
Assessment Brief

Qualification: BTEC Level 5 HND Diploma in Computing

Unit number: Unit 5: Security

Assignment title: Security Presentation

Academic Year: 2020

Unit Tutor:

Issue date:

Submission date:

IV name and date: Khoa Canh Nguyen, Michael Omar, Nhung, 9th/01/2020

Submission Format
The submission is in the form of two documents/files:

1. A ten-minute Microsoft® PowerPoint® style presentation to be presented to your colleagues. The presentation can include links to performance data with additional speaker notes and a bibliography using the Harvard referencing system. The presentation slides for the findings should be submitted with speaker notes as one copy.

2. A detailed report that provides more thorough, evaluated or critically reviewed technical information on all of the topics.

You are required to make use of the font Calibri, Font size 12, Line spacing 1.5, Headings, Paragraphs, Subsections
and illustrations as appropriate, and all work must be supported with research and referenced using the Harvard
referencing system.

Unit Learning Outcomes


LO1 Assess risks to IT security.
LO2 Describe IT security solutions.
Assignment Brief and Guidance
You work as a trainee IT Security Specialist for a leading security consultancy in Vietnam called FPT Information Security (FIS).

FIS works with medium-sized companies in Vietnam, advising on and implementing technical solutions to potential IT security risks. Most customers have outsourced their security concerns because they lack the technical expertise in house. As part of your role, your manager Jonson has asked you to create an engaging presentation to help train junior staff members on the tools and techniques associated with identifying and assessing IT security risks, together with the organisational policies that protect business-critical data and equipment.

In addition to your presentation you should also provide a detailed report containing a technical review of the
topics covered in the presentation.

Your presentation should:

1. Identify the security threats FIS may face if they suffer a security breach. Give an example of a recently publicised security breach and discuss its consequences.
2. Describe a variety of organisational procedures an organisation can set up to reduce the effects of a security breach on the business.
3. Propose a method that FIS can use to prioritise the management of different types of risk.
4. Discuss three benefits to FIS of implementing a network monitoring system, giving suitable reasons.
5. Investigate network security, identifying issues caused by incorrect configuration of firewalls and IDS, and show through examples how different techniques can be implemented to improve network security.
6. Investigate a 'trusted network' and, through an analysis of positive and negative issues, determine how it can be part of a security system used by FIS.

Your detailed report should include a summary of your presentation as well as additional, evaluated or
critically reviewed technical notes on all of the expected topics.

Learning Outcomes and Assessment Criteria

LO1 Assess risks to IT security

Pass:
- P1 Identify types of security threat to organisations. Give an example of a recently publicized security breach and discuss its consequences.
- P2 Describe at least 3 organisational security procedures.

Merit:
- M1 Propose a method to assess and treat IT security risks.

LO2 Describe IT security solutions

Pass:
- P3 Identify the potential impact to IT security of incorrect configuration of firewall policies and IDS.
- P4 Show, using an example for each, how implementing a DMZ, static IP and NAT in a network can improve Network Security.

Merit:
- M2 Discuss three benefits to implement network monitoring systems with supporting reasons.

LO1 & LO2

Distinction:
- D1 Investigate how a 'trusted network' may be part of an IT security solution.
Contents

Assessment Brief, p. 1
-Introduction-, p. 6
LO1: Assess risks to IT security, p. 6
P1. Identify types of security risks to organizations, p. 6
1. IT threats, p. 6
  1.1-Computer virus, p. 6
  1.2-Trojan Horse, p. 7
  1.3-Worm, p. 8
  1.4-Denial-of-service Attack, p. 8
  1.5-Spyware, p. 9
  1.6-Adware, p. 10
  1.7-SQL Injection, p. 12
  1.8-Phishing, p. 12
  1.9-Rootkit, p. 13
  1.10-Malware, p. 15
  1.11-Ransomware, p. 15
  1.12-Data breach, p. 18
  1.13-Zero day attack, p. 18
  1.14-Careless employees of organization, p. 19
P2 Describe at least 3 organisational security procedures, p. 19
  1. Acceptable Use (AUP), p. 19
P3 Identify the potential impact to IT security of incorrect configuration of firewall policies and IDS, p. 21
  1. Firewall defined, p. 21
  2. Intrusion Detection System (IDS), p. 23
  3. Firewall threat-risk, p. 24
  4. IDS threat-risk, p. 26
P4 Show, using an example for each, how implementing a DMZ, static IP and NAT in a network can improve Network Security, p. 27
  1. DMZ (demilitarized zone), p. 27
  2. Static IP, p. 28
  3. NAT (Network Address Translation), p. 29
Conclusion, p. 30
References, p. 31

List of figures

Figure 1, virus wannacry, p. 18
Figure 2, virus decryptor, p. 19
Figure 3, firewall, p. 23
Figure 4, firewall diagram, p. 24
Figure 5, IDS, p. 26
Figure 6, DMZ Diagram, p. 30
Figure 7, Static IP, p. 31
Figure 8, NAT, p. 32
-Introduction-
Security is one of the most important challenges modern organisations face.

Security is about protecting organisational assets, including personnel, data, equipment and networks
from attack through the use of prevention techniques in the form of vulnerability testing/security
policies and detection techniques, exposing breaches in security and implementing effective responses.

The aim of this unit is to provide students with knowledge of security, associated risks and how security
breaches impact on business continuity.

Students will examine security measures involving access authorisation, regulation of use, implementing
contingency plans and devising security policies and procedures.

LO1: Assess risks to IT security

P1. Identify types of security risks to organizations

1.IT threats
A threat is an event that could exploit a vulnerability (an attack waiting to happen) and cause a negative impact on the network. Threats in the digital world typically mimic threats in the physical world. Theft, vandalism and eavesdropping are all threats that have moved from the real world into cyberspace, typically via the Internet. There are some significant differences, however, in the distance from which these attacks can be carried out, the automation involved, and the propagation (spreading) of attack techniques.

1.1-Computer virus
A computer virus is a malicious program loaded onto a user's computer without the user's knowledge that performs malicious actions.

Viruses are always created by people. Once created and released, however, their spread is no longer under direct human control. After entering a computer, a virus attaches itself to another program in such a way that executing the host program also triggers the virus. It can self-replicate, inserting copies of itself into other programs or files and infecting them in the process. Not all computer viruses are destructive, but most perform actions that are malicious in nature, such as destroying data. Some viruses act as soon as their code runs, while others lie dormant until a programmed trigger (a date or a particular event) causes their code to execute. Viruses spread when the software or documents they are attached to are transferred from one computer to another over a network, on removable media, through file sharing, or as infected e-mail attachments. Some viruses use stealth techniques to avoid detection by anti-virus software: some infect files without increasing their size, others try to kill the anti-virus processes before they can be scanned, and some older viruses preserve the "last modified" timestamp of the host file when they infect it. The practical consequence is that file size and timestamps are not reliable indicators of infection; only a check of the file contents (a signature scan, or a cryptographic hash compared against a known-good baseline) is.

A virus can be spread or triggered in many ways, for example:

- Clicking on an executable file
- Installing free software and apps
- Visiting an infected or insecure website
- Clicking on advertisements
- Using infected removable storage devices, such as USB drives
- Opening spam e-mail or clicking on links in it
- Downloading free games, toolbars, media players and other software
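The stealth tricks described above (infecting in place so the size does not grow, and restoring the "last modified" time) defeat any integrity check based on size and timestamps. The following is an added example, not code from the original report, showing why a hash baseline catches what a size/mtime comparison misses. The temporary directory, the "host program" and the simulated infection are all constructed for the demonstration.

```python
# Added example (not part of the original report): why file size and
# timestamps are not enough to detect a stealthy virus, and why a hash
# baseline is. Everything here (the temporary directory, the "host
# program", the simulated infection) is constructed for the demonstration.
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash the file contents in chunks so large binaries are not read at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: Path) -> dict:
    """Record (size, mtime in ns, SHA-256) for every regular file under root."""
    table = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            table[p.relative_to(root).as_posix()] = (st.st_size, st.st_mtime_ns, sha256_of(p))
    return table


def compare(root: Path, base: dict) -> dict:
    """Report changed files two ways: by size+mtime only, and by content hash."""
    by_stat, by_hash = [], []
    for rel, (size, mtime_ns, digest) in base.items():
        p = root / rel
        st = p.stat()
        if (st.st_size, st.st_mtime_ns) != (size, mtime_ns):
            by_stat.append(rel)
        if sha256_of(p) != digest:
            by_hash.append(rel)
    return {"by_stat": by_stat, "by_hash": by_hash}


def stealthy_infect(path: Path) -> None:
    """Simulate a virus that patches a host program in place.

    It overwrites bytes rather than appending (size unchanged) and then
    puts the original timestamps back: the two tricks described above.
    """
    st = path.stat()
    patch = b"\xeb\x10" + b"INFECTED"          # constructed stand-in for injected code
    with path.open("r+b") as f:
        f.write(patch)                         # in place: file size does not grow
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))   # restore "last modified"


def demo() -> dict:
    """Build a small tree, take a baseline, infect one file, and compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        host = root / "bin" / "tool.exe"
        host.write_bytes(b"MZ" + b"\x00" * 200)   # constructed "host program"
        (root / "README.txt").write_text("clean file\n")
        base = baseline(root)
        stealthy_infect(host)
        return compare(root, base)


if __name__ == "__main__":
    print(demo())   # by_stat finds nothing; by_hash finds bin/tool.exe
```

The size/mtime comparison reports nothing, while the hash comparison reports bin/tool.exe. This is the principle behind file integrity monitoring tools: the baseline must be a content hash stored somewhere the malware cannot rewrite, not metadata that the malware controls.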

1.2-Trojan Horse
A Trojan, or Trojan horse, is a type of malware (not a virus: it does not self-replicate) that is disguised as legitimate software such as utilities, games and sometimes even anti-virus programs. Once it runs on the computer it does whatever the attacker built into it, for example killing background system processes, deleting data from the hard drive or corrupting the file system.

Description: Most Trojans arrive as e-mail attachments in messages crafted to look authentic. Once the user downloads and runs the attachment, the payload executes and starts damaging the system. A Trojan can also come bundled with freeware and shareware from the Internet. Not every freeware package carries a Trojan, but software should still be downloaded from trusted sources only, and the options offered during installation should be read carefully. What a Trojan does depends on the attacker's motives: identity theft, data theft, crashing computers, spying on or tracking user activity, or opening a backdoor for remote access. Most anti-virus software recognises known Trojans, and a Trojan does no harm until it is executed. Trojans do not replicate by themselves, but they can be carried by a virus or worm that does spread across the network. Installing reputable, licensed anti-virus software, keeping its definitions up to date, being cautious with e-mail attachments even when they look authentic, and paying attention to system security prompts are some of the ways to keep a computer safe.

HOW DOES A TROJAN HORSE ATTACK?

- The victim receives an e-mail with an attachment that looks like an official message. The attachment contains malicious code that executes as soon as the victim opens it.
- The victim does not suspect that the attachment is actually a Trojan horse.

1.3-Worm
A computer worm is malicious, self-replicating software (malware) that spreads itself across networks without needing to attach to a host program.

It resembles a virus in many ways: it self-replicates and spreads across networks, which is why worms are often loosely called viruses. But worms differ from viruses in two important respects. First, a virus needs to attach itself to a host file or program before it can spread inside a computer, whereas a worm exists as a standalone program and needs no host. Secondly, a worm typically does not alter existing files; it resides in memory and copies itself. Worms use parts of the operating system that run automatically and are usually invisible to the user. Their presence often becomes apparent only when uncontrolled replication consumes system resources, slowing or halting other tasks. To spread, worms either exploit a vulnerability in the target system or use social engineering to trick users into executing them. Once inside a system they use its file-transport or information-transport features (e-mail, file shares, network services) to travel unaided. The Stuxnet worm attracted worldwide attention in 2010 when it was found to target the industrial control systems of Iran's nuclear facilities.

HOW DOES A WORM SPREAD?

It spreads without human assistance by exploiting security holes in software, and once inside it may steal sensitive information, corrupt files or install a backdoor for remote access to the system.
1.4-Denial-of-service Attack
A Denial-of-Service (DoS) attack aims to deprive legitimate users of an online service. It is done by flooding the network or server with useless requests until it can no longer respond, so that genuine users are prevented from using the service.

A classic form, the SYN flood, sends a stream of TCP connection requests whose source addresses are spoofed or unreachable. The server allocates state for each half-open connection and waits for a reply that never comes. Until those entries time out, the connection table is full and nobody else can connect. As soon as entries expire, the attacker sends more spoofed requests, so the server stays stuck and busy and the service is interrupted for everyone else. A distributed DoS (DDoS) does the same from many compromised machines at once, which makes the traffic much harder to filter.

Unlike most other attacks, DoS attacks usually do not aim to breach confidentiality or integrity. Their goal is to make websites and services unavailable to genuine users, costing time and money. Attacks can last for days, damaging the organisation's reputation and causing revenue loss, including compensation owed to users for unavailability at a critical time.

DoS attacks take many forms depending on the technique used: Smurf attack, ping flood, ping of death, teardrop attack, e-mail bomb, and so on. The motive can equally vary: extortion, personal rivalry, cyber warfare, business competition.

A single organisation cannot stop every flood on its own, but basic measures include monitoring traffic for abnormalities (a sudden rise in connection attempts that never complete is the tell-tale sign of a SYN flood), enabling SYN cookies and rate limiting on servers and edge devices, arranging upstream filtering with the ISP or a scrubbing service, keeping security definitions up to date, and staying aware of the latest threats.

HOW DOES A DOS ATTACK WORK?

- The attacker prevents legitimate users from accessing specific computer systems, devices or other resources.
- The attacker sends far more traffic to the target server than it can handle.
- The server is overwhelmed, which takes down websites, e-mail servers and other services connected to the Internet.
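The "monitoring traffic for abnormalities" advice above can be made concrete. The following is an added example, not code from the original report, that looks for the half-open connection pattern of a SYN flood in a connection log. The log format (one line per client segment with timestamp, source, destination, port and TCP flags) and the traffic itself are constructed for the demonstration; the window size and thresholds are assumptions that a real deployment would tune to its own normal traffic.

```python
# Added example (not part of the original report): detecting the half-open
# connection pattern of a SYN flood in a connection log. The log format
# (one line per client segment: timestamp, src, dst, dport, TCP flags) and
# the traffic itself are constructed; the window size and thresholds are
# assumptions that a real deployment would tune to its normal traffic.
from collections import defaultdict
from datetime import datetime, timezone


def build_sample_log() -> list:
    """Constructed traffic: 5 real clients that complete the handshake,
    then 200 SYNs from spoofed addresses that never do."""
    lines = []
    for i in range(1, 6):                     # legitimate clients: SYN then ACK
        src = f"198.51.100.{i}"
        lines.append(f"2020-01-09T10:00:0{i} src={src} dst=192.0.2.10 dport=443 flags=S")
        lines.append(f"2020-01-09T10:00:0{i} src={src} dst=192.0.2.10 dport=443 flags=A")
    for i in range(1, 201):                   # spoofed flood, all within one second
        lines.append(f"2020-01-09T10:00:30 src=203.0.113.{i} dst=192.0.2.10 dport=443 flags=S")
    return lines


def parse(line: str) -> tuple:
    """Split 'timestamp key=value ...' into (aware datetime, dict of fields)."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc), fields


def analyse(lines, window: int = 10, syn_threshold: int = 100,
            max_completion: float = 0.2) -> list:
    """Per (dst, dport, time window): count SYNs, distinct sources, and how many
    of those sources went on to ACK. Many SYNs with few completions = flood."""
    windows = defaultdict(lambda: {"syn": 0, "sources": set(), "completed": set()})
    for line in lines:
        ts, f = parse(line)
        key = (f["dst"], f["dport"], int(ts.timestamp()) // window)
        w = windows[key]
        if f["flags"] == "S":
            w["syn"] += 1
            w["sources"].add(f["src"])
        elif f["flags"] == "A" and f["src"] in w["sources"]:
            w["completed"].add(f["src"])       # handshake finished: a real client
    alerts = []
    for (dst, dport, slot), w in sorted(windows.items()):
        ratio = len(w["completed"]) / max(len(w["sources"]), 1)
        if w["syn"] >= syn_threshold and ratio <= max_completion:
            alerts.append({
                "target": f"{dst}:{dport}",
                "window_start": datetime.fromtimestamp(slot * window, timezone.utc).isoformat(),
                "syn": w["syn"],
                "sources": len(w["sources"]),
                "completed": len(w["completed"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in analyse(build_sample_log()):
        print(alert)
```

Counting per source would miss this attack, because every spoofed SYN comes from a different address. Counting per target and comparing SYNs against completed handshakes catches it, and it is the same signal a server's own half-open connection count gives.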
1.5-Spyware
Spyware is the term for a category of software that aims to steal personal or organisational information. It does so by performing operations without appropriate user permission, often covertly. Typical actions include displaying advertising, collecting personal information and changing the user's configuration settings.

Spyware is generally classified into adware, tracking cookies, system monitors and Trojans. The most common way for spyware to get onto a computer is as a hidden component bundled with freeware or shareware. Once installed, it starts sending data from the computer to the attacker in the background.

Much of today's spyware is used to serve pop-up advertisements based on browsing habits and search history. When spyware is used maliciously, it hides among the system files and is difficult to tell apart from legitimate software.

One of the simplest and most common, yet most dangerous, kinds is the keylogger. It records keystrokes, which can be disastrous because it captures passwords, credit card numbers and similar data. On some shared networks and corporate computers keyloggers are installed deliberately to track user activity.

Spyware can cause other trouble too: software intended to monitor the computer can change user preferences, permissions and even administrative rights, locking users out of their own computers and in some cases causing complete data loss. Spyware running in the background also inflates the number of processes, causes frequent crashes and slows the computer down.

The best protection is reputable anti-virus/anti-spyware software. Just as important is care when installing freeware: untick the optional components that are checked by default.

HOW DOES SPYWARE GET INSTALLED?

It can install itself automatically, arrive as a hidden component of a software package, or be installed like traditional malware through deceptive ads, e-mail and instant messages.

1.6-Adware
Adware is the name for a program designed to display advertisements on a computer, redirect requests to an advertising website, and collect marketing data, for example the list or categories of websites you visit most often, so that tailored advertisements can be served. Adware that collects data with your consent should not be confused with spyware or Trojans, which collect information without permission. If the adware does not tell you that it is collecting data, it is treated as a form of malicious code, for example malware of the Trojan-Spy class.

How can adware affect you?

Apart from rendering ads and tracking, the presence of adware is usually not obvious. There are typically no warnings or icons in the system tray and nothing in the program menu to indicate that its files are installed.

Adware usually gets onto a computer through free software and programs. There are two routes:

- Via freeware or shareware: Adware is bundled with a number of freeware and shareware programs. This is a legitimate way to generate advertising revenue that finances the development and distribution of such programs.

- Via websites that carry adware: Visiting such a website can lead to the automatic installation of adware without permission, an approach favoured by more sophisticated attackers. For example, the computer can be compromised through a browser vulnerability, in which case Trojans designed for silent installation are very likely to be used. Adware that behaves this way is commonly known as a browser hijacker.

1.7-SQL INJECTION
SQL injection is an application-layer attack technique used to steal or manipulate data by targeting web-based applications.

It attacks the data store behind a web application by taking advantage of poor coding practice (building SQL statements by concatenating user input) and of excessive database privileges granted to the account the application uses. SQL injection arises because input fields, if not validated correctly by the application, allow SQL syntax to pass through and directly alter the query sent to the database. This lets attackers read, tamper with or delete existing data, spoof identities, escalate privileges and, in some cases, void transactions or change balances. For example, consider a generic login page where users enter a username and password in order to view or modify their personal details. When the form is submitted, an SQL query is built from these values and sent to the database for verification; if a matching row is found, the user is granted access. Through SQL injection, the attacker inserts specially crafted SQL fragments into the username or password field so that the query's WHERE clause always evaluates true, bypassing the login form entirely. Input that is not properly handled (validated, and above all kept out of the SQL text by using parameterised queries) makes this possible. Applications built on older string-based database interfaces (classic PHP mysql_* calls, classic ASP) are common victims; platforms whose data-access APIs encourage parameterised queries (J2EE, ASP.NET) are less likely to be exploited this way, though they are not immune if developers still concatenate strings. The severity of an SQL injection depends largely on the attacker's skill, imagination and intent. The vulnerability is rated high impact and demands immediate attention.
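The login bypass described above, as an added example that is not code from the original report. It runs against an in-memory SQLite database with a constructed users table, and shows the string-built query beside the parameterised query that defeats the same input. Passwords are stored in clear here only to keep the focus on query construction; a real application stores salted password hashes.

```python
# Added example (not part of the original report): the login bypass the
# text describes, against an in-memory SQLite database with a constructed
# users table, beside the parameterised query that defeats it. Passwords
# are stored in clear here only to keep the focus on query construction;
# a real application stores salted password hashes.
import sqlite3


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, is_admin INTEGER)"
    )
    con.executemany(
        "INSERT INTO users (username, password, is_admin) VALUES (?, ?, ?)",
        [("admin", "S3cret!", 1), ("alice", "hunter2", 0)],
    )
    return con


def login_vulnerable(con, username: str, password: str):
    """Builds the SQL by string formatting: whatever the user types becomes SQL."""
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    row = con.execute(query).fetchone()
    return row[0] if row else None


def login_safe(con, username: str, password: str):
    """Uses placeholders: the driver passes the values separately from the SQL,
    so a quote or a comment marker in the input is just data."""
    row = con.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo() -> dict:
    con = make_db()
    # The comment marker "--" throws away the password check entirely; the
    # resulting query is: ... WHERE username = 'admin' --' AND password = 'x'
    comment_out = ("admin' --", "x")
    # An always-true condition matches every row; the first row (admin) is returned.
    always_true = ("' OR 1=1 --", "x")
    return {
        "vulnerable_comment": login_vulnerable(con, *comment_out),
        "vulnerable_always_true": login_vulnerable(con, *always_true),
        "safe_comment": login_safe(con, *comment_out),
        "safe_always_true": login_safe(con, *always_true),
        "safe_real_user": login_safe(con, "alice", "hunter2"),
    }


if __name__ == "__main__":
    print(demo())
```

Both payloads log the attacker in as admin through login_vulnerable and are rejected by login_safe, which still accepts the genuine user. Input "sanitising" by escaping quotes is a weaker fix than parameterisation because it has to anticipate every encoding and every database dialect; placeholders remove the problem rather than filter it.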

1.8- Phishing
Phishing is a form of attack in which the attacker poses as a reputable organisation in order to trick users into handing over personal information.

Typically the attacker pretends to be a bank, an online shop, an e-wallet or a credit card company to lure users into revealing sensitive data such as login names and passwords, transaction passwords, card numbers and other valuable information.

The attack is usually delivered by e-mail or text message. A user who opens the message and clicks the fake link is presented with a login page; if they "bite", the attacker has their credentials immediately.

The technique was first described in 1987. The word "phishing" combines "fishing" (for information) with "phreaking" (the manipulation of telephone systems to make free calls), the "ph" spelling being borrowed from the latter.

HOW DOES A PHISHING ATTACK WORK?

- The attacker sends the victim an e-mail that appears to come from their bank and asks them to provide personal information.
- The message contains a link that redirects the victim to a fraudulent website built to capture that information. The visible link text usually shows the bank's real address while the underlying link points elsewhere.
- The safest response is not to click such links or open such messages and never to supply sensitive information in reply; open the bank's site by typing its address yourself.
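The link tricks described above can be checked mechanically before a user ever sees the message. The following is an added example, not code from the original report, that parses the anchors of an HTML e-mail and flags a link whose visible text shows one address while the href goes to another, a raw IP address used as host, a user@host prefix used to hide the real host, and a trusted brand name placed inside someone else's domain. The sample message uses documentation-reserved domains and addresses, and "example-bank.com" as the trusted domain is an assumption of the demo.

```python
# Added example (not part of the original report): flagging deceptive links
# in an HTML e-mail. The sample message below is constructed and uses
# documentation-reserved domains and addresses; "example-bank.com" stands
# in for the bank the victim trusts and is an assumption of the demo.
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_EMAIL = """
<p>Dear customer, your account has been locked. Please verify your details.</p>
<p><a href="http://www.example-bank.com.evil.example/login">https://www.example-bank.com/login</a></p>
<p><a href="http://203.0.113.9/verify">Verify now</a></p>
<p><a href="http://example-bank.com@evil.example/reset">Reset password</a></p>
<p><a href="https://www.example-bank.com/help">Help centre</a></p>
"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Hostname of a URL or bare domain, lower-cased ('' if none)."""
    p = urlparse(url if "://" in url else "http://" + url)
    return (p.hostname or "").lower()


def registrable(host: str) -> str:
    """Crude registrable domain: the last two labels. Enough for the demo;
    a real checker would consult the Public Suffix List."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_links(html: str, trusted=("example-bank.com",)) -> list:
    """Return the suspicious links with the reasons each was flagged."""
    collector = AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        reasons = []
        host = host_of(href)
        if is_ip(host):
            reasons.append("link host is a raw IP address")
        if "@" in urlparse(href).netloc:
            reasons.append("user@host trick: real host is " + host)
        # Visible text that looks like an address must point where it says.
        text_host = host_of(text) if "." in text and " " not in text else ""
        if text_host and registrable(text_host) != registrable(host):
            reasons.append(f"text shows {text_host} but link goes to {host}")
        # A trusted brand name appearing inside someone else's domain.
        brand_hit = any(t.split(".")[0] in host for t in trusted)
        if brand_hit and registrable(host) not in trusted:
            reasons.append(f"trusted name used inside untrusted domain {registrable(host)}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in check_links(SAMPLE_EMAIL):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

The first three links are flagged and the genuine help-centre link is not. Mail gateways apply the same kind of checks, plus sender authentication, before rewriting or quarantining a message; the checks are cheap precisely because the attacker has to put the real destination somewhere in the message.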
1.9-Rootkit
A rootkit is malicious software that installs itself and runs on a system without the user's consent in order to gain and keep administrator-level (root) access to a computer or network, while hiding its presence from the user and from security tools.

There are different types of rootkit, such as bootkits, firmware rootkits, kernel-mode rootkits and application (user-mode) rootkits.

HOW DOES A ROOTKIT GET INSTALLED?

A rootkit can arrive on infected disks or drives, but it is typically installed using a stolen password or by exploiting system vulnerabilities, social engineering and phishing, without the victim's knowledge.

ROOTKIT TYPES:

User-mode rootkits

User mode is the restricted processor mode in which ordinary applications run: access to hardware and to other processes' memory goes through the operating system, so the damage a user-mode program can do is limited and usually recoverable.

A user-mode rootkit runs with the privileges of the account it infects, often an administrator account. That means:

- It can alter or hide processes, files, system drivers, network ports and even system services by hooking the application programming interfaces that user programs call.
- It keeps itself installed by copying its files to the hard drive and starting automatically every time the system boots.

Hacker Defender is a typical user-mode rootkit. It and many others were discovered and removed thanks to Mark Russinovich's well-known RootkitRevealer tool.

Kernel-mode rootkits

Kernel mode is the privileged processor mode in which the operating system core runs, with unrestricted access to all hardware and software resources; the most trusted operating system functions live there. Damage done in kernel mode can be very hard to reverse.

Once user-mode rootkits were being detected and removed, rootkit developers moved on to kernel-mode rootkits. Kernel mode means the rootkit runs at the same privilege level as the operating system and as the rootkit detection programs, so it can make the whole system unreliable.

Instability is one sign of a kernel-mode rootkit, up to and including unexplained crashes or blue screens. If you suspect one, try GMER, one of the few rootkit removal tools you can trust, against a kernel-mode rootkit such as Rustock.

Firmware rootkits

Firmware rootkits are the most sophisticated to install, because their developers have found ways to store the rootkit's malicious code in firmware. Any firmware that can be rewritten is a candidate, from microprocessor microcode to the firmware on expansion cards. That means:

- On shutdown, the rootkit writes its current code into the firmware.
- On restart, the rootkit reinstalls itself from the firmware.
- Even if a program detects and removes the rootkit from disk, it will be back the next time the computer starts.

1.10-Malware
Malware is software, typically a program or piece of code, developed by cyber attackers. It is a category of cyber security threat to organisations designed to cause extensive damage to systems or to gain unauthorised access to a computer.

HOW DOES MALWARE ATTACK?

- Malware can infect a device in many ways; commonly it is delivered as a link or file attached to an e-mail and requires the user to click the link or open the file to execute it.
- The category includes computer viruses, worms, Trojan horses, spyware and ransomware.

1.11-Ransomware
Ransomware is the common name for a class of malware whose effect is to prevent users from accessing their computer systems or their files (it is mostly seen on Windows systems). Variants of this type display a message telling the victim to pay a substantial sum of money into the attacker's account in order to get their data or personal information back, or at least to regain access to the computer. Most ransomware hijacks and encrypts all the victim's data it can find (the CryptoLocker family is the best-known example), while some variants use Tor to hide their command-and-control (C&C) traffic (CTB-Locker is an example).

Figure 1, virus wannacry

Ransomware is easily recognised by its ransom demand.

HOW DOES RANSOMWARE GET INSTALLED?

Like most threats, it typically gets into a computer system in the following ways:

- Downloading and opening a malicious e-mail attachment
- Installing infected software or apps
- Visiting a malicious or compromised website
- Clicking on untrusted links or images

EXAMPLE OF A RANSOMWARE ATTACK:

WannaCry

WannaCry is no longer an unfamiliar name to anyone who follows technology and security. In 2017 this malware struck on a very large scale, hitting around 250,000 computers in 116 countries, including Vietnam.

WannaCry was considered "the worst ransomware attack in history" as of 2017, with estimated damage in the hundreds of millions to billions of dollars. The malware exploited a vulnerability in the SMB protocol implementation of Microsoft Windows to spread automatically to other computers on the same network, without any user action.

Figure 2, virus decryptor

In just four days WannaCry spread to 116 countries with more than 250,000 infections detected. Government bodies and large organisations such as FedEx, the National Health Service in England and the Russian Ministry of the Interior all suffered from it.

Several months after the attack, the US government formally accused North Korea of being behind WannaCry; the British government and Microsoft reached similar conclusions.

1.12-Data breach
A data breach, sometimes also called a data or information leak, is the disclosure or abuse of private or
confidential information belonging to an individual or organization without their consent. A data breach
may expose the individual or organization to legal consequences, so detecting and closing data leaks is a
top priority. However, it must be understood that data can be exposed both by external attackers and by
unintentional or intentional actions of people inside the organization.

1.13-Zero day attack


A zero-day attack (also referred to as Day Zero) is an attack that exploits a potentially serious software
security weakness that the vendor or developer may be unaware of. The software developer must rush
to resolve the weakness as soon as it is discovered in order to limit the threat to software users. The
fix is delivered as a software patch. Zero-day attacks can also be used against the Internet of Things
(IoT), where patches are often slow to arrive or never arrive at all.

A zero-day attack can involve malware, adware, spyware, or unauthorized access to user information.
Users can protect themselves against zero-day attacks by setting their software—including operating
systems, antivirus software, and internet browsers—to update automatically and by promptly installing
any recommended updates outside of regularly scheduled updates.

That being said, having updated antivirus software will not necessarily protect a user from a zero-day
attack, because until the software vulnerability is publicly known, the antivirus software may not have a
way to detect it. Host intrusion prevention systems also help to protect against zero-day attacks by
preventing and defending against intrusions and protecting data.

Think of a zero-day vulnerability as an unlocked car door that the owner thinks is locked but a thief
discovers is unlocked. The thief can get in undetected and steal things from the car owner’s glove
compartment or trunk that may not be noticed until days later when the damage is already done and the
thief is long gone.

While zero-day vulnerabilities are known for being exploited by criminal hackers, they can also be
exploited by government security agencies who want to use them for surveillance or attacks. In fact,
there is so much demand for zero-day vulnerabilities from government security agencies that they help
to drive the market for buying and selling information about these vulnerabilities and how to exploit
them.
Zero-day exploits may be disclosed publicly, disclosed only to the software vendor, or sold to a third
party. If they are sold, they can be sold with or without exclusive rights. The best solution to a security
flaw, from the perspective of the software company responsible for it, is for an ethical hacker or white
hat to privately disclose the flaw to the company so it can be fixed before criminal hackers discover it.
But in some cases more than one party must address the vulnerability to fully resolve it, so a completely
private disclosure may be impossible.

Real World Example:

In April 2017, Microsoft was made aware of a zero-day vulnerability being exploited against Microsoft
Word (CVE-2017-0199). Attackers sent booby-trapped Word documents that exploited an unpatched flaw in
how Word handled embedded OLE objects; when a document was opened, the embedded object silently
downloaded and installed the Dridex banking trojan, with no macro and no prompt. The campaign was
reported by antivirus vendor McAfee, which notified Microsoft, and Microsoft shipped a fix in its April
2017 security updates. Although the zero-day was unearthed in April, millions of users had already been
targeted since January.

1.14-CARELESS EMPLOYEES OF ORGANIZATION


Employees are one of the greatest security risks for any organization, because they know the organization
from the inside: where the sensitive information is stored and how to access it. Besides deliberate
malicious attacks, careless employees are another type of cyber security threat to organizations.

HOW DOES THE ATTACK HAPPEN?

Employees choose very simple passwords so that they are easy to remember, and they share passwords with
each other. Another common problem is employees opening suspicious email attachments, clicking links or
visiting malicious websites, which can introduce malware into the system.

P2 Describe at least 3 organisational security procedures.


1. Acceptable Use Policy (AUP)
An AUP stipulates the constraints and practices that an employee using organizational IT assets must
agree to in order to access the corporate network or the internet. It is standard onboarding policy for
new employees: they are given an AUP to read and sign before being granted a network ID. It is
recommended that an organization's IT, security, legal and HR departments discuss what is included in
this policy. An example that is available for fair use can be found at SANS.

2. Access Control Policy (ACP)

The ACP outlines the access available to employees in regards to an organization’s data and information
systems. Some topics that are typically included in the policy are access control standards such
as NIST’s Access Control and Implementation Guides. Other items covered in this policy are standards for
user access, network access controls, operating system software controls and the complexity of
corporate passwords. Additional supplementary items often outlined include methods for monitoring
how corporate systems are accessed and used; how unattended workstations should be secured; and
how access is removed when an employee leaves the organization. An excellent example of this policy is
available at IAPP.

3. Change Management

A change management policy refers to a formal process for making changes to IT, software development
and security services/operations. The goal of a change management program is to increase the
awareness and understanding of proposed changes across an organization, and to ensure that all
changes are conducted methodically to minimize any adverse impact on services and customers. A good
example of an IT change management policy available for fair use is at SANS.

4. Information Security

An organization’s information security policies are typically high-level policies that can cover a large
number of security controls. The primary information security policy is issued by the company to ensure
that all employees who use information technology assets within the breadth of the organization, or its
networks, comply with its stated rules and guidelines. I have seen organizations ask employees to sign
this document to acknowledge that they have read it (which is generally done with the signing of the
AUP policy). This policy is designed for employees to recognize that there are rules that they will be held
accountable to with regard to the sensitivity of the corporate information and IT assets. The State of
Illinois provides an excellent example of a cybersecurity policy that is available for download.

5. Incident Response (IR)

The incident response policy is an organized approach to how the company will manage an incident and
remediate the impact to operations. It’s the one policy CISOs hope to never have to use. However, the
goal of this policy is to describe the process of handling an incident with respect to limiting the damage
to business operations, customers and reducing recovery time and costs. Carnegie Mellon
University provides an example of a high-level IR plan and SANS offers a plan specific to data breaches.

6. Remote Access

The remote access policy is a document which outlines and defines acceptable methods
of remotely connecting to an organization's internal networks. I have also seen this policy include
addendums with rules for the use of BYOD assets. This policy is a requirement for organizations that
have dispersed networks with the ability to extend into insecure network locations, such as the local
coffee house or unmanaged home networks. An example of a remote access policy is available at SANS.

7. Email/Communication
A company's email policy is a document that is used to formally outline how employees can use the
business’ chosen electronic communication medium. I have seen this policy cover email, blogs, social
media and chat technologies. The primary goal of this policy is to provide guidelines to employees on
what is considered the acceptable and unacceptable use of any corporate communication technology.
An example of an email policy is available at SANS.

Standard procedures of securing information systems

Step 1. Encrypt data and information

This is the first step in the process of securing an information system. Nowadays we are all used to
reading the news, buying goods and transacting over the Internet, and every online activity carries a
risk to data and information security. One of the answers to this is encryption of important data.
Encryption sounds complicated, but in practice you can use encryption software to do it. SecurityBox
recommends TrueCrypt, which protects the data on the computer and on external hard drives; without the
password, no one can get at the data once it has been encrypted. Note that TrueCrypt development stopped
in 2014 and it is no longer maintained; its successor VeraCrypt, or the operating system's built-in disk
encryption (BitLocker on Windows, FileVault on macOS, LUKS on Linux), should be used instead.

Step 2. Use strong passwords

In the second step of the information system security process: the data encryption in step 1 is
meaningless if hackers know your password or can easily steal or guess it. Use a strong password, that is
a long one containing letters, numbers and special characters. Here are some tools that will help you
create a strong password that even a large-scale attack can hardly crack:
+PC Tools Random Password Generator

+Good Password

+Strong Password Generator

+GRC Ultra High Security Password Generator

However, a strong password is hard to remember, and you need a different one for every service. The
proposed solution is a password manager such as LastPass, which stores your passwords safely and fills
them in for you, so only one strong master password has to be memorised.
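The following Python script, added here as an illustration and not part of the original report or of any of the tools listed above, shows the two halves of this step: rating a candidate password by the size of the search space an attacker must cover, and generating a random one from the operating system's cryptographic random source. The small blacklist and the attack rate of 10^10 guesses per second are assumptions for the example.

```python
import math
import secrets
import string

# Constructed mini blacklist; a real check uses a breach corpus such as the
# Have I Been Pwned password list (assumption for this example).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "admin123", "welcome1", "p@ssw0rd"}


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must assume, given the classes present."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 symbols
    return size


def entropy_bits(password: str) -> float:
    """Upper bound on strength: assumes every character was picked uniformly at random.
    Human-chosen passwords (words, dates, keyboard walks) are far weaker than this."""
    n = charset_size(password)
    return len(password) * math.log2(n) if n else 0.0


def assess(password: str, guesses_per_second: float = 1e10) -> dict:
    """Rate a password; 1e10 guesses/s approximates an offline GPU attack on a fast hash."""
    if password.lower() in COMMON_PASSWORDS or len(password) < 8:
        bits = 0.0  # a blacklisted or very short password falls on the first guesses
    else:
        bits = entropy_bits(password)
    years = (2 ** bits / guesses_per_second) / (3600 * 24 * 365)
    return {"bits": round(bits, 1), "years_to_exhaust": years, "acceptable": bits >= 64}


def generate_password(length: int = 16) -> str:
    """CSPRNG-based generator; rejects candidates missing any character class."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if charset_size(candidate) == len(alphabet):
            return candidate


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "hunter2", generate_password(16)):
        print(pw, assess(pw))
```

A generated 16-character password from the 94-symbol alphabet has about 105 bits of search space, far beyond what any brute-force attack can exhaust; the score is only an upper bound, which is why the blacklist check comes first.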

Step 3. 2-step authentication

Even if you have set a strong password and your data is encrypted, your password can still be stolen,
for example when it is transmitted over an insecure wireless network such as the Wi-Fi at a cafe or a
school network. To protect yourself, step 3 of the information system security process is to use 2-step
verification, also known as two-factor authentication (2FA). This means that in addition to your password
you need a second piece of information to log into the website or service.

Google provides this service under the name 2-Step Verification. According to SecurityBox research, even
if someone gets your Google account password they cannot access your account, because they do not have
the randomly generated 6-digit code that is generated on (or sent to) your phone.

Step 4. Securing the network


Another aspect of information security is how you connect to the outside world. What network protocol
are you using? How often do you use low-security networks? When setting up your wireless router you can
disable SSID broadcast, enable MAC address filtering and enable AP isolation. Be aware that the first two
are only minor obstacles: a hidden SSID still appears in probe and association frames to anyone with a
wireless sniffer, and a MAC address is trivially spoofed, so neither is a substitute for WPA2/WPA3
encryption with a strong passphrase. Also make sure the firewalls on both your router and your computer
are enabled, to prevent applications from making unwanted connections.

Step 5. Use anti-virus software

What happens to the security steps above if, by step 5 of the process, viruses or other malicious
software have already entered your system illegally, allowing hackers to take control of your device
remotely or simply steal data from it? Anti-virus software is the answer to this problem. You can use
anti-virus software such as Avira, Avast! or AVG.

Router security procedure

1. Avoid the basic push-button setup:

Many Wi-Fi routers are so easy to join that you can connect with the press of a button (WPS). This is
very convenient for you, and just as convenient for strangers who want to get onto your router; if you
do not need WPS, disable it.

2. Change the name of the Wi-Fi router (SSID):

Strictly speaking this does little for security, but it makes life easier: when you connect, or help a
visitor connect, you will not have to remember NETGEAR58843 or the cluttered Linksys-u8i9o. You can have
a name that is easier to remember and friendlier, WiFi_cua_Boo for example. Moving away from the factory
default does have one real benefit: the SSID is the salt in WPA2's key derivation, so precomputed password
tables built for common default names no longer apply to your network.

3. Change the Wi-Fi router's login credentials:


New Wi-Fi routers always ship with a default username and password. You can even find these credentials
on the internet: depending on the model, some manufacturers use the username "admin" or leave it blank,
and the same goes for the password. The default setting is therefore completely insecure. Set a new
username and password for the device and keep them secret to protect your Wi-Fi router. You can also
check the strength of the password you choose with Kaspersky Lab's password-checking tool.

4. Make sure your router's login page is not accessible from the internet

Today's routers have a feature that allows remote administration and setup over the Internet. That is
useful in some cases, but it exposes the administrative interface, and its default password, to the whole
world. If you do not need it, turn it off. The name of the feature varies from manufacturer to
manufacturer, but look in the settings for something like "Remote Management" and disable it.

5. Secure the wireless network with a reliable encryption protocol and a strong password.

This is the most important setting. In step 3 we changed the router's administrative credentials, to
secure the router settings. Now you choose the password for the network itself, in other words the Wi-Fi
password used to connect from a PC, laptop, Mac, smartphone, tablet and so on. You do not want neighbours
or strangers using your Wi-Fi. Use WPA2-Personal (or WPA3-Personal if your devices support it) to
encrypt the traffic on your network; never WEP and never an open network. A random phrase of several
words is both easier to remember than a short complex password and much harder to crack.
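Why the passphrase, and not the SSID tricks in step 4, is what counts: with WPA2-Personal every device derives the same 256-bit pre-shared key (PSK) from the passphrase and the SSID, and anyone who records a single 4-way handshake can test passphrase guesses offline. The Python below is an added example, not part of the original report; it derives the PSK exactly as IEEE 802.11i specifies and then runs a simplified offline dictionary attack (a real attack derives the transient key and checks the handshake MIC; comparing PSKs directly, and the tiny word list, are assumptions for the example).

```python
import hashlib
import hmac


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11i: PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
    The SSID acts as the salt, so precomputed tables only work per network name."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("ascii"), 4096, 32)


def dictionary_attack(ssid: str, captured_psk: bytes, wordlist):
    """What an attacker with a captured handshake does: derive the PSK for each guess
    and stop at the first match. Returns (passphrase, guesses tried) or (None, tried)."""
    tried = 0
    for guess in wordlist:
        tried += 1
        if hmac.compare_digest(wpa2_psk(guess, ssid), captured_psk):
            return guess, tried
    return None, tried


# Constructed word list standing in for a multi-million-entry leak (assumption).
WORDLIST = ["12345678", "letmein1", "password", "Wifi2020!"]

if __name__ == "__main__":
    # Published 802.11i test vector: passphrase "password", SSID "IEEE".
    print(wpa2_psk("password", "IEEE").hex())
    print(dictionary_attack("IEEE", wpa2_psk("password", "IEEE"), WORDLIST))
    print(dictionary_attack("IEEE", wpa2_psk("correct horse battery staple", "IEEE"), WORDLIST))
```

The 4096 PBKDF2 iterations slow each guess down (tens of thousands of guesses per second on a single CPU core, far more on GPUs) but cannot save a passphrase that is in the attacker's word list; a random multi-word phrase is not.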

Server security procedure

1. Review your server status

Following a regular and routine monitoring process can catch a problem before it snowballs. Begin by
conducting a review of your server’s status, and check whether there are any problems with its CPU,
RAM, disk usage, running processes and other metrics, as these will often help detect server security
issues.

Ideally, store network services logs, site access logs, database logs (Microsoft SQL Server, MySQL, Oracle)
and check them frequently. Then investigate the cause of any strange log entries you find.
It is also a good idea to keep web content and scripts on a separate partition from the operating system,
the logs and other system files. Then, if a hacker does get into your web root directory (for example
through an uploaded web shell), they do not land next to the system binaries and configuration, and a
runaway log or upload cannot fill the system disk.

2. Automate your security updates

Many vulnerabilities are exploited within days, sometimes hours, of becoming public: it takes very little
time before a published vulnerability is turned into a working attack. By applying security updates and
patches automatically, as soon as they are available, you minimise that window of exposure.

3. Set up perimeter security with firewalls

Devices such as border routers and firewalls can filter known threats, automated attacks, malicious
traffic, DDoS floods, spoofed IPs and untrusted networks. Your local (host) firewall can monitor for
attacks such as port scans and SSH password guessing and block the offending sources. A web application
firewall additionally filters incoming web requests and can block those deliberately crafted to break or
compromise your website.
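The log review in item 1 and the SSH password-guessing detection in item 3 are the same job: read the authentication log, count failures per source address in a time window, and turn repeat offenders into firewall rules (this is what fail2ban automates). The Python below is an added example, not the report's own or fail2ban's code; the log lines are constructed in OpenSSH/syslog format with RFC 5737 documentation addresses, and the threshold, window and iptables syntax are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of /var/log/auth.log (not from a real server).
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:02 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:01:03 web1 sshd[2102]: Failed password for root from 203.0.113.5 port 51235 ssh2
Mar  3 10:01:04 web1 sshd[2103]: Failed password for invalid user test from 203.0.113.5 port 51236 ssh2
Mar  3 10:01:05 web1 sshd[2104]: Failed password for root from 203.0.113.5 port 51237 ssh2
Mar  3 10:01:06 web1 sshd[2105]: Failed password for invalid user oracle from 203.0.113.5 port 51238 ssh2
Mar  3 10:02:10 web1 sshd[2110]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Mar  3 10:02:15 web1 sshd[2111]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
Mar  3 10:05:00 web1 sshd[2120]: Failed password for root from 203.0.113.5 port 51300 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_failures(log_text: str):
    """Yield (timestamp, user, source ip) for every failed-password line; others are ignored."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog omits the year
            events.append((ts, m["user"], m["ip"]))
    return events


def find_brute_force(log_text: str, threshold: int = 5, window_seconds: int = 60) -> dict:
    """Return {ip: max failures seen inside any sliding window} for ips over the threshold."""
    by_ip = defaultdict(list)
    for ts, _user, ip in parse_failures(log_text):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1  # slide the window forward past old failures
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def block_rules(flagged: dict) -> list:
    """Host-firewall commands for the offenders (iptables syntax, assumption)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP" for ip in sorted(flagged)]


if __name__ == "__main__":
    offenders = find_brute_force(SAMPLE_AUTH_LOG)
    print(offenders)
    print("\n".join(block_rules(offenders)))
```

Only 203.0.113.5 is flagged: five failures in four seconds, while alice's single typo from 198.51.100.7 followed by a successful key login is left alone. The one at 10:05:00 falls outside the window and does not raise the count, which is the behaviour you want so that a legitimate user is not locked out by occasional mistakes.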

4. Security tools

Web server software often comes with hardening add-ons (ModSecurity for Apache/nginx, URLScan for IIS)
that administrators can set up to help secure the web server installation. Configuring these tools can be
time consuming, particularly with custom web applications, but they will give you peace of mind.

Scanners can run advanced security checks against open ports and network services to help secure your
server and web applications. They can check for vulnerable areas including SQL Injection, Cross site
scripting and web server configuration problems. Some can also audit shopping carts automatically,
check forms and dynamic web content, and flag up any issues found.

5. Remove unnecessary services

Typical default operating system installations and network configurations (Remote Registry service, Print
Spooler service, RAS) are not secure. Every additional service running on an operating system is another
listening port exposed to abuse. It is best, therefore, to disable all unnecessary services.

6. Permissions

If an account is compromised, file and network service permissions limit the potential damage. It is good
practice, therefore, to schedule regular reviews of your file system permissions. Grant the minimum
privilege required for a specific network service to run, and restrict what each user or service can do to
a minimum. Disable the login shell of any default account that is not normally used interactively, and do
not allow direct root login over SSH (PermitRootLogin no in sshd_config): administrators log in with their
own accounts and elevate with sudo, which leaves an audit trail.
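A "regular review of file system permissions" can be scripted. The Python below is an added example, not part of the original report: it walks a directory tree and reports the violations that matter most on a server (world-writable files and directories, and setuid/setgid executables), then suggests the chmod to fix each. The demo tree it audits is constructed in a temporary directory; the choice of which modes count as findings is the author's assumption.

```python
import os
import stat
import tempfile


def audit_permissions(root: str) -> list:
    """Return sorted (path, finding) pairs for least-privilege violations under `root`."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
            except OSError:
                continue
            if stat.S_ISLNK(mode):
                continue  # a symlink's own mode bits are meaningless
            # World-writable is a finding unless it is a sticky directory like /tmp.
            if mode & stat.S_IWOTH and not (stat.S_ISDIR(mode) and mode & stat.S_ISVTX):
                findings.append((path, "world-writable"))
            if stat.S_ISREG(mode) and mode & stat.S_ISUID:
                findings.append((path, "setuid"))
            if stat.S_ISREG(mode) and mode & stat.S_ISGID:
                findings.append((path, "setgid"))
    return sorted(findings)


def audit_summary(root: str) -> set:
    """Same findings keyed by file name, convenient for reports and tests."""
    return {(os.path.basename(path), kind) for path, kind in audit_permissions(root)}


def remediation(findings: list) -> list:
    """One shell command per finding (review before running; setuid may be intended)."""
    return [
        f"chmod o-w '{path}'" if kind == "world-writable" else f"chmod u-s,g-s '{path}'"
        for path, kind in findings
    ]


def build_demo_tree() -> str:
    """Constructed sample layout in a temp dir: one good file and three typical mistakes."""
    root = tempfile.mkdtemp(prefix="permaudit_")

    def make(name, mode):
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(b"x")
        os.chmod(path, mode)

    make("private.key", 0o600)   # correct: owner only
    make("secrets.txt", 0o666)   # anyone on the host can tamper with it
    make("tool", 0o4755)         # runs with the owner's privileges for every caller
    make("report", 0o2755)       # setgid binary
    shared = os.path.join(root, "shared")
    os.mkdir(shared)
    os.chmod(shared, 0o1777)     # sticky world-writable directory: allowed
    return root


if __name__ == "__main__":
    found = audit_permissions(build_demo_tree())
    for path, kind in found:
        print(f"{kind:15} {path}")
    print("\n".join(remediation(found)))
```

On a real server you would run this over /etc, /usr/local and the web root, and compare the setuid list against the known-good list for the distribution; a new setuid file that nobody installed is a classic sign of a compromise.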
Ensuring server security is crucial for any business that operates online, but especially those that permit
network transactions. For them, this is an issue you simply cannot ignore, and network transactions are
being protected, increasingly, through the adoption of SSL certificates and HTTPS to encrypt
communications.

P3 Identify the potential impact to IT security of incorrect configuration of firewall policies
and IDS.
1.Firewall defined:
A firewall is a network security device that monitors incoming and outgoing network traffic
and permits or blocks data packets based on a set of security rules. Its purpose is to
establish a barrier between your internal network and incoming traffic from external
sources (such as the internet) in order to block malicious traffic like viruses and hackers.
How it works
A firewall is basically the shield between your computer (or a network) and the Internet. Firewall can be
compared to a security guard of a certain building, and this employee can allow or deny anyone entering
this building. Similarly, a firewall can be a software program, or a hardware device, that filters packets
going from the Internet to your computer or computer network.

Figure 3,firewall

A firewall can deny or allow network traffic between devices based on rules that have been configured
or installed by a firewall administrator. Many personal firewalls like the Windows firewall operate on a
set of pre-installed settings that prevent common threats, so users don't have to worry about how to
configure the firewall.

The Personal firewall is easy to install and use. However, in a large network or company, it is extremely
important to configure a firewall to avoid possible threats on the network.
For example, a company may have different rule sets for its FTP server, its web server and so on. In
addition, the company can control employees' Internet access by blocking certain websites.
A firewall uses one or more methods to control network traffic to and from a network:
Packet Filtering: In this method each packet is examined on its own (source and destination address,
protocol, port) and compared with the pre-configured rules. The rule set will look different depending on
the management policy of the company. Every time a packet comes in or goes out it is compared against
the rules in order; if a rule allows it the packet is accepted, and if no rule allows it the packet is
dropped and never travels further over the network. Because each packet is judged in isolation, a plain
packet filter needs explicit rules for the return traffic of every permitted connection.

Stateful Inspection: This is a newer method. Instead of judging each packet in isolation, the firewall
keeps a table of the connections it has already seen (the "state") and compares each packet against that
table: a packet that belongs to an established, previously allowed connection is passed without consulting
the rules again, while an unsolicited inbound packet that matches no connection and no rule is dropped.
Both incoming and outgoing traffic are checked against the state table.
Firewall diagrams:

Figure 4,firewall diagram

2.Intrusion Detection System (IDS)


An Intrusion Detection System (IDS) is a network security technology originally built for detecting
vulnerability exploits against a target application or computer. Intrusion Prevention Systems (IPS)
extended IDS solutions by adding the ability to block threats in addition to detecting them, and IPS has
become the dominant deployment option for IDS/IPS technologies. This section elaborates on the
configuration and functions that define an IDS deployment.

An IDS needs only to detect threats and as such is placed out-of-band on the network infrastructure,
meaning that it is not in the true real-time communication path between the sender and receiver of
information. Rather, IDS solutions will often take advantage of a TAP or SPAN port to analyze a copy of
the inline traffic stream (and thus ensuring that IDS does not impact inline network performance).

IDS was originally developed this way because at the time the depth of analysis required for intrusion
detection could not be performed at a speed that could keep pace with components on the direct
communications path of the network infrastructure.

As explained, the IDS is a listen-only device. The IDS monitors traffic and reports its results to an
administrator, but cannot by itself take action to stop a detected exploit from taking over the system.
Attackers are capable of exploiting vulnerabilities very quickly once they are inside the network, which
makes a pure IDS inadequate as a prevention device; it must be paired with a rapid response process or
with an IPS.

(IDS)diagram:
Figure 5,IDS

3.Firewall threat-risk
1) Insider Attacks

A perimeter firewall is meant to keep away attacks that originate from outside of your network. So,
what happens when the attack starts from the inside? Typically, the perimeter firewall becomes
useless—after all, the attacker is already on your system.

However, even when an attack originates from within your network, firewalls can do some good—IF
you have internal firewalls on top of your perimeter firewalls. Internal firewalls help to partition
individual assets on your network so attackers have to work harder to move from one system to
another one. This helps increase the attacker’s breakout time so you have more time to respond to the
attack.
2) Missed Security Patches

This is an issue that arises when network firewall software isn’t managed properly. For any software
program, there are vulnerabilities that attackers may exploit—this is as true of firewall programs as it
is of any other piece of software. When firewall vendors discover these vulnerabilities, they usually
work to create a patch that fixes the problem as soon as possible.

However, the patch’s mere existence doesn’t mean that it will automatically be applied to your
company’s firewall program. Until that patch is actually applied to your firewall software, the
vulnerability is still there—just waiting to be exploited by a random attacker.

The best fix for this problem is to create and stick to a strict patch management schedule. Under such
a schedule, you (or the person managing your cybersecurity) should check for any and all security
updates for your firewall software and make sure to apply them as soon as possible.

3) Configuration Mistakes

Even when a firewall is in place on your network, and has all of the latest vulnerability patches, it can
still cause problems if the firewall’s configuration settings create conflicts. This can lead to a loss of
performance on your company’s network in some cases, and a firewall outright failing to provide
protection in others.

For example, letting the firewall accept dynamic routing updates from untrusted interfaces has long
been considered a bad idea, because it hands control of the routing table to whoever can send routing
protocol packets. Yet some companies leave it on, creating a hole in their firewall protection. Other
common mistakes are an early "allow any to any" rule that silently shadows every more specific rule
placed after it, and rules left behind for servers that no longer exist.

Having a poorly-configured firewall is kind of like filling a castle’s moat with sand and putting the key
to the main gate in a hide-a-key right next to the entrance—you’re just making things easier for
attackers while wasting time, money, and effort on your “security” measure.
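To make the two firewall methods from section 1 and the misconfigurations above concrete, the Python below is an added example (not code from the report or from any firewall product) of a tiny first-match packet filter. It can run stateless or stateful, and it audits a rule set for the two classic mistakes: an any/any allow and a rule shadowed by an earlier one. The LAN range, the rules and the packets are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


def _addr_in(addr: str, cidr: str) -> bool:
    return cidr == "any" or ip_address(addr) in ip_network(cidr)


def _cidr_within(inner: str, outer: str) -> bool:
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ip_network(inner).subnet_of(ip_network(outer))


@dataclass
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    dport: Optional[int]   # destination port, None = any port

    def matches(self, pkt: dict) -> bool:
        return (self.proto in ("any", pkt["proto"])
                and _addr_in(pkt["src"], self.src)
                and _addr_in(pkt["dst"], self.dst)
                and (self.dport is None or self.dport == pkt["dport"]))

    def covers(self, other: "Rule") -> bool:
        """True if every packet `other` could match is already caught by self."""
        return (self.proto in ("any", other.proto)
                and _cidr_within(other.src, self.src)
                and _cidr_within(other.dst, self.dst)
                and (self.dport is None or self.dport == other.dport))


class Firewall:
    """First-match evaluation with an implicit final deny, optionally stateful."""

    def __init__(self, rules, stateful=False):
        self.rules = rules
        self.stateful = stateful
        self.conntrack = set()  # 5-tuples of connections allowed so far (stateful only)

    def filter(self, pkt: dict) -> str:
        fwd = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        rev = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if self.stateful and rev in self.conntrack:
            return "allow"  # reply belonging to a tracked connection: no rule needed
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "allow" and self.stateful:
                    self.conntrack.add(fwd)
                return rule.action
        return "deny"


def audit(rules) -> list:
    """Report any/any allows and rules shadowed by an earlier rule."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.action == "allow" and rule.src == "any" and rule.dst == "any" and rule.dport is None:
            findings.append(f"rule {i}: allows any source to any destination on every port")
        for j in range(i):
            if rules[j].covers(rule):
                findings.append(f"rule {i}: shadowed by rule {j} and can never match")
                break
    return findings


LAN = "10.0.0.0/24"
EGRESS_RULES = [Rule("allow", "tcp", LAN, "any", 443), Rule("allow", "tcp", LAN, "any", 80)]
BAD_RULES = [Rule("allow", "any", "any", "any", None), Rule("deny", "tcp", "any", LAN, 23)]


def firewall_demo() -> dict:
    out = {"proto": "tcp", "src": "10.0.0.5", "sport": 51000, "dst": "93.184.216.34", "dport": 443}
    reply = {"proto": "tcp", "src": "93.184.216.34", "sport": 443, "dst": "10.0.0.5", "dport": 51000}
    probe = {"proto": "tcp", "src": "198.51.100.9", "sport": 4444, "dst": "10.0.0.5", "dport": 22}
    stateless, stateful = Firewall(EGRESS_RULES), Firewall(EGRESS_RULES, stateful=True)
    return {
        "stateless": [stateless.filter(out), stateless.filter(reply), stateless.filter(probe)],
        "stateful": [stateful.filter(out), stateful.filter(reply), stateful.filter(probe)],
        "audit_bad": audit(BAD_RULES),
        "audit_good": audit(EGRESS_RULES),
    }


if __name__ == "__main__":
    for key, value in firewall_demo().items():
        print(key, value)
```

The stateless filter drops the legitimate HTTPS reply, which is exactly why administrators are tempted to add a broad "allow from port 443" rule and open the hole the stateful filter avoids; both variants still drop the unsolicited SSH probe. The audit flags the any/any rule and shows that the telnet block placed after it never takes effect.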

4) A Lack of Deep Packet Inspection

Layer 7 (or “deep packet”) inspection is a rigorous inspection mode used by next-generation firewalls
to examine the contents of an information packet prior to approving or denying that packet passage to
or from a system.

Less advanced firewalls may simply check the data packet’s point of origin and destination before
approving or denying a request—info that an attacker can easily spoof to trick your network’s firewall.

The best fix for this problem is to use a firewall that can perform deep packet inspection to check
information packets for known malware so it can be rejected.

5)DDoS Attacks
Distributed Denial of Service (DDoS) attacks are a frequently-used attack strategy noted for being highly
effective and relatively low-cost to execute. The basic goal is to overwhelm a defender’s resources and
cause a shutdown or prolonged inability to deliver services. One category of attack—protocol attacks—
are designed to drain firewall and load balancer resources to keep them from processing legitimate
traffic.

While firewalls can mitigate some types of DDoS attacks, they can still be overloaded by protocol attacks.

There is no easy fix for DDoS attacks, as there are numerous attack strategies that can leverage different
weaknesses in your company’s network architecture. Some cybersecurity service providers offer
“scrubbing” services, wherein they divert incoming traffic away from your network and sort out the
legitimate access attempts from the DDoS traffic. This legitimate traffic is then sent to your network so
you can resume normal operations.

Alone, firewalls cannot protect your network from all of the threats that are out there. However, they
can serve as an integral part of a larger cybersecurity strategy to safeguard your business.

4.IDS threat-risk
Source Addresses:

Intrusion detection software provides information based on the network address that is associated with
the IP packet that is sent into the network. This is beneficial if the network address contained in the IP
packet is accurate. However, the address that is contained in the IP packet could be faked or scrambled.
Either of these scenarios leaves the IT technician chasing ghosts and being unable to stop the intrusions
to the network from taking place.

Encrypted Packets:

Encrypted packets cannot be inspected by a network IDS. Malware or an exploit delivered inside an encrypted
session (for example over HTTPS) can therefore reach a host undiscovered, and a payload delivered this way
may lie dormant and trigger at a later time or date, by which point more significant intrusions may have
taken place. This blind spot can be closed either by decrypting traffic at a proxy so the IDS sees the
plaintext, or by a host-based IDS that sees the data after the endpoint has decrypted it.

Analytical Module:

The analytical module has a limited ability to analyze the source information collected during intrusion
detection, and only a portion of the captured data is buffered. As a result, an IT professional monitoring
the system is alerted that abnormal behaviour has been detected but often cannot tell where the behaviour
originated or what the attacker actually did. The only possible response is then to try to stop the
unauthorized access as it happens. With more complete information (full packet capture, correlated host
logs), the IT professional could take a defensive approach and prevent future intrusions before they occur.

False Alarms:

Intrusion detection systems are able to detect behavior that is not normal for average network usage.
While it's good to be able to detect abnormal network usage, the disadvantage is that the intrusion
software can create a large number of false alarms. These false alarms are increased on networks where
there are a large number of users. To avoid chasing after these false alarms, IT professionals must
receive extensive training so that they can recognize what is a false alarm and what isn't. The expense of
completing this training is another disadvantage of intrusion detection software that companies must
deal with.

P4 Show, using an example for each, how implementing a DMZ, static IP and NAT in a
network can improve Network Security.
1.DMZ(demilitarized zone)
In computer networks, a DMZ (demilitarized zone), also sometimes known as a perimeter network or a
screened subnetwork, is a physical or logical subnet that separates an internal local area network (LAN)
from other untrusted networks -- usually the public internet. External-facing servers, resources and
services are located in the DMZ. Therefore, they are accessible from the internet, but the rest of the
internal LAN remains unreachable. This provides an additional layer of security to the LAN as it restricts a
hacker's ability to directly access internal servers and data through the internet.

Any service provided to users on the public internet should be placed in the DMZ network. Some of the
most common of these services include web servers and proxy servers, as well as servers for email,
domain name system (DNS), File Transfer Protocol (FTP) and voice over IP (VoIP).

How DMZs work

DMZs are intended to function as a sort of buffer zone between the public internet and the private
network. Deploying the DMZ between two firewalls means that all inbound network packets are
screened using a firewall or other security appliance before they arrive at the servers the organization
hosts in the DMZ. 

If a better-prepared threat actor passes through the first firewall, they must then gain unauthorized
access to those services before they can do any damage, and those systems are likely to be hardened
against such attacks.
Finally, assuming that a well-resourced threat actor is able to breach the external firewall and take over a
system hosted in the DMZ, they must still break through the internal firewall before they can reach
sensitive enterprise resources. While a determined attacker can breach even the best-secured DMZ
architecture, a DMZ under attack should set off alarms, giving security professionals enough warning to
avert a full breach of their organization.

Figure 6,DMZ Diagram

2.Static IP
A static IP address is simply an address that doesn't change. Once your device is assigned a static IP
address, that number typically stays the same until the device is decommissioned or your network
architecture changes. Static IP addresses generally are used by servers or other important equipment.

Public static IP addresses are assigned by Internet Service Providers (ISPs); your ISP may or may not
allocate you one depending on your service agreement, and it usually adds to the cost of the contract. On
the internal network it is the administrator who assigns static addresses, by hand or as DHCP reservations.

A static IP address may be IPv4 or IPv6; in this case the important quality is static. Some day, every bit of
networked gear we have might have a unique static IPv6 address. We're not there yet. For now, we
usually use static IPv4 addresses for permanent addresses.

When Static IP Addresses Are Used

Static IP addresses are necessary for devices that need constant access.
For example, they're basically required if your computer is configured as a server, such as an FTP server
or web server. This is a good thing, because if you want to ensure that people can always access your
computer to download files, then you need to force the computer to use a static, never-changing IP
address.

Conversely, if the server were assigned a dynamic IP address, that address would change from time to
time, which would prevent your router from knowing which computer on the network is the server.

Similarly, if you want to access your home computer while you're on trips, or your work computer when
you're at home, setting up the computer to use a static IP address lets you reach that computer all the
time without fearing that the address will change and block your access to it.

Consider a shared printer as another example for when to use a static IP address. If you have a printer
that everyone in your house or office needs to share, you'd give it an IP address that won't change no
matter what. That way, once every computer is set up to connect to that printer, those connections will
remain indefinitely because the address will never change.

Figure 7, Static IP

3. NAT (Network Address Translation)

NAT translates the IP addresses of computers in a local network to a single IP address, typically that
of the router that connects the computers to the Internet. This address is often used by the router that connects the computers to
network to a single IP address. This address is often used by the router that connects the computers to
the Internet. The router can be connected to a DSL modem, cable modem, T1 line, or even a dial-up
modem. When other computers on the Internet attempt to access computers within the local network,
they only see the IP address of the router. This adds an extra level of security, since the router can be
configured as a firewall, only allowing authorized systems to access the computers within the network.

Once a system from outside the network has been allowed to access a computer within the network, the
IP address is then translated from the router's address to the computer's unique address. The address is
found in a "NAT table" that defines the internal IP addresses of computers on the network. The NAT
table also defines the global address seen by computers outside the network. Even though each
computer within the local network has a specific IP address, external systems can only see one IP address
when connecting to any of the computers within the network.

To simplify, network address translation makes computers outside the local area network (LAN) see only
one IP address, while computers within the network can see each system's unique address. While this
aids in network security, it also limits the number of IP addresses needed by companies and
organizations. Using NAT, even large companies with thousands of computers can use a single IP address
for connecting to the Internet. Now that's efficient.

Figure 8, NAT
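The NAT table described above, as an added example that is not part of the original report: a small Python model of a router that rewrites outbound source addresses to its one public address and only forwards inbound packets that match a mapping an internal host created. All addresses and ports are constructed sample values.

```python
# Added example, not from the original report: a minimal model of the "NAT
# table" described above. Outside hosts only ever see the router's single
# public address, and an inbound packet is forwarded to a LAN host only if
# the table holds a mapping created by that host's own outbound traffic.
# All IP addresses and ports are constructed sample values.
import itertools
from collections import namedtuple

Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port")
PUBLIC_IP = "203.0.113.10"  # the router's one global address (constructed)


class NatRouter:
    def __init__(self, public_ip=PUBLIC_IP):
        self.public_ip = public_ip
        # NAT table, kept in both directions for cheap lookup:
        #   (lan_ip, lan_port, remote_ip, remote_port) -> public_port
        #   (public_port, remote_ip, remote_port)      -> (lan_ip, lan_port)
        self.outbound_map = {}
        self.inbound_map = {}
        self._free_ports = itertools.count(40000)

    def translate_outbound(self, pkt):
        """LAN -> Internet: rewrite the source to the router's public address."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.outbound_map:
            port = next(self._free_ports)  # unique per flow, so two LAN hosts
            self.outbound_map[key] = port  # using the same port never collide
            self.inbound_map[(port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, self.outbound_map[key], pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt):
        """Internet -> LAN: rewrite the destination back to the LAN host, or drop."""
        entry = self.inbound_map.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is None:
            return None  # no table entry: unsolicited traffic is dropped
        lan_ip, lan_port = entry
        return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)


def demo():
    """Two LAN hosts reach the same web server; one reply returns, one probe is dropped."""
    nat = NatRouter()
    out1 = nat.translate_outbound(Packet("192.168.1.20", 51000, "198.51.100.5", 443))
    out2 = nat.translate_outbound(Packet("192.168.1.21", 51000, "198.51.100.5", 443))
    reply = nat.translate_inbound(Packet("198.51.100.5", 443, PUBLIC_IP, out1.src_port))
    probe = nat.translate_inbound(Packet("198.51.100.99", 12345, PUBLIC_IP, out2.src_port))
    return out1, out2, reply, probe
```

The probe in `demo()` targets a public port the table does hold, but from a different remote endpoint, so it is still dropped; this is the "extra level of security" the text refers to, and it is why a real router must also be configured as a firewall for anything it deliberately exposes.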

Conclusion
- To summarize, this assignment identifies the security threats FIS may face and their consequences,
describes a variety of organizational procedures an organization can set up to reduce the effects of a
security breach on the business, gives a method that FIS can use to prioritize the management of
different types of risk, identifies issues caused by incorrect firewall and IDS configuration, and shows
through examples how different techniques can be implemented to improve network security.