We need to obtain for ourselves what we provide for the decision-makers of our business: a basic understanding of the issues involved, and enough information to enable us to perform sound planning and budgeting. This is a road that our IT counterparts have been walking for more than a decade. They can help us out.
It would be wise on our part to enable productive discussions by taking a little time to understand some of the basics of computer and network security. We need to be able to stay awake during those discussions without having to prop our eyelids open or drink five gallons of coffee.
The purpose of this article, and those that will follow on this subject, is to provide us with a comfortable familiarity with key aspects of computer and network security. Sound good? Let’s get started.
A network is a group of two or more computers linked together so that information and requests can be passed between the computers. Information can be text, programs, audio, video, spreadsheets, databases, files, etc. Requests can be you (the computer user) asking for information, calling up a Web page, sending an e-mail, etc. Requests can also be the computers coordinating between themselves, like this:
“What is your status?”
“Do you have this file?”
“Can you send it to me?”
“How long is it?”
“Are you ready?”
“Did you get it?”
“Yes, got 20,000 bytes!”
Computers are very efficient and fast, and do a lot of coordinating as we operate them, but as they have lots of bandwidth and speed, we hardly notice most of the time.
Computers send information and requests over a network in packets. There is a limit on how much information the computers can put in each type of packet, just like we have varying sizes of FedEx envelopes and boxes. Only so much information can fit in each.
Because there is a limit, the computer may have to break up large quantities of information and send them in several packets. Each of these packets is marked as “1 of X packets” — just like in our shipping procedures we would mark a set of packages that go together. This enables the destination computer to know if all the packets were received, and it also enables the computer to reassemble the total information in the correct order.
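The splitting and reassembly described above can be sketched in a few lines of Python. This is an added example, not part of the original article: it models the article's simplified "1 of X" labels rather than real TCP/IP headers, and the 8-byte packet limit, the sample message and the function names are all constructed for illustration.

```python
from __future__ import annotations
import random

MAX_PAYLOAD = 8  # constructed per-packet size limit for this example (bytes)

def packetize(data: bytes, limit: int = MAX_PAYLOAD) -> list[dict]:
    """Split data into packets, each labelled "seq of total"."""
    chunks = [data[i:i + limit] for i in range(0, len(data), limit)] or [b""]
    total = len(chunks)
    return [{"seq": n, "total": total, "payload": c}
            for n, c in enumerate(chunks, start=1)]

def reassemble(packets: list[dict]) -> tuple[bytes | None, list[int]]:
    """Return (data, missing); data is None while any packet is missing."""
    if not packets:
        return None, []
    total = packets[0]["total"]
    received = {}
    for p in packets:
        # Reject labels that disagree with the rest of the set.
        if p["total"] != total or not 1 <= p["seq"] <= total:
            raise ValueError(f"inconsistent label: {p['seq']} of {p['total']}")
        received.setdefault(p["seq"], p["payload"])  # ignore duplicates
    missing = [n for n in range(1, total + 1) if n not in received]
    if missing:
        return None, missing
    # Sort by label so arrival order does not matter.
    return b"".join(received[n] for n in range(1, total + 1)), []

def demo():
    message = b"Door 14 forced open at 02:13"  # constructed sample data
    packets = packetize(message)               # 28 bytes -> 4 packets
    random.Random(7).shuffle(packets)          # delivery may be out of order
    data, missing = reassemble(packets + [packets[0]])  # plus one duplicate
    lost = [p for p in packets if p["seq"] != 3]        # packet 3 never arrives
    return data, missing, reassemble(lost)

if __name__ == "__main__":
    print(demo())
```

The destination recovers the full message despite shuffling and a duplicate, and when packet 3 is dropped it reports exactly which piece is missing instead of delivering incomplete data.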
Some of the communication procedures that computers follow enable the transmission of information to be well-controlled, and other procedures enable the communication to take place over the Internet. Thus, those procedures are called Transmission Control Protocol and Internet Protocol, or TCP/IP for short, and simply IP for even shorter. An IP-enabled security system is one whose communications can be handled by standard networks, because the computers and security devices follow the right communications procedures.
Standards-Based Networks Are Affordable
This is where economics enters the picture. Our computers and security devices do not have to manage how they communicate with one another over distances large and small. They let the network perform that job, and the job is performed well because the network consists of devices that are dedicated to nothing but handling the communications in a fast and robust manner. Using common technology for communications lowers the cost of our security systems. This approach is what enables our businesses to have a proliferation of different information systems working together affordably to support the business. It is a good strategy, and now our security systems can take advantage of it, too.
Everything is a Computer
Here is a little secret that IT knows. It is not really a secret, but it is so basic to everything “IT” that they simply do not think to tell us about it. So as far as we are concerned, it has been a secret. When it comes to the network, everything is a computer. Every device that is part of a network is a computer of one kind or another. These devices may be called something else (e.g., router, switch, server, host, firewall), but they are still just computers. They are built with computer chips.
Some of the chips have computer instructions on them and are called firmware chips. This is to distinguish them from software instructions — which are called “soft” because they are easily erasable and changeable while on a tape or a disk drive.
Once put in a chip, the instructions cannot be changed or can only be changed in limited ways, which makes them more “firm” than software.
Firmware chips hold the instructions of what to do. Other chips are memory chips that store the information being handled. A few of the chips are processing chips (like the familiar Pentium chip, which is a CPU or central processing unit chip). The processing chips perform the work according to the instructions in the firmware.
Other chips handle the input and output of information, called I/O chips. Put them all together and you have a computer — a device that can send and receive information, and can process and store that information according to the instructions on its chips.
That is what all the network devices do. Each type of device has a dedicated function with regard to handling the information on the network. We do not call the network devices “computers” even though they are, just like we do not refer to the individuals who run a train system as “people” — we call them conductors, brakemen, switchmen and engineers. Similarly, we call the network devices by specific names based on the roles that they perform.
This is the first of a series of articles designed to de-mystify network and IT security for physical security directors. The next article in the series will take a closer look at network devices and their roles, including security roles.
Ray Bernard, PSP, CHS-III is the principal consultant for Ray Bernard Consulting Services (RBCS) (www.go-rbcs.com).
Jim Litchko, CAS, is a senior information systems security author and strategic advisor. He has more than 25 years of experience assessing and developing information technology (IT) security solutions. He has held senior executive positions and advised executives at several of the largest commercial IT security companies. During his 20-year Navy career as a surface warfare and cryptographic officer, he led efforts supporting military actions in the Atlantic, Pacific, European, Mediterranean, African, and Middle East Theaters of Operations. Since 1988, he has been an instructor for computer and network security at Johns Hopkins University, the MIS Training Institute, and the National Cryptologic School. Mr. Litchko has authored or co-authored the following books: “KNOW Your Life,” “KNOW IT Security,” “KNOW Cyber Risk,” and “Cyber Threat Levels Response Handbook.”