SEC ASM2 NguyenThiMyDuyen


BTEC FPT INTERNATIONAL COLLEGE

INFORMATION TECHNOLOGY
ASSIGNMENT 1 & 2:
UNIT 5: Security

STUDENT : My Duyen NGUYEN THI


CLASS : PBIT15101
STUDENT ID : BDAF190005
SUPERVISOR : MSc. Xuan Ly NGUYEN THE

Da Nang, January 2021


ASSIGNMENT FRONT SHEET
Qualification BTEC Level 5 HND Diploma in Computing

Unit number and title Unit 5: Security

Submission date Date Received 1st submission

Re-submission Date Date Received 2nd submission

Student Name Nguyen Thi My Duyen Student ID PBIT15101

Class PBIT15101 Assessor name MSc. Xuan Ly NGUYEN THE

Student declaration
I certify that the assignment submission is entirely my own work and I fully understand the consequences of plagiarism. I understand
that making a false declaration is a form of malpractice.

Student’s signature



ACKNOWLEDGMENTS

First of all, I’m extremely grateful for my family’s support in giving me their endless encouragement, cherished affection and prompt assistance. It is no stretch to say that they are the most crucial motivation for me to accomplish this report.

Secondly, I also highly appreciate Mr. Xuan Ly NGUYEN THE for his lectures and instructions, which are a rich resource of knowledge for me to reference.

Thirdly, a vast thankfulness goes to all my BTEC friends for the remarkable periods of time we have experienced together.

Last but not least, I spectacularly express my deep gratitude to all the authors that have extensively provided the immense wisdom used as reference materials throughout this document.
ASSURANCE

I certify that this assignment is my own work, based on my personal study, and that I have acknowledged all material and sources used in its preparation, whether they be books, articles, reports, lecture notes, or any other kind of document, electronic or personal communication. I also certify that this assignment has not previously been submitted for assessment in any other unit, except where specific permission has been granted by all unit coordinators involved, or at any other time in this unit, and that I have not copied in part or in whole, or otherwise plagiarised, the work of other persons.

Learners declaration

I certify that the work submitted for this assignment is my own and research
sources are fully acknowledged.



TABLE OF CONTENT

ACKNOWLEDGMENTS ............................................................................................ i

ASSURANCE ........................................................................................................... ii

TABLE OF CONTENT..............................................................................................iii

LIST OF FIGURES .................................................................................................. vi

LIST OF ACRONYMS .............................................................................................. viii

INTRODUCTION ...................................................................................................... 1

CHAPTER 1 ASSESS RISKS TO IT SECURITY .................................................. 4

1.1 P1 Security threat to organisations ............................................................... 4

1.1.1 Definition of security threats ................................................................... 4

1.1.2 Types of security threats ........................................................................ 4

1.1.3 Recent security breaches ....................................................................... 5

1.1.4 Consequences........................................................................................ 7

1.1.5 Suggest solutions to organizations ......................................................... 7

1.2 P2 Organisational security procedures ......................................................... 8

1.2.1 Acceptable Use Policy (AUP) ................................................................. 8

1.2.2 Remote Access Policy ............................................................................ 9

1.2.3 Physical Security Policy ........................................................................ 10

1.3 M1 Methods to assess and treat IT security risks ....................................... 11

1.3.1 OSSEC ................................................................................................. 11

1.3.2 Wireshark ............................................................................................. 13

CHAPTER 2 IT SECURITY SOLUTIONS............................................................ 14

2.1 P3 Identify the potential impact to IT security of incorrect configuration of firewall policies and IDS ........................................................................................... 14

2.1.1 Firewall ................................................................................................. 14

2.1.2 IDS ....................................................................................................... 15


2.1.3 The potential impact of incorrect Firewall and IDS configuration on the network ........................................................................................................... 17

2.2 P4 Show, using an example for each, how implementing a DMZ, static IP and NAT in a network can improve Network Security ............................................ 18

2.2.1 DMZ ...................................................................................................... 18

2.2.2 Static IP ................................................................................................ 22

2.2.3 NAT ...................................................................................................... 24

2.3 M2 Benefits of implementing network monitoring systems, with supporting reasons ..................................................................................................... 27

2.4 D1 Investigate how a ‘trusted network’ may be part of an IT security solution ..................................................................................................................... 28

2.4.1 Trusted network .................................................................................... 28

CHAPTER 3 Mechanisms to control organisational IT security ........................... 29

3.1 P5 Risk assessment procedures ................................................................ 29

3.1.1 Risk & risk assessment. ....................................................................... 29

3.1.2 Asset identification procedure .............................................................. 29

3.1.3 Threat identification procedure ............................................................. 30

3.1.4 Risk assessment procedure ................................................................. 31

3.1.5 List risk identification steps ................................................................... 32

3.2 P6 Data protection processes ..................................................................... 33

3.2.1 Define data protection .......................................................................... 33

3.2.2 Relations of data protection process to organization ............................ 33

3.2.3 The importance of data protection and regulation ................................ 33

CHAPTER 4 Manage organisational security ...................................................... 35

4.1 P7 Security policy for an organisation......................................................... 35

4.1.1 Definition .............................................................................................. 35

4.1.2 Security policy elements ....................................................................... 35

4.1.3 Steps to design a policy ........................................................................ 36


4.2 P8 Main components of an organisational disaster recovery plan .............. 38

4.2.1 Business continuity and disaster recovery plans .................................. 38

4.2.2 List the components of recovery plan. .................................................. 38

4.2.3 Required steps in disaster recovery process ........................................ 39

4.2.4 Policies and procedures required for business continuity. .................... 40

CHAPTER 5 Implement ....................................................................................... 42

5.1 Website – Application ................................................................................. 43

5.1.1 Server-Side Web Application Attacks ................................................... 43

5.1.2 Client-side Application Attacks ............................................................. 43

5.2 Network ...................................................................................................... 44

5.2.1 Wireless ................................................................................................ 44

5.2.2 Secure the routers ................................................................................ 48

5.2.3 SSH server on R3................................................................................. 50

5.2.4 Syslog ................................................................................................... 53

5.2.5 NTP ...................................................................................................... 54

5.2.6 CBAC and ZPF firewalls ....................................................................... 55

5.2.7 Secure switches ................................................................................... 57

5.2.8 BPDU Guard and PortFast .................................................................... 59

5.3 Host ............................................................................................................ 65

5.3.1 Security guard ...................................................................................... 65

5.3.2 CCTV.................................................................................................... 66

5.3.3 Fingerprint scanners ............................................................................. 67

CONCLUSION ........................................................................................................ 69

REFERENCES ....................................................................................................... 70
LIST OF FIGURES

Figure 1.1: CIAO Company’s infrastructure .............................................................. 1

Figure 1.1: Threat Agent ........................................................................................... 4

Figure 1.2: OSSEC (resources.infosecinstitute.com/) ............................................. 12

Figure 1.3: Wireshark (cyberhoot.com) ................................................................... 13

Figure 2.1: Firewall (vietnix.vn) ............................................................................... 15

Figure 2.2: IDS (bizflycloud.vn) ............................................................................... 16

Figure 2.3: DMZ ...................................................................................................... 19

Figure 2.4: Access control (security.stackexchange.com) ...................................... 20

Figure 2.5: Prevent attackers (community.qlik.com) ............................................... 21

Figure 2.6: IP spoofing (upguard.com).................................................................... 21

Figure 2.7: Protection against IP spoofing (sc1.checkpoint.com) ........................... 22

Figure 2.8: Static IP ................................................................................................ 23

Figure 2.9: NAT ...................................................................................................... 25

Figure 2.10: NAT benefits for LAN (kb.hostvn.net) ................................................. 26

Figure 2.11: LAN benefit for remote-access control (medium.com) ........................ 26

Figure 3.1: Attack tree (eng.dieselloc.ru) ................................................................. 30

Figure 3.2: Qualitative Risk Analysis (ccna) ............................................................ 32

Figure 5.1: CIAO Company’s infrastructure ............................................................ 42

Figure 5.2: SQL injection ........................................................................................ 43

Figure 5.3: Disable SSID broadcast ........................................................................ 45

Figure 5.4: Encrypt the data .................................................................................... 46

Figure 5.5: Enable MAC filter .................................................................................. 47

Figure 5.6: Use Radius Server ................................................................................ 48

Figure 5.7: Result of secure routers and AAA ......................................................... 49

Figure 5.8: Result of console and VTY lines secure ............................................... 50

Figure 5.9: Result of SSH ....................................................................................... 51


Figure 5.10: Result of enable Syslog on R3 ............................................................ 51

Figure 5.11: Result of SSH: Telnet fail from R2 to R3............................................. 52

Figure 5.12: Result of SSH: Logging successful from R2 to R3 .............................. 53

Figure 5.13: Result of NTP ..................................................................................... 55

Figure 5.14: Result of CBAC and ZPF Firewall ....................................................... 56

Figure 5.15: Result of CBAC and ZPF Firewall ....................................................... 57

Figure 5.16: Result of CBAC and ZPF Firewall ....................................................... 57

Figure 5.17: Result of secure switches ................................................................... 59

Figure 5.18: Check MAC address in interface f0/24 ............................................... 61

Figure 5.19: MAC address on PC B (not yet changed) ............................................ 62

Figure 5.20: Check the up status in interface f0/24 ................................................. 63

Figure 5.21: Change MAC address ........................................................................ 64

Figure 5.22: Interface F0/24 is down....................................................................... 65

Figure 5.23: Security guard ..................................................................................... 66

Figure 5.24: CCTV .................................................................................................. 67

Figure 5.25: Fingerprint scanner ............................................................................. 68


LIST OF ACRONYMS

IDS Intrusion Detection System

HIDS Host-based IDS

NIDS Network-based IDS

LAN Local Area Network

NAT Network Address Translation

DMZ Demilitarized Zone

MTTR Mean Time To Repair

AUP Acceptable Use Policy

IP Internet Protocol

VPN Virtual Private Network

VoIP Voice over Internet Protocol

DHCP Dynamic Host Configuration Protocol

OSSEC Open Source HIDS SECurity

DRP Disaster Recovery Plan

BCP Business Continuity Plan

SLA Service-level agreement


INTRODUCTION

The era of information technology develops so rapidly that the exploitation and assurance of information security are given more priority and attention, creating great concern for the security of a company's important data. However, not every person or business knows how to ensure security well.

FIS is a company specializing in advising on and implementing technical solutions to potential IT security risks. Our project today involves a company well known for both domestic and export clean food processing, especially sweet potatoes: CIAO Company.

Before I go into my analysis, I would like to discuss a few points related to CIAO Company. The company occupies a three-floor building located on the outskirts of the city, with the following layout:

Figure 1.1: CIAO Company’s infrastructure


 The 1st and 2nd floors belong to the staff and are divided into 30 departments.
 Of these, 20 departments are for employees, including departments such as engineering, accounting and sales; each contains 10 desktop computers with a wired network connection and 1 printer. Each floor has 10 such rooms. A separate VLAN is created for each branch.

Performed Student: My Duyen NGUYEN THI Instructor: MSc. Xuan Ly NGUYEN THE 1
 The remaining rooms are used for private purposes such as the storage room, materials room, meeting room, event hall and reception hall. Each such room contains 2 computers and 1 projector; the reception hall itself contains 5 wired computers and a 50-inch projection screen.
 The wireless system provides wireless connectivity for 300 devices at the same time; the access point is installed on the first floor in the centre of the reception hall.
 The third floor belongs to the company's executive board, including the administrators, CEO, CFO, CTO and their secretaries. The 3rd floor also holds some of the company's most important documents and the meeting rooms for senior departments.
 On the first floor, a building guard is on duty from 6 am to 9 pm, and a surveillance camera system covers key areas and places with many passers-by. The control system is located in the security room.
 CIAO Company also requires the use of services such as FTP, DNS and Web. Some additional services are added, such as VPN, remote access and VoIP.

As an IT Security Specialist at a leading security consultancy in Vietnam called FPT Information Security (FIS), I, Nguyen Thi My Duyen, under the mandate and entrustment of Mr Jonson, Manager, hereinafter briefly introduce the tools and techniques associated with identifying and assessing IT security risks, together with the organizational policies that protect business-critical data and equipment, and simulate and make basic recommendations for ensuring the security of your CIAO Company.

This report includes some of the technical topics below:

 Identify the security threats CIAO Company may face if it suffers a security breach; in addition, list some recently publicized security breaches and discuss their consequences.
 Describe a variety of organizational procedures an organization can set up to reduce the effects of a security breach on the business.
 Propose a method that CIAO Company can use to manage different types of risk.
 Discuss three benefits to CIAO Company of implementing a network monitoring system, giving suitable reasons.
 Investigate network security, identifying issues with incorrect firewall and IDS configuration, and show through examples how different techniques can be implemented to improve network security.
 Investigate a ‘trusted network’ and, through an analysis of positive and negative issues, determine how it can be part of a security system used by CIAO Company.

The first part of this report includes some basic topics such as:

 Chapter 1: ASSESS RISKS TO IT SECURITY
 Chapter 2: IT SECURITY SOLUTIONS

CHAPTER 1 ASSESS RISKS TO IT SECURITY

1.1 P1 Security threat to organisations

1.1.1 Definition of security threats

A threat is defined as a potential event or existing condition capable of causing harm to a particular object, considered in both physical and non-physical aspects, and bringing about unpredictable consequences for income, life, health, property and so on.

By extension, threats in security are unusual events that have the potential to occur with damaging consequences, leading to the loss or collapse of data, infrastructure or the normal functioning of the system. Risks can be caused by subjective reasons (human-induced accidents, equipment failure) and objective reasons (natural disasters such as diseases, earthquakes, droughts and floods); by internal sources such as corruption and spying; and by external sources such as theft, non-target-specific malware (ransomware, worms, trojans, logic bombs, backdoors and viruses), terrorists, hacktivists and armed conflicts.

They are frequently classified into 8 groups:

Figure 1.1: Threat Agent


(Jones, 2005)

1.1.2 Types of security threats

The exponential development of the Internet and technologies has exposed people, including companies, to the possibility of data security breaches. Data stored by computer users has become one of the most valuable things in need of protection, given the potentially severe harm if the stored data is lost.

In this section, we will discuss the different types of security threats to organizations, which are as follows:

 Malware Attacks

The term malware was first used by computer scientist and security researcher Yisrael Radai in 1990 to describe programs or files that are harmful to computer users: they extensively damage systems or gain unauthorized access to a computer in order to steal, encrypt or delete sensitive data, alter or misappropriate core computing functions, and monitor the user's computer activity without permission. Malware can also be delivered physically to a system via a USB drive or other means. Malware mainly includes computer viruses, worms, Trojan horses and spyware.

 Social Engineering Attacks

This is a general concept in information protection that describes attacks which manipulate human behaviour rather than exploiting bugs in the security of computers and equipment, in order to accomplish malicious goals such as breaking into networks, breaching common security procedures, accessing crucial data, and so on. Examples include phishing, baiting, vishing, piggybacking and pop-up windows.

 Natural disasters

Extreme weather such as hurricanes, volcanic eruptions or landslides, as well as ice storms, floods, tornadoes, wildfires and earthquakes, are all considered natural disasters. They do major harm to the climate, finances, vital infrastructure, and even human life and wellbeing.

They happen both seasonally and unexpectedly, subjecting the country to repeated periods of insecurity, disruption and economic loss, posing a significant risk of data loss and having a significant, long-term impact on the business if no measures are taken to deter loss and to recover from crisis.

1.1.3 Recent security breaches

 Case 1: Microsoft database leaked because of employee negligence

Microsoft released a revised edition of its Azure security rules at the beginning of December 2019. These rules were misconfigured by Microsoft staff, culminating in the unintended leak. There was no password or two-factor authentication in place to secure access to the servers. Furthermore, by tracking user accounts and analysing activity on confidential assets, the organization could have greatly decreased the detection time.

A security researcher uncovered a freely accessible Microsoft customer service database of 250 million entries, collected over 14 years, at the end of December 2019. Customers' emails and IP addresses, customers' geographical locations, and notes taken by Microsoft support representatives were also included in the archive.

 Case 2: Ms Thompson stole 140,000 Social Security numbers and 80,000 bank account numbers.

On 29 July 2019, federal prosecutors said that a software developer in Seattle had broken into a server containing customer records for Capital One and stolen the personal data of over 100 million individuals, in one of the biggest data breaches at a bank. According to court records in Seattle, where she was arrested and charged, the defendant, Paige Thompson, 33, formerly worked for Amazon Web Services, which hosted the Capital One website that was hacked; she left a trail online for police to trace while she boasted about the hacking. Ms Thompson had obtained access to the confidential information through a "misconfiguration" of a web application firewall. The hacker was able to connect to the server that Capital One used to store its data and, as a result, obtain customer files.

According to court papers and Capital One, Ms Thompson stole 140,000 Social Security numbers and 80,000 bank account numbers in the breach. The bank also estimated that the hack would cost it up to $150 million, including the cost of credit protection for those affected. For comparison, Equifax had paid out $650 million the previous week to settle lawsuits stemming from a 2017 data leak that revealed personal information on over 147 million people.

 Case 3: Hurricane Harvey

Houston data centres, for example, were put to the test by Hurricane Harvey. The North Houston data centre, according to Edward Henigin, CTO of Data Foundry Inc. in Austin, is a "purpose-built facility designed to withstand Category 5 hurricane wind speeds." Just before Hurricane Harvey, the company brought on additional staff to operate the data centre throughout the emergency and provided food, showers, cots, coworking space, books and video games for employees who remained at work for five straight days. The major data centre providers in Houston reported that there was no interruption of service during the emergency. This is especially noteworthy considering that Hurricane Harvey damaged 203,000 homes and caused at least $125 billion in damages.

1.1.4 Consequences

 Lost data

Economic contracts, loan contracts, corporate plans, marketing material and even payroll are all highly confidential documents whose loss can have a significant impact on the whole enterprise. Simply put, information that took you a long time to produce can be stolen or erased.

 Loss of social trust

When an organization's internal information is revealed as a result of a non-technical assault, it may create misunderstanding. Customers may lose faith in businesses that retain sensitive personal information about them (banks, insurance companies, etc.). If the business is attacked and sensitive information is disclosed, customers will lose trust in the company.

 Loss of customer’s privacy

Obtaining personal details such as an individual's address, phone number, living patterns, etc. has a slew of negative implications. Many people worry about receiving phone calls "offering" credit loans, insurance and other programs. A few people were even tracked down and targeted.

 Financial loss

Financial loss can result from system malfunctions, human error, the effect of natural disasters, or orders and money that cybercriminals intentionally redirect to a pre-determined address, causing huge monetary losses for businesses.

1.1.5 Suggest solutions to organizations

Some of the solutions of the organization can be mentioned as:

 Incident response. When a security vulnerability is identified, an incident response plan must be developed. With prepared procedures and documentation that minimize the sudden level of danger and enable rapid data recovery, the loss and surprise will be reduced and the problem can be resolved in the shortest time.
 Create backups of all data periodically, and regularly check backup rules such as 3-2-1, with copies stored in the cloud, on a server and on tape.
 Increase data security with the necessary policies and procedures. Beware of strange objects entering and leaving, or lurking around, the company premises.
 Use Windows Defender, a firewall, an IDS and anti-virus software to stop malicious scammers trying to steal data.
 Ensure that everyone on the team is aware of the company's contingency plans. Employees are given basic training in data security protection and in how to deal with ransomware and social engineering attacks. They must be prepared to support the organization through any hardship and the eventual recovery.
 Knowing the natural risks to your business facility, as well as any vulnerabilities of your data centre if your organization uses Internet-based storage, is the first step in keeping data safe. These data centres should be included in the company's disaster planning so that you can remain open, well-stocked, and ready for a long period of downtime.

1.2 P2 Organisational security procedures

When it comes to basic information technology concerns, if an organization begins to build the basis for a security policy, it requires a management strategy to ensure that all activities are unified and easy to handle. By using security technologies, auditable workflows, and recorded policies and procedures, you will reduce harm.

Some of the policies and procedures that should be used in the security program
are:

1.2.1 Acceptable Use Policy (AUP)

An AUP explains the restrictions and procedures that workers who use organizational IT assets must agree to in order to connect to the corporate network or the internet. It is a normal part of new employee onboarding: before being issued a network ID, they must read and sign an AUP.

 AUP in Ciao Company

Employees will be trained on CIAO Company's data and security policies, as well as their responsibilities for the safety of private information, including procedures for preventing unauthorized entry, illegal use or loss of non-public personal information. Education would be given to company staff upon hiring, during induction, and at the outset of the receivership period. Before being electronically transmitted, all data containing non-public personal information must be encrypted.

 General Use and Ownership
 For any cause, at any time, with or without warning, CIAO Company can track or inspect any information, including data files, emails, and information stored on company-issued computers or other electronic devices, for the purpose of checking and monitoring compliance with these security procedures.
 Without appropriate authorization, any classified information must be kept secret and not distributed or made accessible to anyone.
 Passwords at the system level must be updated after 90 days.
 Account Managers with access to sensitive data
 Authorized users must exercise strict vigilance when opening e-mail attachments, which can include viruses, e-mail bombs, or Trojan horse code, whether sent intentionally or unknowingly. All users must be trained to recognize possible hazards.

1.2.2 Remote Access Policy

A remote access policy is a manual that specifies and describes acceptable ways of connecting to an organization's internal networks from a remote location. I've even seen addendums of guidelines added to this policy. This policy is mandatory for organisations with distributed networks that can reach into vulnerable network locations.

• Remote Access in CIAO Company

Only those entities with a demonstrable need for access to classified information stored on CIAO Company's network will be given access. This includes staff, third-party providers, and others.

• General

- Secure remote access must be tightly regulated, and only those persons allowed by the Information Security Officer can have access. One-time password authentication or public/private keys with robust passwords must be used to establish approved entry.
- Authorized users must not give their login credentials to anyone else, and they must not write down or keep a record of their login credentials.
- Unless the Information Security Officer approves otherwise, approved users can only access the network using equipment provided by CIAO Company.
- When dealing with high-risk content, equipment with remote access must comply with the Transmission Encryption Technique requirements.
- Confidential information must not be processed locally on a remote access server or other information retrieval system unless it is encrypted in compliance with the procedures' requirements.

1.2.3 Physical Security Policy

This is a series of security procedures that give only designated employees, who have been selected for this role, access to secure facilities. Its aim is to protect the facilities, resources, and other property inside a production facility or office space from intruders, internal threats, cyber-attacks, accidents, and natural disasters, which requires a mixture of technology and human supervision, as well as keeping unwelcome visitors outside. Access control, surveillance, and security testing are the three most critical aspects of a physical security strategy.

• Physical Security Procedures in CIAO Company

Except when special procedures have been developed to leave a door open, all building exterior doors must be kept locked at all times. Doors may be left unlocked or open only while a staff member is in a position to control entry through the doorway. No one shall grant entry to any building or room to someone who is not recognized as an approved employee, guest, or vendor working in that area. Management must be made aware of anyone who seems suspicious or cannot supply identification.

Employees and registered users of CIAO Company are issued office and building keys depending on their actual need for entry to particular areas.

Each person is solely responsible for the equipment provided to him or her. The Information Technology personnel or contractors must be alerted if any equipment is relocated, destroyed, or replaced. The employee is in charge of the physical protection of any business equipment assigned to him or her.

If CIAO Company-issued equipment is missing or stolen, the person in charge of the equipment must notify the Information Security Officer as soon as possible.

In compliance with the CIAO Company Security Policy, decommissioned (scrapped) machines should be submitted to the Information Technology department or a manufacturer to have the hard drive wiped so that all confidential data is unrecoverable.

Machines transferred internally that hold sensitive data must have the hard drive wiped before being used by the new owner.

(Group, 2008)

1.3 M1 Methods to assess and treat IT security risks

Securing a network is hard work: cybersecurity issues are rarely simple and can become very complex. New security threats seem to emerge every day, putting the information security of individuals and companies at risk and requiring dynamic, multi-layered security solutions. Administrators also need to identify vulnerabilities quickly to protect data. Network security monitoring tools reduce this effort and cost with their features and functions, protecting the IT environment under surveillance. Below are some monitoring tools we highly recommend for your company.

1.3.1 OSSEC

OSSEC (Open Source HIDS SECurity), which is currently maintained by Atomicorp, is a free, open-source host-based intrusion detection system (HIDS) that can track and manage devices on a range of platforms, including Linux, Mac, Windows, Solaris, HP-UX, ESX, and others. In a simple, efficient, open-source solution it combines all facets of HIDS, log monitoring, and SIM/SIEM. It provides the following features: file integrity checking, log analysis, rootkit detection, policy monitoring, and active response.

Figure 1.2: OSSEC (resources.infosecinstitute.com/)

1.3.2 Wireshark

Wireshark is a network protocol analyser rather than an intrusion detection system (IDS), and it supports over 2,000 network protocols. Many of these are complicated, rare, or outdated, and the modern security specialist will find that analysing IP packets is the most practical use.

It intercepts traffic and transforms binary data into a human-readable format, making it quick to see what traffic is going through the network, how often it does so, and how much delay there is between hops, among other things. It then provides search tools, such as regular expressions and coloured highlighting, to help you zoom in on the traffic you want to inspect. This makes it easier to find what you're searching for, particularly anomalous or illegitimate traffic and intrusions.

Figure 1.3: Wireshark (cyberhoot.com)

CHAPTER 2 IT SECURITY SOLUTIONS

2.1 P3 Identify the potential impact to IT security of incorrect configuration of firewall policies and IDS.

2.1.1 Firewall

• Definition

A firewall is a set of rules that helps deter unauthorized access into a device and restricts what leaves the computer, protecting network information. It acts as a barrier between trusted and untrusted networks through an active control model with pre-defined policies, preventing unwanted access and viruses, preventing and mitigating harm, and ensuring internal information is safe from theft by unauthorized parties.

• Its usage

The TCP/IP protocol suite, which breaks down data obtained from network applications (utilities that run on protocols such as Telnet, SMTP, DNS, SNMP, NFS, ...) into packets and then assigns these packets recognizable, reproducible addresses so that they can be delivered to the destination, operates closely with the firewall.

A firewall helps the computer control the flow of data between the intranet and the internet by determining which services on the inside can be accessed from the outside, who from the outside is allowed to enter the system, and so on. A firewall administrator configures rules that restrict access to external resources from those inside the system. As an example, users on the inside network would not be allowed to reach sites such as Facebook and YouTube if the administrator has restricted access to them.

This work is performed by a combination of the following methods:

- Packet Filtering: In this method, each packet is analyzed and compared against the pre-configured filter rules in the firewall. If it is allowed, the packet is accepted; otherwise, the packet is rejected and cannot travel through the network.
- Stateful Inspection: Instead of analysing each packet in isolation, the firewall tracks the state of connections and compares each packet against its table of trusted, established connections.

Figure 2.1: Firewall (vietnix.vn)

• Its advantages

Using a firewall has the following benefits:

- Monitors network traffic: Threats to the system's processes can arrive in data flowing in and out of your networks. A firewall looks at that data, checks whether it includes something that may be harmful to your network, and uses pre-set rules and filters to keep your systems secure.
- Stops virus attacks: Firewalls control your system's entry points and can stop virus attacks, keeping your systems healthy.
- Prevents hacking: Firewalls have become far more necessary as a result of the rise in data theft and attackers who exploit unrestricted Internet connections to carry out illegal activities such as spreading viruses.
- Stops spyware: Since firewalls act as an effective barrier against malicious spyware and malware programs, such programs can be prevented from gaining access to and infiltrating your networks.
- Promotes privacy: A firewall creates an environment that proactively keeps your data and your customers' data secure by deterring intrusion.

2.1.2 IDS

2.1.2.1 Definition

An intrusion detection system (IDS) is a system that detects intrusions. An IDS is a network traffic monitoring device that detects disturbances, disruptive operations on other networks, authentication failures, and direct threats to the network or to a computer. As a result, system security issues are analysed and identified, ensuring protection against rapidly evolving cyber threats, and system administrators are alerted to port scans and can block any affected connections. Intrusion monitoring applications alert you as soon as new attacks are detected.

Figure 2.2: IDS (bizflycloud.vn)

Based on the surveillance scope, IDSs are divided into 2 categories:

• Network-based IDS (NIDS)

These are IDSs that monitor the entire network: they check network communications in real time, scan packet headers, and can inspect packet contents to detect malicious code or different types of attacks.

• Host-based IDS (HIDS)

A HIDS is an intrusion detection system that monitors and records logs for a host system. It runs on a specific server or device on the network and monitors and records the actions of that individual computer: its operators and programs, as well as the server's services as a whole. Consequently, in addition to data traffic to and from the server, the key sources of information for a HIDS are system log data and system audits. It only checks the device's inbound and outbound packets, alerting the user or administrator if unusual behaviour is observed.

2.1.2.2 Its usage

The two most critical elements of an IDS are sensors and signature databases. Sensors collect and interpret network traffic and other information sources to identify signatures, while signature databases store the signatures of threats that have been identified and evaluated. Since signature databases function similarly to virus databases in antivirus systems, routine maintenance of this database is important for an effective IDS framework.

An IDS with active detection (detect and respond) is programmed to take the quickest action possible to reduce further threats to the device. The response may involve steps such as shutting down the server or facilities, as well as disconnecting connections.

An IDS with passive detection will report attacks but will not take direct action against them. It can record the entire system log and send an alert to the system administrator. An IDS is an excellent DoS attack detector; it can locate glitches, defects, and hidden functions, as well as port scans. However, it is unable to detect attacks based on emails that contain malicious code.

2.1.2.3 Its advantages

- Keeps an eye on network activity and unusual conduct.
- Alerts devices and administrators on network status.
- Combines with control mechanisms, firewalls, and antivirus to build a full protection framework.
- Gives you a complete picture of all network traffic.
- Assists in the investigation of network concerns.

2.1.3 The potential impact of firewall and IDS misconfiguration on the network

As security threats get more sophisticated, it is more critical than ever to keep track of firewall and IDS settings. IT experts spend a lot of time thinking about glitches and bugs, but according to Gartner research, misconfiguration, not flaws, triggers 95 percent of all firewall breaches. Likewise, most problems related to an IDS are misconfigurations, that is, faulty settings of its parameters: legitimate communications are flagged by the IDS as malicious, and vice versa. Some of the effects that can occur when the firewall and IDS are misconfigured are as follows:

- Data is exposed to a less secure environment. The information may be extremely confidential, and it may also be subject to regulatory rules.
- Protection is reduced and criminals are given more options. For example, not enforcing the business's authentication protocol makes it possible for them to reach the company network from a remote office; in one such case, workers in the remote division had access to local accounts with weak passwords, and there was a separate limit on how many login failures were permitted before an account was locked out.
- Not only will you not be notified if you are being attacked, but you will have no traceability when investigating afterwards.
- Legitimate traffic is blocked, redirected to the wrong destination, or cannot be routed at all, whereas illegitimate traffic is routed to a destination it should not reach.
- If the IDS is not kept up to date and tuned correctly, which takes time in itself, more time is spent dealing with bugs.
- If the effect can be predicted at all, it could range from financial losses that could force the company into bankruptcy to data leakage, blackmail, and litigation, among other things.
- Wanted traffic is blocked or otherwise prevented from reaching its destination, and vice versa.
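As an added illustration of the sensor-plus-signature-database model in 2.1.2.2 and the mis-tuning problem described above (example code written for this page, not taken from the original report or from any IDS product), the toy sensor below scans constructed connection records for the two behaviours the text says an IDS is good at catching, port scans and floods, shows how a threshold set too low turns a harmless monitoring host into a false positive, and contrasts passive (log and alert) with active (block the source) response. The addresses, thresholds and sample traffic are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Conn:
    """One observed connection attempt (constructed sample data)."""
    ts: int        # seconds since the start of the capture
    src: str
    dst: str
    dport: int

@dataclass
class Sensor:
    """The 'signature database' reduced to two tunable thresholds (assumed values)."""
    scan_ports: int = 10     # distinct destination ports per window => port scan
    flood_conns: int = 50    # connections to one service per window => flood / DoS
    window: int = 10         # seconds of history a signature looks back over
    active: bool = False     # True: block the offender; False: only log and alert
    alerts: list = field(default_factory=list)
    blocked: set = field(default_factory=set)
    history: dict = field(default_factory=lambda: defaultdict(list))

    def inspect(self, c: Conn) -> list:
        """Return the names of the signatures that fired for this connection."""
        if c.src in self.blocked:
            return ["blocked"]           # active response already cut this source off
        recent = [x for x in self.history[c.src] if c.ts - x.ts <= self.window] + [c]
        self.history[c.src] = recent     # forget records older than the window
        fired = []
        if len({x.dport for x in recent}) >= self.scan_ports:
            fired.append("port-scan")
        same_service = sum(1 for x in recent if (x.dst, x.dport) == (c.dst, c.dport))
        if same_service >= self.flood_conns:
            fired.append("flood")
        for name in fired:
            self.alerts.append((c.ts, c.src, name))   # passive part: record and alert
        if fired and self.active:
            self.blocked.add(c.src)                   # active part: disconnect the source
        return fired

def run(sensor: Sensor, conns: list) -> list:
    """Feed records to the sensor in time order and return its alert log."""
    for c in sorted(conns, key=lambda x: x.ts):
        sensor.inspect(c)
    return sensor.alerts

def alert_names(sensor: Sensor, conns: list) -> set:
    """Distinct signature names raised over a traffic sample."""
    return {name for _, _, name in run(sensor, conns)}

# Constructed traffic samples: a port scanner, a flooder and a harmless monitoring
# host that polls four services every five seconds (all addresses assumed).
SCANNER = [Conn(t, "10.10.10.99", "192.0.2.10", 1000 + t) for t in range(12)]
FLOODER = [Conn(t // 6, "10.10.10.77", "192.0.2.10", 80) for t in range(60)]
MONITOR = [Conn(t, "192.168.33.5", "192.0.2.10", p)
           for t in range(0, 60, 5) for p in (22, 80, 443, 3306)]
```

With the default thresholds the monitor raises nothing, but lowering `scan_ports` to 3 makes every poll cycle look like a scan, which is the "valid communications flagged as malicious" failure the section warns about.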

2.2 P4 Show, using an example for each, how implementing a DMZ, static IP and NAT in a network can improve Network Security

2.2.1 DMZ

2.2.1.1 Definition

In computing, the Demilitarized Zone (DMZ) is a physical or logical subnet that separates an existing LAN from other untrusted networks situated outside the firewall or security controls, such as the internet. Things in the DMZ, such as external-facing servers, tools, and utilities, are reachable over the internet, but the LAN is not. For an organization's internal network, the DMZ is one of the security shields of a defence-in-depth design. Services hosted in a DMZ include DNS servers, FTP servers, mail servers, proxy servers, and web servers.

Figure 2.3: DMZ

2.2.1.2 Its usage and advantages

By providing an internal network with an extra protection layer that limits access to sensitive data and servers, the DMZ offers a level of network segmentation that allows traffic to be coordinated and public services to be reached at a safe distance from the private network. A DMZ allows website users to access those resources while separating them from the organization's private network. Consequently, the DMZ has extra security advantages, including:

• Access Control for Organizations

A DMZ network offers public internet connections to networks located outside of its network perimeter while also implementing network segmentation that increases the number of barriers an unwanted user must clear before obtaining access to an organization's private network. For example, in the picture below, the report can be accessed via the DMZ from the private LAN.

Figure 2.4: Access control (security.stackexchange.com)

A proxy server, which centralizes the flow of internal traffic and makes logging and tracking the traffic easier, is often used in a DMZ to secure confidential data, processes, and services by keeping internal networks apart from devices that may be attacked. Organizations may also use DMZs to monitor and block access to sensitive systems.

• Prevent attackers from performing network reconnaissance

Since it serves as a buffer, a DMZ stops an intruder from performing reconnaissance to identify new targets. The internal firewall that separates the private network from the DMZ protects the private network even if a device inside the DMZ is compromised. For the same reason, it makes outward reconnaissance more difficult. Although the DMZ servers are publicly accessible, they are covered by another layer of security that stops attackers from seeing inside the internal network. If a DMZ device is compromised, the internal firewall keeps the private network isolated from the DMZ, keeping it protected and preventing external reconnaissance.

As can be seen from the following diagram, the server located in the DMZ can be accessed from the Internet, but the second firewall will not allow the spying activity to reach the intranet, and the server located in the private LAN is secure.

Figure 2.5: Prevent attackers (community.qlik.com)
• Protection against IP spoofing

Attackers fake their IP address to gain access to the network, changing the original source IP into a fake IP address.

Figure 2.6: IP spoofing (upguard.com)

In the diagram, the public network is 10.10.10.0 and the DMZ is 192.0.2.0. Access attempt (B) from the Internet tries to fake its source IP into the 192.168.33.0 network belonging to the private LAN in order to gain access; with the help of the firewall and proxy servers it is detected and stopped.

Figure 2.7: Protection against IP spoofing (sc1.checkpoint.com)

By spoofing an IP address and impersonating an authorised device signed in to a network, attackers can often get around access control restrictions. A DMZ can detect and halt possible IP spoofers, while another network service verifies the validity of the IP address by checking whether it is reachable.
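Pulling together the packet-filtering and stateful-inspection methods from 2.1.1 and the three-zone layout of the DMZ figures above, the following added example (written for this page, not code from the original report or from any firewall vendor) is a toy stateful filter with default deny and an anti-spoofing check: a packet arriving on the outside interface whose source claims to be in the private LAN 192.168.33.0/24 is dropped before any rule is consulted, and a compromised DMZ host cannot open connections into the LAN. The web server address 192.0.2.10, the interface names and the rule set are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Zones from Figures 2.6/2.7 (public, DMZ, private LAN); anything else is the Internet.
ZONES = {
    "public": ipaddress.ip_network("10.10.10.0/24"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "private": ipaddress.ip_network("192.168.33.0/24"),
}
# Which zone legitimately sits behind each firewall interface (assumed names).
IFACE_ZONE = {"outside": "public", "dmz": "dmz", "inside": "private"}

def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "public"  # unknown addresses are treated as untrusted Internet

@dataclass(frozen=True)
class Packet:
    iface: str        # arrival interface: "outside", "dmz" or "inside"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = True  # True = new connection attempt, False = mid-flow / reply segment

# (source zone, destination zone, destination port or None for any, action).
# First match wins; anything unmatched falls through to default deny.
RULES = [
    ("public", "dmz", 80, "allow"),        # Internet may reach the DMZ web server
    ("public", "dmz", 443, "allow"),
    ("private", "dmz", None, "allow"),     # LAN may use DMZ services
    ("private", "public", None, "allow"),  # LAN outbound browsing
    ("dmz", "private", None, "deny"),      # inner firewall: a compromised DMZ host stays out
    ("public", "private", None, "deny"),   # outer firewall: no direct path to the LAN
]

class StatefulFirewall:
    def __init__(self):
        self.state = set()  # (src, sport, dst, dport) of connections already accepted

    def check(self, pkt: Packet) -> str:
        # 1. Anti-spoofing: the source must belong to the arrival interface's zone.
        if zone_of(pkt.src) != IFACE_ZONE[pkt.iface]:
            return "drop-spoofed"
        # 2. Stateful inspection: replies to an accepted flow pass without a rule lookup.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state:
            return "allow-established"
        if not pkt.syn:
            return "drop-no-state"  # mid-flow segment for a connection we never saw
        # 3. Packet filtering: compare the new connection against the rule list.
        src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
        for rule_src, rule_dst, port, action in RULES:
            if (rule_src, rule_dst) == (src_zone, dst_zone) and port in (None, pkt.dport):
                if action == "allow":
                    self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return action
        return "deny-default"
```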

2.2.2 Static IP

2.2.2.1 Definition

A static IP address, which can be IPv4 or IPv6, is a fixed or dedicated IP address that was manually configured for a computer. When a device is given a static IP address, it normally keeps that address until it is decommissioned or your network architecture changes. For this reason, static addresses are usually configured on servers or other important equipment so that they are easy to identify and connect to.

2.2.2.2 Its usage and advantages

IP addresses are the foundation on which networked computers identify and interact with one another. The IP address discloses the identity of each computer linked to the network. A static IP is useful in circumstances where basic requirements make it necessary, such as hosting a web, mail, or FTP server, better DNS support, remotely accessing a corporate network through a virtual private network (VPN) or other remote-access solution, hosting a webcam for video streaming, or using Voice over Internet Protocol (VoIP) for voice and video communications applications such as teleconferencing. In terms of security, a static IP address can provide some big benefits, as follows:

Figure 2.8: Static IP

Static IP addresses are beneficial for activities such as hosting a website from home, running FTP or mail servers in your network, using networked printers, forwarding ports to a single computer, running a print server, or using a remote access application. Other devices know how to contact a computer that uses a static IP address because it stays the same.

Furthermore, in a small business, it is convenient and easy to manage the traffic flows in the network while the IPs are fixed. Similarly, a static IP can be set up on a shared device that everyone in the office on your private LAN needs to use. That way, once every computer is set up to connect to that device, those connections remain valid indefinitely because the address never changes. In short, the use of static IPs creates a more reliable and stable connection.

Creating these stable, long-lasting settings gives us more benefits in improving security, because we can then focus on setting firewall rules and using security tools like IDS, IPS, and anti-virus programs on critical and essential devices.

For example, when an FTP server and a client computer each have a specific static IP address, a router can be configured more easily and reliably to forward certain inbound requests from that computer directly to the FTP server to receive files and access data. As a result, sensitive data is better protected because only the authorized address is forwarded. The same applies to services provided by DNS servers.

For remote access applications, using a static IP address means the network can only be accessed from that same address. Therefore, traffic from remote connections with other IPs can be denied, improving security against unauthorized access from the outside Internet into the internal LAN.

2.2.3 NAT

2.2.3.1 Definition

Network Address Translation (NAT) is the term for the process of modifying the IP address in the IP header of a data packet as it passes through a network towards the destination node, which allows private IP networks that use unregistered IP addresses to connect to the Internet. This feature adds to the security of the system by essentially concealing the entire internal network behind one public address. This method is commonly used for remote access because it provides both security and address conservation.

2.2.3.2 Its usage and advantages

Before analyzing the benefits of using NAT for security, we need to understand the basic operation of this method. The internet service provider assigns a pool of IP addresses to every entity that establishes a network. Inside global addresses are IP addresses that have been registered and are unique. The outside local address is one or more addresses that NAT has converted for the public network from addresses on the internal network. This translation is needed when devices on the stub domain communicate with another network such as the Internet.

As in the example below, in the private LAN there are many devices with different private addresses, but when traffic goes to the public network it is translated to the address 10.10.0.33 by NAT, using the TCP/IP protocol, so that it can communicate with devices on the network 10.10.0.1. All of this address data is stored by the router in the NAT routing table, also called the address translation table, which gets an entry for each translation as packets are transported.

Figure 2.9: NAT

NAT advertises only one IP address to the public network on behalf of the entire internal network, and that address is the only one that is visible. This provides anonymity by effectively shielding the private network's full set of IP addresses behind the single address, keeping the internal source and destination IP addresses hidden from the external network. This means that even for large companies with thousands of computers and thousands of individual IPs, computers outside the network can only see a single unique IP address. As shown in the image above, 3 computers with the IPs 192.168.0.3, 192.168.0.13 and 192.168.0.23 simultaneously access the Internet and send packets containing data. When they pass through the router, which now acts as an agent between the Internet and the private network, NAT is active, and information such as the corresponding IP address and port number is logged and checked in the NAT table. Inside the network you can see the different addresses, but from devices outside the LAN only one IP address, 10.10.0.33, is seen.

This also applies in the reverse direction. After searching the NAT table, if a matching entry is found the data is forwarded to the destination PC on the LAN. Otherwise, the data packet is discarded by the router and marked as unwanted traffic.
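The translation-table behaviour just described, as an added worked example written for this page (not code from the original report or from any router): a toy port-based NAT that maps the three inside hosts of Figure 2.9 (192.168.0.3, 192.168.0.13, 192.168.0.23) behind the single public address 10.10.0.33, forwards replies whose addresses and ports match a table entry, and discards inbound packets that match nothing. The external host 10.10.0.1, the port numbers and the strict per-peer matching are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

PUBLIC_IP = "10.10.0.33"  # the one address the outside world sees (Figure 2.9)

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""

@dataclass
class NatRouter:
    """Port-based NAT (PAT): each inside socket is given its own public port."""
    public_ip: str = PUBLIC_IP
    next_port: int = 40000                      # first public port to hand out (assumed)
    table: dict = field(default_factory=dict)   # public_port -> (in_ip, in_port, out_ip, out_port)
    lookup: dict = field(default_factory=dict)  # (in_ip, in_port, out_ip, out_port) -> public_port

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: rewrite the source to the public address and record the entry."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.lookup:              # new flow: make a translation-table entry
            self.lookup[key] = self.next_port
            self.table[self.next_port] = key
            self.next_port += 1
        return Packet(self.public_ip, self.lookup[key], pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: forward only if the table has a matching entry, else drop."""
        entry = self.table.get(pkt.dst_port)
        if pkt.dst_ip != self.public_ip or entry is None:
            return None                         # nothing inside initiated this: unwanted traffic
        in_ip, in_port, out_ip, out_port = entry
        if (pkt.src_ip, pkt.src_port) != (out_ip, out_port):
            return None                         # port is allocated, but this is the wrong peer
        return Packet(pkt.src_ip, pkt.src_port, in_ip, in_port, pkt.payload)

def demo() -> dict:
    """Three inside hosts reach 10.10.0.1:80 at once; report what each side observes."""
    nat = NatRouter()
    inside = ["192.168.0.3", "192.168.0.13", "192.168.0.23"]
    seen_outside = [nat.outbound(Packet(ip, 51000, "10.10.0.1", 80, "GET /")) for ip in inside]
    # The server answers the first host's translated port; the reply is mapped back.
    reply = nat.inbound(Packet("10.10.0.1", 80, PUBLIC_IP, seen_outside[0].src_port, "200 OK"))
    # An unsolicited packet to a port nobody opened is discarded by the router.
    probe = nat.inbound(Packet("10.10.0.1", 80, PUBLIC_IP, 40999, "unsolicited"))
    return {
        "public_sources": sorted({p.src_ip for p in seen_outside}),
        "public_ports": [p.src_port for p in seen_outside],
        "reply_to": (reply.dst_ip, reply.dst_port) if reply else None,
        "probe_forwarded": probe is not None,
        "table_entries": len(nat.table),
    }
```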

Figure 2.10: NAT benefits for LAN (kb.hostvn.net)

Consequently, the NAT router defends your link from malicious and unauthorized access. This ensures that until your device initiates the communication, a computer on an external network cannot connect to it. You can access the Internet, log in to a site, and even save a file, but your IP address cannot be used by anyone else to connect to a port on your device. As a result, with a NAT router in place, none of the worms or malicious viruses get the chance to damage your network.

Figure 2.11: LAN benefit for remote-access control (medium.com)

This applies not only to LAN protection but also to the company's remote access, where data must be transferred over the public Internet connection. With NAT, your company has the power to decide which traffic is valid and can be trusted, and which traffic comes from unknown sources and needs to be dropped. Thanks to filtering and traffic logging, your organization can monitor the kinds of places workers access on the Internet, stop them from accessing objectionable content, and use traffic monitoring to keep track of which websites are being accessed and produce reports from it.

2.3 M2 Benefits of implementing network monitoring systems, with supporting reasons

Network monitoring systems, which provide software and hardware mechanisms for detecting and documenting faults in devices and links for the purposes of enforcement and security maintenance, can track different facets of a network's operation, including traffic, bandwidth usage, and uptime. These systems can automatically add new devices, map your network topology and spot malicious activity. Furthermore, they assist in quickly detecting device or connection failures, or issues such as traffic bottlenecks that limit data flow, and alert administrators.

2.3.1.1 Preventing network outages before they happen

Human error, configuration issues, and environmental factors can all cause outages, one of the worst nightmares of any network administrator. Network monitoring solutions can help companies prevent an outage before it happens by sweeping the network for any suspicious performance behavior that indicates an outage is about to happen; the system detects the problem and alerts you to it.

2.3.1.2 Reducing performance failure time

A monitoring solution informs your team of issues as major network performance problems happen, drastically reducing the time and financial cost it takes for your enterprise to discover problems. Your company can also reduce the mean time to repair (MTTR) of network performance issues, because the solution alerts your team to performance issues as soon as it discovers them and includes diagnostic tools that give your team an initial assessment of the issue. By identifying slowdowns and problem areas and collecting performance data, network monitoring systems allow administrators to optimize a network's performance.

2.3.1.3 Generating network performance reports

A network monitoring solution constantly tracks performance data, automatically generates performance reports for your company to review, and converts them into several printable file types on its dashboard weekly, monthly, quarterly, and so on. These reports include both recent and historical data, so the company can analyse network performance over time.

In addition, the implementation of network monitoring systems also helps in discovering security threats on your network and maintaining full network visibility. Security threats lurking in your system can sometimes go unnoticed by conventional methods; these systems detect them and alert your company about events involving any unusual behaviour, such as password changes or the existence of malware on your system.

Some systems may identify potentially dangerous actors on a network and take action to remove them as soon as possible, thereby minimizing risk and damage. Furthermore, monitoring software automatically detects devices that connect to a network, creating and updating graphical charts that show information about the performance of your network nodes. It gives observations on every bit of traffic that passes through your network, monitors and checks every connected system and the common performance metrics for your business, and provides real-time analysis of data. It ensures that if a fault or problem is found, you can be notified automatically by email. This can reduce the need for on-site system administrators and manual reviews, saving both time and money.

In conclusion, all of this helps secure your data, give your company a safe computing experience, improve network performance and preserve essential data, and ensure your system runs stably while you remain in control and understand what is going on in your system.

2.4 D1 Investigate how a 'trusted network' may be part of an IT security solution

2.4.1 Trusted network

A 'trusted network' is one that a network administrator tries to protect and for which he or she defines the security parameters; it is under the control of the network manager or the network administrator and is used to conduct internal business. In many cases, the trusted network is by default defined in the organization as "secure." The trusted network typically supports the backend systems, internal-only web pages, data processing, messaging, and, in some cases, internal instant messaging. In many companies, the trusted network allows direct interaction between systems without encryption. Also, various protocols will exist within the trusted network without any type of filtering or even virus scanning.

(Ellis, Tim, S and Juanita, 2003)

CHAPTER 3 Mechanisms to control organisational IT security

3.1 P5 Risk assessment procedures

3.1.1 Risk & risk assessment.

Risk is described as the potential for loss, destruction, unavailability or damage to information or assets, as well as the potential for harm to individuals, when a threat exploits a vulnerability. It is also defined as the effect of uncertainty on objectives, and it is usually expressed in terms of likelihood and consequence. People, procedures, systems, methods, cybercrime, malware attacks and natural disasters are the most common sources.

Some examples of consequences are financial loss, loss of privacy, reputational damage or casualties.

Risk assessment is described as the overall process of identifying hazards that have the potential to cause harm, especially to individuals and to the system; analysing and evaluating the risk associated with each threat, such as the likelihood of it happening and the severity of its effects; and then determining appropriate ways to prevent it, or how to handle it when the hazard cannot be avoided.

Its goal is to help businesses prepare for and mitigate risk by providing an analysis
of possible hazards, preventing injuries and illnesses, and justifying risk management and
remediation costs.

3.1.2 Asset identification procedure

Asset identification is defined as the use of attributes and methods to uniquely identify an asset, which allows data about it to be matched across different sources, reported on, targeted by actions against that specific asset, and used in other business processes. It is a vital process for any business, because knowing which equipment you have is the prerequisite for being able to monitor and protect it.

It assists in asset labelling, avoiding compliance problems and preventing theft and loss. The actions required are:

 Make a list of all of the company's assets.
 Keep track of the attributes of each asset (owner, location, classification, configuration).
 Measure the assets' relative value to the business.

3.1.3 Threat identification procedure

The threat identification process looks at the IT vulnerabilities and assesses each threat's ability to compromise the system, so that you can block unauthorised users, prevent data compromise and take proactive measures.

The two main steps in identifying threats are:

Categorise the hazards as physical or logical. Fire, water, power fluctuations, environmental destruction, pollution and physical intrusion are all threats to the physical infrastructure of information systems. Logical threats include malware, worms and logical intrusion, which damage software and data without requiring physical presence. This step entails evaluating and understanding the organisation's specific threat portfolio, and producing a report that lets you take proactive risk control measures.

Design an attack tree. This allows for comprehensive modelling of risks to system security in an easy-to-understand graphical format, as well as a structured way of defining metrics that calculate the likelihood of an attack, the cost or organisational complexity of staging it, and any other quantifiable measure of interest. The root of the tree is the attacker's goal, the leaves are the individual steps, and each branch is either an OR node (any one child achieves the parent) or an AND node (all children are required).

Here is an attack tree that shows a subset of the potential attack vectors that might lead to passengers receiving fake transit information from PID apps.

Figure 3.1: Attack tree [eng.dieselloc.ru]
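As an added example of how such a tree is evaluated (illustration code written for this edit, not part of the original report or of the cited figure), the Python below encodes a small tree for the same scenario. Every node name, cost and probability is an assumption chosen for the example: OR nodes take the cheapest or most likely child, AND nodes add costs and multiply probabilities, and the cheapest path is extracted so a defender can see which leaf steps to break first.

```python
"""Attack-tree evaluation: an added example, not from the original report.

The tree is a constructed, hypothetical model of the figure's scenario
(passengers receiving fake transit information).  Every node, cost and
probability below is an assumption for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Node:
    name: str
    kind: str = "leaf"          # "leaf", "and" or "or"
    cost: float = 0.0           # attacker effort for a leaf (arbitrary units)
    prob: float = 0.0           # chance the leaf step succeeds, 0..1
    children: List["Node"] = field(default_factory=list)

    def min_cost(self) -> float:
        """Cheapest way to achieve this node: OR picks the cheapest child,
        AND must pay for every child."""
        if self.kind == "leaf":
            return self.cost
        costs = [c.min_cost() for c in self.children]
        return sum(costs) if self.kind == "and" else min(costs)

    def max_prob(self) -> float:
        """Most likely way to achieve this node: OR takes the best child,
        AND needs all children so probabilities multiply."""
        if self.kind == "leaf":
            return self.prob
        probs = [c.max_prob() for c in self.children]
        if self.kind == "and":
            result = 1.0
            for p in probs:
                result *= p
            return result
        return max(probs)

    def cheapest_path(self) -> List[str]:
        """Leaf steps on the cheapest path to this node (first minimum on ties)."""
        if self.kind == "leaf":
            return [self.name]
        if self.kind == "and":
            return [step for c in self.children for step in c.cheapest_path()]
        best = min(self.children, key=lambda c: c.min_cost())
        return best.cheapest_path()


def build_tree() -> Node:
    """Constructed tree; all names and numbers are illustrative assumptions."""
    return Node("Passengers receive fake transit information", "or", children=[
        Node("Compromise the PID back-end", "and", children=[
            Node("Phish an operator's credentials", cost=20, prob=0.4),
            Node("Abuse the feed-upload API with stolen credentials", cost=10, prob=0.8),
        ]),
        Node("Spoof the data feed in transit", "and", children=[
            Node("Get on the same network as a display", cost=15, prob=0.5),
            Node("MITM the unencrypted feed", cost=25, prob=0.6),
        ]),
        Node("Tamper with a single display locally", cost=60, prob=0.7),
    ])


def evaluate(root: Node) -> Tuple[float, float, List[str]]:
    """Return (minimum attacker cost, maximum success probability, cheapest path)."""
    return root.min_cost(), root.max_prob(), root.cheapest_path()


if __name__ == "__main__":
    cost, prob, path = evaluate(build_tree())
    print(f"cheapest attack: cost={cost}, best-case probability={prob:.2f}")
    print("steps:", " -> ".join(path))
```

Note that the cheapest branch (phishing plus API abuse) and the most likely branch (local tampering) differ: that is exactly why the text asks for more than one metric per tree, and why the mitigation for the cheapest path (MFA on operator accounts) is not the same as the one for the most likely path (physical security of displays).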

3.1.4 Risk assessment procedure

Risk assessment is a thorough review of what may cause individuals harm in the
workplace, in order to determine if any procedures are in effect and whether further pre-
ventative steps are needed.

1. To begin, the effect of each vulnerability on the organisation must be calculated.

After identifying the risks, they must be rated according to their likelihood of occurrence, and then the adverse impact must be determined. Where historical data exists it should be used: an existing analysis of the number of fire incidents in an organisation, for example, gives a measurable frequency for fire protection planning. Where no previous evidence or credible source of occurrence rates is available, users are asked to provide a best estimate of how often the hazard is likely to occur and how serious the effects would be. The higher the value of the information asset, the greater the impact of a vulnerability that exposes it, so valuable assets need the closest attention.

2. The corporation must then quantify the risk's likelihood and impact.

The expected loss is calculated in this stage of the exposure analysis using the formula:

A = B × C × D

A = Expected loss
B = Chance (in %) of the threat occurring
C = Chance (in %) of the threat being successful if it occurs
D = Loss that will arise if the threat succeeds

Because B and C are expressed as percentages, each is divided by 100 before multiplying; the result is the loss to expect per period covered by B (for example per year), which is the figure a control's cost should be compared against.
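The following Python, added here as a worked example rather than taken from the report, applies A = B × C × D to a small constructed risk register, ranks the threats by expected loss and maps each one to the Low/Medium/High bands of a qualitative matrix. The threats, percentages, loss figures and band thresholds are all assumptions for illustration, not CIAO Company data.

```python
"""Expected loss for a risk register: an added example, not from the report.

Implements A = B * C * D with B and C given as percentages (0..100) and
ranks a constructed register.  Every entry and threshold is an assumption.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Risk:
    threat: str
    occurrence_pct: float   # B: chance the threat occurs in the period, in %
    success_pct: float      # C: chance the threat succeeds if it occurs, in %
    loss: float             # D: loss if the threat succeeds (currency units)

    def likelihood(self) -> float:
        """B and C as one probability (0..1)."""
        for pct in (self.occurrence_pct, self.success_pct):
            if not 0 <= pct <= 100:
                raise ValueError("percentages must be between 0 and 100")
        return (self.occurrence_pct / 100) * (self.success_pct / 100)

    def expected_loss(self) -> float:
        """A = B * C * D."""
        return self.likelihood() * self.loss

    def qualitative_level(self) -> str:
        """Map likelihood and impact onto a 3x3 matrix (thresholds are assumptions)."""
        lik = _band(self.likelihood(), medium=0.05, high=0.25)
        imp = _band(self.loss, medium=10_000, high=100_000)
        return MATRIX[(lik, imp)]


def _band(value: float, medium: float, high: float) -> str:
    return "H" if value >= high else "M" if value >= medium else "L"


# (likelihood band, impact band) -> qualitative level, as in Figure 3.2-style matrices.
MATRIX: Dict[Tuple[str, str], str] = {
    ("L", "L"): "Low",    ("L", "M"): "Low",    ("L", "H"): "Medium",
    ("M", "L"): "Low",    ("M", "M"): "Medium", ("M", "H"): "High",
    ("H", "L"): "Medium", ("H", "M"): "High",   ("H", "H"): "High",
}


def rank_register(register: List[Risk]) -> List[Risk]:
    """Highest expected loss first: the order in which to spend mitigation budget."""
    return sorted(register, key=lambda r: r.expected_loss(), reverse=True)


def justified_control_budget(risk: Risk, reduction_pct: float) -> float:
    """Upper bound on what a control is worth per period if it removes
    reduction_pct percent of the expected loss; spending more than this costs
    more than the loss the control prevents."""
    return risk.expected_loss() * reduction_pct / 100


# Constructed register for illustration only.
REGISTER = [
    Risk("Ransomware via phishing e-mail", 60, 30, 200_000),
    Risk("Server room fire", 2, 90, 500_000),
    Risk("Laptop theft with unencrypted data", 20, 100, 40_000),
    Risk("Power outage longer than 4 hours", 30, 100, 5_000),
]

if __name__ == "__main__":
    for r in rank_register(REGISTER):
        print(f"{r.threat:38s} A={r.expected_loss():>9,.0f}  {r.qualitative_level()}")
```

The ranking and the matrix disagree on purpose for the fire scenario: its expected loss is modest because it is rare, yet its impact band is High, which is the case the text describes as needing a formal plan (or insurance) rather than a cheap control.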

Figure 3.2: Qualitative Risk Analysis (ccna)
3.1.5 List risk identification steps

Risk identification takes place during the risk management process and throughout the life cycle of a project; it is an ongoing and persistent task whose purpose is to recognise and evaluate risks to an organisation's activities and personnel. Analysing IT security risks such as malware and ransomware, accidents, natural disasters and other potentially dangerous events that could interrupt company processes are all examples of risk identification. It is used to determine what, where, when, why and how something could harm a company operation. Businesses should create strategies to mitigate adverse incidents by identifying risks before they occur. The aim of this step is to recognise any potential threats to the company's activities, such as lawsuits, theft, data breaches, market downturns and so on.

When carrying out this process, we must go through 4 steps:

1. Inventory the assets.
2. Determine what threats exist against the assets and where they are coming from.
3. Examine whether there are any vulnerabilities that can be exploited.
4. Decide how to cope with the risk.

Since certain threats will always remain, some risk identification processes have a final phase of monitoring and reviewing risks. Using the example of a natural disaster, companies in Japan will still be exposed to earthquakes, while businesses in the high mountains of Vietnam's North West region will still be exposed to landslides.

3.2 P6 Data protection processes

3.2.1 Define data protection

Data protection is the process of safeguarding important information from corruption, compromise or loss, and of keeping data available under all circumstances. It grows in importance as the amount of data created and stored continues to grow at unprecedented rates, and it must ensure that data can be restored quickly after any corruption or loss.

3.2.2 Relations of data protection process to organization

Modern data protection for primary storage uses capabilities built into the storage system that supplement or replace traditional backups while still protecting against the same failures.

Firstly, to ensure the data is accessible even if a storage system fails. Synchronous
mirroring simultaneously writes data to a local disk and a remote site. The write isn't com-
plete until the remote site sends a confirmation, meaning that the two locations are always
identical.

Secondly, to guard against a single point of failure, data is spread over several disks (RAID), so that the loss of one disk does not lose the data. Snapshots complement this: they capture the state of a volume at a point in time and may be used to restore data that has been lost or destroyed by mistake. Most storage systems today can maintain hundreds of snapshots without affecting performance significantly. When data is lost or removed by mistake, a snapshot can be used to copy back individual files or to roll back the current volume.

Next, to save the most recent versions of data that are most likely to be used in the
case of a major incident, and to instantiate program images, a company may use replica-
tion in conjunction with cloud recovery products and services.

Furthermore, companies should ensure that data stored remotely is protected, since ransomware attacks are made worse when remote workers connect over less controlled networks. Data protection, above all, prevents the loss of the organisation's data through backup and recovery; because backups are themselves a ransomware target, at least one copy should be kept offline or immutable.

3.2.3 The importance of data protection and regulation

First and most important, a business's data storage systems hold the names, photographs and personal details of existing staff, employees, corporate associates, clients, consumers and other members of the public: e-mail addresses, phone numbers, bank and credit card details, health-related information, fingerprints, browser history, cookie data, passwords, financial records, a person's racial or ethnic heritage, political opinions, social or moral views, community identifiers, sexual orientation, biometric and genetic data and other confidential information.

Secondly, with the rise of user-generated data and data's exponential commercial value, it is more crucial than ever for companies to secure citizens' data rights. This helps to prevent data being misused by third parties for fraud, such as phishing scams and identity theft.

Following that, obtaining the consent of the individual whose data is being collected increases client trust in the company and strengthens its brand, reputation and standing in the eyes of users, staff and partners.

Next, it’s to avoid the possibility of a data breach, which may result in tens of thou-
sands of dollars in monetary damages for organizations deemed to be non-compliant or
incompetent in their data protection duties.

Last but not least, it’s to protect the privacy of individuals' personal information and
to restrict the collection, use, transmission, and dissemination of that information. Further-
more, understanding that personal data security is a human right allows people access to
their data and establishes compliance mechanisms for organisations that handle personal
data, as well as providing solutions for unauthorised and harmful processing.

CHAPTER 4 Manage organisational security

4.1 P7 Security policy for an organisation.

4.1.1 Definition

A security policy is a written guideline in an organisation that specifies the rules and
procedures for all entities accessing and using the organization's IT facilities and services
in order to protect the organization from attacks. As a result, a successful IT security policy
is a one-of-a-kind document for each company, shaped by its personnel's attitudes toward
their information and jobs.

Some examples of security policy are Acceptable Use Policy (AUP), Human Re-
source Policy, Password Management Policy, Physical Policy, Ethics Policy, DMZ Security
Policy, E-mail Policy, VPN Policy and Wireless Communication policy

In my view, the two crucial policies are the AUP and the Physical Policy. For CIAO Company, the other necessary policies are a Remote Access Policy and a Password Management Policy, because staff need to use a VPN to access data on the company server.

4.1.2 Security policy elements

Information security is described as safeguarding information with three primary goals, also known as the CIA objectives:

 Confidentiality: Data and information assets must be kept private and only
shared by those that have been granted access.
 Integrity: Maintaining data integrity, completeness, and accuracy, as well as
keeping IT applications operating
 Availability: This means that authorised users have access to information or a device when they need it.

A security policy should include everything relating to IT security and the security of
related physical properties, so it must be enforceable in its entirety. The following is a list
of key factors to address when creating an information security policy.

Acceptable use: This is a general statement that defines the importance of security to the company when it comes to the use of company resources and time. It establishes the structure of the security program, describes the policy's objectives and values, and determines the responsible person.

Due care: This is the collection of reasonable steps a company takes to show that it has acted responsibly; it is what the company points to when defending itself against claims of negligence.
Privacy: Protecting customer and supplier data builds trust between the organisation and third parties, which leads to increased consumer confidence and avoids legal action.

Separation of duties: No single person should be able to modify or remove a piece of equipment alone; instead, different personnel should be appointed to conduct user access checks, training, change management, incident management, implementation and regular updates of the security policies.

“Need-to-know”: a dissemination principle under which people can only have access to the information and services that they require for their role.

Password management is the last and most critical safeguard for protecting database safety and device integrity by keeping unauthorised users out of operational networks. Minimum length, allowed character set, disallowed strings and maximum password age are all attributes and procedures that can be defined.
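As an added example (not from the report), the Python below turns those attributes into a checker that a password-change hook or help-desk script could call. The thresholds, the disallowed-string list and the sample passwords are assumptions for illustration.

```python
"""Password policy checker: an added example, not from the report.

Encodes the attributes the policy lists (minimum length, allowed character
set, disallowed strings, maximum age) plus a character-class rule.  All
thresholds and the disallowed list are assumptions for illustration.
"""
import re
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 12
    # Allowed set: printable ASCII without whitespace (assumption).
    allowed: re.Pattern = re.compile(r"^[\x21-\x7e]+$")
    # Substrings that must not appear, case-insensitively (assumption).
    disallowed: tuple = ("password", "ciao", "123456", "qwerty")
    max_age_days: int = 90
    # Require at least three of lower, upper, digit, symbol (assumption).
    min_classes: int = 3


@dataclass
class Result:
    ok: bool
    failures: List[str] = field(default_factory=list)


def char_classes(pw: str) -> int:
    """Number of distinct character classes present in pw."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(check(c) for c in pw) for check in checks)


def check_password(pw: str, policy: PasswordPolicy,
                   username: Optional[str] = None,
                   last_changed: Optional[str] = None,
                   today: Optional[str] = None) -> Result:
    """Evaluate pw against every rule; dates are ISO strings (YYYY-MM-DD)."""
    failures: List[str] = []
    if len(pw) < policy.min_length:
        failures.append(f"shorter than {policy.min_length} characters")
    if not policy.allowed.match(pw):
        failures.append("contains characters outside the allowed set")
    lowered = pw.lower()
    for bad in policy.disallowed:
        if bad in lowered:
            failures.append(f"contains disallowed string '{bad}'")
    if username and username.lower() in lowered:
        failures.append("contains the username")
    if char_classes(pw) < policy.min_classes:
        failures.append(f"fewer than {policy.min_classes} character classes")
    if last_changed is not None:
        changed = date.fromisoformat(last_changed)
        now = date.fromisoformat(today) if today else date.today()
        if (now - changed).days > policy.max_age_days:
            failures.append(f"older than {policy.max_age_days} days")
    return Result(ok=not failures, failures=failures)


if __name__ == "__main__":
    policy = PasswordPolicy()
    for candidate in ("ciaoen3#$%", "Tr0ub4dor&3-Staple!"):
        result = check_password(candidate, policy, username="admin",
                                last_changed="2021-01-01", today="2021-03-01")
        print(candidate, "OK" if result.ok else result.failures)
```

Run against the lab's own enable password it reports two failures (too short, contains the company name), which is the kind of finding a policy of this sort exists to catch before a device goes into production.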

Service-level agreements (SLAs) are contracts between an application service provider (ASP) and a customer that commit the ASP to a specific, documented level of service. This section might cover levels of service and support, penalty clauses and the disaster recovery plan (DRP).

Destruction or disposal of information and storage media: demagnetise (degauss) magnetic media before disposal. Degaussing has no effect on SSDs and flash drives, which need a firmware secure-erase or physical destruction instead.

4.1.3 Steps to design a policy

Technology is used to combat external threats, and several technologies are available to reduce external network risks, such as firewalls, antivirus software, IDS and e-mail filtering; these tools are typically implemented by IT personnel and go unnoticed by users. A policy, however, will shield you and your business against lawsuits if you can demonstrate that any inappropriate activities were carried out in breach of it. A rational and well-defined policy is also more likely to reduce bandwidth consumption, increase employee performance and minimise the risk of potential legal problems. The 4 main steps to design a policy are:

4.1.3.1 Identify your risks

Monitoring or reporting software such as firewalls and Internet security products can be used to detect threats: access to material that should be restricted, large attachments and files being sent or received, and potentially offensive attachments making the rounds. The planning team must identify every threat that could endanger the company. This can range from unauthorised access to confidential data, or data that has been improperly encrypted, to organisational issues such as passed-around or shared user accounts. A data breach or device outage could cost tens of thousands of dollars in lost employee productivity.

4.1.3.2 Make the security level match the risk

The scope of security measures taken should correspond to the real threat. Exces-
sive enthusiasm in developing a cybersecurity strategy will potentially damage an organi-
zation's activities, causing inefficiencies and putting undue strain on employees. For ex-
ample, a small advertising startup would not need the same level of protection as an inter-
national organisation. Excessive protection can make it difficult to run a company smooth-
ly, so be careful not to overprotect. However, in order to serve as a point of reference and
a guiding principle for actions, the actual written information security policy must be both
specific about procedures and straightforward about how to interact with them.

4.1.3.3 Train your employees

As part of the AUP implementation process, staff training is either ignored or under-
valued. However, in fact, it not only assists you in informing staff and clarifying any con-
cerns that were not addressed explicitly, but it also encourages you to explore the policy's
particular implications. Ensure that every member of the team has read, signed, and com-
prehended the regulation; keep them updated as the guidelines and tools are developed;
since people recognize the importance of a responsible security policy, they will be far
more likely to comply.

4.1.3.4 Install the tools you need

Having a policy is one thing, but executing it is another. Today's organisations stand or fall on the confidentiality of their sensitive data. When they have an appropriate, robust information security policy, they are protected from having their important data stolen through external cyberthreats or human error. An organisation positions itself for long-term development and prosperity by developing and enforcing an information security policy that ensures all customers and employees act in a manner that improves rather than weakens data security.

4.2 P8 Main components of an organisational disaster recovery plan

4.2.1 Business continuity and disaster recovery plans

The advance planning and training undertaken to ensure that an entity can have the
capabilities to perform its essential business operations during emergency situations is
known as a business continuity plan (BCP). It is vital for organisations of any scale to re-
tain all functions for the duration of a disaster. Natural disasters, business crises, pandem-
ics, workplace violence, and other events will all cause a disruption in your company oper-
ations. A strong BCP addresses the requirements for services, procedures, and functions
to return to normal operations, minimizing downtime.

A disaster recovery plan is a documented procedure for restoring critical supporting systems, such as hardware, IT assets and communications, in order to minimise downtime and bring technical operations back up and running as quickly as possible. Disaster recovery strategies are primarily data-centric, focusing on managing data in a manner that lets it be recovered quickly after a disaster.

A DRP, similar to a BCP, outlines an organisation's intended methods for post-failure procedures. A BCP, however, focuses on keeping the organisation running during and directly after a crisis, while a DRP focuses on how the company reacts to the failure of its IT systems and how it returns them to normal.

4.2.2 List the components of recovery plan.

Companies must prioritise cybersecurity measures and shield their own and their customers' data against cyber-attacks. Unfortunately, no measure is perfect, and outages and natural disasters interrupt company operations in similar ways. To prepare for worst-case situations, all companies should have a DRP.

There are 5 main components of a disaster recovery plan.

4.2.2.1 Covered disasters

The ability of experienced information security staff to assess potential risks is indispensable. Though you cannot predict all possible risks, you can create an appropriate plan by estimating the likelihood and scale of each one, such as building fires, wildfires, flooding, hurricanes, tornadoes, blizzards, wind storms, earthquakes, landslides, road closures, power outages, biological threats, hazardous material spills, violence or terrorism, cyber attacks and network intrusions.

4.2.2.2 Team members and their contact information

After a disaster, the personnel play a vital part in resuming operations. Key responsibilities and the personnel responsible for DRP coordination should be well defined in the DRP. To avoid chaos, duplicated effort and disruptions in the recovery workflow, make sure all employees are aware of the process and that everyone knows who takes responsibility. When including your staff in emergency preparations, make sure that more than one person knows the critical steps to take.

4.2.2.3 Business impact assessment

After mapping out all of the assets and determining which ones need protection, create a list of assets, such as network infrastructure, hardware, software, cloud services and sensitive data, to provide a thorough overview of the company's structure. Update the list as assets are added, removed or changed, and use it as an opportunity to purge redundant resources.

Then, based on their criticality and purpose, rank the assets to understand the value of each one, which would have the greatest effect if damaged or destroyed, and how they depend on one another, in order to determine which should be prioritised, from high to low, in a crisis.

4.2.2.4 Business resumption and continuity plan

Businesses must not only put in place a solid DRP and BCP, but also track it to en-
sure that all aspects are executed effectively and that the plan is revised on a regular
schedule.

4.2.2.5 Backup and restore documentation

The company's critical documents can be destroyed in an instant if there is a natural disaster. Hold copies of sensitive records in a suitable off-site place, such as a safe deposit box, and store essential documents on an upper floor instead of the basement. Make sure the off-site backup location is far enough away that the same disaster cannot take down both locations at once. Consider online backup as well: cloud backup speeds up disaster recovery, enabling companies to come back with restored data in minutes after a disaster.

4.2.3 Required steps in disaster recovery process

A DRP helps the company continue to operate even when natural disasters such as earthquakes, floods or other catastrophes strike. It assists in maintaining a manageable environment, decreases the effects of cyberattacks and safeguards your clients' personal information.

4.2.3.1 Identify and evaluate possible causes of the outage

Natural hazards, power outages, and network failures, as well as human error, and
cyber attacks, all pose increasing threats to businesses. The first step is to identify any
weaknesses in the IT infrastructure so that you can understand where the risk is coming
from.

4.2.3.2 Assess business impact

Any DRP should begin with an assessment of the organisation's risks, which managers can link to a business impact report. Only by considering risk and effect together can the board determine the organisation's goals and the types of security measures that are required. Some threats will be so likely, and their consequences so serious, that only a formalised DRP can mitigate them; some need only a staged DRP; and some are best handled by insurance.

4.2.3.3 Document the recovery procedures in concise language

Once an incident has been identified, a recorded series of steps is used to carry out the DRP. For the DRP to be as efficient as possible, all automatic and manual processes should be neatly recorded. Comprehensive documentation raises the likelihood of an effective reconstruction of the network infrastructure. Keep one copy of this documentation offline and another in a private cloud, so that it is still reachable when the primary site is not. Furthermore, it must be concise so that it can be understood by all employees.

4.2.4 Policies and procedures required for business continuity.

4.2.4.1 Security policy

A security policy is a structured document that outlines clear, detailed, and well-
defined plans, regulations, and procedures that govern access to an organization's infra-
structure and the data contained inside it. Consequently, each company's effective IT se-
curity policy is a one-of-a-kind document influenced by its employees' attitudes toward
their data and work. It will define how the security program is structured, outline the poli-
cy's objectives, identify the responsible one, and explain the policy's strategic value.

4.2.4.2 Human resources policy

Human resource policies are the written rules and procedures that companies use to manage their workforce. HR procedures, in turn, are step-by-step directives that detail how to apply these policies. Defining these policies and procedures is one of the main roles of human resource management.

4.2.4.3 Incident response policy

This policy extends to all staff, including employees, interns, temporary workers, consultants, those hired through contracting agencies, and anyone allowed to access the company's enterprise assets and information services, regardless of the ownership or location of the information systems used to store, process, transfer or access data. Its purpose is that, in the midst of a crisis, the right decisions can be taken to regain control of the situation. A cybersecurity incident can be a frightening scenario, because if the response is not planned carefully, the possible consequence is serious harm to the company's credibility.

CHAPTER 5 Implement

Before carrying out the security policy, let us take a quick review of CIAO Company's infrastructure:

Figure 5.1: CIAO Company’s infrastructure

Device   Interface      IP Address             Subnet Mask
R1       S0/0/0 (DCE)   10.1.1.1 (Internet)    255.255.255.252
R1       F0/1           192.168.0.1 (WR)       255.255.255.0
R1       F0/2           192.168.1.1 (R2)       255.255.255.0
R1       F0/3           192.168.3.1 (R3)       255.255.255.0
R2       F0/1           192.168.1.2 (R1)       255.255.255.0
R3       F0/1           192.168.3.2 (R1)       255.255.255.0
WR       F0/1           192.168.0.2 (R1)       255.255.255.0

VLAN   Network        Subnet Mask      Used for
10     192.168.10.0   255.255.255.0    Engineering
20     192.168.20.0   255.255.255.0    Accounting
30     192.168.30.0   255.255.255.0    Sales
40     192.168.40.0   255.255.255.0    CCTV

During the design process, there are 3 main components that should be protected
to ensure the safety of the system:

5.1 Website – Application

5.1.1 Server-Side Web Application Attacks

Cross-Site Scripting (XSS) attacks are injection attacks in which malicious scripts are inserted into otherwise trustworthy and benign websites. An XSS attack occurs when an attacker uses a web application to deliver malicious code, usually in the form of a browser-side script, to a particular end user. The flaws that make these attacks work are common and can be found anywhere a web application includes user input in its output without validating or encoding it.

SQL injection is a web hacking technique that inserts malicious SQL into statements built from web page input; it is a code injection technique that can expose or destroy your database. It typically happens when you ask a user for a value, such as their username or user ID, and the user instead supplies a fragment of SQL that you unknowingly run against your database, because the value was concatenated into the query string rather than passed as a bound parameter.

Figure 5.2: SQL injection


5.1.2 Client-side Application Attacks

Header manipulation occurs when an attacker modifies HTTP headers in order to launch an attack. HTTP header abuse is not an attack in and of itself, but rather a vehicle for other attacks such as XSS.

Cookies are divided into three categories: first-party cookies, third-party cookies and session cookies. Third-party cookies can be used to track a user's browsing or purchasing habits, while a stolen session cookie can be replayed to impersonate the user.

When malicious attachments are opened, they can transmit viruses, Trojans, and
other malware.

5.2 Network

A Denial-of-Service (DoS) attack is a deliberate effort to block legitimate users from gaining access to a server by flooding it with requests. Most DoS attacks today are distributed denial-of-service (DDoS) attacks, which use hundreds or thousands of zombie devices in a botnet to bombard a system with requests instead of a single computer. Attackers target high-profile systems, such as web servers, as well as infrastructure targets, such as routers and network links.

Interception: An interception occurs when an asset is accessed by an unauthorised entity. The outside party may be an individual, a program or a computer system. Illicit copying of software or data files, or wiretapping to capture data on a network, are examples of this kind of attack.

5.2.1 Wireless

Below are the measures we can take to increase the security of the wireless connection on the Wireless Router on the 1st floor.

Figure 5.3: Disable SSID broadcast
Disable SSID broadcast: To stop publicising your SSID and make it less convenient for strangers to find your network, select disable. Hiding the SSID makes the network harder for casual users to locate, but it is not a security control on its own: the SSID is still sent in clear text in probe and association frames, so a wireless sniffer recovers it in seconds. At the very least, change the SSID to something new. Leaving it at the manufacturer's default lets a potential attacker work out what kind of router you have and exploit any known flaws in it.

Figure 5.4: Encrypt the data

Protect the data on your network by encrypting it. By encrypting your wireless data, anybody who can receive your network's radio signal is unable to read it. This protection is provided by a family of protocols: Wi-Fi Protected Access (WPA), WPA2 Personal and WPA2 Enterprise encrypt data sent between wireless routers and wireless devices. The original WPA (TKIP) is deprecated and should not be selected. In this case WPA2 Enterprise is chosen, because it authenticates each user individually through a RADIUS server instead of sharing one pre-shared key across the company.

Figure 5.5: Enable MAC filter

Restrict access. By filtering MAC addresses, you limit which devices can join the network. For detailed instructions on how to enable this function, consult your user documentation. Bear in mind that a MAC address is transmitted in clear text and can be cloned by an attacker, so MAC filtering is a convenience control rather than a barrier. You may also make use of the "guest" account, a popular feature on many wireless routers, which lets you provide guests with wireless access on a separate network with a different password while keeping your primary credentials private.

Figure 5.6: Use Radius Server
The RADIUS server gives each user an individual account that allows them to access the network; the wireless router forwards the 802.1X/EAP authentication to it, so WPA2 Enterprise never hands a shared key to users.

5.2.2 Secure the routers

In this section, the routers will be secured with strong passwords, password encryption and a "You are not authorized to access!" login banner. Note that service password-encryption only obscures line passwords with the reversible type 7 encoding, whereas enable secret stores a one-way hash; the secret form should be used wherever IOS offers it.

 Enable password: ciaoen3#$%


 Password for console: ciaocon3#$%
 Password for vty lines: ciaovty3#$%

Configure the enable password (commands shown in full; IOS accepts the abbreviated forms, but they are ambiguous to read):

security passwords min-length 9
enable secret ciaoen3#$%
service password-encryption
banner motd "You are not authorized to access!"

Local AAA authentication

AAA (Authentication, authorization, and accounting) refers to a system for intelli-
gently monitoring access to computing infrastructure, implementing rules, auditing use,
and supplying the information needed to charge for services. These processes work to-
gether to provide efficient network management and protection.

username Admin secret ciaoad3@#$
aaa new-model
aaa authentication login default local none

The final keyword none means that if the local method cannot be evaluated (for example, no usernames are defined), the login is allowed without authentication; it is a safety net for a lab device and should be removed on a production router so that the method list ends with local.

Figure 5.7: Result of secure routers and AAA

Configure the console and VTY lines password

line console 0
 password ciaocon3#$%
 login
 exec-timeout 5
 logging synchronous
line vty 0 4
 exec-timeout 5
 password ciaovty3#$%
 login
 login authentication default

With aaa new-model enabled, login on a line is equivalent to login authentication default, and the line password is no longer consulted: authentication is decided by the AAA method list (here the local user database). The line passwords are kept so the lines remain protected if AAA is ever disabled.

Figure 5.8: Result of console and VTY lines secure


5.2.3 SSH server on R3

SSH is a protocol that allows two computers to exchange data safely over an untrusted network. SSH ensures that the transferred identities, records and files are kept private and intact. It can be used on almost all machines and servers. An SSH server is a piece of software that accepts connections from remote computers using the Secure Shell protocol. SSH servers are often used for SFTP/SCP file transfers and remote terminal connections.

Set ciaocompany.com as the domain name on R3. Allow only SSH connections on the vty
lines and use the local user database for login. Generate RSA keys with a 2048-bit
modulus, set the SSH timeout to 100 seconds, the authentication retries to 3, and the SSH
version to 2. Create an SSHadmin user with the highest privilege level (15) and
ciaossh3@#$ as the password. The domain name and RSA keys must exist before SSH can be
enabled, and if the platform has more vty lines than 0 to 4 (check with show line), the
transport input ssh restriction must be applied to all of them, otherwise the remaining
lines still accept Telnet.

username SSHadmin privilege 15 secret ciaossh3@#$
ip domain name ciaocompany.com
crypto key generate rsa modulus 2048
ip ssh time-out 100
ip ssh authentication-retries 3
ip ssh version 2
line vty 0 4
login authentication default
transport input ssh
exit

Figure 5.9: Result of SSH


Figure 5.10: Result of enable Syslog on R3

Figure 5.11: Result of SSH: Telnet fails from R2 to R3
The Telnet connection fails because R3 has been configured to accept only SSH connections
on its virtual terminal lines.

Figure 5.12: Result of SSH: SSH login from R2 to R3 succeeds

5.2.4 Syslog

Configure the routers to send logging messages to a remote host (the Syslog server at
192.168.1.6) and enable the timestamp service for logging so that each message carries
the time it was generated.

logging on
service timestamps log datetime msec
logging host 192.168.1.6
login on-failure log

The last line makes the router log every failed login attempt, which is exactly the event a
Syslog collector is most useful for. Syslog travels as cleartext UDP with no authentication,
so the collector should sit on the management network, and the timestamps are only
trustworthy if the router clocks are synchronized, which is what the NTP configuration in
the next section provides.
5.2.5 NTP

NTP (Network Time Protocol) lets the routers synchronize their clocks with an NTP server.
Clients that take their time and date from a single source have consistent time settings
and can correlate Syslog messages across devices, which is useful when troubleshooting
network faults and investigating attacks.

ntp authenticate
ntp authentication-key 1 md5 ciaontp3@#$
ntp trusted-key 1
ntp server 192.168.1.5 key 1
ntp update-calendar

The key configured here must match the one on the NTP server (192.168.1.5). With
authentication enabled the router ignores time from any source that cannot produce a valid
digest for key 1, so an attacker cannot shift the clock by impersonating the server, and
ntp update-calendar copies the synchronized time into the hardware clock so that it
survives a reload.
Figure 5.13: Result of NTP
5.2.6 CBAC and ZPF firewalls

Context-Based Access Control (CBAC) is the classic IOS firewall. In this task a simple CBAC
setup is built on the edge router R3: R3 lets hosts on the inside network reach services on
the outside network while denying external hosts access to internal services.

Zone-based policy firewall (ZPF) is the newer Cisco IOS firewall model. In this task a
simple ZPF is configured on the edge router R3 to allow internal hosts access to external
resources while blocking external hosts from reaching internal resources.

CBAC: to block all traffic coming in from the outside network, create a named IP ACL called
OUT-IN and apply it inbound on Serial 0/0/0. Then create an inspection rule called
IN-OUT-IN that inspects ICMP, Telnet and HTTP, and apply it outbound on the same interface,
so that the return traffic of sessions started from inside is allowed back through the ACL.

ZPF: create an internal zone named IN-ZONE and an external zone named OUT-ZONE. Create an
extended numbered ACL, number 101, that permits all IP protocols from the 192.168.3.0/24
source network to any destination. Build a class map called IN-NET-CLASS-MAP that matches
ACL 101. To define what happens to matched traffic, create a policy map called
IN-2-OUT-PMAP with a class type inspect entry that references IN-NET-CLASS-MAP, and
specify the inspect action for it. Create a zone pair called IN-2-OUT-ZPAIR with the
previously created zones as source and destination, and attach the IN-2-OUT-PMAP policy
map to the zone pair. Finally, assign the inside and outside interfaces to their zones; an
interface that is not a zone member cannot exchange traffic with one that is.
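The two procedures above, written out as an added IOS configuration example for this page
(it is not the report's own configuration, which appears only in the result figures). The
report does not name R3's inside interface, so GigabitEthernet0/1 is assumed; Serial0/0/0
is the outside interface as stated above. Classic CBAC inspection and zone membership
cannot be combined on the same interface, so the two halves are alternatives for R3's edge
rather than one configuration to apply at once.

```cisco
! ===== Alternative A: classic CBAC on R3 =====
! Static ACL: nothing unsolicited is allowed in from the outside.
ip access-list extended OUT-IN
 deny ip any any
!
! Inspection rule: track outbound ICMP, Telnet and HTTP sessions.
ip inspect name IN-OUT-IN icmp
ip inspect name IN-OUT-IN telnet
ip inspect name IN-OUT-IN http
!
! Apply both on the outside interface. CBAC opens temporary holes in the
! inbound ACL for the return traffic of sessions it inspected outbound.
interface Serial0/0/0
 ip access-group OUT-IN in
 ip inspect IN-OUT-IN out
!
! Verify (generate a session first with a ping or HTTP request from inside):
! show ip inspect sessions
!
! ===== Alternative B: zone-based policy firewall on R3 =====
zone security IN-ZONE
zone security OUT-ZONE
!
! Traffic allowed to leave: anything sourced from the inside subnet.
access-list 101 permit ip 192.168.3.0 0.0.0.255 any
!
class-map type inspect match-all IN-NET-CLASS-MAP
 match access-group 101
!
! Stateful inspection of matched traffic; anything else falls into the
! implicit class-default, whose default action is drop.
policy-map type inspect IN-2-OUT-PMAP
 class type inspect IN-NET-CLASS-MAP
  inspect
!
zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT-ZONE
 service-policy type inspect IN-2-OUT-PMAP
!
! Zone membership. No OUT-to-IN zone pair exists, so unsolicited traffic
! from the outside is dropped while replies to inspected sessions return.
! GigabitEthernet0/1 is an assumed name for the inside interface.
interface GigabitEthernet0/1
 zone-member security IN-ZONE
interface Serial0/0/0
 zone-member security OUT-ZONE
!
! Verify:
! show zone-pair security
! show policy-map type inspect zone-pair sessions
```

In the ZPF half, traffic from OUT-ZONE to IN-ZONE is dropped simply because no zone pair
defines it, which is the behaviour the result figures test. One caveat a practitioner
should keep in mind: traffic to and from the router itself (the self zone) is still
permitted by default with this configuration, so the vty and management services on R3
remain reachable from the outside until a policy for the self zone is added.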

Figure 5.14: Result of CBAC and ZPF Firewall

Figure 5.15: Result of CBAC and ZPF Firewall

Figure 5.16: Result of CBAC and ZPF Firewall


5.2.7 Secure switches

Secure the switches with strong passwords and password encryption.

 Enable password: ciaoen3#$%
 Password for console: ciaocon3#$%
 Password for vty lines: ciaovty3#$%

enable secret ciaoen3#$%
service password-encryption
line con 0
password ciaocon3#$%
login
exec-timeout 5
logging synchronous
exit
line vty 0 15
password ciaovty3#$%
login
exec-timeout 5
exit

Unlike R3, the switch vty lines are left with the default transport, so Telnet with a
cleartext password is still accepted; if the switch has a management address, apply the
same transport input ssh treatment as in section 5.2.3.

Figure 5.17: Result of secure switches

5.2.8 BPDU Guard and PortFast

The uplink Fa0/1 is a trunk with the native VLAN moved off VLAN 1, DTP negotiation
disabled and broadcast storm control applied. Unused ports are shut down. The user-facing
access ports get port security with sticky MAC learning (the first MAC address seen is
written into the configuration and becomes the only one allowed), PortFast so that they
forward immediately, and BPDU Guard so that any device that sends a BPDU, such as a rogue
switch, puts the port into err-disabled state.

interface FastEthernet0/1
switchport mode trunk
switchport native vlan 99
switchport nonegotiate
storm-control broadcast level 50
interface range FastEthernet0/13 - 23
shutdown
interface range GigabitEthernet0/1 - 2
shutdown
interface range FastEthernet0/2 - 12
switchport mode access
switchport port-security
switchport port-security mac-address sticky
spanning-tree portfast
spanning-tree bpduguard enable
interface FastEthernet0/24
switchport mode access
switchport port-security
switchport port-security mac-address sticky
spanning-tree portfast
spanning-tree bpduguard enable

Figure 5.18: Check MAC address in interface f0/24

Figure 5.19: MAC address on PC B (unchanged)

Figure 5.20: Check the up status in interface f0/24

Figure 5.21: Change MAC address

Figure 5.22: Interface F0/24 is down
The port goes down because the sticky entry learned from PC B no longer matches the frames
arriving on F0/24; port security counts this as a violation and, in the default shutdown
violation mode, places the interface in err-disabled state.
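To confirm why F0/24 went down and bring it back, the following IOS commands, added here as
an example (the report only shows the result screenshots), check the port-security state
and show the recovery options. The interface name comes from the section above; the
300-second recovery interval is chosen for illustration.

```cisco
! Why is the port down? Port Status shows Secure-shutdown, the violation
! counter has incremented, and Last Source Address is the MAC that tripped it.
show port-security interface FastEthernet0/24
show interfaces status err-disabled
!
! Recovery option 1: bounce the port by hand. The sticky MAC entry remains in
! the running configuration, so either PC B must be back on its original MAC
! or the stale entry must be cleared first, or the port shuts down again.
clear port-security sticky interface FastEthernet0/24
configure terminal
 interface FastEthernet0/24
  shutdown
  no shutdown
 exit
!
! Recovery option 2: let the switch re-enable err-disabled ports on its own
! after a chosen interval (300 seconds here, chosen for illustration).
 errdisable recovery cause psecure-violation
 errdisable recovery interval 300
!
! Alternative violation mode: keep the port up, drop offending frames and log
! the event (and raise an SNMP trap) instead of shutting the port down.
 interface FastEthernet0/24
  switchport port-security violation restrict
 end
```

With automatic recovery enabled the port re-enters err-disabled immediately if the
offending host is still attached, so recovery is a convenience for transient mistakes,
not a substitute for removing the cause; the restrict mode is the usual choice where an
outage on the port is worse than a logged violation.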

5.3 Host

5.3.1 Security guard

A security guard protects property from arson, robbery, burglary, extremism and other
criminal activity by patrolling and inspecting it, and watches people and premises to deter
violence. In CIAO Company the guards are stationed on the 1st floor of the building.

Figure 5.23: Security guard
5.3.2 CCTV

CCTV (Closed Circuit Television) cameras are now the primary surveillance platform for
both private homes and enterprises, and a building without CCTV is uncommon; it is a
standard part of every business premises. A CCTV system supports the owner's monitoring
duties and provides a record of what happens to staff and their work. In CIAO Company
there are 30 CCTV cameras, 10 on each floor.

Figure 5.24: CCTV
5.3.3 Fingerprint scanners

Fingerprint scanners recognise and authenticate an individual's fingerprint and are a
dependable form of biometric authentication. In CIAO Company, rooms that store
confidential data can be opened only with the enrolled fingerprints of specific people,
such as the CEO or the managers.

Figure 5.25: Fingerprint scanner
CONCLUSION

After spending a lot of time working to complete the report, I have gathered knowledge
and skills that are important for developing as a security specialist: knowledge of
security threats, some recently publicized security breaches and their consequences,
organizational procedures, a method for managing different types of risk, a list of
monitoring tools, devices such as firewalls and IDS, and methods such as DMZ, static IP
and NAT, and the 'trusted network'.

In the process of completing the assignment there were difficulties and challenges that I
had to undergo, such as:

 Time constraints: when the workload became too much, the final result was finalized
slowly and did not get as many details and ideas as originally intended.
 Scheduling problems when the subject came to its rush period.
 The novelty of the approach and the new concepts, terminology, methods and procedures
used in security, which I had not had a chance to come across before.

On the other hand, there were also certain advantages in doing the project work, such as
the enthusiastic support of friends and teachers. The documents used throughout this
assignment, among them (Ciampa, 2015) and (Charles, P. P., Shari, L. P. and Jonathan, M.,
2015), also provided me with the most objective points of view on this topic.

This report has been completed with great effort, and I hope that the next part of this
report will be cared for just as carefully and completed on time.

REFERENCES

Charles, P. P., Shari, L. P. and Jonathan, M., 2015. Security in Computing. Westford,
Massachusetts: Pearson Education, Inc.

Ciampa, M., 2015. CompTIA Security+ Guide to Network Security Fundamentals. Canada:
Cengage Learning.

Ellis, Tim, S. and Juanita, 2003. The Security Review Process. s.l.: s.n.

Group, T. R. T. a. A. (. W., 2008. Receivership Data Privacy and Security Procedures For
Property and Casualty Insurers in Liquidation. s.l.: s.n.

Jones, S. V. f. A., 2005. Analyzing Threat Agents and Their Attributes. s.l.: s.n.