‘Web-Tech Home Improvement’
An Analysis of the Information Security Infrastructure
For an E-Commerce Home Improvement Company.

SE571 – Term Project
Course Project
Final Report

Chris McCoy
Keller Graduate School of Management
DeVry University
3/13/2007




SE571 - Course Project

Presentation to the Board of Directors – WTHI (Web Tech Home Improvement)

Members of the Board, it is a pleasure to address you today on the subject of Corporate Information Security. As you may be aware, the security of information here at WTHI is critical to the company’s ability to maintain its competitive advantage as a Domestic Supplier of Home Improvement Fixtures. Today, we are proud to lead in our market by way of a strategic sales channel that allows our customers to receive their home improvement items faster than they would from our other online competitors.

I would like to share with you a quote from the recent InfoSec conference held in Florida at the end of March, “Attackers probably have less interest these days in bringing down large numbers of computers than exploiting the data in them for financial gain, said Doug Sweetman, senior technology manager in corporate information security at Boston financial services firm State Street.”1 (As cited in Network World, 2007)


These words from Mr. Sweetman should be considered our call to arms to improve the current state of our corporate security. It is a loud and powerful wakeup call that we cannot ignore. In order to maintain our competitive advantage, expand our marketing channels and improve upon our abilities for future growth, we must first consider the improvement of those safeguards necessary to protect our vital technological resources: our four distribution centers, supply chain systems, our e-commerce database information and our datacenters, containing the equipment needed to support the transactions from which we generate and grow revenue via our most powerful resource, the World Wide Web. The data exploited for financial gain, as mentioned in the quote from ‘InfoSec’, is our financial and transactional e-commerce data. This data is the vital link between us and our customers. It is at the heart of our competitive edge. The key to keeping that link strong is maintaining a powerful, secure, well monitored environment where our physical and information assets are protected in an ongoing process. We have made great strides, but the time to take great action is now.

1 Messmer, E. (2007, March). Net security experts share tips. Network World, 24(12), 1,10. Retrieved April 5, 2007, from ABI/INFORM Global database. (Document ID: 1247736921).


This report will discuss the current status of our physical and information security infrastructure and the steps we must take to improve these systems to better protect our data and maintain our leadership position in the ‘Home Improvement Appliance’ market.


There are 2 major components that make up the security of our information enterprise. First is the physical security of our 4 locations. Our ability to perform adequate video surveillance and access control at each of these sites is critical to protecting our information and physical assets. Second is the protection of our data, databases and complete information systems infrastructure. Finally, a third component is necessary to tie these two items together: Increased Bandwidth and Restructuring of our Wide Area IP Network. Such an increase will allow us to support the need for additional bandwidth and security required by the new technologies introduced later in this report.




Following a comprehensive analysis of the security here at WTHI, we have determined that the existing security infrastructure must be improved if we are to continue our competitive advantage. To ignore this critical need could cost us this leadership position in the market or worse, compromise the integrity and security of our data. A recent report from our CFO indicates that the company’s current e-commerce revenue averages $45,000.00 per hour. In the event our e-commerce capability is interrupted due to a security breach, we will lose $750.00 per minute in revenue. Most of this revenue will go to one of our competitors: either traditional ‘brick and mortar’ (physical) store locations such as “Home Depot”, “Lowe’s”, “True-Value Hardware”, “Sears”, and “The Home Expo Center”, or Web-based e-commerce competitors such as “Fixture Universe” (www.fixtureuniverse.com) and “Finestfixtures.com” (www.finestfixtures.com). With every minute of lost revenue comes a lost minute of competitive advantage as we come one step closer to losing our market share in the online home improvement market. With our current Information Technology and Information Security infrastructure, there is no question as to whether we will suffer an outage. It’s simply a matter of when. The purpose of today’s presentation is to show you where we are, where we need to be, and what we need to do to get there in terms of a Capital Investment in the Security of our Physical and Informational Assets.


Though the picture painted here is not pretty, there is good news. The proposed plan of Security for WTHI has a very short ROI. Approximately 10 hours of revenue will pay for the required improvements to our infrastructure. Every 3 hours of revenue will pay for 1 year of WAN service, and 1 hour of revenue will cover more than 2 years of technical support on every piece of equipment shown in today’s presentation.


To begin our presentation, we will look at the physical security in place at all four of our distribution centers. Today, the buildings in our Washington DC, Los Angeles, Dallas, and Chicago offices are all secured via ‘Acme Security’, a vendor we selected 3 years ago to provide on-site security guards and camera monitoring. Today, these security guards continue to work hard to meet the Service Level Agreements of our contracts, but these SLAs are no longer sufficient to provide WTHI with a system capable of keeping our Datacenters safe from intrusion and theft.


There are two major technology components in the Physical Security Plan:

1. Physical Access Control to the Building perimeters, parking lot, front door, loading dock, elevators and specific internal areas such as the Warehouse and Computer room where access should be restricted. A need to control access using individual employee badges is identified below.

2. Closed Circuit Video Camera Surveillance of the critical access areas including the main entrance, parking lot, lobby, computer room, loading docks, and inside warehouse.






The diagram below shows the current state of the camera surveillance and physical perimeter access control (none) in place and identifies areas where security weaknesses exist.




This diagram identifies four weaknesses in our current facilities security plan:

1. There is no way to track who is in the building at any given time of the day.

2. The Camera System reports to a local camera monitor and is recorded locally to video tape, but each tape only holds 8 hours of video. Should the guard forget to change tapes, there will be no record kept of the security video.

3. The Data Center Doors and Perimeter Doors offer no way to limit entrance into critical areas such as the Data Center.

4. The camera systems are antiquated and need to be replaced. Identifying minor details in the video image is difficult.

A security solution is required to mitigate the risk of an intrusion into our buildings and theft of our information systems and assets.


A network-based video solution is recommended to help better manage the perimeter access to all four of WTHI’s facilities. In an article from the “Journal of Housing and Community Development” the important value of investment in such a system is highlighted, as Stennett and Wren (2006) observe, “By supporting access control and other systems, network video can improve their effectiveness and even generate additional return-on-investment on those technologies.”2

Technology Solution

With a digital video system, smaller PTZ analog video cameras will record continuously to a digital video recorder where their signal format is transformed from analog to digital, then stored on a large hard drive and transferred to the central Chicago security center’s main DVR unit. This recorder will offload its digital video across the network to a central server in the Chicago Office once the digital recorder reaches 70% capacity. The additional 30% is planned ‘overhead’ digital storage capacity that will allow the recorder to continue to capture video in the event of a network outage where the regular transfer of footage cannot be completed at its scheduled time.

2 Christopher A Stennett, Andrew Wren. (2006, November). TECHNOLOGY AND SAFETY: How Network Video Can Help Increase Security at Public Housing Authorities. Journal of Housing and Community Development, 63(6), 28-30,32. Retrieved March 12, 2007, from ABI/INFORM Global database. (Document ID: 1183865131).








The following diagram provides a visual representation of the proposed video solution:

Note that the Camera system can now be monitored locally and remotely. The digital capability allows deeper analysis of the video with more sophisticated analysis tools in order to identify intruders and unauthorized access.







Cost information for proposed solution:

Solution                Digital Video
Vendor info             Vicon Systems                           Alternative Security
Cost info               4 DVRs @ $8,000.00 ea = $32,000.00      (4) 9-camera complete systems
                                                                w/cameras and DVRs @ $2,699.00 ea
                                                                = $10,796.00
                        36 PTZ Cameras @ $463.85 ea             n/a (included above)
                        = $16,698.60
                        Central Console $1,352.65, joystick     Central Console $1,352.65, joystick
                        control unit: $200.00 = $1,552.65       control unit: $200.00 = $1,552.65
Digital Video Archive   EMC Clariion Ax (500 Gb expandable      EMC Clariion Ax (500 Gb expandable
                        archive) $6,000.00                      archive) $6,000.00
Total Cost - Video:     $56,251.00                              $18,348.65




A diagram of the proposed DVR Centralized monitoring system is shown below:








As shown in the diagram above, camera footage is recorded locally into a DVR (Digital Video Recorder) unit. Each unit at each office is connected via the local area network and managed using a fixed IP address. Once the unit is configured with its IP information, it can communicate with the Master Control unit in Chicago, where it offloads video to a central storage device as shown above. The device will archive video for a predetermined time so it can be accessed later if needed for legal review.






Physical Access to Buildings and Facilities







The second major component of physical security at WTHI is the physical access control to all WTHI’s buildings. The current model of physical access control consists of a security guard seated at the main security desk in the lobby of each of our four locations. This guard asks all employees to show a badge. He/She also asks visitors to sign in on a ledger and show a valid ID such as a driver’s license or military ID. Once ID is verified, the security guard issues a sticker with the word “visitor” and the current date. There is nothing more than a visual indicator that the visitor has had his/her ID checked at the front desk. There is also no policy requiring visitors to sign out. We really don’t know when they come and go, only the date they were at our office.

Fortunately, technological advances in building security systems will allow us to move forward with a new system that will provide WTHI with an elaborate means for tracking employee and visitor movement throughout the building. This new system will involve issuance of a new employee badge for every employee at each site. The badge will have the Company logo, employee name and picture as well as the employee ID number. The badge will contain a small electronic chip called an RFID chip. A special device designed to read the information from this chip (called a badge reader) will be installed at every perimeter access point in each location. An additional badge reader will be installed in the elevator and on the outside main entrance door to validate after-hours and weekend access. These readers will have a keypad, which will verify the employee’s company-issued PIN. The employee will hold the badge a few inches from the reader. The reader will beep and a small display window will prompt the employee to enter his/her PIN. When this is verified, the reader will either grant or deny access to the employee. When access is granted, the reader sends a message to the control panel to unlock the door. If the employee’s access is denied, the door will remain locked. Note that not all employees should be given access to all areas. For example, warehouse employees have no need to enter the data center; however, an IT employee may need to enter the warehouse to fix a PC for shipping and receiving. Employees will be trained in the use of badge reader systems. Additional fingerprinting and training will be required for warehouse employees, as the warehouse perimeter access units will have an additional biometric fingerprint reader. Employees will be encouraged to enter all doors one person at a time. Holding doors for others is discouraged by security, and can be tracked on the camera system. Should a security officer observe an employee allowing others to enter through the same door, the manager of the employee who swiped his/her badge at that particular door will be contacted and notified of the event. Repeat violations will be reported to HR.


The diagram below shows placement of access point badge readers for all critical access areas:






Cost Information – Badge Access System

Due to limited pricing availability of components, a mixed solution cost from 2 vendors is shown:

Solution                             Perimeter Badge Access Control
Vendor info                          Software House Ccure Badging System $1,000.00 (4) = $4,000.00
Cost info                            Control Panels $450.00 (8) = $3,600.00
                                     ACTAtek badge readers $790.00 (26) = $20,540.00
                                     ACTAtek Fingerprint and HID ProxI/II Combo badge and
                                     biometric readers $1,590.00 (8) = $12,720.00
                                     Door Strikes - $175.00 (32) = $5,600.00
                                     Door Relay units - $179.00 (32) = $5,728.00
Total Cost - Badge Control System    $52,188.00




Central Control of Panel Access

Occasionally, a badge may need to be enabled or disabled or have its access level changed. Should such a request arise, the change is made centrally from the Chicago Security Center. Below is a diagram showing the connectivity of the panels into the central control facility.
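The grant/deny decision described for the badge readers (badge, PIN, per-area access, fingerprint at the warehouse) and the central enable/disable described in this section can be modelled as follows. This is an added example, not part of the original report or of any vendor's software; the class names, area names, PBKDF2 PIN hashing and the opaque fingerprint reference are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Areas whose readers also require a fingerprint; the report names the
# warehouse perimeter. The area names themselves are assumed labels.
BIOMETRIC_AREAS = frozenset({"warehouse"})


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Keep a salted, stretched hash of the PIN rather than the PIN itself."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class Badge:
    employee_id: str
    salt: bytes
    pin_hash: bytes
    areas: frozenset                        # areas this employee may enter
    fingerprint_ref: Optional[str] = None   # enrolled template (assumed opaque ID)
    enabled: bool = True                    # changed only from the central console


@dataclass
class ControlPanel:
    badges: dict = field(default_factory=dict)   # badge_id -> Badge
    log: list = field(default_factory=list)      # every attempt, granted or denied

    def enroll(self, badge_id, employee_id, pin, areas, fingerprint_ref=None):
        salt = os.urandom(16)
        self.badges[badge_id] = Badge(employee_id, salt, hash_pin(pin, salt),
                                      frozenset(areas), fingerprint_ref)

    def set_enabled(self, badge_id, enabled):
        """Central change: enable or disable a badge."""
        self.badges[badge_id].enabled = enabled

    def request(self, badge_id, pin, area, fingerprint_ref=None):
        """Return (granted, reason) and record the attempt for later review."""
        granted, reason = self._decide(badge_id, pin, area, fingerprint_ref)
        self.log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "badge": badge_id, "area": area,
            "granted": granted, "reason": reason,
        })
        return granted, reason

    def _decide(self, badge_id, pin, area, fingerprint_ref):
        # Every failed check returns a denial, so the door stays locked by default.
        badge = self.badges.get(badge_id)
        if badge is None:
            return False, "unknown badge"
        if not badge.enabled:
            return False, "badge disabled"
        if not hmac.compare_digest(hash_pin(pin, badge.salt), badge.pin_hash):
            return False, "bad PIN"
        if area not in badge.areas:
            return False, "area not authorized"
        if area in BIOMETRIC_AREAS:
            if badge.fingerprint_ref is None or fingerprint_ref != badge.fingerprint_ref:
                return False, "fingerprint mismatch"
        return True, "granted"


def build_sample_panel():
    """Constructed sample data: one warehouse employee, one IT employee."""
    panel = ControlPanel()
    panel.enroll("B-1001", "E-17", "4821", {"lobby", "warehouse"}, "fp-17")
    panel.enroll("B-2002", "E-42", "9034",
                 {"lobby", "data_center", "warehouse"}, "fp-42")
    return panel


if __name__ == "__main__":
    p = build_sample_panel()
    print(p.request("B-1001", "4821", "data_center"))       # warehouse staff at the data center
    print(p.request("B-2002", "9034", "warehouse", "fp-42"))  # IT staff fixing a warehouse PC
```

Because denied attempts are logged alongside granted ones, the same record supports the report's goal of knowing who tried to enter which area and when.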








Physical Security Plan Purchase and Contract Requirements including SLAs

The implementation of this 2 part solution will be a combined integration project for IT and a selected vendor. Required actions to complete the implementation of this solution include:

1. Negotiate purchase price (based on cost information included above) for all equipment including cameras, collection units, and central monitoring equipment to be located in the Chicago Data Center. A total of four separate computer ‘badging’ systems with encoding capability must be purchased (one for each location). A digital fingerprint component is also required for fingerprinting employees (to be used with the biometric readers installed on the warehouse doors.)






2. Negotiate inclusion of technical support contract at a 20% discount based on volume of equipment purchased, to cover equipment at all sites, including cameras, collector systems, and central monitoring station equipment.

3. Negotiate discount on tech support contract based on volume purchase for all badge control system equipment including door locks, badge readers, control panels.

3. Wiring contractor to complete the installation and wiring of all cameras and systems in the four office locations.

4. Wiring contractor to complete wiring of badge control system including door locks, readers, and control panels, including central control system at Chicago security office.

5. Separate purchase of a Storage Area Network device to archive at least 3 months of data. This purchase will also require a technical support contract to cover hardware and software support for management of the device.

6. Negotiate the inclusion of a separate alarm system, as a part of the badge access system purchase, to monitor the Warehouse loading dock and perimeter doors. An insurance clause should be included to protect all warehouse assets against loss due to theft. The SLA for this contract should involve a maximum response from the monitoring company of 10 minutes and an immediate call to local police when no response is received from the local warehouse manager within 10 minutes.

7. SLA: Technical Support contracts for the Video and Badge Systems:

a.) Video System equipment failure: Onsite 24/7 support, technician on site within 4 hours of reported failure, 24 hour hardware replacement for any failed component at any site. In the event of a DVR failure, where no video is captured, a 3rd party security company will be contracted to provide security officers to patrol the entire location and watch perimeters and warehouse activity until the replacement DVR is delivered and set up.






b.) Badge System equipment failure: Onsite 24/7 support, technician on site within 2 hours of reported failure, 24 hour hardware replacement for failed component at any site.

Additional requirement – Door lock open failure will be monitored by a 3rd party security company. An armed guard will be dispatched on site to physically monitor the door where the badge reader/lock has failed and is open (door cannot be locked due to system failure). An example of a company that provides this service is “Securitas” http://www.securitasinc.com/

8. Contractual Penalties: WTHI’s legal department will negotiate an equitable settlement figure based on the contract amount for each contract. This penalty amount will be consistent with industry rates for contractual breach. Each vendor failing to meet the full requirements stated in the negotiated contract will be subject to further legal action.


WAN Firewall Infrastructure (Existing):

One of our key security vulnerabilities is founded in the way our offices communicate across the wide area network. Twelve years ago, this network was considered cutting edge, and served a great purpose in transacting business communication between the offices. Today, it is a limitation to our continued revenue growth, tied directly to the security of our data. This must change if we are to continue to grow our revenue in a secure environment while maintaining a state-of-the-art electronic supply chain management with our vendors and partners.







A diagram containing the current wide area network configuration is shown below.








As indicated in the above diagram, each site has its own firewall connected to a local ISP circuit/ISP router configuration. The connectivity from each site to the main Chicago Datacenter site is via an encrypted tunnel. The firewall in each site consists of a PC-based installation of “Raptor” firewall (which was later purchased by Symantec). The PCs have 3 network adapters: one internal, one external and one ‘DMZ’. Every time a virus outbreak occurs in an office, the firewall crashes and Internet access goes down. Symantec has pushed the company to upgrade to a hardware-based firewall ‘appliance’, but today, this solution will not meet the requirements of our fast-paced electronic commerce model of business on the Internet.

The proposed new infrastructure will eliminate individual firewalls, ISP circuit connections and tunnels. A new solution will incorporate a centralized private WAN solution using newer MPLS technologies from one of the major telecommunications providers, such as Sprint, MCI, SBC, or Verizon. This change to the WAN is central to the successful implementation of a new security protocol within WTHI. The need for the WAN upgrade is also based on expanded bandwidth requirements due to the additional technology solutions introduced in this report (digital video and perimeter access control traffic) to ensure a more secure and rapid transfer of data between sites.






A diagram of the proposed WAN solution is shown here:







The use of a private, managed VPN architecture such as an MPLS WAN holds the benefit of creating a larger bandwidth, better protected solution without the overhead of decentralized firewall management and unsecured individual ISP circuits. The proposed WAN upgrade is an essential core component of the Corporate Security Plan. The upgrade will require higher bandwidth capability on the local office WAN circuits in order to allow the network to carry the additional traffic loads generated by the added video and badge access solutions and also the replication of Antivirus updates.

The data traversing the new WAN must also co-exist with regular replication of the e-commerce database between the Chicago and Dallas sites. This replication must be completed regularly to provide a failover solution for business continuity, should a disaster strike the Chicago region.







This upgrade will also pave the way for a major e-mail migration from Microsoft Exchange 5.5 to Microsoft Exchange 2003. This migration is needed in the near future to tighten security of e-mail data by centralizing control of the e-mail server in the Chicago Data Center.

The contract and requirements for this upgrade are as follows (cost information follows):

1. Negotiated contract with a major telecom provider such as AT&T, SBC, SPRINT, or VERIZON to provide such MPLS VPN Service at the corporate level to support all four sites.

2. Purchase of new circuits through this same provider. The recommendation is a primary 10Mbps *Partial DS3 and 4 bundled T1s as backup circuits for Chicago and Dallas, and a primary bundled 4-T1 (6MB) circuit with dual ISDN 128kbps backup circuits for Los Angeles and Washington, DC.

Note: Partial DS3s should have a ‘burstable’ option included in the contract. This means that the Network Operations Center will have the capability to monitor bandwidth utilization following the implementation of all new services. If the bandwidth utilization is maxed into ‘burst’ capacity, then a consideration for increasing the available bandwidth should be initiated. If it is determined that the largest partial DS3 option cannot provide sufficient bandwidth, then an upgrade to a full DS3 (*full T3) should be considered.

3. Purchase of 2800 Series Cisco Routers to support the configuration required of the circuits at each of these sites.

4. Network Engineering will need to create new routes at each Core switch to match the new MPLS Network Routes.

5. SLA requirements: Because WTHI runs its e-commerce enterprise on a 24/7 basis (though Shipping and Receiving are handled only during regular business hours), system downtime would produce a negative impact to revenue channels. Accordingly, an upgrade to the new system should be negotiated as follows:

a) 20 minute Tech Support Escalation Heuristic (each 20 minutes of downtime requires escalation).

b) For outages greater than 1 hour at either primary site (Chicago or Dallas), a full compensation of monthly circuit charges pro-rated based on the time of the primary circuit outage, plus full payment of monthly charge on the 4 T1 backup circuits.

c) For outages greater than 1 hour at either Secondary site, full payment for ISDN charges incurred on backup circuits for the entire duration of the outage.

d) Legal recourse (right to pursue legal action) for any loss of data or revenue due to outages lasting greater than 3 hours. (Note, this would not pertain to tape backup data as all tape backups are done locally.)







The importance of a WAN architecture upgrade is highlighted in the following drawing, which displays the

business traffic as it is used by the new WAN.










Cost of WAN Solution:







Solution                     WAN - MPLS Service and broadband circuits
Vendor info                  telcoIQ                                   usa access
Cost info                    $400.00 per month per site -              not available
                             $1,600.00 per month for all 4 sites
Total Cost per month         $1,600.00 per month                       n/a

Circuits                     DS3 - partial circuits and T1's
Vendor info                  telcoIQ                                   usa access
Cost info                    $1,250.00 per month (6Mb)                 DS3 full 1,500 per month
                             4 bundled T1's
Total Cost per month         $2,500.00                                 4,500.00 - 6,000.00

Total Telecom Data Circuit Charge for all sites per month:             $8,500.00

Cisco 3725 Multiservice WAN Routers:
6500.00 x (5) (two are needed in Chicago)                              32,500.00

Total WAN investment for all sites, per month:                         $10,100.00

Total WAN ROUTER Purchase:                                             32,500.00




Central Chicago Internet Gateway


With the upgraded WAN, the individual firewalls at each site are replaced with MPLS routers and Intrusion Detection System ‘taps’. These taps are connected to an IDS server that contains sensor software used to analyze potential attacks on the system and send alerts to the IT (Security) staff. The Internet access model is changed from individual site access to centralized access through the Chicago Gateway. This gateway consists of a load-balanced, high-traffic firewall solution designed to control individual site Internet access traffic, DMZ traffic for supply chain management, and external e-mail traffic. Traditionally, traffic from each site would traverse the public Internet across a VPN tunnel. The new model uses a private MPLS ‘cloud’ to move all traffic to and from Chicago.




The new Internet Gateway diagram is shown below:








Selection of Vendors: Switches, Routers, Firewalls, IDS


1. Switches and Routers


The company’s corporate IT standard is Cisco Systems. Because of the current 5 year blanket support contract and the track record with Cisco (almost no hardware failure in 5 years), IT feels strongly about continuing the relationship with Cisco Systems as our router and switch vendor.




2. Firewalls


Due to the high level of traffic that will cross the firewall infrastructure, the former firewall technology, consisting of “Raptor” software installed on a PC with multiple network interface cards, is no longer sufficient. The Raptor software is no longer supported and our company’s support contract has expired. A new firewall solution is needed. A full-featured firewall server capable of handling high volumes of traffic throughput is required to support the new centralized firewall and Internet gateway solution.


Cost Information for Firewalls and Routers to support the Internet Gateway:


Solution                   Firewall
Vendor info                Nokia                              SonicWall Pro
Source: securehq.com       IP 560 with Checkpoint FW-1        Sonic Wall 5060f
Cost info                  $16,000.00                         $10,371.00
Total Cost - Firewalls     $16,000.00                         $10,371.00




3. IDS (Intrusion Detection System)

According to an article by Cavusoglu, Mishra, and Raghunathan (2005), “In the IT security context, preventative controls such as firewalls, aim to develop a shield around IT systems to secure them from intrusions. Detective controls such as IDSs try to detect intrusions that have already occurred. Because complete prevention of intrusions is unlikely, detective controls have become an important element in a firm’s overall security architecture.”3

WTHI has never implemented any means of detecting intrusion into its information systems. This means that the potential for lost revenue and data is high. To mitigate any further damage due to possible intrusion, a detection system is needed for better monitoring of the corporate networks and information assets.


Cost Information for IDS:




3 Cavusoglu, H., B. Mishra and S. Raghunathan. (2005). The Value of Intrusion Detection Systems in Information Technology Security Architecture. Information Systems Research, 16(1), 28-46. Retrieved April 6, 2007, from ABI/INFORM Global database. (Document ID: 836085061).







Solution             Intrusion Detection
Vendor info          Enterasys Dragon Sensor                      Juniper IDP 200 Security Appliance
Cost info            $15,000.00 x 5 = $75,000.00                  $16,000.00 x 5 = $80,000.00
                     ethernet taps (560.00 ea) x 6 = $3,240.00    ethernet taps (560.00 ea) x 6 = $3,240.00
Total Cost - IDS     $78,240.00                                   $83,240.00




Service Level Agreement:

For the intrusion detection system, a negotiated 24/7 technical support contract will cover support of the

software application running on the IDS servers. A 24 hour hardware replacement should be included in

this contract. As IDS is a critical component of protecting the e-commerce enterprise, downtime could

indirectly impact revenue in the form of an undetected intrusion resulting in a compromise of protected

data.


VPN/Remote Access


The current Remote Access solution in place is a Microsoft VPN client-based solution. Examination of the existing authentication system has revealed a significant security weakness that will allow a hacker to guess a username and password to gain access to corporate resources. A more complex solution is required to ensure that VPN client connections are limited to authorized personnel only. The diagram below shows the current VPN remote access model.

Note: One positive preventative security measure was the retirement of RAS dialup 2 years ago. A VPN session independent of a direct dialup modem is required to access the system.




Current Remote Access using Microsoft PPTP Client

The current model for remote access is the Microsoft VPN Client using PPTP encrypted authentication. While this method of access provides a secure channel, username and password information is not well protected. Should a hacker identify the proper IP address of the PPTP server, all he/she needs is a valid username and a guessed password. A better solution is required to prevent a potential security breach via the VPN client, and one is available in the Cisco VPN client. This solution will allow WTHI to leverage a combined access solution that protects password security through use of a ‘SecurID’ token. The token is assigned to each VPN user account, and contains a unique number that changes every 30 seconds. To authenticate on the VPN using the Cisco client, the user enters a username and password and, in the password field, the additional number shown on the ‘SecurID’ token. The randomization of this number makes it almost impossible for a thief to guess the password.
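
The password-plus-token check described above, as an added example that is not part of the original report. It uses the public RFC 6238 TOTP algorithm with a 30-second step as a stand-in, since RSA's SecurID algorithm is proprietary; `VpnAuthenticator`, the six-digit code length and the sample account are assumptions made for illustration.

```python
"""Two-factor VPN logon: password followed by the token's current number."""
import hashlib
import hmac
import os
import struct

STEP_SECONDS = 30   # the report's token shows a new number every 30 seconds
CODE_DIGITS = 6     # assumption: six-digit display


def token_code(seed: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 (public algorithm, not RSA's own)."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class VpnAuthenticator:
    """Hypothetical server-side check for 'password + token code' logons."""

    def __init__(self, drift_steps: int = 1):
        self.drift_steps = drift_steps   # tolerate +/- one step of clock drift
        self._users = {}

    def enroll(self, username: str, password: str, seed: bytes) -> None:
        salt = os.urandom(16)
        self._users[username] = {
            "salt": salt,
            "pw_hash": _hash_password(password, salt),
            "seed": seed,           # shared secret, also held by the token
            "last_counter": -1,     # highest time step already accepted
        }

    def verify(self, username: str, password_field: str, now: int) -> bool:
        user = self._users.get(username)
        if user is None or len(password_field) <= CODE_DIGITS:
            return False            # unknown user, or no token code appended
        password = password_field[:-CODE_DIGITS]
        code = password_field[-CODE_DIGITS:].encode()

        pw_ok = hmac.compare_digest(
            _hash_password(password, user["salt"]), user["pw_hash"])

        current = now // STEP_SECONDS
        matched = None
        for counter in range(current - self.drift_steps,
                             current + self.drift_steps + 1):
            if counter <= user["last_counter"]:
                continue            # step already used: a replayed code fails
            expected = token_code(user["seed"], counter * STEP_SECONDS).encode()
            if hmac.compare_digest(expected, code):
                matched = counter

        if pw_ok and matched is not None:
            user["last_counter"] = matched
            return True
        return False


if __name__ == "__main__":
    seed = b"12345678901234567890"   # constructed seed (RFC 6238 test key)
    vpn = VpnAuthenticator()
    vpn.enroll("jsmith", "Winter2007!", seed)      # constructed account
    now = 59
    print("password only:        ", vpn.verify("jsmith", "Winter2007!", now))
    print("password + wrong code:", vpn.verify("jsmith", "Winter2007!000000", now))
    good = "Winter2007!" + token_code(seed, now)
    print("password + token code:", vpn.verify("jsmith", good, now))
    print("same code replayed:   ", vpn.verify("jsmith", good, now + 2))
```

A correctly guessed password is no longer sufficient on its own, and a captured passcode cannot be reused once its time step has been accepted.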

The diagram shown below illustrates the current model of remote client VPN authentication using the

traditional Microsoft VPN system. The second diagram shows a proposed implementation of the Cisco and

SecurID solution.







Proposed Remote Access using Cisco VPN Client:








Service Level Agreement:

For this implementation, two technical support contracts are needed. The first will cover the Cisco VPN solution, and the second will provide support for the ‘SecurID’ token-based solution. The need for Remote Access VPN is secondary to protection of the physical enterprise and data center. Should a problem arise with the VPN, traveling employees have a backup e-mail solution in Outlook Web Access. This means that downtime of the VPN will not directly or indirectly impact revenue. IT staff at the Chicago data center work in a rotating 24 hour shift, so there is always a group of technicians on site, meaning a VPN access outage would not prevent the IT staff from resolving an issue remotely. Therefore, a downtime of the VPN for up to 8 hours is acceptable. WTHI holds a blanket support contract with Cisco to cover all existing routers and switches. The new VPN router will be added to the existing support contract. A negotiation with the SecurID token provider (probably RSA/EMC) will incorporate a replacement policy on hardware of 24 hours.






Cost Information: VPN Software, Access Token System and VPN Router




Solution                               Cisco VPN
Vendor info                            Cisco
Client Access License 40.00 (500 users)                 $2,000.00
Cisco 7204 VXR VPN Router                               $6,000.00
Total Cost - Cisco VPN                                  $8,000.00


Solution                               SecurID Fobs
Vendor info                            RSA                                    CryptoCard
Cost info                              $45,000.00                             $68,000.00
                                       Authentication Manager Enterprise      Windows Starter Kit $500.00
                                       License: $50,000.00
Total Cost - Authentication Tokens     $95,000.00                             $72,000.00




Policy Changes with regard to resources and users:

The next several policy changes do not involve any purchase cost. However, they do require man-hour cost

to implement, using the existing IT Equipment in WTHI’s Active Directory Domain Architecture. The first

drawing shows the high level view of WTHI’s Active Directory Groups running on Windows 2000

(Windows 2003 is not an upgrade consideration for this project).








The access of these groups to corporate resources on the domain is limited to the needs of their group, in accordance with Microsoft’s Active Directory Best Practices.4


Windows User Account Logon Password Policy


Several resources in the field of ‘password protection’ offer valuable guidance for protecting passwords against ‘cracking’ by hackers attempting to log on to protected resources. The current system in place allows users to choose and keep their passwords indefinitely. A new system is needed. Evidence of the weakness in WTHI’s current approach to password security is highlighted by Munro (2006): “A good password is long and complex - and hard to remember; weak ones are next to useless. They are also expensive to manage. One of the most requested helpdesk services is resetting a password.

We know that the strongest passwords contain non-alphanumeric characters or symbols, are sufficiently long, and do not contain dictionary words. But some non-alphanumerics are a whole lot better than others.”5

4 Microsoft Corporation (2007, April). Securing Windows 2000 Network Resources. Retrieved April 12, 2007 from http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/netres.mspx


Print Server Limitations: For example, the Warehouse group is able to print orders for their warehouse to

any laser printer inside the warehouse, but not to the color printers in the accounting department. The IT

department can print network diagrams to its color printers, but not to the Black and White laser printers in

the Warehouse. The shipping department can print FedEx or UPS reports to printers in its department but

not to those in IT.


Restricting access to printers may seem like a trivial item in the security plan, but it can actually prevent critical errors. For example, if an HR Manager were printing a list of terminations and accidentally selected the printer of a different department (in which several employees who were to be terminated worked), this could create a big problem. Locking down printers to their specific groups helps to prevent such situations from happening. Similarly, salary information for an employee who was to receive his annual review, if printed to the Shipping and Receiving department, might end up in the hands of a co-worker and create confidentiality issues.


File Server Limitations: Restrictions on file shares are needed to limit access, by group, to the data specific to each department. For example, the IT group can access shares on its own folders on the file server, but not order processing or shipping documents. Accounting and Finance can access its tax document files and shares on the file server, but not HR’s folders and documents.



5 Munro, K. (2006). How to crack (almost) any password in less than two minutes: [SURVEYS EDITION]. Financial Times, p. 6. Retrieved April 5, 2007, from ABI/INFORM Global database. (Document ID: 1140500361).






Applications: An Accounting employee can access the Solomon financial server, but this is not accessible

to IT. Troubleshooting an issue on such an application server would require the presence of an accounting

employee.


Network Security at the Router Level (ACL Controls for VLANS)


Often there are scenarios that require the Network Engineering team to lend a hand in securing data channels. An ACL (access control list) on a network router or L3 switch can limit unnecessary traffic and thus reduce bandwidth utilization and the possibility of virus propagation. Cisco (2006) technical documentation on ACLs advises: “In an effort to protect routers from various risks both accidental and malicious infrastructure protection ACLs should be deployed at network ingress points.”6


For example, an ACL blocking TCP port 443 prevents the SQL slammer worm from moving into a subnet

on a network by preventing any traffic using TCP port 443 from passing through the router. Packets that

encounter this ACL are dropped.

The following diagram shows the current core VLAN routed/switched architecture for the Chicago Office

of WTHI. All other offices have a similar core switching architecture.




6 Cisco Corporation (2006). Protecting Your Core: Infrastructure Protection Access Control Lists. Retrieved April 12, 2007 from: http://www.cisco.com/warp/public/707/iacl.pdf






Note: a WAN upgrade is put forward for strong consideration in this report. The resulting change to the local switching architecture is shown in the diagram below.







Proposed router site implementation based on the new WAN framework








The new framework will continue with the same core configuration; however, the new WAN circuits will require router upgrades. The two DS3 circuits in Chicago and Dallas will each require a DSU/CSU unit to bring the DS3 circuit into the Data Center area.


Internet Browsing Limitations


The current Information Security policies do not limit Internet browsing. Employees at all four offices are free to access any website they choose for purposes of browsing the World Wide Web. In the last 2 weeks, several PCs have been infected with viruses. This is becoming more and more of an issue in all 4 offices. Bandwidth is also at a premium. One user was identified streaming NFL highlights videos during work hours. This idea caught on, and soon several employees were streaming video from CNN, NFL.com and “YouTube” to their desktops. According to one IT desktop support analyst, some employees have installed “iTunes” on their PCs and are downloading and playing music at the office. E-mail performance has suffered, and many users have called the help desk to report “poor network performance”. Although the consumption of bandwidth may have been an issue, a virus-infected PC may also be slowing network performance.


Proposed Solution:


Deployment of a web-filtering solution is intended to mitigate potential violations of the company’s ethics

policy regarding proper use of IT resources and appropriate web-browsing.

The deployment of the actual web-filtering device is depicted in the Chicago Internet Gateway diagram

shown previously in this report.


The Legal department has agreed to revise its ethics policy in coordination with the IT department. This revised plan will determine the criteria used to filter websites. Some suggested criteria include pornography, gambling, cookie tracking/info gathering sites, and known phishing sites; more will be added to this list following a full review of the new plan.


A sample screen that a user would encounter when attempting to access a banned/filtered site would appear

similar to the one shown here:








Cost Comparison Information – Web Filter:


Solution                    Web Browsing Filter
Vendor info                 Barracuda Web Filter - model 410           iPrism M1200 Web Filter Appliance
Cost info                   $4,000.00 (1) add 2,000.00 for 1 year      1,000 users, 1 year, $10,010 direct
                            support and updates
Total Cost - Web Filter     $6,000.00                                  $10,010.00




AntiVirus Software and Microsoft Updates


The company’s four sites have never been given a mandate to standardize on a specific anti-virus solution. Each site’s IT department has purchased individual copies of McAfee and Norton antivirus, and is running a mix of both products on the desktops, with purchases occurring on an ‘as-needed’ basis. Although the IT staff has done its best to configure each desktop to automatically update virus definitions, this does not always work. With the WAN being used to back up the corporate database from Chicago to Dallas, there are times when the firewalls get ‘bogged down’ with replication traffic in those sites, and as a result the virus definition downloads often fail due to network congestion. The same problem exists for Microsoft security updates. Desktop computers need to be patched regularly to meet Microsoft security update requirements. To reduce the amount of WAN traffic for Microsoft updates, the IT group will set up a domain-level policy to force each desktop computer to download updates during non-business hours.


A Centralized solution for virus updates will allow WTHI to control Software and Security Patching from

its Chicago Datacenter. This is part of the expanded capability the increased circuit bandwidth and the

MPLS Private Network will provide. A diagram of the proposed solution is shown below:







Cost Comparison – Enterprise Level Antivirus:




Solution                      Corporate Antivirus
Vendor info                   Symantec (Norton) Enterprise Edition        McAfee "Active Virus Defense"
Cost info                     1000 licenses                               1000 licenses
                              $60,800.00                                  $55,090.00
Antivirus Server Hardware     (3) Dell PowerEdge 1950 and one             (3) Dell PowerEdge 1950 and one
                              Dell PowerEdge 2650                         Dell PowerEdge 2650
                              $10,000.00                                  $10,000.00
Total Cost - Antivirus        $70,800.00                                  $65,090.00




E-mail Spam Filtering:

Spam filtering is a recommended high-priority initiative for WTHI. Spam can be more damaging than simply wasting e-mail bandwidth and inbox space. According to a recent article in Barron’s by Carey (2007), “APWG (www.antiphishing.org) says that in the first month of 2007, there were 29,930 reports of attempts to steal passwords or other important personal information from corporate customers, up more than 25% from December and up 5% above the previous record, set in June of last year.”7

In the course of this analysis, a decision was made to keep the existing Microsoft Exchange 5.5 e-mail server architecture in place. This decision is centered on cost reduction, to create more budgetary focus on the critical need to upgrade both the WAN and Security Infrastructure. The upgraded WAN will eventually allow for the migration to a centralized Exchange 2003 and later Exchange 2007 environment, where one redundant e-mail server is located in the Chicago datacenter. Spam e-mail can quickly kill productivity for employees in all departments, where time is better spent conducting company business rather than deleting unsolicited e-mail. Spam can also lead to a virus attack if the message contains a hidden executable or a compressed file containing the executable file.

7 Carey, T. (2007, April). Phighting Phishes and Pharmers. Barron's, 87(14), 37. Retrieved April 5, 2007, from ABI/INFORM Global database. (Document ID: 1249851201).


With the existing 5.5 server architecture in place, the deployment of a short-term anti-spam solution is

recommended at each site. To keep cost efficiency, an SMB sized anti-spam appliance is recommended.


Cost Comparison Information – Spam Filter:


Solution                  Anti-Spam Filter
Vendor info               Barracuda Spam Firewall - model 400          Mail Foundry 2100
Cost info                 $4,000.00 (4) $16,000.00 plus 8,000.00       $2,000.00 (4) $8,000.00 plus 2
                          for 1 year support and updates               years extended support
Total Cost - Antispam     $24,000.00                                   $13,021.60






The diagram below outlines the connectivity of the spam filter at each location.








Oracle Database Security







Within this report, many security solutions are recommended to ultimately protect the data of the company’s databases. These solutions offer the most protection at each perimeter of the Information Systems Infrastructure. A critical consideration is the application-level security of the Database Management System software. WTHI uses Oracle as its DBMS provider. Oracle has a long-standing reputation for leading the industry in e-commerce database management products. The use of Oracle’s security features will protect the database, at a final core level, against attacks and data theft. Oracle adds an additional layer to database security through its own technology resource center. As indicated by Oracle Corporation (2007), “Fixes for security vulnerabilities are released in quarterly Critical Patch Updates (CPU), on dates announced a year in advance and published on the Oracle Technology Network. The patches address significant security vulnerabilities and include other fixes that are prerequisites for the security fixes included in the CPU. The major products patched are Oracle Database Server, Oracle Application Server, Oracle Enterprise Manager, Oracle Collaboration Suite, Oracle E-Business Suite, PeopleSoft Enterprise Tools, PeopleSoft CRM, JD Edwards Enterprise One, and JD Edwards One World XE.”8

Oracle (http://download-east.oracle.com/docs/cd/B14117_01/network.101/b10777/overview.htm#1006428) provides a comprehensive list of potential database security issues and resolutions. This list includes items such as “Unauthorized users, unauthorized access to data, eavesdropping, corruption, and denial of service.”9


With the many solutions offered to mitigate the risk of data loss, WTHI will follow the Oracle recommended solutions. A critical component of this risk management solution will be a new WTHI Information Technology policy, in cooperation with the Database Administration group and Network Operations staff, to follow published Oracle security recommendations and patch all reported vulnerabilities as soon as possible. At the present time, adherence to the existing Oracle recommendations will not require any additional purchase by WTHI. Our current support contract with Oracle is 24/7 technical support. All database administrators at WTHI are Oracle Certified DBAs, with at least 5 years of database administration experience. Database backups are performed nightly, and a full database replication is done daily with the Dallas datacenter.

8 Oracle Corporation (2007, April). Quarterly Patch Update: Quarterly Release of Security Updates. Retrieved April 12, 2007 from: http://www.oracle.com/security/critical-patch-update.html

9 Oracle Corporation (2007, April). Quarterly Patch Update: Quarterly Release of Security Updates. Retrieved April 12, 2007 from: http://www.oracle.com/security/critical-patch-update.html



Business Continuity Planning


WTHI has a solid plan for continuation of business in the event of a major technical outage at the main

Chicago data center. The plan for business continuity consists of a complete operations failover from

Chicago to Dallas.

     To continuously prepare for such an event, WTHI regularly replicates its database with the Dallas

office. Redundant application servers operate in the Dallas location and are ready to pick up in less than 20

minutes in the event such service is required. Local personnel in Dallas are trained to take over main

operations from Chicago. Key management personnel have an emergency travel budget to temporarily

relocate from Chicago to Dallas until the Chicago site is ready to go back on line. This plan is sufficient to

continue operations, and there is no requirement to upgrade or change the plan at this time. With

continuous innovation in the Information Technology and Security fields, this plan should be revisited

annually to identify new opportunities for improvement.


Disaster Recovery


     Nightly tape backups are performed at all sites. All major systems, including e-mail, voicemail,

and file servers, are backed up. Database transaction logs are backed up, and can be ‘rolled back’ or ‘rolled

forward’ to restore data that may have been damaged during a server outage. All servers are configured

with a RAID capability, and spare hardware replacements are kept ready and available at all sites should the

need arise to rebuild a RAID system. An offsite storage vendor keeps 2 weeks of backup tapes at a

climate-controlled facility, and these may be recalled at any time for any of the four offices as needed. At

present, this plan is sufficient to restore data operations, and there is no requirement to upgrade or change

the plan at this time. With continuous innovation in the Information Technology and Security fields, this plan

should be revisited annually to identify new opportunities for improvement.




Summary List of Recommendations:


     1. Control Physical Access to Buildings, Offices, Warehouses and Data Centers; Implement a
           Perimeter Security Access Control (Badge Reader) System

     2. Migrate Camera System from Analog to Digital Network Controlled System with Online Storage.

     3. Migrate WAN Circuit Connectivity from Internet Based to MPLS (Private VPN) Based.

     4. Migrate Firewalls from Decentralized Raptor Solution to Centralized Internet Gateway.

     5.    Enforce Password Policy on all Domain Accounts:


           a. Require password change every 90 days


           b. Require at least 1 number, 1 special character, and 1 uppercase letter, minimum 8 characters.


     6. Implement an Intrusion Detection system.

     7.    Enforce Desktop Policy via Active Directory Group Policy Object. Include Scheduled After Hours

           Download Cycle for MS-Security Patches.

     8. Limit Web Site Browsing with a Web Filter Appliance.

     9. Migrate Remote Access VPN from Microsoft PPTP to Cisco Client VPN.

     10. Implement Anti-Spam Email Filter Device on all Exchange E-mail Servers.

     11. Follow Oracle Best Practices for Database Security as Published on Oracle’s Corporate Website.

     12. Standardize Anti-virus software to Enterprise, server based version.








                                                         Conclusion


           The Web Tech Home Improvement Corporate Security Plan as proposed in this report is vital to

the company’s ability to maintain its competitive advantage. The center of this plan is the upgrade of WAN

technology from the existing decentralized ISP solution to a centralized MPLS Private WAN with

increased bandwidth. The physical access control and video surveillance solutions will utilize more

bandwidth in data transfer. The Migration and Upgrade of the Firewall solution using a centralized Internet

Gateway will streamline the administration of the Firewall at the Chicago Data Center, and take some of

the strain off of local IT personnel by shifting this responsibility to Headquarters. Creating a policy for the

existing Windows 2000 Active Directory environment will tighten desktop security and enforce

restrictions on resources so that the appropriate groups and departments will access only the resources

required to conduct daily business. This will also allow IT administrators to enforce a new global password

policy for number and type of characters and a fixed password renewal requirement. The server-based

anti-virus model will decrease the Internet traffic at each office by centralizing virus definition updates on a

master server and pushing these updates to servers in each office. This in turn will reduce WAN traffic by

allowing local client PCs in each office to update using LAN bandwidth rather than WAN bandwidth. The

addition of a web-filter appliance will control appropriate Internet website browsing and reduce bandwidth

utilization across the WAN by blocking streaming media sites such as “Napster”, “iTunes”, “myspace”, and

“youtube”. The migration from Microsoft VPN to a combined Cisco VPN/SecurID token solution will

increase security by randomizing the second part of the user password in the Authentication process. It will

also strengthen the reliability of the VPN hardware solution by moving away from a server based solution

to a more robust Cisco router solution. This plan should be re-evaluated on a regular basis to consider new

technology developments and innovations in the field of security that might better protect the infrastructure

and help to maintain the company’s competitive advantage. A line item budget consideration is strongly

suggested to continue the updates to these technologies needed for maintaining the security of the

company’s physical and informational assets.




                                                         References
1. Messmer, E. (2007, March). Net security experts share tips. Network World, 24(12), 1,10. Retrieved
       April 5, 2007, from ABI/INFORM Global database. (Document ID: 1247736921).

2. Stennett, C., A. Wren. (2006, November). TECHNOLOGY AND SAFETY: How Network Video Can
       Help Increase Security at Public Housing Authorities. Journal of Housing and Community
       Development, 63(6), 28-30,32. Retrieved March 12, 2007, from ABI/INFORM Global database.
       (Document ID: 1183865131).

3. Cavusoglu, H., B. Mishra and S. Raghunathan. (2005). The Value of Intrusion Detection Systems in
       Information Technology Security Architecture. Information Systems Research, 16(1), 28-46.
       Retrieved April 6, 2007, from ABI/INFORM Global database. (Document ID: 836085061).

4. Microsoft Corporation (2007, April). Securing Windows 2000 Network Resources. Retrieved April 12,
       2007 from
       http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/netres.mspx

5. Munro, K. (2006, October 4). How to crack (almost) any password in less than two minutes: [SURVEYS
       EDITION]. Financial Times, p. 6. Retrieved April 5, 2007, from ABI/INFORM Global database.
       (Document ID: 1140500361).

6. Cisco Corporation (2006). Protecting Your Core: Infrastructure Protection Access Control Lists.
       Retrieved April 12, 2007 from: http://www.cisco.com/warp/public/707/iacl.pdf

7. Morrissey, P. (1998, April). Demystifying Cisco access control lists. Network Computing, 9(7), 116.
       Retrieved April 7, 2007, from ABI/INFORM Global database. (Document ID: 28520861).

8. Huseyin C., B. Mishra, S. Raghunathan. (2005). The Value of Intrusion Detection Systems in
       Information Technology Security Architecture. Information Systems Research, 16(1), 28-46.
       Retrieved April 6, 2007, from ABI/INFORM Global database. (Document ID: 836085061).

8. Keep your database safe from intrusions at all network levels. (2006, April). Exploring
       Oracle, 11(4), 6. Retrieved March 12, 2007, from ProQuest Computing database. (Document
       ID: 1025469841).

9. Carey, T. (2007, April). Phighting Phishes and Pharmers. Barron's, 87(14), 37. Retrieved April 5, 2007,
       from ABI/INFORM Global database. (Document ID: 1249851201).

10. Oracle Corporation (2007, April). Quarterly Patch Update: Quarterly Release of Security Updates.
       Retrieved April 12, 2007 from: http://www.oracle.com/security/critical-patch-update.html

11. Oracle Corporation (2007, April). Oracle Security Review 10g Release 1. Retrieved April 12, 2007
       from: http://download-east.oracle.com/docs/cd/B14117_01/network.101/b10777/overview.htm#1006428

12. Microsoft Corporation (2007, April). Step-by-Step Guide to Understanding the Group Policy Feature
       Set. Retrieved April 12, 2007 from:
       http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/grpolwt.mspx

13. RSA Security (2005). RSA SecurID SID800 Hardware Authenticator. Retrieved from:
       http://www.rsa.com/products/securid/datasheets/SID800_DS_0205.pdf



                                          Appendix A: Cost Information

 Budget Requirement - Capital Asset Equipment Investment: $442,079.00
 Budget Requirement - Recurring Service Charges: $10,100.00 per month

 Cost Information

 Solution                                 WAN - MPLS Service and broadband circuits
 Vendor info                              telcoIQ                                        usa access
 Cost info                                $400.00 per month per site - $1,600.00 per     not available
                                          month for all 4 sites
 Total Cost per month:                    $1,600.00 per month                            n/a

 Circuits                                 DS3 - partial Circuits and T1's
 Vendor info                              telcoIQ                                        usa access
 Cost info                                $1,250.00 per month (6Mb) 4 bundled T1's       DS3 full 1,500 per month
 Total Cost per month:                    $2,500.00                                      4,500.00 - 6,000.00

 Total Telecom Data Circuit               $8,500.00
 Charge for all sites per
 month:

 Cisco 3725 Multiservice WAN              6500.00 x (5) (Two are needed in Chicago)      32,500.00
 Routers

 Total WAN investment for all             $10,100.00
 sites, per month

 Total WAN ROUTER Purchase:               32,500.00

 Solution                                 Cisco VPN
 Vendor info                              Cisco
                                          Client Access License 40.00 (500 users)        $2,000.00
                                          Cisco 7204 VXR VPN Router                      $6,000.00
 Total Cost - Cisco VPN                                                                  $8,000.00

 Solution                                 Firewall
 Vendor info                              Nokia                                          SonicWall Pro
 Source: securehq.com                     IP 560 with Checkpoint FW-1                    Sonic Wall 5060f
 Cost info                                $16,000.00                                     $10,371.00
 Total Cost - Firewalls                   $16,000.00                                     $10,371.00

 Solution                                 SecurID Fobs
 Vendor info                              RSA                                            CryptoCard
 Cost info                                $45,000.00                                     $68,000.00
                                          Authentication Manager Enterprise License:     Windows Starter Kit $500.00
                                          $50,000.00
 Total Cost - Authentication              $95,000.00                                     $72,000.00
 Tokens

 Solution                                 Digital Video
 Vendor info                              Vicon Systems                                  Alternative Security
 Cost info                                4 DVRs @ $8,000.00 ea = $32,000.00             (4) 9-camera complete systems
                                                                                         w/cameras and DVR's @ $2,699.00
                                                                                         ea= $10,796.00
                                          36 PTZ Cameras @ $463.85 ea = $16,698.60       n/a (included above)
                                          Central Console $1,352.65, joystick control    Central Console $1,352.65, joystick
                                          unit: $200.00 = $1,552.65                      control unit: $200.00 = $1,552.65
 Digital Video Archive                    EMC Clariion Ax (500 Gb expandable archive)    EMC Clariion Ax (500 Gb expandable
                                          $6,000.00                                      archive) $6,000.00
 Total Cost - Video:                      $56,251.00                                     $18,348.65

 Solution                                 Perimeter Badge Access Control
 Vendor info                              Software House Ccure Badging System            Software House Ccure Badging System
                                          $1,000.00 (4) = $4,000.00                      $1,000.00 (4) = $4,000.00
 Cost info                                Control Panels $450.00 (8) $3,600.00           Control Panels $450.00 (8) $3,600.00
                                          ACTAtek badge readers $790.00 (26) =           ACTAtek badge readers $790.00 (26) =
                                          $20,540.00                                     $20,540.00
                                          ACTAtek Fingerprint and HID ProxI/II Combo     ACTAtek Fingerprint and HID ProxI/II
                                          badge and biometric readers $ 1,590.00 (8)     Combo badge and biometric readers $
                                          = $12,720.00                                   1,590.00 (8) = $12,720.00
                                          Door Strikes - $175.00 (32) $5,600.00          Door Strikes - $175.00 (32) $5,600.00
                                          Door Relay units - $179.00 (32) $5,728.00      Door Relay units - $179.00 (32)
                                                                                         $5,728.00
 Total Cost - Badge Control               $52,188.00                                     $52,188.00
 System

 Solution                                 Corporate Antivirus
 Vendor info                              Symantec (Norton) Enterprise Edition           McAfee "Active Virus Defense"
 Cost info                                1000 licenses                                  1000 licenses
                                          $60,800.00                                     $55,090.00
 Antivirus Server Hardware                (3) Dell Poweredge 1950 and one Dell           (3) Dell Poweredge 1950 and one Dell
                                          poweredge 2650                                 poweredge 2650
                                          $10,000.00                                     $10,000.00
 Total cost - Antivirus                   $70,800.00                                     $65,090.00

 Solution                                 Anti-Spam Filter
 Vendor info                              Barracuda Spam Firewall - model 400            Mail Foundry 2100
 Cost info                                $4,000.00 (4) $16,000.00 plus 8,000.00 for     $2,000.00 (4) $8,000.00 plus 2 years
                                          1 year support and updates                     extended support
 Total Cost - Antispam                    $24,000.00                                     $13,021.60

 Solution                                 Web Browsing Filter
 Vendor info                              Barracuda Web Filter - model 410               iPrism M1200 Web Filter Appliance
 Cost info                                $4,000.00 (1) add 2,000.00 for 1 year          1,000 users, 1 year, $10,010 direct
                                          support and updates
 Total Cost - Web Filter                  $6,000.00                                      $10,010.00

 Solution                                 Intrusion Detection
 Vendor info                              Enterasys Dragon Sensor                        Juniper IDP 200 Security Appliance
 Cost info                                $15,000.00 x 5 = $75,000.00                    $16,000.00 x 5 = $80,000.00
                                          ethernet taps (560.00 ea) x 6 = $3,240.00      ethernet taps (560.00 ea) x 6 =
                                                                                         $3,240.00
 Total Cost - IDS                         $78,240.00                                     $83,240.00

Weitere ähnliche Inhalte

Was ist angesagt?

Protecting Industrial Control Systems V1.2, Ahmad Alanazy, 2012
Protecting Industrial Control Systems V1.2, Ahmad Alanazy, 2012Protecting Industrial Control Systems V1.2, Ahmad Alanazy, 2012
Protecting Industrial Control Systems V1.2, Ahmad Alanazy, 2012Ahmed Al Enizi
 
Jennings it security overview 1 2
Jennings it security overview 1 2Jennings it security overview 1 2
Jennings it security overview 1 2Donald Jennings
 
Big Data Requires Big Protection
Big Data Requires Big ProtectionBig Data Requires Big Protection
Big Data Requires Big ProtectionIBM Security
 
Managed Security For A Not So Secure World Wp090991
Managed Security For A Not So Secure World Wp090991Managed Security For A Not So Secure World Wp090991
Managed Security For A Not So Secure World Wp090991Erik Ginalick
 
Cloud Security: Perception Vs. Reality
Cloud Security: Perception Vs. RealityCloud Security: Perception Vs. Reality
Cloud Security: Perception Vs. RealityInternap
 
A 5 step guide to protecting backup data by Iron Mountain
A 5 step guide to protecting backup data by Iron MountainA 5 step guide to protecting backup data by Iron Mountain
A 5 step guide to protecting backup data by Iron MountainPim Piepers
 
Hiring Guide to the Information Security Profession
Hiring Guide to the Information Security ProfessionHiring Guide to the Information Security Profession
Hiring Guide to the Information Security Professionamiable_indian
 
Pulse 2014.mobile first.security
Pulse 2014.mobile first.securityPulse 2014.mobile first.security
Pulse 2014.mobile first.securitySreeni Pamidala
 
Whitepaper: IP Risk Assessment & Loss Prevention - Happiest Minds
Whitepaper: IP Risk Assessment & Loss Prevention - Happiest MindsWhitepaper: IP Risk Assessment & Loss Prevention - Happiest Minds
Whitepaper: IP Risk Assessment & Loss Prevention - Happiest MindsHappiest Minds Technologies
 

Was ist angesagt? (16)

ZS Infotech v1.0
ZS Infotech v1.0ZS Infotech v1.0
ZS Infotech v1.0
 
Protecting Industrial Control Systems V1.2, Ahmad Alanazy, 2012
Protecting Industrial Control Systems V1.2, Ahmad Alanazy, 2012Protecting Industrial Control Systems V1.2, Ahmad Alanazy, 2012
Protecting Industrial Control Systems V1.2, Ahmad Alanazy, 2012
 
Security and SMBs
Security and SMBsSecurity and SMBs
Security and SMBs
 
Jennings it security overview 1 2
Jennings it security overview 1 2Jennings it security overview 1 2
Jennings it security overview 1 2
 
Big Data Requires Big Protection
Big Data Requires Big ProtectionBig Data Requires Big Protection
Big Data Requires Big Protection
 
Managed Security For A Not So Secure World Wp090991
Managed Security For A Not So Secure World Wp090991Managed Security For A Not So Secure World Wp090991
Managed Security For A Not So Secure World Wp090991
 
Mag4free newsletter 5
Mag4free newsletter 5Mag4free newsletter 5
Mag4free newsletter 5
 
Cloud Security: Perception Vs. Reality
Cloud Security: Perception Vs. RealityCloud Security: Perception Vs. Reality
Cloud Security: Perception Vs. Reality
 
A 5 step guide to protecting backup data by Iron Mountain
A 5 step guide to protecting backup data by Iron MountainA 5 step guide to protecting backup data by Iron Mountain
A 5 step guide to protecting backup data by Iron Mountain
 
Patch management
Patch managementPatch management
Patch management
 
Hiring Guide to the Information Security Profession
Hiring Guide to the Information Security ProfessionHiring Guide to the Information Security Profession
Hiring Guide to the Information Security Profession
 
Security Intelligence
Security IntelligenceSecurity Intelligence
Security Intelligence
 
Pulse 2014.mobile first.security
Pulse 2014.mobile first.securityPulse 2014.mobile first.security
Pulse 2014.mobile first.security
 
Regulatory Compliance Financial Institution
Regulatory Compliance Financial InstitutionRegulatory Compliance Financial Institution
Regulatory Compliance Financial Institution
 
Whitepaper: IP Risk Assessment & Loss Prevention - Happiest Minds
Whitepaper: IP Risk Assessment & Loss Prevention - Happiest MindsWhitepaper: IP Risk Assessment & Loss Prevention - Happiest Minds
Whitepaper: IP Risk Assessment & Loss Prevention - Happiest Minds
 
IT Position of Trust Designation
IT Position of Trust DesignationIT Position of Trust Designation
IT Position of Trust Designation
 

Ähnlich wie Info Security

Hdcs Overview Final
Hdcs Overview FinalHdcs Overview Final
Hdcs Overview Finalrjt01
 
Industrial Control Security USA Sacramento California Oct 6/7
Industrial Control Security USA Sacramento California Oct 6/7Industrial Control Security USA Sacramento California Oct 6/7
Industrial Control Security USA Sacramento California Oct 6/7James Nesbitt
 
Delve Labs - Upcoming Security Challenges for the Internet of Things
Delve Labs - Upcoming Security Challenges for the Internet of ThingsDelve Labs - Upcoming Security Challenges for the Internet of Things
Delve Labs - Upcoming Security Challenges for the Internet of ThingsFrederic Roy-Gobeil, CPA, CGA, M.Tax.
 
A Evolving Information Assurance Landscape
A Evolving Information Assurance LandscapeA Evolving Information Assurance Landscape
A Evolving Information Assurance LandscapeShannon Sand
 
Vazata Federal IaaS
Vazata Federal IaaSVazata Federal IaaS
Vazata Federal IaaSftculotta27
 
Csec 610 Inspiring Innovation--tutorialrank.com
Csec 610 Inspiring Innovation--tutorialrank.comCsec 610 Inspiring Innovation--tutorialrank.com
Csec 610 Inspiring Innovation--tutorialrank.comPrescottLunt384
 
GLOBAL ASSET, INC. (GAI) Global Asset, Inc. (GAI) is a fin.docx
GLOBAL ASSET, INC. (GAI) Global Asset, Inc. (GAI) is a fin.docxGLOBAL ASSET, INC. (GAI) Global Asset, Inc. (GAI) is a fin.docx
GLOBAL ASSET, INC. (GAI) Global Asset, Inc. (GAI) is a fin.docxbudbarber38650
 
Curb to core White Paper
Curb to core White PaperCurb to core White Paper
Curb to core White PaperRyan Hadden
 
BR Allen Associates compares Information Infrastructure providers
BR Allen Associates compares Information Infrastructure providersBR Allen Associates compares Information Infrastructure providers
BR Allen Associates compares Information Infrastructure providersIBM India Smarter Computing
 
Centuric Overview
Centuric OverviewCenturic Overview
Centuric OverviewCenturic
 
GLOBAL FINANCE, INC. (GFI) Global Finance, Inc. (GFI.docx
 GLOBAL FINANCE, INC. (GFI)  Global Finance, Inc. (GFI.docx GLOBAL FINANCE, INC. (GFI)  Global Finance, Inc. (GFI.docx
GLOBAL FINANCE, INC. (GFI) Global Finance, Inc. (GFI.docxaryan532920
 
IT Security at the Speed of Business: Security Provisioning with Symantec Dat...
IT Security at the Speed of Business: Security Provisioning with Symantec Dat...IT Security at the Speed of Business: Security Provisioning with Symantec Dat...
IT Security at the Speed of Business: Security Provisioning with Symantec Dat...Symantec
 
Cloud & Big Data - Digital Transformation in Banking
Cloud & Big Data - Digital Transformation in Banking Cloud & Big Data - Digital Transformation in Banking
Cloud & Big Data - Digital Transformation in Banking Sutedjo Tjahjadi
 
Challenges and Security Issues in Future IT Infrastructure Components
Challenges and Security Issues in Future IT Infrastructure ComponentsChallenges and Security Issues in Future IT Infrastructure Components
Challenges and Security Issues in Future IT Infrastructure ComponentsMubashir Ali
 
2016 01-05 csr css non-confidential slide deck
2016 01-05 csr  css non-confidential slide deck2016 01-05 csr  css non-confidential slide deck
2016 01-05 csr css non-confidential slide deckRichard (Dick) Kaufman
 
The Importance of Consolidating Your Infrastructure Security – by United Secu...
The Importance of Consolidating Your Infrastructure Security – by United Secu...The Importance of Consolidating Your Infrastructure Security – by United Secu...
The Importance of Consolidating Your Infrastructure Security – by United Secu...United Security Providers AG
 
GLOBAL FINANCE, INC. (GFI) Global Finance, Inc. (GFI) is a.docx
GLOBAL FINANCE, INC. (GFI) Global Finance, Inc. (GFI) is a.docxGLOBAL FINANCE, INC. (GFI) Global Finance, Inc. (GFI) is a.docx
GLOBAL FINANCE, INC. (GFI) Global Finance, Inc. (GFI) is a.docxbudbarber38650
 

Ähnlich wie Info Security (20)

Hdcs Overview Final
Hdcs Overview FinalHdcs Overview Final
Hdcs Overview Final
 
Industrial Control Security USA Sacramento California Oct 6/7
Industrial Control Security USA Sacramento California Oct 6/7Industrial Control Security USA Sacramento California Oct 6/7
Industrial Control Security USA Sacramento California Oct 6/7
 
Delve Labs - Upcoming Security Challenges for the Internet of Things
Delve Labs - Upcoming Security Challenges for the Internet of ThingsDelve Labs - Upcoming Security Challenges for the Internet of Things
Delve Labs - Upcoming Security Challenges for the Internet of Things
 
A Evolving Information Assurance Landscape
A Evolving Information Assurance LandscapeA Evolving Information Assurance Landscape
A Evolving Information Assurance Landscape
 
Vazata Federal IaaS
Vazata Federal IaaSVazata Federal IaaS
Vazata Federal IaaS
 
Csec 610 Inspiring Innovation--tutorialrank.com
Csec 610 Inspiring Innovation--tutorialrank.comCsec 610 Inspiring Innovation--tutorialrank.com
Csec 610 Inspiring Innovation--tutorialrank.com
 
GLOBAL ASSET, INC. (GAI) Global Asset, Inc. (GAI) is a fin.docx
GLOBAL ASSET, INC. (GAI) Global Asset, Inc. (GAI) is a fin.docxGLOBAL ASSET, INC. (GAI) Global Asset, Inc. (GAI) is a fin.docx
GLOBAL ASSET, INC. (GAI) Global Asset, Inc. (GAI) is a fin.docx
 
Curb to core White Paper
Curb to core White PaperCurb to core White Paper
Curb to core White Paper
 
BR Allen Associates compares Information Infrastructure providers
BR Allen Associates compares Information Infrastructure providersBR Allen Associates compares Information Infrastructure providers
BR Allen Associates compares Information Infrastructure providers
 
Centuric Overview
Centuric OverviewCenturic Overview
Centuric Overview
 
GLOBAL FINANCE, INC. (GFI) Global Finance, Inc. (GFI.docx
Info Security

‘Web-Tech Home Improvement’
An Analysis of the Information Security Infrastructure for an E-Commerce Home Improvement Company.

SE571 – Term Project
Course Project
Final Report

Chris McCoy
Keller Graduate School of Management
DeVry University
3/13/2007

SE571 - Course Project

Presentation to the Board of Directors – WTHI (Web Tech Home Improvement)

Members of the Board, it is a pleasure to address you today on the subject of Corporate Information Security. As you may be aware, the security of information here at WTHI is critical to the company’s ability to maintain its competitive advantage as a Domestic Supplier of Home Improvement Fixtures. Today, we are proud to lead in our market by way of a strategic sales channel that allows our customers to receive their home improvement items faster than they would from our other online competitors.

I would like to share with you a quote from the recent InfoSec conference held in Florida at the end of March, “Attackers probably have less interest these days in bringing down large numbers of computers than exploiting the data in them for financial gain, said Doug Sweetman, senior technology manager in corporate information security at Boston financial services firm State Street.”1 (As cited in Network World, 2007)

1 Messmer, E. (2007, March). Net security experts share tips. Network World, 24(12), 1,10. Retrieved April 5, 2007, from ABI/INFORM Global database. (Document ID: 1247736921).

These words from Mr. Sweetman should be considered our call to arms to improve the current state of our corporate security. It is a loud and powerful wakeup call that we cannot ignore. In order to maintain our competitive advantage, expand our marketing channels and improve upon our abilities for future growth, we must first consider the improvement of those safeguards necessary to protect our vital technological resources: our four distribution centers, our supply chain systems, our e-commerce database information and our datacenters, which contain the equipment needed to support the transactions from which we generate and grow revenue via our most powerful resource, the World Wide Web. The data that the ‘InfoSec’ quote describes as being exploited for financial gain is, in our case, our financial and transactional e-commerce data. This data is the vital link between us and our customers. It is at the heart of our competitive edge. The key to keeping that link strong is maintaining a powerful, secure, well-monitored environment where our physical and information assets are protected in an ongoing process. We have made great strides, but the time to take great action is now.

This report will discuss the current status of our physical and information security infrastructure and the steps we must take to improve these systems to better protect our data and maintain our leadership position in the ‘Home Improvement Appliance’ market.

There are 2 major components that make up the security of our information enterprise. First is the physical security of our 4 locations. Our ability to perform adequate video surveillance and access control at each of these sites is critical to protecting our information and physical assets. Second is the protection of our data, databases and complete information systems infrastructure. Finally, a third component is necessary to tie these two items together: Increased Bandwidth and Restructuring of our Wide Area IP Network. Such an increase will allow us to support the need for additional bandwidth and security required by the new technologies introduced later in this report.

Following a comprehensive analysis of the security here at WTHI, we have determined that the existing security infrastructure must be improved if we are to continue our competitive advantage. To ignore this critical need could cost us this leadership position in the market or worse, compromise the integrity and security of our data. A recent report from our CFO indicates that the company’s current e-commerce revenue averages $45,000.00 per hour. In the event our e-commerce capability is interrupted due to a security breach, we will lose $750.00 per minute in revenue.

Most of this revenue will go to one of our competitors: either traditional ‘brick and mortar’ (physical) store locations such as “Home Depot”, “Lowe’s”, “True-Value Hardware”, “Sears”, and “The Home Expo Center”, or Web-based e-commerce sellers such as “Fixture Universe” (www.fixtureuniverse.com) and “Finestfixtures.com” (www.finestfixtures.com). With every minute of lost revenue comes a lost minute of competitive advantage, as we come one step closer to losing our market share in the online home improvement market. With our current Information Technology and Information Security infrastructure, the question is not whether we will suffer an outage. It’s simply a matter of when.

The purpose of today’s presentation is to show you where we are, where we need to be, and what we need to do to get there in terms of a Capital Investment in the Security of our Physical and Informational Assets. Though the picture painted here is not pretty, there is good news. The proposed plan of Security for WTHI has a very short payback period. Approximately 10 hours of revenue will pay for the required improvements to our infrastructure. Every 3 hours of revenue will pay for 1 year of WAN service, and 1 hour of revenue will cover more than 2 years of technical support on every piece of equipment shown in today’s presentation.

To begin our presentation, we will look at the physical security in place at all four of our distribution centers. Today, the buildings in our Washington DC, Los Angeles, Dallas, and Chicago offices are all secured via ‘Acme Security’, a vendor we selected 3 years ago to provide on-site security guards and camera monitoring. These security guards continue to work hard to meet the Service Level Agreements of our contracts, but these SLAs are no longer sufficient to provide WTHI with a system capable of keeping our Datacenters safe from intrusion and theft.

There are two major technology components in the Physical Security Plan:

1. Physical Access Control to the Building perimeters, parking lot, front door, loading dock, elevators and specific internal areas such as the Warehouse and Computer room where access should be restricted. A need to control access using individual employee badges is identified below.
2. Closed Circuit Video Camera Surveillance of the critical access areas including the main entrance, parking lot, lobby, computer room, loading docks, and inside warehouse.
The diagram below shows the current state of the camera surveillance and physical perimeter access control (none) in place and identifies areas where security weaknesses exist.

This diagram identifies four weaknesses in our current facilities security plan:

1. There is no way to track who is in the building at any given time of the day.
2. The Camera System reports to a local camera monitor and is recorded locally to video tape, but each tape only holds 8 hours of video. Should the guard forget to change tapes, there will be no record kept of the security video.
3. The Data Center Doors and Perimeter Doors offer no way to limit entrance into critical areas such as the Data Center.
4. The camera systems are antiquated and need to be replaced. Identifying minor details in the video image is difficult.

A security solution is required to mitigate the risk of an intrusion into our buildings and theft of our information systems and assets. A network-based video solution is recommended to help better manage the perimeter access to all four of WTHI’s facilities. An article in the “Journal of Housing and Community Development” highlights the value of investing in such a system. As Stennett and Wren (2006) observe, “By supporting access control and other systems, network video can improve their effectiveness and even generate additional return-on investment on those technologies.”2

2 Christopher A Stennett, Andrew Wren. (2006, November). TECHNOLOGY AND SAFETY: How Network Video Can Help Increase Security at Public Housing Authorities. Journal of Housing and Community Development, 63(6), 28-30,32. Retrieved March 12, 2007, from ABI/INFORM Global database. (Document ID: 1183865131).

Technology Solution

With a digital video system, smaller ‘PTZ’ analog video cameras will record continuously to a digital video recorder, where their signal format is transformed from analog to digital, then stored on a large hard drive and transferred to the central Chicago security center’s main DVR unit. This recorder will offload its digital video across the network to a central server in the Chicago Office once the Digital recorder reaches 70% capacity. The additional 30% is planned ‘overhead’ digital storage capacity that will allow the recorder to continue to capture video in the event of a network outage where the regular transfer of footage cannot be completed at its scheduled time.
The following diagram provides a visual representation of the proposed video solution:

Note that the Camera system can now be monitored locally and remotely. The digital capability allows deeper analysis of the video with more sophisticated analysis tools in order to identify intruders and unauthorized access.

Cost information for proposed solution:

Solution: Digital Video
Vendor info | Vicon Systems | Alternative Security
Cost info | 4 DVRs @ $8,000.00 ea = $32,000.00 | (4) 9-camera complete systems w/cameras and DVRs @ $2,699.00 ea = $10,796.00
Cost info | 36 PTZ Cameras @ $463.85 ea = $16,698.60 | n/a (included above)
Cost info | Central Console $1,352.65, joystick control unit: $200.00 = $1,552.65 | Central Console $1,352.65, joystick control unit: $200.00 = $1,552.65
Digital Video Archive | EMC Clariion Ax (500 Gb expandable archive) $6,000.00 | EMC Clariion Ax (500 Gb expandable archive) $6,000.00
Total Cost - Video | $56,251.00 | $18,348.65

A diagram of the proposed DVR Centralized monitoring system is shown below:

As shown in the diagram above, camera footage is recorded locally into a DVR (Digital Video Recorder) unit. Each unit at each office is connected via the local area network and managed using a fixed IP address. Once the unit is configured with its IP information, it can communicate with the Master Control unit in Chicago, where it offloads video to a central storage device as shown above. The device will archive video for a predetermined time so it can be accessed later if needed for legal review.

Physical Access to Buildings and Facilities
The second major component of physical security at WTHI is the physical access control to all WTHI’s buildings. The current model of physical access control consists of a security guard seated at the main security desk in the lobby of each of our four locations. This guard asks all employees to show a badge. He/She also asks visitors to sign in on a ledger and show a valid ID such as a driver’s license or military ID. Once ID is verified, the security guard issues a sticker with the word “visitor” and the current date. The sticker is nothing more than a visual indicator that the visitor has had his/her ID checked at the front desk. There is also no policy requiring visitors to sign out. We really don’t know when they come and go, only the date they were at our office.

Fortunately, technological advances in building security systems will allow us to move forward with a new system that will provide WTHI with an elaborate means for tracking employee and visitor movement throughout the building. This new system will involve issuance of a new employee badge for every employee at each site. The badge will have the Company logo, employee name and picture as well as the employee ID number. The badge will contain a small electronic chip called an RFID chip. A special device designed to read the information from this chip (called a badge reader) will be installed at every perimeter access point in each location. An additional badge reader will be installed in the elevator and on the outside main entrance door to validate after-hours and weekend access. These readers will have a keypad, which will verify the employee’s company-issued PIN. The employee will hold the badge a few inches from the reader. The reader will beep and a small display window will prompt the employee to enter his/her PIN. When this is verified, the reader will either grant or deny access to the employee. When access is granted, the reader sends a message to the control panel to unlock the door. If the employee’s access is denied, the door will remain locked.

Note that not all employees should be given access to all areas. For example, warehouse employees have no need to enter the data center; however, an IT employee may need to enter the warehouse to fix a PC for shipping and receiving. Employees will be trained in the use of badge reader systems. Additional fingerprinting and training will be required for warehouse employees, as the warehouse perimeter access units will have an additional biometric fingerprint reader.

Employees will be encouraged to enter all doors one person at a time. Holding doors for others is discouraged by security, and can be tracked on the camera system. Should a security officer observe an employee allowing others to enter through the same door, the manager of the employee who swiped his/her badge at that particular door will be contacted and notified of the event. Repeat violations will be reported to HR.

The diagram below shows placement of access point badge readers for all critical access areas:
Cost Information – Badge Access System

Due to limited pricing availability of components, a mixed solution cost from 2 vendors is shown:

Solution: Perimeter Badge Access Control
Item | Unit cost (quantity) | Cost
Software House Ccure Badging System | $1,000.00 (4) | $4,000.00
Control Panels | $450.00 (8) | $3,600.00
ACTAtek badge readers | $790.00 (26) | $20,540.00
ACTAtek Fingerprint and HID ProxI/II Combo badge and biometric readers | $1,590.00 (8) | $12,720.00
Door Strikes | $175.00 (32) | $5,600.00
Door Relay units | $179.00 (32) | $5,728.00
Total Cost - Badge Control System | | $52,188.00

Central Control of Panel Access

Occasionally, a badge may need to be enabled or disabled or have its access level changed. Should such a request arise, the change is made centrally from the Chicago Security Center. Below is a diagram showing the connectivity of the panels into the central control facility.
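
The badge, PIN and fingerprint decision described under physical access, together with the central enabling and disabling of badges, sketched as an added example (not part of the original report and not any vendor's product). Zone names, reader and employee IDs, PINs, the exit reader and the yes/no fingerprint result are assumptions, as is the choice of PBKDF2 for storing PINs.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


def pin_digest(pin: str, salt: bytes) -> bytes:
    # Salted, stretched hash: the controller never stores the PIN itself.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000)


@dataclass
class Badge:
    employee_id: str
    zones: frozenset        # areas this employee may enter
    salt: bytes
    digest: bytes
    enabled: bool = True    # changed only from the central security office


@dataclass(frozen=True)
class Reader:
    reader_id: str
    zone: str
    needs_fingerprint: bool = False   # warehouse perimeter readers
    direction: str = "in"             # "out" readers are an assumption


class AccessController:
    def __init__(self):
        self.badges = {}
        self.audit = []     # every decision, granted or denied
        self.inside = {}    # zone -> employee ids currently badged in

    def enroll(self, employee_id, zones, pin):
        salt = os.urandom(16)
        self.badges[employee_id] = Badge(
            employee_id, frozenset(zones), salt, pin_digest(pin, salt))

    def set_enabled(self, employee_id, enabled):
        self.badges[employee_id].enabled = enabled

    def _deny_reason(self, reader, employee_id, pin, fingerprint_ok):
        badge = self.badges.get(employee_id)
        if badge is None:
            return "unknown badge"
        if not badge.enabled:
            return "badge disabled"
        if not hmac.compare_digest(pin_digest(pin, badge.salt), badge.digest):
            return "wrong PIN"
        if reader.zone not in badge.zones:
            return "zone not authorised"
        if reader.needs_fingerprint and fingerprint_ok is not True:
            return "fingerprint required"
        return None

    def swipe(self, ts, reader, employee_id, pin, fingerprint_ok=None):
        reason = self._deny_reason(reader, employee_id, pin, fingerprint_ok)
        granted = reason is None
        self.audit.append((ts, reader.reader_id, employee_id, granted, reason or "ok"))
        if granted:
            occupants = self.inside.setdefault(reader.zone, set())
            if reader.direction == "in":
                occupants.add(employee_id)
            else:
                occupants.discard(employee_id)
        return granted      # True -> control panel releases the door strike


def run_constructed_day():
    """Replay constructed badge events; all IDs, PINs and times are made up."""
    ctl = AccessController()
    ctl.enroll("E100", {"lobby", "warehouse"}, "4821")                # warehouse staff
    ctl.enroll("E200", {"lobby", "warehouse", "datacenter"}, "7315")  # IT staff
    lobby = Reader("CHI-LOBBY-1", "lobby")
    wh_in = Reader("CHI-WH-1", "warehouse", needs_fingerprint=True)
    wh_out = Reader("CHI-WH-1X", "warehouse", direction="out")
    dc = Reader("CHI-DATA-1", "datacenter")
    results = [
        ctl.swipe("08:01", lobby, "E100", "4821"),
        ctl.swipe("08:03", wh_in, "E100", "4821", fingerprint_ok=True),
        ctl.swipe("08:10", dc, "E100", "4821"),       # warehouse staff at data center
        ctl.swipe("08:15", lobby, "E200", "0000"),    # mistyped PIN
        ctl.swipe("08:16", lobby, "E200", "7315"),
        ctl.swipe("08:20", wh_in, "E200", "7315"),    # no fingerprint presented
        ctl.swipe("08:21", wh_in, "E200", "7315", fingerprint_ok=True),
        ctl.swipe("09:00", dc, "E200", "7315"),
        ctl.swipe("12:00", wh_out, "E100", "4821"),
    ]
    ctl.set_enabled("E100", False)                    # badge reported lost
    results.append(ctl.swipe("13:00", lobby, "E100", "4821"))
    return ctl, results


if __name__ == "__main__":
    controller, outcome = run_constructed_day()
    for entry in controller.audit:
        print(entry)
    print({zone: sorted(ids) for zone, ids in controller.inside.items()})
```

The audit list records denied attempts as well as granted ones, and the `inside` map is what answers the "who is in the building" question that the guard-and-ledger model cannot.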
Physical Security Plan Purchase and Contract Requirements including SLAs

The implementation of this 2-part solution will be a combined integration project for IT and a selected vendor. Required actions to complete the implementation of this solution include:

1. Negotiate purchase price (based on cost information included above) for all equipment including cameras, collection units, and central monitoring equipment to be located in the Chicago Data Center. A total of four separate computer ‘badging’ systems with encoding capability must be purchased (one for each location). A digital fingerprint component is also required for fingerprinting employees (to be used with the biometric readers installed on the warehouse doors).
2. Negotiate inclusion of technical support contract at a 20% discount based on volume of equipment purchased, to cover equipment at all sites, including cameras, collector systems, and central monitoring station equipment.
3. Negotiate discount on tech support contract based on volume purchase for all badge control system equipment including door locks, badge readers, control panels.
4. Wiring contractor to complete the installation and wiring of all cameras and systems in the four office locations.
5. Wiring contractor to complete wiring of badge control system including door locks, readers, and control panels, including central control system at Chicago security office.
6. Separate purchase of a Storage Area Network device to archive at least 3 months of data. This purchase will also require a technical support contract to cover hardware and software support for management of the device.
7. Negotiate the inclusion of a separate alarm system, as a part of the badge access system purchase, to monitor the Warehouse loading dock and perimeter doors. An insurance clause should be included to protect all warehouse assets against loss due to theft. The SLA for this contract should involve a maximum response from the monitoring company of 10 minutes and an immediate call to local police when no response is received from the local warehouse manager within 10 minutes.
8. SLA: Technical Support contracts for the Video and Badge Systems:
   a.) Video System equipment failure: Onsite 24/7 support, technician on site within 4 hours of reported failure, 24 hour hardware replacement for any failed component at any site. In the event of a DVR failure, where no video is captured, a 3rd party security company will be contracted to provide security officers to patrol the entire location and watch perimeters and warehouse activity until the replacement DVR is delivered and set up.
   b.) Badge System equipment failure: Onsite 24/7 support, technician on site within 2 hours of reported failure, 24 hour hardware replacement for failed component at any site. Additional requirement: door lock open failure will be monitored by a 3rd party security company. An Armed Guard will be dispatched on site to physically monitor the door where the badge reader/lock has failed open (door cannot be locked due to system failure). An example of a company that provides this service is “Securitas” http://www.securitasinc.com/
9. Contractual Penalties: WTHI’s legal department will negotiate an equitable settlement figure based on the contract amount for each contract. This penalty amount will be consistent with industry rates for contractual breach. Each vendor failing to meet the full requirements stated in the negotiated contract will be subject to further legal action.

WAN Firewall Infrastructure (Existing):

One of our key security vulnerabilities lies in the way our offices communicate across the wide area network. Twelve years ago, this network was considered cutting edge, and served a great purpose in transacting business communication between the offices. Today, it is a limitation to our continued revenue growth, tied directly to the security of our data. This must change if we are to continue to grow our revenue in a secure environment while maintaining state-of-the-art electronic supply chain management with our vendors and partners.
A diagram containing the current wide area network configuration is shown below.

As indicated in the above diagram, each site has its own firewall connected to a local ISP circuit/ISP router configuration. The connectivity from each site to the main Chicago Datacenter site is via an encrypted tunnel. The firewall in each site consists of a PC-based installation of “Raptor” firewall (which was later purchased by Symantec). The PCs have 3 network adapters: one internal, one external and one ‘DMZ’. Every time a virus outbreak occurs in an office, the Firewall crashes and Internet Access goes down. Symantec has pushed the company to upgrade to a hardware-based firewall ‘appliance’, but today, this solution will not meet the requirements of our fast-paced electronic commerce model of business on the Internet.

The proposed new infrastructure will eliminate individual firewalls, ISP circuit connections and tunnels. A new solution will incorporate a centralized private WAN solution using newer MPLS technologies from one of the major telecommunications providers, such as Sprint, MCI, SBC, or Verizon. This change to the WAN is central to the successful implementation of a new security protocol within WTHI. The need for the WAN upgrade is also based on expanded bandwidth requirements due to the additional technology solutions introduced in this report (digital video and perimeter access control traffic) to ensure a more secure and rapid transfer of data between sites.

A diagram of the proposed WAN solution is shown here:

The use of a private, managed VPN architecture such as an MPLS WAN holds the benefit of creating a higher-bandwidth, better-protected solution without the overhead of decentralized firewall management and unsecured individual ISP circuits.

The proposed WAN upgrade is an essential core component of the Corporate Security Plan. The upgrade will require higher bandwidth capability on the local office WAN circuits in order to allow the network to carry the additional traffic loads generated by the added video and badge access solutions and also the replication of Antivirus updates. The data traversing the new WAN must also co-exist with regular replication of the e-commerce database between the Chicago and Dallas sites. This replication must be completed regularly to provide a failover solution for business continuity, should a disaster strike the Chicago region.
This upgrade will also pave the way for a major e-mail migration from Microsoft Exchange 5.5 to Microsoft Exchange 2003. This migration is needed in the near future to tighten security of e-mail data by centralizing control of the e-mail server in the Chicago Data Center.

The contract and requirements for this upgrade are as follows (cost information follows):

1. Negotiated contract with Major Telecom Provider such as AT&T, SBC, SPRINT, or VERIZON to provide such MPLS VPN Service at the corporate level to support all four sites.
2. Purchase of new circuits through this same provider. The recommendation is a Primary 10Mbps *Partial DS3 and 4 bundled T1s as backup circuits for Chicago and Dallas, and a Primary bundled 4-T1 (6MB) primary circuit with Dual ISDN 128kbps backup circuits for Los Angeles and Washington, DC.
   Note: Partial DS3s should have the ‘burstable’ option included in the contract. This means that the Network Operations Center will have the capability to monitor bandwidth utilization following the implementation of all new services. If the bandwidth utilization is maxed into ‘burst’ capacity, then a consideration for increasing the available bandwidth should be initiated. If it is determined that the largest partial DS3 option cannot provide sufficient bandwidth, then an upgrade to a full DS3 (*full T3) should be considered.
3. Purchase of 2800 Series Cisco Routers to support the configuration required of the circuits at each of these sites.
4. Network Engineering will need to create new routes at each Core switch to match the new MPLS Network Routes.
5. SLA requirements: Because WTHI runs its e-commerce enterprise on a 24/7 basis (though Shipping and Receiving are handled only during regular business hours), system downtime would produce a negative impact to revenue channels. Accordingly, an upgrade to the new system should be negotiated as follows:
   a) 20 minute Tech Support Escalation Heuristic (each 20 minutes of downtime requires escalation)
   b) For outages greater than 1 hour at either primary site (Chicago or Dallas), a full compensation of monthly circuit charges pro-rated based on the time of the primary circuit outage, plus full payment of monthly charge on the 4 T1 backup circuits.
   c) For outages greater than 1 hour at either Secondary site, full payment for ISDN charges incurred on backup circuits for the entire duration of the outage
   d) Legal recourse (right to pursue legal action) for any loss of data or revenue due to outages lasting greater than 3 hours. (Note, this would not pertain to tape backup data as all tape backups are done locally)
The importance of a WAN architecture upgrade is highlighted in the following drawing, which displays the business traffic carried by the new WAN.

Cost of WAN Solution:

Solution: WAN - MPLS Service and broadband circuits
Vendor info | telcoIQ | usa access
Cost info | $400.00 per month per site - $1,600.00 per month for all 4 sites | not available
Total Cost per month | $1,600.00 per month | n/a

Circuits: DS3 - partial Circuits and T1's
Vendor info | telcoIQ | usa access
Cost info | $1,250.00 per month (6Mb) 4 bundled T1's | DS3 full 1,500 per month
Total Cost per month | $2,500.00 | 4,500.00 - 6,000.00

Total Telecom Data Circuit Charge for all sites per month: $8,500.00
Cisco 3725 Multiservice WAN Routers: 6500.00 x (5) (Two are needed in Chicago): 32,500.00
Total WAN investment for all sites, per month: $10,100.00
Total WAN ROUTER Purchase: 32,500.00

Central Chicago Internet Gateway

With the upgraded WAN, the individual firewalls at each site are replaced with MPLS routers and Intrusion Detection System ‘Taps’. These taps are connected to an IDS Server that contains sensor software used to analyze potential attacks on the system and send alerts to the IT (Security) Staff. The Internet Access model is changed from individual site access to centralized access through the Chicago Gateway. This gateway consists of a load-balanced, high-traffic firewall solution designed to control individual site Internet access traffic, DMZ traffic for supply chain management and external e-mail traffic. Traditionally, traffic from each site would traverse the public internet across a VPN tunnel. The new model uses a private MPLS ‘Cloud’ to move all traffic to and from Chicago.

The new Internet Gateway diagram is shown below:
Selection of Vendors
Switches, Routers, Firewalls, IDS:

1. Switches and Routers

The company’s corporate IT Standard is “Cisco” Systems. Because of the current 5 year blanket support contract and track record with Cisco (almost no hardware failure in 5 years), IT feels strongly about continuing the relationship with Cisco Systems as our Router and Switch IT Vendor.

2. Firewalls

Due to the high level of traffic that will cross the Firewall infrastructure, the former firewall technology consisting of “Raptor” software installed on a PC with multiple network interface cards is no longer sufficient. The Raptor Software is no longer supported and our company’s support contract has expired. A new firewall solution is needed. A full-featured firewall server capable of handling high volumes of traffic throughput is required to support the new centralized firewall and internet gateway solution.

Cost Information for Firewalls and Routers to support the Internet Gateway:

Solution: Firewall (Source: securehq.com)
Vendor info | Nokia | SonicWall Pro
Product | IP 560 with Checkpoint FW-1 | Sonic Wall 5060f
Cost info | $16,000.00 | $10,371.00
Total Cost - Firewalls | $16,000.00 | $10,371.00

3. IDS (Intrusion Detection System)

According to an article by Cavusoglu, Mishra, and Raghunathan (2005), “In the IT security context, preventative controls such as firewalls, aim to develop a shield around IT systems to secure them from intrusions. Detective controls such as IDSs try to detect intrusions that have already occurred. Because complete prevention of intrusions is unlikely, detective controls have become an important element in a firm’s overall security architecture.”3

3 Cavusoglu, H., B. Mishra and S. Raghunathan. (2005). The Value of Intrusion Detection Systems in Information Technology Security Architecture. Information Systems Research, 16(1), 28-46. Retrieved April 6, 2007, from ABI/INFORM Global database. (Document ID: 836085061).

WTHI has never implemented any means of detecting intrusion into its information systems. This means that the risk of lost revenue and data is high. To mitigate any further damage due to possible intrusion, a detection system is needed for better monitoring of the corporate networks and information assets.

Cost Information for IDS:
Solution: Intrusion Detection

| Vendor info | Enterasys Dragon Sensor | Juniper IDP 200 Security Appliance |
|---|---|---|
| Cost info | $15,000.00 x 5 = $75,000.00 | $16,000.00 x 5 = $80,000.00 |
| | Ethernet taps ($560.00 ea) x 6 = $3,240.00 | Ethernet taps ($560.00 ea) x 6 = $3,240.00 |
| Total cost - IDS | $78,240.00 | $83,240.00 |

Service Level Agreement:

For the intrusion detection system, a negotiated 24/7 technical support contract will cover support of the software application running on the IDS servers. A 24-hour hardware replacement should be included in this contract. As IDS is a critical component of protecting the e-commerce enterprise, downtime could indirectly impact revenue in the form of an undetected intrusion resulting in a compromise of protected data.

VPN/Remote Access

The current remote access solution in place is a Microsoft VPN client based solution. Examination of the existing authentication system has revealed a significant security weakness that will allow a hacker to guess a username and password to gain access to corporate resources. A more complex solution is required to ensure that VPN client connections are limited to authorized personnel only. The diagram below shows the current VPN remote access model.

Note: One positive preventative security measure was the retirement of RAS dialup 2 years ago. A VPN session independent of a direct dialup modem is required to access the system.

Current Remote Access using Microsoft PPTP Client

The current model for remote access is the Microsoft VPN Client using PPTP encrypted authentication. While this method of access provides a secure channel, user and password information is not well protected. Should a hacker identify the proper IP address of the PPTP server, all he/she needs is a valid username and guessed password.

A better solution is required to prevent a potential security breach via
the VPN Client. A better solution is available in the Cisco VPN client. This solution will allow WTHI to leverage a combined access solution that protects password security through use of a ‘SecurID’ token. The token is assigned to each VPN user account, and contains a unique number that changes every 30 seconds. To authenticate on the VPN using the Cisco Client, the user enters a username and password, and in the password field also enters the additional number shown on the ‘SecurID’ token. The randomization of this number makes it almost impossible for a thief to guess the password.

The diagram shown below illustrates the current model of remote client VPN authentication using the traditional Microsoft VPN system. The second diagram shows a proposed implementation of the Cisco and SecurID solution.
Proposed Remote Access using Cisco VPN Client:
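How a server can check the combined password-plus-token entry described above, as an added example that is not part of the original report and is not RSA's or Cisco's code. It uses the open TOTP standard (RFC 6238) as a stand-in for SecurID's own algorithm; the six-digit code length, the one-step drift window, the lockout threshold, and the names token_code, VpnAuthenticator and demo are assumptions.

```python
import hashlib
import hmac
import os
import struct

STEP_SECONDS = 30   # from the report: the token number changes every 30 seconds
CODE_DIGITS = 6     # assumption: six-digit token code
DRIFT_STEPS = 1     # assumption: accept one step either side for clock drift
MAX_FAILURES = 5    # assumption: lock the account after five bad attempts


def token_code(seed: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, standing in for the SecurID algorithm."""
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)
    digest = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class VpnAuthenticator:
    """Server side: checks a password and token code typed into one field."""

    def __init__(self):
        self._users = {}

    def enroll(self, username: str, password: str, seed: bytes) -> None:
        salt = os.urandom(16)
        self._users[username] = {
            "salt": salt,
            "pw_hash": _hash_password(password, salt),
            "seed": seed,          # shared secret also held inside the token
            "last_step": -1,       # highest time step already accepted
            "failures": 0,
        }

    def verify(self, username: str, passcode: str, now: int) -> bool:
        user = self._users.get(username)
        if user is None or user["failures"] >= MAX_FAILURES:
            return False
        # The last CODE_DIGITS characters are the token code, the rest the password.
        password, code = passcode[:-CODE_DIGITS], passcode[-CODE_DIGITS:]
        pw_ok = hmac.compare_digest(
            _hash_password(password, user["salt"]), user["pw_hash"])
        matched_step = None
        current = now // STEP_SECONDS
        for step in range(current - DRIFT_STEPS, current + DRIFT_STEPS + 1):
            expected = token_code(user["seed"], step * STEP_SECONDS)
            same = hmac.compare_digest(expected.encode(), code.encode())
            if same and step > user["last_step"]:
                matched_step = step
        if pw_ok and matched_step is not None:
            user["last_step"] = matched_step   # each code is good for one login
            user["failures"] = 0
            return True
        user["failures"] += 1                  # a guessed password alone fails here
        return False


def demo():
    """Constructed account, password and seed, for illustration only."""
    seed = b"constructed-seed-0001"
    auth = VpnAuthenticator()
    auth.enroll("jdoe", "Winter!Pass9", seed)
    now = 1_700_000_000
    passcode = "Winter!Pass9" + token_code(seed, now)
    first = auth.verify("jdoe", passcode, now)    # password and fresh code
    replay = auth.verify("jdoe", passcode, now)   # same code presented again
    return first, replay
```

A correct password with a stale or reused code is rejected, which is the property the report relies on when it says a guessed password is no longer enough.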
Service Level Agreement:

For this implementation two technical support contracts are needed. The first will cover the Cisco VPN solution and the second will provide support for the ‘SecurID’ token based solution.

The need for Remote Access VPN is secondary to protection of the physical enterprise and data center. Should a problem arise with the VPN, traveling employees have a backup e-mail solution in Outlook Web Access. This means that downtime of the VPN will not directly or indirectly impact revenue. IT staff at the Chicago data center works in a rotating 24-hour shift, so there is always a group of technicians on site, meaning a VPN access outage would not prevent the IT staff from resolving an issue remotely. Therefore, a downtime of the VPN for up to 8 hours is acceptable.

WTHI holds a blanket support contract with Cisco to cover all existing routers and switches. The new VPN router will be added to the existing support contract. A negotiation with the SecurID token provider (probably RSA/EMC) will incorporate a 24-hour hardware replacement policy.
Cost Information: VPN Software, Access Token System and VPN Router

Solution: Cisco VPN

| Vendor info | Cost |
|---|---|
| Cisco Client Access License 40.00 (500 users) | $2,000.00 |
| Cisco 7204 VXR VPN Router | $6,000.00 |
| Total Cost - Cisco VPN | $8,000.00 |

Solution: SecurID Fobs

| Vendor info | RSA | CryptoCard |
|---|---|---|
| Cost info | $45,000.00 | $68,000.00 |
| | Authentication Manager Enterprise License: $50,000.00 | Windows Starter Kit $500.00 |
| Total Cost - Authentication Tokens | $95,000.00 | $72,000.00 |

Policy Changes with regard to resources and users:

The next several policy changes do not involve any purchase cost. However, they do require man-hour cost to implement, using the existing IT equipment in WTHI’s Active Directory Domain Architecture. The first drawing shows the high level view of WTHI’s Active Directory Groups running on Windows 2000 (Windows 2003 is not an upgrade consideration for this project).
The access of these groups to corporate resources on the domain is limited to the needs of their group, in accordance with Microsoft’s Active Directory Best Practices.4

4 Microsoft Corporation (2007, April). Securing Windows 2000 Network Resources. Retrieved April 12, 2007 from http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/netres.mspx

Windows User Account Logon Password Policy

Several resources in the field of ‘password protection’ have been cited as valuable for protecting passwords against ‘cracking’ by hackers attempting to log on to protected resources. The current system in place allows users to choose and keep their passwords indefinitely. A new system is needed. Evidence of the weakness in WTHI’s current approach to password security is highlighted by Munro (2006): “A good password is long and complex - and hard to remember; weak ones are next to
useless. They are also expensive to manage. One of the most requested helpdesk services is resetting a password. We know that the strongest passwords contain non-alphanumeric characters or symbols, are sufficiently long, and do not contain dictionary words. But some non-alphanumerics are a whole lot better than others.”5

Print Server Limitations:

For example, the Warehouse group is able to print orders for their warehouse to any laser printer inside the warehouse, but not to the color printers in the accounting department. The IT department can print network diagrams to its color printers, but not to the black and white laser printers in the Warehouse. The shipping department can print FedEx or UPS reports to printers in its department but not to those in IT.

Restricting access to printers may seem like a trivial item in the security plan, but it can actually prevent critical errors. For example, if an HR Manager were printing a list of terminations and he/she accidentally selected the printer of a different department (in which several employees who were to be terminated worked), this could create a big potential problem. Locking down printers to their specific groups helps to prevent such situations from happening. Similarly, salary information for an employee who was to receive his annual review, if printed to the Shipping and Receiving department, might end up in the hands of a co-worker and create confidentiality issues.

File Server Limitations:

A restriction on file shares is needed to limit, by group, access to the data specific to each department. For example: the IT group can access shares on its own folders on the file server, but not order processing or shipping documents. Accounting and Finance can access its tax document files and shares on the file server, but not HR’s folders and documents.

5 Munro, K. (2006). How to crack (almost) any password in less than two minutes: [SURVEYS EDITION]. Financial Times, p. 6. Retrieved April 5, 2007, from ABI/INFORM Global database. (Document ID: 1140500361).
Applications:

An Accounting employee can access the Solomon financial server, but this is not accessible to IT. Troubleshooting an issue on such an application server would require the presence of an accounting employee.

Network Security at the Router Level (ACL Controls for VLANs)

Often there are scenarios that require the Network Engineering team to lend a hand in securing data channels. An ACL (access control list) on a network router or L3 switch can limit unnecessary traffic and thus reduce bandwidth utilization and the possibility of virus propagation. Cisco (2006) technical documentation on ACLs advises, “In an effort to protect routers from various risks, both accidental and malicious, infrastructure protection ACLs should be deployed at network ingress points.”6 For example, an ACL blocking TCP port 443 prevents the SQL slammer worm from moving into a subnet on a network by preventing any traffic using TCP port 443 from passing through the router. Packets that encounter this ACL are dropped.

The following diagram shows the current core VLAN routed/switched architecture for the Chicago Office of WTHI. All other offices have a similar core switching architecture.

6 Cisco Corporation (2006). Protecting Your Core: Infrastructure Protection Access Control Lists. Retrieved April 12, 2007 from: http://www.cisco.com/warp/public/707/iacl.pdf
Note: a WAN upgrade is put forward for strong consideration in this report. See its impact on the local switching architecture in the diagram below.
Proposed router site implementation based on the new WAN framework
The new framework will continue with the same core configuration; however, the new WAN circuits will require router upgrades. The two DS3 circuits in Chicago and Dallas will require a DSU/CSU unit to bring the DS3 circuit into the Data Center area.

Internet Browsing Limitations

The current Information Security policies do not limit Internet browsing. Employees at all four offices are free to access any website they choose for purposes of browsing the World Wide Web. In the last 2 weeks, several PCs have been infected with viruses. This is becoming more and more of an issue in all 4 offices. Bandwidth is also at a premium. One user was identified streaming NFL highlights videos during work hours. This idea caught on and soon several employees were streaming video from CNN, NFL.com and “YouTube” to their desktops. According to one IT desktop support analyst, some employees have
installed “iTunes” on their PCs and are downloading and playing music at the office. E-mail performance has suffered and many users have called the help desk to report “poor network performance”. Although the consumption of bandwidth may have been an issue, a virus-infected PC may also be slowing network performance.

Proposed Solution:

Deployment of a web-filtering solution is intended to mitigate potential violations of the company’s ethics policy regarding proper use of IT resources and appropriate web-browsing. The deployment of the actual web-filtering device is depicted in the Chicago Internet Gateway diagram shown previously in this report.

The Legal department has agreed to revise its ethics policy in coordination with the IT department. This revised plan will determine the criteria used to filter websites. Suggested criteria include pornography, gambling, cookie tracking/info gathering sites, and known phishing sites; more will be added to this list following a full review of the new plan.

A sample screen that a user would encounter when attempting to access a banned/filtered site would appear similar to the one shown here:
Cost Comparison Information – Web Filter:

Solution: Web Browsing Filter

| Vendor info | Barracuda Web Filter - model 410 | iPrism M1200 Web Filter Appliance |
|---|---|---|
| Cost info | $4,000.00 (1) add 2,000.00 for 1 year support and updates | 1,000 users, 1 year, $10,010 direct |
| Total Cost - Web Filter | $6,000.00 | $10,010.00 |

AntiVirus Software and Microsoft Updates

The company’s four sites have never been given a mandate to standardize on a specific Anti-Virus solution. Each site’s IT department has purchased individual copies of McAfee and Norton antivirus, and is running a mix of both products on the desktops, with purchases occurring on an ‘as-needed basis’. Although the IT
staff has done its best to configure each desktop to automatically update virus definitions, this does not always work. With the WAN being used to back up the corporate database from Chicago to Dallas, there are times when the firewalls get ‘bogged down’ with replication traffic in those sites, and as a result the virus definition downloads often fail due to network congestion. The same problem exists for Microsoft Security updates. Desktop computers need to be patched regularly to meet Microsoft security update requirements. To reduce the amount of WAN traffic for Microsoft updates, the IT group will set up a domain level policy to force each desktop computer to download updates during non-business hours.

A centralized solution for virus updates will allow WTHI to control software and security patching from its Chicago Datacenter. This is part of the expanded capability the increased circuit bandwidth and the MPLS Private Network will provide. A diagram of the proposed solution is shown below:
Cost Comparison – Enterprise Level Antivirus:

Solution: Corporate Antivirus

| Vendor info | Symantec (Norton) Enterprise Edition | McAfee "Active Virus Defense" |
|---|---|---|
| Cost info | 1000 licenses $60,800.00 | 1000 licenses $55,090.00 |
| Antivirus Server Hardware | (3) Dell Poweredge 1950 and one Dell Poweredge 2650 $10,000.00 | (3) Dell Poweredge 1950 and one Dell Poweredge 2650 $10,000.00 |
| Total cost - Antivirus | $70,800.00 | $65,090.00 |

E-mail Spam Filtering:

Spam filtering is a recommended high-priority initiative for WTHI. Spam can be more damaging than simply wasting e-mail bandwidth and inbox space. According to a recent article in Barron’s (Carey, 2007), “APWG (www.antiphishing.org) says that in the first month of 2007, there were 29,930 reports of attempts to steal passwords or other important personal information from corporate customers, up more than 25% from December and up 5% above the previous record, set in June of last year.”7

7 Carey, T. (2007, April). Phighting Phishes and Pharmers. Barron's, 87(14), 37. Retrieved April 5, 2007, from ABI/INFORM Global database. (Document ID: 1249851201).

In the course of this analysis, a decision was made to keep the existing Microsoft Exchange 5.5 e-mail server architecture in place. This decision is centered on cost reduction to create more budgetary focus on the critical need to upgrade both the WAN and Security Infrastructure. The upgraded WAN will eventually allow for the migration to a centralized Exchange 2003 and later Exchange 2007 environment, where one redundant e-mail server is located in the Chicago datacenter.

Spam e-mail can quickly kill productivity for employees in all departments where time is better spent conducting company business rather than deleting
unsolicited e-mail. This can also lead to a virus attack if the spam message contains a hidden executable or a compressed file containing the executable file. With the existing 5.5 server architecture in place, the deployment of a short-term anti-spam solution is recommended at each site. To keep costs down, an SMB-sized anti-spam appliance is recommended.

Cost Comparison Information – Spam Filter:

Solution: Anti-Spam Filter

| Vendor info | Barracuda Spam Firewall - model 400 | Mail Foundry 2100 |
|---|---|---|
| Cost info | $4,000.00 (4) $16,000.00 plus 8,000.00 for 1 year support and updates | $2,000.00 (4) $8,000.00 plus 2 years extended support |
| Total Cost - Antispam | $24,000.00 | $13,021.60 |

The diagram below outlines the connectivity of the spam filter at each location.
Oracle Database Security
Within this report, many security solutions are recommended to ultimately protect the data of the company’s databases. These solutions offer the most protection at each perimeter of the Information Systems Infrastructure. A critical consideration is the application level security of the Database Management System software. WTHI uses Oracle as its DBMS provider. Oracle has a long-standing reputation for leading the industry in e-commerce database management products. The use of Oracle’s security features will protect the database at a final core level against attacks and data theft.

Oracle adds an additional layer to database security through its own technology resource center. As indicated by Oracle Corporation (2007), “Fixes for security vulnerabilities are released in quarterly Critical Patch Updates (CPU), on dates announced a year in advance and published on the Oracle Technology Network. The patches address significant security vulnerabilities and include other fixes that are prerequisites for the security fixes included in the CPU. The major products patched are Oracle Database Server, Oracle Application Server, Oracle Enterprise Manager, Oracle Collaboration Suite, Oracle E-Business Suite, PeopleSoft Enterprise Tools, PeopleSoft CRM, JD Edwards Enterprise One, and JD Edwards One World XE.”8

Oracle (http://download-east.oracle.com/docs/cd/B14117_01/network.101/b10777/overview.htm#1006428) provides a comprehensive list of potential database security issues and resolutions. This list includes items such as “Unauthorized users, unauthorized access to data, eavesdropping, corruption, and denial of service.”9 With the many solutions offered to mitigate the risk of data loss, WTHI will follow the Oracle recommended solutions.

8 Oracle Corporation (2007, April). Quarterly Patch Update: Quarterly Release of Security Updates. Retrieved April 12, 2007 from: http://www.oracle.com/security/critical-patch-update.html

9 Oracle Corporation (2007, April). Quarterly Patch Update: Quarterly Release of Security Updates. Retrieved April 12, 2007 from: http://www.oracle.com/security/critical-patch-update.html

A critical component of this risk management solution will be a new WTHI Information Technology policy, developed in cooperation with the Database Administration group and Network Operations staff, to follow published Oracle security recommendations and patch all reported vulnerabilities as soon as possible. At the present time, adherence to the existing Oracle recommendations will not require any additional purchase by WTHI. Our current support contract with Oracle is 24/7
technical support. All database administrators at WTHI are Oracle Certified DBAs, with at least 5 years of database administration experience. Database backups are performed nightly, and a full database replication is done daily with the Dallas datacenter.

Business Continuity Planning

WTHI has a solid plan for continuation of business in the event of a major technical outage at the main Chicago data center. The plan for business continuity consists of a complete operations failover from Chicago to Dallas. To continuously prepare for such an event, WTHI regularly replicates its database with the Dallas office. Redundant application servers operate in the Dallas location and are ready to pick up in less than 20 minutes in the event such service is required. Local personnel in Dallas are trained to take over main operations from Chicago. Key management personnel have an emergency travel budget to temporarily relocate from Chicago to Dallas until the Chicago site is ready to go back online. This plan is sufficient to continue operations, and there is no requirement to upgrade or change the plan at this time. With continuous innovation in the Information Technology and Security fields, this plan should be revisited annually to identify new opportunities for improvement.

Disaster Recovery

Nightly tape backups are performed at all sites. All major systems, including e-mail, voicemail, and file servers, are backed up. Database transaction logs are backed up, and can be ‘rolled back’ or ‘rolled forward’ to restore data that may have been damaged during a server outage. All servers are configured with a RAID capability, and spare hardware replacements are kept ready and available at all sites should the need arise to rebuild a RAID system.

An offsite storage vendor keeps 2 weeks of backup tapes at a climate-controlled facility, and these may be recalled at any time for any of the four offices as needed. At present, this plan is sufficient to restore data operations, and there is no requirement to upgrade or change the
plan at this time. With continuous innovation in the Information Technology and Security fields, this plan should be revisited annually to identify new opportunities for improvement.

Summary List of Recommendations:

1. Control Physical Access to Buildings, Offices, Warehouses and Data Centers; Implement a Perimeter Security Access Control (Badge Reader) System.
2. Migrate Camera System from Analog to Digital Network Controlled System with Online Storage.
3. Migrate WAN Circuit Connectivity from Internet Based to MPLS (Private VPN) Based.
4. Migrate Firewalls from Decentralized Raptor Solution to Centralized Internet Gateway.
5. Enforce Password Policy on all Domain Accounts:
   a. Require password change every 90 days.
   b. Require at least 1 number, 1 special character, and 1 uppercase letter, minimum 8 characters.
6. Implement an Intrusion Detection System.
7. Enforce Desktop Policy via Active Directory Group Policy Object. Include Scheduled After Hours Download Cycle for MS-Security Patches.
8. Limit Web Site Browsing with a Web Filter Appliance.
9. Migrate Remote Access VPN from Microsoft PPTP to Cisco Client VPN.
10. Implement Anti-Spam Email Filter Device on all Exchange E-mail Servers.
11. Follow Oracle Best Practices for Database Security as Published on Oracle’s Corporate Website.
12. Standardize Anti-virus Software to Enterprise, Server Based Version.
Conclusion

The Web Tech Home Improvement Corporate Security Plan as proposed in this report is vital to the company’s ability to maintain its competitive advantage. The center of this plan is the upgrade of WAN technology from the existing decentralized ISP solution to a centralized MPLS Private WAN with increased bandwidth. The physical access control and video surveillance solutions will utilize more bandwidth in data transfer. The migration and upgrade of the firewall solution using a centralized Internet Gateway will streamline the administration of the firewall at the Chicago Data Center, and take some of the strain off local IT personnel by shifting this responsibility to Headquarters.

Creating a policy for the existing Windows 2000 Active Directory environment will tighten desktop security and enforce restrictions on resources so that the appropriate groups and departments will access only the resources required to conduct daily business. This will also allow IT administrators to enforce a new global password policy covering the number and type of characters and a fixed password renewal requirement.

The server-based antivirus model will decrease the Internet traffic at each office by centralizing virus definition updates on a master server and pushing these updates to servers in each office. This in turn will reduce WAN traffic by allowing local client PCs in each office to update using LAN bandwidth rather than WAN bandwidth. The addition of a web-filter appliance will control appropriate Internet website browsing and reduce bandwidth utilization across the WAN by blocking streaming media sites such as “Napster”, “iTunes”, “myspace”, and “youtube”.

The migration from Microsoft VPN to a combined Cisco VPN/SecurID token solution will increase security by randomizing the second part of the user password in the authentication process. It will also strengthen the reliability of the VPN hardware solution by moving away from a server-based solution to a more robust Cisco router solution. This plan should be re-evaluated on a regular basis to consider new
technology developments and innovations in the field of security that might better protect the infrastructure and help to maintain the company’s competitive advantage. A line item budget consideration is strongly suggested to continue the needed updates to these technologies needed for maintaining security of the company’s physical and informational assets.

References

1. Messmer, E. (2007, March). Net security experts share tips. Network World, 24(12), 1, 10. Retrieved April 5, 2007, from ABI/INFORM Global database. (Document ID: 1247736921).
2. Stennett, C., A. Wren. (2006, November). TECHNOLOGY AND SAFETY: How Network Video Can Help Increase Security at Public Housing Authorities. Journal of Housing and Community Development, 63(6), 28-30, 32. Retrieved March 12, 2007, from ABI/INFORM Global database. (Document ID: 1183865131).
3. Cavusoglu, H., B. Mishra and S. Raghunathan. (2005). The Value of Intrusion Detection Systems in Information Technology Security Architecture. Information Systems Research, 16(1), 28-46. Retrieved April 6, 2007, from ABI/INFORM Global database. (Document ID: 836085061).
4. Microsoft Corporation (2007, April). Securing Windows 2000 Network Resources. Retrieved April 12, 2007 from http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/netres.mspx
5. Munro, K. (2006, October 4). How to crack (almost) any password in less than two minutes: [SURVEYS EDITION]. Financial Times, p. 6. Retrieved April 5, 2007, from ABI/INFORM Global database. (Document ID: 1140500361).
6. Cisco Corporation (2006). Protecting Your Core: Infrastructure Protection Access Control Lists. Retrieved April 12, 2007 from: http://www.cisco.com/warp/public/707/iacl.pdf
7. Morrissey, P. (1998, April). Demystifying Cisco access control lists. Network Computing, 9(7), 116. Retrieved April 7, 2007, from ABI/INFORM Global database. (Document ID: 28520861).
8. Huseyin C., B. Mishra, S. Raghunathan. (2005). The Value of Intrusion Detection Systems in Information Technology Security Architecture. Information Systems Research, 16(1), 28-46. Retrieved April 6, 2007, from ABI/INFORM Global database. (Document ID: 836085061).
8. Keep your database safe from intrusions at all network levels. (2006, April). Exploring Oracle, 11(4), 6. Retrieved March 12, 2007, from ProQuest Computing database. (Document ID: 1025469841).
9. Carey, T. (2007, April). Phighting Phishes and Pharmers. Barron's, 87(14), 37. Retrieved April 5, 2007, from ABI/INFORM Global database. (Document ID: 1249851201).
10. Oracle Corporation (2007, April). Quarterly Patch Update: Quarterly Release of Security Updates. Retrieved April 12, 2007 from: http://www.oracle.com/security/critical-patch-update.html
11. Oracle Corporation (2007, April). Oracle Security Review 10g Release 1. Retrieved April 12, 2007 from: http://download-east.oracle.com/docs/cd/B14117_01/network.101/b10777/overview.htm#1006428
12. Microsoft Corporation (2007, April). Step-by-Step Guide to Understanding the Group Policy Feature Set. Retrieved April 12, 2007 from: http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/grpolwt.mspx
13. RSA Security (2005). RSA SecurID SID800 Hardware Authenticator. Retrieved from: http://www.rsa.com/products/securid/datasheets/SID800_DS_0205.pdf

Appendix A: Cost Information

Budget Requirement - Capital Asset Equipment Investment: $442,079.00
Budget Requirement - Recurring Service Charges: $10,100.00 per month

Cost Information

Solution: WAN - MPLS Service and broadband circuits

| Vendor info | telcoIQ | usa access |
|---|---|---|
| Cost info | $400.00 per month per site - $1,600.00 per month for all 4 sites | not available |
| Total Cost per month: | $1,600.00 per month | n/a |

Circuits: DS3 - partial Circuits and T1's

| Vendor info | telcoIQ | usa access |
|---|---|---|
| Cost info | $1,250.00 per month (6Mb) 4 bundled T1's | DS3 full 1,500 per month |
| Total Cost per month: | $2,500.00 | 4,500.00 - 6,000.00 |

Total Telecom Data Circuit Charge for all sites per month: $8,500.00
Cisco 3725 Multiservice WAN Routers: 6500.00 x (5) (Two are needed in Chicago): 32,500.00
Total WAN investment for all sites, per month: $10,100.00
Total WAN ROUTER Purchase: 32,500.00

Solution: Cisco VPN

| Vendor info | Cost |
|---|---|
| Cisco Client Access License 40.00 (500 users) | $2,000.00 |
| Cisco 7204 VXR VPN Router | $6,000.00 |
| Total Cost - Cisco VPN | $8,000.00 |

Solution: Firewall
(Source: securehq.com)

| Vendor info | Nokia / IP 560 with Checkpoint FW-1 | SonicWall Pro / Sonic Wall 5060f |
|---|---|---|
| Cost info | $16,000.00 | $10,371.00 |
| Total Cost - Firewalls | $16,000.00 | $10,371.00 |

Solution: SecurID Fobs

| Vendor info | RSA | CryptoCard |
|---|---|---|
| Cost info | $45,000.00 | $68,000.00 |
| | Authentication Manager Enterprise License: $50,000.00 | Windows Starter Kit $500.00 |
| Total Cost - Authentication Tokens | $95,000.00 | $72,000.00 |

Solution: Digital Video

| Vendor info | Vicon Systems | Alternative Security |
|---|---|---|
| Cost info | 4 DVRs @ $8,000.00 ea = $32,000.00 | (4) 9-camera complete systems w/cameras and DVR's @ $2,699.00 ea = $10,796.00 |
| | 36 PTZ Cameras @ $463.85 ea = $16,698.60 | n/a (included above) |
| | Central Console $1,352.65, joystick control unit: $200.00 = $1,552.65 | Central Console $1,352.65, joystick control unit: $200.00 = $1,552.65 |
| Digital Video Archive | EMC Clariion Ax (500 Gb expandable archive) $6,000.00 | EMC Clariion Ax (500 Gb expandable archive) $6,000.00 |
| Total Cost - Video: | $56,251.00 | $18,348.65 |

Solution: Perimeter Badge Access Control

| Vendor info | Software House Ccure Badging System | Software House Ccure Badging System |
|---|---|---|
| Cost info | $1,000.00 (4) = $4,000.00 | $1,000.00 (4) = $4,000.00 |
| | Control Panels $450.00 (8) $3,600.00 | Control Panels $450.00 (8) $3,600.00 |
| | ACTAtek badge readers $790.00 (26) = $20,540.00 | ACTAtek badge readers $790.00 (26) = $20,540.00 |
| | ACTAtek Fingerprint and HID ProxI/II Combo badge and biometric readers $1,590.00 (8) = $12,720.00 | ACTAtek Fingerprint and HID ProxI/II Combo badge and biometric readers $1,590.00 (8) = $12,720.00 |
| | Door Strikes - $175.00 (32) $5,600.00 | Door Strikes - $175.00 (32) $5,600.00 |
| | Door Relay units - $179.00 (32) $5,728.00 | Door Relay units - $179.00 (32) $5,728.00 |
| Total Cost - Badge Control System | $52,188.00 | $52,188.00 |

Solution: Corporate Antivirus

| Vendor info | Symantec (Norton) Enterprise Edition | McAfee "Active Virus Defense" |
|---|---|---|
| Cost info | 1000 licenses $60,800.00 | 1000 licenses $55,090.00 |
| Antivirus Server Hardware | (3) Dell Poweredge 1950 and one Dell Poweredge 2650 $10,000.00 | (3) Dell Poweredge 1950 and one Dell Poweredge 2650 $10,000.00 |
| Total cost - Antivirus | $70,800.00 | $65,090.00 |

Solution: Anti-Spam Filter

| Vendor info | Barracuda Spam Firewall - model 400 | Mail Foundry 2100 |
|---|---|---|
| Cost info | $4,000.00 (4) $16,000.00 plus 8,000.00 for 1 year support and updates | $2,000.00 (4) $8,000.00 plus 2 years extended support |
| Total Cost - Antispam | $24,000.00 | $13,021.60 |

Solution: Web Browsing Filter

| Vendor info | Barracuda Web Filter - model 410 | iPrism M1200 Web Filter Appliance |
|---|---|---|
| Cost info | $4,000.00 (1) add 2,000.00 for 1 year support and updates | 1,000 users, 1 year, $10,010 direct |
| Total Cost - Web Filter | $6,000.00 | $10,010.00 |

Solution: Intrusion Detection

| Vendor info | Enterasys Dragon Sensor | Juniper IDP 200 Security Appliance |
|---|---|---|
| Cost info | $15,000.00 x 5 = $75,000.00 | $16,000.00 x 5 = $80,000.00 |
| | Ethernet taps ($560.00 ea) x 6 = $3,240.00 | Ethernet taps ($560.00 ea) x 6 = $3,240.00 |
| Total cost - IDS | $78,240.00 | $83,240.00 |