
Running head: THE COST OF INADEQUATE CONTROLS


Assignment 2

The Cost Of Inadequate Controls

i) The annual loss of revenue

Investing in data security is an important function of LOTR Experience. The company needs adequate controls in terms of both IT personnel and IT equipment. This will save the company from incurring losses in the several areas the business cares about: if data is stolen, whatever the extent of the exposure, the whole company loses money, and potentially the business itself (Meyer, 2017). A recent study by Cisco, a highly reputable company that has invested heavily in information and data security, reveals that thousands of companies are losing billions in revenue, as shown below.

image1.jpg

Image sourced from: https://www.securitymagazine.com/articles/87778-measuring-the-impact-of-cyberattacks-lost-revenue-reputation-customers

It was also established that the majority of the companies that lost revenue had cut their budget expenditure on data security, as indicated below:

image2.jpg

Image sourced from: https://www.securitymagazine.com/articles/87778-measuring-the-impact-of-cyberattacks-lost-revenue-reputation-customers

Looking at the above table, the same scenario is likely to happen in the company if budget cuts are implemented. Worse still is how the company will be affected in the event of a data breach. The same study revealed how badly the majority of the victim companies were affected, as indicated below.

image3.jpg

Image sourced from: https://www.securitymagazine.com/articles/87778-measuring-the-impact-of-cyberattacks-lost-revenue-reputation-customers

It is therefore risky not to implement the recommendations I stated earlier. I have reviewed the LOTR Network Design artifacts, and the critical areas of concern related to access control are as follows:

a) Secure configuration

There are no corporate policies for updating and patching systems. Policies need to be established and maintained that set out the priorities and the timescales within which updates and patches are to be applied. Hardware and software inventories also need to be created and kept current; automated tools should be used to build and maintain the inventories of all devices and applications the company uses (Antón & United States, 2003). Operating systems and software need to be locked down by means of a baseline security build that covers workstations, servers, firewalls and routers. I also found that no regular vulnerability scans are carried out. The company needs to acquire vulnerability scanning tools that run automatically on a weekly basis, so that any vulnerability identified can be remediated promptly.
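As an added example (not part of the original paper and not a tool LOTR Experience uses), the following script shows how the two policy points above become a mechanical check: an inventory export is compared against a patch-timescale policy and against a baseline build, and every host outside policy is listed. The hostnames, settings, patch identifiers, dates and the SLA values are constructed for illustration; the company would substitute its own policy and the export from its inventory tool.

```python
"""Added example: check an inventory against patch timescales and a baseline build.
All hosts, settings, patch ids, dates and SLA values below are constructed."""
from datetime import date

# Policy: maximum days a pending patch of a given severity may remain unapplied
# after its release. Hypothetical values; the company sets its own.
PATCH_SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}

# Baseline security build: settings every host of a given class must carry.
BASELINE = {
    "workstation": {"disk_encryption": True, "local_admin_disabled": True, "firewall": True},
    "server": {"firewall": True, "remote_root_login": False, "auto_updates": True},
}

# Constructed inventory, in the shape an automated inventory tool might export.
INVENTORY = [
    {"host": "ws-01", "class": "workstation",
     "settings": {"disk_encryption": True, "local_admin_disabled": False, "firewall": True},
     "pending_patches": [{"id": "KB-1001", "severity": "critical", "released": date(2017, 5, 1)}]},
    {"host": "srv-db-01", "class": "server",
     "settings": {"firewall": True, "remote_root_login": True, "auto_updates": True},
     "pending_patches": [{"id": "PKG-22", "severity": "medium", "released": date(2017, 5, 20)}]},
    {"host": "srv-web-01", "class": "server",
     "settings": {"firewall": True, "remote_root_login": False, "auto_updates": True},
     "pending_patches": []},
]

# Date the report is run for (fixed so the example is reproducible).
REPORT_DATE = date(2017, 6, 1)


def overdue_patches(inventory, today=REPORT_DATE, sla=PATCH_SLA_DAYS):
    """Return (host, patch id, severity, days past SLA) for every pending patch
    whose age exceeds the policy timescale for its severity."""
    overdue = []
    for host in inventory:
        for patch in host["pending_patches"]:
            age = (today - patch["released"]).days
            limit = sla[patch["severity"]]
            if age > limit:
                overdue.append((host["host"], patch["id"], patch["severity"], age - limit))
    return overdue


def baseline_drift(inventory, baseline=BASELINE):
    """Return (host, setting, expected, actual) for every setting that deviates
    from the baseline build for the host's class. A missing setting is drift too."""
    drift = []
    for host in inventory:
        expected = baseline.get(host["class"], {})
        for setting, want in expected.items():
            got = host["settings"].get(setting)
            if got != want:
                drift.append((host["host"], setting, want, got))
    return drift


if __name__ == "__main__":
    for row in overdue_patches(INVENTORY):
        print("OVERDUE host=%s patch=%s severity=%s days_past_sla=%d" % row)
    for row in baseline_drift(INVENTORY):
        print("DRIFT   host=%s setting=%s expected=%s actual=%s" % row)
```

Run against the constructed data, the report flags the workstation whose critical patch is 24 days past the 7-day timescale, the local administrator account still enabled on that workstation, and remote root login enabled on the database server; the medium-severity patch on the database server is still within its 30-day window and is not reported.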

b) Network security

I found that the network perimeter is not policed. Boundary defenses with multiple layers therefore need to be established, using firewalls and proxies deployed between the untrusted external network and the trusted internal network. The internal network is also unprotected. It should be protected so as to prevent direct connections from internal hosts to external services and to hide internal IP addresses (Antón & United States, 2003). Monitoring has to be done using intrusion detection tools, and the activity logs must be audited on a regular basis. I also found that security control tests have never been performed, so the system is easy to penetrate by cyber attack. Tests and simulation exercises need to be carried out regularly.
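As an added example (not from the original paper and not code from any vendor named in it), the following script performs the kind of regular log audit recommended above: it reads firewall log lines and reports internal hosts that reach external services directly instead of through the proxy, and external sources that reach internal addresses directly. The log format, the internal ranges, the proxy address and every address in the sample are constructed assumptions; the company's firewall will have its own format.

```python
"""Added example: audit firewall logs for connections that bypass the boundary
controls. Log format, proxy address, internal ranges and all entries are constructed."""
import ipaddress
import re

PROXY = ipaddress.ip_address("10.0.0.5")     # assumed address of the outbound proxy
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed log lines in a simple key=value format.
SAMPLE_LOG = """\
2017-06-01T09:00:01 action=ALLOW src=10.0.1.20 dst=10.0.0.5 dport=3128 proto=tcp
2017-06-01T09:00:02 action=ALLOW src=10.0.0.5 dst=93.184.216.34 dport=443 proto=tcp
2017-06-01T09:00:05 action=ALLOW src=10.0.1.31 dst=93.184.216.34 dport=443 proto=tcp
2017-06-01T09:00:07 action=ALLOW src=10.0.1.31 dst=198.51.100.7 dport=80 proto=tcp
2017-06-01T09:00:09 action=DENY src=192.168.2.9 dst=203.0.113.10 dport=22 proto=tcp
2017-06-01T09:00:11 action=ALLOW src=203.0.113.10 dst=10.0.1.20 dport=3389 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$")


def is_internal(addr):
    """True if the address falls inside one of the trusted internal ranges."""
    return any(addr in net for net in INTERNAL_NETS)


def parse(log_text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        entry["src"] = ipaddress.ip_address(entry["src"])
        entry["dst"] = ipaddress.ip_address(entry["dst"])
        entry["dport"] = int(entry["dport"])
        yield entry


def audit(log_text):
    """Return findings as (kind, src, dst, dport) for allowed connections that
    either leave the internal network without passing through the proxy, or
    arrive from outside directly at an internal address."""
    findings = []
    for e in parse(log_text):
        if e["action"] != "ALLOW":
            continue
        src_in, dst_in = is_internal(e["src"]), is_internal(e["dst"])
        if src_in and not dst_in and e["src"] != PROXY:
            findings.append(("direct-egress", str(e["src"]), str(e["dst"]), e["dport"]))
        elif not src_in and dst_in:
            findings.append(("inbound-to-internal", str(e["src"]), str(e["dst"]), e["dport"]))
    return findings


if __name__ == "__main__":
    for kind, src, dst, dport in audit(SAMPLE_LOG):
        print("%-20s %s -> %s:%d" % (kind, src, dst, dport))
```

On the sample, the proxy's own outbound connection and the workstation's connection to the proxy are accepted; the two direct connections from 10.0.1.31 to external web servers are reported as proxy bypass, and the allowed connection from an external address straight to an internal host on port 3389 is reported as an exposure of an internal address that a properly policed perimeter would not permit. The denied line is ignored because the firewall already blocked it.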

c) User privileges management

The company has not established effective account management processes. User accounts need to be reviewed regularly, from the time they are created, through any modification, until they are deleted. The company also does not limit the number or the use of privileged accounts; all users need to have their privileges minimized, and administrators should have separate standard accounts for normal business operations, using their privileged accounts only for administrative work (Antón & United States, 2003). Privileged accounts need to be reviewed more often than standard accounts. The company also needs to monitor all users in terms of their activities, their access to sensitive information and how the privileged accounts are being used.
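As an added example (not from the original paper), the following script carries out the account review described above against a constructed account export: it flags accounts whose owner has left, accounts idle beyond a review threshold (shorter for privileged accounts), privileged accounts with no named owner, and administrators who have no standard account for day-to-day work. The account names, dates, thresholds and the export format are assumptions made for illustration.

```python
"""Added example: periodic review of user and privileged accounts.
Account data, thresholds and the review date are constructed."""
from datetime import date

REVIEW_DATE = date(2017, 6, 1)
STANDARD_INACTIVE_DAYS = 90      # hypothetical review thresholds; privileged
PRIVILEGED_INACTIVE_DAYS = 30    # accounts are reviewed on a tighter cycle

# Constructed export: account, its human owner (None for a service account),
# whether it is privileged, last use, and whether HR still lists the owner.
ACCOUNTS = [
    {"name": "alice",      "owner": "alice", "privileged": False, "last_login": date(2017, 5, 30), "employed": True},
    {"name": "alice-adm",  "owner": "alice", "privileged": True,  "last_login": date(2017, 5, 29), "employed": True},
    {"name": "bob-adm",    "owner": "bob",   "privileged": True,  "last_login": date(2017, 5, 31), "employed": True},
    {"name": "carol",      "owner": "carol", "privileged": False, "last_login": date(2017, 1, 10), "employed": True},
    {"name": "dave",       "owner": "dave",  "privileged": False, "last_login": date(2017, 4, 1),  "employed": False},
    {"name": "svc-backup", "owner": None,    "privileged": True,  "last_login": date(2017, 4, 20), "employed": True},
]


def review(accounts, today=REVIEW_DATE):
    """Return (account, finding) pairs for every account needing action."""
    findings = []
    by_owner = {}
    for a in accounts:
        by_owner.setdefault(a["owner"], []).append(a)

    for a in accounts:
        limit = PRIVILEGED_INACTIVE_DAYS if a["privileged"] else STANDARD_INACTIVE_DAYS
        idle = (today - a["last_login"]).days
        # Lifecycle: the owner has left but the account still exists.
        if not a["employed"]:
            findings.append((a["name"], "owner-left-disable-account"))
        # Unused accounts are reviewed on a shorter cycle when privileged.
        if idle > limit:
            findings.append((a["name"], "inactive-%d-days" % idle))
        # Every privileged account must be traceable to a named person.
        if a["privileged"] and a["owner"] is None:
            findings.append((a["name"], "privileged-account-without-named-owner"))
        # Administrators must also hold a standard account for normal work.
        if a["privileged"] and a["owner"] is not None:
            if not any(not s["privileged"] for s in by_owner[a["owner"]]):
                findings.append((a["name"], "admin-has-no-standard-account"))
    return findings


def privileged_share(accounts):
    """Fraction of all accounts that are privileged; a figure to drive down."""
    return sum(1 for a in accounts if a["privileged"]) / float(len(accounts))


if __name__ == "__main__":
    for name, finding in review(ACCOUNTS):
        print("%-12s %s" % (name, finding))
    print("privileged share: %.0f%%" % (100 * privileged_share(ACCOUNTS)))
```

On the constructed export the review reports bob-adm as an administrator with no standard account, carol as a standard account idle for 142 days, dave as an account whose owner has left, and svc-backup both as a privileged account idle beyond its 30-day threshold and as one with no named owner; alice and alice-adm pass. Half of the accounts are privileged, which is the figure the company should work to reduce.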

The company also needs a database specialist. A database specialist will ensure that the database is secure, holds the intended data and is protected from breach. Given the vulnerabilities above, malicious injection into the database can be detected early by a specialist and the corresponding alerts and responses triggered. It is risky to overlook this need if database hacking is to be prevented.

Network Access Control Router

This is a device that prevents unauthorized access to the company's information system. Its basic principles are to authenticate, authorize and account for network connections. It grants access to different resources in the organization based on the role of the user. It strengthens policy enforcement, keeping intellectual property confidential and contained (Ballad, Ballad & Banks, 2011). It identifies and manages the company's assets and assesses the security posture of any device that attempts to access company data. Without it, company data is exposed to the public, damaging the business's reputation.

To install a NAC router, it is advisable that the company buys it from a reputable vendor. The three most trusted vendors are Aruba Networks, EASY NAC and Cisco.

References

Antón, P. S., & United States. (2003). Finding and fixing vulnerabilities in information systems: The vulnerability assessment & mitigation methodology. Santa Monica, CA: Rand.

Ballad, B., Ballad, T., & Banks, E. K. (2011). Access control, authentication, and public key infrastructure. Sudbury, Mass: Jones & Bartlett Learning.

Meyer, C. (2017). Measuring the Impact of Cyberattacks: Lost Revenue, Reputation & Customers. Retrieved from https://www.securitymagazine.com/articles/87778-measuring-the-impact-of-cyberattacks-lost-revenue-reputation-customers