Managing Security Threats to Communication Networks

Recent advancements in communication technologies have transformed human society, allowing people to bank, read, launch, and run relationships and enterprises from their laptops and mobile phones. Unlike old-fashioned messaging networks that relied on copper wire infrastructure and were plagued by slow speeds and unreliability, today's communications technology makes connectivity not only quick, effective, secure, and dependable, but also inexpensive and available 24 hours a day, seven days a week. People thousands of miles away can not only send and receive undistorted text and visual messages in fractions of a second but they can even video chat/conference in real-time. Most of these advances have been made possible by fiber optic cables and satellites, which despite being invented more than 50 years ago, have only recently been successfully applied to communications. Unfortunately, this technology is also used by unscrupulous people to access information, steal, harm, destroy, and compromise people’s right to privacy, their money, relationships, and reputations. System problems can also pose similar threats to information security. Only by taking appropriate steps to manage these problems can the future of communications technology be assured, as insecure networks and attacks create mistrust and, therefore, less use. This requires innovative technological solutions and behavior modification.

Keywords: telecommunications, communications, security, technology

Managing Security Threats to Communication Networks

The Internet has revolutionised global communication by connecting people on a scale unimaginable fifty years ago. New programs, software, and platform applications have been popularized via social media. However, this rapid uptake has also created serious security concerns for individuals and organizations as unscrupulous individuals use information about Internet sites that individuals have accessed (Viega et al., 2002) and data mining technology to invade privacy rights. They do this largely by accessing the complex algorithms that are used to develop online profiles (metadata) of all individuals who access the Internet via search engines or social media platforms. State surveillance, hacktivist groups, and state sanctioned espionage in different countries as well as rules and regulations enacted under the guise of terrorism to access people’s personal data make it vital to take electronic communications networks and their security seriously (Stallings, 2006).

In light of this, the current paper will examine the issue of how to manage and improve communications network security.



Discussion topics will include:

The identification of potential vulnerabilities in a communications network.

The role of information communications security experts.

The laws that govern the safety of communications networks.

Measures that can be enacted in the event of communications network security breaches.

The paper will examine the following sub-topics in detail as part of the above themes:

Contextual information:



This will include some preface information on electronic communications networks and security iterating development.



Threat assessment:

This section will analyze common threats to the safety of communications networks.

Advances in cyber-attacks on communication networks:

This section will include an analysis of cyberspace terrorism and the motives for safety breaches in communication networks.

Use of secure communications channels through secure firewalls:

Cisco Networks’ secure communications will be examined in this section.

Privacy invasion in communications networks and social media platforms.

Biometric measures: is the iris or fingerprint more secure for authorized communications links?

Security control for a secure communications network.

The paper will conclude with a comprehensive discussion on the above topics, supported by research and explanations.



Communications Networks

It is almost impossible to measure the effect that advances in communications technology have had on the human civilization. Millions of individuals use Local Area Networks (LAN) and (Wide Area Networks) WAN to communicate using their computers, governments use Internet-based programs to manage public sphere activities, such as traffic and cyber based social media, applications are used by almost anyone with a cellphone or tablet. This is made possible by new undersea and local area network fibre optics that connect the Internet to the home as well as by satellite connections, which do not have any physical limits and are free from external interference. The communication revolution has also been made possible by advances in hardware accessories and software. In addition, networking functions more efficiently due to wireless networking (as opposed to wired networks) (Aronson, 2004).

The current technologies are a vast improvement on their predecessors. The architecture of the Internet is more powerful and cheaper than the traditional copper wire networks offered by landline phones (Aronson, 2004), although both initially used the same infrastructure for connection – the telephone system. Printing and stationery costs are reduced, as are those associated with traditional distribution methods, such as hiring personnel and vehicles to deliver documents. Hardware costs are also reduced. Fax machines and home-use modems for example, are now almost obsolete.

The Internet is also popular because it enhances organizational communication networks, enabling it to deliver more for less. Management uses Internet-based tools such as emails and intranets to communicate with staff, manage stock and resources, and measure performance.









Network Security Threats

It is a well-known fact that using a communication network opens an individual or organization up to attacks due to sharing, system complexity, and unknown perimeters and paths. Anonymity makes it possible for an attacker to launch an attack from miles away without ever coming into direct contract with the computer system, its users, or administrators (Pfleeger & Pfleeger, 2003). Indeed, this may be one of the reasons why cybercrime has risen so sharply. It is easier to launch a cyber attack than a physical one.

Storing files in network hosts that are user remote also makes them vulnerable to attack. When data is stored remotely, the file or data may pass through several hosts before the user receives it. This is complicated by the fact that although the administrator of one host may observe several security policies, they can not control other network hosts. Consequently, an attack may originate from anywhere and pass to any host. Networks also make it possible for workload and resource sharing, which creates access avenues. In addition, computer operating systems (OS) are complex, which makes failsafe security nearly impossible. A network control/operating system is even more complex than an OS, and this increases security threats (Pfleeger & Pfleeger, 2003). In addition, the Internet and the www require communication technologies that are more complex and, consequently, need more bits for transmission. This drives up costs in other areas, such as hiring personnel and hardware (servers etc.).

As a result of the above, the expandability of a network can translate into uncertainty about its boundaries. A single host may be a node on two separate networks and resources present in one network will be more accessible to users on the other network. This uncontrolled or unknown group (with possible malicious users) can be a threat to security. The existence of several paths from a particular host to another can also endanger security, as control over message routing is reduced (Pfleeger & Pfleeger, 2003). Poorly configured hosts and their accompanying servers can also constitute threats to network security. Fortunately, an isolated home user or an office with few employees is not likely to be a target for cyber-based attacks, even when adding a network, and managing security threats is likely to be an easier, more cost-effective exercise. Most will simply purchase an ‘off the shelf,’ standardized security management system that requires little upkeep beyond the installation of regular updates. The companies that create these systems generally have very little interactivity with their clients and no expense is needed to raise security awareness. In contrast, large organizations may need to expend large parts of their communication and marketing budgets on changing user behavior (training), since most attacks are unwittingly unleashed by unsuspecting employees who click on unsafe links or fall prey to social engineering scams. In order to be effective, the positive rewards of adhering to policy must be highlighted. Some organizations may even consider offering incentives to employees for assimilating knowledge about the threats and altering their information management behavior. Since information security is a vast subject, training and/or workshops may need to be implemented to ensure that all employees are aware of the threats.

Senior management is advised to partner with their Human Resource Divisions, as well as line management in these exercises to monitor incoming email, limit social media access, draft policies, and manage transgressors (staff who access personal emails in company time). They may also need to balance overspend on overprotecting.

Identification of Potential Vulnerabilities

A vulnerability is a part of a system that makes it vulnerable to attack. Most IT Departments use vulnerability scanners to help identify, define and classify security holes (vulnerabilities) in a server, computer, communications infrastructure or network. They do this by locating patches missed on target systems and reporting related vulnerabilities. Scanners can also identify outdated software versions, misconfigurations and missing patches.

Vulnerabilities that constitute network threats include unnecessary services, software defects, unsecured accounts and misconfigurations. Vulnerability scanners that have been tested and used successfully include McAfee Vulnerability Manager, Retina Network Security Scanner, Nessus Vulnerability Scanner from Tenable and Nexpose Vulnerability Management from Rapid (Awad, Hassanien & Baba, 2013).



The human element in creating system vulnerabilities must also be guarded against by means of raising awareness and taking steps to mitigate them.

Privacy Invasion

Privacy invasion, which can be regarded as unauthorized access by a person/s into the affairs, information and/or physical ‘space’ of another, constitutes a major threat to persons via communication networks and social platforms. All entities (individual and group) have the right to protect information (sensitive or not) about themselves, as do organizations, and control what is made public. Privacy is separate from, but linked to personal space, which can be invaded in a variety of ways and purposes, such as by attorneys who use jurors' social accounts to vet them. Sexual predators and hackers may also use a victim’s personal information (Smith, 2012) for nefarious ends. Spoofing, impersonating, sniffing, mapping, hijacking and social engineering are also tools that are used to attack individuals and organizations.

Privacy is enshrined as a constitutional right and its interceptence and or/violation, whether lawfully or unlawfully, is regarded as a serious offense. All organizations requesting personal information from their customers/potential customers are required to treat it responsibly and must be accountable for rights infringements, abuse and/or compromizing it. Most are prohibited from selling it and must prevent unathorized personnel, even from within the same company, from using it. However, the phenomenon of business intelligence, which means the sale of personal information to companies for marketing purposes, proves that this practice is alive and well. This practice fuels the global economy.

Ensuring that information is secure means that organizations must take decisions on what customer information should be private and what should not and implement appropriate measures and safeguards to protect them. On an individual level, this is less easy to police as protection is only provided by the government in the form of legislation. In the case of minor children, for example, parental controls are only as effective – within the home space – as the parents themselves, and criminals can easily take advantage by luring a child via another computer that the parent cannot monitor.



Cyber-attacks

Cyber-attacks, which target information hosted on computers, constitute another threat to the security of communications networks, particularly for large organizations such as governments. While a good number of the attacks are modest (such as self-replicating worms and emails containing Trojan horses), the threat that they pose continues to raise concern. Victims may have their information altered or destroyed. They can also have essential data, such as credit card details or passwords stolen. Files can be stolen, deleted or modified. It is often difficult to contain malicious messages because they seem genuine and appeal to people’s sympathies. They usually contain attachments or links to websites that are unsafe and disguised as legitimate, and users may access these in ignorance. Once an attacker gains access to a victim's computer networks and systems, they will invariably infect it for the abovementioned purposes. Attacks can take many forms, such as malware (malicious software), phishing, which aims to access personal, sensitive or confidential information for financial profit, identity theft and denial of service, which is becoming increasingly prevalent. This entails sending large volumes of traffic to computer systems, consuming the system’s resources and causing it to eventually crash (Butts & Shenoi, 2014). Cyber-attacks become cybercrime when a person, organization or government becomes a victim and suffers harm or loss.



Motives for Safety Breaches

People attack government or organization communications networks for a variety of reasons, including revenge, hate (i.e. emotions), personal gain, and for the sake of entertainment/ ‘joyrides’. A good number of misdirected youngsters are motivated by peer pressure and seek to break organizational computer networks to demonstrate their ‘competence’ and show off. Others are driven by greed and financial gain, while still others are motivated by ignorance (Kizza, 2015). The range of motives for cyber-attacks against large organizations and governments may also include political or religious action. In view of this it is suggested that organizations limit the amount of personal stationery in emails, for example, and adopt a ‘one corporate image’ rule. Addressing the motives for safety breaches will require a broader approach to tackling the socio-economic issues that cause them, and can only be undertaken in co-operation with government, schools, non-government organizations, faith based and civil organizations. In some instances, it may even require intergovernmental co-operation and the discarding of agendas or need to engage in espionage.



Securing the Communications Network

Effective security in a communications network refers to the creation of environments that are secure for several resources. A resource can be regarded as secure if it is guarded against external and internal unauthorized access. Computer system protection must therefore be provided for the tangible objects (hardware) and the intangible object (software) or data and information in the system. There are a variety of methods to protect communication networks such as authentication, access control, integrity, confidentiality, and nonrepudiation (Kizza, 2015). These must take their lead from the organization’s policies, which should be communicated to all users in a simple and digestible form. Dependable software solutions should form part of an effective strategy against network security threats. These must be complemented by behavior modification campaigns such as those mentioned above, since an attack often requires a willing victim to be successful. If users are aware of threats, they can take steps to manage them. Creating proper security protocols can also help mitigate security threats.



Hardware Access Control

Hardware access control is a security system component that comprises pre-provided identification to the user. Simply put, it limits who gains access to what services. Examples include identification cards, visual event monitoring, video surveillance, passwords and biometric identification. The latter includes voice and iris recognition as well as fingerprints and appears to be the fastest growing choice for large organizations. Despite its emotional appeal, iris scanning is not foolproof and many commercial iris scanners can be fooled using a high quality image in place of an actual human eye. It is noteworthy that these scanners are not yet deployed in government offices or at airports/harbors (immigration points). Currently, fingerprint recognitions scanners offer the most advanced level of security, although passwords remain popular given that they are used remotely and require less capital expenditure on scanners. It is important to note that both are not entirely secure. Fingerprint scanners can be fooled in much the same way as iris scanners and passwords are regularly hacked. Ongoing research into new hardware security technologies is a necessity. Finger vein recognition could be a viable option to explore.



Software Access Control Systems/ Firewalls

Software access control falls into two categories: remote and Point Of Access (POA) monitoring. In the former, terminals are linked by either telephone lines, modem and wireless connections (Kizza, 2015). Firewalls are also installed to protect software from unintended users’. They monitor and control network traffic, detect threats and report on them. In essence, they constitute a barrier between an organization and the cyber environment in which it operates i.e. the Internet. Firewalls are very popular, and are used by large organizations such as the Cisco Network. However, they are vulnerable to tunneling by hackers. POA monitoring makes it possible to monitor staff personal activities using a PC-based application. The application gathers and stores access events, other system operations events and download access rights (via terminals).

All user computers should be defended by appropriate and legitimate antivirus software, secure coding and operating systems. Companies that use industry standard, reputable software suppliers in this regard also benefit from the latest research and development in communications security and have the assurance of having an accountable partner. Any internal coding (or programming) should guard against defects, bugs and logic flaws, be user tested and comply with standards.



Confidentiality/Security Controls for Secure Communications Networks

Confidentiality/security controls for secure communication networks protect system information and data from disclosure to unauthorized personnel. When data leaves a client computer via a network, it can be channeled into an insecure environment. This means that the recipient cannot fully trust that there are no third parties who eavesdrop, survey hard drive information, gather metadata or browse private or company data for sensitive information. Confidentiality/security controls therefore use encryption algorithms (cryptography) to protect data in transit (Kizza, 2015). Again, these are subject to attack and continuous innovation is required to manage the risk. As almost all Internet traffic can be monitored for illegal activity, this counter-surveillance must be maintained.



Role of Communications Security Experts

Due to increased threats to telecommunications security, the demand for information communication security experts has increased throughout the globe. These individuals protect information systems, including infrastructure and network, safeguard asset and financial information, customer data and other critical systems information. Alternative job titles include Information security/risk/incident managers, and they are usually employed in Information Technology Departments. Many of them consult privately. These degree qualified individuals design, develop and test software and security devices to ensure that organization and client information and products are safe (Chandana, 2013). They often work with computer forensics analysts in private and public sector organizations, as well as the police and law and security enforcement agencies. Demand for these individuals is expected to grow over the next decade.



Laws Governing the Safety of Communications Network

The Communication Assistance for Law Enforcement Act (CALEA) was enacted on 25 October 1994 to prevent law enforcement agencies from invading people’s privacy using electronic surveillance measures. The act requires telecommunications carriers to allow law enforcement agents to conduct electronic surveillance once they have a court order or other form of legal authorization. The CALEA statue defines telecommunication carriers as facilities, equipment or services that enable a subscriber or customer to terminate, originate or direct communications (Ward, Kelly, & Anderson, 2017).

The Title 6 U.S. Code § 194 provides for the enhancement of public safety communications interoperability. In addition, the Data Protection Act of 1998 (DPA) provides individuals with rights that are specific to matters of their personal information and places specific obligations on the organizations responsible for personal information processing (Information Commissioner's Office, 2012).



The importance of legislation in enabling government to investigate and prosecute threats to national security cannot be underestimated, given the war on terror. It gives government agencies such as immigration and police the tools necessary to monitor social activities, recognize and monitor threats, and prevent and investigate criminal and terror activities. For example, the Communications Assistance for Law Enforcement Act empowers government to monitor all Internet traffic by requiring that all American telecommunication providers install packet capture technology. However, the debate over whether ‘Big Brother’ should be watching and how far its reach should be, is ongoing, with many counter groups such as the American Civil Liberties Union protesting that government surveillance impinges too far into the personal and political freedoms that Americans value so highly.

On an organizational level, companies need to ensure that they have the appropriate policies in place to mitigate threats. These should discourage personal web surfing and/or shopping during working hours and indicate the penalties for transgressors and/or discipline measures to be followed. Alternatively, an organization may take a policy decision to limit Internet access to certain ‘safe’ sites, such as its own intranet and or www sites, with all links to external sites therein permanently blocked. Access to more sites could form part of an incentive scheme for employees who achieve and show that they are responsible. Managers also need to be a key part of the solution to secure networks and should be trained appropriately. It is suggested that security awareness be included as part of the induction package for new employees and/or included as key performance areas in job descriptions. Certainly, each employee must be informed that their online activities at work are subject to surveillance.

Employees must be made aware of the importance of information as a company asset and their duty in protecting it. This includes the need to recognize their role in safeguarding records and preventing lawsuits. Effective information management principles and awareness of applicable legislation should be included in all job descriptions in the future.

Responding to Communications Network Security Breach

When a network security breach occurs in an organization, the IT Department should immediately implement a breach management plan. This should be ready in advance so as to minimize time delays, panic and damage. An effective plan should incorporate the following four critical elements (Information Commissioner’s Office, 2012):



Containment and Recovery

Data security breaches demand not just an initial response to investigate and control the situation but a recovery plan that involves damage litigation where necessary.

Assessment and Classification of Threat

It is important to assess potential severe consequences to the individual/organization, the seriousness of the situation and the likelihood of it reccurring (Information Commissioner's Office, 2012) before making containment decisions.

Some security breaches do not cause major damage but simply inconvenience people in need of the data and/or program to perform their jobs/functions. This may have an adverse effect on the bottom line given that business may be disrupted until operations resume.

Notification of Breach

Managing security breaches effectively involves informing affected inter-organizational departments about them in an appropriate manner. All angles must be thought of. For example, if the email server is compromised, how will management communicate with staff? It may be necessary to retain manual messaging systems as a complement/failsafe tool e.g. public announcement systems and/or trained floor supervisors for crisis communications. It may even be an option to use sms technology or secure the services of a crisis management firm. However, notification should not serve as an end in itself. Ideally, it should have another clear purpose, such as enabling the affected party to take steps to protect themselves, allowing legal bodies to function or offering advice and resolving complaints.

Evaluation and Response

It is critical that not only are the causes of the breach managed but the effectiveness of a suitable response. If the breach has been caused by ongoing or systemic problems (in whole or part), dealing with it as a once off event and continuing with a business as usual approach will not be effective. Similarly, if inadequate or unclear breach management policies interfere with the response, a review and update of these must be undertaken (Information Commissioner's Office, 2012).



Conclusion

Advancements in telecommunications have improved the quality of life for millions of people throughout the world by enabling them to communicate faster and more efficiently. Unfortunately, they have also increased security threats to personal privacy, organizational information and government infrastructure. In so doing, they inadvertently pose a threat to the security of nations. Besides the emotional and nefarious motives discussed in this paper, the increase in security breaches is largely due to the fact that security measures to protect hardware and software have not kept up with advancements in technology. It is therefore vital to allocate the funding necessary to continue research into better methods of protection, particularly as it impossible to completely eliminate all threats. As evidence shows, mitigation measures against future threats can assist. Organizations and companies must understand this and prioritize appropriately.

References

Aronson, J. D. (2004). Causes and consequences of the communications and internet revolution. Internet Revolution, 1-39.

Awad, A. I., Hassanien, A. E., & Baba, K. (2013). Advances in security of information and communication networks. Cairo: Springer.

Butts, J., & Shenoi, S. (2014). Critical infrastructure protection VII. Arlington: Springer.

Chandana. (2013, June 17). Key roles & responsibilities of IT security professionals. Retrieved from https://www.simplilearn.com/it-security-professionals-key-roles-responsibilities-article

Information Commissioner’s Office. (2012). Guidance on data security breach management. Information Commissioner’s Office.

Kizza, J. M. (2015). Guide to computer network security. London: Springer.

Pfleeger, S. L., & Pfleeger, C. P. (2003, March 28). Security in networks. Retrieved from http://www.informit.com/articles/article.aspx?p=31339&seqNum=2

Smith. (2012, March 7). Privacy invasion: Social media monitoring required to attend college or to be hired? Retrieved from http://www.networkworld.com/article/2221850/microsoft-subnet/privacy-invasion--social-media-monitoring-required-to-attend-college-or-to-be-hired.html

Stallings, W. (2006). Cryptography and network security: Principles and practices. Pearson Education India.

Viega, J., Messier, M., & Chandra, P. (2002). Network security with OpenSSL: Cryptography for secure communications. O’Reilly Media, Inc.



Ward, D., Kelly, J., & Anderson, K. (2017, February 9). Communications assistance for law enforcement act. Retrieved from https://www.fcc.gov/public-safety-and-homeland-security/policy-and-licensing-division/general/communications-assistance