all right now our next topic and again, a lot of this information is covered across different domains. Unified communications. So how can we take this distributed environment, which we all work today if you, your company has any sort of size to it? If you have more than one location, we're communicating across lands.
We are trying to create an interconnected environment that uses technology to help us all work together.
So some of the types of technology that we use to left me is very, very big today. Voice over i p allowing us to connects and voice traffic over i p links. We refer to that as telephony, doing video conferencing, voice conferencing, very, very important email
making sure that we provide secure email and we talk about that in the cryptography domain.
Instant messaging. Let me tell you, instant messaging is tough to secure their so many little instant messaging applications there that even as an admin, if I decide I don't want to allow it on the network,
there's not one particular port that instant messaging applications use. So I have to be knowledgeable.
And a lot of times the ways is is through training your users putting policy in place and then adding technical controls
as needed Web conferencing in video conferencing. You know, that's one of the ways that we unify our team members, but making sure that those communications air secure Certainly an element of concern.
Remote access. Yesterday we talked about Radius. You know, we talked about the idea of needing a centralized authentication server for folks connecting in remotely, whether it's VPN
or dial up or wireless devices, remote assistance that could be really dangerous because with remote assistance. And this is one of the technologies that's tremendously helpful. If you're a help desk representative being able to connect
to a user system and help them troubleshooter, show them how to perform a task.
But again, any kind, you're getting our users desensitized to allowing someone to connect into our system. There are a lot of social engineering attacks out there where someone purports to be a legitimate service provider. Here, click this link and let me show you howto access such and such on your system.
What I've just done is I've accessed that host system,
and who's to say when I'm gonna terminate that access so remote assistance is something from a risk standpoint, you really got to consider whether or not you're gonna allow in your network. But again, any of these desktop sharing goes along the same idea. If I'm giving a presentation,
I want to share my desktop out. You know, it makes meetings much better,
but we always consider threats and vulnerabilities.
Okay, Voight now voice over I p the greatest threat to avoid eavesdropping and then issues with authentication because voice again was not designed to, uh, inherently be secure. So we've added on since security mechanisms after the fact.
So some ideas about bringing VoIP onto your network
understand what the baseline function is? What are your baseline metrics? How does it perform? Under normal operations, VoIP can cause a lot of issues with congestion on your network. VoIP is a bandwidth hall,
so isolating it to its own segment's gonna become important. We talked about using routers or villains to do that, figuring out what the resource utilization that's necessary.
Thio implement voice
Kodak, Kodak stands for coder decoder and the ideas. When you're taking analog voice trying to put it over a digital line, you need some mechanism to perform the conversion of signal. That's kind of the idea with Codex making sure that you have
optimized network performance and a lot of times that comes through
traffic prioritization. We talk about traffic prioritization. Ah, lot of times we refer to quality of service que OS, and sometimes you hear the term traffic shaping. So with traffic shaping quality of service, what we want to do is we want to give priority
two things like Voight. Traffic, because voice
is, does necessarily require a lot of band with, and we want to make sure that our voice communications are as good as possible. You know, there's nothing worse than a tremendous amount of Leighton see with your voice calls Leighton seas, of course, a delay. You also have problems like jittering,
where it's a variable delay, so
you could never quite get into the rhythm of the call. But certainly those air concerns now, from a security standpoint, with void, I would look at encrypting Voight traffic and adding in authentication mechanisms as being two of the biggest security concerns.
Mobile devices, You know, we mentioned earlier, bring your own technology and bring your own device being very popular in many offices today, but the problem is with everybody bringing in their own device. We have all of these different platforms, all of these different security features, so it could be very, very challenging.
Have a good, consistent security policy.
But things we can do that all of these devices offer screen walk. If my system's not news for certain amount of time and it should be short a man, a con, ah, password or some other mechanism is required to unlock the screen, making sure that a strong password
and against very hard to put your policies out on these devices. So the key is training your users.
I know one of the things they love to ask about is remote white sanitization. There needs to be some means that if you're
tablet, if your cell phone, uh, winds up out of your possession and you can't locate it if it contains any sort of company specific, sensitive data, we've gotta have a means toe. Wipe that system clean to protect the, uh, the confidentiality of information.
Those devices most devices have. That means
thio cleanse the contents, and that's very, very important,
a device encryption. Many of these devices have mechanisms to encrypt data. We want to educate our users that company information should always provide, should always be protected with encryption. Now our last topic here securing the technology life cycle.
And regardless of which document you look at the steps of the security minute or the technology lifecycle, what's essential is that we know we should integrate security into every step off the technology life cycle.
when we're considering the life cycle of technology, it's much more than just the development. Let's say if we're talking about software, you know, there's ah set of faces associated with software development. But once the software's been developed and tested, it goes into operations. How do we make sure that the day to day function of the system
is secured and protected that it operates in Secure environment doesn't bring in any additional threats,
the maintenance of the system? You know, Theo, environments always changing. So do we need to update new threats emerge? We might need to patch the system. You need to make sure that we do that securely, and then the Decommissioning of a system. There should always be policy on how a system gets
We want to make sure that if it has sensitive data that the remnants of the data gets removed, we need to make sure that whether it gets migrated to a new database, whatever once a system is no longer in commission, once we're moving it out of production,
we need a set of steps to follow to make sure that we decommissioned that sense them
appropriately. And that should be part of policy
now with the system development life cycle and you'll find, you know, most life cycles will follow these steps requirements. If you'll remember, we talked about the problem piece where the customer defines their requirements with their expectations are for the product what they want the product to do.
Then we figure out how we're gonna make that work. This is in the planning seas of phase. Our team comes together and we figure out how we're gonna address the requirements. Eso Where's that's the problem piece. This is a solution peace, our team figuring out our approach in our plan to meeting the customer requirements.
I don't care what type of project you're working on. The goal of every project always to meet the customer requirements. No more, no less. So we've gotta understand and analyze thes requirements up here to make sure that we know properly how to meet those requirements
now with design and development. So we've planned out our project. We've got our project team put together. We've got a high level plan. We're gonna get down to the nitty gritty here, so to speak, where we're going to figure out the architecture of this system, the code that goes into it if its software,
the elements of hardware that are necessary
and then we're actually going to develop the product itself.
It goes to testing. Nothing goes into production without a thorough testing process. And often, quality assurance is involved in that testing. Never with the developers of software. The developers of a product be the ones that get the final say. This is a good product. We're gonna implement it.
So Q is often involved, and I've already mentioned ideas like certification
making sure the technical evaluation of the product is complete, and then accreditation management's acceptance. All right. Once we pass the q A tests, we roll it out and then we enter the maintenance phase again, patching monitoring those ideas and then reassessing
things fall out of the scope of value for us as an organization.
So how often do we go back and make sure that the product we've implemented meets the needs? And if it doesn't, that's when we bring in a Decommissioning set of procedures.
So ultimately, this chapter is talked about operations. Security is a whole. What are the things that we do within an organization? What are the roles that need to be fulfilled? Who does what, so to speak, making sure we honor separation of duties,
talked a little bit about the impact of a merger or an acquisition can have on an organization
making sure that we have controls in place for secure product development and design, whether it's software, hardware, any type of system, and then making sure that when we do implement a system, we secure that system throughout the entire phases of the life cycle, from inception all the way to disposal.
Hopefully, this was a helpful chapter for you