Security Design Document for ABC: Name Changed
Abstract: This document identifies the security measures currently in place in the organization's IT infrastructure and then highlights the major security updates the organization needs in order to keep pace with current practice in the IT industry. Suggested solutions are chosen on the basis of running-cost analysis without compromising the quality and standard of the product, and each solution is backed by reasons. Each security measure is described under a separate heading. The headings were chosen after an initial survey and several meetings with the IT staff and users. While utmost care has been taken to recommend the latest security solutions, this document cannot ignore that the measures will need to be modified from the day they are implemented, because new threats emerge at a very fast rate. While the layered approach is not described in detail here, this document also outlines the importance of a Defense in Depth strategy and recommends a series of mechanisms to slow the advance of an attack. This approach removes reliance on any single layer. Each measure described below falls into one of the following categories.
The recommended layer approach is:
Physical Security
Identity and Access
Perimeter
Network
Compute
Application
Data
Systems and Security Measures:
Authentication System: Authentication is an important part of security. For authenticating domain (normal) users on a computer, single-factor authentication against LDAP will be used, but a strong password is recommended. For email authentication (Office 365), multi-factor authentication will be used along with the password: an SMS code will be sent to the user's mobile number. To get access to the company portal or software, two-factor authentication will be used. Google Authenticator, when used, implements two-step verification using a Time-based One-Time Password (TOTP) algorithm. For highly sensitive personal laptops (CEO and managers) and servers, fingerprint authentication will be used along with the password.
External Website: The website is designed and hosted with confidentiality, integrity, and availability in mind. Unnecessary information about employees is hidden or removed from the website; for example, only admin or office staff email addresses are used for external communication. To make sure the website is available at all times, the hosting company is chosen carefully, and security measures such as the latest TLS version, spam scanners and the latest CAPTCHA are used while designing the website. The website will be encrypted and served over the HTTPS protocol. When the website detects suspicious activity such as a brute-force attack or intruder attack, it should be locked automatically, which prevents further damage. Further, the website should be scanned regularly by anti-virus software. For handling credit card information, PCI DSS (Payment Card Industry Data Security Standard) will be followed, and banks supporting this standard will be approached.
Intranet Website and Remote Access: The intranet website is hosted internally on the Linux server. Users should access the website with a user name and password that differ from the user's login ID for the computer. To avoid the use of public networks while accessing the internal website and resources, a Virtual Private Network will be used. There are many VPN solutions; to avoid extra cost, OpenVPN is used. To run OpenVPN, we need to set up an OpenVPN server under Linux. Fedora Linux will be used, and the same server will host the website, which minimizes resources and cost for ABC. Remote access into the internal network will be limited to a few people, and the user must obtain authorization from the CEO before requesting it. This minimizes the number of users and decreases the space available to an intruder. The recommended solution for remote access, as discussed earlier, is OpenVPN. Resources should be allocated strictly according to need: if a staff member needs access to a drive from home, then only that drive will be mapped. Users are requested to use a strong password for remote access, different from their login password, and the access will be reviewed monthly. A reverse proxy will be used, which provides a single point of authentication for all HTTP requests and also hides the server from the public network. Two-factor authentication will be implemented when accessing the office computers remotely.
Firewall and Basic Rule Recommendation: This comes under network-level security. Our main goal should be to reduce the attack surface, so any unnecessary access is denied and stopped by firewall rules. At the desktop level, many programs ship with default components enabled. They do no harm to the computer, but it is wiser to shut them down, so only the features that are necessary are activated at the desktop level. An implicit deny rule in the ACL will be implemented on the existing Cisco routers. To achieve a highly secured system, two levels of firewall will be implemented: a network-based firewall and a host-based firewall. Many options are available for the network-based firewall, but it is recommended to use the Cisco Firepower NGFW (Next Generation Firewall), as this provides advanced threat protection before, during and after attacks. For a small company, Cisco Firepower 1000 series appliances are recommended to minimize cost. We need to make sure that it supports the Adaptive Security Appliance (ASA) software, which Cisco is going to add soon. Cisco Easy Pay provides a 36-month payment plan and other flexibility. For the host-based firewall, the built-in firewall on all laptops and desktops will be turned on. Along with the firewall, a centralized security and logging system is also necessary to monitor the network. While the Cisco NGFW supports centralized logging and monitoring at the network level, a SIEM is recommended to capture logs from all desktops, servers, routers, and switches.
Wireless Security: For wireless security, we will use the WPA2 security protocol. A strong password will be used, and the password won't be shared with the staff; it is entered manually, or the connection is made automatically for computers joined to the domain. Wi-Fi access for personal devices is restricted or limited. Many wireless systems are available in the market, but it is recommended to use HP Aruba access points and switches, as they are easy to manage and have good coverage. The IP range chosen for the access points should be sized to the number of devices on the premises, and two different Wi-Fi networks will be created, one for regular staff and one for visiting staff. Wi-Fi, along with the LAN, will be implemented with an 802.1X authentication mechanism, and the authentication server will run software supporting the RADIUS and EAP protocols.
VLAN Configuration: VLANs segregate traffic, which helps network security. The existing VLANs will be reviewed and new VLANs added, as new departments have emerged in the company. The company uses resources located at another site connected by a VPN tunnel, but not all users at site A (example only) need access to the resources at site B. To distinguish them, all users requiring access to the resources at site B will be kept in the same VLAN. Typically, four VLANs will be used: Engineering VLAN, Sales VLAN, Guest VLAN and Infrastructure VLAN. This helps in segregation and isolates the traffic.
Laptop Security: The laptops in the company will first be categorized into sensitive and highly sensitive ones. The hard disks of highly sensitive laptops will be encrypted; full-disk encryption makes a lost or stolen disk resilient against data theft. Disk encryption will also be applied to handheld devices and servers. ABC uses Windows machines, so BitLocker with a password will be used for full-disk encryption. For security at the domain level, Group Policy on the Windows server will be configured for the lockout period, password complexity (numbers, special characters and upper/lower case) and the frequency of new passwords. Every laptop will have up-to-date antivirus software, and the administrator will set up binary whitelisting so that only approved software can run. Some form of mandatory security training on how to keep your system safe and secure will be given.
Application Policy Recommendations: Software receives many updates, and these must be applied on time. Patches must also be installed regularly to address network security vulnerabilities. If we delay these, no matter how secure and strong our system and network are, an intruder can easily get into our system. ABC has around 200 devices and the number is growing, so for device management and the deployment of the OS, software and updates, SCCM is recommended. SCCM can automate the process and keep track of all software, updates, and patches. A routine will be set up to check for firmware, patch and OS updates, and this will be performed with high priority. Software installation will be done only by IT staff, and any new software recommended by a user must be verified by the IT security team. The use of free applications will be restricted, and any new application should be verified by the security department. Users will be trained to keep their systems updated, as keeping the laptop safe is a shared responsibility of the staff in the organisation. Any application that is not used will be removed immediately to reduce security vulnerabilities. Bloatware and extensions that come bundled with an application will be removed, and staff will be trained to identify such unwanted software.
Security and Privacy Policy Recommendation: Security and privacy policies are very important to minimize security threats. The very first policy to be implemented is the installation of the latest software; users are requested to restart the computer whenever asked so the installation process can complete. The privacy of users' data is very important for trust and confidentiality, so users' data is maintained and kept in accordance with the Digital Privacy Policy Act of 1990. Access to data or a drive is given only after pre-approval from the manager (and the CEO in some cases) and is reviewed from time to time.
Intrusion Detection or Prevention for Systems Containing Customer Data: The database server that contains the customer data is housed locally. Every query sent to the server is checked against the whitelisted queries. The server is always kept updated, and suspicious action on the server will automatically notify the admin via an automatic trigger. For physical security, only authorized persons will get access inside the server room, and cameras will be installed inside it. The data are backed up using a Datto backup solution; Datto is chosen based on the existing system, it is very simple to use, and the price is reasonable as well. Any laptops and servers that host customer data will have a Host Intrusion Prevention / Host Intrusion Detection System (HIPS/HIDS) installed. To detect intrusion at the network level, a Network Intrusion Prevention System (NIPS) is recommended. A NIPS uses a Network Intrusion Detection System (NIDS) device, an IPS (Intrusion Prevention System), or a combination of both, called an IDPS, to proactively stop an attack by following established rules. ABC is a growing company with a limited budget, so to start with the SIEM solution, rsyslog is recommended. The SIEM solution will assist in monitoring and logging.
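As an added example of the kind of detection logic the SIEM would run over rsyslog output (illustrative Python, not part of the original document): it parses constructed sshd failure lines in rsyslog's default format and flags any source address with five or more failed logins inside a sixty-second window. The host name, user names and addresses are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log in rsyslog's default line format (not real data).
LOG_LINES = """\
Mar 10 09:15:01 dbserver sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Mar 10 09:15:04 dbserver sshd[2103]: Failed password for invalid user oracle from 203.0.113.5 port 40130 ssh2
Mar 10 09:15:09 dbserver sshd[2105]: Failed password for root from 203.0.113.5 port 40140 ssh2
Mar 10 09:15:15 dbserver sshd[2107]: Failed password for invalid user test from 203.0.113.5 port 40151 ssh2
Mar 10 09:15:22 dbserver sshd[2109]: Failed password for root from 203.0.113.5 port 40160 ssh2
Mar 10 09:15:30 dbserver sshd[2111]: Failed password for invalid user postgres from 203.0.113.5 port 40171 ssh2
Mar 10 09:20:11 dbserver sshd[2150]: Failed password for alice from 198.51.100.7 port 51012 ssh2
Mar 10 09:20:40 dbserver sshd[2152]: Accepted password for alice from 198.51.100.7 port 51013 ssh2
Mar 10 09:31:02 dbserver sshd[2160]: Failed password for alice from 198.51.100.7 port 51020 ssh2
""".splitlines()

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")


def parse_failures(lines, year=2024):
    """Return (timestamp, host, user, source_ip) for every failed SSH login, oldest first."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:  # syslog timestamps carry no year, so the caller supplies one
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["host"], m["user"], m["ip"]))
    return sorted(events)


def brute_force_alerts(lines, threshold=5, window_s=60):
    """Flag source IPs with >= threshold failures inside any window_s-second span."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)  # per-IP sliding window of (timestamp, user)
    alerts = {}
    for ts, host, user, ip in parse_failures(lines):
        dq = recent[ip]
        dq.append((ts, user))
        while dq and ts - dq[0][0] > window:  # drop events that fell out of the window
            dq.popleft()
        if len(dq) >= threshold:  # (re)record the alert with the latest window contents
            alerts[ip] = {"ip": ip, "host": host, "attempts": len(dq),
                          "users": sorted({u for _, u in dq}),
                          "first": dq[0][0], "last": ts}
    return list(alerts.values())


if __name__ == "__main__":
    for a in brute_force_alerts(LOG_LINES):
        print(f"ALERT {a['ip']} -> {a['host']}: {a['attempts']} failures between "
              f"{a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}, users tried: {a['users']}")
```

The two isolated failures from 198.51.100.7 stay below the threshold, so only the burst from 203.0.113.5 is reported; raising the window or lowering the threshold shows how the same data yields noisier alerts.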