
Running head: UNIT 1 RESEARCH PROJECT

Unit 1 Research Project
Eddie S. Jackson
Kaplan University
IT540: Management of Information Security
Kenneth L. Flick, Ph.D.
09/23/2014

Table of Contents

Abstract
Part I
  Laptops
  Desktops
  Sensitive Data on Hard Drives
  Email
  Passwords
  Operating System Integrity
  Mobile Phones
  Backups
  Unlocked Computers
  Servers
Part II
  Areas of Concern
  Incomplete Aspects of Security Policy
  Inaccurate Sections of Security Policy
  Inaccurate Sections of Security Policy
  Ill-advised Aspects of Security Policy
References

Abstract

The Unit 1 research project presents a two-part assignment that deals with information security concepts. In part one of the assignment, ten technology-based objects are to be listed, their related security threats acknowledged, and a security policy drafted to reduce or moderate those threats. In part two of the assignment, a mock security policy is to be reviewed for missing, incomplete, inaccurate, and ill-advised aspects. The main components of the policy include email, encryption, shared folders, backups, portable storage devices, and passwords. Due to the many elements of the security policy, further research was in order to perform a proper security policy analysis.

Keywords: POP, SMTP, PGP, SSL, passwords, portable storage

Unit 1 Research Project

Part I

The main objective of Part I of the assignment is to list ten company devices or systems that need to be protected by information security. Each of these technology-based items must be linked to a potential threat, and a security-related policy proposed to mitigate that threat. The ten items that have been selected for a security policy analysis are: laptop hardware, desktop hardware, the email system, sensitive data being stored on hard drives, end-user passwords, operating system integrity, mobile phones, company backup tapes, walk-up access to employee desktops, and company servers.

Laptops. Laptop computers offer the mobility of moving around inside and outside of the company, and permit the employee to work in an online and offline fashion. The threat associated with using laptop computers is the hardware being lost or stolen. To reduce the loss of equipment, and ultimately the loss of company revenue, it is the company's policy to install Computrace on all laptops. Computrace is part of the MCLA Laptop Initiative and is known as persistent software (MCLA, n.d., para. 1). Computrace works by embedding itself in the BIOS and on the hard drive of the computer, where it acts as an Internet beacon. In the event that a laptop is lost or stolen, the company can work directly with the local authorities to recover the laptop.

Desktops. Desktop computers usually sit on end-users' desks, inside the company itself. Even though the computer is within the walls of the organization, the actual hardware could be carried out the front door; this would result in loss of inventory, as well as a breach in security. To mitigate the direct theft of the equipment, most computers are outfitted with security slots, where a security cable can be attached to the device itself. Once the security cable is in place, the cable can be looped around a portion of the desk, a pole, or even mounted to the floor.
The desktop security policy will state that the high-carbon steel Kensington Desktop and Peripherals Locking Kit be purchased and attached to each desktop (Kensington, n.d.).

Email. The email system is essential to many of the daily business processes at a company. One particular area of concern is email messages being hijacked or read during transmission. To protect messages in transit, the SSL (Secure Sockets Layer) security protocol has been selected. SSL encrypts the communication stream between the sender and recipient of the email message (SSL, n.d., para. 1). At its core, SSL operates by utilizing a certificate. An SSL certificate contains all the necessary details that allow point A to send secure messages to point B, and vice versa. It is important to note that without SSL, the email message would be sent in plaintext, which any level of electronic eavesdropping could exploit. Thus, the email security policy mandates that all email transmissions, POP (receiving email) and SMTP (sending email), must have the SSL option selected in whichever email client is being used (Microsoft, n.d., para. 1).

Sensitive data on hard drives. It is common practice at many organizations to access sensitive data stored on server hard drives, as well as laptop and desktop hard drives. There is a genuine threat that this sensitive data (perhaps client financial or healthcare information) could somehow end up in the wrong hands or outside the company. In the case where hard drives that hold sensitive data are lost or stolen, the data on the drives must remain secure. To guarantee the highest level of hard drive security, a full hard drive encryption strategy is recommended, specifically Microsoft's BitLocker Drive Encryption. BitLocker protects the entire hard drive by encrypting it and storing cryptographic information in a TPM chip, or Trusted Platform Module (Microsoft, para. 1). The TPM is a special chip on the motherboard that works to secure the hard drive by using tamper-resistant technology. By implementing BitLocker on all company hard drives, the stored data is protected against outside or offline attacks.

Consequently, the hard drives policy states that all company hard drives will have the BitLocker software installed.

Passwords. Maintaining end-user password security is critical to granting the right person access to the right network resources. The primary weakness in passwords is the cracking of simple or commonly used passwords. Once a hacker has cracked a password, computer systems and company data have been compromised. To reduce the probability that a password can be cracked, password complexity and expiration rules are in order. The task of password complexity and password resets could become the responsibility of the end-user; however, this may lead to compromised security due to human error or negligence. The best practice method for enforcing password complexity and expiration rules is to use software policy, specifically group policy (Microsoft, n.d.). Group policy allows several password requirements to be enforced; these include: enforce password history; maximum password age; minimum password age; minimum password length; and passwords must meet complexity requirements (Microsoft, n.d., para. 1). Implementing this kind of policy allows the system administrator to require an end-user's password to contain alphanumeric characters, upper and lower case letters, special characters, and Unicode characters. Thus, the password security policy dictates that all passwords must adhere to the group policy.

Operating system integrity. Companies run on laptops, desktops, and servers, and these devices run on operating systems. Operating systems, which manage tasks, memory, software, and hardware, are constantly under attack by the hacker community through viruses, worms, malware, etc. (GCF Learn Free, n.d., para. 1). These attacks constitute a serious threat to the daily workflow and operations within the business. To mitigate such a wide range of possible threats, it is critical that the operating systems be patched. This can be accomplished using software such as Microsoft's Windows Server Update Services (WSUS). WSUS, which is a free add-on from Microsoft, permits a company to schedule and deploy critical updates, security patches, and application updates to a fleet of computers (Tech Target, n.d., para. 1). By keeping machines up to date, the operating systems maintain the highest levels of integrity, reducing the chances of known exploits having an impact on work processes. Due to this increased operating system integrity, the operating system policy states that all machines must receive updates at least once a month.

Mobile phones. Mobile phones, or more commonly smartphones, offer the functionality of many computer-based services and features at the touch of a user's fingertips; this can be great for multitasking, checking email messages, and working on the go. However, with this increased mobility and functionality also come new security threats. A lost or stolen mobile phone can compromise security by leaving private company email messages, client data, and contact lists wide open to the public. To protect this data on mobile devices, passwords could be placed on phones; however, a clever hacker can get around a password. A better solution would be to remotely erase the data on the phone upon notification that the device is missing (the device can also be disabled at the same time). Different mobile vendors have various software solutions to perform this wipe functionality; for example, Apple uses iCloud, Google Android uses Android Lost, and a Windows phone can be erased and disabled by accessing the website http://www.windowsphone.com/en-us (Lendino, 2012). Consequently, the mobile phone security policy will state that all company mobile phones must be erased and disabled as soon as the phone has been established as missing.

Backups. Company backups are the data backups done to tape and hard drives.
The relative threat associated with backups is when they are stored offsite; the backups could possibly be lost, stolen, or damaged. Backups are vital in the case of a disaster recovery or the loss of data onsite; backups are required to restore business continuity. The offsite storage could be handled by the company, but this increases the chances of a breach in security. A best practice solution would be to use a reputable offsite data management and backup service, such as Iron Mountain. Iron Mountain specializes in data backup, storage, and disaster recovery, while at the same time offering highly secure pickup and delivery of data backups (Iron Mountain, n.d.). Thus, due to the importance of offsite backups, the backup policy mandates the use of Iron Mountain as the primary servicer for data management, daily pickups, and facilitation of data restorations.

Unlocked computers. No matter how complex a password is, if an end-user walks away from their desk with their computer unlocked, security can be compromised. The main threat of unlocked workstations, while end-users are away, is that anyone could just walk up to the computer and gain unauthorized access to network resources. Moreover, sensitive company and client information could be stolen. To protect against unauthorized access to network resources, the desktop usage policy states that screensavers must be activated ten minutes after the computer becomes idle, and that all personnel are required to lock their machines while away from their desks; this will be strictly enforced via warnings and write-ups (Microsoft, n.d., para. 1).

Company servers. Another area of major concern is protecting physical access to company servers. Company servers contain the core applications, databases, and shared files of the organization. The theft of or damage to any one of the servers could prove catastrophic to business operations. Thus, all company servers will remain behind locked doors, with limited access. Specifically, the servers will be contained within a data center with built-in perimeter security. The data center security solution is from ASSA ABLOY, which offers blast, wind, and fire protection, as well as digital locks, identity management, and key systems (ASSA ABLOY, n.d.). Because maintaining tight security around and into the data center is critical to business operations security, the company server policy will mandate that all servers be protected in a data center designed by ASSA ABLOY.

Part II

The second part of the assignment segues into reviewing the Acme security policy and identifying the missing, incomplete, inaccurate, and ill-advised portions of the policy. The main objectives of Part II of the assignment are to create an awareness of weak security policy, and to research best practices as they relate to the design and implementation of information security policies.

Four major areas of concern. The four major areas of concern are end-user passwords (User Account Security Vulnerability), company backups (Physical Access Vulnerability), email security (Mail System Vulnerability), and provisioning proper access to company resources (Internal Vulnerability) (T&M, n.d.).

Incomplete aspects of the security policy. When considering laptop computers and screensavers with enabled passwords, what is missing from the original policy statement is exactly how long the computer idles before the workstation will automatically lock; a recommended idle time limit would be ten minutes, which can be enforced through local or domain group policy (Microsoft, 2009, para. 2). The second incomplete policy has to do with the Acme company backups, which are being stored offsite in a secured location. What is missing from the policy is how often the backups are done, who they are done by, and who has access to the backups. A suggested backup strategy would include the backup operator performing a full backup on Monday and incremental backups throughout the rest of the week, and using Iron Mountain to store backups offsite (Comodo, n.d., para. 1).

Inaccurate sections of the security policy. When considering portable storage devices, such as USB flash drives and FireWire disk drives, it is important to recognize that the use of such devices poses a considerable threat to security. The original Acme policy stated that using portable devices with encryption would be acceptable; however, this is inaccurate. Portable storage devices are still prone to theft, hardware failure, and being infected with malware (Schwartz, 2011). There is also the scenario where a drive may not be encrypted, sensitive client data was stored on the device, and the device was lost or stolen. Thus, the portable device security policy should state that portable devices should never be used to store client or company information. The second inaccurate security policy has to do with screensavers. The Acme policy stated that laptops were to have password-enabled screensavers and that users were to switch on their screensaver to lock the workstation while away; screensavers are not usually initialized by the end-user, and thus cannot be used by the user to lock a computer. A better security policy would enforce the screensaver to auto-lock after ten minutes, as well as include a clause that states the end-user must manually lock their computer [while away] by using the menu-driven options or hotkeys such as pressing the Windows+L keys on the keyboard (Microsoft, n.d.).

Inaccurate sections of the security policy. The Acme password security policy suggests that choosing an uncommon word as a password is acceptable; this is incorrect. Password selection is more than just not choosing a common dictionary word. Passwords should be chosen wisely; however, user password compliance must be enforced using policy, such as group policy.
For example, a best practice password policy would mandate that a user password be a mixture of letters and numbers, one special character, and one upper case letter (Microsoft, n.d., para. 1). The second inaccurate section of the security policy deals with security sensitivity levels. The Acme policy states that the suggested security sensitivity levels should be unrestricted and client sensitive; these do not support a wide enough sensitivity range and are not considered industry standard. More adequate, commercially based sensitivity levels would be public disclosure, internal, confidential, and strictly confidential (Brother, n.d.). There are also private sector security levels of unrestricted, confidential, secret, and top secret; however, these security levels are not recommended in this security policy (Oracle, n.d., para. 4).

Ill-advised aspects of the security policy. Acme is to perform periodic backups, which are to be stored offsite with shared access; the ill-advised aspect of the security policy is the shared access portion. Company backups should only be available to backup operators and disaster recovery personnel; otherwise there is a risk of stolen or damaged backups. The second ill-advised policy deals with the administrator account being given out to consultants. The administrator account should never be given out, other than to system administrators and those directly responsible for the daily maintenance and administration of company equipment (such as technical support analysts who work for the company). All other personnel should have an account created, which is then added as a member of the suggested group named Consultants Group; this group will delineate administrative access to its respective members. Using this strategy, the consultants have the ability to do their job, while the local administrator account remains secure.
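The group policy password settings listed under Passwords in Part I, and the policy-enforced complexity that the second inaccurate-sections subsection calls for, modelled as an added Python example that is not part of the paper: a proposed password is checked against password history, minimum age, minimum length, and the complexity rule, and a separate check applies the maximum age. The complexity rule is assumed to follow Windows' documented behaviour (three of five character categories, and no part of the account or full name longer than two characters); the policy values, the day-counter dates and the sample account are assumptions constructed for the example.

```python
import hashlib
import os
import re

POLICY = {  # the five group policy settings named in the paper; values assumed
    "enforce_password_history": 5,   # old passwords remembered
    "maximum_password_age": 90,      # days until a change is forced
    "minimum_password_age": 1,       # days before a change is allowed
    "minimum_password_length": 8,
    "complexity_required": True,
}

def _hash(password, salt):
    # Salted PBKDF2, so the history list never holds plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def category_count(pw):
    # Windows categories: upper, lower, digit, special, other Unicode letters.
    tests = [str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum(),
             lambda c: c.isalpha() and c.upper() == c.lower()]
    return sum(any(t(c) for c in pw) for t in tests)

def contains_name_part(pw, account, full_name):
    # Any token of the account or full name longer than two characters.
    low = pw.lower()
    tokens = [account] + re.split(r"[ ,.\-_#\t]+", full_name)
    return any(len(t) > 2 and t.lower() in low for t in tokens)

def _remember(acct, pw):
    salt = os.urandom(16)
    acct["history"].append((salt, _hash(pw, salt)))  # newest last

def new_account(name, full_name, password, day):
    # "day" is a simple day counter standing in for a calendar date (assumed).
    acct = {"name": name, "full_name": full_name, "history": [], "changed_on": day}
    _remember(acct, password)
    return acct

def violations(acct, candidate, today):
    """Names the policy rules a proposed password breaks; empty list means OK."""
    recent = acct["history"][-POLICY["enforce_password_history"]:]
    checks = [
        ("minimum age", today - acct["changed_on"] < POLICY["minimum_password_age"]),
        ("length", len(candidate) < POLICY["minimum_password_length"]),
        ("complexity", POLICY["complexity_required"] and category_count(candidate) < 3),
        ("name", POLICY["complexity_required"]
                 and contains_name_part(candidate, acct["name"], acct["full_name"])),
        ("history", any(_hash(candidate, s) == h for s, h in recent)),
    ]
    return [rule for rule, broken in checks if broken]

def expired(acct, today):
    return today - acct["changed_on"] >= POLICY["maximum_password_age"]

def change_password(acct, candidate, today):
    if violations(acct, candidate, today):
        return False
    _remember(acct, candidate)
    acct["changed_on"] = today
    return True
```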

References

ASSA ABLOY. (n.d.). Data Center Security Solutions from ASSA ABLOY. Retrieved ions/Data-Center-Solutions/
Brother. (n.d.). To properly manage and protect information. Retrieved 75814.aspx
Comodo. (n.d.). Selecting the backup type. Retrieved from http://help.comodo.com/topic-9-1455-4993-.html
GCF Learn Free. (n.d.). What is an operating system? Retrieved from http://www.gcflearnfree.org/computerbasics/2
Iron Mountain. (n.d.). Services. Retrieved from
Kensington. (n.d.). Desktop and peripherals locking kit. Retrieved from http://www.kensington.com/us/us/v/4482/1664/
Lendino, Jamie. (2012/4/12). How to remotely disable your lost or stolen phone. Retrieved 0.asp
Microsoft. (n.d.). Best practices for enforcing password policies. Retrieved 741764.aspx
Microsoft. (n.d.). BitLocker Drive Encryption overview. Retrieved ta/BitLocker-Drive-EncryptionOverview
Microsoft. (n.d.). Enforcing strong password usage throughout your organization. Retrieved 75814.aspx

Microsoft. (2009/10/30). Group policy settings for personalization. Retrieved 17164(v ws.10).aspx
Microsoft. (n.d.). How to quickly lock your computer and use other Windows logo shortcut keys. Retrieved from http://support.microsoft.com/kb/294317
Microsoft. (n.d.). POP3, SMTP, and other e-mail server types. Retrieved
Microsoft. (n.d.). Use your Windows password for your screen saver password. Retrieved dows-password-for-screensaverpassword#1TC windows-7
MCLA. (n.d.). Computrace. Retrieved from http://techhelp.mcla.edu/index.php/Computrace Software
Oracle. (n.d.). 6.1.1.1 Classification Levels. Retrieved from http://docs.oracle.com/cd/E23943 01/doc.1111/e10640/c06 classifications.htm
Schwartz, Matthew. (2011/8/8). How USB sticks cause data breach, malware woes. Retrieved from 37
SSL. (n.d.). What is SSL? Retrieved from http://info.ssl.com/article.aspx?id 10241
T & M. (n.d.). Information Systems Security Audit. Retrieved from rityAudit.php
Tech Target. (n.d.). Windows Server Update Services (WSUS). Retrieved nition/Windows-Server-UpdateServices-WSUS
