Hhewitt Networksecurity 1


Network Security 1

Errol Hewitt


Table of Contents

Network Security (week 1) ..... 2
PCF Organization ..... 3
Provide an overview of the existing network architecture, including the following: Network ..... 4
Topology ..... 5
Protocols allowed ..... 6
Connectivity methods ..... 7
Network equipment ..... 8
Number of routers, switches, and other network equipment such as VPN, concentrators, proxies, etc. ..... 9
A summary of the current security devices in use on the network ..... 10
List the type of device, the vendor, and provide a description of how the device is used ..... 11
Risk Analysis of the Network (week 2) ..... 12
Conduct an inventory of devices within PCF's network using appropriate tools ..... 13
Provide a summary of the number of desktops, laptops, network printers, and servers ..... 14
Identify key assets, i.e. sensitive information that needs special protection ..... 15
Prioritize each asset or group of assets and assign a value to each ..... 16
Create a subsection that will identify and describe the risks within the environment ..... 17
Natural disasters with possible chance that they could occur ..... 18
Provide a list of the tools and methodology that you used to conduct the risk assessment ..... 19
Threats (week 3) ..... 20
Identify and select appropriate technologies to protect against the risks that were identified, and provide an explanation as to why the technology was chosen ..... 21
Describe where you plan to place these technologies within the network and why ..... 22
Identify additional software that will be required to monitor the network and protect key assets ..... 23
Identify any security controls that need to be implemented to assist in mitigating risks ..... 24
Mitigate all of the risks that were identified during the assessment ..... 25
Network security policy (week 4) ..... 26
Identify what written policies need to be created for your organization ..... 27
For each policy, you will address how you plan to monitor the policy ..... 28
For each policy, you will provide what you feel the appropriate punishment should be for violators. These punishments must be enforceable, not just a threat ..... 29
For each policy, you will identify a timetable for when each policy should be reviewed and updated and who will do the review ..... 30
Identify the process of how your organization will identify an incident ..... 31
Identify the process for classifying the incident. What are the criteria for each classification within the organization? ..... 32
Identify what the response will be for each classification identified ..... 33
Identify a general plan to recover from the incident ..... 34
Identify a process for evaluating the incident response plan after each incident has been mitigated ..... 35
Discuss how the incident response plan will be tested and updated ..... 36
The security plan (week 5) ..... 37
Develop a plan to implement the security controls and policies that you identified in previous sections ..... 38
Develop a plan to implement new security devices that are required to monitor the network and the policies that were created or updated ..... 40
Describe how these controls, policies, and security devices have addressed the key security areas of confidentiality, integrity, authorization, and non-repudiation cryptographic services ..... 41


PCF Organization

PCF is an accounting firm that handles small and large corporation financial accounts.

The business includes accounts payable and receivable, auditing, financial analysis, and legal mitigation documents. Over the years the firm expanded nationally and internationally. It employs over three thousand employees, including some who work at off-site offices in other locations. The headquarters is in Albany, New York. PCF is staffed with people of different levels of expertise, from CFOs and CPAs to IT staff and lawyers. The off-site employees interact 24/7 with the IT personnel and other specialists on the network. Because of the constant flow of information over the internet between PCF and the clients of various corporations, it has become necessary to have policies and a sound architectural infrastructure that will safeguard against any kind of internet vulnerability.

The organization initially installed over six thousand mainframe desktops, including Hewlett Packard and IBM machines; over time Dell and Microsoft machines were added to the network. The operating systems include open source, UNIX, and Windows. These systems are still used in the organization. Initially the design of the existing network architecture was very secure, and over the years there were very few problems. However, as technology and the flow of information have become more complex, there is more demand for better written code and upgrades of the network.


PCF Network

The network is essentially data constantly passing from one system to another. Data is transferred in the form of packets, which prevents too much data from flowing all at once. Connections between nodes use either cable or wireless media. Devices are said to be networked together when one device is able to exchange information with another, whether or not they have a direct connection to each other.

Network Systems

The network includes the physical media used to transmit data signals, the communication protocols that organize network traffic, the network size, the topology, and the organization's intent.


Topology

PCF's local area network design is efficient and profitable and meets the standard of the organization. It is a peer-to-peer network consisting of thirty personal computers and printers, each with a network interface card. PCF has several locations in Albany, New York, but they share the same network. Every computer on the peer-to-peer network is equal; that is, no one computer is in charge of the others. Because a peer-to-peer network is simple and inexpensive to set up, the organization installed this design.

Figure: Local area network


Wide area network

Wide area networks (WANs) have become an efficient way to do business with many clients who operate internationally. As a result, PCF has established a network that is cost effective for handling international matters.

Figure: WANs


Protocols allowed

The communication that people have among themselves can vary but is still understood most of the time. However, when communicating with a computer, the language has to be exact. PCF expects proper communication within the system. The protocols used in the organization are:

Transmission Control Protocol and Internet Protocol (TCP/IP) – they are different procedures but are linked together in the system. Linking protocols lets them complement one another to carry out a specific task, especially when there are several layers of operation. Information sent over the internet is generally broken up into smaller pieces, or "packets". This facilitates speedy transmission, since different parts of a message can be sent by different routes and then reassembled at the destination. It also helps to minimize the loss of information in the transmission process.

User Datagram Protocol (UDP) – it is used together with the Internet Protocol when small amounts of information are involved.

Simple Mail Transfer Protocol (SMTP) – the most common protocol for sending mail. When configuring email clients, the internet address of an SMTP server must be entered.

Interactive Mail Access Protocol (IMAP) – allows the reading of individual mailboxes at a single account and is often found in business circles.

Hypertext Transfer Protocol (HTTP) – it provides the transmission of web content, with an encrypted form available for security-sensitive data. A web page uses the protocol name http at the front of its URL.

File Transfer Protocol (FTP) – it copies files over a network from one computer to another and also provides some simple file management of the contents of a remote computer.

PCF will use these protocols because they are a language established by international agreement, ensuring that computers everywhere can talk to one another.


Connectivity methods

In the past the only way to communicate was by using a device, primarily a phone with a cord. Today many of us use cordless or wireless products to communicate with one another. The ways we connect with one another can be:

Wireless – this connection is through a wireless router or network. The use of wireless hotspots to connect has increased greatly in recent years. A hotspot allows you to connect to an available wireless network, provided you have the login information for a hotspot account.

Broadband – applies if a computer is connected to a broadband modem (DSL). It requires login information such as a user name and password, which is provided by the ISP.

USB Tethering – consists of using the 3G internet connection of a suitably enabled mobile phone and sharing it with the computer it is connected to over USB. The USB link allows data to flow from the mobile phone to the computer. It is found on Android mobile phones and a few earlier phones.

Bluetooth – allows the transfer of data between two Bluetooth-enabled devices.

Figure: Connectivity methods


Network equipment

The equipment used in the organization is crucial to the business. Nearly everyone who uses a computer has lost data at some point. It is necessary that PCF invest in reliable network equipment. Some equipment that is essential for the life of the organization:

NetWare – which has a transaction tracking system (TTS). To protect files and databases in case of an unexpected system crash or power loss, it is necessary to have this equipment.

An uninterruptible power supply (UPS) is the best fault-tolerance method to prevent power problems from causing data loss and component damage. The device is either built into electrical equipment or a separate unit that provides immediate battery power to equipment during a power failure.

UPS in Windows 2000/2003 – The integration between a UPS and Windows shows how they provide service for the organization. The configuration covers (1) how to send out notifications of a power failure, (2) when to sound a critical alarm that the UPS is nearly out of power, (3) the ability to run a program just before the UPS is out of power, and (4) whether to shut down the computer and UPS just before the UPS is out of power.

NetWare 6.x – communicates with the UPS through a serial port connection using AIOCOMX and UPS_AIO. With UPS_AIO one can configure (1) how long to allow the computer to run on the UPS before NetWare shuts down, (2) when to send a shutdown warning message to users, (3) the port to which the UPS is attached, and (4) the type of signal sent from the UPS.

Figure: Server


Routers, Switches, VPN, Concentrators and Proxies

Routers are used to connect different network segments together. They operate at the network layer of the Open Systems Interconnection (OSI) model, using the network address (IP) to route traffic and using routing protocols to determine optimal routing paths across a network. There are two advantages of using routers in the network:

They don't forward broadcasts by default.
They can filter the network based on layer 3 (network layer) information, e.g. IP addresses.

Four router functions in the network can be listed as follows:

Packet switching
Packet filtering
Internetwork communication
Path selection

Routers are really switches; they are called layer 3 switches, they use logical addressing and provide what is called packet switching. The main purpose of a switch is to make a local area network function better, optimize its performance, and provide more bandwidth for the LAN's users. Switches don't forward packets to other networks as routers do; they "switch" frames from one port to another within the switched network.

Virtual Private Network (VPN) – a connection between two or more computers or devices that are not on the same private network. To ensure that only the proper users and data sessions cross a VPN device, data encapsulation and encryption are used.

Concentrators – their main function is to bring the network segment connections together in one place. They also have some built-in intelligence that enables them to monitor their ports. This prevents a single port from disabling the entire network segment.

Proxies, such as firewalls and other forms of IDS/IPS, are devices used to protect the network from outside intruders.


A summary of the current security devices in use on the network

A network must be of high quality, and for it to be that way the infrastructure has to be designed for that purpose. When individuals sit at their workstations they begin to face many challenges, including what information moves outside the organization and who is sending it. Workstations are attractive targets for crackers because they are numerous, can serve as entry points into the network, and hold the data that is commonly the target of an attack. Some security devices that PCF will use include:

Antivirus products – which are able to detect attackers who are ready to compromise the system.

Switches – a layer 2 device that acts as a mesh, where the addition of a new device can potentially create loops in the existing device interconnection.

Routers – a network traffic management device used to connect different network segments together. They operate at the network layer (layer 3) of the OSI model, using the network address (IP) to route traffic and using routing protocols to determine optimal routing paths across a network.

Although security is a term that is sometimes used superficially, the following steps will increase security immensely:

Remove unnecessary protocols such as Telnet, NetBIOS, and IPX.
Remove unnecessary software.
Remove modems unless needed and authorized.
Remove all shares that are not necessary.
Disable unnecessary user accounts, ports, and services.
If no corporate firewall exists between the machine and the internet, install one.
Keep the operating system (OS) patched and updated.
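The "Protocols allowed" list and the hardening steps above together amount to an allowlist: a host should expose only the approved protocols, shares and accounts. The script below is an added example (not part of the paper) that audits a constructed inventory of hosts against that allowlist. The host records, share and account names are made up; the port numbers are the standard IANA assignments for the named protocols, which is an assumption since the paper names protocols rather than ports.

```python
"""Audit host service inventories against an allowed-protocol list.

Added example, not part of the original paper. The hosts below are
constructed sample records; the allowed set follows the paper's
"Protocols allowed" section, and the forbidden set follows its
hardening steps (remove Telnet, NetBIOS and IPX, unnecessary shares,
unnecessary accounts). Port assignments are the standard IANA ones
(an assumption, since the paper names protocols, not ports).
"""
from dataclasses import dataclass, field

# Protocols the paper lists as allowed on the PCF network.
ALLOWED_SERVICES = {
    ("tcp", 25): "SMTP",
    ("tcp", 143): "IMAP",
    ("tcp", 80): "HTTP",
    ("tcp", 443): "HTTPS",
    ("tcp", 21): "FTP",
    ("udp", 53): "DNS",
}

# Services the hardening checklist says to remove unless authorized.
# IPX is not an IP service, so it is tracked as a protocol stack name instead.
FORBIDDEN_SERVICES = {
    ("tcp", 23): "Telnet",
    ("tcp", 139): "NetBIOS session",
    ("udp", 137): "NetBIOS name",
    ("udp", 138): "NetBIOS datagram",
}
FORBIDDEN_STACKS = {"ipx"}


@dataclass
class Host:
    name: str
    listening: list                               # (proto, port) pairs found listening
    stacks: list = field(default_factory=list)    # non-IP protocol stacks bound
    shares: list = field(default_factory=list)
    enabled_accounts: list = field(default_factory=list)


@dataclass
class Finding:
    host: str
    severity: str   # "high" or "medium"
    detail: str


def audit_host(host, approved_shares, approved_accounts):
    """Return the checklist violations found on one host."""
    findings = []
    for proto, port in host.listening:
        key = (proto, port)
        if key in FORBIDDEN_SERVICES:
            findings.append(Finding(host.name, "high",
                            f"{FORBIDDEN_SERVICES[key]} on {proto}/{port} should be removed"))
        elif key not in ALLOWED_SERVICES:
            findings.append(Finding(host.name, "medium",
                            f"service on {proto}/{port} is not on the allowed list"))
    for stack in host.stacks:
        if stack.lower() in FORBIDDEN_STACKS:
            findings.append(Finding(host.name, "high", f"{stack} stack should be removed"))
    for share in host.shares:
        if share not in approved_shares:
            findings.append(Finding(host.name, "medium", f"unnecessary share {share!r}"))
    for acct in host.enabled_accounts:
        if acct not in approved_accounts:
            findings.append(Finding(host.name, "medium", f"unneeded enabled account {acct!r}"))
    return findings


def audit_inventory(hosts, approved_shares, approved_accounts):
    """Map each host name to its list of findings."""
    return {h.name: audit_host(h, approved_shares, approved_accounts) for h in hosts}


def summarize(results):
    """Count findings by severity across all hosts."""
    counts = {}
    for findings in results.values():
        for f in findings:
            counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample inventory (hypothetical hosts, shares and accounts).
APPROVED_SHARES = frozenset({"Finance"})
APPROVED_ACCOUNTS = frozenset({"ehewitt", "mailadmin"})
SAMPLE_HOSTS = [
    Host("ws-albany-01", [("tcp", 80), ("tcp", 23), ("udp", 137)],
         stacks=["IPX"], shares=["C$", "Finance"], enabled_accounts=["ehewitt", "Guest"]),
    Host("mail-01", [("tcp", 25), ("tcp", 143), ("tcp", 8080)],
         enabled_accounts=["mailadmin"]),
    Host("fileserver-01", [("tcp", 21), ("udp", 53)],
         shares=["Finance"], enabled_accounts=["ehewitt"]),
]

if __name__ == "__main__":
    results = audit_inventory(SAMPLE_HOSTS, APPROVED_SHARES, APPROVED_ACCOUNTS)
    for name, findings in results.items():
        for f in findings:
            print(f"{f.severity.upper():6} {name}: {f.detail}")
    print("summary:", summarize(results))
```

In the sample run the workstation accumulates three high findings (Telnet, NetBIOS name service and the IPX stack) and two medium ones (the default administrative share and the Guest account), the mail server has one unlisted service on tcp/8080, and the file server is clean. The lists of listening services would in practice come from the inventory tools the paper discusses later; the point of the example is that the checklist becomes enforceable once it is written down as data.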


List the type of device, the vendor, and provide a description of how the device is used.

There is a list of devices and vendor recommendations that PCF uses in the organization. Many of them can be upgraded because of more advanced technology. The organization is concerned that sensitive information could be compromised at any time. Some devices with protection capabilities are:

Intrusion Detection System (IDS) – detects an attack and alerts or raises an alarm to IT personnel.

Intrusion Prevention System (IPS) – this device takes action to modify the environment, stop the attack, and reduce its effects.

Proxy Server – used to filter out undesirable traffic and prevent employees from accessing potentially hostile websites.

Anonymous Proxy – used to deal with cookies and other tracking mechanisms. It is designed to hide information about the requesting system and make a user's web browsing anonymous.

Caching Proxy – keeps local copies of popular client requests and is often used in large organizations to reduce bandwidth usage.

Content Filtering Proxy – examines each client request and compares it to an established acceptable use policy.

Honey pot – a device that watches, observes, and records information.

Vendors are a high priority for PCF. The equipment installed in the network system will decide the level of success of the organization. To decide on the type of vendor(s), the question is how and why the device will be necessary. PCF will have several vendors that can complement one another. The reasons that will allow the purchasing department to decide on any vendor include the following:


Evaluate the technology and see if a purchase is necessary.
Look at all the industries that offer products the organization needs and evaluate their strengths and weaknesses.
Look for packages that will accomplish the goals of the organization.
The acquisition of large and midrange computers is fairly routine. If a firm has an architecture in place, that architecture may dictate what new computer or other equipment to buy.


Conduct an inventory of devices within PCF's network using appropriate tools.

Network tools are generally useful for many individuals and businesses. They can be used for wired and wireless networks. Different types of tools are appropriate at different times. Some tools are used for network management, network security, network backup, and network monitoring.

Many of the tools overlap in their functions, i.e. a complete set of network management tools includes security, backup, and monitoring tools. These tools are often helpful in monitoring the performance of a network, such as connections and server uptimes and downtimes. They are helpful in analyzing and reporting the activities going on in the network. This set of tools includes a user interface that allows management of one's network remotely via the internet, from a desktop client on another computer, or from a mobile device.

PCF uses a number of devices that usually require appropriate tools whenever repairs, replacements, or upgrades are needed. Some of the devices used include servers, routers, modems, computers, firewalls, switches, hubs, and printers. The organization uses the "Web Server" because of the service that it offers. This web server allows someone to connect to the internet with a unique internet protocol address assigned by the internet service provider (ISP). The address identifies the computer's location on the network. PCF chose the web server because of its consistent record of 99.5% uptime.

The DSL router used throughout the system provides high speed internet service that competes with cable internet to provide online access to local customers. It operates over copper telephone lines like dial-up service, but is many times faster than dial-up and does not tie up the telephone line.

The switches are the Cisco Meraki MX, which makes it easy to deploy high quality infrastructure to large numbers of distributed sites. The MX is cloud managed, so installation and remote management are simple. The MX has a comprehensive suite of network services, eliminating the need for multiple appliances. The HP LaserJet Pro multifunction printer is used because of its reliability.


Provide a summary of the number of desktops, laptops, network printers, and servers.

The desktops used range from Hewlett Packard, Dell, and Microsoft to Apple. These desktops are used because they allow one to organize applications across multiple virtual desktops. It's a way to read your email on one, browse the web on a second, and do work in one's productivity software on a third, without the clutter of windows that are not being used. There are over four thousand desktops in use in the organization.

The laptops are the cordless Hewlett Packard, Apple, and Dell models, used in the organization because of their mobile capabilities. They are readily available and efficient, which makes employees more productive at all times. All employees must see to it that laptops are properly secured when not in use. Employees who conduct sales and accounting activities use laptops.

The HP LaserJet Pro multifunction printers are used because they are reliable and easy to use. The organization installed this brand of printer on the basis of good quality delivery. These multifunction laser printers deliver professional quality and offer the core workflow, wireless networking, and mobility features that are ideal for small and large businesses.

The Windows servers that are used provide: (1) core protocols for network connectivity between computers and other Transmission Control Protocol/Internet Protocol (TCP/IP) compatible devices; (2) automatic IP addressing with Dynamic Host Configuration Protocol (DHCP); (3) name resolution services, such as Domain Name System (DNS) and WINS. Both DNS and WINS allow users, computers, applications, and services to find the IP address of devices on the network, using the network basic input/output system (NetBIOS).


Identify key assets, i.e. sensitive information that needs special protection.

PCF is always concerned with the protection of its assets and the way they will be protected. There are three subcategories that IT looks at in protecting its assets: infrastructure, human resources, and data.

Infrastructure has to be securely designed to inhibit any hacker attack. A hacker is constantly probing the network to see who is there watching, and if possible to map the network for a future malicious attack. Hackers can be persistent when looking for vulnerabilities; this can be done by scanning systems for open ports and using commands such as ping and traceroute. It is therefore important that Information Technology personnel remain vigilant at all times to intercept intruders.

Data is the most important asset in the organization. There is sensitive information that must be protected. The software that stores this information has to be well written and properly secured. Cyber intruders' main concern is to invade the system for a number of reasons: (1) to compromise the system, (2) to crash the system, or (3) to take sensitive information entirely from the organization.

Human resources are always important in an organization. However, policies have to be upheld in order to maintain a viable organization. Employees who are not authorized to handle sensitive information must be forbidden to do so, and only Public Relations personnel may answer questions pertaining to the organization. Employees are responsible for logging off their workstations at all times.

These three areas of the organization are important in securing the company's assets.


Prioritize each asset or group of assets and assign a value to each.

The organization depends primarily on the data used throughout the network. Without the data the organization will not function. However, in the eyes of Information Technology (IT) personnel, an asset is anything of value: a useful or valuable thing, an advantage or a resource. These would include data, the systems the data is contained on, and the infrastructure that connects such systems. There is a symbiotic relationship among data, infrastructure, and human resources. They all work together to coordinate the activities of the organization, i.e. one can't do without the other.

Most top level executives today are starting to see that all three pieces of this IT paradigm make up the whole: data, infrastructure, and the people who run them. Not considering these three relationships or assets is failing to understand the full function of the organization. The times that PCF has had problems with its operation were due to improper evaluation and misjudgment of its system.


Create a subsection that will identify and describe the risks within the environment including natural disasters.

Some of the risks expected in the organization's operation can be identified as follows: root cause, downstream effect, and natural disasters.

Root Cause – People: even if a group's processes and technology are flawless, human actions (whether accidental or deliberate) can put the business at risk.

Process – Flawed or badly documented processes can put the business at risk even if they are perfectly followed.

Technology – The Information Technology staff may precisely follow a perfectly designed process, yet fail to meet business goals because of problems with the hardware or the software.

Downstream Effect – The infrastructure can work properly but at too high a cost, causing too little return on investment (ROI).

Performance – The infrastructure can fail to meet users' expectations, either because the expectations were unrealistic or because the infrastructure performs incorrectly. The reliability of the system can also affect the users' perception of the service's performance.

The infrastructure can fail to provide the platform or the components needed for end-to-end services to function properly, or even to function at all.

Security – The infrastructure can harm the business by not providing enough protection for data and resources, or by enforcing so much security that legitimate users cannot access data and resources.

Natural Disasters – Some factors are beyond the IT group's control but can still affect the infrastructure in a way that harms the business. Natural events such as earthquakes, fires, floods, and hurricanes will cause serious damage to the system.


Provide a list of the tools and methodology that you used to conduct the risk assessment.

Human error is the most frequent factor associated with a system failing to meet an organization's potential. The type of input used by the organization is the responsibility of the designers or architects. Any mistakes or flaws made during the inception of the system infrastructure will possibly show up at some point during operation.

It is important that the people who are in charge of the system operations must be:

Knowledgeable – Understand the organization's objectives and how to execute them.
Training – Every employee must have regular seminars in their area of expertise.
Authorization – Employees who are authorized to handle sensitive duties must be the ones responsible for the organization's properties.
Feedback – Get information from employees that will benefit the organization.

Return on investment can only be achieved when data, infrastructure, and human resources are working together. This can occur when the heads of the organization have the foresight (1) to envision long term goals for the organization, (2) to constantly upgrade the system, (3) to look for the latest ideas or technologies to protect the operation, and (4) to avoid hostile environments if possible.

Natural disasters are unavoidable, so it is important to have mitigation plans established at all times. The first step is to identify possible hazards of concern and make preparations in advance. The second step is to look at the cost that could be incurred and how to mitigate loss as much as possible, and the third is to decide what precautions to take for future hazardous events.


Identify and select appropriate technologies to protect against the risks that were identified and provide an explanation as to why the technology was chosen.

PCF's confidentiality and integrity rest solely on how clients' assets are cared for, so over the years the IT personnel's responsibility has been to provide safe ways to protect the various assets of the organization. Firewalls are used for enforcement in every area of the network. Some of the firewalls used include:

Stateful inspection firewalls – they keep track of each network connection between internal and external systems using a state table, which tracks the state and context of each packet in the conversation by recording which station sent what packet and when. They can expedite incoming packets that are responses to internal requests. If they receive an incoming packet that cannot be matched in the state table, they refer to the ACL to determine whether to allow the packet to pass.
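The state-table-first, ACL-second behaviour described for stateful inspection firewalls is easier to follow in code. The simulation below is an added example, not the paper's own material: the internal address range, the ACL rules, the idle timeout and the packet sequence are all assumed values chosen to show how an internal request creates a state entry, how the reply is expedited through that entry, how an unsolicited mid-stream packet is refused without consulting the ACL, and how an entry expires.

```python
"""Simulate a stateful inspection firewall: state table first, ACL fallback.

Added example, not the paper's code. The packets are constructed
5-tuples; the internal address range, the ACL and the idle timeout are
assumed values chosen to show the mechanism the paper describes.
"""
from dataclasses import dataclass
import ipaddress

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed PCF address space


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False   # TCP flow opener
    ts: float = 0.0     # seconds


# ACL consulted only when a packet has no state-table match.
# Each rule: (direction, proto or None, dport or None, action). Assumed rules.
ACL = [
    ("outbound", "tcp", None, "allow"),   # internal stations may open any TCP session
    ("inbound", "tcp", 25, "allow"),      # SMTP to the mail server
    ("inbound", "tcp", 443, "allow"),     # HTTPS to the web server
    ("inbound", None, None, "deny"),
    ("outbound", None, None, "deny"),
]


class StatefulFirewall:
    def __init__(self, idle_timeout=60.0):
        self.idle_timeout = idle_timeout
        self.state = {}   # canonical flow key -> last-seen timestamp

    @staticmethod
    def flow_key(pkt):
        """Direction-independent key so replies match the opener's entry."""
        ends = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
        return (pkt.proto, ends[0], ends[1])

    @staticmethod
    def direction(pkt):
        return "outbound" if ipaddress.ip_address(pkt.src) in INTERNAL_NET else "inbound"

    def acl_decision(self, pkt):
        d = self.direction(pkt)
        for rule_dir, proto, dport, action in ACL:
            if rule_dir == d and proto in (None, pkt.proto) and dport in (None, pkt.dport):
                return action
        return "deny"   # implicit deny

    def expire(self, now):
        """Drop state entries idle longer than the timeout."""
        for key, last_seen in list(self.state.items()):
            if now - last_seen > self.idle_timeout:
                del self.state[key]

    def filter(self, pkt):
        """Return (decision, reason) for one packet."""
        self.expire(pkt.ts)
        key = self.flow_key(pkt)
        if key in self.state:                      # part of a tracked conversation
            self.state[key] = pkt.ts
            return "allow", "state-table match"
        if pkt.proto == "tcp" and not pkt.syn:     # mid-stream segment with no state
            return "deny", "no state for non-SYN segment"
        action = self.acl_decision(pkt)
        if action == "allow":
            self.state[key] = pkt.ts               # the opener creates the state entry
            return "allow", "ACL permitted, state created"
        return "deny", "ACL denied"


def run_scenario():
    """Constructed packet sequence; returns the firewall's decisions in order."""
    fw = StatefulFirewall(idle_timeout=60.0)
    packets = [
        Packet("10.0.1.5", 51000, "203.0.113.10", 80, syn=True, ts=0.0),   # internal request
        Packet("203.0.113.10", 80, "10.0.1.5", 51000, ts=1.0),             # reply to it
        Packet("198.51.100.7", 4444, "10.0.1.5", 51000, ts=2.0),           # unsolicited, no SYN
        Packet("198.51.100.7", 4444, "10.0.2.20", 25, syn=True, ts=3.0),   # inbound SMTP
        Packet("203.0.113.10", 80, "10.0.1.5", 51000, ts=100.0),           # reply after idle timeout
    ]
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    for decision, reason in run_scenario():
        print(f"{decision:5} {reason}")
```

The scenario yields allow, allow, deny, allow, deny. The third packet is the instructive one: it targets the same internal port as the legitimate conversation, but because its source does not match the recorded state entry and it is not a session opener, it is dropped before the ACL is ever consulted. The last packet shows why idle timeouts matter for the state table: once the entry has aged out, a late reply is treated like any other unsolicited segment.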

Figure: Firewall protection

Circuit gateway firewalls – they operate at the transport layer. Connections are authorized based on addresses. They prevent direct connections between one network and another. They accomplish this by creating tunnels connecting specific processes or systems on each side of the firewall and then allowing only authorized traffic, such as a specific type of TCP connection for authorized users, in these tunnels.


MAC layer firewalls – they are designed to operate at the media access control sub-layer of the data link layer of the OSI network model. This enables these firewalls to consider the specific host computer's identity, as represented by its MAC (network interface card) address, in their filtering decisions.

Hybrid firewalls – they include a packet filtering firewall set up to screen all acceptable requests, which then passes the requests to a proxy server, which in turn requests services from a web server deep inside the organization's network.

Kernel proxy – it evaluates packets at multiple layers of the protocol stack by checking security in the kernel as data is passed up and down the stack.

Figure: Firewall

Figure: Network operation

PCF chose to go with these technologies because of the high level of security they offer. In the past the organization had problems with poor security measures, which were due to weak software writing and the limited tools available. Today the organization has a capable and dependable firewall installation to handle security issues.

Describe where you plan to place these technologies within the network and why; cover all layers of the OSI model.

When planning where to install technologies within the network, the factors to consider are primarily determined by how the users need to access the various devices that carry out the daily tasks. If cables need to be installed, one has to know where the cables are located and how they are arranged in order to maintain and troubleshoot network infrastructure issues. When determining cable locations and the cable routing strategy, one needs to know the locations and whether any obstacles could affect the performance of the cables. Any obstacles must be bypassed.

The location of connectivity devices is important to the matrix of the operation. A number of factors will be considered in the layout of PCF. One needs to determine the locations of hubs and patch panels. The network’s size determines where the hubs and patch panels are placed and how many are needed. The size of the network and the protocols that one needs to utilize are determined by how connectivity is established (i.e. hubs and switches can be used to connect building floors, and routers can be used to create an internetwork).

Servers need to be physically secured and protected from strikes and interruptions. There will be departmental servers for the network, which will be locked in closets. Ultimately, the strategy is to place all servers in a central data center; it will be easier to physically secure servers when they reside in a single data center. Servers that need to be accessed by all users in the organization must be placed where they can be connected directly to the backbone network.

Workstations, including computers, will have easy access to the location of the printers, and printers that release gases won’t be placed in close proximity to users.

Identify additional software that will be required to monitor the network and protect key assets.

The safety of the organization constantly requires additional ways to secure the system. In terms of the daily operation, there are tools that will always be available to mitigate the problems that arise. Some ways to monitor the system include:

Scanners- (1) A port scanner offers a quick way to scan a range of addresses and find all live machines on the segment. (2) NMAP is used to check how sensitive the intrusion detection system is by running scans at various stealth levels. (3) NLOG helps to organize and analyze the NMAP output; it makes it easy to sort the NMAP data into a single searchable database.

Sniffer- it listens to, or sniffs, packets on a specified physical network segment. This lets one analyze the traffic for patterns, troubleshoot specific problems, and spot suspicious behavior. Some sniffers include: tcpdump, windump, and ethereal.

Routers- track the source of a perpetrator found in a log file and maintain a record.

NCC- keeps track of scans for different companies with different configurations.

Swatch- it can notify one of any event in the messages or syslog files that might indicate a security problem, and can schedule the scans and run them automatically.

Open secure shell- it fixes problems by using both public keys and symmetric cryptography to encrypt the session starting from the first keystroke.

GNUPG- it helps in protecting people’s privacy, and can be used for any application, personal or commercial.
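As an added example of the Swatch-style monitoring described above (example code, not from the original paper and not Swatch itself), the following Python watcher scans syslog-format lines for patterns that might indicate a security problem and raises an alert when one source exceeds a failed-login threshold. The log lines, rule names and the threshold are constructed for illustration; the failed-password pattern follows the usual OpenSSH log line format.

```python
"""Swatch-style log watcher: match syslog lines against a small rule set and
collect alerts, with a per-source threshold for repeated login failures.

Added example, not from the original paper. The sample log and threshold are
constructed for illustration."""
import re
from collections import Counter
from typing import Dict, List

# Rule name -> compiled pattern. The ssh patterns follow OpenSSH's syslog wording;
# the sudo pattern matches PAM's authentication-failure message.
RULES = {
    "ssh_failed_password": re.compile(
        r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"),
    "sudo_failure": re.compile(r"sudo: .*authentication failure"),
    "ssh_accepted_root": re.compile(r"Accepted \w+ for root from (?P<ip>\S+)"),
}
FAILED_LOGIN_THRESHOLD = 3  # constructed: alert once a source reaches 3 failures

# Constructed sample log in syslog format (not a real capture).
SAMPLE_LOG = """\
Mar  1 10:00:01 srv1 sshd[2001]: Accepted publickey for alice from 10.0.0.5 port 51000 ssh2
Mar  1 10:00:05 srv1 sshd[2002]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Mar  1 10:00:07 srv1 sshd[2003]: Failed password for root from 198.51.100.7 port 40002 ssh2
Mar  1 10:00:09 srv1 sshd[2004]: Failed password for root from 198.51.100.7 port 40003 ssh2
Mar  1 10:00:15 srv1 sudo: pam_unix(sudo:auth): authentication failure; logname=bob uid=1001
Mar  1 10:01:00 srv1 sshd[2005]: Accepted password for root from 203.0.113.9 port 42000 ssh2
"""


def watch(log_text: str) -> Dict[str, List[str]]:
    """Scan every line against every rule; return alerts grouped by rule name.

    Single failed logins are only counted; an alert for a source is emitted
    exactly once, when its count reaches FAILED_LOGIN_THRESHOLD. Every other
    rule alerts on each matching line."""
    alerts: Dict[str, List[str]] = {}
    failures: Counter = Counter()
    for line in log_text.splitlines():
        for name, rx in RULES.items():
            m = rx.search(line)
            if not m:
                continue
            if name == "ssh_failed_password":
                ip = m.group("ip")
                failures[ip] += 1
                if failures[ip] == FAILED_LOGIN_THRESHOLD:
                    alerts.setdefault(name, []).append(
                        f"{ip}: {failures[ip]} failed logins (last user '{m.group('user')}')")
            else:
                alerts.setdefault(name, []).append(line.strip())
    return alerts


if __name__ == "__main__":
    for rule, hits in watch(SAMPLE_LOG).items():
        for hit in hits:
            print(f"ALERT [{rule}] {hit}")
```

In practice the same loop would read the live messages or syslog file as it grows; the rule table is the part an administrator extends, and the threshold keeps a single mistyped password from paging anyone.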

Identify any security controls that need to be implemented to assist in mitigating risks.

Security controls are technical or administrative safeguards against intruders that can cause damage to the organization. These controls can be further broken down into preventative, detective, and corrective controls, such as:

Preventative- firewalls, which are necessary to protect the network from outside intruders.

Anti-virus- allows better software to be installed to make the system more robust and secure.

Detective- monitoring the system, which means using appropriate tools to fix problems when they are identified.

IDS- any network mitigating devices that will provide the best possible solution for the network.

Corrective- using the system that is best suited for the organization. Some systems that are designed for a certain purpose might not work for another type of project.

Operating system upgrade- always know when to upgrade the system or design new software.

The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure.

Mitigate all the risks that were identified during the assessment phase.

The problems that PCF will face can be the lack of a proper and well-secured infrastructure. The servers will only be used for the organization’s purposes and must be constantly monitored by the IT personnel. The network will consist of a local area network and a wide area network. Both must operate independently of each other. This practice will help to mitigate vulnerabilities and will be a way to track malicious perpetrators’ IP addresses.

The protocols will be the measures taken to allow for efficient working conditions. Protocols will be easy to follow, but must be adhered to and enforced by the IT personnel. Protocols will be both technical and human-resource oriented. In terms of the technical aspect, IT must use the proper monitoring devices and adhere to the organization’s policy. Employees who perform duties that are highly classified must be authorized and properly authenticated. There must be constant checks and balances between upper-level management and IT personnel.

Identify what written policies need to be created for your organization.

The organization has created policies that will foster proper working habits and better relationships among employees. The policies that are instituted are:

Policy (1) PCF will review its wireless encryption and confirm that it is using the appropriate level of encryption.

Policy (2) the organization will keep a record of all laptop computers and ensure that any computers with remote access are encrypted.

Policy (3) the organization must be aware of hacking that can occur from physical access to the server room as well as from external hacking.

Policy (4) employees must never click past security certificate warning screens. If it happens, (IT) must be notified immediately.

Policy (5) managers must be aware of “water cooler” talk among employees that may indicate a breach has occurred. This includes numerous employees complaining of fraud on personal accounts.

Policy (6) the organization must ensure that it has a security response plan prepared in the event that some kind of incident does occur.

Policy (7) if management or employees notice any suspicious activity, local law enforcement must be contacted.

Policy (8) unauthorized employees aren’t allowed to handle sensitive information.

Policy (9) passwords must be changed bi-annually.

Policy (10) monitors must be locked if they are not in use.

Policy (11) evaluate policies and make necessary adjustments.

Policy (12) avoid dealing with hostile environments.

For each policy, you will address how you plan to monitor the policy.

Policy (1) PCF’s responsibility for any form of encryption activity will be based on the type of activities that have been assessed. If there are malicious attempts on the system as a result of hackers compromising it, tools such as “OPENSSH and JOHN the RIPPER” will be used to monitor and identify perpetrators.

Policy (2) users of any computer must report its loss to Information Technology (IT) personnel so that they can track discrepancies or malicious attacks on the system. A daily entry to the (IT) log must be made whenever a user operates a personal computer.

Policy (3) in the case of physical access to the system, namely servers, (IT) must install tools such as FPORT, LSOF, and the UNIX and WINDOWS log files. These tools have forensic capabilities for (IT) to use in future investigations.

Policy (4) if users click beyond the security certificate warning screen, (IT) must establish a warning system that will alert employees of where they are on the system.

Policy (5) any actions showing suspicious behavior must be reported immediately. The reporter will remain anonymous.

Policy (6) PCF will have a response plan in case there is a disaster. Reproduction of software will be in place, servers will have the capability to switch to remote servers in case of fire, flood or other disasters, and backup generators will be in place in case of an electrical outage.

Policy (7) a business remains viable when there is a constant physical presence. Law enforcement will perform the necessary precautionary measures when called upon.

Policy (8) all employees of PCF will know what their duties are and must adhere to the necessary protocols of the organization.

Policy (9) hackers become frustrated with difficult encryption. However, over time they will decrypt it if it is not changed. Passwords must be changed bi-annually.

Policy (10) an unauthorized employee can become curious, just as a hacker does, and decide to take advantage of sensitive information. Monitor for hackers, and terminate employees who deliberately abuse organization policy.

Policy (11) if some protocols are not effective for the organization, adjustments must be made. Upper level management, IT personnel, and employees must assess and evaluate and arrive at a policy change or some form of upgrade for the organization.

Policy (12) some organizations as well as countries can see PCF as an opportunity for phishing and eventually find a way to gain entry to the organization’s network and obtain sensitive information. Constant monitoring and upgrading of the system must be a high priority.

For each policy, you will provide what you feel the appropriate punishment should be for violators. These punishments must be enforceable, not just a threat.

Policy (1) if the appropriate level of encryption was deliberately not used, then the violator must be removed or fired. If it was a lack of training, then training must begin immediately.

Policy (2) many organizations today give laptops to their employees. PCF’s policy allows for routine investigation. If it is found that the loss of a laptop is the result of carelessness, that employee must be warned. If it happens a second time, the employee must be relieved of his or her position.

Policy (3) it can be difficult to find the hacker who wants to invade the system. However, if it is an employee who wants to commit a breach, he or she must be reported to the legal authorities and finally removed from the organization.

Policy (4) for activities that are not authorized by (IT), upper level management must make the final decision on that employee’s fate.

Policy (5) employees who have inappropriate discussions pertaining to the organization are in violation of the organization’s policy. If there are strangers nearby, there can be a breach in the making that could hurt the organization. Employees must be advised against “water cooler” talk. If the behavior continues, the employee who is caught will be terminated.

Policy (6) at some point PCF will experience some kind of incident. Once an incident happens, employees must immediately follow protocols. If (IT) wants the computers to be logged off or locked, employees must do so accordingly. Employees will be given a warning against negligent behavior. Refusing to comply with protocol will end in termination from the company.

Policy (7) any suspicious activities will guarantee the presence of law enforcement. Appropriate action will take place if there is a crime against the organization.

Policy (8) an employee who willfully handles or tries to extract sensitive information will be immediately terminated from the organization.

Policy (9) failing to change passwords and leaving sensitive information on the computer will result in a warning, followed by termination if it continues.

Policy (10) carelessness will not be tolerated in the organization. There are enough problems with hackers trying to break into the system and remove information. A warning is given, followed by removal from the organization.

Policy (11) upper level management and (IT) are responsible for the revision of the policies. Failing to make the proper assessments, evaluations, and necessary revisions of the policy will ultimately mean the removal of everyone in the organization when it goes under.

Policy (12) some organizations and countries are dangerous to do business with because of their geopolitical ideology. Sometimes these ideas can play into the organization’s progress. Many of them are bent on infiltrating the organization in order to get sensitive information. Failing to stop doing business with them can result in termination.

For each policy, you will identify a timetable for when each policy should be reviewed and updated and you will do the review.

Policy (1) if there is a critical incident caused by a malicious entry into the system, there must be a critical review to see what happened and how frequently the system should be monitored to mitigate future problems. (IT) personnel must be responsible for reviewing the policy twice a year.

Policy (2) supervisors of each department and (IT) are responsible for all wireless and laptop devices, including those of employees who have remote access. The inventory and review of the various departments must be done bi-annually.

Policy (3) constant monitoring of servers, data, and other devices must be done. However, an annual review of the policy must take place by authorized supervisors and (IT).

Policy (4) this occurrence seldom happens, so if there is a need to review the policy, only (IT) is responsible for such a review, whenever it is necessary.

Policy (5) employees must be warned against “water cooler” talk. Upper level management and supervisors must enforce the policy. Whether a review is necessary depends on the frequency of occurrence.

Policy (6) flood, fire, hurricane, and severe winter conditions are major factors that can create havoc for the organization. The network can come to a halt if proper measures are not taken against these factors. Upper level managers, supervisors, and (IT) must review the policy annually.

Policy (7) upper level management and law enforcement personnel must review the policy when there are suspicious behaviors or activities. The review of the policy depends on the imminent danger to the company.

Policy (8) authorized managers, supervisors, and (IT) are responsible for reviewing sensitive information bi-annually.

Policy (9) authorized managers, supervisors, and (IT) must see to it that employees’ passwords are updated and properly authenticated bi-annually.

Policy (10) supervisors or managers must make regular inspections of computer safety and have a monthly review of the computers and network system.

Policy (11) an annual review of the entire list of policies must be audited and reviewed by upper level managers, supervisors, (IT), and some authorized employees.

Policy (12) departments that are involved with international or local businesses must do an annual review of ethical conduct. This must be done by upper level managers.

Identify the process of how your organization will identify an incident.

There are precautions that are necessary to take in the event of unfortunate surprises. PCF’s incident response and recovery team (upper level management, IT, supervisors, and public safety) has put in place a plan that requires one to be observant, report any suspicious activities, pay close attention to very sensitive assets, and see to it that employees follow protocols at all times. The conditions that help in identifying an incident will be based on deviation from the organization’s plan. PCF’s plan is based on the following:

Preparation- setting up systems to detect threats and policies for dealing with them, including identifying the roles staff will play in incident response and creating an emergency contact list.

Identification- identifying what the threat is and/or the effects it is having on your systems and network, including keeping records of the time, the systems involved, and what was observed, and making a full system backup as soon as possible after the intrusion is observed, to preserve as much information about the attack as you can.

Containment- limiting the effects of an incident by confining the problem to as few systems as possible and freezing the scene so that nothing further happens to the compromised system(s), by disconnecting their network connections and possibly the console keyboard.

Eradication- getting rid of whatever the attacker might have compromised, by deleting files or doing a complete system reinstall.

Recovery- getting back into business by putting the system back into normal operation, reconnecting it to the network, and restoring from backup if necessary.

Follow-up- if possible, tightening security so that the intrusion cannot happen again, and determining the “cost” of the intrusion based on staff time, lost data, and lost user work time.

Identify the process for classifying the incident. What are the criteria for each classification within the organization?

The incident response team will determine the degree of preparation. Prior to an incident, staff must ensure that everyone who will be involved is properly trained and has the formal tools for detecting and responding to the incidents that might occur. If there is a security breach, there will be a current external contact list of service providers and other organizations that need to be contacted during the security incident.

PCF will also have to focus on determining whether or not a security incident has occurred and, if one has, determining the type and severity of the incident. Specific employees must be assigned to reviewing and documenting possible security breaches and will develop an incident classification system (e.g. low, medium, or high severity). Everyone will know when the response team will be activated and when the organization’s management is to be notified that an incident has occurred.

The scope of any incident can range widely and spiral out of control if there is no set direction. There will be formal processes for determining whether or not law enforcement should be contacted about an incident and whether or not systems impacted by an incident should be allowed to operate. Individuals who are closely involved with systems operation must be aware of every function.

There will be a mitigation process for reviewing the possible cause of any type of incident, to see the method of occurrence and how it started (e.g. log review, camera data review, and other external behavior). PCF expects that once all the necessary evaluations are made, there will be time to recover any type of loss to the organization and install tighter security measures.

Identify what the response will be for each classification identified.

PCF’s incident response team will conduct six steps: training protocol, problem recognition, controlling the site, removing tampered items, restoring credibility, and the mitigation plan.

Training protocol- individuals who are involved with the response team are expected to listen to those in authority. Those who are responsible for data must follow the process for protecting files and other sensitive information.

Problem recognition- be able to spot unusual events, report them immediately, or document them along the way. If the network tends to be slow, ask questions and be ready to get (IT) involved.

Controlling the site- panic will set in under any circumstances if there is no sense of order. Individuals who are trained to handle all the affairs during an incident must be ready to give appropriate directives when called upon.

Remove tampered items- if it is shown that the incident escalates to a forensic matter, then law enforcement must be involved before any tampered materials are removed.

Restore credibility- the organization has to get back to business so that clients will have confidence in the normal operation of the organization.

Mitigation plan- the network infrastructure will continue to be monitored and upgraded; employee negligence and natural disasters will be factors that PCF will look at carefully.

Identify a general plan to recover from the incident.

The recovery plan for PCF will involve an extensive analysis of the organization, which will include: (IT), infrastructure, data backup, resources, continuity requirements, and disaster prevention methods. There will be phases that the organization will institute during the process. The phases and the plan are as follows:

Phase 1- data collection
1. The project should be organized with a timeline, resources, and expected output.
2. A business impact analysis should be conducted at regular intervals.
3. A risk assessment should be conducted regularly.
4. Onsite and offsite backup and recovery procedures should be reviewed.
5. An alternative site location must be selected and ready for use.

Phase 2- plan development and testing
1. Development of the disaster recovery plan.
2. Testing the plan.

Phase 3- monitoring and maintenance
1. Maintenance of the plan through updates and review.
2. Periodic inspection of the recovery plan.
3. Documentation of changes.

Instructions on recovery plan

Identify a process for evaluating the incident response after each incident has been mitigated.

There are many ways to erect a process for evaluating incident response after incidents have been mitigated. However, PCF has decided to look at a few steps that are efficient as a process. The following steps have been used effectively before:

Define and map the system- understand what might go wrong in the network and how to restore it. Laying out the different functions that must be performed and how they link together defines the structure and bounds of the analysis (i.e. in case of a fire, have areas available for storage, and public safety personnel protecting sensitive materials).

Identify failure modes- this is the “observable manner in which a component fails” (Ebeling, 1997, p. 168), which in this case would be the ways that the performance of different parts of the response system would break down. These are usually staffing or human error problems, or equipment breakdowns.

Assess the probability of occurrence of different failure modes- the probability that an incident will occur is certain. However, the degree of failure is not, and preparation for failure and its cost must be considered. For example, if the failure mode of concern for response is a communications system breakdown and there are both a primary and a backup system, the probability of the failure would be the probability that both systems failed.

Assess the failure mode effects and their severity- this is generally the stage for questions and answers (i.e. what is the effect of the failure mode’s occurrence on overall system performance?).

Every one of these steps must be understood, protocols must be followed, careful documentation must be taken, and a full transparent report must be available to the clients.

Discuss how the incident response plan will be tested and updated.

The testing and updating of the incident response plan will show the effectiveness and the quality of service that will be delivered in the long run. The following highlights the next steps the organization will take in this scenario:

The person in charge of public relations (PR) must articulate PCF’s initial response to reporters or the public: at this stage, whatever rumor is heard of a virus attack on the system is “hearsay”; however, everything is under investigation.

The incident response team should contact (IT) to discuss the allegation and to formulate an in-depth response strategy.

The incident team leader should meet with (IT) to establish whether there is a virus attack on the system. If the allegation is true, both the incident team and (IT) leaders must document the incident and initiate additional data collection and analysis activities.

After additional data collection and analysis, if the claim is determined to be true, the incident response and (IT) leads must establish a conference bridge to communicate the known and unknown, and action items, to the incident response team, the (IT) team, and upper level management, following a need-to-know approach.

Once there is a resolution to the problem and the system is found to be clear, the public relations personnel (PRP) must notify the public to remove any doubt connected with the organization.

The public wants to know the strengths, weaknesses, opportunities, and threats of the organization’s programs, plans and processes in regard to the incident.

The organization must find ways to establish an environment that encourages testing and updating of the system.

Describe a plan to implement the security controls and policies that you identified in previous sections.

During the initial stage of PCF’s operation, there were few complications in doing business and not many security alarms to think about. However, as the business expanded and the demand for new technological implementation grew, there was a concern about security. An assessment was made to investigate the working progress of the organization’s network infrastructure. The emphasis was primarily on the organization’s assets, in protecting the confidentiality, integrity, and availability of its information and information systems. PCF has had significant weaknesses in the past and still has them, even though improvements have been made in the controls designed to protect the confidentiality, integrity, and availability (CIA) of its sensitive information and information systems. The computer networks and systems have many electronic access control vulnerabilities related to network management, user accounts, passwords, user rights and file permissions, auditing, and monitoring of security-related events.

PCF has decided to take some rigorous steps to mitigate these vulnerabilities by implementing new designs of intrusion detection system (IDS), which include firewalls, switches, routers, and better designed servers. In addition, other steps will be to search for weaknesses that exist in other types of controls designed to physically secure computer resources. The organization will develop and implement a program that will exclusively track vulnerabilities in all areas of the network system.

There are protocols that must be adhered to for an organization to remain productive and viable. PCF must conduct suitable background investigations, segregate duties appropriately, and prevent unauthorized changes to application software. Employees who are authorized to handle sensitive materials are solely responsible for them. There must not be any discussion of sensitive information with other employees, whether authorized or unauthorized.

Develop a plan to implement new security devices and modify existing security devices that are required to monitor the network and the policies that were created or updated.

The constant attacks on the network have allowed for the implementation of new security devices. These devices will be able to detect vulnerability issues and have the capabilities to handle them. Firewalls will be included in the implementation plan. Other devices to be used include:

Management device- there is a device known as NOCPulse that monitors and reports the results to an off-site management center. It can alert you when something goes wrong. An employee can monitor his/her network from the company’s website.

Performance enhancement- with this approach, the secure shell (SSL) is involved. It provides data encryption, authentication on both ends, and message integrity using certificates. Messages that are sent are protected while in transit through the system.

Traffic management- if one is going to enhance performance, it helps to also know what traffic needs enhancement and what doesn’t. A device such as the NetScaler Request Switch can inspect the contents of traffic entering the network and then, depending on what it finds, direct it to the proper server or appliance. This allows one to aim traffic at the devices that best handle it, improving the network’s overall efficiency.

Load balancers- traffic management devices sort traffic according to the characteristics of what’s inbound, whereas load balancers take their cues from what’s happening on the servers. These devices monitor the performance of a server and, in some cases, the cost of the route to that server, and choose a destination that will maximize performance, minimize cost, or both. Because of the volume of traffic that must pass through them, load balancers must have very high performance. Going forward, the line between traffic management devices and load balancers will likely blur, because their functions are so complementary that a combination of the two tasks makes sense for users.

Storage- a solution is to offload storage processing from the servers to specialized storage appliances.
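As an added example of the traffic management and load balancing behavior described above (example code, not from the original paper and not the NetScaler product), the following Python sketch first inspects each request's host and path to choose a server pool, the way a request switch does, then picks the healthy server in that pool with the fewest active connections, the way a load balancer does. The hosts, pools, servers and requests are constructed for the example.

```python
"""Content-based request routing combined with a least-connections load
balancer that honours health checks.

Added example, not from the original paper. The route table, pools and
requests are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Server:
    name: str
    healthy: bool = True   # result of the last health check
    active: int = 0        # connections currently assigned to this server


@dataclass
class Pool:
    servers: List[Server]

    def pick(self) -> Optional[Server]:
        """Least-connections choice among healthy servers; None if all are down."""
        candidates = [s for s in self.servers if s.healthy]
        if not candidates:
            return None
        chosen = min(candidates, key=lambda s: s.active)  # first server wins ties
        chosen.active += 1
        return chosen


# Traffic management table (constructed): (host, path prefix, pool name).
# The longest matching prefix wins, so /api/ beats the catch-all "/".
ROUTES: List[Tuple[str, str, str]] = [
    ("www.pcf.example", "/static/", "static"),
    ("www.pcf.example", "/api/", "api"),
    ("www.pcf.example", "/", "web"),
]


def classify(host: str, path: str) -> Optional[str]:
    """Inspect the request and return the pool it belongs to, or None."""
    matches = [(len(prefix), pool) for h, prefix, pool in ROUTES
               if h == host and path.startswith(prefix)]
    return max(matches)[1] if matches else None


def route(pools: Dict[str, Pool], host: str, path: str) -> str:
    """Return the chosen server name, or a reason the request was not forwarded."""
    pool_name = classify(host, path)
    if pool_name is None:
        return "reject: unknown host"       # unmatched traffic is not forwarded anywhere
    server = pools[pool_name].pick()
    if server is None:
        return f"503: pool {pool_name} has no healthy server"
    return server.name


def demo() -> List[str]:
    """Route seven constructed requests and return the decisions in order."""
    pools = {
        "static": Pool([Server("static1")]),
        "api": Pool([Server("api1"), Server("api2", healthy=False)]),  # api2 failed its check
        "web": Pool([Server("web1"), Server("web2")]),
    }
    requests = [
        ("www.pcf.example", "/static/logo.png"),
        ("www.pcf.example", "/api/v1/orders"),
        ("www.pcf.example", "/api/v1/orders"),   # api2 is down, so api1 again
        ("www.pcf.example", "/index.html"),
        ("www.pcf.example", "/index.html"),      # web2 now has fewer connections
        ("www.pcf.example", "/index.html"),      # tie: back to web1
        ("evil.example", "/"),                   # no route for this host
    ]
    return [route(pools, h, p) for h, p in requests]


if __name__ == "__main__":
    print(demo())
```

Two details carry the security point: a request for a host the switch does not know is rejected rather than passed to a default server, and a server that failed its health check is never selected, even when it would otherwise have the fewest connections.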

Describe how these controls, policies, and security devices have addressed the key security areas of confidentiality, integrity, authentication, authorization, and nonrepudiation cryptographic services.

The network system is the medium that conveys information and other data upon request. Many of these controls are either wired or wireless, and at points they are invitations to vulnerabilities. The infrastructure is the main concern, and more emphasis will be placed on making it more robust. Other additions will include the type of intrusion detection system (IDS) and the individuals who are responsible for the handling of sensitive information. Some (IDS) will include: switches, hubs, routers, and cables. These controls will establish and regulate the relationship among the computers and the network system.

As for the policies that will be instituted, there will be guidelines or protocols for reinforcing and reassuring the confidentiality, integrity, authenticity, authority, and non-repudiation of the organization.

In order to establish confidence in the organization, there must not be lingering and frequent mishaps in the network, as this will be cause for concern to the clients. The organization must find ways to mitigate problems at all times. All employees must have passwords that are difficult for hackers, and these must be changed bi-annually (Information resources, 2006) (Rash, 2003) (Schou & Shoemaker, 2007). Those who are responsible for handling sensitive data or information must be properly authenticated and authorized by upper level management and authorized (IT) personnel.


References

Aven, T. (2008). Understand and describe risk.

Avolio, F. (2005). Firewall and internet security: the second hundred (internet) years.

Brooks, C. Maintaining and repairing PCs. Pearson Education, ISBN: 970132409810.

Corazon, D. (2014). Network monitor tools.

Dheelan Rai, S. Connection to computer network.

Drapkin, M. (2010). Policies and procedures.


Howlett, T. (2005). Open source security tools. Pearson.

Information resources. (2006). GAO Report.

Jackson, B., Sullivan, K. F., & Willis, H. H. (2012). Evaluating the reliability of emergency response systems for large-scale incident operations. RAND Health Quarterly.

Lammie, T. John Wiley and Sons Inc, ISBN: 9780132409810.

Licklider, J. (1962). Intergalactic Computer Network.

Lucas, H. (2005). Strategic decision making for managers. John Wiley and Sons.

Manage your profile. (2014). Microsoft.

Markey, S. (2012). Testing your computer security incident response plan.

Napier, A. H., Judd, P. J., River, O., & Andrew, A. Course Technology; ISBN: 061906319X.

Northcutt, S. (2009). Security Laboratory.

Prosise, C., & Mandia, K. Investigating computer crime. McGraw-Hill; ISBN: 00723829.

Rash, W. (2003). Easing the load at the edge. InfoWorld, Vol. 25, Issue 12.

Russinovich, M., & Cogswell, B. (2012). Desktop VS 2.0.

Schou, C., & Shoemaker, D. (2007). Information assurance for the enterprise: A road map to security. McGraw-Hill, ISBN: 9780072255249.

Sensitive data definition. (2009). Virginia Community College.

Simonski. (2004). Threats and your assets: what is really at risk.

Steve, M. (2012). Testing your computer security incident response plan. ISACA.

Whitman, M. E., & Mattord, H. J. Cengage Learning; ISBN: 9781111138219.