You may use the textbook and any material in the class canvas site for this final exam. You may not use any other material, the internet, or communicate with anyone related to this final exam.
Please add a statement at the end of this exam confirming your compliance with these requirements.
Choose two of the following three scenarios below, answering questions within the scenarios paying close attention to course content. (60pts each scenario) 450-500 words each.
“I promised everyone remote access – the ability to access the corporate network from home or while on the road”, said the CIO of the Good Coffee company where you are employed. What does this mean? Provide a summary of the security issues and concerns, along with an overview of the remote access policy and technology needs in order to securely carry out this promise.
Explanation of the CIO’s statement
With the advancement in technology, companies can enable remote access. The CIO of Good Coffee Company promising everyone remote access means that employees can access the company’s computer system even when they are not connected to the company’s network. In this light, the following activities are possible. First, the employees of the Good Coffee Company will be able to log in to the company’s database from home or anywhere. Secondly, the employees will be able to send and receive emails from any device. Third, it means there will be a workspace where clients can share as well as view files. In such a system, employees operating from their homes are less likely to disturb colleagues in the office by asking them to send data.
Remote access security concerns
Despite the many benefits, remote access can expose Good Coffee Company to many risks. Remote working largely depends on sharing business information or services outside of the company’s infrastructure, especially over the internet. As a result, various security concerns come with remote access. To begin with, in remote access there is a lack of physical security controls, which creates a risk of device loss or theft. Physical security controls, which are widely practiced within the company’s infrastructure, protect against unauthorized physical access to information assets (Smith, 2019). It is worth noting that this lack of adequate physical security controls puts the company at risk of information theft or breach.
The other security concern of allowing remote access is eavesdropping, because information travels over the public internet. In computer security, eavesdropping refers to unauthorized interception of communication or digital transmission in real time. Eavesdropping attacks are often easier because an attacker can place software in the network path to acquire relevant information. Remote access puts the company at risk of eavesdropping (Smith, 2019). Another security concern is monitoring and manipulation of data. This occurs when a third party gains access to the device. When working at home, there is a high chance of a third party accessing the device with either a good or a bad intention. An individual with a bad intention can alter the data, placing the company at risk of losing vital information.
Overview of remote access policy and technology needs
To achieve this promise of allowing remote access, the CIO must make sure that the system is secure by considering the remote access policy and technology needs. The first requirement is that secure remote access has to be controlled with encryption, such as virtual private networks (VPNs), and strong passwords (Smith, 2019). The other need is that authorized users, which in this case are employees of Good Coffee Company, should protect their login and password information from others, even family members. In addition, all the hosts connected to the Good Coffee Company’s internal networks through remote access systems are required to use up-to-date antivirus software. It is also required that personal devices used to connect to the company’s networks meet the requirements for remote access.
The CEO of Good Tea Co. is building out a data system to collect data from their point of service (POS) systems (i.e., the cash registers), storing the data for use in a store operations dashboard. As a consultant, you have been hired to put together a proposal describing how best to secure the data for Good Tea Co. Provide an overview of that proposal, make sure to include the threat community you are most worried about.
Midsize Healthcare Insurance Company just recently experienced a data breach of 250,000 patient records, and the new Chief Information Security Officer (CISO) wants a proposal for securing the company’s portal website under 500 words for presentation to the Board of Directors. Provide that proposal for the CISO, include technical, management, and operational controls.
Website security is important because no one wants to experience a data breach. Having a secure website portal is vital because it saves an organization from lawsuits, a ruined reputation, and fines when a data breach happens. There have been a number of attacks on the website portals of different organizations across the globe. For instance, the Midsize Healthcare Insurance Company data breach of 250,000 patients’ records was a blow to the company. In light of this, it is the responsibility of an organization to make sure that its website portal is safe from hackers. To prevent any kind of data breach, the company should consider improving the technical, management, and operational controls on its website portal. Therefore, Midsize should implement the three kinds of controls to secure its portal website from any form of attack.
Technical controls are implemented and executed by the system’s hardware and software. To begin with, the company should keep its software up to date (Smith, 2019). It is important to make sure all platforms or scripts the company has installed are updated. Because attackers mainly target security errors in web software, the programs need to be updated to reduce security holes. Thus, it is crucial to maintain as well as update the software products the company uses. Secondly, the company should encrypt the login pages. To achieve this, the company should use SSL encryption on its login pages. SSL ensures that sensitive information like social security numbers and login credentials is transmitted safely (Smith, 2019). The company should also consider using a network-based firewall, a host-based firewall, and operating system patching.
Midsize should also adopt management controls. These controls focus on the management of risk and the management of information system security. Here, the company should strive to limit user access and permissions. The company’s portal website can be a target for the users as well. Based on this, the company should set up strong encryption on the portal that allows in only people who have passwords (Smith, 2019). The company should consider the use of web server best practices, such as protecting sensitive files using CMS configuration files. In addition, the company should also consider hiring a website portal security expert. A security expert will offer security services by regularly scanning the website for any vulnerabilities, performing full website security audits, and monitoring for malicious activity.
Operational controls are equally important in securing the website portal against hacking. These are controls mainly implemented and performed by people. The company should make sure that the IT staff managing the portal do not have a link to hackers. The company should conduct background checks on the IT staff members, including employment history and any outstanding warrants, based on the hiring policy. In addition, the company should offer security training regularly to inform the users of the necessary compliance requirements. The training will make sure that the users do not fall victim to any phishing fraud. For instance, they should report to experts when they observe malicious activity on the website portal.
Answer 4 of the following 5 questions. (25pt each question) 250-300 words each.
- Frameworks (e.g., NIST 800-53 r4) help organizations in building their information security program. What do you think the main benefit and drawback are of adopting one of the many defined frameworks for program development? Justify your answer.
The NIST Special Publication 800-53 (Rev. 4) offers directions for the selection of security and privacy controls. The framework is in its fourth revision. It is the most comprehensive update since the inception of the first publication (Bodeau & Graubart, 2013). One of the benefits is that it provides acceptable models for defining principles and policies used in analyzing and considering systems, processes, and programs that influence privacy. The other advantage is that it is up-to-date. The framework handles current threats in the information system. The other advantage is that it enhances and helps innovation through the promotion as well as maintenance of a set of standards for program development. The model guides program development and helps in making sure that data is protected.
While the framework is good at data security, risk assessment, and security programs, it does not offer effective governance of cybersecurity. Governance of cybersecurity is important because it allows one to develop a product that complies with the required security and protocol policies (Bodeau & Graubart, 2013). The main disadvantage is that it is unable to change with the changes in information security threats. Data attackers are changing tactics all the time to facilitate their operations. In regard to this, I think the most appropriate framework should not allow such a gap. It is worth noting that NIST is in its fourth revision, which is an upgraded version of the previous one. It means that the framework cannot offer security against a new threat since it has to be updated to tackle the threat.
- Explain how Transport Layer Encryption (TLS) works and where an organization would utilize it in their infrastructure. Justify your answer.
Transport Layer Security (TLS) helps in creating encryption for private communication. By definition, TLS is a cryptographic protocol that offers end-to-end security of data between applications over the internet (Smith, 2019). The main purpose of TLS is to prevent eavesdropping and message tampering. TLS is developed to offer a full cryptographic security layer to sensitive data shared between servers. It has two layers: the TLS Record Protocol layer and the Handshake Protocol layer (Smith, 2019). TLS makes use of both symmetric and asymmetric cryptography because this performs well and ensures security when sharing information. In symmetric cryptography, encryption and decryption of data happen using a secret key known only to the parties sharing the data. The secret key is between 128 and 256 bits in length.
In asymmetric cryptography, two keys, a public key and a private key, are used. Although the public key is linked to the private key, it is impossible to get the private key from the public key because of sufficient key length (Smith, 2019). This allows the public key of the receiver to be used by the sender to encrypt the data they want to share. However, in this case, decryption can only happen with the private key of the one receiving the data. An organization would use TLS in encrypting its email communications. Since email communication is done over the internet, it is prone to attacks such as eavesdropping. Thus, an organization would want to hide its email communication from a third party. An organization can also use it to hide its communication between websites.
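The answer above names an asymmetric key exchange and symmetric keys of 128 to 256 bits. As an added example (not part of the original exam answer), the following Python code audits a client-side TLS configuration for those properties with the standard `ssl` module, and goes slightly further by also checking certificate and hostname verification. The function names and the `MIN_KEY_BITS` constant are assumptions chosen for illustration.

```python
import ssl

# Assumption: lower bound of the symmetric key range quoted in the answer above.
MIN_KEY_BITS = 128


def audit_tls_client_context(ctx):
    """Return a list of findings for a client SSLContext (empty list means pass)."""
    findings = []
    # Without certificate verification the server's public key is not
    # authenticated, so the asymmetric half of the handshake protects nothing.
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname checking disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions older than TLS 1.2 allowed")
    weak = [c["name"] for c in ctx.get_ciphers()
            if c["strength_bits"] < MIN_KEY_BITS]
    if weak:
        findings.append("weak cipher suites enabled: " + ", ".join(weak))
    return findings


def describe_suites(ctx):
    """List (suite, key exchange, symmetric cipher, key bits) for enabled suites."""
    return [(c["name"], c.get("kea"), c.get("symmetric"), c["strength_bits"])
            for c in ctx.get_ciphers()]


def weak_context():
    """Weak setting: encrypts traffic but accepts any certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context():
    """Corrected setting: verified peer, TLS 1.2 or newer, default strong suites."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    print("weak:", audit_tls_client_context(weak_context()))
    print("hardened:", audit_tls_client_context(hardened_context()))
    for row in describe_suites(hardened_context())[:5]:
        print(row)
```

The same hardened context can be passed to `smtplib.SMTP.starttls(context=...)` or `http.client.HTTPSConnection(..., context=...)`, which covers the email and website uses named in the answer.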
- Encryption should be used to secure data in multiple states, including “At Rest,” “In Transition,” and “In Use.” Explain what this means for data, giving an example of each and the main security concern (or attack vector) for each state.
Data can be vulnerable to risks when at rest, in motion, and in use. It means that unprotected data, whether in transit, at rest, or in use, is prone to attack. Data at rest is data kept in a digital format on physical devices such as a flash disk, hard disk, or USB thumb drive (Smith, 2019). The inherent risk of data depends on its sensitivity and value. In this state, data is relatively safe because it is protected by defenses like firewalls and anti-virus programs. However, data in this state requires physical security controls to make sure that information is safe from other vulnerabilities like theft or loss.
Data in transit is data that is moving from one person to another or from one device to another through the internet. Examples include someone sending an email, accessing data from a remote server, or downloading files from the cloud, amongst others. In this state, data is at its most vulnerable, and security needs specialized capabilities (Smith, 2019). In this state, data is prone to attacks like eavesdropping, in which it is intercepted over the internet to get the information. When sending an email, an attacker with appropriate tools can intercept the email as it moves along the path over the internet. One possible way to prevent this is by making sure that messages remain confidential through encryption.
Data in use is data being accessed, processed, or loaded into RAM. Examples include files being read, active databases, or files being edited. In this state, data is more prone to attacks compared to data at rest since it has to be accessible to the people who want it. It is worth noting that the more devices there are, the greater the risk (Smith, 2019). It is challenging to secure data in use because of the existence of RAM scraping malware in user or kernel mode. One of the solutions to protecting data in use is to prevent access and to introduce authentication.
- Describe, at the lowest layer covered in class, what happens when a user clicks a hyperlink on a website linking to a website utilizing TLS.
- The protocol stack goes from layer 1, the physical layer to layer 7, the application layer. Briefly describe each layer of the stack and provide an example of a security system designed to help provide security at the specific layer. Ensure you cover all seven layers.
Physical layer
This is the lowest layer among the seven in the model. The layer is the one that connects the devices physically (Kumar, Dalal & Dixit, 2014). It has information in the form of bits. Protecting the layer requires proper security surveillance with biometric authentication solutions.
Data link layer
The layer delivers a message from node to node. The primary role of the layer is to make sure that the sharing of data is secure (Kumar, Dalal & Dixit, 2014). Protecting the layer requires MAC filtering and analysis of wireless applications, making sure that they are designed with encryption and authentication.
Network layer
The layer transmits data from one host to another situated in a different network. It takes care of packet routing, as it determines which route is appropriate from source to destination. The only way to secure the data is by enhancing network layer controls. Effectively configured firewalls are also required.
Transport layer
The layer offers service to the application layer and takes services from the network layer. It delivers a complete message from end to end (Kumar, Dalal & Dixit, 2014). To secure the layer, there is a need for a firewall controlling access to transmission protocols.
Session layer
The main purpose of the layer is to establish connections, maintain sessions, and provide authentication, which enhances security (Kumar, Dalal & Dixit, 2014). It creates a platform that enables a process to add checkpoints into the data to determine errors. The most appropriate way to protect the layer is to make sure passwords are encrypted during sharing and storage.
Presentation layer
The layer is also known as the translation layer. The information from the application layer is obtained in this layer and altered based on the format needed to share it through the network (Kumar, Dalal & Dixit, 2014). The most appropriate way to protect the layer is to separate user input from the program control operations.
Application layer
The layer is used over the network. It works as a window for applications to access the network and to present the data received to the user (Kumar, Dalal & Dixit, 2014). Some of the security systems designed to help the layer are secure web gateway services and web application firewalls, among others.
This was a course of exploration into the world of information security. Based on your learning, what grade do you feel you have earned in the class? Make your case! (30pts) 200 words. (For this one, there was the project that was done, I will attach, interview, and product memo), be creative to come up with something for this
When taking a course, every student has an ideal grade that they would like to earn. However, while the information and knowledge acquired are more important, the grade that one gets is also important. During this course, I did assignments like a security assessment report, a presentation on Force-point, an SPD presentation script, and finally ISM 6331 Information Systems Security. For example, for the security assessment report, we conducted a security assessment of the SPU’s information system. We made sure that all the requirements as requested were met to get a good grade. My group members were all certain of earning a good grade. I have dedicated my time to research to handle these assignments. I participated in group work as provided. In addition, I have made my assessment from the rubric provided. I did this to make sure that I covered everything required as per the instructions. Apart from the group work, I equally gave my best in individual assignments. For example, in ISM 6331 Information Systems Security, I used the materials we used in class to respond to the questions. Looking at what I have been able to do in the assignments, I feel I have earned an A grade. However, I will appreciate your assessment of the work I have done in class.
References
Bodeau, D., & Graubart, R. (2013). Cyber Resiliency and NIST Special Publication 800-53 Rev. 4 Controls. MITRE, Tech. Rep.
Kumar, S., Dalal, S., & Dixit, V. (2014). The OSI model: Overview of the seven layers of computer networks. International Journal of Computer Science and Information Technology Research, 2(3), 461-466.
Smith, R. E. (2019). Elementary information security. Jones & Bartlett Learning.