CompTIA Security+ Deluxe Study Guide: SY0-201 - Emmett Dulaney [30]

you need to address when designing a security topology. The failure to consider any one of these aspects can cause the entire design to be flawed and ineffective.

Real World Scenario

Creating a Corporate Connection to a Business Partner

Your company has just signed an agreement with a large wholesaler to sell your products. The wholesaler has an extensive network that utilizes a great deal of technology, which will benefit you and improve your profitability. You must design a network security topology that will allow you both access to some of each other’s systems and information while protecting the confidentiality of your own critical records and information. How might you accomplish this?

A good implementation would connect your network to theirs using a VPN across the Internet. You could use a secure tunneling protocol to ensure that unauthorized parties wouldn’t be able to sniff or access information streams between the companies. This approach would create an extranet environment for you and your new business partner.

The challenge lies in creating secure areas in your network that the wholesaler can’t access. You can accomplish this by establishing VLANs in your internal network that aren’t visible to the extranet. VLANs and network segmentation can be implemented using routers, firewalls, and switches.
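As an added illustration (not from the study guide), the following Python script checks a firewall rule set against the intended segmentation from the scenario: the partner's VPN tunnel range should reach only the extranet VLAN, never the internal ones. Every VLAN name, subnet, and rule is constructed for the example; the weak rule set and the hardened one are shown side by side, and rules are evaluated first-match with an implicit default deny, the way router and firewall ACLs normally behave.

```python
"""Check a firewall rule set against an intended extranet/VLAN segmentation.

Added example, not from the study guide: every VLAN, subnet and rule below is
constructed. Rules are evaluated first-match with an implicit default deny,
which is how most router/firewall ACLs behave.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str  # "allow" or "deny"
    src: str     # source network, CIDR
    dst: str     # destination network, CIDR


# Constructed topology: partner traffic arrives through the VPN with tunnel
# addresses in PARTNER_VPN; only the extranet VLAN is meant to be visible.
VLANS = {
    "extranet": ipaddress.ip_network("10.10.0.0/24"),     # shared systems
    "finance": ipaddress.ip_network("10.20.0.0/24"),      # critical records
    "engineering": ipaddress.ip_network("10.30.0.0/24"),
}
PARTNER_VPN = ipaddress.ip_network("10.200.0.0/24")
INTENDED_REACHABLE = {"extranet"}

# Weak rule set: the trailing "any internal to any internal" allow also
# matches the partner range, so the private VLANs leak into the extranet.
WEAK_RULES = [
    Rule("allow", "10.200.0.0/24", "10.10.0.0/24"),
    Rule("allow", "10.0.0.0/8", "10.0.0.0/8"),
]

# Hardened rule set: an explicit deny for the partner range sits before the
# broad internal allow, so first-match semantics stop the leak.
HARDENED_RULES = [
    Rule("allow", "10.200.0.0/24", "10.10.0.0/24"),
    Rule("deny", "10.200.0.0/24", "10.0.0.0/8"),
    Rule("allow", "10.0.0.0/8", "10.0.0.0/8"),
]


def first_match(rules, src_net, dst_net):
    """Action of the first rule whose src/dst fully cover the pair, else deny.

    Simplification: a rule matches only if it covers the whole source and
    destination networks; partial overlaps are treated as no match.
    """
    for rule in rules:
        if (src_net.subnet_of(ipaddress.ip_network(rule.src))
                and dst_net.subnet_of(ipaddress.ip_network(rule.dst))):
            return rule.action
    return "deny"


def reachable_vlans(rules, source=PARTNER_VPN, vlans=VLANS):
    """Names of the VLANs the source network is allowed to reach."""
    return {name for name, net in vlans.items()
            if first_match(rules, source, net) == "allow"}


def segmentation_violations(rules, intended=INTENDED_REACHABLE):
    """VLANs the partner can reach but the design says it should not."""
    return reachable_vlans(rules) - intended


if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(f"{label}: partner reaches {sorted(reachable_vlans(rules))}, "
              f"violations {sorted(segmentation_violations(rules))}")
```

The point of the check is rule order: the same broad "internal to internal" allow is present in both sets, but only the hardened set puts a specific deny for the partner range ahead of it. Running the audit after every rule change is a cheap way to confirm that the VLANs meant to stay invisible to the extranet still are.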

Identifying Assets

Every business or organization has valuable assets and resources. These assets must be accounted for, both physically and functionally. Asset identification is the process in which a company attempts to place a value on the information and systems it has in place. In some cases, the process may be as simple as counting systems and software licenses. These types of physical asset evaluations are part of the normal accounting procedures a business must perform routinely.

The more difficult part of an asset-identification process is attempting to assign values to information. In some cases, you may only be able to determine what would happen if the information were to become unavailable or lost. If absence of this information would effectively shut down the business, the information is priceless. If you have this type of information, determining which methods and approaches you should take to safeguard it becomes easier.

You wouldn’t necessarily assign the same value to the formula for Coca-Cola that you’d assign to your mother’s chicken and rice recipe. The Coke formula would be worth a fortune to a person who stole it; they could sell it to competitors and retire. Your mother’s recipe would make a nice dinner, but it wouldn’t be valuable from a financial perspective.

Real World Scenario

Assign a Value to Data Assets

Think of yourself as a collection of data elements. Some of the data about you, such as your last name, isn’t of great value since it’s known by almost everyone you come into contact with. Other data, such as your Social Security number, should be closely guarded and is worth more than your name because you stand to lose more if it falls into the wrong hands. See if you can assign a value to each of these items and rank which is worth the most according to what would be most harmful in the hands of a miscreant:

1. Full name

2. Birth date

3. Telephone number

4. Passport number

If this data were spread across a number of databases on a computer system, you would naturally want to assign higher value to the databases containing the most sensitive data and then take more drastic steps to protect them than you would for those containing generic information.

Assessing Risk

There are several ways to perform a risk assessment or risk analysis. They range from highly scientific formula-based methods to a conversation with the owner. In general, you should attempt to identify the costs of replacing stolen data or systems, the costs of downtime, and virtually any risk factor you can imagine.

You can move to risk assessment only after completing the asset identification. After you know that databases containing information
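The following Python script is an added example, not from the study guide, that carries the "Assign a Value to Data Assets" exercise and the risk-assessment paragraph above through in code. It scores a set of data stores by the sensitivity of the elements they hold (the asset-identification view) and by the expected yearly cost of losing them (the risk-assessment view). The sensitivity weights, stores, cost figures and likelihoods are all constructed; the expected-loss figure uses the standard quantitative formula (single loss expectancy multiplied by annual rate of occurrence), which the chapter refers to only as a "formula-based method".

```python
"""Rank data stores by asset value and expected loss for risk assessment.

Added example, not from the study guide. The sensitivity weights, stores, cost
figures and likelihoods are all constructed. Expected annual loss uses the
standard quantitative formula (single loss expectancy x annual rate of
occurrence), which the chapter refers to only as a "formula-based method".
"""
from dataclasses import dataclass

# Constructed weights for the four data elements in the exercise: the harm
# done if each one reaches a miscreant, on an arbitrary 1..10 scale.
SENSITIVITY = {
    "full_name": 1,
    "telephone_number": 2,
    "birth_date": 3,
    "passport_number": 10,
}


@dataclass
class DataStore:
    name: str
    fields: list                      # data elements held in this store
    replacement_cost: float           # rebuilding the system and restoring data
    downtime_cost_per_hour: float     # lost business while it is unavailable
    expected_outage_hours: float      # how long a loss event keeps it down
    annual_rate_of_occurrence: float  # expected loss events per year

    def sensitivity_score(self):
        """Information value: most sensitive element plus a bonus per extra element."""
        if not self.fields:
            return 0.0
        return max(SENSITIVITY[f] for f in self.fields) + 0.5 * (len(self.fields) - 1)

    def single_loss_expectancy(self):
        """Cost of one loss event: replacement plus downtime."""
        return self.replacement_cost + self.downtime_cost_per_hour * self.expected_outage_hours

    def annualized_loss_expectancy(self):
        """Expected loss per year: SLE x ARO."""
        return self.single_loss_expectancy() * self.annual_rate_of_occurrence


def rank_by_sensitivity(stores):
    """Asset-identification view: which stores hold the most sensitive data."""
    return [s.name for s in sorted(stores, key=DataStore.sensitivity_score, reverse=True)]


def rank_by_expected_loss(stores):
    """Risk-assessment view: where the expected yearly cost is highest."""
    return [s.name for s in sorted(stores, key=DataStore.annualized_loss_expectancy,
                                   reverse=True)]


# Constructed sample inventory.
SAMPLE_STORES = [
    DataStore("marketing_contacts", ["full_name", "telephone_number"], 5_000, 100, 4, 0.5),
    DataStore("hr_records", ["full_name", "birth_date", "passport_number"], 40_000, 500, 24, 0.1),
    DataStore("order_system", ["full_name", "telephone_number"], 20_000, 2_000, 8, 0.25),
]

if __name__ == "__main__":
    print("by sensitivity:  ", rank_by_sensitivity(SAMPLE_STORES))
    print("by expected loss:", rank_by_expected_loss(SAMPLE_STORES))
    for s in SAMPLE_STORES:
        print(f"{s.name:20} SLE={s.single_loss_expectancy():>9,.0f} "
              f"ALE={s.annualized_loss_expectancy():>8,.0f}")
```

On the constructed inventory the two rankings disagree: the HR store tops the sensitivity list because it holds passport numbers, while the order system tops the expected-loss list because its downtime cost dominates. That disagreement is why the chapter insists on finishing asset identification before assessing risk; each view catches something the other misses, and the protection budget should follow both.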

