Case study


SEC450 GROUP CASE STUDY

Compromised Credit Card Information

DeVry University

SEC450

April 7, 2021

Professor Cheryl Garvin

Brigida Gentile

The key to securing a network of any size is to understand where the biggest threats are and how to address the weaknesses. To protect an organization against vulnerabilities, such as malware and computer viruses, there must be an information security policy in place to keep the data infrastructure safe from cyber-attacks. This policy will force the organization to think through and address all the ways it handles data and how to keep that data safe. In addition, it will include best practices that employees are expected to follow, including procedures for keeping employee, vendor, and customer information safe. Unlike processes and procedures, policies do not include instructions on how to mitigate risks. Instead, they acknowledge which risks the organization intends to address and broadly explain the method that will be used.

The first step in developing a security policy is to identify the risk factors that an organization may encounter. This is called a risk profile and is an extremely important part of the security policy. Assessing risk factors will help determine issues such as outdated software, which can put you at risk of dangerous malware. Once potential risks are identified, they can be addressed. In addition to risk factors associated with software, network risks must be addressed. In addition to antivirus installation and firewalls, appropriate technology solutions, company policies and an IRP (Incident Response Plan) will be utilized. The risk assessment will state how often potential threats will be reassessed for IT security and how often the security program will be updated. The type of risk assessment that needs to be performed will identify data that may be defined as outside of compliance. Once those compliance risks have been identified, they can be remediated quickly.

All personnel within the corporation will be trained according to the security policies set in place. A training plan is needed to provide employees with advice on policies, password setup, verification processes, and a variety of other topics. Employees will be trained in an ongoing fashion by integrating education opportunities in all facets of the workplace. Employees can learn the importance of strong passwords through demonstrations of how easily weak passwords can be cracked.

Hardware and software on desktop and laptop computers, tablets, and mobile devices will be updated regularly for data security. Spam filters will be set in place to catch phishing emails and other junk mail before they can pose a threat to the network. Operating system updates will be set to automatically download and install key cyber security fixes as soon as they are available to protect from cyber threats. Software patches will be installed to cover security holes and fix or remove computer bugs.

Mark Marroquin

Access to the organization’s computers and accounts will be limited for unauthorized personnel. Trusted employees will not be allowed to access computers and information that they are normally unauthorized to use. Individual logins for employees, and a policy ensuring that they do not share their logins with others, will be implemented. The number of people that have access to sensitive data will be limited to avoid the risk of data breaches. An access control system will be installed to effectively limit access to certain areas of the building, and personalized key cards will be issued to unlock certain doors. In addition, potential harms will be minimized by shredding and recycling all documents, such as invoices, that may contain sensitive information.

VPN (Virtual Private Network) privilege will be controlled using ID and password authentication to ensure unauthorized users are not allowed access to the network. Only traffic destined for this organization will travel across the VPN tunnel; all other traffic will go through the user’s ISP (Internet Service Provider). VPN services will be terminated immediately if any suspicious activity is found and may also be disabled until the issue has been identified and resolved. The Wi-Fi network will be secured, all rogue access will be blocked, and BYOD will be standardized with proper security protocols. All traffic will be monitored with the suggested ESET Endpoint Security network monitoring software to identify potential hackers, and encryption algorithms will be utilized for all storage and transmission of sensitive data on the server. All data will be backed up on a regular basis in case of any data breaches, and this backup will be tested by restoring the system to ensure the process works.

Finally, this security policy will be a living, breathing document that will evolve as the company changes or new technologies are implemented. It will be reevaluated and updated annually using policy management software to analyze its effectiveness and stay ahead of potential threats. Changes may be prompted by new global laws (such as the General Data Protection Regulation), state changes in cybersecurity regulations, a data breach at the company, new management, the adoption of new technologies, or new types of threats. This security policy will be audit-ready and based on industry-recognized best practices.

In summary, the security analysis of the customer’s network has been concluded with recommendations for an IT Security Policy. Antivirus installation and firewalls, appropriate technology solutions, company policies and an IRP (Incident Response Plan) should be implemented. A training plan is needed to provide employees with advice on policies, and hardware and software should be updated regularly for data security. VPN (Virtual Private Network) privilege should be controlled, and security policies will be reevaluated annually to stay ahead of potential threats.

Patrick B.
