Introduction to Information Security
This Key Assignment (KA) template will be the basis for a Security Management Document. Although an actual plan is not feasible, each week will constitute portions of an overall Security Management Document that could be implemented.
Throughout this course, you will be working with a scenario in which some basic background information is provided about a consulting firm. This scenario and information are typical of many companies today. You are tasked to select a company that you are familiar with that is facing a similar situation. The company can be real or fictitious, but the framework and problems that it faces should be similar. The assignments that you complete each week are based on the problems and potential solutions that similar companies may face. The end goal for these assignments is to analyze the problems that the company faces with respect to the upcoming audit, and provide guidance on how it can provide security for its infrastructure.
The case study shows a company that is growing, and its security posture needs to be updated based on this growth. Based on the recent initial public offering (IPO), the company has new regulatory requirements that it must meet. To meet these requirements, a review of the current security must be conducted. This provides a chance to review the current security mechanisms and analyze the threats that the company could face. In addition, the company needs to expand its current network infrastructure to allow employees to work more efficiently, but in a secure environment. What problems does the company currently face, and how does the expansion pose new threats?
Choose and describe the company that you will use in the scenario. Describe the need for information security, what potential issues and risks exist, and what benefits the company can gain from the new project. Describe what new challenges exist with the new project to allow consultants to work on-site. What challenges now apply to the company with respect to the recent IPO?
Introduction to Information Security
San-Comic Telecommunication Limited is a publicly traded corporation located in Miami, Florida. The company was formed due to a lack of better telecommunication security in the tech industry. The company had to venture into telecommunication services to maximize company resources. The company produces a highly encrypted mobile phone with personal SIM swaps that are also highly encrypted. These SIM swaps enable the phones to access secure telecommunication networks, allowing the consumer to access the company’s services.
The company also offers cyber security by renting out the company servers. Consumers can access secure internet through the company network while bigger companies rent out the company servers. All the major business institutes lined up to sign a contract with the company for its cyber security services, making San-Comic Telecommunication Limited the leading security and telecommunication services company.
With technology changing daily and the company needing to stay ahead of other tech companies, the company needed strict security both at the employee level and on company systems. Over 500 employees work for the company, and the company needs to lessen the gap between the employee and the customer to create a better customer service base between the customer and the company through the employee. The company also wants to use this opportunity to improve the firm’s security measures, hence the need to get customer feedback through interactions between the employee and the customer.
The employees are tasked with researching the places where customers think the company should increase security before it expands; it needs to tighten its security for a smooth expansion. The company needs to know where it might be vulnerable to threats, and with the new IPO, the company needs to be well protected. The employees interacted with the customer through their network, researching a new sufficient network.
The employees in the research groups experienced challenges of network stagnation when more users logged into the network. They also discovered that the network connection to the customer service work cubicle had limited network admission. The specialist needs additional resolutions for connecting to the corresponding system. The company needs to develop a safer solution that can guarantee customer communication disclosure and protect customer data privacy through the company’s network.
The Importance of Information Security
Information security is the safeguarding of information and of the systems and hardware that use, keep, and transfer it, which makes information security essential to San-Comic Telecommunication Limited. The company needs to be comfortable that its information is secure and protected all the time. Common assaults occur when lawbreakers threaten company employees in order to get past company security precautions, or to make them give up sensitive company information, and so gain private information. Information security will make sure that whatever the company implements is implemented safely on the company’s information technology system. Information security will ensure that the data assembled and used by the company is protected. It also safeguards the assets that the company uses and its ability to operate (Peterson, 2019).
Information security protects the data used by the company, since the information can be stolen and used against the company, causing damage to the company. Information security will guarantee that sensitive company information is protected and that all legal requirements for protecting the company are met. Information security will also help avert identity theft against the company. With the company expanding, the need to protect its assets and essential business information is high, since it might be subject to threats and liabilities due to its expansion. Information security protects the company from malicious code and computer hacking and prevents attacks on the company servers (Peterson, 2019). Information security protects the company’s ability to function. The company trusts that information security will handle its information sensitively and that it will be secure from access by unauthorized persons. The company may hold information security responsible for any security breach and expect it to fix the breach on time. The information security department should prioritize the company’s security at all times.
The importance of information security in organizations must be held at the same high priority level for vendors within your own company. The company should also terminate or suspend employees who risk the security of the company through careless acts.
Wi-Fi Environment Problems and Threats
Since San-Comic Telecommunication Limited increased its telecommunication network services through wireless technology, risks are bound to arise. The company had to familiarize itself with the common threats it might encounter and minimize them. Some of the threats are:
Most wireless liabilities are caused by simple configuration mistakes, such as in passphrases and SSID usage. A beginner user can connect a device or set up the network externally without additional configuration, allowing attackers to steal an SSID and connect to the network without anyone noticing (Arberto, 2018). The company should ensure that all employees are trained on security measures. This will prevent negligence of company security measures by employees, who will have been taught how to apply secure connections on company devices.
Denial of Service Attack
This is when someone places virus programs on the company wireless network or sends a large amount of traffic at a particular server to cause a slowdown on the system or shut down the wireless network. This enables the hackers to hijack company assets, view authorized data and introduce backdoors into the system (Arberto, 2018). This can be easily done through the wireless network, as the signal can be interfered with in many different ways. The company should regulate non-personnel who access the company systems during times of system update.
This is achieved by being within the target radius of the network and then stealing data that can be used to break current security precautions. Information that can be hacked includes SSIDs, files, and packet exchanges. A hacker can use a sniffer to capture all the outgoing traffic, analyze it and reveal its payload (Arberto, 2018). This is preventable through the nature of wireless networks by improving or adopting high-security standards by using a firewall.
Rogue Access Point
Attackers usually set up rogue access points within the limits of the wireless network. The intention is to mislead some approved devices in the zone into connecting to the wrong access point. This attack requires physical access, and when a hacker gets physical access to the ports of the company network, he can steal data for a short period. Steps that can be taken to prevent this are proper WLAN authentication techniques and rigorous encryption methods (Arberto, 2018). The company can also develop policies that prevent employees from using their own wireless access points.
Evil Twin Attacks
This is when an intruder collects enough information about a wireless access point to mimic it with a stronger broadcast signal. This fools the user into linking with the evil twin signal, enabling the intruder to retrieve the company data. Server authentication and penetration testing are the only tools that can stop evil twin attacks.
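The rogue access point and evil twin descriptions above can be checked against a wireless scan, as in this added example (not part of the original paper). The SSID, BSSIDs, channels, signal levels and the WPA2-Enterprise requirement are constructed assumptions, and the inventory format is hypothetical:

```python
"""Flag rogue / evil-twin access points by comparing a Wi-Fi scan with an
inventory of authorised access points. All values below are constructed."""
from dataclasses import dataclass

CORP_SSID = "SanComic-Corp"        # assumed corporate SSID (hypothetical)
REQUIRED_ENC = "WPA2-Enterprise"   # assumed corporate encryption policy
# Authorised inventory: BSSID -> (channel, encryption)
AUTHORISED = {
    "02:00:00:aa:00:01": (1, REQUIRED_ENC),
    "02:00:00:aa:00:02": (6, REQUIRED_ENC),
}

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    channel: int
    encryption: str
    rssi_dbm: int   # closer to 0 means a stronger signal

def audit(scan):
    """Return {bssid: [findings]} for every suspicious beacon in the scan."""
    # Strongest signal seen from any authorised access point in this scan.
    best_legit = max((b.rssi_dbm for b in scan
                      if b.bssid.lower() in AUTHORISED), default=None)
    report = {}
    for b in scan:
        findings = []
        known = AUTHORISED.get(b.bssid.lower())
        if known is not None:
            # Known BSSID on the wrong channel/encryption: possible spoofed BSSID.
            if (b.channel, b.encryption) != known:
                findings.append("inventory-mismatch")
        elif b.ssid == CORP_SSID:
            # Corporate SSID announced by hardware that is not in the inventory.
            findings.append("unknown-bssid")
            if b.encryption != REQUIRED_ENC:
                findings.append("encryption-downgrade")
            if best_legit is not None and b.rssi_dbm > best_legit:
                findings.append("stronger-than-authorised")
        if findings:
            report[b.bssid] = findings
    return report

# Constructed scan: one clean AP, one mismatch, one evil twin, one neighbour.
SCAN = [
    Beacon(CORP_SSID, "02:00:00:aa:00:01", 1, REQUIRED_ENC, -61),
    Beacon(CORP_SSID, "02:00:00:aa:00:02", 11, REQUIRED_ENC, -70),
    Beacon(CORP_SSID, "02:00:00:ff:00:09", 6, "Open", -38),
    Beacon("CoffeeShop", "02:00:00:bb:00:03", 11, "WPA2-Personal", -80),
]

if __name__ == "__main__":
    for bssid, findings in audit(SCAN).items():
        print(bssid, ", ".join(findings))
```

Unrelated neighbouring networks are ignored; only beacons that claim the corporate SSID or an inventoried BSSID are evaluated.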
Stolen Wireless Equipment
Stolen wireless equipment is often overlooked, since no one thinks the equipment will be hacked. Most authorized equipment misplaced by an employee, such as mobile phones or laptops, can be hacked and the company information accessed and stolen for malicious purposes. The only requirement to hack the equipment is to get past the password protecting the equipment, which can be very easy to achieve for a professional hacker (Arberto, 2018). The company should make it a policy for all employees to report stolen and misplaced equipment to protect the information from hackers.
Users may gain access to the network innocently for different reasons, like updating their equipment through the internet, but later take advantage of the company hospitality and start using the wireless network for other reasons. This might cause the internet to lag for other users. The company may be sued if the content downloaded by the user is illegal. Company information is stolen or accessed through snooping (Arberto, 2018). The employees should be informed that file-sharing through an unrecognized network or sharing personal logins to company devices is in breach of company security procedures.
Security Problems of Letting Consultants Operate On-Site
One of the company’s problems with letting consultants operate within it is that it may be breached, exposing the company and client information. This may create problems within the company and with its clients. The company may experience lagging on the wireless network, since the third party might be using the network for unintended use. For malicious reasons, a third party may introduce spy malware into the company system. San-Comic Telecommunication Limited needs to evaluate its safety control measures due to the IPO taking place in the company. It will need to disclose all human factors of information technology to try to determine where threats might come from. The company needs to give instructions on who gets access to which information. The company should put in place information security policies and awareness programs so that employees do not compromise the company’s security (Peterson, 2019). The company will have to develop and distribute policies, procedures, and guidelines to prevent hackers’ security access. The company will also have to monitor and screen all personnel entering the company or accessing company information. The company will have to conduct seminars for employees to be trained on the appropriate security measures they need to take while using the wireless WLAN to prevent hacking or information access from outside (Peterson, 2019).
An Evaluation of the Sarbanes-Oxley Requirements
San-Comic Telecommunication Limited will face infrastructure difficulties while taking up the IPO. The company will have to make sure that the IT infrastructure can effectively manage its business obligations and performance requirements (Rechard, 2018). The information system should gather, examine, assess, deduce and distribute business data. The system needs to have efficient, quality data that is accurate, and its accessibility should be well controlled. The company’s development and application software should be well documented and maintained. The company should also make sure the information systems run efficiently and the information available is up to date.
Arberto, J. (2018). Wireless threats, vulnerabilities, and security. Wireless Crime and Forensic Investigation, 41-70. https://doi.org/10.1201/9781420013016-10
Peterson, H. (2019). Information security governance practices and commitments in organizations. Advances in Business Information Systems and Analytics, 280-315. https://doi.org/10.4018/978-1-5225-7826-0.ch007
Rechard, M. (2018). Information Security techniques. Security assurance framework. https://doi.org/10.3403/30242202