, “Using the Security Rating Scale” from Ch. 12, “Assessing System Security,” of Network Defense and Countermeasures: Principles and Practices.
Using the “Security Rating Scale”, outlined at the beginning of this chapter, rate the security of your campus, home, or work computer systems and network.
Provide clear reasons for each of your ratings on the scale, as well as recommendations for ways to improve the system’s security.
Ensure that your document is 2-3 pages and includes charts.
The security rating scale is reproduced below. Feel free to use fictional scenarios for the campus, home, or work computer systems and networks you rate.
Evaluating the Security Risk

In Chapter 1, “Introduction to Network Security,” we provided a method for assigning a numeric value to your system’s security risk based on several factors. In this section we will expand upon that system. Recall that we evaluated three aspects of your system:

- Attractiveness to attackers
- Nature of information
- Level of security

The system being evaluated was given a numeric designation between 1 and 10 for each of these factors. The first two are added together, and then the third number (level of security) is subtracted. The lower the number, the more secure your system; the higher the number, the greater your risk.

The best rating is for a system that:

- Receives a 1 in attractiveness to hackers (i.e., a system that is virtually unknown, has no political or ideological significance, etc.)
- Receives a 1 in informational content (i.e., a system that has no confidential or sensitive data on it)
- Receives a 10 in security (i.e., a system with an extensive layered, proactive security system complete with firewalls, ports blocked, antivirus software, IDS, anti-spyware, appropriate policies, all workstations and servers hardened, etc.)

This hypothetical system would get a score of 1 + 1 – 10, or –8. That is the lowest threat score possible.

Conversely, the worst rating is for a system that:

- Receives a 10 in attractiveness (i.e., a well-known system that has a very controversial ideological or political significance)
- Receives a 10 in informational content (i.e., a system that contains highly sensitive financial records or classified military data)
- Receives a 1 in security (no firewall, no antivirus, no system hardening, etc.)

This system would get 10 + 10 – 1, or 19. Such a hypothetical system is, in effect, a disaster waiting to happen. As a systems administrator, you are unlikely to encounter either extreme.

Evaluating system attractiveness to hackers is certainly quite subjective. However, evaluating the value of informational content or the level of security can be done with simple metrics. To evaluate the value of the informational content on your systems, you have to consider the impact of such data being made public. What would be the worst-case scenario of that data being made public? Table 12-1 divides data into categories, based on worst-case impact, and gives examples of types of data that fit that specification.
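As an added worked example (not from the textbook or the assignment), here is the scoring rule above as a small Python calculator: it enforces the 1–10 range on each factor, reproduces the –8 and 19 extremes, ranks several systems from highest to lowest risk, and prints a text bar chart of the kind the assignment asks for. Only the formula and the 1–10 ranges come from the text; the function names, the range validation, and the three fictional sample systems are assumptions made for this example.

```python
"""Threat-score calculator for the Security Rating Scale described above.

Added example, not code from the textbook. The scale itself (three factors
rated 1-10, score = attractiveness + information - security) is the book's;
the function names, validation and the sample systems are assumptions.
"""
from dataclasses import dataclass

MIN_RATING, MAX_RATING = 1, 10


@dataclass(frozen=True)
class Assessment:
    name: str
    attractiveness: int  # 1 = virtually unknown ... 10 = high-profile or controversial
    information: int     # 1 = nothing sensitive ... 10 = classified / financial records
    security: int        # 1 = no controls at all ... 10 = layered, hardened, monitored
    reasons: str = ""    # the justification the assignment asks you to provide


def _check(value: int, label: str) -> int:
    """Reject anything outside the book's 1-10 range so a typo cannot skew the score."""
    if not isinstance(value, int) or not MIN_RATING <= value <= MAX_RATING:
        raise ValueError(
            f"{label} must be an integer from {MIN_RATING} to {MAX_RATING}, got {value!r}"
        )
    return value


def threat_score(attractiveness: int, information: int, security: int) -> int:
    """Book formula: add the two exposure factors, then subtract the security level."""
    return (_check(attractiveness, "attractiveness")
            + _check(information, "information")
            - _check(security, "security"))


LOWEST = threat_score(1, 1, 10)    # best possible system: -8
HIGHEST = threat_score(10, 10, 1)  # worst possible system: 19


def rank(assessments):
    """Return (name, score) pairs, highest risk first."""
    scored = [(a.name, threat_score(a.attractiveness, a.information, a.security))
              for a in assessments]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def bar_chart(ranked, width=27) -> str:
    """ASCII chart: one row per system, bar length = position on the -8..19 range."""
    span = HIGHEST - LOWEST  # 27 possible integer scores
    rows = []
    for name, score in ranked:
        filled = round((score - LOWEST) * width / span)
        rows.append(f"{name:<26}{score:>4}  |{'#' * filled}{'.' * (width - filled)}|")
    return "\n".join(rows)


# Constructed fictional scenarios (the assignment permits fictional systems).
SAMPLE = [
    Assessment("Home NAS", 2, 6, 4,
               "family photos and tax PDFs; default credentials, never updated"),
    Assessment("Campus student-records DB", 7, 9, 7,
               "FERPA-covered data; patched and firewalled, but no IDS"),
    Assessment("Work dev laptop", 4, 5, 8,
               "source code; full-disk encryption, EDR, MFA, regular patching"),
]

if __name__ == "__main__":
    print(bar_chart(rank(SAMPLE)))
```

Use the `reasons` field to carry the justification for each rating, and put the three raw factors next to the score in your write-up: two systems can land on the same total for very different reasons (high attractiveness with strong controls versus an obscure box with none), and the recommendations you make should target whichever factor is driving the number.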