Teppi tvet

TTLM Unit Build Internet Infrastructure

College

Teppi tvet College

IT service Management Level V

Unit of Competence: build internet infrastructure

Module Title: building internet infrastructure

y.m Page 1
 Teppi tvet
TTLM Unit Build Internet Infrastructure
College

MODULE TITLE: Building Internet Infrastructure

1. Plan and organize internet infrastructures
Introduction
The Internet is a global system of interconnected computer networks that use the standard
Internet protocol suite (TCP/IP) to serve several billion users worldwide. It is a network of
networks that consists of millions of private, public, academic, business, and
governmentnetworks, of local to globalscope, that are linked by a broad array of electronic,
wireless and opticalnetworkingtechnologies. The Internet carries an extensive range of
information resources and services, such as the inter-linked hypertext documents of the World
Wide Web (WWW) and the infrastructure to support email.

Most traditional communications media including telephone, music, film, and television are
being reshaped or redefined by the Internet, giving birth to new services such as voice over
Internet Protocol (VoIP) and Internet Protocol television (IPTV). Newspaper, book and
other print publishing are adapting to Web site technology, or are reshaped into blogging and
web feeds. The Internet has enabled and accelerated new forms of human interactions through
instant messaging, Internet forums, and social networking. Online shopping has boomed both for
major retail outlets and small artisans and traders. Business-to-business and financial services on
the Internet affect supply chains across entire industries.

The origins of the Internet reach back to research commissioned by the United States
government in the 1960s to build robust, fault-tolerant communication via computer networks.
The funding of a new U.S. backbone by the National Science Foundation in the 1980s, as well as
private funding for other commercial backbones, led to worldwide participation in the
development of new networking technologies, and the merger of many networks. Though the
Internet has been widely used by academia since the 1980s the commercialization of what was
by the 1990s an international network resulted in its popularization and incorporation into
virtually every aspect of modern human life. As of June 2012, more than 2.4 billion people over
a third of the world's human population have used the services of the Internet; approximately 100

y.m Page 2
 Teppi tvet
TTLM Unit Build Internet Infrastructure
College

times more people than were using it in 1995, when it was mostly used by tech-savvy middle and
upper-class people in the United States and several other countries.

The Internet has no centralized governance in either technological implementation or policies for
access and usage; each constituent network sets its own policies. Only the overreaching
definitions of the two principal name spaces in the Internet, the Internet Protocol address space
and the Domain Name System, are directed by a maintainer organization, the Internet
Corporation for Assigned Names and Numbers (ICANN). The technical underpinning and
standardization of the core protocols (IPv4 and IPv6) is an activity of the Internet Engineering
Task Force (IETF), a non-profit organization of loosely affiliated international participants that
anyone may associate with by contributing technical expertise.
The Internet Infrastructure: General perspective
Traditionally, the Internet infrastructure has been divided into backbone and access networks,
with the interface between these two parts of the infrastructure being managed by Internet
Service Providers (ISPs).

The backbone is made of high-speed routers/switches interconnected by large-capacity fiber-

optic links. Backbones can be divided into large national/international backbones and smaller
more local regional/metropolitan backbones. New technologies for backbones are mostly in the
area of all-optical networks. Backbone operators serve mainly ISPs and large or medium
companies with complex communications needs, typically requiring high capacity links to the
Internet and the interconnection of several geographically distant facilities. In terms of industry
structure, this is a market with a relatively small number of operators. There are less than 50
national backbones in the entire North America. The backbone business requires very large
investments and enjoys considerable economies of scale due to the cost of installing fiber. Small
backbone operators do not usually install fiber cables themselves, preferring to lease dark fibers
from others.

The access infrastructure, connecting businesses and households to regional and national
backbones, is currently the most critical aspect of the communications networks that support the
y.m Page 3
 Teppi tvet
TTLM Unit Build Internet Infrastructure
College

Internet. Although large corporations can afford sophisticated high-capacity access links, the
existing access solutions for residential customers and small businesses rely mostly on the public
switched telephone network (PSTN). This network, which was built to carry voice, is not
adequate for data communications. It suffers from a bandwidth bottleneck in the local loop and
network access requires the setup of a telephone connection that ties up a telephone line from
end-to-end for the entire period that the network link is active.

Several always-on broadband access solutions have been recently developed in response to these
problems, including Digital Subscriber Line (DSL), cable modems, fixed wireless and satellite.
The large number of homes and small business going on-line, together with the increased
requirements of the most recent Internet applications has drawn substantial attention to this
market. The rollout of broadband access network is still in its initial phase and it requires a large
investment in the years to come in order to bring the benefits of the Internet and advanced data
services to households and small businesses.

Internet service providers constitute the Interface between backbones and access networks. Their
main service is to terminate a large number of access connections from their customers and to
offer connectivity to national backbones.
Today, access connections are in their large majority switched telephone circuits using voce-
grade modems. These narrowband access links are terminated at modem banks and statistically
multiplexed into a packet-switched IP network, allowing a large-number of connections to
efficiently share a high-speed pipe to a backbone. The core services offered by ISPs include also
administration of IP addresses for their customers and management of cashing systems, which
are used to improve the speed at which content is delivered. ISPs offer other complementary
services as e-mail, web hosting, content filtering, news boards and chat rooms. Although these
services do not have to be necessarily offered by ISP, they are usually bundled in the Internet
access package. Some ISPs further leverage their relation with the customer by offering portals
to content and e-commerce.

y.m Page 4
 Teppi tvet
TTLM Unit Build Internet Infrastructure
College

When compared to the access or the backbone, the market for ISPs is very competitive with
more than 8,000 companies in the US alone. Most ISPs are local, but there are a few large ISPs
with Points of Presence (POPs) all over the country that controls a large share of the market. The
high degree of competition in this market is due to its low barriers to enter. Starting an ISP with a
small number of POPs does not require a large investment and the technology for traditional
access based on modems has already been completely standardized. Many ISPs prefer to
outsource the physical access to the Internet from wholesalers and focus on the business of
reselling access and other higher-margin complementary services to their customers.

With the emergence of broadband access technologies, the interface between the telephone
network and the Internet, which has been the traditional core business of ISPs, disappears. It
becomes more difficult to draw the line dividing the access from the backbone and to define
what an ISP is. These technologies are packet-switched by nature and the concentration of
packets from several end-users into high-bandwidth shared links is performed at the access level,
or at least at a level that has been traditionally been part of the access.

Technology
Protocols
Thecommunications infrastructure of the Internet consists of its hardware components and a
system of software layers that control various aspects of the architecture. While the hardware can
often be used to support other software systems, it is the design and the rigorous standardization
process of the software architecture that characterizes the Internet and provides the foundation
for its scalability and success. The responsibility for the architectural design of the Internet
software systems has been delegated to the Internet Engineering Task Force (IETF). The IETF
conducts standard-setting work groups, open to any individual, about the various aspects of
Internet architecture. Resulting discussions and final standards are published in a series of
publications; each called a Request for Comments (RFC), freely available on the IETF web site.
The principal methods of networking that enable the Internet are contained in specially
designated RFCs that constitute the Internet Standards. Other less rigorous documents are simply

y.m Page 5
 Teppi tvet
TTLM Unit Build Internet Infrastructure
College

informative, experimental, or historical, or document the best current practices (BCP) when
implementing Internet technologies.

The Internet standards describe a framework known as the Internet protocol suite. This is a
model architecture that divides methods into a layered system of protocols. The layers
correspond to the environment or scope in which their services operate. At the top is the
application layer, the space for the application-specific networking methods used in software
applications, e.g., a web browser program uses the client-server application model and many file-
sharing systems use a peer-to-peer paradigm. Below this top layer, the transport layer connects
applications on different hosts via the network with appropriate data exchange methods.
Underlying these layers are the core networking technologies, consisting of two layers. The
internet layer enables computers to identify and locate each other via Internet Protocol (IP)
addresses, and allows them to connect to one another via intermediate (transit) networks. Last, at
the bottom of the architecture, is a software layer, the link layer, that provides connectivity
between hosts on the same local network link, such as a local area network (LAN) or a dial-up
connection. The model, also known as TCP/IP, is designed to be independent of the underlying
hardware, which the model therefore does not concern itself with in any detail. Other models
have been developed, such as the Open Systems Interconnection (OSI) model, but they are not
compatible in the details of description or implementation; many similarities exist and the
TCP/IP protocols are usually included in the discussion of OSI networking.

The most prominent component of the Internet model is the Internet Protocol (IP), which
provides addressing systems (IP addresses) for computers on the Internet. IP enables
internetworking and in essence establishes the Internet itself. IP Version 4 (IPv4) is the initial
version used on the first generation of today's Internet and is still in dominant use. It was
designed to address up to ~4.3 billion (109) Internet hosts. However, the explosive growth of the
Internet has led to IPv4 address exhaustion, which entered its final stage in 2011, when the
global address allocation pool was exhausted. A new protocol version, IPv6, was developed in
the mid-1990s, which provides vastly larger addressing capabilities and more efficient routing of

y.m Page 6
 Teppi tvet
TTLM Unit Build Internet Infrastructure
College

Internet traffic. IPv6 is currently in growing deployment around the world, since Internet address
registries (RIRs) began to urge all resource managers to plan rapid adoption and conversion.

IPv6 is not interoperable with IPv4. In essence, it establishes a parallel version of the Internet not
directly accessible with IPv4 software. This means software upgrades or translator facilities are
necessary for networking devices that need to communicate on both networks. Most modern
computer operating systems already support both versions of the Internet Protocol. Network
infrastructures, however, are still lagging in this development. Aside from the complex array of
physical connections that make up its infrastructure, the Internet is facilitated by bi- or multi-
lateral commercial contracts (e.g., peering agreements), and by technical specifications or
protocols that describe how to exchange data over the network. Indeed, the Internet is defined by
its interconnections and routing policies.

Fig 1: TCP/IP protocol layers

Routing

y.m Page 7
 Teppi tvet
TTLM Unit Build Internet Infrastructure
College

Internet service providers connect customers, which represent the bottom of the routing
hierarchy, to customers of other ISPs via other higher or same-tier networks. At the top of the
routing hierarchy are the Tier 1 networks, large telecommunication companies which exchange
traffic directly with all other Tier 1 networks via peering agreements. Tier 2 networks buy
Internet transit from other providers to reach at least some parties on the global Internet, though
they may also engage in peering. An ISP may use a single upstream provider for connectivity, or
implement multihoming to achieve redundancy. Internet exchange points are major traffic
exchanges with physical connections to multiple ISPs.

Computers and routers use routing tables to direct IP packets to the next-hop router or
destination. Routing tables are maintained by manual configuration or by routing protocols. End-
nodes typically use a default route that points toward an ISP providing transit, while ISP routers
use the Border Gateway Protocol to establish the most efficient routing across the complex
connections of the global Internet.

Large organizations, such as academic institutions, large enterprises, and governments, may
perform the same function as ISPs, engaging in peering and purchasing transit on behalf of their
internal networks. Research networks tend to interconnect into large subnetworks such as
GEANT, GLORIAD, Internet2, and the UK's national research and education network, JANET.

y.m Page 8
 Teppi tvet
TTLM Unit Build Internet Infrastructure
College

Fig2. Internet Connectivity Distribution & Core

General structure
The Internet structure and its usage characteristics have been studied extensively. It has been
determined that both the Internet IP routing structure and hypertext links of the World Wide Web
are examples of scale-free networks.

Many computer scientists describe the Internet as a "prime example of a large-scale, highly
engineered, yet highly complex system". The Internet is heterogeneous; for instance, data
transfer rates and physical characteristics of connections vary widely. The Internet exhibits
"emergent phenomena" that depend on its large-scale organization. For example, data transfer
rates exhibit temporal self-similarity. The principles of the routing and addressing methods for
traffic in the Internet reach back to their origins in the 1960s when the eventual scale and
popularity of the network could not be anticipated. Thus, the possibility of developing alternative
structures is investigated. The Internet structure was found to be highly robustto random failures
and very vulnerable to high degree attacks.
Governance
y.m Page 9
 Teppi tvet
TTLM Unit Build Internet Infrastructure
College

The Internet is a globally distributed network comprising many voluntarily interconnected

autonomous networks. It operates without a central governing body. However, to maintain
interoperability, the principal name spaces of the Internet are administered by the Internet
Corporation for Assigned Names and Numbers (ICANN), headquartered in Marina del Rey,
California. ICANN is the authority that coordinates the assignment of unique identifiers for
use on the Internet, including domain names, Internet Protocol (IP) addresses, application
port numbers in the transport protocols, and many other parameters. Globally unified name
spaces, in which names and numbers are uniquely assigned, are essential for maintaining the
global reach of the Internet. ICANN is governed by an international board of directors drawn
from across the Internet technical, business, academic, and other non-commercial communities.

ICANN's role in coordinating the assignment of unique identifiers distinguishes it as perhaps the
only central coordinating body for the global Internet. The government of the United States
continues to have a primary role in approving changes to the DNS root zone that lies at the heart
of the domain name system. On 16 November 2005, the United Nations-sponsored World
Summit on the Information Society, held in Tunis, established the Internet Governance Forum
(IGF) to discuss Internet-related issues.

The technical underpinning and standardization of the Internet's core protocols (IPv4 and IPv6)
is an activity of the Internet Engineering Task Force (IETF), a non-profit organization of loosely
affiliated international participants that anyone may associate with by contributing technical
expertise.

Services
 World Wide Web
Many people use the terms Internet and World Wide Web, or just the Web, interchangeably, but
the two terms are not synonymous. The World Wide Web is a global set of documents,
images and other resources, logically interrelated by hyperlinks and referenced with

y.m Page 10
 Teppi tvet
TTLM Unit Build Internet Infrastructure
College

Uniform Resource Identifiers (URIs). URIs symbolically identifies services, servers, and
other databases, and the documents and resources that they can provide. Hypertext Transfer
Protocol (HTTP) is the main access protocol of the World Wide Web, but it is only one of the
hundreds of communication protocols used on the Internet. Web services also use HTTP to allow
software systems to communicate in order to share and exchange business logic and data.

World Wide Web browser software, such as Microsoft's Internet Explorer, Mozilla
Firefox, Opera, Apple's Safari, and Google Chrome, lets users navigate from one web page
to another via hyperlinks embedded in the documents. These documents may also contain
any combination of computer data, including graphics, sounds, text, video, multimedia and
interactive content that runs while the user is interacting with the page. Client-side
software can include animations, games, office applications and scientific demonstrations.
Through keyword-driven Internet research using search engines like Yahoo! and Google, users
worldwide have easy, instant access to a vast and diverse amount of online information.
Compared to printed media, books, encyclopedias and traditional libraries, the World Wide Web
has enabled the decentralization of information on a large scale.

The Web has also enabled individuals and organizations to publish ideas and information
to a potentially large audience online at greatly reduced expense and time delay. Publishing
a web page, a blog, or building a website involves little initial cost and many cost-free services
are available. Publishing and maintaining large, professional web sites with attractive, diverse
and up-to-date information is still a difficult and expensive proposition, however. Many
individuals and some companies and groups use web logs or blogs, which are largely used as
easily updatable online diaries. Some commercial organizations encourage staff to communicate
advice in their areas of specialization in the hope that visitors will be impressed by the expert
knowledge and free information, and be attracted to the corporation as a result. One example of
this practice is Microsoft, whose product developers publish their personal blogs in order to
pique the public's interest in their work. Collections of personal web pages published by large
service providers remain popular, and have become increasingly sophisticated. Whereas
operations such as Angelfire and GeoCities have existed since the early days of the Web, newer

y.m Page 11
 Teppi tvet
TTLM Unit Build Internet Infrastructure
College

offerings from, for example, Facebook and Twitter currently have large followings. These
operations often brand themselves as social network services rather than simply as web page
hosts.

Advertising on popular web pages can be lucrative, and e-commerce or the sale of products
and services directly via the Web continues to grow.

When the Web began in the 1990s, a typical web page was stored in completed form on a web
server, formatted in HTML, ready to be sent to a user's browser in response to a request. Over
time, the process of creating and serving web pages has become more automated and more
dynamic. Websites are often created using content management or wiki software with, initially,
very little content. Contributors to these systems, who may be paid staff, members of a club or
other organization or members of the public, fill underlying databases with content using editing
pages designed for that purpose, while casual visitors view and read this content in its final
HTML form. There may or may not be editorial, approval and security systems built into the
process of taking newly entered content and making it available to the target visitors.
 Communication
Email is an important communications service available on the Internet. The concept of
sending electronic text messages between parties in a way analogous to mailing letters or
memos predates the creation of the Internet. Pictures, documents and other files are sent as
email attachments. Emails can be cc-ed to multiple email addresses.

Internet telephony is another common communications service made possible by the

creation of the Internet. VoIP stands for Voice-over-Internet Protocol, referring to the
protocol that underlies all Internet communication. The idea began in the early 1990s with
walkie-talkie-like voice applications for personal computers. In recent years many VoIP systems
have become as easy to use and as convenient as a normal telephone. The benefit is that, as the
Internet carries the voice traffic, VoIP can be free or cost much less than a traditional
telephone call, especially over long distances and especially for those with always-on
Internet connections such as cable or ADSL. VoIP is maturing into a competitive

y.m Page 12
 Teppi tvet
TTLM Unit Build Internet Infrastructure
College

alternative to traditional telephone service. Interoperability between different providers

has improved and the ability to call or receive a call from a traditional telephone is
available. Simple, inexpensive VoIP network adapters are available that eliminate the need
for a personal computer.

Voice quality can still vary from call to call, but is often equal to and can even exceed that of
traditional calls. Remaining problems for VoIP include emergency telephone number dialing and
reliability. Currently, a few VoIP providers provide an emergency service, but it is not
universally available. Older traditional phones with no "extra features" may be line-powered only
and operate during a power failure; VoIP can never do so without a backup power source for the
phone equipment and the Internet access devices. VoIP has also become increasingly popular
for gaming applications, as a form of communication between players. Popular VoIP clients
for gaming include Ventrilo and Teamspeaks. Wii, PlayStation 3, and Xbox 360 also offer VoIP
chat features.
 Data transfer
File sharing is an example of transferring large amounts of data across the Internet. A
computer file can be emailed to customers, colleagues and friends as an attachment. It can
be uploaded to a website or FTP server for easy download by others. It can be put into a
"shared location" or onto a file server for instant use by colleagues. The load of bulk downloads
too many users can be eased by the use of "mirror" servers or peer-to-peer networks. In any of
these cases, access to the file may be controlled by user authentication, the transit of the file over
the Internet may be obscured by encryption, and money may change hands for access to the file.
The price can be paid by the remote charging of funds from, for example, a credit card whose
details are also passed – usually fully encrypted – across the Internet. The origin and authenticity
of the file received may be checked by digital signatures or by MD5 or other message digests.
These simple features of the Internet, over a worldwide basis, are changing the production, sale,
and distribution of anything that can be reduced to a computer file for transmission. This
includes all manner of print publications, software products, news, music, film, video,
photography, graphics and the other arts. This in turn has caused seismic shifts in each of the
existing industries that previously controlled the production and distribution of these products.

y.m Page 13
 Teppi tvet
TTLM Unit Build Internet Infrastructure
College

Streaming media is the real-time delivery of digital media for the immediate consumption
or enjoyment by end users. Many radio and television broadcasters provide Internet feeds
of their live audio and video productions. They may also allow time-shift viewing or listening
such as Preview, Classic Clips and Listen Again features. These providers have been joined by a
range of pure Internet "broadcasters" who never had on-air licenses. This means that an Internet-
connected device, such as a computer or something more specific, can be used to access on-line
media in much the same way as was previously possible only with a television or radio receiver.
The range of available types of content is much wider, from specialized technical webcasts to on-
demand popular multimedia services. Podcasting is a variation on this theme, where usually
audio material is downloaded and played back on a computer or shifted to a portable media
player to be listened to on the move. These techniques using simple equipment allow anybody,
with little censorship or licensing control, to broadcast audio-visual material worldwide.

Digital media streaming increases the demand for network bandwidth. For example,
standard image quality needs 1 Mbit/s link speed for SD 480p, HD 720p quality requires 2.5
Mbit/s, and the top-of-the-line HDX quality needs 4.5 Mbit/s for 1080p.

Webcams are a low-cost extension of this phenomenon. While some webcams can give full-
frame-rate video, the picture either is usually small or updates slowly. Internet users can watch
animals around an African waterhole, ships in the Panama Canal, traffic at a local roundabout or
monitor their own premises, live and in real time. Video chat rooms and video conferencing are
also popular with many uses being found for personal webcams, with and without two-way
sound. YouTube was founded on 15 February 2005 and is now the leading website for free
streaming video with a vast number of users. It uses a flash-based web player to stream and show
video files. Registered users may upload an unlimited amount of video and build their own
personal profile. YouTube claims that its users watch hundreds of millions, and upload hundreds
of thousands of videos daily.

y.m Page 14
 Teppi tvet
TTLM Unit Build Internet Infrastructure
College

Access
Common methods of Internet access in homes include dial-up, landline broadband (over
coaxial cable, fiber optic or copper wires), Wi-Fi, satellite and 3G/4G technology cell
phones. Public places to use the Internet include libraries and Internet cafes, where
computers with Internet connections are available. There are also Internet access points in
many public places such as airport halls and coffee shops, in some cases just for brief use while
standing. Various terms are used, such as "public Internet kiosk", "public access terminal", and
"Web payphone". Many hotels now also have public terminals, though these are usually fee-
based. These terminals are widely accessed for various usages like ticket booking, bank deposit,
online payment etc. Wi-Fi provides wireless access to computer networks, and therefore can
do so to the Internet itself. Hotspots providing such access include Wi-Fi cafes, where would-
be users need to bring their own wireless-enabled devices such as a laptop or PDA. These
services may be free to all, free to customers only, or fee-based. A hotspot need not be limited to
a confined location. A whole campus or park, or even an entire city can be enabled.

Grassroots efforts have led to wireless community networks. Commercial Wi-Fi services
covering large city areas are in place in London, Vienna, Toronto, San Francisco, Philadelphia,
Chicago and Pittsburgh. The Internet can then be accessed from such places as a park bench.
Apart from Wi-Fi, there have been experiments with proprietary mobile wireless networks like
Ricochet, various high-speed data services over cellular phone networks, and fixed wireless
services. High-end mobile phones such as smartphones in general come with Internet access
through the phone network. Web browsers such as Opera are available on these advanced
handsets, which can also run a wide variety of other Internet software. More mobile phones have
Internet access than PCs, though this is not as widely used. An Internet access provider and
protocol matrix differentiates the methods used to get online.

An Internet blackout or outage can be caused by local signaling interruptions. Disruptions of

submarine communications cables may cause blackouts or slowdowns to large areas, such as in
the 2008 submarine cable disruption. Less-developed countries are more vulnerable due to a
small number of high-capacity links. Land cables are also vulnerable, as in 2011 when a woman
y.m Page 15
 Teppi tvet
TTLM Unit Build Internet Infrastructure
College

digging for scrap metal severed most connectivity for the nation of Armenia. Internet blackouts
affecting almost entire countries can be achieved by governments as a form of Internet
censorship, as in the blockage of the Internet in Egypt, whereby approximately 93% of networks
were without access in 2011 in an attempt to stop mobilization for anti-government protests.
Users
Overall Internet usage has seen tremendous growth. From 2000 to 2009, the number of
Internet users globally rose from 394 million to 1.858 billion. By 2010, 22 percent of the
world's population had access to computers with 1 billion Google searches every day, 300
million Internet users reading blogs, and 2 billion videos viewed daily on YouTube.

The prevalent language for communication on the Internet has been English. This may be a result
of the origin of the Internet, as well as the language's role as a lingua franca. Early computer
systems were limited to the characters in the American Standard Code for Information
Interchange (ASCII), a subset of the Latin alphabet.

Fig3.Internet users per 100 inhabitants

y.m Page 16
 Teppi tvet
TTLM Unit Build Internet Infrastructure
College

After English (27%), the most requested languages on the World Wide Web are Chinese
(23%), Spanish (8%), Japanese (5%), Portuguese and German (4% each), Arabic, French
and Russian (3% each), and Korean (2%). By region, 42% of theworld's Internet usersare
based in Asia, 24% in Europe, 14% in North America, 10% in Latin America and the
Caribbean taken together, 6% in Africa, 3% in the Middle East and 1% in
Australia/Oceania. The Internet's technologies have developed enough in recent

years, especially in the use of Unicode, that good facilities are available for
development and communication in the world's widely used languages. However,
some glitches such as mojibake (incorrect display of some languages' characters)
still remain.

Fig4. Internet users by language

In an American study in 2005, the percentage of men using the Internet was very
slightly ahead of the percentage of women, although this difference reversed in
those under 30. Men logged on more often, spent more time online, and were more
likely to be broadband users, whereas women tended to make more use of
y.m Page 17
 Teppi tvet
TTLM Unit Build Internet Infrastructure
College

opportunities to communicate (such as email). Men were more likely to use the
Internet to pay bills, participate in auctions, and for recreation such as downloading
music and videos. Men and women were equally likely to use the Internet for
shopping and banking. More recent studies indicate that in 2008, women
significantly outnumbered men on most social networking sites, such as Facebook
and Myspace, although the ratios varied with age. In addition, women watched
more streaming content, whereas men downloaded more. In terms of blogs, men
were more likely to blog in the first place; among those who blog, men were more
likely to have a professional blog, whereas women were more likely to have a
personal blog.

According to Euromonitor, by 2020 43.7% of the world's population will be users

of the Internet. Splitting by country, in 2011 Iceland, Norway and the Netherlands
had the highest Internet penetration by the number of users, with more than 90% of
the population with access.

y.m Page 18
 Teppi tvet
TTLM Unit Build Internet Infrastructure
College

Fig5. Website content languages

Social impact
The Internet has enabled entirely new forms of social interaction, activities, and
organizing, thanks to its basic features such as widespread usability and access. In the first
decade of the 21st century, the first generation is raised with widespread availability of
Internet connectivity, bringing consequences and concerns in areas such as personal
privacy and identity, and distribution of copyrighted materials. These "digital natives"
face a variety of challenges that were not present for prior generations.
Social networking and entertainment
Many people use the World Wide Web to access news, weather and sportsreports, to plan and
book vacations and to find out more about their interests. People use chat, messaging and email
to make and stay in touch with friends worldwide, sometimes in the same way as some

y.m Page 19
 Teppi tvet
TTLM Unit Build Internet Infrastructure
College

previously had pen pals. The Internet has seen a growing number of Web desktops, where users
can access their files and settings via the Internet.

Social networking websites such as Facebook, Twitter, and MySpace have created new
ways to socialize and interact. Users of these sites are able to add a wide variety of
information to pages, to pursue common interests, and to connect with others. It is also
possible to find existing acquaintances, to allow communication among existing groups of
people. Sites like LinkedIn foster commercial and business connections. YouTube and
Flickr specialize in users' videos and photographs.

The Internet has been a major outlet for leisure activity since its inception, with entertaining
social experiments such as MUDs and MOOs being conducted on university servers, and humor-
related Usenet groups receiving much traffic. Today, many Internet forums have sections
devoted to games and funny videos; short cartoons in the form of Flash movies are also popular.
Over 6 million people use blogs or message boards as a means of communication and for the
sharing of ideas. The Internet pornography and online gambling industries have taken advantage
of the World Wide Web, and often provide a significant source of advertising revenue for other
websites. Although many governments have attempted to restrict both industries' use of the Internet,
in general this has failed to stop their widespread popularity.

Another area of leisure activity on the Internet is multiplayer gaming.[61] This form of
recreation creates communities, where people of all ages and origins enjoy the fast-paced world
of multiplayer games. These range from MMORPG to first-person shooters, from role-playing
video games to online gambling. While online gaming has been around since the 1970s, modern
modes of online gaming began with subscription services such as GameSpy and MPlayer.Non-
subscribers were limited to certain types of game play or certain games. Many people use the
Internet to access and download music, movies and other works for their enjoyment and
relaxation. Free and fee-based services exist for all of these activities, using centralized servers
and distributed peer-to-peer technologies. Some of these sources exercise more care with respect
to the original artists' copyrights than others.
y.m Page 20
 Teppi tvet
TTLM Unit Build Internet Infrastructure
College

Internet usage has been correlated to users' loneliness. Lonely people tend to use the Internet as
an outlet for their feelings and to share their stories with others, such as in the "I am lonely will
anyone speak to me" thread.

Cybersectarianism is a new organizational form which involves: "highly dispersed small groups
of practitioners that may remain largely anonymous within the larger social context and operate
in relative secrecy, while still linked remotely to a larger network of believers who share a set of
practices and texts, and often a common devotion to a particular leader. Overseas supporters
provide funding and support; domestic practitioners distribute tracts, participate in acts of
resistance, and share information on the internal situation with outsiders. Collectively, members
and practitioners of such sects construct viable virtual communities of faith, exchanging personal
testimonies and engaging in collective study via email, on-line chat rooms and web-based
message boards."

Cyberslacking can become a drain on corporate resources; the average UK employee spent 57
minutes a day surfing the Web while at work, according to a 2003 study by Peninsula Business
Services. Internet addiction disorder is excessive computer use that interferes with daily life.
Psychologist Nicolas Carr believe that Internet use has other effects on individuals, for instance
improving skills of scan-reading and interfering with the deep thinking that leads to true
creativity.
Electronic business
Electronic business (E-business) involves business processes spanning the entire value
chain: electronic purchasing and supply chain management, processing orders
electronically, handling customer service, and cooperating with business partners. E-
commerce seeks to add revenue streams using the Internet to build and enhance
relationships with clients and partners.

According to research firm IDC, the size of total worldwide e-commerce, when global
business-to-business and -consumer transactions are added together, will equate to $16
y.m Page 21
 Teppi tvet
TTLM Unit Build Internet Infrastructure
College

trillion in 2013.IDate, another research firm, estimates the global market for digital products and
services at $4.4 trillion in 2013. A report by Oxford Economics adds those two together to
estimate the total size of the digital economy at $20.4 trillion, equivalent to roughly 13.8% of
global sales.

While much has been written of the economic advantages of Internet-enabled commerce, there is
also evidence that some aspects of the Internet such as maps and location-aware services may
serve to reinforce economic inequality and the digital divide. Electronic commerce may be
responsible for consolidation and the decline of mom-and-pop, brick and mortar businesses
resulting in increases in income inequality.
Telecommuting
Remote work is facilitated by tools such as groupware, virtual private networks, conference
calling, videoconferencing, and Voice over IP (VOIP).It can be efficient and useful for
companies as it allows workers to communicate over long distances, saving significant
amounts of travel time and cost. As broadband Internet connections become more
commonplace, more and more workers have adequate bandwidth at home to use these tools
to link their home to their corporate intranet and internal phone networks.
Crowdsourcing
Internet provides a particularly good venue for crowdsourcing (outsourcing tasks to a
distributed group of people) since individuals tend to be more open in web-based projects
where they are not being physically judged or scrutinized and thus can feel more
comfortable sharing.

Crowdsourcing systems are used to accomplish a variety of tasks. For example, the crowd
maybe invited to develop a new technology, carry out a design task, refine or carry out the
steps of an algorithm (see human-based computation), or help capture, systematize, or
analyze large amounts of data (see also citizen science).

y.m Page 22
 Teppi tvet
TTLM Unit Build Internet Infrastructure
College

Wikis have also been used in the academic community for sharing and dissemination of
information across institutional and international boundaries. In those settings, they have been
found useful for collaboration on grant writing, strategic planning, departmental documentation,
and committee work. The United States Patent and Trademark Office uses a wiki to allow the
public to collaborate on finding prior art relevant to examination of pending patent applications.
Queens, New York has used a wiki to allow citizens to collaborate on the design and planning of
a local park.

The English Wikipedia has the largest user base among wikis on the World Wide Web and ranks
in the top 10 among all Web sites in terms of traffic.
Politics and political revolutions
The Internet has achieved new relevance as a political tool. The presidential campaign of
Howard Dean in 2004 in the United States was notable for its success in soliciting donation via
the Internet. Many political groups use the Internet to achieve a new method of organizing in
order to carry out their mission, having given rise to Internet activism, most notably practiced by
rebels in the Arab Spring.

Identify requirements

Computer Hardware Required for Internet & Internet Access Components

 Telephone Modem

A telephone modem is a device that converts the signals from your computer into a series of
sounds and transmits them across the phone line. A telephone modem on the other side of the
connection converts these sounds back to a signal the computer can understand, allowing the
computers to communicate.

y.m Page 23
 Teppi tvet
TTLM Unit Build Internet Infrastructure
College

Dial-up connections are still widely in use despite faster connections being available to 89
percent of the U.S. population. Referred to as narrowband connections, these connections are
slower and usually do not stay connected at all times.
 Network Interface Card

Broadband connections provide much faster access to the Internet then narrowband connections.
There are multiple types of broadband connections, including DSL, satellite, and cable access.
Each of these types of access involves connecting to an access point using either a wired
Ethernet connection or a wireless connection.

A Network interface card (NIC) allows you to connect an Ethernet cable to your computer from
an access point. Communication to the access point travels through this cable. Connections using
a wired NIC require that an Ethernet cable be connected from the computer to the access point at
all times during Internet use. Network interface cards can be built in to the computer or
purchased as an external device that you plug in to the computer.
 Wired Access Points

Computers using a NIC and Ethernet cable connect through an access point. Access points are
generally either routers, cable modems, or DSL modems that provide a link between the Internet
service provider and your physical computer.

NIC-based connections are widely used in local area networks, such as groups of computers in
businesses. They can be used in homes, but many users prefer to use wireless connections for the
added mobility.
 Wireless Access Points

A wireless access point allows you to connect to an access point without using a physical
connection. Wireless access can be configured in your home using a wireless router and a
computer with a wireless interface. Wireless interfaces can be installed within the computer or
purchased separately as a USB or PCI device that can be plugged in when needed. Many

y.m Page 24
 Teppi tvet
TTLM Unit Build Internet Infrastructure
College

businesses, such as hotels and coffee shops, provide free wireless access in their buildings for the
use of their customers.

Internet Protocol (IP)

Internet Protocol (IP) is a packet-switched protocol that performs addressing and route selection.
As a packet is transmitted, this protocol appends a header to the packet so that it can be routed
through the network using dynamic routing tables. IP is a connectionless protocol and sends
packets without expecting the receiving host to acknowledge receipt. In addition, IP is
responsible for packet assembly and disassembly as required by the physical and data-link layers
of the OSI reference model. Each IP packet is made up of a source and a destination address,
protocol identifier, checksum (a calculated value), and a TTL (which stands for "time to live").
The TTL tells each router on the network between the source and the destination how long the
packet has to remain on the network. It works like a countdown counter or clock. As the packet
passes through the router, the router deducts the larger of one unit (one second) or the time that
the packet was queued for delivery. For example, if a packet has a TTL of 128, it can stay on the
network for 128 seconds or 128 hops (each stop, or router, along the way), or any combination
of the two. The purpose of the TTL is to prevent lost or damaged data packets (such as missing
e-mail messages) from endlessly wandering the network. When the TTL counts down to zero,
the packet is eliminated from the network.

Another method used by the IP to increase the speed of transmission is known as "ANDing." The
purpose of ANDing is to determine whether the address is a local or a remote site. If the address
is local, IP will ask the Address Resolution Protocol (ARP), discussed in the next section, for the
hardware address of the destination machine. If the address is remote, the IP checks its local
routing table for a route to the destination. If a route exists, the packet is sent on its way. If no
route exists, the packet is sent to the local default gateway and then on its way. [An AND is a
logical operation that combines the values of two bits (0, 1) or two Boolean values (false, true)
that returns a value of 1 (true) if both input values are 1 (true) and returns a 0 (false) otherwise].

Install and Configure the Email Server in Windows Server 2003

Introduction
y.m Page 25
 Teppi tvet
TTLM Unit Build Internet Infrastructure
College

This tutorial will help you to install and set up a few email accounts, by using the built-in POP3
Service in Windows Server 2003. I will assume you have basic knowledge about the Windows
Server family and Mail Servers, but I have tried to make this tutorial as easily comprehensible as
possible. The tutorial has been tested on Windows Server 2003 Enterprise Edition but should
also work on Windows Server 2003 Standard Edition. I will not cover MX records and other
similar things in this release.

To follow this tutorial you need a stand-alone server. You can of course use a Domain
Controller, but that assumes you understand when to not follow the tutorial and use other settings
(i.e. authentication method).

Set-up an FTP Server on Windows 2003 Server

y.m Page 26
 Teppi tvet
TTLM Unit Build Internet Infrastructure
College

Setting up an FTP server on Windows 2003 Server is a pretty simple process. Why would you
need an FTP server? Well, if you are hosting websites you might want to allow designers and
customers access to their webfolders (not me… no one accesses my server but me but you can..
) and an FTP server is a great way to allow them access. OR some Commercial Copiers have
a scan to FTP or SMB service so, you could install an FTP server to allow a central place to save
scanned documents. Needless to say there are many reasons why you might need one and with
Server 2003 it’s “Easy Cheesy”.

The Microsoft FTP server depends on the Microsoft Internet Information Services (IIS), so IIS
and the FTP Service must be installed on the computer. To install IIS and the FTP Service,
follow these steps:

These instructions can also be found at Microsoft’s Support site.

NOTE: In Windows Server 2003, the FTP Service is not installed by default when you install
IIS. If you already installed IIS on the computer, you must use the Add or Remove Programs
tool in Control Panel to install the FTP Service.

1. Click Start, point to Control Panel, and then click Add or Remove Programs.
2. Click Add/Remove Windows Components.
3. In the Components list, click Application Server, click Internet Information Services (IIS)
(but do not select or clear the check box), and then click Details.
4. Click to select the following check boxes (if they are not already selected):
Common Files
File Transfer Protocol (FTP) Service
Internet Information Services Manager
5. Click to select the check boxes next to any other IIS-related service or subcomponent that
you want to install, and then click OK.
6. Click Next.
7. When you are prompted, insert the Windows Server 2003 CD-ROM into the computer’s
CD-ROM or DVD-ROM drive or provide a path to the location of the files, and then
click OK.
8. Click Finish.

You have now installed the IIS and FTP services but before you can start using your new FTP
you must configure it. To configure the FTP Service follow these steps.

To configure the FTP Service to allow only anonymous connections:

1. Start Internet Information Services Manager or open the IIS snap-in.

2. Expand Server_name, where Server_name is the name of the server.
3. Expand FTP Sites
4. Right-click Default FTP Site, and then click Properties.
5. Click the Security Accounts tab.

y.m Page 27
 Teppi tvet
TTLM Unit Build Internet Infrastructure
College

6. Click to select the Allow Anonymous Connections check box (if it is not already
selected), and then click to select the Allow only anonymous connections check box.
When you click to select the Allow only anonymous connections check box, you
configure the FTP Service to allow only anonymous connections. Users cannot log on by
using user names and passwords.
7. Click the Home Directory tab.
8. Click to select the Read and Log visits check boxes (if they are not already selected), and
then click to clear the Write check box (if it is not already cleared).
9. Click OK.
10. Quit Internet Information Services Manager or close the IIS snap-in.

The FTP server is now configured to accept incoming FTP requests. Copy or move the files that
you want to make available to the FTP publishing folder for access. The default folder is drive:\
Inetpub\Ftproot, where drive is the drive on which IIS is installed.

Anonymous access only is not a good way to leave your newly installed FTP server if your intent
was to give users the ability to upload files and not merely to download. So, in the next couple
of days we’ll go over setting up virtual FTP sites and assign usernames and passwords to access
each as well as giving those users read and write access to their folders.

y.m Page 28
Teppi tvet
TTLM Unit Build Internet Infrastructure
College

y.m Page 29
Teppi tvet
TTLM Unit Build Internet Infrastructure
College

y.m Page 30
Teppi tvet
TTLM Unit Build Internet Infrastructure
College

y.m Page 31
Teppi tvet
TTLM Unit Build Internet Infrastructure
College

y.m Page 32
Teppi tvet
TTLM Unit Build Internet Infrastructure
College

y.m Page 33
 Teppi tvet
TTLM Unit Build Internet Infrastructure
College

LO3
Test security and internet access
Introduction

This is the first in a series of four articles devoted to discussing about how information security policies
can be used as an active part of an organization's efforts to protect its valuable information assets. In a
world that is essentially technology driven; where the latest IIS exploit is countered with a mad rush to
install the relevant patch and where the number of different operating systems in a network exceeds the
number of hairs on the security administrator's head that haven't turned gray, policies give us an
opportunity to change the pace, slow things down and play the game on our own terms. Policies allow
organizations to set practices and procedures in place that will reduce the likelihood of an attack or an
incident and will minimize the damage caused that such an incident can cause, should one occur.

Many people see policies as an afterthought; a tasty dressing to be added to a veritable technology-salad
of firewalls, virus scanners and VPNs, all lightly sprinkled with just a touch of IDS. This is wrong. In this
series I'll attempt to explain why policies should be the basis of a comprehensive Information Security
strategy, and how policies can be an effective, practical part of your digital defense systems.

What is a Policy?

The nicest definition for 'policy' that I could find is from the American Heritage Dictionary of the English
language. It reads:

"A plan or course of action, as of a government, political party, or business, intended to influence and
determine decisions, actions, and other matters"

In practical security terms, I define a policy as a published document (or set of documents) in which the
organization's philosophy, strategy, policies and practices with regard to confidentiality, integrity and
availability of information and information systems are laid out.

Thus, a policy is a set of mechanisms by means of which your information security objectives can be
defined and attained. Let's take a moment to briefly examine each of these concepts. First, we have the
information security objectives:

 Confidentiality is about ensuring that only the people who are authorized to have access to
information are able to do so. It's about keeping valuable information only in the hands of those
people who are intended to see it.
 Integrity is about maintaining the value and the state of information, which means that it is protected
from unauthorized modification. Information only has value if we know that it's correct. A major
objective of information security policies is thus to ensure that information is not modified or
destroyed or subverted in any way.

y.m Page 34
 Teppi tvet
TTLM Unit Build Internet Infrastructure
College

 Availability is about ensuring that information and information systems are available and
operational when they are needed. A major objective of an information security policy must be to
ensure that information is always available to support critical business processing.

These objectives are globally recognized as being characteristic of any secure system.

Having broadly defined the reasons for implementing a security policy, we can now discuss the
mechanisms through which these objectives can be achieved, namely:

Philosophy

This is the organization's approach towards information security, the framework, the guiding principles of
the information security strategy. The security philosophy is a big umbrella under which all other security
mechanisms should fall. It will explain to future generations why you did what you did.

Strategy

The strategy is the plan or the project plan of the security philosophy. A measurable plan detailing how
the organization intends to achieve the objectives that are laid out, either implicitly or explicitly, within the
framework of the philosophy.

Policies

Policies are simply rules. They're the dos and the don'ts of information security, again, within the
framework of the philosophy.

Practices

Practices simply define the how of the organization's policy. They are a practical guide regarding what to
do and how to do it.

In the sections that follow I'll be examining each of these mechanisms more closely.

In Praise of Policies: What Benefits Do Policies Offer?

In the previous section we covered briefly what a policy is and, more specifically, what an information
security policy is. From this brief description it should already be clear that, when it comes to policies, I
mean business. And in IT this usually translates to a sizeable investment in time, money and human
resources. Don't kid yourself; effective policies are no quick fix. The question on everyone's lips has got to
be: "Yes, but what can I do with a policy that I can't do with Snort 1.7 on my favorite Bastion Linux
install?" Here are some of the things policies will do for you that you'll struggle to achieve with technology.

The Boss Can Do It

Most technological controls are the responsibility of the IS manager, the network administrator or some
poor sod who didn't get her leave application forms in on time. Policy, on the other hand, is the
responsibility of upper management. This thinking is consistent with company law in most countries that

y.m Page 35
 Teppi tvet
TTLM Unit Build Internet Infrastructure
College

says it's the responsibility of the directors of a company to protect its assets on behalf of the
shareholders. As such, the development of a policy includes the ancillary benefit of making upper
management aware of and involved in information security. This should make it a higher organizational
priority, which can only increase the level of security throughout the company.

They Provide a Paper Trail in Cases of Due Diligence

In some industries your company may have legal obligations with respect to the integrity and
confidentiality of certain information. In many cases the only way you can prove due diligence in this
regard is by referring to your published policies. Because policy reflects the philosophy and strategy of
your company's management it is fair proof of the company's intention regarding information security.
Interestingly, an audit against a security standard works on exactly this principle of 'intention'.

They Exemplify an Organization's Commitment to Security

Because a policy is typically published, and because it represents executive decision, a policy may be just
what is needed to convince that potential client / merger partner / investor exactly how clever you really
are. Increasingly companies are requesting proof of sufficient levels of security from the parties they link
to do business with. Once again, a security policy is exactly the place to start.

Practical Benefits of Security Policies

OK, so much for the soft and fuzzy stuff. We said policies can play a practical role in securing your
information assets. Here's how.

They Form a Benchmark for Progress Measurement

Policy reflects the philosophy and strategy of management with regard to information security. As such it
is the perfect standard against which technology and other security mechanisms can be measured. For
example, if you want to know whether your brand new "Hack 'em Back" ultra firewall (performance tested
by Russian cosmonauts on Mir) was really worth the price of a small Caribbean island, then check
whether it's implementing the controls stipulated in the policy. Similarly, to determine whether the new IT
manager is effectively investing her IT security budget, measure her progress against the policy. And
here's the best part: if the policies are correctly formulated and carefully integrated into your employment
contracts, then any transgressions against the policy, such as surfing porn on the company's network,
can be punished according to a pre-established agreement that the employee has signed off on. An
information security policy thus serves as a measure by which responsible behavior can be tested and
suitably punished.

They help ensure consistency

The biggest challenge facing security managers today is not how to negotiate a 512 bit RSA public key
exchange using Diffie-Hellman and self-signed certificates (everyone can do that these days). No, the
challenge is ensuring that the sysadmin in the Tahiti branch gets off the beach in time to load the patch
for the IIS Unicode exploit on the web server and avoid yet another embarrassing defacement
onwww.tahiti_branch_of_my_respectable_company.com. A well-implemented policy helps to ensure

y.m Page 36
 Teppi tvet
TTLM Unit Build Internet Infrastructure
College

consistency in your security systems by giving a directive and clearly assigning responsibility and, equally
important, by stipulating the consequences of failing to fulfill those responsibilities.

They Serve as a Guide to Information Security

A well-designed policy can become an IT administrator's Bible. Sadly, not everyone who will ever attach a
computer to your network understands the threat of TCP sequence number guessing attacks against
OpenBSD. Fortunately, your IP network security policy will ensure that machines are always installed in a
part of the network that offers a level of security appropriate to the role of the machine and the information
it hosts.

They're Define Acceptable Use

People can be either the strongest or the weakest link in any information security system. Although
training, positive enforcement and technology can all play a role in making people a part of the solution
and not part of the problem, in the end there's nothing like a big stick for bringing people over to your way
of thinking. An integrated policy can be just such a stick in that it serves as a measure of performance
according to which responsible people can be measured and potentially disciplined. By clearly defining
what can and cannot be done by users, by pre-establishing security standards, and by ensuring that all
users are educated to these standards, the company places the onus of responsibility on users who can
no longer plead 'ignorant' in case of transgression of the policy.

They Give Security Staff the Backing of Management

The objectives of information security are often at ends with the desires of system users. How many times
has a user thanked you for disabling Active X in her browser and blocking access to Napster? Often
security staff face resentment and opposition from people in more senior positions to themselves. The
policy, as a directive from top management, empowers security staff to enforce decisions that may not be
popular amongst system users. Armed with a policy your security administrators can do their jobs without
having to continuously justify themselves.

Policy Power - Making Policies Work

OK, OK you're sold. You've seen the light and decided to seriously undertake the implementation of
information security policies in your own organization. But how? In the sections that follow I'll try to share
with you some of the tricks of the security policy trade.

Defining the Objectives

What Are the Policies Actually Protecting?

Before making decisions regarding the Information Security strategy (long or short term) organizations
need to have a sound understanding of their unique risk profile. Risk consists of a combination of
information resources that have value and vulnerabilities that are exploitable. The magnitude of the risk is
the product of the value of the information and the degree to which the vulnerability can be exploited.

y.m Page 37
 Teppi tvet
TTLM Unit Build Internet Infrastructure
College

As long as the organization has information that has value that information - and by extension, the
organization - will be subject to risk. The function of any information security control mechanism (technical
or procedural) is to restrict that risk to an acceptable level. This is also true for policies. Policies are a risk-
control mechanism and must therefore be designed and developed in response to real and specific risks.
Thus, a comprehensive risk assessment exercise must be the first phase of the policy development
process. The risk assessment should identify the weakest areas of the system and can be used to define
specific objectives.

Of course there is also a sheet-bombing approach to policies and generic policy documents are freely
available on the Internet and from various commercial resources. Although there are a number of issues
that can be dealt with in a generic manner one should be very careful of this approach. A policy that says
too much is no better then a policy that says nothing at all. Organizations must be prepared to enforce
every stipulation your policy makes (I'll say more about this later in this paper) so policies must be
focused and specific.

Security administrators need to define objectives for their particular organization, based on the value of
that information and the specific risks that information faces.

Setting the Stage

Next Time: Creating an Environment that Supports Security Objectives

Policies in themselves are ineffective and their potential to be effective is directly proportional to the
support they receive from the power structures of the organization. Thus there is a flow of authority that
stems from upper management and expresses itself in the implementation of the stipulations of the
policies. For this flow to happen certain fundamental changes may have to be made to the structures and
culture of your organization. The bigger the organization, the more important these changes become. In
the next article in this series, we will discuss some of the organizational conditions that are necessary in
order to ensure that information security policies are effective.

Introduction to Security Policies, Part Two: Creating a

Supportive Environment
Created: 23 Sep 2001 • Updated: 03 Nov 2010
Language Translations
Machine Translations
 Deutsch
 Français
 Español
 日本語
 简体中文

00 Votes
inShare0

by Charl van der Walt

y.m Page 38
Teppi tvet
TTLM Unit Build Internet Infrastructure
College

Introduction to Security Policies, Part Two: Creating a Supportive Environment

by Charl van der Walt
last updated September 24, 2001

As we concluded the first article of this series, we pointed out that policies in themselves are
ineffective; their effectiveness is directly proportional to the support they receive from the
organization. Thus it is crucial that the organization be aware of the importance of security
policies and create an environment in which security is given a high priority. The bigger the
organization, the more important this support becomes. This article will go over a few of things
that can be done to ensure that security policies given the full support of the management of the
organization, which will thereby increase the efficacy of the policies.
Management support
I've touched on the importance of management buy-in a few times now already but it's worth
stressing again. One of the biggest challenges facing security people is to convince
management of the importance of their involvement in the process. Once again risk assessment
and penetration testing can help with this. Without the buy-in of management at a high level the
policy development process is unlikely to succeed.
Organizational structure
No matter what the size of the organization, a policy should always have an owner. While the
titles or acronyms may vary from organization to organization, the roles, duties and obligations
should be fairly consistent throughout. For the sake of this discussion, I will call this person the
'security officer' or 'SO'. It is the responsibility of the security officer to oversee the creation,
distribution, and implementation of security policies. In this sense, the SO plays the role of
intermediary between management and the user base. It's obvious then that the SO should
report directly to the organization's highest level of control - the board of directors or even the
chief executive.
Because the SO ultimately carries corporate responsibility for information security it is often
sensible for him or her to be a member of the board. In a small or medium organization the role
of SO may not constitute a full portfolio but could simply be an added responsibility. However,
no matter how small your organization, the SO role should be clearly assigned and the
responsibilities precisely described. As owner of the policy the SO has a number of
responsibilities including, but not limited to, the management and distribution of the security
policy.
Typically the SO is responsible for aspects of security in the organization, not just issues
relating to policy. It may be that the management structures in your organization have to be
adjusted to make provisions for the new role. In large organizations that are still early in the
security cycle we often propose the creation of a security team or task force (STF) to take
responsibility for the security process. Such a team typically consists of the SO, a project

y.m Page 39
Teppi tvet
TTLM Unit Build Internet Infrastructure
College

manager (PM) and a collection of business, technology and security specialists. The functions
of the STF include:
 Defining security strategy;
 Creating a mission statement and project plan;The investigation of a formal accreditation
program (more on this later);
 Defining the corporate security policy;
 Defining system specific policies (more on this also);
 A user awareness program; and,
 The appoint of Security Auditors.The structure of the STF is depicted in the diagram
below:

Financial Support
The security process will always require an investment in time, human resources and finance.
Without sufficient financial commitment any security effort is bound to fail. The same is true
for the policy development process.
In acquiring funds for the implementation of policies we once again see the value of a
comprehensive risk assessment exercise. A properly implemented risk assessment should give a
good indication of the risk to which your organization's information resources are exposed, the
potential financial losses that may stem from any degradation of those resources may cause,
and the role that policies can play in mitigating that risk. These indicators, combined with a fair
understanding of the value of your information resources (possibly also gained from the
assessment) should provide enough objective data to motivate and scope a financial investment
in security.

y.m Page 40
Teppi tvet
TTLM Unit Build Internet Infrastructure
College

A Culture for Security

A chain is only as strong as it's weakest link, and the weakest link in a security system is often
the end user. Such problems are exemplified by a new generation of products that allow users
to bypass "that pesky" firewall by subscribing to a service that tunnels TCP traffic over HTTP
via a Java Applet that runs in any browser. I quote:

"ABC is a general-purpose tunnel that allows you to pass through that firewall. ABC works by
mapping your network requests into web request to our server, so if you can read this page,
you can use ABC! ? The uses for ABC are limited only by your imagination. It can pass
anything that uses TCP!"
That means that even if your firewall allows only HTTP requests out, and those only via a
proxy that expects user authentication, a clever user can still do whatever she wants on the
Internet. If your users don't understand the value of your information assets and the risks that
these kinds of technologies represent, then you'll be fighting a losing battle. You need to create
a culture in your organization that is conducive to the implementation of security policies. I
refer to this as "Selling Security" - and it's enough of a subject for an article on its own - but
here are some strategies that administrators should consider in order to create an organizational
culture that will place primacy on security:
1. User Education - Administrators can consider launching an internal advertising campaign
explaining the value of the corporate information, the risks that it faces, the role of the policies
and the responsibilities of the individual users. They may consider using a series of slogans like
"Your password is you!"
2. Focus on managers - Management usually sets the tone for the workers underneath them and
most passionately enforce the things they personally believe in. Convince the management of
the need for security and half the struggle is won.
3. Be up front with staff - Employees are generally loyal towards the companies they work for,
so being honest with staff about security and the impact it has on the organization will usually
help to win people over to the security cause. One way to do this is to publish the results of
security assessments and audits, or to play open cards about hacking and other security
incidents.
4. Positive reinforcement - Because a well-designed policy allows for measurability, staff can
now be rewarded for good security practice. Security administrators could consider the
implementation of an incentive scheme per department that's based on the results of an annual
security audit? Remember, a rule without punishment is just good advice?
5. Negative reinforcement - If the incentive of positive reinforcement does not instill a sense of
urgency, admins can consider going the other way. Firms may want to consider taking
disciplinary action against staff for non-compliant or negligent behavior. Once again, policies

y.m Page 41
Teppi tvet
TTLM Unit Build Internet Infrastructure
College

introduce measurability and make this sort of action possible. They also give employees clear
guidelines of acceptable behavior, and clearly spell out the consequences of breaching those
guidelines.
6. Acceptance and Signoff - All staff should be made to sign a document stating their
acceptance of the principles of the security policy. This forces staff to read and understand the
policy and gives your organization legal recourse in the case of security breaches.
Using a Classification System
In developing the information security policies, security personnel will need to be able to
distinguish between various groups of people, computers and information that have differing
value and differing requirements in terms of security. This is a form of classifying information
in terms of its accessability to people within the organization. A statement like "Only
authorized staff are permitted access to confidential data" isn't worth the disk segment its saved
unless it is clearly stated who is "authorized" and what data is considered "confidential". This is
no simple task: a large area of work has been done in the security field to answer exactly those
two questions. This work has resulted in development of security "classification" systems -
models by which information resources and people are assigned classification levels which are
then used to describe what people will be allowed access to what resource classifications.
Formal Classification Systems
Let's briefly explore two such systems, just by way of example:
1. The Military Model [1]
In military circles, it is common for information to be classified into five levels:
 top secret
 secret
 confidential
 restricted
 unclassified
These levels form an ordering with top secret at the top, and unclassified at the bottom. Users
are also assigned a classification, and the following rule is applied: "To have access to a
document, the user must have a classification at the same level as, or higher than, that of the
document." These levels are sometimes known as the rank of the information (or user).
Access to military information is also governed by the need- to- know principle, which places
information in compartments. Compartments may extend across security levels, and
information and users may belong (have access) to a number of compartments.
The full classification of both information and users is therefore defined by the pair [rank,
compartments].

y.m Page 42
Teppi tvet
TTLM Unit Build Internet Infrastructure
College

In the case of users, the [rank, compartments] pair is called the security clearance of the user.
2. The Bell-LaPadula model [1]
Bell-LaPadula is essentially a simplified version of the Military model and is designed to be
slightly more user-friendly and appropriate to the commercial organizational environment. Bell
LaPadula relies on the fact that there exists a partial ordering of security classifications/
clearances.
If c(O) is the classification of the (data) object and c(S) is the clearance of the (user) subject
then two simple rules (known as "properties") apply.
1. The Simple Security Property (ss): A subject (S) may have read access to an object (O)
only if c(O) < c(S)
2. The "*" Property (star): A subject (S) who has read access to an object (O) may have
write access to another object (P) only if c(O) < c(P)
The first rule is fairly straightforward: no one may receive a piece of information unless their
clearance is at least as high as the classification of the information they are accessing
The second rule states that information obtained from an object may only be passed to another
object if the classification of the target object is at least as high as that of the source object. This
is intended to prevent the so-called "write-down" effect in which the classification level of
information is gradually diluted as it is passed between data objects (e.g. files) of different
classifications.
Your Own Classification System
Now, all of this may seem just a little complex. That's because it is. Such a formal approach
may not be necessary in all organizations; however, those in charge of developing security
policies should develop a classification system as well as a supporting rule set that will support
the requirements and objectives of the organization.
In the next few paragraphs I'll outline a simple system that can be applied to both information
and information technology and is flexible enough to work in most types of organizations.
Later, I will refer to this classification system when I give some example policies.
Ownership
Every piece of corporate data is assigned to an owner. By default, the owner is the creator of
the data or the person who loaded the data onto the organizations systems. If it is not clear who
the owner is, ownership then defaults to the originator or the administrator of the system on
which the data resides. The owner of a computer system is defined as the head of division
requesting the installation of equipment.
Classification
All data has a default classification (refer to the sections that follow) but with sufficient

y.m Page 43
Teppi tvet
TTLM Unit Build Internet Infrastructure
College

justification, the owner of the data may change the classification. Data may only be changed
with sufficient justifiable reason. The user will ultimately be held responsible for data that has
been reclassified. If the user is not sure about changing the security level, the Security Manager
or divisional manager should be consulted. The person changing the security level will be held
responsible for changing the level and must therefore be able to justify the decision.
Computers are classified in a similar way as data. Each computer has an owner defined as the
head of the division requesting the installation of the equipment and it's the function of the
equipment owner to classify all equipment under his or her control. Classification is done in
consultation with the owner (or an assigned representative) and the Security Manager but the
Security Manager must make the final decision. There may be a predefined list of
classifications for computers in the network security policy. In addition to computers
themselves, specific services or processes can also be classified. For example, on a UNIX
machine used to host web a public web site, the web server may be classified in one way whilst
the telnet server has a much higher security level.
The Security Manager must also classify segments of the network and physical locations on the
premises to ensure that computers are connected at the correct location on the network.
Clearance
Finally, all users and potential users should be classified. A user's classification is called
a Clearance Level and is used to determine what data and resources a user may have access to.
In general, access is only allowed when the clearance is the same level or higher than the
classification of the item being accessed (data, equipment or physical locations).
Security Levels
Let's review the security levels. You must define and describes levels of classification that
make sense and are appropriate to your organization. I've already listed the levels typically used
in the military model. Another approach may be as follows:
 Unclassified: Considered publicly accessible. There are no requirements for access control
or confidentiality.
 Shared: Resources that are shared within groups or with people outside of your
organsiation. This can include mail servers that are accessible from the Internet, servers
that are accessible from customers and routers that link you to your ISP. Data that is
legitimately accessed by outside people or groups can be classified as shared and users
from outside organizations that have legitimate access to internal resources could also be
classified as shared.
 Company Only: Access to be restricted to your internal employees only.
 Confidential: Access to be restricted to a specific list of people. For someone to have
access to data or resources classified as 'Confidential' they must be cleared at this level and
they must be included in the access list for this resource. The owner of the object (data or
computer) is responsible for managing the access lists.

y.m Page 44
Teppi tvet
TTLM Unit Build Internet Infrastructure
College

Not only data but also Users are clearedaccording to this system. Every user requiring access to
your systems must receive clearance first. This includes employees, contractors, consultants
etc.
An example Access Matrix
Once you've finalized a classification system a simple access matrix can then be drawn up:

Access Control Matrix

OBJECT
USER
(Data, Equipment, Physical Location)
Unclassified Shared Customer Only Confidential
Unclassified Allowed Denied Denied Denied
Shared Allowed Allowed Denied Denied
Company Only Allowed Allowed Allowed Denied
Confidential Allowed Allowed Allowed Refer Access List

A matrix such as the one above can form a guide when writing a policy and the example
policies given in this document do make use of this system.
Rules for technology
The matrix above deals with user access to objects. To describe where equipment is connected
to the network, there is a very simple rule:
The Very Simple Rule:
1. Equipment may never be connected to a network segment with a different security level
to that of the equipment.
2. Equipment may never stand in a physical location with a lower security level than that of
the equipment.
Default Classifications
It was mentioned previously that objects could have default classifications. The idea behind
default classifications is to minimize the workload on users and security staff whilst still
ensuring that the proper security controls are always applied.
Here is an example of default classifications:

Default Classifications
Object Type Default Classification To Change Classification

y.m Page 45
 Teppi tvet
TTLM Unit Build Internet Infrastructure
College

Data Company Only User discretion and responsibility

Equiptment Company Only Request to Security Officer
Network Segment Company Only Request to Security Officer
Physical Location Company Only Request to Security Officer
User Unclassified Request to Security Officer

Of course, all of the above serve as examples only. Obviously, final decisions of classification
must lie with the Security Officer and the Security Task Group described earlier in this paper.
Next time?
This concludes the second installment in our four-part series discussing security policies. In the
next installment, we will be looking at structuring and implementing policies in a manner that
will ensure that they are effective and practical.

Introduction to Security Policies, Part Three: Structuring Security

Policies
Created: 08 Oct 2001 • Updated: 03 Nov 2010
Language Translations
Machine Translations
 Deutsch
 Français
 Español
 日本語
 简体中文

00 Votes
by Charl van der Walt

Introduction to Security Policies, Part Three: Structuring Security Policies

by Charl van der Walt
last updated October 9, 2001

This is the third in a four-part overview of security policies. In the first article, we looked at what policies
are and what they can achieve. In the second article, we looked at the organizational support required
to implement security policies successfully. In this installment, we shall discuss how to develop and
structure a security policy.

Structuring your policy: How do we put it all together?

y.m Page 46
Teppi tvet
TTLM Unit Build Internet Infrastructure
College

An effective classification system can help to make your security policies simpler and easier to develop;
however, if they are to be implemented in a large organization that employs a diversity of technologies,
the development of policies will still require a lot of work. It is essential that the policies be structured
and packaged in such a way that they are as light as possible, without missing any important issues. By
"light" I mean that they should be:

 Light, not weighing. Not using too many trees.

 Simple and practical.
 Easy to manage and maintain.
 Easy to access by people seeking specific information.

To meet these requirements, I typically recommend that a policy be split into a number of smaller
policies and that these be arranged in a hierarchical fashion. The 'smaller' policies I refer to are known
and position papers and they contain specific policies regarding (yes, you guessed it) specific issues
and specific systems. Because each one of these position papers is focused, it can be kept short and
practical, can be written by a specialist and can easily be modified or updated without having any effect
on the rest of the policy.

The Security Framework Document

Although each position paper may be written by a different author - typically a specialist in that field - we
still want all the papers to subscribe to some fundamental principles. These principles (what I call the
security philosophy) should be laid out in a single document known as the Security Framework paper.
This paper, along with the classification system, creates a framework of values and principles upon
which each other document should be based. It can be considered an overview or an outline of the
Policy as a whole. The Security Framework also forms a kind of default policy that can be referred to
whenever there is doubt or in cases where there is no current policy paper relevant to a particular
system. This concept is depicted in the following diagram:

y.m Page 47
Teppi tvet
TTLM Unit Build Internet Infrastructure
College

Let's examine each element of this framework in turn:

The Security Framework paper defines a minimum set of organizational security requirements that is
applicable to all management, staff and external consultants. The document defines a set of concepts
and principles that are designed to ensure the protection of all information assets, and the technologies
used to store and transmit them. No decisions regarding the security of information and information
technology (IT) should be made without careful consideration of, and due compliance with, the concepts
and principles described in the Security Framework document.

The Security Framework document should cover at least the following important points:

1. The value of information and the organization's commitment to information security.

2. The classification system, which was discussed in the second article in this series.
3. The principle of accountability that states clearly that users and administrators will be held
accountable for behavior that impacts the security of information.
4. The designation of authority to the Security Officer and security-related people in the organization
as is appropriate.
5. The principle of individual responsibility of all system users for the security of information
resources.
6. The organization's approach to security reviews; for example, how often they will take place, who
will perform them, etc.

The function and responsibilities of the Security Officer (SO) have already been covered in some detail
in the second article in this series. The SO assumes ultimate responsibility for security in the
organization. It is his or her job to guide, advise and review the organization's security policies and
procedures. The Security Framework document thus usually falls under the SO's jurisdiction, as does
the management and distribution of the various position papers. In a large organization, the SO may
have a dedicated Document Manager on her team, someone whose specific responsibility it is to ensure

y.m Page 48
Teppi tvet
TTLM Unit Build Internet Infrastructure
College

that all the policy documents are kept current, that changes are properly controlled and that users have
free and easy access to all necessary security information.

Position Papers

Position papers are written to address the a specific aspect of the security policy such as the security of
some specific technology, or security in a particular situation. For example, one might have a position
paper covering the secure configuration of Windows 2000 member servers that are connected to the
Internet, as well one describing the process to be followed in the event of a breach of security measures
(commonly known as a security incident.)

The position papers address these specific security issues in a way that is concise, practical and easy
to understand. They should also address the issues in ways that are directly relevant to the
organization. Because these papers are so focused they can be kept short and to the point. They are
easily modified and can be written by someone who is an expert in that particular field. Exactly what
topics should be covered varies from organization to organization: I make some comments on this
question in the Policy Content section a little later in this article.

Policy Owner

The Policy Owner is the person responsible for the maintenance and integrity of a given policy
document. No changes may be made to a document without the express permission of the Policy
Owner. The name of the Policy Owner must be clearly displayed on the document and the document
should always be dated and signed by the owner. Having a Policy Owner ensures consistency in policy
and accountability for the validity and efficacy of that particular aspect of the policy.

Security Datasheets

I typically recommend that each IT system have a security datasheet. The datasheet document lists
specific settings and parameters that ensure the security of the system. Whereas the Security
Framework document and the various position papers refer to policy in general, the datasheet
introduces the details that should be applied for each system. Each system or host should have a
datasheet that is managed by the system owner and is subject to the principles of this document and
the System Paper.

It is the responsibility of information and technology owners and users to obtain the relevant papers
from the SO or the STF and ensure that the standards defined therein are correctly implemented on the
systems they control.

Technical Guides

Technical guides are another set of useful documents, although they are not actually policies. Technical
guides outline the implementation, operation, configuration and administration of specific systems. They
can be bought off-the-shelf or the organization can commission experts to write them. They can be

y.m Page 49
Teppi tvet
TTLM Unit Build Internet Infrastructure
College

stored along with the policies and referred to by the position papers. For example, instead of using a
position paper to describe exactly how Solaris-based Apache Web servers should be configured, the
organization can write or even purchase a guide that covers exactly that. Again, this contributes to the
modular nature of security policies and makes them both easier to use and easier to manage.

System Owner

In the section about classification in the second article in this series, we referred to the concept of
ownership. The System Owner is the person responsible for the technical management of a given IT
system. It is his or her responsibility to ensure that the specifications of the Security Framework
document and the relevant position papers are implemented and maintained. It is also the System
Owner's responsibility to decide on the classification of the system, should it differ from the default. The
name of the System Owner is given in the datasheet for each system and should clearly displayed
whenever a user accesses the system and on or near the system itself where it can easily be seen.

Policy Content

Now that the framework of the security policy is in place, readers may be wondering just what they
should say. There is no set answer for this question, as it depends on the organization in question. The
policies must be based on the real requirements identified by the security risk assessment that the
organization should have performed. But everyone loves a shortcut, so here are two:

1) What the Position Papers Should Say

Scope - precisely what issue, organizational unit or technological system that the paper cover.

Validity - each policy should have a limited lifespan and be reviewed on a regular basis.

Ownership - a name and contact details for the 'owner' of the document, as described earlier in this
paper.

Responsibilities - a description of who is responsible for which elements of the security of the system
or issue being covered. This is important if one wants to enforce accountability.

Supporting Documentation - a reference to other documents higher or lower in the policy structure, for
example, the Security Framework document or a specific Technical Guide.

Position Statement - what you actually want to say about the issue (kind of the hard part.)

Review - whether, when and how security reviews will be performed on the systems in question.

Compliance - a statement regarding the consequences of non-compliance with the policy.

2) Policies for Free

There are a number of good examples of policies to be found on the Web, both for free and at a price.

y.m Page 50
Teppi tvet
TTLM Unit Build Internet Infrastructure
College

One excellent resource for position papers is Mr. Charles Cresson Woods' comprehensive book -
"Information Security Policies Made Easy", which is available from Baseline Software . Although my
feeling is that Mr. Cresson Woods' policies are (for the most part) too generic, his book can give you an
idea of what should be covered and there definitely are some policies that can be used. The book
comes with a CD that has the policies in electronic format for easy copy-and-pasting.

What Topics should the Position Papers Cover?

Here's a list of position papers that should exist for most organizations:

 Physical Security
 Network Security
 Access Control
 Authentication
 Encryption
 Key Management
 Compliance
 Auditing and Review
 Security Awareness
 Incident Response & Disaster Contingency Plan
 Acceptable Use Policy
 Software Security

Assessing Policies

Once an organization has a system of security policies in place, it will be necessary to determine the
efficacy of the policies within the context of the organization. The proper way to do this is, of course, via
another risk assessment exercise, thus completing the security cycle. However, it may be possible to
properly assess the policies without having to go through the entire risk assessment process. The
following is a list of simple questions security personnel can use to assess how effective the policy will
be for their particular organization. These are typically also the questions that auditors and security
analysts will be asking themselves as they review your security mechanisms.

1. Does the policy have a clearly defined scope? Is it clear to which system and which people the
policy is applicable?
2. Is the policy comprehensive in terms of the defined scope it means to address? Are all systems
and issues sufficiently covered?
3. Does the policy clearly define responsibilities? Is it clear to the end-user, the line-manager and
the various administrators exactly what his or her responsibilities are? Is it clear who is
responsible for various aspects of security?
4. Is the policy enforceable? Can it be applied in a concrete manner so that the compliance is
measurable?
5. Is the policy adaptable? Can it be easily changed to address new risks and new technologies?

y.m Page 51
Teppi tvet
TTLM Unit Build Internet Infrastructure
College

6. Is the policy having its desired effects?

7. Is the policy universally known and understood within the organization? Is the policy well
distributed, is there an awareness of the policy and is its content understood?
8. Does the policy comply with law and with duties to third parties? Is the organization fulfilling its
statutory obligations?

Global Best Practice: Measuring Policies Against International Standards.

At least one good reason for an organization to have security policies is to display that it is taking all
reasonable steps to ensure the confidentiality and integrity of its information assets. This is particularly
important for publicly-listed companies, for companies in the process of mergers and acquisitions, and
for companies seeking investors and business partnerships. As security becomes more of a public
relations concern, large organizations will require their e-business partners to comply with a set of
operating regulations that ensure that appropriate levels of security are maintained. For example,
industry leaders like VISA have already begun this process with their partners.

What are "appropriate levels of security" then? These levels are often dictated by standard-setting
organizations, such as The International Organization for Standardization. A security standard contains
a list of required controls that need to be in place in order to ensure appropriate levels of security. When
an organization has effectively implemented the controls prescribed by the standard it can apply for
certification of standard adherence or compliance from the standard's governing body. One standard
that is frequently used in security circles is BS 7799. Issued by the British Standards Institute (BSI) in
the United Kingdom, which has been incorporated into the ISO standard set. ISO 17799 comprises 137
control objectives that must be achieved before an organization can apply for certification to the
standard.

Implemented properly, standards like ISO 17799 can significantly further an organization's IT security
objectives, but readers should be aware that this is not the only available security standard today. It is
important for an organization embarking on the long and hard (and expensive!) route to certification to
understand what the envisaged security standard will offer them and their business partners in the long
run.

If an organization is considering structuring your policies within the framework of a security standard like
ISO 17799, here are some issues the it should consider addressing:

1) Recognition - If a major purpose of certification is to assure customers of the organization's security

readiness, the certification chosen must be highly regarded by the target market. This is probably the
single most important factor.

2) Focus - The various certification programs tend to focus on different aspects of IT security. For
example, GMITS takes a business-oriented approach whilst ITSEC tends to focus on technology. A
certification path needs to be chosen that is compatible with your organization's own security objectives.

3) Local presence - Apart from the standards body itself the process of certification typically requires

y.m Page 52
Teppi tvet
TTLM Unit Build Internet Infrastructure
College

the participation of two other parties - the process consultant who will lead you through to certification
and the assessors who make the certification approval. You must determine if the correct people are
available to be in your country or state to do this work. This is of course particularly important for the BSI
standards.

4) Cost - The cost of the certification must be weighed up against the value it offers.

5) Endurance - The certification process should have long-term benefits that outweigh the costs. This
means:

 The effects of the process should be practically tangible (the systems should be more secure
afterward)
 The process should not have to be repeated too often.

6) Objectivity - It is generally not a good idea to be officially audited by companies that also sell
security products. However, this is not a black-and-white issue and most security companies today offer
both services and products successfully.

Conclusion

This concludes our discussion of designing and structuring security policies. In the next, and final,
installment of this series devoted to developing effective security policies, we will walk through a couple
of examples of security policies.

Introduction to Security Policies, Part Four: A Sample

Policy
Introduction to Security Policies, Part Four: A Sample Policy
by Charl van der Walt
last updated October 22, 2001

This is the fourth in a four-part overview of security policies. In the first article, we looked at
what policies are and what they can achieve. The second article looked at the organizational
support required to implement security policies successfully. The third installment discussed
how to develop and structure a security policy. This installment will take a look at a few
examples of security policies.
An IP Network Security Policy
This section contains an example of a position paper for an IP network for a fictitious company
that we shall call "Foobar". The policy documented here makes extensive use of the system of

y.m Page 53
Teppi tvet
TTLM Unit Build Internet Infrastructure
College

classification that was explained in part two of this series. This system of classification should
be well understood before continuing.
Intent Statement
The intent of this policy is to ensure that all systems installed on the Foobar network are
maintained at appropriate levels of security while at the same time not impeding the ability of
Foobar users and support staff to perform their work. The purpose is:
 to define where equipment is to be placed on the network;
 to define who may access network equipment;
 to define how access to this equipment is to be controlled; and,
 to define how data traveling over the network is to be protected.
Applicability
This policy applies to:
 any IP networks (existing and future) to which Foobar network equipment is connected;
 all equipment connected to the networks mentioned above;
 any IP networks across which Foobar data travels;
 data in transit over any of the above-mentioned networks;
 network administrators managing the equipment;
 project leaders requiring new equipment to be connected to the network; and,
 all users utilizing equipment that is connected to the network.
This includes, but is not limited to:
 the User LAN - 2.3.4.0/24;
 the SERVER LAN - 2.3.5.0/26;
 the Backup SERVER LAN - 2.3.5.64/26; and,
 all backbone services, Switches, ADSL, Internal Dial-Up, etc.; and,
 remote sites.
This policy will also apply to all equipment connected to the networks mentioned above, and
all Foobar employees using any of this equipment.
Statement of Foobar's Position
The security policy is based on the principles and guidelines described in the
Foobar Information Security Framework document. All Foobar network equipment (routers,
servers, workstations etc) shall be classified according to the standard Foobar classification
scheme and placed in a network segment appropriate to its level of classification. Access to
these segments must be controlled in an appropriate manner. Whenever data travels over a
network segmentation of a lower security classification then the data shall be protected in
manner appropriate to its classification level.

y.m Page 54
Teppi tvet
TTLM Unit Build Internet Infrastructure
College

Classification
In accordance with the Foobar Information Security Framework document, all users, hosts and
data must be classified as security level 1 (unclassified), 2 (shared), 3 (company only) or 4
(confidential). All physical network segments, IP subnets and other IP traffic carriers must be
classified in the same way. All data travelling on an IP network must be classified, and all users
using network equipment or requesting data over the network must be assigned a level of
clearance according to the same system.
It is the function of the person designated as the equipment owner to have all equipment under
his or her control classified. The owner is defined as the head of division installing the
equipment. Classification is done in consultation between the owner (or an assigned
representative) and the Security Officer, but the final decision shall lie with the Security
Officer.
For a description of the Foobar system of security level classification, the concept of ownership
and the role of the Security Manager, refer to the Foobar Information Security Policy
Framework document.
Network Segmentation
1. Unless otherwise stated in the security policy or in the Information Security Policy
Framework all network segments are classified Level 1 - Unclassified.
2. The classification of network segments is given in the section of this article
entitled Discussion of Classifications, which follows.
3. A network segment can only be classified as another security level with approval of the
Foobar Security Manager. Its new level of classification must be recorded in this
document and all divisional heads must be notified.
4. Wherever a network segment connects to another network segment with a different
security level, then the connection between the two networks must be controlled by an
approved trusted point. A trusted point is equipment capable of regulating the flow of
traffic between two network segments in a manner appropriate to the classification of the
networks. Trusted points are covered in detail in the section that follows.
5. No network equipment may be connected to a network segment that is not of the same
security level as the equipment itself.
6. The Foobar Security Officer may also choose to segment two networks of the same
security level.
Trusted Points
1. The trusted point used to segment two networks shall be appropriate for the network with
the highest security level.
2. The default behavior of a trusted point must be to deny all IP traffic between the network
segments it protects.
3. At the discretion of the Foobar Security Manager, the default behavior of the trusted

y.m Page 55
Teppi tvet
TTLM Unit Build Internet Infrastructure
College

point may be to allow all traffic out from the network with the higher security level
whilst denying all traffic in.
4. At the discretion of the Foobar Security Manager, the trusted point may be configured to
allow specific into the network with the higher security level.
5. All trusted points must be completely under the control of the Security Manager. Access
to any trusted point shall only be granted with the explicit permission of the Security
Manager and under his or her close supervision.
6. There are a number of technologies that can act as trusted points. They are divided into
the following categories:
 Network Level Control: TCP wrappers, host.allow lists, filter routers, network-level
firewalls, V-LAN switches etc.;
 User Level Control: application proxies, user-level firewalls etc.; and,
 Strong User-Level Control: token-based user authentication systems, certificates
etc.
Whenever there is a connection that skips over one security level the strong user level
control must be used. Even if strong user control is used, a connection may never skip
more than one security level.
Control of traffic must be exercised in the manner listed below:
For connections into Unclassified classified segments
From Control Type Comment
Unclassified No controls
Shared No controls
Company Only No controls With the exception of the Internet
Confidential No controls
For connections into Shared classified segments
From Control Type Comment
Unclassified No controls
Shared No controls
Company Only No controls
Confidential No controls
For connections into Company Only classified segments
From Control Type Comment
Unclassified Via a proxy: Network level control to This allows both for things like incoming
and from the proxy. SMTP and user dial-in.

y.m Page 56
Teppi tvet
TTLM Unit Build Internet Infrastructure
College

Direct: Strong user-level control

Shared Network level control
Company
No controls
Only
Confidential No controls
For connections into Confidential classified segments
From Control Type Comment
Unclassified Not permitted
Shared Not permitted
Company Only Strong user-level control
Confidential No Control

Data in Transit
1. Data moving on the network between any two network-components is considered to be
"data in transit". This also includes all control and management sessions.
2. All network technologies are regarded as either "safe" or "unsafe" in their native state
(i.e. without any encryption). The only networks regarded as safe by Foobar are Frame-
Relay PVCs (as used on the Foobar backbone) and switched Ethernet LANs. All other
network types are regarded unsafe.
3. All data in transit over an unsafe network segment that has a classification lower than the
classification of the data must be protected by data encryption. Data in transit over a safe
network segment may be encrypted at the discretion of the Security Officer.
4. Encryption of data in transit may take any of the following forms:
 network encryption, in which data is encrypted at the IP layer (for example, with
IPSec);
 session encryption, in which data is encrypted at a TCP layer (for example, with
SSL);
 message encryption, in which blocks of data are encrypted before they are sent (for
example, with SMIME); and,
 data encryption, in which the entire data package is encrypted before it is
transmitted (for example, with file encryption).
Encryption systems used must offer strong encryption (more then 100 bit encryption
keys) and use internationally recognized encryption algorithms. The choice of the crypto-
algorithm is the responsibility of the Security Officer and is laid out in Foobar's position
paper on Cryptography.
Access to the Internet

y.m Page 57
Teppi tvet
TTLM Unit Build Internet Infrastructure
College

Access to the Internet from Foobar networks is considered a special case and is dealt with as an
issue on its own in the position paper on Internet Access.
Discussion of Classifications
Classification of Users
1. Every user is designated as unclassified until his or her classification is explicitly
changed with the written approval of the Security Officer.
2. When a new employee joins Foobar, a request is made by the employee's manager to the
Security Officer for a new level of clearance. It is the responsibility of the manager to
justify the requested level of clearance.
3. Unless there is strong justification, all new employees shall be cleared for the
level Foobar Only, but only after they have signed an employment contract including
acceptance of this policy and non-disclosure forms.
4. The Security Officer is responsible for managing and controlling the record of clearance
levels for all personnel.
5. It is the responsibility of all system owners and system administrators to determine the
security level of a given user before granting that user access to any system.
6. It is the responsibility of the user to know his or her own clearance level and to
understand the rights and limitations associated with that clearance.
Classification of Equipment
1. All computing equipment must be given a classification by the Foobar Security Officer.
2. Classifications for existing Foobar equipment are as follows:
 all user workstations, file-servers, print-servers etc should be classified as
"Company Only";
 all Server LAN servers and other hosts used in the management of the Foobar
backbone infrastructure or Foobar internal network infrastructure will be classified
as "Confidential";
 all backbone equipment (including switches, remote access servers, ADSL chassis
etc) that is not located on Foobar premises will be classified as "Shared"; and,
 all equipment used in the transfer of data to and from the Internet will be classified
as "Shared".
The Security Officer must maintain a complete list of the classifications of all computing
equipment in the Foobar network and in the Foobar backbone.
Classification of Networks
The Foobar Security Officer must classify every network segment that constitutes part of the
Foobar infrastructure. A complete list of the classifications of all network segments in the
Foobar network and in the Foobar backbone is maintained by the Security Officer.
Classifications for existing Foobar network segments are as follows:
 The Foobar User LAN located is classified as Company Only.

y.m Page 58
Teppi tvet
TTLM Unit Build Internet Infrastructure
College

 The SERVER LAN & backup SERVER LAN are classified as Confidential.
 The Foobar Frame-Relay Backbone is classified as Shared.
 The Remote sites are classified as Shared.
 The SERVER LAN and the Portal Segment are classified as Shared.
Classification of Data
Any Foobar user with legitimate access to Foobar data may, with sufficient justification,
change the classification of the data. The user may only change the classification of data if
there is sufficient, justifiable reason to do so. Users will be held strictly responsible for these
decisions.
All newly created data must be classified "Company Only" until it is reclassified by a user, who
does so on his or her own prerogative. Users are held solely responsible for any data whose
classification they change. Classifications for existing Foobar data are given below:
 Foobar business information (memos, financial documents, planning documents etc)
should be classified as "Company Only";
 Foobar customer data (contact details, contracts, billing information etc) should be
classified as "Company Only";
 network management data (IP addresses, passwords, configuration files, etc.) should be
classified as "Confidential";
 human resources information (employment contracts, salary information, etc.) should be
classified "Confidential";
 Published information (pamphlets, performance reports, marketing material, etc.) should
be classified "Shared";
 E-mail between Foobar employees should be classified "Foobar Only"; and,
 E-mail between Foobar employees and non-Foobar employees should be regarded as
"Unclassified".
Classifications: Roles and Responsibilities
1. It is the responsibility of the user to:
 know his or her own clearance level and to understand the rights and limitations
associated with that clearance;
 ensure all the data he or she works with is correctly classified;
 ensure that he or she understands the restrictions associated with the data he or she
is working with; and,
 ensure all the data he or she works with is housed and protected appropriately.
It is the responsibility of all system owners and system administrators to:
 determine the security level of a given user before granting that user access to any
system;
 verify the classification of the equipment they manage; and,
 verify that the equipment is installed and protected in accordance with its
classification.
It is the responsibility of each divisional manager to:

y.m Page 59
Teppi tvet
TTLM Unit Build Internet Infrastructure
College

 obtain clearance for employees in his or her divisions;

 clarify the classification of data on systems under his or her control;
 clarify the classification of equipment under his or her control and to ensure that
those systems are correctly installed; and,
 ensure all employees in that division understand and implement this policy;
It is the responsibility of the Security Officer to:
 approve all classifications
 maintain a list of all classifications
 approve the final layout of the Foobar network and backbone
 control and manage all trusted points
 determine the type of cryptographic protection to be used for data in transit

Compliance
1. Any user accessing a data, equipment or a physical location with insufficient clearance
can face disciplinary action, dismissal and criminal or civil prosecution.
2. Any user allowing access to a system that he or she controls for someone with
insufficient clearance can face disciplinary action, dismissal and criminal or civil
prosecution.
3. Any person connecting equipment that is not classified to the network or connecting
equipment to an inappropriate part of the network or in an inappropriate location can face
disciplinary action, dismissal and criminal or civil prosecution.
4. Any person transmitting data over any network without the appropriate cryptographic
protection for that data can face disciplinary action, dismissal and criminal or civil
prosecution.
5. Any person changing the classification of data in a way that is reckless, irresponsible or
in any damaging to Foobar, their share holders or any of their clients can face
disciplinary action, dismissal and criminal or civil prosecution.
Points of Contact and Supplementary Information
1. For a description of the Foobar system of security level classification, users should refer
to refer to the Foobar Information Security Framework document;
2. The security policy should also provide contact details for the Foobar Security Officer.?
For enquiries regarding the classification of data, equipment, network segments or physical
locations or the clearance level of users, interested parties should be directed to contact the
Foobar Security Officer.
Conclusion
This has been a long series of articles and a lot of material was covered. Let me try to
summarize the important points should remain stuck in your mind:
1. If policies are properly implemented, they can become an effective and efficient part of
your information security arsenal. Because policies secure the 'human element', they

y.m Page 60
 Teppi tvet
TTLM Unit Build Internet Infrastructure
College

address an element of your risk profile that is seldom touched by technology.

2. There are no silver bullets in security, and the same is also true for information security
policies. Your policies should be written to counter your specific risk profile and should
be based on the findings of a security risk analysis exercise.
3. Policies can only be effective in a corporate environment that makes information security
a high priority. It may be necessary to make some far-reaching changes to your
organizational structure and culture before policies can effectively achieve the
organization's security objectives. Foremost among these changes are the designation of
responsibility and the commitment of funds.
4. Your policies must be designed 'for the people' and be easy to access, use and
understand. To facilitate this, I suggest that the documents be structured in a hierarchical
fashion with documents having different levels of detail. Responsibility for the
management of this document tree should be specifically assigned.
5. Although the actual content of policy documents should vary radically from organization
to organization, there are some fundamental principles that each policy should enforce.
These principles have been discussed in this series of articles.
Once your policies have been implemented you will have a structured, formal framework to
guide your security strategy and according to which the progress of process can be measured.

Using Windows Security

Center
Applies to Windows Vista
In this page
 Firewall
 Automatic updating
 Malicious software protection
 Other security settings
Windows Security Center can help enhance your computer's security by checking the status
of several security essentials on your computer, including firewall settings, Windows
automatic updating, anti-malware software settings, Internet security settings, and User
Account Control settings. If Windows detects a problem with any of these security essentials
(for example, if your antivirus program is out of date), Security Center displays a notification

y.m Page 61
 Teppi tvet
TTLM Unit Build Internet Infrastructure
College

and places a Security Center icon in the notification area. Click the notification or double-
click the Security Center icon to open Security Center and get information about how to fix
the problem.

Windows Security Center

Firewall
A firewall can help prevent hackers or malicious software (such as worms) from gaining
access to your computer through a network or the Internet. A firewall can also help stop
your computer from sending malicious software to other computers.Windows checks if your
computer is protected by a software firewall. If the firewall is off, Security Center will display
a notification and put a Security Center icon in the notification area. For more information
about using a software firewall, seeWhat is a firewall?

To turn on Windows Firewall

1. Open Security Center by clicking the Start button , clicking Control Panel,
clicking Security, and then clicking Security Center.
2. Click Firewall, and then click Turn on now. If you are prompted for an
administrator password or confirmation, type the password or provide confirmation.

Notes

 If you have a firewall other than Windows firewall, check the information that came with the
firewall or go to the manufacturer's website to find out how to turn it on.
 Windows does not detect all firewalls. If you are sure that you have a firewall installed and
turned on, you can clickShow me my available options to stop receiving notifications
from Security Center about your firewall. If you do this, Windows will not monitor your
firewall status or alert you if it is off.

y.m Page 62
 Teppi tvet
TTLM Unit Build Internet Infrastructure
College

Top of page
Automatic updating
Windows can routinely check for updates for your computer and install them automatically.
You can use Security Center to make sure Automatic updating is turned on. If updating is
turned off, Security Center will display a notification and put a Security Center icon in the
notification area. For more information about automatic updating, see Change how
Windows installs or notifies you about updates and What are updates?
To turn on automatic updating

1. Open Security Center by clicking the Start button , clicking Control Panel,
clicking Security, and then clicking Security Center.
2. Click Automatic updating, and then click Turn on now. If you are prompted for
an administrator password or confirmation, type the password or provide confirmation.

Top of page
Malicious software protection
Malicious software (malware) protection can help protect your computer against viruses,
spyware, and other security threats. Security Center checks if your computer is using up-to-
date antispyware and antivirus software. If your antivirus or antispyware software is turned
off or out of date, Security Center will display a notification and put a Security Center icon
in the notification area. For more information about how anti-malware software can help
protect your computer, see Using anti-malware software to help protect your
computer.
To install or update your anti-malware software

1. Open Security Center by clicking the Start button , clicking Control Panel,
clicking Security, and then clicking Security Center.
2. Click Malware protection, click the button under Virus protection or Spyware
and other malware protection, and then choose the option that you want.

Note

 Windows does not detect all antivirus and antispyware software. If you are sure that you
have anti-malware software installed, it is turned on, and it is up to date, you can click I
have an antivirus program that I'll monitor myself or I have an antisypware
program that I'll monitor myself to stop receiving notifications from Security Center
about your anti-malware software. If you do this, Windows will not monitor your anti-
malware software status or alert you if it is off.

Top of page

y.m Page 63
 Teppi tvet
TTLM Unit Build Internet Infrastructure
College

Other security settings

Windows checks your Internet security settings and User Account Control settings to make
sure they are set at the recommended levels. If your Internet or User Account Control
settings are changed to a security level that is not recommended, Security Center will
display a notification and put a Security Center icon in the notification area.
To restore Internet settings to recommended levels

1. Open Security Center by clicking the Start button , clicking Control Panel,
clicking Security, and then clicking Security Center.
2. Click Other security settings.
3. Under Internet security settings, click Restore settings.
4. Do one of the following:
 To automatically reset the Internet security settings that are at risk to their
default level, click Restore my Internet security settings now.
 To reset the Internet security settings yourself, click I want to restore my
Internet security settings myself. Click the security zone you want to change
settings for, and then click Custom level.

To restore User Account Control settings to recommended levels

1. Open Security Center by clicking the Start button , clicking Control Panel,
clicking Security, and then clicking Security Center.
2. Click Other security settings.
3. Under User Account Control, click Turn on now. If you are prompted for an
administrator password or confirmation, type the password or provide confirmation.

y.m Page 64
 Teppi tvet
TTLM Unit Build Internet Infrastructure
College

Understanding security and

safe computing
If you connect to the Internet, allow other people to use your computer, or share files with
others, you should take steps to protect your computer from harm. Why? Because there are
computer criminals (sometimes called hackers) who attack other people's computers.
These people can attack directly, by breaking into your computer through the Internet and
stealing your personal information, or indirectly, by creating malicious software to harm your
computer.

Fortunately, you can help protect yourself by taking a few simple precautions. This article
describes the threats and what you can do to defend against them.

Protect your computer

These are ways to help protect your computer against potential security threats:

 Firewall. A firewall can help protect your computer by preventing hackers or malicious
software from gaining access to it.

 Virus protection. Antivirus software can help protect your computer against viruses,
worms, and other security threats.

 Spyware and other malware protection. Antispyware software can help protect
your computer from spyware and other potentially unwanted software.

 Windows Update. Windows can routinely check for updates for your computer and
install them automatically.

Use a firewall
A firewall is software or hardware that checks information coming from the Internet or a
network and then either turns it away or allows it to pass through to your computer,
depending on your firewall settings. In this way, a firewall can help prevent hackers and
malicious software from gaining access to your computer.

Windows Firewall is built into Windows and is turned on automatically.

y.m Page 65
 Teppi tvet
TTLM Unit Build Internet Infrastructure
College

How a firewall works

If you run a program such as an instant messaging program or a multiplayer network game
that needs to receive information from the Internet or a network, the firewall asks if you
want to block or unblock (allow) the connection. If you choose to unblock the connection,
Windows Firewall creates an exception so that the firewall won't bother you when that
program needs to receive information in the future.

Use virus protection

Viruses, worms, and Trojan horses are programs created by hackers that use the Internet to
infect vulnerable computers. Viruses and worms can replicate themselves from computer to
computer, while Trojan horses enter a computer by hiding inside an apparently legitimate
program, such as a screen saver. Destructive viruses, worms, and Trojan horses can erase
information from your hard disk or completely disable your computer. Others don't cause
direct damage, but worsen your computer's performance and stability.

Antivirus programs scan e-mail and other files on your computer for viruses, worms, and
Trojan horses. If one is found, the antivirus program either quarantines (isolates) it or
deletes it entirely before it damages your computer and files.

y.m Page 66
 Teppi tvet
TTLM Unit Build Internet Infrastructure
College

Windows does not have a built-in antivirus program, but your computer manufacturer might
have installed one. If not, there are many antivirus programs available. Microsoft offers
Microsoft Security Essentials, a free antivirus program you can download from
the Microsoft Security Essentials website. You can also go to the Windows 7 security
software providerswebsite to find a third-party antivirus program.

Because new viruses are identified every day, it's important to use an antivirus program
with an automatic update capability. When the program is updated, it adds new viruses to
its list of viruses to check for, helping to protect your computer from new attacks. If the list
of viruses is out of date, your computer is vulnerable to new threats. Updates usually require
an annual subscription fee. Keep the subscription current to receive regular updates.

Warning

 If you don't use antivirus software, you expose your computer to damage from malicious
software. You also run the risk of spreading viruses to other computers.

Use spyware protection

Spyware is software that can display advertisements, collect information about you, or
change settings on your computer, generally without appropriately obtaining your consent.
For example, spyware can install unwanted toolbars, links, or favorites in your web browser,
change your default home page, or display pop-up ads frequently. Some spyware displays
no symptoms that you can detect, but it secretly collects sensitive information, such as the
websites you visit or the text you type. Most spyware is installed through free software that
you download, but in some cases simply visiting a website results in a spyware infection.

To help protect your computer from spyware, use an antispyware program. This version of
Windows has a built-in antispyware program called Windows Defender, which is turned on
by default. Windows Defender alerts you when spyware tries to install itself on your
computer. It also can scan your computer for existing spyware and then remove it.

Because new spyware appears every day, Windows Defender must be regularly updated to
detect and guard against the latest spyware threats. Windows Defender is updated as
needed whenever you update Windows. For the highest level of protection, set Windows to
install updates automatically.

Windows Defender is antispyware software that's included with Windows and runs
automatically when it's turned on. Using antispyware software can help protect your
computer against spyware and other potentially unwanted software. Spyware can be
installed on your computer without your knowledge any time you connect to the Internet,
and it can infect your computer when you install some programs using a CD, DVD, or other

y.m Page 67
 Teppi tvet
TTLM Unit Build Internet Infrastructure
College

removable media. Spyware can also be programmed to run at unexpected times, not just
when it's installed.

Windows Defender offers two ways to help keep spyware from infecting your computer:

 Real-time protection.‍‍Windows Defender alerts you when spyware attempts to install

itself or to run on your computer. It also alerts you when programs attempt to change
important Windows settings.
 Scanning options. You can use Windows Defender to scan for spyware that might be
installed on your computer, to schedule scans on a regular basis, and to automatically
remove anything that's detected during a scan.

When you use Windows Defender, it's important to have up-to-date definitions. Definitions
are files that act like an ever-growing encyclopedia of potential software threats. Windows
Defender uses definitions to alert you to potential risks if it determines that software
detected is spyware or other potentially unwanted software. To help keep your definitions up
to date, Windows Defender works with Windows Update to automatically install new
definitions as they're released. You can also set Windows Defender to check online for
updated definitions before scanning. For information about keeping your definitions up to
date and how to manually download the latest definitions, see Keep Windows Defender
definitions up to date.

 Open Windows Defender by clicking the Start button . In the search box,
type Defender, and then, in the list of results, click Windows Defender.

Update Windows automatically

Microsoft regularly offers important updates to Windows that can help protect your
computer against new viruses and other security threats. To ensure that you receive these
updates as quickly as possible, turn on automatic updating. That way, you don't have to
worry that critical fixes for Windows might be missing from your computer.

Updates are downloaded behind the scenes when you're connected to the Internet. The
updates are installed at 3:00 A.M. unless you specify a different time. If you turn off your
computer before then, you can install updates before shutting down. Otherwise, Windows
will install them the next time you start your computer.

To turn on automatic updating

1. Open Windows Update by clicking the Start button . In the search box,
type Update, and then, in the list of results, click Windows Update.
2. Click Change settings.

y.m Page 68
 Teppi tvet
TTLM Unit Build Internet Infrastructure
College

3. Make sure Install updates automatically (recommended) is selected.

Windows will install important updates for your computer as they become available.
Important updates provide significant benefits, such as improved security and
reliability.

4. Under Recommended updates, make sure the Give me recommended updates

the same way I receive important updates check box is selected, and then
click OK.

Recommended updates can address non-critical problems and help enhance your
computing experience. If you're prompted for an administrator password or
confirmation, type the password or provide confirmation.

Install the latest version of your web browser and keep

it up to date
Using the latest version of your web browser and keeping your browser up to date are two of
the best ways to prevent trouble online. In most cases, the latest version of a web browser
contains security fixes and new features that can help protect your computer and your
privacy while you're online.

Also, many web browsers offer security updates periodically. So be sure to install updates
for your browser whenever they're available.

If you have Internet Explorer, you can get updates for it automatically using Windows
Update. If your computer isn't set up to automatically receive updates, you can manually
request these updates by using Internet Explorer. Click the Safety button, and then
click Windows Update . Follow the instructions on the screen to check for updates.

Turn on your browser's security features

Many web browsers have security features that help you browse the web safely. So it's a
good idea to find out what security features your browser has and make sure they're
enabled.

If you have Internet Explorer, here are some of the security features that are available:

 SmartScreen Filter, which can help protect you from online phishing attacks, fraud, and
spoofed or malicious websites. For more information, see SmartScreen Filter:
frequently asked questions.

y.m Page 69
 Teppi tvet
TTLM Unit Build Internet Infrastructure
College

 Domain highlighting, which lets you more easily see the real web address on websites
you visit. This helps you avoid deceptive or phishing websites that use misleading web
addresses to trick you. The true domain you're visiting is highlighted in the address bar.
 Manage Add-ons, which lets you disable or allow web browser add-ons and delete
unwanted ActiveX controls. For more information, see How do browser add-ons
affect my computer?
 Cross site scripting (XSS) filter, which can help prevent attacks from phishing and
fraudulent websites that might attempt to steal your personal and financial information.
For more information, see How does Internet Explorer help protect me from
cross-site scripting attacks?
 A 128-bit secure (SSL) connection for using secure websites. This helps
Internet Explorer create an encrypted connection with websites run by banks, online
stores, medical sites, or other organizations that handle sensitive customer information.
For more information, see How to know if an online transaction is secure.

For more information about protecting your computer and your privacy while you're online,
go to the Microsoft Securitywebsite or the Microsoft Online Safety website.

Use a standard user account

When you log on to your computer, Windows grants you a certain level of rights and
privileges depending on what kind of user account you have. There are three different types
of user accounts: standard, administrator, and guest.

Although an administrator account provides complete control over a computer, using a

standard account can help make your computer more secure. That way, if other people (or
hackers) gain access to your computer while you're logged on, they can't tamper with the
computer's security settings or change other user accounts. You can check your account
type after you log on by doing the following:

The steps that you should follow will vary, depending on whether your computer is on a
domain or a workgroup. To find out, see "To check if your computer is on a workgroup or
domain" in What is the difference between a domain, a workgroup, and a
homegroup?

Tips for safely using e-mail and the web

 Use caution when opening e-mail attachments. E-mail attachments (files attached
to e-mail messages) are a primary source of virus infection. Never open an attachment
from someone you don't know. If you know the sender but weren't expecting an
attachment, verify that the sender actually sent the attachment before you open it.

y.m Page 70
Teppi tvet
TTLM Unit Build Internet Infrastructure
College

 Guard your personal information carefully. If a website asks for a credit card
number, bank information, or other personal information, make sure you trust the
website and verify that its transaction system is secure.
 Be careful when clicking hyperlinks in e-mail messages. Hyperlinks (links that
open websites when you click them) are often used as part of phishing and spyware
scams, but they can also transmit viruses. Only click links in e-mail messages that you
trust.
 Only install add-ons from websites that you trust. Web browser add-ons allow
webpages to display things like toolbars, stock tickers, video, and animation. However,
add-ons can also install spyware or other malicious software. If a website asks you to
install an add-on, make sure that you trust it before doing so.

y.m Page 71