What are the most important IT security issues facing companies today? Have these changed in the last five years, and will they continue to change? How should companies prepare themselves for security threats and problems in the future?

What will be an ideal response?

Chapter 12 provides an extensive discussion of current and future security risks in Sections 12.6 (System Security Overview) and 12.7 (Security Levels). Some of the most important security issues facing companies today are related to topics already discussed, such as the BYOD movement, cloud computing, and pervasive malware. Increased social engineering (e.g., phishing attacks), ransomware, and cyber-espionage are examples of new security concerns (among many). To prepare for this dangerous future, companies should strive to ensure all their employees have a basic level of computing literacy, and a working knowledge of common security threats. In addition, security monitoring and threat remediation will have to become commonplace across the enterprise.
Instructors can refer to the list of issues in Question 9. In addition, the following is a checklist that a company might use to assess security and prepare for future security threats and problems:

Physical Security
• Survey the security of the computer room at various times and days of the week, and attempt to enter the computer room security perimeter.
• Assure that each entrance is equipped with a suitable security device.
• Determine whether all access doors have internal hinges and electromagnetic locks equipped with a battery backup system.
• Test biometric security devices, if any.
• Test video cameras and motion sensors, if any.
• Check each server and desktop computer case to determine whether it has a locking device.
• Try to identify any server or computer case that would permit the installation of a keystroke logging device.
• Determine whether tamper-evident cases are, or could be, used.
• Find out whether monitor screensavers are being used on any server or workstation that is left unattended. See if BIOS-level passwords, boot-level passwords, or power-on passwords are in use.
• Examine notebook computers to assure that each has been marked or engraved with the company name and address, or a tamper-proof asset ID tag.
• Determine whether notebook computers have a Universal Security Slot (USS) that can be fastened to a cable lock or laptop alarm.

Network Security
• Obtain samples of network traffic to determine whether it is encrypted, with special attention to wireless networks, if any.
• If encryption is being used, determine whether it involves public key encryption (PKE).
• Determine whether private networks that involve a dedicated connection are, or could be, used.
• Determine whether virtual private networks are, or could be, used.
• Conduct a port scan to learn the existence of any service or application that monitors, or listens on a particular port.
• Assure that system firewalls are installed and operating properly, and that suitable traffic control protocols are in place.

Application Security
• List each server-based application, determine the functions and services that it provides, and disable all unnecessary applications and services.
• Review the configuration for each application to identify any potential security holes.
• Assure that each application has input validation features to reduce potential security problems. Learn how application patches and updates are handled and documented, and determine whether automatic update services, if any, pose security risks.

File Security
• Document all file permissions to assure that appropriate access is available to authorized users, and blocked to all others.
• Determine whether managing file security through user groups would reduce vulnerability and risk.

User Security
• Review the entire subject of identity management to determine whether controls and procedures are in place to identify legitimate users and system components.
• Analyze password protection policies and procedures to assure that passwords are case-sensitive, have a minimum length, and a limited duration.
• Determine whether the firm could employ new technology similar to the AOL Passcode feature to reduce the chances of unauthorized access to the system.
• Determine whether search engines or other applications are creating security risks by allowing subsequent users to retrieve previously entered data or passwords.
• Test the firm’s defenses to a social engineering attack by requesting access to data or password information.
• Survey and observe users to assure that they are complying with all applicable security policies and procedures.

Procedural Security
• Establish clear managerial policies and controls.
• Build a corporate culture that stresses security.
• Define how particular tasks are to be performed.
• Stress employee responsibility for security.
• Guard against dumpster diving.
• Use paper shredders and instruct employees as to when, why, and how they are used.
• Develop a system of classification levels and communicate it effectively.