We have been required, as part of the “Information Security Management” module, to produce a security report which, in this particular case, will focus on the implementation of an information security plan for a specific company located in Renfrewshire.
The company selected for our research focuses its business activities on the computing sector, and provides a wide range of computing and networking services such as computer repairs, sales and assembly, networking services, and online IT support for other companies and private individuals.
The company, located in Renfrewshire and founded in 2018, has agreed to cooperate in our Information Security project and to disclose certain information, granting us a degree of access to some of the IT systems located in their main office.
However, private information about employees, third parties and other information considered “classified” was placed outside our scope from the first interview with the company’s director.
As part of our assigned tasks, our team will visit this company several times over the coming weeks to compile details about information assets, current information security implementations (policy, educational and technological), and the personnel involved in information security management. All personnel of this company will also be informed about the importance of completing Risk Control and TVA worksheets during the development of this project, if required.
The overall idea is to identify, examine and understand what information assets the company holds and the level of threat they are exposed to, in order to offer a realistic and economically viable security plan that could be implemented once our report is finished.
This plan should at some point include a Business Impact Analysis (BIA), an Incident Response Plan (IRP), a Disaster Recovery Plan (DRP) and a Business Continuity Plan (BCP), which may be added to the report in subsequent steps.
The report will include recommendations on how to protect the three main characteristics of information in the company (confidentiality, integrity and availability) and information about SETA (Security Training and Awareness) programmes, and we are expected to meet all the points explained in our first interview.
The company, located in Renfrewshire, offers a wide range of computing and networking services, and kindly agreed to let us carry out several interviews and visits to their premises in order to complete our assignment.
A brief observation of the premises allowed us to put together a quick description of their information assets before starting an in-depth analysis of the company; these consist of several computing and networking devices such as workstations, routers, servers and switches, and fortunately we have been granted a certain level of access to them. During our first visit we noticed that they have a web server attached to their network which stores company, provider and customer related information, and it will be one of the main devices we look after.
This company uses several well-known leading brands of hardware and software, such as Cisco Systems, Microsoft operating systems and branded computers, which will substantially ease our research, as the specifications and features of these devices can be obtained in detail using basic research techniques.
The number of employees working in this company’s main office makes it the type of company we were looking for: 10 employees working in four different departments (Direction, Sales, Purchases and Accounting). This allows us to explore other security-related aspects in future visits, such as staff policies and company procedures.
As an explanatory note, we state that access to personal information and certain devices, observation of employees’ working habits, and taking pictures within the offices have all been denied.
During the initial visit to the company’s premises, we presented our investigation methods to the company’s director to seek approval. These methods include observation, physical asset analysis, information asset identification and interviews with key personnel.
With their permission, and after a preliminary interview, we were quickly able to identify all the physical assets placed in the offices, and a dedicated location for networking devices, servers and backup solutions. We therefore proceeded to create an initial physical asset list that we would complete later. Using our notes, we researched the company’s equipment in order to obtain a precise description of each element and its market value, which will be explained in detail in the next steps of the project.
All the information obtained was compared with the current manufacturers’ product information publicly available on the Internet. In terms of electronically stored information assets, we identified two servers (for company data and web hosting) and one NAS (Network Attached Storage) backup device. However, the 10 workstations placed across the different departments were not considered a main or “crucial information asset”, as this company uses the data server to store all files, documents, policies, logs, etc., using mechanisms such as offline files, shadow copies and regular backups.
(Figure: Dell server and WD NAS in detail)
We also recreated the company’s logical network topology with Cisco Packet Tracer, in order to explain to them later, on site, which nodes or devices are more susceptible to attacks or losses, and how the current network redundancy and failover measures may affect their business negatively or positively.
Using a logical topology diagram is very useful for explaining accurately how and where attacks can take place affecting the information systems and their content, and provides a better and easier way to understand the overall operation of the current network.
We can even virtually simulate possible attacks through known and unknown system vulnerabilities, making it possible to quantify precisely how they could affect network traffic and how system performance could be impaired, evaluate possible solutions, and calculate the costs of applying these solutions (Cost-Benefit Analysis or CBA), etc.
Tools such as VirtualBox or VMware may be used to test and show the impact of malware/viruses/worms on the performance of the company systems (servers and workstations), as well as other threats such as DoS (Denial of Service) attacks, DNS spoofing or man-in-the-middle attacks.
Optional security resources such as honeypots and sandboxes will be mentioned, but not implemented.
We tried to clarify from the first moment what the most likely causes of a data breach or data loss in the company would be. During the interview, we asked the company’s manager what technologies, policies or staff training programmes are in place to protect information assets (directly or indirectly), and whether there were any known tolerated/mitigated weaknesses or misconfigurations in these systems.
Unfortunately, we could not get access to some classified documents and employees’ personal information, which established the boundary of our remit.
This is a summary of the questions and answers from the interview, focusing on the security aspects we found most relevant:
We have 10 workstations and two servers.
Well, I don’t know exactly, but I will provide you with those details in the next interview.
No, we don’t have a printer server.
No, we just use a software solution.
Desktop computers should use Windows 7 and the servers Windows Server 2008.
Mostly Microsoft Office. We also use specialized accounting software for some departments.
Yes. We use Wix, Dreamweaver and EU Hosting and Microsoft Expression.
Yes, he uses the WiX platform and EU Hosting.
No, Wi-Fi or access points are not used in our company.
I have to check… I don’t know.
We use a room to store routers, servers and backup devices.
Yes, not often but from time to time.
Yes. They have no restrictions in terms of file extensions.
No. We apply security policies, but we don’t audit employees.
Some users have access to certain types of changes and modifications.
Yes. The main social media websites are blocked from our office desktops.
We need to back up the company’s data daily.
We perform the backups here, but we take them away from the office’s premises.
Mostly Avast Antivirus.
No, we don’t.
Yes, we use the built-in Windows OS solutions.
Yes, we need to keep our servers working under any power fluctuation anomalies.
Yes. RAID 1.
After a brief visit to the company’s premises and having had the opportunity to interview the director, we can conclude that there are several weaknesses in the company’s systems which, while not critical, should be addressed, as their information systems may be compromised at different levels. We agreed to return for further inspections to determine these possible exploitable flaws more accurately and address them, providing a more in-depth report and proposing solutions. We also requested information about any NIDPS or HIDPS that might be in the process of implementation in the short or long term, in order to offer additional advice.
So far, we have had access to most of the areas in the company which hold information devices, and we have been informed about the current security implementations and some basic information which may establish a good base from which to start developing our information security report.
Although the company’s director acted openly and provided us with a sufficient amount of detail, we expect him to authorise us to review the security and company policies which could expose weaknesses in systems, procedures and standards during the development of the report.
Our intention is to make them aware of the importance of securing their systems in order to avoid company losses and ensure normal business continuity over the long term.
The current security environment in this company could be defined as “fair” and, as regards the electronically stored information, “basic”. Focusing on computing and networking devices, the stored information is protected by the Windows software firewall, ACLs on the routers and MAC-based port security on the switches.
All workstations are also protected by well-known anti-virus products (Avast Business and Malwarebytes), built-in solutions such as Windows Defender, firewall rules, computer policies and periodic backups, and the operating systems are updated automatically.
Although we could not get access to any company security policy, we were told about some restrictions on employees who are, according to many studies, the “greatest threat to any information asset within an enterprise environment”.
These restrictions block access to social media websites and prevent staff members from logging on to any computer after working hours. This is implemented through Windows Server “Group Policies” and Access Control Lists on the routers. They have also implemented NTFS and sharing permissions which limit personnel access to some areas of company information.
To perform backups, this company uses a WD 6 TB NAS unit and portable external USB drives of 1 TB capacity, and has configured automatic backups through Windows Server 2008.
As a failover system, this company uses a RAID 1 (mirroring) configuration on both servers, so that if any of the main hard disks storing critical information fails, the information will remain safe on a secondary unit.
We tried to focus only on the most relevant physical assets within the company to build our asset list, discarding any expendable, inexpensive or trivial device or piece of equipment which under normal circumstances does not compromise information asset security.
Therefore, our list contains only devices which store, maintain, manage or route information inside and outside the company’s premises, or which represent an entry point for potential attackers. These systems are routers, switches, workstations, servers and backup solutions.
For a more accurate presentation of potential future losses, we calculated the total cost of these devices; however, the sum of the costs of all these devices does not represent the total cost of losses for a company in the event of a data breach. That is calculated by other means (risk assessments and controls, CBAs, etc.) which determine the value of the information assets with more precision.
As mentioned before, we identified several information technology assets which could be compromised by a potential attacker. We tried to focus on the most relevant ones to make any further transition or system upgrade process economically viable.
From the C.I.A. table we can extract which systems are most likely to cause a severe impact on this company.
Among all the organisation’s assets, the most critical devices storing information are indeed the servers. Any attack, data breach or system impairment targeting these systems would cause catastrophic losses and even legal consequences.
As these devices store all the information about clients, company internal documentation and providers, the loss of such information could literally make the company inoperable. Also, under the EU General Data Protection Regulation (GDPR), this company is obliged to report any data breach within 72 hours of discovery in order to avoid legal issues, a fact we carefully and politely informed them about, assuming that they are already up to date in legal terms.
These devices are also the main revenue-generating systems within the company, as all transactions and business operations are carried out through their management and control; they are also the most expensive elements to replace. One of the two websites managed by this company is hosted on a server dedicated and configured for that function, and it is the main channel of contact with an important part of their clients.
Any data breach could have a critical impact on this company, and not only on the operational side; the reputation of the company could be severely affected if a data breach took place, exposing clients’ personal and financial information to cybercriminals who could use it for monetary gain or to commit further offences.
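To make concrete the distinction drawn above between the sum of device prices and the real loss figure, and the conclusion that the servers are the assets most likely to cause a severe impact, the following is a worked asset valuation and cost-benefit analysis. It is example code added by the editor, not part of the original report: the inventory figures are constructed for illustration, and the SLE = AV × EF, ALE = SLE × ARO and CBA = ALE(prior) − ALE(post) − ACS formulas are the standard textbook ones, an assumption rather than something the report itself states.

```python
"""Asset valuation and cost-benefit analysis (CBA) worked example.

Added example, not code from the original report. The asset values, exposure
factors and rates of occurrence below are constructed for illustration; the
SLE/ALE/CBA formulas are the standard textbook ones (an assumption here).
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Asset:
    name: str
    replacement_cost: float  # price of buying the device again
    asset_value: float       # AV: value to the business, including the data it holds
    exposure_factor: float   # EF: fraction of AV lost in a single incident (0..1)
    aro: float               # ARO: expected number of incidents per year


def single_loss_expectancy(asset: Asset) -> float:
    """SLE = AV x EF: the loss from one occurrence of the threat."""
    return asset.asset_value * asset.exposure_factor


def annualized_loss_expectancy(asset: Asset) -> float:
    """ALE = SLE x ARO: the expected loss per year, used to rank assets."""
    return single_loss_expectancy(asset) * asset.aro


def total_replacement_cost(assets: List[Asset]) -> float:
    """The device-price total, which is not the breach-loss figure."""
    return sum(a.replacement_cost for a in assets)


def rank_by_ale(assets: List[Asset]) -> List[Asset]:
    """Assets ordered from highest to lowest annual expected loss."""
    return sorted(assets, key=annualized_loss_expectancy, reverse=True)


def cost_benefit(asset: Asset, ef_after: float, aro_after: float,
                 annual_control_cost: float) -> float:
    """CBA = ALE(prior) - ALE(post) - ACS.

    ef_after / aro_after are the exposure factor and rate of occurrence
    expected once a control is in place; ACS is the control's annual cost.
    A positive result means the control saves more per year than it costs.
    """
    ale_prior = annualized_loss_expectancy(asset)
    controlled = Asset(asset.name, asset.replacement_cost, asset.asset_value,
                       ef_after, aro_after)
    ale_post = annualized_loss_expectancy(controlled)
    return ale_prior - ale_post - annual_control_cost


# Constructed sample inventory covering the asset classes named in the report.
# The numbers are illustrative only and are not the company's real figures.
DATA_SERVER = Asset("data server", 6000.0, 120000.0, 0.75, 0.25)
WEB_SERVER = Asset("web server", 4000.0, 40000.0, 0.5, 0.5)
WORKSTATION = Asset("workstation", 700.0, 1200.0, 1.0, 1.0)
NAS_BACKUP = Asset("NAS backup", 400.0, 5000.0, 0.5, 0.125)
INVENTORY = [WORKSTATION, NAS_BACKUP, WEB_SERVER, DATA_SERVER]


if __name__ == "__main__":
    print(f"sum of device prices: {total_replacement_cost(INVENTORY):,.2f}")
    for a in rank_by_ale(INVENTORY):
        print(f"{a.name:12} SLE={single_loss_expectancy(a):>10,.2f} "
              f"ALE={annualized_loss_expectancy(a):>10,.2f}")
    # Hypothetical control on the data server (assumed figures): it is assumed
    # to cut the exposure factor to 0.5 and the yearly rate to 0.0625 for
    # an annual cost of 4000.
    print(f"CBA for the data-server control: "
          f"{cost_benefit(DATA_SERVER, 0.5, 0.0625, 4000.0):,.2f}")
```

With the constructed figures the data server ranks first by ALE even though its replacement price is a small fraction of the inventory total, which is exactly why the report values information assets by risk assessment rather than by device cost; the hypothetical control returns a positive CBA and would therefore be worth funding under these assumptions.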