The document discusses security measures for a solicitor's company including physical security cameras and locks, cybersecurity such as firewalls, antivirus software, and regular updates, access controls like administrator rights and discretionary access control, and backups stored on the cloud. While current security is adequate, improvements could include an alarm system, more secure encryption for sensitive data, and prioritizing RAM to isolate privileged processes. The security plan implemented has improved safety significantly but physical security could be strengthened further.
1. UNIT 11.
P4
Security plan: (definition from wiki.internet2.edu) a documented approach that addresses how an
organization will implement security measures.
But in the case of the I.T world: (definition from garlic.com) a document that is published by the line
manager of an IT system and presents the means by which that manager intends to secure the
system.
An (I.T) security plan for a business would include several, if not all, of the security measures
described in the previous PowerPoints for the unit; the tasks P3 and M2 cover this well.
Purpose
The purpose of this report is to show the “standard operating procedures” relating to “cyber
security”. It contains a comprehensive overview of the different security measures, plans and
procedures. This relates to a business with lots of online activity, as well as other activities, like
phone and face-to-face communication; an example of this would be a solicitors company.
Current security measures
The business that I am talking about will be a solicitors company. As a solicitors company they will
have a branch for face-to-face communication with customers, and as a place to store information
and conduct day-to-day business. As a building, several physical security measures are already in
place, as well as some cyber-security measures.
Cameras
There are 2 outdoor security cameras, covering the front and back exit. There are also 2 indoor
cameras, covering the manager’s office and the workers area. The cameras are checked when
necessary.
Virus protection
The business has a firewall to the computers, but it is not updated regularly. They all have Avast
anti-virus paid version. This covers spam-filters and virus protection.
Updates
Software is not updated regularly; it is updated when the employee remembers. A server could fix
this, but it is not used properly.
Backups
Backups are completed but not regularly. They contain a backup of the previous server state; this
includes all data, but no data is backed up to the cloud.
Internet
The internet is set up to be wireless, and has no passwords; this allows anyone to access the
network. No MAC filtering is set up.
Assets
Assets of a business can vary, but for solicitors, the assets could be the customer data and the trade
secrets. The business could have its figures for its financial department. It could also have its own
marketing strategies. Assets should be kept secure.
Different assets are:
1. Computers
2. Customer data
3. Business documents
4. Electrical equipment
5. Premises
Risks
In a business the risks should be minimised; to do this a risk assessment must first be carried out. An
example is below.
1. Physical threats
Theft of data
Damage to hardware
2. Cyber-threats
Malware---Spam
Hardware failure
Spyware
Viruses
Hackers
3. Natural disasters
4. Staff
a. Give up passwords through ‘social engineering’
b. Personal vendetta against you
Security Measures
1. Prevention
a. Firewall
b. Anti-Virus program
i. Spyware removal
ii. Virus removal
c. Operating System
i. Updating O.S
d. Removal of data
e. Staff
i. Stopping possible theft opportunities
2. Protection
a. Staff
i. Limiting their access
ii. Correct training
iii. Forcing policies on staff
b. Encryption
c. Backups
3. Access Control
a. Administrator rights
b. DAC
c. MAC
d. Prioritising RAM
4. Cloud
M3/D2 (and P5)
Prevention
Firewall
The use of a firewall is that of a preventative measure. The firewall is designed to filter out what is
authorised and what is not. The internet traffic going through the computer(s) is filtered by the
firewall; it stops unauthorised access to the system, but allows the access of the webpage you were
trying to load.
Any single computer has a firewall, but a network of computers, linked through the use of a server,
is able to use the network firewall. This allows greater control of what is permitted and what is not,
so the playing of games by the employees could be stopped on the network firewall, instead of
individually going round to each computer to block it.
Operating systems like Windows have a built-in firewall, but the router (hub or switch) you are using
also provides one. This is the way the servers immediately block unwanted internet access, and
traffic which may potentially slow down the bandwidth of your network.
A firewall should be updated to the most recent version; this ensures that it is working to the best of
its ability. A firewall should be included for any online activity.
Due to the fact that no viruses have been found over a duration of time (a full system scan was
regularly conducted to check for the presence of viruses), the firewall has done and continues to do
its job of keeping the system safe.
Anti-Virus software
Spyware removal
The use of spyware is that of a hacker; it allows him/her access into your system to read
files, and in most cases the affected person is unaware of this. In a business world this can be tragic
as it allows a competitor details about you and your customers, and it also breaches the Data
Protection Act. This could lead to a fine, or even a court sentence.
Most anti-virus software comes built to remove all types of malware, which includes spyware. But
for it to do this you must update the software to the latest version.
In a business world, the employee may purposely or forgetfully not do the regular updates, so
anti-virus for businesses (a server) is required; it allows access to the anti-virus from remote access.
The benefit of server anti-virus is that it updates and scans according to the server manager, so no
sabotage is permitted.
Virus Removal
As it was stated before, the use of anti-virus includes the removal of spyware and viruses. Viruses
can affect all manner of different things; because ‘virus’ is a broad term, it encompasses many
types of threats, but it could include the removal of sensitive data whilst also taking it for itself.
The use of a server-wide anti-virus is usually a pay-for option, but it is ultimately worth it if it keeps
your and your customers' data safe.
The software should be regularly updated and be made to do routine scans, to make sure nothing
goes onto the system and no virus is left on the system. Any internet activity should result in the
anti-virus program's presence.
After routine scans were completed, no viruses were found; other items, such as tracking cookies,
were found and were removed easily. This shows that the anti-virus software has done its job
effectively.
Operating System
The OS contains its own set of defences against attacks, such as a firewall, and constant patches (see
below).
Updating OS
Patches for flaws in the OS and the security of the system are free and are rolled out by the provider;
they are usually self-updating. But they can be changed to not do so. This can be stopped by one of
two things: administrator rights for each computer, or by having the entire system linked up via
server, where the server admin would control the updates. This is a form of the administrator method
(it’s a form of admin in itself). But it has one benefit: it can control all the computers at once, instead
of going round each one individually.
After the updates were installed, there were little to no reported bugs, and no security flaws
that people are aware of.
Although an upgrade to a later O.S may be needed in the near future as Windows 7 will eventually
run out of support from Microsoft.
Removal of Data
The removal of data properly is key to averting accidentally losing customer or business
data/secrets. For a business, data is either stored on the cloud and/or a HDD; the HDD can be wiped
of any data by either destroying the drive, or by deleting the partition that it is held on. For the sake
of cash-flow, re-using the drive would be wiser.
If data is stored on the cloud, a simple delete would erase the data; because the data would be held
by large companies, the chances of any attack on their services are minimal.
Although this program was installed on a USB stick, it is an easy-to-use example of using an application
to be able to securely remove files, so that they are not able to be brought back by a hacker
(compared to being put in the normal ‘recycling bin’).
Staff
Staff is a big security flaw among businesses, and so part of it is described here under the prevention
section, and the other part is under the protection section.
Preventing possible theft opportunities
Staff can either be bribed into going against you, or they can be tricked into giving away information;
other reasons like a personal vendetta are around but are not as common as the first two reasons
mentioned.
If a rival company wanted information from you, they could bribe your staff; this could be to give
their account passwords, or to retrieve information and delete it afterwards. What the rival
company does with the information is up to them, but it could be to steal a patented technology, or
to inform all of their customers about their cheaper rates.
To stop the information theft, constant password changes must be enforced, as well as DAC access
control (shown in later pages); other systems like MAC and Administrator rights could help
prevent theft.
Social engineering is when an employee is tricked into giving away information; passwords or
security questions are possibilities. Ways to counter this are to use a work e-mail that you set up and
change passwords automatically, and to train your staff into resisting social engineering.
Protection
Staff
Limiting their usage
For full details, this is covered above under the section ‘Prevention---Staff---Preventing possible theft
opportunities’.
Under the parental settings function, this cannot be accessed by the standard user; only the
administrator can use this function. With this you can control the time limits in which the user can log
on. But much more can be done, as shown below.
Correct training
For full details, this is covered above under the section ‘Prevention---Staff---Preventing possible theft
opportunities’.
Forcing policies on staff
For full details, this is covered above under the section ‘Prevention---Staff---Preventing possible theft
opportunities’.
Encryption
If data is to be transferred for some reason via removable or portable media (USB memory sticks,
portable HDDs, laptops, etc.), then in case of theft or loss of the data, it must be encrypted.
Encryption is a process of encoding information so that only authorised parties can access the media.
Unfortunately, media can be decoded, so the information is readable to unauthorised users. Strong
encryption (sometimes military grade may be needed) would be needed; this is where the
encryption is also encrypted, again and again. Media is not recommended to be moved about; this is
why much data is stored on the cloud, where there is strong encryption and the media is accessible
to the authorised users anywhere.
If data is transported by portable media storage, then it must be encrypted with appropriate
encryption software.
All USB sticks used by the company are now Lexar drives that come with ‘Secure 2’ free of charge.
This allows an encryption of data. But for more sensitive data that must be moved, a more secure
application is needed (of course the data being transported should also be saved to another, secure
location). Secure 2 is a way of encrypting data with a password to stop hackers and thieves from
seeing your data.
Backups
Sometimes an attack may not be to steal data, but to just delete it off of your systems. If your
business is very customer oriented (like a solicitors), then customer detail loss could potentially ruin
your business, and put it on a standstill. Having recent backups of your data can ensure that an
attack does not ruin your business. A recent backup could mean only minimal data (or none) is lost.
This would only halt your business for a few hours, not weeks!
All businesses that have a computer system should be required to keep regular backups in the case
of a cyber-attack.
This screenshot was taken before it was configured to do automatic backups (as shown), but it can
also be used to restore data, and if for some reason the most recent backup is corrupt, then a prior
backup can be used!
It has been a key way of protecting against theft.
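The fallback to a prior backup described above, shown as an added example (it is not part of the original report or of any backup product it used). It assumes a SHA-256 hash is recorded for each backup when it is written and that file names embed an ISO date; the file names and contents are constructed.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large backup archives are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def newest_valid_backup(backup_dir, manifest):
    """Return the newest backup whose hash matches the manifest, plus the rejects.

    manifest maps file name -> SHA-256 recorded when the backup was written.
    Names sort chronologically because they embed an ISO date (assumption).
    """
    rejected = []
    for name in sorted(manifest, reverse=True):
        path = os.path.join(backup_dir, name)
        if os.path.isfile(path) and sha256_of(path) == manifest[name]:
            return name, rejected
        rejected.append(name)  # missing or corrupt: fall back to a prior backup
    return None, rejected


def demo():
    """Constructed sample: three nightly backups, the most recent one damaged."""
    with tempfile.TemporaryDirectory() as backup_dir:
        manifest = {}
        for day in ("2024-03-01", "2024-03-02", "2024-03-03"):
            name = f"server-{day}.bak"
            path = os.path.join(backup_dir, name)
            with open(path, "wb") as fh:
                fh.write(f"client files as of {day}".encode())
            manifest[name] = sha256_of(path)
        # Simulate corruption of the latest backup after its hash was recorded.
        with open(os.path.join(backup_dir, "server-2024-03-03.bak"), "ab") as fh:
            fh.write(b"\x00garbage")
        return newest_valid_backup(backup_dir, manifest)


if __name__ == "__main__":
    chosen, rejected = demo()
    print("restore from:", chosen, "| rejected:", rejected)
```

The manifest of hashes should be kept somewhere other than the backup location, so that whatever damages or deletes the backups cannot also rewrite the recorded hashes.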
Access Control
Administrator rights
All companies that have a computer system should use the administrator functionality (admin).
Admin is a way of stopping regular users from changing settings and accessing unwanted files. With
modern O.S’s like ‘Windows 7’ you can not only stop the reversal of the changes to settings but you
can only allow the login, and usage of functions, within a certain time period, so there would be no
access to the computers over lunch, or after hours where there is no-one to supervise the staff.
Admin rights have a huge range of possibilities, and should be used accordingly with all businesses.
A user can be made administrator; this grants more power over the other users, and it also grants
more depth into the system. No actual data should be kept on the admin account, as it is the account
first to be attacked by hackers.
DAC
DAC (Discretionary access control) is a method of controlling the access of files and settings among
a server. DAC is discretionary, so it is up to the author of the document who has rights and who
doesn’t. A user can be set using the user accounts on the OS, or the actual MAC address of the
computer. A DAC setup would be essential for a multi-tiered business, with different branches of
products.
A solicitors company may not need to use DAC, but if there are several branches with a shared
server, then a DAC setup may be worthwhile.
The DAC setup for the server is shown below. It can be used from programs such as Microsoft
Office. It allows the author to choose users who can read and/or write.
MAC
MAC (mandatory access control) is better described on the P3 PowerPoint for the unit. This would
be good for a company who has staff on roughly the same level of expertise, with not many levels to
their business hierarchy. This is because the user is given a level such as “secret” or “top secret”, and
would then be able to access files with the corresponding or lower security tag. So a solicitors
company could have all of the basic employees able to access basic files, whereas the manager could
access all of that plus even more secret files.
MAC and DAC can be used together where necessary.
This has been used well in the server to stop staff compromising the integrity of the business's cyber
security and assets.
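How the DAC and MAC checks described above combine on one read request, as an added example (not the report's own server configuration). The staff names, file names and the "basic" level are constructed for illustration; "secret" and "top secret" are the levels named in the text.

```python
from dataclasses import dataclass, field

# Clearance levels in ascending order. "secret" and "top secret" come from the
# text; "basic" is an assumed lowest level for ordinary files.
LEVELS = {"basic": 0, "secret": 1, "top secret": 2}


@dataclass
class Document:
    name: str
    owner: str
    label: str                                # MAC tag set by policy, not by the owner
    acl: dict = field(default_factory=dict)   # DAC: user -> {"read", "write"}

    def grant(self, granting_user, user, *rights):
        """DAC: only the document's author decides who else gets access."""
        if granting_user != self.owner:
            raise PermissionError(f"{granting_user} does not own {self.name}")
        self.acl.setdefault(user, set()).update(rights)


def can_read(user, clearance, doc):
    """Allow a read only if both the MAC and the DAC check pass."""
    mac_ok = LEVELS[clearance] >= LEVELS[doc.label]   # same or lower tag
    dac_ok = user == doc.owner or "read" in doc.acl.get(user, set())
    return mac_ok and dac_ok


def demo():
    """Constructed staff and files for a small solicitors office."""
    clearance = {"manager": "top secret", "clerk": "basic", "paralegal": "secret"}
    will = Document("client_will.docx", owner="manager", label="secret")
    rota = Document("office_rota.xlsx", owner="manager", label="basic")
    will.grant("manager", "clerk", "read")      # DAC grant, but MAC still refuses
    will.grant("manager", "paralegal", "read")
    rota.grant("manager", "clerk", "read")
    results = {}
    for doc in (will, rota):
        for user, level in clearance.items():
            results[(user, doc.name)] = can_read(user, level, doc)
    return results


if __name__ == "__main__":
    for (user, name), allowed in demo().items():
        print(f"{user:10} {name:18} {'allow' if allowed else 'deny'}")
```

The clerk is denied the will even though the author granted read access, because the mandatory level check cannot be overridden by a discretionary grant; the paralegal is denied the rota because a sufficient level alone does not put a user on the author's list.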
Prioritising RAM
If the system allows, you can prioritise RAM for certain tasks; this would allow you to isolate
privileged processes from non-privileged processes. This could allow you to only allow RAM for
certain applications, and so no unauthorised applications which could possibly be a virus can be used
effectively.
This would be an essential piece for a business who is using the internet and computers for most
day-to-day operations. It could prevent potential problems, saving you time and money.
Cloud
The cloud is a useful tool to negate the costs of any maintenance and repairs to a small local server.
Using the cloud from trusted sources like Google and Microsoft could save money as they look after
your data for you, and as they are very big corporations, the software used to protect their data is
immense. The business could also benefit from the extras that having the cloud server brings.
Although if the business internet is down for a period of time, results could be catastrophic as no
data could be accessed.
Weighing up the pros and cons: if the company has trust in their ISP, then using a cloud based server
could be the best way to go.
P6
The security plan put in place has improved the security of the business dramatically. From the side
of physical security, an alarm system should have been put into place, as well as locks for the computers
to stop them from being stolen.
When it comes to cyber-security, the updates installed stopped all known security flaws, and the use
of an antivirus found and removed viruses when placed onto the computer (as part of a test); it also
made using the web much safer.
The use of encryption software was excellent, but just as a precaution, if more sensitive data was to
be transported, then a better piece of software would be used, to give ‘military grade encryption’.
The backups were good, as they provide a cheap, quick means of restoring data.
The access control methods have worked perfectly among the server. The DAC and MAC system
works well to stop unwanted eyes looking into business documents.
Using a cloud based system, the data is now safe from any major disasters, such as earthquakes and
tsunamis. This is because everything stored on the cloud is stored in several places around the globe.
The level of protection from these services is immense, and does not need testing.