Академический Документы
Профессиональный Документы
Культура Документы
Prepared by: Nadia Xing In Cooperation with: Shane Swinfen Dima Myrnyy
Page |2
CONTENTS
Introduction..............................................................................................................................................1 Background...........................................................................................................................................1 The Project Overview...........................................................................................................................2 The Project Team..................................................................................................................................2 The Objectives of Research...................................................................................................................4 Methodology.............................................................................................................................................6 Scope of Research.................................................................................................................................6 Within New Zealand........................................................................................................................6 Language: English only...................................................................................................................6 Solely Internet, excluding other media.............................................................................................6 Excluding business information exchange and/or publications.......................................................6 Literature review on internet security..................................................................................................7 Scenario Analysis .................................................................................................................................9 Category 1 (individual, how to use internet)....................................................................................9 Category 2 (individual, where to access internet)..........................................................................10 Category 3 (companys perspective)..............................................................................................10 Result Analysis.......................................................................................................................................12 Web Search Strategy...........................................................................................................................12 Website selection............................................................................................................................12 Key words and alternatives............................................................................................................12 Other methods................................................................................................................................12 Results Filtering..................................................................................................................................12 Numerical ......................................................................................................................................12 Abbreviation...................................................................................................................................12 Name..............................................................................................................................................13 Date................................................................................................................................................13 Frequency of repetition..................................................................................................................13 Classification......................................................................................................................................13 Based on Organizational Structure.................................................................................................13 Based on Information Type............................................................................................................13 Based on Channel...........................................................................................................................13 Summary.................................................................................................................................................14 Conclusion..........................................................................................................................................14 Recommendations...............................................................................................................................14 Managerial protection system........................................................................................................15 Technical protection system...........................................................................................................15 Further Studies...................................................................................................................................15 Appendices..............................................................................................................................................16 Result Analysis....................................................................................................................................16 Web Search Strategy...........................................................................................................................16 Website selection............................................................................................................................16 Key words and alternatives............................................................................................................16 Other methods................................................................................................................................16 Results Filtering..................................................................................................................................16
Page |3
Numerical ......................................................................................................................................16 Abbreviation...................................................................................................................................16 Name..............................................................................................................................................16 Date................................................................................................................................................16 Frequency of repetition..................................................................................................................17 Classification......................................................................................................................................17 Based on Organizational Structure.................................................................................................17 Based on Information Type............................................................................................................17 Based on Channel...........................................................................................................................17 Web Searching Results........................................................................................................................17 Distributions.......................................................................................................................................17 Reference.................................................................................................................................................18
Page |1
Introduction
Background
In modern world, threat coming from public sources of information is on the rise. Rapid development of social networks poses serious danger not only to personal, but also for a company as a whole, because people do not realize boundaries between general company information and company sensitive information. Other areas of information leaks existed before, but with development of search engines the entry level into data mining is lowering, at the same time increasing number of possible attackers. A sound information security management program involves more than a few strategically placed firewalls. These safeguards, while important, are only truly effective as part of an overall information security management system. The integration of existing security technologies and processes into a cohesive framework for security management will ultimately reduce inefficiencies and redundancy and ensure the manageability of those solutions. A comprehensive security program should contain the proper balance between people, processes and technology to effectively manage risk with minimal impact on normal business operations. In order to build an appropriate information security program, an organization should assess and define their specific security requirements, design a solution that meets those unique requirements, deploy the necessary policies, technology and procedures, and continuously maintain, adapt and improve that solution. An organizations overall security strategy will provide a framework for defining those elements necessary in building and maintaining a sound security management program. Strategic planning can take many forms, but the end result should yield a documented approach for achieving goals set within the framework of a specific strategic objective. In the case of information security, the strategic objective is the satisfaction of protection requirements for an organizations information assets.
Page |2
To give some indication, In 2009, Symantec blocked an average of 100 potential attacks per second. Malicious code is as prevalent as ever, with more than 240 million distinct new malicious programs identified by Symantec in 2009a 100 percent increase over those found in 2008. Even though the scope of this project doesnt stretch far enough to cover malware, such programs are created to take advantage of vulnerabilities found in computer systems. All the attackers need to know is if a company houses these systems and they can be exploited.
As my major is information Service, I have taken the following papers: IT project management, CCNA, Network and System Administration and Needs Analysis and Acquisition and Training. I will use the knowledge gained from each of these papers to help me complete the project with my team. From the IT project management paper ive studied, I have experienced handling and controling a project with management silks. In CCNA and Network and System Administration, I have got the basic knowledge of an IT network.
Page |3 The Need analysis, acquisition and training which is really help me to do the research and analysis the information for the company. Dima: In general I am purely technical person, with strong interest in new technologies, mostly related to security issues. Also have strong interest in areas like social engineering and people psychology(how they are acting in critical situations). Technical skills relates to next areas: Network security Networking Software development
Team can gain from next personal capabilities: Result driven Capable of working under pressure Analytical thinking
Shane: This paper gives us the chance to really test all that weve learnt over the past few years and how we can adapt our skills to the real world tasks that have been set. Personally i feel i bring quite a lot to the table, Im a strong communicator and work well within groups where communication is such a key role in keeping projects afloat. Im a dedicated worker and enjoy motivating people around me to give their best in their work. Technically speaking I'm a network security/net centric major but have completed a variety of papers including project management, advanced Internet technology, data process modelling and management and Innovation. Each module has challenged me to develop new skills which I've thoroughly enjoyed learning. Professionally I've had the privilege of working with a couple companies over the summer break which has really taught me a lot. Im persistent in anything i do with an aggressive willingness to learn and improve my skills where i can.
Page |4
Page |5
Page |6
Methodology
Scope of Research
Within New Zealand
The project team is fully aware that Fonterra is a multi-national company with subsidiary organizations in many countries around the globe. Also, as part of its daily operation, the use of internet has been acting more and more importantly and even becoming indispensible in Fonterras communications, transactions, and information transmissions. However, due to the limits of time and available resources, this project is scoped to focus on the internet security issues of Fonterras operation within New Zealand. The project may cover some of cross-border internet use; nevertheless, the end users are located in Fonterra New Zealand.
Page |7
The increased security threats are caused by some reasons as follows: Increased Usage: In the last 10 years the face of computing has changed dramatically. More and more businesses rely heavily on networked systems and the Internet to conduct business. In just a few years, we have turned into a wired world, with information of any type accessible from just about anywhere, by anyone. At the end of 1999, there were approximately 200 million users online worldwide. That number is expected to increase to 1.7 billion users by the year 2009. As more people use the Internet the number of potential targets increase. Furthermore, as more and more businesses store their valuable information online, the potential for theft or damage increases.
Page |8
Always-On Connections: In response to the need for greater speed and higher carrying capacity, most small or home businesses users rely on high-speed bandwidth always-on connections to the Internet such as DSL (digital subscriber line) or cable modems. Always-on connections have two important characteristics that increase vulnerability. Firstly, because they are always on, they are always available for potential attackers to access. An unprotected connection to the Internet is an open two-way channel that information goes in and out of the system unimpeded. As long an unprotected connection is maintained, it serves as a point of entry for potential intruders to enter or attack the system. Secondly, always-on connections have static or unchanging IP addresses. As high-speed connections often remain connected, even when the computer is not in use the IP address never changes. Once a potential hacker has found the computer, he or she will be able to return to it as long as it is using the same IP address, placing it at greater risk of malicious intrusion. Insecure Technology: Another factor that has increased the risk of intrusion for Internet users is the tremendous rate of technological change. The pace of technological development has never been faster, and the world is trying frantically to catch up with it. Software developers strive to make their programs more userfriendly, often sacrificing security or reliability. Many commercial software packages that are released to market contain inherent flaws that may be exploited by attackers. This puts the end user at risk: not only is the technology potentially vulnerable, but users are often unaware of how they may be at risk. Lack of Education: One of the biggest security concerns that a business organization may face today is a lack of information about the threats that exist on the Internet. This doesnt mean that people dont care, or arent concerned, but in todays world of doing business at light-speed, managers do not have the time or resources to stay on top of the latest developments in information security. For most large sized enterprises, employing someone full-time to maintain system security is commonly seen as an option, and these IT security people are making great efforts in internet security; however, as greatly more employees are using internet in their daily jobs than ever before, it is significantly harder than ever for IT security people to maintain
Page |9 the companys system safe from fast developing threats as well as to educate every employee with internet security knowledge up to date. Furthermore, for those companies with higher personnel turnover, more staff changes in a working team would bring more difficulty in educating of IT security.
Scenario Analysis
From the above literature reviews, the security issues that a company, like Fonterra, may confront in its operations can be commonly seen as several typical scenarios, these scenarios can be classified into few categories as follows:
P a g e | 10 internet, thus giving much more accessible possibility for hackers to access this personal information. For example, some people may use mobile phone to access unsafe websites, thus give chances for hackers o scan the memories of these phones to get some sensitive or personal information, such as working contacts, job notes, etc.
P a g e | 11 database, once there is serious information leakage happened, the IT agent is always doubted. Scenario H: Employees or company build up chat room, forum, etc. that is out of the companys control, such as the alumni of Fonterra at Linkedin. In this case, the company almost has no control that what information would be published on these web sites. The worst case the that the out-hooked forum or chat room is for business use, in most cases, they are more likely not 100 percent for business use but to some extent business relevant. The company basically has no control what people would talk about in these websites, and the company has very limited control on who can access these forum or chat rooms. Scenario I: Employees are using computers at company while they opening other software such as outlook, MSN, etc. therefore leaving a side door for spyware or malware to access to the companys system. The workable way to prevent this is to abandon some social applications on companys computers; however, it is in need of relevant management policies as well. Scenario J: Foreign/unauthorized mobile storage devices, such as USB drive, memory cards, etc. physically connected into companys computers: passing virus, digging information. This is a difficult part to get control, as it is always related to technical authorization and management policies. Numerous mobile devices are supposed to connect to the companys system during the daily operations of a large company like Fonterra, they are a very possible way to spread virus. Scenario K: Email management: Email is always the largest aspect of internet use for the company. Therefore it is the most likely way in virus and spyware spreading. Technically, spam management and antivirus software are most common way seen in businesses, the updating and maintenance of these protective software are as important as having them. There is one point here that should be noticed: in business practice, the security issues of Internet applications are very likely not limited to above scenarios. These scenarios that listed as above are
P a g e | 12
Result Analysis
In this section, we will try to search the Internet to find out whether the scenarios stated as above section are possibly happening or actually happening in Fonterras business Internet applications. If so, then we will try to identify which scenario/s are more often amongst other; in other words what are more risky than others in Internet applications for Fonterra. Then the following section will work on providing solutions.
Other methods
Results Filtering
Numerical
Abbreviation
P a g e | 13
Name
Date
Frequency of repetition
Classification
Based on Organizational Structure
Based on Channel
P a g e | 14
Summary
Conclusion
Internet Security incorporates not only the technology needed to support a solid security strategy but also those policies and processes that must be incorporated in order for that strategy to work. New methods of breaking into corporate networks are resulting in major losses. This book provides the latest information on how to guard against attacks and informs the IT manager of the products that can detect and prevent break-ins. Crucial concepts such as authentication and encryption are explained, enabling the reader to understand when and where these technologies will be useful. Due to the authors' experiences in helping corporations develop secure networks; they are able to include the newest methods for protecting corporate data. This book helps you to shield data from both the internal and external intruder, discover products that can detect and prevent these break-ins, protect against major losses with the latest incident handling procedures for detecting and recovering data from new viruses, and get details of a full security business review from performing the security risk analysis to justifying security expenditures based on your company's business needs.
Recommendations
There should be a review regarding to the current status of the internet applications in Fonterra, and all the improvement should be based on the review. The review might be with focuses on the following questions: 1. What is Fonterra using: Dynamic Password/ Dynamic Cipher system or security question? 2. Does Fonterra have any kind of forum and/or alumni out of the companys system? How the Fonterras employees and ex-employees set their IDs and passwords? 3. How many company mobile phones are using internet? Are these phone protected? 4. Is Fonterras system accessible through unauthorized computers? Is there any protection? 5. How many Fonterras employees access the companys system at home, and how many of them using Wi-Fi? 6. How do Fonterras employees access the companys system remotely? VPN?
P a g e | 15 7. Does Fonterra have its own server? Are all the system and database under the companys full control? 8. How many forums and chat rooms related to Fonterras employees are known by the company? Is there any control over them? 9. What about the current policy in Fonterra regarding to the computer and internet using? 10. How is Fonterra dealing with the mobile storage devices connected to the companys system? 11. How many employees of Fonterra are using social mail addresses, such as hotmail, Gmail, as their working email? And how many employees are using their working emails as their social email?
Further Studies
P a g e | 16
Appendices
Result Analysis Web Search Strategy
Website selection
Email and attachments Blog Chat tool/room Macro blog Form submission Online survey Forum
Other methods
Results Filtering
Numerical
Abbreviation
Name
Date
P a g e | 17
Frequency of repetition
Classification
Based on Organizational Structure
Based on Channel
Distributions
P a g e | 18
Reference
P a g e | 19