The construction firm "Plantain Building Company" is a national house-building company which buys land, constructs houses and sells them to the general public. According to the scenario the company is divided into several regional offices, but the Cardiff Regional Office is the subject of this case study.
The main focus of this case study is implementing foolproof security for the system and network so that all confidential data stays within its proper domain. At present every system could fall victim to someone's conspiracy. Since the systems hold important and classified data, they must be properly secured.
All users share the same login ID and email address, which is a terrible trap in itself. Only the manager, Theo Barratt, has a different email ID. All computing equipment is bought from a local computer company, which also holds the maintenance contract.
Currently no security policy exists in the office, so no one is responsible if a mishap happens. The main human assets of the organisation are the 5 project managers, each responsible for a different geographical area. All of them have access to the plans and specifications of the House Types. These house types are specific to this building company, and each house type also has a detailed breakdown of the materials required to build it.
The main House Type database is held at Head Office; it is transferred to the regional offices on CD-ROM and installed on the local system by the administrator. One curious observation is that the land manager maintains the bank of available land on the computer system without considering that the system could crash at any time and the valuable information be lost in seconds. Furthermore, there are no controls within the existing systems, such as read-only USB access or restricted copying rights, which is harmful to the company.
For the given scenario, network security, information security and data protection rights will be defined, through research, under the certified rules. The main purposes of producing the security policy are set out below:
GOALS:
To spread awareness among PLANTAIN BUILDING COMPANY users and vendors of their obligation to protect all data assets.
To ensure the security, integrity and availability of all PLANTAIN BUILDING COMPANY and customer data.
To establish the PLANTAIN BUILDING COMPANY baseline data security stance and classification scheme.
Policy Awareness:
It is the organisation's responsibility to provide policy guidance to all staff currently employed, and to new staff when they join the Plantain Building Company. Individual sections of the Policy will be updated as required and will be available on the Plantain Building Company Intranet site. All members of the Plantain Building Company are expected to be familiar with, and to comply with, the Information Security Policy at all times. Any person caught violating the policy will be prosecuted according to law.
Current Computer Systems Operations:
In the scenario there are 27 desktop PCs and printers connected to a central server. Each system is generally used by a single user, and the data on the network are easily accessed by all of them. In the current system every user has the same login and email IDs; only Theo Barratt (Manager) has different login and email IDs. A number of the computers are very old, but administrative tasks are still carried out on them.
Data are stored on the existing computer systems rather than on an independent server; everyone can access the data, though only by logging on to the server. There are several vital packages, used specifically for calculating material requirements, CAD drawings and house types, that can be easily accessed by every member of the company. Backups consist of storing data on disks kept in the office supplies store room.
As already established from the scenario, there is no network security, and data worth millions can be accessed and intruded upon by any means. Theo Barratt has his own user login, as he uses the computer system to access the financial information and statements held at Head Office. His system is networked with Head Office. A number of financial records are compiled and submitted over the computer network.
There are house types specific to this house-building company, and the project managers are responsible for delivering them. The Project Managers have access to the plans and building specifications of the houses the company builds. These comprise comprehensive schematic and structural information for building each house type and the correct quantity of each building material. The main House Type database is held at Head Office, but a copy is held on the local computer system and can be accessed by the Project Managers.
Updated house type data are sent from Head Office to each regional office on CD-ROMs, and the privilege of copying that data onto the local computer systems belongs to the administrator. There are various data security failings in the system: anyone can copy the data and sell it outside the firm. There are no restrictions, and not even a data server through which the data could be limited to authorised users. An even bigger issue is that no logs are maintained, so data traffic cannot be traced by any means.
Security Vulnerabilities:
Blyth and Kovacich (2006) suggest that there is a variety of security vulnerabilities in computer systems in the IT world. Those that apply to this particular environment are given below.
Types of Vulnerabilities:
Physical Vulnerability
Natural Vulnerability
Hardware / Software Vulnerability
Media Vulnerability
Communication Vulnerability
Human Vulnerability
Physical vulnerability means there is a chance of physical damage that may harm the environment and, most prominently, the official data, which has no backup in the given scenario.
Natural vulnerability means there is no chance of saving the data if a natural disaster occurs. In this case no human hand is involved, yet the vulnerability is at its peak. This type of vulnerability has a lower probability but could still be dangerous.
Hardware / Software vulnerability means there is still a chance of malware or viruses entering the systems, which may corrupt data. There is also a chance of hardware being stolen from the systems, as there appears to be no physical security.
Media vulnerability is one of the important factors, as media are the means of saving data. Currently CDs are exchanged from Head Office to upgrade the data in the regional offices. As this does not seem professional or safe, there should be a network through which the upgrade process is carried out.
Communication vulnerability is mostly ignored: people communicate freely even outside the office premises, but this is a key way of losing data. Everyone should be legally bound not to disclose official matters.
Human vulnerability covers the mistakes a person can make, deliberately or inadvertently, within or outside an organisation. It is always a big threat to an organisation. There must be workshops on the organisation's premises to enlighten staff about human vulnerabilities.
There are certainly more vulnerabilities, but those relevant to the known scenario are explained above. Vulnerability Management is the process of working out all the steps involved in improving an organisation's position.
Vulnerability Management:
According to Nicolett & Williams (2005), vulnerability management is a process that can be implemented to make IT environments more secure and to improve an organisation's regulatory compliance posture. The steps of the vulnerability management process are given below:
Policy: define the preferred state for device configurations, user identity and resource access.
Baseline your environment to identify vulnerabilities and policy compliance.
Prioritize mitigation activities based on external threat information, internal security posture and asset classification.
Shield the corporate environment, prior to eliminating the vulnerability, by using desktop and network security tools.
Mitigate the vulnerability and eliminate the root causes.
Maintain and continually monitor the environment for deviations from policy and to identify new vulnerabilities.
The technology provided by vulnerability management vendors can be used to automate various aspects of the vulnerability management process. The three main technology categories are:
Vulnerability Assessment
IT Security Risk Management
Security Information & Event Management (SIEM)
Vulnerability Assessment
Vulnerabilities can be defined as the open pathways through which a threat can override defences and exploit critical assets. The three main components of vulnerability are Risk, Threats and Cost of asset.
The mathematical formulation of risk is:
Risk = Threat x Vulnerability x Cost of Asset
Vulnerability assessment (VA) provides basic discovery functions in support of vulnerability management. Vulnerability Assessment products scan an endpoint and attempt to determine vulnerable conditions based on a database of known vulnerabilities. When your security group documents the weaknesses of the network and host infrastructure, you can begin to make decisions on how to eliminate the root cause of the majority of exploits, reduce the potential attack vectors and limit the impact of a security incident.
"eEye Digital Security, Internet Security Systems, McAfee, nCircle, Qualys, Sourcefire, StillSecure and Tenable Network offer remote auditing capabilities that do not require agents or credential passing. The ability to audit without agents or credential passing is a key requirement for many security organizations." (Nicolett & Williams, 2005)
IT Security Risk Management
Risk management is one of the major factors because it is used to identify the most likely risks or threats in the system and helps to mitigate, or recognise, the real threat before an incident occurs. The main purpose of IT security risk management is to identify IT security risk and prioritise remedial actions. These products combine asset classification data, embedded security policy functions, current external threat data and the results of third-party VA scans to support cumulative risk analysis and vulnerability mitigation. Security risk management tools provide varying degrees of embedded support for asset categorisation and security configuration policy management. The analysis produced by these tools attempts to quantify the IT security business risk for resource groups that are aligned to business functions. The risk management function also provides workflow for mitigation, as well as validation that a vulnerability has been eliminated.
These tools can provide asset-recording methods, categorise assets, generate risk-rating reports, execute mitigation workflow and monitor status. Most products in this category integrate VA data from third-party products, and directly provide varying levels of support for security configuration policy auditing.
SIEM (Security Information & Event Management)
SIEM technology provides real-time event management and historical analysis of security data from a wide set of heterogeneous sources. This technology is used to filter event information into data that can be acted on for the purposes of incident response and forensic analysis. The need to support regulatory compliance has become the new market driver for SIEM technology providers.
General Description:
Attacks on multiple fronts:
Your data is being attacked on multiple fronts. Hardware or software flaws can corrupt files and put the actual bits and bytes at risk. Viruses and worms can attack files and server processes. Data can even be stolen by thieves (employees) with a USB drive and physical access.
Perimeter security measures provide the first layer of protection. But determined attackers have evolved spyware, Trojans, key loggers and other methods to deliver malicious code to your network interior. Authorized users can unintentionally vector malicious attacks through Internet downloads that bypass perimeter security.
"A recent attack on the London offices of the Sumitomo Mitsui bank used key loggers to steal access codes as part of an attempt to steal more than £220 M ($423 M). This kind of threat can also put corporate data at risk - including financial records - that can not only damage corporate credibility, but may also put your business at risk of prosecution." (Endpoint Security Management, Landesk Solution)
Risk and Information Security:
Risk:
Jack A. Jones stated that risk is the likelihood that something bad will happen that can cause harm to an information asset. To understand risk and its assessment, the employees concerned with the security of the information system in an organisation must be familiar with the types of intruders and computer crimes.
Types of Intruders:
Insiders: These people work within the organization and have access to its systems and resources.
Novices: These are beginners; they have little knowledge of and experience with computers. They are not very dangerous because they rarely commit crimes.
Apprentices: They have more knowledge and know how to get in and out of a system.
The professionals: They are well-trained professionals, very good at getting into and out of a system without anyone's knowledge. The reason they are dangerous is that they gain access to sensitive data in an organization.
Types of Computer Crimes
Leakage: This is the process of picking up signals from a network cable. In this case the thief must be physically present to record the leaked data. To counter this, the ISO must keep records of computer use and of old data in order to trace the source of leaked material.
Piggybacking: An authorised person allows others to access confidential data, either physically or electronically. The ISO should keep a detailed log that will show any pattern of unauthorised access.
Wiretapping: Monitoring telephone and internet conversations by illegal means. The best defence is to encrypt data before transmitting it.
The Salami Technique: Stealing money repeatedly in small amounts. It is carried out by employees who handle financial transactions.
Trojan horse: These are like viruses. They are used to damage the system rather than to gain unauthorised access. The defence is to keep a backup copy of the original program listing.
Trapdoors: These are mainly used during program development. A trapdoor allows the programmer to transfer control of the program into a region normally used to store data. The best guard is to check program listings.
Logic bombs: A logic bomb is a piece of code intentionally inserted into a software system to perform an abnormal function when certain conditions are met. It is closely related to viruses and Trojan horses.
There are also other sources of danger that an ISO must keep in mind, ranging from simple accidents to natural disasters such as earthquakes, floods, fire, power cuts and more.
Proposed Resolution:
Multiple resolutions can be proposed for the given scenario. Access should be restricted for all employees of the organisation to prevent any unethical dilemma, since human nature is inquisitive about whatever is out of reach. Access control within an organisation is the highest-priority job for saving data: the relevant data should be accessible only to the employees of its own domain, and they should be given only read or execute rights. This will go some way towards protecting the data from the outside world.
Policy:
What Is a Policy?
There are different ways, or terminologies, to describe an information security policy. According to BERR (Department for Business Enterprise & Regulatory Reform), in the USA, for example, it is common to use the term 'policy' for documents that are often described in the UK as 'standards'. This can lead to misunderstanding. The levels used here are:
Corporate information security policy
Specific policies
Standards
Procedures
Corporate Information Security Policy:
A corporate policy sets out an organisation's principles regarding information security. It should be timeless, in that it should alter little from year to year. Corporate policy must:
be clear and unambiguous
include statements covering:
Scope
Legal and regulatory obligations
Roles and responsibilities
Strategic approach and principles
Approach to risk management
Action in the event of a policy breach.
The policy should be endorsed at the highest level - for example, by the MD or Chief Executive.
Specific Policies:
The specific policies change more rapidly than corporate policies. As they are more detailed they need to be reviewed more regularly. Examples of specific policies include:
Information classification
Access control
Operations
Incident management
Physical security
Human resources
Third-party access
Business continuity management
Standards:
Security standards provide guidance towards achieving specific security policies, often related to particular technologies or products. They are used as a benchmark for audit purposes and are derived from:
Industry best practice
Experience
Business drivers
Internal testing
They must be reviewed regularly to ensure that new releases and vulnerabilities are addressed.
Examples of standards include:
Firewall configurations
Connectivity protocols
Procedures:
Procedures should be:
Clear
Unambiguous
Up-to-date
Tested
Documented
Examples of procedures include:
Incident reporting
Incident management
User ID addition/removal
Server backup
According to BERR (Department for Business Enterprise & Regulatory Reform), policy needs commitment from management, procedures that management can support, an appropriate technical framework within which it can be implemented, above all an authority responsible for implementing all those procedures, a means by which compliance can be checked, and a legally agreed response in the event of its being violated.
Sound policies or strategies are the foundation for good information security. Their role is to provide focus and direction and act as the element that binds all aspects of information security management.
Access Control Matrix:
According to Gollmann (2006), access rights can be defined individually for each combination of subject and object quite simply in the form of an access control matrix.
                     Bill.doc       edit.exe        files.com
Project Managers     -              Execute         Execute, Read only
Theo Barratt         Read, Write    Execute, Edit   Execute, Read, Write
Gollmann Access Control Matrix
Looking at the above table, it is clear that each member of the organisation has certain rights which they must abide by; otherwise, according to company policy, action will be taken. Currently there is no policy for any member of the company: no one knows their rights of access to the corporate data or how to secure it. If anyone sells the company's data, which includes structures worth billions, the company's standing in the market will fall exponentially. There are more destructive ways to take control of the builder schematics, the corporate data and, most prominently, the financial records. Although these exist on different systems, an intruder can access them because of the poor security.
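The matrix above, as an added example (not code from the case study or from Gollmann): the rows and columns are the subjects, objects and rights of the table, the check is default-deny, each decision is written to the audit log the office currently lacks, and `effective_rights` models the office's shared-login problem. The user names Alice, Bob and Carol and the function names are my own.

```python
from typing import Dict, FrozenSet, List

Rights = FrozenSet[str]
Matrix = Dict[str, Dict[str, Rights]]

# Rights exactly as named in the table ("Read only" is recorded as Read).
READ, WRITE, EXECUTE, EDIT = "Read", "Write", "Execute", "Edit"

# The Cardiff office matrix from the page: subject rows, object columns.
# The "-----" cell is an empty frozenset, i.e. no access at all.
ACCESS_MATRIX: Matrix = {
    "Project Managers": {
        "Bill.doc": frozenset(),
        "edit.exe": frozenset({EXECUTE}),
        "files.com": frozenset({EXECUTE, READ}),
    },
    "Theo Barratt": {
        "Bill.doc": frozenset({READ, WRITE}),
        "edit.exe": frozenset({EXECUTE, EDIT}),
        "files.com": frozenset({EXECUTE, READ, WRITE}),
    },
}


def is_permitted(matrix: Matrix, subject: str, obj: str, right: str) -> bool:
    """Default-deny reference check: an unknown subject, an unknown object or
    an empty cell all yield False, so a gap in the matrix never grants a right."""
    return right in matrix.get(subject, {}).get(obj, frozenset())


def acl(matrix: Matrix, obj: str) -> Dict[str, Rights]:
    """Column view: the access control list that would be stored with one object."""
    return {s: row[obj] for s, row in matrix.items() if row.get(obj)}


def capabilities(matrix: Matrix, subject: str) -> Dict[str, Rights]:
    """Row view: the capability list that would be held for one subject."""
    return {o: r for o, r in matrix.get(subject, {}).items() if r}


def check_and_log(matrix: Matrix, subject: str, obj: str, right: str,
                  log: List[str]) -> bool:
    """The same check with the audit record the case study says is missing:
    every decision, allowed or denied, is appended to the log."""
    allowed = is_permitted(matrix, subject, obj, right)
    verdict = "ALLOW" if allowed else "DENY"
    log.append(f"{verdict} subject={subject} right={right} object={obj}")
    return allowed


def effective_rights(matrix: Matrix, account_of: Dict[str, str],
                     user: str, obj: str) -> Rights:
    """What a person actually gets is decided by the account they log in with,
    not by who they are. With the office's shared login every user maps to the
    same row, so per-person rights cannot be enforced and the log cannot tell
    one user from another. A user with no account (hypothetical) gets nothing."""
    return matrix.get(account_of.get(user, ""), {}).get(obj, frozenset())


if __name__ == "__main__":
    audit: List[str] = []
    check_and_log(ACCESS_MATRIX, "Project Managers", "Bill.doc", READ, audit)
    check_and_log(ACCESS_MATRIX, "Theo Barratt", "Bill.doc", WRITE, audit)
    print("\n".join(audit))
    # Constructed example: two people authenticating as one shared account.
    shared = {"Alice": "Project Managers", "Bob": "Project Managers"}
    print(sorted(effective_rights(ACCESS_MATRIX, shared, "Bob", "files.com")))
```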
Implementable Solution for Plantain Building Company (Recommendations):
After researching several virtual system solution providers with promising information security, Cloud provides a real-time virtual database information security system. It can configure a firewall to the company's requirements and offers end-to-end administrative capabilities. Every end user will have their own virtual system with a login and several GB of data storage, as per the company's policy.
It would be possible to give all administrative rights to Theo Barratt (Manager), who could apply and amend them according to company policy. As Theo Barratt is not an IT professional, Cloud's GUI is an advantage, since it can be understood easily by someone with only slight expertise. Monitoring is the best way to control traffic and bandwidth utilisation; Cloud also gives the administrator rights to control the data limit.
Cloud provides a firewall configuration scheme in which the administrator can create a wall between private and public clouds. Hence there is less chance of falling victim to spam and virus attacks.
Key Benefits of Cloud Enterprise:
It will provide an unlimited amount of computing power for high-profile software on private networks.
It is an entirely automated computing system that can provide better data security.
It will simplify and accelerate service delivery by combining self-service provisioning with a catalog of custom built and pre-defined machine images.
It will provide the real time reporting capabilities within the cloud environment to ensure enhanced information security.
The cloud will provide an IP-based office solution, so it can be accessed virtually by anyone with an authorised login.
Cloud IPS/Firewall:
One of the basic requirements is to secure the private virtual network from the public network, and the cloud IPS/Firewall provides the right solution very economically.
The cloud IPS/Firewall differs from other network security solutions because it is designed to protect web-based applications at the edge of the internet; it shields an organisation's network from application-layer attacks and protects corporate and customer data.
Application-based attacks are the major vulnerability for organisations today. The Cloud IPS/Firewall has the capability to defend against application-layer attacks.
The Cloud IPS/Firewall has extensive capacity compared with a usual firewall system.
The Cloud Firewall costs $150 per month with one terabyte of traffic; additional traffic is $0.05 per GB. This includes full layer-7 protection. It is economical for companies like Plantain Building Company.
Virtual Private Network (For Theo Barratt)
The best and most economical way to access the office network from home or a mobile location is to implement a WAN. To access the office network only VPN software is required, and it should be installed on each client PC that needs access. The network will be accessible only to those who have an authorised login and valid VPN software on their system, so it cannot be accessed by those who do not possess the software. Hence Theo Barratt can access the office network from his home.
Conclusion:
Hence, in my view, the case study, having been examined appropriately, has proposed the right resolution, because the given scenario provides no alternative path if the current system collapses. Having considered many things, including information security, backup systems, remote access facilities and, most importantly, the financial data records, an economical and suitable solution has been proposed. There is a variety of ways to implement the resolution that bring harmony to the network and safety to the data. VPN is the safest and cheapest resolution for providing a separate network within a network; in this case Theo Barratt needs to work at home and has therefore been provided with the easiest way to connect online to the official data.