Company's Security on the Internet - Case Study Example

Security on the Internet Alicia Glenn Information Technology 9 Aug The presence of an effective Information Technology (IT) structure is a mandate for every organization. Contextually, the study aimed at determining the importance of integrating an appropriate security system to the network structure of XYZ Ltd. Through his study, inefficiency within the network structure of XYZ Ltd was found. However, reflecting upon the drawbacks, the organization appeared to have made multiple modifications within the security features of its networks for attaining the trust and the preference from its business partners. Besides, it has also been understood that the organization has taken appropriate measures to prevent any possible attacks from unauthorized sources. Security on the Internet Information technology and internet in the present scenario has become extremely important for every business organization. It has become the most appropriate means for carrying out long distance communication across global organizations. In addition, the continuous technological advancement is argued to inherent security risks. If the statistical reports are taken into consideration, multiple cases of online data theft and fraud can be brought up through which the safety and the integrity of internet can specifically be questioned (Koskosas et al., 2011). Moreover, by taking into consideration, the rising level of online attacks, it has become a challenge for the IT engineers to counter such unwarranted situations that might risk the integrity and survival of multiple organizations along with all the stakeholders associated with it. As a result, this report will focus towards evaluating the security issues identified within the IT structure of ‘XYZ Ltd.’ through which the inappropriate loopholes that existed within the system can be identified. Adding to that, the report will also emphasize on the available solutions through which such security issues are being resolved (Koskosas et al., 2011). Discussion Types of IT Security Issues Faced By XYZ Ltd As already discussed above, security issues within IT organizations has become a common trend. Reason for this cause can be provided by taking consideration of the level of data being accessed within these companies on daily basis. Adding to that, majority of the IT companies appears to have taken appropriate steps regarding minimizing the percentage of confidential data loss. As a result, the procedure of centralizing the operational data is often opted. Nevertheless, the procedure of centralizing the operational data is perceived to increase the risk of data loss from the central servers. Moreover, in order to carry out the daily functions, the organizations will have to grand its employees, access to the confidential data that further raises multiple risks such as data loss, redundant data updating and data corruption that might cost the company both in terms of financial and reputational losses (Jeena & Kumar, 2013). XYZ Ltd., being an IT company has been handling operations within multiple domains. With the intention of knowing more about the organization, a face to face interview was conducted with the 10 employees responsible for overseeing the IT function of the company. Based on the data obtained from the interview, it has been understood that this company has been majorly focused towards its banking domains through which it systematically regulates all the data and fund management operations carried out by the banks on daily basis (Lodha & Dhande, 2014). Employee’s Opinion on XYZ Ltd’s Data Security System In response to the first question “Elaborate your opinion on the data security standards of XYZ Ltd”, approximately 8 respondents made negative comments regarding the organization’s data security system getting frequently subjected to failures. Moreover, the reasons which were stated by the employees in the context of this issue reflected that increasing functionality and the data access by the banks, the companies IT structure has been facing multiple issues related to data loss (Popescu, 2010). Another reason which came out of their response was regarding the implementation of inappropriate and unreliable VPN tunneling techniques by XYZ Ltd., in order to provide its clients and employees of its other branches, the access to the centrally stored data. Within that 10 respondents, 2 respondents stated that the inappropriate encryption of the data being transmitted is the only reason through which external third parties can attain unauthorized access to the confidential organizational data (Popescu, 2010). Safeguard of Organizational Integrity For the second question, “Has the data integrity of this organization ever been compromised? Kindly elaborate” and the third question, “How has the organization resolved such security compromising situations?” approximately, 4 respondents state that there has been multiple situations where the reputation and the integrity of XYZ Ltd , has reached the verge of getting compromised. When asked for the reason, they replied that as being a small scale company, XYZ Ltd, lacks the funding capability for establishing effective data encryption systems and thus multiple instances has occurred when the confidential data of the clients almost got un-authoritatively accessed as a result of intentional system intrusion attacks. The respondents also stated regarding the withdrawing of the investment accounts by multiple investors due to the poor data privacy protocols of the company (Stoica et al., 2013; Bansode et al., 2013). Areas of Functional Domains Managed by XYZ Ltd For the fourth question, “What are the current functional domains of this company? If more than one, how the company is managing its multiple domains?” regarding the total number of functional domains managed by XYZ Ltd., approximately, all15 interviewed employees responded that in the current state, the company has been handling four main functional domains namely banking and financing, automobile manufacturing, electronic equipment manufacturing and the last one being logistics which has been a recent acquisition (Amare, 2013). Responses also came regarding the fact that XYZ Ltd. draws major portion of its business and revenue from the banking sector. Moreover, on being asked regarding how this company manages all the four functional domains, the respondents stated that the company has currently confined to the domestic markets of US and has got four branches within the states of Virginia, Texas, Missouri, Florida and Arizona. As per the interviewed employees, the branches within Virginia and Missouri are mostly involved towards managing all the large scale and small scale banking related processes. The branch located in the area of Texas is majorly focused towards managing all the manufacturing of electronic goods production. The Arizona branch handles the logistics operations undertaken by the XYZ Ltd., and the branch in Florida handles the critical processes associated with automobile manufacturing. The organization has also been providing software solutions to corporate and retail banking along with associated consultations (Amare, 2013). Implementation of Appropriate Firewall Techniques Responding to the fifth question, “Has this company implemented standardized firewall security measures within its server ports? Please provide some information” 7 of the interviewed respondents replied no whereas only 3 of the total respondents replied yes. The respondents also added up to this context, stating that, by taking into consideration the complexity of the data handled by this organization, it was necessary for XYZ Ltd., to implement the ‘Application-Proxy Gateway’ firewall through which, direct access to the organization’s IP address can be prevented which in turn will restrict the unauthorized access to the confidential data stored within the organization’s servers. But instead, XYZ Ltd, appeared to have implemented the ‘Simple Packet Filtering’ firewall through which the company regulates the flow of incoming and outgoing data packets as per its own structured security protocols (Bidkar, n.d.; Schultz, n.d.). Responding to the sixth question, “What kind of firewall has been installed by the company and why?” the 7 respondents stated that, since the firewall packet intercepting protocols and the data routing path determination protocols within XYZ Ltd., are static and are designed by the system administrators, so they lack the efficiency that can be attained within a dynamic system. Moreover, the respondents also stated regarding the ‘Simple Packet Filtering’ firewall as being less efficient in terms of intercepting the malicious contents within the incoming packets as a result of which the hackers easily get the chance of flooding out the entire organization’s data transmission band with inappropriate data, bringing the system to a complete halt. This further slows down the data transmission between the organization and the associated client domains and as a result, they start complaining regarding the inappropriateness of the system. The comments of the respondents in this context also included the possible risk of data corruption and data theft (Srikanth & Ramana, 2013). Organizational Data Storage Pattern Taking into consideration the seventh question, “Does XYZ Ltd. has a centralized data storage pattern or it maintains redundant data in its regional servers?” 5 interviewed respondents who appeared to be technicians responded stated that the company does have some major loopholes within its data storage procedures. While the remaining 5 respondents stated that they find the system appropriate. The respondents who appeared to be technicians stated that due to the past records of data mismanagement and loss the organization finally decided to store its entire data within the main servers of the master domain and each regional domain will only be allowed to access the data in a remote fashion where every user will have to log into the central server for attaining the required data (Tiwary, 2011). The respondents also stated that at one point this ensures prevention against data mismanagement but on the other hand increases the risk of unauthorized access on the central system. On further note, they stated that since the entire accessible data stores on the central server, so every time the state wise branches attempts to access the data, they make multiple replicas of the actual data and overloads the system as a result of which, the server crashes out. The multiple replicas produced as a result of daily functionality, also consume considerable level of organizational bandwidth and hamper the data transmission effectiveness. Moreover, 2 technicians also stated that due to the inappropriateness of the firewalls installed within the central servers, there always exists the risk of unauthorized intrusion within the central system that might result in exposure of the confidential organizational data (Tiwary, 2011). Implementation of Intrusion Detection System For the eighth question, “What kind of Intrusion Detection System (IDS) is implemented by this company?” 7 employees responded saying that the XYZ Ltd, appeared to have only implemented passive IDS at the network level and Host IDS for every platform where the employees operates. As per the respondents, the passive IDS system is only effective in terms of warning the operator regarding the any type of intrusion attack on the system rather than stopping it directly (Jyothsna et al., 2011). The 3 interviewed employees responded the same in case of host IDS as well and stated that only monitors and logs all the intrusion attacks on the system. On a broader aspect, each of the 15 respondents stated that without the implementation of an appropriate intrusion detection system such as active IDS and ‘Network Intrusion detection systems (NIDS)’, the organizational network will always address the risk of getting subjected to unauthorized and hazardous data intrusion attacks which in turn might harm the long term survival and reputation of XYZ Ltd (Jyothsna et al., 2011). Implementation of Intrusion Prevention System In respect to the ninth question, “Does XYZ Ltd uses any kind of Intrusion Prevention System (IPS)?” all 15 interviewed employees responded in favor of the company to a certain extent. As per the interviewed employees, the company appears to have considerable steps regarding safeguard from massive intrusion attacks such as ‘Ping to Death ‘attack and ‘SYN Flood’ attack (Chakraborty, 2013). But on the contradictory side, the intrusion prevention protocol implemented by XYZ Ltd., proves ineffective in terms of rebounding other intrusion attacks such as ‘Port Scanning ‘threat, ‘ARP Spoofing’ threat and ‘Buffer Overflow’ attacks that can also do considerable level of damage to the organization’s network system. Moreover, the respondents also stated that since the XYZ Ltd primarily deals with the management of banking and financial data, so it is an utmost necessity for the organization to implement an effective intrusion prevention system which will be capable to tackling every possible type of intrusion threat (Chakraborty, 2013). Applicable Mode of Employee Data Access In response to the tenth question, “What is the mode of employee data access?” 9 of the total interviewed respondents replied that they are provided with a unique ID and password through which they need to log in within the system and access whatever data they need for carrying out their daily operations. Adding to that, the respondents also stated that since during the start of the day, a major portion of the employee group log in and start accessing the data, the central domain system has to undergo intense level of pressure and thus there always occurs a risk of possible system crash. In relation to this issue, the employees also projected negative remarks regarding system slowdowns and client complaints (Conjecture Corporation, 2014). Intensity of Client Complaints Responding to eleventh question, “How often you receive system failure complaints from your clients?” regarding the frequency of client complaints, nearly 7 interviewed respondents stated that due to the slow pace of the network structure within XYZ Ltd., majority of the complaints come from the banking clients regarding cases such as server down and data alterations. The remaining 3 respondents stated that they often receive complaints from the other domains managed by this firm. Implementation of VPN Tunneling In response to twelfth question, “Does XYZ Ltd implements Virtual Private Network (VPN) tunneling technique for transmitting data? Kindly elaborate.” all 15 interviewed respondents replied that XYZ Ltd., does utilizes the VPN tunneling in context to allowing its employees, the facility of remotely accessing the files from the central domain. However, the respondents also stated that due to the inappropriate data encryption standards of the VPN system, often cases of data loss and theft comes up which in turn risks the integrity and the survival of the company (Wadhwa & Pal, 2013) Resolving the Issues of Internet Security Standards Responding to thirteenth question, “How according to you have the organization made efforts for resolving all the security issues within its network?” respondents stated that XYZ Ltd has projected multiple plans of upgrading the standard of its network security system within the tenure of the next 6 months. They also stated about the company’s plan of adapting to the dynamic dimensions of security rather than remaining confined to the static systems. As per the respondents, the company has already started reinforcing its confidential data through the implementation of safe and secure firewall systems. Through the implementation of the dynamic firewalls, the company will be able to monitor and alter the real time incoming and outgoing network traffic flow, rather than just relying on the standalone platform firewall systems which are only efficient in alerting the users and the domains regarding the identified unauthorized attack attempts. Adding to the above, the interviewed respondents also stated that XYZ Ltd appeared to have made multiple resolutions to its associated domains in context to minimizing the lags within its network system through which this organization will attain the capability of serving its clients with the best possible service (Wadhwa & Pal, 2013). Solution against Compromise of Confidential Organizational Data In addition, the respondents stated that the XYZ Ltd has recently integrated a proxy server through which it will be hiding the IP addresses of its central core servers from unauthorized access. Moreover, XYZ Ltd will be communicating and serving all its clients by establishing effective communication with them through the proxy server. The respondents appreciated this effort made by XYZ Ltd and also stated that although the entire process might turn out to be time consuming but, it will save them a great deal of effort in term of undertaking regular repairs of the data contents within the main server (Jeena & Kumar, 2013). In terms of maintaining confidentiality of the transmitted data, the respondents state that the company has shifted towards integrating the ‘IPSec protocol’ within their VPN tunneling procedure. As per the respondents, the company has claimed that through the implementation of the ‘IPSec protocol’, it will be able to by authenticate and encrypt each and every IP packet belong to the data stream that will be exchanged between the clients server platforms and the organization’s proxy server (Jeena & Kumar, 2013). Resolution of Issues from the Partner Domains Responding to fourteenth question, “Please provide your suggestions for further improvement in XYZ Ltd. Related to IT security issue.” the respondents stated about the recent resolutions made by the XYZ Ltd, in terms of installing additional server domains within all its state wise branches. The respondents also stated that with this initialization, the company intends to subsequently reduce the pressure of accessing data from the main server. As per the respondents, the company has instructed all its server domain controllers to store imitated copies of the employee accessible data on each regional data so as to reduce the level of data traffic flow within the organization’s bandwidth. This will reduce the possible chances of system hang-ups and crashes. The interviewed respondents have also stated multiple facts regarding the company’s resolution of establishing mergers with few more banking business partners for expanding its business process. Additionally, it was reckoned that the company in the current phase has been looking forward towards expanding rather than just developing its existing network systems. XYZ Ltd also appears to be opening few more branches within the areas of Texas and Arizona for serving the increasing number of clients (Amare, 2013; Popescu, 2010). Resolution Regarding Updating of Security Check on the Incoming and Outgoing Traffic In terms of improvising the security check on the incoming and the outgoing traffic, the respondents replied that, rather than remaining confined to the utilization of ‘Simple packet filtering’ firewall, the organization have started implementing dynamic and advanced firewall programs within its server. The respondents also stated that, by taking into consideration, the rising rate of intrusion attack on the central system and the existence of confidential banking and financial files within it, XYZ Ltd has finally come up with the resolution of integrating the ‘Application Layer Firewall’ and the ‘Application-Proxy Gateway Firewall’ within its data security protocols (Bidkar, n.d.) Besides, it has been observed from the interview that the installation of the aforementioned firewalls will be effective in context to preventing any form of attack or uploading of malicious executable files from any node that is in communication with the network. Few respondents with regard to the integration of the two above mentioned firewalls also stated that the company will have to upgrade their network bandwidth before deploying those firewalls due to the fact that, as being active in real time data processing and transmission, these firewalls can slow down the entire communication process. These firewalls can operates through the support of the proxy servers and has the capability of intercepting any malicious context through the network traffic before it reached the destination or before it leaves the transmitting node (Bidkar, n.d.) Data Storage Issue Resolution The interviewed respondents in context to the solution against the data storage issue replied that like past instance, the XYZ Ltd still prefers remote access for allowing its users, access to the operational data. However, as per the respondents, the company has brought about significant improvement within their data accessibility process so as to ensure the safety and the simplicity of the data being shared. Integration of additional domain servers within every state wise branches of XYZ Ltd can be considered as an example worth to be mentioned. The respondents in this context appeared to have mentioned critical points regarding the intention of the organization for undertaking this initiative (Tiwary, 2011). According to the respondents, the top ranking engineering within the organization came up with a solution that if multiple copies of the employee accessible data are kept within the local domains of each organizational branch then the pressure of regular employee login to the central server will gradually come down. Moreover, since the branch wise data access traffic will remain confined to the local domain servers, the chances of data loss and high bandwidth consumption will gradually come down as well. One positive comment from the respondents in this context has been regarding the fact that the implementation of the new upgrades has gradually pumped up the efficiency rate of the XYZ Ltd, both in terms of time and performance (Tiwary, 2011). The response from the respondents also included facts regarding improvisation in the workflow of the associated domains. As stated by the respondents, the reason for this improvisation is that, with the segregation of the overall data transmission load over the integrated servers, the data traffic flow through the organizational network bandwidth has subsequently reduced which in turn has enhanced the efficiency of the advanced firewall protocols for detecting and blocking the intentional intrusion attack on the central system without slowing it down. Moreover, as an advantage, the servers within the banking and financing domains remain active and functional for longer duration. This brings in positive remarks for XYZ Ltd from the functional domains (Tiwary, 2011; Sequeira, n.d.). Resolution of Issues against Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) On questioning the respondents regarding any improvement in the Intrusion Detection System (IDS), multiple positive responses have been attained regarding the continuous development of the existing IDS system from being passive to active IDS. As per the respondents, with the implementation of the active IDS, the organization’s network firewall will be capable of detecting and blocking all the emerging threats against the system without prior intimation to the system operator. Through this way the system will be robustly able to safeguard the confidential data that remains stored in the server data banks. The respondents also added up projecting facts regarding why XYZ Ltd has been planning for integrating the ‘Knowledge-based (Signature-based) IDS’ along with the ‘behavior-based (Anomaly-based) IDS’ within their network security protocols (InfoSec Institute, 2012; Jyothsna et al., 2011). The reason behind the integration of these two additional IDS within the organization’s network security protocols is that, the company appears to have planned for undertaking few more mergers within the banking and the financial sector. As a result of which, XYZ Ltd will have to reinforce its intrusion detection system failure to which might cost the company millions of dollars. The respondents also explained how the two above mentioned IDS will save the organizational data from unauthorized access. According to the respondents, these two IDS maintains a database of all the pre attempted and the newly attempted intrusion attacks on the system and based on the accumulated digital signatures from such attacks, it prevents future system intrusion attempts. These two intrusion detection systems are also highly effective in terms of tracing the IP addresses from which the intrusion attack gets initiated (Jyothsna et al., 2011). In context to the intrusion prevention system also the respondents appeared to provide multiple positive comments. As per the interviewed respondents, XYZ Ltd has undertaken significant level of improvement within their intrusion prevention system, but equipping it with updates with the help of which it can resist hazardous intrusion attacks on the system such as ‘Port Scanning ‘threat, ‘ARP Spoofing’ threat and ‘Buffer Overflow’ attacks that can also do considerable level of damage to the organization’s network system (Jyothsna et al., 2011). Solution of the Issues In Terms of Reducing Client Complaints In addressing this question, the respondents stated that they have noticed a massive decline in the percentage of client’s complaint. The respondents also stated that, previously, the clients use to complain multiple times in a day regarding cases such as slow system, inappropriate redundant data storage, loss of client data and multiple more. However, the respondents appeared to have witnessed a percentile decrease of 50% in the complaint rates in comparison to that of the previous scenario. The responses from the interviewed respondents also included multiple appreciations for the company regarding the bringing up of significant level of improvisation within its network security systems. However, they also stated that they want the company to be growing at a gradual rate and attaining multiple more business proposals in the coming days. Conclusion By taking into consideration, all the above facts, a detailed understanding can be obtained regarding the importance of installing an appropriate network security system for an IT company such as XYZ Ltd. The context finds much more significance, in case if the company has been handling banking and financial domains. It also needs to be understood that the database within the IT organizations such as XYZ Ltd comprises of confidential banking data and the exposure of which might damage the reputation of multiple clients. On important factors that should be taken into consideration is that with the continuous improvement within the field of technology and business process, the risk of attacks on the security of the systems are also gradually increasing. Thus, bringing about continuous improvement within the data storage and management systems are must for every IT organizations that operates with the credential data of other organizations. With the existence of appropriate network security systems within an IT organization such as highly sensitive firewalls and appropriate intrusion detection systems, it becomes reliable for other investing organizations to share their data so as to carry out the necessary functions in an effective manner. References Amare, G. (2013). Information technology and business strategy alignment, and its impact on the performance of commercial banks in Ethiopia. Adama Science and Technology University, 1-12. Bansode, S. A., Jadhav, U. M., & Patil, N. K. (2013). Data leakage detection. Journal of Engineering, Computers & Applied Sciences 2(4), 30-34. Bidkar, P. (n.d.). What are some types of organizational firewalls? Retrieved from http://smallbusiness.chron.com/types-organizational-firewalls-71276.html Chakraborty, N. (2013). Intrusion detection system and intrusion prevention system: a comparative study. International Journal of Computing and Business Research 4(2), 1-8. Conjecture Corporation. (2014). What are the disadvantages of a VPN? Retrieved from http://www.wisegeek.org/what-are-the-disadvantages-of-a-vpn.htm InfoSec Institute. (2012). Network design: firewall, IDS/IPS. Retrieved from http://resources.infosecinstitute.com/network-design-firewall-idsips/ Jeena, R., & Kumar, S. S. (2013). Secure services for efficient online data storage using cloud computing. International Journal of Advanced Research in Computer Science and Software Engineering 3(11), 195-200. Jyothsna, V., Prasad, V.V. R., & Prasad, K. M. (2011). A Review of Anomaly based Intrusion Detection Systems. International Journal of Computer Applications 28(7) 26-35. Koskosas, I., Kakoulidis, K., and Siomos. C. (2011). Information security: corporate culture and organizational commitment. International Journal of Humanities and Social Science 1(3), 192-198. Lodha, S. R., & Dhande, S. (2014). Web database security techniques. International Journal of Advance Research in Computer Science and Management Studies 2(3), 300-305. Popescu, G. (2010). A comparative analysis of the secure virtual private network Tunneling protocols. Journal of Mobile, Embedded and Distributed System 2(2), 91-100. Srikanth, B., & Ramana, K. V. (2013). Firewall policy anomaly detection and resolution using rule based approach. International Journal of Innovative Research in Computer and Communication Engineering 1(3), 660-667. Stoica, M., Trif, S., Visoiu, A. (2013). Security solutions for privacy preserving improved data mining. Informatica Economică 17(3), 157-169. Sequeira, D. (n.d.). Intrusion prevention systems– security’s silver bullet? SANS Institute, 2002, 1-15. Schultz, E. E. (n.d.). Firewalls: an effective solution for internet security. Internet Security Threats, 1-8 Tiwary, D. K. (2011). Security And Ethical Issues In It: An Organization’s Perspective. International Journal of Enterprise Computing and B International Journal of Enterprise Computing and Business Systems 1(2), 1-13. Wadhwa, S., & Pal, K. (2013). Providing security in VPN by using tunneling and firewall. International Journal of Engineering and Advanced Technology 2(3), 381-382. Appendix Interview Questions The following interview questions were being designed to attain the reviews of the participants regarding the appropriateness of the information security system within XYZ Ltd. Through this interview questions, an attempt is being made for understanding the types of data security issues faced by XYZ Ltd and the level to which it has been successful in coping up with it. Network Security Review 1. Elaborate your opinion on the data security standards of XYZ Ltd. 2. Has the data integrity of this organization ever been compromised? Kindly elaborate. 3. How has the organization resolved such security compromising situations? 4. What are the current functional domains of this company? If more than one, how the company is managing its multiple domains? 5. Has this company implemented standardized firewall security measures within its server ports? Please provide some information. 6. What kind of firewall has been installed by the company and why? 7. Does XYZ Ltd. has a centralized data storage pattern or it maintains redundant data in its regional servers? 8. What kind of Intrusion Detection System (IDS) is implemented by this company? 9. Does XYZ Ltd uses any kind of Intrusion Prevention System (IPS)? 10. What is the mode of employee data access? 11. How often you receive system failure complaints from your clients? 12. Does XYZ Ltd implements Virtual Private Network (VPN) tunneling technique for transmitting data? Kindly elaborate. 13. How according to you have the organization made efforts for resolving all the security issues within its network? 14. Please provide your suggestions for further improvement in XYZ Ltd. Related to IT security issue. Read More