
ED 577 Final 1

ED 577 Final

Charissa Piccotti-Fannu

Widgets Incorporated is a small but growing company in the business of widget production and sales. Widgets Inc. is experiencing several issues related to its growth, which must be addressed by the CSO. This document addresses the technical issues related to these concerns and offers suggestions for continued growth.

Board of Trustees Retreat

The Board of Trustees of Widgets Inc. will be going on a retreat in Florida and will need access to their files on the company server. Because this is an internal server, a secure Virtual Private Network (VPN) must be established. There are three different types of VPN technologies: secure VPNs, trusted VPNs and hybrid VPNs. Because the Board of Trustees will be out of the area, using an unsecured network at their retreat location, a secure VPN is the best choice. A secure VPN uses security protocols to encrypt data transmitted across public networks. IPsec (Internet Protocol Security) will provide network security by encrypting the data packets and through its protocols for authentication, data integrity and confidentiality.

Security requirements for the VPN include authentication, authorization, and accounting. Using the Diameter protocol, minimum security standards will be set for this VPN, including user authentication, data encryption, and tracking of network use. In order to implement the VPN, a secure VPN client router must be installed at the retreat location. Care must also be taken at the main office location, because a VPN connection may slow internet speeds (Fitzpatrick, 2016). A service like StrongVPN (www.strongvpn.com) offers secure connections to and from multiple locations, and includes the PPTP, L2TP, OpenVPN, and IPsec protocols.

Finance Department Server

The finance department of Widgets Inc. is thinking about purchasing a server to store financial documents. Because this server will host financial documents for the corporation, and will not be involved in outside sales or customer relations, an internal server (intranet) is the best option for the finance department. This server can be used on a linked local area network within the finance department, with a gateway computer to link to the rest of the corporation. This server should be protected with a hybrid firewall.

The company should consider the following issues when planning for the server purchase. First, Widgets Inc. should consider the future growth of the company and what data will be stored on this server. With that in mind, the company should opt for a server with scalability, that is, the ability to add multiple drives and upgrades, along with a capable processor. Second, the company must consider space, IT support, and environment. These factors will contribute to the overall size and features of the server chosen. Widgets Inc. must be sure to have qualified staff to service and maintain the server chosen, appropriate space for storage and expansion of the server rack, and a server aligned with the computers being used, whether they are Mac or PC desktops or laptops. In this case, a Windows Small Business Server may be the best option. Finally, serious consideration must be given to the data redundancy and fault tolerance of the server chosen (Lynn, 2010). RAID (redundant array of independent disks) level 5 is an array that stripes data across multiple drives with no dedicated parity drive; the parity blocks are instead distributed across all of the drives, so the array can lose any one drive and rebuild its contents from the others. Because RAID 5 drives can also be hot swapped (replaced without fault and without powering down the system), this would be the recommendation of the CSO to ensure safety and redundancy of data, while also balancing operating costs (Whitman & Mattord, 2016).
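As an added illustration (not part of the paper or its sources), the following Python models RAID 5 striping with distributed parity: each stripe's parity is the XOR of its data chunks, the parity position rotates across the drives, and a single failed or hot-swapped drive is rebuilt from the survivors. The chunk size, drive count and sample data are constructed for the example.

```python
from typing import List, Optional

CHUNK = 4  # bytes per chunk; constructed, tiny so the stripes are easy to follow


def xor_bytes(blocks: List[bytes]) -> bytes:
    """XOR equal-length chunks together: the only arithmetic RAID 5 parity needs."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def raid5_write(data: bytes, n_drives: int) -> List[List[bytes]]:
    """Stripe data over n_drives; drives[d] is the list of chunks on drive d, one per
    stripe. The parity chunk's position advances one drive per stripe (distributed parity)."""
    if n_drives < 3:
        raise ValueError("RAID 5 needs at least three drives")
    per_stripe = CHUNK * (n_drives - 1)
    padded = data + b"\x00" * (-len(data) % per_stripe)
    drives: List[List[bytes]] = [[] for _ in range(n_drives)]
    for s in range(len(padded) // per_stripe):
        base = s * per_stripe
        chunks = [padded[base + i * CHUNK: base + (i + 1) * CHUNK] for i in range(n_drives - 1)]
        parity_drive = s % n_drives
        parity = xor_bytes(chunks)
        data_iter = iter(chunks)
        for d in range(n_drives):
            drives[d].append(parity if d == parity_drive else next(data_iter))
    return drives


def raid5_read(drives: List[Optional[List[bytes]]]) -> bytes:
    """Read the data back. A drive given as None is failed (or pulled for a hot swap);
    each of its chunks is rebuilt from the surviving chunks of the same stripe."""
    n = len(drives)
    failed = [d for d in range(n) if drives[d] is None]
    if len(failed) > 1:
        raise RuntimeError("RAID 5 survives only one failed drive; two means data loss")
    n_stripes = len(next(chunks for chunks in drives if chunks is not None))
    out = bytearray()
    for s in range(n_stripes):
        stripe = [None if drives[d] is None else drives[d][s] for d in range(n)]
        if failed:
            # Missing data or missing parity alike: XOR of the surviving n-1 chunks.
            stripe[failed[0]] = xor_bytes([c for c in stripe if c is not None])
        parity_drive = s % n
        out += b"".join(stripe[d] for d in range(n) if d != parity_drive)
    return bytes(out)
```

The same XOR rebuild is what a RAID 5 controller runs while a replacement drive is being resynchronised; a second failure before that completes is the case the array cannot survive.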

Network Administrator Termination

As a condition of N.A.'s employment, a background check was completed and an employee technology use agreement was signed. We can be reasonably assured that N.A. does not have a criminal background or malicious intent. However, several security measures must be taken to ensure the confidentiality of data, the security of all media and information, and network security. The CSO must be informed of the employee's termination before any other steps are taken, to ensure that access to any of the organization's systems is revoked.

First, following the corporation's security plan, all access to the Widgets Inc. network (intranet, internet, and system files) must be disabled. This can be accomplished by removing user permissions for the terminated employee and disabling all accounts in that employee's name in the ACL (access control list) and capability tables of the company network (Whitman & Mattord, 2016). Second, physical property belonging to the company, including hard drives, removable media, portable storage devices, and the data stored on them, must be returned to the company. A security escort must accompany the employee to retrieve and return these devices and data. Finally, door keys and keycard access must be removed and secured. The employee's keycard must be deactivated on the security system, and building security must be notified. The terminated employee will be made aware of these items in an exit interview, as will the necessary staff. It is also recommended that security protocols and procedures, as well as Widgets Incorporated's Fair and Responsible Use policy, be reviewed and updated after this incident, in order to plan for any future occurrences. The company's SysSP (system-specific security policy) should also be reviewed at this time, as changes will be made to the ACL and capability table within the system (Whitman & Mattord, 2016).
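As an added example (not from the paper or its sources), the following Python keeps one access matrix in both views the text names, the per-object ACL and the per-subject capability table, and shows the revocation step: disabling the terminated administrator in both views and auditing that no residual access remains. The subject and object names are constructed.

```python
from typing import Dict, Set

Rights = Dict[str, Set[str]]


class AccessMatrix:
    """One access matrix kept in the two views Whitman & Mattord describe: the ACL
    (per object: which subjects hold which rights) and the capability table
    (per subject: which objects it may reach, with which rights)."""

    def __init__(self) -> None:
        self.acl: Dict[str, Rights] = {}   # object  -> subject -> rights
        self.caps: Dict[str, Rights] = {}  # subject -> object  -> rights

    def grant(self, subject: str, obj: str, *rights: str) -> None:
        self.acl.setdefault(obj, {}).setdefault(subject, set()).update(rights)
        self.caps.setdefault(subject, {}).setdefault(obj, set()).update(rights)

    def revoke_subject(self, subject: str) -> Set[str]:
        """Disable a terminated subject in BOTH views. Returns the objects it held
        access to, which is the list to record for the exit interview."""
        touched = set(self.caps.pop(subject, {}))
        for obj, entries in self.acl.items():
            if entries.pop(subject, None) is not None:
                touched.add(obj)
        return touched

    def residual_access(self, subject: str) -> Set[str]:
        """Post-termination audit: objects that still name the subject in either view."""
        left = {obj for obj, entries in self.acl.items() if subject in entries}
        return left | set(self.caps.get(subject, {}))

    def is_consistent(self) -> bool:
        """The two views must agree; a mismatch is the signature of a half-done revocation."""
        via_acl = {(s, o, r) for o, e in self.acl.items() for s, rs in e.items() for r in rs}
        via_caps = {(s, o, r) for s, e in self.caps.items() for o, rs in e.items() for r in rs}
        return via_acl == via_caps


def build_sample() -> AccessMatrix:
    """Constructed sample: the departing network administrator ('na') holds broad rights."""
    m = AccessMatrix()
    m.grant("na", "fileserver:/finance", "read", "write", "admin")
    m.grant("na", "router:core", "admin")
    m.grant("na", "vpn:gateway", "admin")
    m.grant("cfo", "fileserver:/finance", "read", "write")
    return m
```

Real systems keep these views in different places (directory accounts, device local admin lists, VPN user databases), which is why the consistency check after the revocation matters as much as the revocation itself.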

Report of a New Internet Worm

According to CERT (Computer Emergency Readiness Team), a new Internet worm has just been released. Because worms can replicate themselves to fill all available hard drive space, memory, and network bandwidth, this is a serious threat to Widgets Incorporated. Initially, the IDPS (intrusion detection and prevention system) should be checked to make sure it is up to date and operating correctly. A security risk assessment and a vulnerability assessment should be performed immediately, focusing on this latest threat. Once security risks and vulnerabilities are found and documented, steps should be taken to correct any outstanding issues.

Because worms are most often transmitted through email, often as attachments, employees should be made aware of the risks of opening any unknown attachment or any email from an unknown sender. Firewalls on all corporate servers and networks must be updated and tested to ensure network security. This should include authorizations for access to the firewall device itself, as well as limiting the data allowed through the network. For user email, SMTP (Simple Mail Transfer Protocol) data should be allowed to enter the firewall and then be safely filtered through the gateway before being routed securely. For web services, web traffic should be restricted using proxy server firewalls. Finally, all data that is not verifiably authentic should be denied (Whitman & Mattord, 2016).
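As an added example (not from the paper or its sources), the filtering policy described above written as an ordered ruleset with a default deny and evaluated over constructed flows: SMTP may reach only the mail gateway, workstations reach the web only through the proxy, and everything else is dropped. The addresses, the gateway and proxy hosts and the proxy port are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed addresses for the example; the real hosts would be Widgets Inc.'s own.
LAN = ip_network("10.0.1.0/24")            # employee workstations
MAIL_GATEWAY = ip_network("10.0.0.25/32")  # filters SMTP before internal routing
WEB_PROXY = ip_network("10.0.0.80/32")     # the only host allowed to talk to the web
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "deny"
    note: str

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in self.src and ip_address(f.dst) in self.dst
                and (self.dport is None or self.dport == f.dport))


# Ordered ruleset: SMTP only via the mail gateway, web only via the proxy,
# and anything not explicitly allowed falls through to the default deny.
POLICY: List[Rule] = [
    Rule(ANY, MAIL_GATEWAY, 25, "allow", "inbound SMTP terminates at the mail gateway"),
    Rule(MAIL_GATEWAY, ANY, 25, "allow", "gateway relays filtered mail outbound"),
    Rule(LAN, WEB_PROXY, 3128, "allow", "workstations reach the web through the proxy"),
    Rule(WEB_PROXY, ANY, 80, "allow", "proxy fetches HTTP on the workstations' behalf"),
    Rule(WEB_PROXY, ANY, 443, "allow", "proxy fetches HTTPS on the workstations' behalf"),
]


def decide(f: Flow, policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """First matching rule wins; no match means the traffic is not verifiably
    authentic and is denied."""
    for rule in policy:
        if rule.matches(f):
            return rule.action, rule.note
    return "deny", "default deny: not explicitly permitted"
```

The containment value shows in the last two denied flows: an infected workstation can neither mail itself out directly nor fetch anything from the Internet except through the proxy, where the traffic can be inspected and logged.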

Additionally, once the vulnerability and security risk assessments are completed and the necessary updates made, penetration testing should be performed. Penetration testing should be performed by an outside firm with little knowledge of the inner workings of the network. This will result in a more realistic representation of the network's true security.



Beginning Online Sales and Credit Card Acceptance

Widgets Inc. will now be expanding its offerings to online sales and will begin accepting credit cards. This new addition will require several updates to the company's web site. Because credit card information will be accepted online, steps must be taken to ensure the privacy of personal financial information. In order to accomplish this, Widgets Inc. will be installing a PKI (public key infrastructure) system.

Installing a PKI system will ensure the security of the sensitive information involved in each transaction. The PKI integrates the following characteristics: authentication (validating the identity of users), integrity (content has not been altered), privacy (information is protected from interception), authorization (control of access privileges), and nonrepudiation (accountability for transactions). In this case, a Certificate Authority will be used to manage users' digital certificates (Whitman & Mattord, 2016). This will enable the maintenance of the PKI certificates to be handled by a third party and reduce in-house operating time and costs. By implementing a strong cryptosystem through a complex key, password protection, and hardware-based key tokens, the PKI can ensure secure, encrypted, binding e-commerce transactions for Widgets Inc.

References

Fitzpatrick, J. (2016, August 21). Connect Your Home Router to a VPN to Bypass Censorship, Filtering, and More. Retrieved June 13, 2017, from https://www.howtogeek.com/221889/connect-your-home-router-to-a-vpn-to-bypass-censorship-filtering-and-more/

Lynn, S. (2010, October 07). How to Buy a Server. Retrieved June 13, 2017, from http://www.pcmag.com/article2/0,2817,2370348,00.asp

Whitman, M. E., & Mattord, H. J. (2016). Principles of information security (5th ed.). Boston, MA: CENGAGE LEARNING CUSTOM P.
