EXAMPLE 2 SECURITY ASSIGNMENT


TABLE OF CONTENTS

Student Assessment/Assignment Cover Sheet
Student Assessment/Assignment Receipt
Table of Contents
Executive Summary
Issues Identified
Analysis
Planning
Policy and Programs
    Policy
    Programs
    Practices
Protection
    Assessing Risk
    Controlling Risk
    Mechanisms Used
People and Projects
    Personnel
Conclusions
Recommendations
Reference
    Web
    Book

Executive Summary

The digital revolution of the 21st century has not been achieved without consequences. Real-time business requirements and economic drivers have forced rapid changes to the methods used to conduct business-to-business and business-to-client communication. The Internet has now become a convenient and economical deployment medium for global business. With the ever-increasing number of connections and the growth of the Internet, security has become a big issue for the corporate environment (Introduction). The New York Times, a newspaper company, has faced a big threat to personal security.
It is believed that misconfigured proxy servers allowed access to its intranet from its Internet site. In this report I discuss how the New York Times Company secures its computers and database from external and internal security threats. I have based my recommendations on the thoughts of various authors and security experts, and on the live example of the NYT Company, which has a great fear of losing confidential data from its online intranet.

Issues Identified

The New York Times on Wednesday confirmed a computer hacker broke into its internal network, accessing files and folders containing personal information of some of its biggest op-ed contributors. Acting on a whim, 21-year-old California hacker Adrian Lamo found seven misconfigured proxy servers that served as doorways between the Internet and the company's private intranet. Once he got in, Lamo exploited weaknesses in the password policies of the New York Times to expand his access to a database of op-ed contributors, which included social security numbers of people like former U.N. weapons inspector Richard Butler, former Clinton aide James Carville, radio personality Rush Limbaugh, Microsoft kingpin Bill Gates, and New York City mayor Mike Bloomberg.

New York Times spokeswoman Christine Mohan confirmed the breach and said an active investigation was underway. "The New York Times Company takes the security of its network very seriously...We will take appropriate steps if necessary to ensure the security of our network," she told Atnewyork.

Mohan said the company had not contacted Lamo and had not yet identified the source of the intrusion, although it is widely known that the hacker immediately contacted the media company with the help of a journalist from the company website. Although the latest breach happened behind the scenes, it highlights the potential security nightmares facing companies that do business on the Internet.
(NY Times Internal Network Hacked)

Analysis

Planning

Security

Security is the state of being free from danger or injury. Security is very important for every organisation. The information a company stores is very confidential, and it can have a great impact on the company if it falls into the wrong hands. A company whose security is poor will surely face a downfall. This security threat can be overcome by ensuring that everything has been configured well. The company should have a firewall between its intranet and the external Internet, which should be checked on a daily basis for technical problems and configured accordingly. The problem at the NY Times was that it had a proxy server running on the intranet that was not properly configured, which is why the hacker succeeded in entering the company database. The NY Times needs to ensure that the measures mentioned above are in place.

Contingencies

A contingency plan is the primary step to consider when establishing a secure information system. The overall process of preparing for unexpected events is called contingency planning. The main goal of a contingency plan is the restoration of normal modes of operation with minimal cost and disruption to normal business activities after an unexpected event. A contingency plan ensures the continuity of information systems availability to the organization even in the face of an unexpected event (Whitman 2004, p.65).

There are several steps required for contingency planning:
• Choose the contingency plan strategy.
• Identify methods to deal with each potential disaster, and outline a plan to prepare for and react to that disaster.

If security is improper, it will be very easy to hack the intranet of the NY Times. Controlled access to computers should be given to employees during off-shift hours. To recover from a natural disaster, regular backups should be taken and stored at a different site, so that the company can be made live within a few days of the disaster.
If the disaster is man-made, it should be investigated whether the person who is trying to hack the system is a NY Times employee or some external person. If it is an internal employee, the person should be sacked from the job and proper security should be arranged in the company, so that another employee does not do the same thing. To be safe from fire, fire-resistant/noncombustible materials should be used for buildings, partitions, walls, doors and furnishings. The smoke detector system should be tested periodically. Automatic carbon dioxide fire extinguishers and water fire extinguishers should be in use.

To make sure that all software and documentation are secured:
• Backup files stored off-site regularly
• Restricted access to operating software
• Restricted access to production software
• Access to systems software limited by terminal address
• Multilevel access to files controlled by:
    • levels of security
    • breakdowns within files
    • restrictions: read-only, write-only
• Security software and access codes validated
• Monitor log maintained of access to sensitive data files
• Unauthorized attempts to access sensitive data files monitored
• Passwords used to identify terminal users
• Passwords changed frequently
• Operating system security bypass protection built in
• Operating system change control and tests following maintenance, program load, etc.
(Guidelines for contingency planning).

The company should have a reserve fund in the event of disaster so that the business can be restored to its normal modes of operation with minimal disruption.

Policy and programs

Policy

The security policy is an executive-level document that outlines the organization's approach and attitude towards information. Provide security access controls that limit or detect access to critical system components to guard against loss of NY Times systems integrity, availability, confidentiality, and accountability. Everyone should be made aware of the security procedures.
Staff should always check e-mail addresses and fax numbers before sending confidential information. All data should be encrypted before being transmitted. All hardware and software should be checked daily in order to be more secure. In the case of the NY Times, this was the main loophole for the hacker, because the proxy server was not configured and checked. Passwords should be changed regularly; if any employee quits, his account should be locked immediately and access to all hardware and software denied.

The responsibilities of all employees of the NY Times:
• Change your password immediately when you log in to the NY Times system for the first time.
• Never share your login and password with anybody else. If you think your password has become known to somebody else, change it immediately.
• Before logging in to the system, make sure that nobody is watching your fingers on the keyboard.
• Always make sure that there is no disk or floppy in the drive and no USB drive connected to the USB port of the system.
• Always log off when leaving the system.

Programs

A security program is a series of activities to protect information security; it is the entire set of personnel, plans, policies and initiatives related to information security (Whitman 2004, p.156). A possible way is to put the decryption mechanism in secure hardware, and then hope that this slows the professionals down by a few years (Bruce Schneier 2000, p.308).

Some steps that are required for good programs:
• Education and training: education may be provided to users to show them how to recognize a hacker's false information.
• Vulnerability assessment: discover possible weaknesses that exist in the system.
• Risk assessment and management: for testing and implementing the system in the company. After identification, plan the solution to reduce risk to a minimum.
• System testing: simulation of incidents to evaluate an effective secure system.
• Policies: ensure that the entire organization is under the management of the security policy.
• Planning: to plan an information security plan, project management approaches may be used, in a process in which the entire organization will be involved.
• Measurement: use all possible data collection tools to weigh the information environment.
• Implementation of new systems and software in the company: when the system has been properly tested, it will be implemented by the administrator.

Practices

Practices are the day-to-day functions carried out by people. Security efforts that seek to provide a superior level of performance in the protection of information are referred to as best business practice. Organizations must make sure that they have met a reasonable level of security in all areas, and that they have adequately protected all information assets, before improving individual areas to meet the highest standards (Whitman 2004, p.231).

Protection

Assessing risk

The term threat can be used in several different ways, but it refers to a possible attack, that is, what could happen. Descriptions of threats often include the nature of the possible attack, those who might commit it, and the possible consequences if the attack is successful.

The best-known type of attack on the network of the NY Times is hacking of the internal intranet. Potential threats may now come from many sources: amateur or professional hackers using the Internet, organized crime, terrorists, and other newspaper companies that may be interested in hacking the database of the NY Times, because the information in the NY Times system can be worth millions of dollars.

A big threat to the NY Times comes from internal employees working inside the organisation. They can copy confidential data very easily from the organisation's systems. Remote access by employees to the organisation's internal database can prove very harmful, because an employee's home computer can be hacked. The NY Times intranet is also under threat from viruses.
A significant and increasingly sophisticated kind of attack, dubbed “social engineering” by hackers, involves finding and exploiting weaknesses in how people interact with computer systems (Jeffrey 2002, p. 1). Such social vulnerabilities can include weaknesses relating to policy, procedures, and personnel.

Controlling risk

Risk can be controlled by applying the following risk control strategies:
• Apply safeguards that eliminate or reduce the remaining uncontrolled risk for the vulnerability (avoidance).
• Transfer the risk to other areas or to outside entities (transference).
• Reduce the impact should the vulnerability be exploited (mitigation).
• Understand the consequences and accept the risk without control or mitigation (acceptance).

To control the risk to the NY Times, some steps need to be taken. Firstly, NY Times employees will not have remote access to the server that holds confidential information. Confidential files or information will be stored on a separate system that nobody will be able to access remotely. A firewall will be implemented to control external attacks on the internal intranet. Antivirus software will be installed on every system in the organisation to notify about virus attacks and to heal the affected files. Employees will be trained to recognize a hacker attack.

Mechanisms used

However, several proposals have been made to improve the security of the NY Times intranet. They include:
• Ensuring that accepted security protocols are followed appropriately,
• Improving security standards and authentication of every employee of the NY Times,
• Use of open source computer code, and
• Improvements in verifiability and transparency.
This can do the trick for the security issue raised in this essay.

People and projects

Personnel

Perhaps the most important single factor in determining the vulnerability of the NY Times is the people involved.
It is they who must implement security policies and procedures and defend against any attacks. If they are not adequately skilled and trained, they may be unable to prevent, detect, and react to security breaches, and they may themselves be more vulnerable to a “social engineering” attack. In addition, it can be particularly difficult to defend against attack by an insider, so background checks and other controls to minimize that risk are especially important.

Conclusions

The expansion of networks globally has allowed business to be conducted via the Internet. Current trends give clear indications that security needs to be considered very seriously by any business that has access to the Internet (Dr. Gerald L Kovacich (1998)). At the same time, crime continues to increase as threats of economic espionage, technology-oriented terrorism and information warfare become sophisticated. Each system connected to the Internet is subject to attack. To protect the business from problems associated with the Internet, some technical issues relating to security have been discussed in this assignment.

As we have seen, the NY Times has faced a big security threat to its network. Having gone through the whole problem and analysed it, I have made some recommendations to the best of my knowledge. If the whole policy and the recommendations are followed, the company can consider itself secure; no site is absolutely secure, but giving guidance and making employees aware of security issues can only help to protect it. Security policies are there to let employees know the do's and don'ts.

Recommendations

In my view, the recommendations are as follows. The NY Times should follow all policies and procedures to ensure the security of the organisation and its network. Human failure should not be neglected; network administrators should have a strict recommendation to check all hardware running on the network.
Proper proxy servers and firewalls need to be deployed so that the external network threat can be minimized. Virus and intrusion detection software needs to be installed on the computers. The authentication of every person should be checked. Every person should have authorized and minimal access to the confidential data. A six-digit PIN, special characters in the password and a retina scan should be included as a digital signature. In many situations some solutions may not work in a particular environment, but those that are practical and accepted should be implemented.

Reference:

Web:
“Introduction”, web site Securitydocs, viewed on June 3, 2005, <www.securitydocs.com/Security_Policies>
“NY Times Internal Network Hacked”, web site Atnewyork, viewed on June 2, 2005, <http://www.atnewyork.com/news/article.php/982161>
“What is security”, web site smartcard basics, viewed on June 3, 2005, <http://www.smartcardbasics.com/security.html>
“Guidelines for contingency planning”, web site of Department of Information Resources, viewed on June 3, 2005, <http://www.dir.state.tx.us/TIC/dir_info/cntngcy.htm#appendixb>

Book:
Whitman, ME & Mattord, HJ 2004, Management of Information Security, Course Technology, Thomson Learning, Boston, MA.
Bruce Schneier 2000, Secrets and Lies: Digital Security in a Networked World, New York.
Jeffrey W. Seifert, Computer Software and Open Source Issues: A Primer, CRS Report RL31627, 5 November 2002, p. 1.
Dr. Gerald L Kovacich (1998), Information Systems Security Officer's Guide, Butterworth-Heinemann (USA).
This note was uploaded on 02/15/2010 for the course ITC 594 taught by Professor Peterdalmaris during the Three '10 term at Charles Sturt University.
