CIS097 Principles of Information Security Assignment

Reference no: EM132702976

CIS097 Principles of Information Security - University of Bedfordshire

Assignment - Threat-Vector Evaluation

Learning outcome 1: Provide an understanding of knowledge and awareness of information and systems security processes, frameworks, tools and techniques used in different organisational contexts.

Learning outcome 2: Identify, select and apply solutions related to information security management, strategies, and technologies to respond to multi-faceted attacks, and mitigate against constantly evolving threat landscapes.

In order to pass Assessment 1, you will need to:
• Apply your knowledge of information security to a given real-world problem
• Evaluate the concept of the defence-in-depth approach to cyber-defence
• Outline the threat vector given an information security scenario
• Outline the steps needed to secure a computer system and/or give recommendations for cyber-defence
• Justify the choices and selections of information security tools and techniques included in your solution to a given scenario

This is a case study of a network and information security consultation conducted on behalf of PetMeds, an online pet medicine supplier. You are to provide a report detailing the current cyber threats faced by the company and to make recommendations for improvements to their network and computer systems to mitigate the likelihood of damage from those threats. Your report needs to highlight the principles of cyber and information security.

Scenario and Environment Description
You are part of a digital information security team called InfoSafe who often act as consultant advisors to UK businesses to assess and help improve their data security.
One of your current clients is a small-medium enterprise called PetsMed, who are an online retailer of pet medicines and products.
PetsMed have a commercial building, just outside of Luton, which houses the main e-commerce servers and a small LAN for the 60 or so staff that administer the business. There is also an onsite warehouse that deals with orders and logistics. They only have one network administrator and a couple of IT technicians.
PetsMed have hired InfoSafe to help in reviewing their network and information security. In the previous year they have been the target of several denial-of-service attacks (mainly from hacktivists who mistakenly believe that they are responsible for animal testing) and a few hacking attempts. PetMed do not believe (but cannot verify) that any data was accessed in these hacking attempts.
As part of your assessment, your team is asked to provide a ‘Cybersecurity threat-vector evaluation’ which will critically evaluate the current areas of weakness within the company that a cyber-criminal may take advantage of, and suggest solutions (People, Processes and Products) to improve information security.

Current PetMed System Products, People and Processes

PetMed is an established company that has had unpredictable profits and losses in recent years. They used to act as a ‘brick’ company (with physical stores) but, after achieving considerable success when they developed an online presence 5 years ago, a management decision was made to change to a ‘click-only’ online business. Despite initial investment and success, declining profits have led to redundancies throughout the company and a reduction in the investment of network and information security equipment and training.
Recently PetMed have been toying with the idea of extending the online pharmaceutical part of their business and becoming suppliers of family and pet medicines, rather than just focusing on animal medicine. They would like InfoSafe to suggest if there are any additional security concerns they would have to consider if this were the case.
PetMed has the following current systems and processes:
• A local-area network for the administration, managerial, website design, sales and finance departments; this is configured on one network that is not segmented (or sub-netted into separate VLANs).
• There is a company firewall configured with several access-control lists to limit malicious traffic.
• There is only one gateway router with minimal security. It requires a username and password for console access and allows Telnet access for remote configuration and management.
• Host machines have a Windows 7 or Windows 10 installation, using Windows Defender and the host firewall. They have some user and local security policy restrictions: users cannot install programs (though they can download them) and password complexity is turned on, but nothing further is enforced. The technicians monitor and update the host applications and operating systems regularly but not systematically. There are no separate groups of users configured; shared staff files (such as the customer orders) are available on one shared drive.
• The company makes limited use of a directory service, such as Active Directory, for authentication to the network. Authorisation and privileges are broadly the same for all members of staff. There are a couple of administration accounts whose credentials are only known by the IT technicians. When staff leave, their accounts are disabled at the end of the month by the IT staff.
• Customer payments are processed via PayPal or third-party payment vendors such as Visa, but PetMed stores all details of the orders (except for credit card/payment details).
• The company's e-commerce website was built using a template. Some penetration testing by InfoSafe has revealed web application weaknesses, including a vulnerability to SQL injection-type attacks, allowing arbitrary SQL statements to be executed as commands on the server and granting full access to resources.
• In LAN design, at the PetMed office: the switches in the network are not configured for VLANs nor port-security. They do require a username and password for console access, but this password is in plain-text in the running configuration. There is little redundancy in the network.
• Backups are made on a weekly basis to a RAID 5 server in the server room.
• There is a wireless network in the office cafeteria, using WPA-PSK encryption.
• If staff would like to work remotely, they enable TeamViewer on their machine in the office and use it from their machine at home (or outside) to access resources at work.
• Personnel enter the office building past the reception desk, which is manned from 8am - 5pm. The building has a single security guard who goes home at 8pm after locking up the main office. The warehouse staff wear ID cards and use RFID technology for logistics and stock control.
• The company internet and computer usage policies have not been updated since PetMed became a sole e-commerce trader.
• The staff do regular training on health and safety, administration, sales and business management and recently on GDPR.
• PetMed has no definitive CERT or incident response plan but relies on its IT staff for information and data security and systems availability.

Attachment:- Principles of Information Security.rar
