Design System and Security Control - Essay Example

Introduction

After the development of the project plan for the installation, upgrade and maintenance of the network that is to support the ACA Technology TM Inventory and Control (ACAIC) system, the next step is designing the system security and controls for that network. The security model described below aims to ensure that security professionals are able to develop a strategy for protecting the availability, integrity and confidentiality of the data in an organization’s IT system. The data in an IT system is often at risk from a number of sources. These include user errors, malicious and non-malicious attacks, accidents, and external attacks from hackers who try to gain access to the system and disrupt its operations, rendering it useless or causing data alteration or even data loss.

There are a number of system security and control requirements for the implementation of the ACA Technology. The system will need protection in terms of the following aspects of data. The system should ensure confidentiality. This implies that the system holds information that requires protection from any unauthorized disclosure. This includes personal information as well as business proprietary information.

Authentication

Authentication is another important aspect of any given system. It is defined as the act of establishing the identity of a given user as well as the host being used. The first objective of authentication is to establish that the person and/or system attempting to gain access to the system has permission to do so. The second objective is to gather information detailing the way the particular user is gaining access to the system. There are a number of strategies that can be used to verify the identity of a given client.
These include the use of a user ID and password. This has been the most common and simplest approach for identifying users since it is fully system-based. The second form of identification is the physical security device. In this case, a physical device, e.g. a smart card, bank card or computer chip, is used to establish the identity of a given person. Some of these devices also require the user to supply a password or personal identification number (PIN) to verify their identity. The third method is biometric identification, which identifies a given person based on their physical characteristics. This includes voice recognition, palm and thumbprint identification, and retinal scans.

Authorization

Authorization is another vital aspect of system control. It is defined as the act of determining the level of access that a particular user has to behavior and data. Under this aspect of system control, effective approaches to authorization need to be established first. A number of questions need to be addressed. The first is “What shall we control access to?” It is possible to implement secure access to both data and functionality, for example access to monthly sales figures and the ability to fire a given employee, respectively. While this is being done, a number of factors need to be checked to ensure that the implementation is cost-effective and conforms to the performance constraints. The second question is “What rules shall be applicable?” To answer this question effectively, the stakeholders’ requirements need to be factored in, together with other security factors of which the stakeholders may not be aware. These factors include the connection type, update access, the time of day, the existence, privilege level, global permissions, etc.
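The two questions above (what to control access to, and which rules apply) can be made concrete with a small default-deny check. This is an added example, not part of the original essay; the resource names, privilege levels, connection types and hours are constructed for illustration.

```python
"""Default-deny authorization check over the rule factors listed above.

Added illustration: resources, privilege levels, connection types and
hours are constructed and are not taken from the ACAIC system.
"""
from dataclasses import dataclass
from datetime import time
from typing import Optional, Tuple


@dataclass(frozen=True)
class Request:
    user_level: int   # privilege level of the already-authenticated user
    resource: str     # data or functionality being accessed
    action: str       # "read" or "update" (update access is a separate right)
    connection: str   # connection type: "lan", "vpn" or "internet"
    at: time          # local time of day of the request


@dataclass(frozen=True)
class Rule:
    resource: str
    action: str
    min_level: int            # lowest privilege level that may use this rule
    connections: frozenset    # connection types the rule accepts
    start: time               # window start, inclusive
    end: time                 # window end, exclusive


# Constructed policy: one data resource and one piece of functionality,
# mirroring the essay's "monthly sales figures" and "fire an employee".
POLICY = (
    Rule("monthly_sales", "read", 2, frozenset({"lan", "vpn"}), time(6, 0), time(22, 0)),
    Rule("monthly_sales", "update", 3, frozenset({"lan"}), time(8, 0), time(18, 0)),
    Rule("terminate_employee", "update", 4, frozenset({"lan"}), time(9, 0), time(17, 0)),
)


def _failure(req: Request, rule: Rule) -> Optional[str]:
    """Return why `rule` does not permit `req`, or None if it does."""
    if req.user_level < rule.min_level:
        return "privilege level too low"
    if req.connection not in rule.connections:
        return "connection type not permitted"
    if not (rule.start <= req.at < rule.end):
        return "outside permitted hours"
    return None


def authorize(req: Request, policy: Tuple[Rule, ...] = POLICY) -> Tuple[bool, str]:
    """Allow only if some rule for this resource/action passes every factor."""
    reason = "no matching rule (default deny)"
    for rule in policy:
        if (rule.resource, rule.action) != (req.resource, req.action):
            continue
        failure = _failure(req, rule)
        if failure is None:
            return True, "allowed"
        reason = failure
    return False, reason


if __name__ == "__main__":
    samples = [
        Request(2, "monthly_sales", "read", "vpn", time(10, 0)),
        Request(3, "monthly_sales", "update", "vpn", time(10, 0)),
        Request(4, "terminate_employee", "update", "lan", time(20, 0)),
        Request(4, "payroll", "read", "lan", time(10, 0)),
    ]
    for sample in samples:
        print(sample, "->", authorize(sample))
```

Anything without an explicit rule is refused, so a new resource or action is inaccessible until someone writes a rule for it.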
Various authorization methods can be used, including authentication by the given operating system, authentication by a network, and authentication by the Secure Sockets Layer protocol.

Integrity

Integrity, another form of system control, is defined as the process of ensuring that the data presented represents a true, valid master source. This protects it from improper modification or destruction and ensures information non-repudiation and authenticity. Compromising integrity means accepting unauthorized modification, insertion or destruction of the information. The integrity of a given system is aided by the underlying mechanisms if they are weak with regard to the control systems. This may range from alterations in the applications to false data being sent to the application. The access control levels, authentication and authorization all affect integrity directly. Access control means making the data available only to persons with the permissions. Loss of this control means that there is an unauthorized entry, which affects the integrity of the system. Authentication, on the other hand, aims at ensuring that the various entities are who they claim to be and not just malicious spoofing programs. A loss of authentication automatically leads to a loss of confidentiality, integrity and system availability. Authorization is granting a particular user, program or process the right to have limited control once authentication has been approved. This means that the given entity has the right to read, write and execute. There are various methods for maintaining integrity, which include deep inspection of packet data, sequence numbering in proprietary protocols, and host-based intrusion detection systems that normally record the changed, stored or running applications.
Confidentiality

Confidentiality is another important aspect, and it means hiding the data from being seen by others, or “preservation of authorized restrictions to information access and disclosure including means for personal privacy protection.” Any unauthorized disclosure of the said information will lead to a loss of confidentiality. The primary data that normally needs to be protected are the basic accounts and passwords in the control system. This is because attackers normally identify the account names and passwords if they are being transmitted in clear text and use the same information to gain access to the system. Good control measures therefore need to be incorporated, and this is achieved by storing the given files in encrypted format. Information such as application code also needs protection from release. This is because some system configurations store the human-readable code on the same network as the given control system. This might be an entry point for an attacker to gain access to the system. Configuration files therefore need protection to prevent attackers from gaining knowledge of the control system operation.

Availability

Availability is usually defined as the act of providing the data when it is needed, or ensuring that there is timely and reliable access to and use of the information. Any loss of availability means the disruption of access to or use of the information from the information system. Availability is usually the highest priority of control systems. Timeliness of the data being sent to or received from a particular control system is important, since the operators need to be assured that the data being sent or received is genuine. To ensure availability and prevent control system failure, most control systems implement redundancy to ensure a high rate of availability.

Current security threats
Before the given security plan can be incorporated into the system, there is usually a need to analyze the current infrastructure. This includes the desktop computers, the laptop computers, the printers, the servers, the Internet connection and the routers. After a careful review, the following threats were identified.

Malicious insiders (rising threat): employees who have malicious intent are becoming the biggest threat to the organization. The proposal is therefore to conduct Employee Security Awareness Training. With a mandatory, monthly online course, the employees are always aware that security is everyone’s responsibility. The best advice is to choose a training program that offers up-to-date courses which ensure that the users understand the policies and the procedures. The course should in turn provide reports to the management.

Malware (steady threat): malicious software ranges from viruses and worms to Trojan horse programs, etc. Most employees have been distributing the malware due to frequent visits to the sites hosting it. The solution is therefore to use URL filtering, patch management and other protection methods. The employees should also be limited as to the sites they can visit by restricting them to sites deemed to be safe. Patch management and system AV and spyware protection can further help in combating the malware threat.

Exploited vulnerabilities (weakening threat): this is made possible by a weakening system or a system product which hackers usually find easy to exploit. The solution is therefore to implement comprehensive patch management. This is done by investing in a patch management solution that offers full visibility onto a network and covers all the operating systems as well as the vendors.
Another useful tool is the Host-based Intrusion Prevention System (HIPS), which is able to monitor the system by looking for anomalous behavior, applications that users are attempting to install, user escalation, and other non-standard events.

Social engineering (rising threat): by hacking into a system, one normally compromises a computer, but with social engineering one compromises a human by tricking him or her into supplying personal information and passwords. A number of communication methods are used in the attempt to gain the information, ranging from telephone lines, mobile phones, text messaging and instant messaging to impersonation of support or vendor staff and social network sites. The solution to this threat is to conduct social engineering testing. In addition to conducting employee training, awareness needs to be raised by hiring a firm to come in and test the company’s employees for their resilience to social engineering. With a third party, mock scenarios can be used to assess the vulnerability of a given system to a real attack.

Careless employees (rising threat): mistakes from careless or untrained members of staff can contribute greatly to security compromise. This is caused by a poor economic climate, which puts strain on the employees and causes them to cut corners or important duties. This finally leads to less formal employee training. The recommendation for this is to conduct an employee training program.

Remote workers and road warriors (steady threat): telecommuting and mobile workers are on the rise. The solution is to use the same system for telecommuters as for on-site employees. In addition, security needs to be installed on the remote virtual private network, and remote users should use company-issued systems with updated security patches and web content filtering.
Moreover, easily accessible on-call tech support should be provided so that employees won’t resort to fixing issues themselves and thereby disabling the necessary security measures. Lastly, keeping work computers away from children should be encouraged, to avoid threats being downloaded to the computers along with games.

Unstable 3rd party providers (rising threat): given the IT security expenses necessary to keep up with the growing threatscape and the regulatory environment, there has been a considerable decrease in revenues in the market. This has caused many businesses to go out of business or cut corners, which further leads to security compromise. The solution is to consider streamlining the 3rd party providers. This is done by using providers who have been in business for a long time, have seen hard times before and have still managed to remain regulatory-focused over those years. More information can be obtained from audited financial reports. Care should also be taken to choose a firm that can offer multiple solutions via a single integrated portal, gaining the benefits of economies of scale and reducing the burden on the existing staff members.

Downloaded software, including open source and P2P files (steady threat): IT administrators can download and install open source software and freeware in an attempt to save money, which then leads to a huge waste of time on software configuration issues during fine-tuning, or to a data breach. The recommendation is usually to limit downloads and system update administration to trained IT professionals. Users should be limited in what they can download and which installations they can make on their computers. Regular updates to the system AV and spyware protection should also be conducted.
By using HIPS (host-based intrusion system), one can monitor the system operations and note any anomalous behavior, applications attempting to be installed on the computer, user escalations, and other non-standard events that can arise from time to time.

Developing a Good Security Plan

Before a security plan is adopted for a particular system, a broad view of the current security risks facing the given company needs to be established, along with measures for taking prompt action to reduce the exposure. Experts agree that the first step in providing strong security around access to vital corporate information is developing a security plan. “A good security plan is dynamic,” says Christopher Faulkner. He notes that it can be built within a single day and hence it takes some time and enough effort to achieve it. The focus of any successful plan is making sure good, solid policies are created. Below is a brief description of the best elements of a good security plan.

Cover all bases: a good system plan should cover all the bases, not just the wired and the wireless technologies. It should also include the authorization to applications and information access. By first identifying the assets being protected, it’s possible to create a security policy that protects the said assets.

Conducting a risk assessment: another element of a good security plan is performing a risk assessment. This is done by ranking the company data and assets in priority in terms of the value lost should theft or a breach befall the said system. While the theft of a given email may or may not be hazardous, a loss of customer credit card information or other proprietary information can be quite hazardous. By assigning priority levels to assets, it’s easy to map out the security investments needed for good protection. This will indicate the wireless devices that can easily be attacked and the information assets that are under potential risk.
For example, if someone got access to a password, he or she would need to be an expert to know how the system is designed, and so in this case the system risk point is minimal.

Classify data: data should be classified in terms of what is private and what is public, who has access to the data, how the data is stored and how it is backed up. For example, public information is information the firm wouldn’t mind a competitor coming to know. Information such as product development information, on the other hand, is private. When considering security at this point, the type of backup being used should be taken into account to minimize the level of risk to the data.

Map out a policy: a clear outline needs to be established around the security information. Frontline people shouldn’t know everything about the system. By incorporating checks and balances, one should ensure that the proper policies and procedures are being adhered to when there is access to the information. All the people need to be made aware of the policies and the guidelines, because if the frontline people are denied the information they may begin to fill the gaps with their own imaginations.

Put a policy leader in place: one needs to pick a specific number of IT employees or business managers who are in charge of the security policy so that they can make changes whenever new information is made available. The policy leader is responsible for updating the security policy on a regular basis as well as making changes any time he or she sees major changes within the company, e.g. remote access capabilities. In addition, if new applications come online or the compliance rules change, the security policy needs to be updated.

What a good policy includes: the security policy should describe what company data needs to be encrypted and the method of encryption (64-bit, 128-bit), as well as give an outline of who holds access to the encryption keys.
The security policy should also clearly include details about passwords, including how often they should be changed as well as ways to secure them. All sensitive data should be encrypted so that information is protected even if the company lost some of its wireless assets or its movable media such as tapes.

Don’t restrict policy reach: one should not limit the security plan to laptops, traditional computers and network systems. As PDA viruses make their way into the market, care should be taken to ensure that PDAs are also included in the security plan. This means that the plan should outline information about the proper use of these devices on the network systems as well as the security precautions which should be taken by the users of the said devices. This includes automatic updates. Moreover, the best policy is usually to limit access for outside devices.

Connectivity guideline importance: any wireless device should have a clear policy that includes information about proper connection policies, remotely or within the organization. For instance, a wireless device should not be exposed to the WLAN and the internal LAN at the same time, since this exposes the company information to the outside world.

Outline user restrictions: the security policy should limit as well as restrict access to wireless communications. A wireless network is mostly insecure, since a lot of people “sniff” to get access to the network. This is why it’s advisable that sensitive data communication should occur over secured links rather than relying on airwaves. Many hackers have been known to set up “evil twin” access points that appear to be a given company’s popular hotspots, with a signal that encourages wireless users to try to gain access to the rogue device.
Outline impact of policy infractions: there should be clear enforcement, or stipulated ramifications, if a certain policy fails to be followed. The IT leaders need to work closely with HR as well as other business executives to map out punishments for infractions. The corporate data, which is a company’s most vital data, needs to be kept secure, and any breach of this should be followed by a tough punishment.

Other security measures

The following security control measures can also be used to curb security breaches.

Antivirus protection: all the PCs on the network should have antivirus protection. There are plenty of antivirus programs available from the internet.

Antispyware protection: spyware has become a common malicious program that is difficult to detect and remove. Antispyware programs should therefore be used, and they should be updated frequently so as to be in a position to monitor background processes.

Firewall: a firewall should be incorporated to block unauthorized access to the computers as well as the networks. Firewalls can be hardware or software.

Virtual private network: a VPN will create a tunnel between the computer and an unsecured public network such as the internet.

Wireless security: if a business uses a wireless network, at a minimum a password or WEP key can be used to prevent unauthorized access to the system.

Secure hardware: every company’s network needs to be protected by routers which have comprehensive built-in security mechanisms, including firewalls, a VPN and an intrusion system.

Data protection: one should implement regular backup procedures to safeguard the critical business and company data.