COMPUTER SECURITY Final Exam Assignment APRIL 15, 2013 GEORGIAN COLLEGE Barrie, ON, Canada

Organization Network Security


Page 1: Organization Network Security

Computer Security

Final Exam Assignment

APRIL 15, 2013

Sahil Umatia Final Exam Assignment ID # 200232449

Contents

INTRODUCTION

Securing Physical access
1. Lock Server Rooms
2. Set up surveillance
3. Use Rack Mount Server
4. Lock your Workstation
5. Protect your portables
6. Protect Printers
7. Shred unused documents

Securing Wireless Network
1. Enable Encryption
2. Set password for router
3. Change SSID
4. Enable MAC filtering
5. Do not disable SSID broadcast
6. Disable Remote Login

Securing Server and Systems
1. Installation and Deployment
2. Securing Operating System
3. Secure Install and Managing the Server

Creating Security Policy
1. Risk Identification
2. Security Policy Development
3. Compliance Monitoring and Evaluation

Conclusion

Georgian College. CNSS. 2012 – 2013


INTRODUCTION

Information security is one of the most difficult and sensitive areas discussed across organizations around the world, and one of the most complex and challenging tasks in running a business successfully on a global scale. Organizations increasingly rely on information technology to give their customers the best service and to provide value and satisfaction to their stakeholders. This can only be done if the organization's IT assets are secure, so security should be an important part of becoming a successful organization. Organizations must analyze their current security practices to identify threats and protect their customers and employees from those threats.

Organizations must keep their policy updated, analyze it, and make the necessary changes to the current security implementation to avoid violating strict standards. The organization must ensure that each and every employee knows the security policy and the assets it covers. Employees must be trained in and aware of the company's security procedures and how to protect themselves and the company's services and data. Every IT asset of an organization must be secured. IT assets include servers, networks, hardware, software, internet use and other important assets such as portable drives. Anything related to IT must be secured and should have specific standards, guidelines and policy for its use.

The following sections explain how to secure an organization's IT assets by creating a general risk assessment, implementing threat mitigation and establishing a code of ethics, in order to keep the organization's network, data, assets and employees protected.


Securing Physical access

Physical security is the foundation of any organization's security. It is the protection of hardware, data and networks from physical harm such as theft. Some organizations overlook physical security in favour of software and technical issues such as viruses, but physical security can be breached without any technical knowledge, and if that happens the organization can suffer a huge loss in terms of data, cost and customer value. By following the steps below, physical security breaches can be prevented to some extent.

1. Lock Server Rooms

The server room is the heart of an organization. If someone does mischief in the server room, such as tampering with the cables, and a cable somehow gets removed, the server will be down. Ensure that the server room has a lock; a digital lock or swipe-card lock will do the job. Put a sign on the server room door stating that the door must be locked whenever the room is unoccupied. Ensure that proper policies are set for the server room: who can enter the room, who holds the access keys, and the penalties for violating the policy.

2. Set up surveillance

Just locking the server room is not enough. Locks and doors can be broken easily; you just need to be a strong person. Set up a surveillance alarm system so that when someone tries to force their way into the server room, the alarm starts sounding. Set up a surveillance camera that records the server room continuously, so you have a better record of who entered the server room and when.


3. Use Rack Mount Server

Rack mount servers take up less server room space. They are small and light, and several servers can be stacked in one rack. The rack can then be locked and bolted down, making it impossible to move or steal.

4. Lock your Workstation

Make sure you lock your workstation before you leave. Your workstation may hold important files that can be misused or deleted, and because it is connected to the network, an attacker could send those files out over the internet.

5. Protect your portables

Your pen drive or portable hard drive may contain sensitive and important information about yourself or about the organization. Don't leave your portables in an open place; keep them in a safe place and lock it. Encrypt your hard drive with a password; BitLocker can do the job. A policy should be created to keep organization data within the organization and not allow it to be taken outside.

6. Protect Printers

Printers may be a security risk too, because some recent printers save a copy of each document in their on-board memory. If a hacker gets access to the printer, he might be able to retrieve recently printed important documents from it. So it is better to safeguard printers as is done for servers and workstations.


7. Shred unused documents

It is better to shred unused documents and papers, whether important or not, rather than just dumping them in the garbage. A policy should be created for shredding unused documents so that employees get into the habit.

Securing Wireless Network

Wireless LAN has brought incredible productivity inside and outside the organization. Many applications, such as back-office and front-office systems, rely heavily on wireless LAN, which allows the organization to give its employees wireless connectivity. But challenges occur and security threats increase when you offer such a benefit across a large organization.

Although many IT administrators are aware of securing the WLAN, WLAN security by itself is not enough to protect the organization. Whether the company has a hard-wired or Wi-Fi setup, threats can still occur. One of those is the rogue access point, where an attacker adds another access point behind the firewall. The attacker can then view or edit packets before they reach the organization. By following the steps below, you may be able to avoid these types of threats.

1. Enable Encryption

Use 128-bit encryption or higher. There are two different types of encryption, WEP and WPA. WEP is weak and can be cracked within a few minutes using software available online. WPA is stronger and uses TKIP encryption, while WPA2 uses AES, which is stronger than WPA.

2. Set password for router

Change the default password for the router. Use a long random password that cannot be easily guessed, including lowercase letters, capital letters, numbers and special characters. That makes the password difficult to crack. If you are using a weak password, it might be cracked within a day using pre-computed tables such as rainbow tables.

3. Change SSID

Change the default SSID name of your network. The SSID is the identifier that names your network so you can connect to it. Using the default SSID tells an attacker that the router was set up by a novice, and the attacker will try to brute force it. This is made worse if you are also using the default password.

4. Enable MAC filtering

A MAC address is the physical address of a device. Filtering MAC addresses allows only specific devices to access the network; you can block or permit particular MAC addresses.

5. Do not disable SSID broadcast

Disabling SSID broadcast hides your network name, which will not allow your organization's employees to connect to your network. On the other hand, disabling SSID broadcast protects against hackers who try to wardrive the network.

6. Disable Remote Login

Remote login can give anyone access to the router settings remotely. This is worse if an attacker tries to brute force router access while you are still using the default username and password. By default it is disabled on every router. Enable it only while you are updating your router remotely, and disable it after the update is done.


Securing Server and Systems

A server is a host that provides one or more services to other hosts for primary functions, for example a file-sharing server or a database server. The database service supports the web applications on the web server. There are many other servers in an organization, such as DNS servers, email servers and directory services.

Threats may arise if there are bugs in the operating system or the server is vulnerable to exploits and attacks because security patches are missing. Threats can come from a local employee in the organization or from a remote attacker. Organizations should conduct a risk assessment and determine how strong their current security practices are. Every server and system should be protected according to the potential impact of a loss of confidentiality, integrity and availability. The following basic steps should be taken to ensure the security of a server:

1. Installation and Deployment

Security should be considered before the installation and deployment of a server. This reduces the cost of security assessment compared with doing it after the server is deployed. A deployment and installation plan often aids in identifying vulnerabilities.

- The first step is to identify the purpose of the server. The server can be a web server, a database server or an email server. This will help you categorize the security requirements of the server.

- Identify any network service software that must be installed on the server as well as on the clients.

- Determine how the server will be managed and which users are permitted to access the server.

- Set up the necessary environmental controls to maintain humidity and temperature. Check for a backup power supply, because if the power goes down the whole server can go down.

2. Securing Operating System

There are many types of operating system that can be used as a server OS. The most popular are Windows Server and Linux (probably Ubuntu Server or Debian). There are many ways to secure an operating system. If you are using a Linux operating system, you can follow these steps to harden it:

- Keep port 3306 closed, because if the port is left open a hacker can try to exploit the server through it.

- Set appropriate file permissions.

- Disable SSHv1. This can be done by editing /etc/ssh/sshd_config and setting Protocol 2 by removing the hash sign.

- Disable SSH password authentication and allow access using public-key authentication.

- Enable shell resource limits to prevent users from consuming server resources, for example in a DoS attack.

- Create strong passwords using lowercase, uppercase, numbers and special characters.

- Change the root shell by editing the /etc/passwd file and changing the shell from /bin/bash to /sbin/nologin. This will prevent access to the root shell and logs.

- Remove unnecessary files, applications and network protocols.

- Install anti-virus/anti-spyware/anti-malware software to avoid viruses, rootkits, spyware and malware.

- Set up an intrusion prevention system or intrusion detection system to avoid remote/external attacks.
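As an added example (not part of the assignment), the following Python script checks an sshd_config file against the three SSH steps in the list above: Protocol 2 set, password authentication off, public-key authentication on. The sample configuration files inside it are constructed for illustration.

```python
"""Audit an OpenSSH sshd_config against the hardening steps listed above.

Added example, not part of the original assignment. The sample configs below
are constructed for illustration; the audit rules are the three SSH steps from
the list (Protocol 2, no password authentication, public-key authentication).
"""
import re

# sshd reads keyword/argument pairs, keywords case-insensitive, and '#' starts a
# comment, so a stock '#Protocol 2' line does nothing until the hash is removed.
DIRECTIVE_RE = re.compile(r"^\s*([A-Za-z0-9]+)\s*[=\s]\s*(.+?)\s*$")


def effective_settings(config_text):
    """Return the values sshd would apply from the global section of the file.

    For a repeated directive sshd keeps the first value it reads, so later
    duplicates are ignored here too. Settings inside a 'Match' block are
    conditional, so the scan stops at the first Match line.
    """
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).lower()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(config_text):
    """Return a list of findings; an empty list means all three checks pass."""
    s = effective_settings(config_text)
    findings = []
    protocol = s.get("protocol")
    if protocol is None:
        findings.append("Protocol is not set: uncomment 'Protocol 2' so SSHv1 cannot be offered")
    elif protocol != "2":
        findings.append(f"Protocol is '{protocol}': set 'Protocol 2' to disable SSHv1")
    # sshd's compiled-in default for PasswordAuthentication is 'yes', so an
    # absent directive is a finding as well.
    if s.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is not 'no': disable password logins")
    # The default for PubkeyAuthentication is 'yes'; flag only an explicit 'no'.
    if s.get("pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication is 'no': enable public-key logins")
    return findings


# Constructed sample resembling a stock file: Protocol still commented out and
# password logins still on. The final line is ignored by sshd because the
# earlier 'PasswordAuthentication yes' wins.
WEAK_CONFIG = """\
# sshd_config (constructed sample)
#Protocol 2
Port 22
PasswordAuthentication yes
#PubkeyAuthentication yes
PasswordAuthentication no
"""

HARDENED_CONFIG = """\
Protocol 2
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_sshd_config(text)
        print(f"{name}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for f in findings:
            print("  -", f)
```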

3. Secure Install and Managing the Server

- Install the server software on a dedicated host or on a virtual machine to test the software before installing it on the main server.

- Create a logical partition for server data and remove software that is not required, such as gopher or FTP, and install the server content on a separate drive.

- Configure the server to listen only on the TCP and UDP ports it needs.

- Set an upload limit on the server if your organization needs to upload files, and ensure that some software scans uploaded files before they are stored on the server.

- Configure the maximum number of connections; you do not want your server to suffer a DoS attack.

- Check the server logs regularly for any intrusion or suspicious activity.

- Protect the log files, so that if an attacker compromises the server, the attacker cannot get access to the log files to alter the data.

- Back up your server regularly, so that if the worst happens you can always restore your server.
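As an added example (not from the assignment), this Python script performs the log check described above on constructed auth.log lines: it counts failed SSH logins per source address, notes the usernames tried, and flags addresses where repeated failures were followed by a successful login. The hostnames and addresses are made up.

```python
"""Scan SSH authentication log lines for repeated failed logins: one concrete form
of the 'check the server logs regularly' step above.

Added example, not from the original assignment. The log lines are constructed
in the syslog format OpenSSH writes to /var/log/auth.log; the hostnames and
addresses are made up (documentation address ranges).
"""
import re
from collections import defaultdict

SYSLOG_PREFIX = r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
FAILED_RE = re.compile(
    SYSLOG_PREFIX + r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    SYSLOG_PREFIX + r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def summarize_ssh_auth(lines):
    """Per source address: number of failed logins, usernames tried, and whether a
    successful login from that address came after its failures."""
    stats = defaultdict(lambda: {"failed": 0, "users": set(), "accepted_after": False})
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            entry = stats[m["ip"]]
            entry["failed"] += 1
            entry["users"].add(m["user"])
            continue
        m = ACCEPTED_RE.match(line)
        # Only record successes from addresses that already failed; a clean
        # login from a new address is normal traffic, not something to flag.
        if m and m["ip"] in stats:
            stats[m["ip"]]["accepted_after"] = True
    return dict(stats)


def suspicious_sources(lines, threshold=5):
    """Addresses with at least `threshold` failures, or any failures followed by a
    success (password guessing that eventually worked). Sorted (ip, reason) pairs."""
    flagged = []
    for ip, e in summarize_ssh_auth(lines).items():
        if e["accepted_after"]:
            flagged.append((ip, f"{e['failed']} failed login(s) followed by a successful one"))
        elif e["failed"] >= threshold:
            flagged.append((ip, f"{e['failed']} failed logins across {len(e['users'])} usernames"))
    return sorted(flagged)


# Constructed sample log; not real traffic.
SAMPLE_LOG = [
    "Apr 15 09:12:01 srv01 sshd[2231]: Failed password for root from 203.0.113.45 port 51022 ssh2",
    "Apr 15 09:12:03 srv01 sshd[2231]: Failed password for root from 203.0.113.45 port 51022 ssh2",
    "Apr 15 09:12:04 srv01 sshd[2240]: Failed password for invalid user admin from 203.0.113.45 port 51030 ssh2",
    "Apr 15 09:12:06 srv01 sshd[2240]: Failed password for invalid user admin from 203.0.113.45 port 51030 ssh2",
    "Apr 15 09:12:09 srv01 sshd[2251]: Failed password for invalid user test from 203.0.113.45 port 51041 ssh2",
    "Apr 15 09:12:11 srv01 sshd[2251]: Failed password for invalid user test from 203.0.113.45 port 51041 ssh2",
    "Apr 15 09:30:44 srv01 sshd[2402]: Failed password for alice from 198.51.100.7 port 40112 ssh2",
    "Apr 15 09:30:50 srv01 sshd[2402]: Failed password for alice from 198.51.100.7 port 40112 ssh2",
    "Apr 15 09:30:58 srv01 sshd[2402]: Accepted password for alice from 198.51.100.7 port 40112 ssh2",
    "Apr 15 10:02:13 srv01 sshd[2610]: Failed password for bob from 192.0.2.10 port 33202 ssh2",
    "Apr 15 10:05:00 srv01 sshd[2655]: Accepted publickey for bob from 192.0.2.20 port 33310 ssh2",
]

if __name__ == "__main__":
    for ip, reason in suspicious_sources(SAMPLE_LOG):
        print(f"{ip}: {reason}")
```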

Creating Security Policy

A security policy is a document that lists guidelines for the protection of assets and ensures they are followed so that the organization's assets face minimal risk. It is a set of statements that defines how to safeguard the organization's information. The policy defines specific rules for computer access and for securing IT assets in the organization. A security policy is a combination of procedures, standards and guidelines.

A security policy balances trust against no trust, for instance by trusting some of the people some of the time. Control is the second element that needs to be balanced, because security needs and culture play a major role in deciding the level of control.

The security policy cycle consists of three phases for the development and maintenance of a security policy.

1. Risk Identification

The first phase is Risk Identification, which is a systematic evaluation of the exposure of assets to attackers. It identifies what needs to be protected, evaluates the threats, determines how strong the current protection is and decides what should be done about it. There are four steps in Risk Identification:

Asset Identification: Asset identification is identifying the positive economic value of an asset. Assets may include hardware, personnel, physical assets or software. This is one of the most critical steps in identification. You can determine an asset's relative value by finding how critical the asset is to the organization, how much it would cost the organization, and other important factors.

Threat Identification: Threats are not limited to attackers but also include acts of God: any threat that exists against an asset. Threats can be better understood by creating a threat model, which constructs scenarios of the types of threats an asset can face. A threat model is an attack tree that visualizes how an attack on an asset may occur.

Vulnerability appraisal: This takes a snapshot of the current security in the organization. Every asset is examined with respect to every threat. The result also depends on the background of the assessor.

Risk assessment: This determines the damage that would result from an attack. It requires a realistic assessment with respect to several attacks. The risk can be quantified using Single Loss Expectancy (SLE) and Annualized Loss Expectancy (ALE). Once this is calculated, the probability of a vulnerability needs to be calculated.
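As an added example (not from the assignment), this Python code carries the SLE and ALE calculation through on a constructed set of assets and uses it to rank risks and to judge whether a safeguard pays for itself. It assumes the standard textbook formulas, which the text names but does not spell out: SLE = asset value × exposure factor, ALE = SLE × annualized rate of occurrence.

```python
"""Quantitative risk assessment with Single Loss Expectancy (SLE) and Annualized
Loss Expectancy (ALE), as named in the Risk assessment step above.

Added example, not from the original assignment. It uses the standard textbook
definitions, which the assignment does not spell out:
    SLE = asset value x exposure factor
    ALE = SLE x annualized rate of occurrence (ARO)
and the usual cost/benefit test for a safeguard:
    value = ALE(before) - ALE(after) - annual cost of the safeguard.
All dollar figures and rates below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    asset_value: float      # value of the asset to the organization
    exposure_factor: float  # fraction of the asset lost in one incident (0.0-1.0)
    aro: float              # expected incidents per year

    def sle(self):
        """Loss from a single occurrence of the threat."""
        return self.asset_value * self.exposure_factor

    def ale(self):
        """Expected loss per year from this threat."""
        return self.sle() * self.aro


def safeguard_value(risk, annual_cost, aro_after=None, ef_after=None):
    """Annual net benefit of a safeguard that lowers the ARO, the exposure factor,
    or both. Positive means the safeguard saves more than it costs."""
    aro = risk.aro if aro_after is None else aro_after
    ef = risk.exposure_factor if ef_after is None else ef_after
    ale_after = risk.asset_value * ef * aro
    return risk.ale() - ale_after - annual_cost


def ranked_by_ale(risks):
    """Risks ordered from largest to smallest expected annual loss, which is the
    order in which the policy should address them."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


# Constructed register for a small organization; the three entries mirror the
# physical, portable-device and server sections of the assignment.
RISKS = [
    Risk("server room hardware", "theft", 40_000, 1.0, 0.10),
    Risk("laptop with customer data", "loss or theft", 50_000, 0.50, 0.50),
    Risk("web server", "unpatched exploit", 120_000, 0.25, 2.0),
]

if __name__ == "__main__":
    for r in ranked_by_ale(RISKS):
        print(f"{r.asset} / {r.threat}: SLE ${r.sle():,.0f}  ALE ${r.ale():,.0f}")
    # Door lock and camera: fewer thefts (ARO 0.10 -> 0.02) for $1,500 a year.
    print("lock + camera:", safeguard_value(RISKS[0], 1_500, aro_after=0.02))
    # Disk encryption: the laptop is still lost, but the data is not exposed,
    # so the exposure factor drops (0.50 -> 0.05) for $500 a year.
    print("encryption:", safeguard_value(RISKS[1], 500, ef_after=0.05))
    # Patch management: ARO 2.0 -> 0.2 for $8,000 a year.
    print("patching:", safeguard_value(RISKS[2], 8_000, aro_after=0.2))
```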

2. Security Policy Development

This is the second phase of the security policy cycle. In this phase a policy document is outlined which defines appropriate behaviour of users, the tools required, and the foundation for action in response to inappropriate behaviour. It can be developed by setting up a list of standards to be followed and guidelines to be implemented. Users must have positive attitudes and must willingly follow the rules. There are four elements that should be included in the development of a security policy.

Due Care: This element imposes an obligation on owners and operators to take reasonable care of the assets and take the necessary steps to protect them.

Separation of duties: In this element one person monitors another person's actions. No single person has complete control from initiation to completion. This requires separating administrative, development and user functions, with regular security checks.

Need to know: This element restricts who has access to information. Only those employees whose job function depends on that particular information have access. This is decided at the management level of the organization and not by any individual.

Policy creation: The policy should be concise and easy to understand, and should outline how violations will be handled. The policy should be implementable and enforceable. The team should first decide the scope, which states who is covered by the policy, and outline the goals, which state what the policy tries to achieve. Before deployment, give employees two weeks to review and comment on the policy.

3. Compliance Monitoring and Evaluation

This is the third phase of the security cycle, which makes it necessary to ensure that policies are consistently implemented and followed. This involves verifying that controls are being implemented. If new threats occur, changes should be made to the policy. There are two steps to follow in monitoring and evaluation.

Incident Response: This outlines the actions to be performed when a security breach occurs. Most incident response plans will at least include the composition of the IR team. There are 5 members in an IR team: senior management, IT personnel, corporate counsel, human resources and public relations. The IR team must quickly decide how to handle the incident, find the cause of the attack, investigate it and implement the recovery procedure.


Code of ethics: The code of ethics encourages members to strictly adhere to the rules within their function. It states the values and principles that each employee should follow and helps clarify ethical obligations and responsibilities.

One effective way to create a policy is to make it as clear, concise and easy to comply with as possible. An overly complicated policy encourages employees to bypass it. It is important that every organization has a security policy. In large organizations the policy can be divided into sub-policies to enforce the security policy. A top-level security policy is essential in any organization because sub-policies and rules are meaningless without it. Therefore every organization should go through all three phases of the security policy cycle to make the organization systematic and create methodologies to run it safely and securely.

Conclusion

Every organization must have a security plan, whether it is a company with 5 employees or 100. A security plan always helps identify vulnerabilities in an organization and helps analyze and prioritize them. Security always starts at the physical level and ends with managing the security policy. This will help the organization identify, adopt and improve security.
