Objective: Identify, formulate, and solve technical and policy challenges in an InfoSEC position.
Background: Dave Dandy, Owner of David’s Dandy Doohickies (D.D.D.) has noticed that several of the intranet servers are located in the system administrator’s cube and have been for 3 months. The servers include these servers: a web server that hosts the HR system; an internal email server that routes mail destined for the “outside” to the world facing server in the DMZ; and an internal only ftp server used to hold proprietary design information on the new lone of framastats that D.D.D is developing.
The current server room at D.D.D. has no locks, cameras, or access lists. In fact, it still resembles the warehouse that it is housed in, lacking even a rudimentary fire extinguisher system. While there is a tape backup process, labels consist of small notes taped to each backup tape. There is also no centralized log management; list of who has administrative rights on any of the servers in the server room or outside the administrator’s cube.
Instructions: Remember there are three types of controls: administrative, technical, and policy. You first need to identify all of the security issues with D.D.D. Divide the issues identified into the three control categories. Each issue may over lap the categories and often do. For each issue, identify a specific technique in that control category to mitigate the issue. This is most easily done with a matrix but there are certainly many other acceptable ways.
You should seek controls that will provide the most security effectiveness for the money. That said, Dave will listen to reasonable proposals for spending his money.
Submit a matrix or other suitable way of expressing the relationship between issue, type of control, and type of mitigation. Use proper citations when appropriate, so a reference page will also be required. Remember that security must be cost effective as well as effective so use wisdom when deciding to use a control or a mitigation technique.
While there are non-access control issues that you may include, the focus should be on those issues related to access control as we have discussed during this course.
Note: this example may or may not follow the citation rules used by the school. You need to check the proper citation rules for yourself.
An organization has decided to implement a stronger password management system. For this one issue, a matrix could look like this:
Establish policy to require minimum length of 14 characters, mixed case and special characters (1997)
Enforce policy using PAM (2004).
Use OTP token to provide multi-factor RSA (2006)
Explanation of mitigation:
Pluggable Authentication Module (PAM) will allow verification and enforcement of more complex password rules than provided for in our current authentication system.
A One Time Password (OTP) token such as MyPw will allow inexpensive multi-factor authentication (www.MyPw.com).
(1997). "RFC-2196, Site Security Handbook." Request for Comments Retrieved February 8, 2005, from http://www.ietf.org/rfc/rfc2196.txt.
(2004) OATH Reference Architecture Release 1.0. Volume, DOI:
RSA (2006). Making the FFIEC Guidance Operational, Balancing Authentication Methods with Online Banking Risk, RSA.
|Grading Criteria Assignments||Maximum Points|
|Meets or exceeds established assignment criteria||40|
|Demonstrates an understanding of lesson concepts||20|
|Clearly presents well-reasoned ideas and concepts||30|
|Uses proper mechanics, punctuation, sentence structure, spelling, APA Format||10|