



















































































Managing security for sunrise bank
Shuvechchha Bhandari (HND / Second Semester)
When submitting evidence for assessment, each student must sign a declaration confirming that the work is their own.

Student Name: Shuvechchha Bhandari
Assessor Name: Krishna Parajuli
Issue Date: 26 Aug 2019
Submission Date: Jun 17 2021
Programme: BTEC HND in Computing
Unit Name: Security
Assignment Title: Managing security for sunrise bank

Plagiarism

Plagiarism is a particular form of cheating. Plagiarism must be avoided at all costs and students who break the rules, however innocently, may be penalized. It is your responsibility to ensure that you understand correct referencing practices. As a university level student, you are expected to use appropriate references throughout and keep carefully detailed notes of all your sources of materials for material you have used in your work, including any material downloaded from the Internet. Please consult the relevant unit lecturer or your course tutor if you need any further advice.

Student Declaration

I certify that the assignment submission is entirely my own work and I fully understand the consequences of plagiarism. I understand that making a false declaration is a form of malpractice.

Pearson Education 2018 Higher Education Qualifications
of the system has been managed via proper access control mechanism and the access control list, and the service access has been managed via ports and services. The bank has security policies for managing the security of all its assets, functions and services. VPN access has been managed for a limited number of people among the branch office employees and the IT administration team of the head office. A defense in depth approach is to be implemented in order to confirm the IT security at various levels of the network infrastructure. IT infrastructure security design including address translation, DMZ, VPN, firewall, antivirus and intrusion detection system is to be implemented for internal and external security policy.

You have been working as an IT Officer for the bank. Your key role will be to manage, support and implement a secure network infrastructure for the bank's LAN/WAN environment. In order to assess the possibility, you have been assigned the following, in which you have to demonstrate that you are able to assess risks to IT security, describe different possible IT solutions, review mechanisms to control organizational IT security and manage organizational security.

Part: 1

Before you start the implementation of the IT security measure for the organization, you need to assess the IT security risks in the organization. You need to consider various aspects of risks such as unauthorized access of the system and data, naturally occurring risks, host, application and network risks etc. You are required to consider organizational security procedure such as business continuance, backup/restoration, audits etc. and then produce a report for the CEO of Sunrise Bank containing:
General feedback on the assignment:

In order to pass the unit, the learner has to meet all the pass criteria. Tick each criteria awarded.
P1 P2 P3 P4 P5 P6 P7 P8
Pass Achieved / Not

In order to be awarded a Merit the learner has to meet all the pass criteria and all the merit criteria. Tick the criteria awarded.
M1 M2 M3 M4 M5
Merit achieved / Not

In order to be awarded a Distinction the learner has to meet all the pass merit criteria and all the Distinction criteria. Tick the criteria awarded.
D1 D2 D3
Distinction Achieved / Not

Note: Please access HN Global for additional resources support and reading for this unit. For further guidance and support on report writing please refer to the Study Skills Unit on HN Global. Link to www.highernationals.com

Note: Refer to the unit details provided in your handbook when responding to all the tasks above. Make sure that you have understood and developed your response so that it matches the highlighted key words in each task.

Other Requirements:

It should be the student's own work; plagiarism is unacceptable.
Clarity of expression and structure are important features.
Your work should be submitted as a well presented, word-processed document with headers and footers, and headings and subheadings, both in hard and soft copies.
You are expected to undertake research on this subject using books from the library, and resources available on the Internet.
Any sources of information should be listed as references at the end of your document and these sources should be referenced within the text of your document using Harvard referencing style.
Your report should be illustrated with screen-prints, images, tables, charts and/or graphics.
All assignments must be typed in Times New Roman, size 12, 1½ spacing.
The center policy is that you must submit your work within the due date to achieve "Merit" and "Distinction". Late submission automatically eliminates your chance of achieving "Merit and Distinction". Also, 80% attendance is required to validate this assignment.

Assignment Prepared by: Krishna Parajuli
Signature:
Date: 25 Aug 2019

Brief Checked by: Dhruba Babu Joshi
Signature:
Date: 25 Aug 2019

I declare that all the work submitted for this assignment is my own work and I understand that if any part of the work submitted for this assignment is found to be plagiarized, none of the work submitted will be allowed to count towards the assessment of the assignment.
Part: 1
Introduction
Environmental Risks
Physical Risk
  Phishing attack
  Man in the middle attack
  Malware attack
  SQL-Injection attack
  DDOS attack
  Data backup in data warehouse:
  Backup Domain:
  Backup DHCP:
  RAID (Redundant Array of Independent Disks)
  Cloud Storage
  Test and maintain the DRP
  Security Audits
Roles of the stakeholders:
  Customer:
  Management:
  Investors & shareholders:
  Employee:
  Government:
Suitability of the tools used in organization policy:
Conclusion
References

Part: 1

Before you start the implementation of the IT security measure for the organization, you need to assess the IT security risks in the organization. You need to consider various aspects of risks such as unauthorized access of the system and data, naturally occurring risks, host, application and network risks etc. You are required to consider organizational security procedure such as business continuance, backup/restoration, audits etc. and then produce a report for the CEO of Sunrise Bank containing:
1. Identified security risk types to the organization along with description of organizational security procedure.
the moment; however, it is gradually being replaced by online technology. Sunrise Bank, established in 2009, is one of Nepal's leading commercial banks, created by so-called business visionaries. When they realized the need for an emerging economy, they created this bank and it is now overseen by a group of experienced investors and experts. Currently, the main objective of this bank is to lead the Nepal Bank, providing world-class benefits through a combination of innovative skills and visionary management. By ensuring quality support for its clients, the bank wants to use all innovative offices that improve the quality of administration with a high level of consistency and risk management. The bank has different security strategies to guarantee the security of each of its strengths, capacities and administration, which are managed by a talented systems security engineer.

A security risk is a risk that surrounds an organization's network because it can be of a different nature. A security risk can affect the reputation of an organization, its partners and customers. There are two types of security risks: environmental and physical. Environmental risks are the type that arise due to natural disasters, and physical risks are the type that are caused by cyber-attacks, vulnerabilities, etc. Both of these risks have a great impact on data loss and corruption. Organizational security procedures establish rules and guidelines for identifying, analyzing, and applying policies to protect the organization's data and information. In this part, I am going to review the security risks and their types as well as the organization's security policy to understand the risks and threats.

Environmental Risks

Environmental risks are the risks that an organization faces due to a natural disaster. For example, one of the largest Maldives companies could be at risk from a tsunami as the country is covered by the sea. There may be other risks, but the main danger is the tsunami, and companies need to avoid server homes and domestic data backups. Listed below are other environmental risks that may affect your organization:

Fire: Fire is a naturally occurring risk that can destroy valuable documents and deplete everything. Fire can destroy anything, and all organizations experience this risk as it can occur anywhere, so the entire organization must be aware of it. An organization has a high probability of fire risk when it is located near an industrial area where businesses such as cement plants, noodle factories and metal factories work with fire.
Man in the middle attack

The man in the middle attack is a way of disrupting the communication between two sides and the information passing between them. Cybercriminals hack the computers of employees of the same company and their associates using their public IP addresses or Wi-Fi, and the attacker becomes the middle man who gathers information from the people of the organization. This can also be done through online forms, as in phishing attacks. This attack can easily harm the organization because, as a man in the middle, the attacker knows everything about the bank and the organization, so he can encrypt the data and use this data for financial gain, and can also launch many viruses onto the network system. [Com18]

Malware attack

Malware attacks are a way of attacking other computers or mobiles by using or installing software to obtain organizational or personal information. Malware primarily injects viruses and damages the organization's network. The attack is unconventional, and you may be unaware that your personal information has been hacked. It also affects your organization's entire network and can bring down your entire server. Cybercriminals can also transfer all financial information to their account, compromising the financial status of an organization.

SQL-Injection attack

The database is an important part of the organization where you can save all the details of the organization. SQL injection is a method of attacking devices using malicious code to obtain information that is not shown to everyone. [Glo19] The database is mainly operated by the main server, so the organization data will not be leaked. But by using SQL injection, attackers can easily find data like the financial status of the organization, employee and user lists, etc. They can also remove the fixed table from the database, which can affect the entire organization system and display its personal details. This attack causes financial damage and harms the reputation of the organization.

DDOS attack

DDOS stands for Distributed Denial of Service. It is often used by cybercriminals. DDOS is a way of creating traffic that makes online services unavailable to others, so that an attacker can take network resources by shutting down the server. These attacks are also used for blackmail. You can easily take all the confidential data of the company and use it for financial gain or to undermine the reputation of the organization. [jef18] With this attack, the attacker can take over the entire organization system, and the organization may face different problems and losses after the attack, which is a great disadvantage for the organization. [Pid19]

Virus attack

Computer viruses are dangerous and attack our system if the system does not have the proper protocol to keep the virus out. A computer virus is a piece of software designed to harm a computer system using system resources and system memory. This type of program copies and executes itself, interferes with the way the computer is run, and steals data, corrupts files, or deletes them altogether. For any bank, that is a big problem. [FTP18] Some of the viruses found in the bank are boot sector viruses that directly affect the master boot record and are difficult to remove. If this is attacked, the bank computer system needs a complete reformat, which is a big challenge for the bank, as reformatting the system causes a huge loss of bank data. Therefore, appropriate protocols should be put in place to protect computers from virus attacks. Ports should be blocked from use by unauthorized users.

Adware

As we know, in this modern world every company wants its advertisements. But some hackers use this process for retrieving data from users. [FTP18] When unusual ads start appearing on the computer desktop, an employee has accidentally downloaded adware while downloading free software. While a company employee is using the browser, the hacker spreading the adware collects critical data of the bank without the permission of the user.

Data breach

A data breach is a kind of corporate data theft. There are two types of data breach: inside data breach and outside data breach. An inside data breach is committed by an unethical employee of a company, while an outside data breach is committed by an unknown person or other related person. In either case, they intend to steal data from the company, sell it to another company and make money. Those behind an inside data breach sometimes engage in mischievous activities on the accounts of other employees, including deleting files and other valuable documents to make someone else look guilty, or sometimes for personal reasons.
Biometric security

Biometric security uses the unique identity of an individual for identification and authentication. The person may have special features such as a fingerprint, iris print, hands, face, voice, etc. These features are saved in a data format and are used for immediate validation. For example, my company has a fingerprint or iris printing system for attendance, and I need to provide biometrics to access the system. Otherwise, access is impossible. You cannot trick the system by hacking or cracking it. Only authorized persons can provide the data.

VPN: A virtual private network (VPN) is a secure network in which data is transmitted through a highly secure tunnel using encryption. It is a dedicated connection between host and server computers. All data packets are encrypted through a secure tunnel. In the Nepali context, VPN services are provided by Internet Service Providers (ISPs).

Router: A router is a highly intelligent device used to transfer data packets between two different networks. The best way to get data packets to the address, account, and destination is to forward them to the destination IP. It works on the network layer (layer 3) of the OSI model. Sister Router, Juniper, is an excellent router for security purposes. These routers are much safer than regular routers. These types of routers provide better protection to your organization.

Security Procedure

Security procedures are detailed, step-by-step instructions on how the user or server manager should enforce, enable, or enforce the security controls set out in bank policies. The following are some of the security measures that can be implemented in a bank:

Developing local policy, process and guidance: Creating a policy means setting rules and protocols within your organization. The banking environment requires strong policies that include needs identification, information gathering, drafting, reporting and analysis. This process takes place in several stages. These steps are summarized below:

- Identify needs
- Identify who will take the lead
- Gather information and raw data
- Drafting policies
- Consulting with proper and trustworthy stakeholders
- Approving policies
- Consider whether a procedure is required
- Implementation of those policies
- Finally, monitor, review and revise the policies.

Design of network and user authentication strategy (authentication, authorization, and accountability)

By designing the right network system, we create a better and more secure network strategy. By implementing authentication, authorization and accountability techniques, we can implement various authentication strategies. By adding these three methods to the design of a network system, we can create a secure system for the bank that is more reliable against illegal activities and that reduces the risk to the banking system's data. I will now briefly describe the AAA technique.

Authentication

Authentication is the process by which a machine or device can identify a user who is connected to a network resource. This is usually the process of identifying an individual based on their username and password. In a security system, authentication is different from authorization. Authorization is the process of granting an individual access to system objects based on their identity. In the field of banking, this technique typically follows three steps. These steps identify each other, monitor communications through the firewall, and restrict policies by username and password. Technologies that work with authentication are firewalls such as RADIUS, WDS, LDAP, and token-based security.

Authorization

Authorization is a post-authentication process. This process helps secure banking transactions by granting the appropriate permission assigned by the administrator or security administrator. This involves determining the rights / privileges of access to resources related to information security and computer security in general and access control in particular.

Accountability

Accountability helps us ensure the required registration process, audit control function, data security oversight, report writer, and most importantly, password protection on a networked system. This is the responsibility of the organization.

Risk Assessment
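The authentication, authorization and accountability steps described in the AAA section can be sketched in code as follows. This is an added example, not part of the original assignment; the class, role, permission and user names are hypothetical, and the sample users are constructed for illustration.

```python
import hashlib
import hmac
import os
import time

# Constructed sample roles and permissions (hypothetical, for illustration only).
ROLE_PERMISSIONS = {
    "teller": {"view_account"},
    "it_admin": {"view_account", "change_firewall_rule"},
}

def hash_password(password, salt):
    """Derive a salted hash so plaintext passwords are never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class AAAService:
    def __init__(self):
        self.users = {}      # username -> (salt, password hash, role)
        self.audit_log = []  # accountability: every decision is recorded

    def add_user(self, username, password, role):
        salt = os.urandom(16)
        self.users[username] = (salt, hash_password(password, salt), role)

    def _record(self, username, action, outcome):
        self.audit_log.append(
            {"time": time.time(), "user": username,
             "action": action, "outcome": outcome})

    def authenticate(self, username, password):
        """Authentication: is this user who they claim to be?"""
        record = self.users.get(username)
        # Hash even for unknown users so timing does not reveal valid names.
        salt, stored = (record[0], record[1]) if record else (b"\0" * 16, b"")
        candidate = hash_password(password, salt)
        ok = record is not None and hmac.compare_digest(candidate, stored)
        self._record(username, "login", "success" if ok else "failure")
        return ok

    def authorize(self, username, permission):
        """Authorization: does this user's role grant the permission?"""
        record = self.users.get(username)
        role = record[2] if record else None
        ok = permission in ROLE_PERMISSIONS.get(role, set())
        self._record(username, permission, "granted" if ok else "denied")
        return ok

    def request(self, username, password, permission):
        """Authorization is only evaluated after authentication succeeds."""
        return (self.authenticate(username, password)
                and self.authorize(username, permission))

def demo():
    """Run five constructed requests and return results plus the audit trail."""
    svc = AAAService()
    svc.add_user("teller01", "constructed-pass-1", "teller")
    svc.add_user("admin01", "constructed-pass-2", "it_admin")
    results = [
        svc.request("teller01", "constructed-pass-1", "view_account"),
        svc.request("teller01", "constructed-pass-1", "change_firewall_rule"),
        svc.request("teller01", "wrong-password", "view_account"),
        svc.request("admin01", "constructed-pass-2", "change_firewall_rule"),
        svc.request("ghost", "anything", "view_account"),
    ]
    trail = [(e["user"], e["action"], e["outcome"]) for e in svc.audit_log]
    return results, trail
```

The audit trail keeps failed logins and denied permissions as well as successes, which is what lets a later security audit reconstruct who attempted what.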