All submissions need to closely adhere to the below listed criteria; I will be stringent on accepting work.
Objective: Identify, formulate, and solve technical and policy challenges in an InfoSEC position.
Background: Dave Dandy, Owner of
David’s Dandy Doohickies (D.D.D.) has noticed that several of the
intranet servers are located in the system administrator’s cube and have
been for 3 months. The servers include these servers: a
web server that hosts the HR system; an internal email server that
routes mail destined for the “outside” to the world facing server in the
DMZ; and an internal only ftp server used to hold proprietary design
information on the new lone of framastats that D.D.D is developing.
The current server room at D.D.D. has no locks, cameras, or access lists. In fact, it still resembles the warehouse that it is housed in, lacking even a rudimentary fire extinguisher system. While there is a tape backup process, labels consist of small notes taped to each backup tape. There
is also no centralized log management; list of who has administrative
rights on any of the servers in the server room or outside the
Instructions: Remember there are three types of controls: administrative, technical, and policy. You first need to identify all of the security issues with D.D.D. Divide the issues identified into the three control categories. Each issue may over lap the categories and often do. For each issue, identify a specific technique in that control category to mitigate the issue. This is most easily done with a matrix but there are certainly many other acceptable ways.
You should seek controls that will provide the most security effectiveness for the money. That said, Dave will listen to reasonable proposals for spending his money.
Submit a matrix or other suitable way of expressing the relationship between issue, type of control, and type of mitigation. Use proper citations when appropriate, so a reference page will also be required. Remember
that security must be cost effective as well as effective so use wisdom
when deciding to use a control or a mitigation technique.
While there are non-access control issues that you may
include, the focus should be on those issues related to access control
as we have discussed during this course.
Note: this example may or may not follow the citation rules used by the school. You need to check the proper citation rules for yourself.
An organization has decided to implement a stronger password management system. For this one issue, a matrix could look like this:
Establish policy to require minimum length of 14 characters, mixed case and special characters (1997)
Enforce policy using PAM (2004).
Use OTP token to provide multi-factor RSA (2006)
Explanation of mitigation:
Authentication Module (PAM) will allow verification and enforcement of
more complex password rules than provided for in our current
A One Time Password (OTP) token such as MyPw will allow inexpensive multi-factor authentication (www.MyPw.com).
(1997). "RFC-2196, Site Security Handbook." Request for Comments Retrieved February 8, 2005, from http://www.ietf.org/rfc/rfc2196.txt.
(2004) OATH Reference Architecture Release 1.0. Volume, DOI:
RSA (2006). Making the FFIEC Guidance Operational, Balancing Authentication Methods with Online Banking Risk, RSA.