UNIT 11. P4

Security plan: (definition from wiki.internet2.edu) a documented approach that addresses how an organization will implement security measures. But in the case of the I.T world: (definition from garlic.com) a document that is published by the line manager of an IT system and presents the means by which that manager intends to secure the system.

An (I.T) security plan for a business would include several, if not all, of the security measures described in the previous PowerPoints for the unit; the tasks P3 and M2 cover this well.

Purpose

The purpose of this report is to show the “standard operating procedures” relating to “cyber security”. It contains a comprehensive overview of the different security measures, plans and procedures. This relates to a business with lots of online activity, as well as other activities, like phone and face-to-face communication; an example of this would be a solicitors company.

Current security measures

The business that I am talking about will be a solicitors company. As a solicitors company, they will have a branch for face-to-face communication with customers, and as a place to store information and conduct day-to-day business. As a building, several physical security measures are already in place, as well as some cyber-security measures.

Cameras

There are 2 outdoor security cameras, covering the front and back exit. There are also 2 indoor cameras, covering the manager’s office and the workers’ area. The cameras are checked when necessary.

Virus protection

The business has a firewall to the computers, but it is not updated regularly. They all have Avast anti-virus paid version. This covers spam-filters and virus protection.

Updates

Software is not updated regularly; it is updated when the employee remembers. A server could fix this, but it is not used properly.

Backups

Backups are completed, but not regularly. They contain a backup of the previous server state; this includes all data, but no data is backed up to the cloud.

Internet

The internet is set up to be wireless and has no passwords; this allows anyone to access the network. No MAC filtering is set up.

Assets

Assets of a business can vary, but for solicitors, the assets could be the customer data and the trade secrets. The business could have its figures for its financial department. It could also have its own marketing strategies. Assets should be kept secure.

Different assets are:
1. Computers
2. Customer data
3. Business documents
4. Electrical equipment
5. Premises

Risks

In a business the risks should be minimised. To do this, a risk assessment must first be carried out; an example is below.

1. Physical threats
   Theft of data
   Damage to hardware
2. Cyber-threats
   Malware---Spam
   Hardware failure
   Spyware
   Viruses
   Hackers
3. Natural disasters
4. Staff
   a. Give up passwords through social engineering
   b. Personal vendetta against you

Security Measures

1. Prevention
   a. Firewall
   b. Anti-Virus program
      i. Spyware removal
      ii. Virus removal
   c. Operating System
      i. Updating O.S
   d. Removal of data
   e. Staff
      i. Stopping possible theft opportunities
2. Protection
   a. Staff
      i. Limiting their access
      ii. Correct training
      iii. Forcing policies on staff
   b. Encryption
   c. Backups
3. Access Control
   a. Administrator rights
   b. DAC
   c. MAC
   d. Prioritising RAM
4. Cloud

M3/D2 (and P5)

Prevention

Firewall

The use of a firewall is that of a preventative measure. The firewall is designed to filter out what is authorised and what is not. The internet traffic going through the computer(s) is filtered by the firewall; it stops unauthorised access to the system, but allows the access of the webpage you were trying to load.

Any single computer has a firewall, but a network of computers, linked through the use of a server, is able to use the network firewall. This allows greater control of what is permitted and what is not, so the playing of games by the employees could be stopped on the network firewall, instead of individually going round to each computer to block it.

Operating systems like Windows have a built-in firewall, but the router (hub or switch) you are using also provides one. This is the way the servers immediately block unwanted internet access, and traffic which may potentially slow down the bandwidth of your network.

A firewall should be updated to the most recent version; this ensures that it is working to the best of its ability. A firewall should be included for any online activity.

Due to the fact that no viruses have been found over a duration of time (a full system scan was regularly conducted to check for the presence of viruses), the firewall has done and continues to do its job of keeping the system safe.

Anti-Virus software

Spyware removal

The use of spyware is that of a hacker; it allows him/her access into your system to read files, and in most cases the affected person is unaware of this. In a business world this can be tragic, as it gives a competitor details about you and your customers, and it also breaches the Data Protection Act. This could lead to a fine, or even a court sentence.

Most anti-virus software comes built to remove all types of malware, which includes spyware. But for it to do this, you must update the software to the latest version. In a business world, the employee may purposely or forgetfully not do the regular updates, so anti-virus for businesses (a server) is required; it allows access to the anti-virus from remote access. The benefit of server anti-virus is that it updates and scans according to the server manager, so no sabotage is permitted.

Virus Removal

As was stated before, the use of anti-virus includes the removal of spyware and viruses. Viruses can affect all manner of different things; because virus is a broad term, it encompasses many types of threats, but it could include the removal of sensitive data whilst also taking it for itself.

The use of a server-wide anti-virus is usually a paid-for option, but it is ultimately worth it if it keeps your and your customers' data safe. The software should be regularly updated and be made to do routine scans, to make sure nothing goes onto the system and no virus is left on the system. Any internet activity should result in the anti-virus program's presence.

After routine scans were completed, no viruses were found; other items, such as tracking cookies, were found and were removed easily. This shows that the anti-virus software has done its job effectively.

Operating System

The OS contains its own set of defences against attacks, such as a firewall and constant patches (see below).

Updating OS

Patches for flaws in the OS and the security of the system are free and are rolled out by the provider; they are usually self-updating, but they can be changed to not do so. This can be stopped by one of two things: administrator rights for each computer, or having the entire system linked up via a server, where the server admin would control the updates. This is a form of the administrator method (it's a form of admin in itself), but it has one benefit: it can control all the computers at once, instead of going round each one individually.

After the updates were installed, there were little to no reported bugs, and no security flaws that people are aware of, although an upgrade to a later O.S may be needed in the near future, as Windows 7 will eventually run out of support from Microsoft.

Removal of Data

The proper removal of data is key to averting the accidental loss of customer or business data/secrets. For a business, data is stored on the cloud and/or a HDD. The HDD can be wiped of any data by either destroying the drive or deleting the partition that it is held on. For the sake of cash-flow, re-using the drive would be wiser.

If data is stored on the cloud, a simple delete would erase the data; because the data would be held by large companies, the chances of any attack on their services are minimal.

Although this program was installed on a USB stick, it is an easy-to-use example of using an application to securely remove files, so that they are not able to be brought back by a hacker (compared to being put in the normal recycling bin).

Staff

Staff are a big security flaw among businesses, and so part of it is described here under the prevention section, and the other part is under the protection section.

Preventing possible theft opportunities

Staff can either be bribed into going against you, or they can be tricked into giving away information. Other reasons, like a personal vendetta, are around but are not as common as the first two reasons mentioned.

If a rival company wanted information from you, they could bribe your staff; this could be to give their account passwords, or to retrieve information and delete it afterwards. What the rival company does with the information is up to them, but it could be to steal a patented technology, or to inform all of their customers about their cheaper rates.

To stop the information theft, constant password changes must be enforced, as well as DAC access control (shown in later pages); other systems, like MAC and Administrator rights, could also help prevent theft.

Social engineering is when an employee is tricked into giving away information; passwords or security questions are possibilities. Ways to counter this are to use a work e-mail that you set up and change passwords automatically, and to train your staff into resisting social engineering.

Protection

Staff

Limiting their usage

For full details, this is covered above under the section Prevention---Staff---Preventing possible theft opportunities.

The parental settings function cannot be accessed by the standard user; only the administrator can use this function. With this you can control the time limits within which the user can log on. But much more can be done, as shown below.

Correct training

For full details, this is covered above under the section Prevention---Staff---Preventing possible theft opportunities.

Forcing policies on staff

For full details, this is covered above under the section Prevention---Staff---Preventing possible theft opportunities.

Encryption

If data is to be transferred for some reason via removable or portable media (USB memory sticks, portable HDDs, laptops, etc.), then, in case of theft or loss of the data, it must be encrypted.

Encryption is a process of encoding information so that only authorised parties can access the media. Unfortunately, media can be decoded, so the information is readable to unauthorised users. Strong encryption (sometimes military grade may be needed) would be needed; this is where the encryption is also encrypted, again and again. Media is not recommended to be moved about; this is why much data is stored on the cloud, where there is strong encryption and the media is accessible to the authorised users anywhere.

If data is transported by portable media storage, then it must be encrypted with appropriate encryption software.

All USB sticks used by the company are now Lexar drives that come with Secure 2 free of charge. This allows an encryption of data. But for more sensitive data that must be moved, a more secure application is needed (of course, the data being transported should also be saved to another, secure location). Secure 2 is a way of encrypting data with a password to stop hackers and thieves from seeing your data.

Backups

Sometimes an attack may not be to steal data, but to just delete it off your systems. If your business is very customer oriented (like a solicitors), then customer detail loss could potentially ruin your business and put it at a standstill. Having recent backups of your data can ensure that an attack does not ruin your business. A recent backup could mean only minimal data (or none) is lost. This would only halt your business for a few hours, not weeks!

All businesses that have a computer system should be required to keep regular backups in the case of a cyber-attack.

This screenshot was taken before it was configured to do automatic backups (as shown), but it can also be used to restore data, and if for some reason the most recent backup is corrupt, then a prior backup can be used! It has been a key way of protecting against theft.

Access Control

Administrator rights

All companies that have a computer system should use the administrator functionality (admin). Admin is a way of stopping regular users from changing settings and accessing unwanted files. With modern O.Ss like Windows 7, you can not only stop the reversal of the changes to settings, but you can also only allow the login, and usage of functions, within a certain time period, so there would be no access to the computers over lunch, or after hours when there is no-one to supervise the staff. Admin rights have a huge range of possibilities, and should be used accordingly with all businesses.

A user can be made administrator; this grants more power over the other users, and it also grants more depth into the system. No actual data should be kept on the admin account, as it is the account first to be attacked by hackers.

DAC

DAC (discretionary access control) is a method of controlling the access of files and settings among a server. DAC is discretionary, so it is up to the author of the document who has rights and who doesn't. A user can be set using the user accounts on the OS, or the actual MAC address of the computer. A DAC setup would be essential for a multi-tiered business, with different branches of products.

A solicitors company may not need to use DAC, but if there are several branches with a shared server, then a DAC setup may be worthwhile.

The DAC setup for the server is shown below. It can be used from programs such as Microsoft Office. It allows the author to choose the users who can read and/or write.

MAC

MAC (mandatory access control) is better described on the P3 PowerPoint for the unit. This would be good for a company who has staff on roughly the same level of expertise, with not many levels to their business hierarchy. This is because the user is given a level, such as secret or top secret, and would then be able to access files with the corresponding or lower security tag. So a solicitors company could have all of the basic employees able to access basic files, whereas the manager could access all of that plus even more secret files. MAC and DAC can be used together where necessary.

This has been used well in the server to stop staff compromising the integrity of the business's cyber security and assets.
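
How the DAC and MAC rules described above combine, as an added example that is not part of the original report: the level is checked first, so a grant by the document's author cannot take a user above their own level. The numeric ranks, user names and document names are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

# MAC labels from the text, lowest to highest; the numeric ranks are an assumption.
LEVELS = {"basic": 0, "secret": 1, "top secret": 2}

@dataclass
class User:
    name: str
    clearance: str            # assigned by the administrator, not chosen by the user

@dataclass
class Document:
    name: str
    owner: str
    label: str                # MAC security tag, set by policy
    acl: dict = field(default_factory=dict)   # DAC list: user name -> {"read", "write"}

    def grant(self, granted_by: str, user: str, rights: set) -> None:
        """DAC: only the document's author decides who is on the list."""
        if granted_by != self.owner:
            raise PermissionError(f"{granted_by} does not own {self.name}")
        self.acl[user] = set(rights)

def check_access(user: User, doc: Document, right: str):
    """Return (allowed, reason). MAC is evaluated first and DAC cannot override it."""
    if LEVELS[user.clearance] < LEVELS[doc.label]:
        return False, f"MAC: {user.clearance} clearance is below {doc.label} label"
    if user.name != doc.owner and right not in doc.acl.get(user.name, set()):
        return False, f"DAC: owner has not granted {right} to {user.name}"
    return True, "allowed by MAC and DAC"

def demo():
    """Constructed sample for a solicitors firm; all names are hypothetical."""
    clerk = User("clerk", "basic")
    manager = User("manager", "top secret")
    intake = Document("client-intake-form", owner="manager", label="basic")
    strategy = Document("case-strategy", owner="manager", label="secret")
    intake.grant("manager", "clerk", {"read"})
    strategy.grant("manager", "clerk", {"read"})   # author's grant exceeds the clerk's level
    return {
        "clerk reads intake": check_access(clerk, intake, "read"),
        "clerk writes intake": check_access(clerk, intake, "write"),
        "clerk reads strategy": check_access(clerk, strategy, "read"),
        "manager reads strategy": check_access(manager, strategy, "read"),
    }
```

Calling `demo()` shows the clerk refused on the secret document by the MAC rule even though the author listed them, and refused write access to the basic document by the DAC rule.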

Prioritising RAM

If the system allows, you can prioritise RAM for certain tasks; this would allow you to isolate privileged processes from non-privileged processes. This could allow you to only allow RAM for certain applications, and so no unauthorised applications, which could possibly be a virus, can be used effectively.

This would be an essential piece for a business which is using the internet and computers for most day-to-day operations. It could prevent potential problems, saving you time and money.

Cloud

The cloud is a useful tool to negate the costs of any maintenance and repairs to a small local server. Using the cloud from trusted sources like Google and Microsoft could save money as they look after your data for you, and as they are very big corporations, the software used to protect their data is immense. The business could also benefit from the extras that having the cloud server brings. Although, if the business internet is down for a period of time, results could be catastrophic as no data could be accessed.

Weighing up the pros and cons, if the company has trust in their ISP, then using a cloud based server could be the best way to go.

P6

The security plan put in place has improved the security of the business dramatically. From the side of physical security, an alarm system should have been put into place, as well as locks for the computers to stop them from being stolen.

When it comes to cyber-security, the updates installed stopped all known security flaws, and the use of an antivirus found and removed viruses when placed onto the computer (as part of a test); it also made using the web much safer.

The use of encryption software was excellent, but just as a precaution, if more sensitive data was to be transported, then a better piece of software would be used, to give military grade encryption.

The backups were good, as they provide a cheap, quick means of restoring data.

The access control methods have worked perfectly among the server. The DAC and MAC system works well to stop unwanted eyes looking into business documents.

Using a cloud based system, the data is now safe from any major disasters, such as earthquakes and tsunamis. This is because everything stored on the cloud is stored in several places around the globe. The level of protection from these services is immense, and does not need testing.