Network Security Overview
Secure computing and communications using a Layered Defense Strategy

An IT Engineering Resource

Version 1.2

D. E. Jennings

April 2012
CONTENTS:

1. INTRODUCTION ........................................ 3
2. HOW WE GOT TO THIS POINT ............................ 3
3. PROTECTING THE COMPANY FROM CYBER CRIME ............. 4
4. SECURITY PLANS AND POLICIES ......................... 5
5. SECURITY OPERATIONS ................................. 6
6. RISK MANAGEMENT ..................................... 9
7. CATEGORIES OF RISK ................................. 10
8. PERSONNEL SECURITY ................................. 15
9. BUILDING SECURITY .................................. 16
10. ACCESS CONTROL .................................... 17
11. TELECOMMUNICATIONS ................................ 20
12. NETWORK SECURITY .................................. 21
13. ARCHITECTURE ...................................... 25
14. INTRUSION DETECTION SYSTEM (IDS) .................. 27
15. ELECTRONIC MAIL SECURITY .......................... 29
16. DISASTER RECOVERY ................................. 31

APPENDIX I    Security Policy ......................... 35
APPENDIX II   Vulnerability Assessment ................ 37
APPENDIX III  Roles Matrix & Organization Chart ....... 38
APPENDIX IV   Typical Network Design .................. 39




© Copyright: April 2012, D. E. Jennings                                                                                                    Page   2 of 41
1. Introduction:

This document presents a discussion of the concepts, plans and processes used to protect the assets and
maintain business continuity for a typical small to medium sized company. Although most of the
measures discussed here are also applicable to large and extremely large companies, those
organizations usually have international locations and require additional measures not discussed
in this document.

The approach taken here differs from the traditional approach, and to understand why it is useful
to look very briefly at the history of corporate security. Before computer networks, security was
a physical lockdown kind of thing. It was handled by the same people who managed the other
physical requirements of the company. Because the primary threat has changed, we believe that
security should now be managed by the Information Technology Security department. In many
companies today there are two departments: Physical Security, where security guards man the
doors, and IT Security, where computer technicians keep the network safe. When
responsibility is split there is room for a gap: with two departments managing different
access lists and different access procedures, there is the possibility of too much or too little
security. Most companies suffer from this problem. The approach suggested in this paper
is to administer a unified policy for all security under one department, i.e. the IT Security
department, which would therefore include physical security in its mandate. At the center of
security is an automated Identity Management System.

2. How we got to this point:

When corporate computer networks came into existence, security did not seem to be an issue.
They were very big and very expensive, run only by large institutions or the largest corporations.
In the 1980s, using a “dumb terminal” over dial-up phone lines from home, an employee could
access the corporate computing center across the country. It was possible to input data that would
be run as a “batch” file overnight and printed at the office in the morning, with no passwords
involved. The probability of anyone getting in and doing damage was extremely small, and they
really couldn’t do any damage. Computers were managed by a small group of very highly trained
professionals, and what they were doing was not known to the general public.

Then Atari and others invented computer game machines. Around that time the personal
computer was invented, and then came dial-up bulletin boards. Security was not built into
programs and hacking them was easy. Lots of cracked[1] commercial software (mostly games)
appeared on bulletin boards. This went on for many years, with cracked software and
games passing from one dial-up bulletin board to another. The international community “got it”
and computer users all over the world paid literally “$0.0” for quality software and games (and
continue to do so). Then the “internet” arrived. The number of “hackers” multiplied, and the
amount of commercial product (software, games, audio files, video, etc.) being “cracked” is still
increasing. Hacking into high profile institutions was and is considered a “badge” of honor and
garners great admiration from fellow hackers. The monetary gain incentive is at least as enticing
as the “just see if you can do it” incentive.[2] A report from the anti-virus company Norton said
most of us are not secure, and the cost of all this in the US alone is over $139 billion a
year.[3]

In spite of this background, companies have embraced the use of the internet to
conduct business in a big way. The same highway, known well and used by hackers to infiltrate,
is used by companies to conduct billions of dollars worth of business daily. Although the
benefits outweigh the risks, the risks are still there and must be … mitigated. Although the
threats from outside are enormous, the fact of life is that the greatest threat to small businesses
is from their own employees.[4]

3. Protecting the company from Cyber Crime:

As the preceding section shows, the type and severity of cyber crime are still evolving. Protecting the
company is always a challenge, and IT security departments must keep pace with the changing
threats.

The size of the company, the location and nature of the facilities, the number of locations and the
Information Technology (IT) requirements of each affect the level and type of security required.
For example, a company that utilizes a mobile sales force will need encrypted laptops and robust,
secure communications channels to enable sales teams to keep in touch with the office. Also, a
company with two geographically separated locations can use each location as a data backup
facility for the other, for disaster recovery.

In a centralized security policy and access control model, all company locations
are governed by the same security policy. A decentralized model allows each domain (or
location) to control its own security. This may be advisable when there is a wide difference in
requirements from one location or domain to another; for example, one location must meet Top
Secret security requirements and others may not. For most small to medium companies a
centralized policy is more efficient to administer and maintain.

This document is not the Security Policy, the Operational Security Plan, or the Business
Continuity Plan, but an overview of what goes into these and other documents.

4. Security Plans and Policies:

1. This document: A description of Security Plans and Operations.

2. Security Policy: Senior management’s directives to create an information security program to
protect the corporation’s assets, establish security related goals and security measures, and
set targets and assign responsibilities.[5] The Security Policy contains sections on Purpose, Scope,
Responsibilities and Compliance. It is a high-level statement of management’s intentions about
how security should be practiced within the organization. It identifies what actions are
acceptable and what level of risk the company is willing to accept. It is reviewed by the Security
department and Corporate Management for updating every year and approved by Corporate
Management.

3. Operational Security Plan:[6] This document is the detailed plan that contains instructions for
putting the policy into action. It is basically a “manual” on how to get it done. It contains a
breakdown of each security measure implemented. Audience: Program Management, IT
Management, Program Operations Staff, IT Staff, Auditors. The Operational Security Plan is developed
and revised by the Security department, reviewed by the Security department for updating every 6 months,
and approved by Corporate Management.

4. Business Continuity Plan (BCP): This is a plan to preserve business activities when faced
with disruptions or disasters. The plan includes the identification of real risks, risk assessment
and countermeasure implementation plans. Although many organizations use the phrases
Business Continuity Planning and Disaster Recovery Planning interchangeably, they are two
distinct disciplines. Though both plans are essential to the effective management of disasters and
other disruptive events, their goals are different. The goal of a BCP is to ensure that the
business will continue to operate before, throughout and after a disaster event is experienced.
The focus of a BCP is on the business as a whole, and on ensuring that the critical services that
the business provides or the critical functions that the business regularly performs can still be carried
out both in the wake of a disruption and after it. In order to ensure that the
critical business functions are still operable, the plan takes into account the common threats to
those critical functions as well as any associated vulnerabilities that might make a disruption
more likely.

5. Disaster Recovery Plan (DRP): Disaster Recovery Planning is considered tactical rather than strategic and provides a
means for immediate response to disasters. The DRP can be, but need not be, part of the
BCP. The DRP is developed by the Security department, reviewed yearly with representatives
of each department and approved by Corporate Management. The DRP is exercised once a year:
a simulated disaster is staged and the response team must respond according to the plan, enabling
continuity of operations. For example, the plan to locate two manufacturing facilities in
different geographic areas in case one is disabled by a disaster is BCP, and the plan to allow
workers to “work from home” via a secure Virtual Private Network (VPN) using virtual facilities
on secure databases is DRP. The DRP should be exercised at least yearly. The exercise (a
simulated disaster event) is planned for a weekend or a time when normal business is low, i.e. over
Christmas, Super Bowl weekend, etc. For the exercise the normal facilities are disabled and the
“backup” plan to operate, possibly on a limited basis, goes into effect.

5. Security Operations:

The role of Security Operations is to:

1) Protect the assets, both physical and information, of the organization.

2) Protect the employees from harm both inside the building and on the premises.

3) Enable company operations after a loss of functionality.

4) Accomplish this in a cost effective way that does not unduly hinder operations.

These goals are accomplished through the implementation of a “Defense in Depth” layered plan of
physical, administrative, managerial, technical and operational controls.[7] The methods of
layering defensive technologies included in Defense in Depth (DiD) are physical, logical and
virtual security solutions. The information assets are secured to reduce the risk of loss of
confidentiality, integrity or availability.




Confidentiality provides a degree of assurance that data has not been made available or disclosed
to unauthorized individuals, processes, or other entities. In essence, it assures that data can only
be read or understood between trusted parties. Confidentiality can be breached or bypassed by
someone shoulder surfing, sniffing or network monitoring, stealing passwords, or social
engineering (an attacker posing as a trusted individual). In the network, confidentiality is
accomplished through encryption.

Threats to confidentiality include:

- Hackers/crackers
- Masqueraders/spoofing
- Unauthorized user activity
- Unprotected downloaded files
- Network sniffing
- Trojan horses
- Social engineering



Integrity includes the issue of protecting against unauthorized modification or destruction of
information. It includes the assurance that data leaving point A and arriving at point B arrives
without modification and assures that point A and point B are who they claim to be.

The three basic principles used to establish integrity in the enterprise:

- Need-to-Know Access - Users should be granted access only to those files and programs
  they absolutely need to fulfill their duties. (Role based security)

- Separation of Duties - No single person has control of a critical transaction from
  beginning to end. Two or more people should be responsible for an entire critical
  transaction.

- Rotation of Duties - Job responsibilities should be periodically changed so that users will
  find it more difficult to collaborate to exercise complete control of a transaction or subvert
  one for fraudulent purposes. This also has many other beneficial effects, including
  redundancy and continuity of operations in the event of loss of key personnel.

Availability is the attribute that ensures reliable and timely access to resources for authorized
individuals. This means the corporation expects that:

- The IT resource or network performs or functions properly.
- The IT resource or network is available / accessible.
- The IT resource or network is available when it is needed.

Availability can be compromised by Denial-of-Service (DoS) attacks. These are actions by users
or attackers that tie up computing resources in such a way that renders the system unusable.

Availability is lost when natural disasters (fire, flood, earthquake) or human action (bombs,
strikes, malicious code) create loss of IT or Network capabilities.

Availability is also lost due to normal equipment failure. The IT security department works with
the IT Architect to ensure a high availability design of the network. In some cases IT
Architecture is within the Security department, as security and availability are paramount in the
network design.

The security department utilizes the Protect, Detect and React paradigm. In order to accomplish
this, the department incorporates protection mechanisms and utilizes detection tools,
procedures and logs that allow the discovery of, and the ability to react to and recover from, attacks or
disasters. The security department's focus is on People, Technology and Operations.

The company Security Policy (see overview - Appendix I) is the foundation of the security
operations of the company. The Security Policy, Operational Security Plan and Disaster
Recovery Plan are evaluated and updated if required on an annual basis. The updates are based on
data provided by the network information controls, re-evaluation of risks and stakeholder input
as to usability and effectiveness.

The Operational Security Plan includes the detailed processes for physical security, access control,
telecommunications and network security, and operations security.




6. Risk Management:

In order to determine what level of security an asset requires, we first identify and rank the assets
to be protected, and then determine what level of protection is required. This is accomplished by
a risk analysis, a risk assessment and a business impact analysis. These are completed by the
security team together with the business unit management that has custody of the asset, with oversight
by corporate management. Risk is a function of the likelihood of a given threat-source
exercising a particular potential vulnerability, and the resulting impact of that adverse event on
the organization. It is interesting that the Federal Government has revised its Risk Analysis
approach to more closely follow industry standards.[8]

A vulnerability assessment is the process of identifying, quantifying, and prioritizing (or ranking)
the vulnerabilities in a system.

A Risk Analysis involves identifying the most probable threats to an organization and analyzing
the related vulnerabilities of the organization to these threats.

A Risk Assessment involves evaluating existing physical and environmental security and
controls, and assessing their adequacy relative to the potential threats to the organization. See
the example table in Appendix II.

A Business Impact Analysis involves identifying the critical business functions within the
organization and determining the impact of not performing the business function beyond the
maximum acceptable outage. Types of criteria that can be used to evaluate the impact include:
customer service, internal operations, legal/statutory and financial.

The Risk Analysis is the first step in the risk management methodology:[9]

1. Identify and prioritize assets;
2. Identify vulnerabilities;
3. Identify threats and their probabilities;
4. Identify countermeasures;
5. Develop a cost benefit analysis;
6. Develop security policies and procedures.



A risk analysis is completed for each corporate asset using the formula Risk = Threat * Vulnerability.

Vulnerability assessment has many things in common with risk assessment. Assessments are
typically performed according to the following steps:

1. Cataloging assets and capabilities (resources) in a system.
2. Assigning quantifiable value (or at least rank order) and importance to those resources.
3. Identifying the vulnerabilities or potential threats to each resource.
4. Mitigating or eliminating the most serious vulnerabilities for the most valuable resources.

7. Categories of Risk:

1. Damage - Results in physical loss of an asset or the inability to access the asset, as in the
   case of a cut network cable.

2. Disclosure - Disclosing critical information, regardless of where or how it was disclosed.

3. Losses - Can be permanent or temporary, including the altering of data or the inability to
   access data.

4. Physical damage - Can result from natural disasters or other factors, as in the case of a
   power loss or vandalism.

5. Malfunctions - The failure of systems, networks or peripherals.

6. Attacks - Purposeful acts, whether from the inside or outside. Misuse of data, as in
   unauthorized disclosure, is an attack on that information asset.

7. Human errors - Usually considered accidental incidents, as compared to attacks, which are
   purposeful incidents.

8. Application errors - Failures of the application, including the operating system.
   Application errors are usually accidental errors, while exploits of buffer overflows or
   viruses are considered attacks.




A Risk Assessment chart is used to rank the effect of threats and vulnerabilities that are
determined to be risks. Cost benefit analysis is used to determine when a risk is worth
mitigating. An earthquake, although very unlikely, would have a catastrophic effect. Therefore
a plan for continuing operations in the event of an earthquake is advisable; however, the cost
of maintaining completely redundant facilities may not be warranted unless the business is located
in a heavy earthquake zone.



The tables in the following pages are intended to show examples of how the risk analysis and
mitigation are documented. There is no one “correct” table. The analysis should drill down to the
level of detail that you will be able to manage. The team that conducts and reviews the assets
and risks will include the department managers that have ownership of the assets. For personnel, we
suggest that a professional from the Human Resources (HR) department take the lead in the
personnel risk analysis by role.



The table below is an example of a Risk Assessment Chart for loss of personnel, in this
case the Chief Information Officer.

Risk: Loss of personnel: Chief Information Officer

  Consequence      Likelihood           Scenario
  Catastrophic     A. Very Likely       The market is in short supply; many recruiters are
                                        contacting our CIO with offers.
  Catastrophic     B. Somewhat Likely   (no entry)
  Catastrophic     C. Unlikely          Although the CIO is being recruited, he/she is content
                                        and does not seem to want to leave.
  Very Disruptive  (no entries)
  Inconvenient     (no entries)

  Mitigation: Two or more trained in this position within the company at all times to mitigate
  the risk of loss, since it is a critical position and difficult to replace. Retention policy
  (bonus, vacation, etc.).

Note: The difference between “Very Likely” and “Unlikely” above is that Corporate management is aware of
the first scenario and makes an effort to retain the CIO, making the likelihood of his/her leaving “unlikely”.
Nevertheless, in either case the result would be “catastrophic”, so planning for his/her leaving is done by
identifying a “backup” person and making sure that person is able to assume the duties by using the policy of
“rotation of duties”.[10] In this economy there is less likelihood of people changing jobs; however, key positions
should be looked at in terms of duplication of capability and personnel retention. This is not necessarily a
function of the security department; however, when risks such as these are identified they should be brought to
corporate management for inclusion in the overall company risk management process.
Example of a Risk Assessment Chart for less critical roles.

Risk: Loss of personnel: Assistant Staff

  Consequence      Likelihood           Scenario
  Catastrophic     (no entries)
  Very Disruptive  (no entries)
  Inconvenient     C. Unlikely          Personnel for this position are available in the
                                        marketplace.

  Mitigation: This position, although very useful and important to the company, is not
  considered a high risk. Except for normal role documentation and training materials,
  other mitigation is not necessary.

For less critical roles, turnover is always inconvenient and may be very disruptive even though the positions are
quickly replaced. Therefore each role / position is looked at in detail and effort is made to ensure continuity of
operations and minimize the effects of loss of personnel.
         Risk Assessment Chart for Information Technology / Computing and Network hardware.
                                                Hardware failure (general)
   Likelihood:              Very Likely      Somewhat         Unlikely      Mitigation
                                                Likely
 Consequence:              (1) (2) (3) (1) (2) (3) (1) (2) (3)
    Router - Core                                                            We can reduce the consequence to
                                                                             inconvenient by deploying redundant
                                             X                               routers or diverse paths. The failure rate is
                                                                             a function of the equipment design and
                                                                             environment.
       Router -                                                              As the router controls less critical branches
     Distribution                                                            of the network we might economize and
                                                  X
                                                                             only utilize diverse routing to ensure high
                                                                             availability.
     Switch (non                                                             Diverse paths may be able to move the
                                                  X
     redundant)                                                              consequence to “inconvenient”.
     Server (non                                                             Servers are usually deployed in redundant
     redundant)                                                              modes as the cost of servers had dropped
                                             X
                                                                             in relation to their critical use in the
                                                                             network.
 Consequence: 1) Catastrophic, 2) Very Disruptive, 3) Inconvenient
 Hardware fails. Depending on the age, vendor, maintenance, environment (heat / cold) etc. Constant temperature is
 usually preferred, as heating and cooling expand and contract metal and substrates that have different expansion
 coefficients and can separate and crack. The life of equipment is variable. Redundancy for key equipment is almost
 always cost effective. A much more detailed / extensive analysis should be completed for an actual risk analysis.
The consequence can be rated as: 1= Catastrophic, Major damage to the equipment and/or
facilities, interruption in operations for more than 48 hours, 2= Very Disruptive, interruption in
operations for up to 8 hours, 3= Inconvenient or little impact or interruption in operations.
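The chart, the Risk = Threat * Vulnerability scoring rule and the two mitigation moves described in this section (redundancy lowering the consequence, retention lowering the likelihood) worked through in Python as an added example; this is not code from the original document, and the numeric weights, the mitigation threshold and the sample register are assumptions constructed for the illustration.

```python
"""Risk Assessment Chart helper (added example, not from the original document).
Scores each asset on the 3x3 Likelihood x Consequence chart used in this
section (Risk = Threat * Vulnerability), ranks a register of assets and shows
how a mitigation moves an asset on the chart.  Weights, threshold and the
sample register are assumptions constructed for this illustration.
"""
from dataclasses import dataclass, replace
from typing import Callable, Dict, Iterable, List, Optional

# Likelihood columns of the chart (A..C), weighted 3..1 (assumed weights).
LIKELIHOOD = {"very likely": 3, "somewhat likely": 2, "unlikely": 1}

# Consequence rows as the text defines them:
#   1 = Catastrophic    - interruption of operations for more than 48 hours
#   2 = Very Disruptive - interruption of operations for up to 8 hours
#   3 = Inconvenient    - little or no impact on operations
# Weighted 3..1 so the worst cell (Very Likely, Catastrophic) scores 9.
CONSEQUENCE = {"catastrophic": 3, "very disruptive": 2, "inconvenient": 1}

# Assumed cost-benefit rule: a risk is worth mitigating when it scores above
# a (Somewhat Likely, Inconvenient) cell, i.e. above 2 on the 1..9 scale.
MITIGATE_ABOVE = 2


@dataclass(frozen=True)
class Risk:
    asset: str
    likelihood: str       # key of LIKELIHOOD
    consequence: str      # key of CONSEQUENCE
    mitigation: str = ""  # the chart's "Mitigation" column

    def __post_init__(self) -> None:
        if self.likelihood not in LIKELIHOOD:
            raise ValueError(f"unknown likelihood: {self.likelihood!r}")
        if self.consequence not in CONSEQUENCE:
            raise ValueError(f"unknown consequence: {self.consequence!r}")

    def score(self) -> int:
        """Risk = Threat * Vulnerability, read off the 3x3 chart (1..9)."""
        return LIKELIHOOD[self.likelihood] * CONSEQUENCE[self.consequence]

    def worth_mitigating(self) -> bool:
        return self.score() > MITIGATE_ABOVE


def rank(register: Iterable[Risk]) -> List[Risk]:
    """Highest-scoring risks first; ties keep register order (stable sort)."""
    return sorted(register, key=lambda r: r.score(), reverse=True)


def add_redundancy(r: Risk) -> Risk:
    """Redundant units / diverse paths: a failure is just as likely (it is
    'a function of the equipment design and environment'), but the outage
    becomes 'inconvenient'.  Only the consequence moves."""
    return replace(r, consequence="inconvenient",
                   mitigation="redundant units or diverse paths")


def retention_effort(r: Risk) -> Risk:
    """Personnel retention (bonus, vacation, ...): losing the person would
    still be catastrophic, but management awareness makes the departure
    'unlikely'.  Only the likelihood moves."""
    return replace(r, likelihood="unlikely", mitigation="retention policy")


def mitigate(register: Iterable[Risk],
             plan: Dict[str, Callable[[Risk], Risk]]) -> List[Risk]:
    """Apply the planned mitigation to each asset that is worth mitigating;
    assets below the threshold, or without a plan, are returned unchanged."""
    out: List[Risk] = []
    for r in register:
        action: Optional[Callable[[Risk], Risk]] = plan.get(r.asset)
        out.append(action(r) if action and r.worth_mitigating() else r)
    return out


# Constructed sample register; ratings are illustrative, not read from the charts.
REGISTER = [
    Risk("Chief Information Officer", "very likely", "catastrophic"),
    Risk("Router - Core", "somewhat likely", "catastrophic"),
    Risk("Router - Distribution", "somewhat likely", "very disruptive"),
    Risk("Server (non redundant)", "somewhat likely", "catastrophic"),
    Risk("Assistant Staff", "unlikely", "inconvenient",
         "role documentation and training materials"),
]

PLAN = {
    "Chief Information Officer": retention_effort,
    "Router - Core": add_redundancy,
    "Server (non redundant)": add_redundancy,
    "Assistant Staff": add_redundancy,  # never applied: scores 1, below threshold
}

if __name__ == "__main__":
    after = {r.asset: r for r in mitigate(REGISTER, PLAN)}
    for before in rank(REGISTER):
        a = after[before.asset]
        print(f"{before.asset:26} {before.score()} -> {a.score()}  {a.mitigation}")
```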

The table below lists common cyber attacks and mitigation strategies. This table is pretty much
at the top of the list for evaluation and re-evaluation by the IT Security department. This is what
they deal with on a day to day basis. New attacks are coming out daily. Operating system
patches are automatically reviewed daily and updates made as required. Software version
numbers are important and are tracked by date. All software used by the company must be
maintained and kept up to date with the latest release. There is a function in the IT Security
department devoted to this process.


Common Network Cyber Attacks
 Likelihood:                   Very Likely         Somewhat     Unlikely     Mitigation
                                                       Likely
 Consequence:                 (1)    (2)   (3)   (1) (2) (3) (1) (2) (3)
 Denial of service                                    X                        Malformed bits / false IP addresses can be
                                                                             mitigated by keeping the OS up to date and
                                                                             logging frequent connection attempts against
                                                                             one service.
 SYN Flood                                                 X                   An overload of packets that have the SYN
                                                                             flag set can be blocked by a firewall, by
                                                                             keeping the OS up to date and by reviewing
                                                                             log files.
 Malware                                                   X                   Up-to-date antivirus signatures are essential
                                                                             in combating viruses, Trojans, worms,
                                                                             spyware, etc. Also restrict access to
                                                                             non-essential web surfing, especially in
                                                                             critical branches of the network; segment
                                                                             the network's critical assets; and restrict
                                                                             administrator privileges on user computers
                                                                             to keep unauthorized software off machines
                                                                             and to prevent changes to security settings.
 Social Engineering                                   X                        Servers are usually deployed in redundant
                                                                             modes as the cost of servers has dropped in
                                                                             relation to their critical use in the network.
 Port Scanning                                 X                               A firewall will protect from port scanning
                                                                             with intention to infiltrate the network.
 ICMP abuse                                                X                   Packet filtering via a firewall will block
                                                                             abusive ICMP echo requests.
 Host Attack                                               X                   A proxy server will keep attackers from
                                                                             accessing IP addresses, hostnames and
                                                                             passwords which can be used to find other
                                                                             hosts to attack.
 Man in middle attack                                      X                   VPN (Virtual Private Network) encryption can
                                                                             keep an attacker from operating between
                                                                             computers, impersonating one to intercept
                                                                             communications.
 New Files on network                                      X                   Use system auditing software to control this
                                                                             as a behavioral monitor / block.
 Remote Procedure calls                                    X                   An Intrusion Detection System will defeat
                                                                             this threat, as will keeping OS patches up
                                                                             to date.

 Consequence: 1) Catastrophic, 2) Very Disruptive, 3) Inconvenient


The following table takes the credible threats from individual analysis charts in a summary form
on one chart. These charts are not meant to be exhaustive but rather illustrative of the process.

© Copyright: April 2012, D. E. Jennings                                                                Page   13 of 41

                       Example: Threat / Vulnerability and Mitigation Summary Table:

                              Vulnerability:               Threat:          Risk Assessment:         Mitigation:
                                                                            (Probability /
                                                                             Consequence)
Personnel               Employees may be            Mugging, theft,         Unlikely /               Cost benefit analysis
Injury while            vulnerable between the      panhandling or other    Catastrophic             makes lighting and
entering /leaving       time they leave their       personal attacks        most locations - risk    cameras feasible for
building                vehicles and when they      while alone walking     is “unlikely” /          this threat.
                        enter the building.         to car.                 consequence can be
                                                                            “catastrophic”
Personnel               Key operation may be        Loss of                 Likely / Catastrophic    Make sure each
Resignations            at risk                     functionality, leave                             role / duty has back
                                                                            Key employees are
                                                    company, Illness at     more likely to be        up. Capture and
                                                    critical time.                                   document key
                                                                            recruited by other
                                                                            companies.               information.
Personnel               Employees with access       Sabotage, theft,        Unlikely /               Critical assets
Disgruntled             to assets                   disruption of           Disruptive               identified and
inside                                              teamwork                Most lost assets –       protected: Locked /
                                                                            non critical, critical   RFID tags similar to
                                                                            assets must be           those used in retail.
                                                                            protected
Personnel               Former employee with        Sabotage, theft,        Unlikely /               Identity
Disgruntled             passwords enabled logs      disruption of           Disruptive               Management System
outside                 onto network via            teamwork                Although most            and Log File review.
                        borrowed laptop or dial                             assets can be lost
                        in access.                                          with only disruptive
                                                                            consequences,
                                                                            critical assets must
                                                                            be protected
Social                  Sensitive information is    PII theft can lead to         Unlikely /         Education and
Engineering             vulnerable. Inadvertent     identity theft.               Disruptive         periodic test /
                        release of                  Password release        This has to be           probing to keep
                        information… PII,           can lead to actual      evaluated                employees alert and
                        passwords, etc.             infiltration of the     periodically, in most    aware.
                                                    network                 cases this threat is
                                                                            unlikely
Hardware                Loss of Servers,            Functionality /               Unlikely /         Utilize Redundant
failure                 routers, etc. through       availability of the          Catastrophic        Equipment where
                        equip. failure cause heat   network                 This can be              feasible
                        lack of maintenance                                 determined on an
                                                                            equip by equip basis
Hardware theft          Located in unlocked         Sabotage or                   Unlikely /         Keep in locked
tamper                  room Accessible to          inadvertent damage           Catastrophic        secure environment
                        employees                   due to error            After the initial
                                                                            installation
                                                                            equipment is often
                                                                            ignored.
Software                Category A: necessary       Loss / tamper / out        Unlikely / Very       Backups must be
                        to company operations.      of date                       Disruptive         maintained. software
                                                                                                     versions up to date
                                                                                                     with patches,
                                                                                                     antivirus protection.
Software                Category B: used to         Loss / tamper / out          Unlikely /          Keep non-critical
                        support / promote           of date                      Disruptive          software up to date
                        business                                                                     with patches,
                                                                                                          antivirus protection.
Information             Key inventions –        Theft – duplication      Unlikely /    Knowledge is most
                        intellectual property   if in the hands of      Catastrophic   valuable.
                                                competitor
Information             Customer lists, PII     Illicit use if in the    Unlikely /
                                                hands of                Catastrophic
                                                competitor / thief




     8. Personnel Security:

Although not generally thought of as part of an IT Security Plan, personnel security is always part
of the overall security considerations, and when IT Security is responsible for security across the
entire company it becomes part of their responsibility. The main thrust here is to make sure
employees are safe. Vulnerabilities exist mostly while moving between the parking lot and the
building.

The other aspect of security involving personnel is the risk to the company when personnel end
their employment with the company (voluntarily or otherwise). Several security issues are
involved with employees who move on. These are mostly handled with the help of the automated
Identity Management System.

Security starting at the parking lot is designed to accomplish two things. First: physical security,
or safety of employees. The plan is designed to protect employees from the threat of personal
harm when they are between their cars and the building. This is accomplished by the use of 8 ft.
high fencing integrated into the landscaping and color coordinated to be less visible, intrusion
detection sensors, cameras and lighting. The parking lots will have cameras installed at locations
that enable viewing of activity anywhere in the lots. The entire area, building and parking lot,
will be fenced, and lighting and cameras will be deployed in strategic areas. The landscaping
itself will be designed to enhance security, leaving areas near the windows and building
entrances free of large shrubs so as to enable greater visibility.

Physical security is closely connected with Identity Management and starts with vehicle
identification. The parking lots will be for employee use only. There will be a separate lot for
visitors and clients. The employee lots will have Radio-Frequency Identification (RFID)
transceivers installed and each employee will be issued tags (also called transponders) that will
enable identification of their vehicles as they enter the lots.11 There is one entrance at each
location, and the receptionist in the building, who also functions as a security officer, will have
the picture and name of the employee (captured by the RFID system) on screen before they
enter the front entrance. If the receptionist sees a different person enter, he/she will deal with
that in a different way. Visitors may not be in the system until they have visited the first time
and been identified and put in the database. First-time visitors are treated slightly differently
from second-time visitors and employees. In each case the goal is to have flawless security, and
we want the person to feel good about the security measures and tolerate, if not enjoy, their
participation in the process. We also do not want to delay a legitimate entry. Trained and
motivated security personnel are essential to this process. One option is to institute a Rotation
of Duties between the security point person and all other roles in the company, which will
enable all employees to appreciate the role of security. Front desk security would be a duty
everyone would be able to enjoy. This would increase security awareness and allow everyone in
the company eventually to meet everyone else.

     9. Building Security:

Windows and doors to the outside will be alarmed to a central alarm system. During business
hours there will be one entrance for employees to enter the building. At that location they will
use their RFID badge to open a door. Once inside there is a lobby where they will be allowed
into the building after showing their ID badge to the receptionist. This process is two factor
security, RFID badge and personal recognition by a human.

After hours the building will be locked and secured by 24-hour security monitoring. The security
monitoring will include the grounds, the parking lot and cameras at strategic locations within and
outside the building. The cameras will be on a 24/7 recording schedule and archived on a
regular schedule. Those who require after-hours work must have prior approval and will be
admitted by the security guard on duty.

Sensitive rooms within each building will be secured from general employee access. Each
employee's RFID badge will give them access to specific areas divided by department. The
Human Resources department will have a lobby area with soundproof rooms where employee
interviews will be conducted. Likewise, the finance department will have an area where
non-finance employees can be admitted without having to enter the “Finance” area itself, which
is restricted to finance employees only. Conference rooms, cafeteria, restrooms, etc., will be
open to the general employee population.

     10. Access Control:

Access control is enabled by an efficient Identity Management system.12 Identity Management is
the management of user credentials and the means by which users log on to corporate network
resources. With the emergence of phishing attacks good identity management became essential
in maintaining the CIA triad. Phishing exploits the difficulty of properly identifying and
authenticating identities. The evolution of identity management follows the progression of
Internet technology closely.

Typical identity management functionality includes the following:

          1. User information self-service

          2. Password resetting

          3. Management of lost passwords

          4. Workflow

          5. Provisioning and de-provisioning of identities from resources

Identity management also addresses the age-old 'N+1' problem — where every new application
may entail the setting up of new data stores of users. The ability to centrally manage the
provisioning and de-provisioning of identities, and consolidate the proliferation of identity
stores, all form part of the identity management process.

Identity management starts with the risk assessment to determine the need for particular controls
to properly protect information, applications, and infrastructure as required. These controls set
the lifecycle security objectives for creating and maintaining an identity, verifying and
authenticating an identity, granting permissions and authorities, monitoring and accountability,
and auditing and appraisal of the identity management processes.



The identity management system defines the control objectives required to enforce the security
policy:

          1.    Identification: The process that creates an entity and verifies the credentials of the
                individual, which together form a unique identity for authentication and authorization
                purposes.

          2.    Authentication: Verifies credentials to support an interaction, transaction, message, or
                transmission.

          3.    Authorization: Grants permissions by verifying the authenticity of an individual’s
                identity and permissions to access specific categories of information or to carry out
                defined role-based tasks.

          4.    Accountability: The process that records the linkage between an action and the
                identity of the individual or role who has invoked the action, thus providing an
                evidence trail for audit or non-repudiation purposes.

          5.    Audit: The process that examines data records, actions taken, changes made, and
                identities/roles invoking actions, which together provide a reconstruction of events for
                evidential purposes.

The control objectives above serve the requirement to provide an auditable chain of evidence.

Using the Identity Management system, each employee is given access to physical locations,
network locations, information databases, etc. based on their role and classification. Each role
and title will imply certain tasks and levels of authorization to perform particular tasks. An
example of a Role table is in Appendix III. Access to the required resources will be based on
those roles. The identity management system enables efficient deployment of employees and
removal of employees when they are no longer required to have the access or they leave the
company.
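The five control objectives and the provisioning / de-provisioning lifecycle, worked through as an added example (not the document's own code). The role-to-permission table is a hypothetical stand-in for the Role table in Appendix III; user names and passphrases are constructed.

```python
"""Minimal identity-management lifecycle: identification, authentication, authorization,
accountability and audit, plus provisioning and de-provisioning of an identity."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

PBKDF2_ROUNDS = 100_000

# Hypothetical role -> permission table ("resource:action"), assumed for this example.
ROLE_PERMISSIONS = {
    "finance": {"finance_db:read", "finance_db:write", "finance_area:enter"},
    "hr": {"hr_db:read", "hr_interview_room:enter"},
    "employee": {"intranet:read", "cafeteria:enter"},
}


@dataclass
class Identity:
    user_id: str
    roles: set
    salt: bytes
    pw_hash: bytes
    active: bool = True


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class IdentityManager:
    def __init__(self):
        self.identities = {}
        # Accountability trail: (timestamp, actor, action, target, outcome).
        self.audit_log = []

    def _record(self, actor, action, target, outcome):
        self.audit_log.append((time.time(), actor, action, target, outcome))

    # Provisioning / identification: create the identity together with its credential.
    def provision(self, admin, user_id, password, roles):
        salt = os.urandom(16)
        self.identities[user_id] = Identity(user_id, set(roles), salt,
                                            _hash_password(password, salt))
        self._record(admin, "provision", user_id, "ok")

    # De-provisioning: the record is kept (so the audit trail still resolves) but the
    # identity can no longer authenticate or be authorized.
    def deprovision(self, admin, user_id):
        ident = self.identities.get(user_id)
        if ident is not None:
            ident.active = False
        self._record(admin, "deprovision", user_id, "ok" if ident else "unknown-user")

    # Authentication: verify the presented credential with a constant-time comparison.
    def authenticate(self, user_id, password):
        ident = self.identities.get(user_id)
        ok = (ident is not None and ident.active
              and hmac.compare_digest(_hash_password(password, ident.salt), ident.pw_hash))
        self._record(user_id, "authenticate", "-", "ok" if ok else "denied")
        return ok

    # Authorization: a permission is granted only through the roles of an active identity.
    def authorize(self, user_id, permission):
        ident = self.identities.get(user_id)
        allowed = bool(ident and ident.active and
                       any(permission in ROLE_PERMISSIONS.get(r, ()) for r in ident.roles))
        self._record(user_id, "authorize", permission, "ok" if allowed else "denied")
        return allowed

    # Audit: reconstruct every event in which an identity acted or was acted upon.
    def audit(self, user_id):
        return [e for e in self.audit_log if user_id in (e[1], e[3])]


def lifecycle_demo():
    """Walk one identity through provision -> use -> de-provision; return the outcomes."""
    idm = IdentityManager()
    idm.provision("admin", "alice", "correct horse battery staple", ["finance", "employee"])
    idm.provision("admin", "bob", "another passphrase entirely", ["employee"])
    out = {
        "alice_auth_ok": idm.authenticate("alice", "correct horse battery staple"),
        "alice_auth_bad": idm.authenticate("alice", "wrong"),
        "alice_can_write_finance": idm.authorize("alice", "finance_db:write"),
        "bob_can_write_finance": idm.authorize("bob", "finance_db:write"),
        "bob_can_enter_cafeteria": idm.authorize("bob", "cafeteria:enter"),
    }
    idm.deprovision("admin", "alice")
    out["alice_auth_after_deprov"] = idm.authenticate("alice", "correct horse battery staple")
    out["alice_authz_after_deprov"] = idm.authorize("alice", "finance_area:enter")
    out["alice_audit_events"] = len(idm.audit("alice"))
    out["alice_denied_events"] = sum(1 for e in idm.audit("alice") if e[4] == "denied")
    return out
```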

Maintaining access control in the enterprise requires several components for each category of
access control. There are three main categories of access control:13

          Administrative:

     1.   Policies and procedures - A high-level plan that lays out management’s plan on how
          security should be practiced in the company. It defines what actions are not acceptable
          and what level of risk the company is willing to accept.

     2.   Personnel controls - Indicate how employees are expected to interact with corporate
          security, and how non-compliance will be enforced.

     3.   Supervisor structure - Defines the overall company hierarchy. Each employee has a
          supervisor they report to and that supervisor has a superior they report to. This chain of
          command dictates who is responsible for each employee’s actions.

     4.   Security awareness training - Users are usually the weakest link in the security chain.
          Proper training on security issues can instill proper access control usage on the network.

     5.   Testing - Test access controls on the network to determine their effectiveness (or
          ineffectiveness).

          Physical:

     1.   Network segregation - Defining segregation points can help enforce access controls on
          ingress or egress to the segment.

     2.   Perimeter security - Defines how the perimeter of the company will be enforced such as
          guards, security badges, fences, gates.

     3.   Computer controls - Defines the physical controls on computer systems such as locks on
          systems to deter theft of internal parts, removal of floppy to deter copying.

     4.   Work area separation - Separation of work areas based on type of use such as server
          room, wiring closets, experimental room.

     5.   Data backups - This physical control is used to ensure access to information in case of
          system failure or natural disaster.

     6.   Cabling - Protecting the cabling from electrical interference, crimping, and sniffing.

          Technical:

     1.   System access - Controls that determine how resources on a system are accessed such as
          MAC architecture, DAC architecture, username/password, RADIUS, TACACS+,
          Kerberos.

     2.   Network architecture - Defines logical network segmentation to control how different
          network segments communicate.

     3.   Network access - Defines access controls on routers, switches, network interface
          cards, and bridges. Access control lists, filters, AAA, and firewalls would be used here.

     4.   Encryption and protocols - A technical control that encrypts traffic as it courses through
          untrusted network segments. Protocols could include IPSec, L2TP, PPTP, SSH,
          SSL/TLS.

     5.   Control zone - A specific area in the enterprise that surrounds and protects network
          devices that emit electrical signals. Electrical signals emanate from all computer systems
          and travel a certain distance before being drowned out by interference from other
          electrical fields. Control zones are both a technical and physical control.

     6.   Auditing - Tracks activity as resources are being used in the enterprise.



     11. Telecommunications:

Along with access to the network from the company intranet, employees may gain remote access
via a remote log-on through a secure Virtual Private Network (VPN).

Virtual Private Networks (VPNs) are secure private connections created using a public network.
They are virtual in the sense that the public network is seen as a single hop between networks
allowing the two networks to be virtually connected. They are private in the sense that data sent
over the public network cannot be viewed by un-trusted personnel. Encryption techniques create
the privacy.

Four main VPN protocols are in use today:

Layer two Forwarding (L2F) is a protocol developed by Cisco that supports the creation of
secure virtual private dial-up networks (VPDNs) over the Internet.

Point to Point Tunneling Protocol (PPTP) is a network protocol developed by Microsoft that
enables the secure transfer of data from a remote client to a private enterprise server by creating
a VPN across TCP/IP-based data networks. PPTP supports on-demand, multiprotocol, virtual
private networking over public networks, such as the Internet.

Layer 2 Tunnel Protocol (L2TP) is an Internet Engineering Task Force (IETF) standard that
combines the best features of two existing tunneling protocols: Cisco's Layer 2 Forwarding
(L2F) and Microsoft's Point-to-Point Tunneling Protocol (PPTP).

IPSec - The Security Architecture for the Internet Protocol is designed to provide interoperable,
high quality, cryptographically based security for IPv4 and IPv6. The set of security services
offered includes access control, connectionless integrity, data origin authentication, detection and
rejection of replays, a form of partial sequence integrity, confidentiality through encryption, and
limited traffic flow confidentiality. The IP layer provides these services, offering protection in a
standard fashion for all protocols that may be carried over IP, including IP itself.

When the Identity Management System is used, the VPN access is seamlessly integrated with the
Identity Management System.

     12. Network Security:

Attackers are continuously attempting to gain access to corporate resources for profit or fun.
Once the security world obtains an understanding of the exploit used, the application, algorithm,
or protocol is updated to mitigate the threat. Attackers then try different avenues of attack, which
leads to an endless exploit/mitigation loop.

Examples of Network Attacks:

Smurf: This is an attack with three entities: the attacker, the victim, and the amplifying network.
The attacker spoofs, or changes the source Internet Protocol (IP) address in a packet header, to
make an Internet Control Message Protocol (ICMP) ECHO packet seem as though it originated
at the victim’s system. This ICMP ECHO message is broadcast to the amplifying network,
where all active nodes send replies to the source (the victim). The victim's system and network
become overwhelmed by the large amount of ECHO replies.

Fraggle: This is the same type of attack as the Smurf attack, except here the attacker broadcasts a
spoofed UDP packet to the amplifying network, which in turn replies to the victim’s system.

Denial of Service (DoS): This attack consumes the victim’s bandwidth or resources, causing the
system to crash or stop processing other packets. DoS attacks are carried out by attackers with an
intent to stop legitimate users from accessing certain resources. Their intent is malicious and not
designed to obtain information. DoS attacks are usually the most formidable of attacks to deal
with, as they usually involve very large amounts of traffic that may or may not look on the wire
like valid transmissions. Knowing how these attacks are sculpted and executed will allow network
administrators to better deter them on their networks. Mitigation of DoS attacks can be
performed at the ISP egress router into the company via rate limiting, via NIDS and HIDS, and by
having up-to-date security patches and hot fixes installed on all critical servers and systems.
Input checking included in the login subsystem can also easily stop this type of DoS attack.

Distributed Denial of Service (DDoS): This is a logical extension of the DoS attack. The attacker
creates master controllers that can in turn control slaves/zombie machines, all of which can be
configured to attack a single node.
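The Smurf, Fraggle and DoS patterns above, seen from the defender's side: the detection logic a simple NIDS would run over packet summaries, as an added example that is not part of the original document. Packet records, addresses and thresholds are constructed for the demonstration.

```python
"""Detection of amplification (Smurf / Fraggle) and SYN-flood traffic over packet summaries.
A Smurf or Fraggle victim sees echo replies from many distinct hosts it never queried; a
SYN-flooded service sees SYNs that are never followed by the handshake's final ACK."""
from collections import defaultdict

# Packet summary: (timestamp_seconds, proto, src, dst, kind)
#   icmp -> kind "echo-reply"; udp -> "echo-reply" (UDP echo service, as in Fraggle);
#   tcp  -> the TCP flag of interest ("SYN" or "ACK"); dst carries "ip:port" for tcp.


def _max_in_window(items, window, measure):
    """Slide a time window over (ts, value) pairs; return the largest measure() seen."""
    items.sort()
    best, start = 0, 0
    for end in range(len(items)):
        while items[end][0] - items[start][0] > window:
            start += 1
        best = max(best, measure(items[start:end + 1]))
    return best


def detect_amplification(packets, window=1.0, min_sources=20):
    """Flag destinations receiving echo replies from >= min_sources distinct hosts within
    `window` seconds: Smurf for ICMP, Fraggle for UDP."""
    replies = defaultdict(list)
    for ts, proto, src, dst, kind in packets:
        if kind == "echo-reply" and proto in ("icmp", "udp"):
            replies[(proto, dst)].append((ts, src))
    alerts = []
    for (proto, dst), items in replies.items():
        distinct = _max_in_window(items, window, lambda seg: len({s for _, s in seg}))
        if distinct >= min_sources:
            alerts.append(("smurf" if proto == "icmp" else "fraggle", dst, distinct))
    return alerts


def detect_syn_flood(packets, window=1.0, min_syn=50, max_ack_fraction=0.1):
    """Flag services seeing >= min_syn SYNs in a window while completed handshakes (ACKs)
    stay below max_ack_fraction of that count: half-open connections are piling up."""
    syns, acks = defaultdict(list), defaultdict(int)
    for ts, proto, src, dst, kind in packets:
        if proto != "tcp":
            continue
        if kind == "SYN":
            syns[dst].append((ts, src))
        elif kind == "ACK":
            acks[dst] += 1
    alerts = []
    for dst, items in syns.items():
        burst = _max_in_window(items, window, len)
        if burst >= min_syn and acks[dst] < max_ack_fraction * burst:
            alerts.append(("syn-flood", dst, burst))
    return alerts


def constructed_traffic():
    """Constructed sample: one Smurf burst, one Fraggle burst, one SYN flood, benign noise."""
    pkts = []
    victim = "203.0.113.5"
    for i in range(40):   # 40 amplifier hosts answer the spoofed broadcast within 0.4 s
        pkts.append((10.0 + i * 0.01, "icmp", f"192.0.2.{i + 1}", victim, "echo-reply"))
    for i in range(25):   # UDP echo replies from a second amplifying network
        pkts.append((20.0 + i * 0.02, "udp", f"198.51.100.{i + 1}", victim, "echo-reply"))
    service = "203.0.113.80:80"
    for i in range(80):   # spoofed SYNs, never completed
        pkts.append((30.0 + i * 0.005, "tcp", f"10.{i % 7}.{i % 13}.{i + 1}", service, "SYN"))
    for i in range(5):    # legitimate clients, spread out, completing the handshake
        pkts.append((40.0 + i, "tcp", f"172.16.0.{i + 1}", service, "SYN"))
        pkts.append((40.05 + i, "tcp", f"172.16.0.{i + 1}", service, "ACK"))
    pkts.append((50.0, "icmp", "192.0.2.9", "203.0.113.7", "echo-reply"))  # one lone reply
    return pkts
```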

DNS DoS Attacks: In this attack a record at a Domain Name System (DNS) server is replaced with
a new record pointing at a fake/false IP address.

Cache Poisoning: Here the attacker inserts data into the cache of the server instead of replacing
the actual records.

A buffer overflow is a software-based attack created when a program does not check the length
of data that is input to it, which will then be processed by the CPU. A buffer overflow exists
when a particular program attempts to store more information in a buffer (memory storage) than it
was intended to hold. Since the buffer was only intended to hold a certain amount of data, the
additional data overflows into a different area of memory. It is this different area of memory
where overflows cause the problem.

Brute force attacks occur when a cracker attempts to obtain the correct password for an account
by trying every conceivable value hoping to stumble across the correct one. Administrators have
known about brute force attacks for many, many years and have come up with ways to mitigate
these types of attacks. One of the easiest methods is to rename the administrator account to
something else. In this way the cracker must know two things, the account name and the
password. Administrators will also create passwords of at least eight characters in length. This
technique helps because it takes time to brute force a password that is at least eight
characters long. Hopefully, the administrator will notice the attack and take precautionary steps
to block the cracker. The length of the password and the number of possible values a password may
have will delay the success but not stop this attack. Also, imposing a delay of say 20 seconds
between failed attempts or locking the account after 10 failed attempts deters this type of attack.

Dictionary attacks are another form of brute force attacks and take advantage of a well-known
flaw in the password authentication scheme. That flaw is the fact that many people use common
words as the password for an account. Attackers exploit this fact by using a source for common
words (the dictionary) to try to obtain a password for an account. They simply try every possible
word in the dictionary until a match is found. Proper password usage is key to the mitigation of
this attack. Dictionary attacks are usually mitigated by systems that use pass phrases instead of
passwords.
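The brute-force and dictionary mitigations from the two passages above, as an added example that is not the document's code: the 20-second spacing between failed attempts and the lockout after 10 failures, a rule that rejects dictionary words in favour of passphrases, and the key-space arithmetic showing why length and the throttle multiply the attacker's cost. The word list, the passphrase rule and the clock are constructed.

```python
"""Login throttling, password-policy checks and brute-force cost estimates."""

FAIL_DELAY_SECONDS = 20   # minimum spacing between failed attempts (from the text)
LOCKOUT_THRESHOLD = 10    # failed attempts before the account is locked (from the text)
MIN_PASSWORD_LENGTH = 8   # "at least eight characters" (from the text)
MIN_PASSPHRASE_WORDS = 4  # assumed passphrase rule for this example

# Constructed stand-in for a cracker's word list.
COMMON_WORDS = {"password", "welcome", "letmein", "summer", "dragon", "qwerty", "admin"}


class LoginThrottle:
    """Tracks failures per account; `now` is an injectable clock returning seconds."""

    def __init__(self, now):
        self._now = now
        self._failures = {}      # user -> consecutive failed attempts
        self._last_failure = {}  # user -> time of the last failure
        self._locked = set()

    def attempt(self, user, credential_ok):
        """Return "allowed", "denied", "too-soon" (inside the delay) or "locked"."""
        now = self._now()
        if user in self._locked:
            return "locked"
        last = self._last_failure.get(user)
        if last is not None and now - last < FAIL_DELAY_SECONDS:
            return "too-soon"    # guess not evaluated, so it tells the attacker nothing
        if credential_ok:
            self._failures.pop(user, None)
            self._last_failure.pop(user, None)
            return "allowed"
        self._failures[user] = self._failures.get(user, 0) + 1
        self._last_failure[user] = now
        if self._failures[user] >= LOCKOUT_THRESHOLD:
            self._locked.add(user)
            return "locked"
        return "denied"


def is_dictionary_word(candidate, words=COMMON_WORDS):
    """True if the candidate is a word-list entry, ignoring case and a trailing digit/symbol."""
    return candidate.lower().rstrip("0123456789!@#$") in words


def password_acceptable(candidate):
    """(ok, reason): multi-word passphrases pass; short or dictionary-based secrets fail."""
    if is_dictionary_word(candidate):
        return False, "dictionary word"
    if len(candidate.split()) >= MIN_PASSPHRASE_WORDS:
        return True, "passphrase"
    if len(candidate) < MIN_PASSWORD_LENGTH:
        return False, "shorter than %d characters" % MIN_PASSWORD_LENGTH
    return True, "password"


def brute_force_seconds(length, alphabet_size, seconds_per_guess):
    """Time to exhaust the whole key space at the given guess rate. With the throttle
    above, an online guess costs at least FAIL_DELAY_SECONDS."""
    return alphabet_size ** length * seconds_per_guess
```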

Spoofing: Attackers can use many different types of spoofing attacks, but they all use spoofing
for one reason, which is to impersonate another host. Sometimes the attacker does not care who
he or she is impersonating; the attacker only cares that the packet he or she is transmitting does
not identify him or her. Other times the attacker knows exactly what host he or she wants to
impersonate and wants the return traffic to reach this host. A spoofing attack on a password
system is one in which one person or process pretends to be another person or process that has
more privileges. An example would be a fake login screen also called a Trojan horse login. In
this attack, the attacker obtains low-level access to the system and installs malicious code that
mimics the user login screen. On the next attempt to login, the user enters his username and
password into the fake login screen. The malicious code then stores the username and password
in a certain location or may even email the information to an email account. The Trojan horse
then calls the correct login process to execute. To the user, the entry appears to be an incorrect or
mistyped username or password and he or she will try again. When they do, of course, they are
let into the system.

DNS spoofing attacks work by convincing the target machine that the machine it wants to
contact (for example, www.makebigchecks.com) is the machine of the attacker. When the target
issues a DNS query, it could be intercepted and answered with the spoofed IP address, or the query
could reach the DNS server, which has been tampered with in order to give the IP address of the
cracker’s host rather than the real server’s IP address. Either way the target receives a false IP
address for the host it wants to reach and will attempt to contact it.

Sniffing: The act of sniffing is the use of a program or device that monitors data traveling over a
network. Sniffing is hard to detect because as a passive attack, it only receives information and
never sends out information. The goal of sniffing is to capture sensitive information such as a
password in order to perform a replay attack at a later time. Mitigation against sniffing attacks
can include using a switched infrastructure, using one-time passwords, or enabling encryption.

In a Transmission Control Protocol (TCP) takeover attack, the cracker will attempt to insert
malicious data into an already existing TCP session between two hosts. In this type of attack, the
attacker is either attempting to inject false data into the conversation, or take over the session
completely. This type of attack is usually used in conjunction with a DoS attack to stop the host
it is impersonating from sending any further packets. The DoS attack against the impersonated
host will itself be using spoofed packets. In this way, the attacker will hide his or her identity
from the host he or she took over the TCP session from, while the opposite end still believes its
ongoing session is with the original host.

A pseudo flaw is an apparent loophole deliberately implanted in an operating system or program
as a trap for intruders. Pseudo flaws are inserted into programs to get attackers to spend time and
energy attempting to uncover weaknesses in programs that they hope will allow them to gain
access to other parts of the system. Because these are deliberate flaws, the attacker can spend
weeks attempting to exploit the flaw, before he or she becomes discouraged and moves on to
different parts of the program.

Alteration of Authorized Code: Attackers often write small programs that create a patch in
authorized code. Take a program that will not execute until the user enters a valid serial number
or authorization code. The attacker does not have this information, yet still wants to execute the
program. Using his or her knowledge of programming and off-the-shelf software, the attacker
can identify where in the program the subroutine that performs authorization is called from. The
attacker then writes a program that modifies that very same area of the program, but instead of
calling the authorization subroutine, the instructions are now a series of NOPs (no operations).
This alteration of authorized code simply bypasses the authorization subroutine and begins
executing the program.

Flooding is the process of overwhelming some portion of the information system. This could be
bandwidth on a serial link or memory in a router or server. There are many uses of flooding for
attackers. Attackers could hide their attacks in a flood of random attack packets, they could
attempt to overwhelm a switch’s Address Resolution Protocol (ARP) table, or they could
perform DoS attacks. SYN floods are an example of flooding used in a DoS attack. SYN floods
take advantage of TCP’s three-way-handshake. In this DoS attack, the attacker sends many
thousands of half-formed or embryonic TCP connection requests (SYN packets), usually with a
spoofed source address, to the target server. The server that receives these connection requests
sets aside a small amount of memory for each connection, and replies with a SYN-ACK to the
spoofed address. The spoofed host (if it exists) receives the SYN-ACK packet and discards it.
This leaves the server with an open or a half-formed connection, which will remain so for three
minutes as it waits for the connection to complete. A few open connections will not cause harm
to a server, but thousands upon thousands of open connections, each using a small amount of
memory, will quickly consume all available resources on the server. When all resources are
consumed, the server will no longer respond to the SYN requests of the attacker. Unfortunately,
the server will also not respond to any SYN request from a valid user, which is exactly the
denial of service the attacker is trying to achieve.
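The half-open-connection pattern described above is what a sensor looks for. The following Python script is an added example, not part of the original paper: it keeps a table of handshakes that saw a client SYN but never the client's final ACK, and raises an alert when too many of them are opened against one service within a short window. The packet records are constructed for the example, and the field layout, window and threshold are assumptions.

```python
from collections import defaultdict

# Constructed packet summaries (not captured from any real network).
# Each record: (timestamp_seconds, src_ip, src_port, dst_ip, dst_port, tcp_flags)
SAMPLE_PACKETS = [
    (0.00, "203.0.113.7", 51000, "192.0.2.10", 443, "S"),   # normal client SYN
    (0.01, "192.0.2.10", 443, "203.0.113.7", 51000, "SA"),  # server SYN-ACK
    (0.02, "203.0.113.7", 51000, "192.0.2.10", 443, "A"),   # handshake completes
] + [
    # burst of SYNs from 250 different (spoofed-looking) sources that never complete
    (1.0 + i * 0.001, f"198.51.100.{i % 250 + 1}", 40000 + i, "192.0.2.10", 443, "S")
    for i in range(300)
]


def half_open_connections(packets):
    """Return {(src_ip, src_port, dst_ip, dst_port): syn_time} for handshakes
    that saw a client SYN but never the client's final ACK."""
    pending = {}
    for ts, src, sport, dst, dport, flags in packets:
        key = (src, sport, dst, dport)
        if flags == "S":
            pending[key] = ts
        elif flags == "A":
            # third packet of the handshake: the connection is now fully open
            pending.pop(key, None)
    return pending


def detect_syn_flood(packets, window=2.0, threshold=100):
    """Alert per (dst_ip, dst_port) when more than `threshold` half-open
    handshakes were started within any `window` seconds (assumed thresholds)."""
    pending = half_open_connections(packets)
    syn_times = defaultdict(list)
    sources = defaultdict(set)
    for (src, _sport, dst, dport), ts in pending.items():
        syn_times[(dst, dport)].append(ts)
        sources[(dst, dport)].add(src)

    alerts = {}
    for service, times in syn_times.items():
        times.sort()
        peak, lo = 0, 0
        for hi, t in enumerate(times):          # sliding window over SYN times
            while t - times[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak > threshold:
            alerts[service] = {
                "half_open": len(times),
                "peak_in_window": peak,
                "distinct_sources": len(sources[service]),
            }
    return alerts


if __name__ == "__main__":
    for service, info in detect_syn_flood(SAMPLE_PACKETS).items():
        print(f"possible SYN flood against {service[0]}:{service[1]} -> {info}")
```

A real sensor would feed the same six fields from a packet capture or flow export. The high count of distinct sources with no completed handshakes is the tell-tale of spoofed SYNs; on the server itself the usual mitigation is SYN cookies, which let the kernel avoid allocating state until the third packet arrives.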

These attacks are always changing and methods of mitigating them are also changing.

13. Architecture

An example network architecture for a single location is located in Appendix IV. The network is
segregated into 7 sub-networks which include the 10 functional areas.

Fundamental Firewall Designs

Firewall design has evolved from flat designs, such as the dual-homed host and the screened host, to
layered designs such as the screened subnet. This evolution brought network defense in depth
through the use of DMZs and more secure internal networks.

A Bastion host is any host placed on the Internet which is not protected by another device (such
as a firewall). Bastion hosts must protect themselves, and be hardened to withstand attack.
Bastion hosts usually provide a specific service, and all other services should be disabled.

A Dual-homed host has two network interfaces: one connected to a trusted network, and the
other connected to an untrusted network, such as the Internet. This design was more common
before the advent of modern firewalls in the 1990s, and is still sometimes used to access legacy
networks.

Screened Host Architecture is an older flat network design using one router to filter external
traffic to and from a bastion host via an access control list (ACL). The bastion host can reach
other internal resources, but the router ACL forbids direct internal/external connectivity. The
difference between the dual-homed host and the screened host design is that the screened host uses
a screening router, which filters Internet traffic to other internal systems. Screened host network
design does not employ network defense-in-depth: a failure of the bastion host puts the entire
trusted network at risk. Screened subnet architecture evolved as a result, using network defense
in depth via the use of DMZ networks.



DMZ Networks and Screened Subnet Architecture

A DMZ is a dangerous “no-man’s land”: this is true for both military and network DMZs. Any
server that receives traffic from an untrusted source such as the Internet is at risk of being
compromised. We use defense-in-depth mitigation strategies to lower this risk, including
patching, server hardening, NIDS, etc., but some risk always remains.

Network servers that receive traffic from untrusted networks such as the Internet should be
placed on DMZ networks for this reason. A DMZ is designed with the assumption that any DMZ
host may be compromised: the DMZ is designed to contain the compromise, and prevent it from
extending into internal trusted networks. Any host on a DMZ should be hardened. Hardening
should consider attacks from untrusted networks, as well as attacks from compromised DMZ
hosts. A “classic” DMZ uses two firewalls, also called a screened subnet dual firewall design. In
this design two firewalls screen the DMZ subnet. A single-firewall DMZ uses one firewall. This
is sometimes called a “three-legged” DMZ. The single firewall design requires a firewall that can
filter traffic on all interfaces: untrusted, trusted, and DMZ. Dual-firewall designs are more
complex, but more secure. In the event of compromise due to firewall failure, a dual firewall
DMZ requires two firewall failures before the trusted network is exposed. Single firewall design
requires one failure.
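The containment property of the three-legged DMZ described above can be checked mechanically rather than argued about. The following Python model is an added example, not a configuration from the paper: it encodes the three zones, a small first-match rule set with default deny, and a helper that asks which zones a host could open new connections into if it were compromised. The zone names, rule set and probe ports are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Zones of a single-firewall ("three-legged") DMZ.
UNTRUSTED, DMZ, TRUSTED = "untrusted", "dmz", "trusted"
ZONES = (UNTRUSTED, DMZ, TRUSTED)


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches any port
    action: str           # "accept" or "drop"


# Constructed example policy: public web server in the DMZ, everything else internal.
POLICY = [
    Rule(UNTRUSTED, DMZ, "tcp", 443, "accept"),       # Internet -> DMZ web server only
    Rule(TRUSTED, DMZ, "tcp", 22, "accept"),          # admins manage DMZ hosts
    Rule(TRUSTED, UNTRUSTED, "any", None, "accept"),  # outbound access from inside
    # Deliberately no rule from DMZ toward TRUSTED: the default deny below
    # is what contains a compromised DMZ host.
]

# The same policy with a common mistake added: the DMZ web server is allowed to
# talk to an internal database directly, so a DMZ compromise has a path inward.
WEAK_POLICY = POLICY + [Rule(DMZ, TRUSTED, "tcp", 3306, "accept")]


def evaluate(policy, src_zone, dst_zone, proto, dport, state="new"):
    """First-match rule evaluation with default deny.  Packets belonging to a
    session the firewall already accepted ("established") are let through, as
    a stateful firewall would; only new connections consult the rules."""
    if src_zone == dst_zone:
        return "accept"  # traffic inside one zone never crosses the firewall
    if state == "established":
        return "accept"
    for rule in policy:
        if (rule.src_zone, rule.dst_zone) != (src_zone, dst_zone):
            continue
        if rule.proto != "any" and rule.proto != proto:
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action
    return "drop"


def reachable_zones(policy, from_zone, probe_ports=(22, 80, 443, 445, 1433, 3306)):
    """Zones into which a host in `from_zone` can open at least one new
    connection on one of the probe ports (assumed list of common services)."""
    return sorted(
        zone for zone in ZONES if zone != from_zone and any(
            evaluate(policy, from_zone, zone, proto, port) == "accept"
            for proto in ("tcp", "udp") for port in probe_ports
        )
    )


if __name__ == "__main__":
    print("correct policy, compromised DMZ host can reach:", reachable_zones(POLICY, DMZ))
    print("weak policy,    compromised DMZ host can reach:", reachable_zones(WEAK_POLICY, DMZ))
```

With the correct policy a compromised DMZ host reaches nothing, which is the "contain the compromise" goal the text sets for a DMZ; the single extra inbound rule in WEAK_POLICY is enough to give it a path into the trusted network. Running this kind of check against the exported rule base of a real firewall is a cheap way to catch such rules during review.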




14. Intrusion Detection System (IDS)

An important tool in network defense is the Intrusion Detection System (IDS). An IDS utilizes
audit records of all activities on a system. An IDS has three basic components: a sensor (agent),
an analyzer, and a security interface (also called the director). The sensor collects information
and forwards it to the analyzer. The analyzer receives this data and attempts to ascertain whether
the data constitutes an attack or intrusion. The security interface, which is usually a separate
device, displays the output to the security administrator and configures the sensors in the
network. There are two basic types of intrusion detection mechanisms: Network-based Intrusion
Detection Systems (NIDS) and Host-based Intrusion Detection Systems (HIDS).

Intrusion detection devices attempt to identify any of the following types of intrusions:

   - Input Validation Errors
   - Buffer Overflow
   - Boundary Conditions
   - Access Validation Errors
   - Exceptional Condition Handling Errors
   - Environmental Errors
   - Configuration Errors
   - Race Conditions

NIDS: Protects an entire network segment and is usually a passive device on the network. Users
are unaware of the NIDS’s existence unless they learn about it through the general security
training sessions. A NIDS cannot detect malicious code in encrypted packets, but it is cost
effective for mass protection. It requires its own sensor for each network segment.

HIDS: Protects a single system. It uses system resources (CPU and memory) from the system
and provides application level security. An advantage of HIDS is that it provides day-one
security. Intrusion detection is performed after decryption so it is used on servers and sensitive
workstations, but is costly for mass protection.




The two forms of Intrusion Detection:

Profile-based Intrusion Detection (Also known as anomaly detection): In profile-based
detection, an alarm is generated when activity on the network goes outside of the profile. A
profile is a baseline of what should be considered normal traffic for each system running on the
network. A problem exists because most systems do not follow a consistent profile: what is
normal today might not be normal tomorrow.

Signature-based Intrusion Detection: In signature-based detection, a signature or set of rules is
used to determine intrusion activity. An alarm is generated when a specific pattern of traffic is
matched or a signature is triggered. Typical responses to an attack include the following:

   - Terminating the session (TCP resets)
   - Blocking offending traffic (usually implemented with Access Control Lists - ACLs)
   - Creating session log files
   - Dropping the packet
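The two detection forms just described, as one added Python example that is not from the paper: a signature matcher that applies a small named rule set to each request, and a profile-based detector that learns a per-minute request-rate baseline from known-normal clients and flags any client whose busiest minute falls far outside it. The log lines, the two signatures, the baseline clients and the z-score threshold are all constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed web-server log lines (not from any real system): "client [hh:mm:ss] METHOD path"
SAMPLE_LOG = [
    "10.0.0.5 [10:00:01] GET /index.html",
    "10.0.0.5 [10:00:04] GET /about.html",
    "10.0.0.9 [10:00:05] GET /login",
    "10.0.0.9 [10:00:06] POST /login",
    "10.0.0.5 [10:00:09] GET /contact.html",
    "10.0.0.9 [10:01:02] GET /index.html",
    "10.0.0.5 [10:01:07] GET /products",
    "198.51.100.23 [10:02:01] GET /index.php?id=1' OR '1'='1",
    "198.51.100.23 [10:02:01] GET /cgi-bin/../../etc/passwd",
] + [f"198.51.100.23 [10:02:{s:02d}] GET /page{s}" for s in range(2, 60)]

LINE_RE = re.compile(r"^(\S+) \[(\d\d):(\d\d):(\d\d)\] (.+)$")

# Signature-based: one named pattern per known attack shape (assumed, minimal rule set).
SIGNATURES = {
    "sql-injection-tautology": re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE),
    "directory-traversal": re.compile(r"\.\./"),
}


def parse(line):
    """Return (client_ip, seconds_since_midnight, request) or None for a malformed line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, hh, mm, ss, request = m.groups()
    return ip, int(hh) * 3600 + int(mm) * 60 + int(ss), request


def signature_alerts(lines):
    """Every (client, signature_name) pair where a request matched a rule, in log order."""
    alerts = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ip, _, request = parsed
        for name, pattern in SIGNATURES.items():
            if pattern.search(request):
                alerts.append((ip, name))
    return alerts


def anomaly_alerts(lines, baseline_clients, zscore=3.0):
    """Profile-based: learn the per-minute request rate of known-normal clients,
    then flag any client whose busiest minute is more than `zscore` standard
    deviations above that baseline.  Returns {client: peak_requests_per_minute}."""
    per_minute = defaultdict(Counter)  # client -> {minute_bucket: request count}
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ip, t, _ = parsed
        per_minute[ip][t // 60] += 1

    baseline = [n for ip in baseline_clients for n in per_minute[ip].values()]
    mu, sigma = mean(baseline), pstdev(baseline) or 1.0
    alerts = {}
    for ip, buckets in per_minute.items():
        peak = max(buckets.values())
        if (peak - mu) / sigma > zscore:
            alerts[ip] = peak
    return alerts


if __name__ == "__main__":
    print("signature hits:", signature_alerts(SAMPLE_LOG))
    print("rate anomalies:", anomaly_alerts(SAMPLE_LOG, baseline_clients=["10.0.0.5", "10.0.0.9"]))
```

The signature side only fires on the two requests that match a known pattern; the profile side fires on the same client for a different reason, its request rate, and would do so for a pattern no signature covers. The weakness the text notes applies directly to the second function: the baseline is learned once from the named clients, so it has to be re-learned as normal traffic changes or it will start alerting on legitimate load.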



IDS Examples [14]:

Tripwire scans files and directories on Unix systems to create a snapshot record of their
size, date, and signature hash. If you suspect an intrusion in the future, Tripwire will
rescan your server and report any changed files by comparing the file signatures to the
stored records. Tripwire was an open-source project of Purdue University, but it
continues development as a licensed package of Tripwire Security Systems
(www.tripwiresecurity.com).

Snort (www.snort.org) is an open-source intrusion detection system that relies upon raw
packet capture (sniffing) and attack signature scanning to detect an extremely wide array
of attacks. Snort is widely considered to be the best available intrusion detection system
because of the enormous body of attack signatures that the open source community has
created for it. The fact that it’s free and cross-platform pretty much ensures that the
commercial IDSs won’t develop much beyond where they are now. Snort was originally
developed for Unix and has been ported to Windows.

Demarc PureSecure (www.demarc.com) is a best-of-breed network monitoring and
intrusion detection system descended from Snort. PureSecure is a commercial product
that uses Snort as its intrusion detector, but it adds typical network monitoring functions
like CPU, network, memory, disk load, ping testing, and service monitoring to the
sensors that run on every host. Demarc creates a web-based client/server architecture
where the sensor clients report back to the central Demarc server, which runs the
reporting website. By pointing your web browser at the Demarc server, you get an
overview of the health of your network in one shot. Demarc can be configured to alert on
all types of events, so keeping track of your network becomes quite easy. Demarc’s price
is $1,500 for the monitoring software, plus $100 per sensor.

Network Flight Recorder (NFR, www.nfr.com) was one of the first inspector-based
intrusion detection systems on the market and was originally offered as a network
appliance. Now available as both software and network appliances, NFR has evolved into
a commercial product very similar to Snort in its capabilities. However, since it is a
commercial product, NFR can consult with you directly to analyze intrusion attempts, to
train your staff, and to provide product support for its products.
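Tripwire's snapshot-and-compare approach, and why it also catches the in-place NOP patching of authorized code described earlier in this paper, as an added Python example that is not Tripwire's own code: it records size, modification time and a SHA-256 digest for every file under a directory, then reports files added, removed or changed on a later scan. The directory tree, the stand-in "binary" bytes and the patch applied to them are constructed for the demonstration.

```python
import hashlib
import os
import tempfile


def file_record(path):
    """Size, modification time and SHA-256 digest of one file.  Only the digest is
    reliable for change detection: size and mtime can be left untouched by an edit."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    st = os.stat(path)
    return {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": digest.hexdigest()}


def snapshot(root):
    """Map relative path -> record for every regular file below `root`."""
    records = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full):
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                records[rel] = file_record(full)
    return records


def compare(baseline, current):
    """Report paths added, removed, or whose content digest changed since the baseline."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "changed": sorted(p for p in base_paths & cur_paths
                          if baseline[p]["sha256"] != current[p]["sha256"]),
    }


def demo():
    """Constructed scenario: baseline a small tree, then alter it the way the
    paper describes (an in-place patch that keeps the file size identical),
    delete one file and drop a new one.  Returns the comparison result."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        program = os.path.join(root, "bin", "licensed_app")
        with open(program, "wb") as f:
            # constructed stand-in for compiled code containing a 5-byte call instruction
            f.write(b"\x55\x48\x89\xe5" + b"\xe8\x00\x00\x00\x00" + b"\xc3")
        with open(os.path.join(root, "app.conf"), "w") as f:
            f.write("mode=prod\n")

        baseline = snapshot(root)

        # Same-size modification: the 5-byte call is overwritten with 5 NOP bytes,
        # so a size check alone would miss it while the digest does not.
        with open(program, "r+b") as f:
            f.seek(4)
            f.write(b"\x90" * 5)
        os.remove(os.path.join(root, "app.conf"))
        with open(os.path.join(root, "dropped.txt"), "w") as f:
            f.write("new file\n")

        current = snapshot(root)
        assert baseline["bin/licensed_app"]["size"] == current["bin/licensed_app"]["size"]
        return compare(baseline, current)


if __name__ == "__main__":
    print(demo())
```

The baseline database only has value if an intruder cannot rewrite it along with the files, so in practice it is stored off the host or on read-only media and the checker itself is run from trusted media; a HIDS of this kind sees the change after the fact, which is why the text pairs it with a NIDS for traffic it cannot observe.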



15. Electronic Mail Security

E-mail access was one of the first protocols defined under the Transmission Control
Protocol/Internet Protocol (TCP/IP) protocol suite. The two main mail protocols are Post Office
Protocol 3 (POP3) and Simple Mail Transfer Protocol (SMTP).



Post Office Protocol 3 (POP3) is a lightweight e-mail retrieval protocol using TCP port 110, used
by a client to receive e-mail from a server.



Simple Mail Transfer Protocol (SMTP) is an effective mail transfer protocol, but not very
secure. SMTP uses port 25 and is used to send e-mail from client to server and for server to
server forwarding.




The SMTP protocol defines the mechanism a sender uses to connect to, request, and send e-mail to
the server. SMTP was an effective protocol, but is riddled with security holes. SMTP can be
identified as using TCP port 25 on the network. SMTP carries a lot of overhead. The Post
Office Protocol version 3 (POP3) was created as a means of reducing the required overhead for a
single workstation. POP3 is intended to permit a workstation to dynamically access a mail-drop
on a server host. SMTP is used to send e-mail from an e-mail client to an e-mail server, and POP3
is used to receive e-mail from the e-mail server at the e-mail client. POP3 can be identified as
using TCP port 110 on the network.



When e-mail first came into existence, e-mail messages were meant to be pure text only.
As the Internet started to grow, graphic files, audio files and Hypertext Transport Protocol
(HTTP) content became part of mail. The Multipurpose Internet Mail Extensions (MIME) protocol
was developed to handle these. MIME allows a one-time modification to e-mail reading programs
that enables the program to display a wide variety of message types. This e-mail extension
allows you to view dynamic multi-type e-mail messages that include color, sound, animations, and
moving graphics. The drawback of MIME is that it also lacks adequate security: e-mail was still
subject to the same old attacks, such as sniffing and replay. Secure MIME (S/MIME) was created
to provide a more secure MIME.



S/MIME provides cryptographic security services for electronic messaging applications by
providing authentication, message integrity, non-repudiation of origin (using digital signatures),
and privacy and data security (using encryption). Using S/MIME is the preferred way of securing
e-mail as it traverses the Internet.



Public Encryption of E-Mail messages - PGP

PGP uses a public key cryptosystem. In this method, each party creates an RSA public/private
key pair. One of these keys is kept private (the private key), and one is given out to anyone on the
public Internet (the public key). What one key encrypts, only the other key of the pair can decrypt.
This means that if user X obtains user Y’s public key and encrypts a message destined for user Y
with it, the only person in the universe who can decrypt the message is user Y, who holds the
corresponding private key. PGP is a hybrid cryptosystem; before encryption is performed, the
e-mail data is first compressed. Compression not only makes an e-mail message smaller, it also
removes patterns found in plain text, which mitigates many cryptanalysis techniques that look for
such patterns. PGP provides the following security services: confidentiality, data integrity, and
sender authenticity.



Secure Web-based mail: For a small business, utilizing a free open mail server has some
advantages. Yahoo, for example, has teamed with Zixit Corporation, a company that enables
secure, certified e-mail to any recipient. [15]



16. Disaster Recovery

Sometimes called Business Continuity Planning (BCP), the Disaster Recovery Plan (DRP) is the
tactical actualization of BCP. The DRP is the operational plan and is a requirement for a corporation
that has the goal of remaining in business after a natural or man-made disaster. In this section we
discuss the backup and restore plan and strategies for business continuity. First, a listing of the
types of events that might occur:



   - Sabotage
   - Arson
   - Security Incidents (major)
   - Strike (labor unrest)
   - Bombings
   - Earthquakes
   - Fire
   - Flood
   - Loss of Electrical Power
   - Storm
   - Communication system outage
   - Unavailability of Key Employees


The planning committee (DRP team) is made up of management and technical experts from each
area of the company and meets at regular intervals. This team will hold a yearly disaster recovery
exercise and participate in periodic probes and assessments of the company’s security practices
and technologies.



The general process of disaster recovery involves responding to the disruption; activation of the
recovery team; ongoing tactical communication of the status of disaster and its associated
recovery; further assessment of the damage caused by the disruptive event; and recovery of
critical assets and processes in a manner consistent with the extent of the disaster.

Respond: First there must be an initial response that begins the process of assessing the damage.
Speed is essential during this initial assessment. There will be time later, to more thoroughly
assess the full scope of the disaster. The initial assessment will determine if the event in question
constitutes a disaster. An alternate data center may be required. If there is doubt that an alternate
facility will be necessary, then the sooner this fact can be communicated, the better for the
recoverability of the systems. The initial response team should also be mindful of assessing the
facility’s safety for continued personnel usage, or seeking the counsel of those suitably trained
for safety assessments of this nature.

Activate Team: If during the initial response to a disruptive event a disaster is declared, then the
team that will be responsible for recovery needs to be activated.

Communicate: One of the most difficult aspects of disaster recovery is ensuring that consistent
timely status updates are communicated back to the central team managing the response and
recovery process. In addition to communication of internal status regarding the recovery
activities, the organization must be prepared to provide external communications, which involves
disseminating details regarding the organization’s recovery status with the public.

Assess: Though an initial assessment was carried out during the initial response portion of the
disaster recovery process, a more detailed and thorough assessment will be done by the disaster
recovery team. The team determines the proper steps necessary to ensure the organization’s
ability to meet its mission and Maximum Tolerable Downtime (MTD).

Reconstitution: The goal of the reconstitution phase is to recover critical business operations
either at the primary or at a secondary (recovery) site. If an alternate site is used, adequate safety and
security controls must be in place in order to maintain security continuity. In addition to the
recovery team’s efforts at reconstitution of critical business functions at an alternate location, a
salvage team will be employed to begin the recovery process at the primary facility that
experienced the disaster.



One key to data recovery and business continuity is the data backup process. Holding data
backups at safe locations is a major requirement. Another aspect of DRP becoming more
prevalent is where two companies agree to be the “backup” facility for the other. This can be
where industries are similar and each company will set aside an area for the business continuity
of the other. This may not work for direct competitors; however, the cost benefit of these plans is
such that cooperation among rivals is actually becoming cost effective (see reciprocal
agreements, below).


The Alternate or Secondary (recovery) site:

A redundant site is an exact production duplicate of a system that has the capability to seamlessly
operate all necessary IT operations without loss of services to the end user of the system. A
redundant site receives data backups in real time so that in the event of a disaster, the users of the
system have no loss of data. It is a building configured exactly like the primary site and is the
most expensive recovery option because it effectively more than doubles the cost of IT
operations. To be fully redundant, a site must have real-time data backups to the production
system and the end user should not notice any difference in IT services or operations in the event
of a disruptive event.

A hot site is a location that an organization may relocate to following a major disruption or
disaster. It could be a datacenter with a raised floor, power, utilities, computer peripherals, and
fully configured computers. The hot site will have all necessary hardware and critical application
data mirrored in real time. A hot site will have the capability to allow the organization to resume
critical operations within a very short period of time (hours). Hot sites can quickly recover
critical IT functionality. However, only a redundant site will appear to the end user as operating
normally no matter what the state of IT operations is. A hot site has all the same physical,
technical, and administrative controls implemented as the production site.

A warm site has readily-accessible hardware and connectivity, but it will have to rely upon
backup data in order to reconstitute a system after a disruption. It may have a datacenter with a
raised floor, power, utilities, computer peripherals, and fully configured computers. Because of
the extensive costs involved with maintaining a hot or redundant site, many organizations will
elect to use a warm site recovery solution. These organizations will have to be able to withstand
a Maximum Tolerable Downtime (MTD) of at least 1-3 days in order to consider a warm site
solution. The longer the MTD is, the less expensive the recovery solution will be.

A cold site is the least expensive recovery solution to implement. It does not include backup
copies of data, nor does it contain any immediately available hardware. After a disruptive event,
a cold site will take the longest amount of time of all recovery solutions to implement and restore
critical IT services for the organization. It could take weeks to get vendor hardware shipments in
place so organizations using a cold site recovery solution will have to be able to withstand a
significantly long MTD. A cold site is typically a datacenter with a raised floor, power, utilities,
and physical security, but not much beyond that.

A reciprocal agreement is a bi-directional agreement between two organizations in which each
organization promises the other that it can move in and share space if it experiences a
disaster. It is documented in the form of a contract written to gain support from outside
organizations in the event of a disaster. Reciprocal agreements are also referred to as Mutual Aid
Agreements (MAAs), and they are structured so that each organization will assist the other in the
event of an emergency.

For each of these scenarios frequent testing for a simulated disaster and the associated recovery
is absolutely essential.

In this paper we have given a brief overview of some of the aspects of corporate security. We
touched on physical security, network security, Identity Management and disaster recovery.
There is no one correct way to maintain a secure operation. The emphasis should be on
cost-appropriate measures rather than the latest technological gimmick, and on plenty of training
to keep employees aware of the threats and risks. There should be a minimum of disruption to
employees and their normal operations.




APPENDIX I

Security Policy: (Overview)

1.1 Goal: Secure and maintain company integrity, assets and personnel with minimum disruption
to core operations.

Updates: The security department will facilitate semi-annual meetings to update this
policy. Feedback will be solicited from each department.

Manufacturing Facilities:

2.0 Network assets (Listed)
2.1 Human Resources
2.2 Research and Development
2.3 Engineering
2.4 Corporate Management

3.0 Roles:

Each Role is defined by: task definitions and detail, education and training requirements,
certification requirements, particular compliance requirements (Fire Safety, OSHA, HIPAA,
Sarbanes-Oxley, etc.), and pay and benefits scale, all maintained by the HR department.

Security Levels: Each role will imply at least two security levels, (Role - A) and (Role - B). The
“A” level will be used for the employee who has completed the six-month evaluation period
required for each role. The Role definitions for each department will specify which functions a “B”
level employee can complete alone and which would need to be completed with the oversight of
an “A” level employee in the same role; for example, creating or deleting corporate folders for
data storage, or creating, moving or modifying corporate data. The actual role detail is developed
by management of the particular department and maintained by the Human Resources
department. Corporate management develops the Management level I and Management level II
roles. See Appendix III for a matrix of Roles.



4.0 Security Breach:


The list of information assets that require protection, and the level of protection, is negotiated
between the department heads and the Security department after the Risk Analysis has been
completed by the management team with the facilitation of the Security Department. A security
breach may or may not involve the actual release of information. Logs for each security
measure are one of several sources of discovery used to identify a security breach. In the event
of a security breach specific actions are to be taken, and they differ for each type of breach.
Details are enumerated in the Security Policy. For example, if a breach of Personally Identifiable
Information (PII) occurs, the response team completes a specific process. PII refers to information
that can be used to distinguish or trace an individual’s identity, e.g. name, social security
number, date and place of birth, etc. The process, in brief, is:

   1) Notify Security and your department manager.

   2) Complete a report containing:

         a. Date of incident
         b. Number of individuals impacted
         c. Their status: Government / Military / Civilian.
         d. Description of the incident, including circumstances of the breach, type of
            information lost or compromised, and whether the PII was encrypted or password
            protected.

   3) The Security department completes the process with the corporate Legal team depending on
      the actual incident. State laws differ on notifications; therefore the actual response may
      be different depending on where the incident occurred.

The process for a HIPAA information breach is somewhat different and is spelled out in the policy
as well.




APPENDIX II

Vulnerability Assessment

The table below shows the results of an assessment that may be completed by an outside consulting
firm. It should be repeated periodically as improvements are made. This type of security audit or
assessment is often required by Government contracts. It is presented for illustration only. Of
course an actual list would depend on the particular network / implementation being assessed.

Risk Assessment Finding:    Server located in unlocked room.
   Vulnerability:           Physical access by unauthorized persons.
   Business Impact Analysis: Potentially cause loss of CIA for email system through physical
                            attack on the system.
   Mitigation:              Install hardware locks with PIN alarm system (risk is reduced to
                            acceptable level).

Risk Assessment Finding:    Software is out of date.
   Vulnerability:           This version is insecure and has reached end of life from vendor.
   Business Impact Analysis: Loss of CIA for email system through cyber attack.
   Mitigation:              Update system software (risk is eliminated).

Risk Assessment Finding:    Firewall weak or not properly implemented. Need DMZ protection due
                            to network architecture and risk of intrusion.
   Vulnerability:           Exposure to Internet without firewall increases cyber threat.
   Business Impact Analysis: Loss of critical data possible. Potential catastrophic impact.
   Mitigation:              Move email server into a managed hosting site (risk is transferred to
                            hosting organization). Conduct penetration testing and resolve
                            network breaches through improved network / firewall design and
                            implementation.

CIA = Confidentiality, Integrity, or Availability




Appendix III

Roles matrix and Organization Chart

ROLES (Used for Security Authorization Purposes); every role column covers security levels A & B.
X = role potentially allocated within the department; - = not allocated.

Department                 | Management Level I | Management Level II | Supervisor | Project Manager | Compliance | Subject Matter Expert | Operator Class I | Operator Class II
---------------------------|--------------------|---------------------|------------|-----------------|------------|-----------------------|------------------|------------------
Human Resources            | -                  | X                   | X          | -               | X          | X                     | X                | X
Research and Development   | -                  | X                   | X          | X               | X          | X                     | X                | X
Engineering & Technology   | -                  | X                   | X          | X               | X          | X                     | X                | X
Corporate Management       | X                  | X                   | X          | -               | X          | X                     | X                | X
Marketing & Sales          | -                  | X                   | X          | -               | X          | X                     | X                | X
Finance & Accounting       | -                  | X                   | X          | X               | X          | X                     | X                | X
Manufacturing & Operations | -                  | X                   | X          | X               | X          | X                     | X                | X
IT Security & Architecture | X                  | X                   | X          | X               | X          | X                     | X                | X
Information Technology     | -                  | X                   | X          | X               | X          | X                     | X                | X
Documentation & Training   | -                  | X                   | X          | X               | X          | X                     | X                | X

The matrix above outlines potential allocations of roles within departments for security-level authorizations; it does not indicate actual assignments. The organization chart below reflects the philosophy of having the IT Security department manage the IT department, whereas in traditional organizations the relationship is often reversed, or there are two competing organizations that sometimes perform similar operations.


Organization chart (reporting lines shown by indentation):

Corporate Management
    Marketing & Sales
    Engineering & Technology
        Research & Development
    Manufacturing & Operations
    IT Security & Architecture
        Information Technology
    Finance & Accounting
    Human Resources
        Documentation & Training
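As an added example (not part of the original document), the following Python turns the Appendix III roles matrix into a deny-by-default authorization check and audits a constructed list of role assignments against it. The user names, the "Legal" department and the "Auditor" role are hypothetical inputs chosen to show how unknown entries are rejected; the A/B security levels are not modelled.

```python
"""Deny-by-default role authorization derived from a department x role matrix.

Added example, not part of the original document: it encodes the Appendix III
roles matrix as data and checks proposed role assignments against it.
"""
from dataclasses import dataclass

# Role columns in the order they appear in the matrix.
ROLES = (
    "Management Level I", "Management Level II", "Supervisor", "Project Manager",
    "Compliance", "Subject Matter Expert", "Operator Class I", "Operator Class II",
)

# One row per department, cells in ROLES order: "X" = may be allocated, "-" = not.
# Values copied from the Appendix III matrix.
_MATRIX_ROWS = {
    "Human Resources":            "- X X - X X X X",
    "Research and Development":   "- X X X X X X X",
    "Engineering & Technology":   "- X X X X X X X",
    "Corporate Management":       "X X X - X X X X",
    "Marketing & Sales":          "- X X - X X X X",
    "Finance & Accounting":       "- X X X X X X X",
    "Manufacturing & Operations": "- X X X X X X X",
    "IT Security & Architecture": "X X X X X X X X",
    "Information Technology":     "- X X X X X X X",
    "Documentation & Training":   "- X X X X X X X",
}


def _build_matrix(rows):
    """Expand the compact rows into {department: frozenset(permitted roles)}.

    A row with the wrong number of cells is a policy-data error and is refused
    rather than silently granting or denying roles.
    """
    matrix = {}
    for dept, cells in rows.items():
        marks = cells.split()
        if len(marks) != len(ROLES):
            raise ValueError(f"{dept}: expected {len(ROLES)} cells, got {len(marks)}")
        matrix[dept] = frozenset(role for role, mark in zip(ROLES, marks) if mark == "X")
    return matrix


PERMITTED = _build_matrix(_MATRIX_ROWS)


def is_permitted(department: str, role: str) -> bool:
    """Deny by default: unknown departments or roles are never permitted."""
    if role not in ROLES:
        return False
    return role in PERMITTED.get(department, frozenset())


@dataclass(frozen=True)
class Assignment:
    user: str
    department: str
    role: str


def audit(assignments):
    """Return (user, reason) for every assignment the matrix does not allow."""
    findings = []
    for a in assignments:
        if a.department not in PERMITTED:
            findings.append((a.user, f"unknown department '{a.department}'"))
        elif a.role not in ROLES:
            findings.append((a.user, f"unknown role '{a.role}'"))
        elif not is_permitted(a.department, a.role):
            findings.append((a.user, f"role '{a.role}' not allocated to {a.department}"))
    return findings


# Constructed sample assignments (hypothetical users; "Legal" and "Auditor"
# do not exist in the matrix and must be rejected).
SAMPLE = [
    Assignment("alice", "IT Security & Architecture", "Management Level I"),
    Assignment("bob", "Human Resources", "Project Manager"),
    Assignment("carol", "Marketing & Sales", "Management Level I"),
    Assignment("dave", "Legal", "Supervisor"),
    Assignment("erin", "Finance & Accounting", "Auditor"),
]

if __name__ == "__main__":
    for user, reason in audit(SAMPLE):
        print(f"{user}: {reason}")
```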




                  © Copyright: April 2012, D. E. Jennings                                                                          Page   38 of 41
Jennings it security overview 1 2
Jennings it security overview 1 2
Jennings it security overview 1 2

Weitere ähnliche Inhalte

Was ist angesagt?

Clinton- Cyber IRT Balto 10_2012
Clinton- Cyber IRT Balto 10_2012Clinton- Cyber IRT Balto 10_2012
Clinton- Cyber IRT Balto 10_2012Don Grauel
 
Buyers Guide to Endpoint Protection Platforms
Buyers Guide to Endpoint Protection PlatformsBuyers Guide to Endpoint Protection Platforms
Buyers Guide to Endpoint Protection PlatformsFindWhitePapers
 
Cyber security: challenges for society- literature review
Cyber security: challenges for society- literature reviewCyber security: challenges for society- literature review
Cyber security: challenges for society- literature reviewIOSR Journals
 
Carbon Black: 32 Security Experts on Changing Endpoint Security
Carbon Black: 32 Security Experts on Changing Endpoint SecurityCarbon Black: 32 Security Experts on Changing Endpoint Security
Carbon Black: 32 Security Experts on Changing Endpoint SecurityMighty Guides, Inc.
 
Cybersecurity Business Risk, Literature Review
Cybersecurity Business Risk, Literature ReviewCybersecurity Business Risk, Literature Review
Cybersecurity Business Risk, Literature ReviewEnow Eyong
 
McNair_Paper_Hill
McNair_Paper_HillMcNair_Paper_Hill
McNair_Paper_HillDennis Hill
 
Securing a mobile oriented enterprise
Securing a mobile oriented enterpriseSecuring a mobile oriented enterprise
Securing a mobile oriented enterpriseinfra-si
 
SYSTEM END-USER ACTIONS AS A THREAT TO INFORMATION SYSTEM SECURITY
SYSTEM END-USER ACTIONS AS A THREAT TO INFORMATION SYSTEM SECURITYSYSTEM END-USER ACTIONS AS A THREAT TO INFORMATION SYSTEM SECURITY
SYSTEM END-USER ACTIONS AS A THREAT TO INFORMATION SYSTEM SECURITYIJNSA Journal
 
Print - Overlooked piece of the security puzzle whitepaper - DRAFT
Print - Overlooked piece of the security puzzle whitepaper - DRAFTPrint - Overlooked piece of the security puzzle whitepaper - DRAFT
Print - Overlooked piece of the security puzzle whitepaper - DRAFTGerry Skipwith
 
Securité : Le rapport 2Q de la X-Force
Securité : Le rapport 2Q de la X-ForceSecurité : Le rapport 2Q de la X-Force
Securité : Le rapport 2Q de la X-ForcePatrick Bouillaud
 
Quick Start Guide to IT Security for Businesses
Quick Start Guide to IT Security for BusinessesQuick Start Guide to IT Security for Businesses
Quick Start Guide to IT Security for BusinessesCompTIA
 
IT Security for Oil and Gas Companies
IT Security for Oil and Gas CompaniesIT Security for Oil and Gas Companies
IT Security for Oil and Gas CompaniesRichard Cole
 
2009 Security Mega Trends & Emerging Threats
2009 Security Mega Trends & Emerging Threats2009 Security Mega Trends & Emerging Threats
2009 Security Mega Trends & Emerging ThreatsLumension
 
The Essential Ingredient for Today's Enterprise
The Essential Ingredient for Today's EnterpriseThe Essential Ingredient for Today's Enterprise
The Essential Ingredient for Today's EnterpriseReadWrite
 
2010 6 Things u need 2 know in 2010 Whitepaper Final
2010  6 Things u need 2 know in 2010 Whitepaper Final2010  6 Things u need 2 know in 2010 Whitepaper Final
2010 6 Things u need 2 know in 2010 Whitepaper FinalLarry Taylor Ph.D.
 
OverseeCyberSecurityAsHackersSeekToInfiltrate
OverseeCyberSecurityAsHackersSeekToInfiltrateOverseeCyberSecurityAsHackersSeekToInfiltrate
OverseeCyberSecurityAsHackersSeekToInfiltrateKashif Ali
 
Staying ahead in the cyber security game - Sogeti + IBM
Staying ahead in the cyber security game - Sogeti + IBMStaying ahead in the cyber security game - Sogeti + IBM
Staying ahead in the cyber security game - Sogeti + IBMRick Bouter
 

Was ist angesagt? (19)

Clinton- Cyber IRT Balto 10_2012
Clinton- Cyber IRT Balto 10_2012Clinton- Cyber IRT Balto 10_2012
Clinton- Cyber IRT Balto 10_2012
 
Buyers Guide to Endpoint Protection Platforms
Buyers Guide to Endpoint Protection PlatformsBuyers Guide to Endpoint Protection Platforms
Buyers Guide to Endpoint Protection Platforms
 
Cyber security: challenges for society- literature review
Cyber security: challenges for society- literature reviewCyber security: challenges for society- literature review
Cyber security: challenges for society- literature review
 
Carbon Black: 32 Security Experts on Changing Endpoint Security
Carbon Black: 32 Security Experts on Changing Endpoint SecurityCarbon Black: 32 Security Experts on Changing Endpoint Security
Carbon Black: 32 Security Experts on Changing Endpoint Security
 
Cybersecurity Business Risk, Literature Review
Cybersecurity Business Risk, Literature ReviewCybersecurity Business Risk, Literature Review
Cybersecurity Business Risk, Literature Review
 
McNair_Paper_Hill
McNair_Paper_HillMcNair_Paper_Hill
McNair_Paper_Hill
 
Securing a mobile oriented enterprise
Securing a mobile oriented enterpriseSecuring a mobile oriented enterprise
Securing a mobile oriented enterprise
 
SYSTEM END-USER ACTIONS AS A THREAT TO INFORMATION SYSTEM SECURITY
SYSTEM END-USER ACTIONS AS A THREAT TO INFORMATION SYSTEM SECURITYSYSTEM END-USER ACTIONS AS A THREAT TO INFORMATION SYSTEM SECURITY
SYSTEM END-USER ACTIONS AS A THREAT TO INFORMATION SYSTEM SECURITY
 
Print - Overlooked piece of the security puzzle whitepaper - DRAFT
Print - Overlooked piece of the security puzzle whitepaper - DRAFTPrint - Overlooked piece of the security puzzle whitepaper - DRAFT
Print - Overlooked piece of the security puzzle whitepaper - DRAFT
 
Securité : Le rapport 2Q de la X-Force
Securité : Le rapport 2Q de la X-ForceSecurité : Le rapport 2Q de la X-Force
Securité : Le rapport 2Q de la X-Force
 
Quick Start Guide to IT Security for Businesses
Quick Start Guide to IT Security for BusinessesQuick Start Guide to IT Security for Businesses
Quick Start Guide to IT Security for Businesses
 
IT Security for Oil and Gas Companies
IT Security for Oil and Gas CompaniesIT Security for Oil and Gas Companies
IT Security for Oil and Gas Companies
 
2009 Security Mega Trends & Emerging Threats
2009 Security Mega Trends & Emerging Threats2009 Security Mega Trends & Emerging Threats
2009 Security Mega Trends & Emerging Threats
 
The Essential Ingredient for Today's Enterprise
The Essential Ingredient for Today's EnterpriseThe Essential Ingredient for Today's Enterprise
The Essential Ingredient for Today's Enterprise
 
OS17 Brochure
OS17 BrochureOS17 Brochure
OS17 Brochure
 
2010 6 Things u need 2 know in 2010 Whitepaper Final
2010  6 Things u need 2 know in 2010 Whitepaper Final2010  6 Things u need 2 know in 2010 Whitepaper Final
2010 6 Things u need 2 know in 2010 Whitepaper Final
 
OverseeCyberSecurityAsHackersSeekToInfiltrate
OverseeCyberSecurityAsHackersSeekToInfiltrateOverseeCyberSecurityAsHackersSeekToInfiltrate
OverseeCyberSecurityAsHackersSeekToInfiltrate
 
Hybrid Technology
Hybrid TechnologyHybrid Technology
Hybrid Technology
 
Staying ahead in the cyber security game - Sogeti + IBM
Staying ahead in the cyber security game - Sogeti + IBMStaying ahead in the cyber security game - Sogeti + IBM
Staying ahead in the cyber security game - Sogeti + IBM
 

Ähnlich wie Jennings it security overview 1 2

Risk Mitigation Plan Based On Inputs Provided
Risk Mitigation Plan Based On Inputs ProvidedRisk Mitigation Plan Based On Inputs Provided
Risk Mitigation Plan Based On Inputs ProvidedTiffany Graham
 
Information Security Governance at Board and Executive Level
Information Security Governance at Board and Executive LevelInformation Security Governance at Board and Executive Level
Information Security Governance at Board and Executive LevelKoen Maris
 
Challenges & Opportunities the Data Privacy Act Brings
Challenges & Opportunities the Data Privacy Act BringsChallenges & Opportunities the Data Privacy Act Brings
Challenges & Opportunities the Data Privacy Act BringsRobert 'Bob' Reyes
 
Securing the digital economy
Securing the digital economySecuring the digital economy
Securing the digital economyaccenture
 
Securing the Digital Economy: Reinventing the Internet
Securing the Digital Economy: Reinventing the Internet Securing the Digital Economy: Reinventing the Internet
Securing the Digital Economy: Reinventing the Internet accenture
 
NON-PROFIT ORGANIZATIONS’ NEED TO ADDRESS SECURITY FOR EFFECTIVE GOVERNMENT C...
NON-PROFIT ORGANIZATIONS’ NEED TO ADDRESS SECURITY FOR EFFECTIVE GOVERNMENT C...NON-PROFIT ORGANIZATIONS’ NEED TO ADDRESS SECURITY FOR EFFECTIVE GOVERNMENT C...
NON-PROFIT ORGANIZATIONS’ NEED TO ADDRESS SECURITY FOR EFFECTIVE GOVERNMENT C...IJNSA Journal
 
Current topic in it presentation
Current topic in it presentationCurrent topic in it presentation
Current topic in it presentationMihreteab F
 
INFORMATION SECURITY MANAGEMENT - Critique the employment of ethical hacking ...
INFORMATION SECURITY MANAGEMENT - Critique the employment of ethical hacking ...INFORMATION SECURITY MANAGEMENT - Critique the employment of ethical hacking ...
INFORMATION SECURITY MANAGEMENT - Critique the employment of ethical hacking ...Hansa Edirisinghe
 
ISE 510 Final Project Scenario Background Limetree Inc. is a resea.docx
ISE 510 Final Project Scenario Background Limetree Inc. is a resea.docxISE 510 Final Project Scenario Background Limetree Inc. is a resea.docx
ISE 510 Final Project Scenario Background Limetree Inc. is a resea.docxchristiandean12115
 
Securing the Digital Economy: Reinventing the Internet
Securing the Digital Economy: Reinventing the InternetSecuring the Digital Economy: Reinventing the Internet
Securing the Digital Economy: Reinventing the Internetaccenture
 
Securing the Digital Economy: Reinventing the Internet
Securing the Digital Economy: Reinventing the InternetSecuring the Digital Economy: Reinventing the Internet
Securing the Digital Economy: Reinventing the Internetaccenture
 
IT Security - Guidelines
IT Security - GuidelinesIT Security - Guidelines
IT Security - GuidelinesPedro Espinosa
 
Why Cybersecurity is a Data Problem
Why Cybersecurity is a Data ProblemWhy Cybersecurity is a Data Problem
Why Cybersecurity is a Data ProblemBernard Marr
 
ID-20305090 Fahim Montasir.pptx
ID-20305090 Fahim Montasir.pptxID-20305090 Fahim Montasir.pptx
ID-20305090 Fahim Montasir.pptxFahimMuntasir21
 
10.1.1.436.3364.pdf
10.1.1.436.3364.pdf10.1.1.436.3364.pdf
10.1.1.436.3364.pdfmistryritesh
 

Ähnlich wie Jennings it security overview 1 2 (20)

Risk Mitigation Plan Based On Inputs Provided
Risk Mitigation Plan Based On Inputs ProvidedRisk Mitigation Plan Based On Inputs Provided
Risk Mitigation Plan Based On Inputs Provided
 
Information Security Governance at Board and Executive Level
Information Security Governance at Board and Executive LevelInformation Security Governance at Board and Executive Level
Information Security Governance at Board and Executive Level
 
Challenges & Opportunities the Data Privacy Act Brings
Challenges & Opportunities the Data Privacy Act BringsChallenges & Opportunities the Data Privacy Act Brings
Challenges & Opportunities the Data Privacy Act Brings
 
Securing the digital economy
Securing the digital economySecuring the digital economy
Securing the digital economy
 
Securing the Digital Economy: Reinventing the Internet
Securing the Digital Economy: Reinventing the Internet Securing the Digital Economy: Reinventing the Internet
Securing the Digital Economy: Reinventing the Internet
 
Secure your Space: The Internet of Things
Secure your Space: The Internet of ThingsSecure your Space: The Internet of Things
Secure your Space: The Internet of Things
 
NON-PROFIT ORGANIZATIONS’ NEED TO ADDRESS SECURITY FOR EFFECTIVE GOVERNMENT C...
NON-PROFIT ORGANIZATIONS’ NEED TO ADDRESS SECURITY FOR EFFECTIVE GOVERNMENT C...NON-PROFIT ORGANIZATIONS’ NEED TO ADDRESS SECURITY FOR EFFECTIVE GOVERNMENT C...
NON-PROFIT ORGANIZATIONS’ NEED TO ADDRESS SECURITY FOR EFFECTIVE GOVERNMENT C...
 
Current topic in it presentation
Current topic in it presentationCurrent topic in it presentation
Current topic in it presentation
 
INFORMATION SECURITY MANAGEMENT - Critique the employment of ethical hacking ...
INFORMATION SECURITY MANAGEMENT - Critique the employment of ethical hacking ...INFORMATION SECURITY MANAGEMENT - Critique the employment of ethical hacking ...
INFORMATION SECURITY MANAGEMENT - Critique the employment of ethical hacking ...
 
Term assignment
Term assignmentTerm assignment
Term assignment
 
Case Study.pdf
Case Study.pdfCase Study.pdf
Case Study.pdf
 
Safeguarding the Enterprise
Safeguarding the EnterpriseSafeguarding the Enterprise
Safeguarding the Enterprise
 
ISE 510 Final Project Scenario Background Limetree Inc. is a resea.docx
ISE 510 Final Project Scenario Background Limetree Inc. is a resea.docxISE 510 Final Project Scenario Background Limetree Inc. is a resea.docx
ISE 510 Final Project Scenario Background Limetree Inc. is a resea.docx
 
Securing the Digital Economy: Reinventing the Internet
Securing the Digital Economy: Reinventing the InternetSecuring the Digital Economy: Reinventing the Internet
Securing the Digital Economy: Reinventing the Internet
 
Securing the Digital Economy: Reinventing the Internet
Securing the Digital Economy: Reinventing the InternetSecuring the Digital Economy: Reinventing the Internet
Securing the Digital Economy: Reinventing the Internet
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for Executives
 
IT Security - Guidelines
IT Security - GuidelinesIT Security - Guidelines
IT Security - Guidelines
 
Why Cybersecurity is a Data Problem
Why Cybersecurity is a Data ProblemWhy Cybersecurity is a Data Problem
Why Cybersecurity is a Data Problem
 
ID-20305090 Fahim Montasir.pptx
ID-20305090 Fahim Montasir.pptxID-20305090 Fahim Montasir.pptx
ID-20305090 Fahim Montasir.pptx
 
10.1.1.436.3364.pdf
10.1.1.436.3364.pdf10.1.1.436.3364.pdf
10.1.1.436.3364.pdf
 

Kürzlich hochgeladen

Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????blackmambaettijean
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 

Kürzlich hochgeladen (20)

Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 

Jennings it security overview 1 2

  • 1. Network Security Overview Secure computing and communications using a Layered Defense Strategy An IT Engineering Resource Version 1.2 D. E Jennings April 2012
  • 2. CONTENTS: 1.INTRODUCTION:...............................................................................................................................................3 2.HOW WE GOT TO THIS POINT:.............................................................................................................................3 3.PROTECTING THE COMPANY FROM CYBER CRIME:.................................................................................................4 4.SECURITY PLANS AND POLICIES:........................................................................................................................5 5.SECURITY OPERATIONS:....................................................................................................................................6 6.RISK MANAGEMENT:.......................................................................................................................................9 7.CATEGORIES OF RISK:....................................................................................................................................10 8.PERSONNEL SECURITY:...................................................................................................................................15 9.BUILDING SECURITY:.....................................................................................................................................16 10.ACCESS CONTROL:......................................................................................................................................17 11.TELECOMMUNICATIONS: ...............................................................................................................................20 12.NETWORK SECURITY....................................................................................................................................21 
13.ARCHITECTURE............................................................................................................................................25 14.INTRUSION DETECTION SYSTEM (IDS)...........................................................................................................27 15.ELECTRONIC MAIL SECURITY: ......................................................................................................................29 16.DISASTER RECOVERY...................................................................................................................................31 APPENDIX I Security Policy 35 APPENDIX II Vulnerability Assessment 37 APPENDIX III Roles Matrix & Organization Chart 38 APPENDIX IV Typical Network Design 39 © Copyright: April 2012, D. E. Jennings Page 2 of 41
  • 3. 1. Introduction: This document presents a discussion of concepts, plans and process used to protect the assets and maintain business continuity for a typical small to medium sized company. Although most of the measures discussed here are applicable to the large and extremely companies, these organizations usually have international locations and require additional measures not discussed in this document. The approach taken here differs from the traditional approach and to understand why, it is useful to look very briefly at the history of Corporate Security. Before computer networks security was a physical lockdown kind of thing. It was handled by the same people who managed other physical requirements of the company. Because the primary threat has changed, we believe that Security should now be managed by the Information Technology-Security department. In many companies today there are two departments: Physical security where security guards man the doors and the IT Security department where computer technicians keep the network safe. When there is a split responsibility there is room for a gap. With two departments managing different access lists, and different access procedures, there is the possibility of too much or too little security. Most companies are suffering from this problem. The approach suggested in this paper is to administer a unified policy for all security under one department, i.e. the IT Security department. Therefore they would include physical security in their mandate. At the center of security is an automated Identity Management System. 2. How we got to this point: When corporate computer networks came into existence security did not seem to be an issue. They were very big and very expensive, run by large institutions or the largest corporations only. In the 1980’s, using a “dumb terminal” over dial up phone lines, from home, an employee could access the corporate computing center across the country. 
It was possible to input data that would be run as a “batch” file overnight and printed at the office in the morning - no passwords involved. The probability of anyone getting in and doing damage was extremely small and they really couldn’t do any damage. Computers were managed by a small group of very highly trained professionals and the knowledge as to what they were doing was not known to the general public. Then Atari and others invented computer game machines. Around that time the personal © Copyright: April 2012, D. E. Jennings Page 3 of 41
computer was invented, and then came dial-up bulletin boards. Security was not built into programs, and hacking them was easy. Lots of cracked[1] commercial software (mostly games) appeared on bulletin boards, and for many years cracked software and games passed from one dial-up bulletin board to another. The international community "got it", and computer users all over the world paid literally "$0.00" for quality software and games (and continue to do so).

Then the Internet arrived. The number of "hackers" multiplied, and the amount of commercial product (software, games, audio files, video, etc.) being "cracked" is still increasing. Hacking into high profile institutions was, and is, considered a badge of honor that garners great admiration from fellow hackers. The monetary incentive is at least as enticing as the "just see if you can do it" incentive.[2] A report from the anti-virus company Norton said that most of us are not secure, and that the cost of all this in the US alone is over $139 billion a year.[3]

In spite of this background, companies have embraced the use of the Internet to conduct business in a big way. The same highway, well known and used by hackers to infiltrate, is used by companies to conduct billions of dollars worth of business daily. Although the benefits outweigh the risks, the risks are still there and must be mitigated. And although the threats from outside are enormous, the fact of life is that the greatest threat to small businesses is from their own employees.[4]

3. Protecting the company from Cyber Crime:

As the preceding shows, the type and severity of cyber crime is still evolving. Protecting the company is always a challenge, and IT security departments must keep pace with the changing threats. The size of the company, the location and nature of the facilities, the number of locations and the Information Technology (IT) requirements of each affect the level and type of security required.
For example, a company that utilizes a mobile sales force will need encrypted laptops and robust, secure communications channels so that sales teams can keep in touch with the office. A company with two geographically separated locations can use each location as a data backup facility for the other, for disaster recovery.

A centralized security policy and access control model is one in which all company locations are governed by the same security policy. A decentralized model allows each domain (or location) to control its own security. This may be advisable when there is a wide difference in
requirements from one location or domain to another; for example, one location must meet Top Secret security requirements and the others do not. For most small to medium companies a centralized policy is more efficient to administer and maintain.

This document is not the Security Policy, the Operational Security Plan or the Business Continuity Plan, but an overview of what goes into these and other documents.

4. Security Plans and Policies:

1. This document: a description of security plans and operations.

2. Security Policy: senior management's directives to create an information security program to protect the corporation's assets, establish security related goals and security measures, and target and assign responsibilities.[5] The Security Policy contains sections on Purpose, Scope, Responsibilities and Compliance. It is a high-level statement of management's intentions about how security should be practiced within the organization. It identifies what actions are acceptable and what level of risk the company is willing to accept. It is reviewed for updating every year by the Security department and Corporate Management, and approved by Corporate Management.

3. Operational Security Plan:[6] the detailed plan that contains instructions for putting the policy into action. It is basically a "manual" on how to get it done, containing a breakdown of each security measure implemented. Audience: Program Management, IT Management, Program Operations Staff, IT Staff, Auditors. It is developed and revised by the Security department, reviewed for updating every 6 months, and approved by Corporate Management.

4. Business Continuity Plan (BCP): a plan to preserve the business activities when faced with disruptions or disasters. The plan includes the identification of real risks, risk assessment, and countermeasure implementation plans.
Although many organizations use the phrases Business Continuity Planning and Disaster Recovery Planning interchangeably, they are two distinct disciplines. Both plans are essential to the effective management of disasters and other disruptive events, but their goals are different. The goal of a BCP is to ensure that the business will continue to operate before, throughout and after a disaster event. The focus of a BCP is on the business as a whole, and on ensuring that those critical services that
the business provides, or critical functions that the business regularly performs, can still be carried out both during a disruption and after it. To ensure that the critical business functions remain operable, the plan takes into account the common threats to those functions as well as any associated vulnerabilities that might make a disruption more likely.

5. Disaster Recovery Planning (DRP): considered tactical rather than strategic, the DRP provides a means for immediate response to disasters. The DRP can be part of the BCP but need not be. The DRP is developed by the Security department, reviewed yearly with representatives of each department, and approved by Corporate Management. For example, the plan to locate two manufacturing facilities in different geographic areas in case one is disabled by a disaster is BCP; the plan to allow workers to work from home via a secure Virtual Private Network (VPN), using virtual facilities on secure databases, is DRP. The DRP is exercised at least once a year: a simulated disaster is staged and the response team must respond according to the plan to maintain continuity of operations. The exercise is planned for a weekend or other time when normal business activity is low, e.g. over Christmas or Super Bowl weekend. For the exercise the normal facilities are disabled and the "backup" plan to operate, possibly on a limited basis, goes into effect.

5. Security Operations:

The role of Security Operations is to:

1) Protect the assets, both physical and information, of the organization.
2) Protect the employees from harm, both inside the building and on the premises.
3) Enable company operations after a loss of functionality.
4) Accomplish this in a cost effective way that does not unduly hinder operations.
These goals are accomplished through the implementation of a "Defense in Depth" layered plan of physical, administrative, managerial, technical and operational controls.[7] The methods of layering defensive technologies in Defense in Depth (DiD) are physical, logical and virtual security solutions. The information assets are secured to reduce the risk of loss of confidentiality, integrity or availability.
Confidentiality provides a degree of assurance that data has not been made available or disclosed to unauthorized individuals, processes or other entities. In essence, it assures that data can only be read or understood by trusted parties. Confidentiality can be breached or bypassed by shoulder surfing, sniffing or network monitoring, stealing passwords, or social engineering (an attacker posing as a trusted individual). In the network, confidentiality is accomplished through encryption. Threats to confidentiality include:

Hackers / crackers
Masqueraders / spoofing
Unauthorized user activity
Unprotected downloaded files
Network sniffing
Trojan horses
Social engineering

Integrity is the protection of information against unauthorized modification or destruction. It includes the assurance that data leaving point A arrives at point B without modification, and that point A and point B are who they claim to be. Three basic principles are used to establish integrity in the enterprise:

Need-to-Know Access - Users should be granted access only to those files and programs they absolutely need to fulfill their duties (role based security).

Separation of Duties - No single person has control of a critical transaction from beginning to end. Two or more people should be responsible for an entire critical transaction.

Rotation of Duties - Job responsibilities should be periodically changed so that it is harder for users to collaborate to exercise complete control of a transaction or subvert one for fraudulent purposes. This also has other beneficial effects, including redundancy and continuity of operations in the event of loss of key personnel.

Availability is the attribute that ensures reliable and timely access to resources by authorized individuals. It means the corporation expects its IT resources to:

Perform or function properly.
Be available / accessible.
Be available when they are needed.

Availability can be compromised by Denial-of-Service (DoS) attacks: actions by users or attackers that tie up computing resources in a way that renders the system unusable. Availability is lost when natural disasters (fire, flood, earthquake) or human action (bombs, strikes, malicious code) cause loss of IT or network capabilities. Availability is also lost through normal equipment failure. The IT security department works with the IT Architect to ensure a high availability design for the network. In some cases the IT Architecture function sits within the Security department, as security and availability are paramount in the network design.

The security department utilizes the Protect, Detect and React paradigm. To accomplish this the department incorporates protection mechanisms, and uses detection tools, procedures and logs that allow attacks or disasters to be discovered, reacted to, and recovered from. The security department's focus is on People, Technology and Operations.

The company Security Policy (see overview in Appendix I) is the foundation of the security operations of the company. The Security Policy, Operational Security Plan and Disaster Recovery Plan are evaluated and updated if required on an annual basis (the Operational Security Plan is additionally reviewed every 6 months, as noted above). The updates are based on data provided by the network information controls, re-evaluation of risks, and stakeholder input as to usability and effectiveness.

The Operational Security Plan includes the detailed processes for physical security, access control, telecommunications and network security, and operations security.
6. Risk Management:

To determine what level of security an asset requires, we first identify and rank the assets to be protected, and then determine what level of protection is required. This is accomplished by a risk analysis, a risk assessment and a business impact analysis. These are completed by the security team together with the business unit management that has custody of the asset, with oversight from corporate management.

Risk is a function of the likelihood of a given threat-source exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. It is interesting that the Federal Government has revised its risk analysis approach to more closely follow industry standards.[8]

A vulnerability assessment is the process of identifying, quantifying and prioritizing (or ranking) the vulnerabilities in a system.

A risk analysis involves identifying the most probable threats to an organization and analyzing the organization's vulnerabilities to those threats.

A risk assessment involves evaluating existing physical and environmental security and controls, and assessing their adequacy relative to the potential threats to the organization. See the example table in Appendix II.

A business impact analysis involves identifying the critical business functions within the organization and determining the impact of not performing a business function beyond the maximum acceptable outage. Criteria that can be used to evaluate the impact include customer service, internal operations, legal / statutory and financial.

The risk analysis is the first step in the risk management methodology:[9]

1. Identify and prioritize assets;
2. Identify vulnerabilities;
3. Identify threats and their probabilities;
4. Identify countermeasures;
5. Develop a cost benefit analysis;
6. Develop security policies and procedures.
Using the formula Risk = Threat * Vulnerability, a risk analysis is completed for each corporate asset. Vulnerability assessment has much in common with risk assessment. Assessments are typically performed in the following steps:

1. Catalog the assets and capabilities (resources) in a system.
2. Assign a quantifiable value (or at least a rank order) and importance to those resources.
3. Identify the vulnerabilities or potential threats to each resource.
4. Mitigate or eliminate the most serious vulnerabilities for the most valuable resources.

7. Categories of Risk:

1. Damage - Results in physical loss of an asset or the inability to access the asset, as in the case of a cut network cable.
2. Disclosure - Disclosure of critical information, regardless of where or how it was disclosed.
3. Losses - Can be permanent or temporary, including the altering of data or the inability to access data.
4. Physical damage - Can result from natural disasters or other factors, as in the case of a power loss or vandalism.
5. Malfunctions - The failure of systems, networks or peripherals.
6. Attacks - Purposeful acts, whether from the inside or outside. Misuse of data, as in unauthorized disclosure, is an attack on that information asset.
7. Human errors - Usually considered accidental incidents, as compared to attacks, which are purposeful.
8. Application errors - Failures of the application, including the operating system. Application errors are usually accidental, while exploits of buffer overflows or viruses are considered attacks.
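The risk analysis steps and the Risk = Threat * Vulnerability formula above are easier to apply once the register is scored the way the Risk Assessment charts that follow do it: an ordinal likelihood (Very Likely / Somewhat Likely / Unlikely) against an ordinal consequence (Catastrophic / Very Disruptive / Inconvenient), followed by a cost benefit test for each candidate mitigation. The following is an added example, not code from the original paper; the 1..3 weights, the annualized-loss approach to the cost benefit step, and the sample register entries are assumptions made for illustration.

```python
"""Risk register scoring on the likelihood/consequence scales used in this
document's Risk Assessment charts. This is an added example, not code from
the original paper; the numeric weights, the annualized-loss figures and the
sample register below are assumptions chosen for illustration."""
from dataclasses import dataclass

# Ordinal scales from the document's charts; the 1..3 weights are assumed.
LIKELIHOOD = {"Very Likely": 3, "Somewhat Likely": 2, "Unlikely": 1}
CONSEQUENCE = {"Catastrophic": 3, "Very Disruptive": 2, "Inconvenient": 1}


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: str            # one of LIKELIHOOD
    consequence: str           # one of CONSEQUENCE
    loss_per_event: float      # single-loss expectancy in currency units (assumed)
    events_per_year: float     # annual rate of occurrence (assumed)
    mitigation: str
    mitigation_cost: float     # annual cost of the countermeasure (assumed)
    reduction: float           # fraction of the loss the countermeasure removes, 0..1

    def score(self) -> int:
        """Ordinal risk score: likelihood weight times consequence weight."""
        return LIKELIHOOD[self.likelihood] * CONSEQUENCE[self.consequence]

    def annual_loss(self) -> float:
        """Annualized loss expectancy: loss per event times events per year."""
        return self.loss_per_event * self.events_per_year

    def worth_mitigating(self) -> bool:
        """Cost-benefit test: mitigate when the yearly loss avoided exceeds the yearly cost."""
        return self.annual_loss() * self.reduction > self.mitigation_cost


def rank(register):
    """Highest ordinal score first; ties broken by larger annualized loss."""
    return sorted(register, key=lambda r: (r.score(), r.annual_loss()), reverse=True)


def mitigation_plan(register):
    """(asset, threat, score, mitigate?) for every entry, in priority order."""
    return [(r.asset, r.threat, r.score(), r.worth_mitigating()) for r in rank(register)]


# Constructed sample register mirroring the document's own examples.
SAMPLE_REGISTER = [
    Risk("Chief Information Officer", "Resignation", "Somewhat Likely", "Catastrophic",
         150_000, 0.3, "Cross-trained backup plus retention policy", 20_000, 0.6),
    Risk("User workstations", "Malware", "Very Likely", "Very Disruptive",
         20_000, 2.0, "AV signatures, segmentation, no local admin", 15_000, 0.7),
    Risk("Core router", "Hardware failure", "Unlikely", "Catastrophic",
         50_000, 0.2, "Redundant router / diverse paths", 4_000, 0.9),
    Risk("Headquarters", "Earthquake", "Unlikely", "Catastrophic",
         2_000_000, 0.01, "Fully redundant facility", 300_000, 0.95),
]

if __name__ == "__main__":
    for asset, threat, score, mitigate in mitigation_plan(SAMPLE_REGISTER):
        print(f"{score}  {asset:26s} {threat:18s} mitigate={mitigate}")
```

The earthquake entry reproduces the reasoning given on the next page: it scores the same as the core router (unlikely but catastrophic), yet a fully redundant facility fails the cost benefit test while a redundant router passes it. Note that the ordinal score ranks risks but says nothing about cost; the register needs both columns before it can support a mitigation decision.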
A Risk Assessment chart is used to rank the effect of threats and vulnerabilities that are determined to be risks. Cost benefit analysis is used to determine when a risk is worth mitigating. An earthquake, although very unlikely, would have a catastrophic effect. A plan for continuing operations in the event of an earthquake is therefore advisable; however, the cost of maintaining completely redundant facilities may not be warranted unless the business is located in a heavy earthquake zone.

The tables on the following pages are intended to show examples of how the risk analysis and mitigation are documented. There is no one "correct" table. The analysis should drill down to the level of detail that you will be able to manage. The team that conducts and reviews the assets and risks will include the department managers that have ownership of the assets. For personnel, we suggest that a professional from the Human Resources (HR) department take the lead in the personnel risk analysis by role.

The table below is an example of a Risk Assessment Chart for loss of personnel, in this case the Chief Information Officer.

Risk: Loss of personnel: Chief Information Officer
Likelihood: A. Very Likely / B. Somewhat Likely / C. Unlikely
Consequence: Catastrophic / Very Disruptive / Inconvenient

Catastrophic, A. Very Likely: The market is in short supply; many recruiters are contacting our CIO with offers.
Catastrophic, C. Unlikely: Although the CIO is being recruited, he/she is content and does not seem to want to leave.
Mitigation: Two or more people trained in this position within the company at all times, to mitigate the risk of loss since it is a critical position and difficult to replace. Retention policy (bonus, vacation, etc.).

Note: The difference between "Very Likely" and "Unlikely" above is that corporate management is aware of the first scenario and makes an effort to retain the CIO, making the likelihood of him/her leaving "unlikely".
Nevertheless, in either case the result would be "catastrophic", so planning for his/her leaving is done by identifying a "backup" person and making sure that person is able to assume the duties, using the policy of "rotation of duties".[10] In this economy there is less likelihood of people changing jobs; however, key positions should be looked at in terms of duplication of capability and personnel retention. This is not necessarily a function of the security department, but when risks such as these are identified they should be brought to corporate management for inclusion in the overall company risk management process.

Example of a Risk Assessment Chart for less critical roles.

Risk: Loss of personnel: Assistant Staff
Likelihood: A. Very Likely / B. Somewhat Likely / C. Unlikely
Consequence: Catastrophic / Very Disruptive / Inconvenient

Chart entry: Personnel for this position are available in the normal marketplace.
Mitigation: This position, although very useful and important to the company, is not considered a high risk. Except for normal role documentation and training materials, other mitigation is not necessary.

For less critical roles, turnover is always inconvenient and may be very disruptive even though the positions are quickly refilled. Therefore each role / position is looked at in detail, and effort is made to ensure continuity of operations and minimize the effects of loss of personnel.

Risk Assessment Chart for Information Technology / Computing and Network hardware.

Hardware failure (general)
Likelihood: Very Likely / Somewhat Likely / Unlikely
Consequence: (1) Catastrophic, (2) Very Disruptive, (3) Inconvenient

Router - Core. Mitigation: We can reduce the consequence to inconvenient by deploying redundant routers or diverse paths. The failure rate is a function of the equipment design and environment.
Router - Distribution. Mitigation: As this router controls less critical branches of the network, we might economize and only utilize diverse routing to ensure high availability.
Switch (non redundant). Mitigation: Diverse paths may be able to move the consequence to "inconvenient".
Server (non redundant). Mitigation: Servers are usually deployed in redundant modes, as the cost of servers has dropped in relation to their critical use in the network.

Hardware fails. The life of equipment is variable, depending on age, vendor, maintenance, environment (heat / cold), etc. A constant temperature is usually preferred, as heating and cooling expand and contract metals and substrates that have different expansion coefficients and can separate and crack. Redundancy for key equipment is almost always cost effective. A much more detailed / extensive analysis should be completed for an actual risk analysis.
The consequence can be rated as: 1 = Catastrophic, major damage to the equipment and/or facilities, interruption in operations for more than 48 hours; 2 = Very Disruptive, interruption in operations for up to 8 hours; 3 = Inconvenient, little impact or interruption in operations.

The table below lists common cyber attacks and mitigation strategies. This table is at the top of the list for evaluation and re-evaluation by the IT Security department; this is what they deal with on a day to day basis, and new attacks come out daily. Operating system patches are automatically reviewed daily and updates made as required. Software version numbers are important and are tracked by date. All software used by the company must be maintained and kept up to date with the latest release. There is a function in the IT Security department devoted to this process.
Common Network Cyber Attacks
Likelihood: Very Likely / Somewhat Likely / Unlikely
Consequence: (1) Catastrophic, (2) Very Disruptive, (3) Inconvenient

Denial of service. Mitigation: Malformed packets / false IP addresses can be mitigated by keeping the OS up to date and logging frequent connection attempts against one service.
SYN Flood. Mitigation: An overload of packets that have the SYN flag set can be blocked by a firewall, by keeping the OS up to date, and by review of log files.
Malware. Mitigation: Up to date antivirus signatures are essential in combating viruses, Trojans, worms, spyware, etc. Also restrict access to non-essential web surfing, especially in critical branches of the network; segment the network's critical assets; and restrict administrator privileges on user computers to keep unauthorized software off machines and prevent changes to security settings.
Social Engineering. Mitigation: Education and periodic tests / probing to keep employees alert and aware (see the summary table below).
Port Scanning. Mitigation: A firewall will protect from port scanning intended to infiltrate the network.
ICMP abuse. Mitigation: Packet filtering via a firewall will block abusive ICMP echo requests.
Host Attack. Mitigation: A proxy server will keep attackers from learning internal IP addresses, hostnames and passwords that could be used to find other hosts to attack.
Man in the middle attack. Mitigation: Virtual Private Network (VPN) encryption can keep an attacker from operating between computers and impersonating one of them to intercept communications.
New files on network. Mitigation: Use system auditing software to control this, as a behavioral monitor / block.
Remote Procedure Calls. Mitigation: An Intrusion Detection System helps detect attacks on this service, together with keeping OS patches up to date.

The following table takes the credible threats from the individual analysis charts and presents them in summary form on one chart. These charts are not meant to be exhaustive, but rather illustrative of the process.
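Before the summary table, here is what the "logging frequent connection attempts against one service" and "review of log files" mitigations in the denial of service, SYN flood and port scanning rows look like in practice: a sliding-window detector run over firewall connection logs. This is an added example, not code from the original paper. The log line format, the thresholds and window, and the sample lines are all constructed for illustration; real firewalls have their own formats, and flood sources are often spoofed, so a per-source count undercounts a distributed flood and the firewall block (and SYN cookies on the host) remain the primary defence.

```python
"""Log review for the SYN-flood / denial-of-service and port-scanning rows of
the attack table: a sliding-window detector run over firewall-style
connection logs. Added example, not from the original paper. The log format,
thresholds and the sample lines are constructed for illustration."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed log format: "<date> <time> <src>:<sport> -> <dst>:<dport> <proto> <flags>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) (?P<proto>\w+) (?P<flags>\S+)$"
)


def parse(line):
    """Return a dict for a well-formed line, or None so one bad line cannot stop the review."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    ev["dport"] = int(ev["dport"])
    return ev


def _evict(window, now, window_s):
    """Drop entries older than the window; entries are (timestamp, payload)."""
    while window and (now - window[0][0]).total_seconds() > window_s:
        window.popleft()


def detect(lines, window_s=10, syn_threshold=20, scan_threshold=15):
    """Alert on (a) >= syn_threshold SYNs from one source to one service inside
    window_s seconds and (b) one source touching >= scan_threshold distinct
    destination ports on one host inside window_s seconds. Each key alerts once."""
    syn_hist = defaultdict(deque)    # (src, dst, dport) -> deque of (ts, None)
    port_hist = defaultdict(deque)   # (src, dst) -> deque of (ts, dport)
    alerts, fired = [], set()
    for line in lines:
        ev = parse(line)
        if ev is None or ev["proto"] != "TCP" or ev["flags"] != "SYN":
            continue
        now = ev["ts"]
        svc_key = (ev["src"], ev["dst"], ev["dport"])
        syn_hist[svc_key].append((now, None))
        _evict(syn_hist[svc_key], now, window_s)
        if len(syn_hist[svc_key]) >= syn_threshold:
            alert = ("syn_flood",) + svc_key
            if alert not in fired:
                fired.add(alert)
                alerts.append(alert)
        host_key = (ev["src"], ev["dst"])
        port_hist[host_key].append((now, ev["dport"]))
        _evict(port_hist[host_key], now, window_s)
        if len({p for _, p in port_hist[host_key]}) >= scan_threshold:
            alert = ("port_scan",) + host_key
            if alert not in fired:
                fired.add(alert)
                alerts.append(alert)
    return alerts


def _line(sec, src, sport, dst, dport, flags="SYN"):
    # Constructed sample line, all within one minute on a fixed date.
    return f"2012-04-01 09:00:{sec:02d} {src}:{sport} -> {dst}:{dport} TCP {flags}"


# Constructed sample log: a flood of one service, a scan of one host, normal traffic, and junk.
SAMPLE_LOG = (
    [_line(i // 5, "203.0.113.5", 40000 + i, "192.0.2.10", 80) for i in range(25)]
    + [_line(10 + i // 5, "198.51.100.7", 51000 + i, "192.0.2.10", 1 + i) for i in range(20)]
    + [_line(20 + 10 * i, "192.0.2.50", 60000 + i, "192.0.2.10", 443) for i in range(3)]
    + ["this line is not in the expected format"]
)

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```

The two detectors are deliberately keyed differently: many SYNs to one (host, port) is the flood signature, while one source touching many ports on one host is the scan signature, and neither fires for the three legitimate connections to port 443. The thresholds are the part to tune against a baseline of normal traffic before acting on an alert.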
Example: Threat / Vulnerability and Mitigation Summary Table:

Columns: Vulnerability; Threat; Risk Assessment (Probability / Consequence); Mitigation.

Personnel: injury while entering / leaving the building
  Vulnerability: Employees may be vulnerable between the time they leave their vehicles and the time they enter the building.
  Threat: Mugging, theft, panhandling or other personal attacks while walking alone to the car.
  Risk assessment: Unlikely / Catastrophic. At most locations the risk is "unlikely", but the consequence can be "catastrophic".
  Mitigation: Cost benefit analysis makes lighting and cameras feasible for this threat.

Personnel: resignations
  Vulnerability: Key operations may be at risk. Key employees are more likely to be recruited by other companies.
  Threat: Loss of functionality; an employee leaves the company or falls ill at a critical time.
  Risk assessment: Likely / Catastrophic.
  Mitigation: Make sure each role / duty has a backup. Capture and document key information.

Personnel: disgruntled insider
  Vulnerability: Employees with access to assets.
  Threat: Sabotage, theft, disruption of teamwork.
  Risk assessment: Unlikely / Disruptive. Most assets lost this way are non-critical; critical assets must be protected.
  Mitigation: Critical assets identified and protected: locked up / RFID tags similar to those used in retail.

Personnel: disgruntled outsider
  Vulnerability: A former employee whose passwords are still enabled logs onto the network via a borrowed laptop or dial-in access.
  Threat: Sabotage, theft, disruption of teamwork.
  Risk assessment: Unlikely / Disruptive. Although most assets can be lost with only disruptive consequences, critical assets must be protected.
  Mitigation: Identity Management System (de-provisioning on departure) and log file review.

Social Engineering
  Vulnerability: Sensitive information is vulnerable to inadvertent release: PII, passwords, etc.
  Threat: PII theft can lead to identity theft. Password release can lead to actual infiltration of the network.
  Risk assessment: Unlikely / Disruptive. This has to be evaluated periodically; in most cases this threat is unlikely.
  Mitigation: Education and periodic tests / probing to keep employees alert and aware.

Hardware failure
  Vulnerability: Loss of servers, routers, etc. through failure caused by heat or lack of maintenance.
  Threat: Functionality / availability of the network.
  Risk assessment: Unlikely / Catastrophic. This can be determined on an equipment by equipment basis.
  Mitigation: Utilize redundant equipment where feasible.

Hardware theft / tamper
  Vulnerability: Equipment located in an unlocked room, accessible to employees. After the initial installation equipment is often ignored.
  Threat: Sabotage, or inadvertent damage due to error.
  Risk assessment: Unlikely / Catastrophic.
  Mitigation: Keep equipment in a locked, secure environment.

Software, Category A: necessary to company operations
  Threat: Loss / tamper / out of date.
  Risk assessment: Unlikely / Very Disruptive.
  Mitigation: Backups must be maintained. Keep software versions up to date with patches; antivirus protection.

Software, Category B: used to support / promote the business
  Threat: Loss / tamper / out of date.
  Risk assessment: Unlikely / Disruptive.
  Mitigation: Keep non-critical software up to date with patches; antivirus protection.
Information: key inventions, intellectual property
  Threat: Theft; duplication if in the hands of a competitor.
  Risk assessment: Unlikely / Catastrophic.
  Mitigation: Knowledge is most valuable.

Information: customer lists, PII
  Threat: Illicit use if in the hands of a competitor / thief.
  Risk assessment: Unlikely / Catastrophic.

8. Personnel Security:

Although not generally thought of as part of an IT Security Plan, personnel security is always a part of the overall security considerations, and with IT Security responsible for the entire company's security it becomes part of their responsibility. The main thrust here is to make sure employees are safe; the vulnerabilities exist mostly while moving between the parking lot and the building. The other aspect of security involving personnel is the risk to the company when personnel end their employment (voluntarily or otherwise). Several security issues are involved with employees who move on; these are mostly handled with the help of the automated Identity Management System.

Security starting at the parking lot is designed to accomplish two things. First, physical security, or the safety of employees: the plan is designed to protect employees from the threat of personal harm when they are between their cars and the building. This is accomplished by the use of 8 ft high fencing integrated into the landscaping and color coordinated to be less visible, intrusion detection sensors, cameras and lighting. The parking lots will have cameras installed at locations that enable viewing of activity anywhere in the lots. The entire area, building and parking lot, will be fenced, and lighting and cameras will be deployed in strategic areas. The landscaping will be designed to enhance security, leaving areas near the windows and building entrances free of large shrubs so as to enable greater visibility.

Second, physical security is closely connected with Identity Management and starts with vehicle identification. The parking lots will be for employee use only.
There will be a separate lot for visitors and clients. The employee lots will have Radio-Frequency Identification (RFID) transceivers installed, and each employee will be issued tags (also called transponders) that enable identification of their vehicles as they enter the lots.[11] There is one entrance at each location, and the receptionist in the building, who also functions as a security officer, will have a
picture and name of the employee on screen (captured by the RFID system) before they reach the front entrance. If the receptionist sees a different person enter from the one displayed, that entry is handled differently. Visitors may not be in the system until they have visited the first time and been identified and put in the database, so first time visitors are treated slightly differently from second time visitors and employees. In each case the goal is flawless security; we want the person to feel good about the security measures and to tolerate, if not enjoy, their participation in the process, and we do not want to delay a legitimate entry. Trained and motivated security personnel are essential to this process. One option is to include the security point person in a rotation of duties with all other roles in the company, which would enable all employees to appreciate the role of security. Front desk security would be a duty everyone would be able to enjoy; it would increase security awareness and allow everyone in the company eventually to meet everyone else.

9. Building Security:

Windows and doors to the outside will be alarmed to a central alarm system. During business hours there will be one entrance for employees to enter the building. At that location they will use their RFID badge to open a door. Once inside there is a lobby, where they will be allowed into the building after showing their ID badge to the receptionist. This process is two factor security: the RFID badge and personal recognition by a human. Simple proximity badges can be cloned, so the human recognition step is what makes the second factor meaningful. After hours the building will be locked and secured by 24 hour security monitoring. The security monitoring will include the grounds, the parking lot, and cameras at strategic locations inside and outside the building. The cameras will record 24/7 and the recordings will be archived on a regular schedule. Those who require after hours access must have prior approval and will be admitted by the security guard on duty.
Sensitive rooms within each building will be secured from general employee access. Each employee's RFID badge will give them access to specific areas, divided by department. The Human Resources department will have a lobby area with soundproof rooms where employee interviews will be conducted. The finance department will likewise have an area where non-finance employees can be received without entering the restricted "Finance" area, which is limited to finance employees only. Conference rooms, cafeteria, restrooms, etc., will be open to the general employee population.
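The badge-by-department model just described, the front desk identification step, and the de-provisioning that the summary table relies on against the "former employee with passwords still enabled" threat all rest on one identity record per person. The block below is an added example of such a record with role based access to both badge areas and network resources, an accountability log, and a single leaver action that revokes everything at once; it also anticipates the identification / authentication / authorization / accountability / audit objectives listed under Access Control below. It is not code from the original paper; the role table, area and resource names and the people in it are assumed (the paper's own role table is in its Appendix III).

```python
"""Role-based access for badge areas and network resources, with
provisioning / de-provisioning and an audit trail, in the spirit of the
Identity Management System this document puts at the center of security.
Added example, not code from the original paper; the role table and the
people in it are assumed (the paper's own role table is in its Appendix III)."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed role table. "area:" entries are badge-controlled rooms, "net:" entries
# are network resources; both are granted through the same identity record.
ROLE_PERMISSIONS = {
    "finance":      {"area:general", "area:finance", "net:email", "net:finance-db"},
    "hr":           {"area:general", "area:hr", "net:email", "net:hr-db"},
    "engineer":     {"area:general", "area:lab", "net:email", "net:source-repo"},
    "receptionist": {"area:general", "net:email", "net:visitor-log"},
}


@dataclass
class Identity:
    user: str
    roles: set
    badge_id: str
    active: bool = True


class IdentityManager:
    def __init__(self):
        self.identities = {}
        # Accountability: every decision is recorded with who, what and the result.
        self.audit = []

    def _record(self, actor, action, subject, result):
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.audit.append((stamp, actor, action, subject, result))

    def provision(self, actor, user, roles, badge_id):
        """Identification: create the identity and tie it to a badge and roles."""
        unknown = set(roles) - ROLE_PERMISSIONS.keys()
        if unknown:
            self._record(actor, "provision", user, f"deny: unknown roles {sorted(unknown)}")
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        self.identities[user] = Identity(user, set(roles), badge_id)
        self._record(actor, "provision", user, "ok")

    def deprovision(self, actor, user):
        """Leaver process: one action revokes badge, network and every role at once."""
        ident = self.identities[user]
        ident.active = False
        ident.roles.clear()
        self._record(actor, "deprovision", user, "ok")

    def permissions(self, user):
        """Union of the user's role permissions; inactive or unknown users get nothing."""
        ident = self.identities.get(user)
        if ident is None or not ident.active:
            return set()
        return set().union(*(ROLE_PERMISSIONS[r] for r in ident.roles))

    def authorize(self, user, resource):
        """Authorization decision, recorded either way so denies are auditable too."""
        allowed = resource in self.permissions(user)
        self._record(user, "access", resource, "allow" if allowed else "deny")
        return allowed

    def badge_lookup(self, badge_id):
        """Front desk identification: the name to show for a presented badge, or None."""
        for ident in self.identities.values():
            if ident.badge_id == badge_id and ident.active:
                return ident.user
        return None

    def denials(self):
        """Audit helper: the recorded access decisions that were refused."""
        return [e for e in self.audit if e[2] == "access" and e[4] == "deny"]


if __name__ == "__main__":
    idm = IdentityManager()
    idm.provision("hr-admin", "alice", ["finance"], "BADGE-0001")
    print(idm.authorize("alice", "area:finance"), idm.authorize("alice", "area:hr"))
    idm.deprovision("hr-admin", "alice")
    print(idm.authorize("alice", "net:email"), idm.badge_lookup("BADGE-0001"))
```

The point of routing the badge readers and the network through the same record is that de-provisioning cannot be partial: once the identity is inactive the badge stops resolving at the front desk and every network check denies, which is exactly the gap the two-department model leaves open. Keeping denied decisions in the audit trail, not only allowed ones, is what makes the trail useful when reviewing a disgruntled insider case.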
10. Access Control:

Access control is enabled by an efficient Identity Management system.[12] Identity Management is the management of user credentials and of the means by which users log on to corporate network resources. With the emergence of phishing attacks, good identity management became essential to maintaining the CIA triad: phishing exploits the difficulty of properly identifying and authenticating identities. The evolution of identity management closely follows the progression of Internet technology. Typical identity management functionality includes the following:

1. User information self-service
2. Password resetting
3. Management of lost passwords
4. Workflow
5. Provisioning and de-provisioning of identities from resources

Identity management also addresses the age-old "N+1" problem, where every new application may entail the setting up of a new data store of users. The ability to centrally manage the provisioning and de-provisioning of identities, and to consolidate the proliferation of identity stores, all form part of the identity management process.

Identity management starts with the risk assessment, to determine the need for particular controls to properly protect information, applications and infrastructure. These controls set the lifecycle security objectives for creating and maintaining an identity, verifying and authenticating an identity, granting permissions and authorities, monitoring and accountability, and auditing and appraisal of the identity management processes. The identity management system defines the control objectives required to enforce the security policy:

1. Identification: the process that creates an entity and verifies the credentials of the individual, which together form a unique identity for authentication and authorization purposes.
2. Authentication: Verifies credentials to support an interaction, transaction, message, or transmission.
3. Authorization: Grants permissions by verifying the authenticity of an individual's identity and their permission to access specific categories of information or to carry out defined role-based tasks.
4. Accountability: The process that records the linkage between an action and the identity of the individual or role who invoked the action, thus providing an evidence trail for audit or non-repudiation purposes.
5. Audit: The process that examines data records, actions taken, changes made, and the identities/roles invoking actions, which together provide a reconstruction of events for evidential purposes.

The control objectives above serve the requirement to provide an auditable chain of evidence.

Using the Identity Management system, each employee is given access to physical locations, network locations, information databases, etc. based on their role and classification. Each role and title implies certain tasks and the level of authorization needed to perform them. An example of a Role table is in Appendix III. Access to the required resources will be based on those roles. The identity management system enables efficient deployment of employees and removal of their access when they no longer require it or when they leave the company.

Maintaining access control in the enterprise requires several components for each category of access control. There are three main categories of access control:[13]

Administrative:

1. Policies and procedures - A high-level plan that lays out management's plan for how security should be practiced in the company. It defines what actions are not acceptable and what level of risk the company is willing to accept.
2. Personnel controls - Indicate how employees are expected to interact with corporate security, and how non-compliance will be enforced.
3. Supervisor structure - Defines the overall company hierarchy. Each employee has a supervisor they report to, and that supervisor has a superior they report to. This chain of command dictates who is responsible for each employee's actions.
4. Security awareness training - Users are usually the weakest link in the security chain. Proper training on security issues can instill correct use of the access controls on the network.
5. Testing - Test the access controls on the network to determine their effectiveness (or ineffectiveness).

Physical:

1. Network segregation - Defining segregation points can help enforce access controls on ingress to or egress from the segment.
2. Perimeter security - Defines how the perimeter of the company will be enforced, such as guards, security badges, fences, and gates.
3. Computer controls - Defines the physical controls on computer systems, such as locks on systems to deter theft of internal parts and removal of floppy drives to deter copying.
4. Work area separation - Separation of work areas based on type of use, such as server room, wiring closets, and experimental room.
5. Data backups - This physical control is used to ensure access to information in case of system failure or natural disaster.
6. Cabling - Protecting the cabling from electrical interference, crimping, and sniffing.

Technical:

1. System access - Controls that determine how resources on a system are accessed, such as MAC architecture, DAC architecture, username/password, RADIUS, TACACS+, and Kerberos.
2. Network architecture - Defines logical network segmentation to control how different network segments communicate.
3. Network access - Defines access controls on routers, switches, network interface cards, and bridges. Access control lists, filters, AAA, and firewalls would be used here.
4. Encryption and protocols - A technical control that encrypts traffic as it courses through untrusted network segments. Protocols could include IPSec, L2TP, PPTP, SSH, and SSL/TLS.
5. Control zone - A specific area in the enterprise that surrounds and protects network devices that emit electrical signals. Electrical signals emanate from all computer systems and travel a certain distance before being drowned out by interference from other electrical fields. Control zones are both a technical and a physical control.
6. Auditing - Tracks activity as resources are being used in the enterprise.

11. Telecommunications:

Along with access to the network from the company intranet, employees may gain remote access via a remote log-on through a secure Virtual Private Network (VPN). Virtual Private Networks (VPNs) are secure private connections created using a public network. They are virtual in the sense that the public network is seen as a single hop between networks, allowing the two networks to be virtually connected. They are private in the sense that data sent over the public network cannot be viewed by untrusted personnel; encryption techniques create the privacy. Four main VPN protocols are in use today:

Layer Two Forwarding (L2F) is a protocol developed by Cisco that supports the creation of secure virtual private dial-up networks (VPDNs) over the Internet.

Point-to-Point Tunneling Protocol (PPTP) is a network protocol developed by Microsoft that enables the secure transfer of data from a remote client to a private enterprise server by creating a VPN across TCP/IP-based data networks. PPTP supports on-demand, multiprotocol, virtual private networking over public networks, such as the Internet.
Layer 2 Tunneling Protocol (L2TP) is an Internet Engineering Task Force (IETF) standard that combines the best features of two existing tunneling protocols: Cisco's Layer 2 Forwarding (L2F) and Microsoft's Point-to-Point Tunneling Protocol (PPTP).

IPSec - The Security Architecture for the Internet Protocol is designed to provide interoperable, high quality, cryptographically based security for IPv4 and IPv6. The set of security services offered includes access control, connectionless integrity, data origin authentication, detection and rejection of replays (a form of partial sequence integrity), confidentiality through encryption, and limited traffic flow confidentiality. The IP layer provides these services, offering protection in a standard fashion for all protocols that may be carried over IP, including IP itself.

When the Identity Management System is used, VPN access is seamlessly integrated with it.

12. Network Security

Attackers are continuously attempting to gain access to corporate resources, for profit or for fun. Once the security world understands the exploit used, the application, algorithm, or protocol is updated to mitigate the threat. Attackers then try different avenues of attack, which leads to an endless exploit/mitigation loop.

Examples of Network Attacks:

Smurf: This is an attack with three entities: the attacker, the victim, and the amplifying network. The attacker spoofs, or changes, the source Internet Protocol (IP) address in a packet header to make an Internet Control Message Protocol (ICMP) ECHO packet seem as though it originated at the victim's system. This ICMP ECHO message is broadcast to the amplifying network, where all active nodes send replies to the source (the victim). The victim's system and network become overwhelmed by the large number of ECHO replies.
Fraggle: This is the same type of attack as the Smurf attack, except that here the attacker broadcasts a spoofed UDP packet to the amplifying network, which in turn replies to the victim's system.

Denial of Service (DoS): This attack consumes the victim's bandwidth or resources, causing the system to crash or stop processing other packets. DoS attacks are carried out by attackers with the intent of stopping legitimate users from accessing certain resources. Their intent is malicious and not designed to obtain information. DoS attacks are usually the most formidable attacks to deal with, as they usually involve very large amounts of traffic that may or may not look like valid transmissions on the wire. Knowing how these attacks are sculpted and executed will allow network administrators to better deter them on their networks. Mitigation of DoS attacks can be performed at the ISP egress router into the company via rate limiting, via NIDS and HIDS, and by having up-to-date security patches and hot fixes installed on all critical servers and systems. Input checking in the login subsystem can also easily stop a DoS attack directed at that subsystem.

Distributed Denial of Service (DDoS): This is a logical extension of the DoS attack. The attacker creates master controllers that in turn control slave/zombie machines, all of which can be configured to attack a single node.

DNS DoS Attacks: In this attack a record at a Domain Name System (DNS) server is replaced with a new record pointing at a fake/false IP address.

Cache Poisoning: Here the attacker inserts data into the cache of the server instead of replacing the actual records.

Buffer Overflow: A buffer overflow is a software-based attack that arises when a program does not check the length of data that is input to it before that data is processed by the CPU. A buffer overflow exists when a particular program attempts to store more information in a buffer than the buffer was intended to hold. Since the buffer was only intended to hold a certain amount of data, the additional data overflows into a different area of memory, and it is this other area of memory where the overflow causes the problem.

Brute Force: Brute force attacks occur when a cracker attempts to obtain the correct password for an account by trying every conceivable value, hoping to stumble across the correct one. Administrators have known about brute force attacks for many, many years and have come up with ways to mitigate them. One of the easiest methods is to rename the administrator account to something else.
In this way the cracker must know two things: the account name and the password. Administrators will also create passwords of at least eight characters in length. This technique helps because it takes time to brute force a password that is at least eight characters long; hopefully the administrator will notice the attack and take precautionary steps to block the cracker. The length of the password and the number of possible values a password may have will delay the success of this attack but not stop it. Also, imposing a delay of, say, 20 seconds between failed attempts, or locking the account after 10 failed attempts, deters this type of attack.

Dictionary Attacks: Dictionary attacks are another form of brute force attack and take advantage of a well-known flaw in the password authentication scheme: many people use common words as the password for an account. Attackers exploit this fact by using a source of common words (the dictionary) to try to obtain the password for an account. They simply try every word in the dictionary until a match is found. Proper password usage is key to the mitigation of this attack. Dictionary attacks are usually mitigated by systems that use pass phrases instead of passwords.

Spoofing: Attackers can use many different types of spoofing attacks, but they all use spoofing for one reason, which is to impersonate another host. Sometimes the attacker does not care who he or she is impersonating; the attacker only cares that the packet he or she is transmitting does not identify him or her. Other times the attacker knows exactly which host he or she wants to impersonate and wants the return traffic to reach that host.

A spoofing attack on a password system is one in which one person or process pretends to be another person or process that has more privileges. An example would be a fake login screen, also called a Trojan horse login. In this attack, the attacker obtains low-level access to the system and installs malicious code that mimics the user login screen. On the next attempt to log in, the user enters his username and password into the fake login screen. The malicious code then stores the username and password in a certain location, or may even email the information to an email account. The Trojan horse then calls the correct login process to execute. To the user, the entry appears to have been an incorrect or mistyped username or password, and he or she will try again. When they do, of course, they are let into the system.

DNS spoofing attacks work by convincing the target machine that the machine it wants to contact (for example, www.makebigchecks.com) is the machine of the attacker. When the target issues a DNS query, the query could be intercepted and answered with the spoofed IP address, or the query could reach the DNS server, which has been tampered with in order to give the IP address of the cracker's host rather than the real server's IP address. Either way, the target receives a false IP address for the host it wanted and will attempt to contact it.
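The identity management control objectives from section 10 (identification, authentication, authorization, accountability, audit) and the brute-force and dictionary mitigations just described (passwords of at least eight characters, a 20-second delay between failed attempts, lockout after 10 failures, rejecting common dictionary words) can be exercised together in one small account-security model. The Python below is an added example written for this page, not code from the original document or from any identity management product; the usernames, the role table, the word list and the controllable clock inside demo() are all constructed for illustration.

```python
# Added example (not from the original document): identification, authentication,
# authorization and audit in one small identity store, plus the brute-force and
# dictionary mitigations from section 12. Names, role table, word list and the
# controllable clock used by demo() are constructed for illustration.
import hashlib
import hmac
import os
import time

MAX_FAILURES = 10           # lock the account after 10 failed attempts
FAILURE_DELAY_SECONDS = 20  # refuse further attempts for 20 s after a failure
PBKDF2_ROUNDS = 100_000
COMMON_WORDS = {"password", "welcome", "letmein", "summer"}   # constructed "dictionary"
ROLE_PERMISSIONS = {                                           # constructed role table
    "finance": {"ledger", "payroll"},
    "hr": {"employee_records"},
    "engineer": {"source_repo", "build_server"},
}

def hash_password(password, salt=None):
    """Salted, iterated hash: a stolen store cannot be attacked with a plain word list."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def password_is_acceptable(password):
    """Policy from the text: at least eight characters and not a common dictionary word."""
    return len(password) >= 8 and password.lower() not in COMMON_WORDS

class IdentityStore:
    def __init__(self, clock=time.monotonic):
        self.clock = clock       # any zero-argument callable returning seconds
        self.accounts = {}       # username -> account record
        self.audit_log = []      # accountability: (time, username, action, outcome)

    def _audit(self, user, action, outcome):
        self.audit_log.append((self.clock(), user, action, outcome))

    def provision(self, username, password, role):
        """Identification: create the identity and its credential."""
        if not password_is_acceptable(password):
            raise ValueError("password violates policy")
        salt, digest = hash_password(password)
        self.accounts[username] = {"salt": salt, "hash": digest, "role": role,
                                   "failures": 0, "locked": False, "last_failure": None}
        self._audit(username, "provision", "ok")

    def deprovision(self, username):
        """Remove access when the employee no longer needs it or leaves the company."""
        self.accounts.pop(username, None)
        self._audit(username, "deprovision", "ok")

    def authenticate(self, username, password):
        """Authentication with a post-failure delay and a lockout; True only on success."""
        acct = self.accounts.get(username)
        if acct is None or acct["locked"]:
            self._audit(username, "login", "unknown-user" if acct is None else "locked")
            return False
        now = self.clock()
        # The delay is checked before the hash, so a guess inside the window is refused
        # without revealing whether it was correct.
        if acct["last_failure"] is not None and now - acct["last_failure"] < FAILURE_DELAY_SECONDS:
            self._audit(username, "login", "throttled")
            return False
        if hmac.compare_digest(hash_password(password, acct["salt"])[1], acct["hash"]):
            acct["failures"], acct["last_failure"] = 0, None
            self._audit(username, "login", "ok")
            return True
        acct["failures"] += 1
        acct["last_failure"] = now
        acct["locked"] = acct["failures"] >= MAX_FAILURES
        self._audit(username, "login", "bad-password")
        return False

    def authorize(self, username, resource):
        """Authorization by role; the decision is audited whether allowed or denied."""
        acct = self.accounts.get(username)
        allowed = acct is not None and resource in ROLE_PERMISSIONS.get(acct["role"], set())
        self._audit(username, "access:" + resource, "ok" if allowed else "denied")
        return allowed

def demo():
    """Walk one constructed account through throttling, lockout and a role check."""
    now = [0.0]                                 # fake clock: advance by mutating now[0]
    store = IdentityStore(lambda: now[0])
    store.provision("alice", "correct-horse-battery", "finance")
    store.authenticate("alice", "password")     # wrong guess: failure 1
    now[0] += 1
    store.authenticate("alice", "welcome")      # inside the 20 s window: throttled
    throttled = store.audit_log[-1][3] == "throttled"
    for i in range(MAX_FAILURES):               # guesses 21 s apart until the lockout trips
        now[0] += 21
        store.authenticate("alice", "guess%d" % i)
    now[0] += 21
    correct_after_lock = store.authenticate("alice", "correct-horse-battery")
    return {"throttled": throttled, "locked": store.accounts["alice"]["locked"],
            "correct_after_lock": correct_after_lock,
            "ledger": store.authorize("alice", "ledger"),
            "hr_records": store.authorize("alice", "employee_records"),
            "audit_entries": len(store.audit_log)}
```

Two design points are worth noting. The delay is enforced before the password hash is checked, so a guess inside the window costs the attacker a full wait whether or not it was right, and every decision, including denied ones, lands in the audit log, which is what produces the auditable chain of evidence section 10 asks for. Delays and lockouts also allow an attacker to lock a legitimate user out (a DoS against the login subsystem, as section 12 notes), so production systems usually pair them with per-source rate limits rather than per-account lockout alone.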
Sniffing: The act of sniffing is the use of a program or device that monitors data traveling over a network. Sniffing is hard to detect because, as a passive attack, it only receives information and never sends information out. The goal of sniffing is to capture sensitive information such as a password in order to perform a replay attack at a later time. Mitigation against sniffing attacks can include using a switched infrastructure, using one-time passwords, or enabling encryption.

TCP Takeover: In a Transmission Control Protocol (TCP) takeover attack, the cracker attempts to insert malicious data into an already existing TCP session between two hosts. In this type of attack, the attacker is either attempting to inject false data into the conversation or to take over the session completely. This type of attack is usually used in conjunction with a DoS attack to stop the host it is impersonating from sending any further packets. The DoS attack against the impersonated host will itself use spoofed packets. In this way the attacker hides his or her identity from the host whose TCP session was taken over, while the opposite end still believes its ongoing session is with the original host.

Pseudo Flaw: A pseudo flaw is an apparent loophole deliberately implanted in an operating system or program as a trap for intruders. Pseudo flaws are inserted into programs to get attackers to spend time and energy attempting to uncover weaknesses in programs that they hope will allow them to gain access to other parts of the system. Because these are deliberate flaws, the attacker can spend weeks attempting to exploit the flaw before he or she becomes discouraged and moves on to different parts of the program.

Alteration of Authorized Code: Attackers often write small programs that create a patch in authorized code. Take a program that will not execute until the user enters a valid serial number or authorization code.
The attacker does not have this information, yet still wants to execute the program. Using his or her knowledge of programming and off-the-shelf software, the attacker can identify where in the program the subroutine that performs authorization is called from. The attacker then writes a program that modifies that very same area of the program, but instead of calling the authorization subroutine, the instructions are now a series of NOPs (no operations). This alteration of authorized code simply bypasses the authorization subroutine and begins executing the program.

Flooding: Flooding is the process of overwhelming some portion of the information system. This could be bandwidth on a serial link or memory in a router or server. There are many uses of flooding for attackers. Attackers could hide their attacks in a flood of random attack packets, they could attempt to overwhelm a switch's Address Resolution Protocol (ARP) table, or they could perform DoS attacks.

SYN Floods: SYN floods are an example of flooding used in a DoS attack. SYN floods take advantage of TCP's three-way handshake. In this DoS attack, the attacker sends many thousands of half-formed or embryonic TCP connection requests (SYN packets), usually with a spoofed source address, to the target server. The server that receives these connection requests sets aside a small amount of memory for each connection and replies with a SYN-ACK to the spoofed address. The spoofed host (if it exists) receives the SYN-ACK packet and discards it. This leaves the server with an open or half-formed connection, which will remain so for three minutes as it waits for the connection to complete. A few open connections will not cause harm to a server, but thousands upon thousands of open connections, each using a small amount of memory, will quickly consume all available resources on the server. When all resources are consumed, the server will no longer respond to the SYN requests of the attacker. Unfortunately, the server will also not respond to any SYN request from a valid user, which is the DoS the attacker is trying to accomplish. These attacks are always changing, and the methods of mitigating them are also changing.

13. Architecture

An example network architecture for a single location is located in Appendix IV. The network is segregated into 7 sub-networks which include the 10 functional areas.

Fundamental Firewall Designs

Firewall design has evolved from flat designs, such as the dual-homed host and screened host, to layered designs such as the screened subnet. This evolution has incorporated network defense in depth, including the use of DMZs and more secure networks.
A Bastion host is any host placed on the Internet which is not protected by another device (such as a firewall). Bastion hosts must protect themselves and be hardened to withstand attack. Bastion hosts usually provide a specific service, and all other services should be disabled.

A Dual-homed host has two network interfaces: one connected to a trusted network, and the other connected to an untrusted network, such as the Internet. This design was more common before the advent of modern firewalls in the 1990s, and is still sometimes used to access legacy networks.

Screened Host Architecture is an older flat network design using one router to filter external traffic to and from a bastion host via an access control list (ACL). The bastion host can reach other internal resources, but the router ACL forbids direct internal/external connectivity. The difference between the dual-homed host and screened host designs is that the screened host uses a screening router, which filters Internet traffic to other internal systems. Screened host network design does not employ network defense-in-depth: a failure of the bastion host puts the entire trusted network at risk. Screened subnet architecture evolved as a result, using network defense in depth via the use of DMZ networks.

DMZ Networks and Screened Subnet Architecture

A DMZ is a dangerous “no-man's land”: this is true for both military and network DMZs. Any server that receives traffic from an untrusted source such as the Internet is at risk of being compromised. We use defense-in-depth mitigation strategies to lower this risk, including patching, server hardening, NIDS, etc., but some risk always remains. Network servers that receive traffic from untrusted networks such as the Internet should be placed on DMZ networks for this reason. A DMZ is designed with the assumption that any DMZ host may be compromised: the DMZ is designed to contain the compromise and prevent it from extending into internal trusted networks. Any host on a DMZ should be hardened. Hardening should consider attacks from untrusted networks, as well as attacks from compromised DMZ hosts.

A “classic” DMZ uses two firewalls, also called a screened subnet dual-firewall design. In this design two firewalls screen the DMZ subnet. A single-firewall DMZ uses one firewall; this is sometimes called a “three-legged” DMZ. The single-firewall design requires a firewall that can filter traffic on all interfaces: untrusted, trusted, and DMZ. Dual-firewall designs are more complex, but more secure. In the event of compromise due to firewall failure, a dual-firewall DMZ requires two firewall failures before the trusted network is exposed; the single-firewall design requires only one.
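The containment property of a DMZ and the "two failures versus one" claim for the dual-firewall design can both be made concrete with a small zone-based packet-filter model. The following Python is an added example written for this page, not a configuration from the original document or from any firewall product: the zones, address ranges (RFC 5737 documentation space for the DMZ, private space for the trusted network), ports and rules are all constructed, and a failed firewall is modelled in its worst case, passing everything. The same rule sets are applied once as a single three-legged firewall and once split across an outer and an inner firewall.

```python
# Added example (not from the original document): zone-based packet filtering for
# the single-firewall ("three-legged") DMZ and the classic dual-firewall screened
# subnet described above. Zones, addresses, ports and rules are all constructed.
import ipaddress
import itertools
from collections import namedtuple

# Constructed address plan: documentation prefix for the DMZ, private space for the
# trusted network; anything else is the untrusted Internet.
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "trusted": ipaddress.ip_network("10.10.0.0/16"),
}

def zone_of(addr):
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "untrusted"

Rule = namedtuple("Rule", "src_zone dst_zone proto dport action")

def evaluate(policy, src_zone, dst_zone, proto, dport):
    """First matching rule wins; no match means deny (default deny)."""
    for r in policy:
        if (r.src_zone == src_zone and r.dst_zone == dst_zone and r.proto == proto
                and (r.dport is None or r.dport == dport)):
            return r.action
    return "deny"

class Firewall:
    """A firewall sits between groups of zones; a packet crosses it only when its two
    endpoints fall in different groups. A three-legged firewall separates all three."""
    def __init__(self, name, policy, groups):
        self.name, self.policy, self.groups = name, policy, groups
    def _group(self, zone):
        return next(i for i, g in enumerate(self.groups) if zone in g)
    def on_path(self, src_zone, dst_zone):
        return self._group(src_zone) != self._group(dst_zone)

# The Internet may only reach the DMZ web tier; the DMZ may only reach one database
# port inside and fetch patches outbound; the trusted network may initiate anywhere.
# Everything else (notably DMZ -> trusted SSH) is denied, which is what contains a
# compromised DMZ host. Duplicated rules are harmless under first-match.
EDGE_RULES = [Rule("untrusted", "dmz", "tcp", 443, "allow"),
              Rule("dmz", "untrusted", "tcp", 443, "allow"),
              Rule("trusted", "untrusted", "tcp", None, "allow"),
              Rule("trusted", "untrusted", "udp", 53, "allow")]
INNER_RULES = [Rule("dmz", "trusted", "tcp", 5432, "allow"),
               Rule("trusted", "dmz", "tcp", None, "allow"),
               Rule("trusted", "untrusted", "tcp", None, "allow"),
               Rule("trusted", "untrusted", "udp", 53, "allow")]

THREE_LEGGED = [Firewall("fw", EDGE_RULES + INNER_RULES,
                         [{"untrusted"}, {"dmz"}, {"trusted"}])]
DUAL_FIREWALL = [Firewall("outer", EDGE_RULES, [{"untrusted"}, {"dmz", "trusted"}]),
                 Firewall("inner", INNER_RULES, [{"untrusted", "dmz"}, {"trusted"}])]

def evaluate_chain(firewalls, src, dst, proto, dport, failed_open=()):
    """A packet must be allowed by every firewall on its path. A firewall named in
    failed_open is modelled in its worst failure mode: it passes everything."""
    sz, dz = zone_of(src), zone_of(dst)
    for fw in firewalls:
        if fw.name in failed_open or not fw.on_path(sz, dz):
            continue
        if evaluate(fw.policy, sz, dz, proto, dport) == "deny":
            return "deny"
    return "allow"

def failures_to_expose(firewalls, src, dst, proto, dport):
    """Smallest number of failed-open firewalls after which the packet gets through."""
    names = [fw.name for fw in firewalls]
    for k in range(len(names) + 1):
        for failed in itertools.combinations(names, k):
            if evaluate_chain(firewalls, src, dst, proto, dport, set(failed)) == "allow":
                return k
    return None

# Constructed probe: an Internet host trying to reach SSH on an internal server.
PROBE = ("203.0.113.7", "10.10.5.20", "tcp", 22)
```

Run against PROBE, failures_to_expose returns 1 for THREE_LEGGED and 2 for DUAL_FIREWALL, which is the text's point in executable form. The more important everyday check is the DMZ-to-trusted rule: a web server in the DMZ can reach only the database port, so a compromised web host cannot open SSH to the inside through either design.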
14. Intrusion Detection System (IDS)

An important tool in network defense is the Intrusion Detection System (IDS). An IDS utilizes audit records of all activities on a system. An IDS has three basic components: a sensor (agent), an analyzer, and a security interface (also called the director). The sensor collects information and forwards it to the analyzer. The analyzer receives this data and attempts to ascertain whether the data constitutes an attack or intrusion. The security interface, which is usually a separate device, displays the output to the security administrator and configures the sensors in the network.

There are two basic types of intrusion detection mechanisms: Network-based Intrusion Detection Systems (NIDS) and Host-based Intrusion Detection Systems (HIDS). Intrusion detection devices attempt to identify any of the following types of intrusions:

Input Validation Errors
Buffer Overflow
Boundary Conditions
Access Validation Errors
Exceptional Condition Handling Errors
Environmental Errors
Configuration Errors
Race Conditions

NIDS: Protects an entire network segment and is usually a passive device on the network. Users are unaware of the NIDS's existence unless they learn about it through the general security training sessions. NIDS cannot detect malicious code in encrypted packets, and is cost effective for mass protection. It requires its own sensor for each network segment.

HIDS: Protects a single system. It uses system resources (CPU and memory) from the system and provides application-level security. An advantage of HIDS is that it provides day-one security. Intrusion detection is performed after decryption, so it is used on servers and sensitive workstations, but it is costly for mass protection.
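The sensor/analyzer/director pipeline described above can be shown in miniature on two of the attacks from section 12. The Python below is an added example written for this page, not code from the original document or from any IDS product: an analyzer that applies one signature rule (an ICMP echo request addressed to a subnet broadcast, the amplifier pattern behind Smurf) and one stateful threshold rule (half-open TCP connections per server port, the SYN-flood pattern). The packet stream, the threshold and window, and the simplifying assumption that every network is a /24 are all constructed; on a real sensor the threshold would be tuned to the server's SYN backlog, and, as the text notes, a NIDS sees nothing inside encrypted packets.

```python
# Added example (not from the original document): a toy NIDS analyzer fed by a
# constructed packet stream. Signature rule: ICMP echo request to a subnet broadcast
# (Smurf amplifier pattern). Threshold rule: half-open TCP connections per server
# port (SYN-flood pattern). Thresholds, addresses and traffic are all constructed.
import ipaddress

HALF_OPEN_THRESHOLD = 20   # constructed; in practice tune to the server's SYN backlog
WINDOW_SECONDS = 5.0       # only SYNs this recent count toward the threshold


def is_subnet_broadcast(dst):
    """Constructed simplification: treat the last address of the /24 as the broadcast."""
    net = ipaddress.ip_network(dst + "/24", strict=False)
    return ipaddress.ip_address(dst) == net.broadcast_address


class Analyzer:
    def __init__(self):
        self.half_open = {}   # (client, server, port) -> time of the client's SYN
        self.alerted = set()  # (server, port) pairs already reported once
        self.alerts = []      # what the director would display

    def feed(self, pkt):
        """The sensor hands each packet to the analyzer in timestamp order."""
        if pkt["proto"] == "icmp" and pkt.get("type") == 8 and is_subnet_broadcast(pkt["dst"]):
            self.alerts.append(("signature", "icmp-echo-to-broadcast", pkt["src"], pkt["dst"]))
        elif pkt["proto"] == "tcp":
            key = (pkt["src"], pkt["dst"], pkt["dport"])
            if pkt["flags"] == "S":
                self.half_open[key] = pkt["ts"]
            elif pkt["flags"] == "A":
                self.half_open.pop(key, None)   # the client's ACK completes the handshake
            self._check_syn_flood(pkt["ts"], pkt["dst"], pkt["dport"])

    def _check_syn_flood(self, now, server, port):
        recent = sum(1 for (c, s, p), t in self.half_open.items()
                     if s == server and p == port and now - t <= WINDOW_SECONDS)
        if recent >= HALF_OPEN_THRESHOLD and (server, port) not in self.alerted:
            self.alerted.add((server, port))
            self.alerts.append(("threshold", "syn-flood", server, port, recent))


def constructed_traffic():
    """Constructed sample: one normal handshake, one broadcast ping, then 40 forged SYNs."""
    pkts = [
        {"ts": 0.00, "proto": "tcp", "src": "10.10.2.9", "dst": "10.10.1.5", "dport": 80, "flags": "S"},
        {"ts": 0.01, "proto": "tcp", "src": "10.10.1.5", "dst": "10.10.2.9", "dport": 51000, "flags": "SA"},
        {"ts": 0.02, "proto": "tcp", "src": "10.10.2.9", "dst": "10.10.1.5", "dport": 80, "flags": "A"},
        {"ts": 0.50, "proto": "icmp", "type": 8, "src": "203.0.113.5", "dst": "10.10.1.255"},
    ]
    for i in range(40):   # never followed by an ACK: the half-open connections pile up
        pkts.append({"ts": 1.0 + i * 0.02, "proto": "tcp", "src": "198.51.100.%d" % (i + 1),
                     "dst": "10.10.1.5", "dport": 80, "flags": "S"})
    return pkts


def run(pkts):
    """Sensor loop: feed packets in time order and return the alerts for the director."""
    analyzer = Analyzer()
    for pkt in sorted(pkts, key=lambda p: p["ts"]):
        analyzer.feed(pkt)
    return analyzer.alerts
```

The legitimate handshake is removed from the half-open table by its ACK and never counts; the forged SYNs are never completed, so the twentieth one trips the threshold and the alert carries the count at that moment. Alerting once per server port, rather than on every subsequent packet, is what keeps the director readable during the flood itself.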
The two forms of Intrusion Detection:

Profile-based Intrusion Detection (also known as anomaly detection): In profile-based detection, an alarm is generated when activity on the network goes outside of the profile. A profile is a baseline of what should be considered normal traffic for each system running on the network. A problem exists because most systems do not follow a consistent profile: what is normal today might not be normal tomorrow.

Signature-based Intrusion Detection: In signature-based detection, a signature or set of rules is used to determine intrusion activity. An alarm is generated when a specific pattern of traffic is matched or a signature is triggered.

Typical responses to an attack include the following:

Terminating the session (TCP resets)
Blocking offending traffic (usually implemented with Access Control Lists - ACLs)
Creating session log files
Dropping the packet

IDS Examples:[14]

Tripwire scans files and directories on Unix systems to create a snapshot record of their size, date, and signature hash. If you suspect an intrusion in the future, Tripwire will rescan your server and report any changed files by comparing the file signatures to the stored records. Tripwire was an open-source project of Purdue University, but it continues development as a licensed package of Tripwire Security Systems (www.tripwiresecurity.com).

Snort (www.snort.org) is an open-source intrusion detection system that relies upon raw packet capture (sniffing) and attack signature scanning to detect an extremely wide array of attacks. Snort is widely considered to be the best available intrusion detection system because of the enormous body of attack signatures that the open source community has created for it. The fact that it's free and cross-platform pretty much ensures that the commercial IDSs won't develop much beyond where they are now. Snort was originally developed for Unix and has been ported to Windows.
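The snapshot-and-compare approach that Tripwire implements is simple enough to show end to end. The Python below is an added example written for this page, not Tripwire's own code or format: it records size, modification time and a SHA-256 hash for every file under a root, stores that baseline as JSON, and on a later scan reports files that were added, removed or changed. The directory tree, the "trojaned" login script and the baseline location are constructed inside temporary directories so the example runs offline.

```python
# Added example (not from the original document and not Tripwire's own code): a
# minimal file-integrity checker in the style described above. The checked tree
# and the tampering in demo() are constructed in temporary directories.
import hashlib
import json
import os
import tempfile


def file_signature(path):
    """Size, modification time and SHA-256 of one file (the 'signature hash')."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": h.hexdigest()}


def snapshot(root):
    """Map each file's path (relative to root, with forward slashes) to its signature."""
    sigs = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            sigs[os.path.relpath(full, root).replace(os.sep, "/")] = file_signature(full)
    return sigs


def save_baseline(sigs, path):
    # The baseline must live where an intruder cannot rewrite it (read-only media or
    # another host); a baseline stored on the scanned system proves nothing.
    with open(path, "w") as f:
        json.dump(sigs, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Report paths that appeared, disappeared, or whose content hash no longer matches."""
    return {"added": sorted(p for p in current if p not in baseline),
            "removed": sorted(p for p in baseline if p not in current),
            "changed": sorted(p for p in baseline if p in current
                              and baseline[p]["sha256"] != current[p]["sha256"])}


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, rescan and compare."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        _write(root, "bin/login", b"#!/bin/sh\nexec /sbin/login-real \"$@\"\n")
        _write(root, "etc/motd", b"Authorised users only.\n")
        _write(root, "sbin/sshd", b"ELF-placeholder\n")
        baseline_path = os.path.join(store, "baseline.json")
        save_baseline(snapshot(root), baseline_path)
        baseline = load_baseline(baseline_path)
        # Simulated intrusion: a replacement login script of exactly the same length
        # (size alone would not reveal it), a deleted file, and a new hidden file.
        _write(root, "bin/login", b"#!/bin/sh\nexec /tmp/.evil/login \"$@\"\n")
        os.remove(os.path.join(root, "etc/motd"))
        _write(root, "tmp/.hidden", b"dropper\n")
        return compare(baseline, snapshot(root))
```

The comparison keys on the hash rather than on size or date: the substituted login script in demo() has the same length as the original, and a modification time can be set back by anyone with write access, so only the hash reliably reveals the change. In operation the baseline is refreshed deliberately after each authorised change (patching, configuration) so that the next report shows only what nobody meant to change.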
Demarc PureSecure (www.demarc.com) is a best-of-breed network monitoring and intrusion detection system descended from Snort. PureSecure is a commercial product that uses Snort as its intrusion detector, but it adds typical network monitoring functions, like CPU, network, memory and disk load, ping testing, and service monitoring, to the sensors that run on every host. Demarc creates a web-based client/server architecture where the sensor clients report back to the central Demarc server, which runs the reporting website. By pointing your web browser at the Demarc server, you get an overview of the health of your network in one shot. Demarc can be configured to alert on all types of events, so keeping track of your network becomes quite easy. Demarc's price is $1,500 for the monitoring software, plus $100 per sensor.

Network Flight Recorder (NFR, www.nfr.com) was one of the first inspector-based intrusion detection systems on the market and was originally offered as a network appliance. Now available as both software and network appliances, NFR has evolved into a commercial product very similar to Snort in its capabilities. However, since it is a commercial product, NFR can consult with you directly to analyze intrusion attempts, to train your staff, and to provide product support for its products.

15. Electronic Mail Security:

E-mail access was one of the first protocols defined under the Transmission Control Protocol/Internet Protocol (TCP/IP) protocol suite. The two main mail protocols are Post Office Protocol 3 and Simple Mail Transfer Protocol. Post Office Protocol 3 (POP3) is a lightweight e-mail client protocol using TCP port 110, used to receive e-mail from a server. Simple Mail Transfer Protocol (SMTP) is an effective mail transfer protocol, but not very secure. SMTP uses port 25 and is used to send e-mail from client to server and for server-to-server forwarding.
The SMTP protocol defines the mechanism a sender uses to connect to, request, and send e-mail to the server. SMTP was an effective protocol, but is riddled with security holes. SMTP can be identified as using TCP port 25 on the network. SMTP takes up a lot of overhead. The Post Office Protocol version 3 (POP3) was created as a means of reducing the required overhead for a single workstation. POP3 is intended to permit a workstation to dynamically access a mail-drop on a server host. SMTP is used to send e-mail from an e-mail client to an e-mail server, and POP3 is used to retrieve e-mail from the e-mail server to the e-mail client. POP3 can be identified as using TCP port 110 on the network.

When e-mail first came into existence, e-mail messages were meant to be pure text-only messages. As the Internet started to grow, graphic files, audio files, and Hypertext Transport Protocol (HTTP) content became a part of mail. The Multipurpose Internet Mail Extensions (MIME) protocol was developed to handle these. MIME allows a one-time modification to e-mail reading programs that enables the program to display a wide variety of message types. This e-mail extension allows you to view dynamic multi-type e-mail messages that include color, sound, animations, and moving graphics. The drawback of MIME is that it also lacks adequate security: e-mail was still subject to the same old hacks, such as sniffing and replay.

Secure MIME (S/MIME) was created to enable a more secure MIME. S/MIME provides cryptographic security services for electronic messaging applications by providing authentication, message integrity, non-repudiation of origin (using digital signatures), and privacy and data security (using encryption). Using S/MIME is the preferred way of securing e-mail as it traverses the Internet.

Public Key Encryption of E-Mail Messages - PGP

PGP uses a public key cryptosystem. In this method, each party creates an RSA public/private key pair. One of these keys is kept private (the private key), and one is given out to anyone on the public Internet (the public key). What one key encrypts, only its partner private key can decrypt.
This means that if user X obtains user Y's public key and encrypts a message destined for user Y using that public key, the only person in the universe who can decrypt the message is user Y, as he or she has the corresponding private key. PGP is a hybrid cryptosystem in that, before encryption is performed, the e-mail data is first compressed. Compression not only makes an e-mail message smaller, it also removes patterns found in plain text, which mitigates many cryptanalysis techniques that look for these patterns. PGP provides the following security measures: confidentiality, data integrity, and sender authenticity.

Secure Web-based mail: For a small business, utilizing a free open mail server has some advantages. Yahoo, for example, has teamed with Zixit Corporation, a company that enables secure, certified e-mail to any recipient.[15]

16. Disaster Recovery

Sometimes called Business Continuity Planning, the Disaster Recovery Plan is the tactical actualization of BCP. The DRP is the operational plan and is a requirement for a corporation that has the goal of remaining in business after a natural or man-made disaster. In this section we discuss the backup and restore plan and strategies for business continuity. First, a listing of the types of events that might occur:

Sabotage
Bombings
Loss of Electrical Power
Arson
Earthquakes
Storm
Security Incidents (major)
Fire
Communication system outage
Strike (labor unrest)
Flood
Unavailability of Key Employees

The planning committee (DRP team) is made up of management and technical experts from each area of the company and meets at regular intervals. This team will hold a disaster recovery exercise yearly and participate in periodic probes and assessments of the company's security practices and technologies.

The general process of disaster recovery involves responding to the disruption; activation of the recovery team; ongoing tactical communication of the status of the disaster and its associated recovery; further assessment of the damage caused by the disruptive event; and recovery of critical assets and processes in a manner consistent with the extent of the disaster.

Respond: First there must be an initial response that begins the process of assessing the damage. Speed is essential during this initial assessment; there will be time later to more thoroughly assess the full scope of the disaster. The initial assessment will determine whether the event in question constitutes a disaster. An alternate data center may be required; if there is any possibility that an alternate facility will be necessary, the sooner this fact can be communicated, the better for the recoverability of the systems. The initial response team should also be mindful of assessing the facility's safety for continued personnel use, or of seeking the counsel of those suitably trained for safety assessments of this nature.

Activate Team: If, during the initial response to a disruptive event, a disaster is declared, then the team that will be responsible for recovery needs to be activated.

Communicate: One of the most difficult aspects of disaster recovery is ensuring that consistent, timely status updates are communicated back to the central team managing the response and recovery process. In addition to communication of internal status regarding the recovery activities, the organization must be prepared to provide external communications, which involves disseminating details regarding the organization's recovery status to the public.

Assess: Though an initial assessment was carried out during the initial response portion of the disaster recovery process, a more detailed and thorough assessment will be done by the disaster recovery team. The team determines the proper steps necessary to ensure the organization's ability to meet its mission and Maximum Tolerable Downtime (MTD).
Reconstitution: The goal of the reconstitution phase is to recover critical business operations, either at the primary site or at a secondary (recovery) site. If an alternate site is used, adequate safety and security controls must be in place there to maintain security continuity; a recovery site running with weaker controls than production is a common gap. In addition to the recovery team's efforts to reconstitute critical business functions at an alternate location, a salvage team begins the recovery process at the primary facility that experienced the disaster.

One key to data recovery and business continuity is the data backup process. Holding data backups at a safe, off-site location is a major requirement, and backups should be test-restored periodically; a backup that has never been restored is an assumption, not a control. Another aspect of DRP becoming more prevalent is an arrangement in which two companies agree to be the "backup" facility for each other. This works where industries are similar and each company sets aside an area for the business continuity of the other. It may not work for direct competitors; however, the cost benefit of these plans is such that cooperation among rivals is becoming cost effective (see reciprocal agreements, below).

The Alternate or Secondary (recovery) site:

A redundant site is an exact production duplicate of a system, with the capability to seamlessly operate all necessary IT operations without loss of service to the end user. A redundant site receives data in real time, so that in the event of a disaster the users of the system experience no loss of data. It is a building configured exactly like the primary site and is the most expensive recovery option, because it effectively more than doubles the cost of IT operations. To be fully redundant, a site must receive real-time data replication from the production system, and the end user should notice no difference in IT services or operations in the event of a disruptive event.

A hot site is a location to which an organization relocates following a major disruption or disaster. It is typically a datacenter with a raised floor, power, utilities, computer peripherals, and fully configured computers. The hot site has all necessary hardware in place and critical application data mirrored in real time, allowing the organization to resume critical operations within a very short period (hours). Hot sites quickly recover critical IT functionality, but unlike a redundant site they require a failover; a redundant site appears to operate normally to the end user no matter what the state of the primary. A hot site should have the same physical, technical, and administrative controls as the production site.

A warm site has readily accessible hardware and connectivity, but it relies on backup data to reconstitute a system after a disruption. It may have a datacenter with a raised floor, power, utilities, computer peripherals, and fully configured computers. Because of the extensive cost of maintaining a hot or redundant site, many organizations elect a warm site recovery solution. These organizations must be able to withstand a Maximum Tolerable Downtime (MTD) of at least 1-3 days to consider a warm site solution. The longer the MTD, the less expensive the recovery solution can be.

A cold site is the least expensive recovery solution to implement. It includes neither backup copies of data nor any immediately available hardware. After a disruptive event, a cold site takes the longest of all recovery solutions to bring into service and restore critical IT functions. It can take weeks to get vendor hardware shipments in place, so organizations using a cold site must be able to withstand a significantly long MTD. A cold site is typically a datacenter with a raised floor, power, utilities, and physical security, but not much beyond that.

Reciprocal agreements are bi-directional agreements between two organizations in which each promises the other that it can move in and share space if it experiences a disaster. The agreement is documented as a contract written to gain support from an outside organization in the event of a disaster. They are also referred to as Mutual Aid Agreements (MAAs) and are structured so that each organization will assist the other in an emergency. Their weakness is that the partner's spare capacity, and its willingness to honor the agreement under pressure, are outside the organization's control.

For each of these scenarios, frequent testing against a simulated disaster and the associated recovery is absolutely essential; the test should exercise the actual restore of data and failover of services, not only a tabletop walk-through.

In this paper we have given a brief overview of some aspects of corporate security. We touched on physical security, network security, identity management, and disaster recovery. There is no one correct way to maintain a secure operation. The emphasis should be on cost-appropriate measures rather than the latest technological gimmick, and on ample training to keep employees aware of the threats and risks, with a minimum of disruption to employees and their normal operations.
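Before the appendices, the PGP scheme summarized in the secure e-mail discussion above (sign with the sender's private key, compress, encrypt under a one-time session key, and wrap that session key with the recipient's public key) is worked through below as an added example in Go. This is not code from the original paper and not PGP's real packet format or library: the Envelope type, the functions NewUser, Seal and Open, the users X and Y, and the sample message are constructed for illustration, and AES-256-GCM, RSA-OAEP and RSA-PSS stand in for the OpenPGP algorithms and framing. Open reports separately which of the three properties failed (unwrap, integrity, or sender authenticity), which is the check a practitioner wants to see.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Envelope is a hypothetical container, not PGP's real packet format.
type Envelope struct {
	WrappedKey []byte // 32-byte AES session key, RSA-OAEP encrypted to the recipient's public key
	Nonce      []byte // 96-bit AES-GCM nonce, fresh for every message
	Ciphertext []byte // AES-256-GCM (ciphertext || tag) over zlib(signature || plaintext)
}

// check panics on local operations that cannot fail on a healthy system.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// NewUser makes a fresh 2048-bit RSA key pair for a hypothetical user.
func NewUser() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	return k
}

// Seal follows PGP's order of operations: sign, compress, encrypt under a fresh
// session key, then wrap that session key with the recipient's public key.
func Seal(msg []byte, sender *rsa.PrivateKey, recipient *rsa.PublicKey) *Envelope {
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest[:], nil)
	check(err)
	// The signature travels inside the encrypted body, so an eavesdropper learns
	// neither the content nor who signed it. Compression comes after signing.
	var body bytes.Buffer
	zw := zlib.NewWriter(&body)
	_, err = zw.Write(append(sig, msg...))
	check(err)
	check(zw.Close())
	km := make([]byte, 32+12) // AES-256 session key followed by a 96-bit GCM nonce
	_, err = io.ReadFull(rand.Reader, km)
	check(err)
	key, nonce := km[:32], km[32:]
	block, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
	gcm, _ := cipher.NewGCM(block)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	check(err)
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, body.Bytes(), nil)}
}

// Open reverses Seal. Only the recipient's private key unwraps the session key
// (confidentiality); the GCM tag rejects any altered ciphertext (integrity); the
// PSS signature ties the text to the sender's key (authenticity).
func Open(env *Envelope, recipient *rsa.PrivateKey, sender *rsa.PublicKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, recipient, env.WrappedKey, nil)
	if err != nil || len(key) != 32 || len(env.Nonce) != 12 {
		return nil, fmt.Errorf("session key unwrap failed or envelope malformed: %v", err)
	}
	block, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
	gcm, _ := cipher.NewGCM(block)
	body, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("integrity check failed: %w", err)
	}
	zr, err := zlib.NewReader(bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	inner, err := io.ReadAll(io.LimitReader(zr, 1<<20)) // cap output: the sender is not yet verified
	if err != nil {
		return nil, err
	}
	if len(inner) < sender.Size() { // an RSA-PSS signature is exactly one modulus long
		return nil, fmt.Errorf("body too short to hold a signature")
	}
	sig, msg := inner[:sender.Size()], inner[sender.Size():]
	digest := sha256.Sum256(msg)
	if err := rsa.VerifyPSS(sender, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, fmt.Errorf("sender authenticity check failed: %w", err)
	}
	return msg, nil
}

func main() {
	x, y := NewUser(), NewUser() // hypothetical sender X and recipient Y
	env := Seal([]byte("Quarterly results attached; do not forward."), x, &y.PublicKey) // constructed sample
	got, err := Open(env, y, &x.PublicKey)
	fmt.Printf("recovered %q (err=%v)\n", got, err)
	env.Ciphertext[0] ^= 0x01 // one byte flipped in transit
	_, err = Open(env, y, &x.PublicKey)
	fmt.Println("after tampering:", err)
}
```

Run it with `go run`; the first line prints the recovered message, the second shows the integrity error produced by the flipped byte. Because the signature is verified only after decryption and decompression, anyone holding Y's public key can send Y a message that must be decompressed before it can be rejected, which is why the decompressed size is capped.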
APPENDIX I  Security Policy: (Overview)

1.1 Goal: Secure and maintain company integrity, assets and personnel with minimum disruption to core operations.

Updates: The security department will facilitate semi-annual meetings to update this policy. Feedback will be solicited from each department.

Manufacturing Facilities:
2.0 Network assets (listed)
2.1 Human Resources
2.2 Research and Development
2.3 Engineering
2.4 Corporate Management

3.0 Roles: Each role is defined by task definitions and detail, education and training requirements, certification requirements, particular compliance requirements (fire safety, OSHA, HIPAA, Sarbanes-Oxley, etc.), and pay and benefits scale, all maintained by the HR department.

Security Levels: Each role implies at least two security levels, (Role - A) and (Role - B). The "A" level is used for an employee who has completed the six-month evaluation period required for the role. The role definition for each department specifies which functions a "B" level employee may complete alone and which must be completed under the oversight of an "A" level employee in the same role, for example creating or deleting corporate folders for data storage, or creating, moving or modifying corporate data. The actual role detail is developed by the management of the particular department and maintained by the Human Resources department. Corporate management develops the Management Level I and Management Level II roles. See Appendix III for a matrix of roles.

4.0 Security Breach:

The list of information assets that require protection, and the level of protection, is negotiated between the department heads and the Security department after the risk analysis has been completed by the management team with the facilitation of the Security department. A security breach may or may not involve the actual release of information. Logs for each security measure are one of several sources used to discover a security breach; they are only useful if they are retained, protected from alteration, and actually reviewed. In the event of a security breach, specific actions are to be taken, and they differ for each type of breach. Details are enumerated in the Security Policy.

For example, if a breach of Personally Identifiable Information (PII) occurs, the response team completes a specific process. PII refers to information that can be used to distinguish or trace an individual's identity, e.g. name, social security number, date and place of birth, etc. The process, in brief, is:
1) Notify Security and your department manager.
2) Complete a report containing:
   a. Date of incident
   b. Number of individuals impacted
   c. Their status: Government / Military / Civilian
   d. Description of the incident, including the circumstances of the breach, the type of information lost or compromised, and whether the PII was encrypted or only password protected (password protection on a file is not the same as encryption and should be recorded as such).
3) The Security department completes the process with the corporate Legal team, depending on the actual incident. State laws differ on notification requirements; therefore the actual response may differ depending on where the incident occurred.

The process for a HIPAA information breach is somewhat different and is spelled out in the policy as well.
APPENDIX II  Vulnerability Assessment

The table below shows the results of an assessment of the kind that may be completed by an outside consulting firm. It should be repeated periodically as improvements are made. This type of security audit or assessment is often required by Government contracts. It is presented for illustration only; an actual list would depend on the particular network / implementation being assessed.

Finding 1: Server located in unlocked room.
   Vulnerability analysis: Physical access by unauthorized persons.
   Business impact: Potential loss of CIA for the email system through physical attack on the system.
   Mitigation: Install hardware locks with a PIN alarm system (risk is reduced to an acceptable level).

Finding 2: Software is out of date.
   Vulnerability analysis: This version is insecure and has reached end of life from the vendor.
   Business impact: Loss of CIA for the email system through cyber attack.
   Mitigation: Update system software (risk from the known vulnerabilities is removed; ongoing patching is still required).

Finding 3: Firewall weak or not properly implemented. DMZ protection is needed because of the network risk of intrusion.
   Vulnerability analysis: Exposure to the Internet without a firewall increases the cyber threat.
   Business impact: Loss of critical data possible. Potential catastrophic impact.
   Mitigation: Move the email server into a managed hosting site (operational risk is transferred to the hosting organization; accountability for the data remains with the company). Conduct architecture review and penetration testing, and resolve network weaknesses through improved network / firewall design and implementation.

CIA = Confidentiality, Integrity, or Availability
Appendix III  Roles matrix and Organization Chart

ROLES (used for security authorization purposes). Each role carries the A and B security levels (A&B) defined in Appendix I. Columns: Management Level I (ML-I), Management Level II (ML-II), Project Manager (PM), Subject Matter Expert (SME), Operator Class I (Op-I), Operator Class II (Op-II), Supervisor (Sup), Compliance (Comp). X = the role may be allocated in that department; - = not allocated.

DEPARTMENT                   ML-I  ML-II  PM  SME  Op-I  Op-II  Sup  Comp
Human Resources               -     X     X   -    X     X      X    X
Research and Development      -     X     X   X    X     X      X    X
Engineering & Technology      -     X     X   X    X     X      X    X
Corporate Management          X     X     X   -    X     X      X    X
Marketing & Sales             -     X     X   -    X     X      X    X
Finance & Accounting          -     X     X   X    X     X      X    X
Manufacturing & Operations    -     X     X   X    X     X      X    X
IT Security & Architecture    X     X     X   X    X     X      X    X
Information Technology        -     X     X   X    X     X      X    X
Documentation & Training      -     X     X   X    X     X      X    X

The matrix (above) outlines potential allocations of roles within departments for security level authorizations and does not indicate actual assignments.

The organization chart (below) represents the philosophy of having the IT Security department manage the IT department, whereas in traditional organizations this may be reversed, or there are two competing organizations sometimes performing similar operations.

Corporate Management
   Marketing & Sales
   Engineering & Technology
   Manufacturing & Operations
   IT Security & Architecture
      Information Technology
   Finance & Accounting
   Human Resources
Second tier, also shown on the chart: Research & Development; Documentation & Training.