
Organization has a small, but growing, employee base, with 50 employees in one small office.

The company is an online retailer of the world's finest artisanal, hand-crafted widgets. They've hired you as a security consultant to help bring their operations into better shape.

Organization requirements: As the security consultant, the company needs you to add security measures to the following systems:

• An external website permitting users to browse and purchase widgets

Because the organization sells the world's finest hand-crafted widgets to a select clientele only, there is a strict need to authenticate users. Authentication will therefore be the filter for accessing the website and ordering the desired goods. By making authentication a chokepoint, only authenticated clients can purchase the finest artisanal hand-crafted widgets. Instead of traditional methods, which would not convey exclusivity, I would recommend FIDO (Fast Identity Online) with a personalized USB security token device. This authentication system removes the need for a username and password, so it effectively protects the customer's identity as long as he or she keeps the token device in their care.

• An internal intranet website for employees to use

Since the organization is small enough that everyone can be known by name and face, I would recommend a cloud-hosted intranet. This option is also space-efficient, as the office is not a big space according to the assignment. Furthermore, I can discuss with the staff which software is a necessity and which is merely nice to have, and subscribe only to the pertinent services, which would help save costs. Since the intranet also needs to be secure, I would look for a service that again uses authentication as a chokepoint unless the manager explicitly states otherwise. If he or she wants to limit personnel access to certain files, then the intranet would need to authenticate the individual at the endpoint or service requested. Website security would be handled by the cloud-based service the organization subscribes to. However, I would choose a provider that uses authentication as the chokepoint and a whitelist to restrict which employees can access specific files.

• Secure remote access for engineering employees

With a cloud-based intranet, I would also use a cloud-based storage solution that uses the same authentication system as the internal intranet. When choosing the service, the system will need to be encrypted and to use a VPN that is kept active and constantly patched. We will use FIDO with a personalized security token when employees need to log in from a remote location.

• Reasonable, basic firewall rules

All traffic for the organization will follow a block-by-default rule. This blocks all traffic and gives strict control over what enters and leaves the office network. Only specific traffic will then be allowed, pinpointed by source IP address, destination IP address, and destination port. If there are certain IP addresses that everyone needs to access all the time, then that service will receive the "any" specification for the source and destination IP so that access is easy. However, the destination port would never be set to "any", to make sure attackers cannot use a dictionary attack to guess passwords or exploits that would compromise the security of the organization's systems.

• Wireless coverage in the office

With 50 personnel, I would assume there are 50 computers in need of access to the internet. This number would dictate what type of
Furthermore, the configuration of the office will also dictate how many wireless access points are necessary.

• Reasonably secure configurations for laptops

• Handling customer payment data, the organization would like to be extra cautious about privacy.
• Engineers will require access to internal websites, along with remote, command line access to their workstations

Necessary Items to Address

• Wireless security
• VLAN configuration recommendations
• Laptop security configuration
• Application policy recommendations
• Security and privacy policy recommendations
• Intrusion detection or prevention for systems containing customer data
