Building a security strategy
By Raef Mchaymech
Our Case Study
This is the company whose information system we need to secure.
The Assets
• The assets of the company:
  • Physical assets:
    • The two servers
    • The departments' desktops
    • The manager's laptop
    • The router
    • The switch
    • The cables (communication medium)
  • Non-physical assets:
    • These assets are the electronic information and the data concerning the company
The non-physical Assets
• The Business Confidential Information
  • Stock Data
  • Order Data
  • Account Data
  • Financial Data
• The Personal Information
  • Employees' Data (name, salary, …)
  • Clients' Data (address, payments, …)
Classification
The Assets:
--------------
The Stock Server
The Order Server
The Bills department's Desktops
The HR department's Desktops
The IT department's Desktops
The Accounting department's Desktops
The manager's laptop
The router
The switch
The cables
-------------
Stock Data
Order Data
Account Data
Financial Data
Employees' Data
Clients' Data
The Threats
• These are the threats that endanger the company
Some detailed Threats
Unauthorized or Malicious Access
• We can use a firewall (hardware for higher security)
• Disable all the unneeded ports and enable only the ports that we use, e.g. port 80 for the web
Man-in-the-middle attacks
• The usage of static routing and static switching
Some detailed Threats
Viruses
• Antivirus software should be installed on all computers and servers
• Constantly update the virus definitions
Spyware
• Anti-spyware software should be installed on all computers and servers
• Network analyzer software to track all the network usage
• Constantly update
Denial of Service Attack
• The solution:
  • Monitor the system for flooding messages
  • Disable or monitor the ICMP messages
  • Intrusion Detection System (IDS)
Espionage and Fraud
• The use of encryption is the best solution to preserve:
  • Confidentiality
  • Authentication
  • Integrity
• The data should be transmitted encrypted
• The data on the server should be saved encrypted
• Sending data over secured communication protocols like SSL
Non-Malicious Threats
Entering incorrect transactions
• The system should always show a preview of the transactions
• And always ask for confirmation in case of critical transactions, e.g. customer payments
• An undo button if applicable
Accidentally deleting data files
• There should be real-time backup of critical data and daily transactions
Accidents and disasters
• These threats can't be escaped
• The best solution is to draw up contingency plans
• Keep backed-up data somewhere else
  • E.g. one complete backup every week to a remote location using VPN
• An alternative building for emergencies that can fully or partially handle the work
Secure Databases
• Use different roles for different departments to enforce authorization, i.e. which database and what operations
  • The Accounting Department is allowed to read, write and update the accounting database only.
  • The IT Department is not allowed to access any database.
  • The Billing Department is allowed to read, write and update data in the stock database.
  • The HR Department is allowed only to read the data from the accounting database.
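The department roles above, enforced with default deny, as an added example that is not part of the original slides. It assumes SQLite's authorizer hook as a stand-in for server-side database roles; the table names, sample rows and the mapping of "write" to INSERT are constructed for the demonstration.

```python
import sqlite3

# Slide policy: department -> {database: allowed operations}; "write" = INSERT.
POLICY = {
    "accounting": {"accounting": {"read", "write", "update"}},
    "billing": {"stock": {"read", "write", "update"}},
    "hr": {"accounting": {"read"}},
    "it": {},  # IT may not access any database
}
OPS = {sqlite3.SQLITE_READ: "read", sqlite3.SQLITE_INSERT: "write",
       sqlite3.SQLITE_UPDATE: "update"}


def authorizer_for(department):
    grants = POLICY.get(department, {})  # unknown department gets nothing

    def check(action, arg1, arg2, db_name, source):
        if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_TRANSACTION):
            return sqlite3.SQLITE_OK  # statement-level events, no table named
        if OPS.get(action) in grants.get(db_name, ()):
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY  # default deny: DELETE, DROP, other databases
    return check


def open_as(department):
    """Build constructed demo data, then bind the session to one department."""
    con = sqlite3.connect(":memory:", isolation_level=None)
    con.execute("ATTACH DATABASE ':memory:' AS accounting")
    con.execute("ATTACH DATABASE ':memory:' AS stock")
    con.execute("CREATE TABLE accounting.ledger (id INTEGER, amount INTEGER)")
    con.execute("CREATE TABLE stock.items (sku TEXT, qty INTEGER)")
    con.execute("INSERT INTO accounting.ledger VALUES (1, 100)")
    con.execute("INSERT INTO stock.items VALUES ('A1', 7)")
    con.set_authorizer(authorizer_for(department))
    return con


def attempt(department, sql):
    """Return True if the statement ran, False if the policy refused it."""
    con = open_as(department)
    try:
        con.execute(sql).fetchall()
        return True
    except sqlite3.DatabaseError:
        return False
    finally:
        con.close()
```

Because anything not listed is refused, operations the slide never grants (such as DELETE) fail even for the department that owns the database.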
Secure more
Secure the router and the switch
• Use strong passwords
• WPA encryption and not WEP
• Add static routing and static switching to both router and switch
• Use access control lists for packet filtering
Secure Software
• All the software used in the company is secured with a login password for each user
The outside
• Thick walls (can handle accidents, explosions, …)
• Strong barriers around the wall to keep vehicles from coming near the company
• For higher security we could consider putting up external cameras
• Minimize the number of doors that let you enter the company, and make emergency doors exit-only
• Protect the resources that are outside (electricity generators, …)
The Inside
• Separate the guest room from the rest of the company
• Offer some low-level type of authentication at the entrance (the employees may show badges, and guests can show some ID)
The Inside
• A security control room and a surveillance room. This room should be highly protected (a thick door that opens only with the biometrics of the security and monitoring staff)
• The manager's room should also be protected just like the monitoring room (biometrics of the manager is a good solution)
• There should be cameras covering everything in the company, especially the doors, because they should be opened remotely from the security control room after the identity of the person is authenticated by the monitoring guard
• The server room walls could be made from strong glass or fabric, so that anything that happens inside the room could probably be noticed by other employees
The Inside
• There should be a door, an alley and then another door to enter the server room
• One of the two doors should be opened remotely from the monitoring room and the other one should be opened by a card (or biometrics for higher security) identifying the employee
• A door cannot be opened if the second one is still open
• The system should count who entered and expect them to exit the room (do not accept the same card again to enter if it has not left)
• The alley should not have blind spots (all covered by the cameras)
• Anyone who needs to enter the server room needs to state clearly why
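The two-door rules above (interlock and "same card cannot enter twice") as a small state machine. This is an added example, not part of the original slides; it assumes the outer door is the remotely released one, the inner door has card readers on both sides, and all class, method and card names are hypothetical.

```python
class Mantrap:
    """Two-door vestibule: door interlock plus anti-passback on the card door."""

    def __init__(self, authorized_cards):
        self.authorized = set(authorized_cards)
        self.open_door = None  # "outer", "inner" or None: never both
        self.inside = set()    # cards that entered and have not exited yet
        self.audit = []        # (event, subject, decision) for the control room

    def _decide(self, event, subject, reason=None):
        decision = "granted" if reason is None else "denied: " + reason
        self.audit.append((event, subject, decision))
        return decision

    def release_outer(self, operator, identity_confirmed):
        """Remote release from the monitoring room after camera identification."""
        if self.open_door is not None:
            return self._decide("outer", operator, "a door is still open")
        if not identity_confirmed:
            return self._decide("outer", operator, "identity not confirmed")
        self.open_door = "outer"
        return self._decide("outer", operator)

    def swipe_inner(self, card, direction):
        """Card reader on the server-room door; direction is 'in' or 'out'."""
        if direction not in ("in", "out"):
            raise ValueError("direction must be 'in' or 'out'")
        if self.open_door is not None:
            return self._decide(direction, card, "a door is still open")
        if card not in self.authorized:
            return self._decide(direction, card, "unknown card")
        if direction == "in" and card in self.inside:
            return self._decide(direction, card, "card already inside")
        if direction == "out" and card not in self.inside:
            return self._decide(direction, card, "no matching entry")
        if direction == "in":
            self.inside.add(card)
        else:
            self.inside.discard(card)
        self.open_door = "inner"
        return self._decide(direction, card)

    def door_closed(self):
        """Door sensor reports that the open door has shut again."""
        self.open_door = None
```

Denied attempts are logged alongside granted ones, so a repeated "card already inside" or "no matching entry" entry gives the control room a tailgating or shared-card signal to review.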
The Inside
• A direct link from the server S1, which is available to anyone, to the server S2, which contains critical data, is a big vulnerability point if this infrastructure is leaked outside the company
• Updating the data from S2 to S1, so the salesmen can know the exact amount of stock, can be done through the billing department; software that performs real-time and consistent updates can work around this problem
• All computers in the company must be protected with updated antivirus software, especially the computers in the bills department
Cables
• The cables are installed invisibly through walls to protect them from intentional or non-intentional damage.
What else do we need?
• The physical world and the logical world cost a lot of money, but they are not enough
• The employees should be educated and security-aware
• Organization-level security policies
• Some rules:
  • There must be an inside man who is a security expert; do not depend only on outside security contacts
  • At least two sources for the main utilities
  • There should be a security officer in the company who has the authority to watch the employees and see if they obey the rules
Security management
• The rules (continued):
  • There must be security awareness programs for the employees (educate them to take more precautions), for example:
    • To not leave their cars open
    • To take precautions when using USB flash drives in the company's computers
    • To not share their passwords
    • To change their passwords from time to time
    • …
• After all, if the employees do not take precautions, the maximum level of hardware and software security will not be enough at all