Information And Data Security

Published Date: 02 Nov 2017

AYODEJI OLAYEMI

K1211798, Networking and Information Security

[email protected]

Executive Summary

This report brings to your notice, all the risk assessment carried out in your organisation, as well as the security and information threats that can be exploited by anyone with a criminal mind to undermine this organization and cause it to fail.

The report focused on the vulnerabilities that are easy to exploit and the type of threat they present when exploited. Given the size of the organisation and the number of users in it, certain loopholes exist that needs to be blocked to avoid exploitation by internal or external users or forces.

There are two main attackers we need to plan for and they are ready to exploit the organisation when given the opportunity to strike and they include: the organizations staff’s (which can be planted in to learn your trade secrets or extract valuable information from your servers given their level of interaction or competence) and secondly the External influence, this can come in form of attackers (hackers into your servers to steal information or data or trade secrets or new drug processing procedures), or use the social media in lieu of friendship to gain advantage to internal processes and structures, making it easy to redirect attacks at more important functional staffs to either steal or corrupt their work by form of discrediting, tampering and blackmail of the official concerned.

Every possible security loophole is discussed and a solution on how to block or limit the loophole is given. A page on information policy that should be put in place to safeguard against further external attacks and insider abuses by staff’s committing the blunders or causing the blocked loophole to be open again.

2.0 TECHNICAL DETAIL

2.1 Abstract

Security of information has become utmost priority in key organizations like banks, insurance companies, health care organisations and many more; this is due to many faces of attackers or hackers or crackers that seek to compromise their network and steal valuable data not limited to money, but key information’s to use against the owner for identity theft or possibly espionage.

The purpose with which this report is given is based on conducting a security and information assessment of a private hospital having over a thousand patients and has a work-force of over 90 staffs.

The report would focus on closing all loopholes identified and provide a counterweight to balance-out all threats from coming up at a later time and would draw up a policy statement that should conform in line with the company’s vision and mission statements.

2.2 SCOPE OF PREFERENCES

Information is generated everyday and as such needs to be stored and protected against different attacks, be it physical (i.e. theft) or natural (water damage, fire, animals loitering around the complex like rats and insects). For different attacks, the medium of the attack can be classified based on the threat they pose and the vulnerability associated with the storage or protected assess in place to prevent damage or theft.

We shall expound on the different threats and vulnerabilities that can happen or that are lacking in control presenting a potential harmful risk to the organization.

To prevent an attack, we need to understand how the information or data is threatened and various compromises that exist in the system, to find a way to counterbalance the attacks and proffer a better solution that can withstand the test of time and environment.

3.0 RISK ANALYSIS

The threat or risk analysis of major occurrence can be grouped based on the factor that influences its outcome; the two (2) main concerns are Natural Disasters and Man-made disasters (or human threats)

3.1 Natural disasters

Nature has a way of regulating itself, and has such, when people or buildings are in its path; destructions and loss of lives are bound to occur as a result. In this part of the world, common natural disasters are not limited to fire, water, snow; to which any other can happen at any other time without warning.

Therefore to be well protected against the issue of natural borne disasters, there is a need to have a fail-safe system in place at all time, information or data back-ups should be handy and be safely handled to prevent unwarranted loss of valuable information in the back-up drives. Cases abound in which during period of natural disasters, office documents or data go missing as a result of unauthorized staff or an outsider coming in to help salvage or rescue people often make away with valuable office information and data drives.

Should a building be sited in a natural disaster prone area, effort be made to secure and evaluate potential threats in the surroundings and a mitigating solution in place, waiting for disaster day won’t be good at all, but putting in place flood protection techniques that may include water-tight blocks be used for critical information equipments and fail-safe over-riding controls to shut off power when flooding occurs. Secure and remote connection to backup data via high-speed internet connection. The risk of natural disasters should be quantified as quickly as possible and know what aspects of the evacuation plan is to be carried out by members of the team not to appeared disoriented when a situation or condition happens.

In essence, have a disaster recovery plan in place and other safety options for operators of the disaster recovery options.

3.2 HUMAN THREATS

Humans are the life-blood of any organization and they are the weakest link in killing it. Many employees are aware of loopholes in a security net casted over an office and as such as quick to point out venerable points to management when giving the opportunity.

The idea of having a malicious insider is a rather compromising situation and which can be found out using the mechanics of time and patience to know what type of information is lost and how the leakage or loophole is being used. Business competitions in a particular industry with a main goal of increasing capital market share and dominance, often result to staff poaching from other competitors in the market or industry and therefore promote spying or information hijack from smaller companies, doing better than the big names in the market or vice-versa. The game usually includes poaching staff in company A, offering them, higher wages than their present salary or other forms of inducement or even blackmail to get the necessary information requested of them.

And as such, to counter-balance any activity of information hijack or espionage by internal staffs of an organization, staffs need to be monitored whenever they are within the confines of the office and what level of access they have to a particular document or information per time, covert cctv cameras be installed and recorded to watch fidgeting or odious staffs when they about to access important company’s information that often relate to their job descriptions.

Where risk of important company’s data can be taken from, policy to include none physical use of USB ports on data drives of the company’s servers, different LAN grouping from the staff LAN network, and anyone accessing the file server should have a time of entry and the duration spent and possible areas of the file server accessed during the time in, to ascertain what was accessed and who accessed it to know who can be monitored if a case arise in the future.

Information or valuable data, should not reside on employee laptops or desktops, a central file server with adequate security clearance be implemented to guard against possible theft of either the laptop or vandalism of the office by other means.

Also staffs are to be made accountable and knowledgeable of different actions and to be held responsible for actions arising from the miss-use of a certain of company policy or deviation from standard operating plan, which can have adverse effect on the survivability of the company both in the short and long term run, like damages to the brand name or identity of the company in short.

In accessing Human threats, advanced vulnerability exist when staffs are assigned workstations to work with, as this presents a key challenge in administration and control. Any criminal having adequate knowledge of our the internet and some programming functions work or operate, they can come in to infect or affect the operation of the company concern, being that at one point in the internal network of the company, there would be a gateway that links to the internet to assist users in performing and maximising productivity of the users well. Therefore the following sub-heading discusses the different threats and are grouped based on how they affect and can be used to compromise a system or network.

3.3 Network Access

How various staff accesses the Network can be compromised if an intelligent and crook attacker knows what he wants to get in a particular network space.

3.3.1 Password policy

Staff should endeavour not to use similar password for network access, there should a policy of password expiring probably after 2-3 weeks of use and staffs or network users not use previously used password.

Password policy should include other means of accessing an account and through the use of a combination of password or authentication device that seeks to authenticate a person at the end of a system or computer. User accounts need not resident on a particular system or device, but should be made or configure to be device free, and each user should not reveal what his/her username or password is to another person or even the network administrator.

The network administrator needs to use strong authentication and encryption based keys to encrypt password files and databases that resides on the network servers and should even change the filename to deflect an attacker from using known ideas or keyword to call for the password file name on the server.

3.3.2 Firewalls

The network administrators should put in place strategies that prevent unauthorised packets from entering the network environment, by various means, any data packet that does not originate from the inside network be blocked, while internet bound packets can go freely and come back, but any form of packet, seeking way paths into entering a network and if such packet or user has no sense of direction in navigating to the desired area, this may indicate there is an attacker on the network looking for a loophole to exploit or enter through.

3.3.3 File servers

Are to be protected, any information not meant for public domain should not be found here and the file server should be such that, it should use mac address filtering to only allow known and inside configured mac address access and use its services.

3.3.4 Hackers

Should the network be a constant hit for hackers (i.e. financial institutions), dummy servers be made, and installed before the firewall, such that it would trick the would be hackers that accessing the real thing, whereas information and data contained may be incorrect or outdated to deflect or throw off and passing wrong details to hackers hoping to hurt the inside network.

Security policy should be configured on each router or access node to the network to only allow inbound communication or traffic originating from the inside allowance to access the file servers, while an administrator should always analyse packets or datagrams that passes through the firewall to the outside world or internet.

3.4 Security Management

This is about making the internal network secure by taking into cognisance the effect of a break-in and the security services that one can use to access a given network to ensure control, integrity and non-repudiation as the case and situation may be.

3.4.1 Biometric access: - using certain and combined features of biometric access system to prevent unlawful access to a controlled part of an office building or room containing secured or top secret files, which can have a negative effect on an office or organisation if leaked or sold to a competitor. This form of access control should be such that it disallows spoofing or manipulation of the system, it can be or have a fingerprint scanner which is standard, and or a eye scanner or a head scanner to compare the width and length of the person with the stored data before granting access.

Computer drives and devices not often used can be protected this way against unauthorized access by staff or workers in a particular organisation. Any material or device not used or has been fully used for a critical purpose or learning should be kept securely and filed away from prying eyes to avoid untoward later on embarrassments.

3.4.2 Data Fraud: - some certain types or classification of data can either bring a business down or make it pay heavily for brand destruction or defamation. Any data device that can be accessed or logged into to retrieve sensitive information needs to be protected and guarded in the most rigours ways, wish may include access control authentication to be placed on it, or even if an ex-staff was working on a company project, any data that he has worked with, the data generated should be retrieved from such persons, as it can be costly later on. Most importantly, data drives not used should be either wiped clean or removed from the network to prevent malicious data or viruses from entering and corrupting the data or information contained in it.

3.4.3 Social Engineering: - Attack can come in through various means and social engineering can be one of such ways. Social media sites needs to be blocked on office internal network, such that any form of internet based interaction during the work period can be curtailed effectively. If not blocked or restricted, care and warming’s be handled over to the respective staffs with corresponding consequence for falling victim or to be manipulated through the social media. This presents a need to be careful while interacting and be mindful of whatever question or suggestions is posed to them to do on their network or give out secrets or data; most social media, interactions come through a network of friends, and can be deadly or embarrassing should a member of staff have his/her social media profile hacked and the same profile credentials used to attack the company’s internal network all because the staff use similar credentials across board.

3.4.4 Viruses and Malware: - These two vices have wrecked enough devices and network through their mode of operation. Care should be taken, that unsolicited network requests or updates download via mails or browsing through the internet are screened or subjected to the company’s antivirus scanner or database to be sure, virus or malware don’t disguise as real apps or mail, to cause failure or corrupt the company’s internal network operation. The company should use verified antivirus software’s and updates from time to time to maintain the integrity of their network as the adverse effect of this two vices can be destructions for the company to bear, and it may lead to loss of potential man-hours and incur additional expenses should it happen.

4.0 Information Policy

The company has to execute a set of policy as guiding principles as regards use of information or data within the work environment. This policy should be made visible and accessible to all members of staff and should also include possible punishment or consequences for mishandling or working against theses policy.

For the purpose of this security assessment, the following policy should be adhere to and modified to reflect present day circumstances and permeate through the premises of the company’s building or office.

A) Every member of staff is expected to be documented into the biometric access control system.

B) Every member of staff should not use the same username and password, if they have access to different servers (i.e. ICT take note)

C) Every member should not engage in social interactions while on premises.

D) Every workstation should undergo assessment every weekend to make sure their antivirus software’s are up to date.

E) Access to the central file server, should be done remotely, with permission from the network administrator authorizing use.

F) Data drives and backups are to be securely placed in airtight and waterproof containers to guard against incidents.

G) To use company data or information, express authorization shall come from the board.

H) Every staff should report any misdeavour with the use of company data or information.

I) every old company file sheet should be destroyed by shredding and burning as soon the file is declassified.

J) Network administrators must ensure adequate back-up at all times.

K) Routine services should not bring down the internet or the company servers during work periods.

L) Maintenance of servers and network device should conform to relevant standardization acts or policy.

M) Every wireless hotspot should be shielded away or directed from internal servers.

N) Network administrators should verify all cookies and security files to be correct and be identified before allowing access to reside on company’s workstation and should be deleted as soon as possible after use.

O) Installation of a proxy server, to handle any web request and counterbalance all intruding access.

P) File sharing with the web should be disabled and the mail server configured to reject attachment from the inside network; only allow the screened body of the mail to go to the web.

Q) Before any mail attachment is accessed, origin of the mail should be known, good antivirus signatures to scan it before opening the content to avoid downloading viruses and malware to the network.

5.0 Recommendation

Recommendation follows stringent measures to provide staff’s with adequate training to know what to do and how to behave or respond to some certain internal or external influences. Management must make it a priority to always evaluate security policy from time to time, to know how well, their staffs are keeping it and are using the policy to guide their actions in and around the office or organisation buildings.

Periodic reviews and meeting should come into effect once a month, so that staff can tell management want is lacking or missing or is perceived to be a loophole, so that such vulnerability can be effectively blocked and taken care off. The management of the company should not penalize a first time offender, but rather recommend a query report, warning or caution; and when repeated again, further discretion should be used by the management to deal with the staff so as not to victimize or weaken the morale of the remaining staff.

5.1 Conclusion

security assessment should cover all vital parts or functions a business does, in as much as a business has to interact with outside persons or organizations, there is a need for caution when competition is fierce and espionage is rifled in a particular industry or sector.

Security assessment helps a company or organisation to know the leaking points or weak point, so that an intruder just learning how the company operate would not be able to penetrate or strike a huge blow that can crumble the business or make it suffer a big loss in brand profile or patronage.

This kind of assessment is recommended to be conducted at intervals, at points of a new arrival of goods or persons, so that the enemy won’t use a period of new entrants to strike or obtain valuable information through special trained moles planted within an organization.