431 Computer Security - Network Assessment Answer

Answer

Introduction

Businesses cannot pass by the benefits of modern innovations such as smartphones, laptops and cloud computing to their operations. Firms are enjoying a growth in mobility, return on investment and productivity at minimal expenses by using emerging technologies to store and manage their data. However, Security concerns are growing over the use of technologies in handling the data of companies. Company data is exposed to cyber-attacks, leaks or even loss in important data. As organizations embrace the modern technologies in their activities, they need to be aware of the risks they are exposed to when using the resources. Identifying the risks will help the management in developing security measures to mitigate the risks. The vulnerabilities if not checked may lead to losses or damage the reputation of the organization. A proper security measure needs to be arrived at by developing a strategy that guides cyber security experts in creating and installing the security measures. This will ensure all issues within the network are addressed (Pfaff et al, 2015).

JL Company looks to install mitigation measures to address its poorly secured network layout. The company has recently started selling online, and communicates with its clients through online services. The management at the firm also plans to add the number of staff in the firm creating a concern as to how users of the company’s network resources will interact and handle the firm’s data. The following is a report highlighting the solution that the company could consider to address their problems. After going through articles covering other industries facing similar challenges, I was able to find out a number of mitigation measures that can be incorporated within the network infrastructure to minimize cyber-attacks including; adding encryption steps to control gain of access to network resources, monitoring activities of users under a firm’s network and installing authentication procedures.

Network Security Design

When developing a network security design, a step by step approach is used (Oppenheimer, 2010). The structured steps assist in covering the major concerns that form part of the security design. Security measures that have been created in an unstructured manner will fail in securing assets and may not meet the objectives of securing all the firm’s network resources and data. The process of designing a security solution can be broken into steps that will effectively guide one to execute a proper and successful security measure. The steps include; Identifying the network assets, analyzing the security risks, looking at the security requirements and tradeoffs, developing a security plan, coming up with a security policy and developing an implementation strategy.

When identifying network assets, the risks that expose the assets to sabotage or illegal gain of access are established. The consequences that are brought by the risks are also identified. Network assets include the operating systems running on the firm’s network devices, data and applications. It also includes the devices connected under the network like smartphones and personal computers plus the network data that is transferred among network users. JL Company has five employees all who access the firm’s network resources while working in the firm’s premises. Devices under the company’s network run on the latest windows operating system that is regularly upgraded. The organization’s laptops are however not installed with any security software, creating a loophole for malicious applications and websites to send spam messages to devices under the network through the internet. The company also relies on an old server to hold its data which malfunctions in the event of a power surge, limiting users to access the network resources in the event of this power surges leading to a drag in operations. The company’s confidential data is also stored without using cryptographic techniques, this exposes the data to access by unauthorized personnel.

Analyzing Security Risks

The security risks are established next, this is done by conducting an analysis on any threats from unauthorized persons who take advantage of the unskilled personnel using the company’s network. The intruders can alter the data or create denial of service to the network resources for staff members or steal company data. JL Company is especially exposed to this kind of attack since all their staff members are not skilled in securing their network resources and data. Most are experiencing spam messages daily and the company has even been exposed to a ransom ware attack before. This are examples of attacks from intruders when they penetrate a network. The employees can gain access to each other’s email accounts and personal computers which is also intruding into the privacy of staff members. The company also does not encrypt the data stored and transferred within their network. This creates a threat for intruders to gain access to the data. Proper security measures should be put in place to check this vulnerabilities.

The step that follows next, is analyzing the security requirements and tradeoffs. The mitigation measures that will be put in place should have specific objectives and the cost of protecting the company’s data and network should be less than the expense of recovering the data if a threat occurs. The security measures should protect assets including; data confidentiality, restricting access only to permitted users, data integrity ,allowing only authorized users to modify data, plus data and system availability to ensure users have uninterrupted access to network components. JL Company’s network and data requires a security measure that will reduce the exposure of its data to third parties and control how the information is transferred within the company’s network. Also, the privacy of user’s while accessing the internet should be addressed to reduce malware attacks and spam messages.

A security plan is created next. This is a documentation that contains high-level detail of the company’s strategy in meeting the security requirements. The document contains the people, resources and tools needed to meet the implementation of the security requirements. Based on the company’s network assets and threats, cyber security experts develop a plan that will be relevant to the organization even in future. JL Company needs to create a plan that will include the network services that they will use such as email and wireless technologies and the network topology of the users connected within their network framework. Management needs to include the special administrators that will be added to the team to ensure the security of the network is established. They should also include the ways in which managers and all users will be involved to ensure data and network resources are secure. A successful security plan for the company will need to be supported by all staff members.

Developing a Security Policy

A formal statement containing the rules that users of the company’s network resources and company data must follow is known as a security policy (Cisco Systems, 2018). The policy directs managers, users plus the network administrators on the way they should conduct themselves when accessing and using company resources in the work premises. JL Company runs without a security policy. The employees at the company are not aware of the best ways to utilize resources and conform to ideal cyber security behaviors. For example, an employee recently inserted a flash drive they had picked from the car park into one of the company’s machines. This led to a virus attack that created a malfunction in the operating system of the affected device. If security policies that limit users from using removable gadgets within the company’s network had been put in place, the incident would not have happened. Security policies have several items including; an access policy highlighting the access privileges and rights for the network users, an accountability policy defining the responsibilities of the network users. The policy needs to include the accountability of damage in the event of a risk occurring through users’ negligence. The policy should also state how incidents are handled in the event of an attack, the personnel to contact and the actions to be taken. An authentication policy should also be included that defines guidelines for authenticating access to network resources within the premises or remotely (Watson, Woodruff, Neumann, Moore, Anderson, Chisnall & Murdoch, 2015)

Implementation Strategy to address the security Issues

The following are typical ingredients that can be included to boost the security of the network design for JL Company. The first step is to physically secure their network infrastructure and physical devices. This involves restricting access to primary network resources by ensuring they are kept in a locked room away from natural or human made disasters (Openheimer, 2010). The server, routers, switches and other devices connected within the firm’s network need to be installed in a safe environment avoiding misuse by unskilled staff members or unauthorized access by third parties who might alter the running configurations leading to problems. Authentication procedures should also be added to control gain of access to the network resources. The authenticating processes enables administrators to identify the person requesting network services. Users under the company’s network should all have a login ID and password that are authenticated by a security server (White. Fisch, & Pooch, 2017).To improve security, the one-time password systems can be implemented which requires users to change their passwords from time to time. This would be especially beneficial in securing JL company’s data seen as the administrator password has never been changed since its installation. Authorization measures should also be incorporated to regulate the actions of the authorized users in accessing the company’s network resources. This allows the company’s management to grant privileges to users and processes within their network system. When implementing authorization as a security measure, the network should be designed such that users have only the required minimum rights to access resources that will enable them to carry out their tasks. For JL Company, this would reduce the illegal access of personal emails and data among staff members, improving privacy and confidentiality of data (Perlman, Kaufman & Speciner, 2016).Users of the network also need to be trained through programs that warn them on the risks of carelessly using network resources, devices and applications, plus the risks of poor password practices (Shan & Liao, 2016)). Most of the security breaches that occur within JL Company are as a result of human errors (Xie, Hu, Fang,Li, & Liu, 2016). The company’s staff members are even reluctant to change their behaviors to improve cyber security, this is because most are ignorant of the risks brought by insecure network systems. Training them would be beneficial to both the company and the staff members.  Another option is acquiring cloud computing services from vendors selling this service. This provides a platform for the company to back-up their data and would not loss important data in the event of a damage to their primary server (Layton, 2016).

Costs incurred from implementing the security measures

The company will have to spend a substantial amount of capital in laying down a proper security measure to meet the risks it faces (Steinberg, 2011). New infrastructure such as servers, routers and latest software and antiviruses will need to be purchased and installed within the organization’s network layout. Some of these infrastructure are costly and may even require the management of JL Company to spend more in hiring experts to install, configure and maintain them. Acquiring cloud services from external vendors to back- up their data will also mean the management has to incur extra expenses in maintaining the service (Sandberg, Amin & Johansson, 2015).

Comparison of Alternatives

JL Company might choose to install a security measure that is already in existence by borrowing from another organization. Most firm’s handling a big amount of data have already implemented mitigation measures that secure their information and network resources. It would be easier for the management at JL Company to simply incorporate similar security measures to this firms as their solutions are already running reducing the risks of errors and failure. However, security measures are different and an approach implemented by one firm may not suit another company. JL Company will need to review their operations to come up with their own alternative that best works for them (Yang, Wang, Geraci, Elkashlan, Yuan & Renzo, 2015).

Summary

The management at JL Company is facing a crisis in managing its network resources. Risks of data loss, intrusion into the company’s network by third parties and unregulated access of network resources and data, expose the company’s assets to attacks. The firm needs to create a strong security measure to cover its network infrastructure. Developing a step by step approach in designing a security measure will surely assist the company to come up with the best alternative that covers majority of the risks (Pathan, 2016).

References

Cisco Systems. (2018). Five Steps to Securing Your Wireless LAN. Retrieved from Cisco Systems: https://www.cisco.com/c/dam/global/sv_se/assets/pdfs/smb/cdccont_0900aecd804909a5.pdf

Layton, T. P. (2016). Information Security: Design, implementation, measurement, and compliance. Auerbach Publications.

Openheimer, P. (2010, October 4). Security Mechanisms. Retrieved from Cisco: https://www.ciscopress.com/articles/article.asp?p=1626588&seqNum=2

Oppenheimer, P. (2010). Network Security Design. Retrieved from Cisco: https://www.ciscopress.com/articles/article.asp?p=1626588

Pathan, A. S. K. (Ed.). (2016). Security of self-organizing networks: MANET, WSN, WMN, VANET. CRC press.

Perlman, R., Kaufman, C., & Speciner, M. (2016). Network security: private communication in a public world. Pearson Education India.

Sandberg, H., Amin, S., & Johansson, K. H. (2015). Cyberphysical security in networked control systems: An introduction to the issue. IEEE Control Systems, 35(1), 20-23.

Shan, Z., & Liao, B. (2016). Design and Implementation of A Network Security Management System. arXiv preprint arXiv:1609.00099.

Steinberg, S. (2011, July 7). 10 Ways to Keep IT Systems Secure. Retrieved from Entrepreneur: https://www.entrepreneur.com/article/219954.

Watson, R. N., Woodruff, J., Neumann, P. G., Moore, S. W., Anderson, J., Chisnall, D., ... & Murdoch, S. J. (2015, May). Cheri: A hybrid capability-system architecture for scalable software compartmentalization. In 2015 IEEE Symposium on Security and Privacy (pp. 20-37). IEEE.

White, G. B., Fisch, E. A., & Pooch, U. W. (2017). Computer system and network security. CRC press.

Xie, J., Hu, K., Fang, P., Li, G., & Liu, B. (2016, December). Design and implementation of the platform for collection and analysis of the Inpatient Medical Record Home Page of Traditional Chinese Medicine. In Bioinformatics and Biomedicine (BIBM), 2016 IEEE International Conference on(pp. 1399-1402). IEEE.

Yang, N., Wang, L., Geraci, G., Elkashlan, M., Yuan, J., & Di Renzo, M. (2015). Safeguarding 5G wireless communication networks using physical layer security. IEEE Communications Magazine, 53(4), 20-27.