Network Domains and the Acceptable Use Policy (AUP)
Computer and Network Security
Instructor: Lynne Williams
Understanding the User Domain and AUP Policy Using CVE Articles
To better understand how vulnerabilities can affect network security in the user domain, research was conducted on Common Vulnerabilities and Exposures (CVE) articles relevant to the user domain to identify the common threats and risks associated with known vulnerabilities. The threats identified include: unauthorized intruders accessing the network and uploading or downloading information to and from it; valid users who, with malicious intent, sabotage or destroy applications or specific data on the network, or who, without malicious intent, download personal data such as photos, music, or videos; and threats carried out by remote access users, such as brute force attacks on login/password information and the compromise of stored data through data leakage resulting from a violation of the AUP. These are directly related to the common threats and risks found in networks according to CVE-2014-3282 and CVE-2014-3283 (2014). Another common threat, found in CVE-2014-3281, is attackers luring untrained users to unsecure websites for phishing purposes in order to gain sensitive information about the user and/or the information stored on the network (CVE, 2014).
The risk associated with these vulnerable areas in the User Domain may cause the compromise of data confidentiality, integrity, and availability (CIA): unauthorized access to private user information, the loss of data integrity due to internal threats, and/or the loss of availability that prevents other authorized network users from accessing information (Leight & Hammer, 2006). To mitigate the risk of unauthorized intruders gaining access remotely (CVE, 2014), of valid remote users accessing sensitive information with malicious intent (CVE, 2014), and of valid users being redirected to unsecure sites for phishing purposes (CVE, 2014), the use of encrypted remote access programs (SANS, 2008t), the installation of antivirus/anti-spyware software and intrusion detection components to identify suspicious behavior (SANS, 2014t), and the implementation of e-mail and Internet security filters will significantly reduce the risk of unauthorized access to the network, as well as malicious attacks by valid users and phishing (SANS, 2014i). In addition, user training and education on identifying and mitigating potential intrusion attempts and recognizing phishing website redirections, together with adherence to an Acceptable Use Policy (AUP), which most businesses develop for their network users to follow, will increase security for the network, increase user accountability, and mitigate the risk of intrusions into data stored on the network (SANS, 2014i). To mitigate risk using an AUP, the business must require that all users adhere to the policy; the policy must state specifically who may use the network and the conditions governing how the network may be used, and the business must enforce consequences for user actions that are not in accordance with the AUP.
The specific conditions the user must consent to include, but are not limited to: routine monitoring of the communications and activities of all users on the network; inspection and seizure of stored data; interception and search of all user activities; and a prohibition on using the network for personal benefit or privacy invasion (JSS, 2014). The policy also specifies the responsibilities, administration, and implementation of network security components, as well as definitions of acceptable and unacceptable usage (JHU, 2010), and the enforcement of consequences for users who violate the policy, which include suspension and/or termination depending on the severity of the violation (Georgetown, 2014). The following portion of this document is an example AUP for the XYZ Credit...
References:
Compare Business Products. (2010, May 19). Regulatory compliance: HIPAA, SOX, and GLBA. Retrieved from http://www.comparebusinessproducts.com/briefs/regulatory-compliance-hipaa-sox-and-glba
Georgetown University. (2014). Georgetown University: University policies. Retrieved from http://policies.georgetown.edu/glba/sections/privacy
Johns Hopkins Institution (JHU). (2014). Information technology policies. Retrieved from http://it.jhu.edu/policies/itpolicies.html
SANS Institute. (2014i). Internal threat - risks and countermeasures. Retrieved from http://www.sans.org/reading-room/whitepapers/threats/
Snoke, C. (2014). Small business internet security suites review: The advantages of using a small business security suite. Retrieved from http://internet-security-suite-review.toptenreviews.com/small-business-internet-security/
Wrenn, G. (2014). Acceptable use policies will minimize email risks. Retrieved from http://searchsecurity.techtarget.com/tip/Mail-Call-Setting-acceptable-use-and-security-expectations-will-minimize-e-mail-risk