CCSP SelfStudy CCSP CSI: Exam Certification Guide, Second Edition [Electronic resources] نسخه متنی

Foundation Topics

The Need for Network Security

With the recent unparalleled growth of the Internet has come a greater degree of exposure to personal information, government secrets, and confidential data as well as corporate information assets. Network systems are at a greater degree of exposure to attack than ever before. Attackers are posing an increasing threat to the capabilities of businesses to function efficiently and securely. Attackers are no longer only individuals external to the network who are solely interested in gaining access to the network to either deface a web page or disrupt operations. Increasingly, attackers are individuals within the network.

There are many reasons for the increasing threat to networks. One reason is the ubiquity of the Internet. As more and more companies and households go on line, the number of vulnerable systems available to an attacker grows at an incredible pace. Furthermore, this same ubiquity of the Internet facilitates the exchange of knowledge and experience on a global scale. In the past, networks were designed to provide connectivity only to known parties, such as business partners and authorized clients, and the closed network was not necessarily connected to the public Internet. This is no longer the case. Today's open networks require connectivity to the Internet for e-commerce and telecommuting needs.

Additionally, more and more companies are realizing the benefits of conducting business across the Internet. Whether these benefits are through an e-commerce website or in applications such as e-learning and customer service, the need for security on increasingly open networks has become a fundamental aspect of business in today's economy.

Another reason for the increasing threat to networks is the pervasiveness of easy-to-use operating systems and development environments. More and more sites containing information and, in some cases, malicious code are readily available to would-be attackers. This has significantly reduced the required level of knowledge and experience to successfully attack a network.

New regulations are coming into effect in the United States with such legislation as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and the Sarbanes-Oxley Public Company Accounting Reform and Investor Protection Act. HIPAA, enacted in 1996, was brought about as an effort at healthcare reform during the Clinton administration. This law requires the Department of Health and Human Services (HHS) to develop standards and guidelines that will provide for the standardization of the electronic data interchange of specified administrative and financial transactions. Additionally, HHS also must develop standards and guidelines to protect the security and confidentiality of patient health information.

GLBA, enacted in 1999, specifies requirements that are similar to HIPAA but applicable to financial institutions with regard to customer information. Finally, the Sarbanes-Oxley Act of 2002 specifies that corporate officers and corporate boards can be held accountable for the security of their systems and their networks. The security of the corporate network ties directly into the protection of investments covered by this new law.