This document provides an analysis of the information security infrastructure of an e-commerce home improvement company called Web-Tech Home Improvement (WTHI). It finds that the company's current physical and information security systems are insufficient and need improvement. Specifically, it identifies weaknesses in physical access controls, video surveillance, and the need to upgrade outdated security systems. The document proposes improvements to the security of WTHI's four distribution centers and information systems to better protect customer data and maintain the company's competitive advantage in the home improvement market.
Data security in a big data environment sweden - IBM Sverige
This document discusses data security challenges in big data environments. It notes that data breaches are common and costly for organizations. Several examples of recent breaches are provided that impacted companies like Target, a Canadian government agency, and healthcare providers. The document advocates for the IBM Guardium suite of data security products to help secure sensitive data across different systems and platforms through discovery, monitoring, masking, encryption and other techniques. It argues these tools are needed to reduce risks, costs, and protect brand reputation for organizations working with big data.
Computer Usage Policy
Password Policy
Email Usage Policy
Social Media Policy
Remote Access Policy
Data Classification and Handling Policy
Incident Response Policy
Business Continuity and Disaster Recovery Policy
These policies help protect business assets and define expected
employee behavior. They should be reviewed and updated regularly.
Global Finance, Inc. (GFI) is a financial company that manages thousands of accounts across North America and employs over 1,600 people. As the Computer Security Manager, you are responsible for protecting GFI's information systems and data. However, the CEO believes IT can be outsourced to cut costs, leading to budget and staff cuts that concern the COO. You must address security issues to convince the CEO of the value an internal IT department provides.
This document provides an overview of information security best practices for small businesses. It discusses the importance of information security for small businesses, common threats such as cybercrime and malicious software. It outlines the key components of information security as people, processes, and technology. It provides recommendations for security policies, backups, access controls, firewalls, software updates, and secure practices for email, wireless networks, and online activities. The document emphasizes establishing security as a foundational part of running a successful small business.
View on-demand recording: http://securityintelligence.com/events/how-vulnerable-is-your-critical-data/
Data infrastructures are highly dynamic, with changes in accounts, configurations and patches occurring regularly. Within your data infrastructure you need to understand the data. Not all data is the same. You need to protect the data that is considered high risk. However, most organizations lack the centralized control or skilled resources to review changes systematically to determine if they have introduced security gaps. While there are no silver bullets, there are key steps organizations can take to understand and reduce their risk and lower TCO.
In this presentation, Luis Casco-Arias, Senior Product Manager for IBM Security Guardium, describes best practices for:
- Assessing vulnerabilities and exposures
- Locking down critical data in various environments
- Aligning remediation workflows to prevent breaches and policy violations
Security solutions for a smarter planet - Vincent Kwon
This document summarizes IBM's security strategy and solutions for enabling a smarter planet. It discusses how security must be built into new technologies from the start to enable innovation while managing risks. IBM's approach focuses on foundational security controls, compliance, and helping customers securely adopt new models like cloud computing and virtualization.
ZS Infotech is an IT support services and security solutions provider located in Selangor, Malaysia. They offer a full range of IT services customized for businesses, including acting as the client's internal IT department. Their services include IT staff augmentation, endpoint security, cyber security, risk management, and infrastructure management. For IT staff augmentation, they provide additional IT expertise on an as-needed basis. Their endpoint security protects company devices from threats. Cyber security helps secure companies from online threats. They assess risks and help with risk mitigation. And they manage clients' IT infrastructure services.
Protecting Industrial Control Systems V1.2, Ahmad Alanazy, 2012 - Ahmed Al Enizi
The document discusses the critical importance of infrastructure systems like power plants, water treatment facilities, and transportation. It notes that these systems now face growing cybersecurity risks like Stuxnet and other attacks that could endanger lives and cause billions in damages. The document provides examples of past attacks on infrastructure systems dating back to the 1990s that impacted facilities like power plants and water treatment. It emphasizes that infrastructure systems are becoming more exposed to threats as they become more networked and integrated.
It is never possible to guarantee that a company is totally secure or that a breach will not occur; however, implementing the latest tools and providing ongoing end-user education will minimize those risks and allow companies to focus more on growing their business rather than repairing it.
This document provides an overview of network security for small to medium sized companies. It discusses how the nature of threats has evolved with increased connectivity, requiring companies to implement layered security strategies. The document outlines key aspects of a security program, including security plans and policies, operations, risk management, access control, and disaster recovery. It emphasizes the importance of a centralized security policy and identity management system to efficiently govern security across all company locations and domains. Overall, the document presents concepts and processes for protecting company assets and maintaining business continuity through a unified security approach.
The cybercriminals, hackers, data thieves - whatever you want to call them - know all about your data management challenges and know how to take advantage. They've been very clever at finding new ways to breach and extract data faster than ever. It can take weeks and months to discover a breach, by which time the damage has been done. So what's needed is a way of sensing what is happening or what might happen with real time monitoring and alerting - and even real time prevention across all your data, across the entire enterprise. IBM InfoSphere information protection solutions can help reduce the costs and risks of breaches with a more proactive and preventative approach to ensuring the security and privacy of all your data, regardless of platform and data source across the entire enterprise.
Managed Security For A Not So Secure World Wp090991 - Erik Ginalick
This white paper discusses the need for managed security services given the growing threat landscape and constrained IT budgets. It notes that good security requires continual monitoring and adaptation to new threats. Compliance with regulations is also difficult given shrinking resources. Outsourcing security to an expert provider allows organizations to focus on core operations while gaining access to skilled professionals, comprehensive solutions, and expertise in managing security risks. The white paper concludes that a managed security strategy can help reduce costs and ensure compliance while allowing IT staff to focus on business needs.
The document contains summaries of various publications covering topics such as small business security, endpoint protection performance, hydraulics and pneumatics design, medical device design, machine design, motion system design, VoIP phone systems, IT management, data protection, malware protection, data compression, database security, retail operations, network infrastructure, security software, recruitment tools, and social recruiting tools. Each summary is 1-3 sentences describing the purpose or focus of the publication.
As you move your IT Infrastructure into the cloud, how secure can you expect your applications to be? Join Alert Logic and Internap on this webcast for an enlightening discussion on the state of cloud security and how it impacts security management decisions, especially in the context of deploying infrastructure to hosted and cloud environments.
A 5 step guide to protecting backup data by Iron Mountain - Pim Piepers
This document discusses the growing problem of data theft and security breaches. It provides the following key points:
- Data theft and security breaches have been issues since the inception of business computing, but they have become far more common in recent years due to factors like money to be made from stolen data and the increased accessibility of confidential information.
- While organizations invest heavily in perimeter security like firewalls, internal threats are underprotected as storage infrastructure and backup data remain insecure. Backup encryption is rarely used despite tapes containing sensitive data.
- To properly address data security risks, the document recommends that organizations develop comprehensive security strategies that integrate storage protection best practices, including encrypting backup data.
Managing and administering software updates remains one of the most challenging and resource-intensive tasks an IT Department undertakes on a daily basis. This white paper examines the important role played by patch management to help organizations keep their PC real estate fully up-to-date with the latest security patches, without unduly compromising reliability, productivity, security and data integrity.
Hiring Guide to the Information Security Profession - amiable_indian
The document provides an overview of the information security profession and guidance for hiring information security professionals. It discusses the expanding role and types of jobs in the field, ideal traits for professionals, typical career paths, how to craft job descriptions and the importance of certifications. The document is a hiring guide intended to help HR, recruiters and hiring managers better understand the scope of the information security profession and find qualified candidates.
IBM Security Systems presents security intelligence as a multi-dimensional approach to securing information resources. Security intelligence provides comprehensive insight by collecting, normalizing, and analyzing data from users, applications, and infrastructure. This real-time monitoring allows organizations to understand normal behavior and detect anomalies to identify security incidents. Security intelligence solutions from IBM offer extensive data sources, deep intelligence, and exceptionally accurate and actionable insights.
This document provides a summary of a presentation on IBM's MobileFirst Reference Architecture. The presentation focuses on management and security capabilities for mobile applications and devices. It discusses challenges for enterprises in developing, deploying and managing mobile apps at scale. The MobileFirst Reference Architecture provides architectural patterns, use cases and best practices for integrating mobile solutions with cloud, enterprise and SAP systems while meeting requirements for industries like banking, telecom and government. It aims to help organizations accelerate mobile project delivery.
Often, when organizations are expanding rapidly, they do not give sufficient and necessary focus to information security aspects and guidelines, specifically IP protection.
The document provides an overview of ADP/IT position of trust designations required for government contracts involving IT services or access. It defines ADP and IT, outlines the three position levels (I, II, III), and explains the history and basis in public law and directives like DoD 5200.2-R. It also summarizes compliance with standards including DISA STIG, NIST 800-53, and outlines roles and responsibilities that must be defined in contracts to ensure oversight and monitoring of external service providers.
Horizon Data Center Solutions is a secure, stable and scalable IT infrastructure as a service (IaaS) provider. It operates three tier III data centers with redundant power and networking. Horizon was the first IaaS provider to receive Authority to Operate from the US government, demonstrating its data security and compliance with standards like SAS 70 and NIST 800-53. It offers infrastructure as a service, including compute, storage and networking resources that are customized and can scale easily for customer needs.
Industrial Control Security USA Sacramento California Oct 6/7 - James Nesbitt
Industrial Control Cybersecurity USA October 6th and 7th
Sacramento California USA
Identify, protect, detect, respond and recover.
All stakeholders have a new responsibility in ensuring the safety, reliability and stability of our Critical National Infrastructure. Public and Private partnerships are paramount and information sharing on an international level a priority. We will be addressing key areas of vulnerability, threat detection, mitigation, and planning for the Energy and Water Sector.
The document discusses upcoming security challenges for the Internet of Things (IoT) and introduces Warden, an autonomous security solution developed by Delve Labs. Current security strategies are insufficient for IoT due to a shortage of security professionals and incomplete asset visibility. Warden uses artificial intelligence to autonomously perform continuous vulnerability assessments without human supervision, scaling to cover all IoT assets. It aims to mimic expert methodology while reducing false positives through deep learning. Warden generates data to help prioritize issues and integrate with other tools via APIs.
Horizon Data Center Solutions provides secure, scalable infrastructure-as-a-service from its three tier III data centers. It offers solutions for global enterprises, US federal government agencies, and mid-market companies. Horizon completed stringent audits to receive an Authority to Operate from the US government, demonstrating its data security and compliance capabilities.
For more course tutorials visit
www.tutorialrank.com
CSEC 610 Project 1 Information Systems and Identity Management
CSEC 610 Project 2 Operating Systems Vulnerabilities (Windows and Linux)
CSEC 610 Project 3 Assessing Information System Vulnerabilities and Risk
GLOBAL ASSET, INC. (GAI) Global Asset, Inc. (GAI) is a fin.docx - budbarber38650
Global Asset, Inc. (GAI) is a financial company that manages thousands of customer accounts across North America. As the Computer Security Manager, you are responsible for protecting GAI's information systems and networks. However, the CEO wants to outsource more IT functions to cut costs. Two past security incidents resulted in lost customer data and revenue. You must make the case for maintaining internal security capabilities to protect GAI's systems and data.
The document discusses best practices for physical security in data centers from the perimeter ("curb") to the core (server racks). It emphasizes that physical security is critical given how much organizations rely on data. A "curb to core" approach is recommended to secure the entire facility through layers of protection from the property boundary to the critical server infrastructure. Standards like HIPAA, PCI DSS, and NERC mandate data protection but allow flexibility in implementation. The document outlines physical security measures for perimeter, entrance, interior spaces, critical infrastructure areas, server cages, and server racks.
The document summarizes and compares IBM and EMC's strategies for information infrastructure. It finds that IBM takes a more holistic, solution-oriented approach to address all customer needs, while EMC maintains a stronger product focus through its disk, security, and content management business units. The document also notes that IBM can provide a more complete set of hardware, software, services and financing to support customers' information infrastructure transformations.
Centuric is an IT outsourcing company that has been in business since 2001. They offer a range of managed services and products focused on network security, compliance, and infrastructure buildouts. Their goal is to help clients focus on their core business by taking ownership of their IT needs. Centuric works with leaders in technology and has experience delivering solutions to both regulated and commercial industries. They aim to provide around-the-clock support and innovative solutions to reduce costs and risks for their clients.
GLOBAL FINANCE, INC. (GFI) Global Finance, Inc. (GFI.docxaryan532920
GLOBAL FINANCE, INC. (GFI)
Global Finance, Inc. (GFI) is a financial company that manages thousands of accounts across Canada, the United
States, and Mexico. A public company traded on the NYSE, GFI specializes in financial management, loan
application approval, wholesale loan processing, and investment of money management for their customers.
The diagram below displays the executive management team of GFI:
Figure 1 GFI Executive Organizational Chart
BACKGROUND AND YOUR ROLE
You are the Chief Security Officer, hired by COO Mike Willy, to protect the physical and operational
security of GFI’s corporate information systems. Shortly after starting in your new position, you recognize
numerous challenges that you will be facing in this pursuit.
Your primary challenge, as is usually the case, is less technical and more of a political nature. CEO John
Thompson has been swept up in the “everything can be solved by outsourcing” movement. He believes
that the IT problem is a known quantity and feels the IT function can be almost entirely outsourced at
fractions of the cost associated with creating and maintaining an established internal IT department. In fact,
the CEO’s strategy has been to prevent IT from becoming a core competency since so many services can
be obtained from 3rd parties. Based on this vision, the CEO has already begun downsizing the IT
department and recently presented a proposal to his senior management team outlining his plan to greatly
reduce the internal IT staff in favor of outsourcing. He plans on presenting this approach to the Board of
Directors as soon as he has made a few more refinements in his presentation.
COO Willy’s act of hiring you was, in fact, an act of desperation: the increasing operational dependence on
technology services combined with a diminishing IT footprint gravely concerned Mike Willy, and he
begged to at least bring in an Information Security expert with the experience necessary to evaluate the
current security of GFI’s infrastructure and systems. The COO’s worst nightmare is a situation where the
Confidentiality, Integrity, and Availability of GFI’s information systems were compromised – bringing the
company to its knees – then having to rely on vendors to pull him out of the mess.
COO Willy has reasons for worrying. GFI has experienced several cyber-attacks from outsiders over the
past few years:
• In 2013, the Oracle database server was attacked and its customer database lost its confidentiality,
integrity, and availability for several days. Although the company brought the Oracle database
server back online, the loss of confidentiality damaged the company's reputation. GFI ended up paying
its customers a large settlement for their loss of data confidentiality.
• In 2014, another security attack was carried out by a malicious virus that infected the entire
[Figure 1 residue: CEO: John Thompson; Vice President: Trey Elway; Executive Assistant: Kim Johnson]
...
IT Security at the Speed of Business: Security Provisioning with Symantec Dat...Symantec
Today’s data centers are transitioning into software-defined data centers (SDDC). In the SDDC, the core elements of the infrastructure—storage, server and compute, networking, databases, and business applications—are virtualized and delivered as services. The deployment, provisioning, configuration, management and operation of the entire infrastructure is abstracted from hardware and implemented through software. The infrastructure resources across the stack are application-centric, and customers have the ability to provision IT assets across their public cloud, private cloud, and on-premise domains. These SDDC capabilities are intended to enhance an enterprise’s ability to quickly respond to new opportunities and emerging threats.
Cloud & Big Data - Digital Transformation in Banking Sutedjo Tjahjadi
Datacomm Cloud Business Overview
Making Indonesia 4.0
Digital Transformation in Banking Industry
Introduction to Cloud Computing
Big Data Analytics Introduction
Big Data Analytics Application in Banking
"In this issue of “The 10 Most Trusted Companies in
Enterprise Security” Insights Success has shortlisted
those enterprise security providers which are providing
solutions that are systematically profile and
contextualize security threats with a level of detail and
granularity that has never been achieved before."
Challenges and Security Issues in Future IT Infrastructure ComponentsMubashir Ali
Over the past 2 decades, the information technology infrastructure has gone through an exponential change with the introduction and evolution of new technologies and trends. Organizations previously having their data on-premise and their infrastructure comprising of multiple server machines on multiple server racks and dedicated client personal computers (PCs) are moving towards cloud computing & virtualization to Smartphone and tablets. This rapid advancement and constant change, although increasing productivity for the organizations is resulting in a rising number of challenges and security issues for the organizations, their managers, IT administrators and technology architects. This paper discusses the future IT infrastructure components and the challenges & security issues that arise after their implementation that needs to be taken care of in order to get the full advantage of IT.
A Non-Confidential Slide Deck for CSR-Support and its dba Cyber Support Solutions. We have a proprietary solution to stop Data Breaches and allow personal liberties from the same computer terminal.
We are witnessing an onslaught of attacks coming in from highly organized cybercriminals. It is so bad, in fact, that the situation was recently described by U.S. Secretary of State, John Kerry as, “…pretty much the wild west…”.
By United Security Providers
GLOBAL FINANCE, INC. (GFI) Global Finance, Inc. (GFI) is a.docxbudbarber38650
GLOBAL FINANCE, INC. (GFI)
Global Finance, Inc. (GFI) is a financial company that manages thousands of accounts across Canada, the United
States, and Mexico. A public company traded on the NYSE, GFI specializes in financial management, loan
application approval, wholesale loan processing, and investment of money management for their customers.
GFI employs over 1,600 employees and has been experiencing consistent growth keeping pace with S&P averages
(approximately 8%) for nearly six years. A well-honed management strategy built on scaling operational
performance through automation and technological innovation has propelled the company into the big leagues; GFI
was only recently profiled in Fortune Magazine.
The executive management team of GFI:
CEO: John Thompson
Vice President: Trey Elway
Executive Assistants: Julie Anderson, Kim Johnson, Michelle Wang
CFO: Ron Johnson
COO: Mike Willy
CCO: Andy Murphy
Director of Marketing: John King
Director of HR: Ted Young
Figure 1 GFI Management Organizational Chart
BACKGROUND AND YOUR ROLE
You are the Computer Security Manager educated, trained, and hired to protect the physical and operational
security of GFI’s corporate information system.
You were hired by COO Mike Willy and currently report to the COO. You are responsible for a $5.25m
annual budget, a staff of 11, and a sprawling and expansive data center located on the 5th floor of the
corporate tower. This position is the pinnacle of your career – you are counting on your performance here
to pave the way into a more strategic leadership position in IT, filling a vacancy that you feel is so
significantly lacking from the executive team.
There is actually a reason for this. CEO John Thompson believes that the IT problem is a known quantity –
that is, she feels the IT function can be nearly entirely outsourced at fractions of the cost associated with
creating and maintaining an established internal IT department; the CEO’s strategy has been to prevent IT
from becoming a core competency since so many services can be obtained from 3rd parties. Since the CEO
has taken the reins two years ago, the CEO has made significant headway in cutting your department’s
budget by 30% and reducing half of your staff through outsourcing. This has been a political fight for you:
maintaining and reinforcing the relevance of an internal IT department is a constant struggle. COO Willy’s
act of hiring you was, in fact, an act of desperation: the increasing operational dependence on technology
combined with a diminishing IT footprint gravely concerned Jacobson, and he begged to at least bring in a
manager to whom these obligations could be delegated to. Jacobson’s worst nightmare is a situation where
the Confidentiality, Integrity, and Availability of the information system was compromised – bringing the
company to its knees – then having to .
Executive panel discussion at the 2010 BDPA Technology Conference on "Federal IT Initiatives".
Panel members: John James (US Navy), Bob Whitkp (US Navy), Tony McMahon (IRS) and Dr. Anthony Junior (US Navy)
CompTIA CySA+ Domain 2 Software and Systems Security.pptxInfosectrain3
The CompTIA Cybersecurity Analyst+ certification (also known as CySA+) is a vendor-neutral certification for cybersecurity, threat, and vulnerability analysts. It focuses on security analytics and the actual application of security solutions in real-world situations.
Tim Warren is the Lead Engineer and Vice President of Information Security at Neuberger Berman, a financial services company. His role involves managing the company's information security program, which aims to maintain the confidentiality, integrity and availability of information systems and data. Common information security roles include Chief Information Security Officer, Security Engineer, and Information Security Analyst. The field is growing due to increased demand to protect against cyber threats like ransomware, phishing, and identity theft.
Capstone Project. This was a group effort to build a Networked Point of Sale system for a small pharmacy chain in the Ohio Valley. The major selling point was compliance with Federal Regulations surrounding Ephedrine sales.
The document proposes a wireless infrastructure solution for 10 ABC Sporting Goods retail store locations consisting of:
1) A WLAN implemented in each store using Cisco switches, wireless controllers, and access points.
2) A WWAN using Cisco routers and firewalls to interconnect the 10 stores.
3) A mobility solution allowing remote sales personnel to access the network and databases using handheld devices.
There is an actual interview in this project, but names of the company and the engineer and associated products and acquisitions were changed for legal protection purposes.
The document provides a technical discussion and recommendations for implementing a wireless network solution for the ABC chain of sporting goods stores. It discusses implementing separate WLAN, WWAN, and mobility components. For the WLAN, it recommends installing Cisco 4500 series switches with PoE and Cisco 1240AG series access points in each store. A Cisco PIX 506E firewall is also recommended for each store. The WWAN would connect the 10 stores using Cisco 2800 routers with 3G WWAN cards and external antennas from Verizon Wireless. The solution would allow remote employees to access inventory and process orders using smartphones.
1) WTHI is implementing an enhanced corporate security plan across its 4 locations to address issues with its existing security systems and wide area network (WAN).
2) The plan includes upgrading the video surveillance, badge access control, WAN, firewalls, intrusion detection, web filtering, anti-spam, antivirus, and VPN.
3) The total capital cost is $442,079 and annual recurring costs are $131,200 but the revenue generated would cover these costs within a few hours, demonstrating a quick payoff period. Failing to upgrade security could result in network downtime costing $45,000 per hour.
Chris McCoy offers technology consulting services to help businesses achieve their vision by building stronger, faster networks and securing information while reducing costs and streamlining objectives. With over 10 years of industry experience in network design, data center infrastructure, and project leadership, Chris's mission is to add business value through reliable and scalable technology solutions that improve productivity and continuity. Chris's vision is to leverage strategic approaches to technology in order to lower costs and create competitive advantages for clients.
1. ‘Web-Tech Home Improvement’
An Analysis of the Information Security Infrastructure
For an E-Commerce Home Improvement Company.
SE571 – Term Project
Course Project
Final Report
Chris McCoy
Keller Graduate School of Management
DeVry University
3/13/2007
2. SE571 - Web-Tech Home Improvement’ Chris McCoy
An Analysis of the Information Security Infrastructure
for an E-Commerce Home Improvement Company.
SE571 - Course Project
Presentation to the Board of Directors – WTHI (Web Tech Home Improvement)
Members of the Board, it is a pleasure to address you today on the subject of Corporate
Information Security. As you may be aware, the security of information here at WTHI is critical to
the company’s ability to maintain its competitive advantage as a Domestic Supplier of Home
Improvement Fixtures. Today, we are proud to lead in our market by way of a strategic sales
channel that allows our customers to receive their home improvement items faster than they would
from our other online competitors.
I would like to share with you a quote from the recent InfoSec conference held in Florida
at the end of March, “Attackers probably have less interest these days in bringing down large
numbers of computers than exploiting the data in them for financial gain, said Doug Sweetman,
senior technology manager in corporate information security at Boston financial services firm
State Street.”1 (As cited in Network World, 2007)
These words from Mr. Sweetman should be considered our call to arms to improve the
current state of our corporate security. It is a loud and powerful wakeup call that we cannot
ignore. In order to maintain our competitive advantage, expand our marketing channels and
improve upon our abilities for future growth, we must first consider the improvement of those
safeguards necessary to protect our vital technological resources: our four distribution centers,
supply chain systems, our e-commerce database information and our datacenters, containing the
equipment needed to support the transactions from which we generate and grow revenue via our
most powerful resource, the World Wide Web. The financial exploits mentioned in the quote from
‘InfoSec’ are our financial and transactional e-commerce data. This data is the vital link between
us and our customers. It is at the heart of our competitive edge. The key to keeping that link strong
is maintaining a powerful, secure, well monitored environment where our physical and
information assets are protected in an ongoing process. We have made great strides, but the time
to take great action is now.
1 Messmer, E. (2007, March). Net security experts share tips. Network World, 24(12), 1,10. Retrieved April 5, 2007, from ABI/INFORM Global database. (Document ID: 1247736921).
This report will discuss the current status of our physical and information security
infrastructure and the steps we must take to improve these systems to better protect our data and
maintain our leadership position in the ‘Home Improvement Appliance’ market.
There are 2 major components that make up the security of our information enterprise.
First is the physical security of our 4 locations. Our ability to perform adequate video surveillance
and access control at each of these sites is critical to protecting our information and physical
assets. Second is the protection of our data, databases and complete information systems
infrastructure. Finally, a third component is necessary to tie these two items together: Increased
Bandwidth and Restructuring of our Wide Area IP Network. Such an increase will allow us to
support the need for additional bandwidth and security required by the new technologies
introduced later in this report.
Following a comprehensive analysis of the security here at WTHI, we have determined
that the existing security infrastructure must be improved if we are to continue our competitive
advantage. To ignore this critical need could cost us this leadership position in the market or
worse, compromise the integrity and security of our data. A recent report from our CFO indicates
that the company’s current e-commerce revenue averages $45,000.00 per hour. In the event our e-
commerce capability is interrupted due to a security breach, we will lose $750.00 per minute in
revenue. Most of this revenue will go to one of our competitors, either traditional ‘brick and
mortar’ (physical) store locations such as “Home Depot”, “Lowe’s”, “True-Value Hardware”,
“Sears”, and “The Home Expo Center”, or competitors in Web-based e-commerce sales,
such as “Fixture Universe” (www.fixtureuniverse.com), “Finestfixtures.com”
(www.finestfixtures.com). With every minute of lost revenue, comes a lost minute of competitive
advantage as we come one step closer to losing our market share in the online home improvement
market. With our current Information Technology and Information Security infrastructure, there is
no question as to if we will suffer an outage. It’s simply a matter of when. The purpose of today’s
presentation is to show you where we are, where we need to be, and what we need to do to get
there in terms of a Capital Investment in the Security of our Physical and Informational Assets.
Though the picture painted here is not pretty, there is good news. The proposed plan of
Security for WTHI has a very short ROI. Approximately 10 hours of revenue will pay for the
required improvements to our infrastructure. Every 3 hours of revenue will pay for 1 year of WAN
service, and 1 hour of revenue will cover more than 2 years of technical support on every piece of
equipment shown in today’s presentation.
To begin our presentation, we will look at the physical security in place at all four of our
distribution centers. Today, the buildings in our Washington DC, Los Angeles, Dallas, and
Chicago offices are all secured via ‘Acme Security’, a vendor we selected 3 years ago to provide
on site security guards and camera monitoring. Today, these security guards continue to work hard
to meet the Service Level Agreements of our contracts, but these SLA’s are no longer sufficient to
provide WTHI with a system capable of keeping our Datacenters safe from intrusion and theft.
There are two major technology components in the Physical Security Plan:
1. Physical Access Control to the Building perimeters, parking lot, and front door, loading dock,
elevators and specific internal areas such as the Warehouse and Computer room where access
should be restricted. A need to control access using individual employee badges is identified
below.
2. Closed Circuit Video Camera Surveillance of the critical access areas including the main
entrance, parking lot, lobby, computer room, loading docks, and inside warehouse.
The diagram below shows the current state of the camera surveillance and physical perimeter
access control (none) in place and identifies areas where security weaknesses exist.
This diagram identifies four weaknesses in our current facilities security plan:
1. There is No way to track who is in the building at any given time of the day.
2. The Camera System reports to a local camera monitor and is recorded locally to video tape,
but each tape only holds 8 hours of video. Should the guard forget to change tapes, there will
be no record kept of the security video.
3. The Data Center Doors and Perimeter Doors offer no way to limit entrance into critical areas
such as the Data Center.
4. The camera systems are antiquated and need to be replaced. Identifying minor details in the
video image is difficult.
A security solution is required to mitigate the risk of an intrusion into our buildings and theft
of our information systems and assets.
A network-based video solution is recommended to help better manage the perimeter access to all
four of WTHI’s facilities. In an article from the “Journal of Housing and Community
Development” the important value of investment in such a system is highlighted, as Stennett and
Wren (2006) observe, "By supporting access control and other systems, network video can
improve their effectiveness and even generate additional return-on investment on those
technologies.”2
Technology Solution
With a digital video system, smaller ‘ptz’ analog video cameras will record continuously to a
digital video recorder where their signal format is transformed from analog to digital, then stored
on a large hard drive and transferred to the central Chicago security center’s main DVR unit. This
recorder will offload its digital video across the network to a central server in the Chicago Office
once the Digital recorder reaches 70% capacity. The additional 30% is planned ‘overhead’ digital
storage capacity that will allow the recorder to continue to capture video in the event of a network
outage where the regular transfer of footage cannot be completed at its scheduled time.
2 Stennett, C. A., & Wren, A. (2006, November). TECHNOLOGY AND SAFETY: How Network Video Can Help Increase Security at Public Housing Authorities. Journal of Housing and Community Development, 63(6), 28-30,32. Retrieved March 12, 2007, from ABI/INFORM Global database. (Document ID: 1183865131).
The following diagram provides a visual representation of the proposed video solution:
Note that the Camera system can now be monitored locally and remotely.
The digital capability allows deeper analysis of the video with more sophisticated analysis
tools in order to identify intruders and unauthorized access.
Cost information for proposed solution:
Solution: Digital Video

Vendor info: Vicon Systems
  4 DVRs @ $8,000.00 ea = $32,000.00
  36 PTZ Cameras @ $463.85 ea = $16,698.60
  Central Console $1,352.65, joystick control unit: $200.00 = $1,552.65
  Digital Video Archive: EMC Clariion Ax (500 Gb expandable archive) $6,000.00
  Total Cost - Video: $56,251.00

Vendor info: Alternative Security
  (4) 9-camera complete systems w/cameras and DVR's @ $2,699.00 ea = $10,796.00
  PTZ Cameras: n/a (included above)
  Central Console $1,352.65, joystick control unit: $200.00 = $1,552.65
  Digital Video Archive: EMC Clariion Ax (500 Gb expandable archive) $6,000.00
  Total Cost - Video: $18,348.65
A diagram of the proposed DVR Centralized monitoring system is shown below:
As shown in the diagram above, camera footage is recorded locally into a DVR (Digital Video
Recorder) unit. Each unit at each office is connected via the local area network and managed using a fixed
IP address. Once the unit is configured with its IP information, it can communicate with the Master Control
unit in Chicago, where it offloads video to a central storage device as shown above. The device will archive
video for a predetermined time so it can be accessed later if needed for legal review.
Physical Access to Buildings and Facilities
The second major component of physical security at WTHI is the physical access control to all
WTHI’s buildings. The current model of physical access control consists of a security guard seated at the
main security desk in the lobby of each of our four locations. This guard asks all employees to show a
badge. He/She also asks visitors to sign in on a ledger and show a valid ID such as a driver’s license or
military ID. Once ID is verified, the security guard issues a sticker with the word “visitor” and the current
date. There is nothing more than a visual indicator that the visitor has had his/her ID checked at the front
desk. There is also no policy requiring visitors to sign out. We really don’t know when they come and go,
only the date they were at our office.
Fortunately, technological advances in building security systems will allow us to move forward
with a new system that will provide WTHI with an elaborate means for tracking employee and visitor
movement throughout the building. This new system will involve issuance of a new employee badge for
every employee at each site. The badge will have the Company logo, employee name and picture as well as
the employee ID number. The badge will contain a small electronic chip called an RFID chip. A special
device designed to read the information from this chip (called a badge reader) will be installed at every
perimeter access point in each location. An additional badge reader will be installed in the elevator and on
the outside main entrance door to validate after-hours and weekend access. These readers will have a
keypad, which will verify the employee’s company issued pin number. The employee will hold the badge a
few inches from the reader. The reader will beep and a small display window will prompt the employee to
enter his/her pin number. When this is verified, the reader will either grant or deny access to the employee.
When access is granted, the reader sends a message to the control panel to unlock the door. If the
employee’s access is denied, the door will remain locked. Note, not all employees should be given access
to all areas. For example, warehouse employees have no need to enter the data center; however, an IT
employee may need to enter the warehouse to fix a PC for shipping and receiving. Employees will be
trained in the use of badge reader systems. Additional fingerprinting and training will be required for
warehouse employees, as the warehouse perimeter access units will have an additional biometric
fingerprint reader. Employees will be encouraged to enter all doors, one person at a time. Holding doors for
others is discouraged by security, and can be tracked on the camera system. Should a security officer
observe an employee allowing others to enter through the same door, the manager of the employee who
swiped his/her badge at that particular door will be contacted and notified of the event. Repeat violations
will be reported to HR.
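The badge, PIN, zone and fingerprint checks described above, sketched as an added example (it is not part of the original report or of any vendor's software). The role names, zone table, PIN values and the three-failure lockout are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed policy: roles allowed per zone. Warehouse staff cannot enter the
# data center; IT staff can enter the warehouse (the case given in the text).
ZONE_ROLES = {
    "lobby": {"office", "warehouse", "it"},
    "warehouse": {"warehouse", "it"},
    "data_center": {"it"},
}
BIOMETRIC_ZONES = {"warehouse"}  # warehouse perimeter readers also check a fingerprint
MAX_PIN_FAILURES = 3             # assumption: disable a badge after repeated bad PINs


def hash_pin(pin, salt):
    """PINs are stored as salted PBKDF2 hashes, never in clear text."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class Badge:
    badge_id: str
    employee: str
    role: str
    salt: bytes
    pin_hash: bytes
    enabled: bool = True
    pin_failures: int = 0


@dataclass
class AccessController:
    badges: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def enroll(self, badge_id, employee, role, pin):
        salt = os.urandom(16)
        self.badges[badge_id] = Badge(badge_id, employee, role, salt, hash_pin(pin, salt))

    def _record(self, when, badge_id, zone, granted, reason):
        # Every attempt is logged, granted or not, so movement can be reconstructed.
        self.audit_log.append({"time": when, "badge": badge_id, "zone": zone,
                               "granted": granted, "reason": reason})
        return granted, reason

    def request_entry(self, badge_id, zone, pin, fingerprint_ok=False, when=None):
        """Decide whether the control panel should unlock the door for this read."""
        when = when or datetime.now(timezone.utc)
        badge = self.badges.get(badge_id)
        if badge is None:
            return self._record(when, badge_id, zone, False, "unknown badge")
        if not badge.enabled:
            return self._record(when, badge_id, zone, False, "badge disabled")
        # Constant-time comparison of the PIN hash.
        if not hmac.compare_digest(hash_pin(pin, badge.salt), badge.pin_hash):
            badge.pin_failures += 1
            if badge.pin_failures >= MAX_PIN_FAILURES:
                badge.enabled = False  # re-enabled only from the central console
            return self._record(when, badge_id, zone, False, "bad PIN")
        badge.pin_failures = 0
        if badge.role not in ZONE_ROLES.get(zone, set()):
            return self._record(when, badge_id, zone, False, "zone not permitted for role")
        if zone in BIOMETRIC_ZONES and not fingerprint_ok:
            return self._record(when, badge_id, zone, False, "fingerprint required")
        return self._record(when, badge_id, zone, True, "granted")

    def last_known_zone(self):
        """Employee -> last zone entered, derived from granted events in the log."""
        seen = {}
        for event in self.audit_log:
            if event["granted"]:
                seen[self.badges[event["badge"]].employee] = event["zone"]
        return seen


if __name__ == "__main__":
    ac = AccessController()
    ac.enroll("B1", "alice", "it", "4821")        # constructed sample employees
    ac.enroll("B2", "bob", "warehouse", "7710")
    print(ac.request_entry("B2", "data_center", "7710"))
    print(ac.request_entry("B1", "data_center", "4821"))
    print(ac.last_known_zone())
```

The log records denied attempts as well as granted ones, which is what allows repeated failures at a data center door to be reviewed later.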
The diagram below shows placement of access point badge readers for all critical access areas:
Cost Information – Badge Access System
Due to limited pricing availability of components, a mixed solution cost from 2 vendors is shown:
Solution: Perimeter Badge Access Control
Vendor and cost info:
  Software House Ccure Badging System: $1,000.00 (4) = $4,000.00
  Control Panels: $450.00 (8) = $3,600.00
  ACTAtek badge readers: $790.00 (26) = $20,540.00
  ACTAtek Fingerprint and HID ProxI/II Combo badge and biometric readers: $1,590.00 (8) = $12,720.00
  Door Strikes: $175.00 (32) = $5,600.00
  Door Relay units: $179.00 (32) = $5,728.00
Total Cost - Badge Control System: $52,188.00
Central Control of Panel Access
Occasionally, a badge may need to be enabled or disabled or have its access level changed. Should such a
request arise, the change is made centrally from the Chicago Security Center. Below is a diagram showing
the connectivity of the panels into the central control facility.
Physical Security Plan Purchase and Contract Requirements including SLAs
The implementation of this 2 part solution will be a combined integration project for IT and a
selected vendor. Required actions to complete the implementation of this solution include:
1. Negotiate purchase price (based on cost information included above) for all equipment including
cameras, collection units, and central monitoring equipment to be located in the Chicago Data Center.
A total of four separate computer ‘badging’ systems with encoding capability must be purchased (one for
each location). A digital fingerprint component is also required for fingerprinting employees (to be used
with the biometric readers installed on the warehouse doors.)
2. Negotiate inclusion of technical support contract at a 20% discount based on volume of equipment
purchased, to cover equipment at all sites, including cameras, collector systems, and central monitoring
station equipment.
3. Negotiate discount on tech support contract based on volume purchase for all badge control system
equipment including door locks, badge readers, control panels.
3. Wiring contractor to complete the installation and wiring of all cameras and systems in the four office
locations.
4. Wiring contractor to complete wiring of badge control system including door locks, readers, and control
panels, including central control system at Chicago security office.
5. Separate purchase of a Storage Area Network device to Archive at least 3 months of data.
This purchase will also require a technical support contract to cover hardware and software support for
management of the device.
6. Negotiate the inclusion of a separate alarm system, as a part of the badge access system purchase, to
monitor the Warehouse loading dock and perimeter doors. An insurance clause should be
included to protect all warehouse assets against loss due to theft. The SLA for this contract should involve a
maximum response from the monitoring company of 10 minutes and an immediate call to local police
when no response is received from the local warehouse manager within 10 minutes.
7. SLA: Technical Support contracts for the Video and Badge Systems:
a.) Video System equipment failure: Onsite 24/7 support, technician on site within 4 hours of
reported failure, 24 hour hardware replacement for any failed component at any site. In the event of a DVR
failure, where no video is captured, a 3rd party security company will be contracted to provide security
officers to patrol the entire location and watch perimeters and warehouse activity until the replacement
DVR is delivered and setup.
b.) Badge System equipment failure: Onsite 24/7 support, technician on site within 2 hours of
reported failure, 24 hour hardware replacement for failed component at any site.
Additional requirement – Door lock open failure will be monitored by a 3rd party security company. Armed
Guard will be dispatched on site to physically monitor the door where badge reader/lock is failed and open
(Door cannot be locked due to system failure). Example of a company that provides this service is
“Securitas” http://www.securitasinc.com/
8. Contractual Penalties: WTHI’s legal department will negotiate an equitable settlement figure
based on the contract amount for each contract. This penalty amount will be consistent with industry rates
for contractual breach. Each vendor failing to meet the full requirements stated in the negotiated contract
will be subject to further legal action.
WAN Firewall Infrastructure (Existing):
One of our key security vulnerabilities is founded in the way our offices communicate across the wide area
network. Twelve years ago, this network was considered cutting edge, and served a great purpose in
transacting business communication between the offices. Today, it is a limitation to our continued revenue
growth, tied directly to the security of our data. This must change if we are to continue to grow our revenue
in a secure environment while maintaining a state-of-the-art electronic supply chain management with our
vendors and partners.
A diagram containing the current wide area network configuration is shown below.
As indicated in the above diagram, each site has its own firewall connected to a local ISP
circuit/ISP router configuration. The connectivity from each site to the main Chicago Datacenter site is via
an encrypted tunnel. The firewall in each site consists of a pc based installation of “Raptor” firewall (which
was later purchased by Symantec). The pc’s have 3 network adapters: One internal, one external and one
‘DMZ’. Every time a virus outbreak occurs in an office, the Firewall crashes and Internet Access goes
down. Symantec has pushed the company to upgrade to a hardware based firewall ‘appliance’, but today,
this solution will not meet the requirements of our fast-paced electronic commerce model of business on
the Internet.
The Proposed new infrastructure will eliminate individual firewalls, ISP circuit connections and
tunnels. A new solution will incorporate a centralized private wan solution using newer MPLS technologies
from one of the major telecommunications providers, such as Sprint, MCI, SBC, or Verizon. This change to
the WAN is central to the successful implementation of a new security protocol within WTHI. The need for
the WAN upgrade is also based on expanded bandwidth requirements due to the additional technology
solutions introduced in this report (Digital video and perimeter access control traffic) to ensure a more
secure and rapid transfer of data between sites.
A diagram of the proposed WAN solution is shown here:
The use of a private, managed VPN architecture such as an MPLS WAN holds the benefit of
creating a larger bandwidth, better protected solution without the overhead of decentralized firewall
management and unsecured individual ISP circuits. The proposed WAN upgrade is an essential core
component of the Corporate Security Plan. The upgrade will require higher bandwidth capability on the
local office WAN circuits in order to allow the network to carry the additional traffic loads generated by the
added video and badge access solutions and also the replication of Antivirus updates.
The data traversing the new WAN must also co-exist with regular replication of the e-commerce
database between the Chicago and Dallas sites. This replication must be completed regularly to provide a
failover solution for business continuity, should a disaster strike the Chicago region.
This upgrade will also pave the way for a major e-mail migration from Microsoft Exchange 5.5 to
Microsoft Exchange 2003. This migration is needed in the near future to tighten security of e-mail data by
centralizing control of the e-mail server in the Chicago Data Center.
The contract and requirements for this upgrade are as follows (cost information follows):
1. Negotiated contract with Major Telecom Provider such as AT&T, SBC, SPRINT, or VERIZON to
provide such MPLS VPN Service at the corporate level to support all four sites.
2. Purchase of new circuits through this same provider. The recommendation is A Primary 10Mbps *Partial
DS3 and 4 bundled T1s as backup circuits for Chicago and Dallas, and a Primary bundled 4-T1 (6MB)
primary circuit with Dual ISDN 128kbps backup circuits for Los Angeles and Washington, DC.
Note: Partial DS3’s should have ‘burstable’ option included in contract. This means that the
Network Operations Center will have the capability to monitor bandwidth utilization following the
implementation of all new services. If the bandwidth utilization is maxed into ‘burst’ capacity, then a
consideration for increasing the available bandwidth should be initiated. If it is determined that the largest
partial DS3 option can not provide sufficient bandwidth, then an upgrade to a full DS3 (*full T3) should be
considered.
3. Purchase of 2800 Series Cisco Routers to support the configuration required of the circuits at each of
these sites.
4. Network Engineering will need to create new routes at each Core switch to match the new MPLS
Network Routes.
5. SLA requirements: Because WTHI runs its e-commerce enterprise on a 24/7 basis (though Shipping and
Receiving are handled only during regular business hours), system downtime would produce a negative
impact to revenue channels. Accordingly, an upgrade to the new system should be negotiated as follows:
a) 20 minute Tech Support Escalation Heuristic (each 20 minutes of downtime requires escalation)
b) For outages greater than 1 hour at either primary site (Chicago or Dallas), a full compensation of
monthly circuit charges pro-rated based on the time of the primary circuit outage, plus full payment of
monthly charge on the 4 T1 backup circuits.
c) For outages greater than 1 hour at either Secondary site, full payment for ISDN charges incurred on
backup circuits for the entire duration of the outage
d) Legal recourse (right to pursue legal action) for any data loss or revenue due to outages lasting greater
than 3 hours. (Note, this would not pertain to tape backup data as all tape backups are done locally)
The importance of a WAN architecture upgrade is highlighted in the following drawing, which displays the
business traffic as it is used by the new WAN.
Cost of WAN Solution:
Solution: WAN - MPLS Service and broadband circuits
Vendor info | telcoIQ | usa access
Cost info | $400.00 per month per site - $1,600.00 per month for all 4 sites | not available
Total Cost per month | $1,600.00 per month | n/a
Circuits: DS3 - partial Circuits and T1's
Vendor info | telcoIQ | usa access
Cost info | $1,250.00 per month (6Mb) 4 bundled T1's | DS3 full 1,500 per month
Total Cost per month | $2,500.00 | 4,500.00 - 6,000.00
Total Telecom Data Circuit Charge for all sites per month: $8,500.00
Cisco 3725 Multiservice WAN Routers: 6500.00 x (5) (Two are needed in Chicago): 32,500.00
Total WAN investment for all sites, per month: $10,100.00
Total WAN ROUTER Purchase: 32,500.00
Central Chicago Internet Gateway
With the upgraded WAN, the individual firewalls at each site are replaced with MPLS routers and Intrusion
Detection System ‘Taps’. These taps are connected to an IDS Server that contains sensor software used to
analyze potential attacks to the system and send alerts to the IT (Security) Staff. The Internet Access model
is changed from individual site access to centralized access through the Chicago Gateway. This gateway
consists of a load balanced high traffic firewall solution designed to control individual site Internet access
traffic, DMZ traffic for supply chain management and external e-mail traffic. Traditionally traffic from
each site would traverse the public internet across a VPN tunnel. The new model uses a private MPLS
‘Cloud’ to move all traffic to and from Chicago.
The new Internet Gateway diagram is shown below:
Selection of Vendors Switches, Routers, Firewalls, IDS:
1. Switches and Routers
The company’s corporate IT Standard is “Cisco” Systems. Because of the current 5 year blanket support
contract and track record with Cisco (Almost no hardware failure in 5 years), IT feels strongly about
continuing the relationship with Cisco systems as our Router and Switch IT Vendor.
2. Firewalls
Due to the high level of traffic that will cross the Firewall infrastructure, the former firewall technology
consisting of “Raptor” software installed on a PC with multiple network interface cards is no longer
sufficient. The Raptor Software is no longer supported and our company’s support contract is expired. A
new firewall solution is needed. A full-featured firewall server capable of handling high volumes of traffic
throughput is required to support the new centralized firewall and internet gateway solution.
Cost Information for Firewalls and Routers to support the Internet Gateway:
Solution: Firewall (Source: securehq.com)
Vendor info | Nokia IP 560 with Checkpoint FW-1 | SonicWall Pro (Sonic Wall 5060f)
Cost info | $16,000.00 | $10,371.00
Total Cost - Firewalls | $16,000.00 | $10,371.00
3. IDS (Intrusion Detection System)
According to an article by Cavusoglu, Mishra, and Raghunathan (2005) “In the IT security
context, preventative controls such as firewalls, aim to develop a shield around IT systems to secure them
from intrusions. Detective controls such as IDSs try to detect intrusions that have already occurred.
Because complete prevention of intrusions is unlikely, detective controls have become an important
element in a firm’s overall security architecture.”3
WTHI has never implemented any means of detecting intrusion into its information systems. This
means that the potential for lost revenue and data is high. To mitigate any further damage due to possible
intrusion, a detection system is needed for better monitoring of the corporate networks and information
assets.
Cost Information for IDS:
3. Cavusoglu, H., B. Mishra and S. Raghunathan. (2005). The Value of Intrusion Detection Systems in Information Technology
Security Architecture. Information Systems Research, 16(1), 28-46. Retrieved April 6, 2007, from ABI/INFORM Global database.
(Document ID: 836085061).
Solution: Intrusion Detection
Vendor info | Enterasys Dragon Sensor | Juniper IDP 200 Security Appliance
Cost info | $15,000.00 x 5 = $75,000.00 | $16,000.00 x 5 = $80,000.00
Ethernet taps | (560.00 ea) x 6 = $3,240.00 | (560.00 ea) x 6 = $3,240.00
Total cost - IDS | $78,240.00 | $83,240.00
Service Level Agreement:
For the intrusion detection system, a negotiated 24/7 technical support contract will cover support of the
software application running on the IDS servers. A 24 hour hardware replacement should be included in
this contract. As IDS is a critical component of protecting the e-commerce enterprise, downtime could
indirectly impact revenue in the form of an undetected intrusion resulting in a compromise of protected
data.
VPN/Remote Access
The current Remote Access Solution in place is a Microsoft VPN client based solution.
Examination of the existing authentication system has revealed a significant security weakness that will
allow a hacker to guess a username and password to gain access to corporate resources.
A more complex solution is required to ensure that VPN client connections are limited to authorized
personnel only. The diagram below shows the current VPN remote access model.
Note: One positive security preventative measure was the retirement of RAS dialup 2 years ago.
A VPN session independent of a direct dialup modem is required to access the system.
Current Remote Access using Microsoft PPTP Client
The current model for remote access is the Microsoft VPN Client using PPTP encrypted authentication.
While this method of access provides a secure channel, user and password information is
not well protected. Should a hacker identify the proper IP address of the PPTP server, all he/she needs is a
valid username and guessed password. A better solution is required to prevent potential security breach via
the VPN Client. A better solution is available in the Cisco VPN client. This solution will allow WTHI to
leverage a combined access solution that protects password security through use of a ‘SecurID’ token. The
token is assigned to each VPN user account, and contains a unique number that changes every 30 seconds.
To authenticate on the VPN using the Cisco Client, the user enters a username and password, and in the
password field, an additional number shown on the ‘SecurID’ token to authenticate. The randomization of
this number makes it almost impossible for a thief to guess the password.
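The token check described above, as an added example (not part of the original report, and not RSA's or Cisco's code): SecurID's own algorithm is proprietary, so this sketch substitutes the open TOTP standard (RFC 6238) with the 30-second interval the report states. `VpnAuthenticator`, the six-digit code length, the drift window, the lockout threshold and the sample seed are assumptions made for illustration.

```python
"""Password plus time-based token code, using RFC 6238 TOTP as a stand-in for a hardware token."""
import hashlib
import hmac
import os
import struct

STEP_SECONDS = 30   # refresh interval stated in the report
DIGITS = 6          # assumption: six-digit token display


def token_code(seed: bytes, unix_time: int, digits: int = DIGITS) -> str:
    """Return the code a token holding this seed shows at unix_time (HMAC-SHA1 TOTP)."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class VpnAuthenticator:
    """Hypothetical server-side check: password and token code typed into one field."""

    def __init__(self, drift_steps: int = 1, max_failures: int = 5):
        self.drift_steps = drift_steps      # tolerate +/- one interval of clock drift
        self.max_failures = max_failures    # lock the account after this many bad tries
        self.users = {}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enroll(self, username: str, password: str, seed: bytes) -> None:
        salt = os.urandom(16)
        self.users[username] = {
            "salt": salt, "pw_hash": self._hash(password, salt),
            "seed": seed, "last_counter": -1, "failures": 0,
        }

    def login(self, username: str, passcode: str, now: int) -> bool:
        user = self.users.get(username)
        if user is None or user["failures"] >= self.max_failures:
            return False
        # The last DIGITS characters of the password field are the token code.
        password, code = passcode[:-DIGITS], passcode[-DIGITS:]
        pw_ok = hmac.compare_digest(self._hash(password, user["salt"]), user["pw_hash"])
        current = now // STEP_SECONDS
        matched = None
        first = max(0, current - self.drift_steps)
        for counter in range(first, current + self.drift_steps + 1):
            expected = token_code(user["seed"], counter * STEP_SECONDS)
            # An interval at or before the last accepted one is a replay and never matches.
            if counter > user["last_counter"] and hmac.compare_digest(
                    expected.encode(), code.encode()):
                matched = counter
        if pw_ok and matched is not None:
            user["last_counter"] = matched
            user["failures"] = 0
            return True
        user["failures"] += 1
        return False

    def guess_bound(self) -> float:
        """Upper bound on blind code-guessing success before the account locks."""
        accepted_codes = 2 * self.drift_steps + 1
        return self.max_failures * accepted_codes / 10 ** DIGITS


if __name__ == "__main__":
    seed = b"constructed-demo-seed"          # constructed sample seed
    auth = VpnAuthenticator()
    auth.enroll("jdoe", "Winter2007!", seed)  # constructed account
    now = 1_176_000_000                       # constructed timestamp
    code = token_code(seed, now)
    print("first login:", auth.login("jdoe", "Winter2007!" + code, now))
    print("same code replayed:", auth.login("jdoe", "Winter2007!" + code, now))
    print("stolen password, no token:", auth.login("jdoe", "Winter2007!000000", now + 60))
    print("guess bound before lockout:", auth.guess_bound())
```

The replay check and the lockout are what bound an attacker who already knows the password; the rolling number alone only limits how long a captured code stays valid.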
The diagram shown below illustrates the current model of remote client VPN authentication using the
traditional Microsoft VPN system. The second diagram shows a proposed implementation of the Cisco and
SecurID solution.
Proposed Remote Access using Cisco VPN Client:
Service Level Agreement:
For this implementation two technical support contracts are needed. The first will provide the Cisco VPN
solution and a second will provide support for the ‘SecurID’ token based solution. The need for Remote
Access VPN is secondary to protection of the physical enterprise and data center. Should a problem arise
with the VPN, traveling employees have a backup e-mail solution in Outlook Web Access. This means that
downtime of the VPN will not directly or indirectly impact revenue. IT staff at the Chicago data center
works in a rotating 24 hour shift, so there is always a group of technicians on site, meaning a VPN access
outage would not prevent the IT staff from resolving an issue remotely. Therefore, a downtime of the VPN
for up to 8 hours is acceptable. WTHI holds a blanket support contract with Cisco to cover all existing
routers and switches. A new VPN router will be added to the existing support contract. A
negotiation with the SecurID token provider (probably RSA/EMC) will incorporate a replacement policy
on hardware of 24 hours.
Cost Information: VPN Software, Access Token System and VPN Router
Solution: Cisco VPN
Vendor info | Cisco
Client Access License 40.00 (500 users) | $2,000.00
Cisco 7204 VXR VPN Router | $6,000.00
Total Cost - Cisco VPN | $8,000.00
Solution: SecurID Fobs
Vendor info | RSA | CryptoCard
Cost info | $45,000.00; Authentication Manager Enterprise License: $50,000.00 | $68,000.00; Windows Starter Kit $500.00
Total Cost - Authentication Tokens | $95,000.00 | $72,000.00
Policy Changes with regard to resources and users:
The next several policy changes do not involve any purchase cost. However, they do require man-hour cost
to implement, using the existing IT Equipment in WTHI’s Active Directory Domain Architecture. The first
drawing shows the high level view of WTHI’s Active Directory Groups running on Windows 2000
(Windows 2003 is not an upgrade consideration for this project).
The access of these groups to corporate resources on the domain is limited to the needs of their group, in
accordance with Microsoft’s Active Directory Best Practices.4
4. Microsoft Corporation (2007, April). Securing Windows 2000 Network Resources. Retrieved April 12,
2007 from http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/netres.mspx
Windows User Account Logon Password Policy
Some excellent resources in the field of ‘password protection’ have been cited as valuable for
protecting passwords against ‘cracking’ by hackers attempting to log on to protected resources. The
current system in place allows users to choose and keep their passwords indefinitely. A new system is
needed. Evidence of the weakness in WTHI’s current approach to password security is highlighted by
Munro (2006): “A good password is long and complex - and hard to remember; weak ones are next to
useless. They are also expensive to manage. One of the most requested helpdesk services is resetting a
password.
We know that the strongest passwords contain non-alphanumeric characters or symbols, are sufficiently
long, and do not contain dictionary words. But some non-alphanumerics are a whole lot better than
others.”5
Print Server Limitations: For example, the Warehouse group is able to print orders for their warehouse to
any laser printer inside the warehouse, but not to the color printers in the accounting department. The IT
department can print network diagrams to its color printers, but not to the Black and White laser printers in
the Warehouse. The shipping department can print FedEx or UPS reports to printers in its department but
not to those in IT.
Restricting access to printers may seem like a trivial item in the security plan, but it can actually prevent
critical errors. For example, if an HR Manager were printing a list of terminations and he/she accidentally
selected the printer of a different department (in which several employees who were to be terminated
worked); this could create a big potential problem. Locking down printers to their specific groups helps to
prevent such situations from happening. Similarly, printing of Salary information to the Shipping and
Receiving department for an employee who was to receive his annual review, might end up in the hands of
a co-worker, and create confidentiality issues.
File Server Limitations: A restriction on file shares is needed to limit by group, access to the data specific
to each department. For example: the IT group can access shares on its own folders on the File server, but
not order processing or shipping documents. Accounting and Finance can access its tax document files and
shares on the File server, but not HR’s folders and documents.
5. Munro, K. (2006). How to crack (almost) any password in less than two minutes: [SURVEYS
EDITION]. Financial Times, p. 6. Retrieved April 5, 2007, from ABI/INFORM Global database.
(Document ID: 1140500361).
Applications: An Accounting employee can access the Solomon financial server, but this is not accessible
to IT. Troubleshooting an issue on such an application server would require the presence of an accounting
employee.
Network Security at the Router Level (ACL Controls for VLANS)
Often there are scenarios that require the Network Engineering team to lend a hand in securing data
channels. An ACL (access control list) on a network router or L3 switch can limit unnecessary traffic and
thus reduce bandwidth utilization and the possibility of virus propagation. Cisco (2006) technical
documentation on ACL’s advises “In an effort to protect routers from various risks both accidental and
malicious infrastructure protection ACLs should be deployed at network ingress points.”6
For example, an ACL blocking TCP port 443 prevents the SQL slammer worm from moving into a subnet
on a network by preventing any traffic using TCP port 443 from passing through the router. Packets that
encounter this ACL are dropped.
The following diagram shows the current core VLAN routed/switched architecture for the Chicago Office
of WTHI. All other offices have a similar core switching architecture.
6. Cisco Corporation (2006). Protecting Your Core: Infrastructure Protection Access Control Lists.
Retrieved April 12, 2007 from: http://www.cisco.com/warp/public/707/iacl.pdf
Note, a WAN upgrade is mentioned for strong consideration in this report.
See the change to the local switching architecture in the diagram below.
Proposed router site implementation based on the new WAN framework
The new framework will continue with the same core configuration; however the new WAN circuits will
require router upgrades. The two DS3 circuits in Chicago and Dallas will require a DSU/CSU unit to bring
the DS3 circuit into the Data Center area.
Internet Browsing Limitations
The current Information Security policies do not limit Internet Browsing. Employees at all four
offices are free to access any website they choose for purposes of browsing the World Wide Web. In the last
2 weeks, several PCs have been infected with viruses. This is becoming more and more of an issue in all 4
offices. Bandwidth is also at a premium. One user was identified streaming NFL highlights videos during
work hours. This idea caught on and soon several employees were streaming video from CNN, NFL.com
and “YouTube” to their desktops. According to one IT desktop support analyst, some employees have
installed “iTunes” on their PCs and are downloading and playing music at the office. E-mail performance
has suffered and many users have called the help desk to report “poor network performance”. Although the
consumption of bandwidth may have been an issue, a virus-infected PC may also be slowing network
performance.
Proposed Solution:
Deployment of a web-filtering solution is intended to mitigate potential violations of the company’s ethics
policy regarding proper use of IT resources and appropriate web-browsing.
The deployment of the actual web-filtering device is depicted in the Chicago Internet Gateway diagram
shown previously in this report.
The Legal department has agreed to revise its ethics policy in coordination with the IT department. This
revised plan will determine the criteria used to filter websites. Some suggested criteria include:
Pornography, Gambling, Cookie Tracking/Info gathering sites, and Known phishing sites. More will be
added to this list following a full review of the new plan.
A sample screen that a user would encounter when attempting to access a banned/filtered site would appear
similar to the one shown here:
Cost Comparison Information – Web Filter:
Solution: Web Browsing Filter
Vendor info | Barracuda Web Filter - model 410 | iPrism M1200 Web Filter Appliance
Cost info | $4,000.00 (1) add 2,000.00 for 1 year support and updates | 1,000 users, 1 year, $10,010 direct
Total Cost - Web Filter | $6,000.00 | $10,010.00
AntiVirus Software and Microsoft Updates
The company’s four sites have never been given a mandate to standardize on a specific Anti-Virus solution.
Each site’s IT department has purchased individual copies of McAfee and Norton antivirus, and is running
a mix of both products on the desktops, with purchases occurring on an ‘as-needed basis’. Although the IT
staff has done its best to configure each desktop to automatically update virus definitions, this does not
always work. With the WAN being used to backup the corporate database from Chicago to Dallas, there are
times when the firewalls get ‘bogged down’ with replication traffic in those sites, and the result is the virus
definition downloads often fail due to network congestion. The same problem exists for Microsoft Security
updates. Desktop computers need to be patched regularly to meet Microsoft security update requirements.
To reduce the amount of WAN traffic for Microsoft updates, the IT group will set up a domain level policy
to force each desktop computer to download updates during non-business hours.
A Centralized solution for virus updates will allow WTHI to control Software and Security Patching from
its Chicago Datacenter. This is part of the expanded capability the increased circuit bandwidth and the
MPLS Private Network will provide. A diagram of the proposed solution is shown below:
Cost Comparison – Enterprise Level Antivirus:
Solution: Corporate Antivirus
Vendor info | Symantec (Norton) Enterprise Edition | McAfee "Active Virus Defense"
Cost info | 1000 licenses: $60,800.00 | 1000 licenses: $55,090.00
Antivirus Server Hardware | (3) Dell Poweredge 1950 and one Dell poweredge 2650: $10,000.00 | (3) Dell Poweredge 1950 and one Dell poweredge 2650: $10,000.00
Total cost - Antivirus | $70,800.00 | $65,090.00
E-mail Spam Filtering:
Spam filtering is a recommended high-priority initiative for WTHI. Spam can be more damaging than
simply wasting e-mail bandwidth and inbox space. According to a recent article in Barron’s by Carey (2007),
“APWG (www.antiphishing.org) says that in the first month of 2007, there were 29,930 reports of
attempts to steal passwords or other important personal information from corporate customers, up more
than 25% from December and up 5% above the previous record, set in June of last year.”7
7. Carey, T. (2007, April). Phighting Phishes and Pharmers. Barron's, 87(14), 37. Retrieved April 5, 2007, from ABI/INFORM
Global database. (Document ID: 1249851201).
In the course of this analysis, a decision was made to keep the existing Microsoft Exchange 5.5 E-mail
server architecture in place. This decision is centered on cost reduction to create more budgetary focus on
the critical need to upgrade both the WAN and Security Infrastructure. The upgraded WAN will eventually
allow for the migration to a centralized Exchange 2003 and later Exchange 2007 environment, where one
redundant e-mail server is located in the Chicago datacenter. Spam e-mail can quickly kill productivity for
employees in all departments where time is better spent conducting company business rather than deleting
unsolicited e-mail. This can also lead to a virus attack if the spam message contains a hidden executable or
compressed file containing the executable file.
With the existing 5.5 server architecture in place, the deployment of a short-term anti-spam solution is
recommended at each site. To keep cost efficiency, an SMB sized anti-spam appliance is recommended.
Cost Comparison Information – Spam Filter:
Solution: Anti-Spam Filter
Vendor info | Barracuda Spam Firewall - model 400 | Mail Foundry 2100
Cost info | $4,000.00 (4) $16,000.00 plus 8,000.00 for 1 year support and updates | $2,000.00 (4) $8,000.00 plus 2 years extended support
Total Cost - Antispam | $24,000.00 | $13,021.60
The diagram below outlines the connectivity of the spam filter at each location.
Oracle Database Security
Within this report, many security solutions are recommended to ultimately protect the data of the
company’s databases. These solutions offer the most protection at each perimeter of the Information
Systems Infrastructure. A critical consideration is the application level security of the Database
Management System Software. WTHI uses Oracle as its DBMS provider. Oracle has a long standing
reputation for leading the industry in e-commerce database management products. The use of Oracle’s
security features will protect the database at a final core level against attacks and data theft. Oracle adds an
additional layer to database security through its own technology resource center. As indicated by Oracle
Corporation (2007) “Fixes for security vulnerabilities are released in quarterly Critical Patch Updates
(CPU), on dates announced a year in advance and published on the Oracle Technology Network. The
patches address significant security vulnerabilities and include other fixes that are prerequisites for the
security fixes included in the CPU. The major products patched are Oracle Database Server, Oracle
Application Server, Oracle Enterprise Manager, Oracle Collaboration Suite, Oracle E-Business Suite,
PeopleSoft Enterprise Tools, PeopleSoft CRM, JD Edwards Enterprise One, and JD Edwards One World
XE.”8
Oracle (http://download-east.oracle.com/docs/cd/B14117_01/network.101/b10777/overview.htm#1006428)
provides a comprehensive list of potential database security issues and resolutions. This list includes items
such as “Unauthorized users, unauthorized access to data, eavesdropping, corruption, and denial of
service.”9
With the many solutions offered to mitigate the risk of data loss, WTHI will follow the Oracle
recommended solutions. A critical component of this risk management solution will be a new WTHI
Information Technology policy, developed in cooperation with the Database Administration group and
Network Operations staff, to follow published Oracle security recommendations and patch all reported
vulnerabilities as soon as possible. At present, adherence to the existing Oracle recommendations
will not require any additional purchase by WTHI. Our current support contract with Oracle is 24/7
technical support. All database administrators at WTHI are Oracle Certified DBAs, with at least 5 years of
database administration experience. Database backups are performed nightly, and a full database
replication is done daily with the Dallas datacenter.

8. Oracle Corporation (2007, April). Quarterly Patch Update: Quarterly Release of Security Updates.
Retrieved April 12, 2007 from: http://www.oracle.com/security/critical-patch-update.html
9. Oracle Corporation (2007, April). Quarterly Patch Update: Quarterly Release of Security Updates.
Retrieved April 12, 2007 from: http://www.oracle.com/security/critical-patch-update.html
Business Continuity Planning
WTHI has a solid plan for continuation of business in the event of a major technical outage at the main
Chicago data center. The plan for business continuity consists of a complete operations failover from
Chicago to Dallas.
To continuously prepare for such an event, WTHI regularly replicates its database with the Dallas
office. Redundant application servers operate in the Dallas location and are ready to pick up in less than 20
minutes in the event such service is required. Local personnel in Dallas are trained to take over main
operations from Chicago. Key management personnel have an emergency travel budget to temporarily
relocate from Chicago to Dallas until the Chicago site is ready to go back on line. This plan is sufficient to
continue operations, and there is no requirement to upgrade or change the plan at this time. With
continuous innovation in the Information Technology and Security fields, this plan should be revisited
annually to identify new opportunities for improvement.
Disaster Recovery
Nightly tape backups are performed at all sites. All major systems, including e-mail, voicemail,
and file servers, are backed up. Database transaction logs are backed up, and can be ‘rolled back’ or ‘rolled
forward’ to restore data that may have been damaged during a server outage. All servers are configured
with a RAID capability, and spare hardware replacements are kept ready and available at all sites should the
need arise to rebuild a RAID system. An offsite storage vendor keeps 2 weeks of backup tapes at a
climate-controlled facility, and these may be recalled at any time for any of the four offices as needed. At
present, this plan is sufficient to restore data operations, and there is no requirement to upgrade or change the
plan at this time. With continuous innovation in the Information Technology and Security fields, this plan
should be revisited annually to identify new opportunities for improvement.
Summary List of Recommendations:
1. Control Physical Access to Buildings, Offices, Warehouses and Data Centers; Implement a
Perimeter Security Access Control (Badge Reader) System
2. Migrate Camera System from Analog to Digital Network Controlled System with Online Storage.
3. Migrate WAN Circuit Connectivity from Internet Based to MPLS (Private VPN) Based.
4. Migrate Firewalls from Decentralized Raptor Solution to Centralized Internet Gateway.
5. Enforce Password Policy on all Domain Accounts:
a. Require password change every 90 days
b. Require at least 1 number, 1 special character, and 1 uppercase letter, minimum 8 characters.
6. Implement an Intrusion Detection system.
7. Enforce Desktop Policy via Active Directory Group Policy Object. Include Scheduled After Hours
Download Cycle for MS-Security Patches.
8. Limit Web Site Browsing with a Web Filter Appliance.
9. Migrate Remote Access VPN from Microsoft PPTP to Cisco Client VPN.
10. Implement Anti-Spam Email Filter Device on all Exchange E-mail Servers.
11. Follow Oracle Best Practices for Database Security as Published on Oracle’s Corporate Website.
12. Standardize Anti-virus software to Enterprise, server based version.
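Recommendation 5 can be checked mechanically once it is in force. The following is an added example, not part of the original report: it tests a candidate password against rule 5b and audits an account export against rule 5a. `userAccountControl` and `pwdLastSet` are standard Active Directory attributes; the sample rows are constructed, and treating "special character" as ASCII punctuation is an assumption.

```python
import string
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=90)        # recommendation 5a
MIN_LENGTH = 8                      # recommendation 5b
UAC_ACCOUNTDISABLE = 0x0002         # userAccountControl: account disabled
UAC_DONT_EXPIRE_PASSWORD = 0x10000  # userAccountControl: password never expires
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def unmet_requirements(password):
    """Return the parts of rule 5b that a candidate password fails."""
    checks = {
        "length": len(password) >= MIN_LENGTH,
        "number": any(c in string.digits for c in password),
        "uppercase": any(c in string.ascii_uppercase for c in password),
        "special": any(c in string.punctuation for c in password),  # assumption
    }
    return [rule for rule, ok in checks.items() if not ok]

def filetime_to_datetime(filetime):
    """pwdLastSet counts 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)

def to_filetime(moment):
    """Inverse conversion, used only to build the constructed sample rows."""
    return int((moment - FILETIME_EPOCH).total_seconds()) * 10_000_000

def audit_accounts(accounts, now):
    """Map account name -> reason for enabled accounts that escape rule 5a."""
    findings = {}
    for name, uac, pwd_last_set in accounts:
        if uac & UAC_ACCOUNTDISABLE:
            continue  # disabled accounts cannot log on
        if uac & UAC_DONT_EXPIRE_PASSWORD:
            findings[name] = "never-expires flag set"
        # pwdLastSet == 0 means the user must change password at next logon
        elif pwd_last_set and now - filetime_to_datetime(pwd_last_set) > MAX_AGE:
            findings[name] = "password older than 90 days"
    return findings

NOW = datetime(2007, 4, 12, tzinfo=timezone.utc)
# Constructed sample export: (sAMAccountName, userAccountControl, pwdLastSet)
SAMPLE = [
    ("jsmith", 0x0200, to_filetime(NOW - timedelta(days=30))),
    ("mjones", 0x0200, to_filetime(NOW - timedelta(days=120))),
    ("svc_backup", 0x0200 | UAC_DONT_EXPIRE_PASSWORD, to_filetime(NOW)),
    ("oldtemp", 0x0200 | UAC_ACCOUNTDISABLE, to_filetime(NOW - timedelta(days=400))),
    ("newhire", 0x0200, 0),
]
print(audit_accounts(SAMPLE, NOW))
```

Accounts with the never-expires flag are reported even when their password is recent, because the flag exempts them from the 90-day rule altogether.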
Conclusion
The Web Tech Home Improvement Corporate Security Plan as proposed in this report is vital to
the company’s ability to maintain its competitive advantage. The center of this plan is the upgrade of WAN
technology from the existing decentralized ISP solution to a centralized MPLS Private WAN with
increased bandwidth. The physical access control and video surveillance solutions will utilize more
bandwidth in data transfer. The migration and upgrade of the firewall solution using a centralized Internet
Gateway will streamline the administration of the firewall at the Chicago Data Center, and take some of
the strain off local IT personnel by shifting this responsibility to Headquarters. Creating a policy for the
existing Windows 2000 Active Directory environment will tighten desktop security and enforce
restrictions on resources so that the appropriate groups and departments will access only the resources
required to conduct daily business. This will also allow IT administrators to enforce a new global password
policy for the number and type of characters and a fixed password renewal requirement. The server-based
anti-virus model will decrease the Internet traffic at each office by centralizing virus definition updates on a
master server and pushing these updates to servers in each office. This in turn will reduce WAN traffic by
allowing local client PCs in each office to update using LAN bandwidth rather than WAN bandwidth. The
addition of a web-filter appliance will control appropriate Internet website browsing and reduce bandwidth
utilization across the WAN by blocking streaming media sites such as “Napster”, “iTunes”, “myspace”, and
“youtube”. The migration from Microsoft VPN to a combined Cisco VPN/SecurID token solution will
increase security by randomizing the second part of the user password in the authentication process. It will
also strengthen the reliability of the VPN hardware solution by moving away from a server-based solution
to a more robust Cisco router solution. This plan should be re-evaluated on a regular basis to consider new
technology developments and innovations in the field of security that might better protect the infrastructure
and help to maintain the company’s competitive advantage. A line item budget consideration is strongly
suggested to continue the updates to these technologies needed for maintaining the security of the
company’s physical and informational assets.
References
1. Messmer, E. (2007, March). Net security experts share tips. Network World, 24(12), 1,10. Retrieved
April 5, 2007, from ABI/INFORM Global database. (Document ID: 1247736921).
2. Stennett, C., A. Wren. (2006, November). TECHNOLOGY AND SAFETY: How Network Video Can
Help Increase Security at Public Housing Authorities. Journal of Housing and Community
Development, 63(6), 28-30,32. Retrieved March 12, 2007, from ABI/INFORM Global database.
(Document ID: 1183865131).
3. Cavusoglu, H., B. Mishra and S. Raghunathan. (2005). The Value of Intrusion Detection Systems in
Information Technology Security Architecture. Information Systems Research, 16(1), 28-46.
Retrieved April 6, 2007, from ABI/INFORM Global database. (Document ID: 836085061).
4. Microsoft Corporation (2007, April). Securing Windows 2000 Network Resources. Retrieved April 12,
2007 from: http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/netres.mspx
5. Munro, K. (2006, October 4). How to crack (almost) any password in less than two minutes: [SURVEYS
EDITION]. Financial Times, p. 6. Retrieved April 5, 2007, from ABI/INFORM Global database.
(Document ID: 1140500361).
6. Cisco Corporation (2006). Protecting Your Core: Infrastructure Protection Access Control Lists.
Retrieved April 12, 2007 from: http://www.cisco.com/warp/public/707/iacl.pdf
7. Morrissey, P. (1998, April). Demystifying Cisco access control lists. Network Computing, 9(7), 116.
Retrieved April 7, 2007, from ABI/INFORM Global database. (Document ID: 28520861).
8. Huseyin C., B. Mishra, S. Raghunathan. (2005). The Value of Intrusion Detection Systems in
Information Technology Security Architecture. Information Systems Research, 16(1), 28-46.
Retrieved April 6, 2007, from ABI/INFORM Global database. (Document ID: 836085061).
8. Keep your database safe from intrusions at all network levels. (2006, April). Exploring
Oracle, 11(4), 6. Retrieved March 12, 2007, from ProQuest Computing database. (Document
ID: 1025469841).
9. Carey, T. (2007, April). Phighting Phishes and Pharmers. Barron's, 87(14), 37. Retrieved April 5, 2007,
from ABI/INFORM Global database. (Document ID: 1249851201).
10. Oracle Corporation (2007, April). Quarterly Patch Update: Quarterly Release of Security Updates.
Retrieved April 12, 2007 from: http://www.oracle.com/security/critical-patch-update.html
11. Oracle Corporation (2007, April). Oracle Security Review 10g Release 1. Retrieved April 12, 2007
from: http://download-east.oracle.com/docs/cd/B14117_01/network.101/b10777/overview.htm#1006428
12. Microsoft Corporation (2007, April). Step-by-Step Guide to Understanding the Group Policy Feature
Set. Retrieved April 12, 2007 from:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/grpolwt.mspx
13. RSA Security (2005). RSA SecurID SID800 Hardware Authenticator. Retrieved from:
http://www.rsa.com/products/securid/datasheets/SID800_DS_0205.pdf
Appendix A: Cost Information

Budget Requirement - Capital Asset Equipment Investment: $442,079.00
Budget Requirement - Recurring Service Charges: $10,100.00 per month

Solution: WAN - MPLS Service and broadband circuits
Vendor info | telcoIQ | usa access
Cost info | $400.00 per month per site - $1,600.00 per month for all 4 sites | not available
Total Cost per month: | $1,600.00 per month | n/a

Circuits: DS3 - partial Circuits and T1's
Vendor info | telcoIQ | usa access
Cost info | $1,250.00 per month (6Mb) 4 bundled T1's | DS3 full 1,500 per month
Total Cost per month: | $2,500.00 | 4,500.00 - 6,000.00

Total Telecom Data Circuit Charge for all sites per month: | $8,500.00
Cisco 3725 Multiservice WAN Routers | 6500.00 x (5) (Two are needed in Chicago) | 32,500.00
Total WAN investment for all sites, per month | $10,100.00
Total WAN ROUTER Purchase: | 32,500.00

Solution: Cisco VPN
Vendor info | Cisco
Client Access License | 40.00 (500 users) | $2,000.00
Cisco 7204 VXR VPN Router | $6,000.00
Total Cost - Cisco VPN | $8,000.00

Solution: Firewall
Vendor info | Nokia | SonicWall Pro
Source: securehq.com | IP 560 with Checkpoint FW-1 | Sonic Wall 5060f
Cost info | $16,000.00 | $10,371.00
Total Cost - Firewalls | $16,000.00 | $10,371.00

Solution: SecurID Fobs
Vendor info | RSA | CryptoCard
Cost info | $45,000.00 | $68,000.00
 | Authentication Manager Enterprise License: $50,000.00 | Windows Starter Kit $500.00
Total Cost - Authentication Tokens | $95,000.00 | $72,000.00

Solution: Digital Video
Vendor info | Vicon Systems | Alternative Security
Cost info | 4 DVRs @ $8,000.00 ea = $32,000.00 | (4) 9-camera complete systems w/cameras and DVR's @ $2,699.00 ea = $10,796.00
 | 36 PTZ Cameras @ $463.85 ea = $16,698.60 | n/a (included above)
 | Central Console $1,352.65, joystick control unit: $200.00 = $1,552.65 | Central Console $1,352.65, joystick control unit: $200.00 = $1,552.65
Digital Video Archive | EMC Clariion Ax (500 Gb expandable archive) $6,000.00 | EMC Clariion Ax (500 Gb expandable archive) $6,000.00
Total Cost - Video: | $56,251.00 | $18,348.65

Solution: Perimeter Badge Access Control
Vendor info | Software House Ccure Badging System $1,000.00 (4) = $4,000.00 | Software House Ccure Badging System $1,000.00 (4) = $4,000.00
Cost info | Control Panels $450.00 (8) $3,600.00 | Control Panels $450.00 (8) $3,600.00
 | ACTAtek badge readers $790.00 (26) = $20,540.00 | ACTAtek badge readers $790.00 (26) = $20,540.00
 | ACTAtek Fingerprint and HID ProxI/II Combo badge and biometric readers $1,590.00 (8) = $12,720.00 | ACTAtek Fingerprint and HID ProxI/II Combo badge and biometric readers $1,590.00 (8) = $12,720.00
 | Door Strikes - $175.00 (32) $5,600.00 | Door Strikes - $175.00 (32) $5,600.00
 | Door Relay units - $179.00 (32) $5,728.00 | Door Relay units - $179.00 (32) $5,728.00
Total Cost - Badge Control System | $52,188.00 | $52,188.00

Solution: Corporate Antivirus
Vendor info | Symantec (Norton) Enterprise Edition | McAfee "Active Virus Defense"
Cost info | 1000 licenses $60,800.00 | 1000 licenses $55,090.00
Antivirus Server Hardware | (3) Dell Poweredge 1950 and one Dell poweredge 2650 $10,000.00 | (3) Dell Poweredge 1950 and one Dell poweredge 2650 $10,000.00
Total cost - Antivirus | $70,800.00 | $65,090.00

Solution: Anti-Spam Filter
Vendor info | Barracuda Spam Firewall - model 400 | Mail Foundry 2100
Cost info | $4,000.00 (4) $16,000.00 plus 8,000.00 for 1 year support and updates | $2,000.00 (4) $8,000.00 plus 2 years extended support
Total Cost - Antispam | $24,000.00 | $13,021.60

Solution: Web Browsing Filter
Vendor info | Barracuda Web Filter - model 410 | iPrism M1200 Web Filter Appliance
Cost info | $4,000.00 (1) add 2,000.00 for 1 year support and updates | 1,000 users, 1 year, $10,010 direct
Total Cost - Web Filter | $6,000.00 | $10,010.00

Solution: Intrusion Detection
Vendor info | Enterasys Dragon Sensor | Juniper IDP 200 Security Appliance
Cost info | $15,000.00 x 5 = $75,000.00 | $16,000.00 x 5 = $80,000.00
 | ethernet taps (560.00 ea) x 6 = $3,240.00 | ethernet taps (560.00 ea) x 6 = $3,240.00
total cost - IDS | $78,240.00 | $83,240.00