Adrian, During this week’s discussion board, we will be discussing the specific recommendations that we would make based on personal researches and experiences. Afterwards, we will then discuss the impacts of the lack of access controls and auditing. Additionally, we will then discuss how can, technology be used as an enabler as well as a facilitator of effective access controls and auditing. Then we will discuss how to apply the lessons that we learned from that story to our own company problem. Discuss the specific recommendations that you would make based on your personal experience and research. First off, it is not a good idea to have multiple people on the same shared access due to situations like what was read in the story mentioned. To prevent something like this from happening soon, every employee needs his or her own personal account along with their own password and must have some type of log system to show who shared what on a date, time, and place so that there would not be another situation like what happened in the story that was read. There should be software set in place that works along the side of a DLP device to prevent people from sharing to a paste bin if they are not authorized to share that information. In order to secure the information, database prevention steps must be in place like safeguarding data, destroying deleted files that are stored physically or hard drives that needs to be erased that held important information as well as using some type of software to erase drives permanently, procedures need to be updated, employees should be trained and educated about security breaches and how to protect important information they are working with, control the computer usage by having restrictions on employees usage of the computers, secure computers by implementing passwords and time out functions per devices as well as not letting employees use personal information for their passwords that may get intercepted by cyber criminals, the software for the security of the system must be up-to-date regularly, unencrypted data transmissions must be stopped, and there must be no use of personal portable media such as flash drives, CD’s, DVD’s, or devices like that, which may place viruses on the network and/or they must not be used for personal reasons that have nothing to do with the organization and make sure those items are secured at all times if those items belong to the company (No Author, N.D.). Discuss the impact (from the perspective of various stakeholders) of the lack of access controls and auditing. The lack of access controls means there is no data security in which could lead to all types of negative situations that could cause a breach within the system, leaving the system vulnerable to information being placed in the wrong hands. When a system is not properly maintained or implemented, it could be catastrophic for that organization (Martin, J., 2018, February). How can technology be used as an enabler and facilitator of effective access controls and auditing? It has pretty much become an enabler since it provides many different services for many companies and organizations worldwide. It also provided awareness in which the awareness was increased due to the needs of access control. It has also safeguarded many of the companies and organizations assets. Information now must be reported for evaluations to an auditing specialist if any type of breach need attention immediately (Moore, R., 2017, June 12). How can you apply the lessons that you learned from the story to your own company problem? I can apply the lesson learned to my own company problem by making sure that everyone knows the effects of leaving information unsecure and sharing the wrong information on a share drive if it is important or personal information. I would choose to encrypt the information that is sent and make sure that each person has their own password and sign in name if they are trying to access the network. Furthermore, I would make sure that the proper training is provided to all the individuals to make sure that they are doing the right thing always but more importantly, keep important information out of the hand of cyber criminals. Security Management Document Shell 1 External Access Review Page 1 Security Management Document Shell 2 Table of Contents Project Outline and Requirements (Week 1) ..................................................................................................... 3 Overview of Organization ........................................................................................................................... 3 Need For information security..................................................................................................................... 4 What potential risks or issues that may exist ............................................................................................... 4 New challenges that exist with the new project to allow consultants to work on-site ................................. 5 IPO challenges ............................................................................................................................................ 6 (Week 2): Security Assessment......................................................................................................................... 7 (Week 3) Access Controls and Security Mechanisms....................................................................................... 10 (Week 4): Security Policies, Procedures, and Regulatory-TBD .................................................................... 15 (Week 5): Network Security-TBD ................................................................................................................. 16 References ....................................................................................................................................................... 17 External Access Review Page 2 Security Management Document Shell 3 Computer Systems Security Foundations Week 1: Introduction to Information Security Project Outline and Requirements (Week 1) Overview of Organization External Access Review Page 3 Security Management Document Shell 4 The company that is being chosen for this topic of discussion will be IBM security in which this company faces problems with cybersecurity threats daily. IBM is ranked third out of ten other companies in which CyberArk software ranks first and Cisco ranks 2nd to the top (Yogesh, B., 2018, May). IBM security systems in which is formerly known as ISS or Internet Security Systems was founded in 1994 by Chris Klaus in Atlanta Georgia and is considered to being a security software provider. The IBM ISS Company was acquired in the year of 2006 by IBM. Need For information security The reasons that we need information security is so that we could reduce various risk that may come about concerning information disclosure that may be unauthorized, destruction, and even modification. The risk must also be reduced to a certain level that is pretty must acceptable to that of business management. If we did not have information security, we could not evolve in the way that we do business. Information security is also there to keep information confidential or a secret. It could also be used to keep that information accurate. It can help with making the information available when it is needed. What potential risks or issues that may exist Some risks that may come about or may exist are technology that may have weak security, attacks within social media, mobile malware, third-party entry, neglect to proper configuration, security software in which is outdated, social engineering, lack of encryption, corporate data on devices that are personal, and security technology that is inadequate. Due to the fact that technology is being released every day, some devices does not have security plans External Access Review Page 4 Security Management Document Shell 5 to fight off unwanted guess. This can be a serious risk that could make the system vulnerable. When it comes to social media attacks, cybercriminals prey on sites such as Face Book in which they do what is known as a complex geographical attack that goes by the name of water holing. Many risk have been also seen by experts within various devices that are mobile. Cybercriminals target mobile devices on a daily which put these devices at the top of the list of being very vulnerable because more people have cellphones in this day and age. Outdated security software can cause problems within the network because companies may not have updates to their systems leaving the system to be very vulnerable. You must update the systems when it is needed in order to fight off unwanted guess (Krebs, B., 2015, September). Benefits that the company can gain from the new project is bringing new customers who would want to use the company because of the great reviews that the company has due to the success of protecting the important information previously for other companies. New challenges that exist with the new project to allow consultants to work on-site Some challenges that could very well exist within the new project are problems with Malware. Malware is generally used by a lot of people involved in cyber-criminal activities over networks that involves one or more people. It could be used to infiltrate an organization through what is known as spear phishing so that the cyber thief could still information that may be confidential. They use malware that is known as a RAT or remote access Trojan. Users are another challenge within the cyber world because they could become an inside threat that is accidental prone or either a malicious employee within the organization. This could be very harmful to a system especially if there is an admin that is mad at the company, they could erase a whole system with one keystroke. Budgets could also be a challenge to a system because if you do not acquire the proper budget that is needed for a cyber security program, the data could be breached by not acquiring the right program that is needed to support the companies External Access Review Page 5 Security Management Document Shell 6 system at hand that is needed to be protected. This is why IBM will work with institutes such as Ponemon to be able to produce what it cost for a Data Breach so that they could be able to show the organization what it would cost the company if the company is breached of its data. IPO challenges New challenges can easily come about when taking an organization public that can destroy the good standing of a company. By adding security posture as well as adding policies that are new can very well mitigate the problems that may exist. To avoid breaches, you must be able to maintain a network that is strong so that attackers that are new would not be able to breach the system. With the exposure that is added by the IPO, there will be exploitation of vulnerabilities and the company will be targeted. The challenges is to ensure that the standards exceed expectations without impacting the everyday problems in a harmful way. It will be imperative to increase security audits. External Access Review Page 6 Security Management Document Shell 7 (Week 2): Security Assessment Overview Within the IBM security, the internal network infrastructure security protocols are wired to a minimal in order to protect the assets. The company also does not separate the network interface between customers and workers throughout the home network. This causes a lot of vulnerability to the network so this particular area will need to be fixed in the near future. Previously mentioned, IBM security consultants will usually travel to the customer’s locations that are local for implementation of the software and so that they would be able to support the life cycle of the software. The companies desire to expand has already been discussed previously in the last section. Trying to operate on a larger scale than how the company has been operating will not work but the company is trying to come up with various solutions so that we could work with more customers who are not local. A great number of software, hardware, and process changes will be sought after in order to get a newer network infrastructure so that our company would be able to operate on a larger scale. Typical Assets Typical assets that need to be implemented through a software solution company are multi-redundant servers. Multi-redundant server’s typically covers tasks such as intranet, exchange, database, extranet, VPN’s, and printer/file sharing. Others that are needing to be implemented are various firewall layers in which is set in place in order to protect the data of the company on different levels within the infrastructure, operating systems, configure the security settings properly for the firewalls, implement the regulations for the physical security for things such as password security, and the Internet browser. Training programs for the employees will also need to be implemented along with the doors that have coded entry has to External Access Review Page 7 Security Management Document Shell 8 be implemented as well. To protect the server room from any catastrophic disasters such as floods or even fires, this room will also need to be protected on all levels. Current risk in the organization with no network segregation Some major risks that can be included within this topic are security risks. Some risks could be caused by trying to transfer data through flash devices when trying to work in a different area within the company such as an employee’s home network or even a customer’s location. There are not any regulations and rules that are current either that regards any type of security for the network such as InfoSec training and even any type of password rules. There is also no type of capabilities for data backup and even non-redundancy capabilities just in case there are any types of catastrophic disasters in which could cause failure to the hardware within in the organization due to any type of natural disasters such as wind damage, hurricanes, flooding, earthquakes, tornadoes, and/or any kind of random attack. There are not any type of single access points made within the organization either that has minimal security. In the minds of a software firm, there is nothing more important than the data or the assets that needs to be protected within your organization. If data becomes stolen, lost, ore even corrupted, Asynchrony Labs could possibly lose lots of customers or even potential customers to different firms or even worse than that, the credibility or reputation of Asynchrony Labs could be damaged forever causing a devastating blow that could ruin the career of the company, costing hundreds of jobs in an worse case scenario. Risks new consultant networks will create Due to the newly implementations, there will be more risk than ever that will increase and also will need to be looked at in the near future. An example of this may be if a Wi-Fi network is configured properly, it could very well add flexibility for the employees and even External Access Review Page 8 Security Management Document Shell 9 the customers but if it happens to not be done right to the fact that it is not segregated properly or even secured, there will be a bigger risk that the system will become more vulnerable. To add a extra layer of security, a VPN must be added to the network to help with mitigating this type of problem. Risk mitigation and security assessment During the risk assessment, we must focus on mitigating the various risk they may be associated to the assessment. When trying to protect data, there are three general questions that a person conducting the assessment must ask his or her self. The first question is who or what can or will be viewing the data? The next question is who or what can typically alter the data? And the final question is how can authorized applications/users typically gain the access to the data that you are trying to protect (No Author, N.D.). The type of test or security assessments that should be done is called a vulnerability assessment and a penetration test. A vulnerability assessment analyses the network for problems and the components of the infrastructure. This type of testing does not entail testing the whole system for vulnerabilities. A penetration test is known as what they call ethical hacking. It is used to secure and test the system against vulnerabilities in the future. External Access Review Page 9 Security Management Document Shell 10 (Week 3) Access Controls and Security Mechanisms Describe the access control mechanisms that are needed for each system and application described in IP2 During IP2, we talked about having Windows updates. In order to update Windows, we must implement RBAC (Role based access control) in which is also called role-based security. By choosing this type of security administration is a way to reduce cost. RBAC is simply a way to be able to regulate the access to a computer and even a network all depending on the different roles of the users within that company or organization. By choosing this type of role limits the control of the role that he or she was assigned (Chandramouli & Kuhn, Ferraiolo, 2007). Also during IP2, we talked about programming updates. For this portion we will be using what is called Discretionary Access control in which is used in order to be able to restrict an object’s access that is directed by a policy in which may be determined by the owner group of the object. An example of this may be a Unix file mode in which would be able to define the write, execute, and read permissions for the group, users, and others. By choosing to use DAC, the ownership of the object could very well be transferred easily to another user. The user will be able to determine the type of access the other user may have as well by External Access Review Page 10 Security Management Document Shell 11 choosing DAC. The user may be held with restrictions from having user access if there are many failed attempts while trying to access the system as well by having DAC implemented in the system. Virus software was also talked about in IP2. Role Based Access Control will be used for the virus software as well. By choosing this option lets the user gain many privileges that is within the role of that user. Again, the user will not be able to have total control over the role that he or she may have been assigned. For Spyware software, Role Based Access Control will also be used for this section due to the fact that this type of user also have privileges that were inherited that were tied within the roles of the user. This type of user will not have total control in her or his role as well. Firewall was another topic we discussed within IP2. We will be using what is known as extended ACL for this portion of the topic. This is set in place so that it could either permit or either denies various packets that are generally based on the destination IP address, the source, upper-layer, and port number protocols. This will help provide a range of control in which may be greater and will be a great solution when it comes to security of the firewall. Spam Email Servers were also talked about within IP2. We will be using DAC for this portion of the topic. The access control will be chosen based on the External Access Review Page 11 Security Management Document Shell 12 discretion of the user. The only person that can give access rights to any other user will be the owner and this will be based on the owner’s discretion. Backup Servers will also use DAC in which the access control will also be based on the discretion of the user. The same rules will apply like that of a Spam Email Server. Secret Key Policies will be using a RBAC due to the fact that the privileges will be inherited by the user’s but the user will not have total control over the roles that were assigned to he or she. Describe how the new expanded network can be protected through access control By choosing access control, it helps with the restriction of access to two important main components in which are authorization and authentication. By having authentication implemented in the program, it will generally show or either verifies if that person is who they say they are. It works hand to hand with authorization in which this section determines if that person should be allowed access to the data they are trying to access or either if they should be able to make a certain transaction or not. Without the two components, there will be no data security whatsoever. Access control is needed within organizations who chooses to access the Internet so if that organization has Internet that transfers data that is important, it is very important to inherit this method into the usage of the programs that are being used External Access Review Page 12 Security Management Document Shell 13 to prevent the system from being breach from unauthorized guest (Martin, J., 2018, February). Describe SSO and VPN technology SSO is considered to being an service for user authentication in which permits various users to be able to have login credentials in which may be a password and name so that they may be able to access various applications (Rouse, M., N.D.). A VPN is considered to be a private network extension that can be found through public and shared networks. A company can use a VPN by sharing the data between multiple computers so that it may be able to emulate the various properties of a private link that is point to point. Single Sign On can stop unauthorized users from gaining access to an users account due to the fact that they will need a password and user name to gain access to the system. External Access Review Page 13 Security Management Document Shell 14 External Access Review Page 14 Security Management Document Shell 15 (Week 4): Security Policies, Procedures, and Regulatory-TBD External Access Review Page 15 Security Management Document Shell 16 (Week 5): Network Security-TBD External Access Review Page 16 Security Management Document Shell 17 References Rouse, M., (N.D.). Single Sign-on. Retrieved from: https://searchsecurity.techtarget.com/definition/single-sign-on Martin, J., (2018, February 5). What is access control. Retrieved from: https://www.csoonline.com/article/3251714/authentication/what-is-access-control-5enforcement-challenges-security-professionals-need-to-know.html No Author, (N.D.). Discretionary Access Control. Retrieved from: https://www.techopedia.com/definition/229/discretionary-access-control-dac Ferraiolo, D., (N.D.). Role Based Access Control. Retrieved from: https://csrc.nist.gov/Projects/Role-Based-Access-Control External Access Review Page 17
Purchase answer to see full attachment