them by downloading them back onto your PC.

Applications That Won’t Install
If you’re having trouble with an application not installing, it may be because your computer doesn’t have enough hard drive space. If this is the case, you need to free up some space. This is one of the computer problems that’s, well, least problematic. You can free up some hard drive space by getting rid of files and folders you don’t need. These may be temporary files, duplicate files or data for software you’ve uninstalled.

Applications Run Slowly
There are several reasons software might be running at turtle speed. You may have computer problems that involve your operating system or an application, your operating system might be missing updates or your computer doesn’t have enough hard drive space. If you don’t have enough hard drive space, you can scan, clean and optimize your hard drive.

Abnormal Applications Behavior
Computer problems that involve applications acting strangely oftentimes leave you wondering what has happened. Your application has been working just fine, but now, seemingly without reason, it is doing something strange.

Resrouce：http://www.toptenreviews.com/software/articles/5-common-computer-problems-solutions/

1. Why is so important to protect operating systems?

It is important to protect OS from below factors:

• Protecting the Security of an OS provides the ability to protect it from unauthorized access. It helps in managing the integrity of an OS system and provides the ability to restrict which programs can enter states to exercise hardware instructions.

• It is important to maintain Change Management procedures for an OS so as to keep the system secure from unauthorized access. For example, if an employee leaves the job, it is important to make the changes and remove the access rights.

• Monitoring of an OS is important to manage and analysis of the event log. It is also important to monitor the access to the sensitive directories.

• Availability of an OS is very important. It should be protected from factors such as downtime, system crashes etc.

• Protecting Resource protection: Any entity such as data-sets, programs on the z/OS system is considered a “resource”. These resources need to be protected

Is it Windows security is not that great, or is it that the majority of businesses use the Microsoft OS which increases the percentage of attacks on that platform? I think a lot of the security vulnerabilities with Windows has to do with the fact that the majority of businesses use that product as their OS which means that the system is constantly facing attacks from many hackers everyday. I don’t necessarily think iOS, Unix, or Linux are better protected so much as they don’t face as many threats as Windows does on as frequent a basis. With that said, I imagine MS does its best to find vulnerabilities and patch them as quickly as possible because they don’t want to lose market share to competitors or open source platforms.

What are your thoughts on administrative mitigation controls regarding malware protection? I think an administrative policy should be in place regarding malware as well. That policy, along with an employee training program, would help to create security awareness in employees regarding threats in email, web usage, flash drives, etc. The policy would not fully eliminate threats from employee actions, but it would certainly help mitigate their occurrence and frequency. Employees, through awareness training, could also become another layer of defense against malware as well.

2. List common control issues associated with operating systems and remediation strategy/plan.

The following control issues are associated with the operating systems:

• File and share permissions that give up everything to everyone
• Lack of malware protection
• Lack of personal firewall protection
• Weak or nonexistent drive encryption
• No minimum security standards
• Weak security policy settings
• Unaccounted for systems running unknown, and unmanaged, services such as IIS and SQL Server Express
• Weak or nonexistent passwords

Remediation strategy/plan for the above mentioned controls issues can be:

• User groups should be established with properly defined access rights for all the files by the root user or admin user.
• Antivirus and anti-spyware software should be properly enabled and installed so as to ensure malware protection against any kind of breach.
• Personal firewalls must be set so as to ensure malware infiltration, wireless intrusions are blocked.
• It is important to manage the drive encryption of that in case the machine is stolen, it is the only way to protect the data breach. Only relying on the OS encryption is not a good way to control security breach.
• It is important for employees to follow company policies while using official machine even at the home such as SSL for outlook web access, using password with a strong paraphrase to ensure the safety. Network access control(NAC) systems should be well configured. Ensure to enforce it wherever possible.
• Activities like Audit logging, password complexity, password protected screen-savers ensure safety
• Patch management should be securely tested at a lower environment before being applied to higher environment.

Why is so important to protect operating systems?
Operating system (OS) helps run programs on the computer and helps a computer system executes multiple application concurrently in a single hardware containing multiple processing unit. Protection is any mechanism for controlling the access of users or processes to resources. OS integrity is a very important for the protection of data and below features are recognized for it.
1. Interference is in resource utilization imposes a very big threat to operating system. Ensure that there is no interference by the user programs to the main program or default program. Each process has to run independently and yet concurrently without interfering with the other and should not write into the memory of the other program.
2. Ensure that each process has limited privilege and escalated privilege is provided on request alone.
3. Ensure that the user is assigned the correct level of authorization and is authentication to access the resources. Need to protect from deliberate and inadvertent modification

To maintain integrity of the system and the data, the operating system has to be regularly monitored and updated by updating the latest security patches. Not updating the patches regularly can compromise the OS by penetration by external agents.

Any changes made to the system configuration files i. e. the registry can impose a risk to the confidentiality, integrity and availability of the system.

Reason to protect OS:
1. To prevent data loss
2. To prevent corruption of data
3. To prevent compromise of data
4. To prevent theft of data
5. To prevent sabotage

Source: CISA review manual-26th edition

Q1. Why is it so important to protect operating systems?

Operating systems are an important part of a working computer system. They interact with programs and applications, as well as input and output devices, and control the computer’s memory. Because it is what manages all software and hardware on the computer, it is crucial that it is protected, since this represents a potential single point of failure and access for attackers looking to obtain confidential information.

Q2. List common control issues associated with operating systems and remediations.

Some common risks associated with operating systems and their remediations include:
-Weak password policies. This can be strengthened by having certain requirements for passwords (character length, need of both upper and lowercase, etc.), as well as requiring it to be changed periodically.

-Improper account management. A solution for this is to create and assign different account levels based on job needs, and implement a regular recertification process to ensure continued justification of account assignment.

-Inadequate patch management. An organization should ensure that there is a policy dictating who is responsible for patch management, and how they should go about it.

-Limited monitoring. It is not enough for an organization to simply have event logs, an organization must also establish who is responsible for analyzing those logs, as well as how often they should do so.

List common control issues associated with operating systems and remediation strategy/plan.

Some common control issues and their remediation strategies:

No proper definition of roles and responsibilities: The user has to be given the right level of access i.e. administrator or user and be assigned to the correct user group. Users need not be given access to make changes to the registry and restricted privilege to be given for installation of softwares. Make sure Administrator password should not expire.

Disabling unnecessary services: It is difficult to define unnecessary service. Every service has a potential for trouble. The worst vulnerability is 0-day. Apart from the services defined by the OS manufacturer or resource available, trial and error method can help us identify the services that can be disabled and yet not affect the performance of the daily operations.

Open ports: Open ports allow access for others into our system. If any of the ports are not necessary they have to be blocked.

Unpatched and legacy system: Proper security patches have to be updated regularly. If there are problems with the patches a new update has to be ready to fix this issue. There is an interval between when the patch is released and when it is updated. is most vulnerable and this period should be properly established. Make sure that the patches are tested before they are release and can be released phase wise.. Also ensure that the Operating system is still supported by the manufacturer, if not make sure to upgrade it when necessary.

Unencrypted channel: The communication to and between systems has to be encrypted especially while using external networks. The company can make sure that it has a VPN that is required to access the company network.

Unencrypted HDD: Normally without HDD encryption the data on the system can be easily copied. Encryption like bitlocker encryption encrypts the system which requires a 64 bit key to be able to copy content from the HDD.

Clear text Credentials: Credentials should be hashed with salt which will make it harder for bruteforce attack. Strong password policy should be in place. Make sure that the company has policies that require the customers to change password regularly.

Insecure protocols: Some protocols like communication protocol (SLIP) are insecure and should not be used. Another example use https instead of http which is more secure.

Rightly said Joshua. Computer functions along with the data-sets that resides on the Operating system become vulnerable to security breach if operating system is not properly protected. A properly protected OS ensures the availability, confidentiality and integrity of the data sets residing on it.

I forgot to address the concept of a legacy OS in a network in my response, so thank you for bringing it up. Many businesses run legacy systems because upgrading is not feasible for one reason or another, or not justifiable for the cost(s) associated. I know when I was in the military, there was a contract with Microsoft to continue to patch the Windows version we used, which was very old, solely to keep it operationally safe for use as much as possible until the cost to upgrade military was justifiable enough to get the funding to do so. The patches Microsoft created were not available to the public, so public users had to upgrade if they did not want to be vulnerable any longer with a legacy OS. Another method to respond to legacy OS systems is to segregate them on the network in a DMZ to prevent the rest of the network from being accessed by outside threats if the legacy system was accessed by an unauthorized entity.

1. Why is so important to protect operating systems?

In a business perspective, computer system is the basic operating asset of a company where it stores the most essential and sensitive data. An operating system is the platform of a computer, which supports a computer’s basic functions, such as scheduling tasks, executing applications, and controlling peripherals. Most large firms developed its own operating software that runs on different operating systems. Without an OS such as Windows, Linux, MacOS, a company cannot continue to operate, a computer cannot function properly.

The main reason to protect operating systems is to prevent data lose, data breach, malicious software installed in the system, unwanted use of data. According to our books, If the OS is not controlled properly, it’s like locking the door but leaving the windows open. People can exploit security weaknesses at those other layers in many ways and disrupt the integrity, reliability, and security of the application systems. That is why security controls should be inplace to prevent failure of operating system.

Source: IT Auditing: Using Controls to Protect Information Assets

Great explanation Daniel. In case of open source operating systems it becomes easy to to insert malicious code in OS using those applications. A study of more than 2.5 million apps last year found that 97% of malware targeted Android.
[http://www.makeuseof.com/tag/secure-mobile-operating-system/]

2. List common Control issues associated with operating systems and remediation strategy/plan.

Common control issues:
1. Weak password setting
– Having certain requirements of password setting
– Constant change of password
2. Lack of malware protection
– Firewall
– Anti-virus software
– Hire hackers to hack to system to see how well the system can be protected
3. Authorized assess are given to employees inappropriately
– Clearly identify roles and responsibilities for employees
4. Infrequency in patch management and update
– Policies set up for patch updates
– Test the patch before release

Denial of Service is more of a network based attack. A distributed DOS can cause more harm. In DDos an attacker may make use of the vulnerabilities in your system to use your system to launch further attack by sending huge chunks of data from your system.
Along with great firewall, good and up to date antivirus, keeping track of email and spam mail will help prevent the attack.

Joshua you brought up 2 great points,One, internal risks can increase external risks- this is absolutely true. A employee using unauthorized software has potential of ip breaches and malware entering the organization. Data retention policy must be followed rigorously. Classification of data for internal entities to clearly understand how to handle that data is important. Second, encryption of data is also a must. Especially in case of physical loss of laptop, flash drive, any storage media. Even if the hacker has physically got the device, if good encryption is in place he data will be secure. At Accenture, we had a software installed on laptops and phones, in case of theft of storage devices this software would delete data from the device whenever the thief would connect it to any network,

Why is so important to protect operating systems?

Importance of operating systems:

The operating system is more important than the hardware. The OS not only manages a computer’s tasks but also optimizes the performance. When several tasks are running at the same time and trying to access the CPU, memory and storage, OS then organizes the requirements and allocates proper resources to tasks.

It is basically a tool for us to communicate with the computer through the user interface without knowing computer’s language.

Why to protect:

OS needs protection to ensure that each program component that is active on a system is using resources only in ways defined in stated policies. These policies are either developed by the management of the system or are fixed in the design of the system.

The OS is also allowing users to access organization data. With that in mind, a compromised OS can give permission to a hacker who can then damage different application, steal/corrupt/delete important data, etc.

Binu,

I agree with your point of open ports. It essential to close those ports since unused services are usually left with default configurations that are using default passwords and can be exploited to distribute unwanted content.

Alex,

Yes. But you have a lot of work to do. Without an operating system using and enforcing a standard, systematic approach to running the computer, you’re put in the position of writing code that must tell the computer exactly what to do. Think of every single option or possibility your word processing program has. You’d have to write code for every single one of those directly onto your hard drive. So, I’m definitely more into the idea of OS systems being pre installed and it’s technological advancement,

List common control issues associated with operating systems and remediation strategy/plan.
The security controls depend on the configuration of the system and the sensitivity of data that is processed in the system.
The control issues are:

> Improper user access permissions
Remedy: Creating different user groups to define user privileges for files by the administrator.

> Unblocked ports: Port scanning can expose open ports and computer’s network services information can be obtained by an attacker to decide which port to use for an attack.
Remedy: Identify the processes that are keeping the ports open, check of the processes/services requiring the ports to be opened are required or not If not, configure the application to stop the service.

>Weak Password Policies: Weaker passwords or blank passwords can put the organization at risk.
Remedy: A password policy with a seven-character limit can be cracked by password decryption software in a matter of minutes. I think a good password policy should at least have a 20 plus character password (ideally a passphrase; easy to remember). It is important to also teach employees of the concept of passphrases.

>Patch Management: The common practice of “install and forget,” which means that systems after deployment are either not updated frequently or never updated.
Remedy: Systems should be updated timely with software updates. There should be a patch scheduling mechanism in place to serve as a guideline for scheduling plans.

Great analogy Daniel.
Like a body, using an operating system requires an understanding of how it works and how to use it.

What a great detailed post. I really enjoyed hearing about the Unpatched and legacy system. Many companies forgets that old technologies pose risks as well, and those risks aren’t going away. As legacy systems continue to get more out-of-date, the world around them continues to evolve with that being said, the risks are increasing.

Annamarie,

Great post! I was wondering if you have a password policy asking users to have upper * lower case characters, etc. As the passwords become more complex for the users, don’t you think it will increase the number of calls to the help desk for “I forgot my password” requests?

This was one of the challenges for the password policy remedy that I came across.

Brou,

Once again you are right, but it is counterproductive especially in the business world. The OSs were created to make the user life easier. And as I said it acts like the heart of the computer, it’s what allows the computer to be useful.

Yu Ming,

I agree with your patch management point. Just to add on that, I think timing is important too. Especially, for the security updates, they should be done in a timely manner and must be made in a controlled and predictable way. If the patch application process is organized and controlled, the system may drift from the compliance with assigned patch.

A lot good points, just one correction, OS is a software, facilitate the communication between applications and computer hardware components. Itself doesn’t include hardware part.

What cause the “blue scree of death”?

Why is so important to protect operating systems?

Protecting operating systems (OS) is important due to nature of functions performed by OS system wide. The OS is responsible for managing all compute functions running on system sharing hardware system resources (CPU, Memory, Disk, I/O devices). The OS manages process multitasking, resource time-sharing, inter-process communication (IPC). The OS is responsible for protecting individual application running from interfering with each other, accessing each other trusted compute base (TCB) in terms of virtual memory space and disk blocks managed by different processes.

List common control issues associated with operating systems and remediation strategy/plan.

The Operating System controls are part of every OS to protect end to end compute base. Operating system by default offers process traffic isolation to separate and protect trusted compute base (TCB) of each application/process running on the same system. The controls start from Access controls, password requirement, logging activities to remote syslog facility, protecting against malicious software, and finally performing logic isolation of compute resources like in case of multi-tenant cloud computing.

The access controls is concerned with permitting authorized users to log in system (OS), logging all their activities, incorporating role based access control (RBAC), and possibly two factor authentication. Instituting strong password (number of characters, special characters, password history, lock out policy after failed attempt) is one of the important OS security controls.

Great insight, Binu and well explained. I’d like to point out that apart from the reasons you shared, it makes sense to protect the Operating systems to avoid financial losses as well. Any company’s primary and long term objectives are to make greater profit and lower costs and minimal losses which would eventually translate to higher earnings per share. In this case, any financial losses and increases cost, means a direct impact (however small or insignificant ) to the gross profit. The cost to fix a broken operating system or one which runs at lower efficiency than required by the business, could run into a significant dollar amount. The higher financial losses could also be in the form of reduced employee productivity due to system downtime.

And don’t forget the resilience piece…very important. In addition, how about physical access to the computers, whether servers or desktops?

Why is so important to protect operating systems?
An operating system is a program that manages all application and application programs on your computer. All major computer platforms both hardware and software require an operating system. Since these operating systems are the base of so many other applications we need to ensure their integrity, confidentiality and availability. Therefore, OS security can protect it from threats, viruses and malware. If we did not protect our OS the integrity of information on our machines would be compromised.

https://www.techopedia.com/definition/24774/operating-system-security-os-security

List common control issues associated with operating systems and remediation strategy/plan.

Common controls we find with OS systems are listed below:

– Weak Password – requiring users to create more complex and strong passwords to prevent hacking.
– Lack of protection from network traffic – install a firewall and antivirus to prevent threats and leaks of important information from your machine
– Employees having to much access – creating secure accounts with required privileges only

Q] Why is so important to protect operating systems?
A] Operating system is the backbone of computer. It handles Memory Management,Processor Management, Device Management, File Management, Security, Control over system performance, Job accounting, Error detecting aids, Coordination between other software and users. The security of OS has fundamental impacts to the overall security of a computer system, including the security of all applications running within the system. An attack that infects OS has potential to expose danger to the running application and further attack other applications.

absolutely, critical data or central database system can be accessed through the operating system within an organization. It would be catastrophic for a competitor to obtain confidential files. therefore, protecting operation system is significant

Absolutely, OS software make our user life better and feel more convenient, The Operating System is the heart of your computer, without it your computer can run.

As we learned from answering the second question, Yes, operating systems do offer some level of security but they are not as secured. Additional layers of security in the form of third party applications such as antivirus and administrative policies should be implemented.

Absolutely, I agree with you Kshirsagar. The more complex password policy will increase the number of people forgetting their password. This is also a challenge for the help desk service, how to solve it problem. If the password provide some information reminder, it will reduce the frequency of customers to forget their password.

Great examples. OS is a very important component of a computer as it pretty much controls it. Virus protection is especially important as who knows who is able to use and control our computer once our computer is infected.

I wouldn’t say that the operating system is more important than the hardware. A computer can still operate without an OS through computer language but a computer cannot operate without its hardware. It is as you said, an OS makes operating a computer much easier for people who do not have knowledge in computer language.

Nice post Abhay,

I agree that weak password or black passwords can put the organization at risk. Choosing a complicated password can increase the number of possible combinations of password. I would add to that the system should block the account or require secondary authentication if an incorrect password is entered too many times in order to prevent hacking.

Question: Why is so important to protect operating systems?

Security refers to providing a protection system to computer system resources such as CPU, memory, disk, software programs and most importantly data/information stored in the computer system.

In today’s business world, personal computers and other mobile devices are widely used in storing an organization’s information assets like employees’ personal information, payroll process, or order to cash process data. Without appropriate protection of operating systems, the Trojan Horse, Warms or other malware may allow attackers monitor the system flow and copy the sensitive information like bank accounts and passwords, which may cause huge damage for the organization’s information.

To mitigate the potential risks of data leak, operating systems need to be protect by antivirus software or other preventive controls.

Source: https://www.tutorialspoint.com/operating_system/os_security.htm

Question: List common control issues associated with operating systems and remediation strategy/plan.

Common control issues:
– Lack of accessible authority control
– Lack of antivirus protections
– Do not have backup plan
– Lack of updating the operating system
– Lack of detective control to recognize the malware

These common control issues may cause serious problems like data leak, loss of personal identify information, and damage other information assets of the organization. To mitigate the risks caused by common control issues associated with operating systems, here are some suggestions:

1. Enhance the accessible authority control by setting passwords of the operating system and different authority levels to access the system.
2. Use antivirus software to ensure the operating system do not have any Trojan Horse or Worm.
3. Setting a backup and disaster recovery plan to make sure the operating system can maintain running, and recover the information.
4. Updating the operating system to the newest version.
5. Using the protection function of antivirus software to detect the malware.

Q] List common control issues associated with operating systems and remediation strategy/plan.
A] OS has to provide a confidentiality, integrity and availability to the system. OS security may be approached in many ways, including adherence to the following:
– Unauthorized access to the system – OS can have different users accessing different parts of memory. The software should have access level denied. Changes to OS dependent files must be restricted. At least 2 factor authorization must be provided. And authorization to determine level of access. read write, edit, execute etc.
– Patch management – Hackers come up with new attacks everyday and OS vendors release security patches to remove the vulnerability. Performing regular OS patch updates to keep systems up to date is a must.
– Networking security issues – Any device trying to connect to the network must be authorized and authenticated by the OS.Scrutinize all incoming and outgoing network traffic through a firewall
– User policy – Restricting access to files, network and terminal access , password change and locking should be deployed though user policy.
– Open ports – Open port that generally restricted by firewall can cause serious harm.
– Encryption – The storage media like HDD on the OS must be encrypted. The channel via which systems communicate must be an encrypted channel.
– Install updated antivirus engines and software and scan systems regularly.

1 Why is it so important to protect operating systems?
The importance of protecting OS can be understood by understanding the impact on an OS that is not protected :
• Potentially allowing unauthorized access – could lead to a compromised system and information integrity due to unauthorized access
• Administrator authority is given to too many people and often of the level that is much higher than required to perform regular tasks needed for the job – this means that the administrators can knowingly or unknowingly harm the system.
• Systems are prone to attacks if not protected so a system that is not protected could be broken into easily which poses threat to the information on the system. The system could be subject to theft of data – be it personal or proprietary, which could have different outcomes depending on what data is stolen.
• An unprotected OS could lead to financial loss – small or big. A laptop or a desktop that crashes or is broken into could require money being spent in fixing the system, permanent data loss could occur and even intellectual property could be stolen. System down time could mean lower employee productivity and lost revenue in the form of chargeability.

I like your point about risking the organization’s data. Not only does exposing the OS to vulnerabilities effect the user’s data but also keeps the data of the organization (confidential/ client related/ business) in the hotspot.

Laly,

After you did this, I decided to compare Windows to Linux. Below are some interesting things I found out:

Windows has a fairly straightforward version structure, Linux is much more complex. It is common for people to customize Linux because it is open source so it is difficult to pick which Linux distro you want and easier to pick between Windows 7 and Windows 8 for example. Installing Linux is more complex and can involve live-booting while Windows installations can take longer but are a lot simpler, requiring a minimum of user input compared to many distros. Another key difference from Windows is the method of software installation. Rather than downloading a nice, neat .exe file, most Linux programs install from within your distro’s software repositories.

source: http://www.itpro.co.uk/operating-systems/24841/windows-vs-linux-whats-the-best-operating-system

Abhay – For my company, yes. It is one of my biggest compalints about my job. I have so many passwords for signing on to many different things. It is very difficult to remember and keep track of. I asked the question to my boss about why and he said the amount of money risked is greater than the cost savings amount that would be saved with less help desk calls.

Why is so important to protect operating systems?

Operating system, executed on the top of a bare machine of hardware that allocates the basic resources of the system and supervises the execution of all applications within the system. Because of the crucial role of the operating system in the operation of any computer systems, the security (or lack of security) of an operation system will have fundamental impacts to the overall security of a computer system, including the security of all applications running within the system. A compromise of the underneath operating system will certainly expose danger to any application running in the system. Lack of proper control and containment of execution of individual applications in an operating system may lead to attack or break-in from one application to other applications

Source: https://www.giac.org/paper/gsec/2776/operating-system-security-secure-operating-systems/104723

Good example and clear explanation in comparing the OS to the heart of human body. Indeed, an effective and safe operating system allows the OS users smoothly operating the applications on the PC or other mobile device. Additionally, users prefer to store information in the PC, protect the OS away from virus like Trojan Horse or Worm, and ensure the users’ information assets are safe.

True Magaly, apart from the counter points you stated, using a computer without an OS would make it almost impossible for a large number of users who might not have the specialized skills required to work on that system. The way OSs have built in usability in today’s age, even people who do not have basic education are able to easily work on a computer. OS has certainly made the world a smaller, closer space and even simplified some of the toughest tasks.

Very insightful answer, Sean. The point you made about unnecessary services/ protocols running is a very good one as it’s very easy that these go unnoticed. Other option is to use the system configuration utility to get an idea of what unfamiliar or suspicious programs are installed and then take the necessary action to safeguard the system. In addition to that, we can also look for open ports by running a netstat -an command for a windows OS as hackers can take advantage of open ports to attack a system.

Why is it so important to protect operating systems?

The operating system is essentially the “middle man” between a computer’s software and its hardware. This means that it is the operating systems that allow the applications access to computer resources such as the CPU, hard drive, network, and many other information system components. With that being said, it allows millions of software applications to be used on a computer all while providing the user with a familiar graphical user interface to start the software. From a security standpoint, this means that the operating system needs to be protected with the two important areas being access to data and hardware. If an operating system is compromised, a “bad guy” can attempt to perform a denial of service which means that the organization’s hardware is strained past capacity, causing information technology to crash. Likewise, a “bad guy” can have access to data through the operating system to either manipulate or extract for sale. Due to this, it is extremely important to protect the operating system.

List common control issues associated with operating systems and remediation strategy/plan.

Two common control issues related to the operating systems is that of unauthorized access and patch management. Since the operating system can access both software and hardware, allowing an unauthorized user access to a system enables them to cause a significant amount of damage. This damage can either be to create an effect on the computer hardware or steal information. Due to this, it is important to have authentication steps logging into a computer as well as restrictions on the types of actions a user can perform once logged in. Likewise, patch management is another key control issue associated with operating systems. If an operating system has a bug or defect, it could potentially cause a disturbance in the information systems as well as be a potential vulnerability to malware. Therefore, it is important for a company to have controls which make sure patches to systems are identified and implemented in a timely manner.

Great post Binu,

You mentioned hashing passwords with salt, which is something I’d heard about but honestly had no idea what it was. This caused me to research hashing a password with salt, and its use in defense against a brute force attack. Thanks!

1. Why is it so important to protect the operating system?
a. The operating system can be viewed as the foundation for the computer, because the hardware and operating system need to communicate in order to reach the computer’s full potential. The operating system organizes the software and hardware of a computer and also, “acts as a scheduler and traffic controller”. I read an analogy online of the operating system play the role of a good parent to make sure that the applications get the right resources (memory, etc) from the hardware.
If the operating system was attacked the issue could then flow over into the applications and the hardware. Data could be corrupted, and stolen, and the users may not be able to access the applications due to corruption.

Magaly,

Rightly said, We need to enjoy using Operating Systems since they are existing for making our tasks in which related with any type of computer technology easier. In today’s nature of corporate America, technology takes a huge part of every business. And OSs are absolutely the key players to operate those technology systems.

Why is it so important to protect operating systems?
Operating systems are important since it is the tool we used every day to enter information and get information from the system. It is our way to communicate with the machine and to make it function. The operating system must be clear of viruses or malware so that information on it is protected. If a hacker was able to get access to the system then they could steal important information and even corrupt the system and make it inaccessible. Without a way to get back into a system could be a huge issue since important information lays within the system. Operating system thus must be protected from all these things so that we can function and have our information be secure. We hold important programs on the operating systems and losing that will be a huge blow. We must also be aware of our surroundings and make sure the operating system is back up just in case. A spill of some sort onto the machine could cause serious damage so that just comes to show us that anything can cause damage to the Operating system. We must make sure the Operating system is protected on all levels to prepare for anything that can happen.

2. List common control issues associated with operating systems and remediation strategy/plan

Common control issues that can affect an operating system are:
• High amount of access and share permissions granted
• Lack of malware and firewall protection
• Weak password policy
• Poor patch management

A way to remediate these issues is to:
• Check the group permissions and ensure that the right users are assigned to the right groups and no groups have rights that exceed their job responsibility.
• Ensure that proper antivirus software is installed and that a firewall is present.
• Set length, and complexity requirements for passwords. Also, require password changes within a reasonable amount of time.
• Check for patch updates to the OS.

2. List common control issues associated with operating systems and remediation strategy/plan
Common control issues that can affect an operating system are:
• High amount of access and share permissions granted
• Lack of malware and firewall protection
• Weak password policy
• Poor patch management

A way to remediate these issues is to:
• Check the group permissions and ensure that the right users and assigned to the right groups and no groups have rights that exceed their job responsibility.
• Ensure that proper antivirus software is installed and that a firewall is present.
• Set length, and complexity requirements for passwords. Also require password changes within a reasonable amount of time.
• Check for patch updates to the OS..

List common control issues associated with operating systems and remediation strategy/plan.

Some of the common attacks are:
• Denial-of-service (DOS) Attacks – Attacks that prevent the use of the operating system by gaining access to the system and flooding the system until it overloads or send invalid data to the system which cause abnormal termination.

• Password-Based Attacks – Attacker gets into the system by over hearing your password or having your computer unlock so that they are able to just access the system without having to enter a password. Mostly it is done by eavesdropping or using tools to generate multiple attempts for password login. But once their into the system, they are able to access everything and can modify, delete, or transfer data.

• Malware – Attackers that are trigger once the user clicks something that opens the virus which will enter the system to corrupt it and cause damage for the user.

Plans that can prevent these attacks are regularly updating the system software and keeping virus protection up to date. Making sure the system is lock when you are not using it and never letting anyone know your password into the system. Be aware of what you clicking on and not opening something that looks suspicious and searching the email address if it was sent by email up to make sure that it is not a scam. There must be software in place that regularly scans the system for any intrusion and virus scanning software must be run daily to scan the system to make sure there is nothing suspicious.

Hi Yu Ming,

After reading your post I thought to myself, what would it be like if operating systems were only used by one company and there were no common operating systems like Windows or Mac OS? Think of it this way, if the operating systems were specific to each business, then growing up we would not develop the computer skills that can be transferable from business to business. Therefore, each company would have to spend a significant amount of money training new hires to their specific operating systems. I think have only a handful of different operating systems and GUI’s benefits organizations since users can develop these skills on their own time and bring those skills into the workplace.

Q 2 List common control issues associated with operating systems and remediation strategy/plan.
=> Some of the common control issues associated with perating systems and their remediation strategy are listed below:
• User access to shared files and network drives – this could mean giving maximum rights to a user which could lead to unauthorized access or higher level of access than intended. The remediation is to set up appropriate file permissions for each user or user group to ensure that the user only has the appropriate access permissions.
• Vulnerabilities – The IOT(Internet of Things) devices used increasingly these days are easy routes to spread malware. Computers that have such devices communicating with them are at a serious risk of being infected with Virus and malware. The remediation to this issue would be to use the right Antivirus and Firewall software coupled with regularly updated virus definitions and the latest OS patches.
• Data available on disk which could be stolen easily – The right way to tackle this issue would be use file encryption software and whole disk encryption software so that data on a system that falls in the wrong hands would still be difficult to tap into.

Good point Fangzhou,

It is too risky to store all the sensitive information in our operating system without appropriate security on the operating systems. If the OS allows unauthorized assess to the organization data, it can lead to system downtime, virus, trojan, or data stolen.

The Operating system is the link between the User and Computer. It provides, now graphical user interfaces to the underlying hardware, and allows the user to execute software away from the command line. Examples of operating systems are: Windows, Linux, and iOS. The operating system is used to allow the user to input commands, via and I/O device, which the hardware will perform and complete the commands.

It is important to protect the operating system because:

1. The OS is the level where controls and policies are configured
Intruder may access areas of the network that are considered “sensitive”

2. The OS accesses the hardware
Intruder can overwork the hardware and kill it
Intruder can access other devices on the network

3. The OS is complex
Intrude can hide on your network and watch what you do. It is difficult to figure out you have been hacked. Many times, you don’t even know until your computer breaks, tells you to pay someone to get information back, or it is broadcasted on the news.

Even with a top notch policy plan, there may be some control issues that arise and every organization should have a remediation plan to reduce the down-time associated with the failure. Here are a few I have experienced.

1. Accidental – This would be the failure of equipment or untrained users. An example would be an old operating system, firewall, or anything that doesn’t get security updates from the provider or an employee not protecting their passwords

2. Deliberate – This is a planned attack for gain. It may be to gather information, bring down an organization, or hold data hostage. Malware may be installed by a disgruntled employee who is seeking revenge.

The best way to combat accidental and deliberate control issues is to have an accurate Enterprise Architecture blueprint. This will list the device names and versions. When each vendor provides a patch, a beta test of the patch can be performed, and if it checks out, a script can be created to push down the patches (Patch Management).

Keep an active security software solution for: Operating System, E-mail, firewall, and internet. Manage each solution on a daily basis. This will reduce the areas of penetration and increase awareness of new threats posted by the security provider.

Set controls for your employees. Only allow employees access to areas of the network required for the job. Monitor employee usage and limit access to the internet. You can also provide employee training on technology security best-practices. This will limit the chances of an employee accidentally causing an issue.

The discussion made me do a little research and I found this link to the history of Operating systems. Many of us only know about the last 20 years, but the first OS was created in 1950. Most computers were too expensive until the 70’s, when the PC & MS DOS took off but even then, they were a luxury for most families and was only a command line access. It wasn’t until the 90’s when Microsoft built a GUI (Graphical User Interface) or Windows. Shortly after Windows 3.0 came out and the craze for PC’s took off, in 1992 the first windows virus, WinVir was discovered, prompting Microsoft to implement user right controls (Admin vs. user).

From there, we have evolved into multiple different Microsoft windows versions, Apple Versions, Google versions, and others. The report ends with “The Internet of Things” (IoT).

The IoT is crazy technology that controls anything. The example it give is appliances talking to each other. One article I read a few years ago talked about window blinds adjusting based on where the sun was located throughout the day. What about your bed telling the coffee maker, radio, television, window blinds, or what ever else you use in the morning that you just got up. Crazy huh…

https://www.cs.rutgers.edu/~pxk/416/notes/01-intro.html

Why is so important to protect operating systems?
Computers are frequently used to surf the internet and for work, and many important data is included in the computer. So hackers may attach the computer if the security of its operating system is low. So protecting the operating systems are really important. Reasons see below:
Browsing history: when we browse the internet, the computer records the history of websites we have visited. So if the files are not deleted, other people can easily access the operating system and steal important data.
Cookies: cookies are files that originate from websites that we have visited. Cookies will remember the name, shopping preferences, items of interest, and other information. Hackers often use cookies to find out sensitive information.
Documents: computer stores documents that we recently worked on. If the security of OS is low, hackers can easily access the computer and view and steal the files that include sensitive information and data.

http://www.spamlaws.com/importance-of-computer-clean-up.html

List common control issues associated with operating systems and remediation strategy/plan.
People should:
1) make a habit of cleaning up the computer on a daily basis and every time that you finish browsing the internet.
2) perform regular operating system patch updates
3) install updated antivirus engines and software
4) scrutinize all incoming and outgoing network traffic through a firewall
5) create secure accounts with required privileges only.

https://www.techopedia.com/definition/24774/operating-system-security-os-security

That’t exactly the reason why we need OS….

Q:Why is so important to protect operating systems?

A:The operating system is the fundamental software that supports the basic functions of a computer. It serves as a basic control panel that manages the core of a computer. It is also the necessary tool for us to communicate with a computer which will further comprehend the data and information upon storage. Protecting the operating system means to secure the primary platform which essentially allows storage of our information. By creating a safe operating system, it will less likely to leak any of our valuable documents that might contain sensitive information that could be taken advantages if obtained by others. The security of the operating system is the key to protect our assets.

Q:List common control issues associated with operating systems and remediation strategy/plan.

A: Some common control issues associated with operating systems:
-Mandatory/Hidden installations of 3rd party softwares and plug-ins
-Malware while surfing on the internet
-Operating system becomes extremely slow
-Application compatibility
Remediation Strategies:
To prevent installations of many softwares and plug-ins, a firewall or an antivirus software is recommended, preferably a quality one with good reputation. This would also be a great tool to detect and eliminate malware since many websites we are viewing today have a great chance of having it. Excessive installations of softwares, storage files, cache and buffer files would slow down the operating system drastically. Therefore, it is also necessary to clean up the operating system every once in a while and defrag all drives. Since many applications are compatible with only certain operating system, the only possible solution is to find a similar program that would run through the operating system of your choice.

Great point Ming, improper care of individual applications in the operating system leaves the system vulnerable to attacks. Risk measurements must be in place to safeguard against this so that the operating system will be intact and safe. Individuals must know what to do in case of any scenario that can unfold. There must be meetings discuss of potential attacks and how to handle in each. This knowledge will save the company in the future by having individuals be alert of any potential danger that may occur.

Agreed Abhay, the operating systems provide access to those who are authorize. If that is compromised then it will be a huge risk since all the important information is stored within the OS. There must be safeguards in place that assign which users can access what system within the OS also. If everyone within the company has assign to all the databases then they can steal information or make changes that can be severe for the company. So making sure in the OS who has authorize access to what is very important and will mitigate potential risk.

Hi, Paul
Thanks for sharing, very interesting technique! I think this technique helps solve the problem with passwords being too simple, but I believe there is still possibility that people will forget about the phrase. Adding password hints might be a good idea.

I agree with you! The reason why “Zero-day attack” has its name is because it is exploited and attackers release malware before a developer has an opportunity to create a patch to fix the vulnerability. Therefore, patch cannot effectively remediate the risk caused by “zero day” attack

This is not a comment on the discuss, but some help with assignment PA 2.1

There are two command syntax errors you want to be aware of. In 5h and 5j, the context name needs to be in quotes.

Original: # ldapadd -x -D cn=Manager, dc=localhost,dc=localdomain -W -f /home/userid/basedomain.ldif

Correct Syntax: # ldapadd -x -D “cn=Manager, dc=localhost,dc=localdomain” -W -f /home/userid/basedomain.ldif

Make the same correction for 5j.

I would prefer windows because at the end of the day, you know Microsoft is the responsible party for patching and fixing issues. Depending on your distribution of Linux, that’s a little fuzzier. Since Microsoft and Windows have a larger market share and more money, tons of resources can be spent securing their operating systems compared with Linux competitors. Now venturing outside my knowledge set, I would argue that any custom solution you wanted to enable to lock down a linux machine would also be available with Windows if you have the proper skillset. From a business standpoint if there is a purely windows vulnerability that impacts your company, chances are there are a lot of other businesses in the same situation so the PR nightmare isn’t as bad. Just a few thoughts.

Thank you for your help, Scott

Hello Classmates,

Also, I wanted to add a few tips regarding the lab PA2.1.

When importing basedomain.ldif, user1.ldif and user2.ldif, you may get the errors as follows:
“Protocol Error (2)”
“No such Object (32)“

Root Cause:
Linux is very sensitive at interpreting the code. So, the ldif file containing the code must be clean in terms of having no extra spaces and no extra characters. Otherwise, Linux shell will not read the code and therefore generate errors.

Resolution:
When copying code text from the instructions into created file with ldif extension, and before uploading file to Linux FTP server from within Windows, make sure to clean up the file, line by line, as follows:
– remove any leading and trailing empty spaces
– remove unnecessary/extra characters that could be inserted by MS Word or NotePad during copy and paste operation
– organize each code line item exactly the same way as written in the Brian’s instructions, because text code could be distorted by Word or NotePad during copy and paste operation.

This is very time consuming process to perform this type of clean up, but this is how I fixed the aforementioned errors. Once files were clean, I was able to import them into LDAP from Linux shell with successful results.

Here are some questions that I had and responded to from another student:

With step 2 and 3. I’m getting errors. Questions:
-When we edit vsftpd do we follow the blog post instructions to the t, or we just need to comment local enable=yes.
The only thing you need to do is make sure that there is no “#” in front of local_enable=yes
To save it you need to enter Shift+Z+Z

-When I comment local enable=yes actually how do I exit the screen to move on.
To save it you need to enter Shift+Z+Z
If you exit incorrectly, then the system will create a swap file. In that case you need to remove the swap file
It should look something like this : # rm /etc/vsftpd/.vsftpd.conf.swp
Once you delete that, go back in : vi /etc/vsftpd/vsftpd.conf and make sure that the # is removed
Then save it (Shift+Z+Z)

-When I try to FTP via explorer I get error (Opened in Internet Explorer)
You are suppose to use FTP from you host machine, the machine that is running the VMware.
Open a folder and in the browser bar type in: ftp://student:student@serveripaddress
You should see folders like you would normally do when opening a My Documents folder.

– When I do FTP via terminal and I cannot create file that way to through using “mkdir’ command.
You can see when I list I do not have new file.
Try logging in as root. But the exercise asked for you to mkdir through the VM terminal and not through FTP.
Try using the command SU to elevate your privilege in the VM Terminal
Then # mkdir /home/student/public_html

Linux or Windows? Seems like nothing starts a war in the IT department like this topic… but which is better?

I’m a lifelong Windows user and have never used Linux. However, I’d hesitate to say one is comprehensively better than the other. Windows obviously enjoys a huge market share advantage over Linux in desktops, but Linux has more or comparable market share in the world of servers. I’d argue that Windows is better for typical desktop enterprise use because of the pervasiveness of applications like the Office suit and Outlook. However, Linux isn’t a bad choice because of the quality of the operating system, rather because it’s adoption is more limited in the space that Windows excels.

Which is more secure?

Again, I think the answer is a matter of degrees. Windows presents a bigger target for attackers due to its widespread use, so your risk increases if you use a Windows desktop. However, that’s not to say that Linux has no vulnerabilities, or that it’s risk free.

I have been exposed to Windows and Linux environments and constantly using Mac and Windows to accomplish my everyday tasks at work and home. I am not choosing anything specific as I enjoy working with multiple OSs and different technologies to meet various business challenges. However, it seems like Linux is favorable OS by many large corporations versus having Windows as core infrastructure systems. The notable reasoning I have found if business core function is money (such as banks, e-commerce), then Linux is preferred due to its robust and advanced functions that can provide fully customized secured environment in controlled fashion, whereas Windows platform would be a choice of preference for small-mid size businesses who are not dealing with money but rather provide healthcare, educational and professional services.

Linux is open-source OS that provides unlimited opportunity for passionate and dedicated developers in the internet community to contribute their inspirational ideas into real world and release customizable products. Linux provides a lot of powerful built-in capabilities and tools for development, penetration and vulnerability assessments, advanced exploitation (such as Metasploitable), Web, FTP and SQL servers, shell with kernel programmability, and much more. Tools are built with security in mind. However, new security patches and releases may not be releases quick enough.

Windows is not open-source and comes pre-packaged with no customization possible. All built-in securities are not customizable. Kernel is hidden from modification. Windows does not have as many built-in free powerful tools as Linux does. Many software packages are built by various vendors without security in mind, thus weakening security of entire system. However, Windows releases security patches on monthly basis.

Both Linux and Windows provide various capabilities enabling functions for unique business types. However, neither Linux nor Windows nor Mac are secured. Linux allows to see what is underneath its kernel allowing to view what is actually running and how it can be manipulated in malicious or legitimate ways, whereas Windows is a black box where it is not possible to manipulate with. There is always a way to breach security. Every OS type has its own security mechanisms and weaknesses.

Since Windows is largely used worldwide and most of its software is configured and built the standard way with the same versions without much of customization, it is more prone to attacks. Windows OS and related Apps get targeted more than Linux. If a Windows component is compromised there is more gain for hacker given its worldwide presence. If Linux portion is compromised, there is higher likelihood that the same function used by other organization might be customized to reduce attack surface, so hacker may not gain much from it.

Ruslan, this is a very tough act to follow and you’ve provided a great number details for both OS. I have always been a Windows user and have only venture into Linux in the recent year. I still find Linux a little confusing, but am hoping to become better at it. At this juncture, I would prefer the GUI of the Windows OS, mainly due to my familiarity with the system. For somebody that doesn’t use Linux on a regular basis there is a huge learning curve that must be overcome.
In regards to which one being more secured, I can only answer based on reading and in class discussions. Since Windows OS and products are mass produced without customization, a vulnerability found in the OS puts all systems with Windows OS at risk of an attack. With Linux, which is highly customizable, the potential of vulnerability exploitation is limited to the specific Linux OS instance, making the potential gain of a single exploit less favorable for a hacker.
The Windows OS is more of a one-size fit all, whereas default configurations of the OS applications and software, out-of-the-box, may not be necessary or enough for the organization. The organization can “hardened” the OS base on their needs by removing default services or programs and changing default settings such as firewalls. The Linux, on the other hand, provides a platform where the organization can add on the services and tools that they need, as they need it.

I’ve been on the linux bandwagon for the majority of my life. My first computer was an old Dell desktop donated from a library with 128 MB of RAM and barely 10 GB of storage. At the time, an average computer had about 2048 MB of RAM and a 100 – 500 GB of storage. Using Linux helped me make the most of limited resources I had to do just about everything short of virtualization and games that users with the 2 GB “supercomputers” of the time were able to do.

However, I got off my bandwagon after my first $900 laptop had a video card which was incompatible with Ubuntu. I started to see the benefits of both operating systems based on what I needed to do. when I started working in IT.

While linux is faster, lightweight and more satisfying to use, it takes up quite a bit of time which can be saved if I can use a more powerful PC that I runs Windows. Working at small to midsize IT shop let me see the nightmare of managing user expectations which are hard enough to satisfy with the consistent experiences of Microsoft Windows, group policies, AD and all of the support tools that are available with Microsoft Windows. I can’t even imagine how hard it would be to manage PCs with different hardware in a linux environment with users who are used to seeing windows operating systems.

Long story short, my OS preference depends on what I need done.

What are key characters of relational database management systems?

• Data is displayed in tables, columns, and rows.
• Supports missing data in an organized and logical way.
• Supports at least one language
o Languages support data definition operations, data manipulation, constraints, and transaction management.
• Supports logical data independence.
• Supports physical data independence
• Support distribution independence.

http://it.toolbox.com/blogs/enterprise-solutions/characteristics-of-relational-databases-24134

List some risk associated with database management systems (DBMS)

• High development costs
• Long development projects
• Large and expensive physical infrastructure
• RDMS are known to resource inefficiency and ineffective distribution
• Facilitate poor performance “bottlenecks” for the user
• Each single server has limits and when those limits are reached, many database platforms have few practical options available for further scalability. This is a management nightmare and it causes significant overhead costs.

http://blog.tonybain.com/tony_bain/2009/05/the-problem-with-the-relational-database-part-1-the-deployment-model.html

Relational databases are a collection of computer programs that are used to organize files into a database for the storage, organization, manipulation, and retrieval by the computer’s operating system. Traditional file systems are used as a collection of raw data files stored on a hard drive.

DBMS has more benefits over traditional file system because DBMS can handle a large majority of applications which purpose is to manage the data stored in databases. File systems make tasks like storage, search and retrieval more tedious because it has to be done manually. This could potentially cause problems like, data integrity, data inconsistency and data security which can be avoided when using a DBMS.

DBMS is the more efficient option because reading line by line is not required and specific control mechanisms are in place.

What are key characters of relational database management systems?
The Relational database management system are created for fast storage and recovery of large quantities of data.
Provides data to be stored in tables:
– Keeps data in the form of rows and columns
– Provides multi-user availability that can be controlled by an individual user
– Runs primary keys, to identify the rows
– Generates keys for quicker data retrieval
– Provides a virtual table creation in which sensitive data can be stored and simplified query can be applied
– Sharing of common columns, in two or more tables such as primary key and foreign key

Key benefits/advantages brought by relational databases?
The advantages of RDMS is that it removes duplicate data and allows easy accessibility to information from other users, as well as makes it easier to update data.

List some risk associated with database management systems (DBMS)?
– Increased cost
– Management difficulty
– Maintaining Currency
– Upgrade and Frequency
Source: https://equizine.wordpress.com/2012/10/22/advantage-ans-disadvantages-of-database-management-system/comment-page-1/

What are key characters of relational database management systems?
Relational database management systems are a collection of data items organized as a set of formally-described tables from which data can be accessed or reassembled in many different ways without having to reorganize the database tables.
The key characters are as below:
1. Data is presented as a collection of relations.
2. Each relation is depicted as a table.
3. Columns are attributes that belong to the entity modeled by the table
4. Each row represents a single entity
5. Every table has a set of attributes that taken together as a “key” uniquely identifies each entity

Key benefits of relational databases vs traditional file system?

A database is generally used for storing related, structured data, with well defined data formats, in an efficient manner for insert, update and/or retrieval.

A file system is a more unstructured data store for storing arbitrary, probably unrelated data. The file system is more general, and databases are built on top of the general data storage services provided by file systems.

A database management system is designed to coordinate multiple users accessing the same data at the same time.
A file-processing system is usually designed to allow one or more programs to access different data files at the same time
.
Unauthorized access is restricted in RDBMS but not in the file system.

RDBMS allow to control unwanted repetition of data ( redundancy)

List risks associated with database management systems (DBMS)

Database systems interface with many different technologies and have a significant impact on a company’s resources and culture. The changes introduced by the adoption of a database system must be properly managed to ensure that they help advance the company’s objectives. The fact that database systems hold sensitive information is a vulnerability. Indeed, they can contain customers’ personal data, confidential competitive information, and intellectual property. Losing these data can result in brand damage, competitive disadvantage, and serious fines.
Because DBMS are accessed from multiple sources, security issues must be assessed constantly.

What are key characters of relational database management systems?

A relational database is a collection of data items organized as a set of formally described tables from which data can be accessed easily. It is created using the relational model. The software used in a relational database is called a relational database management system (RDBMS).

Each table (which is sometimes called a relation) contains one or more data categories in columns
Each row contains a unique instance of data for the categories defined by the columns.
A user of the database could obtain a view of the database that fitted the user’s needs.

Sources: Deck slides
http://searchsqlserver.techtarget.com/definition/relational-database

Key benefits of relational databases vs traditional file system?

– Reduce data redundancy
– Improve data integrity
– Data and program independence
– Improve strategic use of data
– Improve security

However, relational databases are more complex, expensive, and difficult to recover from a failure.

Source: https://prezi.com/_yvckcg5pinu/advantages-of-using-database-approach-vs-traditional-file-pr/

List risks associated with database management systems (DBMS)

– Easily guessed passwords
– Missing Patches
– Misconfigurations
– Excessive Privileges
– Web application attacks (SQL-injection) •
– Insider mistakes
– Weak or non-existent audit controls

Source: Slide decks

What are key characters of relational database management systems?
1. Data Integrity: DBMS maintains consistency of data
2. Rollback: Revert the previously executed command
3. Security: No unauthorized user can access the data
4. Concurrency control: Multiple user access
5. Backup: Backup of the data can be stored for security
6. Data Independent: Independent of queries.

Key benefits of relational databases vs traditional file system?
Benefits of relational databases:
1. Query ability: In file system, the information was stored in file and to retrieve it the entire file had to be scanned. For doing this query had to be written step by step in programming language. Whereas in database, the query ability helps in finding the data
2. Redundancy Control: Unwanted repetition of data. In file system suppose if user has to be restricted from viewing or accessing certain information, 2 copies of the same information needs to be stored- one with the restricted access and one with full access. Redundancy control is a feature in database system where in permission are granted to user and depending on these permission users can access the data.
3. Access control: This feature enables the database administrator to delegate different levels of accesses to its users which was not present in file system
4. Option to store persistent object: Database gives the option to save an object which can be referred to later.
5. Backup and migrate: Option to import and export.
6. Multiple user interface
7. Integrity constraints: Maintain relationship between tables.
8. Relationship among data
9. Flexibility: Can change the schema of the data.
10. Application development time is reduced

Q] What are key characters of relational database management systems?

Data was earlier stored in flat files. Where data was separated using delimeters.eg tab or ; or, or |. E.F Codd designed the relational database. Here data that is related to each other is stored in tables(relations). Relational database(db) has following characteristics:
– Table- called as Relation. Stores values. It can be related to another table. eg Table1 is of schools in Philadelphia. Table 2 is Fox school table.
– Here we can establish a relation. Fox School table is a subset of Table1.
– Attributes- They are the columns which define the characteristics of the relation. Eg.in Table 1 columns like School number, address, Name, contact number, state rank are the attributes.
– Tuple – it is the row in the table. Tuple is set of attributes that are related to each other.
e.g Table 1 (attribute, value)
Attributes (School number, address, Name, contact number, state rank)
Tuple (1231, 1800 Broad St, 901234569, Fox School of Business, 2)
– Primary key – There is a primary key in every tuple that makes it unique. Eg School number 1231 in our example.
– Relations – As the name suggests with help of primary keys you can establish a relation within two tables. Primary key can help join one – to- one or many – to many relations.
– Integrity – Relational tables follow various integrity rules that ensure the data stored in them is always accessible and accurate. The rules coupled with SQL enable users to easily enforce transaction and concurrency controls, thus guaranteeing data integrity.
– Optimized data – With unique identifiers, it is easy to search for data.
– Relational database is accomplished though structured query language, or SQL, which is based on relational algebraic principles.

Q] Key benefits of relational databases vs traditional file system?
Traditional RDBMS
1. Data stored in flat files separated by delimiters Data stored in tables, in rows and columns
2. One file cannot be related to another Relationships between tables can be shown
3. Data is not independent of each other Data is physically and logically independent
4. They lack structure Structured: Atomicity,Consistency,Isolation, Durability
5. Data is not easy to access as there is no identifier Easy to access and search

Traditional ||||||||||| RDBMS
1. Data stored in flat files separated by delimiters ||||||||| RDBMS: Data stored in tables, in rows and columns
2. Relation between files cannot be established ||||||||| RDBMS: Relationships between tables can be shown
3. Data is not independent of each other |||||||||| RDBMS: Data is physically and logically independent
4. They lack structure |||||||||||| RDBMS: Structured: Atomicity,Consistency,Isolation, Durability
5. Data is not easy to access as there is no identifier ||||||||||| RDBMS: Easy to access and search

Q] List risks associated with database management systems (DBMS)
1. Sensitive data if stored in plain text can be a big risk. e.g storing passwords
2. Maintaining concurrency of data
3. Frequent updates or version changes from the DB product can sometime create discrepancies in data
4. Data must be made available at all times
5. Access must be well controlled
6. To keep availability at all times , maintaining back up and recovery is must, which increases additional costs
7. Tracking redundant data

What are key characters of relational database management systems?

Some of the characteristics of relational database management systems are data being store within tables that have relationship with each other. The data is set up in tables, rows, or even columns and they all must relate to each other either by a primarily or foreign key. To view or find the data that are store, there must be a command that combines the table base on the relationship. So the data has to be related in order for the command to work. SQL is one example of relational databases. I worked with SQL in my old job and the codes use to find something would only work if the data were related.

Question 1: What are key characters of relational database management systems?

Relational database management systems are offer greater benefits than a traditional management system. Instead of a hierarchical database that uses a tree like structure, a relational database utilizes tables to store data. The name relational comes from the fact that different tables “relate” to one another which allows data to be accessed and manipulated in a number of ways. The text identifies the following database objects that allow users to access data in a relational database management system.

1. Table – Store rows of data in one or more columns
2. View – A select statement on top of a table or another view that creates a virtual table
3. Stored procedure/function – Procedural code that can be called to execute complex functionality within the database.
4. Trigger – Procedural code that is called when a table is modified.
5. Index – Mechanism to provide fast lookup of data.

Question 2: Key benefits of relational databases vs traditional file system?

One of the major benefits from a relational database vs a traditional file system is the ability to manipulate data and scalability. This is due to the fact that data is formatted into tables which allows the data to be reassembled and accessed without having to modify the entire database. Therefore, the structured query language (SQL) is used to pull information needed. Along with the ability to manipulate data much easier than a traditional file system, some other key benefits include reduction of data redundancy and increased data integrity. If I understand correctly, a traditional file system will need to organize data multiple times to get the results one is aiming for. Since the relational database utilizes a table, there are no multiple copies of the data. Likewise, one database that is controlled and monitored will have a much higher data integrity than multiple databases.

Question 3: List risks associated with database management systems (DBMS)

• Unauthorized users to the database
• Malware
• Unmanaged Sensitive Data
• Privilege Abuse
• Misconfiguration of database system

A list of database security threats can be found here:
https://www.imperva.com/docs/gated/WP_TopTen_Database_Threats.pdf

Good Laly. I think the key advantage of RDMS is simply that it provides a betters security overall. In fact, by splitting data into tables, certain tables can be made confidential. When a person logs on with their username and password, the system can then limit access only to those tables whose records they are authorised to view.

It’s good that you pointed out some disadvantages of the RDMS. Indeed, it is expensive to set up and maintain the database system. In order to set up a relational database, you generally need to purchase special software. If you are not a programmer, you can use any number of products to set up a relational database. It does take time to enter in all the information and set up the program.

I think the flexibility of an RDBMS presents a double-edged sword. By that I mean, experienced designers love it, but inexperienced designers can mess up the company’s data. For instance, an RDBMS does not force database designers to impose a coherent table structure; inexperienced programmers may design systems that create unnecessary complexity or limit the future development of the database through poorly chosen data types.

1. What are key characters of relational database management systems?

Some of the key characteristics of a RDMBS are as follows:
– Tables, rows, and Columns
– Primary and foreign keys
– Attributes to describe data
– Ability to create relationships between data with keys

2. Key benefits of relational databases vs traditional file system?

RDBMS’s prevent data redundancy, limit access by requiring logon credentials for authentication, prevent data losses by authorizing different levels of data manipulation to different users, offer portability of access from different locations, data is easier to manipulate to extrapolate information by users, and data is structured in a standard/uniform manner.

3. List risks associated with database management systems (DBMS)

Risks associated with DBMS’s are as follows:
– Improper privileges granted to users
– Single point of failure
– SQL Injection attacks
– Databases are a BIG target for hackers; especially with those storing PCI/PII type data
– Without proper checklists for auditors, DB’s could be missed in audits
– Default passwords for users that aren’t changed

What are key characters of relational database management systems?

“Database management systems (DBMS) maintain data records and their relationships, or indexes, in tables. Relationships can be created and maintained across and among the data and tables.”

One of the unique characteristics of a relational database is its primary key, which is a unique identifier assigned to every record in a table. An example of a good primary key is a registration number. It makes every record unique, facilitating the storage of data in multiple tables, and every table in a relational database must have a primary key field.

The primary key feature allows allow data to be linked over multiple tables which overcome the limitations of simple flat file databases that can only have one table.

Primary Key can join table in a one-to-one, one-to-many, many-to-many relationship

Relational databases enable users to delete, update, read and create data entries in the database tables. This is accomplished though structured query language, or SQL.

Source:
https://www.reference.com/technology/features-relational-database-4ae8a3b8d37ffafa#

Question 3: List risks associated with database management systems (DBMS)

– Excessive and Unused Privileges
– Malware
– Storage Media Exposure
– Database injection attacks
– Unmanaged sensitive data
– The human factor

To mitigate the risks associated with database management systems (DBMS), an organization can do the following:
– Managing user access rights and removing excessive privileges and dormant users
– Blocking malicious web requests
– Training employees on risk-mitigation techniques including how to recognize common cyberthreats such as a spear-phishing attack, best practices around Internet and e-mail usage, and password management.

More database vulnerabilities and solutions can be found in this website:
https://www.shrm.org/resourcesandtools/hr-topics/risk-management/pages/top-database-security-threats.aspx

1. What are key characters of relational database management systems?

The key characters of relational database management systems are:

• A relational database is a collection of data items organized as a set of formally described tables from which data can be accessed easily.
• It is created using the relational model
• The software used in a relational database is called a relational database management system (RDBMS)
• It has access and control functions.
• It has management and security features such as:
 Rules
 Triggers
 A stored procedure
 Security

• Relational structure allows dynamic reformatting of the tables that drive data access, so that they are more flexible and adaptable to changing needs
 In Relational Databases, Data is organized into tables, columns and rows.
 A table is equivalent to a file, as it represents a collection of records.
 A row is a horizontal set of data fields or components. A column is a vertical set of data fields or components

• Examples of relational databases include:
 DB2
 Informix
 Lotus Approach

Q 2. Key benefits of relational databases vs traditional file system?

• Data independence (e.g. n-tier application)
• Reduction of data redundancy (via Normalization)
• Maximize data consistency (primary key/ foreign key)
• Reducing maintenance cost through data sharing
• Security Feature
• Enforce Data integrity

Q 3. List risks associated with database management systems (DBMS)

Following are the risk associated with the database management systems(DBMS):

• Easily guessed passwords
• Missing Patches
• Misconfigurations
• Excessive Privileges
• Web application attacks (SQL-injection)
• Insider mistakes
• Weak or non-existent audit controls
• Social engineering

Key benefits of relational databases vs traditional file system?

One of the key benefits of relational databases is that it allows flexible access to data by creating different queries or tables whereas a file system only allows predetermined access to data.

Relational database system is designed to coordinate multiple users accessing the same data at the same time, which will enhance productivities and efficiencies. A file system only allows one user to access to the files.

RDBMS can reduce redundancy associated with data, increase data integrity and flexibility, restricts unauthorized access, provide better backup and recovery functions whereas a file system might not have all these functions.

Wouldn’t a DBMS be less likely than the rest of a business’s network components to be infected by malware? My understanding is that most DBMS’s are well behind a network’s firewalls and IDS/IPS components, and that would make them much less likely to get infected.

I thought it was really interesting reading the textbook portion on DBMS’s about how many are open source. I think that is both a positive and negative aspect. Having the systems open source allows everybody easy access to the code which helps find vulnerabilities quickly. Once vulnerabilities are found those who discovery them either make the choice to alert others and create a patch, or they say nothing and now potentially have a path in the system wherever it is being employed to access data they otherwise wouldn’t be authorized to.

Ian – Can you elaborate “supports missing data in an organized logical way”? Thx

some of the risks you mentioned here were reduced significantly due to the technology advance in recently years. e.g. hardware and software resource requirement. 10 years ago, cost for storage and memory were very high, management needed to consider the resource allocation when implementing RDMS, but it changed significantly due to the low cost of hardware in these days.

Can you follow up a few controls that can mitigate the risks identified above?

please research what “data independent” means…

Through what process, a RDMS can reduce/eliminate redundant data?

What types of relationship may exist among tables within a database?

Correct. RDMS provides better security than unstructured data. However, it also made itself a target for malicious users. DBMS is usually an important IT audit entity within the audit universe.

How about the “relationship” please?

Said, prepare to elaborate each of the benefit listed during our next class…:)

RDMS provides better security features…but controls need to be implemented to prevent unauthorized users’ access. Can you identify some security controls related to a database system and explain during the class? Thx

List risks associated with database management systems (DBMS)
Ans: The common risks associated with DBMS are:
1. Excessive privileges: If a person is given more privileges than is required, he/she may misuse the access. Or failure to remove access for an employee who leaves the project or organization.
2. Legitimate privilege abuse: Users may abuse their legitimate privileges for unauthorized purposes.
3. Database Injection attacks: An input injection attack can give an attacker unrestricted privileges.
4. Malware: Can steal sensitive data through legitimate user laptop/device.
5. Storage media exposure: Failure to protect back up or a regular check on who is accessing the data and what sort of data even by low level privileged users can be a risk if not monitored properly
6. Exploitation of vulnerable database: Proper patches have to be updated regularly. And it takes months to update the database. During this time, it is vulnerable to external attacks.
7. Unmanaged sensitive data: Forgotten databases can contain sensitive data which can be exposed to threat if the required controls and permissions are not implemented
8. The human factor: Human negligence or lack of knowledge on the best practices can impose a great risk
Source: https://www.shrm.org/resourcesandtools/hr-topics/risk-management/pages/top-database-security-threats.aspx

Pyria, challenge question: prepare to discuss types of database constraints during the class.

Paul – Think about what controls can be implemented to mitigate those risks…let’s discuss during the class.

Q1. What are key characters of relational database management systems?

-Table: is equivalent to a file, representing a collection of records. Rows and columns are horizontal and vertical sets of data fields.
-Trigger: activate a stored procedure when a table or field is inserted, updated, or deleted.
-Stored Procedure/Function: program written in language of DBMS and behave like any other program.
-View: manipulate the data to show users what they would like to see, without changing the data.

Q2. Key benefits of relational databases vs. traditional file system?

Key benefits of a relational database include the following:
-Data independence
-Reduced data redundancy
-Maximized data consistency
-Reduced maintenance costs (via data sharing)
-Increased security
-Enforced data integrity

Q3. List risks associated with database management systems.

Risks associated with database management systems include:
-Potential organizational conflict
-Target for hackers
-Required to be available at all times
-Misconfiguration

I agree that database management systems, while generally more secure than unstructured data, bring about a different set of risks. As you mentioned, DBMS are accessed from a variety of sources, which may not have the same security controls. This can potentially provide an easy entry-point for individuals who want to access to data and is a reason why security controls must constantly be monitored.

This is a great way to easily distinguish the differences between a traditional file system and RDBMS. This really highlights the benefits that can be gained from RDBMS, including data independence, increased accessibility, etc. Organizations should complete a similar comparison when attempting to decide the method of data storage that they want to implement.

Hi Yu Ming,

Good point that you brought up about training being an effective way to mitigate risks. My first thoughts seem to go to access controls and monitoring. However, simple training can teach employees the value of following policies and procedures as well as incorporate them as a vital part of information security. You can have the most sophisticated anti-virus/malware software, but if you can teach employees to avoid downloading malware then you are already one step ahead.

Hi Sean,

I think you bring up a good point that a major risk associated with DBMS, is that of being a big target for hackers. It seems like every other day a major company is being hacked, which I am sure not all compromises are reported. Since information is a valuable and easy to sell, databases are a huge target. It will be interesting to see how companies and IT professionals respond to the current environment of how frequent databases are being hacked.

Great post Binu!
You mentioned about SQL injection. In this attack the SQL query is exploited by entering an input that was not expected by the system. This input serves to the SQL query in such a way that it forms a different meaning of a query and gives us possibility to see data that we are not authorized for.

Similarly exploits are done to overflow the buffer. The input to a query/text box in form is given way beyond its capacity to hold characters. eg Name text box can hold say 30 characters but hacker will try to input 500 characters. The database and memory will not be able to handle that overflow and causes the program to crash.
The solution is to use secure coding practices. eg restricting number of characters that a input box can take.

Denial of service attacks are example attack where attacker inputs data in a database system beyond its capacity to handle so much that the program crashes. A distributed Dos is when multiple users flood data to the system.

I agree with you Said that databases are difficult to recover in case of failure.
Oracle has many database recovery techniques in place,
1. Control files – This is the file that software requires to access database. No one except Oracle can edit this file. The file contains time stamps, database logs, transaction logs. And we can refer to this file to recover data.
2. Back up – Database can be backed up on a regular basis. You can set in the system a periodic back up day and time, what part needs to be backed up and what should be the location of backup. This becomes human error free when controlled by the system.
3. Roll back statements – These statements can rollback to a point and retrieve the earlier data or perform operations to get the old data back.

Deepali, how database enforces integrity is interesting,
Domain integrity – Ensuring a domain gets selected range and type of values. eg If a phone number column must allow only numbers and special characters but not alphabets.
Triggers and Procedures They are the stored programs that run behind the system when a particular action is evoked. Eg. On delete of a entry the relative entries must be deleted. Say in a table of schools if entry for Fox school is deleted from Schools Master table, this entry must also be deleted from the Business Schools table.
Business Integrity – By running stored programs without knowledge of users checks can be performed to apply business rules.
Referential integrity – The use of primary keys to define unique records and foreign keys to establish relations enforces integrity.

1) What are key characters of relational database management systems?

A relational data base management system is a program that lets you create, update and administer a relational database. Compared to a manual database this is more flexible, compact and faster. It reduces the probability of inconsistent data.
– Data is displayed in tables, columns and rows
– It must support at least one language
– It must support insert, update and delete operations on sets
– Indexes are used to speed up data retrieval.
– Primary keys, foreign keys, and unique keys are called constraints and are created to enforce data integrity.
– Triggers are created to satisfy the business rules.
– Roles and privileges are used for security.

2) Key benefits of relational databases vs traditional file system?
Key benefits of relation databases vs traditional file system are that you can:
– search for multiple different data sets at once (or across different data sets)
– relational databases are computer based and much faster in terms of pulling information
– you can update many records very quickly
– many users can access the database
– you can restrict which users see which information or what actions they can perform in a database

3) List risks associated with database management systems (DBMS)
– Performance issues are difficult to predict
– Data integrity is difficult to ensure with shared databases
– Mainly privilege abuse
– Poor audit trail
– Failed or incomplete backups
– Weak authentication
– Not requiring passwords for databases or weak passwords
– Weak systems configurations

Nice responses Annamarie, in additional I feel like privilege abuse among employees is also another risk. If you do not have proper controls and security settings in place employees who may not require access to the data will be able to access it and use it in an unprofessional manner.

Q2: Key benefits of relational databases vs traditional file system?

– Relational databases system uses both the physical and the logical access to the data. On the other hand, a traditional file system only deals with the physical access.
– Relational databases system allows flexible access to data and multiple user access to the same data, whereas a traditional system is created to let predetermined access to data.
– Relational database controls redundancy, restrict the unauthorized access, provide back-up for recovery; but not in a traditional file system.

This is a great comparison. Certain organizations may be able to organize their data in a filing system, it just depends on the policies they have in place.The biggest difference I feel like in your points is establishing relationships between data. I feel like this point is key when discussing relational databases as the retrieval of related data can be very very helpful.

Very nice points, especially in mentioning that data must be available at all times .. this poses a risk when placing measures in place to ensure that the system is secure.

Hi Priya,

I think you brought up a really good real-life point that frequent updates can sometimes affect data’s discrepancies. This also happened to the companies I currently worked for. When I accessed to the database, I was often recommended to update the database management system, but the update might cause data discrepancies. There is a policy to restrict employees from updating the system.

Great post Annamarie, database system can easily become an attractive target for hackers because it stored a lot of business data including business competencies and client’s privacy and credit card information so we need proper controls and security to mitigate DBMS risks.

Mitigating controls for a DBMS could be:
– Managing user access rights and removing excessive privileges and dormant users
– Blocking malicious web requests

Hi Daniel,

You brought up a very interesting point that redundant data wastes space. That would be an important issue if it was 10 years ago where storage space was ridiculously expensive. Today, storage space is already affordable and nobody cares about running out of space, accept for their phone because of availability of database space. I believe when the data is redundant, it takes so much time for the computer users to manage and maintain the database in terms of data integrity.

Normalization method is a great way to reduce data redundancy, it can also result in greater overall database organization, consistency, flexibility of data, and better handle on database security.

What are key characters of relational database management systems?

Relational Database Management System organizes data into related rows and columns.

Features:

– It stores data in tables.
– Tables have rows and column.
– These tables are created using SQL.
– And data from these tables are also retrieved using SQL.

Key benefits of relational databases vs traditional file system?

A “relational database” is a database structured on the “relational” model. Data are stored and presented in a tabular format, organized in rows and columns with one record per row.

The traditional filing system (TFS) is a method of storing and arranging computer files and the information in the file (data). Basically it organizes these files into a database for the storage, organization, manipulation, and retrieval by the computer’s operating system.

• Flexibility: Because programs and data are independent, programs do not have to be modified when types of unrelated data are added to or deleted from the database, or when physical storage changes.
• Fast response to information requests: Because data is integrated into a single database, complex requests can be handled much more rapidly than locating data separately. In many businesses, faster response means better customer service.
• Multiple access: Database software allows data to be accessed in a variety of ways (through various key fields), by using several programming languages (both3GL and nonprocedural4GL programs).
• Lower user training costs: Users often find it easier to learn such systems and training costs may be reduced. Also, the total time taken to process requests may be less, which would increase user productivity.
• Less storage: Theoretically, all occurrences of data items need be stored only once, thereby eliminating the storage of redundant data. System developers and database designers often use data normalization to minimize data redundancy.

Q: List risks associated with database management systems (DBMS)?

-Easily guessed passwords
-Potential organizational conflict
-Target for hackers
-Required to be available at all times
–Failed or incomplete backups

What are key characters of relational database management systems?

RDBMS is a type of a system that organizes the data in related rows and columns.

> Users can query the data and receive widest range of output.
> The input, storage, alteration and deletion of data is done through SQL.
> Primary key (unique ID) is used to identify data in rows.
> “Data must be stored and presented as relations, i.e., tables that have relationships with each other, e.g., primary/foreign keys.”

Source: https://www.techopedia.com/definition/1235/relational-database-management-system-rdbms

Key benefits of relational databases vs traditional file system?

The traditional database is designed around a single table containing the data and it fails to support “big data,” like data gathered from various enterprise applications.

RDBMS incorporates multiple tables with methods for the tables to work together. If you need to store and manipulate data and allow multiple employees to have access to it simultaneously, then RDBMS is an excellent way to go about it. Other benefits include:

> mature development and administration tools
> best data modelling practices and physical database implementation
> support transactions

Source: http://www.tomsitpro.com/articles/rdbms-sql-cassandra-dba-developer,2-547.html

Question:　What are key characters of relational database management systems?

– Tables: each table includes one or more data categories in columns.
– Row: each row includes a unique instance of data for the categories defined by the columns.
– View: a user of the database could obtain a view of the database that fitted the user’s needs.
– Rules: rules define format and range of data that can be stored.
– Triggers: triggers can activate a DBMS stored procedure when a field, record or table is inserted, updated or deleted.

Source:
Week 3 slides deck
http://searchsqlserver.techtarget.com/definition/relational-database