IT Security Policy Design and Implementation: A Case Study of Wheelie Good, Assignments of Computer Security

You work as a trainee IT Security Specialist for a leading security consultancy in Vietnam called FPT Information Security (FIS). FIS works with medium-sized companies in Vietnam, advising on and implementing technical solutions to potential IT security risks. Most customers have outsourced their security concerns because they lack the technical expertise in house. As part of your role, your manager Jonson has asked you to create an engaging presentation to help train junior staff members on the tool

Typology: Assignments (2020/2021)

Uploaded on 02/18/2021 by nguyen-manh-tai
Higher Nationals in Computing
Unit 05: Security
ASSIGNMENT 2
Assessor name: PHAN MINH TAM
Learner's name: Nguyễn Thành Công
ID: GCS18694
Class: GCS0706A
Subject code: 1623
Assignment due: Assignment submitted:

ASSIGNMENT 2 FRONT SHEET

Qualification: BTEC Level 5 HND Diploma in Computing
Unit number and title: Unit 5: Security
Submission date: 2 May 2020
Date received (1st submission):
Re-submission date:
Date received (2nd submission):
Student name: Nguyễn Thành Công
Student ID: GCS
Class: GCS0706A
Assessor name:

Student declaration: I certify that the assignment submission is entirely my own work and I fully understand the consequences of plagiarism. I understand that making a false declaration is a form of malpractice.

Student's signature:

Grading grid: P5 P6 P7 P8 M3 M4 M5 D2 D

ASSIGNMENT 2 BRIEF

Qualification: BTEC Level 5 HND Diploma in Computing
Unit number: Unit 5: Security
Assignment title: Security Presentation
Academic year: 2019 – 2020
Unit tutor:
Issue date:
Submission date: 2 May 2020
IV name and date:

Submission format

Part 1: The submission is in the form of an individual written report. This should be written in a concise, formal business style using single spacing and font size 12. You are required to make use of headings, paragraphs, subsections and illustrations as appropriate, and all work must be supported with research and referenced using the Harvard referencing system. Please also provide a bibliography using the Harvard referencing system. The recommended word limit is 2,000–2,500 words, although you will not be penalised for exceeding the total word limit.

Part 2: The submission is in the form of a policy document (please see details in Part 1 above).

Part 3: The submission is in the form of an individual written reflection. This should be written in a concise, formal business style using single spacing and font size 12. You are required to make use of headings, paragraphs and subsections as appropriate, and all work must be supported with research and referenced using the Harvard referencing system. Please also provide a bibliography using the Harvard referencing system. The recommended word limit is 250–500 words, although you will not be penalised for exceeding the total word limit.

Unit learning outcomes

LO3 Review mechanisms to control organisational IT security.
LO4 Manage organisational security.

Assignment brief and guidance

You work for a security consultancy as an IT Security Specialist. A manufacturing company, "Wheelie good", in Ho Chi Minh City, making bicycle parts for export, has called your company to propose a security policy for their organisation after reading stories in the media about security breaches in organisations and their ramifications.

Part 1. In preparation for this task you will prepare a report considering:

  1. The security risks faced by the company.
  2. How data protection regulations and ISO risk management standards apply to IT security.
  3. The potential impact that an IT security audit might have on the security of the organisation.
  4. The responsibilities of employees and stakeholders in relation to security.

Part 2. Following your report:

  5. You will now design and implement a security policy.
  6. While considering the components to be included in a disaster recovery plan for Wheelie good, justify why you have included these components in your plan.

Part 3. In addition to your security policy, you will evaluate the proposed tools used within the policy and how they align with IT security. You will include sections on how to administer and implement these policies.

Learning outcomes and assessment criteria (Pass / Merit / Distinction)

LO3 Review mechanisms to control organisational IT security
P5 Discuss risk assessment procedures.
M3 Summarise the ISO 31000 risk management methodology and
D2 Consider how IT security can be aligned with organisational

Table of Contents

  • Unit 05: Security ASSIGNMENT
      1. Steps in a vulnerability assessment
      2. Detailed actions to be taken for each step
          2.1 Asset Identification
          2.2 Threat Evaluation
          2.3 Vulnerability Appraisal
          2.4 Risk Assessment
          2.5 Risk Mitigation
          2.6 Vulnerability assessment actions and steps
      3. Privacy Policy
      4. List risk identification steps
          4.1 Reviewing Risk Identification
          4.2 Asset Identification
          4.3 Threat Identification
          4.4 Vulnerability Appraisal
          4.5 Risk Assessment
          4.6 Designing the Security Policy
  • P6 Explain data protection processes and regulations as applicable to an organisation.
      1. Basic steps to secure a host system
      2. Why is host system security important?
          2.1 Website security
          2.2 Payment safety
      3. Some antimalware software
          3.1 Bitdefender Antivirus Plus
          3.2 Kaspersky Antivirus
          3.3 F-Secure Anti-Virus
          3.4 Norton Antivirus Plus
      4. Network security
          4.1 What is network security?
          4.2 Types of network security
          4.3 Why is network security important?
  • P7 Design and implement a security policy for an organisation.
      1. The Security Policy Cycle
      2. Types of Security Policies
      3. Designing the Security Policy
  • P8 List the main components of an organisational disaster recovery plan, justifying the reasons for inclusion...
      1. Disaster Recovery Planning Process
          1.1 Human-induced accidents
          1.2 Unauthorized removal or copying of data or code from a system
          1.3 Damage to or destruction of physical system assets and environment
          1.4 Unauthorized use of a system
      2. Develop a concise, continuous business plan
          2.1 What is data backup?
          2.2 Audits
          2.3 Testing procedures - operational impact
          2.4 Business continuance
  • REFERENCES

Step 3: Perform the vulnerability scan

Third, use the right policy on your scanner to accomplish the desired results. Before starting the vulnerability scan, look for any compliance requirements based on your company's posture and business, and know the best time and date to perform the scan. It is important to recognise the client's industry context and determine whether the scan can be performed all at once or whether segmentation is needed. An important step is to define, and obtain approval of, the policy for the vulnerability scan to be performed. For the best results, use the related tools and plug-ins on the vulnerability assessment platform, such as:

  • Best scan (i.e., popular ports)
  • CMS web scan (Joomla, WordPress, Drupal, general CMS, etc.)
  • Quick scan
  • Full port scan (i.e., all 65,535 ports)
  • Firewall scan
  • Stealth scan
  • Aggressive scan
  • Full scan, exploits and distributed denial-of-service (DDoS) attacks
  • Open Web Application Security Project (OWASP) Top 10 scan, OWASP checks
  • Payment Card Industry Data Security Standard (PCI DSS) preparation for web applications
  • Health Insurance Portability and Accountability Act (HIPAA) policy scan for compliance

If you need to perform a manual scan of the critical assets to ensure the best results, be sure to configure credentials in the scanner configuration so that it can perform a deeper, authenticated assessment (if the credentials are shared with the team). An authenticated scan sees installed package versions and local misconfigurations that an unauthenticated scan can only infer from service banners.

Step 4: Vulnerability assessment report creation

The fourth and most important step is the report creation. Pay attention to the details and try to add extra value in the recommendations phase. To get real value from the final report, add recommendations based on the initial assessment goals. Also add risk mitigation techniques based on the criticality of the assets and the results. Add findings related to any possible gap between the results and the system baseline definition (deviations in any misconfiguration and discoveries made), and recommendations to correct the deviations and mitigate possible vulnerabilities. Findings in the vulnerability assessment are normally very useful and are ordered in a way that ensures each finding is understood.

However, keep the following details in mind: high and medium vulnerabilities should have a detailed report that may include:

  • The name of the vulnerability
  • The date of discovery
  • The score (for example the CVSS base score) and, where one exists, the Common Vulnerabilities and Exposures (CVE) identifier
  • A detailed description of the vulnerability
  • Details regarding the affected systems
  • Details regarding the process to correct the vulnerability
  • A proof of concept (PoC) of the vulnerability for the system (if possible)
  • A blank field for the owner of the vulnerability, the time it took to correct, the next revision, and the countermeasures applied until the final solution is in place

Armed with this basic list when performing a vulnerability assessment, the recommendations phase will reflect a complete understanding of the security posture in all the different aspects of the process. It will also deliver a better outcome for something that, in most cases, is just a compliance tool.
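The report structure described in Step 4, as an added worked example (this is not code from the assignment): scanner findings are mapped from their CVSS v3.x base score to the standard severity band, ordered with the asset value from section 2.1 taken into account, and rendered with the fields listed above, including the blank owner/closure fields. The findings, host names and the asset-value weighting are constructed for illustration; CVE-2017-5638 is a real identifier used only to show the field.

```python
"""Vulnerability assessment report helper (added example, not the assignment's own code)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class Finding:
    name: str
    discovered: date
    cvss: float                  # CVSS v3.x base score, 0.0 .. 10.0
    cve: Optional[str]           # CVE identifier, None if none was assigned
    description: str
    affected: List[str]          # hosts or URLs the finding applies to
    remediation: str
    asset_value: int = 3         # 1 = least valuable .. 5 = extremely valuable (section 2.1)
    poc: Optional[str] = None    # proof of concept, if one could safely be captured


def severity(cvss: float) -> str:
    """CVSS v3.x qualitative severity rating scale."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS base score out of range: {cvss}")
    if cvss == 0.0:
        return "None"
    if cvss < 4.0:
        return "Low"
    if cvss < 7.0:
        return "Medium"
    if cvss < 9.0:
        return "High"
    return "Critical"


def priority(f: Finding) -> float:
    """Score weighted by asset value (assumption: a plain product), so a Medium on
    the most valuable server can outrank a Critical on a throwaway test box."""
    return f.cvss * f.asset_value


def ordered(findings: List[Finding]) -> List[Finding]:
    """Highest priority first, which is how the report should read."""
    return sorted(findings, key=priority, reverse=True)


def render(f: Finding) -> str:
    """Full entry for a Medium or higher finding, with the blank owner fields."""
    return "\n".join([
        f"Vulnerability: {f.name}",
        f"Date of discovery: {f.discovered.isoformat()}",
        f"Score: CVSS {f.cvss:.1f} ({severity(f.cvss)}); identifier: {f.cve or 'no CVE assigned'}",
        f"Description: {f.description}",
        f"Affected systems: {', '.join(f.affected)}",
        f"Correction process: {f.remediation}",
        f"Proof of concept: {f.poc or 'not captured'}",
        "Owner: ______  Time to correct: ______  Next revision: ______  "
        "Countermeasures until final fix: ______",
    ])


def report(findings: List[Finding]) -> List[str]:
    """Detailed entries for Medium and above; Low/None findings get a one-line summary."""
    out = []
    for f in ordered(findings):
        if severity(f.cvss) in ("Critical", "High", "Medium"):
            out.append(render(f))
        else:
            out.append(f"{f.name}: CVSS {f.cvss:.1f} ({severity(f.cvss)}) on {', '.join(f.affected)}")
    return out


# Constructed sample findings for a small manufacturer's estate (host names invented).
SAMPLE = [
    Finding("Apache Struts 2 remote code execution (S2-045)", date(2020, 4, 20), 10.0,
            "CVE-2017-5638", "Jakarta multipart parser evaluates OGNL from a crafted Content-Type header.",
            ["test-web.example"], "Upgrade Struts to a fixed release; block the header at the WAF meanwhile.",
            asset_value=2),
    Finding("Weak SSH MAC algorithms enabled", date(2020, 4, 20), 5.3, None,
            "sshd accepts hmac-md5 and hmac-sha1-96.", ["erp-db.example", "file-srv.example"],
            "Restrict MACs in sshd_config to hmac-sha2-256/512 and reload sshd.", asset_value=5),
    Finding("Self-signed certificate on internal wiki", date(2020, 4, 21), 3.7, None,
            "TLS certificate is not issued by a trusted CA.", ["wiki.example"],
            "Issue a certificate from the internal CA.", asset_value=1),
]

if __name__ == "__main__":
    print("\n\n".join(report(SAMPLE)))
```

The weighting is the part to argue about with the client: with a plain product, the weak-MAC finding on the two value-5 servers lands above the Critical on the value-2 test host. Whatever rule you pick, write it into the report so the ordering can be defended.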

2. Detailed actions to be taken for each step

2.1 Asset Identification. The first step in a vulnerability assessment is to determine the assets that need to be protected. After an inventory of the assets has been taken, it is important to determine each item's relative value. Some organisations assign a numeric value (such as 5 being extremely valuable and 1 being the least valuable) to each asset.

2.2 Threat Evaluation. Determine the potential threats against the assets that come from threat agents.

2.4 Risk Assessment. A risk assessment involves determining the damage that would result from an attack and the likelihood that the vulnerability is a risk to the organisation.

2.5 Risk Mitigation. Determine what to do about the risks. Risk can never be entirely eliminated; some risks must simply be accepted by default (war is an example of a risk that cannot be protected against, which is why most assets cannot be insured against war).

2.6 Vulnerability assessment actions and steps.
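The risk assessment and mitigation steps in 2.4 and 2.5 as an added worked example (not the assignment's own code): the "damage" and "likelihood" of 2.4 are put through the loss-expectancy formulas that section 4.5 names, SLE = asset value × exposure factor and ALE = SLE × annualised rate of occurrence, and the 2.5 decision is then made by comparing the expected yearly cost of accepting the risk, paying for a control that diminishes it, or transferring it through insurance. All money figures, the ransomware scenario and the uninsurable war scenario are constructed numbers.

```python
"""Quantitative risk assessment: SLE/ALE and the accept/diminish/transfer decision.
Added example, not from the assignment; all figures are constructed."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Risk:
    name: str
    asset_value: float      # AV: what the asset is worth or costs to replace
    exposure_factor: float  # EF: fraction of AV lost in one incident, 0.0 .. 1.0
    aro: float              # ARO: expected incidents per year


@dataclass
class Control:
    name: str
    annual_cost: float      # what the countermeasure costs per year
    new_ef: float           # exposure factor once the control is in place
    new_aro: float          # incident rate once the control is in place


def sle(r: Risk) -> float:
    """Single loss expectancy: damage from one occurrence (AV x EF)."""
    if not 0.0 <= r.exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return r.asset_value * r.exposure_factor


def ale(r: Risk) -> float:
    """Annualised loss expectancy: damage x likelihood per year (SLE x ARO)."""
    return sle(r) * r.aro


def ale_with(r: Risk, c: Control) -> float:
    """ALE after the control takes effect."""
    return ale(Risk(r.name, r.asset_value, c.new_ef, c.new_aro))


def decide(r: Risk, control: Optional[Control], premium: Optional[float]) -> Tuple[str, float]:
    """Pick the option with the lowest expected annual cost.

    Returns (option, expected annual cost). An option without a quoted control
    or premium is simply unavailable; war, as 2.5 notes, is uninsurable, so
    only 'accept' remains for it.
    """
    options = {"accept": ale(r)}
    if control is not None:
        options["diminish"] = control.annual_cost + ale_with(r, control)
    if premium is not None:
        options["transfer"] = premium
    option = min(options, key=options.get)
    return option, options[option]


# Constructed figures for the bicycle-parts manufacturer.
FILE_SERVER = Risk("CAD file server lost to ransomware", asset_value=50_000,
                   exposure_factor=0.6, aro=0.5)
BACKUPS = Control("Off-site backups with tested restores", annual_cost=4_000,
                  new_ef=0.1, new_aro=0.5)
WAR = Risk("Factory destroyed in armed conflict", asset_value=2_000_000,
           exposure_factor=1.0, aro=0.001)

if __name__ == "__main__":
    print(f"{FILE_SERVER.name}: SLE={sle(FILE_SERVER):.0f} ALE={ale(FILE_SERVER):.0f}")
    print("Decision:", decide(FILE_SERVER, BACKUPS, premium=8_000))
    print("Decision:", decide(WAR, None, premium=None))
```

Note that the backup control here lowers the exposure factor (less data lost per incident) without changing how often ransomware arrives; a control such as e-mail filtering would instead lower the ARO. Model the two separately rather than guessing a combined percentage.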


3. Privacy Policy

  • A vulnerability scan searches a system for any known security weaknesses and creates a report of those potential exposures.
  • Several standard techniques can be used in mitigating and deterring attacks.

4. List risk identification steps

4.1 Reviewing Risk Identification

  • The first step in the security policy cycle is to identify risks.
  • It involves four steps:
      • Inventory the assets.
      • Determine what threats exist against the assets and by which threat agents.
      • Investigate whether vulnerabilities exist that can be exploited.
      • Decide what to do about the risks.

4.4 Vulnerability Appraisal. After assets have been inventoried and prioritised and the threats have been explored, the next question becomes: what current security weaknesses may expose the assets to these threats? Vulnerability appraisal takes a current snapshot of the security of the organisation as it now stands. To assist with determining vulnerabilities of hardware and software assets, use vulnerability scanners. These tools, available as free Internet downloads and as commercial products, compare the asset against a database of known vulnerabilities and produce a discovery report that exposes each vulnerability and assesses its severity.

4.5 Risk Assessment

  • The final step in identifying risks is to perform a risk assessment.
  • Risk assessment involves determining the likelihood that the vulnerability is a risk to the organisation.
  • Each vulnerability can be ranked on a scale (for example low, medium, high).
  • Sometimes calculating anticipated losses can be helpful in determining the impact of a vulnerability.
  • Formulas commonly used to calculate expected losses are Single Loss Expectancy (SLE = asset value × exposure factor) and Annualised Loss Expectancy (ALE = SLE × annualised rate of occurrence).
  • An organisation has three options when confronted with a risk:
      • Accept the risk

      • Diminish the risk
      • Transfer the risk

4.6 Designing the Security Policy. Designing a security policy is the logical next step in the security policy cycle. After risks are clearly identified, a policy is needed to mitigate what the organisation decides are the most important risks.

P6 Explain data protection processes and regulations as applicable to an organisation.

1. Basic steps to secure a host system.

Step 1: Use a firewall. Make sure that your server has a firewall running all the time. A firewall is like a screen door on your porch: it keeps out flies, rodents and other pests, but you can still walk out and use your BBQ. If someone does get into your server, the first thing they will try to do is upload something to start a daemon or a service of their own, such as an IRC server, or use a port to launch attacks against other systems. A firewall with both ingress and egress filtering can stop incoming and outgoing attacks even when you are not aware of them. We recommend using APF on Linux systems or TinyFirewall on Windows servers. These are software firewalls, so there is no extra monthly cost as with a hardware firewall; for very busy systems a hardware firewall is recommended so that the filtering work is taken off your server's CPU, RAM and other resources. Know which ports are open and why, and know how to block and unblock an IP address. These are the basic things you need to understand in the daily security of your system: if someone from an IP address begins a brute-force attack, you want to be able to stop them right away.
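The last point of Step 1, knowing how to spot a brute-force source and block it, as an added example (not code from the original page): the block parses the standard OpenSSH "Failed password" lines from auth.log, flags any address with five or more failures inside a two-minute sliding window, and produces the block and unblock commands for the operator to review rather than running them. The log lines are constructed. The commands use nftables syntax and assume (my assumption, not something the page states) a table `inet filter` with a set named `blocked` that a drop rule references; APF and TinyFirewall, as named in the text, have their own deny-list commands.

```python
"""Detect an SSH brute-force source in auth.log and write the block rule.
Added example, not the assignment's own code; log lines and nft names are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Standard OpenSSH failure message; "invalid user" appears when the name does not exist.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8}) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample: one noisy source, one user who mistyped once, one slow probe.
SAMPLE_LOG = """\
Mar  3 10:02:11 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 50112 ssh2
Mar  3 10:02:13 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 50114 ssh2
Mar  3 10:02:15 web1 sshd[2213]: Failed password for root from 203.0.113.7 port 50118 ssh2
Mar  3 10:02:18 web1 sshd[2215]: Failed password for invalid user test from 203.0.113.7 port 50120 ssh2
Mar  3 10:02:20 web1 sshd[2217]: Failed password for root from 203.0.113.7 port 50122 ssh2
Mar  3 10:02:22 web1 sshd[2219]: Failed password for invalid user oracle from 203.0.113.7 port 50124 ssh2
Mar  3 10:05:40 web1 sshd[2301]: Failed password for cong from 198.51.100.20 port 41000 ssh2
Mar  3 10:05:49 web1 sshd[2301]: Accepted password for cong from 198.51.100.20 port 41000 ssh2
Mar  3 11:40:00 web1 sshd[2400]: Failed password for root from 192.0.2.9 port 33000 ssh2
Mar  3 12:40:00 web1 sshd[2410]: Failed password for root from 192.0.2.9 port 33002 ssh2
"""


def parse_failures(text: str, year: int = 2020) -> List[Tuple[datetime, str, str]]:
    """(timestamp, source IP, user name) for every failed-password line.
    syslog timestamps carry no year, so the caller supplies it."""
    rows = []
    for line in text.splitlines():
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            rows.append((ts, m["ip"], m["user"]))
    return rows


def brute_force_sources(failures, threshold: int = 5,
                        window: timedelta = timedelta(minutes=2)) -> Dict[str, int]:
    """IPs with at least `threshold` failures inside any span of length `window`,
    mapped to the size of their largest burst. The window slides, so two failures
    an hour apart (a cautious probe) do not trip it while a burst does."""
    by_ip = defaultdict(list)
    for ts, ip, _ in failures:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        best = start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def block_rule(ip: str) -> str:
    """Assumes a set 'blocked' in table 'inet filter' referenced by 'ip saddr @blocked drop'."""
    return f"nft add element inet filter blocked {{ {ip} }}"


def unblock_rule(ip: str) -> str:
    return f"nft delete element inet filter blocked {{ {ip} }}"


if __name__ == "__main__":
    for ip, hits in brute_force_sources(parse_failures(SAMPLE_LOG)).items():
        print(f"{ip}: {hits} failures in 2 minutes -> {block_rule(ip)}")
```

This is the loop that fail2ban automates in production; the value of writing it out once is seeing that the slow probe from 192.0.2.9 is invisible to a fixed-window count and that an expiry for the block (or a periodic unblock) needs to be part of the design, or the set only ever grows.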

Where the /tmp line in /etc/fstab has defaults as its options, remove it and replace it with noexec,nosuid; this stops binaries from being executed directly from /tmp and stops set-uid files there from taking effect (a script can still be handed to an interpreter, so treat this as one layer rather than a complete block). Do the same for /dev/shm, and make /var/tmp a shortcut (symbolic link) to /tmp.

Step 8: Intrusion Detection System (IDS). An intrusion detection system, or IDS, is like a burglar alarm on your server. It keeps a record of which files were changed and when, and alerts you to anything new or altered. This is critical because intruders usually try to replace binaries such as ps, top and netstat. When you then run the replaced ps or top to see the running processes, it hides the intruder's software: even though it is running, it does not show up. Host-based file-integrity checkers of this kind include Tripwire and AIDE; Snort, also often listed as an IDS, is a network IDS that inspects traffic rather than files, so it complements rather than replaces them.

Step 9: Review running processes and remove extra software. You cannot protect a system if you do not know what is on it. If an intruder adds an extra process you will see it in ps, but you will not notice it unless you know what should normally be there. Know what runs on your system, why, and under which user. How do Perl or Apache run, and under which user? You can check your processes with top, or with ps auxfww, which gives you a tree view. Check these every time you log in to your server.

Step 10: Keep an eye on the server's performance. Know what speed your server is running at and how much bandwidth it uses on a daily basis. If an attacker compromises your system and you do not know it, you will probably notice the system responding slowly or using a lot of bandwidth; but if you do not know what your system is usually like, how will you notice something out of the ordinary? This is all common sense, but some people never bother to check until they ask their provider after a system has been slow for two weeks, and by then it is usually too late. Knowing your system keeps you one step ahead of an intruder. Check it often and ask an expert if you are ever over your head.

There are MANY other things you can and should do to ensure your server is secure, but these are a few basics that everyone should use.
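The file-integrity idea behind Step 8, and the /tmp mount-option check from the fstab step above, as an added example (this is not code from the page, nor AIDE's or Tripwire's own): a baseline of SHA-256 digests, permission bits and sizes is taken over a directory tree, a later walk is compared against it, and the added, removed and modified files are reported, which is what a replaced ps or a dropped binary looks like to such a tool. The sample "bin" tree and the two fstab fragments are constructed in a temporary directory so the block runs anywhere.

```python
"""File-integrity baseline (Step 8) and /tmp mount-option check.
Added example, not the assignment's own code; sample tree and fstab are constructed."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

Entry = Tuple[str, int, int]  # (sha256 hex digest, permission bits, size)


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: Path) -> Dict[str, Entry]:
    """Relative path -> (digest, mode, size) for each regular file under root.
    Symlinks are skipped: an attacker can repoint one without touching its target."""
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            snap[p.relative_to(root).as_posix()] = (sha256_of(p), st.st_mode & 0o7777, st.st_size)
    return snap


def compare(old: Dict[str, Entry], new: Dict[str, Entry]) -> Dict[str, List[str]]:
    """What appeared, vanished, or changed since the baseline was taken."""
    common = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in common if old[k] != new[k]),
    }


def tmp_mount_hardened(fstab_text: str, mountpoint: str = "/tmp") -> bool:
    """True only if the fstab entry for mountpoint carries both noexec and nosuid."""
    for line in fstab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) >= 4 and fields[1] == mountpoint:
            return {"noexec", "nosuid"} <= set(fields[3].split(","))
    return False  # no dedicated mount for it at all


# Constructed fstab fragments: the default line, and the hardened replacement.
WEAK_FSTAB = "UUID=0000-AAAA /    ext4  defaults            1 1\ntmpfs          /tmp tmpfs defaults            0 0\n"
HARD_FSTAB = "UUID=0000-AAAA /    ext4  defaults            1 1\ntmpfs          /tmp tmpfs noexec,nosuid,nodev 0 0\n"


def demo() -> Dict[str, List[str]]:
    """Snapshot a tiny 'bin' tree, tamper with it the way Step 8 describes, re-check."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        for name in ("ps", "top", "netstat"):
            (root / "bin" / name).write_bytes(b"#!/bin/sh\necho " + name.encode() + b"\n")
        before = baseline(root)
        # Intruder swaps ps for a copy that filters its own process out of the
        # listing, drops a new binary with an innocent-looking name, and removes netstat.
        (root / "bin" / "ps").write_bytes(b"#!/bin/sh\n/bin/ps \"$@\" | grep -v kworkerd\n")
        (root / "bin" / "kworkerd").write_bytes(b"\x7fELF" + b"\x00" * 12)
        (root / "bin" / "netstat").unlink()
        return compare(before, baseline(root))


if __name__ == "__main__":
    print(demo())
    print("/tmp hardened:", tmp_mount_hardened(WEAK_FSTAB), tmp_mount_hardened(HARD_FSTAB))
```

Keep the baseline itself off the host or on read-only media: an intruder who can replace ps can also rewrite a baseline stored next to it, which is why AIDE and Tripwire documentation both insist on protecting the database.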

2. Why is host system security important?

2.1 Website security. There are plenty of reasons for an attacker to want to infiltrate your website. If you run a popular e-commerce platform, people will be aware that a lot of money passes through your site, presenting a ripe opportunity to steal it. This has unfortunately happened many times in the history of the Internet, and innocent people who put their trust in websites have suffered. In 2015 the website of the independent make-up brand Lime Crime was hacked, and thousands of customers had their bank details exposed to cybercriminals. It was alleged that the website was operating with an out-of-date (expired) SSL certificate, which is why you should always check that yours is in date and that its renewal is monitored. The company confirmed that malicious software was found on its servers. This is why high-security servers should be an absolute priority when choosing a host for an online store or similar business, and why a highly secure, managed cloud hosting platform can be the better option.

2.2 Payment safety. To prevent an event like the Lime Crime hack happening to you or your customers, one way to reduce the risk of details being compromised online is to pay and accept payment via PayPal or a similar hosted payment provider, so that card numbers are entered on the provider's pages and are never stored on your own servers. It also offers extra consumer protection where scams (such as being sold non-existent goods) and refunds are concerned. So bank-detail theft and identity theft are real issues for e-commerce sites to contend with, and as the owner of such a business it is your duty to keep your customers as safe as possible. Stick to well-known, established hosting and e-commerce providers, such as Bluehost, Magento and Squarespace, which have large companies and communities behind them.

3. Some antimalware software

3.1 Bitdefender Antivirus Plus. Bitdefender Antivirus Plus uses security and antivirus technologies to help you completely remove viruses and threats, and in particular to detect and block viruses that have not yet been identified. It also helps to recover and clean infected files in the system. Scanning of the system, folders and files is very fast and does not slow down the system or affect other running applications, so you can surf the web without worrying about threats from the Internet reaching your computer. In addition, Bitdefender Antivirus Plus protects important data, prevents information leakage, protects users from suspicious websites, and lets you chat online via Yahoo! Messenger with full security.

3.2 Kaspersky Antivirus. Kaspersky Anti-Virus is developed with a full set of features and technologies to remove viruses and malware and to protect the computer comprehensively and effectively. It warns about websites containing viruses or malicious code, which is very useful for those who are curious to explore websites without knowing whether they are safe to access. It also automatically detects and blocks autorun.inf viruses from being created when the computer is connected to external storage such as USB drives, memory cards and CDs/DVDs. Another important feature of Kaspersky Anti-Virus is protection of e-mail and messages independently of your web browser, such as Firefox or Google Chrome, helping to keep the important information in your e-mail from being discovered and your passwords and e-mail data from being stolen.