Mr. Manos Llewellyn Computer Network and Security Controls - Assignment Example

? Contents Introduction 2 2 What is ISMS? 2 3 ISMS Scoping 4 4 Project Scope and Objectives 6 5 Mr. Manos Llewellyn Wired Network 7 6 Considerations and Recommendations for Mr. Manos Llewellyn Network 11 7 References 15 1 Introduction The computer network for Mr. Manos Llewellyn is not dispersed on a large scale, however the company wishes to provide web development and web services, enable and configure Secure Socket Layer, Domain hosting, Web Applications, develop E-Shops, develop Web Designs, incorporation of a software house, graphic designing, and digital viral marketing strategy. However, to support these services on the current network, several considerations are required in the following domains: Network Type i.e. client/server Network Technology i.e. size, speed, and scale requirements Network Cabling i.e. considering supported data rates and security Network Interfaces & Protocols Network Services Requirements Data and Network Security Requirements Network Performance Requirements Compatibility Requirements 2 What is ISMS? The ISMS for Mr. Manos Llewellyn should consist of Policies, Processes, Guidelines, Standards, and tools. Likewise, in order to make this system a successful for Mr. Manos Llewellyn, it contains five key elements. The first component is CONTROL. The control establishes a framework and distributes responsibilities in order to develop an environment for implementing the ISMS for Mr. Manos Llewellyn. The next key element is PLAN. The Plan defines the service level agreements as per business requirements, foundation of contracts, operational level agreements, and policy statements for Mr. Manos Llewellyn. All these components included in the planning are based on the requirements of the business. After the completion of control and plan, the next key element is to IMPLEMENT all these components. Implementation involves creating knowledge and consciousness along with categorization and listing of assets. Moreover, personnel security and physical security related to theft is implemented. Likewise, implementation element also involves security related to network, applications and computing devices. In addition, configuration and management of access rights and contingency planning of security incident processes is also a part of this element. All of the three elements control, plan and implement lays a foundation of a structure for Mr. Manos Llewellyn. After the deployment of ISMS structure, the next key element is EVALUATE. The evaluation consists of internal and external auditing of the processes that are implemented in the previous three phases. Moreover, self-assessment is also conducted, along with security incident evaluation. For instance, if there is a breach in security, the security management processes ensure to deal with security incidents. The last key element is MAINTAIN. This phase frequently monitors processes including security management, new threats, vulnerabilities and risks. These elements, do not only monitors these processes, but also improve processes where required , and if there are certain processes that needs to be improved for Mr. Manos Llewellyn, the ISMS cycle start from the first key element i.e. CONTROL. 3 ISMS Scoping A good definition of ISMS is defined as (Humphreys 2007) “An information security management system (ISMS) includes all of the policies, procedures, plans, processes, practices, roles, responsibilities, resources, and structures that are used to protect and preserve information. It includes all of the elements that organizations use to manage and control their information security risks. An ISMS is part of a larger management system”. The goal is to protect the information for Mr. Manos Llewellyn, as well as its customers. The ISO/IEC has established two standards that emphasize of ISMS. The ISO/IEC 17799 is a code for information security management. It is the framework or a system that is based on certain processes, to ensure that organizations achieve their information security management objectives i.e. ISMS. The second standard is ISO/IEC 27001 is associated with several different factors including (Calder 2009): Implemented in the organization to originate security requirements and goals Implemented within the organization in such a manner that security risk management bears less cost Implemented within the organization for guaranteed deployment of compliance with laws and regulations Implement a process framework within the organization for deployment and management of controls in order to meet particular security objectives Defining new processes for information security management The scope for ISMS can be implemented on one or more than one department. The issues are clearly identified as there are no security baselines or security controls available that may lead to mismanagement of network, vulnerable data and assets along with vulnerable database security. Sensitive data is located at the sensitive data room. As per current scenario, the most critical data is residing in the sensitive data room and the server some. Hubs are used instead of switches, as switches are installed on the backend of some hubs. Sensitive traffic is routed to all departments of Mr. Manos Llewellyn. There are two Apache Servers running on Linux, Windows 2003 Server with active directory configured, two file servers, and one shared network printer, 1 backup server for backing up data on servers, one SAMBA server for making Windows and Linux environment understandable and one remote server. Figure A and B shows bad and a good scope for the given network. Figure A (ISMS Bad Scope) Figure B (Practical Scope) 4 Project Scope and Objectives Mr. Manos Llewellyn has intent of updating the current network for meeting the functional and scalability requirement. For achieving the desired outcome, the network will be equipped with latest technology equipment i.e. network devices, system hardware and software.. The implementation of software technology includes the 27001 ISMS consideration. The hardware and security technology implementation includes Cisco routers, firewalls, switches and ‘access points’. Mr. Manos Llewellyn has currently one branch and the long term future plan of the company is to provide services that are named as: 4.1 Web Services Web development SSL certificates Domain Hosting Web Applications E-Shops Web Design 4.2 Software House Software development Software testing Graphics Design Digital Viral Marketing Strategy 5 Mr. Manos Llewellyn Wired Network Before implementing the local area network for Mr. Manos Llewellyn, selection of appropriate computing and network devices is essential. The implementation review begins from the initial stage as there are not legacy networks available. 5.1 Network Topology Star topology is recommended for Mr. Manos Llewellyn computer network. Star Topology is now a globally adopted standard that is used by almost every organization. One of the major features for this topology is the centralized utilization of network resources that may lead to efficient network management, easy network administration, and centralized configuration and troubleshooting. Moreover, the star topology that works on client / server architecture also facilitates centralized security management, along with efficient utilization of network protocols, services and directory services. The network implementation cost can be saved by provisioning the core systems located centrally. The security controls and backup systems are also located centrally for better troubleshooting and management. Example of the star topology is available in Fig 1.1. 5.2 Network Cables In order to implement the star topology, there is a requirement of data cable with fast data transmission speed. CAT 5 is the recommended option, as it caters the current and future scalability requirements of the company. Likewise, it supports data as well as voice transmission on a twisted pair. There are 4 copper twisted pairs in the cable and data/voice transmission speed is from 100 Mb/sec to 1000 Mb/sec on a full duplex mode (Category 5 Cable. 2007). As per the requirements, employees will utilize remote services, email services, data backups and traditional file transfers and CAT 5 cable is up to the task. Depending on the distance and speed comparison, data transfer rates starts declining after 100 meters. 5.3 Network Devices A router is considered to be a core routing device that routes and process data packets and deliver them to their required destination. Moreover, routers can be connected to one or more networks, as different subnets can be defined on the configuration console. For meeting scalability of Mr. Manos Llewellyn network, routers are scalable and can expand the network by connecting branch offices or remote offices. Routers are able to route data packets in a super fast speed by maintaining a routing table that tells the router to use static routes or OSPF protocol. Moreover, various other commands are configured, for instance, dynamic routing protocol is configured for automating the exchange of data packets with other available routers within the network. The maximum transmission unit (MTU) that is called as a data transmission gauge is considered for maintaining operational efficiency of the network. For establishing remote connectivity, email service, file service and maintaining security, router is preferred. As the Primary site includes the core devices for the network to be operational and efficient, Cisco 3845 integrated service router will fulfill all the network requirements. 5.4 Considering Cloud Computing for Mr. Manos Llewellyn Public computing is a traditional approach where the resources are accessible on the Internet. Third party providers, known as the cloud vendors, organize the hosting for these resources on the Internet. The services and resources on this cloud are accessible to the public and groups of various industries (Bento, Aggarwal 2012). On the other hand, hybrid cloud comprises of a mixture of all types of clouds i.e. public, private and community. Most organizations deploy this type of cloud as it provides a range of options in the context of accessibility. By incorporating hybrid clouds, issues such as PCI compliance can be eliminated (Bento, Aggarwal 2012). 5.5 Cloud Computing Service Models Cloud computing consists of applications that are represented as a service on the web and the provision of hardware / software services provided by companies operating data centers. Likewise, the services provided over the Internet are referred as (Software as a Service) ‘SaaS’. There are few sellers who use the term (Infrastructure as a service) ‘IaaS’ and (Platform as a service) ‘PaaS’ in order to demonstrate their products and services. However, these terms are avoided and not accepted globally, due to variation (ARMBRUST, FOX et al. 2010). The Commerce Department’s National Institute of Standards and Technology (NIST) have illustrated some helpful definitions that focus on three concepts (Ryan 2010): Cloud infrastructure as a service ‘IaaS’ consists of provisioning elementary computing resources. Cloud software as a service ‘SaaS’ access software application that operates on a cloud infrastructure. Cloud platform as a service (PaaS) provides the accessibility to users for implementing and developing applications with programming language and tools supported by the providers. The core components of a cloud are consists of the data center hardware and software. When these resources are made available to the public, they are referred as public clouds and the service provided by the cloud is called as utility computing. Moreover, private clouds are only available to private organizations and are not accessible by public. Accordingly, cloud computing is the combination of ‘SaaS’ and utility computing (ARMBRUST, FOX et al. 2010). 6 Considerations and Recommendations for Mr. Manos Llewellyn Network Cloud computing is increasingly becoming popular due to its promising cost saving benefits. As the cloud leverages office and business automation in the cloud makes it eminent for less downtime and availability of business automation along with avoiding or transferring risks to third parties. However, there is a big risk as well, because the cloud provider network can also be hacked, risking confidential data of hundreds of companies that are subscribed for cloud computing services. Google apps is one of the most popular cloud computing applications before it was hacked and compromised by hackers located in China (Bisong, Rahman 2011). The security and privacy in cloud computing is associated with data storage and data protection. Moreover, monitoring the utilization of resources available on the cloud by the service providers is also included. In order to secure the data on the cloud, it can be stored internally in the organization’s premises. Moreover, the Sarbanes-Oxley Act (SOX) in the US and Data Protection directives along with the EU are only two compliances from many other compliance concerns related to data and application of cloud computing. Moreover, EU has backed up with a legislative data protection for the entire member across the globe. However, the US data protection differs from EU, as it varies in each state (PLI search results). Moreover, the service provides incorporates the highest level of security in the clouds by their inbound technical intelligence, but these measures are affected due to government regulations country by country. For instance, if a cloud computing service provides is located within a country, the service provider is bound to slipshod provisions on privacy that may lead the involvement of the government enforcement agencies to peek in the hosted data of a particular organization. The identified issues for the current scenario are: {Security Issue No 1}: Their is absence of data backup policy {Security Issue No 2}: There are no workarounds, as well as absence of a Disaster recovery plan {Security Issue No 3}: There are no procedures and processes for support services of servers requiring maximum availability. {Security Issue No 4}: There is no mechanism for monitoring network traffic for vulnerabilities and anomalies that may penetrate in mission critical systems {Security Issue No 5}: There is no baseline security for the local are network. For instance, Firewall It is important for Mr. Manos Llewellyn to address the identified weaknesses within the computer network, as any vulnerability can be invaded by a cyber attack or virus, resulting in unavailability of critical systems. As mentioned earlier, the presence of required policies will be the first step before defining standards and procedures and embedding security controls in the current network environment. {Issue No 1}: As the organization is maintaining two file servers with a lot of backup storage that is classified as critical, there is a probability that if the server or data is compromised, business processes will be halted. Mr. Manos Llewellyn must first ensure availability of data residing on these systems and establish a data backup policy. Recommendation: For replicating data from the primary system to the backup system or storage device, disk mirroring will be feasible. There are various disk mirroring techniques available. One of them is Redundant Array of Inexpensive Disk (RAID). RAID drive will replicate the primary storage with the backup storage; as a result, both data locations will be synchronize. In case of failure from any one of the systems or storage location, the other storage device will do the job. {Issue No 2}: Natural Disasters cannot be avoided, as any storm or earth quake can cause significant damage to mission critical assets and data of the company. Recommendation: One of the solutions for the risk of natural disaster is to replicate or create data backup at a secondary different geographical location, which may be considered as an expensive control. This may be covered in the risk assessment program, where asset valuation and cost / benefit analysis are carried out. {Issue No 3}: As the core servers of Mr. Manos Llewellyn network are file server, backup server and SSH server, there is a requirement of maintain their availability to the business units. A BCP plan must be established for replicating business processing regardless of new premises of the organization. Moreover, Power outage must also be prevented to ensure availability. Recommendation: Recommendation: For ensuring a redundant power supply, Power over Ethernet technology can be used for making network devices and critical servers powered up. A comprehensive definition is available in network dictionary, which states as “Power over Ethernet (PoE) technology describes any system to transmit electrical power, along with data, to remote devices over standard twisted-pair cables in an Ethernet network. This technology is useful for powering IP telephones, wireless LAN access points, webcams, Ethernet hubs, computers, and other appliances where it would be inconvenient or infeasible to supply power separately.” {Issue No 4}: As business automation is carried out by information systems, there is a requirement of ensuring adequate protection of these systems, as they can be exploited by threats and vulnerabilities. One of the threats may be categorized as internal threats, logical threats and environmental threats. Recommendation: For preventing the network from logical threats i.e. unauthorized access, cyber threats and environmental threats, monitoring mechanisms are required for detecting network anomalies and vulnerabilities for containing the incident on initial basis. Moreover, the activity of employee actions and access to files needs to logged. {Issue No 5}: The current network scenario of Mr. Manos Llewellyn is lacking adequate security measures. Currently, there is no firewall for handling internal as well as external threats of the network. In order to handle threats and vulnerabilities, there is a requirement of a security device that may demonstrate minimum level of security i.e. Firewall, which may monitor internal network for possible threats. Recommendation: Intrusion detection system (IDS) is now considered more effective for detecting and monitoring anomalies and intrusions within the computer network. Firewall can be bypassed easily by advanced persistent threats, whereas, IDS detects all types of intrusions. Moreover, VLAN configuration also provides adequate protection in terms of securing data flow of different business units by encrypting them and separating them with each other. 7 References ARMBRUST, M., FOX, A., GRIFFITH, R., JOSEPH, A.D., KATZ, R., KONWINSKI, A., LEE, BENTO, A. and AGGARWAL, A.K., 2012. Cloud Computing Service and Deployment Models: Layers and Management. IGI Global. BISONG, A. and RAHMAN, S.M., 2011. An Overview of the Security Concerns in Enterprise Cloud Computing. International Journal of Network Security & Its Applications, 3(1), pp. 30-45. G., PATTERSON, D., CALDER, A., 2009. Implementing Information Security Based on ISO 27001/ISO 27002: A Management Guide. Bernan Assoc. HUMPHREYS, E., 2007. Implementing the ISO/IEC 27001 information security management system standard. Artech House. Power over Ethernet. 2007. Network Dictionary, , pp. 382-382. RABKIN, A., STOICA, I. and ZAHARIA, M., 2010. A View of Cloud Computing. Communications of the ACM, 53(4), pp. 50-58. RYAN, W.M., 2010. Insights into Cloud Computing. Intellectual Property & Technology Law Journal, 22(11), pp. 22-28. Read More