This is a security threats, attacks, and vulnerability assessment paper for an organization known as JJ People. JJ People is an organization that deals with software development, website development and mobile application development. JJ People only uses Java programming language to design its software.
Java is a computer programming language. It enables programmers to write computer instructions using English-based commands instead of having to write in numeric codes. Java is known as a high-level language because it can be read and written easily by humans.
JJ People IT designs its desktop applications using Java Standard Edition (Java SE), its websites using Java Enterprise Edition (Java EE) and its mobile applications using Android, which entirely depends on Java. JJ People is an international organization that was established in Canada in 2002. Its headquarters is in London, United Kingdom. JJ People has several assets, which include computers that are used to program, website hosting servers where they host their clients’ websites, database servers where they keep their clients’ data, cloud computing services for the database, and network infrastructure that supports all these.
Assessment scope of JJ People
Hardware
Computers
Network fiber optic and cables
Routers, switches, gateways, modems, wireless access points, proxy servers and firewalls
Web servers
Database servers, mail servers, application server, and telnet server
Mobiles and tablets for testing website responsiveness
Software
Operating system
Utilities (antivirus etc.)
Commercial applications such as word processing, photo editing etc.
Database management system and all other software
System model
From the diagram we can see that we have routers, switches, computers, laptops and servers, and there is also a firewall, which is not shown in the diagram.
Router – a networking device that forwards packets between networks.
Switch – a network device that connects devices together in a network.
Server – a computer or computer program that manages access to a centralized resource in a network.
Firewall – software or hardware placed on the network that blocks communication forbidden by the network policy.
Existing countermeasures
Before we look at the countermeasures used by the JJ People organization, let us first define a couple of terms: countermeasure, vulnerability and threat.
A countermeasure is also called a control: an action, device, procedure, or technique that removes or reduces a vulnerability. A vulnerability is a weakness in the system, for example in procedures, design, or implementation, that might be exploited to cause loss or harm. A threat to a computing system is something that has the potential to cause loss or harm.
JJ People uses the C.I.A. triad, also known as the security triad, to ensure that it protects its devices and software from threats. C.I.A. stands for confidentiality, integrity and availability. Confidentiality is the ability of a system to ensure that an asset is viewed only by authorized parties. Integrity is ensuring that an asset is modified only by authorized parties. Availability is the ability to ensure that an asset can be used by any authorized party.
JJ People has in place security policies that are adhered to and that touch on various areas including:
Network devices and infrastructure
Network devices such as routers and switches will be accessed by network administrators.
Passwords of network devices such as routers and switches will be changed every fortnight and must be strong passwords that include letters, numbers and special characters.
The network administrator should ensure that the passwords are stored encrypted.
Network devices such as routers should lock a user out of the network after two invalid password attempts.
Network devices such as routers and switches should be accessed through the Secure Shell (SSH) protocol, which provides strong authentication and a secure connection.
Servers
Servers should be physically located in an access-controlled environment.
Servers should be up to date with the latest security patches.
Servers should only be accessed by system administrators.
Access to services on the server should be logged.
Servers should be accessed over the network through a Secure Shell (SSH) protocol.
Daily incremental backups and weekly full backups will be done on servers.
Users accessing the database server will be given as little access as possible in terms of rights and privileges.
Antivirus policy
All computers and mobile devices, including servers, should have antivirus software installed by system administrators.
Antivirus software should be up to date at all times.
Always scan devices attached to computers such as flash drives before using them.
Never download files from unknown or suspicious sources.
Threat agents and possible attacks
A threat agent is an individual, a group or anything else that can bring about a threat.
A user can save the wrong data, thus compromising the integrity of the data.
A Java programmer, in our case, can write code that runs an infinite loop and consumes more and more memory, causing a memory leak that renders the computer unusable.
Software that lacks the latest security patches exposes the computer to various attacks such as virus attacks.
A person can try to guess the network passwords through trial and error, a brute-force attack.
A person can overwhelm the web server with traffic so that it crashes, a denial-of-service attack.
An attacker can attach a worm to an email and, when an unsuspecting user downloads the attachment, the worm infects his / her system and spreads through the network, a worm attack.
Malware attacks – an attacker can set up a website that hosts kits that find vulnerabilities in a visitor’s system, and when a user visits the site malware is forced onto their system.
An attacker can inject malicious code into a website so as to access the server, a cross-site scripting attack.
An attacker can enter SQL commands on a website so as to manipulate the data in the database server, a SQL injection attack.
An attacker can write code that looks for open ports on a system over the network and exploits that weakness, a scanning attack.
A disgruntled employee can steal company information or leak sensitive information to competitors, an insider attack.
An employee can decide to steal a laptop or mobile device, a physical attack.
An attacker can send emails or set up a website that asks users to enter their bank details and other details, leading to identity theft and loss of confidential user details. This type of attack is known as a phishing attack.
An elite team of hackers can target users so as to steal their information over a specific period of time using several techniques such as phishing. This type of attack is known as an advanced persistent threat.
Malvertising attack – an attacker uses online advertising to inject malware into a user’s system when they click on the infected advert.
The types of vulnerabilities that can be exploited by an attacker include:
Insufficient testing of the Java software.
Lack of proper design when developing the Java software.
Failure to enforce strong passwords on the system, e.g. passwords such as “admin”.
Antivirus software that is not up to date.
An inadequate recruitment process for personnel.
Unprotected communication lines.
Insecure network architecture.
Unused ports left open.
This document will deal with penetration testing of a website application developed by JJ People Limited. The website application has been developed using Java Enterprise Edition (Java EE), and the database used is MySQL, chosen for its popularity in website applications and e-commerce. The website application is known as Niko. In this penetration testing we will look at the pre-planning, the timeline required, the location of the testing, the countries where the tests will take place, and the technologies used to conduct the penetration testing, among other things. Let us start by defining penetration testing.
Penetration testing (or pentesting) simulates real attacks to assess the risk associated with potential security breaches. During a pentest, the testers not only discover vulnerabilities that could be used by attackers but also exploit vulnerabilities, where possible, to assess what attackers might gain after a successful exploitation.
Penetration testing scope
The penetration testing will test various areas of the system. The areas will include:
Password attacks
Client-side attacks
Social engineering
Web application attacks such as SQL injection
Wireless attacks
Stack-based buffer overflow
Pentest Pre-planning
The penetration testing of the website application will take 3 weeks, and every test will have its own phase; for example, password attacks will be phase one and stack-based buffer overflow will be phase six.
The Niko website application was developed at the headquarters office in London and will be hosted on the headquarters’ servers. This implies that the testing will take place at the JJ People Limited headquarters office in London.
The website application penetration testing team will consist of two senior full-stack website developers, who will test website application attacks such as cross-site scripting attacks; two systems administrators, who will test password attacks; two network administrators, who will test wireless and network attacks; two database administrators, who will test database attacks such as SQL injection attacks; and two senior Java programmers, who will test stack-based overflows and other Java-related problems.
The client agreed that, since the testing of a website application is a technical endeavor, the client’s personnel who were aware of the testing would be from technical departments. They include: one senior full-stack website developer, one senior Java programmer, one systems administrator, one network administrator, one senior database administrator and the Chief Information Security Officer (CISO).
The penetration testing team will be provided with various resources: access to the server and the database server (subject to approval by the senior systems administrator), computers, and network access (subject to approval by the senior network administrator). The penetration team will also have access to the entire application code and the database code.
Tools used
The penetration testing team will use various technologies such as the VMware virtual machine software and Kali Linux. According to the Kali.org website, Kali Linux is a “Debian-based Linux distribution aimed at advanced Penetration Testing and Security Auditing”. We will also use other technologies such as:
Hyperion
We will use the Hyperion encryption program to bypass the antivirus software.
Veil-Evasion
Veil-Evasion is a tool that generates payload executables you can use to bypass common antivirus solutions.
Ettercap
Ettercap is a tool that is used to perform man-in-the-middle attacks.
We will use nslookup, a tool that resolves a human-readable domain name to an IP address. We will use the Whois tool to look up the details of the person who registered a given domain. We will use Maltego, a data-mining tool designed to visualize open-source intelligence gathering. We will use the nmap tool for port scanning. We will also use Ghost Phisher, a wireless and Ethernet security auditing and attack tool. We will use Nikto, a web server scanner that checks the server for potentially dangerous files, among other things. We will use sqlmap, which detects SQL injection in a database server. We will also use several other tools such as proxyStrike, jboss-autopwn, FunkLoad etc.
Test boundaries
What is tested?
The penetration testing has six phases: password attacks (testing how an attacker can access the system, e.g. using weak passwords), client-side attacks (testing whether an attacker can inject malicious code using techniques such as cross-site scripting), website application attacks such as SQL injection, network and wireless attacks, social engineering attacks and stack-based buffer overflow.
Social engineering testing
A social engineering test uses techniques employed by professional ethical hackers to trick a customer’s staff into revealing sensitive information or performing actions that create security holes through which a hacker can access the network.
We will conduct both on-site and off-site social engineering penetration testing.
Physical security testing
A physical penetration test sets out to uncover weaknesses in your physical security before unauthorized persons get in. We will test physical security from internal boundaries, i.e. from within the organization, such as an unauthorized employee trying to access the server, and from external boundaries, i.e. an unauthorized person trying to access the organization’s building.
Restrictions on penetration testing
Limitation of time
A penetration test takes a short time to conduct, whereas an attacker can have a week, a month or even a year to plan his / her attack.
Limitation of scope
Organizations do not test everything because they limit the scope of testing, thus leaving areas that might be vulnerable and can be a perfect target for an attacker.
Limitation of known exploits
Testers only test the system for the areas they know, such as cross-site scripting and SQL injection, leaving out areas they do not know, in which an attacker can find a vulnerability and exploit it.
The type of corporate policies that affect our test include password policies, network policies etc.
Pentest Execution planning
Reconnaissance
We gathered information about our target such as IP addresses, the web server, the network topology, the underlying database used, mail servers etc.
Scanning
Here we interacted with the target system with the aim of identifying vulnerabilities. We persistently sent malicious code in input text boxes and HTTP requests. We also used scanning tools to find open ports etc. and recorded all the responses.
Gaining access
We identified a vulnerability, and that was by implanting malicious code in the HTTP request sent to the system.
Maintaining access
We maintained access by tricking the system into believing it is using a secure connection: by injecting malicious code when a request is sent, the server treats the request as if it were sent over a secure connection (HTTPS).
Penetration Testing analysis and report planning
All other aspects of the website application and the system are secure, but it is easy to get into the system by putting malicious code in an HTTP request.
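An added example (not code from the Niko application or from JJ People) illustrating the finding above: a Java login lookup against a MySQL users table, first with the HTTP request parameter spliced into the SQL text (the pattern that lets malicious code in a request reach the database) and then hardened with a JDBC PreparedStatement. The users table, its column names and the sample inputs are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

/**
 * Added example, not code from the Niko application. Assumes a MySQL table
 * "users" with columns "id" and "username" (hypothetical schema).
 */
public class LoginLookup {

    /**
     * VULNERABLE: the request parameter becomes part of the SQL text, so a
     * parameter containing a single quote can change the structure of the
     * WHERE clause instead of only supplying a value to compare.
     */
    static String buildUnsafeQuery(String usernameFromRequest) {
        return "SELECT id FROM users WHERE username = '" + usernameFromRequest + "'";
    }

    /**
     * HARDENED: the SQL text is fixed before any user input is seen. The
     * parameter is bound separately, so MySQL only ever treats it as the value
     * to compare against the username column. Pair this with the low-privilege
     * database account called for in the countermeasures section.
     */
    static Integer findUserIdSafe(Connection conn, String usernameFromRequest)
            throws SQLException {
        final String sql = "SELECT id FROM users WHERE username = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, usernameFromRequest);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getInt("id") : null;
            }
        }
    }

    /**
     * Illustration only (not a defence; the PreparedStatement is): a correctly
     * formed query holds the input inside exactly one quoted literal. If the
     * built text contains any number of quotes other than two, the input has
     * broken out of the literal and altered the query.
     */
    static boolean parameterAltersQuery(String usernameFromRequest) {
        String sql = buildUnsafeQuery(usernameFromRequest);
        int quotes = sql.length() - sql.replace("'", "").length();
        return quotes != 2;
    }

    public static void main(String[] args) {
        // Constructed inputs: an ordinary username, then a probe of the kind a
        // scanner such as sqlmap sends. Only the second breaks out of the
        // string literal, which the quote count exposes.
        System.out.println("alice -> alters query: "
                + parameterAltersQuery("alice"));
        System.out.println("alice' OR '1'='1 -> alters query: "
                + parameterAltersQuery("alice' OR '1'='1"));
        // findUserIdSafe needs a live MySQL Connection; with it, the second
        // input is simply looked up as a (non-existent) username.
    }
}
```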
Introduction
This paper is a recommendation to the management of the organization about the security standards, policies, and procedures that should be implemented in the organization JJ People. JJ People is an organization that deals in software development. The organization specializes in programming software with one particular programming language, Java, and anything related to Java, such as the Spring Framework, which makes it easy to create Java enterprise applications.
Importance of security plans, policies, and procedures
A company’s security policy is the central repository where intangibles such as corporate philosophy, mission statements, culture, attitude to risk and other difficult-to-define parameters can finally be made into enforceable, measurable action statements, procedures and ways of working.
Policies are important because they address pertinent issues, such as what constitutes acceptable behavior by employees.
Procedures clearly define a sequence of steps to be followed in a consistent manner, such as how the organization will respond to any policy violations.
Data Privacy Policies and Procedures
Purpose
The purpose of the data privacy policy is to protect the information of an individual from being accessed by another person without their consent.
Scope
The data privacy policy applies to employees, vendors, service providers, and clients whose data is stored on the organization’s servers.
Responsibilities
This policy is enforced by the Compliance Management of the organization.
Policy
JJ People respects the privacy of its employees, clients and vendors and sees the need for appropriate protection and management of personal information. JJ People is guided by the following principles when processing personal information:
Notice
JJ People provides clear notice of the purpose for which information is being collected.
Choice
JJ People gives users a choice on whether to opt out of further processing of their information.
Accountability for the processing of personal information
Data integrity
JJ People will only process information for the particular purpose for which it was intended.
Compliance
Any person who does not comply with this policy will be subject to disciplinary action, termination of employment or even legal action.
Data Isolation Policies and Procedures
Purpose
This policy deals with the isolation of data from unauthorized users.
Scope
This policy applies to data that is stored on the database server of the organization.
Responsibilities
The database administrators are responsible for enforcing this policy.
Policy
Data saved in the database needs to be protected from unauthorized users.
Standards
Users should be granted rights and privileges for accessing the data; those with lower privileges should access only minimal data.
The data should be encrypted so that it cannot be read while being transferred over the network.
The data should be password protected.
Non-Disclosure Agreement (NDA) Policies and Procedures
Purpose
The non-disclosure agreement policy explains how employees should treat the organization’s confidential information. Employees will view, receive and work with organization data, and this may be information that gives the organization a competitive edge.
Scope
The non-disclosure agreement policy applies to all employees, including contractors who work at the organization’s premises and are authorized to access organization information.
Responsibilities
This policy will be enforced by the senior management of the organization.
Compliance
Failure to adhere to this policy will lead to disciplinary action and/or termination of employment, or even legal action.
Policy
Not all employees can access confidential information.
There will be various levels in place for accessing confidential information.
Information such as unpublished financial information, customer data, patents, and market and pricing information is considered confidential information.
Standards
Confidential information should be shredded when it is no longer in use.
Confidential information should always be locked away.
Only share confidential information with fellow employees when it is necessary and authorized.
Confidential information should be kept inside the organization’s premises.
Intellectual Property (IP) Policies and Procedures
Purpose
The purpose of the Intellectual Property (IP) policy is to establish a structure for the ownership, reporting, and commercialization of Intellectual Property.
Scope
This policy applies to all employees of the organization.
Policy
The organization encourages creative work, research and learning, and the Intellectual Property created out of this research is recognized as a valuable asset to the organization.
The organization recognizes that, on any commercialization of Intellectual Property created by an employee, the employee is entitled to an equitable share of any financial returns provided by this commercialization.
Standards
The organization will own any Intellectual Property invented or created by an employee during employment.
The organization will not claim ownership of any Intellectual Property created by an employee outside the course of employment if the employee did not use organization resources to come up with such Intellectual Property.
Password Policies and Procedures
Purpose
The password policies and procedures define the guidelines for the use of passwords. A poorly formed password may bring great damage to the organization, such as denial of service due to the network being hacked.
Scope
The password policies and procedures apply to all employees who have been issued an account and can access the company’s network using this account. They also apply to visitors and contractors who have been given temporary access to the organization’s system.
Policies
Every user of the system must have a private identity when accessing the organization’s network.
Users should not share their passwords.
The system should have a mechanism for locking out the user after two failed password attempts.
The user should change the password every fortnight.
All workstations and devices that access the network, such as routers, switches, and mobile devices, should be password protected.
A password should include letters, numbers and special characters and should not be less than ten characters long.
Policy enforcement
This policy will be enforced by the Chief Information Security Officer (CISO), and failure to adhere to it will lead to an individual being denied access to the company’s systems and IT assets.
Acceptable Use of Organizational Assets and Data Policies and Procedures
Purpose
The acceptable use of organizational assets and data policy explains how organizational assets should be handled.
Scope
This policy applies to all organizational assets such as desktops, laptops, mobile devices, servers, network equipment, operating systems, software, furniture, stationery etc.
Responsibilities
This policy will be enforced by the Chief Security Officer (CSO) of the organization.
Policy
All IT assets must be used for their intended purpose and by authorized users.
Every employee is responsible for the correct use of the assets he / she has been assigned.
All users handling IT assets must have prior training.
Any disposal of assets must be done in accordance with the organization’s procedure.
All data needs to be backed up daily in an incremental fashion.
A full backup of data will be done every fortnight.
Employee Policies and Procedures (Separation of Duties/Training)
Purpose
The employee policy shows how employees are expected to conduct themselves.
Scope
The employee policy applies to all employees of the organization.
Responsibilities
The employee policy will be enforced by human resource management.
Compliance
Failure to adhere to this policy will result in disciplinary action. It may also result in termination of employment and / or criminal charges.
Policy
Employees are expected to conduct themselves in an ethical manner within the organization’s premises or when representing the organization.
Standards
Employees shall abide by applicable laws, regulations and all standards.
Employees shall meet the stipulated individual performance targets.
Employees shall maintain the confidentiality of the organization’s information.
Risk Response Policies and Procedures
Purpose
The purpose of this policy is to manage risks that arise from threats to the confidentiality, integrity, and availability of the organization’s data.
Scope
This policy applies to the information systems and the electronic data that are created, stored and transmitted over the network by JJ People.
Policy
All information systems must be assessed for risks that may result in threats to the confidentiality, integrity, and availability of data.
Risks identified by a risk assessment need to be mitigated.
Every information system must have a security plan that is prepared using input from risk, security and vulnerability assessments.
Responsibilities
The Information Security Administrators (ISA) need to ensure that their business units conduct risk assessments.
The Chief Information Security Officer is responsible for assessing and mitigating risks.
Compliance (Regulatory, Advisory, Informative)
Purpose
The purpose of the compliance policy and procedures is to achieve effective governance of the organization while adhering to its policies and procedures and to the law.
Scope
The compliance policy applies to all employees and clients of the organization.
Policy
The organization is committed to complying with all relevant legislation and obligations.
The organization has its headquarters in Europe and thus is mandated to comply with the European Union’s General Data Protection Regulation (GDPR).
The organization’s compliance management identifies compliance obligations and assesses them.
Standards
Behaviors that encourage and support compliance are encouraged.
Training on compliance obligations is provided by compliance management.
Incident Response Policies and Procedures
Purpose
The purpose of the incident response policies and procedures is to define the IT roles and responsibilities for investigating computer security incidents and data breaches.
Scope
This policy applies to the information systems of the organization.
Policy
The Computer Security Incident Response Team (CSIRT) has the mandate to detect and investigate security breaches.
The CSIRT oversees the recovery, containment and remediation of any security incident detected.
Responsibilities
This policy will be enforced by the Computer Security Incident Response Team (CSIRT).
Standards
Do not power off or log off the affected IT asset.
The affected IT asset should be labeled so that other users do not touch it.
Ensure the affected IT asset is not connected to the network.
Document how the incident was detected, the actions taken, the type of data affected, and the lessons learnt.
Auditing Policies and Procedures
Purpose
The auditing policy ensures that the organization’s performance is assessed against its policies, standards, metrics, or regulations. An audit may include looking at the organization’s governance, IT controls etc.
Scope
The auditing policy applies to the organization’s business units, assets, governance and security at large.
Responsibilities
Internal and external auditors are responsible for conducting audits.
Policy
Various audits need to be performed, and they include:
Compliance audits
Environmental audits
Information technology audits
Operational audits
Performance audits
Physical Security Policies and Procedures
Policy
Information processing facilities that are critical to the organization’s day-to-day running will be placed in a secure area defined by a security perimeter and access controls. The controls will permit access to authorized people only.
Responsibilities
This policy will be enforced by the senior management of the company.
Scope
This policy applies to all business units and contractors working at the organization’s premises who need access to the information processing facilities.
Compliance
Failure to comply with these policies may result in disciplinary action or even termination of employment.
Standards
The company has put in place the following standards to enforce this policy.
The company will always have CCTV installed and in place.
Offices that are not in use should be kept under lock and key.
The server room will always have heat sensors installed and in place.
Users will always access the business premises and rooms using an electronic identification badge.
Administrative Policies and Procedures
Policy
The administrative policies and procedures provide the set of rules by which the organization is governed.
Responsibilities
The administrative policy will be enforced by the senior management of the organization.
Scope
The policy applies to the employment of personnel, vacation time, sick leave, dress code, and the firing and promotion of personnel.
Compliance
Failure to adhere to this policy may lead to disciplinary action or even termination of employment.
Standards
A new employee shall pass through a probationary period of six (6) months.
If the performance of the employee is not satisfactory during the probation period, the employee’s contract shall be terminated at any time.
If an employee completes the probationary period, he / she will be given a confirmation letter within a period not exceeding two months after the end of the probation period.
The salary of an employee shall be adjusted as deemed necessary by the organization after considering the following criteria:
Performance of the employee
Educational background
Work experience
Work intensity
Regular working hours will be determined based on the conditions of the work and will not exceed 40 hours a week.
Working hours will be 8.00 A.M. to 5.00 P.M., and a break of one hour will be observed between 12 P.M. and 2 P.M.
Public holidays shall be observed by all employees of the organization and will be in line with those of the country where the organization is located.
Public holidays shall be holidays with pay.
Employees who have completed their probation period are eligible for sick leave and must inform their supervisor within 24 hours on the same day.
Configuration Policies and Procedures
Purpose
The purpose of the configuration policy is to protect the organization’s data and information systems by ensuring consistent configuration of devices across
Scope
This policy applies to all information systems, which include but are not limited to routers, firewalls, switches, servers, printers, desktops, laptops etc.
Responsibilities
The network and systems administrators are the ones to enforce this policy.
Policy
The organization’s systems that process and transmit data must be configured correctly and in accordance with the appropriate standards.
Before being deployed into production, a system must meet the applicable standards.
Risk Mitigation IntroductionThis is a security risk mitigation document for JJ People Limited. This document will cover various areas such as security policies and controls, password policies, administrator roles and responsibilities, authentic strategy, intrusion detection and monitoring strategy, virus detection strategies and protection, auditing policies and procedures, education plan, risk response, change management, acceptable use of organization assets and data, employee policies, incident response and incident response process.
Security policies and controlsPurpose
The purpose of this policy is to ensure adequate level of security in protecting JJ People Limited data and Information Systems from unauthorized access.
Scope
This policy affects all the employees of the organization, contractors, consultants and temporary employees.
The policy also applies to computer and communication systems owned or operated by JJ People and it also applies to all application systems of the organization.
Policy
Any user accessing the organization network and systems must be authenticated. The authentication will include biometric identification, password, and personal identification number.
All workstations used for organization activities must use an access control system approved by the organization. They will have password-enabled screensavers with a time-out-after-no activity feature.
Users are expected to log out of a workstation after they are done with what they are doing. Users will be held responsible for any activity after they have signed on a workstation
Workstations that are inactive will be reset after a period of time of inactivity (typically 30 minutes).
Access control will be applied to all computer systems
System access will not be granted to any user without appropriate approval. User access will immediately be revoked if the individual has been terminated or the contract has expired.
Users will be granted access on a need to know basis. That is, users will be granted the minimal privileges so as to perform their jobs.
Users of the company’s system will need to sign a compliance statement indicating that they will abide by the policies and procedures enforced by the company.
Enforcement
This policy will be enforced by the Chief Information Security Officer.
Violation of this policy may result in termination of employment and/or legal action.
Password policies
Purpose
The purpose of this policy is to ensure that only authorized users gain access to the company's information system.
Scope
This policy applies to employees of the organization, contractors, consultants, temporary employees and business partners.
Policy
All organization systems will require a valid user ID and password.
Passwords should not be stored in readable form without access control or in locations where unauthorized users can discover them.
All programs and applications, including third-party applications and the applications developed by the organization, should be password protected.
Passwords must be at least 10 characters long and must contain letters, numbers and special characters.
All passwords must be changed promptly if they are suspected of having been disclosed.
All users must change their passwords at least once every month.
After three failed password attempts, the user ID must be suspended until it is reset by a system administrator.
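The password rules above (minimum length and character classes, no readable storage, suspension after three failed attempts until an administrator resets the account, and the monthly change requirement) as an added Python example; this is not code from the original paper or from JJ People, and the account store, the user names and the PBKDF2 iteration count are assumptions made for illustration.

```python
import hashlib
import os
import secrets
import string
from dataclasses import dataclass

# Policy values taken from the password policy above.
MIN_LENGTH = 10
MAX_FAILED_ATTEMPTS = 3
MAX_PASSWORD_AGE_SECONDS = 30 * 24 * 3600  # "at least once every month"
PBKDF2_ITERATIONS = 100_000  # assumption: not specified by the policy
SPECIAL_CHARS = set(string.punctuation)


def meets_policy(password: str) -> bool:
    """At least 10 characters, containing letters, numbers and special characters."""
    return (len(password) >= MIN_LENGTH
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in SPECIAL_CHARS for c in password))


def hash_password(password: str, salt: bytes) -> bytes:
    """Store a salted PBKDF2 digest so the password is never kept in readable form."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    user_id: str
    salt: bytes
    digest: bytes
    changed_at: float          # epoch seconds of the last password change
    failed_attempts: int = 0
    suspended: bool = False


class AccountStore:
    """Hypothetical in-memory account store used to demonstrate the policy."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def set_password(self, user_id: str, password: str, now: float) -> None:
        if not meets_policy(password):
            raise ValueError("password does not meet the policy")
        salt = os.urandom(16)
        self.accounts[user_id] = Account(user_id, salt, hash_password(password, salt), now)

    def login(self, user_id: str, password: str, now: float) -> str:
        """Returns "ok", "denied", "suspended" or "password_expired"."""
        acct = self.accounts.get(user_id)
        if acct is None:
            return "denied"
        if acct.suspended:
            return "suspended"
        if not secrets.compare_digest(hash_password(password, acct.salt), acct.digest):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.suspended = True   # stays suspended until admin_reset()
                return "suspended"
            return "denied"
        acct.failed_attempts = 0        # successful login clears the counter
        if now - acct.changed_at >= MAX_PASSWORD_AGE_SECONDS:
            return "password_expired"   # valid credentials, but a change is overdue
        return "ok"

    def admin_reset(self, user_id: str) -> None:
        """Only a system administrator lifts a suspension."""
        acct = self.accounts[user_id]
        acct.failed_attempts = 0
        acct.suspended = False
```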
Enforcement
This policy will be enforced by the systems administrator. Violation of this policy will result in the user being denied access to the organization's systems for a period of time determined by the systems administrator.
Administrator roles and responsibilities
Systems administrator
Roles and responsibilities of the systems administrator
User administration (setting up and maintaining accounts)
Maintaining systems
Monitor system performance
Create a backup and recovery policy
Monitor network communication
Ensure systems are updated and new patches are installed
Set up security policies for users
Password and identity management
Network administrator
Installing and configuring computer networks and systems
Monitoring computer networks and systems
Providing network administration and support
Chief Information Security Officer
Oversee security operations
Oversee cyber risks and cyber intelligence
Oversee data loss and fraud prevention
Oversee security architecture when designing applications
Ensure identity and access management
User roles and responsibilities
The users will use the company's computer systems as described in the physical assets policy
The employees will abide by the policies described in the employee policies
The users should protect the organization's data and secrets as described in the non-disclosure agreement policy
Authentication strategy
The organization will use encryption to ensure that data remains authentic as it passes over the network.
The information system will lock out a user who has failed three attempts to access the system until the systems administrator resets his/her account.
The server room will use biometric authentication where the user needs to verify his/her fingerprint.
Intrusion detection and monitoring strategy
We will employ both host-based intrusion detection and network-based intrusion detection.
Network based intrusion detection
Network-based intrusion detection analyzes the data packets that travel over the actual network. The packets are examined and sometimes compared with empirical data to verify their nature. We will use Snort for network intrusion detection.
According to Snort.org, "Snort is an open source network intrusion prevention system, capable of performing real-time traffic analysis and packet logging on IP networks".
Host-based intrusion detection
Host-based intrusion detection consists of a special agent on the host that observes activities such as system calls, file access logging and other relevant application activity, and can protect the host from other hosts.
Virus detection strategies and protection
All computer systems of the organization shall have anti-virus software installed and scheduled to run at regular intervals.
The anti-virus software should be kept up to date with the latest security patches.
The network should be behind a firewall that checks incoming and outgoing packets.
All computer systems should have internet security software that checks for malicious websites and emails.
Users should not download suspicious attachments.
If a workstation is infected by a virus, it must be disconnected from the internet to prevent the virus from spreading.
Always scan external devices such as hard drives before using them.
Auditing policies and procedures
Purpose
The auditing policy ensures that the organization's performance is assessed against a number of policies, standards, metrics, or regulations. The audit may include looking at the organization's governance, IT controls, etc.
Scope
The auditing policy applies to the organization's business units, assets, governance and security at large.
Policy
Various audits need to be performed every year, and they include:
Compliance audits
Environmental audits
Operational audits
Performance audits
Information technology audits
Enforcement
Auditing will be enforced by internal and external auditors.
Education plan
Employees and business partners will be educated on risk mitigation and company security at large, from cyber threats to physical access threats, every year and also whenever changes are made to the security documents.
Risk response
Risk acceptance
The organization knows that sometimes, in rare circumstances, the software it develops can fail at the hands of the user. The organization nevertheless accepts these risks.
Risk avoidance
The organization knows that certain programming languages may be better suited to certain jobs than Java (the programming language used by the organization). The organization therefore declines to program a client application that would have been programmed better in another language, in order to avoid the risks that may arise later.
Risk limitation
The organization makes extensive use of risk limitation, as seen in performing data backups, using a firewall to protect the network, performing fire drills so that staff know what to do when a fire starts, etc.
Risk transference
Risk transference involves handing the risk off to a willing third party. The organization also practices risk transference by taking out insurance of various forms, such as employee insurance, business premises insurance, etc.
Change management / version control
Purpose
This policy defines a formal process for making changes to IT, software development and security services/operations.
Scope
This policy applies to all company computing systems and platforms.
Policy
Change requests must be submitted to management.
A complete risk assessment and impact analysis must be carried out.
A technical impact analysis must be carried out.
Approval of the change will be given by the change advisory board.
A rollback/mitigation plan must be designed in case of failure.
Acceptable use of organization assets and data
Purpose
This policy outlines the acceptable use of assets and data in the organization. Inappropriate use may result in the compromise of network systems and services, virus attacks and even legal issues.
Scope
This policy applies to the assets of information, electronic and computing devices, and network resources.
This policy also applies to employees, contractors, consultants and temporary employees.
Policy
You have the responsibility to report theft, loss or unauthorized disclosure of the company's proprietary information.
You may share proprietary information only to the extent that you are authorized to do so in order to fulfill your duties.
All devices, such as mobile and computing devices, connected to the internal network must comply with the minimum access policy.
System-level and user-level passwords must comply with the password policy.
Accessing data, servers or accounts to conduct any business other than the organization's activities is prohibited.
Using the organization's assets to promote politics is prohibited.
Using the organization's assets to abuse others or send racist messages is prohibited.
Employee policies
Purpose
The employee policy shows how employees are meant to conduct themselves within the organization and when representing the organization to clients.
Scope
This policy applies to all employees
Policy
The employees are expected to conduct themselves in an ethical manner within the organization premises or when representing the organization.
Standards
Employees shall abide by applicable laws, regulations and all standards.
Employees shall meet the stipulated individual performance targets.
Employees shall maintain the confidentiality of the organization's information.
Enforcement
This policy will be enforced by Human Resource Management.
Violation of this policy will result in termination of employment.
Incident response
Incident response is an organized approach to addressing and managing the aftermath of a security breach or cyberattack, also known as a security incident.
An incident occurred in which an employee opened an email and downloaded an attachment that was infected with malware.
Incident response process
The incident response process consists of preparation, identification, containment, eradication, recovery and lessons learnt.
Preparation
This involves preparing users to handle potential incidents should they arise.
In our scenario, this involves having users report the malicious downloaded attachment.
Identification
This involves determining whether an event is indeed a security incident.
In our scenario, it involves scanning the downloaded attachment using antivirus software.
Containment
This involves limiting the damage of the incident.
In our scenario, it involves removing the affected machine from the network.
Eradication
This involves finding the root cause of the incident.
In our scenario, we already know the root cause of the problem, so we scan the downloaded attachment and the workstation and remove the virus.
Recovery
This involves returning the affected system to the production environment.
In our scenario, we return the workstation to the organization's network.
Lessons learnt
This involves completing the incident documentation and learning from the incident to improve future response efforts.
In our scenario, users should learn that they should not download suspicious attachments, or that they should scan them before downloading.