Handbook of Information Security Management:Communications Security



Protection Needed

The type and relative importance of protection needed for the LAN/WAN must be considered when assessing risk. LAN and WAN systems and their applications need protection in the form of administrative, physical, and technical safeguards for reasons of confidentiality, integrity, and availability.

Confidentiality

The system contains information that requires protection from unauthorized disclosure. Examples of confidentiality include the need for timed dissemination (e.g., the annual budget process), personal data covered by privacy laws, and proprietary business information.

Integrity

The system contains information that must be protected from unauthorized, unanticipated, or unintentional modification, including the detection of such activities. Examples include systems critical to safety or life support and financial transaction systems.

Availability

The system contains information or provides services that must be available on a timely basis to meet mission requirements or to avoid substantial losses. One way to estimate criticality of a system is in terms of downtime. If a system can be down for an extended period at any given time, without adverse impact, it is likely that it is not within the scope of the availability criteria.

For each of the three categories of confidentiality, integrity, and availability, it is necessary to determine the relative protection requirement. These may be defined as:

  High — a critical concern of the organization;
  Medium — an important concern, but not necessarily paramount in the organization’s priorities; or
  Low — some minimal level of security is required, but not to the same degree as the previous two categories.

Asset Values

A valuation process is needed to establish the risk or potential for loss in terms of dollars. The greater the value of the assets, the greater the potential loss, and therefore, the greater the need for security. Asset values are useful indicators for evaluating appropriate safeguards for cost effectiveness, but they do not reflect the total tangible and intangible value of information systems. The cost of recreating the data or information could be more than the hardware costs. The violation of confidentiality, the unauthorized modification of important data, or the denial of services at a crucial time could result in substantial costs that are not measurable in monetary terms alone. For example, the accidental or intentional release of premature or partial information relating to investigations, budgets, or contracts could be highly embarrassing to company officials and cause loss of public confidence in the corporation.

Asset valuation should include all computing-associated tangible assets, including LAN/WAN computer hardware, special equipment, and furnishings. Software, data, and documentation are generally excluded since backup copies should be available.

The starting point for asset valuation is the LAN/WAN inventory. A composite summary of inventory items, acquisition value, current depreciated value, and replacement value is one way to provide a reasonable basis for estimating cost effectiveness for safeguards. It should be noted that if a catastrophic loss were to occur, it is unlikely that any organization would replace all hardware components with exact model equivalents. Instead, newer substitute items currently available would probably be chosen, due to the rapid pace of technological improvements.
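The composite inventory summary described above, combined with the High/Medium/Low protection ratings from the confidentiality, integrity, and availability section, as an added worked example (not from the handbook). It assumes straight-line depreciation and a constructed four-item LAN/WAN inventory; the handbook prescribes neither.

```python
from dataclasses import dataclass

# Relative protection requirement levels from the handbook, ordered for comparison.
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Asset:
    name: str
    acquisition_value: float   # original purchase cost
    age_years: float
    useful_life_years: float
    replacement_value: float   # cost of a current substitute, not an exact model match
    confidentiality: str       # "low" | "medium" | "high"
    integrity: str
    availability: str

    def depreciated_value(self) -> float:
        # Straight-line depreciation, floored at zero (an assumption of this example).
        remaining = max(0.0, 1.0 - self.age_years / self.useful_life_years)
        return round(self.acquisition_value * remaining, 2)

    def protection_requirement(self) -> str:
        # The highest of the three C/I/A ratings drives the asset's overall requirement.
        ratings = (self.confidentiality, self.integrity, self.availability)
        return max(ratings, key=lambda lvl: LEVELS[lvl])


def composite_summary(assets):
    """Return (value totals, asset names grouped by protection requirement)."""
    totals = {"acquisition": 0.0, "depreciated": 0.0, "replacement": 0.0}
    by_requirement = {"high": [], "medium": [], "low": []}
    for a in assets:
        totals["acquisition"] += a.acquisition_value
        totals["depreciated"] += a.depreciated_value()
        totals["replacement"] += a.replacement_value
        by_requirement[a.protection_requirement()].append(a.name)
    totals = {k: round(v, 2) for k, v in totals.items()}
    return totals, by_requirement


# Constructed sample inventory (values are illustrative only).
INVENTORY = [
    Asset("file server", 12000, 2, 5, 9000, "medium", "high", "high"),
    Asset("backbone router", 8000, 4, 5, 5000, "low", "medium", "high"),
    Asset("finance workstation", 3000, 1, 4, 2500, "high", "high", "medium"),
    Asset("print server", 1500, 6, 5, 1200, "low", "low", "low"),
]

if __name__ == "__main__":
    totals, groups = composite_summary(INVENTORY)
    print(totals)
    print(groups)
```

The gap between the depreciated total and the replacement total is the figure to weigh against safeguard cost, since a catastrophic loss would be replaced with current substitutes rather than at book value.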

THREATS TO LAN/WAN SECURITY

A threat is an identifiable risk that has some probability of occurring. Threats are grouped in three broad areas: people threats, virus threats, and physical threats. LANs and WANs are particularly susceptible to people and virus-related threats because of the large number of people who have access rights.

People Threats

The greatest threat posed to LANs and WANs is people — and this threat is primarily from insiders. These are employees who make errors and omissions and employees who are disgruntled or dishonest. People threats are costly. Employee errors, accidents, and omissions cause some 50 to 60% of the annual dollar losses. Disgruntled employees and dishonest employees add another 20%. These insider threats are estimated to account for over 75% of the annual dollar loss experienced by organizations each year. Outsider threats such as hackers and viruses add another 5%. Physical threats, mainly fire and water damage, add another 20%. It should be noted that these figures were published in 1988, and since that time there has been a dramatic increase in virus incidents, which may significantly enlarge the dollar loss from outsider threats, particularly in the LAN/WAN environment. Some people threats include the following.

System administration error

This area includes all human errors occurring in the setup, administration, and operation of LAN systems, ranging from the failure to properly enable access controls and other security features to the lack of adequate backups. The possible consequences include loss of data confidentiality, integrity, and system availability, as well as possible embarrassment to the company or the individual.

PC operator error

This includes all human errors occurring in the operation of PC/LAN systems, including improper use of log-on/passwords, inadvertent deletion of files, and inadequate backups. Possible consequences include data privacy violations and loss of capabilities, such as the accidental erasure of critical programs or data.

Software/programming error

These errors include all the “bugs,” incompatibility issues, and related problems that occur in developing, installing, and maintaining software on a LAN. Possible consequences include degradation, interruption, or loss of LAN capabilities.





The CISSP Open Study Guide Web Site

We are proud to bring to all of our members a legal copy of this outstanding book. Of course this version is getting a bit old and may not contain all of the info that the latest version is covering; however, it is one of the best tools you have to review the basics of security. Investing in the latest version would help you out in your studies and also show your appreciation to Auerbach for letting me use their book on the site.