CSC3064 Case Study 1 Security Policies  Group 40   Curtis McCaw: 40134883 Gavin Flack: 40132351 Daniel Schwartz: 40135746       Page Break Q1: (Gavin) A security policy is defined as a document that has been created with the purpose of stating what a company does to protect both hard and soft copies of the information and assets that it holds. The document should constantly be getting updated to make sure it is as up to date and thus secure as possible as the technology that the business uses and that people who would wish to harm the business change and/or update. Due to this it can sometimes be seen as what is called a “living document”. 1 It will tend to include the key aspects of the business, such as what they need to protect and keep safe, how they will do this and how employees will get educated so as they can follow the policy. The policy can cover a range of subjects, from how they will keep their internal network secure, to what times the doors will be locked at in the evening. While a security policy mainly deals with how to prevent a breach in security, they will also sometimes contain a plan for how to act when a breach happens. The policy should also be well circulated around everyone within the organisation and new employees who are recruited should be made familiar with the policy and will usually be asked to sign some form of document stating that they have read and understand the policy. 2 Q2:  (Curtis) A small e-commerce company sell some products online. To purchase a product off the website, you must be a registered user of the system. When registering, you must enter your basic personal information, including your name and your address. To make a purchase you are required to enter your credit or debit card details and store them with the website, trusting the information is stored securely. The e-commerce company store all the customer records in an online database, hosted on their small server in house and encrypt all of the private card information. They believe this is enough to ensure confidentiality of the customer data.  An employee goes out to meet a shareholder at lunch in the local coffee shop. They both connect to the public Wi-Fi connection available. During the meeting, the shareholder asks how many new customers have registered for the site this week as he is interested in the profit this could bring in future months. The employee opens up a web browser and navigates to the web location where the e-commerce company’s customer records are held. The web address doesn’t use https and the employee is allowed to access the website as his phone is registered as one of the IP Addresses allowed to access the records. He often views the records on his phone when in the company’s office or at home on his private network.  Unknown to the employee, a hacker is sitting across from him in the coffee shop, on his laptop and is able to see what everyone on the public network is doing. The hacker spots the request to the webpage and is able to intercept the information that is being sent back and forth. The employee is not required to log in to see the customer records as the company’s security policy uses level of access and he is trusted to maintain the confidentially and integrity of the data, without the need to login. The company policy only permits specific employees to access certain web addresses on the server – they believe this is enough security. This is a major breakthrough for the hacker, as they are able to intercept the packets being sent back and forth and make a copy of the customer records stored on the web address.  A classic man-in-the-middle attack. This is due to the limited security over the public Wi-Fi connection and the poor security on the company’s web server. The hacker is able to make a copy of hundreds of customer records. Including customer names, date of births, addresses, usernames, passwords and most importantly their financial information. From here the hacker could sell the information, release it to the wrong people, commit fraud or misuse the customer information elsewhere online. Although the card details are encrypted the hacker may be able to decrypt them and access them. This has the potential to cost the company a lot of money, lose customer trust, diminish their reputation and put the customers into debt if the hacker was to act as them and make purchases on their cards.   The company would need to reconfigure their network security to make it more secure. The customer records file should be stored on a web address that uses HTTPS and one that requires employees to login with a valid username and password, regardless of their role in the company. Limiting what employees have access to would also be beneficial to the company, for example only allowing them to see the customer names or financial information at once rather than being able to access everything in one place would limit the risk if a hacker was to attack and gain access. This would be good use of access control.  Q3: (Dan) Basic information security standards should be highly encouraged and taught to every new employee during their first week of induction, no matter what their position is in the organization. This is because many companies might have different policies, so an incoming new employee would have to learn their new employer’s security practices, which could be vastly different to their previous employer’s policies. Some of these can include: Never leave a computer unlocked, even if for a few seconds. Though the workplace might seem like a safe and comfortable place to work in, it is highly encouraged to lock the computer when leaving the area. There could be some highly sensitive or personnel data on the screen, and some co-workers might not be privy to that information if they happen to walk by it and see the screen 3. Do not go on any sites of ill-repute (i.e. torrents, pornography sites, etc.). Not only is this highly unprofessional but it affords the opportunity for malicious software to be introduced into the network, like viruses, Trojans, worms, etc. Also ensure you are connected to a secure network (using HTTPS) to send data through 4. Use a unique password and change every 90 days. Recommended passwords to use are ones that use special characters, like @, !, ^, etc. Never use a password more than once and never use the same password for all your passwords 4. Do not respond to spam. Do not forward any spam or other times of phishing, whaling, etc. If in receipt of an email of unknown sources and of dubious content, contact the security manager or IT team. Also, do not download any attachments from emails of unknown sources 3. When connecting any portable media devices (USB thumb drives, flash drives, etc.), scan them first for any malware that could be potentially found on the device. If these devices are necessary for work, secure them in a locker 3. The sharing of personal data should be tagged as such in a manner that demonstrates how sensitive the data is. A tag at the bottom of any email should read “Secret”, “Confidential”, “Internal Use Only”, “Public”, or something similar and should be easily recognized by the recipient of the email. For hard copies of sensitive documents, they should be stored in a locker or destroyed in a cross-shredder for destruction when no longer needed 4.  Q4: (Curtis) Emails are one of the main ways personnel in a company communicate. The email administrator is required to set up rules and regulations on the email server to ensure network security. Nowadays, we see a vast amount of cyber security attacks happening through emails.  The email server needs to have an appropriate secure email delivery server. There are many options available: SMTP, POP3 (or older) and IMAP4. The choice of email server will be different for each company based on their requirements. IMAP is preferred if the user is accessing their emails on multiple devices, desktop, laptop and mobile. POP3 downloads emails from the email server to only one device and then deletes each email from that server. POP3 has many downsides but may be more secure, as only one device has access to what is sent and received as it stores them locally, rather than on a server like IMAP. Storing files locally could be a potential hazard, for example if the PC was stolen or the hard drive failed – the company would lose all of them emails. IMAP is the recommended standard as the majority of people access their emails on the go on multiple devices. 5 Another factor the business need to look at is the security of the email server. Again, there are many options available. Using SSL will ensure encryption is implemented between the email client and the email server. When sending sensitive emails it is critical that all sensitive content is secured and keeps its integrity.   Ensuring that the mail server has a digital certificate is important. This allows the client to identify the mail server and trust it, also guaranteeing emails are being sent to and from the correct server. The certificate will provide security back and forth between the email servers. Adding a digital certificate to the email server also prevents any outsiders from getting in, preventing any chance of a man-in-the-middle attack.  Another form of encryption the company should initialise is S/MIME. This is a protocol that uses a mathematic formula to create public and private keys that are used between sender and receiver of the emails. The sender of a ‘sensitive’ email will encrypted with the public key and then the recipient will open the email with their private key. Without the key the email cannot be opened.  Implementing S/MIME would be the best policy for the company. 6, 7  It is important to test the email server before customer/employees begin using it. A penetration test would be an ideal way to check the maximum load the server can take. This would be a good measure to test against DoS attacks.  Generally the policy should also include some rules and regulations. The company should require all employees to login to their email client when they want to access emails. A secure username and password should be required every time they want to login.  When sending sensitive information or files, all employees should password protect attachments e.g. Excel customer data sheets with personal information. This is important, so that if the email was to get intercepted then the hacker wouldn’t be able to access it without knowing the password. The password should either be sent in a separate or provided over a phone call.  Adding your name and company information to the footer of the email is important to maintain professionalism.  Also, all employees should manage their emails efficiently and store them in relevant folders.  Ensure correct subject lines are used when sending emails. Make emails traceable.   Q5 (Dan, Curtis, Gavin) While mainly the same, there are a few key differences between Harvard University and UCL’s security policies. The most notable differences between the two institutions are: Harvard’s information security policy for data protection has 5 levels, and in each level an example of the type of data is provided. For example, level 1 is public information, level 2 is confidential data where the disclosure of said data would not harm the university, level 3 contains university financial information and student information where the disclosure of said material would cause harm to the university and/or student, etc. UCL’s data security policy isn’t very detailed and a bit vague and broad, and mainly focuses on personal data and not any other types of sensitive data for the University. I would suggest that UCL formulate a data protection policy similar to Harvard’s for the handling of other types of sensitive data. For passwords, Harvard enforces using a password policy of no common names or dictionary terms, choosing 3 out 4 possible choices for characters (one uppercase character, one lowercase character, one number or one special character). Harvard also provides 3 choices of password length: 10 characters minimum, 8 characters with an annual password reset/expiration or 8 characters with additional authentication. In comparison, UCL’s policy on user passwords. UCL does not publicly divulge its password policy, where authentication is required to view the policy. This is an extra step in UCLs password security policy, but further comparison is impossible without UCL credentials to view the policy.  Both Harvard and UCL require that any device connected to its network (desktop, laptops, phones, etc.) have up-to-date protection, be secured with a password and/or PIN and if possible encrypted end-to-end. Harvard provides a step-by-step walkthrough on how to do this for a user’s IOS/Android device. UCL is vague and leaves it open for interpretation on how to accomplish this.  In terms of the layout of both the policies, the two organisations have went different ways to display the policies. UCL have decided to display all the information in a list, starting with the main policy and then list the supporting documents and policies. Clicking on any of these links will open up a pdf document detailing what that policy covers. This seems to be a better layout to Harvard’s, wherein you have to search through the different levels mentioned in point 1 above to then find the section of the level that you are looking for to then find the link to another page which will then give you the information required. This seems like a confusing and roundabout way to find the information needed, especially for members of Harvard that are not computer literate. Harvard host their information security policy on a separate domain to their main website. The UCL policy is nested into their main website. Whilst hosting on a separate domain, Harvard provide the user with the ability to search the policy and look for specific details. E.g. Searching for ’email’ on the Harvard site will return policies and information on email servers and permissions etc. Whereas on the UCL site, the search feature is more generic and searches the entire site – not returning any relevant information about the security policies making it difficult for the user to find what they are looking for.  Harvard appear to be more thorough when it comes to security. They offer compliance documentation for all of the measures. UCL don’t give any information on how to comply with their security measures meaning users may not implement them correctly.     References 1M. Rouse, “security policy,” searchsecurity.com, para. 1, May. 2007. Online. Available: http://searchsecurity.techtarget.com/definition/security-policy. Accessed Jan. 23, 2018. 2Technopedia, “Security Policy,” technopedia.com, para. Online. Available: https://www.techopedia.com/definition/4099/security-policy. Accessed Jan. 23, 2018. 3 D. Galea, “10 Things to Include in Your Employee Cyber Security Policy,” opswat.com, Mar. 2015. Online. Available: https://www.opswat.com/blog/10-things-include-your-employee-cyber-security-policy. Accessed Jan. 18, 2018. 4 M. Sanghavi, “Training Your Employees on Information Security Awareness,” synmantec.com, Dec. 2015. Online. Available: https://www.symantec.com/connect/blogs/training-your-employees-information-security-awareness. Accessed Jan. 18, 2018. 5Global Sign, “Encrypting Emails v Encrypting Servers”, globalsign.com. Online. Available: https://www.globalsign.com/en/blog/encrypting-emails-vs-encrypting-servers/. Accessed Jan. 19. 2018 6Technet, “S/MIME Encryption”, technet.microsoft.com. Online. Available: https://technet.microsoft.com/en-GB/library/dn626158(v=exchg.150).aspx. Accessed Jan. 23, 2018 7Global Sign, “What is S/MIME”, globalsign.com Online. Available: https://www.globalsign.com/en/blog/what-is-s-mime/. Accessed Jan. 24, 2018