In this lesson, I'll discuss the introduction to practical computer security.
So, by the end of the lesson,
I'll explain what practical computer security is,
and why we have a need for computer security.
So, you should be able to discuss those as well and explain why
we need computer security for any industry that you may be working in.
My definition of practical computer security is the means in
which computer security is applied in an everyday setting.
So, I've been doing this for a number of years,
and I've been doing it in the industry.
Not so much from theory,
but we have to understand theory in order to apply computer security to any industry.
Many certifications focus on theory and understanding how to implement security controls.
So, bottom line is that if you end up putting all the controls you can in place,
you're going to end up forcing people into another situation,
that actually allows them to not do their work.
And which leads to, really, insecurity.
I'll talk about this here in a second.
Managing too much computer security,
or putting too many computer security controls in place,
may lead to too much management or burden on your IT
department or the security department in the end.
Let's talk about what happened about 10 years ago at the university.
Let me define network access control.
Network access control basically forces a user to identify themselves on the network.
So, this could be done through a lot of different means,
or technical controls, rather.
What it also can do is employ other techniques to control the flow of data,
or put certain controls on users or on users' computers.
So, what happened was that the solution was very black and white.
We required users to put anti-virus and anti-spyware on their computers.
It had to be running,
and it had to be completely up to date.
So, let's say that your anti-virus was out of date by maybe a couple of hours,
because anti-virus definitions update,
roughly, three, four, five times a day.
Well, if you didn't have the latest ones,
it was going to throw you into quarantine.
Additionally, Windows had to be updated fully as well.
So, if you were missing one patch,
you would be kicked off the network.
What it did is...
and we had this only implemented on the wireless network,
because students back then only were using wireless.
And not a majority of them were using wired,
or we had a lot of problems with wired connections.
But what happened was you would connect to the wireless network,
identify who you were,
the system would check your computer,
and if you had any problems it would throw you into...
it would kick you off the network.
You would reconnect into a different segmented,
what we call VLAN,
or virtual local address network, for segmentation.
And then you were allowed to update or comply with the policies.
And then kicked you off the network again,
once you had those met,
scanned your computer, then you were good to go.
So, that whole process took around 15 minutes.
Imagine if you were a student coming onto the campus the very first time,
or even during the middle of a semester,
or a faculty member,
and they started teaching class.
And they wasted 15 minutes trying to get on the network.
It was a real burden on users.
What eventually happened was that we saw
a 45-55% shift in the way that users were using the network.
So, 55% of the users would actually jump off the secure network,
which allowed you access to everything,
and they would go to the open network.
The open network was designed to only
allow a few web sites through and nothing that was secure.
So, and then they would use VPN then to get around that port restriction that they had.
So, what we did back there in about 2008,
is replaced that solution with a solution that allowed a three-day grace period.
So, the system would check your computer.
Says, hey, I'm going to warn you that your Windows Update is out of date,
but I'm going to continue to allow you to access the network.
So, that three-day grace period allowed us to be more secure in the long run,
even though we were intentionally making
the computer insecure by not having the user update.
So, we saw a shift between the 45% that were actually using the secure network to
95% of users that were using the secure network once we put that solution in place.
Securing computers is tough.
Many things have to be taken into account when applying computer security.
For example, a user needs to share files with another user.
You may have a solution that you use in your whatever industry that you're using.
At the university, we use OneDrive, for example.
However, what if you're used to using Dropbox?
Or what if you're used to using box.com?
Or SpiderOak?
Or another file sharing or collaboration software?
There is a corporate solution out there.
And the reason why we put those in place is because of security.
We need to have users be educated,
instead of just putting a solution on them.
Maybe we're not explaining how to use the tool right,
but computer security is hard.
We have to take many things into account.
The reason why we use OneDrive is because it's secure.
Who owns that data?
We have an enterprise agreement that says we own that data.
And it's better for the user in the long run,
if they use the corporate version of whatever file sharing software that we're using.
So, that's just one example of where computer security,
not only can be a burden on the IT department,
but it also could be a burden on the user as well.
So, all that needs to be taken into account.
Let's talk about the need for security.
There are two main reasons why we have a need for security, in my opinion.
The first is information.
We need to protect information.
This includes intellectual property and personal information.
In the past I've seen where
some of the research that we've been doing as
the University has been attempted to be broken into,
from threats and attacks from China that have stolen credentials
from a UCCS student to get into our research database.
And I've also seen personal information being
stolen as well from all kinds of different people.
We have students, we have faculty, we have staff.
When I was in, not in the university setting,
I saw information being stolen in a number of different ways there.
Another reason we have security in place is safety.
Think about the safety of people and the safety of systems.
Why do we have life safety systems?
What happens if a phone system isn't working because it wasn't backed up?
Or because there was a power outage,
and we didn't have universal or uninterrupted power supply?
Think about the safety of systems as well.
This goes both to the technical side of the system,
but it also goes into the physical side.
If I don't lock a room or I don't lock the data center door,
then how secure are my systems?
What if something is stolen?
Or knocked over because it's put in the wrong place.
So, there are two real reasons in my opinion why we need computer security.
Information and again, safety.
How do we protect that information is narrowed down into three key points,
and we'll be talking about these in the lessons next week,
confidentiality, integrity and availability.
All computer security components
or computer systems in general have to be protected on all of these three levels.
If we don't have one of these levels in place,
we're going to have a problem with the overall security of the system.