Information Systems Security, 16:47–53, 2007
Copyright © Taylor & Francis Group, LLC
ISSN: 1065-898X print/1934-869X online
DOI: 10.1080/10658980601051490
Designing Networks that Enforce
Information Security Policies
Alex Malin, CISSP
Los Alamos National Laboratory,
Los Alamos, NM, USA
One boy is eating peanut butter off a spoon. Another boy is munching on a
bar of chocolate. One of them trips and slips. “Hey, you put peanut butter in
my chocolate.” “Well you put chocolate in my peanut butter.” They’re both
angry until they taste the combination. Both boys smile as they eat.
Americans of a certain TV generation will remember the commercial
for a candy bar that combines chocolate with peanut butter. The notion
that a child who doesn’t like chocolate will touch peanut butter, or vice
versa, is universal. In the world of networking there has been a similar
phenomenon.
Once upon a time and not long ago, network infrastructure managers
generally were adamant that network devices should not do security. Routers should route and switches should switch. Routers shouldn’t be firewalls
and shouldn’t mirror traffic for intrusion detection. Switches shouldn’t VLAN
or generate flow records. While there have always been exceptions and
grey areas, there were many who believed that chocolate and peanut butter
should never touch.
Convergence of Network Infrastructure
and Network Security Devices
Address correspondence to
Alex Malin, CISSP.
E-mail: amalin@lanl.gov
When vendors first shipped network infrastructure gear that was loaded
with security features, customers were understandably skeptical. There were
performance issues: memory and CPU were costly and precious. For many,
the added complexity of configuring and maintaining security features wasn’t
worth the cost. Resistance was also philosophical and sometimes territorial.
While the debate between lovers of chocolate and lovers of peanut butter
may be eternal, there is no question that attitudes in the network operations center are changing. After witnessing mobile malicious code bringing
a network to its knees, network managers understand in a tangible way that
they have a stake in making security work. Information security managers
are increasingly being heard when they articulate the ethos that security is
a business enabler.
Meanwhile, the integration of security features into network infrastructure devices has matured considerably. Network switches and routers subdivide networks and may be configured to restrict traffic between zones
to enforce security policies. They create and enforce VLANs and provide
stateful firewalls for single ports or groups of ports.
Network infrastructure devices prioritize traffic to
meet availability requirements for critical systems
and enhance the security of services such as VOIP.
They sniff traffic and may be configured to generate
flow records used to identify indicators of malicious
activity and to characterize traffic for network forensics investigations. Network devices may participate
in complex identity management schemas, detecting
when users or systems connect to the network and
then segregating or quarantining systems or users to
strictly enforce security policy criteria.
Vendors are more reliably delivering security features at an acceptable cost. Network infrastructure
devices will be increasingly capable of enforcing
information security policies and demonstrating
compliance. A new generation of network engineers is better equipped to configure and maintain
a complex system of security in myriad networking
devices. New software simplifies the task of configuration management. When business managers ask
network and information security managers the relatively simple question–can you prevent a worm from
infecting us again—the answer is probably still a bit
too complex and may depend on technology that is
still some years from full maturity. But the answer
clearly includes the integration of security capabilities into network infrastructure components.
Opportunity for Information
Security Managers
As more security managers become involved in
the selection of network infrastructure components,
there is a greater opportunity to forge an alliance
with network and business managers and to participate meaningfully in network design. This raises
the question—how may this increasing influence be
leveraged to meet the broader objectives of an information security program?
The intent of this article is to offer information
security managers an approach to secure network
design that is aligned with an information assurance
program’s objectives and is readily communicated to
management colleagues. This article advocates making security policy enforcement a central element
in network design. It defines a set of principles and
provides examples for segmenting computer systems
into security policy zones, leveraging the capabilities
of network components to enforce security policies
more effectively.
Networks That Enforce
Information Security Objectives
The central idea of the architecture proposed
here is that computer networks should be split into
distinct network zones. These zones should be organized with the primary objective of articulating and
enforcing appropriate security policies. In this context, security policies include all information security
objectives that may be addressed through technical
mechanisms.
In the typical flat computer network, where every
client workstation can reach every other workstation
and server, there is an implicit assumption that a common security policy applies to all computer systems.
The reality is that not all computer systems and computer users warrant this implied trust. Can every system that connects with the network be trusted with
the same level of confidence? Can every computer
system be securely configured and maintained with
equal facility? Does every computer system have an
identical requirement for system availability? Are the
integrity and confidentiality requirements of all data
identical? Do all computer users need equal access to
all systems and all data processed and stored on the
network? A network segmented into security policy
zones makes these various levels of trust explicit. It
also facilitates identifying the variations in risk related
to different classes of computer systems and mitigating these risks through technical measures.
Dr. Peter Stephenson, a writer, consultant and
researcher, describes the theoretical foundations for
this concept in several articles referenced at the end
of this work.
He defines a security policy zone as a network
segment for which the same security policy may be
defined for all computer systems within that zone.
Stephenson’s central idea is to identify computer
systems that share a common security policy and
place these systems into distinct network zones.
To accomplish this, systems are evaluated by their
criticality, the type of information they process
and store, various requirements for secure system
configuration and maintenance, and the relative
trustworthiness of users who access these computer
systems or the information they store. All systems in
a security policy zone share a common policy and
relative priority for many aspects of technical information assurance.
An architecture based on security policy requirements facilitates a clear assessment of risk for each
zone and the application and enforcement of protection mechanisms that are appropriate for each class
of computer assets. The segregation of systems into
security policy zones leverages the capabilities of
networking devices to enforce policies more effectively. By clarifying the various requirements for
confidentiality, integrity, and availability for each
network zone, we may more easily map information security goals to tangible objectives. Mitigation
efforts are more easily identified and prioritized.
And since most technical measures may be audited,
it also greatly simplifies the task of defining metrics
that demonstrate continuous improvement in meeting these goals.
Network Zones and
System Availability
Not every network manager will readily agree
that networks should be segmented. A flat network
simplifies the task of routing and switching packets
between source and destination. A network infrastructure device that restricts traffic to meet security objectives in effect slows down the delivery of
packets, raises questions about the reliability of the
network, and complicates the task of troubleshooting network problems. The information security
manager should acknowledge the tradeoffs between
the benefits of splitting networks into discrete zones
and the added costs and complexity associated with
schemes that segment the network. It is natural for
the network manager to ask, “What is in it for me?”
The best way to demonstrate the value of security
policy zones to the network manager is likely in
the area of system availability. Two instances where
these benefits are easily articulated are in the creation of high-availability network segments and the
prevention and mitigation of worms. These will each
be examined in some detail.
Assuring the availability of network-critical systems
and services may easily justify the costs associated
with filtering internal network traffic. The creation of
a high-availability network zone simplifies the task
of devising policies that protect these systems, leverages the capabilities of network devices to apply
technical measures that mitigate threats to system
availability, and facilitates defining metrics that demonstrate success.
One example of a high-availability zone may be
termed the utility zone, consisting of communications infrastructure (telephone, computing), physical plant infrastructure (electricity, heating, cooling),
and the safety and security infrastructure (ambulance, fire, police, 911, security badging systems).
These and other systems essential to an organization’s operations may be isolated from other network elements, providing stronger assurance that
the computer systems that are critical to the delivery
of utility systems and services are protected appropriately and that related communications are appropriately prioritized.
Most network routers and switches can be configured to prioritize packet delivery for communications to or from specified network segments or
VLANs. The creation of a utilities network zone is
the critical first step toward prioritizing these communications. The utilities zone may be further subdivided to create zones that reflect an organization’s
priorities and values. For example, systems that are
essential for life and safety may be given highest
priority for TCP/IP communications.
Another likely high-availability zone would consist
of the systems on which all other network services
depend. In most network environments this would
include DNS, authentication, and directory systems.
A network design based on the concept of security
policy zones isolates systems so that like protection
strategies may more easily be identified and applied.
Firewall filters set at the router or switch provide a
technical means of enforcing these policies along
the principle of least privilege. Ingress filters can
allow only DNS-related traffic to the DNS servers,
for example. Egress filters may be applied to prevent
and detect attacks on these critical servers.
The high-availability zone also provides a means
to protect critical servers and services when a new
threat emerges. In many network environments,
operational requirements may dictate the patching
schedule for high-availability systems. In some organizations, there is a reluctance to scan these systems
for vulnerabilities. This may yield a diminished
degree of assurance for the systems that are most
important to an organization. When firewall filters
enforce the principle of least privilege, exposure to
new threats at the network layer is reduced. In environments where high-availability systems cannot be
patched immediately, ingress/egress filters may also
be reconfigured quickly to apply a workaround that
mitigates a new threat.
Defense Against Worms
Segmentation of the network can also add significantly to a multi-layered defense against worms. A
network separated into security policy zones combats the spread of mobile malicious code in several
important ways.
By isolating classes of systems most likely to
become infected with malicious code, and by establishing choke points in the network between these
higher-risk segments and the rest of the network,
we have an opportunity to prevent the spread of
an infection to the remainder of the network. The
architecture proposed here provides a mechanism
to identify and isolate systems (e.g., laptops and
remote access) that put other systems at risk. In a
network architecture that defines both high-availability zones and high-risk zones, classes of systems
that have high-availability requirements may be protected from less trustworthy zones. This raises the
likelihood that high-availability requirements will be
realized when worms breach perimeter defenses.
By leveraging firewall capabilities in network
infrastructure devices, we may prevent the spread of
mobile malicious code at relatively little cost. Many
worms exploit weaknesses in services that listen on
easily identified ports, including 135, 137, 139, and
445. In many network environments, a firewall filter
placed between high-availability and high-risk zones
may be configured to block this traffic. In environments where some traffic on these higher risk ports
is necessary, ingress and egress filters may be configured to explicitly allow this traffic to a limited
set of sources and destinations while blocking this
port traffic to and from all other hosts. This adds a
layer of protection to high availability systems and
reduces the risk that a worm infection will lead to a
network-wide denial of service.
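The least-privilege filters described above (DNS-only ingress to the DNS servers, and ports 135, 137, 139, and 445 blocked except for a limited set of sources and destinations) can be modeled as a first-match rule list ending in a default deny. This is an added example, not code from the article; the zone names, prefixes, and host addresses are constructed assumptions.

```python
"""Added illustration (not from the article): first-match ingress filter
for a high-availability zone, ending in a default deny."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing plan; zone names and prefixes are assumptions.
ZONES = {
    "high_availability": ip_network("10.10.0.0/24"),  # DNS, authentication, directory
    "server": ip_network("10.20.0.0/24"),
    "high_risk": ip_network("10.90.0.0/16"),          # laptops, remote access
}
WORM_PORTS = frozenset({135, 137, 139, 445})          # ports named in the article


@dataclass(frozen=True)
class Rule:
    action: str        # "permit" or "deny"
    src: str           # zone name, CIDR prefix, or "any"
    dst: str           # zone name, CIDR prefix, or "any"
    proto: str         # "tcp", "udp", or "any"
    ports: frozenset   # destination ports; an empty set means any port
    note: str          # why the rule exists, kept for audit


# Ingress rules for the high-availability zone, evaluated top to bottom.
HA_INGRESS = [
    Rule("permit", "any", "10.10.0.53/32", "any", frozenset({53}),
         "DNS to the DNS server only"),
    Rule("permit", "10.20.0.15/32", "10.10.0.20/32", "tcp", frozenset({445}),
         "backup server to directory server"),
    Rule("deny", "any", "high_availability", "any", WORM_PORTS,
         "worm-prone ports"),
]
DEFAULT = ("deny", "default deny")


def _in(spec, addr):
    """True if addr falls inside the zone or prefix named by spec."""
    if spec == "any":
        return True
    net = ZONES[spec] if spec in ZONES else ip_network(spec)
    return ip_address(addr) in net


def evaluate(src, dst, proto, dport, rules=HA_INGRESS):
    """Return (action, note) of the first matching rule, else default deny."""
    for r in rules:
        if (_in(r.src, src) and _in(r.dst, dst)
                and r.proto in ("any", proto)
                and (not r.ports or dport in r.ports)):
            return (r.action, r.note)
    return DEFAULT


def worm_port_exceptions(rules=HA_INGRESS):
    """Audit helper: every permit that opens a worm-prone port."""
    found = []
    for r in rules:
        opened = (r.ports & WORM_PORTS) if r.ports else WORM_PORTS
        if r.action == "permit" and opened:
            found.append((r.src, r.dst, sorted(opened)))
    return found


if __name__ == "__main__":
    # Constructed test traffic arriving at the zone border.
    for flow in [("10.90.1.7", "10.10.0.53", "udp", 53),
                 ("10.90.1.7", "10.10.0.53", "tcp", 445),
                 ("10.20.0.15", "10.10.0.20", "tcp", 445),
                 ("10.90.1.7", "10.10.0.20", "tcp", 22)]:
        print(flow, "->", evaluate(*flow))
    print("exceptions to review:", worm_port_exceptions())
```

The explicit deny for the worm-prone ports is redundant with the default deny, but keeping it as its own rule gives a separate hit count to audit.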
Commercial intrusion prevention appliances that
detect and block attack code provide a strong layer of
defense between high-risk zones and the remainder
of the network. If the intrusion prevention vendor
puts sufficient resources into signature development
and maintenance, these devices can offer a significant defense against the entry of worms into the
network and against the spread of worms that have
breached gateway defenses. As the convergence of
network infrastructure and network security devices
continues to mature, we may expect intrusion prevention capabilities to be bundled into many network infrastructure devices.
The segmentation of the network into security
policy zones creates choke points that are ideal
locations for deploying intrusion detection systems.
The capabilities of network infrastructure devices
may be combined with intrusion detection systems to detect and prevent the spread of malicious
code and limit the likelihood that a denial of service results from a worm infection. For example, if
a computer in a security policy zone that consists
of laptop computers attempts to connect to 1,000
other systems on port 445 in under a minute, it is
fairly likely that it has been infected. Many routers
and switches are capable of generating flow statistics that can be used to characterize malicious traffic. When combined with software processes that
identify infections, an infected computer may be
automatically blocked at the switch or put into quarantine for remediation.
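The port 445 heuristic above can be run over flow records with a sliding window that counts distinct destinations per source. This is an added example, not code from the article; the flow tuple layout, the laptop zone prefix, and the sample records are constructed assumptions, and the blocking or quarantine step is left to whatever the switch supports.

```python
"""Added illustration (not from the article): flag hosts in a laptop zone
that reach the article's threshold of 1,000 destinations on port 445
within one minute, using flow records."""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

LAPTOP_ZONE = ip_network("10.90.0.0/16")   # constructed zone prefix
WATCH_PORT = 445
WINDOW_SECONDS = 60
DEST_THRESHOLD = 1000


def find_scanners(flows, zone=LAPTOP_ZONE, port=WATCH_PORT,
                  window=WINDOW_SECONDS, threshold=DEST_THRESHOLD):
    """flows: (timestamp_seconds, src, dst, dst_port) tuples sorted by time.

    Returns {src: timestamp at which src first had `threshold` distinct
    destinations on `port` inside a window shorter than `window` seconds}.
    """
    recent = defaultdict(deque)                      # src -> (ts, dst) in window
    counts = defaultdict(lambda: defaultdict(int))   # src -> dst -> hits in window
    flagged = {}
    for ts, src, dst, dport in flows:
        if dport != port or src in flagged or ip_address(src) not in zone:
            continue
        queue, seen = recent[src], counts[src]
        queue.append((ts, dst))
        seen[dst] += 1
        # Drop records that have aged out of the window.
        while ts - queue[0][0] >= window:
            _, old_dst = queue.popleft()
            seen[old_dst] -= 1
            if seen[old_dst] == 0:
                del seen[old_dst]
        if len(seen) >= threshold:
            flagged[src] = ts        # candidate for blocking or quarantine
    return flagged


def sample_flows():
    """Constructed flow records for three laptops in the laptop zone."""
    base = int(ip_address("10.20.0.1"))
    flows = []
    # Laptop A: 1,200 distinct destinations at 25 connections per second.
    flows += [(i / 25, "10.90.3.44", str(ip_address(base + i)), 445)
              for i in range(1200)]
    # Laptop B: heavy but ordinary use of a single file server.
    flows += [(i / 25, "10.90.3.50", "10.20.0.15", 445)
              for i in range(1500)]
    # Laptop C: lower rate, never 1,000 destinations inside one window;
    # a tighter per-zone threshold is needed to flag it.
    flows += [(i / 10, "10.90.7.9", str(ip_address(base + i)), 445)
              for i in range(1200)]
    return sorted(flows)


if __name__ == "__main__":
    print("article threshold:", find_scanners(sample_flows()))
    print("tighter threshold:", find_scanners(sample_flows(), threshold=500))
```

Counting distinct destinations rather than raw connections keeps a laptop that talks constantly to one file server from being quarantined.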
Controlling Access to the LAN
Computers that connect from remote locations
raise questions with regards to confidence and trust.
These systems may reside on networks that are not
as well protected as the enterprise network. The host
computers may not be as securely configured or as
well maintained as computer systems directly under
the control of one’s own organization. There are few
technical mechanisms to assure that remotely connected host computers are in compliance with an
organization’s security policies.
In a flat network, where any workstation can
reach every other workstation and server, it is significantly more difficult to apply technical measures
that address variations in assurance and trust. A
network segmented into security policy zones permits
the architect to address variance in risk posed
by different channels of network access. Access from
locations that are less inherently trustworthy may
be grouped into distinct security policy zones. This
may include VPN, dialup, and partner or subsidiary
connections.
Wireless networking is another example of network access that may be inherently less trustworthy.
By isolating network connections such as wireless or
VPN into separate segments or VLANs, it becomes
easier to apply security policies to these connections
that are commensurate to their level of trust. It is
also easier to change this policy quickly in response
to future threats.
Once a network has been segmented into security
policy zones, the communications between zones
may be studied to identify network traffic that is
necessary and legitimate. Ingress and egress filters may then be applied to permit this traffic and
block all other traffic, based on the principle of least
privilege.
The security policy zone architecture facilitates
the application of technical measures to mitigate
risk posed by variations in assurance and trust. Traffic may be filtered based on the principle of least
privilege. Intrusion detection and intrusion prevention devices may be placed at chokepoints between
security policy zones to protect information confidentiality, integrity, and availability. A network
segmented into security policy zones allows the
architect to identify classes of systems that are inherently less trustworthy, place these systems in distinct
network zones, restrict traffic between zones, and
monitor and audit traffic to enforce and demonstrate
compliance.
Protecting Information
Confidentiality and Integrity
Many organizations have policies that identify
higher protection requirements for specified classes
of information. In many environments, law or regulation requires this. Multinational organizations must
comply with an array of local laws and regulations.
Security policy zones present a significant opportunity to protect data confidentiality and integrity and
to demonstrate compliance requirements.
Computers that process and store sensitive information may be placed in distinct security policy
zones. This facilitates the deployment of protections
commensurate with the value of the data protected
and allows for more finely tuned prioritization of
host security measures. Logical access to these segments may be restricted to computer users who
have authorized access to these classes of information. For example, all users should generally have
ready access to web-based information on benefits
or human resources policies, but access to confidential human resources information may be restricted
appropriately. An analysis of this sort lends itself
to the easy identification of potential violations in
security policy. By placing like information systems
into discrete zones, traffic flows between zones may
more easily be filtered and restricted to comply with
an organization’s security requirements.
Implementation of VLANs is a common approach
to the creation of information protection zones.
Many organizations approach the problem of identifying information protection zones by creating
departmental VLANs. For example, all desktop
computers and information servers belonging to
the accounting department may sit on a common
VLAN. Filters are set so that most other user VLANs
cannot route to the accounting department’s VLAN.
This presents a network layer barrier to prevent
accidental or deliberate disclosure or alteration of
sensitive information.
In environments where confidentiality of data in
transit must be assured, network devices such as
routers may be configured to provide point-to-point
encryption. The confidentiality of information that
is passed over wireless networks may be assured by
encrypting traffic between wireless clients and wireless access points.
Server Zones and System
Administrator Zones
In many organizations, there are important differences in the requirements that govern the protection
of host computers and servers. Separating servers
into a distinct security policy zone facilitates the
clarification of policy appropriate to this zone and
strengthens an organization’s ability to enforce
policy through network infrastructure devices.
How quickly do server patches need to be applied
as compared with workstations? How often do servers need to be scanned for vulnerabilities as compared with workstations? Are there more exceptions
to the common policy based on operational requirements? Are there different flavors of operating systems? Are there different requirements for server
availability? The complexity of managing servers
adds to the challenge of configuring and maintaining hardened systems throughout the enterprise.
Separating servers into a distinct zone (or zones)
facilitates the establishment of measures to protect
these systems appropriately.
Placing the desktop computer systems used by
system administrators in a distinct security policy
zone addresses several risk factors related to system
administration. System administrators have a unique
level of access to business-critical systems and information. The establishment of a system administrator
zone facilitates auditing the actions taken by those
with authorized system administrator access. It also
provides a network layer of defense that reduces the
likelihood that an unauthorized user can accidentally or maliciously gain root access to servers, limiting exposure in a situation where an adversary gains
or abuses access to the LAN.
Once server and system administration zones have
been established, access to the server zone may be
restricted to the network zone or VLAN used by system administrators. Access to the system administrator zone may likewise be restricted to reduce the
likelihood that an unauthorized user may gain logical access to a system administrator’s workstation.
The chokepoints in the network created by the
establishment of these zones are ideally located
to detect attempted or successful attacks directed
against these important segments. They may also be
used to audit system administration actions, offering a layer of deterrence against abuse. They also
enhance our capacity to demonstrate compliance
and continuous improvement through metrics.
Host Security
This article has described an architecture based
on security policy zones. It has described how
network infrastructure devices may add additional
layers of defense, enforcing inter-zone routing policies at zone borders and preventing and detecting
the propagation of malicious activity. The last section
of this article describes how an architecture based
on security policy zones may serve to strengthen
host security.
Host security represents the final layer of defense
against attack. The redistribution of hosts into
security policy zones may improve host security in
three important areas: requirements for each zone
are more clearly defined; policies directly address
the unique needs of each zone; and efforts to
harden, scan, and patch systems are more readily
prioritized.
In many organizations, the advent of mobile malicious code has exposed weaknesses in system hardening and patching. Worms exploit weaknesses in
system configuration, often targeting default settings
that expose systems to vulnerabilities. Worms typically attack systems that have known vulnerabilities
for which security patches are available but have not
been installed. Newly built systems are particularly
at risk.
Few organizations can achieve 100 percent compliance with policies that govern system configuration and security patching. It is an open question
whether the current model for distributing critical
security patches will ever attain 100 percent saturation. In an environment where consistent hardening
and patching may not be attainable, better prioritization is needed to provide a higher degree of assurance that more critical systems get the attention they
need.
The security policy zone architecture directly
addresses the need to identify the security policy
requirements for various classes of computer systems.
In many computing environments, institutional security policies that describe hardening requirements
are more generalized and cannot address unique
needs. Systems are scanned on a schedule that cannot address diverse needs. With the segmentation of
systems into security policy zones, the requirements
and scheduling for hardening, scanning, and patching systems may more appropriately reflect the risk
to each zone and each zone’s purposes and unique
needs.
References
Stephenson, P. (2004). The Application of Formal Methods to Root
Cause Analysis of Digital Incidents. International Journal of Digital
Evidence, 3:1.
Stephenson, P. (2003). Modeling of Post-Incident Root Cause Analysis.
International Journal of Digital Evidence, 2:2.
Stephenson, P. (2001). S-TRAIS: A Method for Security Requirements
Engineering Using a Standards-Based Network Security Reference
Model. http://www.sreis.org/old/2001/papers/sreis018.pdf.
Biography
Alex Malin, CISSP, is an intrusion detection system
architect and incident response manager for Los Alamos
National Laboratory. His interests include assuring information confidentiality through technical controls and
integrating security into network design.
Running head: INFORMATION SECURITY
Information Security
Name
Institution
Professor
Course
Date
First Source
Source: Okenyi, P. O., & Owens, T. J. (2007). On the Anatomy of Human Hacking. Information
Systems Security, 16(6), 302-314. doi:10.1080/10658980701747237
Documentation style: APA
Authors: Okenyi P.O and Owens T.J
Thomas J. Owens is a doctor at Brunel University London in the College of
Engineering, Design, and Physical Sciences. From February 2014 until March 2018, Tom was an
Executive Vice President of Real Estate at Cinemark Holdings Inc. Mr. Owens is also a co-owner at Thomas J Owens and Margaret E Richards Trust. Since 1996, Mr. Owens has served
in executive positions in various companies and organizations dealing with information
technology and other aspects of technological development. Lastly, Owens is currently conducting
research focused on Security and Network Security of Wireless Communications, a course he also
teaches in London. Okenyi P.O. is also a doctor who has worked with SWH IT security, HSBC
Technologies, Inc. Before joining HSBC, Okenyi worked at Credit Suisse Asset
Management New York (CSAM NY) and as part of the IT Risk team at Credit Suisse First
Boston New York (CSFB). Dr. Peter Okenyi has additionally worked as a senior security
consultant for eFortresses, an information technology risk management firm headquartered in
Atlanta, Ga. The profiles of the
two doctors described above are a clear indication that they are the best.
Publisher: Taylor & Francis Group, LLC
Taylor & Francis Group, LLC is a well-known and recognized international academic publisher
with offices all over the world. The group is a world-leading academic and
professional publisher that cultivates knowledge through the creation of efficient and effective
partnerships with a commitment to quality. Taylor & Francis Group publishes books, journals
and online articles for all academic study levels as well as professional development across a
wide range of disciplines and subjects. The group’s journals are peer-reviewed, quality publications,
usually published under the Routledge and Taylor and Francis imprints. A purely open access
program is offered by the group’s newest part, Cogent OA. The publisher’s information
and journals are available in trusted archives and can also be accessed through
subscription databases.
Accuracy
The published information in the journal is not only accurate but also of high quality. The
information contained in the journal has been peer-reviewed and can readily be availed or
accessed from the APUS library. At the end of the journal, a list of references has been provided
so that any interested parties having any doubts can confirm what has been presented by the two
doctors, Okenyi and Owens.
Current Information
The information in the journal, pages 302-314 was published online on the 19th of
December 2007. The abstract can be accessed free by anyone but to gain full access one is
required to register so that they can access the entire document at a certain fee. The information
provided was based on factual data and figures but since its publication online in 2007, it has not
been updated.
Objectivity
Issues in the journal are treated in a fair way and there is no side that seems to have been
addressed more or less than the other. The issues addressed by the two doctors address human
hacking as being a type of interruption that is nontechnical and profoundly relying on the
manipulation of human beings.
Second source
Malin, Alex. Information Systems Security. Jan2007, Vol. 16 Issue 1, p47-53. 7p. DOI:
10.1080/10658980601051490.
The journal has been peer-reviewed at APUS library.
Documentation Style: APA
Author: Alex Malin, CISSP.
Alex Malin, CISSP, is an intrusion detection system architect and an
incident response manager for Los Alamos National Laboratory. Alex has a wide range of
interests which include assuring the confidentiality of information through technical controls and
the integration of security into various designs of networks. Alex's immense interest and
confidence in these areas make him an expert in the general field of information systems.
Publisher: Taylor & Francis Group, LLC.
The publisher, Taylor & Francis Group, LLC, commits to partnering with world-class authors,
from renowned researchers, leading scientists, and scholars to professionals who operate
at the top of their various fields. As a team, the group publishes in all areas of social sciences,
science, behavioral science, medicine, technology, and humanities. The group currently
stands among the world’s leading publishers of books, eBooks, textbooks, reference works and
scholarly journals like this one. The group’s network of offices has expanded since its formation to
include numerous representatives in New York, Boca Raton, Singapore, Tokyo, Kuala Lumpur,
New Delhi, Johannesburg, Melbourne, and Philadelphia. The expansion has helped the group’s
staff be in a position to provide expertise locally and offer editors support. Societies and authors can
be offered customer service that is efficient and tailored to the company’s library colleagues all
over the world.
Accuracy
The information provided in the journal is very accurate and corresponds with other
various resources that have historically been reliable. The journal describes an architecture that is
based on different zones of security. Network infrastructure devices, as described by the author,
can add more layers of defense, enforcing inter-zone routing policies at zone borders and thus
preventing and detecting the propagation of malicious activity.
Reliability of the information provided
The information provided by Alex Malin in the journal has been peer-reviewed and
contains a list of references that one can use to confirm that the provided information is correct
in case of any doubts. Considering the immense experience that the author, Alex Malin, has, the
information provided is factual with no errors.
Current information
The journal was published in Jan/Feb 2007 (pages 47-53) and has not been updated
since. What Alex, the author, presented are facts and updating them would mean changing the
truth of what is already in existence. A preview of the journal can be accessed online but the full
document can only be accessed from institutions’ libraries and the APUS library upon request.
Objectivity
In designing networks that enforce information security policies, every side and angle has
been considered, with all of them treated the same and none regarded more than the
other. Security of networks is something that long ago was not considered, as the population
was smaller and technology had not been fully embraced. The central objective of the journal was
that computer networks needed to be split into various distinct network zones. A point
was reached when network infrastructure and network security devices had to converge for a better
solution. The issue of network security has been addressed fairly, with all sides being keenly
attended to and without any bias.