Team Members
Introduction
Company Overview
The company that will be assessed for the project is Dalton, Walton, & Carlton, Inc., which is located in Kansas City, in Mo house. It is in the business of architecture and has approximately 250 employees who are distributed in four cities within the region. The main office in Kansas houses approximately 100 employees and is housed in the main suburb of a neighborhood where security is not regarded as a main concern. An assessment of the security needs will be undertaken and worked on in order to have a secure organization where information assets are safe.
IT Infrastructure
The IT infrastructure of Dalton, Walton, & Carlton, Inc. makes use of Microsoft servers and PCs. They also have Mac computers, which are used to undertake design work. They make use of an active directory in their server requests. They also have a web server that is used to manage their web site. In addition, there are various servers that are used for various applications and processes. They have four file servers that are used for managing files and four MySQL database servers that are used to manage the database requests and processes from the various units. There are also four servers that host the applications that are used in design work. For email exchange services, they have Microsoft Exchange servers, two of which are used in managing email requests.
Moreover, there are 20 servers, which are located in the main office, and which run on a Windows 2008 server. Out of the 20 servers, 12 are made to run virtually on three physical servers and the updates to the various products and operating systems are run from the main office. The Microsoft updates are set to run once a month, although some applications miss running the updates. For example, the third-party applications like Adobe Acrobat are never updated. Each satellite office has been set to have our servers which are used to store files and run local application. The local offices also have decentralized wireless networks that connect to the production networks. Each employee has a desktop computer that has been installed with the Windows 7 operating system. The human resource personnel also have laptops that are used for undertaking interviews.
In addition, the company has outsourced its email filter applications and human resource applications to third-party companies. The network has also been set so that it is behind a gateway router and firewall and an antivirus software has been installed, but it is not automatically updated across the organization. Most employees usually work from remote locations and only use their password and to gain access to corporate systems that are used by the organization. There is also an IT director who has five staff members working full time and out of these five full time employees, one works on security tasks part time.
Scope
Dalton, Walton, & Carlton, Inc. have security issues that need to be considered. The issues that are found in this company are both external and internal. This paper will analyze the security issues that are found within the company. “Properly conceived and implemented security policies, programs and technologies are essential to ensure a facility’s resistance to myriad threats while meeting demanding uptime, reliability and performance objectives” (Gillick, 2005, par 6).
Issues to be Considered
In the recent past, computers were stolen from the office. Data security through file security has not been taken seriously. The loss of files and intellectual property rights have been reported. Two employees have been reported to have left the company to work for the organization’s biggest competitors and vendors have been allowed to access the premises of the company without any authority. The resetting of the passwords is undertaken by using a generic password, Chiefs2011.
Risk Assessment
Internal Security Issues
The router and the gateway in the company have been set up without a DMZ. This mechanism is used to filter access requests so that the requests that are suspect are avoided and denied access to the network. This mechanism is lacking in the company. Another security issue is that of access control. There is no control of who accesses the network of the company. This is the reason why the vendors of Dalton, Walton, & Carlton, Inc. still have access to the network from whichever place they are. This is a security issue that should be corrected. The vendors can breach the data integrity agreement by accessing critical data from the company network and show the competitors. There should be an access control policy in the company so that vendors access the network by using passwords of administrators. After the vendors finish with what they are doing, the administrators can then change the password. By implementing this simple step, the network will be more secure. In the current state, there is no accountability for access and thus it is a security issue that should be considered. One of the goals in our design is to make sure that the management of traffic will be kept away from the production network so that the chances of being intercepted when transmitting are eliminated by all means. The ideal way that this could be achieved is that we could make sure that each device should have a physical port on the management VLAN.
Another security issue that the company faces is that the network design still lacks the framework/infrastructure that we will use to manage the network. For this to be achieved, we will need to have in place at least one management workstation, one ftp server, and at least one syslog server. It is evident that we also need to have a password management server that will be used to manage the passwords that will be used for authentication purposes.
Another internal issue of concern is that of account passwords and . An issue that was discovered is that when resetting lost passwords, one password was issued to all employees during the reset process. What should be done is to have the system generate the password automatically. This way, the password reset process is secure and the password is known by the users alone.
External Security Issues
An external security issue that is common and prevalent in this company is that of an insecure wireless network. No security measure has been taken to secure the network to prevent intruders from accessing the wireless network, which is used by the human resource personnel. The wireless SSID is broadcast and there encryption is not used on the access point. Since the network is open, anyone within the wireless range has access to the system. There should be a security policy in place for the wireless network that includes a security mechanism like the use of WPA2 .
Another external security issue that is evident within the company is that of unsecured doors and entry points. This is the reason why computers were stolen with much ease. Some type on entry accountability system needs to be added to account for when occupants leave and enter the building. Also needed is the addition of surveillance equipment for added protection. Implementation of computer locks for laptops and secure servers and routers in a closed room with keyed or swipe access is needed. There should be strong locks and security personnel manning the premises of the company at all times of the day. This way, physical loss of the hardware would not have occurred.
Management and Implementation
Cost-Benefit Analysis
This section describes the preliminary cost benefit analysis of the Dalton, Walton & Calton Inc. project. This is necessary to determine the required funding for the completion of the project (Perkins, 1994, p.45). The associated costs and benefits of the entire life of the project are analyzed.
Summary of Results
The company added in its benefit and cost analysis the capabilities of taking new security measures. While strengthening the security measure of the company, significant benefits are added, and the levels of uncertainties are reduced (Greenberg, 2000, p.120).
Preliminary cost benefit analysis results (values in Millions)
The cost benefit analysis is the comparison of finances of the estimated costs of the project and the benefits of the security system. Infrastructure procurement costs are the costs that are incurred during the deployment of security measures, pre-deployment and during the post deployment periods. These costs are exclusive of the installation costs. Development of IT systems cost are the costs that the company will undergo when upgrading the IT systems and purchasing of new systems, as well. In these costs, the installation costs are included. The employee costs are the costs that the company undergoes when paying the employees who are involved in the installation. They include the allowances of the employees and their net pay. The supply services costs are the costs that the company undergoes when they pay suppliers of the required materials. Other costs are the costs that may arise or the company may incur during the project that are not classified as any of the above. Such costs may include the transport costs.
Budget Constraints of the Company
Budget constraints are the challenges a customer faces when purchasing materials using the available funds. The customer may prefer another item due to the budget constraints (Arkin, 2001, p.213). Similarly, Dalton, Walton & Calton Inc. security project is faced by budget constraints of the company.
Today the cost of security has really gone up dramatically. The company has a lower budget compared to the costs that it will have to undergo to complete the project. Therefore, it will be difficult for it to deploy the security technologies in breadth and scope. These budget constraints have been experienced by the company for a long period now. The company plans to take a security strategy that will balance the resource constraints. Aside from the funds constraints, some of the constraints that the company may face are lack of enough education on network security. The company plans to evade this problem by taking half of employees for training on network security. Lack of money has made the company not develop network security since it was started however; the company now plans to use the little funds it has to see completion of this project. This will mean the company will have to use the least funds possible.
Previously the company had started a project on updating the system security, but the project could not be completed because of the budget constraints it faced at that time. Therefore, the company has now cut down on some costs since there some security measures that were already put down in the previous project.
Security Proposal
Physical Countermeasures
There are hardware, detection and reporting countermeasures that will be addressed effectively in different parts of the Dalton, Walton & Carlton Inc. Project. The security programs will protect the company and the entire assets. This will be possible through managing the risks through discovery of threats and estimation of the risks that accompany the assets. The solutions will provide some directions for activities through framing security information policies, procedures and baselines. The solutions ensure security in the devices of the company through ensuring password management in the hardware devices. The solutions offer adequate physical control in the different departments in the organization and control the access of individuals into the facilities (John, 2008, p.42).
The controls will involve lock of systems to protect the facility perimeter. Monitoring of intrusions will serve effectively as environmental controls of the company. The vulnerability of unauthorized access in software and hardware is prevented through application of the solutions. Protection against entry into the business environment avoids opportunities for the attackers. The solutions protect the company against potential dangers on the systems. The solutions ensure that the countermeasures of procedures that could mitigate the risks are in place. For example, the solution of ensuring that there are strong passwords managed in the company help in protection of the company’s information. Keeping software that is up to date will be a solution effective in hardware maintenance (Mell, 2006, p.30).
The solutions will address confidentiality measures in the company by monitoring network systems and maintaining high levels of secrecy about information of the company. The counter measures addressed in confidentiality are such as storing data and transmitting it in encrypted manner, use of networking padding, implementation of strict access mechanisms and training of the personnel about the best procedures. The solutions will address the problem of availability of data and information to individuals. It addresses threats that can arise from device failure, harsh environmental conditions, and service denial attacks. Countermeasures addressed on the availability of data include maintenance of backups in replacement of systems that have failed, monitoring of network traffic and use of the firewall to protect devices (Rebecca, 2001, p.21).
The solutions will effectively manage detecting of any possible attacks in the company on different aspects that face the company. The detection of network attacks is placed, and solutions to the attack developed. Risk management is ensured through establishing risk acceptance levels and documenting the risk assessment procedures. The issue specific addresses the specific issues that make the management feel the need for a detailed explanation to build comprehensive structures. It helps the employees to understand how they can understand and comply with the issues on security. The solutions present decisions from the management that shows specific characteristics on computers and networks security. Thus, is inclusive of the applications that can be installed in workstations. For example, the policies that gives a description on the use of data bases and their protection (Warnock, 2004, p.23).
The solutions will also address the management of information technology management and development through reduction of costs. Information technology services are improved by application of the solutions of security maintenance in the company thus improving the productivity. The communication process is made easy by implementation of the solutions. Therefore, reporting of security threats and dangers is easy and efficient. Monitoring of the information that comes into and out of the company is made easy and faster. With all these hardware, detection and reporting countermeasures addressed the company’s project will be a success (John, 2008, p.45).
Software-based Countermeasures
Basing on the history of Dalton, Walton & Calton Inc. project, as an architecture firm that is situated in four cities, in terms of IT infrastructure, there is a crisis. This is attributed to the poor management of their IT systems. The firm has access to Microsoft servers and PCs, which are accompanied by Mac computers and all these, are used for the work of designing. It possesses an Active Directory, two Microsoft Exchange servers for email, four servers that house their architecture applications, a Web Server for Internet web site, a training server, five MS SQL Database servers, and four servers that are used as file shares. The firm suffers from lack of security for their data as their data files and folders have been reported as lost. Onsite staffs have been employed at each location and aside from providing IT support; they have other responsibilities (May et al., 2001, p. 115-129).
According to Tiri and Verbauwhede (2006), the application of cryptography makes the analysis of the security of the system simple (p. 1197-1208). This is possible by the use of a direct attack and an information-theoretic metric. Through the use of cryptosystems, an automatic protection of the software implementations occurs. The framework used specifically illustrates the identifiable critical instructions that are necessary for the implementation of the cryptosystems power analysis attacks. This in turn, transforms the software by the use of specific countermeasures in order to protect the instructions that are perceived as vulnerable. Thus, it is represented in form of steps.
The first step deals with the identity of the instructions needed for a cryptographic algorithm. The step that comes second involves the application of a software counter-measure to the identified instructions. Last but not least, the theoretic metrics are formed for security purposes. With the introduction of a systematic methodology that could be used for the automatic application necessary, using the available software countermeasures is possible and a demonstration of its effectiveness is evident. This is because; the software countermeasures are applied on AES software that runs on an 8-bit AVR type of microcontroller (Barbosa et al., 2009, p. 259-281). Indeed, this application of cryptography provides a software countermeasure that is capable of controlling the circuit and architectural design that make up the hardware platform.
Remote Authentication and Web Security
Dalton, Walton, & Carlton, Inc is currently facing a lot of problems in maintain its information in their computer systems due to incidences of insecurity. A few years back the company lost some of its computers that contained crucial company information through theft. Dalton, Walton, & Carlton, Inc management seems not to take the issue of data security seriously since they allow access of all company information to its staff anywhere. The present business environment is facing stiff competition and leakage of a company’s information to the rivals’ acts as a weapon to outdo the affected company. In addition, companies with weak remote authentication systems face incidences of web insecurity since internet hackers easily access their information (Bosworth, 2009). According to Anderson (2008; 41), an organization should have a strong remote authentication strategy that offers an effective defense tool in order to secure data and private information.
Dalton, Walton, & Carlton, Inc IT infrastructure consists of Microsoft server and personal computers (PCs). The company manages their website using a main web server that controls other servers that are accessible to the company staff. The main problem facing the company’s data and information security is that outside vendors are allowed access to the systems without authorization. This places the company in many risks of losing its private information to the outside or evil parties. Dalton, Walton, & Carlton, Inc carries out design work meaning that leakage of info ration to the outside world would cost the organization a lot as some people might steal their designs, or change them. On the other hand, protection of the company’s intellectual property is rendered weak because they have no perfect way of retracing their stolen designs since they are not password protected.
On the other hand, lack secure access to the company networks exposes it to possible thefts and corporate frauds that lead to loss of sensitive data. Due to consumer demands and pressure in complying with the prevailing situations organizations look for new ways of strengthening their authentication techniques, internal control, and identification management (SafeNet, 2009; 6-7). Dalton, Walton, & Carlton, Inc allowed vendors access to their systems without considering the possible outcomes and dangers associated with sharing the main server password. Moreover, Dalton, Walton, & Carlton, Inc have third party companies who make use of their servers in various operations. Organizations use internet-enabled authentication programs that enable their employees’ access to the information using the company’s computers. The company trusted its employees to the extent that the management allowed free access to all network security systems. Some employees left the company and joined the rival company indicating that they had stolen crucial information from Dalton, Walton, & Carlton, Inc.
Dalton, Walton, & Carlton, Inc should come up with an authentication process that allows only access to company computers within the compound in order to reduce instances of data leakages. In addition, the company’s network servers are password protected, but all the employees can access these computers making it easier for them to get away with some desktop and laptop computers. In addition, the company lacked fraud detection software that has the capability of sensing any unwanted authentication to the system and block the user immediately. According to Symantec Corporation (2011), various systems are available that most companies use in preventing access of unwanted parties to their network servers. Security authentication systems allow organizations to maintain high security standards through controlled remote authentication.
Restoration and Recovery
Contingency planning. Contingency planning is the preparation or arrangement done in order to deal with any risks that may occur. It is a plan mainly to deal with any eventuality in an organization. The plan is essentially a strategy that is intended at managing risks that are likely to be faced. Any organization has its contingency plan that will prepare them for any risk likely to happen in the course of operation. The contingency plan may differ with an organization depending on the risk that they are liable to face (Knutson, Alexander, & American Management Associations, 1981, p 12).
In the context of Dalton, Walton, & Carlton, Inc., contingency planning is an essential element in their operation. Contingency planning can assist them in preparation against any risk. The risks that they face are data security, physical theft and personnel loss. The company can use contingency planning in order to curb all these risks.
In the context of contingency planning implementation, the company can deal with the risks to appropriate preparation. The company can deal with data security through applying high data security levels. This will protect any data from being accessed by inappropriate parties. The company can deal with physical theft by employing a security firm that will protect their premises and be liable for any hardware losses. This will prevent anyone from stealing the company assets. The company can also deal with personnel loss through signing long term contracts with good pay and benefits to their personnel. This will make the personnel be dedicated to the firm.
Disaster Recovery Planning (DRP). Disaster Recovery Planning is a set of measures that are developed by an organization in order to safeguard any Information Technology infrastructure against any disaster. The set of measures are usually documented by the organization. The document plan mainly contains the actions that will be implemented in case of a disaster occurs. The actions are meant to cover the organization from the disaster, during the disaster or after the disaster since the disaster cannot be speculated to take place in a given timeline due to its unpredictable nature (Hiatt, 2000, p 60).
In the context of Dalton, Walton, & Carlton, Inc., disaster recovery planning is essential in the process of protecting the company from any man-made disasters. The main man-made disasters in relation to IT infrastructure are all technological vulnerabilities, for example, power failure.
In the context of disaster recovery planning implementation, the company needs to perform a risk assessment and determine recovery strategies. Then they will document a written plan after collecting data. The documented plan will then be tested after testing criteria and procedures have been developed. Finally, the plan will be assessed so as to obtain approval. In the case of power failure, rate of power failure will be done hence weigh the need of having a backup power source so as to protect the IT infrastructure against damage.
Business Continuity Planning (BCP). Business Continuity Planning is the process of setting up strategies that will assist the business to prevent itself from any threat and be able to recovery from it. This is usually a crucial plan that will prevent the collapse of a business in case a disaster strikes (Barnes, 2001, p 68).
In the context of Dalton, Walton, & Carlton, Inc., a business continuity planning will assist the company to recover from possible threat like technical issues. In the context of business continuity planning, the company can set up strategies in order to maintain technical resources in times of threat. The company will set up a solution design that will encompass the acquisition of material and skilled staff. The company will purchase technical equipment that can perform technical recovery.
Summary and Conclusion
This paper discussed the security risks that exist in Dalton, Walton, & Carlton, Inc. where such risks involved security issues with regards to physical and system access. In this regard, the writers of this paper performed a risk assessment in order to determine how the risk issues will be addressed. A cost-benefit analysis was also performed and based on its results, a proposal was presented for addressing the security issues identified. In particular, this paper included proposals for the physical countermeasures, the software-based countermeasures, the remote authentication and web security, and the restoration and recovery.
References
Anderson, R. (2008). Security engineering: A guide to building dependable distributed systems,
(2nd ed). (pp. 811-910) New York: John Wiley & Sons Publishing, Inc.
Arkin, H. (2001). Financial Analysis Tools and Techniques: A Guide for Managers. US: McGraw Hill.
Barbosa M., Moss A., and Page D. (2009). Constructive and destructive use of compilers in elliptic curve cryptography. Journal of Cryptology. 22(2).
Barnes, J. C. (2001). A Guide to Business Continuity Planning. Chichester: John Wiley.
Bosworth, S. (2009). Computer security handbook (5 ed., Vol. 2). New Jersey: John Wiley and Sons.
Gillick, T. (2005). Assessment and Mitigation of Risks to Physical Security, Information
Security, and Operational Security. Retrieved from
http://www.facilitiesnet.com/security/article/Taking-Security-To-the-Next-Level--2566
Goodrich, M., & TamassiaRachel. (2011). Introduction to computer security. New Jersey: Keberos.
Greenberg, B. (2000). Cost Benefit Analysis:Concepts and Practice. New York: Prentice Hall.
Hiatt, C. J. (2000). A Primer for Disaster Recovery Planning in an IT Environment. Hershey, Pa: Idea Group Pub.
John, A. (2008). Intrusion Detection Technologies. Pittsburg: Carnegie Mellon Publishers.
Knutson, J., Alexander, L., & American Management Associations. (1981). Contingency Planning. New York: Extension Institute, American Management Association.
May D., Muller H.L., and Smart N. P. (2001). Non-deterministic processors. In Information Security and Privacy - ACISP'01. 4(6).
Mell, K. (2006). Guide to Intrusion Detection and Prevention Systems. Washington: National Institute of Standards and Technology.
Perkins, F. (1994). Practical Cost Benefit Analysis: basic Concepts and Applications,. Melbourne: MacMillan.
Rebecca, B. (2001). Intrusion Detection Systems. Washington: National Institute of Standards and Technology.
SafeNet. (2009). Strong Authentication: Securing identities and Enabling Business. pp. 6-7.
Retrieved from http://www.safenet-inc.com/uploadedFiles/About_Safenet/Resource_ Library/Resource_Items/White_Papers_-_SFDC_Protected_EDP/DownloadAsset(6).pdf
Symantec Corporation. (2011). 5 Essential Steps for Implementing Strong Authentication in the
Enterprise. Retrieved from http://www.altimate-group.fr/blobs/com.cardiweb.cardiboxv6
.cm.business.Article/2022234026881869033/file/1/whitepaper-strong-authentication-steps.pdf
Tillich S. and Grow J. (2007). Power analysis resistant AES implementation with instruction set extensions. In Cryptographic Hardware and Embedded Systems (CHES). 6(7).
Tiri K. and Verbauwhede I. (2006). A digital design for secure integrated circuits. IEEE Transactions on CAD of Integrated Circuits and Systems. 25(7).
Warnock, K. (2004). Detection and Security tools. Herndon: Information Assurance Technology Analysis Center.
