Risk Assessment for IT Security in EMC Company: Identifying and Mitigating Risks

PROGRAM TITLE: SECURITY
UNIT TITLE: Unit 05: Security
ASSIGNMENT NUMBER: 2
ASSIGNMENT NAME: EMC Cloud Solutions
STUDENT NAME: BUI THI HOAI
STUDENT ID: BKC18310

I. INTRODUCTION

EMC Cloud Solutions is reputed as the nation's most reliable cloud solution provider in Vietnam. A number of high-profile businesses in Vietnam, including Esoft Metro Camps network, SME Bank VietNam, and WEEFM, are served by EMC Cloud Solutions. EMC Cloud provides nearly 500 of its customers with SaaS, PaaS and IaaS solutions with high-capacity compute and storage options. EMC is also a selected contractor for Vietnam's Ministry of Defense, hosting government and defense systems. EMC's central data center facility is located in Vietnam along with its corporate head office in Hanoi. Their premises in Hanoi is a six-story building. The 1st floor is dedicated to sales and customer services and is equipped with a public Wi-Fi facility. The second floor hosts the HR, Finance, and Training & Development departments, and the third floor hosts a boardroom and offices for senior executives along with the IT and Data Center departments. Floors 4, 5 and 6 host the computer servers that make up the data center.

1. Potential impact to the organization when there is an improper firewall system and VPNs.

1. The firewall system.

Many companies install firewalls on each server because a firewall works like a security system that protects important information. A firewall is a software program used to prevent unauthorized access.
When there is unauthorized access, including access from another private network, the company is at risk because the intruder may obtain all internal information. To prevent this, most companies use firewall systems. Firewalls are tools that can be used to increase the security of computers connected to the network. Firewalls have many different capabilities. The main one is that a firewall can enhance security by allowing detailed control of system functionality:

- Defend resources
- Validate access
- Manage and control network traffic
- Record and report on events
- Act as an intermediary

The firewall policy

A firewall policy is a set of rules describing how the firewall is to be used, so that it is easy to manage. The firewall is an application designed to control the flow of Internet Protocol (IP) traffic. The firewall policy covers the types of firewalls and firewall architectures. There are various types of firewalls:

- Packet filters
- Proxy servers
- Application gateways

Packet Filters: A packet filter is a firewall that checks each packet against user-defined filtering rules to decide whether to pass or block it. For example, a filtering rule might require all Telnet requests to be dropped. Using this rule, the firewall will block all packets that have port number 23 (the default port number for Telnet) in their header. Filtering rules can be built on source IP address, destination IP address, Layer 4 (that is, TCP/UDP) source port, and Layer 4 destination port. Thus, a packet filter makes decisions based on the network layer and the transport layer.

Proxy Servers: A proxy service is an application that redirects users' requests to the real services based on an organization's security policy. All communication between a user and the actual server passes through the proxy server. Thus, a proxy server acts as a communications broker between clients and the real application servers.
Because it acts as a checkpoint where requests are validated against specific applications, a proxy server is usually processing-intensive and can become a bottleneck under heavy traffic conditions.

Application Gateways: An application gateway is a proxy server that offers access control at the application layer. It acts as an application-layer gateway between the protected network and the untrusted network. Because it works at the application layer, it is able to examine traffic in detail and, therefore, is considered the most secure type of firewall. It can stop certain applications, such as FTP, from entering the protected network. It can also log all network actions by application for both accounting and security audit purposes.

2. Virtual private network (VPN)

A VPN is a secure tunnel between two or more devices that protects web traffic from snooping, interference, and censorship. A VPN uses data encryption and other security mechanisms to prevent unauthorized users from accessing data and to ensure that data cannot be modified without detection as it flows through the Internet. It then uses the tunneling process to transport the encrypted data across the Internet. Tunneling is a mechanism for encapsulating one protocol in another protocol. In the context of the Internet, tunneling allows such protocols as IPX, AppleTalk, and IP to be encrypted and then encapsulated in IP. Similarly, in the context of VPNs, tunneling disguises the original network layer protocol by encrypting the packet and enclosing the encrypted packet in an IP envelope. This IP envelope, which is an IP packet, can then be transported securely across the Internet. At the receiving side, the envelope is removed and the data it contains is decrypted and delivered to the appropriate access device, such as a router.

The VPN policy

A VPN policy is a set of rules describing how this secure tunnel is to be used, so that it is easy to manage.
This is an application that is designed to protect web traffic from snooping, interference, and censorship. The VPN policy covers the types of VPNs and VPN architectures. There are various types of VPN:

- Access VPNs provide remote users such as road warriors (or mobile users), telecommuters, and branch offices with reliable access to corporate networks.
- Intranet VPNs allow branch offices to be linked to corporate headquarters in a secure manner.

3. How improper firewalls and VPNs impact the EMC company?

EMC is a well-reputed cloud solution provider. EMC Cloud Solutions provides SaaS, PaaS, and IaaS to its customers. EMC does transactions with external countries, and when doing those transactions, firewalls and VPNs are two pieces of software that are very important to install. When transactions are done over networks, unauthorized parties can attack the network system, and other private networks can also attack it. When the network is attacked, the attackers, especially competitors, can get important information about EMC. If EMC's competitors get details about the company, it is a huge risk to the company, and to prevent these kinds of risks it is very important to install firewalls. If the firewalls are improper, the company still faces these risks.

The other problem is improper VPNs. When online transactions are done without proper VPNs, there may be snooping on and interference with the web traffic, so the transactions cannot be completed properly and may buffer. Improper VPNs can damage the reputation of the EMC company, which is why proper VPNs have to be installed.

2. How would DMZ, Static IPs, and NAT be of benefit?

1. DMZ (Demilitarized Zone)

A demilitarized zone (DMZ) is a perimeter network that protects an organization's internal local area network (LAN) from untrusted traffic. A DMZ is commonly a subnetwork that sits between the public internet and private networks. It exposes external-facing services to untrusted networks and adds an extra layer of security to protect the sensitive data stored on internal networks, using firewalls to filter traffic. The end goal of a DMZ is to allow an organization to access untrusted networks, such as the internet, while ensuring its private network or LAN remains secure. Organizations typically store external-facing services and resources, as well as servers for the Domain Name System (DNS), File Transfer Protocol (FTP), mail, proxy, Voice over Internet Protocol (VoIP), and web servers, in the DMZ. These servers and resources are isolated and given limited access to the LAN to ensure they can be accessed via the internet but the internal LAN cannot. As a result, a DMZ approach makes it more difficult for a hacker to gain direct access to an organization's data and internal servers via the internet.

2. Static IP

A static Internet Protocol (IP) address (static IP address) is a permanent number assigned to a computer by an Internet service provider (ISP). Static IP addresses are useful for gaming services, website hosting, or Voice over Internet Protocol (VoIP). Speed and reliability are key advantages. Because a static address is constant, systems with static IP addresses are vulnerable to data extraction and higher security risks.

Private Network: the computers and servers on the trusted network should be equipped with software like a virtual private network (VPN), which allows for remote work with secure data transmission.

4. Network Monitoring System

Network monitoring is a critical IT process where all networking components like routers, switches, firewalls, servers, and VMs are monitored for fault and performance and evaluated continuously to maintain and optimize their availability. One important aspect of network monitoring is that it should be proactive. Finding performance issues and bottlenecks proactively helps in identifying issues at the initial stage. Efficient proactive monitoring can prevent network downtime or failures. Network monitoring is generally carried out through software applications and tools. Network monitoring services are broadly used to detect whether a given web server is operative and connected properly to networks worldwide. Many services that do this job provide a more complete visualization of both the Internet and networks.

There are many benefits to a network monitoring system. The main three benefits are:

- Protecting your network against attackers: The network monitoring system identifies suspicious traffic, thereby enabling owners to act fast. A network monitoring service is able to provide a broad overview of an SMB's entire IT infrastructure so that nothing is misused. Today, exploits are more sophisticated and advanced and are able to target a system in a variety of ways. Monitoring antivirus and firewall solutions separately may leave security gaps.
- Keeping informed without in-house staff: A network monitoring service will send warnings and information to an SMB owner as issues arise. Otherwise, an SMB may need to either attend to their network security themselves or hire a full-time IT employee, which could be very costly. Data breaches can be more harmful and more expensive the longer they go without being noticed.
- Optimizing and monitoring your network: Many small business owners expect rapid growth. This growth is not possible if parts of their IT infrastructure are overloaded or slowed.
Network monitoring services will map out the infrastructure of a small business, showing an SMB owner areas for development and any issues that currently need to be addressed.

IV. LO3 Review mechanisms to control organizational IT security.

1. Discuss risk assessment procedures

Risk means an adverse situation that we may face in the future. These risks may occur as a result of human actions. Most of the risks to an organization arise from the faults of the workers in the organization, so the owner of the organization should assess the risks.

Risk assessment is the term used for the overall process of identifying and analyzing the hazards and risks that may occur to the company or organization, and of analyzing and evaluating the risk associated with each hazard. By identifying and analyzing the risk, we determine appropriate ways to control the risk when the hazard cannot be eliminated. We can identify certain kinds of risks by looking at our workplace and identifying the things, situations, processes, etc. that may cause harm to people. Once the risk has been identified and this determination is made, we can next decide what measures should be in place in the organization to effectively eliminate or control the harm to the organization.

2. Explain data protection processes and regulations as applicable to an organization.

Any company or organization has a lot of important data. When that data is leaked to a competitor, it is possible that the company or organization will inevitably be attacked. So data protection is a must in every organization. This is some of the useful information that reputed companies have:

- The type of customers they have
- The number of customers they have
- Banking information
- Information about the assets

If these kinds of information are leaked from the business or organization, it may pose a huge risk to that organization.
So, there are many ways to protect these kinds of important data:

- Installing CCTV cameras
- Employee monitoring system

3. Summarization of ISO 31000 risk management law.

1. What is the law?

To maintain operations, an organization or company needs to comply with regulations and laws. So what is the law? Law means a certain kind of imperative to be taken by the head of the organization to minimize errors, frauds, and related problems among employees working in the organization. Implementing laws is a difficult task that is done by the CEO of the company, because he should know how to implement suitable laws for the workers. When there are too many laws, some employees might not work properly, and when there are too few laws, the workers might also not work properly. To get the work done by the workers, the CEO must think from his own perspective, the company's perspective, and the employees' perspective; then he can run his organization or company peacefully without any mistakes, frauds, and federations. Every CEO is looking to reduce the risks coming towards his organization, and for that he should implement laws and regulations continuously. There are guidelines for implementing laws for these risks, and those guidelines are in ISO 31000:2018.

2. Summarization of ISO 31000:2018 related to EMC company

ISO 31000:2018 consists of risk management guidelines, providing principles and frameworks to manage risks in the EMC company. When the CEO of the EMC company follows the ISO 31000:2018 law, it is easy to handle the EMC company, because all the guidelines and frameworks are in it. Any business or company, small-scale or large-scale, can use the ISO 31000:2018 law. Using the ISO 31000:2018 law can help the EMC company increase the likelihood of achieving its objectives, and the company can easily identify its strengths and weaknesses. These things are involved in the vision and mission of the EMC company.
However, the ISO 31000:2018 act cannot be used for certification purposes, but it provides guidance for internal and external audit programs. By following the ISO 31000:2018 law, the owner of the EMC company can compare the risks and threats that come towards the EMC company. In other words, the CEO of the EMC company can compare the threats that he faced in the past with the new threats that are coming. Another benefit is that the owner of the EMC company can compare its risk management practices with an internationally recognized benchmark that provides sound principles for effective management and corporate governance. A further benefit is that the owner of the EMC company can identify risks before they affect the company. With these benefits, the EMC company can move forward without any threats and risks, and the owner of the EMC company can take decisions before there is a risk attack or threatened attack.

3. ISO 31000:2018 Risk Management

If the EMC company is affected by risks, it can face consequences in terms of economic performance and professional reputation, as well as environmental, safety, and social outcomes. If the threats or risks affect the economic performance of the EMC company, it is a huge loss for the company, because customers will reject the company, the banks that give loans to the company may reject it, and finally the employees who depend on the EMC company are affected. After the economic performance, the professional reputation is affected. If the EMC company is dealing or doing transactions with foreign countries, professional reputation is highly important. If it is damaged by threats or risk attacks, those countries will also start to reject the company. For these reasons, managing risks effectively helps the EMC company to perform well in an environment full of uncertainty.

4. Possible impacts to organizational security resulting from an IT security audit

In some companies there are security audits, which check whether the security system is working in a proper manner. If there is no audit system to examine it, the security system might also get corrupted. From the above points, we can tell that IT security audits have a huge impact on the organization's security.

5. IT security Audit

An IT security audit involves an IT specialist examining an organization's existing IT infrastructure to identify the strength of its current security arrangements and pinpoint any potential vulnerabilities.

- Firewalls should provide secure administrative access, with administration access limited, if possible, to only those networks where administration connections would be likely to originate.
- Unnecessary services and applications should be prohibited using the firewall.
- The organization should use 'hardened' systems for firewall platforms, or appliances.
- Modifications to firewall rules must be recorded, and the records must identify the administrator performing the modification and when the modification occurred.
- The firewall must keep records of rejected traffic.

Data breach measures

- Files and folders should be designated as confidential and protected with a password when shared on drives.
- Without the administration's approval, no removable drives, CDs or DVDs may be inserted into computers and devices of the organization.

Physical security

- All the server rooms of the organization should be guarded by a security guard, and 24-hour surveillance cameras should be used to monitor them.
- The whole organization is monitored with 24-hour surveillance cameras.
- Smart cards are used for entry into server rooms and special access rooms. All the smart cards should be renewed every year.
- Fingerprint access is used when staff enter the organization.
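The packet-filter behaviour described earlier (rules on source and destination address and Layer 4 ports, with Telnet on port 23 dropped) and the firewall audit requirements listed above (restricted administrative access, recorded rule changes, logged rejections) can be shown together. The following Python code is an added example, not part of the original assignment; the class names, the addresses and the administrator id admin01 are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str  # "allow" or "drop"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None  # None matches any value
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in (None, p.proto)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))


class PacketFilter:
    def __init__(self):
        self.rules = []
        self.change_log = []  # rule modifications: who, when, what
        self.reject_log = []  # every packet that was dropped, and why

    def add_rule(self, rule, admin, when=None):
        if not admin:
            raise ValueError("a rule change must name the administrator")
        when = when or datetime.now(timezone.utc)
        self.rules.append(rule)
        self.change_log.append(
            {"time": when.isoformat(), "admin": admin, "op": "add", "rule": rule})

    def decide(self, p):
        # First matching rule wins; no match falls through to default deny.
        for number, rule in enumerate(self.rules, start=1):
            if rule.matches(p):
                verdict, reason = rule.action, f"rule {number}"
                break
        else:
            verdict, reason = "drop", "default deny"
        if verdict == "drop":
            self.reject_log.append((p, reason))
        return verdict


# Constructed sample values: private/documentation addresses, hypothetical admin id.
ADMIN_NET, MGMT_HOST, DMZ_WEB = "10.0.3.0/24", "10.0.3.254/32", "203.0.113.10/32"


def build_filter():
    fw = PacketFilter()
    fw.add_rule(Rule("drop", proto="tcp", dport=23), admin="admin01")  # Telnet
    fw.add_rule(Rule("allow", dst=DMZ_WEB, proto="tcp", dport=443), admin="admin01")
    fw.add_rule(Rule("allow", src=ADMIN_NET, dst=MGMT_HOST, proto="tcp", dport=22),
                admin="admin01")  # administration only from the admin network
    return fw


if __name__ == "__main__":
    fw = build_filter()
    for pkt in (Packet("198.51.100.7", "203.0.113.10", "tcp", 40000, 443),
                Packet("198.51.100.7", "203.0.113.10", "tcp", 40001, 23),
                Packet("198.51.100.7", "10.0.3.254", "tcp", 40002, 22),
                Packet("10.0.3.15", "10.0.3.254", "tcp", 40003, 22)):
        print(pkt.src, "->", pkt.dst, pkt.dport, fw.decide(pkt))
    print(fw.reject_log)
```

The reject log separates packets dropped by an explicit rule from packets that matched nothing, which is the distinction an auditor needs when reviewing whether unnecessary services are actually blocked.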
Discarding of Information Technology Properties

IT resources, such as network servers and routers, often contain sensitive data about the organization's network infrastructure. When such assets are withdrawn, the following guidelines must be followed:

- Any asset tags or stickers that identify the organization must be removed before discarding.
- Electronic media (e.g., tapes, disk drives, multifunction devices, copiers, etc.) will be destroyed by physical demolition.
- Demolition will be noted in records.

2. Develop and present a disaster recovery plan for EMC Cloud for its all venues to ensure maximum uptime for its customers.

A disaster recovery plan is a plan that describes how an organization continues its processes even after a disastrous situation. Any organization has to face a disastrous situation at some point in its business lifetime, so to face the situation successfully the organization should have a plan. Disasters can be natural disasters, technological defects and human involvement. A disaster recovery plan should include the following details.

Prioritized list of assets and inventory. Assets and inventory should be prioritized according to their value to the organization and should be listed, so that at a disaster stage it is understood which assets should be preserved the most.

How long a data loss or system downtime can be tolerated. It should be planned how long the operations of the business will have to be halted after a system outage or data loss, and how to recover. This allows the organization to be ready for any disaster condition.

Responsibilities should be shared. Responsibilities should be shared so that only one or two people are not responsible for the whole organization. For example, daily backups in each sector should be assigned to persons from those sectors. Then, if the data cannot be recovered after a system outage, that person will be responsible, not the whole team.

Communication plan. A proper communication plan should be created.
During a disastrous situation, communication is vital. If the phone and email services go down, some other communication method should be implemented so the staff can know about the ongoing situation.

Backup plan. The backup plan of the organization should be a very effective one. Employees should be trained in daily, weekly or monthly backup procedures. Apart from the server at the work site, there should be a backup server in a geographical location that is less likely to be destroyed by natural disasters.

Handling sensitive information. Sensitive information should be handled carefully. If it is destroyed, it should be destroyed in such a manner that it cannot be recovered. It should be stored with password protection.

'Creditors, directors, employees, government and its agencies, owners / shareholders, suppliers, unions, and the other parties the business draws its resources' are the main branches of any organization. Discuss the role of these groups to implement security audit recommendations for the organization.

A security audit means understanding the vulnerabilities in the current security plan in order to create a much better plan than the present one. Performing a proper security audit can improve the defense system of the organization. According to Eitan Katz (2017), a security audit can be performed in 5 steps.

Outline Your Audit

Firstly, the auditor has to list the assets of the organization, which mostly comprise computer equipment, customer data and other important documents. After listing, the security parameters should be defined, which allows the assets to be divided into two groups: assets which need an audit and assets which do not. It is not very reasonable to audit all assets.

Outline Your Threats

Next, the list of threats should be defined. Threats can be negligent human errors, malware and logical attacks, password insecurities and natural disasters.
Along with considering the threats, the auditor has to look at how these can affect the organization's performance.

Evaluate Existing Security Performance

Now the auditor must look into the present security structure and evaluate it. Here the security structure must be tested under simulated conditions and checked for loopholes. It is better to allow an external company to do this task, because the internal staff can sometimes pretend that there are no issues.

Ranking (Risk Scoring)

In this step all the threats are ranked according to their priority. Risks posing higher threats are ranked at upper levels, whereas minor threats are ranked at lower levels. When ranking, factors like the history of the organization, current trends in the security sector, and rules and regulations should also be considered.

Prepare Security measures

Finally, after the observations made in the previous steps, the auditor can suggest and formulate security measures. Measures that can be taken include educating the employees about the security threats the organization is facing and will face in future, tightening passwords, providing access controls like fingerprint and smart card, email-related protection, improved backup plans and constant monitoring of the network.

VI. References

https://www.fortinet.com/resources/cyberglossary/what-is-dmz
https://study.com/academy/lesson/trusted-network-solutions-environment-technologies.html
https://www.manageengine.com/network-monitoring/basics-of-network-monitoring.html
https://cheekymunkey.co.uk/what-is-an-it-security-audit/
https://www.myassignmenthelp.net/sample-assignment/unit-5-security
https://www.urgenthomework.com/sample-homework/emc-cloud-solutions-unit-5-security