a network security policy group project unit 4 (1) july 2015


Upload: jeffery-brown

Post on 23-Jan-2017

Running Head: NETWORK SECURITY POLICY 1

Network Security Policy

Group Project Unit 4

AIU Online

Jeffery Brown

Patricia Rodericks

Anthony Wigglesworth

Ralvin Wilson

April Withers

Abstract

Every walk of life has rules and regulations to keep the peace. Companies have rules and permissions governing access to their information. Networks need the same type of permissions, in any business or even personal setting, to stay secure. Security is a big priority today, with the outsourcing of information so readily available. Securing the network takes skill, diligence, perseverance and confidence to keep up with each new attack. Society is under constant change, and new ways to attack a network are just one of the many things that are happening. Can a network security administrator keep the network secure? Is it even possible to have a secure network? Security is in everyone's hands; all must be aware of and awake to every possible threat.

Introduction

A network security policy upholds regulations and procedures in an organization so that the basics of any threat can be handled quickly and thoroughly. Policies govern use, access, permissions, regulations, procedures, prevention, and security. The policies covered here include Social Engineering Safeguards, Files and Folders, Network Firewall Protection, External Drives, Training Plans and End User Behavior.

Social Engineering Safeguards and Security Hardware

Social engineering safeguards and security hardware are both very important to a complete information security network implementation, design and policy. The social engineering safeguards are here so that users and clients/employees keep the advantage of access to all the data through a secured network. The security hardware is where the network equipment needs to be properly maintained and upgraded as needed, particularly when you notice that the data is being accessed by non-authorized users/clients on any platform level.

These are the parts I will be focusing on within this section:

Social Engineering Safeguard

Security Hardware

SOCIAL ENGINEERING SAFEGUARDS

The Importance of Having Social Engineering Safeguards.

This is a brief overview of the importance of social engineering safeguards within an information technology security network, in dealing with the different policies and processes that go into each daily IT routine. They make sure that the user community that can gain access from the outside, over Internet networks in public locations, is getting the data it needs from all platforms within the information security network system. This is why social engineering safeguards are a major player in information security networks: they keep users' data secured, so that unsecured access cannot obtain the users' personal information. There are techniques that hackers use to manipulate organization and business users in order to gain entry into information security networks. There are countless issues with unsuspecting employees giving information to unauthorized individuals outside the organization's and business's security networks. To keep all employees and clients/subscribers from giving personal data to unauthorized users, it is best to screen all users' social behavior while they are on the information security network system, on all platform levels. Make sure to suspend users/employees, and do not leave out clients or visitors, from some features on the security networks. This makes the information security network more secure, in that only the areas of the network needed for the users'/visitors' purposes are available to them. We need to look closely at the hackers who use social engineering attacks to gain the organization's and business's information about their employees/users. Most importantly, we should put in place secure e-mail verification to track all the footprinting that hackers do through incoming and outgoing e-mail messages on a daily basis.

Another social engineering attack in use is when hackers present themselves as impostors posing as the organization's or business's IT department engineers and information technology security officers. In every contact with employees, users, and clients, they give them a sense that there is nothing suspicious about who they are communicating with. The safeguard is to put in place a secured system that re-routes all such contacts to a security information center, where each IT screening center will be able to catch these types of false, unidentified users. One last social engineering attack is when a hacker represents himself or herself as a delivery person or IT service technician, or otherwise appears to have a legal and legitimate reason for being on the organization's or business's grounds. For this, the secured area should use a 21st-century chip, issued to employees and clients authorized for the building and grounds, to be scanned at a new, improved security entrance system at the main entrance of the organization or business.

SECURITY HARDWARE

Keeping the Security Hardware Up to Date.

In this overview of security hardware, the most important point is to keep your security network equipment up to date. In the 21st century you can see how easy it is to access information security networks at all levels. A few that come to mind are U.S. government departments/offices, retail stores, financial institutions, medical facilities, etc. There are industries where the information security networks are being hacked by other governmental and non-governmental individuals. Improving on all platform levels throughout the whole corporation or organization, and keeping the information security networks up to date, is very important to have in place, along with the budget to cover the cost. Make sure that no security hardware is operating at less than full potential on any level within the platforms, so that all data is processed at a speed that lets each authorized employee/client/user get their information from the information security network system faster and in less time.

Files and Folders

It is important to have a policy for files because they contain, or possibly contain, confidential information. Folders contain the files for everyone in the company or organization; there should be a folder for each employee as well as for the administration of the company or organization. Files and folders will be accessed by the user whose folder or file it is. Users who need access to files or folders other than their own will have read-only permission and need to receive approval from the administrator and/or the manager of the department; all folders are assets of the company. Access to files is on company time only, and files will be coded with the user's name and the department the user is in. All users will need a security clearance for access to files or folders that contain information that is confidential, whether company assets or personal. Secure admin files by locking down the IP addresses that can access them. Remember to use strong passwords, changing them on a regular basis. The most important thing is to be diligent about the security of the networks, and about who accesses files or folders, when, and for what reason (Wlosinski, 2015). An attitude of knowing what is out there as far as threats, such as types of hacks and types of viruses, will help to ensure that the files, folders and the network are secure. All users of the network who work with files or folders need to be up to date on all security measures within the organization or company. The executives and administrators should also be aware of all security measures for the files and folders. When everyone is secure in the knowledge of the steps needed, the company or organization has a better chance of being safe.

Network Firewall Protection

A vital piece of network security policy is protecting your network from attacks by an outside party, safeguarding data within your network, safeguarding information, and maintaining a fully functional network. A network firewall is an essential piece of any network because it provides security by keeping threats from penetrating the network.

The purpose of a firewall is to protect the network from unauthorized intrusion. The firewall acts like a filter, allowing only authorized traffic or information to pass through and blocking everything else. The type of traffic or information allowed is configured in the firewall policy; anything that is not identified in the policy is not allowed to go through.

Firewalls typically fall into two categories: hardware and software. A hardware firewall is a piece of equipment dedicated to being a protective shield between your network and those outside your network. Hardware firewalls can be quite expensive and difficult to configure. Software firewalls are commonly used by individuals or those with small networks. Most networks incorporate both types; hardware products such as routers may have firewall protection pre-installed. Regardless of which type is used, the user should be knowledgeable in network security to ensure it has been properly configured.

There are several types of firewalls: packet filters, stateful inspection, and proxy. A packet filter firewall allows or disallows traffic by examining the source and destination addresses, ports, or protocols of each unit of data (packet). Stateful inspection, or dynamic packet filtering, monitors the state of each active connection and determines which packets to allow or disallow. It offers better security than packet filtering because it examines each packet more thoroughly. Proxy firewalls combine stateful inspection with the ability to perform deep application analysis. A proxy firewall acts as a middle man of sorts by establishing a proxy connection to the server. This is the most recent type of firewall.
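The difference between a packet filter and stateful inspection described above, as an added example that is not part of the original paper: a small Python model with default deny. The addresses, rule sets and sample packets are constructed for illustration, and the connection tracking is simplified to the address/port/protocol tuple.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

LAN, ANY = "10.0.0.0/24", "0.0.0.0/0"   # constructed addressing for the example

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str

@dataclass(frozen=True)
class Rule:
    """One 'allow' entry; None for a port means any port."""
    src_net: str
    dst_net: str
    proto: str
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (p.proto == self.proto
                and ip_address(p.src) in ip_network(self.src_net)
                and ip_address(p.dst) in ip_network(self.dst_net)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))

# Stateless policy needs a standing rule to let HTTPS replies back in.
STATELESS_RULES = [Rule(LAN, ANY, "tcp", dport=443),
                   Rule(ANY, LAN, "tcp", sport=443)]
# Stateful policy lists only what may be initiated; replies come from state.
STATEFUL_RULES = [Rule(LAN, ANY, "tcp", dport=443)]

def packet_filter(rules, p: Packet) -> bool:
    """Judge each packet alone; no matching rule means deny (default deny)."""
    return any(r.matches(p) for r in rules)

class StatefulFirewall:
    """Simplified: tracks the 5-tuple only, not TCP flags or timeouts."""
    def __init__(self, rules):
        self.rules, self.connections = rules, set()

    def allow(self, p: Packet) -> bool:
        if any(r.matches(p) for r in self.rules):
            self.connections.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return True
        # Otherwise allow only the mirror image of a tracked connection.
        return (p.proto, p.dst, p.dport, p.src, p.sport) in self.connections

SAMPLE = [  # constructed traffic, documentation address ranges
    ("outbound https", Packet("10.0.0.5", 50000, "203.0.113.10", 443, "tcp")),
    ("genuine reply", Packet("203.0.113.10", 443, "10.0.0.5", 50000, "tcp")),
    ("unsolicited, sport 443", Packet("198.51.100.7", 443, "10.0.0.9", 3389, "tcp")),
    ("inbound ssh", Packet("198.51.100.7", 40000, "10.0.0.9", 22, "tcp")),
]

def compare(packets=SAMPLE):
    """Return (label, stateless verdict, stateful verdict) per packet."""
    fw = StatefulFirewall(STATEFUL_RULES)
    return [(label, packet_filter(STATELESS_RULES, p), fw.allow(p))
            for label, p in packets]

if __name__ == "__main__":
    for label, stateless, stateful in compare():
        print(f"{label:24} stateless={stateless!s:5} stateful={stateful}")
```

The third sample packet is the case that separates the two designs: the static "replies from port 443" rule lets it through the packet filter, while the stateful firewall drops it because no inside host opened that connection.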

As the technology has advanced, firewalls can now perform functions that were characteristically handled by hardware equipment. They now have the capability to filter traffic based on IP address, TCP, UDP, port numbers, etc. They can discriminate what type of access is to be granted based on the user. However, firewalls do have limitations. For instance, they cannot protect against viruses, especially in programs or files. They cannot ensure data integrity or confidentiality.

The firewall should be seen as the first line of defense for a network. Much like the walls protecting an ancient city, it is not meant to be the only form of defense. It should be combined with other defensive tactics that cover its vulnerabilities. If done effectively, the results will help bolster a successful network security policy.

What Should Not Be Included In The Security Policy

Virtual Private Network Policy, Users Password Policy, Company Audit Policy,

Acceptable Encryption Policy, Server Security Policy, Information Sensitivity Policy, Anti-Virus

Guidelines, Wireless Communication Policy, Risk Assessment Policy, EMS Network and

Computer Acceptable Use Policy, Analog Line Policy, Remote Access Policy, Automatically

Forwarded Email Policy, Acceptable Use Policy.

Company Security Policies: Problem and Solution

A review was completed, and the protection applied to the information assets and the security controls suggested above are in proportion to the value and sensitivity of the information. We have balanced these attributes against (1) the cost of the controls, (2) the impact of the controls on the effectiveness of day-to-day operations, and (3) the risk of disclosure, damage and modification of the intellectual property contained within.

The security policy for this organization will cover all entities that interact with the organization, including employees, vendors, and contractors. Each party involved will be provided with the security policy and will be required to comply with company policies henceforth; a signed agreement acknowledging understanding of personal responsibility will be kept on file. These security policies will adhere to all laws, regulations, industry standards and contractual commitments associated with intellectual property information.

External Hardware - Connecting Devices to the Network

Security rules that apply to non-compliant devices connecting to the company's network should be provided to employees and vendors alike.

Only company-authorized devices may be connected to the network. Users, whether local or remote, should not connect non-company devices to the network. Approved devices include workstations that are owned by the company and comply with the company security configuration guidelines, in addition to the management and monitoring network infrastructure equipment used on the network. Unauthorized devices include unauthorized storage devices, e.g. thumb drives and writable CDs, as well as personal hubs, routers, etc. Any device that would alter the topology characteristics of the network is considered an unauthorized device.

Purpose

This section discusses and demonstrates the importance of end user behavior and responsibility to the security of the network. It also describes in detail the training requirements for the company to follow for each employee at the beginning of their employment, and the follow-up training that keeps employees updated on new possible security attacks as they are discovered.

End User Behavior

As IT professionals we know the dangers of network security breaches; however, an end user never thinks about such things and may be careless when accessing the network. This is why it is important to educate them about the different security attacks and the tactics cybercriminals will use. It is important to make sure the users have the information and understand exactly what can happen if they do not follow the different safety precautions set up within this policy. The first thing that needs to be done is to educate end users on what cybercrimes and malware are. Getting them to understand malware in terms of spyware, key loggers and worms, and helping them to understand how these relate to criminal activity, is very important and can make the security team's job easier. Most end users do not understand that even the tiniest bit of information can be used by these criminals to steal information or cause harm to a company network, or that anyone can become a victim or be used to obtain the information the criminals want (Balci, 2015).

The end user needs to be shown how clicking to open an email from someone they do not know can actually give access to a hacker or other type of cyber-criminal. Explain to the end user that some programs are rogue: they appear to be exactly what they say they are, but in actuality they are hiding worms or Trojans to obtain access to the user's computer, so that the individual who created them can steal information or even take control of the computer. The next topic that needs to be explained to the end user is the tactic of phishing. Criminals use phishing to obtain information that individuals do not really understand is important; even individuals who understand the importance of the information still manage to give it up, because the criminal exploits trust to obtain it from them. The best way for end users to avoid attacks such as these is not to open emails from unknown senders, not to download applications other than the ones approved and supplied by supervisors and security team members, and not to visit social network sites on company computers (Balci, 2015).

Training

The training of end users is very important, as they will be the first to spot something that may be an attack on the network. The end user will come into contact with attacks long before the security team will, as they are the ones working on the computers within the company daily. There need to be several stages to the training of the employees and users of the network. The first session of training should take place at the hiring of the employee. Depending on the security risks involved in the position inside the company, a contract can be signed between the employee and the company stating the regulations and rules the employee will be required to follow and maintain. Once the contract is signed, the next step would be to give classes and tutorials to the employees explaining what types of threats are out there and how to identify those risks on a daily basis (Blackmore, 2015).

The proper way to report these risks to the network security team members for each department will also need to be discussed. The company then needs to schedule meetings with the different department employees every six months, or more frequently depending on the rate of change in the company's products, to go over any new attacks that may have come to light so the users will know what to look for. It would be helpful for the company to utilize training videos, or even to schedule off-campus training sessions lasting three or four days, to give employees time to learn and soak in the information about possible security risks and how to effectively prevent them from occurring (Blackmore, 2015).

Conclusion

You are probably asking why it is so important for the employees and end users to understand all of the information within this policy. The best way to explain that to you is to ask you one simple question. Would you willingly give your house keys to a total stranger to take care of for a week while you are on vacation? Probably not, because you would be afraid they would rob you blind. This is why you will want to make sure all your employees understand and know to follow this policy, so that they can help you keep the important and valuable information held within your network safe from possible hackers or attacks. Like guard dogs or a security alarm on your house, your employees can actually help to deter possible thefts or attacks if educated properly in ways to keep the network safe.

References

Antivirus Software and Internet Security for Your PC or Mac | McAfee. (n.d.). Retrieved from http://home.mcafee.com/advicecenter/?id=ad_ost_hvsf&ctst=1

Balci, T. (2015, April 24). Simple, Effective Security Tips for End Users. In Web Hosting Geeks. Retrieved July 1, 2015, from Webhostinggeeks.com website: https://webhostinggeeks.com/blog/simple-effective-security-tips-for-end-users/

Blackmore, C. (2015, July 3). Customer Success Training Best Practices: End-User Training [Web log post]. Retrieved from http://www.bluenose.com/blog/customer-success-training-best-practices/

Brown, J. F. (2015, June 30). Keeping the Security Hardware Up to Date. Midway, Florida, United States of America: AIU Online Virtual Campus Student.

Brown, J. F. (2015, June 30). The Importance of Having Social Engineering Safeguards. Midway, Florida, United States of America: AIU Online Virtual Campus Student.

Fire Wall - Network Firewalls. (n.d.). Retrieved from http://compnetworking.about.com/od/firewalls/g/bldef_firewall.htm

Firewalls. (n.d.). Retrieved from https://technet.microsoft.com/en-us/library/cc700820.aspx

How do proxy servers and proxy firewalls differ? (n.d.). Retrieved from http://searchsecurity.techtarget.com/answer/How-do-proxy-servers-and-proxy-firewalls-differ

Paquet, C. (2013, February 5). Implementing Cisco IOS Network Security Foundation Learning Guide (2nd Edition). Retrieved July 1, 2015, from www.ciscopress.com/articles/article.asp?p=1998559

Permissions for files and folders. (2005, January 21). Retrieved from https://technet.microsoft.com/en-us/library/cc787794(d=printer,v=ws.10).aspx

Small Business Firewall Software vs. Hardware Firewalls - Cisco Systems. (n.d.). Retrieved from http://www.cisco.com/cisco/web/solutions/small_business/resource_center/articles/secure_my_business/small_business_firewall_software/index.html

Wlosinski, L. G. (2015, June 2). How to Secure WordPress in 10 Steps. NextGov. Retrieved from http://www.nextgov.com/technology-news/tech-insider/2015/06/how-secure-wordpress-10-steps/114226/