Priority number one should be hardening and the safeguarding of access and data integrity of the Oracle database servers housed as the main office In Restore, VA. And separately at the San Diego satellite office A comprehensive security policy will be developed and approved by management that will detail the specific guidelines administrators must follow when allowed adman access to company IT resources and services, and when and how those permissions should be denied or allowed.
Additionally, auditing and logging of critical events should be implemented utilizing a reliable SEEM (Security Information and Event Management) system. Moreover, control of user access from emote sites via the company intranet via Van’s and remote access via RADIUS should be strengthened and monitored for both qualitative and quantitative analysis and measuring. Cryptographic techniques will be enhanced and login and password requirements will be strengthened.
Of significant importance is the company web presence and corporate access to its knowledge base portal within the company intranet. The company web presence is of vital importance to allow customers to access information concerning the company’s products and services. The knowledge portal Is vital for company employees to have access to propriety information while retention their confidentiality, Integrity, and availability of the data. We will separate and hardened both the web server and the knowledge portal Vela firewalls and the use of DAM’S.
Overview Recommendations Our strategy will be defense in depth and will include multiple levels of security. By using a combination of policies, operations procedures, people, and security technologies we will significantly reduce risk by minimizing vulnerabilities. Three main principal shall be strictly enforced. Confidentiality Integrity Availability ; The restriction of unauthorized user access to data. Limited the modification or deletion of data to authorized users only. Protection against Mallard to insure 99. 9% system availability Hardening the database server: Hardening a server consists primarily of four basic locked server closet and access limited to restricted IT personnel only. B. Reducing the attack surface, I. E.. Limit the running protocol to only those services needed. Many of the unneeded services are identified below but this consultant recommends weekly use of the (CSCW) Security Configuration Wizard) be run to identify additional and timely unneeded services.
The database server will not have the following revise running: DNS RIP MAP POPS OSPF IGMP IGMP Telnet SSH FTP TFTP – Tornado Name Services – Routing Information Protocol – Internet Message Access Protocol – Post Office Protocol 3 – Open Shortest Path First protocol – Internet Group management Protocol – Internet Control Message Protocol – Remote computer connection protocol – Secure Shell Remote computer connection protocol – File Transfer Protocol -Trivial File Transfer Protocol HTTP – Hypertext Transfer Protocol HTTPS – Secured Hypertext Transfer Protocol ESMTP – Simple Mail Transfer Protocol c.
Enable Firewalls and disable or restrict emote access based on specific user needs from defined hosts. D. Installation and updating of antivirus software and application and operating system patches will occur nightly on a fixed automated schedule. System privileges for user should be lowered to conform to the “Policy of Least Privilege”. Users, resources, and application access will be given rights and permissions strictly on the basis as needed to perform or access necessary tasks.
GPO – Group policy objects will be inspected and re- evaluated to insure user permissions and rights with policy object are only those necessary to accomplish needed tasks. Enable Logging: All critical successful and unsuccessful events shall be logged and audited for skew and alerts of baseline metrics. (MAMBAS) Microsoft Security Baseline Analyzer will be implemented to engage auditing of critical metrics of user access and control. Separately, the Web Server should also be physically isolated into its own server closet and have access limited similarly to that of the database server.
Administrative Policies and Procedures: We will heretofore provide written rules that outline security requirements so as to inform the administrators know what security is to be implemented and let users thin the organization know what is expected of them. I-JAPE – User access Policy shall consist of the following components: Data – Data shall be protected by use of permissions and encryption of files, folders, and shares as well as registry permissions and active directory permissions.
Auditing -Access shall be tracked so as to identify what was done, when it was done, where it was done, and who did it. Clients and Servers – All client and server equipment shall have active and up to date antivirus software installed and functioning Network – Network access protection (NAP) shall be implemented to control access to he network and reduce vulnerability from snifters to capture and analyze confidential data. Wireless – Protocols and methods to ensure security and confidentiality of wireless connection shall be enforced and implemented.
Physical Security – All servers shall be in locked server rooms and access limited to those personnel identified with legitimate need. Principal of Least Privilege – Users, resources, and applications shall have access to their resources strictly limited to determination of quantitative and qualitative value of risk related to a situation and a recognized threat (also called hazard) will be determined. Qualitative Assessment: We will identify possible threats to our assets based on qualitative measurements of low, medium, or high.
Our Quantitative risk assessment will requires a calculation based on two components of risk (R):, the magnitude of the potential loss (L), and the probability (p) that the loss will occur. This Quantitative risk assessment will include a calculation based on the single loss expectancy (SALE) of our assets (our database server, web server, and DNS server). This single loss expectancy can be defined as the loss of value to our assets based on a single security incident.
We will then calculate the Annulled Rate of Occurrence (ARE) of the threat to our asset. The ARE will be an estimate based on the data of how often a threat would be successful in exploiting a vulnerability. From this information, we will calculate an Annulled Loss Expectancy (ALE). This annulled loss expectancy will be a calculation of the single loss expectancy multiplied by the annual rate of occurrence, and how much Omega Research could estimate to lose from a compromised asset based on the risks, threats, and vulnerabilities we’ve identified.
Information Security Assurance: Strengths The use of Van’s gateways to encrypt intranet traffic in and out of the company provides a positive level of security for user access and control remote wireless . Unfortunately, it is not being used at all locations. Implantation of a RADIUS server to protect PETS access is also a positive implantation. Use lease line to access the ISP which provide a segment reasonably secure for eavesdropping. Use of an in-house DNS server helps protect against DNS poisoning or “spoofing”. Isolation of server equipment separate from everyday user equipment.
Separate Severs for mail, database, and priming functions Information Security Assurance: Weaknesses The internal policies and procedures regulating the use of least privilege for both administrators and group policy users are weak. Also the physical location of the actual servers needs to be separated and isolated. Additionally, firewall appliance are completely lacking and separate firewall protection should be placed and implemented at all ingress/outguess points and border routers. As Omega is the registered owner of the domain name Manchester. Mom it is vital the DNS server be isolated both physically and connectively so as to protect from tampering and DNS spoofing” (cache poisoning) by in-house users with elevated permission levels. Static in network MAC addresses will be applied. Information Security Assurance: Threats Risk occurs when threats exploit vulnerabilities. We can identify 5 specific threats that we will increase protection to defend against. We identify the following as possible threats: Intentional in-house disgruntled employees or former employees, accidents, earthquakes, fires, tornados, or other “Acts of God”. DOS) Denial of Service Elevation of Privilege Employee Tampering Spoofing of an authorized user’s identity Unauthorized employee disclosure of propriety information Information Security Assurance: Ten Vulnerabilities Vulnerabilities are weaknesses in our systems, our policies, procedures, and/or our people. We identify the following vulnerabilities that we will strive to strengthen. (PACE) port access control (802. Xx appliances) Authentication protocols – 3 factor, what you know, have, are.
Password Management Flaws – complexity, length, expiration, age, history Operating System upgrades and patches Isolation of Webster from internal network Employee training to prevent social engineering – prevent pushing attacks Restriction of use of thumb drives Control of Wireless Access Points (WAP) Isolation of database server from outside threats and internal tampering Controls of user input when accessing the database server to prevent buffer overflows Recommended Information Security Policies: We recommend a layered, defense-in depth approach to security that protects Omega Research’s data against threats.
This will ensure maximum protection of data and resources and will minimize the potential for compromise. The following rules and procedures that all persons accessing computer resources of Omega Research just adhere to in order to ensure the confidentiality, integrity, and availability of data.
User Access to Computer Resources: -We identify the roles and responsibilities of users accessing resources on the organization’s network. ;Procedures for obtaining network access and resource level permission ;Policies prohibiting personal use of organizational computer systems ;Passwords, 16 complex character minimum, change requirement every 120 days. Procedures for using removal media devices ;Procedures for identifying applicable e-mail standards of conduct ;Specifications for OTOH acceptable and prohibited Internet usage ;Guidelines for applications ;Restrictions on installing applications and hardware ;Procedures for Remote Access ;Guidelines for use of personal machines to access resources (remote access) ;Procedures for account termination ;Procedures for routine auditing ;Procedures for threat notification; and Security awareness training Baseline Architecture: The WAN Architecture for Omega’s research needs a moderate to severe level of upgrading.
First, we have identified that the peak load at the T-1 line at the main office in Restore, VA. Is at 80% during peak usage times. This is at critical capacity and should be immediately upgraded to a T-3 which will significantly increase data- communication leased line and offers the same data rate as symmetric DSL (1. 544 Mbps) having an optical T-3 line will significantly increase load capacity (yields 44. 736 Mbps total network bandwidth) and exponentially reduce the possibility of eavesdropping at the main corporate data link.
Additionally, although the load requirements of the Seattle office are not at critical stage, due to minimal cost efficiencies and future expansion expectations we recommend upgrading the kick ease line link from this office to the AT&T ISP provider to a T-1 . Upgrade to T-1 Upgrade to T-3 KICK Seattle Internet ISP Provider AT&T San Diego COM Restore, VA. Home Office Omega Research Current Main Office Design and Recommendations At issue with our current Network design is the accumulation of ALL of our server equipment in one place be served by a single switch and without any firewall protection.
This creates the potential for a “single point of failure”, both in the physical location of the equipment and the failure to prevent ingress of malicious software and persons. COM Internet VPN Gateway EST. Laptop IT Department Workstations (xx) ESMTP Mail Gateway File/ Print Server Exchange 2000 Mail Server Web Server DNS Oracle ii Server POX We recommend isolating different server components into separate locked closets and provide limited access only to those persons needed at only at those times needed.
Additionally, individual rooms will have specific firewall protection based on specific policies needed for that unique service. First, it is important that all three satellite office intranets access our Home Office through Van’s and we have indicated this thus in our diagram. Our wireless access will essentially remain the same except that the equipment that processes authorization for access will be isolated and ingress into the Home Intranet system will be filtered by a separate border firewall.
Omega Research Home Office – Restore, Virginia VPN Gateway COM Security Assurance Recommendations INTERNET VPN Gateway SAN DIEGO VPN Gateway SALEM VPN Gateway RASA Border Firewall Server Firewall Next, we combine and isolate our most vital asset, our database servers. We insert a specific firewall to protect them from outside intruders and back them up with dual tipped, mirrored RAID 10 servers. This server closet shall be physically secured and locked at all times and access limited to only those with need and only at those times needed.
Our firewall permits outbound data to the knowledge base on a one-way permission only and only as a daily update set on an automatic cycle. RAID 10 Mirrored And Striped Backup Here we isolate our web server and knowledge base data server physically and well as isolate traffic in and out using a DMZ and also with our main Border Firewall. Data is to be update into the knowledge base once per day and traffic into and out of the be server will be restricted with specific ingress and outbound filters and controls.