IT Assessment


Running head: BAYTECH AUDIT PROPOSAL


Baytech Audit IT Security Proposal

Central Washington University

Table of Contents

Audit Proposal
Comptech
Comptech Business Activity
Webserver
Database
Private network
Cloud computing
Disaster Preparedness plan
References

Audit Proposal

The aim of this audit is to capture areas that may present shortcomings and to propose possible solutions. Since the Comptech company is a service provider, challenges are inevitable, as they are for all institutions that deal with computing architecture. By identifying and addressing these challenges, Comptech can provide better computing experiences to its clients and maintain its status as one of the most prolific service provider companies on a national scale.

The areas with vulnerabilities have been identified with regard to the services Comptech provides. Comptech provides a disaster management and recovery plan for its clients, and there is a need to ensure that this plan is rigid enough to satisfy the needs of the clients. It is a web-hosting company and hence needs to ensure the availability of the products and services provided within the web-hosting domain. Comptech needs to secure its database to maintain the confidentiality and integrity of all the data hosted within its databases. As a provider of reliable internet connection and cloud computing services, Comptech needs to ensure that all the architecture dedicated to these functions is reliable and efficient at all times, which leads to the need to identify and mitigate all vulnerabilities within these domains.

Comptech

The Comptech company is a corporate society that deals exclusively with the provision of support services and computing solutions where its services are needed. It is a company that boasts a comprehensive set of systems that offer interoperability, availability, and reliability. It is located in a safe zone where the probability of the occurrence of natural disasters is minimal. For this reason, it is considered by the major companies which seek its services to be a dominant secondary site when compared to others that provide similar packages. Its name was derived from the range of computer technology operations it is committed to performing. This name defines the brand that identifies all services that spring from it.

Comptech Business Activity

Comptech deals entirely in providing support services. These include data storage and warehousing, internet connection and network management, system maintenance and installation, as well as the provision of security in all these domains. Its clients are corporate societies and organizations, institutions such as colleges and hospitals, and individual homes where telecommuting is done. The company has evolved from a domestic society to an institution that operates on a national capacity. Its database and database management system solution allows for quick access to data and ensures the overall data security solution is impenetrable. Comptech has within its workforce skilled personnel who are tasked with providing customized installations, fixing glitches on these systems and maintaining the resilience required for synchronization with Comptech’s computing infrastructure.

Baytech Audit IT Security Audit Proposed Option

The following are the areas that will be covered in this audit proposal by Baytech. The Baytech audit will include the webserver, database, private network, cloud computing, and disaster preparedness plan.

Webserver

Since Baytech is tasked with providing the web hosting service, it should provide complete and extensive documentation of the terms of use to be strictly adhered to by its clients. These terms of use include the affiliate terms, the acceptable use policy, the privacy policy and other controls that guide the use of its architecture to support the client. This would prevent the misuse of Baytech’s architecture by the clients, so that the client’s computing culture does not introduce instances that could lead to lawsuits. The affiliate terms define the type of support services that the clients acquire from the Baytech company. The acceptable use policy developed by Baytech defines the period within which the relationship between Baytech and its clients stands, how Baytech’s resources are used and the boundaries within which Baytech’s resources are used. This policy defines the constraints on the use of Baytech’s resources to which the clients are to adhere. The privacy policy documents the initiatives that Baytech has put into play to ensure that data privacy is realized. The privacy policy extends to what the client needs to do to prevent the disclosure of private information and to what extent Comptech involves itself with identifying data breaches.

Comptech needs to identify the scope of its hosting packages. The aspects may include the number of domains it supports for each client, the storage capacity it can provide for an individual client or even the number of websites that Comptech can efficiently support for an individual client. These limits establish a balance between the needs of an individual client and the capacity to which Comptech can adequately provide the range of services requested by the client. In a way, this balance states the level of efficiency that Comptech can provide with reference to the level of its performance.

Comptech needs to maintain an active relationship with its clients in a way that it keeps them involved in any changes that it has established. Comptech, therefore, needs to maintain an updated inventory of all the services it provides and its overall computing capacity. By doing this, the clients would select the combination of services that suit their specific needs. It establishes an order of services from which the client can select based on his own choice and preference. Keeping the clients informed has the advantage of reducing costs based on whatever computing resources he requires by establishing a perfect match (Tuttas, 2015). If he selects an option that would stress his architecture, this would lead to a decrease in the efficiency of operations while in the case that he selects an option that would overshadow his computing capacity, he risks incurring unnecessary cost. The client would have to pay extra for services that he does not require. Any upgrades that Comptech provides should be communicated to the clients soon enough so that they take advantage of the improvement in performance since changes are inevitable. The client selects the type of backup service which best suits him, the type of network configuration that is most appealing to his computing capacity, the web hosting service and the data storage package that would best match his budget.

Comptech should implement a virtual private server to accommodate different clients. The virtual machines ensure that many virtual servers used in web hosting are all hosted within one physical server. All the primary components of the physical server, such as the version of an operating system, disk space and memory, are shared between virtual machines. By providing the virtual private server to its clients, Comptech ensures the flexibility of its web hosting service. In this case, since multiple clients share one architecture, Comptech needs to ensure that the clients strictly obey the rules of computing to prevent the blacklisting of the server’s IP. This would otherwise ruin the experience of other clients sharing resources from this server. When the virtual private server’s IP is blacklisted, resources from this server will be bounced back after being blocked by other servers, making the resource unavailable.

Access to the webserver should be restricted so that only authorized technicians can reach it. SSH or an equivalent can be used for accessing the server, and password-protected RSA keys can be implemented to ensure the security of the web hosting resource (Mathur et al., 2017). Comptech needs to identify or provide a list of IP addresses to be used for maintenance. This would ensure that the authorized personnel have the flexibility they need when they have to make changes or modify resources hosted on Comptech’s servers without traversing long authentication mechanisms. Any logins that would originate from the user root are to be disabled to prevent the exploitation of this access point, and permission that is equivalent to this restriction is to be provided to the authorized system administrator. This would reduce the vulnerabilities posed by unauthorized access.
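The rules in this paragraph map onto a handful of `sshd_config` keywords. The following is an added example, not part of the original proposal, that audits a configuration for them; the two sample configurations, the account names and the maintenance address ranges are constructed for illustration.

```python
"""Added example: audit an sshd_config against the access rules above."""
import ipaddress

# The paragraph's rules as sshd_config keywords and the values they require.
REQUIRED = {
    "permitrootlogin": "no",          # logins as root disabled
    "passwordauthentication": "no",   # key-based logins only
    "pubkeyauthentication": "yes",
}
# Upstream OpenSSH defaults, applied when a keyword is absent.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}

# Constructed sample configurations (not taken from any real server).
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
AllowUsers deploy
"""
HARDENED_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers sysadmin@192.0.2.10 sysadmin@198.51.100.0/28
"""
MAINTENANCE_CIDRS = ["192.0.2.0/24", "198.51.100.0/28"]  # assumed allowlist


def parse_global(config_text):
    """Return (settings, allow_users, has_match) for the global section."""
    settings, allow_users, has_match = {}, [], False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()
        key, args = parts[0].lower(), parts[1:]
        if key == "match":          # conditional blocks are not evaluated here
            has_match = True
            break
        if key == "allowusers":
            allow_users.extend(args)
        elif args:
            # sshd uses the first value it reads for a keyword, so a later
            # "PermitRootLogin no" does not undo an earlier "yes".
            settings.setdefault(key, args[0])
    return settings, allow_users, has_match


def host_in_allowlist(host, nets):
    """True if host (an IP or CIDR) lies wholly inside an allowlisted network."""
    try:
        candidate = ipaddress.ip_network(host, strict=False)
    except ValueError:
        return False  # hostname or wildcard pattern: cannot be shown in range
    return any(candidate.version == n.version and candidate.subnet_of(n)
               for n in nets)


def audit(config_text, maintenance_cidrs):
    """Return a list of findings; an empty list means the rules are met."""
    nets = [ipaddress.ip_network(c) for c in maintenance_cidrs]
    settings, allow_users, has_match = parse_global(config_text)
    findings = []
    for key, wanted in REQUIRED.items():
        actual = settings.get(key, DEFAULTS[key]).lower()
        if actual != wanted:
            source = "set" if key in settings else "default"
            findings.append(f"{key}: {actual} ({source}), expected {wanted}")
    if not allow_users:
        findings.append("allowusers: not set, logins are not tied to "
                        "maintenance addresses")
    for entry in allow_users:
        _user, sep, host = entry.partition("@")
        if not sep:
            findings.append(f"allowusers: {entry} has no source-address restriction")
        elif not host_in_allowlist(host, nets):
            findings.append(f"allowusers: {entry} is outside the maintenance allowlist")
    if has_match:
        findings.append("match: conditional blocks present, review them by hand")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(text, MAINTENANCE_CIDRS))
```

The passphrase on a technician's private key lives on the client, so it cannot be verified from the server configuration and has to be checked separately.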

Since distributed denial-of-service (DDoS) attacks are common in web hosting environments, Comptech needs to implement the necessary mitigation tools. These tools may include honeypots or intrusion prevention systems. The honeypots would divert the interests of attackers, which would aid the technicians in analyzing the source and scope of an attack, whereas the intrusion prevention systems would intercept attacks before they happen by using signatures that study the patterns of the DDoS attacks. These tools are to remain online throughout the period when the webserver is active.

The Comptech company provides customer support within its services. Web hosting is incomplete when it exists without customer support as some of the users of the systems meet computing challenges more often. The support team to be tasked with providing customer support services should be composed of employees with enviable communication skills and who are oriented on providing the clients with the best experience. The employees selected to be part of the support team should be appointed by the human resource department of the Comptech company and there should be no form of external influence posed by entities outside this department to guarantee that the best skill is selected for this task. The selection criteria involve identifying employees who have good computing and communication skills.

All activity logs are to be stored within the web server in an encrypted format, or they are to be stored on a machine within the intranet. This helps in monitoring user activity so that malicious activity is easily identified. The activity logs are to be stored for periods defined by the Comptech company’s record retention plan as electronic data, and separate copies are to be printed and stored in print format in secure storage locations. This would help establish the history of an attack and is viable evidence to be used in a court of law.

Database

The building of the database is to be guided by the viewpoint of different stakeholders. The client needs to establish a consensus with various entities such as the operations manager appointed by an individual client and the data management officer appointed by the Comptech company. This consensus will extensively analyze the various aspects to be considered and the various expectations are captured so that the use of the database by employees will not be too hard to master. Work units are to appoint representatives to voice their expectations when operating on a database so that the final outcome will be a database that encapsulates all the expectations of those who use it.

The complexity of the database selected is to be set according to the chosen type of database. The standard database type used for structured data on most occasions is the SQL database. NoSQL databases are also on offer, but they are least appealing as they are less compatible when compared to SQL databases. They would also need extensive training since NoSQL databases are more difficult to operate.

When operating on databases, normalization is essential to reduce data redundancy (Ribeiro, Pinto & Vale, 2016). Normalization also reduces the space occupied by multiple versions of the same data. The result of normalization is data integrity where possible inconsistencies introduced by incompatible data formats are mitigated. The normalization of data is a standard to be enforced on the clients as part of the professional practices that employees are to involve themselves with. The normalization process is a guided process where employees first must receive adequate training in data handling practices. Normalization is to be provided as one of these practices and an actual database is to be used for elaboration to make the training process more vivid.

The database is built in a way that it can be used by future users and not those who are involved in its creation. There is, therefore, the need for transparency of the structure of a database in a way that shortcuts and abbreviations are avoided, and standard naming conventions are put in place. This is all in a bid to make the database operable and easily understood by future users. The database creation process should be guided on the incentive that modifications of the database in future instances are inevitable.

It is a standard procedure to document everything that comprises the database which may include its design, schema and entity relationships. This would provide insight to future users of the same database on how it is structured. The documentation process highlights the strengths and shortcomings of the database so that future instances that require its modification are first oriented towards providing solutions for the already identified shortcomings. The database is a shared resource and as such, documenting everything helps other users to operate on the data as if they were involved in the creation process. The overall result is that there is the sharing of the database among multiple users while perceiving it as a limited resource.

Privacy is a requirement where the Comptech databases are involved in storage operations. Passwords should always exist in encrypted formats, and data to be relayed to the database must be subjected to end-to-end encryption. The criteria for selecting a password should be defined by the database administrator so that a user password is difficult to guess, and an individual password should have a limited lifespan so that the user is required to provide a new password after the set period of time has elapsed. Encryption is a data security framework that ensures the data remains secure even in the case where it is intercepted as it traverses from the client’s computing framework to the Comptech databases.
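A sketch of the three password rules in this paragraph (selection criteria, protected storage, limited lifespan), added here as an example and not part of the original proposal. It stores a salted PBKDF2 hash rather than a reversibly encrypted password, which is the usual way to keep stored passwords unreadable; the length, character-class and 90-day values are assumptions, not figures from the proposal.

```python
"""Added example: password criteria, protected storage and expiry."""
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

MIN_LENGTH = 14                  # assumed policy value
MAX_AGE = timedelta(days=90)     # assumed password lifespan
ITERATIONS = 600_000             # PBKDF2-HMAC-SHA256 work factor


def policy_violations(password, username):
    """Return the reasons a candidate password fails the selection criteria."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    if sum(classes) < 3:
        problems.append("fewer than three character classes")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def _derive(password, salt, iterations):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def create_record(username, password, now):
    """Build the row to store: salt, work factor, hash and set time only."""
    problems = policy_violations(password, username)
    if problems:
        raise ValueError("; ".join(problems))
    salt = os.urandom(16)        # unique per password
    return {
        "user": username,
        "salt": salt,
        "iterations": ITERATIONS,
        "hash": _derive(password, salt, ITERATIONS),
        "set_at": now,
    }


def check_login(record, password, now):
    """Return 'denied', 'expired' (correct but past its lifespan) or 'ok'."""
    candidate = _derive(password, record["salt"], record["iterations"])
    if not hmac.compare_digest(candidate, record["hash"]):  # constant-time compare
        return "denied"
    if now - record["set_at"] > MAX_AGE:
        return "expired"
    return "ok"


if __name__ == "__main__":
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed dates
    row = create_record("dba_ops", "Harbor-Lantern-42-Quartz", start)
    print(check_login(row, "Harbor-Lantern-42-Quartz", start + timedelta(days=30)))
    print(check_login(row, "Harbor-Lantern-42-Quartz", start + timedelta(days=91)))
```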

Optimization is a practice done to ensure speedy computations that involve the database. For regularly used queries, indexes are created. This ensures that access to resources provided by the database is instantaneous. The database analyzer is employed in the process of determining whether an index is necessary, or a clustered index is more appealing.

It is common practice to keep the database independent on its own server. This is all in a bid to lower the CPU usage. It avoids subjecting computing resources to the strain incurred when there are multiple requests for the provision of the same resource. Placing the database on its own server also ensures that there is better management of the database in a way that it is kept away from prying minds. Most successful attacks that are enacted on servers that host the database among other resources leave the entire server at the mercy of malicious people. It is therefore advisable to place the database separately on one of Comptech's servers so that proper protection mechanisms can be provided.

Private network

Network segmentation is the first step towards ensuring that a private network is well managed (Creaco, Franchini & Todini, 2016). The network is segmented based on the institution within which it spans. The Comptech company will have its own network with appropriate segments, while each client will have his network and network segments defined by the Comptech company as its provider for reliable internet connections. The segmentation process is guided by the number of work units that exist within an individual organization or institution, and the boundaries for the subnets are set based on the logical configurations for computing devices that belong to specific premises such as departments and offices. The segmentation process is aided by network devices such as gateways and switches. By segmenting networks, a threat that reaches the Comptech company through a client, or a threat that directly targets the Comptech company, is scaled down and its impact is significantly reduced, since an attack must acquire a specific target or identify a specific subnet within which penetration testing is done. It is better to sacrifice a specific subnet than to expose an entire network to a malicious attack. This holds because an attacker is left with the choice of either enacting penetration testing on each subnet as an independent network, which is tedious, or selecting one subnet for the attack. The segmentation of the network provides the functionality of data classification and protection, where data that originates from a specific subnet is treated separately and assigned different classification rules from those of other subnets for better monitoring. Segmentation can be achieved through virtualization, which makes the segmentation process easier to accomplish than in the case of the segmentation of actual systems.

It is a standard to correctly place the network security devices. The network security devices need proper placement to ensure that they provide a reliable secure framework. An example of a network security device is the typical firewall, which is normally placed at the junction of two networks to provide packet filtering functionalities for each network segment. The logical network topology is designed to identify where network security devices are to be placed. It acts as a guideline that depicts areas that need network security devices. The selection of appropriate versions of network security devices is dependent on the type of service that is provided and on the secondary characteristics of the selected version of a device that make the network resilient and impenetrable. These characteristics are usually documented on the manufacturer's website and provide different features to ensure that compatibility is established with other existing architecture. The manufacturer also provides descriptions of which devices are improvements or upgrades of previous devices.

Network address translation is a standard that helps in identifying the devices on a network which is essential especially since multiple devices are to be included in the network within the various subnets. In the case that IPv4 is used for addressing, network address translation is necessary to compensate for the deficiency in addressing which is incurred by this type of addressing. Routable addresses are established for the private addresses configured on individual devices.

Personal firewalls are not to be disabled. These are the type of firewalls installed on individual machines within the network. Even though personal firewalls may seem inappropriate, on the view that they do little to avoid infections by malicious code, they are still important in providing a secure computing environment. To ensure that the personal firewalls find some value, instead of disabling them, they are included in the overall network security plan. This is done by configuring them to match the network security needs which they are meant to fulfill.

The security of the private network can be guaranteed by implementing honeypots and honeynets. While a honeynet is a simulated network segment that is fake but appears real to the attacker, a honeypot is the simulation of a system that looks so real to the attacker that he is tempted to enact penetration testing on it. The honeynet ensures that the private network remains secure while the honeypot ensures that the primary system is not tampered with as an intruder focuses his attention on the fake system that is more appealing to him. Both the honeypot and honeynet can be implemented as added security to shield the entire architecture and system components of both the Comptech company and that of its clients. The honeynet is viewed as an extension of the honeypot in the sense that it works almost similar to the honeypot but on the network level (Sochor & Zuzcak, 2015).

Insider attacks are those threats that spring from employees that are based either on Comptech’s premises or on the client side. Strategies that include the detection and prevention of insider attacks are the standards put in place to mitigate this challenge. An example of a preventive measure is access control and access management, which defines the principle of least privilege. Each user is assigned the least privileges that enable him to effectively perform his role within the work environment. The principle of least privilege limits what an intruder can do in the system in the case that password mechanisms are compromised. While the prevention measure includes access control, the detection measure includes monitoring both users and systems to detect anomalies or behavior that may be indicators of an attack. For both the preventive and detection strategies, it is essential to train end users on conventions to employ to mitigate security threats. This would limit the number of vulnerabilities to which end users subject the systems due to a lack of prior knowledge of the different security threats they face.

Virtual private networks are to be used in creating secure connections across a public network. Since there are separate private networks that span Comptech’s premises and the premises of the clients, to ensure that a secure channel is set for the transmission of resources between these two networks and across a public network, it is essential to install a virtual private network in between. This would realize the effect that the possibility of the interception of transmitted resources across the tunnel is minimized (Rao & Kavitha, 2015).

Cloud computing

The Comptech company needs to be transparent about how secure the data of its clients is in order to gain their trust. The company must present a detailed account of how the data obtained from its clients is handled, or even whether a third party is entrusted with this data, and it should describe its level of compliance with set international security standards. This can be done by presenting an information governance model that documents Comptech’s security standards, which it strictly adheres to in a bid to ensure the security of data obtained as defined in its role as a cloud computing service provider.

The clients need to establish what relevant data is to be submitted to Comptech. This is done independently without establishing a consensus with Comptech as the cloud service provider since the data at hand is defined as business data and it belongs to the clients. Comptech only provides the cloud service and is in no way the owner of the data. The establishment of what data can be moved to the cloud is done when the client conducts an internal review with other stakeholders within his organization to both identify and confirm the data that can be moved to the cloud.

Since Comptech is the provider of the cloud service, it is a standard that it should employ some form of backup and recovery. Comptech can establish a secondary computing site where copies of original data are stored offsite. Backup and recovery are an essential provision for the efficiency of cloud computing applications (Joseph & Anto, 2019). The Comptech company needs to ensure that all the data it obtains from its clients is made available even when it experiences challenges, and as such, backup and recovery are critical.

One of the standards that govern cloud computing is the enforced data privacy requirements. These requirements are stated by the government in the form of laws that require cloud service providers such as Comptech to maintain data within the national boundaries for the purpose of inspection whenever the government sees it fit to inspect the cloud service provider's data center. This is a legal requirement that overlooks the fact that the cloud service providers host the corporate data for their clients. It’s therefore upon Comptech and other cloud service providers to ensure that these requirements are upheld.

Disaster Preparedness Plan

The Comptech company provides a resilient security architecture for all traffic that gets to its data center from the infrastructure of its clients. The traffic first traverses an authentication server that identifies the machine which requests the transmission of traffic to the data center. This ensures that only authenticated users can access Comptech’s hosted resources. After traversing the authentication server, traffic progresses to the intrusion prevention system and the company’s firewall. The intrusion prevention system keeps off malicious content while the firewall is tasked with packet filtering. Comptech implements virtualization to enable roll-backs to an initial state by the system administrators operating on behalf of the client. This enables the clients to undo errors that affect the correctness of data hosted in Comptech’s servers. The virtual machines simulate real instances to reduce errors that spring from virtualization functions (Celesti et al., 2016).

The company should enforce strict policies to govern employee behavior on what needs to be done in the case of a potential threat to data resources. There is a tendency to undervalue the need for subjecting traffic to security software such as antivirus software, which leads to the infiltration of malicious content. On the client’s side, the Comptech company should require the provision of a policy which should address penalties to be incurred by an individual employee when his or her unaccountability and incompetence lead to the infection of resources by malicious code. This would be identified by implementing system logs to point out the source of a breach.

A select taskforce should be put in place to lead the disaster management initiative. This team should comprise the entities that have high influence levels over specific computing terminals on both an individual client's side and Comptech's side. Their coordination will be realized by appointing a team leader to act in favor of both sides. This task force is to follow the safety procedures when handling critical resources in the case of a disaster and is to ensure the success of the disaster recovery initiative is realized. On the terminals from which the members of the taskforce were picked out, they are to be tasked with providing training to their fellow employees on how the disaster management and recovery process is realized. This would, in turn, help the clients incur less cost in the result of the unavailability of resources due to the occurrence of a disaster, either natural or influenced by human activity, by speeding up the disaster recovery process.

There should be the partitioning of work units based on the processes enacted to effectively identify an individual unit that is affected by a disaster and take necessary initiatives to correct the situation (Shih et al., 2016). This splitting of work units helps in reducing the impact of a disaster in a way that one unit affected does not impact an entire organization. This is to be implemented on the client’s side. The partitions help to curb the adverse effects of the exposure of an entire organization’s architecture to disaster elements in the case of a consolidated framework. When the organization’s architecture is partitioned in independent units, each working unit can effectively monitor its resources for disasters and make appropriate configurations to avoid sharing the impacts that disasters pose on affected units.

The disaster management and recovery process should involve all employees represented within the taskforce. The standard that there should be complete adherence to the disaster management or recovery process is to be put in play. A period is to be set where all the organizational architecture of the work units within the client’s premises are to be subjected to the latter. This would ensure that a reboot of the system after an anticipated successful disaster recovery and management process remains in that state and that there were no omissions for system components. The eventuality of this coordination between workers spares the client the need to reconstruct the disaster management and recovery process where it is not effective.

In the disaster management and recovery process, the clients need to identify which components are to be affected by the process. Identifying these components helps the system administrators to develop customized configurations and layouts that define a robust computing architecture without compromising the relationship that an individual component has with respect to others within a system. The configurations are to be implemented based on employee computing practices so as not to interfere with the efficiency of computing operations.

Production changes that highly influence the computing operations of the client’s resources are to be captured within the disaster management and recovery plan. This would ensure that the plan remains updated to support an individual client facing a disaster by providing relevant guidelines on functionalities that would either mitigate or help reduce the impact of a disaster when its inception is due. The plan needs to accurately project areas of interest that would be affected by a disaster and how the client needs to react to spare him from further cost.

REFERENCES

Celesti, A., Mulfari, D., Fazio, M., Villari, M., & Puliafito, A. (2016, May). Exploring container virtualization in IoT clouds. In 2016 IEEE International Conference on Smart Computing (SMARTCOMP) (pp. 1-6). IEEE.

Creaco, E., Franchini, M., & Todini, E. (2016). The combined use of resilience and loop diameter uniformity as a good indirect measure of network reliability. Urban Water Journal, 13(2), 167-181.

Joseph, S., & Anto, S. E. (2019). Survey on Cloud Backup and Recovery Techniques. Journal of Computer Technology & Applications, 7(2), 26-35.

Mathur, S., Gupta, D., Goar, V., & Kuri, M. (2017, February). Analysis and design of enhanced RSA algorithm to improve the security. In 2017 3rd International Conference on Computational Intelligence & Communication Technology (CICT) (pp. 1-5). IEEE.

Rao, B. B., & Kavitha, S. (2015). Connect Users to Private Networks Securely over Public Networks using Virtual Private Networks. International Journal of Advanced Research in Computer Science, 6(3).

Ribeiro, C., Pinto, T., & Vale, Z. (2016, June). Customized Normalization Method to enhance the Clustering process of Consumption Profiles. In International Symposium on Ambient Intelligence (pp. 67-76). Springer, Cham.

Shih, C. S., Hsiu, P. C., Chang, Y. H., & Kuo, T. W. (2016, November). Framework designs to enhance reliable and timely services of disaster management systems. In Proceedings of the 35th International Conference on Computer-Aided Design (p. 107). ACM.

Sochor, T., & Zuzcak, M. (2015, June). Attractiveness study of honeypots and honeynets in internet threat detection. In International Conference on Computer Networks (pp. 69-81). Springer, Cham.

Tuttas, C. A. (2015). Lessons learned using web conference technology for online focus group interviews. Qualitative Health Research, 25(1), 122-133.