LB

Cyber Security Fundamentals

Photo: Leeward Mountains, Oahu, Hawaii, March 2014.
Reflection on Cyber Security Ethics & Professionalism:
Policies & Threat Mitigation:
Intrusion Detection System:
Reflection on Cyber Security Ethics & Professionalism:
                      The two articles that I have chosen to focus on deal with policies and intrusion detection systems.  Creating policies that encompass the security of software, hardware, customers, and employees ensures that the information of the company, its customers, and its employees is kept safe.  Policies that ensure the physical security of not only the company facilities but also the customers and employees allow for a more professional environment.  Policies also let employees know what is and is not allowed to occur in the workplace.  Most importantly, good security policies give customers confidence that their sensitive and proprietary information is being handled with care.
                Policies that determine where software and hardware may be sourced from further give employees and customers confidence that their information is not being mishandled.  With the rise of nation-state cyber actors such as North Korea, Russia, China, and Iran conducting cyber-attacks on the United States and American corporations, it is important to invest in American-made software and hardware to ensure the integrity of the products.  Furthermore, using American products such as Cisco products gives confidence to our customers and helps in qualifying for potential government contracts.
                Cyber security is about ensuring that information, whether it is sensitive, proprietary, or classified, is kept safe and secure from anyone who does not have a need to know.  Cyber security is also about protecting the office environment from corporate espionage as well as the insider threat.  It is important to restrict access in and out of the building to specific entry/exit points.  It is also important to place safeguards at each user station to ensure that only the intended user of that computer is able to log in to the system and no one else.  Further restricting server rooms to only the personnel who work in them will also help to secure information.  Ensuring the physical security of hardware and personnel is just as important as securing software when it comes to securing information.
                Cyber security management is being able to secure information at every point.  Whether it is buying hardware from a company that has a secure supply chain or having the proper physical security procedures for your company's business, it is important to have the policies in place to ensure that these things happen.
Policies & Threat Mitigation:
            Creating a new on-site facility requires a clear policy to be in place that will address both physical and digital security systems.  New physical security measures will need to be implemented to ensure only cleared personnel are granted access to the facility.  Once those cleared personnel gain access to the facility there must also be security measures in place to ensure that only personnel with a need to know have access to the different compartments within the information technology system.
             New physical security systems will need to be in place to mitigate risk to the physical environment.  Physical security begins with ensuring the safety of the personnel who work at the facility.  A well-lit parking lot or parking structure that is monitored by recorded video surveillance will be a necessity to provide security for personnel and to protect against the insider threat.  These video surveillance systems will also need to be installed around the facility itself and at the entry/exit points.  The surveillance systems will also need to be monitored by security guards so that there can be a quick reaction to suspected crimes. (Bosworth, 2014)
             A single main entry/exit point to the facility that requires proximity badge access and security staff to monitor personnel will also be required to make sure that non-privileged personnel are not gaining access to the facility.  The security staff at the main entry/exit point will ensure that personnel are properly badging into the facility with their proximity cards and not just piggybacking in behind another employee.  They will also record guests and visitors who enter the facility.  Another policy that will need to be in place is the wearing of an official photo ID badge that must be visible at all times while in the facility.  If an employee forgets their badge or has a guest, they will be able to receive a temporary badge from the security personnel at the entry/exit point.  These badges will also enable personnel to quickly identify individuals who may not belong in the facility and to contact the facility security manager about a possible non-privileged person in the facility. (Bosworth, 2014)
             The next policy that will need to be in place for physical security is the use of a Common Access Card (CAC) to log into a user station.  Each CAC will be protected by a personal identification number (PIN) unique to its holder and will contain the user's PKI certificates and private keys, which allow the user to log in and be authenticated.  This will allow the IT security professionals to maintain an audit trail.  A log is required for each entry attempt showing the date and time, the ID of the person, and the action taken by the access control system.  Denied-access and unable-to-identify events will trigger immediate alarms.  Each person's exit will also be authenticated and logged. (Bosworth, 2014)
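The audit trail described above (entries and exits logged with time, ID, and the access control system's decision, with denied and unidentified reads raising alarms) is also what catches the piggybacking problem from the previous paragraph. The following is an added example, not code from the original page or from any badge system vendor: it replays a constructed badge log, alarms on every denied or unidentified read, and tracks who is inside so that a badge exiting without a logged entry (its holder tailgated in) or entering twice without exiting (the card was passed back to a second person) is flagged. The log format, door name, and badge IDs are assumptions made for the example.

```python
"""Badge-access audit trail with alarms and anti-passback checks.

Added example, not from the original page or any vendor: the log format,
door names and badge IDs below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Set

# Constructed access-control log: one line per badge read.
# Fields: timestamp, door, badge ID (or UNKNOWN when the card could not be
# identified), direction, result.
SAMPLE_LOG = """\
2024-03-04T07:58:10 MAIN-GATE B1001 ENTRY GRANTED
2024-03-04T07:58:31 MAIN-GATE B1002 ENTRY GRANTED
2024-03-04T08:02:05 MAIN-GATE B1003 ENTRY DENIED
2024-03-04T08:02:09 MAIN-GATE B1003 ENTRY DENIED
2024-03-04T08:15:40 MAIN-GATE UNKNOWN ENTRY DENIED
2024-03-04T12:01:00 MAIN-GATE B1004 EXIT GRANTED
2024-03-04T12:30:22 MAIN-GATE B1001 ENTRY GRANTED
2024-03-04T17:05:00 MAIN-GATE B1002 EXIT GRANTED
"""


@dataclass
class Event:
    ts: datetime
    door: str
    badge: str
    direction: str  # ENTRY or EXIT
    result: str     # GRANTED or DENIED


@dataclass
class Findings:
    alarms: List[str] = field(default_factory=list)         # immediate alarms
    anti_passback: List[str] = field(default_factory=list)  # piggyback / passback suspicions
    inside: Set[str] = field(default_factory=set)           # badges currently in the facility


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format into Event records, in log order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, door, badge, direction, result = line.split()
        events.append(Event(datetime.fromisoformat(ts), door, badge, direction, result))
    return events


def audit(events: List[Event]) -> Findings:
    """Replay the log in order, raising alarms and tracking who is inside."""
    f = Findings()
    for e in events:
        when = e.ts.isoformat()
        if e.result == "DENIED":
            # Denied and unable-to-identify events trigger an immediate alarm.
            who = "unidentified credential" if e.badge == "UNKNOWN" else e.badge
            f.alarms.append(f"{when} {e.door}: access denied ({who})")
            continue
        if e.direction == "ENTRY":
            # Entering while already logged inside: badge passed back to a second person.
            if e.badge in f.inside:
                f.anti_passback.append(f"{when}: {e.badge} entered twice without exiting")
            f.inside.add(e.badge)
        else:
            # Exiting without a logged entry: the holder piggybacked in with someone else.
            if e.badge not in f.inside:
                f.anti_passback.append(f"{when}: {e.badge} exited without a logged entry")
            f.inside.discard(e.badge)
    return f


if __name__ == "__main__":
    result = audit(parse_log(SAMPLE_LOG))
    for line in result.alarms + result.anti_passback:
        print(line)
    print("still inside:", sorted(result.inside))
```

On the constructed log this raises three alarms (two denials for B1003 and one unidentified card), flags B1004 for exiting without an entry and B1001 for a second entry without an exit, and leaves B1001 as the only badge still inside at the end of the day. The same "who is inside" state is what a guard force needs for an evacuation roll call, which is one more reason to log exits as well as entries.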
             A physical security plan will also need to account for emergencies and natural disasters.  Assuming the facility is in San Diego, the emergencies and natural disasters that will need to be prepared for include earthquakes, fire storms, rolling blackouts, and heat waves.  In all of these scenarios the new facility must be prepared to provide its own emergency power.  The facility will need to own and maintain its own diesel generators, sized to carry the facility for as long as fuel can be supplied.  The generators will need an automatic transfer switch, and the server rooms a UPS to bridge the seconds the generators take to start, so that a blackout does not interrupt the power supply to the facility.  Information technology systems, including user stations and servers, have a temperature range in which they are able to operate.  In the event of a blackout during a heat wave, user stations and servers can overheat if not kept properly cooled, so the cooling plant must be on emergency power as well.  Overheating can result in the loss of millions of dollars in hardware as well as all the information stored on it.  Another option to supplement electrical power to the facility is solar panels, which can be placed over the parking lot as shade covers for employees' vehicles while producing energy for the facility. (Bosworth, 2014)
             In developing an IT plan for the facility I will be discussing the type of network topology that will be implemented, the reference monitor, and the firewall that will be used.  Developing a network plan begins with deciding on a network topology.  In a bus topology, all devices are connected to a single electrically continuous medium; for this reason this topology is also called a common cable or shared medium network.  A bus is a simultaneous broadcast network, meaning that all stations receive a transmitted message at essentially the same time.  Business LANs built on a bus historically used baseband signalling, in which the transmitter applies direct current (DC) signals to the bus without modulation.  Transmissions on a baseband bus are broadcast bidirectionally and cannot be altered by the receivers.  Buses are the oldest LAN topology and are generally limited in the type of medium they can use.  Because there is no central hub or switch they avoid that single point of failure, although a break in the shared cable partitions the whole segment, and every station can see every other station's traffic. (Bosworth, 2014)  I will also implement a WiFi network at the facility.  A WiFi network introduces many more vulnerabilities that will need to be mitigated, beginning with strong authentication and encryption on the wireless segment and keeping it separated from the wired network.  In the initial standing-up period of the facility the network administrators will require access to a WiFi network to use applications on tablets to test and verify network systems, user stations, and servers. (Bosworth, 2014)
             When creating the IT system it is important to implement the reference monitor in the earliest stages.  The reference monitor is the controlling element in the hardware and operating system of a computer that regulates the access of subjects to objects on the basis of the security parameters of the subject and the object.  (Bosworth, 2014)  When a process makes an operating system call, the reference monitor halts the process and decides whether the call should be allowed or forbidden.  For example, the reference monitor will not permit a user with a Confidential login account to read a Secret document (no read up) or write to an Unclassified document (no write down).  (Schneier, 2004)
             Within the Department of Defense (DoD), security policies are in place for multiple networks including the Unclassified network, the Secret network, and the Top Secret/SCI network.  Each network has a reference monitor that prevents users from accessing information they are not cleared to access.  For example, a user has logged into the Top Secret network and wants to access information about North Korea.  The user's clearances and allowed accesses are sent to the reference monitor.  The reference monitor checks the request against the security kernel database, which is a file that lists the access privileges (security clearance) of each user and the protection attributes (classification level) of each object.  (Bosworth, 2014)  The security kernel database shows that although this user holds a TS/SCI clearance, the team the user is assigned to works on Afghanistan.  Clearance level alone is not enough: the user also lacks the need-to-know, which is expressed as the compartment or category attached to the document rather than as a classification level, so the reference monitor denies access to the document on North Korea that the user wanted to read.
             Within the DoD security system the reference monitor uses the Bell-LaPadula model.  The Bell-LaPadula model is a formalization of the multi-level security model used to restrict information flow in environments where users at multiple levels interact.  In the DoD these security levels are Unclassified, Confidential, Secret, and Top Secret.  A user is cleared to a level, and that level is called the user's security clearance.  An object is classified at a level, and that level is called the object's security classification.  The goal is to prevent information from leaking, or flowing downward: a subject may read only objects at or below its clearance, and write only to objects at or above it.  (Bosworth, 2014)
             With such a diverse group of persons being allowed access to the facility I would use the Bell-LaPadula model for my reference monitor.  Many artistic, creative types may find this model overly cumbersome and may even feel stymied by its restrictiveness.  However, any military personnel or civilians who have worked in a military capacity will understand the need to create a more restrictive environment.
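The two decisions described in the paragraphs above (a Confidential account denied a read of a Secret document and a write to an Unclassified one, and a TS/SCI analyst on the Afghanistan team denied a North Korea document for lack of need-to-know) fall out of one small lattice check. The following is an added example, not code from the original page, the DoD, or any product: a reference monitor that mediates every read and write against Bell-LaPadula's simple security property (no read up) and *-property (no write down), with labels made of a level plus a set of need-to-know compartments. The subject names, file names, and compartment names are constructed for the example; the level ordering and the dominance rule are the standard multi-level security definitions.

```python
"""Reference monitor enforcing the Bell-LaPadula model with need-to-know compartments.

Added example, not code from the original page, the DoD, or any product.
The subjects, objects and compartment names are constructed; the Label
lattice (level plus a set of compartments) is standard multi-level security.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()  # need-to-know categories

    def dominates(self, other: "Label") -> bool:
        """self >= other: at least as high a level AND every compartment of other."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


# The "security kernel database": clearances of subjects, classifications of objects.
SUBJECTS: Dict[str, Label] = {
    "analyst_afg": Label("TOP SECRET", frozenset({"SCI", "AFGHANISTAN"})),
    "clerk_conf": Label("CONFIDENTIAL"),
}
OBJECTS: Dict[str, Label] = {
    "nk_assessment.pdf": Label("TOP SECRET", frozenset({"SCI", "NORTH KOREA"})),
    "afg_report.pdf": Label("TOP SECRET", frozenset({"SCI", "AFGHANISTAN"})),
    "secret_memo.txt": Label("SECRET"),
    "public_notice.txt": Label("UNCLASSIFIED"),
}


def check_access(subject: str, obj: str, mode: str) -> Tuple[bool, str]:
    """Mediate one access request; return (allowed, reason)."""
    s, o = SUBJECTS[subject], OBJECTS[obj]
    if mode == "read":
        # Simple security property: no read up. The subject's clearance must
        # dominate the object's classification, compartments included.
        if s.dominates(o):
            return True, "read permitted"
        return False, "no read up: clearance does not dominate classification"
    if mode == "write":
        # *-property: no write down. The object's label must dominate the
        # subject's, so a high subject cannot leak into a low object.
        if o.dominates(s):
            return True, "write permitted"
        return False, "no write down: object is below subject"
    # Anything the monitor does not understand is denied, never allowed by default.
    return False, f"unknown access mode {mode!r}"


if __name__ == "__main__":
    for subject, obj, mode in [
        ("analyst_afg", "nk_assessment.pdf", "read"),  # TS/SCI, but wrong compartment
        ("analyst_afg", "afg_report.pdf", "read"),
        ("clerk_conf", "secret_memo.txt", "read"),     # read up
        ("clerk_conf", "public_notice.txt", "write"),  # write down
        ("clerk_conf", "secret_memo.txt", "write"),    # write up is allowed by BLP
    ]:
        print(subject, mode, obj, "->", check_access(subject, obj, mode))
```

Two things the example makes visible that the prose does not: the North Korea denial comes from the compartment half of the dominance test, not from the level (both labels are Top Secret), and Bell-LaPadula permits a Confidential user to write into a Secret file, since that flow is upward. The second point is why real systems layer an integrity model or discretionary controls on top of BLP; confidentiality alone says nothing about a low user corrupting a high document.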
             Once the network is up, the next step is to make sure that it is protected.  Implementing a strong firewall along with an intrusion detection system and/or intrusion prevention system can mean the difference between having a secure network and going out of business because someone has stolen all of your research.  The tool that I have selected is Cisco Next-Generation Intrusion Prevention System (NGIPS).  The Cisco NGIPS gives the customer several appliance options.  For a major online office supplies corporation I would select the Firepower 9000 series.  This appliance gives the company the capability to conduct threat inspection at up to 90 Gbps.  It also includes Application Visibility and Control (AVC), with Advanced Malware Protection (AMP) and URL filtering options, and fail-to-wire interfaces.  The Firepower 9000 also offers firewall and DDoS mitigation functions.  The main reason that I chose Cisco is its reputation.  Cisco is used throughout the US government, including the DoD.  Cisco is able to provide a large corporation with real-time contextual awareness, advanced threat protection, global threat intelligence, and intelligent security automation. (CISCO, 2017)
             Possible threats posed by the launching of the new facility include physical threats to personnel and IT systems, cyber-attacks, and the insider threat.  As I have already discussed mitigating risks to possible physical threats to personnel and IT systems, I will be focusing on the cyber threat and insider threat.  There are many types of cyber threats that can damage the information security system.  Even with a robust firewall and IDS/IPS in place the system is still at risk.
             A few of the cyber-attacks that I am concerned with include compromising emanations, cyber brute force, data disclosure attacks, denial of service attacks, and distributed denial of service attacks.  Compromising emanations are the unintentional electromagnetic, acoustic, or power-line signals given off by equipment that, if intercepted and analyzed, disclose the information being processed; exploiting them is in essence eavesdropping without ever touching the network.  Such eavesdropping can be directed against large-scale electronic facilities even when they do not process classified National Security Information.  The goal of an adversary collecting compromising emanations is to obtain classified and proprietary information that could be used to damage the company's reputation.  Another concern is for the information to be stolen and used or sold to the highest bidder.
             A cyber brute force attack is when an unauthorized user gains access to information systems by random or systematic guessing of passwords, possibly supported by password-cracking utilities.  One way to mitigate the risk of a brute force attack is a policy requiring strong passwords that are 12 to 16 characters in length and use capital letters, numbers, and special characters.  Making users memorize their passwords instead of writing them down also contributes to a safer computing environment. (Bosworth, 2014)  Length does more against guessing than composition rules do, and guessing can be made impractical regardless of password strength: the CAC login described above replaces password-only authentication on user stations with a certificate and PIN, and for any accounts that still rely on passwords, locking the account or throttling attempts after a small number of consecutive failures caps how many guesses an attacker gets.
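The lockout just described is simple to state but has one detail worth seeing in code: once the threshold is reached, even a correct password must be rejected for the duration of the lock, because the correct guess is exactly what the attacker was about to land. The following is an added example, not code from the original page or any product: it replays a constructed authentication log, keeps a sliding window of recent failures per account, locks the account when the window fills, and records every attempt rejected during the lock. The log format, addresses, user names, and the five-failures-in-ten-minutes threshold are assumptions; a site would tune the threshold to its own policy.

```python
"""Brute-force detection with account lockout over an authentication log.

Added example, not code from the original page or any product. The log
lines, addresses and user names are constructed; the thresholds are
assumptions a site would tune to its own policy.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed auth log: timestamp, source address, account, outcome.
AUTH_LOG = """\
2024-03-04T09:00:01 203.0.113.7 jdoe FAIL
2024-03-04T09:00:03 203.0.113.7 jdoe FAIL
2024-03-04T09:00:04 203.0.113.7 jdoe FAIL
2024-03-04T09:00:06 203.0.113.7 jdoe FAIL
2024-03-04T09:00:08 203.0.113.7 jdoe FAIL
2024-03-04T09:00:09 203.0.113.7 jdoe OK
2024-03-04T09:30:00 198.51.100.5 asmith FAIL
2024-03-04T10:45:00 198.51.100.5 asmith FAIL
2024-03-04T10:45:30 198.51.100.5 asmith OK
"""

MAX_FAILURES = 5                # assumed policy: lock after 5 failures ...
WINDOW = timedelta(minutes=10)  # ... within 10 minutes; the lock lasts as long

Event = Tuple[str, str, str]  # (timestamp, account, detail)


def detect(log: str, max_failures: int = MAX_FAILURES,
           window: timedelta = WINDOW) -> Tuple[List[Event], List[Event]]:
    """Return (lockouts, blocked_attempts) from replaying the log in order.

    A sliding window of recent failures is kept per account. Reaching the
    threshold locks the account for `window`; every attempt during the lock
    is rejected, including one with the right password.
    """
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    locked_until: Dict[str, datetime] = {}
    lockouts: List[Event] = []
    blocked: List[Event] = []

    for line in log.splitlines():
        if not line.strip():
            continue
        ts_s, src, user, outcome = line.split()
        ts = datetime.fromisoformat(ts_s)

        if user in locked_until and ts < locked_until[user]:
            # Locked: reject regardless of outcome so a lucky guess does not land.
            blocked.append((ts_s, user, f"{outcome} from {src} during lockout"))
            continue

        if outcome == "FAIL":
            recent = failures[user]
            recent.append(ts)
            while recent and ts - recent[0] > window:  # drop failures outside the window
                recent.popleft()
            if len(recent) >= max_failures:
                locked_until[user] = ts + window
                lockouts.append((ts_s, user, f"{len(recent)} failures from {src}"))
                recent.clear()
        else:
            failures[user].clear()  # a genuine login resets the counter

    return lockouts, blocked


if __name__ == "__main__":
    lockouts, blocked = detect(AUTH_LOG)
    for ev in lockouts:
        print("LOCKOUT", *ev)
    for ev in blocked:
        print("BLOCKED", *ev)
```

On the constructed log, jdoe is locked at the fifth failure and the "OK" one second later is rejected, while asmith's two failures are 75 minutes apart and never fill the ten-minute window. The per-account window also means an attacker spraying one password across many accounts never trips it; that case needs a second counter keyed on the source address, which is a straightforward extension of the same loop.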
             A data disclosure attack is when an attacker uses techniques that result in the disclosure of sensitive information by exploiting weaknesses in the design or configuration of a system.  Having a well-designed information security system is the best way to mitigate this risk.  The attackers in a data disclosure attack are interested in finding sensitive information such as personally identifiable information (PII) and protected health information (PHI), proprietary information, or potentially embarrassing information in the form of memos or e-mails that can be disclosed to the public.  When such information is disclosed to the public, the company's integrity and reputation are tarnished, sometimes beyond repair.  Such an attack also places the employees at risk of identity theft. (Bosworth, 2014)
             A denial of service attack is when an adversary uses techniques to attack a single target, rendering it unable to respond and denying service to the users of the targeted information systems.  These attacks are often very time-consuming and financially costly for the company.  Denial of availability may also come in the form of ransomware, where the user is denied access to systems or data until a ransom is paid, often in bitcoin.  Once the ransom is paid, a password, key, or instructions on how to unlock the system are supposed to follow, although payment does not guarantee recovery. (Bosworth, 2014)
             A distributed denial of service attack is when an adversary uses multiple compromised information systems to attack a single target and could cause denial of service for users of the targeted information systems.  This type of cyber-attack has become more common in recent years; because the traffic arrives from many sources at once, a firewall or IDS/IPS at the facility boundary cannot absorb it on its own, and upstream mitigation is needed.  This type of attack is also sometimes paired with an extortion demand, in which the attacker threatens to continue or resume the attack unless a ransom is paid.  Unfortunately, paying the ransom is often the course companies take to prevent not only the loss of information but also the loss of work hours by employees, even though paying rewards the attacker and does not prevent a repeat. (Bosworth, 2014)
             As I stated before, a strong firewall and IDS/IPS system will help mitigate such cyber-attacks.  However, sometimes preventing these cyber-attacks can be accomplished by implementing strong information security policies.  Policy refers to the rules and regulations set by the organization focusing on results and not the means of achieving results.  When applied to information security the goal is to protect information, often proprietary, against security breaches.  Policy sets in place the controls, standards, and procedures that employees will need to follow for safe computing, and ultimately, protecting information systems. (Bosworth, 2014)
             Information security policy needs to be expressed in definitive language and requires compliance by all employees, from the lowly data miner to the executives.  Policy will use controls which are measures and safeguards used to protect systems against specific threats.  Controls put in place include but are not limited to physical security of the building, employee security awareness, software development security, computer operations security, network and communication security, anti-malware measures, data destruction, incident response, and disaster recovery.  All of these controls focus on combating specific threats to information security from employee ignorance to security of the computers and the networks to security response in the case of a natural disaster. (Bosworth, 2014)
             Standards for information security are widely accepted specifications and specific technical choices for implementing policies.  In the DoD, standards for information security can be exhausting to read.  The DoD has published many documents on information security reporting and compliance mandates, including the Security Requirements Guides (SRGs), the Security Technical Implementation Guides (STIGs), Command Cyber Readiness Inspections (CCRIs), and the Security Readiness Review, to name just a few.  Although these standards are in-depth and comprehensive, many are redundant and at times contradictory.  The overabundance of standards can also get in the way of the actual work that needs to be done to ensure information security; employees end up spending their work time conducting reviews and "training" instead of doing the job they were hired to do. (Bosworth, 2014)
             Companies will put in place procedures for information security that must be followed by employees to prevent spillage of proprietary information.  These procedures may include the use of Common Access Cards (CAC) to access computer terminals, ID badges that must be worn and in view at all times in special access areas, and restrictions on what employees may and may not view on company computers.  An example of this type of procedure in use today is government employees being required to insert their CAC into the computer terminal and type in their PIN in order to log on to the computer system.  When a government employee leaves the computer for any length of time they must remove the CAC, which locks the computer and prevents anyone from viewing the information on it or even logging on.
             Perhaps one of the most important information security policies that must be implemented and executed is mandatory information assurance training for all employees.  The training will cover what information may and may not be discussed outside of the facility, the wearing and use of IDs and badges, how and when to log in to and out of a user station, what media devices may be used on the user stations, and what information is and is not allowed to be viewed on the user stations.  By educating employees on the policies that are in place to help mitigate the risk of nefarious activities, the company can significantly lower its risk of malicious attacks against the company and its employees.  If employees choose not to follow these policies, they must also be made aware of the repercussions.  Employees must be made aware that if they knowingly disregard these policies they will be terminated from the company.  Minor offenses, such as failing to remove their CAC from the user station when they leave their work area, should result in a discussion and perhaps mandatory retraining.  If the behavior persists they also risk being terminated from the company.  Employees can also be rewarded with bonuses and recognition in front of their peers for having the fewest security incidents.
             One other relevant consideration is whether or not this new facility will be handling classified information.  Extra care will need to be taken to ensure the security of such a facility.  A minimum of three layers of access control must be passed before an individual may even enter the restricted area.  The entry/exit point for the facility will need to be guarded by armed security at all times.  Once inside the main facility, a separate restricted area will need to be built.  An outer door requiring a touch badge along with a PIN will be required to gain access.  This door will allow the person into the entryway of the restricted area.  At this location will be wall lockers where all electronic devices and all media recording devices must be stored.  The employee will then need to once again use a touch badge and PIN to pass the inner doorway.  This will allow authorized personnel into the hallway of the restricted area of the facility.  The person will once again need to use a touch badge to unlock the door of the office in which they work.  Each of these badge readers logs specifically where the person is going, to make sure that they are only entering areas and rooms where they are permitted.  If the person needs to leave the restricted area they must use the touch badge to unlock each door on the way out, so that exits are logged as well.  CACs along with passwords and PINs will be required to access the UNCLASSIFIED, SECRET, and TOP SECRET networks.  Once logged into the user station on any one of the networks, the user must have their PKI certificates verified by each of the programs they wish to access before being able to view the material.  The user will also be required to lock the user station whenever they are not at their desk.  Many more security procedures will need to be in place, including the wearing of a photo ID badge and verification of proper security clearances by the facility manager upon first entry.
If foreign personnel are to be in the building further precautions must be taken by the company to make sure that information does not leak, and unauthorized personnel are not piggybacking or shoulder surfing into the facility.
             Mitigating risk to an information system must be a high priority not only for the company but for each employee.  Ensuring that comprehensive policies are in place and that employees are properly informed and trained on information security policies and procedures must be a high priority.  Creating an efficient and secure network that is robust and protected from the hardware up to the operating system needs to be accomplished before the first employee sits at their workstation.  Investing in a strong firewall and IDS/IPS systems will help safeguard against cyber-attacks and save the company money in the long term.  Physical security systems must also be in place to protect not only the company but its employees.  Information security systems cannot be protected by one individual or one program.  It is the responsibility of every employee, from the executive to the data miner.
Intrusion Detection System:
One of your most important tools in information security is an Intrusion Detection System (IDS). Many modern systems can go beyond simply recognizing an attack or breach to automatically responding and preventing successful proliferation of the attack. There are several intrusion detection systems on the market. Some are free, and some are commercial products. For the first part of this discussion, you have been tasked with selecting and deploying an intrusion detection system for a major corporation that sells office supplies online. Next, you would like to protect your home network. Select a tool for both of these contexts and provide a rationale for your selection. Respond to at least two of your classmates that selected tools different from your own. What did you learn through reading their rationales? Do you agree with their selections? Why or why not?

The tool that I have selected for the major corporation that sells office supplies online is Cisco Next-Generation Intrusion Prevention System (NGIPS).  The Cisco NGIPS gives the consumer several appliance options.  For a major online office supplies corporation I would select the Firepower 9000 series.  This appliance gives the company the capability to conduct threat inspections up to 90 Gbps.  It also includes AVC, with AMP and URL options, and Fail-to-wire interface.  The main reason that I chose Cisco is because of the reputation.  Cisco is used throughout the US government including the DoD.  Cisco is able to provide a large corporation with real-time contextual awareness, advanced threat protection, global threat intelligence, and intelligent security automation.
 
The tool that I have selected to protect my home network is Snort.  I chose Snort for two reasons: one, it is cost effective, meaning it is free to download.  For a grad student on a tight budget, free is music to my ears.  The second reason that I chose Snort is that it is also a Cisco product: Cisco acquired Snort's developer, Sourcefire, in 2013, and Snort is now maintained by Cisco Talos.
 
One of the major considerations that a cyber security professional must take into account is whether the company creating the IDS tool is an American company.  Not only do I want to support an American company and American workers, but the more important reason is that an American company will have a more trusted product than one from, say, China or Russia.  We are in an era of cyber security in which state actors are on the rise.  These state actors include North Korea, Iran, China, and Russia.  As a cyber security professional I must always question the integrity of cyber security products that are being produced in any country that is trying to harm the US.  Therefore, I would never fully trust any cyber security products that are created outside of the US.  Cisco is a reputable American company whose products are used and trusted by the federal government, academic institutions, and major corporations.