Enhancing Enterprise Security - Assignment Example

Case Study Questions & Answers 1. In supporting the many activities the Dean performs every day, what information assets are available on his laptop? How would you categorise these assets? The Dean’s laptop has information assets such as faculty salary information, committee notes, email addresses, budget reports containing salary details of Saunders employees, and PowerPoint files that are used in various presentations. Also in the laptop were information assets such as the Social Security numbers, of the Dean, his wife, and their children and account number for the Dean’s personal bank accounts domiciled in India. Initially, the laptop also contained information such as class Social Security numbers that were used to identify students, as well as class rosters and student exam details and other records. However, the indicated that he had deleted the student details since he was not teaching that semester. The information assets can be categorized based on the policy used by RIT as private, confidential, internal or public. According to the RIT policy, private information is information that is confidential and which could be used for purposes of identity theft. Such information also has additional requirements relating to its protection. The information under the category of ‘private information includes social security numbers, taxpayer identification numbers, as well as other identification numbers. Also included under this category is information such as driver’s licence number and information relating to financial accounts, such as credit and debit card details as well as bank account numbers. The only private information relating to RIT stored in the laptop may have been the Social Security numbers used to identify students. However, at the time when the laptop was stolen the Dean had deleted these details from the laptop. Hence, it can be argued that no private information relating to RIT was stored in the laptop at the time when it was stolen. On the other hand, the laptop also had private information belonging to the Dean and members of his family, although this was not covered under the RIT policy. The information included the 16-digit account numbers for the Dean’s personal bank accounts in India and Social Security numbers, of the Dean, his wife, and their children. These details are regarded as the Dean’s own personal information, and thus, according to the RIT policy, the Dean was supposed to be in charge of the details’ security. The RIT policy also indicates that confidential information is “information that is restricted on need to know basis”. Such information includes employee records, employee personal details, and university identification numbers. Some of the confidential information that was in the Dean’s laptop includes faculty salary information and committee notes, which the dean noted was “confidential, but not really proprietary”. The laptop also had what can e classified as internal information. According to the RIT policy, internal information includes information that is restricted to staff, alumni, students, alumni, business associates, volunteers and others. The budget reports containing salary details of Saunders employees can be said to belong to the category of internal information. Lastly, according to the RIT policy, public information refers to information that can be accessed or communicated by anyone without restriction. Examples of such information that was in the laptop include email addresses as well as the PowerPoint files that were used by the Dean in various public presentations. Consider the COB security controls and incident response activities. 2. Describe the controls that were in place to protect the Dean and other staff from the type of incident depicted. Various controls were in place to protect the Dean as well as other staff from an incident such as where a person steal a personal computer and uses the information stored in the laptop to commit fraudulent activities. To start with, the Saunders IT Support maintained a standardised set of laptops, with the laptops being refreshed every five years. This means that Saunders IT Support had a policy of maintaining a standardised configuration for each of its laptops, and the laptops were frequently refreshed to ensure that their systems were up-to-date all the time. Secondly, IT Support was in charge of installing and updating most of the programs that the personal computers at the institution had. The IT Support was also in charge of scanning the computers for malware, and performing other device maintenance activities to ensure that the computers systems were protected from malware and other potential risks resulting from the environment in which the computers were used. IT Support also used LANDesk, which was asset management application that helped in maintaining records of each authorised user’s configuration, for instance the specific programs installed on each personal computer. These settings could be configured in accordance with each user’s preferences. For instance, the Dean’s laptop had been configured according to the Dean’s preferences. RIT also had a system called RIT Public Safety, which is a system that was used to alert IT users at the institution regarding any incident such the theft of a device or information. As well, the institution had Information & Technology Services (ITS), a business unit that provided technical support for students, staff and members of faculty. This unit helped students, staff and members of faculty in issues matters such as managing passwords and configuring replacement devices. For instance, after an incident such as theft of a laptop or passwords, the ITS would help in setting up a new passwords and configuring the replacement devices to the new settings. RIT also had a system that made it possible for an alert to be raised in case a machine that was stolen from users in the institution was used to connect to the Internet. The system was configured in such a way that when any machine belonging to the institution was turned on, it would attempt to reach the institution’s auditing servers. With this system in place, if some stole a computer from the institution and made an attempt to use it on the Internet, the IT experts in the charge at the institution would know. 3. For each control (you described in Q2) explain how effective (or ineffective) it proved to be, and how it could be improved. As noted above, Saunders IT Support maintained a standardised set of laptops, and the laptops were refreshed after every five years. What this implies is that Saunders IT Support had a policy of maintaining a standardised configuration for each of its laptops. There are various reasons that highlight the importance having standardised configurations as a way of centrally managing client personal computers. To start with, standardised configurations elaborate how client computers should be configured, which includes important options as well as application software (Boyle & Panko, 2015, p. 438). The standardised configurations can also entail managing the entire user interface. The effectiveness of standardised configurations is that such settings make it difficult for users to add unauthorised software or reduce lower the level of security that have been set for the computers (Boyle & Panko, 2015, p. 438). This means that by having standardised configurations for computers, opportunities for user errors as well as violations – either by the users or other parties – are reduced (Boyle & Panko, 2015, p. 438). Additionally, standardised configurations highly simplify troubleshooting and general maintain for personal computers (Boyle & Panko, 2015, p. 438). Therefore, in case someone tampers, intentionally or accidently, with any part of the computer configuration, it will be relatively easy for IT managers to diagnose the problem. Another point is that the laptops were frequently refreshed. The importance of this is that the systems would be up-to-date all the time and thus less prone to attacks by security risks such as malicious files. As regards IT Support being in charge of installing and updating most of the programs that the personal computers at the institution had, this was an effective measure because it reduced opportunities for or other parties to install or update the software in the computer. This in essence is an effective way of reducing instances of malware and other harmful programs being installed into the computers by any party. In particular, it has been noted that scanning personal computers on a regular basis, can make it possible to detect and remove any malware that could have gained access to a computer system some covert or unmonitored channel (Stewart, 2011, p. 194). This implied that the roles played IT Support can be regarded effective in relation to keeping computers safe from any kind of malicious software and other risks. Thirdly, the use of LANDesk, an asset management application that was used maintaining records of every authorised user’s configuration, can be regarded as an effective measure to ensure that the programs installed in each computer are known. This in a way makes it easy to detect any malicious software that is installed on any computer, thus enhancing the computer’s security. In regard to the use of RIT Public Safety as a control measure, this approach is good because it alerts users when ever there is an incident such as stolen information or devices. But RIT Public Safety can be compared to a fire alarm, which only alerts people about the presence of a fire but does not fight the fire. In other words, there is no specific information about what RIT Public Safety apart from alerting people about an incident. It is therefore likely the damage resulting from a theft may still be felt regardless of whether people are informed or not. Finally, the system that made it possible for an alert to be raised in case a machine stolen from users in the institution was used to connect to the Internet has strengths and weaknesses. One of the strengths is that it this measure would make it difficult for people, to use devices stolen from the institution on the Internet. On the other hand, it is possible that a thief could use the stolen device offline, or change its operating systems and still be able to use. Therefore, this system is not highly effective. This system can be improved by the use of tracking devices such as XTool Computer Tracker (EC-Council Press, 2017, p. 71; EC-Council, 2011). This tool enables global recovery of devices by helping a computer owner to search for a stolen device across the world by contacting different authorities, telephony companies, as well as Internet Service Provider. The tool keep track of a computer’s whereabouts on 27/7 basis (EC-Council Press, 2017, p. 71). 4. What extra preventive or detective controls would you recommend that COB put in place? Explain the potential benefits of each control. COB can put in place measure to detect system intrusion and information theft as well as the physical theft of computers. COB also needs to enhance its information backup systems so that the information that is stored in any computer used by the institution’s staff is backed up somewhere where it can be retrieved in case of the device is stolen. COB also needs to think about encrypting all sensitive information that is under its custody, such as student and staff social security number, credit and debit card number and bank account information. To detect and control system intrusion and information theft, there is need for COB to use tools such as firewalls and intrusion detection system to deter potential system intruders. A firewall is a barrier that has been designed to avert unauthorised access to or from a private network of computers. A firewall help in keeping bad things such as files or networks that are not trusted out and protects the good things in the system, such as sensitive data and files. The current trend as regards the use of firewalls is that organisation are moving towards the use of application-specific host-based firewalls such as those that have been specially made to run on a database or web server (Caballero, 2013, p. 393). On the other hand, intrusion detection systems can significantly enhance the security of computers and networks and also act as early warning systems for potentially malicious files or traffic that targets a given network of computer (Caballero, 2013, p. 393). The functioning of intrusion detection systems is based on the definition of intrusion detection, which is the process of keep an eye on the events that occur in a computer network or system as well as analysing these events for possible incidents that are breaches or impending threats of breach of policies regarding computer security, acceptable use policies of defined security practices. Thus, with intrusion detection, it is possible to detect instances of attacks such as malware, or unauthorised people trying to get access to a given system. Regarding physical threats such as theft of devices, COB needs to implement measures that helps deter theft of laptops. Since theft of electronic devices is a common occurrence at institutions like COB, students, staff and member of faculty can be required to use devices that ensure that their laptops are not easily stolen. For instance, there are laptops steel cable locks, laptop tie down bracelets and portable laptop carts that be used to deter the stealing of laptops. These devices provide security by making it difficult for someone to easily remove a laptop from where it has been placed (e.g. using the device to ‘fix’ the laptop on a table on which the laptop has been placed). The devices are secured using things like locks that require keys or keyed-in numbers to unlock them. If the Dean had used one of such devices, the person who stole his laptop would probably have struggled to get the laptop and possibly even left without taking it. COB can also consider using tracking and recovery systems such as XTool Computer Tracker, Ztrace Gold, the CyberAngel, STOP, Track Stick GPS tracking Device, and Computrace Plus (EC-Council Press, 2017; EC-Council, 2011). These tools embedded in laptops and use mechanisms such as the Internet and GPS to send signals from the stolen device, which will enable the equipment’s location to be traced (EC-Council Press, 2017, p. 71; EC-Council, 2011). This enables law enforcement officers to swing into action and recover the laptop. Some of these technologies, such as Ztrace Gold, are undetectable and cannot be removed from the hard drive of a laptop (EC-Council Press, 2017, p. 71; EC-Council, 2011). 5. What lessons should the two main players, Dave Ballard and the Dean, have learned from this episode? The first lesson is that there is need for all information stored in a computer to have a backup. Obviously, when the Dean’s laptop was stolen he experienced a lot of inconvenience because he had lost some information, part of which he could not retrieve and had to redo or get someone to help him redo the work. A notable point in the case study is where the Dean asked for his data to be restored in the replacement laptop that had received after the first laptop was stolen. In response, Francesco, the Manager of Technical Services for the College, noted that “RIT users are responsible for their own backups”, meaning that users are supposed to find their own way of having backup for the information that is stored in their laptops. This is risky given that if everyone is left to have their own backup, this system may not only be impractical but is also makes steal of the backed up data easy in case someone else finds it. In addition, having member of staff back up their data in their own way may be impractical since it is very easy for some members to fail do back up the data either because they are too busy of because it may be expensive for each member to find a way to have a data back up. Having a centralised backup system that is managed by COB would be a better way of ensuring that the data backup system is not only up-to-date but also effective. It is possible to have a system with backup and restore capabilities that will back up and restore both server and client information in a timely way (Caballero, 2013, p. 393). Also, backup procedures need to be in place, and to be restored regularly to ensure that all backup information is up-to-date (Caballero, 2013, p. 393). Without such a system, a relatively small issue that could be resolve within a short time, such as a stolen laptop can quickly escalate in to a disaster (Caballero, 2013, p. 393). Another lesson is that it is important not have sensitive information such as social security numbers and bank account information in machines that can be easily accessed by anyone. And if such information must be stored in a computer that can that other people may have access to such as through theft of the computer, then the data needs to be encrypted. It only happened that the Dean had deleted all information relating to students social security numbers and other details such as class rosters exam records and other documents before his laptop was stolen. If such information had had still been stored in the laptop, there is a high possibility that the thief or any other person who got access to the laptop could get access to those details. Encryption of data involves the translation of that data into a secret code. Encryption is regarded the most effective way to achieve data security since even if a person steals a laptop with information as the case of the Dean, the thief will not be able to access the information without a secret code of password that is required to decrypt the encrypted information. Based on the theft case, Dave Ballard and the Dean need to be aware that there are there are various solutions in the market that make it possible to encrypt sensitive data such as social security numbers and credit card details that are stored on a file server or inside a database server (Caballero, 2013, p. 393). The protection offered by such solutions guarantee information security even if some devices are stolen (Caballero, 2013, p. 393). References Boyle, R. J., & Panko, R. R. (2015).Corporate computer security (4th ed.). Essex: Pearson Education Limited. Caballero, A. (2013). Information Security essentials for IT managers: protecting mission-critical systems. In J. R. Vacca (Eds.), Computer and information security handbook (2nd ed.) (pp. 377-408). Waltham, MA: Morgan Kaufman Publishers. EC-Council Press. (2017). Ethical hacking and countermeasures: Secure network operating systems and infrastructures. Boston, MA: Cengage Learning. EC-Council. (2011). Network defense: Perimeter defense mechanisms. Clifton Park, NY: Cengage Learning. Stewart, J. M. (2011). Network security, firewalls, and VPNs. Sudbury: Jones & Bartlett Learning, LLC. Read More