Enterprise Security Plan

Enterprise Security Plan
Smith Systems Consulting (SSC) is a major regional consulting company. Headquartered in Houston, Texas, the firm’s 350 employees provide information technology and business systems consulting to its clients in a wide variety of industries including manufacturing, transportation, retail, financial services and education. Smith Systems Consulting (SSC) is a service provider. It provides IT services for other companies. Security is essential for SSC because it not only requires security for itself, but SSC also has many customers depending on it to provide top level IT services, which also includes security.
Enterprise risks are a part of all business and how we address these risks determines how successful we are in the business world. Risks can be defined by “any exposure to the chance of injury or loss.” (Cheryl l. Dunn, 2005) Risks can be internal or they can come to us from outside sources in the form of external risks. Both types of risks pose a threat to the overall security of the enterprise. An Enterprise Security Plan (ESP) outlines possible risks by identifying the vulnerabilities within the business process and ranks the vulnerabilities for ease in developing a mitigation plan. The ESP also identifies technologies and policies that will help in the development of an operational plan that protects the business process and intellectual property of your corporation.
Within this ESP we have developed 3 different appendixes for the ease of review and to facilitate the corporate review. First Appendix will focus on the identifying vulnerabilities. The second appendix will indentify the vulnerabilities that will have posed the greatest threat and will also provide the logical justification matrix. The third appendix will address Enterprise Vulnerabilities. Within this appendix Smith Systems Consulting will discuss and make recommendations that will provide enterprise protection by identifying and by making recommendation to mitigate vulnerabilities that affect the following areas: Physical, System and Logical. This in-depth analysis will help provide recommendations for the necessary resources to protect your enterprise.
Appendix 1 The team will be looking at many security issues addressed at the company. There were many ideas for topics to address when it comes to risks that are possible for an Enterprise environment. Some of the ideas included data loss, insider threat, outsider threat, and un-patched or updated vulnerabilities that might hinder SSC. It is understood by the team that all of the identified risks are significant. Insider threat is when internal users of the system cause damage to the system. It is more likely the damage is inadvertently caused. The probability of malicious insider threat is not as great, but it is definitely a possible threat. Certain steps must be taken to help prevent the malicious insider threat and inadvertent insider threat. The specific steps can be focused on in the project.
Another threat discussed by the team is the threat of un-patched systems. Research must be conducted to see if there is a vulnerability management process in place for SSC or any of the companies it provides IT services to. If there are no vulnerability management plans or processes, SSC must create one. Vulnerabilities left unchecked can cause system issues, including intrusions by unauthorized persons.
SSC will need to create a strong security policy plan and will need to hire some internal security professionals to help them setup roles and create security profile to resolve some of the issues discussed.
Appendix 2
Risk and vulnerabilities matrix Risk and vulnerability strategies are important to a growing business. In order to evaluate the infrastructure of organizations you would want to do a good threat assessment and other to determine if the outcome is in the best interest of the company. Threats to an organization can include natural, criminal, terrorist, and accidental to name a few. A good threat assessment determines that likelihood of a threat occurring.
In this assignment Team A determined the risks and vulnerabilities of our virtual organization – Smith Consulting. We then designed a matrix and ranked the risks and vulnerabilities. We then added a comments field to the matrix so that we could describe the possible outcomes for each of the vulnerabilities.
We categorized our rankings as: * High probability/high impact * High probability/medium impact * High probability/low impact * Medium probability/high impact * Medium probability/medium impact * Medium probability/low impact * Low probability/high impact * Low probability/medium impact

Appendix 3
Enterprise vulnerabilities Smith Systems Consulting (SSC) recommends and installs premium support services such as network installs, email server installs and upgrades, and database design and development. Though not on their website, SSC is security conscious with the technologies that are available for businesses, and the technologies that they recommend to their customers. One area of security that SSC thrives in is that of vulnerability assessments. This involves evaluating a customer’s current vulnerabilities, as well as vulnerabilities that may arise from the installation of new technologies, if not installed correctly. The vulnerability areas focused on are: physical, system, and logical.
Physical
Vulnerabilities in the physical sense are not so much referring to things such as access to a building or server room or damage to networking equipment (though these things should be considered by IT staff). A DoS (Denial of Service) or DDoS (Distributed Denial of Service) attack would be considered a physical attack because it causes physical problems with a server, i.e. over working a server to the point of extreme slowness or failure. DoS and DDoS attacks occur when an attacker (hackers) sends a large amount of packets to a particular server (often web servers), causing all of the bandwidth to be taken up and all of the server’s resources to handle and process the packets. The end result for valid visitors of the site is slowness bringing up the site, or the website not coming up at all. Though DoS attacks can be very service affecting, there are ways to combat against them. Having a good quality firewall in place that scans packets as they come in, and denies DoS attacks is a start. Having an IPS (intrusion prevention system) is an even better way to prevent these types of attacks, because an IPS device is usually much smarter than a firewall and also has the ability to scan incoming packets for a multitude of other problems. Dos and DDoS can also occur on client machines as well. To protect against this, it is important to have high quality and updated antivirus / spyware removal software on the machines, as well as all current updates for the operating system. All of these steps does not guarantee that DoS attacks won’t occur (hackers are always coming up with new ways to lead these attacks), but it greatly reduces the chances that it will happen.
System vulnerabilities System vulnerabilities are another area where many businesses suffer. In particular, email servers can cause a lot of issues for companies if not setup correctly. If an email server is setup by someone that does not know best practices for installing email servers, often the server is abused by hackers, who use the server as an SMTP relay server. Basically, your organization’s email server is now used to relay emails from someone outside your organization to hundreds, maybe even thousands of people, commonly referred to as SPAM. This problem could be prevented by turning off the relay option on a server. An email server can be the lifeblood of a company, due to the important nature of email and the constant use during the day. If proper backup and restore procedures are not in place, an organization could be crippled if their email server goes down. Again, having someone that knows the proper procedures can save a lot of time and lost productivity for a company. With an example of using Microsoft Exchange as an email server, the organization using it most likely will not be using the IMAP and POP3 protocols that are running by default. By disabling these protocols, the server becomes less penetrable from outside hackers. If the protocols are left running, it creates unnecessary open doors for hackers to access. Insider threats can also be an issue when it comes to email. Employees could be sending out insider secrets through the email server, and the organization may never know it. Installing a security appliance that monitors outgoing email will help in removing this risk. Last, email servers can emails from all sorts of sources, including many that are unwanted. Virus, malware, and spyware can be contained in emails on the server. Configuring antivirus software to know what files to scan to prevent viruses from spreading, while not scanning other areas that could potentially corrupt the email server database is also a crucial step when configuring Exchange. Bottom line, setting up an email server should be done by someone that knows the intricacies of the software.
Logical vulnerabilities Logical vulnerabilities point in the direction of things like installed software, operating systems, etc. Problems like virus protection on client and server computers can be included in this. Not configuring the antivirus software correctly or worse not having antivirus software installed at all can cause major problems on a network. Network slowness, erratic behavior on servers or clients, and pop-ups are some of the signs that one or more systems may be infected with a virus. Another common area that gets overlooked is that of keeping up on software and operating system updates and patches. Though it is an easy and quick procedure to run updates for a system, often the steps are overlooked due to bigger IT problems that need to be taken care of. Holding off on updating software may not cause problems initially, but in the long run can cripple organizational functionality. Some companies will hold off on running updates and patches because of fear that it will take down systems due to a bad patch. This can be mitigated in several ways. First would be to have client machines with similar hardware and software configurations, so that tests can be run on a similar system first, before applying changes to production computers. Second would be to install something like a Windows Systems Update Server. This server downloads all Microsoft Updates to itself, and then pushes the updates out only when an administrator gives the go ahead. This allows administrators to keep the updates for a week or so to make sure that no complaints arise on the Internet, regarding those updates.