Info Security
 

This is a project I completed while working on my Master's Degree in Information Systems Management.

Info Security: Document Transcript

‘Web-Tech Home Improvement’
An Analysis of the Information Security Infrastructure for an E-Commerce Home Improvement Company
SE571 – Term Project
Course Project Final Report
Chris McCoy
Keller Graduate School of Management, DeVry University
3/13/2007
SE571 - ‘Web-Tech Home Improvement’, Chris McCoy: An Analysis of the Information Security Infrastructure for an E-Commerce Home Improvement Company.

SE571 - Course Project

Presentation to the Board of Directors – WTHI (Web Tech Home Improvement)

Members of the Board, it is a pleasure to address you today on the subject of Corporate Information Security. As you may be aware, the security of information here at WTHI is critical to the company’s ability to maintain its competitive advantage as a Domestic Supplier of Home Improvement Fixtures. Today, we are proud to lead in our market by way of a strategic sales channel that allows our customers to receive their home improvement items faster than they would from our other online competitors.

I would like to share with you a quote from the recent InfoSec conference held in Florida at the end of March: “Attackers probably have less interest these days in bringing down large numbers of computers than exploiting the data in them for financial gain, said Doug Sweetman, senior technology manager in corporate information security at Boston financial services firm State Street.”[1] (As cited in Network World, 2007)

These words from Mr. Sweetman should be considered our call to arms to improve the current state of our corporate security. It is a loud and powerful wakeup call that we cannot ignore. In order to maintain our competitive advantage, expand our marketing channels and improve upon our abilities for future growth, we must first consider the improvement of those safeguards necessary to protect our vital technological resources: our four distribution centers, supply chain systems, our e-commerce database information and our datacenters, containing the equipment needed to support the transactions from which we generate and grow revenue via our most powerful resource, the World Wide Web. The financial exploits mentioned in the quote from ‘InfoSec’ are our financial and transactional e-commerce data.
This data is the vital link between us and our customers. It is at the heart of our competitive edge. The key to keeping that link strong is maintaining a powerful, secure, well-monitored environment where our physical and information assets are protected in an ongoing process. We have made great strides, but the time to take great action is now.

[1] Messmer, E. (2007, March). Net security experts share tips. Network World, 24(12), 1,10. Retrieved April 5, 2007, from ABI/INFORM Global database. (Document ID: 1247736921).

This report will discuss the current status of our physical and information security infrastructure and the steps we must take to improve these systems to better protect our data and maintain our leadership position in the ‘Home Improvement Appliance’ market.

There are 2 major components that make up the security of our information enterprise. First is the physical security of our 4 locations. Our ability to perform adequate video surveillance and access control at each of these sites is critical to protecting our information and physical assets. Second is the protection of our data, databases and complete information systems infrastructure. Finally, a third component is necessary to tie these two items together: increased bandwidth and restructuring of our Wide Area IP Network. Such an increase will allow us to support the need for additional bandwidth and security required by the new technologies introduced later in this report.

Following a comprehensive analysis of the security here at WTHI, we have determined that the existing security infrastructure must be improved if we are to continue our competitive advantage. To ignore this critical need could cost us this leadership position in the market or, worse, compromise the integrity and security of our data.

A recent report from our CFO indicates that the company’s current e-commerce revenue averages $45,000.00 per hour. In the event our e-commerce capability is interrupted due to a security breach, we will lose $750.00 per minute in revenue.
Most of this revenue will go to one of our competitors: either traditional ‘brick and mortar’ (physical) store locations such as “Home Depot”, “Lowe’s”, “True-Value Hardware”, “Sears”, and “The Home Expo Center”, or competitors in Web-based e-commerce sales, such as “Fixture Universe” (www.fixtureuniverse.com) and “Finestfixtures.com” (www.finestfixtures.com). With every minute of lost revenue comes a lost minute of competitive advantage, as we come one step closer to losing our market share in the online home improvement market.

With our current Information Technology and Information Security infrastructure, there is no question as to if we will suffer an outage. It’s simply a matter of when.

The purpose of today’s presentation is to show you where we are, where we need to be, and what we need to do to get there in terms of a Capital Investment in the Security of our Physical and Informational Assets.

Though the picture painted here is not pretty, there is good news. The proposed plan of Security for WTHI has a very short ROI period. Approximately 10 hours of revenue will pay for the required improvements to our infrastructure. Every 3 hours of revenue will pay for 1 year of WAN service, and 1 hour of revenue will cover more than 2 years of technical support on every piece of equipment shown in today’s presentation.

To begin our presentation, we will look at the physical security in place at all four of our distribution centers. Today, the buildings in our Washington DC, Los Angeles, Dallas, and Chicago offices are all secured via ‘Acme Security’, a vendor we selected 3 years ago to provide on-site security guards and camera monitoring. Today, these security guards continue to work hard to meet the Service Level Agreements of our contracts, but these SLAs are no longer sufficient to provide WTHI with a system capable of keeping our Datacenters safe from intrusion and theft.

There are two major technology components in the Physical Security Plan:

1. Physical Access Control to the building perimeters, parking lot, front door, loading dock, elevators and specific internal areas such as the Warehouse and Computer room where access should be restricted. A need to control access using individual employee badges is identified below.
2. Closed Circuit Video Camera Surveillance of the critical access areas including the main entrance, parking lot, lobby, computer room, loading docks, and inside warehouse.
The diagram below shows the current state of the camera surveillance and physical perimeter access control (none) in place and identifies areas where security weaknesses exist.

This diagram identifies four weaknesses in our current facilities security plan:

1. There is no way to track who is in the building at any given time of the day.
2. The Camera System reports to a local camera monitor and is recorded locally to video tape, but each tape only holds 8 hours of video. Should the guard forget to change tapes, there will be no record kept of the security video.
3. The Data Center Doors and Perimeter Doors offer no way to limit entrance into critical areas such as the Data Center.
4. The camera systems are antiquated and need to be replaced. Identifying minor details in the video image is difficult.

A security solution is required to mitigate the risk of an intrusion into our buildings and theft of our information systems and assets. A network-based video solution is recommended to help better manage the perimeter access to all four of WTHI’s facilities. An article from the “Journal of Housing and Community Development” highlights the value of investment in such a system. As Stennett and Wren (2006) observe, “By supporting access control and other systems, network video can improve their effectiveness and even generate additional return-on investment on those technologies.”[2]

Technology Solution

With a digital video system, smaller ‘PTZ’ analog video cameras will record continuously to a digital video recorder where their signal format is transformed from analog to digital, then stored on a large hard drive and transferred to the central Chicago security center’s main DVR unit. This recorder will offload its digital video across the network to a central server in the Chicago Office once the digital recorder reaches 70% capacity. The additional 30% is planned ‘overhead’ digital storage capacity that will allow the recorder to continue to capture video in the event of a network outage where the regular transfer of footage cannot be completed at its scheduled time.

[2] Christopher A Stennett, Andrew Wren. (2006, November). TECHNOLOGY AND SAFETY: How Network Video Can Help Increase Security at Public Housing Authorities. Journal of Housing and Community Development, 63(6), 28-30,32. Retrieved March 12, 2007, from ABI/INFORM Global database. (Document ID: 1183865131).
The following diagram provides a visual representation of the proposed video solution:

Note that the Camera system can now be monitored locally and remotely. The digital capability allows deeper analysis of the video with more sophisticated analysis tools in order to identify intruders and unauthorized access.
Cost information for proposed solution:

| Solution: Digital Video | Vicon Systems | Alternative Security |
|---|---|---|
| Cost info: DVRs | 4 DVRs @ $8,000.00 ea = $32,000.00 | (4) 9-camera complete systems w/cameras and DVR's @ $2,699.00 ea = $10,796.00 |
| Cost info: cameras | 36 PTZ Cameras @ $463.85 ea = $16,698.60 | n/a (included above) |
| Cost info: console | Central Console $1,352.65, joystick control unit: $200.00 = $1,552.65 | Central Console $1,352.65, joystick control unit: $200.00 = $1,552.65 |
| Digital Video Archive | EMC Clariion Ax (500 Gb expandable archive) $6,000.00 | EMC Clariion Ax (500 Gb expandable archive) $6,000.00 |
| Total Cost - Video | $56,251.00 | $18,348.65 |

A diagram of the proposed DVR Centralized monitoring system is shown below:
As shown in the diagram above, camera footage is recorded locally into a DVR (Digital Video Recorder) unit. Each unit at each office is connected via the local area network and managed using a fixed IP address. Once the unit is configured with its IP information, it can communicate with the Master Control unit in Chicago, where it offloads video to a central storage device as shown above. The device will archive video for a predetermined time so it can be accessed later if needed for legal review.

Physical Access to Buildings and Facilities
The second major component of physical security at WTHI is the physical access control to all WTHI’s buildings. The current model of physical access control consists of a security guard seated at the main security desk in the lobby of each of our four locations. This guard asks all employees to show a badge. He/She also asks visitors to sign in on a ledger and show a valid ID such as a driver’s license or military ID. Once ID is verified, the security guard issues a sticker with the word “visitor” and the current date. There is nothing more than a visual indicator that the visitor has had his/her ID checked at the front desk. There is also no policy requiring visitors to sign out. We really don’t know when they come and go, only the date they were at our office.

Fortunately, technological advances in building security systems will allow us to move forward with a new system that will provide WTHI with an elaborate means for tracking employee and visitor movement throughout the building. This new system will involve issuance of a new employee badge for every employee at each site. The badge will have the Company logo, employee name and picture as well as the employee ID number. The badge will contain a small electronic chip called an RFID chip. A special device designed to read the information from this chip (called a badge reader) will be installed at every perimeter access point in each location. An additional badge reader will be installed in the elevator and on the outside main entrance door to validate after-hours and weekend access. These readers will have a keypad, which will verify the employee’s company-issued PIN. The employee will hold the badge a few inches from the reader. The reader will beep and a small display window will prompt the employee to enter his/her PIN. When this is verified, the reader will either grant or deny access to the employee. When access is granted, the reader sends a message to the control panel to unlock the door. If the employee’s access is denied, the door will remain locked.

Note that not all employees should be given access to all areas. For example, warehouse employees have no need to enter the data center; however, an IT employee may need to enter the warehouse to fix a PC for shipping and receiving.

Employees will be trained in the use of badge reader systems. Additional fingerprinting and training will be required for warehouse employees, as the warehouse perimeter access units will have an additional biometric fingerprint reader. Employees will be encouraged to enter all doors one person at a time. Holding doors for others is discouraged by security, and can be tracked on the camera system. Should a security officer observe an employee allowing others to enter through the same door, the manager of the employee who swiped his/her badge at that particular door will be contacted and notified of the event. Repeat violations will be reported to HR.

The diagram below shows placement of access point badge readers for all critical access areas:
Cost Information – Badge Access System

Due to limited pricing availability of components, a mixed solution cost from 2 vendors is shown:

| Solution: Perimeter Badge Access Control | Unit cost | Quantity | Cost |
|---|---|---|---|
| Software House Ccure Badging System | $1,000.00 | 4 | $4,000.00 |
| Control Panels | $450.00 | 8 | $3,600.00 |
| ACTAtek badge readers | $790.00 | 26 | $20,540.00 |
| ACTAtek Fingerprint and HID ProxI/II Combo badge and biometric readers | $1,590.00 | 8 | $12,720.00 |
| Door Strikes | $175.00 | 32 | $5,600.00 |
| Door Relay units | $179.00 | 32 | $5,728.00 |
| Total Cost - Badge Control System | | | $52,188.00 |

Central Control of Panel Access

Occasionally, a badge may need to be enabled or disabled or have its access level changed. Should such a request arise, the change is made centrally from the Chicago Security Center. Below is a diagram showing the connectivity of the panels into the central control facility.
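As an added example (not part of the original report and not any vendor's software), the following Python shows the door decision described under physical access, with badge, PIN, per-area permissions and the warehouse fingerprint check, plus central enabling and disabling of badges and a record of who is on site. Zone names, roles, badge IDs, PINs and timestamps are constructed for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed zone policy following the report's example: warehouse staff
# have no need to enter the data center, IT staff may enter the warehouse.
ZONE_ROLES = {
    "main_entrance": {"warehouse", "it", "office"},
    "warehouse": {"warehouse", "it"},
    "data_center": {"it"},
}
BIOMETRIC_ZONES = {"warehouse"}  # warehouse readers add a fingerprint check


def pin_digest(pin: str, salt: bytes) -> bytes:
    """Salted, slow hash so the panel never stores the PIN itself."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000)


@dataclass
class Badge:
    badge_id: str
    role: str
    salt: bytes
    pin_hash: bytes
    enabled: bool = True  # changed only from the central security center


@dataclass
class ControlPanel:
    badges: dict = field(default_factory=dict)
    on_site: dict = field(default_factory=dict)  # badge_id -> last zone entered
    audit: list = field(default_factory=list)    # every attempt, granted or not

    def enroll(self, badge_id: str, role: str, pin: str) -> None:
        salt = os.urandom(16)
        self.badges[badge_id] = Badge(badge_id, role, salt, pin_digest(pin, salt))

    def set_enabled(self, badge_id: str, enabled: bool) -> None:
        self.badges[badge_id].enabled = enabled

    def _decide(self, badge_id, pin, zone, fingerprint_ok):
        badge = self.badges.get(badge_id)
        if badge is None:
            return False, "unknown badge"
        if not badge.enabled:
            return False, "badge disabled"
        # Constant-time comparison of the PIN hash.
        if not hmac.compare_digest(pin_digest(pin, badge.salt), badge.pin_hash):
            return False, "wrong PIN"
        # Unknown zones fall through to an empty role set: deny by default.
        if badge.role not in ZONE_ROLES.get(zone, set()):
            return False, "zone not permitted for role"
        if zone in BIOMETRIC_ZONES and not fingerprint_ok:
            return False, "fingerprint required"
        return True, "granted"

    def request_entry(self, when, badge_id, pin, zone, fingerprint_ok=False):
        granted, reason = self._decide(badge_id, pin, zone, fingerprint_ok)
        self.audit.append((when, badge_id, zone, reason))
        if granted:
            self.on_site[badge_id] = zone  # door unlocks, presence recorded
        return granted, reason

    def record_exit(self, when, badge_id):
        self.audit.append((when, badge_id, self.on_site.pop(badge_id, None), "exit"))

    def who_is_on_site(self):
        return sorted(self.on_site)


def demo():
    panel = ControlPanel()
    panel.enroll("B-1001", "warehouse", "4821")
    panel.enroll("B-2002", "it", "7350")
    results = [
        panel.request_entry("08:01", "B-1001", "4821", "main_entrance"),
        panel.request_entry("08:05", "B-1001", "4821", "data_center"),
        panel.request_entry("08:07", "B-1001", "4821", "warehouse"),
        panel.request_entry("08:08", "B-1001", "4821", "warehouse", True),
        panel.request_entry("09:00", "B-2002", "0000", "main_entrance"),
        panel.request_entry("09:01", "B-2002", "7350", "data_center"),
    ]
    panel.set_enabled("B-2002", False)  # central change, effective at once
    results.append(panel.request_entry("09:30", "B-2002", "7350", "warehouse", True))
    panel.record_exit("17:30", "B-1001")
    return panel, results


if __name__ == "__main__":
    panel, results = demo()
    for entry in panel.audit:
        print(entry)
    print("on site:", panel.who_is_on_site())
```

The audit list addresses the first weakness identified earlier (no way to track who is in the building): every attempt is recorded with its outcome, and exits are logged as well as entries.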
Physical Security Plan Purchase and Contract Requirements including SLAs

The implementation of this 2-part solution will be a combined integration project for IT and a selected vendor. Required actions to complete the implementation of this solution include:

1. Negotiate purchase price (based on cost information included above) for all equipment including cameras, collection units, and central monitoring equipment to be located in the Chicago Data Center. A total of four separate computer ‘badging’ systems with encoding capability must be purchased (one for each location). A digital fingerprint component is also required for fingerprinting employees (to be used with the biometric readers installed on the warehouse doors).
2. Negotiate inclusion of technical support contract at a 20% discount based on volume of equipment purchased, to cover equipment at all sites, including cameras, collector systems, and central monitoring station equipment.
3. Negotiate discount on tech support contract based on volume purchase for all badge control system equipment including door locks, badge readers, control panels.
4. Wiring contractor to complete the installation and wiring of all cameras and systems in the four office locations.
5. Wiring contractor to complete wiring of badge control system including door locks, readers, and control panels, including central control system at Chicago security office.
6. Separate purchase of a Storage Area Network device to archive at least 3 months of data. This purchase will also require a technical support contract to cover hardware and software support for management of the device.
7. Negotiate the inclusion of a separate alarm system, as a part of the badge access system purchase, to monitor the Warehouse loading dock and perimeter doors. An insurance clause should be included to protect all warehouse assets against loss due to theft. The SLA for this contract should involve a maximum response from the monitoring company of 10 minutes and an immediate call to local police when no response is received from the local warehouse manager within 10 minutes.
8. SLA: Technical Support contracts for the Video and Badge Systems:
   a.) Video System equipment failure: Onsite 24/7 support, technician on site within 4 hours of reported failure, 24 hour hardware replacement for any failed component at any site. In the event of a DVR failure, where no video is captured, a 3rd party security company will be contracted to provide security officers to patrol the entire location and watch perimeters and warehouse activity until the replacement DVR is delivered and set up.
   b.) Badge System equipment failure: Onsite 24/7 support, technician on site within 2 hours of reported failure, 24 hour hardware replacement for failed component at any site. Additional requirement: door lock open failure will be monitored by a 3rd party security company. An Armed Guard will be dispatched on site to physically monitor the door where the badge reader/lock has failed open (door cannot be locked due to system failure). An example of a company that provides this service is “Securitas” http://www.securitasinc.com/
9. Contractual Penalties: WTHI’s legal department will negotiate an equitable settlement figure based on the contract amount for each contract. This penalty amount will be consistent with industry rates for contractual breach. Each vendor failing to meet the full requirements stated in the negotiated contract will be subject to further legal action.

WAN Firewall Infrastructure (Existing):

One of our key security vulnerabilities is founded in the way our offices communicate across the wide area network. Twelve years ago, this network was considered cutting edge, and served a great purpose in transacting business communication between the offices. Today, it is a limitation to our continued revenue growth, tied directly to the security of our data. This must change if we are to continue to grow our revenue in a secure environment while maintaining state-of-the-art electronic supply chain management with our vendors and partners.
A diagram containing the current wide area network configuration is shown below.
As indicated in the above diagram, each site has its own firewall connected to a local ISP circuit/ISP router configuration. The connectivity from each site to the main Chicago Datacenter site is via an encrypted tunnel. The firewall in each site consists of a PC-based installation of “Raptor” firewall (which was later purchased by Symantec). The PCs have 3 network adapters: one internal, one external and one ‘DMZ’. Every time a virus outbreak occurs in an office, the Firewall crashes and Internet Access goes down. Symantec has pushed the company to upgrade to a hardware-based firewall ‘appliance’, but today, this solution will not meet the requirements of our fast-paced electronic commerce model of business on the Internet.

The proposed new infrastructure will eliminate individual firewalls, ISP circuit connections and tunnels. A new solution will incorporate a centralized private WAN solution using newer MPLS technologies from one of the major telecommunications providers, such as Sprint, MCI, SBC, or Verizon. This change to the WAN is central to the successful implementation of a new security protocol within WTHI. The need for the WAN upgrade is also based on expanded bandwidth requirements due to the additional technology solutions introduced in this report (digital video and perimeter access control traffic) to ensure a more secure and rapid transfer of data between sites.

A diagram of the proposed WAN solution is shown here:
The use of a private, managed VPN architecture such as an MPLS WAN holds the benefit of creating a larger-bandwidth, better-protected solution without the overhead of decentralized firewall management and unsecured individual ISP circuits. The proposed WAN upgrade is an essential core component of the Corporate Security Plan. The upgrade will require higher bandwidth capability on the local office WAN circuits in order to allow the network to carry the additional traffic loads generated by the added video and badge access solutions and also the replication of Antivirus updates. The data traversing the new WAN must also co-exist with regular replication of the e-commerce database between the Chicago and Dallas sites. This replication must be completed regularly to provide a failover solution for business continuity, should a disaster strike the Chicago region.
This upgrade will also pave the way for a major e-mail migration from Microsoft Exchange 5.5 to Microsoft Exchange 2003. This migration is needed in the near future to tighten security of e-mail data by centralizing control of the e-mail server in the Chicago Data Center.

The contract and requirements for this upgrade are as follows (cost information follows):

1. Negotiated contract with a Major Telecom Provider such as AT&T, SBC, SPRINT, or VERIZON to provide such MPLS VPN Service at the corporate level to support all four sites.
2. Purchase of new circuits through this same provider. The recommendation is a Primary 10Mbps *Partial DS3 and 4 bundled T1s as backup circuits for Chicago and Dallas, and a bundled 4-T1 (6MB) primary circuit with Dual ISDN 128kbps backup circuits for Los Angeles and Washington, DC. Note: Partial DS3s should have the ‘burstable’ option included in the contract. This means that the Network Operations Center will have the capability to monitor bandwidth utilization following the implementation of all new services. If the bandwidth utilization is maxed into ‘burst’ capacity, then a consideration for increasing the available bandwidth should be initiated. If it is determined that the largest partial DS3 option cannot provide sufficient bandwidth, then an upgrade to a full DS3 (*full T3) should be considered.
3. Purchase of 2800 Series Cisco Routers to support the configuration required of the circuits at each of these sites.
4. Network Engineering will need to create new routes at each Core switch to match the new MPLS Network Routes.
5. SLA requirements: Because WTHI runs its e-commerce enterprise on a 24/7 basis (though Shipping and Receiving are handled only during regular business hours), system downtime would produce a negative impact to revenue channels. Accordingly, an upgrade to the new system should be negotiated as follows:
   a) 20 minute Tech Support Escalation Heuristic (each 20 minutes of downtime requires escalation).
   b) For outages greater than 1 hour at either primary site (Chicago or Dallas), a full compensation of monthly circuit charges pro-rated based on the time of the primary circuit outage, plus full payment of monthly charge on the 4 T1 backup circuits.
   c) For outages greater than 1 hour at either Secondary site, full payment for ISDN charges incurred on backup circuits for the entire duration of the outage.
   d) Legal recourse (right to pursue legal action) for any data loss or revenue due to outages lasting greater than 3 hours. (Note: this would not pertain to tape backup data, as all tape backups are done locally.)
The importance of a WAN architecture upgrade is highlighted in the following drawing, which displays the business traffic as it is used by the new WAN.
Cost of WAN Solution:
| Solution: WAN - MPLS Service and broadband circuits | telcoIQ | usa access |
|---|---|---|
| Cost info | $400.00 per month per site - $1,600.00 per month for all 4 sites | not available |
| Total Cost per month | $1,600.00 per month | n/a |

| Circuits: DS3 - partial Circuits and T1's | telcoIQ | usa access |
|---|---|---|
| Cost info | $1,250.00 per month (6Mb) 4 bundled T1's | DS3 full 1,500 per month |
| Total Cost per month | $2,500.00 | 4,500.00 - 6,000.00 |

Total Telecom Data Circuit Charge for all sites per month: $8,500.00
Cisco 3725 Multiservice WAN Routers: $6,500.00 x 5 (two are needed in Chicago) = $32,500.00
Total WAN investment for all sites, per month: $10,100.00
Total WAN router purchase: $32,500.00

Central Chicago Internet Gateway

With the upgraded WAN, the individual firewalls at each site are replaced with MPLS routers and Intrusion Detection System ‘Taps’. These taps are connected to an IDS Server that contains sensor software used to analyze potential attacks on the system and send alerts to the IT (Security) Staff. The Internet Access model is changed from individual site access to centralized access through the Chicago Gateway. This gateway consists of a load-balanced, high-traffic firewall solution designed to control individual site Internet access traffic, DMZ traffic for supply chain management and external e-mail traffic. Traditionally, traffic from each site would traverse the public Internet across a VPN tunnel. The new model uses a private MPLS ‘Cloud’ to move all traffic to and from Chicago.

The new Internet Gateway diagram is shown below:
Selection of Vendors: Switches, Routers, Firewalls, IDS

1. Switches and Routers

The company’s corporate IT Standard is “Cisco” Systems. Because of the current 5 year blanket support contract and track record with Cisco (almost no hardware failure in 5 years), IT feels strongly about continuing the relationship with Cisco Systems as our Router and Switch IT Vendor.

2. Firewalls

Due to the high level of traffic that will cross the Firewall infrastructure, the former firewall technology consisting of “Raptor” software installed on a PC with multiple network interface cards is no longer sufficient. The Raptor Software is no longer supported and our company’s support contract is expired. A new firewall solution is needed. A full-featured firewall server capable of handling high volumes of traffic throughput is required to support the new centralized firewall and internet gateway solution.

Cost Information for Firewalls and Routers to support the Internet Gateway:

| Solution: Firewall | Nokia | SonicWall Pro |
|---|---|---|
| Vendor info | IP 560 with Checkpoint FW-1 | Sonic Wall 5060f |
| Cost info | $16,000.00 | $10,371.00 |
| Total Cost - Firewalls | $16,000.00 | $10,371.00 |

Source: securehq.com

3. IDS (Intrusion Detection System)

According to an article by Cavusoglu, Mishra, and Raghunathan (2005), “In the IT security context, preventative controls such as firewalls, aim to develop a shield around IT systems to secure them from intrusions. Detective controls such as IDSs try to detect intrusions that have already occurred. Because complete prevention of intrusions is unlikely, detective controls have become an important element in a firm’s overall security architecture.”[3]

WTHI has never implemented any means of detecting intrusion into its information systems. This means that the implication for lost revenue and data is high. To mitigate any further damage due to possible intrusion, a detection system is needed for better monitoring of the corporate networks and information assets.

[3] Cavusoglu, H., B. Mishra and S. Raghunathan. (2005). The Value of Intrusion Detection Systems in Information Technology Security Architecture. Information Systems Research, 16(1), 28-46. Retrieved April 6, 2007, from ABI/INFORM Global database. (Document ID: 836085061).

Cost Information for IDS:
| Solution | Intrusion Detection | |
|---|---|---|
| Vendor info | Enterasys Dragon Sensor | Juniper IDP 200 Security Appliance |
| Cost info | $15,000.00 x 5 = $75,000.00 | $16,000.00 x 5 = $80,000.00 |
| | ethernet taps (560.00 ea) x 6 = $3,240.00 | ethernet taps (560.00 ea) x 6 = $3,240.00 |
| total cost - IDS | $78,240.00 | $83,240.00 |

Service Level Agreement:

For the intrusion detection system, a negotiated 24/7 technical support contract will cover support of the software application running on the IDS servers. A 24-hour hardware replacement should be included in this contract. As IDS is a critical component of protecting the e-commerce enterprise, downtime could indirectly impact revenue in the form of an undetected intrusion resulting in a compromise of protected data.

VPN/Remote Access

The current remote access solution in place is a Microsoft VPN client-based solution. Examination of the existing authentication system has revealed a significant security weakness that will allow a hacker to guess a username and password to gain access to corporate resources. A more complex solution is required to ensure that VPN client connections are limited to authorized personnel only. The diagram below shows the current VPN remote access model.

Note: One positive preventative security measure was the retirement of RAS dialup 2 years ago. A VPN session independent of a direct dialup modem is required to access the system.

Current Remote Access using Microsoft PPTP Client

The current model for remote access is the Microsoft VPN Client using PPTP encrypted authentication. While this method of access provides a secure channel, the username and password information is not well protected. Should a hacker identify the proper IP address of the PPTP server, all he/she needs is a valid username and guessed password. A better solution is required to prevent a potential security breach via the VPN Client.

A better solution is available in the Cisco VPN client. This solution will allow WTHI to leverage a combined access solution that protects password security through use of a ‘SecurID’ token. The token is assigned to each VPN user account, and contains a unique number that changes every 30 seconds. To authenticate on the VPN using the Cisco Client, the user enters a username and password, and, in the password field, an additional number shown on the ‘SecurID’ token. The randomization of this number makes it almost impossible for a thief to guess the password. The diagram shown below illustrates the current model of remote client VPN authentication using the traditional Microsoft VPN system. The second diagram shows a proposed implementation of the Cisco and SecurID solution.
Proposed Remote Access using Cisco VPN Client:
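The password-plus-token check described in the remote access section, as an added example that is not part of the original report and is not Cisco or RSA code. RSA SecurID's algorithm is proprietary, so the open TOTP standard (RFC 6238) stands in for it here; the `VpnAuthenticator` class, the six-digit code length and the one-step clock-drift window are assumptions.

```python
import hashlib
import hmac
import os
import struct

STEP_SECONDS = 30  # the report's token value changes every 30 seconds
CODE_DIGITS = 6    # assumption: six-digit token code

# Published RFC 6238 test secret, used only so the demo is reproducible.
RFC_TEST_SECRET = b"12345678901234567890"


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class VpnAuthenticator:
    """Hypothetical server-side check: passcode = password + current token code."""

    def __init__(self, drift_steps: int = 1):
        self.drift_steps = drift_steps  # tolerate +/- this many 30 s steps of clock drift
        self._users = {}

    def enroll(self, username: str, password: str, token_secret: bytes) -> None:
        salt = os.urandom(16)
        self._users[username] = {
            "salt": salt,
            "pw_hash": _hash_password(password, salt),
            "secret": token_secret,
            "last_step": -1,  # highest time step already used (replay guard)
        }

    def verify(self, username: str, passcode: str, now: int) -> bool:
        user = self._users.get(username)
        if user is None or len(passcode) <= CODE_DIGITS:
            return False
        # The token code is appended to the password in the password field.
        password, code = passcode[:-CODE_DIGITS], passcode[-CODE_DIGITS:]
        pw_ok = hmac.compare_digest(
            _hash_password(password, user["salt"]), user["pw_hash"]
        )
        matched_step = None
        for drift in range(-self.drift_steps, self.drift_steps + 1):
            t = now + drift * STEP_SECONDS
            step = t // STEP_SECONDS
            if t < 0 or step <= user["last_step"]:
                continue  # before the epoch, or a code that was already used
            expected = totp(user["secret"], t).encode()
            if hmac.compare_digest(expected, code.encode("utf-8")):
                matched_step = step
        if pw_ok and matched_step is not None:
            user["last_step"] = matched_step
            return True
        return False


def demo() -> dict:
    """Constructed scenario: one enrolled user, four login attempts."""
    auth = VpnAuthenticator()
    auth.enroll("alice", "Correct-Horse-9", RFC_TEST_SECRET)
    code = totp(RFC_TEST_SECRET, 59)
    return {
        "guessed_password_only": auth.verify("alice", "Correct-Horse-9", now=59),
        "password_plus_code": auth.verify("alice", "Correct-Horse-9" + code, now=59),
        "same_code_replayed": auth.verify("alice", "Correct-Horse-9" + code, now=61),
        "code_used_minutes_later": auth.verify("alice", "Correct-Horse-9" + code, now=200),
    }


if __name__ == "__main__":
    for attempt, accepted in demo().items():
        print(f"{attempt}: {'accepted' if accepted else 'rejected'}")
```

A correctly guessed password on its own is rejected, and a captured passcode stops working once it has been used or its time window has passed.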
Service Level Agreement:

For this implementation, two technical support contracts are needed. The first will cover the Cisco VPN solution and the second will provide support for the ‘SecurID’ token-based solution. The need for Remote Access VPN is secondary to protection of the physical enterprise and data center. Should a problem arise with the VPN, traveling employees have a backup e-mail solution in Outlook Web Access. This means that downtime of the VPN will not directly or indirectly impact revenue. IT staff at the Chicago data center work in a rotating 24-hour shift, so there is always a group of technicians on site, meaning a VPN access outage would not prevent the IT staff from resolving an issue remotely. Therefore, a downtime of the VPN for up to 8 hours is acceptable.

WTHI holds a blanket support contract with Cisco to cover all existing routers and switches. The new VPN router will be added to the existing support contract. A negotiation with the SecurID token provider (probably RSA/EMC) will incorporate a 24-hour hardware replacement policy.
Cost Information: VPN Software, Access Token System and VPN Router

| Solution | Cisco VPN | |
|---|---|---|
| Vendor info | Cisco Client Access License 40.00 (500 users) | $2,000.00 |
| | Cisco 7204 VXR VPN Router | $6,000.00 |
| Total Cost - Cisco VPN | | $8,000.00 |

| Solution | SecurID Fobs | |
|---|---|---|
| Vendor info | RSA | CryptoCard |
| Cost info | $45,000.00 | $68,000.00 |
| | Authentication Manager Enterprise License: $50,000.00 | Windows Starter Kit $500.00 |
| Total Cost - Authentication Tokens | $95,000.00 | $72,000.00 |

Policy Changes with regard to resources and users:

The next several policy changes do not involve any purchase cost. However, they do require man-hour cost to implement, using the existing IT equipment in WTHI’s Active Directory domain architecture. The first drawing shows the high-level view of WTHI’s Active Directory groups running on Windows 2000 (Windows 2003 is not an upgrade consideration for this project).
The access of these groups to corporate resources on the domain is limited to the needs of their group, in accordance with Microsoft’s Active Directory Best Practices.[4]

Windows User Account Logon Password Policy

Some excellent resources in the field of ‘password protection’ have been cited as valuable for protecting passwords against ‘cracking’ by hackers attempting to log on to protected resources. The current system in place allows users to choose and keep their passwords indefinitely. A new system is needed. Evidence of the weakness in WTHI’s current approach to password security is highlighted by Munro (2006): “A good password is long and complex - and hard to remember; weak ones are next to useless. They are also expensive to manage. One of the most requested helpdesk services is resetting a password. We know that the strongest passwords contain non-alphanumeric characters or symbols, are sufficiently long, and do not contain dictionary words. But some non-alphanumerics are a whole lot better than others.”[5]

Print Server Limitations:

For example, the Warehouse group is able to print orders for their warehouse to any laser printer inside the warehouse, but not to the color printers in the accounting department. The IT department can print network diagrams to its color printers, but not to the black-and-white laser printers in the Warehouse. The shipping department can print FedEx or UPS reports to printers in its department but not to those in IT. Restricting access to printers may seem like a trivial item in the security plan, but it can actually prevent critical errors. For example, if an HR Manager were printing a list of terminations and he/she accidentally selected the printer of a different department (in which several employees who were to be terminated worked), this could create a big potential problem. Locking down printers to their specific groups helps to prevent such situations from happening. Similarly, salary information printed in the Shipping and Receiving department for an employee who was to receive his annual review might end up in the hands of a co-worker and create confidentiality issues.

File Server Limitations:

A restriction on file shares is needed to limit, by group, access to the data specific to each department. For example, the IT group can access shares on its own folders on the file server, but not order processing or shipping documents. Accounting and Finance can access its tax document files and shares on the file server, but not HR’s folders and documents.

[4] Microsoft Corporation (2007, April). Securing Windows 2000 Network Resources. Retrieved April 12, 2007 from http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/netres.mspx

[5] Munro, K. (2006). How to crack (almost) any password in less than two minutes: [SURVEYS EDITION]. Financial Times, p. 6. Retrieved April 5, 2007, from ABI/INFORM Global database. (Document ID: 1140500361).
Applications:

An Accounting employee can access the Solomon financial server, but this is not accessible to IT. Troubleshooting an issue on such an application server would require the presence of an accounting employee.

Network Security at the Router Level (ACL Controls for VLANs)

Often there are scenarios that require the Network Engineering team to lend a hand in securing data channels. An ACL (access control list) on a network router or L3 switch can limit unnecessary traffic and thus reduce bandwidth utilization and the possibility of virus propagation. Cisco (2006) technical documentation on ACLs advises, “In an effort to protect routers from various risks both accidental and malicious infrastructure protection ACLs should be deployed at network ingress points.”[6] For example, an ACL blocking TCP port 443 prevents the SQL Slammer worm from moving into a subnet on a network by preventing any traffic using TCP port 443 from passing through the router. Packets that encounter this ACL are dropped.

The following diagram shows the current core VLAN routed/switched architecture for the Chicago office of WTHI. All other offices have a similar core switching architecture.

[6] Cisco Corporation (2006). Protecting Your Core: Infrastructure Protection Access Control Lists. Retrieved April 12, 2007 from: http://www.cisco.com/warp/public/707/iacl.pdf
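How a router walks an ACL like the one described above (the first matching line wins, and a Cisco ACL ends in an implicit deny), as an added example that is not part of the original report and is not Cisco code. The VLAN subnets, the rule set and all helper names are constructed for illustration; only the TCP port 443 line comes from the report.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "0.0.0.0/0"
WAREHOUSE_VLAN = "10.10.20.0/24"   # constructed subnet
ACCOUNTING_VLAN = "10.10.30.0/24"  # constructed subnet


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    protocol: str                   # "tcp", "udp", or "ip" for any protocol
    src: str                        # source network, CIDR
    dst: str                        # destination network, CIDR
    dst_port: Optional[int] = None  # None matches every port


@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    dst: str
    dst_port: int


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.protocol != "ip" and rule.protocol != pkt.protocol:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    return rule.dst_port is None or rule.dst_port == pkt.dst_port


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the line that matched); None means implicit deny."""
    for index, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule.action, index
    return "deny", None  # nothing matched: the implicit deny at the end of the list


def covers(earlier: Rule, later: Rule) -> bool:
    """True when every packet the later line could match already hits the earlier one."""
    proto_ok = earlier.protocol == "ip" or earlier.protocol == later.protocol
    port_ok = earlier.dst_port is None or earlier.dst_port == later.dst_port
    src_ok = ipaddress.ip_network(later.src).subnet_of(ipaddress.ip_network(earlier.src))
    dst_ok = ipaddress.ip_network(later.dst).subnet_of(ipaddress.ip_network(earlier.dst))
    return proto_ok and port_ok and src_ok and dst_ok


def shadowed_rules(acl: List[Rule]) -> List[int]:
    """Indexes of lines that can never match because an earlier line covers them."""
    return [i for i, rule in enumerate(acl) if any(covers(e, rule) for e in acl[:i])]


# Constructed ACL for traffic entering the accounting VLAN.
ACL = [
    Rule("deny", "tcp", ANY, ANY, 443),                 # the report's TCP port 443 block
    Rule("deny", "ip", WAREHOUSE_VLAN, ACCOUNTING_VLAN),  # department isolation (assumption)
    Rule("permit", "ip", ANY, ANY),                     # explicit permit for the rest
]

# Same idea written in the wrong order: the permit line hides the deny below it.
MISORDERED = [
    Rule("permit", "ip", ANY, ANY),
    Rule("deny", "tcp", ANY, ANY, 443),
]

if __name__ == "__main__":
    samples = [
        Packet("tcp", "10.10.20.5", "10.10.30.9", 443),
        Packet("tcp", "10.10.20.5", "10.10.30.9", 1433),
        Packet("tcp", "10.10.40.7", "10.10.30.9", 80),
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(ACL, pkt))
    print("without the final permit:", evaluate(ACL[:2], samples[2]))
    print("shadowed lines in MISORDERED:", shadowed_rules(MISORDERED))
```

Every TCP/443 flow, HTTPS included, matches the first line, and dropping the final permit turns the list into a block on all remaining traffic.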
Note: a WAN upgrade is put forward for strong consideration in this report. The diagram below shows the resulting change to the local switching architecture.

Proposed router site implementation based on the new WAN framework
The new framework will continue with the same core configuration; however, the new WAN circuits will require router upgrades. The two DS3 circuits in Chicago and Dallas will require a DSU/CSU unit to bring the DS3 circuit into the data center area.

Internet Browsing Limitations

The current Information Security policies do not limit Internet browsing. Employees at all four offices are free to access any website they choose for purposes of browsing the World Wide Web. In the last 2 weeks, several PCs have been infected with viruses. This is becoming more and more of an issue in all 4 offices. Bandwidth is also at a premium. One user was identified streaming NFL highlight videos during work hours. This idea caught on and soon several employees were streaming video from CNN, NFL.com and “YouTube” to their desktops. According to one IT desktop support analyst, some employees have installed “iTunes” on their PCs and are downloading and playing music at the office. E-mail performance has suffered and many users have called the help desk to report “poor network performance”. Although the consumption of bandwidth may have been an issue, a virus-infected PC may also be slowing network performance.

Proposed Solution:

Deployment of a web-filtering solution is intended to mitigate potential violations of the company’s ethics policy regarding proper use of IT resources and appropriate web browsing. The deployment of the actual web-filtering device is depicted in the Chicago Internet Gateway diagram shown previously in this report. The Legal department has agreed to revise its ethics policy in coordination with the IT department. This revised plan will determine the criteria used to filter websites. Suggested criteria include pornography, gambling, cookie tracking/info gathering sites, and known phishing sites; more will be added to this list following a full review of the new plan. A sample screen that a user would encounter when attempting to access a banned/filtered site would appear similar to the one shown here:
Cost Comparison Information - Web Filter:

| Solution | Web Browsing Filter | |
|---|---|---|
| Vendor info | Barracuda Web Filter - model 410 | iPrism M1200 Web Filter Appliance |
| Cost info | $4,000.00 (1) add 2,000.00 for 1 year support and updates | 1,000 users, 1 year, $10,010 direct |
| Total Cost - Web Filter | $6,000.00 | $10,010.00 |

AntiVirus Software and Microsoft Updates

The company’s four sites have never been given a mandate to standardize on a specific anti-virus solution. Each site’s IT department has purchased individual copies of McAfee and Norton antivirus, and is running a mix of both products on the desktops, with purchases occurring on an ‘as-needed’ basis. Although the IT staff has done its best to configure each desktop to automatically update virus definitions, this does not always work. With the WAN being used to back up the corporate database from Chicago to Dallas, there are times when the firewalls get ‘bogged down’ with replication traffic in those sites, and as a result the virus definition downloads often fail due to network congestion. The same problem exists for Microsoft security updates. Desktop computers need to be patched regularly to meet Microsoft security update requirements. To reduce the amount of WAN traffic for Microsoft updates, the IT group will set up a domain-level policy to force each desktop computer to download updates during non-business hours.

A centralized solution for virus updates will allow WTHI to control software and security patching from its Chicago datacenter. This is part of the expanded capability that the increased circuit bandwidth and the MPLS private network will provide. A diagram of the proposed solution is shown below:
Cost Comparison - Enterprise Level Antivirus:

| Solution | Corporate Antivirus | |
|---|---|---|
| Vendor info | Symantec (Norton) Enterprise Edition | McAfee "Active Virus Defense" |
| Cost info | 1000 licenses $60,800.00 | 1000 licenses $55,090.00 |
| Antivirus Server Hardware | (3) Dell Poweredge 1950 and one Dell poweredge 2650 $10,000.00 | (3) Dell Poweredge 1950 and one Dell poweredge 2650 $10,000.00 |
| Total cost - Antivirus | $70,800.00 | $65,090.00 |

E-mail Spam Filtering:

Spam filtering is a recommended high-priority initiative for WTHI. Spam can be more damaging than simply wasting e-mail bandwidth and inbox space. According to a recent article in Barron’s (Carey, 2007), “APWG (www.antiphishing.org) says that in the first month of 2007, there were 29,930 reports of attempts to steal passwords or other important personal information from corporate customers, up more than 25% from December and up 5% above the previous record, set in June of last year.”[7]

In the course of this analysis, a decision was made to keep the existing Microsoft Exchange 5.5 e-mail server architecture in place. This decision is centered on cost reduction to create more budgetary focus on the critical need to upgrade both the WAN and the security infrastructure. The upgraded WAN will eventually allow for the migration to a centralized Exchange 2003 and later Exchange 2007 environment, where one redundant e-mail server is located in the Chicago datacenter. Spam e-mail can quickly kill productivity for employees in all departments, where time is better spent conducting company business rather than deleting unsolicited e-mail. Spam can also lead to a virus attack if the message contains a hidden executable or a compressed file containing the executable file. With the existing 5.5 server architecture in place, the deployment of a short-term anti-spam solution is recommended at each site. To stay cost-efficient, an SMB-sized anti-spam appliance is recommended.

[7] Carey, T. (2007, April). Phighting Phishes and Pharmers. Barron's, 87(14), 37. Retrieved April 5, 2007, from ABI/INFORM Global database. (Document ID: 1249851201).

Cost Comparison Information - Spam Filter:

| Solution | Anti-Spam Filter | |
|---|---|---|
| Vendor info | Barracuda Spam Firewall - model 400 | Mail Foundry 2100 |
| Cost info | $4,000.00 (4) $16,000.00 plus 8,000.00 for 1 year support and updates | $2,000.00 (4) $8,000.00 plus 2 years extended support |
| Total Cost - Antispam | $24,000.00 | $13,021.60 |

The diagram below outlines the connectivity of the spam filter at each location.
Oracle Database Security

Within this report, many security solutions are recommended to ultimately protect the data of the company’s databases. These solutions offer the most protection at each perimeter of the information systems infrastructure. A critical consideration is the application-level security of the database management system software. WTHI uses Oracle as its DBMS provider. Oracle has a long-standing reputation for leading the industry in e-commerce database management products. The use of Oracle’s security features will secure the database at a final core level against attacks and data theft. Oracle adds an additional layer to database security through its own technology resource center. As indicated by Oracle Corporation (2007), “Fixes for security vulnerabilities are released in quarterly Critical Patch Updates (CPU), on dates announced a year in advance and published on the Oracle Technology Network. The patches address significant security vulnerabilities and include other fixes that are prerequisites for the security fixes included in the CPU. The major products patched are Oracle Database Server, Oracle Application Server, Oracle Enterprise Manager, Oracle Collaboration Suite, Oracle E-Business Suite, PeopleSoft Enterprise Tools, PeopleSoft CRM, JD Edwards Enterprise One, and JD Edwards One World XE.”[8]

Oracle (http://download-east.oracle.com/docs/cd/B14117_01/network.101/b10777/overview.htm#1006428) provides a comprehensive list of potential database security issues and resolutions. This list includes items such as “Unauthorized users, unauthorized access to data, eavesdropping, corruption, and denial of service.”[9] With the many solutions offered to mitigate the risk of data loss, WTHI will follow the Oracle recommended solutions.

A critical component of this risk management solution will be a new WTHI Information Technology policy, in cooperation with the Database Administration group and Network Operations staff, to follow published Oracle security recommendations and patch all reported vulnerabilities as soon as possible. At present, adherence to the existing Oracle recommendations will not require any additional purchase by WTHI. Our current support contract with Oracle is 24/7 technical support. All database administrators at WTHI are Oracle Certified DBAs, with at least 5 years of database administration experience. Database backups are performed nightly, and a full database replication is done daily with the Dallas datacenter.

[8] Oracle Corporation (2007, April). Quarterly Patch Update: Quarterly Release of Security Updates. Retrieved April 12, 2007 from: http://www.oracle.com/security/critical-patch-update.html

[9] Oracle Corporation (2007, April). Quarterly Patch Update: Quarterly Release of Security Updates. Retrieved April 12, 2007 from: http://www.oracle.com/security/critical-patch-update.html

Business Continuity Planning

WTHI has a solid plan for continuation of business in the event of a major technical outage at the main Chicago data center. The plan for business continuity consists of a complete operations failover from Chicago to Dallas. To continuously prepare for such an event, WTHI regularly replicates its database with the Dallas office. Redundant application servers operate in the Dallas location and are ready to pick up in less than 20 minutes in the event such service is required. Local personnel in Dallas are trained to take over main operations from Chicago. Key management personnel have an emergency travel budget to temporarily relocate from Chicago to Dallas until the Chicago site is ready to go back online. This plan is sufficient to continue operations, and there is no requirement to upgrade or change the plan at this time. With continuous innovation in the Information Technology and Security fields, this plan should be revisited annually to identify new opportunities for improvement.

Disaster Recovery

Nightly tape backups are performed at all sites. All major systems, including e-mail, voicemail, and file servers, are backed up. Database transaction logs are backed up, and can be ‘rolled back’ or ‘rolled forward’ to restore data that may have been damaged during a server outage. All servers are configured with a RAID capability, and spare hardware replacements are kept ready and available at all sites should the need arise to rebuild a RAID system.
An offsite storage vendor keeps 2 weeks of backup tapes at a climate-controlled facility, and these may be recalled at any time for any of the four offices as needed. At present, this plan is sufficient to restore data operations, and there is no requirement to upgrade or change the plan at this time. With continuous innovation in the Information Technology and Security fields, this plan should be revisited annually to identify new opportunities for improvement.

Summary List of Recommendations:

1. Control Physical Access to Buildings, Offices, Warehouses and Data Centers; Implement a Perimeter Security Access Control (Badge Reader) System.
2. Migrate Camera System from Analog to Digital Network Controlled System with Online Storage.
3. Migrate WAN Circuit Connectivity from Internet Based to MPLS (Private VPN) Based.
4. Migrate Firewalls from Decentralized Raptor Solution to Centralized Internet Gateway.
5. Enforce Password Policy on all Domain Accounts:
   a. Require password change every 90 days.
   b. Require at least 1 number, 1 special character, and 1 uppercase letter, minimum 8 characters.
6. Implement an Intrusion Detection System.
7. Enforce Desktop Policy via Active Directory Group Policy Object. Include Scheduled After Hours Download Cycle for MS-Security Patches.
8. Limit Web Site Browsing with a Web Filter Appliance.
9. Migrate Remote Access VPN from Microsoft PPTP to Cisco Client VPN.
10. Implement Anti-Spam Email Filter Device on all Exchange E-mail Servers.
11. Follow Oracle Best Practices for Database Security as Published on Oracle’s Corporate Website.
12. Standardize Anti-virus Software to Enterprise, Server Based Version.
Conclusion

The Web Tech Home Improvement Corporate Security Plan as proposed in this report is vital to the company’s ability to maintain its competitive advantage. The center of this plan is the upgrade of WAN technology from the existing decentralized ISP solution to a centralized MPLS private WAN with increased bandwidth. The physical access control and video surveillance solutions will utilize more bandwidth in data transfer. The migration and upgrade of the firewall solution using a centralized Internet gateway will streamline the administration of the firewall at the Chicago data center, and take some of the strain off local IT personnel by shifting this responsibility to Headquarters. Creating a policy for the existing Windows 2000 Active Directory environment will tighten desktop security and enforce restrictions on resources so that the appropriate groups and departments will access only the resources required to conduct daily business. This will also allow IT administrators to enforce a new global password policy for number and type of characters and a fixed password renewal requirement. The server-based anti-virus model will decrease the Internet traffic at each office by centralizing virus definition updates on a master server and pushing these updates to servers in each office. This in turn will reduce WAN traffic by allowing local client PCs in each office to update using LAN bandwidth rather than WAN bandwidth. The addition of a web-filter appliance will control appropriate Internet website browsing and reduce bandwidth utilization across the WAN by blocking streaming media sites such as “Napster”, “iTunes”, “myspace”, and “youtube”.

The migration from Microsoft VPN to a combined Cisco VPN/SecurID token solution will increase security by randomizing the second part of the user password in the authentication process. It will also strengthen the reliability of the VPN hardware solution by moving away from a server-based solution to a more robust Cisco router solution. This plan should be re-evaluated on a regular basis to consider new technology developments and innovations in the field of security that might better protect the infrastructure and help to maintain the company’s competitive advantage. A line-item budget consideration is strongly suggested to continue the updates to these technologies needed for maintaining security of the company’s physical and informational assets.

References

1. Messmer, E. (2007, March). Net security experts share tips. Network World, 24(12), 1, 10. Retrieved April 5, 2007, from ABI/INFORM Global database. (Document ID: 1247736921).
2. Stennett, C., A. Wren. (2006, November). TECHNOLOGY AND SAFETY: How Network Video Can Help Increase Security at Public Housing Authorities. Journal of Housing and Community Development, 63(6), 28-30, 32. Retrieved March 12, 2007, from ABI/INFORM Global database. (Document ID: 1183865131).
3. Cavusoglu, H., B. Mishra and S. Raghunathan. (2005). The Value of Intrusion Detection Systems in Information Technology Security Architecture. Information Systems Research, 16(1), 28-46. Retrieved April 6, 2007, from ABI/INFORM Global database. (Document ID: 836085061).
4. Microsoft Corporation (2007, April). Securing Windows 2000 Network Resources. Retrieved April 12, 2007 from http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/netres.mspx
5. Munro, K. (2006, October 4). How to crack (almost) any password in less than two minutes: [SURVEYS EDITION]. Financial Times, p. 6. Retrieved April 5, 2007, from ABI/INFORM Global database. (Document ID: 1140500361).
6. Cisco Corporation (2006). Protecting Your Core: Infrastructure Protection Access Control Lists. Retrieved April 12, 2007 from: http://www.cisco.com/warp/public/707/iacl.pdf
7. Morrissey, P. (1998, April). Demystifying Cisco access control lists. Network Computing, 9(7), 116. Retrieved April 7, 2007, from ABI/INFORM Global database. (Document ID: 28520861).
8. Huseyin C., B. Mishra, S. Raghunathan. (2005). The Value of Intrusion Detection Systems in Information Technology Security Architecture. Information Systems Research, 16(1), 28-46. Retrieved April 6, 2007, from ABI/INFORM Global database. (Document ID: 836085061).
8. Keep your database safe from intrusions at all network levels. (2006, April). Exploring Oracle, 11(4), 6. Retrieved March 12, 2007, from ProQuest Computing database. (Document ID: 1025469841).
9. Carey, T. (2007, April). Phighting Phishes and Pharmers. Barron's, 87(14), 37. Retrieved April 5, 2007, from ABI/INFORM Global database. (Document ID: 1249851201).
10. Oracle Corporation (2007, April). Quarterly Patch Update: Quarterly Release of Security Updates. Retrieved April 12, 2007 from: http://www.oracle.com/security/critical-patch-update.html
11. Oracle Corporation (2007, April). Oracle Security Review 10g Release 1. Retrieved April 12, 2007 from: http://download-east.oracle.com/docs/cd/B14117_01/network.101/b10777/overview.htm#1006428
12. Microsoft Corporation (2007, April). Step-by-Step Guide to Understanding the Group Policy Feature Set. Retrieved April 12, 2007 from: http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/grpolwt.mspx
13. RSA Security (2005). RSA SecurID SID800 Hardware Authenticator. Retrieved from: http://www.rsa.com/products/securid/datasheets/SID800_DS_0205.pdf

Appendix A: Cost Information

Budget Requirement - Capital Asset Equipment Investment: $442,079.00
Budget Requirement - Recurring Service Charges: $10,100.00 per month

Cost Information

| Solution | WAN - MPLS Service and broadband circuits | |
|---|---|---|
| Vendor info | telcoIQ | usa access |
| Cost info | $400.00 per month per site - $1,600.00 per month for all 4 sites | not available |
| Total Cost per month: | $1,600.00 per month | n/a |
| Circuits | DS3 - partial Circuits and T1's | |
| Vendor info | telcoIQ | usa access |
| Cost info | $1,250.00 per month (6Mb) 4 bundled T1's | DS3 full 1,500 per month |
| Total Cost per month: | $2,500.00 | 4,500.00 - 6,000.00 |
| Total Telecom Data Circuit Charge for all sites per month: | $8,500.00 | |
| Cisco 3725 Multiservice WAN Routers | 6500.00 x (5) (Two are needed in Chicago) | 32,500.00 |
| Total WAN investment for all sites, per month | $10,100.00 | |
| Total WAN ROUTER Purchase: | 32,500.00 | |

| Solution | Cisco VPN | |
|---|---|---|
| Vendor info | Cisco Client Access License 40.00 (500 users) | $2,000.00 |
| | Cisco 7204 VXR VPN Router | $6,000.00 |
| Total Cost - Cisco VPN | | $8,000.00 |

| Solution | Firewall | |
|---|---|---|
| Vendor info (Source: securehq.com) | Nokia IP 560 with Checkpoint FW-1 | SonicWall Pro (Sonic Wall 5060f) |
| Cost info | $16,000.00 | $10,371.00 |
| Total Cost - Firewalls | $16,000.00 | $10,371.00 |

| Solution | SecurID Fobs | |
|---|---|---|
| Vendor info | RSA | CryptoCard |
| Cost info | $45,000.00 | $68,000.00 |
| | Authentication Manager Enterprise License: $50,000.00 | Windows Starter Kit $500.00 |
| Total Cost - Authentication Tokens | $95,000.00 | $72,000.00 |

| Solution | Digital Video | |
|---|---|---|
| Vendor info | Vicon Systems | Alternative Security |
| Cost info | 4 DVRs @ $8,000.00 ea = $32,000.00 | (4) 9-camera complete systems w/cameras and DVR's @ $2,699.00 ea = $10,796.00 |
| | 36 PTZ Cameras @ $463.85 ea = $16,698.60 | n/a (included above) |
| | Central Console $1,352.65, joystick control unit: $200.00 = $1,552.65 | Central Console $1,352.65, joystick control unit: $200.00 = $1,552.65 |
| Digital Video Archive | EMC Clariion Ax (500 Gb expandable archive) $6,000.00 | EMC Clariion Ax (500 Gb expandable archive) $6,000.00 |
| Total Cost - Video: | $56,251.00 | $18,348.65 |

| Solution | Perimeter Badge Access Control | |
|---|---|---|
| Vendor info | Software House Ccure Badging System $1,000.00 (4) = $4,000.00 | Software House Ccure Badging System $1,000.00 (4) = $4,000.00 |
| Cost info | Control Panels $450.00 (8) $3,600.00 | Control Panels $450.00 (8) $3,600.00 |
| | ACTAtek badge readers $790.00 (26) = $20,540.00 | ACTAtek badge readers $790.00 (26) = $20,540.00 |
| | ACTAtek Fingerprint and HID ProxI/II Combo badge and biometric readers $1,590.00 (8) = $12,720.00 | ACTAtek Fingerprint and HID ProxI/II Combo badge and biometric readers $1,590.00 (8) = $12,720.00 |
| | Door Strikes - $175.00 (32) $5,600.00 | Door Strikes - $175.00 (32) $5,600.00 |
| | Door Relay units - $179.00 (32) $5,728.00 | Door Relay units - $179.00 (32) $5,728.00 |
| Total Cost - Badge Control System | $52,188.00 | $52,188.00 |

| Solution | Corporate Antivirus | |
|---|---|---|
| Vendor info | Symantec (Norton) Enterprise Edition | McAfee "Active Virus Defense" |
| Cost info | 1000 licenses $60,800.00 | 1000 licenses $55,090.00 |
| Antivirus Server Hardware | (3) Dell Poweredge 1950 and one Dell poweredge 2650 $10,000.00 | (3) Dell Poweredge 1950 and one Dell poweredge 2650 $10,000.00 |
| Total cost - Antivirus | $70,800.00 | $65,090.00 |

| Solution | Anti-Spam Filter | |
|---|---|---|
| Vendor info | Barracuda Spam Firewall - model 400 | Mail Foundry 2100 |
| Cost info | $4,000.00 (4) $16,000.00 plus 8,000.00 for 1 year support and updates | $2,000.00 (4) $8,000.00 plus 2 years extended support |
| Total Cost - Antispam | $24,000.00 | $13,021.60 |

| Solution | Web Browsing Filter | |
|---|---|---|
| Vendor info | Barracuda Web Filter - model 410 | iPrism M1200 Web Filter Appliance |
| Cost info | $4,000.00 (1) add 2,000.00 for 1 year support and updates | 1,000 users, 1 year, $10,010 direct |
| Total Cost - Web Filter | $6,000.00 | $10,010.00 |

| Solution | Intrusion Detection | |
|---|---|---|
| Vendor info | Enterasys Dragon Sensor | Juniper IDP 200 Security Appliance |
| Cost info | $15,000.00 x 5 = $75,000.00 | $16,000.00 x 5 = $80,000.00 |
| | ethernet taps (560.00 ea) x 6 = $3,240.00 | ethernet taps (560.00 ea) x 6 = $3,240.00 |
| total cost - IDS | $78,240.00 | $83,240.00 |