computer network security policy and design policy
Running Head: WWTC Security Policies and Security Design
WWTC Security Policies and Security Design
CMIT 495
Professor
UMUC
July 23, 2017
Table of Contents
Introduction
Business Needs
Security Policies
    Acceptable Use Policy
    Classified Network Usage Policy
    Network Access Policy
    VPN Policy
    Remote Access Policy
    Encryption Policy
    Physical Security Policy
    Wireless Policy
    Email Policy
    Removable Media Policy
    Privacy Policy
    Password Policy
Asset Security
Security Design
Security Architecture/Diagram
Conclusion
References
Introduction
WWTC currently has strong security requirements at its other locations around the world. However, there have been issues with the current security model at the other locations that need to be addressed at the New York office. A recent audit of the other locations has identified a few issues such as email misuse, confidential data storage, poor authentication methods, poor encryption methods, and data confidentiality. To protect the new office from these past issues, vulnerable assets and practices must be identified and mitigated. The governing documents that help WWTC mitigate these vulnerabilities will be comprehensive security policies. A security policy is a high-level document that states how business should be conducted and sets the standard for how a secure environment should be deployed.
These policies are put into place to protect WWTC’s most important assets. Policies can include how individuals may use the network, what types of security measures are put into place to reduce risk, and the consequences if the policies are not complied with. This essentially represents the business needs for security, which drives how network security is implemented. Security requirements are needed in order to fully design a network that meets those requirements. The security policies designed for WWTC’s New York office are required to protect its assets, baseline acceptable use, proactively reduce risk, and ensure compliance with current regulations and legislation.
Business Needs
More often than not, business goals and technical goals can conflict with each other. In cases like this, either business or technical tradeoffs are often the outcome. When security is a main goal for an organization, a tradeoff of spending more capital on securing the network may be required. There are many examples of tradeoffs that can take place to either secure an organization or to optimize profits and reduce overhead. Regardless of the tradeoff, each time this scenario occurs, all aspects should be considered due to the importance of the decision and its potential outcomes (Oppenheimer, 2010).
WWTC’s primary business needs are providing secure means of customer purchase and payment over the Internet, fast and secure network services, consistent network availability, and overall heightened network security to mitigate network vulnerabilities. To meet these needs, appropriate security policies need to be implemented to establish a baseline for network performance and user interaction. Table 1 lists and describes the twelve security policies that will be implemented at the WWTC New York office to meet the business goals stated above and to improve security so that the information of the organization and its stakeholders stays safe.
| Policy | Description/Purpose |
|---|---|
| Acceptable Use Policy (AUP) | An AUP documents the constraints and general practices a user must agree to and follow in order to use/access the WWTC network |
| Classified Network Usage Policy | The Classified Network Policy documents acceptable behavior on the classified network and authorized users and actions on the network |
| Network Access Policy | The Network Access Policy states how users connect to the local network and the authentication methods used |
| VPN Policy | The VPN Policy states the minimum tunneling protocols and encryption required to establish a VPN connection between WWTC sites and remote users |
| Remote Access Policy | The Remote Access Policy states how users will be able to connect to the internal network resources while physically off-site |
| Encryption Policy | The Encryption Policy states the minimum encryption standards required for communication on the WWTC network |
| Physical Security Policy | The Physical Security Policy states how employees enter workspaces, physical network device security, and access control |
| Wireless Policy | The Wireless Policy states how users will connect to the WLAN and the minimum security standards used |
| Email Policy | The Email Policy states how the use of email should be performed and the limitations of the data classification allowed over email |
| Removable Media Policy | The Removable Media Policy states if and when removable media such as USB drives are allowed to be plugged into WWTC devices |
| Privacy Policy | The Privacy Policy states how user data will be handled on the network and the monitoring techniques used by WWTC to ensure overall security |
| Password Policy | The Password Policy states the minimum acceptable password standards for users on the WWTC network and how often they must be changed |
Table 1. WWTC Security Policies Overview
Security Policies
1.0 Acceptable Use Policy
1.1 Overview
The Acceptable Use Policy (AUP) is designed to inform users about the WWTC network and acceptable actions while connected to the network. The purpose is ultimately to protect WWTC resources, users, and customer data while accessing and using network resources. WWTC is dedicated to ensuring that its employees have the access that they need to perform their functions to the highest level possible, promoting the availability of information while protecting its integrity and authenticity. The network is designed to streamline business communications between branch offices and customers while maintaining overall security.
1.2 Purpose
The purpose of this AUP is to identify and describe the acceptable use of all company resources on the WWTC network. In the event that any employee fails to adhere to these rules, they risk exposing WWTC to external attack or exploitation, loss of network functionality, and potential legal ramifications. For specific policies detailing email use, password compliance, privacy, removable media, wireless use, and remote access, refer to those specific policies found later in this document.
1.3 Scope
The scope of this policy includes all users who have access to WWTC owned or provided computers or require access to the corporate network and/or systems. This policy applies not only to employees, but also to guests, contractors, and anyone requiring access to the WWTC network.
1.4 Policy
· Information stored on WWTC computers, removable devices, and network resources, leased or owned by WWTC, the employee or third party, is the sole property of WWTC.
· It is the sole responsibility of each employee to report lost, stolen, or unauthorized disclosure of any WWTC information.
· It is your duty to only access, use, or share WWTC information to the extent required to fulfill your assigned job duties.
· Access to WWTC company data is limited to the extent that is required to completely perform employee job requirements.
· Monitoring equipment, systems, and network traffic is authorized at any time per the Privacy Policy for security and network maintenance purposes without prior notice.
· WWTC reserves the right to audit the network and systems at any time to ensure compliance with this policy.
· User passwords must comply with the Password Policy. Providing access to another individual, either deliberately or through failure to secure its access, is prohibited.
· Employees must use extreme caution when opening email attachments received from unknown senders, which may contain malware.
1.5 Unacceptable Use
Under no circumstances is a WWTC employee authorized to engage in any activity that is illegal under local, state, or federal law while utilizing WWTC resources. Unacceptable use is not limited to the specific rules below; they are an attempt to provide a baseline for activities which fall into this category.
· Unauthorized physical or logical access to WWTC assets is strictly prohibited.
· Unauthorized copying or removal of any WWTC proprietary or intellectual property by any means is strictly prohibited without prior approval.
· Installation of any software without prior approval is prohibited.
· Access to network resources for any reason other than official business is prohibited.
· Any type of network scanning techniques by employees other than in an official capacity is strictly prohibited.
1.6 Policy Compliance
All activity on the WWTC network is carefully monitored in real-time. All activities taking place on the WWTC network shall be business related and in accordance with this policy. Any user that is found in violation of this policy is subject to disciplinary action including, but not limited to, immediate termination and/or legal action.
2.0 Classified Network Usage Policy
2.1 Overview
This policy identifies acceptable usage of the WWTC classified network for all employees. The type of information that resides on the WWTC classified network could cause significant damage to WWTC and its stakeholders if improperly handled. Strictly adhering to the policy below will help ensure data confidentiality of classified WWTC information.
2.2 Purpose
The purpose of this policy is to act as a guideline for the minimum acceptable use of the WWTC classified network. This classified network holds volatile data that could cause harm to users, employees, customers, and the WWTC as a whole.
2.3 Scope
The scope of this policy includes all users who have access to the WWTC classified network. This policy applies not only to employees, but also to guests, contractors, and anyone requiring access to the WWTC classified network.
2.4 Policy
· At no time will classified information be introduced to an unclassified environment.
· Classified information shall only be stored on approved devices.
· All network communications shall be encrypted on the classified network.
· No removable media, including but not limited to, USB thumb drives, CDs, or external hard drives may be used on the classified network without prior approval.
· Storage of classified information shall be in a physically separate location from any unclassified information.
· Only authorized users may have access to any entity or resource on the classified network.
· Disposal of classified information must take place within the minimum requirements for that classification level.
2.5 Policy Compliance
All activity on the WWTC network is carefully monitored in real-time. All activities taking place on the WWTC network shall be business related and in accordance with this policy. Any user that is found in violation of this policy is subject to disciplinary action including, but not limited to, immediate termination and/or legal action.
3.0 Network Access Policy
3.1 Overview
This policy identifies how users connect to the local network and the authentication methods used. It also states who has access to the network and under what circumstances. Stating specifically who has access, how users gain access to the WWTC network, and when they may do so will increase security through thorough access control.
3.2 Purpose
The purpose of this policy is to state the minimum acceptable methods used to access the local WWTC network. This policy also states what authentication methods are used to access the network. This policy will help ensure that only authorized users have access to the WWTC network and are able to access WWTC resources on the LAN.
3.3 Scope
The scope of this policy includes all users who have access to the WWTC local area network. This policy applies not only to employees, but also to guests, contractors, and anyone requiring access to the WWTC LAN.
3.4 Policy
· Only authorized WWTC users shall access the LAN.
· Users shall access the network via a minimum of two-factor authentication.
· Only official business shall be conducted while using or connected to the WWTC network.
· Introduction of malicious programs into the network or server (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.) is strictly prohibited.
· All users shall properly authenticate to the WWTC network in order to conduct official business while on the premises.
· All users shall properly log off of their devices when leaving them unattended.
· All users shall only access areas of the network that they are authorized to access.
3.5 Policy Compliance
All activity on the WWTC network is carefully monitored in real-time. All activities taking place on the WWTC network shall be business related and in accordance with this policy. Any user that is found in violation of this policy is subject to disciplinary action including, but not limited to, immediate termination and/or legal action.
4.0 Virtual Private Network (VPN) Policy
4.1 Overview
A VPN allows users to access internal WWTC resources from off-site locations. A VPN encapsulates and encrypts the connection when traversing over an untrusted network, like the Internet. This allows users to securely access the internal network from home or when traveling. Additionally, VPNs are also used to connect to other branch locations for information and resource sharing.
4.2 Purpose
The purpose of this policy is to identify the VPN method of remote access to WWTC internal resources from external locations. This policy also dictates the minimum tunneling protocol and encryption methods used to establish a VPN connection.
4.3 Scope
The scope of this policy applies to all users who have authority to access WWTC resources from outside of the physical office location. This policy applies not only to employees, but also to guests, contractors, and anyone requiring a VPN connection to access the WWTC network.
4.4 Policy
· All remote connections to the WWTC network shall be established utilizing a VPN connection.
· All VPN connections shall utilize the Layer 2 Tunneling Protocol (L2TP) in addition to IPSec to ensure a highly secure connection.
· VPN gateways will be implemented and maintained by WWTC.
· Connection time of any VPN connection will be twelve hours.
· Only WWTC owned devices shall be used to establish a VPN connection to the WWTC network. No personal devices will be allowed.
· Authentication to the VPN will be established with a user’s WWTC credentials.
· VPN users who have thirty or more minutes of inactivity shall be automatically disconnected to prevent unauthorized access.
· Only WWTC approved VPN clients may be used.
4.5 Policy Compliance
All activity on the WWTC network is carefully monitored in real-time. All activities taking place on the WWTC network shall be business related and in accordance with this policy. Any user that is found in violation of this policy is subject to disciplinary action including, but not limited to, immediate termination and/or legal action.
5.0 Remote Access Policy
5.1 Overview
Remote access allows users to access WWTC internal resources from outside the physical network. This increases efficiency as it allows employees to work in a mobile environment. However, remote access to internal resources could pose a security threat if not properly configured through this policy. Minimum standards must be met when allowing users to remotely connect via an untrusted network, like the Internet.
5.2 Purpose
The purpose of this policy is to identify the minimum standards of remotely connecting to WWTC internal resources while maintaining the highest security standards available. This policy states how users are able to remotely connect and through what methods.
5.3 Scope
The scope of this policy applies to all users who have authority to remotely access WWTC resources. This policy applies not only to employees, but also to guests, contractors, and anyone requiring remote access to the WWTC network.
5.4 Policy
· Only authorized users shall be able to connect to the WWTC network via a remote connection.
· All remote connections shall be established through an encrypted VPN connection. Refer to the VPN Policy for details.
· Only WWTC owned devices shall be used to establish a remote connection to the WWTC network. No personal devices will be allowed.
· All remotely connected devices shall have up-to-date anti-virus software.
· All WWTC internal policies also apply to users remotely connecting from outside the premises.
5.5 Policy Compliance
All activity on the WWTC network is carefully monitored in real-time. All activities taking place on the WWTC network shall be business related and in accordance with this policy. Any user that is found in violation of this policy is subject to disciplinary action including, but not limited to, immediate termination and/or legal action.
6.0 Encryption Policy
6.1 Overview
While there will be no classified information transmitted over the unclassified network, there may be times when unclassified communications may need to be encrypted. This could include times when potential PII is involved or upcoming business plans. While the information itself may not be classified, it may pose a slight threat if the information was transmitted in clear text. At a point where the information being communicated may not officially be classified, but could pose risk, encryption should be used.
6.2 Purpose
The purpose of this policy is to identify minimum encryption standards required for communication on the WWTC network, when required.
6.3 Scope
The scope of this policy applies to all users who may require use of encryption methods. This policy applies not only to employees, but also to guests, contractors, and anyone requiring remote access to the WWTC network.
6.4 Policy
· Any communication that involves customer or employee Personally Identifiable Information (PII) shall be encrypted.
· Any information deemed Sensitive but Unclassified (SBU) shall be encrypted.
· Cryptographic keys must be generated and stored in a secure manner that prevents loss, theft, or compromise.
· Any communications of lower classification may be encrypted based on the preference of the user.
· All encryption must use signature-based algorithms.
· All remote connections shall be encrypted. Refer to the VPN Policy and Remote Access Policy for details.
6.5 Policy Compliance
All activity on the WWTC network is carefully monitored in real-time. All activities taking place on the WWTC network shall be business related and in accordance with this policy. Any user that is found in violation of this policy is subject to disciplinary action including, but not limited to, immediate termination and/or legal action.
7.0 Physical Security Policy
7.1 Overview
Physical security is just as important as logical security for the WWTC network. Physical access poses a significant threat to any network if perimeter security is not addressed and hardened. Physical controls such as door locks, entryway access control, networking closet security, and user awareness all play a role in hardening physical security.
7.2 Purpose
The purpose of this policy is to establish minimum requirements for physical security within the WWTC New York office.
7.3 Scope
The scope of this policy applies to all users who have physical access to the WWTC New York office. This policy applies not only to employees, but also to guests, contractors, and anyone requiring remote access to the WWTC network.
7.4 Policy
· All users shall visibly display proper WWTC identification while on the premises.
· All doors leading to any networking equipment shall be locked at all times.
· Only authorized users shall have access to networking closets where network infrastructure devices reside.
· All users shall show proper identification in the reception areas prior to entering the office.
· Any person found without proper identification shall immediately be escorted off of the premises.
· Guests shall properly display guest identification badges at all times.
· All users shall be on alert and immediately report any suspicious activity to building security.
7.5 Policy Compliance
All activity within the WWTC New York office is carefully monitored in real-time. All activities taking place within the WWTC New York office shall be business related and in accordance with this policy. Any user that is found in violation of this policy is subject to disciplinary action including, but not limited to, immediate termination and/or legal action.
8.0 Wireless Policy
8.1 Overview
Wireless security can be a launching point for multiple types of attacks on a network. Maintaining wireless security is key to protecting the network as a whole. Additionally, WWTC users are only authorized to use the wireless network in certain areas of the office, the conference rooms and the reception areas. This helps to maintain security and also enable mobility during meetings in the conference rooms. Current security standards must be in place to help protect the wireless network from unseen attackers.
8.2 Purpose
The purpose of this policy is to establish minimum security requirements and to define acceptable use of the wireless network.
8.3 Scope
The scope of this policy applies to all users who have access to the WWTC wireless network. This policy applies not only to employees, but also to guests, contractors, and anyone requiring remote access to the WWTC network.
8.4 Policy
· All connections to the WLAN shall be established through a WPA2 or higher standard.
· The WWTC wireless network shall only be available and accessed in the conference rooms and reception areas.
· All users connecting to the WLAN in the conference rooms shall properly authenticate.
· No unauthorized access points shall be used within the network. Only WWTC owned access points shall be utilized.
· All wireless users shall also comply with the Acceptable Use Policy and Network Access Policy.
· Wireless devices may not be used to gain or attempt to gain unauthorized access to any other areas of the network.
· The transmit power for wireless access points near the building’s perimeter (such as near exterior walls) should be adjusted appropriately in order to prevent access from outside the office.
· All guest users shall be required to accept a wireless acceptable use and privacy policy statement prior to gaining access to the guest network.
8.5 Policy Compliance
All activity on the WWTC network is carefully monitored in real-time. All activities taking place on the WWTC network shall be business related and in accordance with this policy. Any user that is found in violation of this policy is subject to disciplinary action including, but not limited to, immediate termination and/or legal action.
9.0 Email Policy
9.1 Overview
Email is the primary business communication method in the world today. In the past, email has been used inappropriately to conduct sensitive business communications. This is unacceptable as this is not a holistically secure way to communicate. Accordingly, security measures need to be in place for users to communicate securely through email. Additionally, proper etiquette is required when sending emails, whether it be to other WWTC employees or customers. Standards must be set and followed when using this form of communication medium.
9.2 Purpose
The purpose of this policy is to state proper guidelines for email communications at WWTC while also maintaining security.
9.3 Scope
The scope of this policy applies to all users who utilize WWTC email services. This policy applies not only to employees, but also to guests, contractors, and anyone requiring remote access to the WWTC network.
9.4 Policy
· All email correspondence from a WWTC email account shall be business related at all times.
· All company emails shall be used in a professional manner.
· At any point, if an email contains PII or SBU information, it shall be encrypted. Refer to the Acceptable Use Policy and Encryption Policy for more details.
· Users shall not use personal email accounts to conduct WWTC business at any time.
· Users shall report any email with suspicious attachments immediately.
· Automatic email forwarding is strictly prohibited.
· Users should assume no reasonable expectation of privacy when utilizing WWTC email accounts.
· WWTC email correspondence shall only be accessed on approved WWTC devices. Accessing WWTC email on personal devices is strictly prohibited.
9.5 Policy Compliance
All activity on the WWTC network is carefully monitored in real-time. All activities taking place on the WWTC network shall be business related and in accordance with this policy. Any user that is found in violation of this policy is subject to disciplinary action including, but not limited to, immediate termination and/or legal action.
10.0 Removable Media Policy
10.1 Overview
The use of removable media such as USB thumb drives, CDs, and external hard drives (HDD) poses a significant risk of introducing malicious software to the WWTC network. As soon as an infected removable media device is introduced to a networked laptop or workstation, the rest of the network is exposed to it as well. It is unrealistic to ban all forms of removable media as it is such an efficient way to transfer data at a high rate of speed. This is why strict standards and policies must be implemented to protect against these types of devices.
10.2 Purpose
The purpose of this policy is to set guidelines for removable media usage within the WWTC network. This policy will ensure an added measure of safety when using removable media devices and help prevent loss of confidentiality.
10.3 Scope
The scope of this policy includes all users who have access to the WWTC network. This policy applies not only to employees, but also to guests, contractors, and anyone requiring access to the WWTC LAN.
10.4 Policy
· All removable media used must be approved in advance by the WWTC IT department. No personal removable media devices are allowed.
· All removable media devices must have full disk encryption implemented.
· All removable media devices must be clearly labeled with the classification level of the information contained within it.
· All information contained on WWTC removable media devices must be business related. No personal use is authorized.
10.5 Policy Compliance
All activity on the WWTC network is carefully monitored in real-time. All activities taking place on the WWTC network shall be business related and in accordance with this policy. Any user that is found in violation of this policy is subject to disciplinary action including, but not limited to, immediate termination and/or legal action.
11.0 Privacy Policy
11.1 Overview
When using the WWTC network, it is important for users to understand the privacy they are entitled to. Although the users are voluntarily using the WWTC network, they are still somewhat protected under the Fourth Amendment and have rights. At the same time, WWTC must also protect itself. This means keeping logs of network activity that may inadvertently collect private user data. When users use the WWTC network, they are also consenting to this type of surveillance and need to understand how their actions are monitored.
11.2 Purpose
The purpose of this policy is to identify how user data is handled while utilizing the WWTC network. It identifies the basic rights of the user and the rights of WWTC to monitor all network traffic to protect itself and its customers.
11.3 Scope
The scope of this policy includes all users who have access to the WWTC network. This policy applies not only to employees, but also to guests, contractors, and anyone requiring access to the WWTC LAN.
11.4 Policy
· When accessing the WWTC network, all users thereby consent to having their actions monitored and logged. This includes, but is not limited to, sending and receiving emails, creating files, Internet traffic, resources accessed, or any other action on the WWTC network.
· All data collected shall be safeguarded to prevent unauthorized access.
· All devices storing event logs and user actions shall be enabled with full disk encryption.
· All users should understand that their actions on the WWTC network are being constantly monitored.
· Users should have no reasonable expectation of privacy while using WWTC devices or accessing its resources.
· Any information collected may be turned over to law enforcement and used in criminal proceedings if deemed relevant.
· By accessing the WWTC network, all users agree to this privacy policy.
11.5 Policy Compliance
All activity on the WWTC network is carefully monitored in real-time. All activities taking place on the WWTC network shall be business related and in accordance with this policy. Any user that is found in violation of this policy is subject to disciplinary action including, but not limited to, immediate termination and/or legal action.
12.0 Password Policy
12.1 Overview
Passwords are crucial to maintaining system security. However, passwords alone are inherently vulnerable for a number of reasons, and the technology to bypass them is readily available. To increase security, password policies are put into place to make it harder for an attacker to bypass them. While passwords by themselves are vulnerable, increasing their complexity provides additional countermeasures. This can include password length, complexity, maximum/minimum life cycle, and number of passwords remembered before one can be reused. Passwords, along with another factor of authentication, substantially increase identification and authentication security.
12.2 Purpose
The purpose of this policy is to set guidelines for password strengths and complexity requirements. This policy dictates the minimum requirements for password lengths, complexity, and lifecycle. Users are responsible for keeping their passwords safe and ensuring that they meet the minimum requirements established.
12.3 Scope
The scope of this policy includes all users who have access to the WWTC network. This policy applies not only to employees, but also to guests, contractors, and anyone requiring access to the WWTC LAN.
12.4 Policy
· All WWTC user accounts must be secured with a minimum of two-factor authentication.
· All account passwords must meet the following requirements to be used:
- Must contain 10 or more characters
- Must contain at least one uppercase letter
- Must contain at least one lowercase letter
- Must contain at least one number
- Must contain at least one symbol (!, @, #, etc.)
· Passwords shall not be changed more than once within a 24 hour period.
· Passwords must be changed at a maximum interval of 60 days.
· Users may not reuse any of their last 12 passwords.
· All users shall protect their passwords and not reveal them to anyone.
· Users shall not use words that are found in the dictionary in any parts of their password.
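As an added illustration (not part of the original policy document or of any WWTC system), the rules in section 12.4 can be enforced at password-change time roughly as follows. The sample word list, the character-substitution table, the minimum word length, the PBKDF2 parameters, and all function and class names are assumptions made for the example.

```python
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta

# Limits taken from section 12.4 of the policy.
MIN_LENGTH = 10
MIN_AGE = timedelta(hours=24)     # no more than one change per 24 hours
MAX_AGE = timedelta(days=60)      # must be changed within 60 days
HISTORY_DEPTH = 12                # last 12 passwords may not be reused

# Assumptions for the example: a tiny constructed word list, a minimum word
# length so short words do not reject everything, and a PBKDF2 work factor.
SAMPLE_DICTIONARY = {"password", "welcome", "summer", "dragon", "monkey", "letmein"}
MIN_WORD_LEN = 4
PBKDF2_ITERATIONS = 100_000
# Common substitutions undone before the dictionary check (0->o, 1->i, ...).
LEET = str.maketrans("01345@$7", "oieasast")


def _hash(password: str, salt: bytes) -> bytes:
    """Salted slow hash, so the history never holds clear-text passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class PasswordRecord:
    """Per-account state: salted hashes (newest last) and last change time."""

    def __init__(self):
        self.history = []        # list of (salt, digest) tuples
        self.changed_at = None   # datetime of the last successful change


def complexity_violations(password: str) -> list:
    """Return the names of the composition rules the candidate breaks."""
    found = []
    if len(password) < MIN_LENGTH:
        found.append("length")
    if not re.search(r"[A-Z]", password):
        found.append("uppercase")
    if not re.search(r"[a-z]", password):
        found.append("lowercase")
    if not re.search(r"[0-9]", password):
        found.append("number")
    if not re.search(r"[^A-Za-z0-9\s]", password):
        found.append("symbol")
    lowered = password.lower()
    forms = (lowered, lowered.translate(LEET))
    if any(len(w) >= MIN_WORD_LEN and w in f for w in SAMPLE_DICTIONARY for f in forms):
        found.append("dictionary")
    return found


def change_password(record: PasswordRecord, new_password: str, now: datetime) -> list:
    """Apply every rule; commit the change only if no rule is violated."""
    found = complexity_violations(new_password)
    if record.changed_at is not None and now - record.changed_at < MIN_AGE:
        found.append("minimum age")
    for salt, digest in record.history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(_hash(new_password, salt), digest):
            found.append("history")
            break
    if not found:
        salt = os.urandom(16)
        record.history.append((salt, _hash(new_password, salt)))
        del record.history[:-HISTORY_DEPTH]   # keep only the last 12 entries
        record.changed_at = now
    return found


def is_expired(record: PasswordRecord, now: datetime) -> bool:
    """True when the password is older than the 60-day maximum."""
    return record.changed_at is None or now - record.changed_at > MAX_AGE


if __name__ == "__main__":
    rec = PasswordRecord()
    start = datetime(2017, 7, 23, 9, 0)
    print(change_password(rec, "P@ssw0rd!2017", start))   # substitution still caught
    print(change_password(rec, "Tr!ck7-Quvz#9", start))   # accepted
```

The substring dictionary check follows the policy's "any parts of their password" wording literally; with a full dictionary the minimum word length decides how strict that rule is in practice.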
12.5 Policy Compliance
All activity on the WWTC network is carefully monitored in real-time. All activities taking place on the WWTC network shall be business related and in accordance with this policy. Any user that is found in violation of this policy is subject to disciplinary action including, but not limited to, immediate termination and/or legal action.
Asset Security
While all of WWTC’s assets are important, there are some assets that pose more risk than others if in a vulnerable state. Assets such as the core routers and distribution switches are vital for day-to-day operations and for keeping the network operating consistently. Although each of these devices has redundancy in case it fails or becomes unavailable, there is no redundancy against an exploit. This is where security must be designed to protect these devices from certain attacks that could detrimentally affect the entire network (Kadam, 2012). These devices handle most, if not all, of the network traffic at the WWTC office and ensure constant communication links between local and remote users. These devices are vulnerable to Denial of Service (DoS) attacks, reconnaissance attacks, and access attacks. The design of the network architecture can help mitigate these vulnerabilities, as can device hardening and perimeter devices.
Other important assets are the servers running in the server farm and the end user devices. These servers provide network services to the local network as well as services across the WAN links to other sites. These devices can be vulnerable to malware such as worms, viruses, and Trojan horses as well as access attacks and DoS attacks. To mitigate these attacks, perimeter defense devices should be in place as well as host based firewalls and antivirus software.
Along with logical security for these network based devices and end user devices, physical security should also be implemented. All the logical security in the world is useless against an attack where an intruder has physical access to any one of these devices. To protect the network devices like the switches, routers, and the server farm, locked networking closets should be used. Keeping these devices locked up will protect not only from intruders, but also from the potential of an insider threat (Covington, 2015). These rooms should only be accessible to those that need it, such as the IT department. These rooms should also be protected by two-factor authentication as previously discussed. Employee RFID cards should be used along with a keypad PIN to grant access. This will prevent someone from gaining access to a secure room if they just found an ID on the ground. These ID cards will also have employee pictures on them for the reception area to confirm identity prior to entry to the WWTC internal offices.
Security Design
The security architecture for the WWTC New York office should protect from the four primary attack categories: Reconnaissance attacks, Access attacks, DoS attacks, and Malware. Redundancy, while providing high availability, also increases the attack surface because more devices are on the network. However, well designed security measures will mitigate the risk associated with adding more devices to increase redundancy and availability. To help prevent potentially malicious packets from stepping one foot inside the network, the firewalls and IDS should be at the very edge of the network. This instantly filters out traffic that does not meet the specific rules of the allowed traffic on the network. Some organizations use their routers to perform this function, but this is not best practice for an organization of this size, given the assets on the network. A firewall is much better equipped to filter traffic than a router. Firewalls are also much more customizable than a router in terms of security, rules, and port security. These specific devices can be configured to defend against DoS attacks as they would be a direct target. A successful DoS attack on a firewall or IDS can cause them to default into a mode that allows all traffic (Leach, 2013). This makes the devices useless, as they would now be acting as a hub with no security measures, with any type of traffic gaining access to the internal network.
Reconnaissance attacks allow attackers to map networks and discover vulnerabilities in the services they are running. Reconnaissance is more of a passive attack, but often precedes an actual attack such as the other three previously mentioned. If an attacker does not know the specific services running on the network, it would be quite difficult to launch an effective attack. Therefore, device hardening against reconnaissance should be a top priority. Attackers often perform reconnaissance through seemingly innocent ICMP traffic. ICMP is normally used for troubleshooting, but attackers use it to map networks and discover devices. Various Access Control Lists (ACL) can be implemented to prevent ICMP traffic on the network. Another way to prevent this type of attack is to close and lock down all ports on the firewalls that are not needed. By closing all unnecessary ports, attackers are not given an easy way into the network through a security device. This also protects services because ports are an immediate indicator of what services are running ("Reconnaissance Attack Detection and Analysis", n.d.). Reconnaissance is usually the first stage in an attack; therefore, reducing the ability for an attacker to enumerate the network and its users will substantially reduce the likelihood of a successful attack.
Access attacks are used by an attacker to gain unauthorized access to networks and exfiltrate valuable data. These attacks are usually focused on customer financial data, proprietary company data, or privilege escalation. This attack can be carried out through social engineering, password attacks, and poor authentication practices. To prevent social engineering, user training is crucial. This training will educate the users about what types of information they should and should not give out and what to look out for in order to recognize a social engineering attack. Password attacks and poor authentication can be mitigated by deploying robust authentication methods like two-factor authentication. The smart cards associated with a user-defined PIN will create a two-factor authentication system that drastically reduces the potential of access attacks. Additionally, with Active Directory, GPOs can be implemented to assign users specific permissions on the network that can essentially cage an attacker, preventing them from escalating privileges if they gained access to a user’s account. The attacker would then be limited by the permissions of the user they exploited. Each user on the WWTC network will only be given the least amount of privileges allowable for them to complete their daily duties ("Unauthorized Access Attack", 2013). Access attacks can cause organizations to lose valuable information that ends up costing them money, while simultaneously losing public trust.
Malware, such as worms, viruses, and Trojan horses, can cause serious harm to a network if introduced. Malware can be introduced in any number of ways, but the most common is by the users themselves. They often do not know that they are downloading malware until it is too late. To prevent malware, host-based anti-malware and antivirus software should be installed on each end user device and server. This software will consistently scan the hosts for any potentially harmful files on the device itself and will scan any files the user is attempting to download. This software along with user training can significantly help reduce the risk of malware being introduced into the network (Huculak, 2017). Additionally, normal users should not be able to download executable files from the Internet. The average user usually cannot tell the difference between malicious files and the real ones they are attempting to download. Administrators should be the only ones allowed to perform this function as they are trained on how to check hash values and recognize potentially harmful files. All software updates should also be pushed from a centralized update server after the update has been verified in a lab environment. New iterations of worms and viruses are introduced every day, so to mitigate this constant and ever-growing threat, the use of host-based antivirus software along with user training will help reduce the potential for this type of attack.
Security Architecture/Diagram
A modular and scalable network design combined with defense in depth methodology is the ideal security architecture basis for the WWTC New York office. This provides redundancy, scalability, and security in an integrated package that meets WWTC’s business goals and enables future growth. Figure 1 depicts a high level security design for the WWTC New York office that will help protect at the network level. This will halt attacks before they make it to the sensitive internal network that houses confidential data about both the company and its customers.
Each level of the network acts as a defense mechanism from the border firewalls to the end users and their computing devices. As previously discussed, the firewalls will help protect against DoS attacks, reconnaissance attacks, and others with the help of other network devices like the switches and routers (Cohen, 2014). The end user devices help protect from malware attacks and access attacks that can be used as an initial entry point for a larger network based attack. All of these network devices and the architecture around them work together to provide defense in depth for the network and WWTC as a whole.
Figure 1. WWTC High Level Network Security Infrastructure Design Diagram
Conclusion
Security should be designed as a holistic and constantly evolving entity for any organization. For the WWTC New York office, this is the initial iteration of a security architecture that will eventually expand and become more complex over time. Threats are always evolving, new attacks are introduced daily, and new device vulnerabilities are exploited every day. Therefore, network security must be designed to protect from the onslaught of these daily logical time bombs that are roaming the Internet looking for a victim. WWTC handles particularly sensitive financial information about itself and its customers. This data would be extremely valuable to an attacker who can sell it to a third party on the less savory side of the Internet. The combination of security policies, logical security, physical security, and defense in depth techniques helps harden the network as a whole, with increased security measures on the most valuable assets. Knowing what types of attacks a network is vulnerable to is key to developing an effective security plan and allows for a finely tuned security architecture. Overall, this security design will provide WWTC with a secure way of doing business while not affecting its business goals of expansion, and will increase public confidence.
References:
Oppenheimer, P. (2010). Developing Network Security Strategies > Network Security Design. Ciscopress.com. Retrieved 17 July 2017, from http://www.ciscopress.com/articles/article.asp?p=1626588
Kadam, A. (2012). Identifying and classifying assets - Secured View - Asset Classification and Control - Network Magazine India. Networkmagazineindia.com. Retrieved 18 July 2017, from http://www.networkmagazineindia.com/200212/security2.shtml
Covington, R. (2015). Physical security: The overlooked domain. Computerworld. Retrieved 18 July 2017, from http://www.computerworld.com/article/2939322/security0/physical-security-the-overlooked-domain.html
Leach, S. (2013). Four ways to defend against DDoS attacks. Network World. Retrieved 20 July 2017, from http://www.networkworld.com/article/2170051/security/tech-primers-four-ways-to-defend-against-ddos-attacks.html
Reconnaissance Attack Detection and Analysis. (n.d.). Attivo Networks. Retrieved 20 July 2017, from https://attivonetworks.com/solutions/recon-exploit/
Unauthorized Access Attack. (2013). Itsecurity.telelink.com. Retrieved 20 July 2017, from http://itsecurity.telelink.com/unauthorized-access-attack/
Huculak, M. (2017). 7 tips to keep your Windows PC protected against malware. Windows Central. Retrieved 20 July 2017, from https://www.windowscentral.com/how-to-keep-your-windows-pc-protected-against-malware
Cohen, G. (2014). Best practices for network security management. Network World. Retrieved 21 July 2017, from http://www.networkworld.com/article/2173927/tech-primers/best-practices-for-network-security-management.html