Computer Security
Final Exam Assignment
APRIL 15, 2013
Sahil Umatia Final Exam Assignment ID # 200232449
Contents
INTRODUCTION
Securing Physical Access
  1. Lock Server Rooms
  2. Set up surveillance
  3. Use Rack Mount Server
  4. Lock your Workstation
  5. Protect your portables
  6. Protect Printers
  7. Shred unused documents
Securing Wireless Network
  1. Enable Encryption
  2. Set password for router
  3. Change SSID
  4. Enable MAC filtering
  5. Do not disable SSID broadcast
  6. Disable Remote Login
Securing Server and Systems
  1. Installation and Deployment
  2. Securing Operating System
  3. Secure Install and managing the server
Creating Security Policy
  1. Risk Identification
  2. Security Policy Development
  3. Compliance Monitoring and Evaluation
Conclusion
Georgian College. CNSS. 2012 – 2013
INTRODUCTION
Information security has become one of the most difficult and sensitive areas discussed across
organizations around the world. It is also one of the most complex and challenging tasks involved
in running a business successfully on a global scale. Organizations increasingly rely on
information technology to give their customers the best service and to provide value to their
stakeholders. This can only be done if the organization's IT assets are secure, so security should
be an important perspective for any organization that wants to succeed. Organizations must
analyze their current security practices to identify threats and protect their customers and
employees from them.
Organizations must keep their policy updated, analyze it, and make any necessary changes to the
current security implementation to avoid violating strict standards. The organization must ensure
that every employee knows the security policy and the assets it covers. Employees must be trained
and made aware of the company's security procedures and of how to protect themselves and the
company's services and data. Every IT asset of an organization must be secured. IT assets include
servers, the network, hardware, software, internet use and other important assets such as portable
drives. Anything related to IT must be secured and should have specific standards, guidelines and
policy for its use.
The following sections explain how to secure an organization's IT assets by creating a general
risk assessment, implementing threat mitigation and establishing a code of ethics, so that the
organization's network, data, assets and employees stay protected.
Securing Physical Access
Physical security is the foundation of any organization's security. It is the protection of
hardware, data and the network from physical harm such as theft. Some organizations overlook
physical security and concentrate on software and technical issues such as viruses. But physical
security can be breached without any technical knowledge, and when that happens the organization
can suffer a huge loss in terms of data, cost and customer value. Following the steps below can
stop physical security breaches to some extent.
1. Lock Server Rooms
The server room is the heart of an organization. If someone does any mischief in the server
room, such as touching the cables, and a cable somehow gets pulled out, the server will go down.
Ensure that the server room has a lock; a digital lock or swipe lock will do the job. Put a sign
on the server room door stating that the door must be locked whenever the room is unoccupied.
Ensure that proper policies are set for the server room: who may enter it, who holds its access
keys, and the penalties for violating the policy.
2. Set up surveillance
Just locking the server room is not enough. Locks and doors can be broken easily; you only
need to be a strong person. Set up a surveillance alarm system so that when someone tries to
force their way into the server room, the alarm sounds. Also set up a surveillance camera that
records the server room continuously, so you have a reliable history of who entered the server
room and when.
3. Use Rack Mount Server
Rack mount servers take up less server room space. They are small and light, and several
servers can be stacked and loaded into one rack. The rack can then be locked and bolted down,
making it impossible to move or steal.
4. Lock your Workstation
Make sure you lock your workstation before you leave it. Your workstation may contain
important files that can be misused or deleted. It may also be connected to the network, and an
attacker could send important files out over the internet.
5. Protect your portables
Your pen drive or portable hard drive may contain sensitive and important information about
yourself or about the organization. Don't leave your portables in an open place; instead keep
them in a safe place and lock it. Encrypt the drive and protect it with a password; BitLocker can
do the job. A policy should be created to keep the organization's data inside the organization
and not let it be taken outside.
6. Protect Printers
Printers can be a security risk too, because some recent printers save a copy of each
document on their on-board memory. So if a hacker gets access to the printer, he might be able
to retrieve recently printed important documents from it. It is therefore better to safeguard
printers in the same way as servers and workstations.
7. Shred unused documents
It is better to shred unused documents or papers, whether they are important or not, rather than
just dumping them in the garbage. A policy should be created for shredding unused documents so
that employees make a habit of it.
Securing Wireless Network
Wireless LAN has brought incredible productivity inside and outside the organization. Many
applications, such as back office and front office systems, rely heavily on the wireless LAN, and
it allows the organization to give its employees the benefit of wireless connectivity. But
challenges occur and security threats increase when you offer such a benefit across a large
organization.
Although many IT administrators are aware of how to secure a WLAN, WLAN security by itself is not
enough to protect the organization. Whether the company has a hardwired or a Wi-Fi setup, threats
can still occur. One of those is a rogue access point, where an attacker adds another access
point behind the firewall. The attacker can then view or edit packets before they reach the
organization. By following the steps below, you may be able to avoid these types of threats.
1. Enable Encryption
Use 128-bit encryption or higher. There are two different types of encryption, WEP and WPA.
WEP is weak and can be cracked easily within a few minutes with software available online.
WPA is stronger and uses TKIP encryption, while WPA2 uses AES, which is stronger than WPA.
2. Set password for router
Change the default password for the router. Use a long random password that cannot be easily
guessed, including lowercase letters, capital letters, numbers and special characters. That makes
the password difficult to crack. If you use a weak password, it might be cracked within a day
using pre-computed tables such as rainbow tables.
3. Change SSID
Change the default SSID name of your network. The SSID is the identifier that names your network
so that you can connect to it. Using the default SSID name signals that the router was set up by
a novice, and an attacker will then try to brute force it. This is even worse if you are also
using a default password.
4. Enable MAC filtering
A MAC address is the physical address of a device. Filtering by MAC address allows only
specific devices to access the network: you can deny or permit particular MAC addresses.
5. Do not disable SSID broadcast
Disabling SSID broadcast will not allow your organization's employees to connect to your network.
Disabling it hides your network name; on the other hand, a hidden SSID is safer from hackers
who try to wardrive the network.
6. Disable Remote Login
Remote login can give anyone access to the router settings remotely. This is worst when an
attacker tries to brute force router access and you are still using the default username and
password. By default it is disabled on every router. Enable it only while you are updating your
router remotely, and disable it again once the update is done.
Securing Server and Systems
A server is a host that provides one or more services to other hosts for primary functions, for
example a file sharing server or a database server. The database service supports the web
applications on the web server. There are many other servers in an organization, such as DNS
servers, email servers and directory services.
Threats may occur if there are bugs in the operating system, or if the server is vulnerable to
exploits and attacks due to a lack of security patches. Threats can come from a local employee in
the organization or from a remote attacker. Organizations should conduct a risk assessment and
determine how strong their current security practices are. Every server and system should be
protected according to the potential impact of a loss of confidentiality, integrity and
availability. The following basic steps should be taken to ensure the security of a server:
1. Installation and Deployment
Security should be considered before the installation and deployment of a server. This reduces
the cost of security assessment compared with doing it after the server is deployed. A deployment
and installation plan often aids in identifying vulnerabilities.
- The first step is to identify the purpose of the server. The server can be a web server,
database server or email server. This helps you categorize the security requirements of the
server.
- Identify any network service software that must be installed on the server as well as on the
client.
- Determine how the server will be managed and which users are permitted to access the server.
- Set up the necessary environmental controls to maintain humidity and temperature. Check for a
backup power supply, because if the power goes down the whole server can go down.
2. Securing Operating System
There are many types of operating system that can be used as a server OS. The most popular are
Windows Server and Linux (probably Ubuntu Server or Debian). There are many ways to secure an
operating system. If you are using a Linux operating system, you can follow these steps to harden
it:
- Keep port 3306 closed, because if the port is left open a hacker can try to exploit the server
through it.
- Add appropriate file permissions.
- Disable SSHv1. This can be done by editing /etc/ssh/sshd_config and setting Protocol 2 by
removing the hash sign from that line.
- Disable SSH password authentication and allow access using public key authentication.
- Enable shell resource limits to prevent users from consuming server resources, for example in a
DoS attack.
- Create strong passwords by making use of lowercase, uppercase, numbers and special characters.
- Change the root shell by editing the /etc/passwd file and changing the shell from /bin/bash to
/sbin/nologin. This prevents access to the root shell and logs.
- Remove unnecessary files, applications and network protocols.
- Install anti-virus/anti-spyware/anti-malware software to avoid viruses, rootkits, spyware and
malware.
- Set up an intrusion prevention system or intrusion detection system to avoid remote/external
attacks.
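The sshd_config and /etc/passwd steps above can be checked mechanically rather than by eye. The Python script below is an added example written for this page, not code from the assignment: it parses a constructed sshd_config and a constructed /etc/passwd (the sample contents and the table of required values are assumptions) and reports which of the steps are not met. On current OpenSSH releases the Protocol directive is no longer needed because SSHv1 support was removed, but the check is kept because the step calls for it.

```python
"""Hardening audit for the Linux steps above (added example; not the paper's code).

Checks a constructed sshd_config and /etc/passwd against three of the steps:
SSHv1 disabled (Protocol 2), password authentication off with public-key
authentication on, and the root shell set to /sbin/nologin.
"""
from typing import Dict, List, Tuple

# Constructed sample standing in for /etc/ssh/sshd_config. Note that the
# Protocol line is still commented out, as in the step's "before" state.
SAMPLE_SSHD_CONFIG = """\
# Port 22
#Protocol 2
PasswordAuthentication yes
PubkeyAuthentication yes
PermitRootLogin no
"""

# Constructed sample standing in for /etc/passwd (root still has /bin/bash).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

# Keyword -> value the steps call for (assumed table, lowercased keywords).
REQUIRED_SSHD = {
    "protocol": "2",
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return active (non-commented) keyword/value pairs, keywords lowercased.

    sshd honours the first occurrence of a keyword, so later duplicates are
    ignored here too. Match blocks are not modelled (a simplification). A
    commented-out line such as "#Protocol 2" is not active, which is exactly
    why the step says to remove the hash sign.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)  # "Keyword value" or "Keyword=value"
        if len(parts) == 1 and "=" in parts[0]:
            parts = parts[0].split("=", 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        settings.setdefault(key, value)
    return settings


def audit_sshd(text: str) -> List[Tuple[str, str, str]]:
    """Return (keyword, expected, actual) for every required setting not met.

    An absent keyword is reported as "<unset>" rather than assuming sshd's
    compiled-in default, so the finding is "the line is missing".
    """
    active = parse_sshd_config(text)
    findings = []
    for key, expected in REQUIRED_SSHD.items():
        actual = active.get(key, "<unset>")
        if actual.lower() != expected:
            findings.append((key, expected, actual))
    return findings


def root_shell(passwd_text: str) -> str:
    """Return the login shell of the root account (field 7 of /etc/passwd)."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[0] == "root":
            return fields[6]
    raise ValueError("no root entry in passwd data")


def audit_root_shell(passwd_text: str, wanted: str = "/sbin/nologin") -> bool:
    """True when root's shell is the non-interactive shell the step asks for."""
    return root_shell(passwd_text) == wanted


if __name__ == "__main__":
    for key, expected, actual in audit_sshd(SAMPLE_SSHD_CONFIG):
        print(f"sshd_config: {key} should be {expected}, found {actual}")
    if not audit_root_shell(SAMPLE_PASSWD):
        print(f"/etc/passwd: root shell is {root_shell(SAMPLE_PASSWD)}, expected /sbin/nologin")
```

Run as-is to audit the constructed samples; to audit a host, pass the text of its /etc/ssh/sshd_config and /etc/passwd to the same functions. The parser deliberately treats a commented-out line as unset, so the "#Protocol 2" line in the sample is reported as missing until the hash sign is removed.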
3. Secure Install and managing the server
- Install the server software on a dedicated host or on a virtual machine to test the software
before installing it on the main server.
- Create a logical partition for server data and remove software that is not required, such as
gopher or FTP. Install server content on a separate drive.
- Configure the server to listen only on the necessary TCP and UDP ports.
- Set an upload limit on the server if your organization needs to upload files, and ensure that
some software scans each uploaded file before it is stored on the server.
- Configure the maximum number of connections; you don't want your server to suffer a DoS
attack.
- Check the server logs regularly for any intrusion or suspicious activity.
- Protect the log files, so that if an attacker attacks the server, the attacker cannot get
access to the log files to alter the data.
- Back up your server regularly, so that if the worst happens you can always restore it.
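For the "check the server logs regularly" step, a first automated pass over sshd authentication lines is shown below. This is an added example, not part of the assignment: the log lines are constructed in syslog format using documentation addresses, the regular expression is written for the common sshd message wording, and the threshold of three failures is an assumed value.

```python
"""Log review for the "check the server logs regularly" step (added example;
not the paper's code). Parses constructed sshd lines in syslog format and
flags sources with repeated failed logins, plus any success that follows them.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample of /var/log/auth.log lines (not real traffic).
SAMPLE_AUTH_LOG = """\
Apr 15 09:01:02 srv1 sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 40112 ssh2
Apr 15 09:01:05 srv1 sshd[2103]: Failed password for root from 198.51.100.7 port 40114 ssh2
Apr 15 09:01:09 srv1 sshd[2105]: Failed password for root from 198.51.100.7 port 40118 ssh2
Apr 15 09:01:14 srv1 sshd[2107]: Failed password for root from 198.51.100.7 port 40121 ssh2
Apr 15 09:01:20 srv1 sshd[2109]: Accepted publickey for alice from 203.0.113.5 port 51022 ssh2
Apr 15 09:02:31 srv1 sshd[2111]: Failed password for bob from 203.0.113.9 port 51800 ssh2
Apr 15 09:02:40 srv1 sshd[2113]: Accepted password for bob from 203.0.113.9 port 51804 ssh2
Apr 15 09:03:00 srv1 sshd[2115]: Accepted password for root from 198.51.100.7 port 40130 ssh2
"""

# Matches "Failed password for [invalid user] NAME from ADDR port N" and the
# "Accepted METHOD for NAME from ADDR port N" form; other lines are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_sshd_lines(text: str) -> List[dict]:
    """Return one dict per recognised sshd auth line; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def failed_counts(events: List[dict]) -> Dict[str, int]:
    """Failed logins per source address."""
    counts: Dict[str, int] = defaultdict(int)
    for e in events:
        if e["result"] == "Failed":
            counts[e["src"]] += 1
    return dict(counts)


def suspicious_sources(events: List[dict], threshold: int = 3) -> List[str]:
    """Sources with at least `threshold` failures (threshold is an assumed value)."""
    return sorted(src for src, n in failed_counts(events).items() if n >= threshold)


def successes_after_failures(events: List[dict], threshold: int = 3) -> List[dict]:
    """Accepted logins from a source that had already reached `threshold` failures.

    A success right after a burst of failures from the same source is the line
    an analyst wants to see first, since it may mean a password was guessed.
    """
    seen_failures: Dict[str, int] = defaultdict(int)
    hits = []
    for e in events:  # events are in log order, so counts are "so far"
        if e["result"] == "Failed":
            seen_failures[e["src"]] += 1
        elif seen_failures[e["src"]] >= threshold:
            hits.append(e)
    return hits


if __name__ == "__main__":
    evts = parse_sshd_lines(SAMPLE_AUTH_LOG)
    print("failures per source:", failed_counts(evts))
    print("sources over threshold:", suspicious_sources(evts))
    for h in successes_after_failures(evts):
        print(f"REVIEW: {h['ts']} {h['user']} accepted from {h['src']} after repeated failures")
```

On the sample, one source reaches the threshold and the later "Accepted password for root" from the same address is the line flagged for review. Bob's single failure followed by a success is left alone, which is the usual typo pattern; the threshold controls that trade-off.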
Creating Security Policy
A security policy is a document that lists the guidelines for the protection of the assets and
ensures that they are followed so that the organization's assets face minimal risk. It is a set
of statements that define how to safeguard an organization's information. The policy defines
specific rules for computer access and for securing the IT assets of an organization. A security
policy is a combination of procedures, standards and guidelines.
A security policy provides an appropriate amount of trust by balancing it against no trust, for
instance by trusting some of the people some of the time. Control is the second element that
needs to be balanced, because security needs and culture play a major role in deciding the level
of control.
The security policy cycle consists of three phases for the development and maintenance of a
security policy.
1. Risk Identification
The first phase is Risk Identification, which is a systematic evaluation of the exposure of
assets to attackers. It identifies what needs to be protected, evaluates the threats, assesses
how strong the current protection is, and decides what should be done about it. There are four
steps in Risk Identification:
Asset Identification: Asset identification is identifying the positive economic value of an
asset. The types of assets may include hardware, personnel, physical assets or software. This is
one of the most critical steps in identification. You can determine an asset's relative value by
finding how critical the asset is to the organization, how much it would cost the organization,
and other important factors.
Threat Identification: A threat is not limited to an attacker but also includes acts of God: any
threat that exists against an asset. It can be better understood by creating a threat model,
which constructs scenarios of the types of threat that an asset can face. A threat model is an
attack tree which visualizes how an attack on an asset may occur.
Vulnerability appraisal: This takes a snapshot of the current security in the organization.
Every asset is examined with respect to every threat. The result also depends on the background
of the assessor.
Risk assessment: This determines the damage that would result from an attack. It requires a
realistic assessment with respect to several attacks. The risk can be determined using Single
Loss Expectancy and Annualized Loss Expectancy. Once this is calculated, the probability of a
vulnerability needs to be calculated.
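The Single Loss Expectancy and Annualized Loss Expectancy named in the risk assessment step are conventionally computed as SLE = AV × EF and ALE = SLE × ARO, where AV is the asset value, EF the fraction of that value lost in one incident and ARO the expected incidents per year; the assignment names the measures but does not spell out the formulas, so those are the standard definitions rather than the paper's own. The Python below is an added example, not the assignment's work: the asset figures are constructed, and control_is_worthwhile is an added helper showing how the ALE reduction bought by a control is weighed against the control's yearly cost.

```python
"""Risk assessment arithmetic for the step above (added example; not the paper's
code). Uses the standard definitions
    SLE = asset value (AV) x exposure factor (EF)
    ALE = SLE x annualized rate of occurrence (ARO)
and ranks constructed assets so the largest expected annual loss comes first.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class RiskItem:
    asset: str
    threat: str
    asset_value: float      # AV, in currency units
    exposure_factor: float  # EF, fraction of AV lost in one incident (0..1)
    aro: float              # expected incidents per year

    def __post_init__(self) -> None:
        # Reject inputs that would make the expectancy figures meaningless.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset value and ARO cannot be negative")

    def sle(self) -> float:
        """Single Loss Expectancy: loss from one occurrence."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: expected loss per year."""
        return self.sle() * self.aro


def rank_by_ale(items: List[RiskItem]) -> List[RiskItem]:
    """Highest expected annual loss first; this is the order to treat risks in."""
    return sorted(items, key=lambda r: r.ale(), reverse=True)


def control_is_worthwhile(item: RiskItem, annual_control_cost: float,
                          aro_after: float) -> bool:
    """True when a control's yearly cost is below the ALE reduction it buys.

    aro_after is the assumed rate of occurrence once the control is in place
    (added helper; the comparison is the usual cost/benefit rule, not the
    paper's wording).
    """
    reduced = RiskItem(item.asset, item.threat, item.asset_value,
                       item.exposure_factor, aro_after)
    return (item.ale() - reduced.ale()) > annual_control_cost


# Constructed figures for illustration only.
SAMPLE_RISKS = [
    RiskItem("file server", "disk failure", 50_000, 0.4, 0.5),
    RiskItem("laptop", "theft", 2_000, 1.0, 3.0),
    RiskItem("server room", "fire", 200_000, 0.9, 0.05),
]

if __name__ == "__main__":
    for r in rank_by_ale(SAMPLE_RISKS):
        print(f"{r.asset:12} {r.threat:13} SLE={r.sle():>9,.0f} ALE={r.ale():>9,.0f}")
```

The ranking shows why ALE rather than SLE drives priority: the server room fire has by far the largest single loss, but at one incident in twenty years its expected annual loss falls below the file server's. The step's remaining task, estimating the probability that a vulnerability is actually exploited, is what sets the ARO figure in the first place.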
2. Security Policy Development
This is the second phase of the security policy cycle. In this phase a policy document is
outlined which defines the appropriate behaviour of users, the tools required, and the foundation
for action in response to inappropriate behaviour. It is developed by setting up a list of
standards to be followed and guidelines to be implemented. Users must have a positive attitude
and willingly follow the rules. There are four elements that should be included in the
development of a security policy.
Due Care: This element imposes an obligation on owners and operators to practice reasonable
care of the assets and take the necessary steps to protect them.
Separation of duties: In this element one person monitors another person's actions. No one
person has complete control from initialization to completion. This requires separating
administrative, development and user functions for regular security checks.
Need to know: This element restricts who has access to information. Only those employees whose
job function depends on that particular information have access. This is decided at the
management level of the organization and not by any individual.
Policy creation: The policy should be concise and easy to understand, and should outline how
violations will be handled. The policy should be implementable and enforceable. The team should
first decide the scope, which states who is covered by the policy, and outline the goals, which
state what the policy tries to achieve. Before deployment, give employees two weeks to review
and comment on the policy.
3. Compliance Monitoring and Evaluation
This is the third phase of the security policy cycle, and it ensures that policies are
consistently implemented and followed. This involves verifying that controls are being
implemented. If new threats occur, changes should be made to the policy. There are two steps to
follow in monitoring and evaluation.
Incident Response: This outlines the actions to be performed when a security breach occurs.
Most of it will cover the composition of the IR team. There are 5 members in an IR team: senior
management, IT personnel, corporate counsel, human resources and public relations. The IR team
must quickly decide how to handle the incident, find the cause of the attack, inspect the attack
and implement the recovery procedure.
Code of ethics: The code of ethics encourages members to strictly adhere to the rules within
their function. It states the values and principles that each employee should follow, and helps
clarify ethical obligations and responsibilities.
One effective way to create a policy is to make it as clear, concise and easy to comply with as
possible. An overly complicated policy encourages employees to bypass it. It is important that
every organization has a security policy. In large organizations, policies can be divided into
sub-policies to enforce the security policy. A top-level security policy is therefore essential
in any organization, because sub-policies and rules are meaningless without it. So every
organization should go through all three phases of the security policy cycle to make the
organization systematic and to create the methodologies for running it safely and securely.
Conclusion
Every organization must have a security plan, whether it is a company with 5 employees or 100
employees. A security plan always helps to identify vulnerabilities in an organization and helps
them to analyze and prioritize those vulnerabilities. Security always starts at the physical
level and ends at managing the security policy. This will help the organization in identifying,
adopting and improving its security.