
Discussion 6

Course Name: IAP302
Instructor Name: Hồ Hải
Lab Due Date: 22/6/2021

Group: Nguyễn Ngọc Bảo Long - SE150889
Nguyễn Trần Đại Phước - SE150992
Dương Chí Hùng - SE151235

Hùng:
- Update software and operating systems regularly.
- Encrypt and back up important data.
- Penetration testing for vulnerabilities.
- Apply 2FA to all system log-ins.
Phước:
- Back up data
+ Encrypt backed-up data that contains sensitive information
+ Protect it with a password if possible
- Install trusted software
+ Install software or any package from credible and trusted sources to prevent security risks to the infrastructure
- Encrypt data when needed
+ Translate sensitive electronic data into an intelligible code
+ Only authorized users can access and decipher the code
- Have a robust firewall system
+ Extra protection for the built-in security features of the system
+ Prevent outsider threats
Long:
- Utilization of SSH Key Authentication
+ Using passwords still has a chance of being brute-forced or dictionary-attacked
+ Better security for IAM
- Use Strong Data Encryption
+ Better data security
+ Prevent the risk of data leakage
+ Provide better data integrity
- Regularly check for vulnerabilities:
+ Ensure the safety of the IT infrastructure
+ Have better insight into the infrastructure
- Update regularly
+ Up-to-date security resolutions might be available
+ Fixes some mistakes made by developers
+ Have a healthy infrastructure without any vulnerability to well-known exploits
Assignment 6

Course Name: IAP302
Instructor Name: Hồ Hải
Lab Due Date: 22/6/2021

Group: Nguyễn Ngọc Bảo Long - SE150889
Nguyễn Trần Đại Phước - SE150992
Dương Chí Hùng - SE151235

Policies (each policy is listed with its Who?, What?, When? and Why? columns)

1. Policy: Users will only be given sufficient rights to all systems to enable them to perform their job function. User access rights will be kept to a minimum at all times.
   Who: User
   What: Enable access to system
   When: Access to system
   Why: Minimize threat of unauthorized system access

2. Policy: Users requiring access to systems must make a written application on the forms provided by the I.T. Department.
   Who: User
   What: Discrete access to an application
   When: Access to application
   Why: Minimize threat of unauthorized application access

3. Policy: Where possible no one person will have full rights to any system. The I.T. Department will control network/server passwords, and system passwords will be assigned by the system administrator in the end-user department.
   Who: I.T. Department
   What: Full-rights system access
   When: No one eligible for full system access
   Why: Implements segregation of purpose

4. Policy: Access to the network/servers and systems will be by individual username and key, or by smartcard and PIN number/biometric.
   Who: User
   What: System access
   When: Accessing the system
   Why: Implement access control for safety

5. Policy: Usernames and keys must not be shared by users.
   Who: User
   What: User credential
   When: Using credential
   Why: Prevent unauthorized access

6. Policy: Usernames will consist of initials and surname.
   Who: User
   What: User credential
   When: On credential creation
   Why: Identification across organization

7. Policy: The I.T. Department will be notified of all employees leaving the Organisation's employment. The I.T. Department will then remove the employees' rights to all systems.
   Who: User
   What: User credential
   When: On resignation
   Why: Prevent unauthorized access from unused account

8. Policy: Auditing will be implemented on all systems to record login attempts/failures, successful logins and changes made to all systems.
   Who: IT Department
   What: Authentication audit
   When: On login attempt
   Why: Keep track of authentication attempts for security provision

9. Policy: I.T. Department staff will not log in as root onto UNIX, Linux systems, but will use the su command to obtain root privileges.
   Who: I.T. Department
   What: Linux, UNIX system
   When: Using system
   Why: Prevent unauthorized user access vulnerability of Linux system

10. Policy: Internet and Network Monitoring
    Who: Technologies' Information Technology Services (ITS)
    What: Provide information related to network
    When: Unauthorized or irregular behavior on network
    Why: Minimize threat of unauthorized access on network

11. Policy: Internet Use Filtering System
    Who: Personnel
    What: Actions toward unallowed behavior: racism, sexual, etc.
    When: Download, upload, contain, display, …
    Why: Law-breaking, inappropriate in workplace

12. Policy: Intentionally circumvent security mechanisms such as cracking passwords, exploiting system vulnerabilities, or using systems in excess of granted privileges.
    Who: Personnel
    What: Breaching company allowed access of information
    When: Accessing unauthorized information, cracking others' password
    Why: Inappropriate behavior in organization, against the organization rules, etc.

13. Policy: Intentionally write, compile, copy, propagate, execute, or attempt to introduce any malicious computer code designed to self-replicate, damage, or otherwise hinder the performance of any computer system. Such software may be referred to as malware: virus, worm, or a Trojan Horse.
    Who: Personnel
    What: Creating malicious code
    When: Creating, writing, executing malicious code
    Why: Against the safety policy, data leak, system broken down, …
