data security with firebase, Assignments of Computer Security

Typology: Assignments

2020/2021

Uploaded on 06/20/2021

kiran-gautam
Security assignment 2018
Table of Contents
Part: 1..........................................................................................................................................2
Introduction of scenario.............................................................................................................3
Identify types of security risks to an organization.....................................................................4
Describe organizational security procedures..............................................................................6
Propose a method to assess and treat IT security risks...............................................................9
Part: 2........................................................................................................................................13
Introduction..............................................................................................................................13
Identify the potential impact to IT security of incorrect configuration of firewall policies and third-party VPNs......................................................................................................................13
Firewall.................................................................................................................................13
Impact of wrong configuration of firewall...........................................................................15
Third-party VPNs..................................................................................................................15
Impact of wrong configuration of VPN................................................................................17
Show, using an example for each, how implementing a DMZ, static IP and NAT in a network can improve Network Security.................................................................................................18
Discuss three benefits to implement network monitoring system with supporting reasons.....24
Part: 3........................................................................................................................................29
Discuss risk assessment procedures.........................................................................................29
Explain data protection processes and regulations as applicable to an organisation..............35
Summarise the ISO 31000 risk management methodology and its application in IT security..38
Discuss possible impact to organisational security resulting from an IT security audit..........42
Impact of IT security to organization...................................................................................42
Part: 4........................................................................................................................................46
Design and implement a security policy for an organisation....................................................46
1. Organizational security:.....................................................................................................46
1 | P a g e K I R A N G A U T A M

2. System security:................................................................................................................52
3. Email security:..................................................................................................................55
4. Internet security:...............................................................................................................58
5. Hardware security:............................................................................................................60
6. Third party security..........................................................................................................61
List the main components of an organisation disaster recovery plan, justify the reason for inclusion...................................................................................................................................62
Discuss the roles of stakeholders in the organization to implement security audit recommendations......................................................................................................................65
References................................................................................................................................69

Part: 1
Before you start the implementation of the IT security measures for the organization, you need to assess the IT security risks in the organization. You need to consider various aspects of

Identify types of security risks to an organization

While using a network, an organization faces different types of risks, and the main job of the organization is to overcome them. In this task I am going to explain the risks the bank has to face. A vulnerability is a weak spot in a network which may be exploited by a security threat. Risks are the possible consequences and impact of unaddressed weaknesses. A risk assessment is made so that important potential security breaches are addressed now rather than in the future. Here I have listed the risks for the organization. (TechRepublic, 2018)

1. Unauthorized access by a user
Unauthorized access to computer material can occur, for example when a person gains access to a computer through a telecommunication network, or when an employee accesses information on their employer's computer which they are not entitled to access. This type of user can damage data, which will cause loss to the organization. They cause a computer to perform a function with intent to secure access to any program or data held in any computer, or to enable such access to be secured, and the access they intend to secure, or enable to be secured, is unauthorized. (InBrief.co.uk, 2018)

- Unauthorized access by employees: In an organization every employee has different rights to access the system according to their requirements. When the reception tries to access the account of a customer and change the amount of money of the user, that is unauthorized access by an employee. Reception only has the right to change customer information according to the requirement; in this case they are not themselves entitled to control access of the kind in question to the program or data, and have no consent from any person who is so entitled.
- Authorized access, unauthorized purpose: When an employee who has authorized access to a computer uses it for an unauthorized purpose, such as doing private work or research not connected to their employment, the question arises as to whether this is unauthorized access.

2. Damage or destruction (physical)
When any server, hard disk, CPU etc. is physically damaged or destroyed for various reasons, this is called physical damage. Theft, burglary and vandalism are some examples of physical damage, such as when somebody steals an important document or any part from the organization or bank. Theft and burglary are a bundled deal because of how closely they are related; robbery and burglary are among the most common types of physical security threat. Vandalism is described as any activity that includes the deliberate destruction, harm or defacement of the public or private property of the bank. If the server room or the bank is damaged for any reason, there will be loss of time and money for the organization. (Reed, 2018)

3. DoS attacks
In a DoS (Denial-of-Service) attack, the bank website or any net service provided by the bank may be rendered inaccessible to users. Often these attacks are used against businesses for money or blackmail purposes. Maybe the most familiar version is DDoS (Distributed Denial of Service), which involves bombarding the server with traffic and requests to overwhelm and shut down the bank's system. Once the system and its defences are down, an unwanted person has the potential to remove information or hold your operations hostage. Do not allow the bank to be terrorized by these computer security threats: if you don't have one already, formulate a strategy to safeguard the business's vital information and shield its resources. (Today, 2018)

4. Naturally occurring risks
When damage is done by a natural disaster like a flood, landslide or earthquake, every plan fails. The organization should select its land according to the land structure. If the bank buys land near a river, in the rainy season there is a chance of a flood which cannot be controlled; all work will be pending and there will be physical damage to the system due to the flood. If the land is between two mountains there is a chance of a landslide which will damage the structure of the organization and the other hardware as well. Since we cannot control natural disasters, we can make a backup plan. (Reed, 2018)

5. Threat on application
Banks use applications which are developed by the organization or third-party applications. The bank may not be aware of vulnerabilities that exist in the application. Through a third-party application a user may get hacked or the account information may get changed by an unauthorised user. Third-party applications may cause harm to the bank which makes a loss for the bank. For example, use of the antivirus or any application for the security of

However, a great deal of clarity may be gained by using qualitative and quantitative methodologies at the same time. Quantitative analysis traditionally leaves random and rare events out of its results, whereas qualitative analysis takes them into account. Quantitative analysis normally deals with measurable quantities like weight, length, temperature, speed, width and many more. The data may be expressed in tabular form or in a graphical representation using diagrams or charts. Quantitative data may be classified as continuous or discrete, and it is usually obtained using surveys, observations, experiments or interviews. There are, however, limitations in quantitative analysis. For instance, it may be hard to uncover relatively new ideas using quantitative analysis, which is where qualitative analysis comes into the equation to find out "why" a particular phenomenon occurs. That is the reason the two procedures are commonly used together.

Qualitative analysis is concerned with the analysis of data that cannot be measured. This kind of data is about understanding and insights into the properties and attributes of objects (participants). Qualitative analysis can gain a deeper understanding of "why" a specific phenomenon occurs. It may be used together with quantitative analysis or precede it. Unlike quantitative analysis, which is restricted by certain classification rules or numbers, qualitative data analysis may be wide-ranging and multi-faceted. Furthermore, it is subjective, descriptive, non-statistical and exploratory in nature. Because qualitative analysis tries to produce a deeper understanding, the researcher must be thorough with whichever physical properties or attributes the investigation is based on. Usually the researcher has a relationship with the participants through which their attributes are revealed; in quantitative analysis the attributes of objects are generally not revealed. The typical data examined qualitatively include colour, gender, status, taste, appearance and much more, as long as the data cannot be computed. Such data is acquired using interviews or observations. There are limitations in qualitative analysis: for instance, it cannot be used to generalize about the population. Small samples are used in an unstructured approach, and they are not representative of the general population, so the method cannot be used to generalize to the whole population. That is where quantitative analysis comes into the picture.

Business continuance
A business continuity plan (BCP) is a plan to help ensure that business processes can continue during a period of emergency or disaster. Such emergencies or disasters might include a fire or any other case where business is not able to happen under normal conditions. Businesses must investigate all such potential threats and devise BCPs to ensure continued operations should the threat become a reality. (Techopedia.com, 2018)

  1. Analysis of organizational risks
  2. A list of the key tasks required to keep the organization's operations flowing
  3. Easily found management contact information
  4. Explanation of where personnel should go if there is a disaster
  5. Information on data backups and organization site backup
  6. Collaboration among all facets of the organization
  7. Buy-in from everybody in the organization

Backup/restoration
Backup and recovery refer to the process of backing up data in case of a loss and setting up systems that allow that data to be recovered after data loss. Backing up data requires copying and archiving computer data so that it is accessible in case of data deletion or corruption. Data from an earlier time may only be recovered if it has been backed up. Data backup is a form of disaster recovery and should be part of any disaster recovery plan. (Techopedia.com,

Data backup cannot always restore all of a system's data and settings. For example, computer clusters, Active Directory servers or database servers may need additional forms of disaster recovery, because backup and recovery alone may not be able to rebuild them completely. Today a great deal of data can be protected using cloud storage, which means archiving on a local system's hard drive or on a storage device is not necessary. Mobile devices, in particular, can be backed up using cloud technologies, allowing data to be recovered automatically.

Audits
An audit is an objective examination and evaluation of the financial statements of an organization to make sure that the records are a fair and accurate representation of the transactions

- Group similar incidents and identify trends in hazard reports.

ii. Decide who may be harmed and how
We need to identify the groups of people in our business who could be harmed by physical assaults, threats or intimidation. We should also think about all the individuals in the workplace at any period of time, which may include people who do not have regular shifts or workplaces, for example security staff, maintenance staff and others. Some of the staff who may be at risk of experiencing work-related violence are:
- Young workers and trainees: New staff or young workers may be more at risk in the initial phase of working in the bank or any organization. Due to lack of training they might not be able to deal with different customers, such as angry ones, or with a robbery. They might not be able to recognise dangerous situations.
- Temporary workers: They are also at more risk because they do not have a fixed position. They might have less information about the working processes of the bank or the organization than permanent staff.
- Night shift workers: All late or night shift workers may be at greater risk, as more violence occurs during the night. Certain days of the week or times are more unsafe; for example, opening and closing times are particularly risky for any bank or organization.

iii. Assess the risks and take action
The main aim of this stage is to know how we can manage the risk of harm from work-related violence for the bank or the organization. We need to make sure that we have reduced risks so far as is reasonably practicable. At the risk assessment stage we need to establish whether there is a significant risk of violence in our business. We can also look at sickness absence figures, staff turnover, injuries etc. (Hse.gov.uk, 2019)

iv. Make a record of the findings
In this stage we have to identify the measures which are already taken to keep the staff of the bank or the organization safe, and which could be improved in the future. We also need to decide how we are going to put these actions in place according to requirements. We have to decide how we are going to implement any of the actions identified in the risk assessment, and we have to ensure this is communicated to all staff. If we employ five or more people we have a legal duty to record the significant findings of our risk assessment. The findings should be fit for purpose.

v. Review the risk assessment
With the help of staff, and by monitoring incident rates and control measures, we will be able to judge whether our controls are efficient or not. Managers and the respective staff are responsible for overseeing the process and developing reporting procedures. Our risk assessment should be reviewed regularly to ensure that the risk of staff being harmed by work-related violence is controlled. There is no legal time frame for when we should review our risk assessment.

Monitor and review
- Check that our control measures are working.
- Review our assessment in case things have changed, and record the significant findings in our risk assessment document.

Methodology: scenario- or asset-based risk assessment
An asset-based risk assessment examines risk by reviewing an institution's assets. Asset-based risk assessments are most closely associated with IT, information security, the Gramm-Leach-Bliley Act (GLBA) and data protection, since on the surface these areas appear to be most firmly tied to physical assets. With regard to IT security, the FFIEC Information Security Handbook defines assets as "hardware, software, data, and connections." This may include major applications, general support systems, high-impact programs, the physical plant, mission-critical systems, personnel, equipment, or a logically related group of systems. An asset-based risk assessment starts with a list of assets. Each listed asset is individually evaluated to determine potential threats and vulnerabilities as well as the effectiveness of existing controls. The outcome is a long list of threats and controls by asset. (Berman, 2019)

Avoid the risk by eliminating it entirely
You can also change your plans completely to avoid the risk. This is a good strategy when a risk has a potentially large effect on your project. For instance, if January is when your

Part: 2
Once the assessment of the risks and the proposal for their remedy have been made, you need to describe IT security solutions for the organization such as VPNs, firewalls and a DMZ with a suitable implementation example. You need to:

  1. Identify the potential impact on IT security of using firewalls and VPNs and make clear the repercussions of incorrect configuration of firewall policies and third-party VPNs.
  2. Show through an example in a simulated environment how implementing a DMZ, static IP and NAT in a network can improve network security.
  3. Discuss how network monitoring systems can benefit the IT security of the organization. You need to present at least three advantages.
  4. Finally, investigate how a 'trusted network' may be part of an IT security solution.

Introduction
In this part I will explain the potential impact on IT security of incorrect configuration of firewall policies and third-party VPNs for the bank, and what negative effects it can cause. I design the network of the bank with an explanation of DMZ, static IP and NAT, how we can improve the network security of the bank, and the benefits of implementing a network monitoring system, with supporting reasons, for a bank.

Identify the potential impact to IT security of incorrect configuration of firewall policies and third-party VPNs

Firewall
Firewalls guard a network of computers from being compromised, from denial of service and from other attacks by hackers attempting to intrude into the system from outside. A firewall may be in the form of hardware or of software on a PC. A firewall must be connected to at least two network interfaces, one that is intended to be protected (your internal network) and another that is exposed to attacks (generally the Internet). A firewall can also be thought of as a router placed between the two networks. (Community.cisco.com, 2018)

How do firewalls work?

Firewalls examine all the data packets passing through them to work out whether they meet the rules laid out by the ACL (Access Control List) created by the administrator of the system. Only if the data packets are permitted according to the ACL will they be transmitted over the connection. Firewalls generally also maintain a log of important activities inside the network. A network administrator can define what is important to them and configure the firewall to generate the logs accordingly. A firewall can filter contents on the basis of address, protocol, packet attributes and state. Firewalls generally only screen the packet headers.

Types of firewalls
- Packet filtering firewalls: Packet filtering firewalls are commonly deployed on the routers that connect the internal network to the Internet. Packet filtering firewalls can only be supported on the network layer of the OSI model. They work on rules defined by access control lists: they check every packet and screen it against the rules set out by the network administrator in the ACLs. If any packet does not meet the criteria, that packet is dropped and the logs are updated with this information. Administrators can write their ACLs on the basis of address, protocol and packet attributes.
- Circuit level gateway firewalls: Circuit level gateways are deployed at the session layer of the OSI model and they monitor sessions, like the TCP three-way handshake, to determine whether a requested connection is legitimate or not. Most screening occurs before the connection is established. Information sent to a computer outside the network through a circuit level gateway appears to have originated from the gateway. This helps in creating a cover to shield the private network from outsiders.
- Application-level gateway firewalls: Application level gateways work at the application layer of the OSI model and provide protection for a specific application layer protocol. A proxy server is the best example of an application level gateway firewall. An application level gateway will work only for the protocols it is configured for. For example, if we install a web-proxy-based firewall then it will only

be configured for that. All in all, do we truly need VPNs? Yes, we certainly do! VPNs provide an essential service to organizations, governments, military organizations and even individuals. VPNs give secure access to your local area network; without VPNs, accessing sensitive data remotely would not be possible. VPNs enable two or more networks to be connected together. For example, a branch office of a bank located in Nevada and its headquarters in Texas connect with each other securely through the Internet to share their resources (for example bank statements, mortgage records and so on). With a VPN, every location is logically connected together using the Internet securely as its backbone. Imagine applying for a home equity loan where your paperwork must be mailed back to the company headquarters for review. It could take as long as a week! However, with VPNs, the home loan is almost instantly reviewed by the bank's home office regardless of how far apart the branch office and the bank headquarters are. (Study.com, 2018)

There are three types of virtual private networks (VPNs). The most common ones are remote access VPNs or virtual private dial-up networks (VPDNs). These are user-to-LAN connections used when staff of an organization who are in remote locations need to connect to the organization's private network. An organization that wants to set up a remote-access VPN sometimes outsources to an enterprise service provider (ESP). The ESP sets up a NAS (network access server) and also provides remote users with the software they need for their computers. Then users simply dial the NAS using a toll-free number and access the network through their VPN client software. VPNs offer a good third-party service for encrypted, secure connections between remote users within a private network. The other two types of VPN are both site-to-site, which means that multiple fixed sites are connected over a public network (like the Internet). A site-to-site VPN needs large-scale encryption and dedicated equipment. An intranet-based VPN (an intranet being a password-protected site for company employees) connects LAN to LAN when an organization needs to join multiple remote locations in a single private network. An extranet-based VPN connects LAN to LAN between different companies (for example, customers and suppliers) so that they can work in a shared environment. (Garden and Hardware, 2018)

Impact of wrong configuration of VPN
In its default settings a VPN has weak authentication mechanisms like PAP in PPTP, and some people do not configure authentication at all. This leads to VPN hijacking by using an existing user or impersonating an existing account. By VPN hijacking a hacker can delete, change or add data of the bank. There is another issue caused by weak authentication, which is known as a man-in-the-middle attack. This attack impacts the traffic between two communicators; because of this attack a hacker can monitor, alter and delete the data of both the sending and the receiving party. In an extranet VPN, organizations erroneously install the VPN gateway outside of the DMZ. This should be avoided because the other organization's network can then enter the internal network and look for sensitive data without permission, for its own benefit. By putting the VPN inside the DMZ in Sunrise Bank, the other organization can only enter the DMZ network, and data in the internal network will be protected. (Infosec.gov.hk, 2018) VPN client parameters are used for IPsec VPN authentication. Client parameters like the pre-shared key are used in IPsec VPN authentication for security reasons. Generally this kind of client parameter is not to be changed unless the system faces an issue. If the network administrator unnecessarily changes the parameter, then the client will not be able to connect to the VPN. Hence clients request the parameters by open telephone or email, which can result in the security parameter leaking to unknown people. This kind of issue leads to unauthorized access to the bank's system to steal vital data. Consequently, this kind of configuration should be avoided. (Dnsthingy.com, 2018)

In computer networks, a DMZ (demilitarized zone), also commonly called a perimeter network or a screened subnetwork, is a physical or logical subnet that separates an internal local area network (LAN) from other untrusted networks, usually the Internet. External-facing servers, resources and services are placed in the zone. In this way they are accessible from the Internet, but the rest of the internal LAN remains unreachable. This provides an additional layer of security to the LAN since it restricts the ability of hackers to directly access internal servers and data via the Internet. (SearchSecurity, 2018) The greatest advantage of a DMZ is in isolating all unknown Internet requests to the servers on the DMZ and not permitting them into your internal network. However, some additional advantages of deploying a firewall with a DMZ can help you better understand what happens in your network and thus increase security:
- Auditing DMZ traffic
- Placing an IDS on the DMZ
- Restricting routing updates between the three interfaces
- Placing DNS on the DMZ
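The following is an added example, not part of the original assignment: it models the header-only, first-match ACL described in the packet filtering firewall section and evaluates it against the three-interface DMZ layout above (Internet, DMZ, internal LAN), then shows how one over-broad rule lets a DMZ host reach the internal network. All addresses, hosts, ports and rules are constructed for illustration.

```python
"""Packet-filtering ACL evaluated against a three-interface DMZ design.

Added example, not part of the original assignment. All addresses, hosts
and rules below are constructed for illustration (RFC 5737 / RFC 1918 ranges).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str      # source IPv4 address
    dst: str      # destination IPv4 address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    src: str              # source CIDR
    dst: str              # destination CIDR
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches any port
    note: str = ""

    def matches(self, pkt: Packet) -> bool:
        # Header-only screening, which is all a stateless packet filter does
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and self.dport in (None, pkt.dport))


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """First matching rule wins; an unmatched packet hits the implicit deny (index -1)."""
    for index, rule in enumerate(acl):
        if rule.matches(pkt):
            return rule.action, index
    return "deny", -1


# Constructed layout: Internet | firewall | DMZ (192.0.2.0/24) | internal LAN (10.10.0.0/16)
ANY = "0.0.0.0/0"
DMZ = "192.0.2.0/24"
INTERNAL = "10.10.0.0/16"
DMZ_WEB = "192.0.2.10/32"   # public web server
DMZ_DNS = "192.0.2.53/32"   # public DNS server
INT_DB = "10.10.5.20/32"    # database the web tier talks to

CORRECT_ACL = [
    Rule("permit", ANY, DMZ_WEB, "tcp", 443, "public HTTPS to the DMZ web server"),
    Rule("permit", ANY, DMZ_DNS, "udp", 53, "public DNS on the DMZ"),
    Rule("permit", DMZ_WEB, INT_DB, "tcp", 5432, "web tier to its database only"),
    Rule("deny", DMZ, INTERNAL, "any", None, "nothing else from the DMZ reaches inside"),
    Rule("permit", INTERNAL, ANY, "tcp", None, "staff outbound"),
]

# Same design, but rule 2 was widened "to make the app work": a compromised
# DMZ host can now reach every internal host, and the deny in rule 3 is shadowed.
MISCONFIGURED_ACL = list(CORRECT_ACL)
MISCONFIGURED_ACL[2] = Rule("permit", DMZ, INTERNAL, "any", None, "DMZ to internal (too broad)")

# Constructed sample traffic used to exercise a policy before and after a change
SAMPLE_TRAFFIC: Dict[str, Packet] = {
    "customer -> DMZ web 443":        Packet("203.0.113.8", "192.0.2.10", "tcp", 443),
    "customer -> DMZ dns 53":         Packet("203.0.113.8", "192.0.2.53", "udp", 53),
    "customer -> DMZ web 22":         Packet("203.0.113.8", "192.0.2.10", "tcp", 22),
    "customer -> internal DB":        Packet("203.0.113.8", "10.10.5.20", "tcp", 5432),
    "DMZ web -> internal DB":         Packet("192.0.2.10", "10.10.5.20", "tcp", 5432),
    "DMZ web -> internal file share": Packet("192.0.2.10", "10.10.1.7", "tcp", 445),
    "staff -> internet https":        Packet("10.10.3.4", "198.51.100.2", "tcp", 443),
}


def decisions(acl: List[Rule]) -> Dict[str, str]:
    """Verdict for every sample flow under one ACL."""
    return {name: evaluate(acl, pkt)[0] for name, pkt in SAMPLE_TRAFFIC.items()}


def policy_diff(acl_a: List[Rule], acl_b: List[Rule]) -> Dict[str, Tuple[str, str]]:
    """Flows that the two rulesets decide differently: the review check before a change."""
    a, b = decisions(acl_a), decisions(acl_b)
    return {name: (a[name], b[name]) for name in a if a[name] != b[name]}


def unused_rules(acl: List[Rule]) -> List[int]:
    """Indices of rules no sample flow reaches; a deny that becomes unused is shadowed."""
    hit = {evaluate(acl, pkt)[1] for pkt in SAMPLE_TRAFFIC.values()}
    return [i for i in range(len(acl)) if i not in hit]


if __name__ == "__main__":
    for name, verdict in decisions(CORRECT_ACL).items():
        print(f"{name:32} {verdict}")
    print("changed by the widened rule:", policy_diff(CORRECT_ACL, MISCONFIGURED_ACL))
    print("rules never hit in the widened ACL:", unused_rules(MISCONFIGURED_ACL))
```

Running `policy_diff` and `unused_rules` on the old and new rulesets before a firewall change is the check that catches the widened rule: the DMZ web server gains access to an internal file share and the explicit deny is never reached.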