Rapid data services limited


This is a report I did for City & Guilds ICT System Security Policy Level 3 (7266/7267-511).

Published in: Business

Rapid Data Services Limited
The Thames
London.
(020)000000

Rees Phillips
CAD Centre
Cardiff
(02920)388817

Dear Mr. Ashford:

As we agreed previously, I have prepared this report for your company, Rapid Data Services Limited, London, at present residing on the banks of the river Thames in an old grain warehouse. After analysis of the site and the current set-up of your computer systems, I conclude that, apart from inadequate security, you need to rectify your power needs, access, and security both internally and externally. This report pinpoints your building's failings and how you can rectify these problems, either here at the first Rapid Data housing or in the future, as it will give you an idea of what precautions you should be taking at any new establishments. Also included

Background information.

Rapid Data Services is a successful company with an excellent reputation in its field. It provides a range of services which include remote data backup, data storage facilities, web site hosting and remote server location, among other internet-based services. Its clients range from banks and small businesses to individuals and other financial institutions, both in the UK and around the world. These clients can access their information remotely over the internet and administer their accounts internationally when needed, so Rapid Data Services provides an invaluable service that its clients rely upon on a daily basis. Additionally, Rapid Data is now the world leader in third-party payment collection for e-commerce, handling payments and transactions on behalf of companies that are too small to handle credit and debit card payments on their own. In a typical day Rapid Data Services Limited processes around 750,000 such transactions for customers in the UK and around the world.

Summary of Rapid Data Thames Bank housing.

Firstly, to reduce the risk from any physical threat, we need to increase the security surrounding Rapid Data to include an alarm system connected to an outside agency for monitoring; security personnel present at all times if the public are going to be allowed into the building to gain access to accounts, computer terminals, staff, sales personnel, technicians etc.; and 24hr surveillance via security cameras covering both the inside and outside of the building. We then need to look at fire risks and how to reduce them and, as your site is beside the Thames, we would need to protect it from any flooding that may occur. These are environmental issues which present a real risk to the overall security of your business. To handle the increase in business and to protect against any power loss, an uninterruptible power supply should be in place.

The other main areas for change are the intrusion measures needed to restrict any and all unauthorised access by undesirable persons (hackers, spammers, thieves) and the theft of any data that is of importance to the company and its clients. This report will also give consideration to the fact that it may be cheaper to use an already established server housing company than to risk the extreme costs that may be involved when planning to initiate a world class data storage facility to include major clients and many smaller clients, who will entrust all their data to your company, and the level of security that these clients would expect.

Threat assessment.

Threats to Rapid Data Services Limited are twofold. Firstly, there are the physical risks that are presented, which include the building's security, risk from intruders, fire, and flood, and also risks from personnel.

These points are physical by nature
and so a physical approach is needed, starting with:

  • Establish a Key Control Policy. If you don't know who is holding keys to your doors, or if keyholders can make duplicates without your permission, then you have a serious hole in your security plan. Once you have physically secured your doors, the next step is to keep them secure by establishing a key control policy. Internal doors need to be secured at all times.
  • Install an Alarm System. Physical security measures such as deadbolt locks are designed to keep intruders out. If they get in, however, you need to know about it. A monitored alarm system serves two basic purposes: first, it can trip a siren that will scare an intruder away; second, it alerts law enforcement professionals who can respond to your break-in.
  • Assign a Floor Marshall. A Floor Marshall is a volunteer in your organization whose job it is to approach unrecognized visitors and make sure that they have a legitimate purpose to be on your premises. A Floor Marshall also gives other employees a go-to person for reporting suspicious individuals.
  • Employ a permanent security guard. This has advantages over a volunteer: staff whose sole responsibility is to guard the entrance, monitor the surveillance system and intercept any visitors are not going to be doing something else at the wrong time, whereas a volunteer may.
  • Install an Electronic Access Control System. Mechanical locks tell no tales. By upgrading your door locks with an Electronic Access Control (EAC) System, you will gain a record of who opened, or attempted to open, every door. This information will be extremely helpful if you need to investigate a security breach. In addition, an EAC system lets you instantly add or delete electronic keys. This eliminates your exposure due to lost or stolen keys, and also allows you to assign customized access privileges based on time, date, and authority level.
  • Use Video Surveillance. Not only does a camera system improve your ability to monitor your premises, it can also provide useful evidence and information if you need to investigate an accident, attack, or theft. Remember to keep employee privacy in mind as you implement your surveillance system.
  • Learn About CPTED. Crime Prevention Through Environmental Design (CPTED) is a set of design principles used to discourage crime. The concept is simple: buildings and properties are designed to prevent damage from the force of the elements and natural disasters; they should also be designed to prevent crime. You can use these principles to improve home offices as well as high-rise buildings.
  • Fire and flood risks. As with all security issues, the cost of implementing such protection measures has to be weighed against the risks. In some circumstances, the simple act of ensuring that all doors and windows in the room remain closed and locked while unoccupied might suffice. In another case, the sensitivity or criticality of the information contained on, and the service provided by, a building, room, or piece of equipment might be such that more stringent actions are taken. In the Rapid Data building one room is of great importance, and no expense should be spared in securing this room from any and all threats.

Laws and Regulations.

Should confidential information about a business's customers, finances or new product line fall into the hands of a competitor, such a breach of security could lead to lost business, lawsuits or even bankruptcy of the business. Protecting confidential information is a business requirement, and in many cases also an ethical and legal requirement.

For the individual, information security has a significant effect on privacy, which is viewed very differently in different cultures.

The field of information security has grown and evolved significantly in recent years. There are many ways of gaining entry into the field as a career. It offers many areas for specialization including: securing network(s) and allied infrastructure, securing applications and databases, security testing, information systems auditing, business continuity planning and digital forensics science, to name a few, which are carried out by Information Security Consultants.

Network Security.

Network security starts from authenticating the user, commonly with a username and a password.
Once authenticated, a firewall enforces access policies such as what services are allowed to be accessed by the network users.[2] Though effective at preventing unauthorized access, this component may fail to check potentially harmful content such as computer worms or Trojans being transmitted over the network. Anti-virus software or an intrusion prevention system (IPS) helps detect and inhibit the action of such malware. An anomaly-based intrusion detection system may also monitor the network and traffic for unexpected (i.e. suspicious) content or behavior and other anomalies to protect resources, e.g. from denial of service attacks or an employee accessing files at strange times. Individual events occurring on the network may be logged for audit purposes and for later high level analysis.

Communication between two hosts using a network could be encrypted to maintain privacy.

One of the main threats to a network comes from outside the network through the internet. These attacks are made by unscrupulous individuals for many reasons, for example money. Organised crime is now a serious threat to any business, but especially to data storage, where people store all kinds of personal data that can be used against them; identity thieves and scammers also try to infiltrate systems for the information stored there. In our technologically advanced society we now have technologically advanced thieves who get paid to hack systems for information so that businesses can gain a corporate advantage over their competition; this unfortunately is a reality in today’s world.
Some hackers are against all this information being stored in nondescript buildings and believe that it is being used for the wrong reasons by governments and unknown associations; these scammers are less well known and their purpose is to cause anarchy and disruption to as many people and businesses as possible. The other type of hacker is the schoolkid who just wants to impress his friends or post on a forum what he’s doing so all his cyber mates can poke around until such time as they are blocked. Whatever the reason and motivation, this can cause a lot of distress and monetary loss, even closing down whole organisations (http://www.techeye.net/security/smooth-talking-hackers-take-down-companies-live), and these hackers are good at what they do, so we need to stay up with current trends and employ good, reputable help in dealing with this threat.

The kind of data being stored at Rapid Data Services is mainly monetary (banks and e-commerce), so this would be a prime location for a criminal to focus their intentions, as it contains all the information that the most scrupulous of hackers would be looking for, and it has an out-of-date or nonexistent security policy and so presents very little effort and/or risk for an accomplished hacker to invade.

The methods hackers use I will list for further consideration, and so that in the future a policy can be drawn that will focus on the main weaknesses:

Port scanning

Port scanners are probably the most commonly used scanning tools on the internet. These tools scan large IP spaces and report on the systems they encounter, the ports available, and other information, such as OS types. The most popular port scanner is Network Mapper (Nmap).

Vulnerability scanners

Vulnerability scanners look for a specific vulnerability or scan a system for all potential vulnerabilities. Vulnerability tools are freely available.
The most popular and best maintained vulnerability scanner available is Nessus.

Rootkits

The term rootkit describes a set of scripts and executables packaged together that allow intruders to hide any evidence that they gained root access to a system. Some of the tasks performed by a rootkit are as follows:

  • Modify system log files to remove evidence of an intruder’s activities.
  • Modify system tools to make detection of an intruder’s modifications more difficult.
  • Create hidden back-door access points in the system.
  • Use the system as a launch point for attacks against other networked systems.

Sniffers

Network sniffing, or just “sniffing,” is using a computer to read all network traffic, some of which may not be destined for that system. To perform sniffing, a network interface must be put into promiscuous mode so that it forwards, to the application layer, all network traffic, not just network traffic destined for it.

System Security and application security.

Hardware-based or hardware-assisted computer security offers an alternative to software-only computer security. Devices such as dongles may be considered more secure due to the physical access required in order to be compromised.

While many software-based security solutions encrypt the data to prevent it from being stolen, a malicious program or a hacker may corrupt the data in order to make it unrecoverable or unusable. Similarly, encrypted operating systems can be corrupted by a malicious program or a hacker, making the system unusable. Hardware-based security solutions can prevent read and write access to data and hence offer very strong protection against tampering and unauthorized access.

There are various strategies and techniques used to design security systems. However there are few, if any, effective strategies to enhance security after design.
One technique enforces the principle of least privilege to a great extent, where an entity has only the privileges that are needed for its function. That way, even if an attacker gains access to one part of the system, fine-grained security ensures that it is just as difficult for them to access the rest.

Software security is the idea of engineering software so that it continues to function correctly under malicious attack. Security testing techniques scour for vulnerabilities or security holes in applications. These vulnerabilities leave applications open to exploitation. Ideally, security testing is implemented throughout the entire software development life cycle (SDLC) so that vulnerabilities may be addressed in a timely and thorough manner. Unfortunately, testing is often conducted as an afterthought at the end of the development cycle. This tells us that it is imperative to choose a good, reputable software suite from the beginning so as not to face unnecessary problems in the future.

Physical security and risks to data.

I would like to pinpoint some issues regarding the physical security of the building, its contents and any and all data stored therein. Points that stand out after looking at the drawing include: more stringent means of securing doors and any windows; locks on all doors, including service entry points; sufficient backup if there is a loss of power, so secondary power supplies and UPS with an on-site power source; and the fire exit, which needs to be secured and accessible to any persons that are on the premises. Reorganising the layout to improve ventilation and the design of the building floor may also prove beneficial on many points. These are measures that need to be addressed first, to ensure that all measures are taken to protect persons, property and your livelihood.

  • Unsecure building, doors not locked and open
  • Inadequate alarm system
  • Insecure entrances and exits
  • Lack of surveillance cameras and staff
  • No fire procedure in place, no clear path to the outside
  • Fire extinguishers need to be maintained and on site
  • Battery backups for the electrical equipment, UPS
  • Secondary power supply
  • Adequate ventilation
  • Inadequate storage facilities (nonexistent)
  • Raised flooring (for ventilation, access, floods and fire)
  • Flood prevention measures
  • Dedicated data backup

To conclude.

To sum up the effects of not implementing some or all of these measures in the development of your business: you will only last so long in today’s high tech world if you continue without making changes. The most likely outcome is that you will eventually lose custom to a competitor with better security and a more secure facility, and at worst you will come under attack from a highly organised criminal who could cause yourself and your customers a great deal of loss and discomfort.

Summary of sites and sources

  • Software Security Assurance - Wikipedia, the free encyclopedia
  • MySpace Monitoring and Software Protection for Home and Business PCs
  • system security - Google Search
  • Smooth talking hackers take down companies live - Gift of the gab is better than a virus kit | TechEye
  • Real-life Scary Security Stories
  • network security stories - Google Search
  • Top 100 Network Security Tools
  • Network Security White Papers: Network Security Library
  • Network security - Wikipedia, the free encyclopedia
  • network security - Google Search
  • Information security - Wikipedia, the free encyclopedia
  • laws and regs data storage - Google Search
  • Physical and Environmental Security (ISO 9) - Internet2 Wiki
  • fire and flood protect my business. physical measures - Google Search
  • Fire & Flood Recovery | eHow.com
  • How can I protect my business from risk?
  • fire and flood protect my business - Google Search
  • Water Consultant, design and inspection
  • Fire & Water Protection UK Firefighting Equipment, Flood Control
  • Flood prevention measures and flood risk assessment | Flood Advice
  • fire and flood prevention measures in UK. who - Google Search
  • fire and flood prevention measures in UK - Google Search
  • Emergency management - Wikipedia, the free encyclopedia
  • fire and flood prevention measures - Google Search
  • Fire and Flood Solutions - How We Work
  • fire and flood prevention - Google Search
  • Building Security 101
  • Confidence and security-building measures - Wikipedia, the free encyclopedia
  • Security Engineering: A Guide to Building Dependable Distributed Systems Wiley Computer Publishing: Amazon.co.uk: Ross J. Anderson: Books
  • Security Engineering - A Guide to Building Dependable Distributed Systems - reviews
  • security buiding - Google Search
  • Top 10 Enterprise Security Risks - www.esecurityplanet.com
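
Added example (not part of the original report): the port-scanning paragraph describes tools that probe many ports and hosts, and the Network Security section notes that network events may be logged for later analysis. The sketch below shows one way a defender could spot that pattern in such logs. The log format, addresses, time window and threshold are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<ISO time> <action> <src_ip> <dst_ip> <dst_port>" (RFC 5737 addresses).
SAMPLE_LOG = """\
2024-01-10T09:00:00 DENY 203.0.113.7 192.0.2.10 21
2024-01-10T09:00:01 DENY 203.0.113.7 192.0.2.10 22
2024-01-10T09:00:01 DENY 203.0.113.7 192.0.2.10 23
2024-01-10T09:00:02 DENY 203.0.113.7 192.0.2.10 25
2024-01-10T09:00:02 ALLOW 203.0.113.7 192.0.2.10 80
2024-01-10T09:00:03 DENY 203.0.113.7 192.0.2.11 3389
2024-01-10T09:00:05 ALLOW 198.51.100.4 192.0.2.10 443
2024-01-10T09:03:00 ALLOW 198.51.100.4 192.0.2.10 443
2024-01-10T09:10:00 DENY 198.51.100.9 192.0.2.10 22
2024-01-10T09:40:00 DENY 198.51.100.9 192.0.2.10 23
malformed line that the parser must skip
"""


def parse(log_text):
    """Yield (timestamp, src_ip, dst_ip, dst_port) for each well-formed line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[2], parts[3], int(parts[4])
        except ValueError:
            continue  # bad timestamp or port: skip it, do not crash the detector


def detect_scanners(log_text, window=timedelta(seconds=60), threshold=5):
    """Return {src_ip: most distinct (host, port) targets seen inside one window}
    for every source that reaches `threshold` targets within `window`."""
    events = defaultdict(list)
    for ts, src, dst, port in parse(log_text):
        events[src].append((ts, (dst, port)))
    flagged = {}
    for src, hits in events.items():
        hits.sort()
        start, best = 0, 0
        for end in range(len(hits)):
            # Move the window start forward until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            best = max(best, len({target for _, target in hits[start:end + 1]}))
        if best >= threshold:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    for src, count in detect_scanners(SAMPLE_LOG).items():
        print(f"possible scan from {src}: {count} distinct targets within the window")
```

A source that revisits the same service repeatedly, like the constructed 198.51.100.4 entries, is not flagged, because only distinct host and port pairs inside the window are counted.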