Internet Technology New Trends IP5
NETWORK SECURITY FRAMEWORK MANAGEMENT 21
Network Security Framework Management
Information Technology Hypothesis Unit 4 Independent Project
Information Technology Capstone
Credit Repair December 12, 2016
Contents I. Credit Management System Outline 3 II. Problem Identification 5 III. Project Plan 7 IV. Hypothesis 8 1. Physical 8 2. Data Link 8 3. Network 9 4. Transport 9 5. Session 10 6. Presentation 10 7. Application 11 V. Data Collection 12 VI. Project Execution 13 A. Time Management 13 B. Cost management 13 C. Quality Management 14 D. Research Results Summary 15 VII. Project Solution 17 A. Proposed Solution 18 B. Project Plan 19 C. Timeline 20 v. Communication 24 D. 3 -5 Year Cost Benefit Analysis 26 VIII. Current and Future Technology 27 IX. References 28
Credit Management System Outline
Noravenei, LLC is a medium sized credit counseling company located in Gainesville and Ft Lauderdale, FL. The company has three hundred customers and thirty employees. The company is experiencing increased growth and wants to expand online to provide worldwide outreach to all potential clients. Current customers expressed their interest in having accessibility electronically. The Company’s website is simple, but does not provide personal do it yourself access. The Company aims at integrating to online teaching and allow customers to keep up with credit updates daily. This research project gives a description of the general business environment of the Company. Referencing objectives, statements, and system goals. (Re-purposed Sharon Colter, Colorado Technical University, Database Systems, CS660-1604A-01, Professor Michael Watson, November 7, 2016)
The focus is to provide self-service consumption of all services, including downloadable documents, contracts, and credit reports. Content Management Systems or CMS is a technology of retrieving and storing users’ data with utmost efficiency and appropriate security measures. The credit management system is designed to check and report credit information. This content system includes customer information, credit report retrieval, dispute management, billing, and security portal. The customer information section covers leads, employee information, calendar appointment, tasks, and notes. The customer/employee information includes leads, appointments, and pricing module. The credit report retrieval system integrating microservices with the implementation of API’s. The dispute management system provides online dispute on demand, classroom teaching integration, through microservice application. The company’s goal is to control security through application integration. Conflicts arise through authentication and lack of workflow encompassing errors in crossing applications into the new Content Management System (CMS). (MuleSoft, 2016)
Problem Identification
Security is the problem identification and will continue to be an issue because of personal and sensitive information involved by banking and credit websites, which are targets for hackers. Correct integration of applications is important to keep workflow and security issues to a minimum. The problem identification includes, data breaches and threats which compromise sensitive information. Constant development of a security policy plan is necessary to the operations of the CMS system. (Sucuri, 2016)
The IT Project Manager is responsible for overseeing the development of security policies, management, and upkeep of progressive objective assignments. The security plan consists of maintenance of servers. Development of security model integration to assist in security protection from cyber criminals. Encryption of code development in software and new technology, which acts as a lock out system to protect intruders from entering the system. The security management will oversee the current state of the system, determination of the systems working stability, interventions, and improvements of the targeted goals. The Capability Maturity Model Integration (CMMI) is used to infiltrate the levels of operations of security infrastructure development. The current system is a poorly managed system which consist of many threats. Fallacies involved includes failures in performance, configuration errors, updates, quality, control, and policy issues. Interaction with guests, users, and administrators will assist in development of problem issues to correct system behavior. (Persse, 2007)
1. Performed Assessment of a poorly managed system.
2. Managed Describes the security model is in the development phase and status of success or failure is unidentified. Involves planning, agreements, management of configuration, quality, control, and monitoring.
3. Defined Security model is being used and proactive measures applied. Entails security model development training, technical explanations, integration, validation, and process organization.
4. Qualitatively Managed Process managed and controlled. Process is an instance of a computer/software program code that is being used; the process contains the code that is being executed with the activity/instructions.
5. Optimizing Processes modified, security policies applied. This level provides the performance, analysis, and resolution.
The requirements of the process model give instructions and objectives which define the behavior of the organizations projects. The development of the security models should follow the instructions of the CMMI Model and structuring employee’s systematically to manage model effectively. (Persse, 2007)
Project Plan
The strategy plan of the network security framework management is to assess the security risk and vulnerability of the network model. Development of system dynamics needed to show system network technology, which includes system virtualization, database illustration and network behavior. The evaluation of operative network methodologies used to encompass scalable network system security. Integration with the inclusion of emulation and simulation. Investigation and research of possible cyber exposures and attacks. (Godfrey, et al., A Hypothesis Testing Framework for Network Security, 2016)
Hypothesis
Testing network security hypothesis is imperative to the design of server framework management. Testing consists of layers of security policies rendered in the network framework stack. The network security stack consists of seven Open System Interconnection (OSI) Model layers. The Network Hypothesis Testing Methodology (NetHTM) implemented to test network security policy OSI model. (Godfrey, et al., A Hypothesis Testing Framework for Network Security, 2016)
OSI LAYERS
Physical
The Physical Layer controls information sent in and out of the network. This layer is responsible for electrical signals sent within the network through low and high frequency detection methods. The layer comprises of repeaters, connectors, hubs, cables, pins, and voltage. (Re-purposed Sharon Colter, Colorado Technical University, Introduction to Network Management, IT245-1402A-02, Rodney Brown, April 28, 2014)
Data Link
The Data Link Layer keeps up with the communication of the network, involving the physical layers, and decodes information transported over the internet. This layer receives, addresses, and interprets it into local addresses. The local network computer address recognized by the MAC address, which identifies individual computers. This layer guides information packets through the Ethernet to the Physical Layer. This layer sends and receives media to the TCP/IP packets over the Network Layer. Performance requirements for wireless, wired, and LAN functions occur at this layer. The layer transports information for reception by the receiving computer. Switches used at this layer. (Re-purposed Sharon Colter, Colorado Technical University, Introduction to Network Management, IT245-1402A-02, Rodney Brown, April 28, 2014)
Network
The Network Layer translates addresses and routes data through the network. The TCP/IP protocol locates the IP address of remote computers, translates the information to the intended computer. This layer is responsible for traffic, route, category, and budgeting of the infrastructure. The router sends and receives data to the network and determines process, delivery, and data segmentation. (Re-purposed Sharon Colter, Colorado Technical University, Introduction to Network Management, IT245-1402A-02, Rodney Brown, April 28, 2014)
Transport
The Transport Layer transfers data over the network infrastructure by disbursing and reuniting information, making sure the data flow maintained, arranged, and transferred correctly. The data transferred at the correct speed sequences by sending and receiving data. (Re-purposed Sharon Colter, Colorado Technical University, Network and Telecommunications, IT640-1601A-01, Dr. Gregory Gleghorn, February 8, 2016)
Session
The session layer maintains and produces communication between computers within the network. The layer keeps up with startup broadcasts at session connections and timing. This layer is also, responsible for duplex processes, which include half, and full duplex options; comprising of streaming video and music. Virtual and remote computing interfaces maintained at this layer. Protocol methodologies consist of SOCKS, NetBIOS, and SQL. (Re-purposed Sharon Colter, Colorado Technical University, Introduction to Network Management, IT245-1402A-02, Rodney Brown, April 28, 2014)
Presentation
The Presentation Layer interprets data between the network and applications transferring information from the applications throughout the network. The web browser delivers these options via Hypertext Transfer Protocol (HTTP) to a web server within the network as well as the Multi-Purpose Internet Mail Extensions (MIME). Video and audio protocols included within this layer. (Re-purposed Sharon Colter, Colorado Technical University, Network and Telecommunications, IT640-1601A-01, Dr. Gregory Gleghorn, February 8, 2016)
Application
The Application Layer delivers end user services comprising of network management, file transfers, virtual access, digital messaging, and emails. This layer is accountable for client user interaction. The governing protocols include FTP, NFS, and SMTP. The current system uses the Application Layer for virtual terminals, remote terminals, and remote network printing. (Re-purposed Sharon Colter, Colorado Technical University, Network and Telecommunications, IT640-1601A-01, Dr. Gregory Gleghorn, February 8, 2016)
Examination and observation of the stack’s architecture to determine vulnerabilities and attacks on processes and data methodology. Understanding the network’s behavior is demonstrated during hypothesis analysis. Such as identification of packet flow between devices, hypothesis is derived through data flow examination of quantitative analysis of data flow through the security of each layer of the network. The methodology is to complete scientific reasoning for network and data flow security results. (Godfrey, et al., A Hypothesis Testing Framework for Network Security, 2016)
Data Collection
The Network Hypothesis Testing Methodology (NetHTM) examination testing developed to challenge security analysis of quantitative theory of entire OSI model. Using quantitative risk assessment:
Conduct vulnerability risk assessment including value of asset risk; Company history of reporting losses and risk documentation; Scope; Data Collection; Proactive determination to conquer risk issue; Surveys; Questionnaires; (Tang, 2002)
Collection includes the verification of policies and methods in place documented or not recorded. Interviews with key staff using surveys an questionnaires to identify assets, missing, obsolete data, and identify scope. Scope includes the current system state including; access control permissions; packet levels, scanning ports; running processes; network applications; physical topology; kind of operating system; wireless vulnerabilities; intrusion analysis; survey network; phone and firewall system testing. (SANS, 2016)
Project Execution
The Project Execution phase is the stage in project management that the final and physical project is built and delivered to the customer. All the tasks outlined in the project plan stage are worked on in this phase. Various processes taken to manage time, cost, change, quality, risk, and other related issues. (Khnaser & Hunter, 2004)
0. Time Management
Time Management monitors and controls the time allocated to various project tasks and the overall time spent on the overall project development.
Importance of time management
i. It gives specific steps needed to manage time within the project development.
ii. It gives the diagrammatic representation of the steps involved in the project development.
iii. Explains the roles and the responsibilities that are involved in the project development phase.
Cost management
This process helps to monitor, report and control the expenses incurred in the project development. The prime importance of this process is to ensure that all costs and expenses acquired in the project development are accurately recorded and accounted.
Importance of Cost Management
i. Identify various costs within the project
ii. Keep track of all the costs incurred in the project development.
iii. Monitor and control the occurrences of over-spending in the project development.
iv. Updating the financial plans and the overall progress of the project.
(Wang & Kissel, 2015)
Quality Management
This process, helps to improve the quality, of the final project deliverable, and ensure quality, of the final product, is not compromised, in the project development. (Khnaser & Hunter, 2004)
Importance of Quality Management
i. Helps to set the quality targets to be met in the final deliverable product.
ii. Defines how to measure the quality targets.
iii. Assists the project team, to perform, quality assurance, on the project development.
iv. Helps the project team, to undertake quality control, on the project development. (Wang & Kissel, 2015)
During the execution of this project, works in hand to identify, the vulnerability, of the network model at large. The entire project is based on the security, of the company’s network, in association, with the OSI network model. (Wang & Kissel, 2015)
Research Results Summary
The network OSI model is the layer, which holds all the responsibilities, of directing all data sent, and received on the company’s network. During the operation of the company activities, numerous data is sent over the network, such as, emails, passwords, credit card information etc. This data sent over the network, at some point, is the prime target, of hackers who aim to retrieve and use the information illegally to fraud or blackmail the company’s security. (Wang & Kissel, 2015)
For the case when an email is sent over the company’s network from the sender to the recipient, the data is sent via a protocol called the SMTP protocol. The data moves across the network layer to the data link layer. The data then moves from the data link layer to the physical layer where the final recipient will receive the final email. Each attack that occurs on the company network is greatly mapped on the OSI model. (Wang & Kissel, 2015)
Attacks
Layer 1 attacks. These attacks, associated with the disruption of the signals, or the physical part, of the network, such as cabling.
Layer 2 attacks. Attacks which focus on the packet delivery on the network, such as, routing devices on the LAN. (Barber, et al., 2004)
Layer 3 attacks. These are the attacks which result from multiple protocols involved in routing. These attacks associated with the WAN protocols.
Layer 4 attacks. These attacks associated with the transport protocols in the network; controlled by doing port scanning, regularly, to identify defaults.
Layer 5-7 attacks. These are the attacks associated with the SQL injection over the network. For the case of database, attackers may run commands to extract data from the database using network applications. (Khnaser & Hunter, 2004)
Project Solution
The Company
Noravenei, LLC Company is specialized in the provision of comprehensive services in the field of credit services which need high level of information security. The main activities of the Company are credit services to customers coinciding with downloadable documents, contracts, agreements, and credit reports.
Project Team
The project development roles are project manager, analyst, designer, front-end developers, back-end developers, testers, and technical writer. Nine employees of the Company have been chosen from the software development department, the department of maintenance, and implementation of software products and documentation department. (Watt, 2014)
Project Plan
The objective of this project, is to create a website infrastructure, where legal entities could order, revoke digital signature certificates, and train customer service department employees. (ISG, 2015)
The website completion within 90 days, from 01/01/2017 to 04/04/2017.
This project will deliver:
· Web site;
· Network security and Policy Plan.
· User manual;
· Cabling Materials and Network Devices
· Technical Documentations;
· Training Materials;
The WBS created by decomposition of work into 16 manageable packages.
A project schedule developed, a Gantt diagram shows each task, with the duration. The critical path computed, with a duration of 77 days.
To clarify the roles that stakeholders play in the project RACI model is applied. According, to the analysis of schedule activities, there are no conflicts of human resources.
A communication plan and risk assessment plan is provided. (SANS, 2016)
0. Proposed Solution
The company deals with banking and credit services, the major problem, is the security of the customers’ details, sent over the network. The hackers and other ill-intentioned network users, usually aim for this information, so that they will use the information, to illegally access accounts, performing fraudulent activities, and transactions. (Khnaser & Hunter, 2004)
Network security is the major area of concern in any application system, which involves the transfer of credit, and bank account information, over the network. Whenever the information is transferred by users, information must be accompanied, by strong security measures, to control any form of vulnerabilities on the network. (Barber, et al., 2004)
The proposed solution in this case is to ensure that the security is strong enough to control threats on the network. The main solution, is the use of data encryption techniques, in the event attackers, get access to the information, over the transit, they will not benefit from access; because they will not be able to interpret or understand the cypher texts of the data. The use of secure protocols, over the websites, will ensure data encryption, is strong enough. These secure protocols may include: HTTPS, TCP, SMTP etc. (Priemus, Flyvbjerg, & Wee, 2008)
The alternative solution is to use the intrusion detection system. The use of these systems will monitor the network, analyze the data requests from users, and control the network access. In case of any suspicious access or packet requests, these systems will block such users. These systems include: network firewall security system. (Priemus, Flyvbjerg, & Wee, 2008)
The proposed solution will address the problem because, for the use of data encryption, the hackers will not be able, to tamper with the information, sent over the network. This ensures the target user is the only person who can have access to the main data sent. While for the case of the use of intrusion detection systems, the suspicious users, and requests will be blocked from the network, and denial of access to data, and information. (Priemus, Flyvbjerg, & Wee, 2008)
Project Plan
Project Objectives.
i. Ensuring that customers perform continuous or twenty-four hour/seven day a week transactions on their credit and bank accounts.
ii. Maintain the highest level of security on the customer credit information.
iii. Improving the customer support services.
iv. Ensuring that data validation techniques are maintained in high levels.
Timeline
i. WBS
|
WBS |
Task |
Start date |
Duration (days) |
End date |
|
1.1.1 (A) |
Gather requirements |
01.01.2017 |
2 |
03.01.2017 |
|
1.1.2 (B) |
Develop website content |
01.03.2017 |
5 |
01.08.2017 |
|
1.1.3 (C) |
Create the terms of references |
01.03.2017 |
7 |
01.10.2017 |
|
1.2.1 (D) |
Create website user interface mock-ups |
01.10.2017 |
10 |
01.20.2017 |
|
1.2.2 (E) |
Develop SQL database tech. requirements |
01.20.2017 |
7 |
01.17.2017 |
|
1.2.3 (F) |
Develop technical specifications |
01.10.2017 |
7 |
01.17.2017 |
|
1.3.1.1 (G) |
Code web pages |
01.19.2017 |
15 |
02.04.2017 |
|
1.3.1.2 (H) |
Web pages testing |
02.02.2017 |
15 |
02.17.2017 |
|
1.3.2.1 (I) |
Build database tables |
02.17.2017 |
20 |
03.02.2017 |
|
1.3.2.2 (J) |
Database testing |
02.06.2017 |
15 |
02.21.2017 |
|
1.3.3.1 (K) |
Network design and analysis |
02.17.2017 |
20 |
03.02.2017 |
|
1.3.3.2 (L) |
Network security analysis |
02.06.2017 |
10 |
02.16.2017 |
|
1.4 (M) |
Quality assurance |
02.21.2017 |
20 |
03.13.2017 |
|
1.5.1 (N) |
Create documentation |
03.13.2017 |
5 |
03.18.2017 |
|
1.5.2 (O) |
Create training materials |
03.13.2017 |
3 |
03.16.2017 |
|
1.5.3 (P) |
Train customer service department staff |
03.16.2017 |
3 |
03.19.2017 |
ii. Resource plan
Stakeholders
|
A |
Project Manager |
|
|
Analyst |
|
|
Tester |
|
B |
Network Forensic Analyst |
|
C |
Tester |
|
D |
Front-End Developer |
|
E |
Back-End Developer |
|
F |
CISCO Analyst |
|
G |
Designer |
|
H |
Technical Writer |
|
I |
CEO |
|
J |
Manager of Software Development Department |
|
K |
Manager of Department of Maintenance and Implementation of Software Products |
|
L |
Manager of Documentation Department |
|
M |
Manager of Customer Service Department |
iii. RACI
|
Tasks/Stakeholders |
A |
B |
C |
D |
E |
F |
G |
H |
I |
J |
K |
L |
M |
|
Gather requirements |
R/A |
I |
I |
I |
I |
I |
I |
I |
C |
I |
I |
I |
- |
|
Develop website content |
C/A |
I |
I |
I |
I |
I |
I |
R |
- |
I |
I |
A |
- |
|
Create the terms of references |
R/A |
C |
C |
C |
C |
C |
C |
I |
- |
I |
I |
- |
- |
|
Create website user interface mock-ups |
C/A |
I |
I |
I |
I |
I |
R |
I |
- |
A |
- |
- |
- |
|
Develop SQL database tech. requirements |
C/A |
I |
I |
I |
R |
I |
I |
I |
- |
- |
- |
- |
- |
|
Develop technical specifications |
C/A |
I |
I |
I |
I |
R |
I |
I |
- |
- |
- |
- |
- |
|
Code web pages |
C/I |
I |
I |
R |
I |
I |
C |
C/I |
- |
A |
- |
- |
- |
|
Web pages testing |
R/A |
- |
- |
C/R |
- |
- |
- |
- |
- |
- |
A |
- |
- |
|
Build database tables |
I |
I |
- |
I |
R |
I |
- |
I |
- |
A |
- |
- |
- |
|
Database testing |
I |
R |
- |
- |
C/R |
- |
- |
- |
- |
- |
A |
- |
- |
|
Network analysis and design |
C |
- |
I |
I |
I |
R |
- |
I |
- |
A |
- |
- |
- |
|
Network security analysis |
I |
I |
R |
- |
- |
C/R |
- |
- |
- |
- |
A |
- |
- |
|
Quality assurance |
R/A |
R |
R |
C/R |
C/R |
C/R |
C |
- |
I |
I |
A |
- |
- |
|
Create documentation |
C |
I |
I |
C |
C |
C |
C |
R |
- |
- |
- |
A |
- |
|
Create training materials |
C |
C |
C |
- |
- |
- |
- |
C |
- |
- |
- |
R |
I/C |
|
Train customer service department staff |
R/A |
- |
- |
- |
- |
- |
- |
C |
- |
- |
I |
- |
I |
R – Responsible;
A – Accountable;
C – Consulted;
I – Informed.
iv. Risk Assessment Plan
|
Category |
Prob. |
Imp. |
Risk |
Mitigation approaches |
|
Key developers quit or sick |
Med |
High |
Without key developers project will be delayed |
Ten days have been added into the project schedule. Other Company’s developers should assist. |
|
Overestimated project team’s abilities |
Low |
High |
Underestimating timeline |
Project manager identified knowledge gaps and provided additional trainings |
|
Change of requirements |
Med |
High |
Major changes of functionality or design will result in project delay |
Proper requirement analysis should be done, scope statements should be signed by stakeholders |
|
Software abnormality |
Low |
High |
Project will be delayed |
There are three developers in the project. Moreover, there will be at least three other developers to assist the project team in the Company. |
|
Schedule |
Med |
High |
Website will not be ready by 1 April 2017 |
Project has been broken into smaller parts to maintain schedule |
|
Low access to internet services by customers and access devices |
Low |
High |
The project will be unprofitable |
References to the website from Tenders websites |
|
Low security measures |
Medium |
High |
Illegal access to user information by hackers. |
Implementing strong security measures in the project development. |
|
Stakeholder |
Document Name |
Delivery Method |
Due |
|
Testers |
Project Plans
Status Reports |
Meeting
|
Weekly
Weekly |
|
Developers |
Project Plans
Status Reports |
Meeting
|
Weekly
Weekly |
|
Designer |
Project Plans
Status Reports |
Meeting
|
Weekly, until 02/19/2017 (The end of web pages testing ) Weekly, until 02/19/2017 (The end of web pages testing ) |
|
Technical writer |
Project Plans
Status Reports |
Meeting
|
Weekly
Weekly |
|
CEO |
Monthly Status Report |
|
First of month |
|
Manager of Software development department |
Status Reports |
|
Weekly |
|
Manager of Department of maintenance and implementation of software products |
Status Reports |
|
Weekly |
|
Manager of Documentation department |
Status Reports |
|
Weekly |
|
Manager of customer service department |
Training materials |
Meeting |
Daily from 03/13/.2017 To 03/16/2017 |
|
Analysts |
Status reports. |
Meeting |
Daily |
vi. Project budget
|
Item |
Cost |
Risk allowance |
|
4 notebook computers and 2 servers |
$6000 |
$1500 |
|
Salaries |
$50000 |
$2000 |
|
Cabling materials and devices |
$30000 |
$1500 |
|
Transport |
$5000 |
$1000 |
|
Rent expenses and other bills |
$20000 |
$1500 |
|
Data recovery |
$5000 |
$500 |
|
Printing |
$500 |
$100 |
|
Printing papers |
$500 |
$100 |
|
Domain and webhosting |
$10,000 |
$2000 |
|
CISCO and encryption standards registration |
$30000 |
$2000 |
|
Total |
$157,000 |
$12,200 |
B. 3 -5 Year Cost Benefit Analysis
|
|
Benefits |
costs |
||||
|
Time (years) |
Time saving |
Reduced risks |
Continuous Transaction Operations |
Right-of-Way |
Budgeted Cost |
maintenance |
|
current |
$0 |
$0 |
$0 |
$300,000 |
$15,700 |
$500,000 |
|
1 |
$500,000 |
$200,000 |
$100,000 |
$0 |
$0 |
$200,000 |
|
2 |
$700,000 |
$350,000 |
$200,000 |
$0 |
$0 |
$150,000 |
|
3 |
$1,500,000 |
$370,000 |
$400,000 |
$0 |
$0 |
$100,000 |
|
4 |
$2,000,000 |
$400,000 |
$450,000 |
$0 |
$0 |
$100,000 |
|
total |
$4,700,000 |
$1,320,000 |
$1,150,000 |
$300,000 |
$15,700 |
$1,050,000 |
|
|
|
|
|
|
|
|
|
|
benefits |
$7,170,000 |
|
|
|
|
|
|
costs |
$1,365,700 |
|
|
|
|
|
|
net benefits |
$5,804,300 |
|
|
|
|
(Priemus, Flyvbjerg, & Wee, 2008)
Current and Future Technology
References