The Department of Resettlement and Compensation


02 Nov 2017


This report provides an evaluation of a security assessment carried out for the Department of Resettlement and Compensation, a unit of the Federal Capital Development Agency (FCDA) that deals with land leases and the resettlement of people living in unsafe areas. It is a large organization with two divisions located in the same building. Because its operations are sensitive, that is, they deal with private information owned by the government and the people, the importance of the confidentiality, integrity and availability of its information and services cannot be overemphasized.

The organization recently decided to carry out a holistic assessment of its assets, to determine the threats posed to those assets, the existing vulnerabilities in its infrastructure and the impact that security breaches would have on the overall system. The project was carried out in response to a directive from the head office (FCDA) to perform security assessments in each of the four departments, following a recent rise in unauthorized information disclosure and data modification. The results of this assessment will determine the implementations and policies to be put in place towards a more secure and dependable system.

The method of analysis was an in-house vulnerability and risk assessment, carried out in three phases. First, a small assessment team of four was put together. The team then proceeded to the information gathering stage, where the requirements and the observations of key personnel were carefully evaluated and four critical assets were identified. These assets are considered critical to the daily operation of the organization. They are:

Confidential paper documents

AGIS application

Computers

Land information database

Several vulnerable areas were identified. If exploited, these vulnerabilities could significantly impact the organization's budget, whereas solving them now will have very little budget impact. The team generated a list of threats and vulnerabilities in the form of a table and assessed the risk impact at four levels: very high, high, moderate and low. The assessment produced four very high impact areas that require immediate attention and three high impact areas that should also be treated as early as possible. The very high impact areas resulted from the absence of a good authentication policy, unrestricted user privileges and the lack of a good firewall system, which acts as a barricade protecting the network against the intrusion of malicious software.

At the end of the assessment, which was the third phase, control measures were recommended and the components the organization requires for secure and dependable operation were suggested. Among the recommendations were important policies to be put in place and hardware controls, e.g. biometric scanners to augment the existing authentication system, antivirus scanners for software and back-up power supplies in case of a power failure. Most vulnerabilities were due to staff negligence and a lack of policies; these can be controlled by raising the level of security awareness among staff and ensuring they abide by the proposed policies.

1. Introduction

Information security is paramount in most organizations today due to advances in technology and the frequent rise in network and information security attacks. The confidentiality, integrity and availability of information in an organization must not be compromised, hence the need for regular security assessments to ascertain that these security requirements are met.

This report is based on a security assessment carried out from the 25th to the 27th of March 2013 for the Federal Capital Territory Agency (FCTA). The FCTA is a government agency whose mandate is to oversee the infrastructural and physical development of the new Federal Capital of Nigeria. The FCTA is committed to paying special attention to inclusivity, functionality, design and aesthetics. The FCTA is divided into seven departments (subsidiaries), which carry out specific functions. These departments are very large and each functions as an individual unit.

The need for a security assessment in each of the departments arose because of the incessant rise in information theft and, in some cases, the loss of data integrity across the agency. Each department was charged to carry out a holistic security assessment and to recommend control measures for the security issues discovered. This report is based on the assessment of the Department of Resettlement and Compensation under the FCTA umbrella. A small team consisting of four key individuals from three divisions of the department was put together to carry out the various assessment activities, and an in-house vulnerability and risk assessment approach was used for the broad security evaluation.

1.1 Purpose

The purpose of this assessment is to identify threats to the organization's assets and to produce control measures to counter these threats, thereby reducing the risk of the vulnerabilities being exploited. For this purpose, the organization's critical assets were first identified, and the vulnerabilities in these assets that could be exploited by threats were deduced; these are given in the form of threat profiles. Deductions, recommendations and a suggested information policy are given at the end of this report. This document will also serve as a reference and guideline for future assessments.

1.2 Scope

The scope of this assessment covers the two divisions of the Department of Resettlement and Compensation. Information gathering processes were carried out to highlight the critical areas for assessment.

The following activities are within the scope of this project:

Identification of potential members of the team required to assess and deliver solution.

Evaluation of the organizations assets and information infrastructure to assess security.

Identification of Key (critical) assets and the personnel/user in charge of these key systems.

Identification of potential threats to the key assets and of the infrastructure/organizational vulnerabilities, e.g. weak policies, practices and components.

Identification of infrastructure vulnerabilities.

Identification of risks that will occur if the threats exploit the vulnerabilities.

Proposals.

1.3 Background Information

The FCTA is a government agency whose mandate is to oversee the infrastructural and physical development (planning, design and construction) of the new federal capital of Nigeria and to ensure that it conforms to or surpasses the standard of new capital cities around the world. The FCTA is committed to paying special attention to inclusivity, functionality, design and aesthetics. The FCTA is divided into four departments, which include:

Engineering;

Survey & Mapping;

Resettlement & Compensation;

Mass Housing.

This report focuses on the assessment carried out for the department of resettlement and compensation alone.

The Department of Resettlement and Compensation is charged with the responsibilities of policy formulation, guidelines and implementation of resettlement schemes, and payment of compensation for crops, economic trees and structures. The creation of the department provides the opportunity to bring under one umbrella all issues pertaining to resettlement and compensation, which had hitherto been fragmented across the Departments of Urban and Regional Planning, Development Control and Land Administration.

The Department is located in a single building and has two divisions. These are:

Planning, Resettlement and Compensation

Valuation, Monitoring and logistics

The Department runs on one LAN consisting of user PCs that run the software, file servers and Active Directory servers. They are connected by switches and a router that connects the system to the internet. The department runs a website where members of the public log in to apply for compensation and to log complaints.

This project is aimed at carrying out a broad security assessment for FCTA, identifying their critical assets and their current threats and vulnerabilities, and recommending policies that should be implemented to prevent these vulnerabilities from being exploited by the existing threats.

2. Technical Approach and Methodology

The approach used to carry out the security assessment was an in-house vulnerability assessment approach carried out in three phases. The first phase involved analysis of the current system and information gathering. This was done by facilitating a knowledge elicitation workshop attended by personnel from the two divisions; it provided an avenue for brainstorming and interaction in order to gather useful information about organizational assets. This information was gathered by the team and used to create the threat profiles. The second phase involved identifying infrastructure vulnerabilities and risk analysis. The third phase involved the development of security strategies and control measures. A proposed information policy is given at the end of this report.

PHASE I

3. Security Assessment Team

The key users and personnel in charge of the critical assets were chosen as team members based on their knowledge of the organisation and their familiarity with key systems. The team comprised the following:

Head of the valuation and compensation division

Senior administrative officer

Monitoring and logistics team leader

System Administrator

As part of their duties, they aided the information gathering process by determining staff requirements and current practices. This led to the identification of important assets in the organisation, the threats to these assets, the security requirements of the assets, the current security practices and the vulnerabilities in the system. All this information was put together to produce threat profiles for the critical assets and formed the basis for the proposed controls and policies.

4. Identification of Organizational Assets

After gathering information from key organisational personnel and thoroughly evaluating the results, the following list was compiled of the assets available to the Department of Resettlement and Compensation. This is a generic list containing the assets that staff unanimously identified as beneficial to the organisation. They are classified as information, software, physical and people assets.

Information Assets

Databases: containing the land information database, owners, payment details, etc.

Physical Data files: Business and continuity plans, logs.

Archived information

Software Assets

AGIS application: a custom Geographical information system

Operating systems

Physical Assets

Computing equipment: computers, server, laptop

Storage media: magnetic tapes, disks

People Assets

System Administrator

4.1 Identification of Key Assets

After further analysis of the requirements and other information gathered from the managerial and operational areas of the organisation, five critical assets were identified. These are highly relied upon systems which perform functions essential to maintaining reliable operation of the organisation, and without which normal operations in the organisation would come to a halt. [1] They were compiled using information gathered from senior management and staff from the operational areas and are given below, with a brief explanation of why they are important. The requirements table which led to the identification of these assets is contained in the appendix.

Table 2: Critical assets and description

CRITICAL ASSET               | REASON FOR SELECTION
-----------------------------|-----------------------------------------------------------------------------------------------
Confidential paper documents | Consists of important land files and documents, financial records and archived information.
Land information database    | The databases contain important land information (details of property and their owners) which needs to be securely stored.
AGIS application             | This software is used by the planning and monitoring division for organising, planning and monitoring settlement areas.
Computers                    | Staff need the computers to run applications, for communication and for data processing.
Web server                   | The web server hosts the website, through which clients apply for compensation and log complaints. These activities are crucial to the organisation.

5. Threat Profile

The table below gives an overview of the threat attributes pertaining to each critical asset and the outcome of the threat.

Table 3: Threat profile table derived from NIST [2]

THREAT ACTION                                                   | ASSET                                       | ACCESS            | ACTOR              | MOTIVE                 | OUTCOME
----------------------------------------------------------------|---------------------------------------------|-------------------|--------------------|------------------------|------------------------------------------------
Denial-of-service launched by human attacker                    | Land information database; AGIS software    | Network           | Internal; External | Deliberate             | Loss, destruction; data modification
SQL injection attacks                                           | Web server                                  | Network           | External           | Deliberate             | Modification, disclosure
Power outage                                                    | Computers                                   | Physical          | Internal; External | Accidental             | Interruption; loss, destruction
Malicious program run by human attacker                         | AGIS application                            | Network           | External           | Deliberate             | Modification; interruption; loss, destruction
System misconfiguration                                         | Computers                                   | Physical          | Internal           | Accidental             | Interruption; loss, destruction
Disgruntled/unenlightened employees having access to key systems | Paper records; client database             | Network; Physical | Internal           | Accidental; Deliberate | Disclosure; modification; loss, destruction
Natural disasters, e.g. fire, earthquake, mice                  | Paper records; computers; all equipment     | Physical          | External           | Accidental             | Loss, destruction; interruption

PHASE II

6. VULNERABILITY AND RISK ANALYSIS

To carry out a security assessment effectively, the impact of each risk must be determined in relation to the likelihood of the risk occurring. This qualifies the risks and tells the organisation which areas require immediate attention and which do not. A risk impact matrix developed by NIST was used for a qualitative risk analysis.

The key information technology components of the department of resettlement and compensation under the FCTA are categorised as software, hardware and network components. Within these components, especially the network, are vulnerabilities that can be exploited by the identified threats to the organisation’s critical assets.

Listed below are the vulnerabilities discovered after careful evaluation and review of the critical assets, interviews with the organisation's personnel and a review of current practices. If exploited, these infrastructure vulnerabilities will result in system failure and will affect productivity levels within the organisation. They are considered important and should be addressed immediately.

Non-existent information policy

Description

Every organisation should have an information policy guiding operations within the organisation, and it should be enforced with strict adherence. Currently, the FCTA does not possess firm information security policies, such as password policies and employee termination policies. An information policy forms the basis of a successful security implementation.

Risk: Errors are likely to be encountered without strategic guidelines. The organisation also runs the risk of protecting low value assets to the detriment of high value assets because of improper planning and the absence of a guideline.

The network runs without a good Firewall system

Description

A firewall is a very important component in any network. It prevents various kinds of intrusion and malware attacks that can otherwise easily reach the network and cause damage. There are two kinds of firewalls: an inbuilt software-based firewall and a hardware firewall. SunCity enterprise runs a network consisting of user PCs and servers without a hardware firewall to protect the entire network. According to the information gathered, some individual workstations have software-based firewalls running but other systems do not: the firewalls have either not been installed or have ignorantly been turned off by users to allow some unsafe programs to run.

Risk: Without a firewall, malicious programs can gain entry into the network. This can invariably cause damage to the entire network.

Users have unrestricted privileges

Description:

Staff in the Department of Resettlement and Compensation can download third party software without needing to obtain permission. This software may be unsafe and may harbour malware which can infest the system; malware can delete, modify or capture private information. User privileges should be removed or permissions set so that downloads are controlled.

Risk: Users can download software containing malicious code, which can lead to a denial of service attack causing network downtime and loss of information, which in turn leads to loss of revenue.

Inadequate authentication policy

The company currently uses only user IDs and passwords for security and access control, and these are easily compromised through carelessness and ignorance. Introducing another level of security in addition to user IDs and passwords, e.g. biometrics, will improve the current level of security. System time-outs should also be introduced: with this implementation, the system controls automatically log a user out if they detect inactivity for a certain amount of time after login.

RISK: Private information can get into the wrong hands if the passwords for the key systems are compromised. The Organisation will lose vital information and the trust of its clients.

Private information is left unencrypted in databases

Encryption gives added security to information stored in a database. If an intruder is able to get past the database security, the information in the database will still be unreadable unless the intruder also has access to the key, which is very unlikely. The organisation holds confidential information in its databases and it is unencrypted.

RISK: Data theft and modification can cause the organisation to lose its integrity and clients lose confidence in the organisation. The FCTA body, which is a government agency, will lose its credibility.

No back-up power source available

The company relies on government-provided electricity and has not provided an alternative source of power for backup in the event of an electricity shortage or power failure.

RISK: A power failure will interrupt activities, leading to loss of data and network downtime.

6.1 SUMMARY OF RISK ASSESSMENT RESULTS

Table 4: Risk assessment results

#  | THREAT / THREAT ACTION                                          | VULNERABILITY                                       | EXISTING CONTROLS                                    | LIKELIHOOD OF OCCURRENCE | IMPACT | OVERALL RISK | RECOMMENDED CONTROLS
---|-----------------------------------------------------------------|-----------------------------------------------------|------------------------------------------------------|--------------------------|--------|--------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------
1  | Unauthorized system access                                      | Unrestricted privileges                             | None                                                 | High                     | Major  | Very high    | Set adequate user privileges
2  | Malware which can modify or destroy data                        | Absence of a good firewall system                   | Software firewalls only                              | Medium                   | Severe | Very high    | Install hardware firewalls where necessary; ensure operating system firewalls are always on
3  | Disclosure, theft or modification of private information        | Inadequate authentication policies                  | The use of any six characters or more for passwords  | High                     | Major  | Very high    | Impose the use of alphanumeric and special characters; passwords must be changed periodically; introduce system time-outs; use biometrics in addition to passwords for high level users
4  | Destruction of paper documents in the event of a natural disaster | No backup or duplicates in another location       | None                                                 | Low                      | Severe | High         | Keep a backup of all important documents in another location
5  | Information theft                                               | Private information left unencrypted in the database | None                                                | Medium                   | Major  | High         | Database encryption
6  | Power failure affecting the availability of the GIS software    | No back-up power source                             | None                                                 | Low                      | Major  | Moderate     | Provide backup power sources, e.g. UPS

PHASE III

7. PROPOSED CONTROL MEASURES AND RECOMMENDATIONS

No system can be totally infallible or risk free, but the likelihood of threats being able to exploit vulnerabilities can be reduced by taking specific security measures. Given below are the control measures that should be adopted to keep security incidents to a minimum. They have been classified into hardware, software, administrative and physical controls.

HARDWARE CONTROLS

Biometric scanners: A biometric scanner uses a unique physical characteristic of a user for authentication, e.g. fingerprints, eye (iris) patterns or voice. [3] This can be used in addition to normal passwords as an additional security measure for key staff.

Hardware firewalls: In addition to the existing software firewalls, a hardware firewall is required for packet filtering; hardware firewalls should be used in conjunction with software or operating system firewalls [4]. Alternatively, a router with an inbuilt packet filtering system should be used in place of the regular router.

Intrusion detection systems:

SOFTWARE CONTROLS

Use of antivirus scanners: antivirus scanners will screen malicious content and block its entry into the systems.

Ensure that all software is up to date: regular software updates provide protection against threats. The GIS and operating systems should always be up to date.

Restrictions on the download and use of third party software: this will avoid the ignorant download of malicious content and provide more control over the network.

Encryption of data

ADMINISTRATIVE CONTROLS

Create and enforce an information policy that addresses the specific needs of the organisation and is in compliance with the FCTA security goals

Policies should be reviewed periodically and updated

Set privileges for different user types

Organise security trainings and workshops for key asset owners and staff

Create a business continuity plan that documents how the organisation will continue to function in the event of a security incident

PHYSICAL CONTROLS

Locks should be provided for paper file cabinets.

Automated entry systems should be provided as an added security measure for the rooms where critical assets are located.

A backup or an alternative power supply should be made available, because of possible damage to data or media by sudden loss of power.

7.1 PROPOSED SYSTEM ARCHITECTURE

The proposed network architecture diagram below shows a cross-sectional plan of the system arrangement in the building, with biometric-enabled systems and a firewall.

[Figure 1: Network architecture showing the arrangement of fingerprint-enabled clients and firewall. Diagram labels: Router, Switch, Sub-Server (Division 1), Sub-Server (Division 2).]

7.2 HARDWARE COMPONENTS TO BE PURCHASED

This is the recommended hardware to be purchased, in addition to the existing components, so that the added security requirements can be achieved. The cost

7.2.1 FINGERPRINT READER

M2SYS has an out-of-the-box system for integrating fingerprint biometric technology with existing applications, and so this is the system of choice. The M2SYS USB Fingerprint Reader comes bundled with its SDK and user licenses, depending on how many user licenses are purchased.

7.2.2 IRIS SCANNER OPTION

The Panasonic BM-ET200 is an iris scanner model from the Panasonic biometric security family. This iris scanner security system offers more accurate, faster, non-contact entry/exit control using biometric iris recognition technology [5]. In addition, it includes a voice guidance feature, which can be set to three different user settings and a wide variety of languages, including English, French, German, Japanese and Swedish. Panasonic iris readers deliver fast and accurate enrolment and authentication without the need for any physical contact. This option is more costly than the fingerprint option and should be implemented based on the availability of funds.

7.2.3 HP LAPTOP DV5T

Laptops with inbuilt fingerprint readers. CPU: Core Duo / 2.0 GHz / FSB800; LAN / WLAN / DVD-RW / card reader / 14.1" wide LCD. The laptops are for office use only and should not be allowed out of the building.

7.2.4 FIREWALL

A Cisco ASA 5505 Firewall Edition bundle is recommended. This firewall is a high performance device that delivers SSL and IPsec VPN and other networking services. It is very efficient and will serve adequately.

8. INFORMATION POLICY

This information policy provides management direction and support for information security throughout the organisation.

Users must change their passwords quarterly. The same passwords cannot be repeated.

Offices where private information is held shall be given an appropriate level of physical access control, and only authorised staff shall be granted access.

Risk assessments must be performed before a new system is introduced, to assess the impact of using that system on the overall system.

Information assets of any new systems must be identified, classified and documented.

All current staff must undergo security awareness training, and new staff must pass through security training before resuming normal duties.

All information asset owners must ensure that their systems are well backed up and that all security measures are in place. They will be held responsible for any loss due to negligence.

Third parties who are given access to information systems must agree to comply with the laws and regulations of the organisation and must read the information policy before proceeding.

All staff must comply with the information security policy and defaulters will be appropriately penalised.
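The authentication rules from the "Inadequate authentication policy" finding, row 3 of Table 4 and the password rules of this policy can be enforced mechanically. The following is an added example written for this report, not code from the department or its vendors; it assumes a 15-minute idle limit and a 90-day quarter, neither of which the report specifies, and uses a constructed user, salt and timeline.

```python
import hashlib
import hmac
import re
from datetime import datetime, timedelta

# Rules from the report: six characters or more, alphanumeric plus special
# characters, quarterly changes with no repeats, automatic log-out on inactivity.
# The report states no idle limit; 15 minutes is an assumption, a quarter is 90 days.
MIN_LENGTH = 6
MAX_PASSWORD_AGE = timedelta(days=90)
IDLE_LIMIT = timedelta(minutes=15)
PBKDF2_ROUNDS = 50_000

def complexity_problems(password):
    """Return the complexity rules the password fails; an empty list passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    return problems

def hash_password(password, salt):
    """Salted PBKDF2-SHA256 so the stored history never holds plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)

class Account:
    """One user's password history, last change date and last activity."""

    def __init__(self, user, salt):
        self.user = user
        self.salt = salt
        self.history = []        # salted hashes of every password ever set
        self.changed_at = None   # when the current password was set
        self.last_activity = None

    def set_password(self, password, now):
        """Apply the complexity and no-repeat rules; return the problems found."""
        problems = complexity_problems(password)
        digest = hash_password(password, self.salt)
        if any(hmac.compare_digest(digest, old) for old in self.history):
            problems.append("repeats a previous password")
        if problems:
            return problems
        self.history.append(digest)
        self.changed_at = now
        return []

    def password_expired(self, now):
        """Quarterly rotation: older than MAX_PASSWORD_AGE means it must change."""
        return self.changed_at is None or now - self.changed_at > MAX_PASSWORD_AGE

    def record_activity(self, now):
        self.last_activity = now

    def session_active(self, now):
        """False once the idle limit has passed; the system must then log out."""
        return (self.last_activity is not None
                and now - self.last_activity <= IDLE_LIMIT)

def walkthrough():
    """Constructed scenario: set a password, repeat it, then check age and idle time."""
    t0 = datetime(2013, 3, 25, 9, 0)
    acct = Account("sysadmin", b"constructed-per-user-salt")   # constructed user and salt
    first = acct.set_password("Land#2013", t0)
    repeat = acct.set_password("Land#2013", t0 + timedelta(days=1))
    acct.record_activity(t0)
    return {
        "first_change": first,
        "repeat_attempt": repeat,
        "expired_after_89_days": acct.password_expired(t0 + timedelta(days=89)),
        "expired_after_93_days": acct.password_expired(t0 + timedelta(days=93)),
        "active_after_14_min": acct.session_active(t0 + timedelta(minutes=14)),
        "active_after_16_min": acct.session_active(t0 + timedelta(minutes=16)),
    }
```

The history check compares salted hashes, so the "no repeats" rule can be enforced without ever storing old passwords in clear.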

9. CONCLUSION

This security assessment was carried out to identify security lapses and possible threats to the organisation's critical assets. The assessment helped to identify vulnerabilities within the system and the risks involved if these vulnerabilities were to be exploited by threats. Security assessments should be carried out regularly, as control measures may become outdated or inefficient over time. In addition, technological advances bring more sophisticated attacks with them. All of this should be taken into consideration when implementing the information policy. We advise that the recommended controls are implemented as soon as possible, as the cost of damage prevention is considerably less than the cost of damage control.
