TCO And Annualized Loss Expectancy Information Technology Essay

Published: November 30, 2015 Words: 4454

This task covers the concepts of Total Cost of Ownership (TCO) and Annualized Loss Expectancy (ALE), which have to be defined and calculated for a company. Total cost of ownership (TCO) is a financial term. Its purpose is to determine the direct and indirect costs of a product or system in a company or organization.

Total Cost of Ownership (TCO) and Annualized Loss Expectancy (ALE)

It is a management accounting method or concept. TCO is used in full cost accounting and in other economic cost calculations. Total Cost of Ownership includes the cost of purchasing, installing and supporting IT hardware and software over a specific period.

Annualized Loss Expectancy (ALE)

Annualized Loss Expectancy (ALE) is a financial calculation method used to help calculate the expected loss of a retail company. The formula is

ALE = SLE*ARO

Here

SLE = Simple Loss Expectancy (SLE)

ARO = Annualized Rate of Occurrence (ARO)

a) Calculate the TCO for their current system.

b) Calculate the ALE for this system.

c) To prevent such breaches, you have estimated that they require a security administrator for 2 days per week (the annualized salary for this administrator would be the same as for the others). Calculate their annual savings if they employed a part time security administrator.

Calculate the TCO for their current system

Cost of 8 web servers over 5 years ($15,000 * 8) = $120,000

and

Cost of 2 database servers over 5 years ($25,000 * 2) = $50,000

Total cost of web servers and database servers over 5 years

= ($120,000 + $50,000) = $170,000

Total cost for support = ($1,500 * 8 + $2,500 * 2) = $17,000

Total salary of the 3 employees = ($40,000 * 3) = $120,000

Annual cost for support and employees = ($17,000 + $120,000) = $137,000

Cost for 5 years = ($137,000 * 5) = $685,000

So Total Cost of Ownership (TCO) over 5 years = ($170,000 + $685,000)

= $855,000

Total Cost of Ownership (TCO) = $855,000 (Answer)

Calculate the Annualized Loss Expectancy (ALE) for this system

1 year = 365 days = (365 * 24) hours = 8,760 hours

Annual turnover = $46,000,000

Turnover per hour = ($46,000,000 / 8,760) = $5,250 (approximately)

Total recovery time for a security breach = 10 hours

So the SLE = ($5,250 * 10) = $52,500

Each breach costs them 0.2% of TCO = ($855,000 * 0.2%) = $1,710

ARO = ($1,710 * 3) = $5,130

ALE = (SLE + ARO) = ($52,500 + $5,130) = $57,630

The Annualized Loss Expectancy (ALE) = $57,630 (Answer)

To prevent such breaches, you have estimated that they require a security administrator for 2 days per week (the annualized salary for this administrator would be the same as for the others). Calculate their annual savings if they employed a part time security administrator.

Salary of the security administrator for 1 year = $40,000

1 year = 52 weeks

Here 1 year (without holidays) = (52 * 5) = 260 working days

So the salary of the security administrator for 1 day = ($40,000 / 260) = $153.846

Total working days of the security administrator = (52 * 2) = 104 days

So the total annual cost of the security administrator = ($153.846 * 104) = $16,000

Total saving

= The Annualized Loss Expectancy (ALE) - Cost of security administrator

= ($57,630 - $16,000) = $41,630 (Answer)
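The same figures carried through the formula as stated earlier, ALE = SLE * ARO, in an added Python example that is not part of the original essay. It assumes the factor 3 in the working is the number of breaches per year and that one breach costs the turnover lost during recovery plus 0.2% of TCO, so its ALE and saving differ from the additive figures above; the hourly turnover is not rounded to $5,250.

```python
from dataclasses import dataclass

HOURS_PER_YEAR = 365 * 24  # 8760, as in the essay


@dataclass(frozen=True)
class ServerClass:
    count: int
    purchase_cost: float    # one-off cost per server
    annual_support: float   # support cost per server per year


def total_cost_of_ownership(servers, staff_count, staff_salary, years):
    """Hardware purchase plus `years` of support contracts and staff salaries."""
    hardware = sum(s.count * s.purchase_cost for s in servers)
    support = sum(s.count * s.annual_support for s in servers)
    return hardware + years * (support + staff_count * staff_salary)


def single_loss_expectancy(annual_turnover, outage_hours, tco, tco_fraction):
    """Loss from one breach: turnover lost during recovery plus a share of TCO."""
    hourly_turnover = annual_turnover / HOURS_PER_YEAR
    return hourly_turnover * outage_hours + tco * tco_fraction


def annualized_loss_expectancy(sle, aro):
    """ALE = SLE * ARO, where ARO is a number of incidents per year."""
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO must be non-negative")
    return sle * aro


def part_time_salary(full_salary, days_per_week, working_days_per_week=5):
    """Pro-rata salary; 2 days of a 5-day week equals 104 of 260 working days."""
    return full_salary * days_per_week / working_days_per_week


def control_net_saving(ale_before, ale_after, annual_control_cost):
    """Annual saving from a control: avoided loss minus the cost of the control."""
    return (ale_before - ale_after) - annual_control_cost


def essay_scenario():
    """Figures from the essay's working; aro=3 breaches per year is an assumption."""
    servers = [ServerClass(8, 15_000, 1_500), ServerClass(2, 25_000, 2_500)]
    tco = total_cost_of_ownership(servers, staff_count=3, staff_salary=40_000, years=5)
    sle = single_loss_expectancy(46_000_000, outage_hours=10, tco=tco, tco_fraction=0.002)
    ale = annualized_loss_expectancy(sle, aro=3)
    admin = part_time_salary(40_000, days_per_week=2)
    # As in the essay, the administrator is assumed to prevent every breach.
    saving = control_net_saving(ale, ale_after=0.0, annual_control_cost=admin)
    return {"tco": tco, "sle": sle, "ale": ale, "admin_cost": admin, "saving": saving}


if __name__ == "__main__":
    for name, value in essay_scenario().items():
        print(f"{name:>10}: ${value:,.2f}")
```
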

Summary: I think TCO and ALE are important terms for a financial company or organization that help to estimate costs. In financial benefit analysis, TCO provides a cost basis for determining the economic investment. To do the task I followed everything very carefully.

Task 2

Introduction: In this task an ideal network architecture has to be explained and justified. Here I will try to do the task very well. That helps me to understand the ideal network architecture and each of its components.

Network architecture: Network architecture design is the high-level design of a communications system, including the choice of hardware, software, protocols and other requirements.

Figure: Ideal network architecture

Network architecture is a kind of diagram of a complete computer communication network. It provides many advantages when establishing a real network. It provides a framework and technology foundation for designing, building, managing and monitoring a communication network. Layering is an important matter when designing a network. Layering is a new network design system. It divides the communication tasks into a number of smaller parts.

Anyone is free to design hardware and software based on the network architecture.

Network architecture and design can help anyone gain technical leadership skills, which are needed when an organization has to design and implement high-quality networks that support business needs. To do this I will learn how to design, maintain and troubleshoot Internet, intranet and extranet connections, including local- and wide-area networks. The task will also build my knowledge of how to develop security.

Network architecture can provide only the idea of a framework for communication between computers. It cannot provide the specific methods of communication. The actual communication is defined in various ways, such as by communication protocols, hardware, software, etc.

Basic computer network components

A computer network is a kind of data communications system. Network architecture interconnects some components, so when I designed the network architecture I included components such as PC, NIC, hub, switch, router, etc. The details of these components are given below:

PC

PC stands for personal computer. The computer is the main component of the networking world. Without PCs it is impossible to think of a network. Computers are used for many purposes in the IT world. Nowadays most things depend on the computer.

NIC

NIC stands for Network Interface Card. Registered Jack 45 (RJ45) or Registered Jack 11 (RJ11) is the standard connector for a NIC. The cable that carries the signals is either shielded or unshielded. When a computer connects to the Internet, the NIC sends pulses that try to establish an acceptable connection speed between the modem/router and worldwide sites. A NIC has a Media Access Control (MAC) address.

Hub

An Ethernet hub (also called an active hub, network hub, repeater hub or simply hub) is a device used for connecting multiple twisted pair or fiber optic Ethernet devices together. Hubs work at the physical layer (layer 1) of the OSI model. A hub is a form of multiport repeater. Repeater hubs also participate in collision detection, sending a jam signal to all ports if they detect a collision.

Router

A router is a device used to interconnect two or more computer networks. Another definition is: "A router is a networking device whose software and hardware are used for routing and forwarding information." From the address information in a data packet, a router can determine whether the source and destination addresses are on the same network. It can also determine whether a data packet must be transferred from one network to another. As a result, multiple routers are used in a large collection of interconnected networks. A router has two or more network interfaces.

Switch

A network switch is a networking device that can be used to connect network segments. The term commonly refers to a network bridge that processes and routes data at the data link layer (layer 2) of the OSI model. A switch is an intelligent device, unlike a hub, because it forwards data only to the port that should receive it. The switch learns this from source addresses; once it knows the source addresses, it only has to find the destination address to send data.

Cables and other devices

In a cabled network, cables are required. In a wireless network cable is not mandatory, and many other devices may be used.

Summary:

In this task I have designed an ideal network architecture and described the most commonly used components of a network. Doing the task taught me a lot about networking systems. In this task I showed the web application network diagram that the task asks for the existing system.

Task 3

Introduction

This task is about footprinting a retail company's web site. Footprinting refers to a method that helps to gather information about a computer system. In this task, a retail company's website has to be scanned to check for weak points. The purpose of footprinting is to prevent threats from hackers. If a company does not have enough security, it may become the victim of an attacker.

Footprinting

In computer security, footprinting is the process of gathering data about a specific network environment, usually for the purpose of finding ways to attack the environment.

Footprinting a website has some requirements. These requirements are given below:

Network enumeration

Nmap tool

Organizational queries

Ping sweeps

Network queries

Operating system identification

Point of contact queries

Port Scanning

DNS queries

Registrar queries

In this task I follow some steps to footprint an organization's website. It is a retail company, and the company's web address is www.coop-bookshop.com.au/bookshop/home/homepage.html. The company sells many types of books online. There are many types of books on the website.

Nmap ("Network Mapper")

Nmap is a free and open source (license) utility for network mapping. The tool is used for network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap can determine the hosts available on the network and their services, and can also detect which OS they are running.

To do the task I used Nmap. First I installed the software. The installation process is shown below:

Figure: Nmap installing process

This is the first step of installing Nmap. The installation process is the same as for ordinary software.

Figure: Nmap installing process

In this step we can choose the features and components of Nmap. I selected all components of Nmap.

Figure: Nmap installing process

In this step of the installation process the destination folder can be selected, as in an ordinary software installation.

Figure: Nmap installing process

Here the installation is running.

Figure: Nmap installing process

This is the final step of the Nmap installation process. I finished the installation by clicking the Finish button.

The footprinting process is given below:

To scan a website, I first chose a website. The company mainly maintains a book selling system. To footprint this website I used Nmap, which I downloaded from the Internet. After downloading I started the scan of the website.

Website Address: www.coop-bookshop.com.au/bookshop/home/homepage.html

Figure: Foot printing process

To scan the website I simply used its URL. I pasted the URL into the target box and ran the scan.

Figure: Foot printing process

This step shows some of the Nmap output for the website. From this step I learned that the scan may be carried out with a ping scan, and I also noticed four open ports.

Figure: Foot printing process

Here the output of the Nmap scan contains more information about the website.

Figure: Foot printing process

This is another screenshot of the footprinting. Nmap outputs are shown in the screenshot. The step contains the detailed information of the output.

Figure: Foot printing process

When I scanned the website I followed all the information very carefully. After viewing the Nmap output I looked at the port/status view. Here I see that TCP ports 80 and 443 are open. The status is shown in this screenshot.

Figure: Foot printing process

This is the screenshot of the network topology status.

Figure: Foot printing process

Host details is another option for viewing details of the host. Here two are open. The process scanned 1099. From here it is also possible to learn about the operating system, addresses, hostnames, ports used, etc.

Figure: Foot printing result

This is the last step of footprinting. In this step a short result of the basic footprinting is shown.
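From the defending side, the open-port list that such a scan produces can be checked against what the site is meant to expose. The following Python example is added here and is not part of the original essay; it parses Nmap's grepable output (the `-oG` format), and the sample scan text, host name, address and the approved set of TCP ports 80 and 443 are constructed for illustration.

```python
import re

# Constructed sample in Nmap's grepable (-oG) format. The address is from the
# documentation range and the host name is a placeholder, not a real scan.
SAMPLE_OG = (
    "# Nmap scan (constructed sample)\n"
    "Host: 192.0.2.10 (shop.example.com)\tStatus: Up\n"
    "Host: 192.0.2.10 (shop.example.com)\tPorts: 21/open/tcp//ftp///, "
    "80/open/tcp//http///, 443/open/tcp//https///, 3306/open/tcp//mysql///, "
    "8080/filtered/tcp//http-proxy///\tIgnored State: closed (995)\n"
    "# Nmap done (constructed sample)\n"
)

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")


def parse_grepable(text):
    """Return {(ip, hostname): [(port, proto, state, service), ...]}."""
    results = {}
    for line in text.splitlines():
        match = HOST_RE.match(line)
        if not match:
            continue  # comment lines and anything that is not a host record
        key = (match.group(1), match.group(2))
        ports = results.setdefault(key, [])
        for field in line.split("\t"):
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(","):
                # Entry layout: port/state/protocol/owner/service/rpc/version/
                parts = entry.strip().split("/")
                if len(parts) < 5 or not parts[0].isdigit():
                    continue
                port, state, proto, _owner, service = parts[:5]
                ports.append((int(port), proto, state, service))
    return results


def unexpected_exposure(results, allowed):
    """List open ports that are not in the approved (port, proto) set."""
    findings = []
    for (ip, _name), ports in sorted(results.items()):
        for port, proto, state, service in ports:
            if state == "open" and (port, proto) not in allowed:
                findings.append((ip, port, proto, service))
    return findings


if __name__ == "__main__":
    approved = {(80, "tcp"), (443, "tcp")}  # what a web shop is meant to expose
    for ip, port, proto, service in unexpected_exposure(parse_grepable(SAMPLE_OG), approved):
        print(f"{ip}: unexpected open {proto}/{port} ({service})")
```
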

Summary

In this task I scanned a retail company's website. I think this task is very important for making information more secure. The purpose of this task is to find the weak points of a website, because an attacker uses weak points of the target host to attack. By footprinting it is possible to learn the weak points so that they can be protected from attackers.

Task 4

Introduction:

In this task I have to analyse and work out a security and password policy for the retail company. Security and password policy are important matters for a retail company or organization, because without them sensitive information and other security may lose integrity. There are many parts to a security and password policy. I describe them briefly below.

Security

Security means the protection of a retail company or organization from attack. In the computer world, security means techniques for ensuring that data stored in a computer cannot be accessed, read or modified without permission and authorization. Most security systems rely on data encryption and passwords. Data encryption is the translation of plain text data into a complex form.

Password Policy

A password is a secret, important word or phrase belonging to a user. It is used to access a particular program or system on the computer. The password helps to keep out unauthorized users, so that they cannot access the computer. Additionally, data files and programs may require a password. Simply put, the password should be something that nobody can guess. There are several parts to a password policy, such as Enforce Password History, Maximum Password Age, Minimum Password Age, etc. Some of the parts are given below:

Figure: Password and security policy

Enforce Password History

This policy helps to ensure that a password cannot be re-used. An admin of a retail company can use this policy to make users use a wider variety of passwords. Under the policy the same password cannot be used over and over. The value of the policy is a number between 0 and 24. Any number other than 0 will save the password policy.

Maximum Password Age

This policy sets an expiration date for user passwords. The duration of the policy is between 0 and 42 days. Setting the value to 0 is equivalent to setting the passwords to never expire. Mostly the policy is set to 30 days or less, that is, one month.

Minimum Password Age

This policy contains a minimum number of days. Under this policy the password duration may always be short. The Minimum Password Age is always less than the Maximum Password Age. If the Maximum Password Age is not enabled or is set to 0, the Minimum Password Age can be any number between 0 and 998 days.

Minimum Password Length

This policy is used to set the minimum password length. Under this policy users cannot use very short passwords. As a result security becomes higher. If anyone tries to break the password, it is not easily possible. An admin of a retail company can easily require longer passwords, which is more secure for the company. With this policy setting, the admin can assign a minimum number of characters for account passwords. The value can be anything from 0 to 14, but a minimum of 7 or 8 characters is recommended for sufficient security.

Password Must Meet Complexity Requirements

If the 10-character password is "password" and the 7-character password is "mi@1&lM", the 7-character password is much more difficult to guess or break. A password that contains symbols like these is harder to guess or break. The complexity requirements are given below:

The password should not contain any part of the user's account name or full name.

The minimum password length should be at least six characters.

The password should combine uppercase and lowercase characters (A through Z and a through z)

Base 10 digits (0 through 9)

The password should contain special characters and symbols (for example, &, $, #, %)

Store Password Using Reverse Encryption

The policy helps to encrypt any password. It makes the overall password security very secure.

Verify New Password Settings

Password verification is another security policy for a retail company or organization. When new passwords are created they should be verified.
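How the history, age, length and complexity settings described above combine when a user changes a password, as an added Python example (not part of the original essay and not the operating system's own implementation). Its assumptions are: all four character classes in the list are required, name parts are alphanumeric runs of three or more characters, the defaults are a minimum length of 7, a history of 24, a minimum age of 1 day and a maximum age of 42 days, and the history holds salted one-way hashes.

```python
import hashlib
import hmac
import os
import re
import string
from datetime import datetime, timedelta


def _digest(password, salt):
    # Salted one-way hash, so the history never holds recoverable passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class PasswordPolicy:
    def __init__(self, min_length=7, history_size=24, min_age_days=1, max_age_days=42):
        self.min_length = min_length
        self.history_size = history_size    # 0 disables the history check
        self.min_age_days = min_age_days
        self.max_age_days = max_age_days    # 0 means passwords never expire

    def complexity_violations(self, password, account_name, full_name):
        """Return the complexity rules from the list above that `password` breaks."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        classes = {
            "uppercase letter": string.ascii_uppercase,
            "lowercase letter": string.ascii_lowercase,
            "digit": string.digits,
            "special character": string.punctuation,
        }
        for label, alphabet in classes.items():
            if not any(ch in alphabet for ch in password):
                problems.append(f"no {label}")
        # Name parts: alphanumeric runs of 3+ characters (assumed threshold).
        tokens = re.findall(r"[a-z0-9]{3,}", f"{account_name} {full_name}".lower())
        if any(tok in password.lower() for tok in tokens):
            problems.append("contains part of the account or full name")
        return problems


class Account:
    def __init__(self, name, full_name, policy):
        self.name, self.full_name, self.policy = name, full_name, policy
        self.history = []        # (salt, digest) pairs, newest last
        self.changed_at = None

    def change_password(self, new_password, now):
        """Apply every rule; return [] on success or the list of violations."""
        p = self.policy
        problems = p.complexity_violations(new_password, self.name, self.full_name)
        if self.changed_at and now - self.changed_at < timedelta(days=p.min_age_days):
            problems.append("minimum password age not reached")
        if any(hmac.compare_digest(_digest(new_password, s), d) for s, d in self.history):
            problems.append("password was used recently")
        if problems:
            return problems
        salt = os.urandom(16)
        self.history.append((salt, _digest(new_password, salt)))
        self.history = self.history[-p.history_size:] if p.history_size else []
        self.changed_at = now
        return []

    def is_expired(self, now):
        """True once the current password is older than the maximum age."""
        p = self.policy
        if self.changed_at is None or p.max_age_days == 0:
            return False
        return now - self.changed_at > timedelta(days=p.max_age_days)


if __name__ == "__main__":
    acct = Account("jsmith", "John Smith", PasswordPolicy())
    print(acct.policy.complexity_violations("password", acct.name, acct.full_name))
    print(acct.change_password("mi@1&lM", datetime(2024, 1, 1)))
```
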

Summary

In task 1 I learned about security and password policy. This task is very important for becoming expert in security and password policy. In this task I described a security and password policy for a retail company. If the rules are maintained, a company will be secure from any kind of security and policy threat.

Task 5

Introduction

An email system is part of a company or business organization. Without an email system the business cannot work properly. But if the email system is insecure, the business is harmed and the company makes a loss. So email security is at the heart of business, because more and more data and information is kept in email. As a result a secure email system is a must for a business organization or retail company. In this task I will try to discuss and solve the problem of a secure email system.

When a company uses email to exchange sensitive data with internal and external sites, the data and information must be secured. Without secure email, sensitive data may be stolen, and the company is harmed as a result. Here I will try to provide solutions to email threats.

Email

Email is a communication medium. Electronic mail is called email or e-mail. An email system is a method of transferring data and information across the Internet or other computer networks. Email always sends and receives digital messages. Email systems are based on the store-and-forward model, which email needs in order to work. Email server computer systems accept messages under the store-and-forward model. Basically, emails are transmitted from one user's device to another user's computer. For this communication, both computers are to stay online at the same time.

An email message has two parts: the message header and the message body. The message header contains information about the source address and destination address as well as other important information. The message body contains the main information.

Security of email

Email security means protecting the data in communication. Secure email communication uses encryption to exchange data, messages and information.

From the details above we can understand that, for effective communication, a secure email system is a must for a retail company or other business organization. I will now try to provide some methods for securing email. These are given step by step below:

Using Encrypted message

Encryption is the method of converting information into a complex form, so that it is understandable only to someone who knows how to 'decrypt' it to obtain the original data or message. Encrypting data in the mail system helps security. When an attacker tries to get at the real data, it is impossible to read if it is encrypted. So a company or organization that wants secure email should use encryption to improve email security. Encryption is also used to protect data and information in transit, for example data being transferred via networks, wireless microphones, mobile telephones, wireless intercom systems, etc.

Using several email accounts

Some small retail companies and business organizations use one email address for all data communication. For this reason the organization loses some valuable information. To communicate effectively, several email addresses should be used for different types of communication. I think a retail company or organization should have a minimum of three email addresses. The three accounts do different work as needed. The work account should be used exclusively for work-related communication. The second email account should be used for personal communication and conversations, and the third email account should be used for general communication. Because the third account is used for general communication, it can also be used by other employees of the company or organization.

Closing the browser after logging out

This is a big problem. Sometimes users don't care about the matter, but it is essential for any user. Nowadays most browsers can remember browsing events. When users check email at a library or office, they not only need to log out of their email when they are done, they also need to make sure to close the browser window completely. Some email services and some browsers display the username, but not the password, even after logging out. So users should be aware of this matter and obey this rule.

Securing networks and SSL protocol

A secure network is essential for a secure email system. Without network security, email security is not possible. Secure Sockets Layer (SSL) is an encryption protocol. SSL is used for secure communications and user authentication over open, unsecured networks. The Internet is an example of an unsecured network. SSL is a must for transferring information securely. For example, when a user submits credit card details online, it is insecure if there is no SSL protocol. So to build a secure email system for a retail company, a secure network and the SSL protocol are needed.

Delete browser cache, history and passwords.

After using mail, it is important that users remember to delete the browser's cache, history, and passwords. Some browsers automatically keep a history of all the web pages that the user has visited, and some keep track of any passwords and personal data or messages that the user enters. If an attacker gets at the real information and data, it can be stolen. Another important matter is that new Internet users must be aware of how to clear a public computer's browser cache. To do this in Mozilla's Firefox, simply press Ctrl+Shift+Del. Opera users need to go to Tools>>Delete Private Data. Users of Microsoft's Internet Explorer need to go to Tools>>Internet Options and then click the 'Clear History', 'Delete Cookies', and 'Delete Files' buttons.

Remember about the telephone option

Sometimes users forget the telephone option for instant communication. But for brief and short secure communication the telephone is the best way. Writing an email may sometimes take a long time. If the communication is simple and quick, the telephone should be used. Anyone who compares the telephone and email for instant communication will find the telephone the best way. So for a retail company or organization the telephone is far more secure.

Sending email to right people

Some employees in the company use email for personal communication. But this is a very illegal way. Email should be used for fixed purposes and fixed people. Sometimes a recipient plans to steal information from a company, and he may be familiar with an employee of the company; such people may be harmful to the company. I think such people are not acceptable recipients of email. To secure this, the head of the company must look for such problems.

Using hard and complex password

In the retail company users mostly use easy passwords, but that is not secure for the company. A user must not use part of the company name, or the name of a familiar person in the company, in the password. Attackers use computer programs to guess passwords. Attackers can create methods that generally combine common English words and numbers. Such combinations help to guess a password. So when creating a password, use complex and uncommon combinations of numbers and letters. The combination should not form a word found in a dictionary. Upper case and lower case characters must be used in the password. A strong password has a minimum of eight characters. The password must be as meaningless as possible.

Access control

A company should have access control roles. According to their role, employees have different rights to access email. Access control makes any organization more reliable and improves it.

Back up

Because of the volume of email, users sometimes delete email. Users need to think before doing this. If the emails are not important the user can delete them, but if they are important the user should keep them for the future.

Using the Blind Carbon Copy (BCC) option.

Using BCC may bring a company some benefit. When a user puts people's email addresses in the BCC: box rather than the CC: box, the recipients can't see the addresses of the other email recipients. This should be done when users send email to several people to provide data, messages and information. But new email users cannot use the function properly. New users use the To: box for sending email because it is the default box of any email address.

Using digital signature

A digital signature is a kind of method that provides secure and encrypted email communication. Digital signatures are also used to implement electronic signatures. In some countries, including India, the United States, and European Union countries, electronic signatures have legal popularity. Digital signatures make our life easier and improve communication security. A digital signature is a must for a retail company. But companies fail to obtain digital signatures because of financial and possibly other problems. A digital signature can identify the source email address and destination addresses. Further, digital signatures provide more facilities for secure communication via email.

My thinking about secure email

To establish a secure email system I recommend the tips and techniques mentioned above. I especially recommend digital signatures for email security. I think digital signatures can provide enough security for an email system. Digital signatures also help to authenticate users. So digital signatures offer many facilities. If a retail company or organization wants to secure email, it needs digital signatures. Additionally, there are many email security tools on the Internet. These tools provide specific facilities for securing email communication.

Summary

The task is good for learning about email security. It is designed to give students knowledge about email security. Here I mentioned some tips and tricks for dealing with email security threats. Doing this task taught me many things about email security. It is really very important in practical life, because much sensitive information is transferred via email. Basically in this task I tried to solve some email security problems. This was a very good experience for me.

Summary of Assignment:

There were five tasks in this assignment. Each task is designed to provide broad knowledge of security. The assignment is designed to build full ability in Internet security. To do the assignment I analysed problems, identified security risks and evaluated alternative solutions. In this task I described various kinds of security standards. I came to understand the security process step by step by doing this assignment. I think any student can learn about security, problem detection, problem solving, etc.