
Security Infrastructure Design Document

I Introduction
In the contemporary world the concept of security is acquiring more importance and
focus in daily life and business; it is a critical piece of every major industry.
All organizations keep cyber security at the top of their agenda, and cyber security is
one of the success criteria for every organization.
Highly secured, structured policies, secured system infrastructure items and a firm
security culture are the core of the security process; all of these will be covered in the
following lines.

II External web site permitting users to browse and purchase widgets

To secure the organization's external website we need to apply:
A. VPN; provides a secure internet connection to your network over the public
internet. Think of a secure VPN as a tunnel that stops unauthorized access
and encrypts online activity.
B. NIDS (network intrusion detection system).
C. Logging and auditing; having detailed audit logs helps companies monitor data
and keep track of potential security breaches or internal misuse of information.
D. Software patch management, using Microsoft SCCM or Puppet Labs. Patch
management fixes vulnerabilities in your software and applications that are
susceptible to cyber-attacks, helping your organization reduce its security risk.
E. Since we need to handle credit card payments, we have to follow
PCI DSS (Payment Card Industry Data Security Standard).

III An internal website for employees to use

A. IEEE 802.1X protocol; 802.1X is a protocol used for network authentication. It is
more secure than the Wi-Fi password you use at home, and 802.1X is the standard for large
organizations.
B. Logging and auditing system (SIEM system) like syslog, Splunk
Enterprise Security, IBM Security and RSA Analytics. A SIEM system allows organizations
to efficiently collect and analyse log data from all of their digital assets in one place.
IV Secure remote access for engineering employees
A. VPN; a VPN tunnel secures everything between two places. While not always
ideal, the use of a VPN is often the most affordable and secure way to protect
oneself online.
B. Proxy; creates secure access without using a VPN. Proxies come with several
benefits that can give your business an advantage, such as enhanced security: a proxy
can act like a firewall between your systems and the internet.
C. Reverse proxy; blocks malicious content. A reverse proxy is a type of proxy server
that typically sits behind the firewall in a private network and directs client requests
to the appropriate backend server. It provides an additional level of abstraction and
control to ensure the smooth flow of network traffic between clients and servers (like
HAProxy, Nginx and Apache).

D. ACLs; organizations can use access control lists (ACLs) to secure data. One of
the major reasons to use access control lists is to restrict unauthorized users from
accessing business-sensitive information. They can also be used to control network
traffic by limiting the number of users accessing files, systems, and information.

V Reasonable basic firewalls

Firewalls can be deployed as dedicated network infrastructure devices or as host-based
firewalls.
A. Monitor mode; monitor current traffic to learn which IP addresses and ports are
used, and validate that they are needed; not everything requires internet
access.
B. Deny any/any; create a deny-all rule, inbound and outbound, as the first rule created
and the last firewall rule processed. Also known as a "default deny", it ensures
that all rules created after these initial denies are purposeful.
C. Be specific and purposeful with rules; if possible, create different groups of IPs
and ports that make sense, which allows you to create a set of firewall rules that
primarily use groups where you can add or remove individual components. Ensure your
rules specify the destination and source IP addresses (or sometimes ranges) and the
destination port whenever possible.
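As an added example (not part of the original document), the following Python lint checks a first-match rule list against items B and C above: the last rule processed in each direction must be deny any/any, and every allow rule must name its source, destination and destination port, either directly or through a named group. The rule format, the group names and the addresses are constructed for the example.

```python
"""Lint a first-match firewall rule list against section V: last rule in each
direction is deny any/any; allow rules name src, dst and dport (or a group)."""
import ipaddress
from dataclasses import dataclass

# Constructed example groups (item C): group name -> members.
GROUPS = {
    "web_servers": ["203.0.113.10", "203.0.113.11"],
    "office_lan": ["10.1.0.0/16"],
    "web_ports": ["80", "443"],
}

@dataclass
class Rule:
    direction: str  # "in" or "out"
    action: str     # "allow" or "deny"
    src: str        # IP, CIDR, group name or "any"
    dst: str        # IP, CIDR, group name or "any"
    dport: str      # port number, group name or "any"

def _resolves(value, groups):
    """True if value is a known group, a valid IP/CIDR, or a port number."""
    if value in groups:
        return True
    if value.isdigit():
        return 0 < int(value) <= 65535
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False

def lint(rules, groups=GROUPS):
    """Return a list of findings; an empty list means the rule set passes."""
    findings = []
    for direction in ("in", "out"):
        chain = [r for r in rules if r.direction == direction]
        if not chain or not (chain[-1].action == "deny" and
                             (chain[-1].src, chain[-1].dst, chain[-1].dport) == ("any",) * 3):
            findings.append(f"{direction}: last processed rule is not deny any/any")
    for i, r in enumerate(rules, start=1):
        if r.action != "allow":
            continue  # deny rules may legitimately be broad
        for field in ("src", "dst", "dport"):
            value = getattr(r, field)
            if value == "any":
                findings.append(f"rule {i}: allow rule leaves {field} as any")
            elif not _resolves(value, groups):
                findings.append(f"rule {i}: {field} '{value}' is not an IP, port or known group")
    return findings
```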


VI Reasonable configuration for laptops

A. Host-based firewalls; a software-based firewall installed on a host (here, the laptop) to
monitor and control its incoming and outgoing network traffic.
B. Full disk encryption (FDE); a security method for protecting sensitive
data at the hardware level by encrypting all data on a disk drive, using
BitLocker, FileVault 2 or dm-crypt.
C. Key escrow; allows the encryption key to be securely stored for later
retrieval by an authorized party.
D. Home directory or file-based encryption, to keep the important and
confidential files secure.
E. Software patch management, like SCCM or Puppet Labs, is an
administrator's control over operating system (OS), platform, or application
updates. It involves identifying system features that can be improved or
fixed, creating that improvement or fix, releasing the update package, and
validating the installation of those updates.

VII Recommendations
Here are some techniques and tools you can apply to harden your network security:
- Promiscuous mode; promiscuous mode is often used to monitor network
activity and to diagnose connectivity issues. It is sometimes given to a network
snoop server that captures and saves all packets for analysis, for example, to
monitor network usage.

- Port mirroring; allows the switch to take all packets from a specified port, port
range or entire VLAN and copy them to a specified port, giving access to all
packets on the switch.
- We can insert a hub into the topology in front of the devices whose traffic you want
to monitor.

- Monitor mode; allows us to scan access channels to see all wireless traffic being
sent by APs and clients. Open source capture and monitoring utilities include
Kismet and Aircrack-ng.

- Wireshark; Wireshark is better than tcpdump and can analyse important traffic using
packet capture.
- IDS/IPS system for monitoring network traffic and analysing it.
- Disable all unnecessary protocols or components, to decrease the surface
for breaches or attacks.
- Reduce software deployment.

- Telnet, used for managing switches, has to be disabled.

- Any vendor-specific AP access should be disabled if you don't plan on using this
service or tool.
- Use Microsoft 365 Defender services; Microsoft 365 Defender is a unified
pre- and post-breach enterprise defence suite that natively coordinates detection,
prevention, investigation, and response across endpoints, identities, email, and
applications to provide integrated protection against sophisticated attacks.
- Use UAC (User Account Control); it helps prevent malware from damaging a PC and
helps organizations deploy a better-managed desktop.
- Application policies; only support or require the latest version of a piece of software.

- Disallow risky classes of software by policy.

- Understand what your users need to do their jobs; this will help you shape your
approach to software policies and guidance.
- An extension that requires full access to the web sites visited can be risky, since
the extension developer has the power to modify the pages visited.
- Apply security risk assessments.

- Understand the vulnerabilities of your system by performing
regular vulnerability scanning using tools like OpenVAS, Qualys and Nessus.
- Regular penetration tests to test your defences, to ensure the detection and alerting
systems are working properly.
- Privacy policies; cover the access and use of sensitive data, define what
authorized use is, and what the provisions and restrictions for data use are.
- Periodic audits of cases where sensitive data is accessed can be enabled by alerting
and monitoring systems; it is good practice to apply the principle of least privilege
here, by not allowing access to this type of data by default.
- Any access that doesn't have a corresponding request should be flagged
as a high-priority potential breach that needs to be investigated as soon as possible.
- Data handling policies should cover the details of how different data is
classified.
- Data destruction system; data destruction makes data unreadable to an
operating system or application. You should destroy data on devices no longer used
by the company, unused or duplicated copies of data, or data that is required to be
destroyed. Data destruction methods include:
  - Recycling: erasing the data from a device for reuse
  - Physical destruction: destroying the device itself to prevent access to the data
  - Outsourcing: using an external company specializing in data destruction to handle
    the process
I think in our case the best solution for data destruction is a trade-off between physical
destruction and outsourcing.

- User habits; the habits and actions of users are involved. Having clear and reasonable
security policies, by understanding what employees need to accomplish their jobs,
also makes sure that they have the right tools to get their work done without
compromising security.
Employees should never upload confidential information onto a third-party
service that hasn't been evaluated by your company.
- Password policies; it is important to understand what threats password policies
are supposed to protect against. That way, to find a better balance between security
and usability, we adjust the mandatory password rotation period.
It is important to make sure employees use new and unique passwords, and don't
reuse them from other services.
It is also important to have the password change system check against old passwords; this
will prevent users from changing their password back to a previously used, potentially
compromised password.
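As an added example (not code from the original document), the following Python password-change handler implements the check against old passwords described above: it refuses a new password that equals the current one or any of the last few, and keeps only salted PBKDF2 hashes so the history never stores plaintext. The history depth, the minimum length and the iteration count are constructed policy values for the example.

```python
"""Password change check for the policy above: a new password is refused if it
matches the current one or any of the last HISTORY_DEPTH passwords. Only salted
PBKDF2 hashes are kept, so the history never stores plaintext passwords."""
import hashlib
import hmac
import os
from collections import deque

HISTORY_DEPTH = 5      # constructed policy value: remember the last 5 passwords
ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor

def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is generated by default."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

class PasswordRecord:
    """Current credential plus a bounded history of previous password hashes."""

    def __init__(self, password):
        self.current = hash_password(password)
        self.history = deque(maxlen=HISTORY_DEPTH)  # oldest entries drop off

    def _matches(self, password, entry):
        salt, digest = entry
        # Re-derive with the stored salt and compare in constant time.
        return hmac.compare_digest(hash_password(password, salt)[1], digest)

    def change(self, new_password, min_length=12):
        """Apply the new password, or return (False, reason) if it is refused."""
        if len(new_password) < min_length:
            return False, f"password is shorter than {min_length} characters"
        if self._matches(new_password, self.current):
            return False, "new password is the same as the current one"
        if any(self._matches(new_password, old) for old in self.history):
            return False, f"password was used within the last {HISTORY_DEPTH} changes"
        self.history.append(self.current)
        self.current = hash_password(new_password)
        return True, "password changed"
```

Reuse across other services cannot be checked this way, since the organization never sees those passwords; that part of the policy relies on user education.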

- Users should be aware of and educated about credential theft from phishing emails.
If someone entered their password into a phishing site, or even suspects they did, it is
important to change their password as soon as possible.

We need to use a tool like Password Alert. Password Alert is a Chrome extension
that helps Google Workspace and Cloud Identity users avoid phishing attacks by
detecting when they enter their Google password into any website other than the
Google sign-in page.

- Third party security; it is important to hire trustworthy and reputable vendors
whenever you can.
For software services or hardware vendors, you might also ask to test the software or
hardware; that way, you can evaluate it for potential security vulnerabilities
or concerns before deciding to contract their services. It is important to understand
how well-protected your business partners are before deciding to work with them.
- Provide security training for users; this will boost a healthy company culture
and overall attitude towards security.
- Incident reporting, analysis and recovery plan; here we have critical data
which requires extra care and a high level of incident response:
Credit card or payment card industry information (PCI)
Personally identifiable information (PII)
Export Administration Regulations compliance (EAR)

- Chain of custody; refers to a process that tracks the movement of evidence through its
collection. Maintaining the chain of custody makes it difficult for someone to argue that the
evidence was tampered with or mishandled.
- Mobile security and privacy policies and regulations; keeping users'
mobiles safe and secured is critical because they can contain important information and
data.
- Bring your own device (BYOD) policies; BYODs can become dangerous
security threats to companies' data and networks. To mitigate these threats:
  - Develop BYOD policies
  - Enforce BYOD policies with MDM software
  - Distribute MDM settings to multiple OSes through EMM systems
  - Require multi-factor authentication (MFA)
  - Create acceptable use policies for company data and resources
  - Require employees to sign NDAs
  - Limit who can access data
  - Train employees on data security
  - Back up data regularly

- Steps you can apply to harden the browser and protect online security:

A - Identify whether a source can be trusted or not
  - Use anti-virus and anti-malware software and browser extensions
  - Check for SSL certificates
  - Ensure the URL displayed in the URL bar shows the correct domain
  - Search for negative reviews of the website link
  - Don't automatically trust website links provided by people or organizations you
    trust
B - Use a password manager extension
C - Configure your browser settings
  - Use pop-up blockers
  - Clear browsing data and cache
  - Use private browsing mode
  - Sign in for browser data sync
  - Use ad blockers

You need to know if your company has legal requirements related to security.
VIII Conclusion
Security is all about determining risks or exposure, understanding the
likelihood of attacks and designing defences around these risks to minimize the
impact of an attack.
The balance between productivity and security is a critical point for your
organization.
Having a defined and well-established privacy policy is an important part of good
privacy practice.
Company policy acts as a guideline on how to access (and not access) and handle
informational resources and data.
Security is a common responsibility between users and the security team; neither
of the two parties can survive alone.

Prepared by Abdelhak Nasr
Security consultant
