Running Header: DIGMARK NETWORK SECURITY 1
DIGMARK NETWORK SECURITY 2
Digmark Network Security
Name
Professor
Institution
Course
Date
Abstract
In today’s market, businesses have and are gaining competitive advantage by incorporating technology and specifically internet technology into their operations .The development of internet technology has led to a new caliber of businesses that are conducted online; for instance, online shopping businesses. However, the network security behind the internet technology is often overlooked. Weak network security creates a loophole for professional network hackers to illegally intrude into the system causing damages and losses to both the firm as well as its clients involved. A number of new policies and regulations have been put in place to address data breaches. The goal of this project is to address data or information breach involving gathering client’s information as well as credit card information while shopping online. Digmark is an online shopping firm located in Texas. The firm has often received complaints involving the interference of their credit card information attracting the attention of the authorities .The breach has been massive a one leading to the credit card processing clearing house not accepting transactions from them until the issue is resolved. This calls for the firm to quarantine the devices connected to the network to carry out forensic analysis to resolve the issue.
To address the problem, the organization has a plan to quarantine the current network connected devices and install new network equipment, segment the network, implementations of intruder detection system, data encryption, and implementation of enterprise class firewall as well as performing vulnerability assessment both internally and externally to ensure compliance with DSS/PCI.
Some of the key clients to be involved in the project testing and implementation will include the united state secret service. The US secret service will be involved in investigating the criminals or the network intruders. Credit card processing clearinghouse is another stakeholder for which to accept transactions from the Digmark has to ensure its compliance with DSS/PCI. Dig mark has to the necessary equipment for the development and implementation of the new network security that is DSS/PCI compliant.
My involvement in the issue is to ensure the development of a network system that is secure and facilitate its proper implementation. The proposed plan is to be implemented in four phases within a period of four weeks. In the first two weeks the initial phase of plan implementation was performed .The phase will involve quarantine of the devices connected to the network for forensic investigation. In the second week, the second phase will involve installing new devices as well as configuration and installation of serves. In week three, phase three of the plan involving configuration intruder detection system and enterprise class firewall of new network security infrastructure. The last phase is to be conducted in forth week which will involve performing DSS/PCI compliance test as well as proving the compliance to the clearinghouse.
The proposed outcome for the project is a Digmark with a more secure and operational efficient information network. Moreover, the organization staff will be aware of intruder’s attempts to enter the system and the risk involved and mitigates process of the risks. The actual outcome was closely related or similar to the proposed one. The Dig mark network security was full-optimized making the firms operation efficient. In addition, the staff became aware of basic security risk management and became aware of attempts of an intruder to enter the system.
Introduction
Online shopping businesses majorly involve ordering commodities as well as paying for them online via online banking and other money services. If an intruder via a weak network security misdirects the payments, it could lead to an enormous loss of revenue for the entity involved.
Digmark is an online shopping firm based in Dunhill Texas .it started its operation in the year 2009.It specializes in sale of electronic gadgets, furniture, clothes for all gender and ages including other products. The firm recently experienced a massive explosive growth with the spread of internet technology knowledge as well as increased number of smart phones in the hands of the youths in the country (Havelka et al, 2009). Despite the massive growth, the firm did not consider advancing its network technology to improve its network security. The firm temporarily relied on the knowledge and solutions of freelance technicians to fix any issue in case of concern in the system temporarily. The use of several freelancers’ solutions in a one system creating a layer of solutions resulted into an insecure and a weak network system creating an opportunity for intruders to intrude the system collecting credit cards information (Thomas et al, 2010).
As a result of illegal harvesting of credit cards information due to weak network security the Digmark requires the services of network security professionals who can address the issue in accordance with the credit card processing clearing house requirements. Digmark, which is considered to process about 150,000 credit cards transactions in a year, is categorized as a tier 2 merchant. According to the policies of the United States (us) secret service, it should first quarantine all its devices connected to its network for forensic investigation (Alpcan et al, 2010). In this situation, the firm has to decide whether to cease its operation until the forensic investigation is completed or the firm should invest in a new network system that is PCI/DSS compliant. The entity choosing not to cease its operation it chose to replace all its network connected devices while redesigning its infrastructure to secure its network making it a more secure and efficient one. The infrastructure redesigning will include the replacement of managed switches, consumer switch mode with the business –line model as well as the segmentation of the network into multiple virtues LAN (VLAN) that comprises of a subset of the ports on a multiple switches (Ciampa, 2012).
The project will involve replacing of firewall, routers, servers, switches, and workstations. Segmentation of the network into multiple virtues LAN will isolate the broadcast traffic on that network, making the flow of efficient of the packets. Access control list as well as intruder detection system will facilitate enforcement of adequate trust models hence improving the network security. In addition, ACL will be filtering the hosts who are allowed the access of specific virtue LAN (VLAN) acting as an additional security strategy (Alpcan et al, 2010).
Project scope
Following the massive unauthorized harvesting of credit cards information due to weak network security the Digmark is required by the united states (US) secret service to quarantine all its devices connected to its network for forensic investigation .This will mean Digmark firm being unwilling to cease its operations it has to purchase new equipment and request for the infrastructure redesign to enhance its security and efficiency. The new system required will involve ten (10) business line switches, forty five (45) work stations, (2) services as well as network accessible storage (NAS) sixteen (16) terabyte device, two (2) internal firewall and two external firewall.
This project has a projected period of four (4) weeks to implement it in four (4) phases. In phase one (1), quarantine of all security defective devices is to be performed. In the same phase the procurement of the new network devices by Dig mark will take place (Thomas et al, 2010). The second (2) Phase of the implementation will include installation of the new network devices such as configuration and installing, serves both system. All servers have to be patched, configured and to have an updated anti-virus program installed in. The third (3) phase involved encryption of data, deployment configuration, and testing of enterprise class firewalls. The fire walls have in-built security suites which involve web-filtering ,span filtering intrusion prevention system (IPS/IDS) as well as perimeter anti-virus .the perimeter anti-virus (PAV) scans inbound traffic then quarantines files that are suspicious apply for the system administrator to conduct further review or scanning of the file.
In this phase (three), network segmentation into LAN (VLAN) as well as the configuration and deployment of business line switches is done .Access control list (ACL) to prevent unauthorized data or network access will be developed on the routers as well as onto the switches. The phase entails performing of intruder detection and prevention (IDS/IPS) compliance tests. In addition, both internal and external scan to verify the strength of the network security are to be performed. The results are expected to be impressive and satisfactory to the credit card processing clearinghouse. The results are to proof that the new system is compliant to the PCI/DSS requirements .In this very final stage of implementation, training, and creating security awareness among the staff is to be performed.
Project Rationale
Digmark network system requires a complete development of a new secure network system. My firm being a network security consultancy this will be the best opportunity to practice. The new challenges presentment in the development of the new network system will enable me and my colleagues to develop the professional skills, which will be useful in solving future challenges. Digmark will become our client in regularly reviewing and maintaining their network security. Moreover, the issue being argent one, we will have to take swift actions with an aim to rescue the Digmark condition.
Problem Statement
The issue or problem identified in this case involve weak network security because of little or lack of knowledge as well as awareness. The problem is worsening by utilization of outdated network devices as well as software programs that are not updated. The above characteristics of network create a thriving zone for even novice network intruders.
Problem Background
The involvement of the United States (US) secret service makes it difficult to conduct a detailed system and process audit, since the top most priority was quarantining of all the devices connected to the network for the purpose of forensic analysis and preservation. However, a detailed visual and enquiry assessment was completed. A visual analysis revealed that the Dig mark firm utilized outdated versions of servers, firewall router, and switches. The anti-virus programs were not up to date (not updated) making the system vulnerable to virus attack. The network was not segmented one allowing an opportunity for intruder to face less resistance as they try to intrude the system. Moreover, the firm employed no security measure to the system; the staff actually used the default passwords, which can easily be memorized.
Defense of the Solution
Any business entity requires the security and ability to receive payments for its services or products. When the process of payment reception is interfered with, it might be costly to the firm in terms of revenue loss. In current market where most payment are majorly done online or by cheques or credit cards, credit card transactions done in cleaning house contribute significantly to the respective business entity. For a firm to accept credit card transactions, it must be compliant with the PCI/DSS requirements. So long as the security of a network is weak, leaving room for network intruders it will mean continuity in loss making by the entity.
Digmark is not exception of the above statements and explanation. The firm has been experiencing continuous loss of its revenue. The proposed network system will strengthen the network security, minimizing attack by intruders. In addition, the new network system being a layered one, it would discourage the intruders from penetrating, as the intruder will have to penetrate several layers of the network in order to harvest any information. Moreover, the new network system security being PCI/DSS compliant it will mean that clearing house will allow credit card transaction for the entity once more.
Methodology Justification
In cases of information breach due to a wing organizations weak network security, an immediate solution need to be sought for. If the organization does not have a network, security expert will require an external network security expert to solve the issue. In addition, about the federal laws in cases of information breaches a forensic investigator to work hand in hand with the law enforcement team to preserve the obtained chain of evidence will be required.
Following the discovery of massive breach of credit card information, the United State (US) secret service required the quarantine of all of the devices connected to the Digmark network. However, Digmark was not willing to cease its operation as the process of forensic investigation was being conducted. The firm opted to purchase and put in place new network infrastructure since the database software and online shopping software were the fundamental part for the business operation. I had to start by deployment and the configuration of the servers as well as the computers.
Moreover, since the credit card clearing house was not accepting credit card transaction of the firm. I had to hasten my process of ensuring improved network security ensuring PCI/DSS compliance. The second step I took involved configuration and deployment of both the internal and external enterprise class firewalls subsequently configuring and enabling security suites such as intruder detection and prevention (IDS/IPS).Thirdly, I deployed business line switches replacing customer switches and the segmentation of network into virtual LAN .the above procedures ultimately improved the network security as well as its efficiency.
Analysis of the Problem
Problem Statement
The major and clear problem in this project is the lack of implementation of security measures as well as lack of knowledge and awareness of security measures in the organization (Digmark).The problem is made worse by the outdated equipment as well as software including the network infrastructure which is not layered .The above network technology environment, creates a suitable environment for intruders including novice intruders.
Problem cause
To begin with, the failure of the firm (Digmark) to keep its devices and network programs updated is one of the major causes of the problem. The staff behavior clearly displayed lack of knowledge and awareness concerning security. Moreover, the management of Digmark demonstration ignorance by the fact that they used default passwords to login the system holding a mere perception that the default passwords were easy to remember and that there could be no intruder who would bother to intrude their network system with the intention of harvesting credit card information which is supposed to be kept confidential.
Stakeholder Impacts
The major are impact that Digmark will experience will involve the loss of customer confidence with the operations of the firm since the news of credit card information breach went public in addition, some customers experienced losses to the breach .this will damage the Dig mark customer relation. As a result of managed customer relation, few customers will be willing to do online shopping with the firm .This will drastically lead to loss of revenue to the Digmark. In addition, the financial cost that the firm will incur to rectify the breach is enormous bearing in mind the declined number of customers coupled together with the increased revenue losses.
Problem Analysis
Cost Analysis
The project having to be undertaken or implemented in four phases .The cost of the implementation will also be subdivided into four. Phase one (1) involved quarantine of all devices connected to the network and carrying out forensic investigation as well as preserving the trial of evidence obtained. The cost of this stage is $5000.00. Phase two (2) involved the procurement of new devices as well as their initial configuration and installation .the projected cost for this stage is $70,500.00. Phase three (3) would involve the configuration, installation, and deployment of the security system firewall and in general the deployment of the entire network system. The projected cost for this phase is $4,800.00. Phase four (4) involved the scanning and testing of the network to verify the PCI/DSS compliancy. In the very same stage, the training and creating network security awareness to the staff will be conducted. The cost for this phase is $ 5732.00. The total cost for the project added up to $86,032. The project was completed within this estimated budget and on time. The itemized breakdown cost can be found in this document in the following chapters.
Risk Analysis
Digmark faces the vulnerability of two major related risks. First, Digmark being an online shopping firm accessible to the large public if not the whole community internet; the likelihood of network intrusion is high. The fact that the firm operations are majorly conducted online, the risk of attack drastically increases from medium to high. Secondly, the occurrence of an attack greatly affects the firm’s relation with its customers.
Therefore, the risk of intruder invading and gathering customer credit card information and other identity information is very high in the case of Digmark. It is therefore crucial for the properly train and create awareness on network security issues in order to mitigate the above briefly introduced risks.
Solution
Bearing in mind the cause of the problem discussed in the above chapter, there is need to help the Digmark management as well as its staff to fathom the differences between business –class hardware and the customer grade hardware. In addition, there is a crucial demand to train and create awareness among the users and the management about network security. Moreover, as noted earlier the staff use simple or default passwords, which are easy to be cracked by network intruders .It is therefore crucial to train the staff on the significance and the need to always change default system password to difficult ones, which are difficult to crack especially when adding a brand new software package or new device to the network.
The outdated network connected devices, utilizing the old operating system as well as anti-virus programs, which are outdated, creates a conducive environment for novice intruders’ .By the fact that the Digmark has high costly risks due to the weak network security. It is therefore advice able for the firm to deploy new devices and operating system as well as software that are updated. The network of the network system should be layered one with multiple virtual LAN enhancing the security of the system. In addition, all the security measures and change in policies should be put in place to safeguard the Dig mark network system.
Approach Justification
The basis of the solution is to offer a vigorous as well as comprehensive secure network system. By creating network security awareness among the staff coupled with the implementation of an intruder detection system will generally lead to an improved network security. Since, the staff will be able to not and raise alarm in case of any suspicious activity in the network. Moreover, the employee or users will put in place passwords that are difficult to crack enhancing security.
The deployment of new network devices, which are advanced fitted with updated operating system as well as software, would make it difficult for intruders to hack the network for collecting confidential information. The proposed solution offers the Dig mark with a segmented network coupled with access control lists. The isolated segments of network prevent or protect Dig mark for a wide infection leading to a massive loss of customer confidential information such as credit card information. The layered network system calls for potential intruders to be patient, to continuously advance their skills as well as being determined to penetrate a layer of the network .this makes the work of professional intruders difficult eliminating the network system intruders due to weak network.
Risk Assessment
Dig mark would face several consequences if the problem were not addressed first due to wide illegal harvesting of customer identity as well as their credit card information the customers would lose confidence with the organization as well as decline in the customer relations .This would mean a decline in the number of customers as well as purchases, hence loss in revenue .moreover the costs involved in resolving information breach are extremely high add to the revenue losses. Internet network technology can offer an entity a competitive edge. However, if the organization involved is not willing to advance with the technological changes and advancement as well as ensuring online or system security can be a drawback element to the organization.
Digmark is not exception of the above statements .moreover the credit card clearing house is not willing to accept and could not accept the credit card transaction of Digmark until the organization’s network system is proven compliant with PCI/DSS requirements. Holding the fact that Digmark is an online shopping firm most of its payments are receivable via credit cards .This would have meant continuous loss of revenue and if not rectified immediately the firm would go under.
Project Requirements and Design
Execution Requirements
The new system required will involve ten (10) business line switches, forty five (45) work stations, (2) services as well as network accessible storage (NAS) sixteen (16) terabyte device, two (2) internal firewall and two external firewall.
Existing Gaps
Illegal harvesting of credit cards information due to weak network security the Dig mark requires the services of network security professional who can address the issue in accordance with the credit card processing clearing house requirements. Digmark, which is considered to process about 150,000 credit cards transactions in a year, is categorized as a tier 2 merchant. According to the policies of the United States (us) secret service, it should first quarantine all its devices connected to its network for forensic investigation (Alpcan et al, 2010). In this situation, the firm has to decide whether to cease its operation until the forensic investigation is completed or the firm should invest in a new network that is PCI/DSS compliant. The entity choosing not to cease its operation else to replace its entire network connected devices while redesigning its infrastructure to secure its network making it a more secure and efficient one.
Measures
Several measures are taken in the project taken to alleviate the above mentioned negative consequences .To begin with, Dig mark being an online shopping firm receiving its payment for most of commodities purchased via credit card I had to first work towards ensuring DPI/DSS compliance for the cleaning house to allow for the credit transaction of the firm .This would mean continuous flow of some revenue as the firm undergo recovery procedure.
To solve the issue of massive illegal credit card information harvesting which was leading to decline in customer confidence as well as poor customer relations; I had to develop a new secure network system. The network was a layered one composed of several network segments. This type of network structure is more secure. In addition, the DPI/DSS compliance documents would serve to restore and improve customer confidence and relation with the firm.
Creation of network security awareness coupled with the implementation of additional key policies such as changing default passwords especially when adding new device or a new software to the system is additional measure for improving the network security in general all the above measure were crucial and ideal for the purpose of restoring or improving customers confidence, ensuring continuity in receipt of payments done by use of credit cards as well as protecting the Dig mark from future wide spread ,illegal harvesting of customers identity as well as their credit card information.
Alternative solutions
Several alternatives were available to solve the network security issue facing Dig mark. To begin with, Dig mark could have ceased its operation awaiting the forensic investigation in progress of all its old devices connected to the network .The firm could then seal all the points of weaknesses identified and continue with its operations as normal.
Another alternative solution for the Digmark would have been instead of incurring huge costs in rectifying the weak points of network system. The firm could as well abolish the network or online transaction and turn the business into manual purchase and payment with cash as opposed to the online shopping.
However, after thorough evaluation of all the available alternatives the above alternative solutions were found to be less effective. Therefore, the best alternative selected for implementation-involved procurement, redesigning of a new network system that is; more secure and which promotes the operation efficiency in the Digmark. The alternative involved in layering of network system into single segments each operating on its own promoting operation efficiency.
Project Development and Implementation
Project scope
Several objectives have to be met by the new project to be termed as a success. The system must be secure allowing the customers to place orders online and facilitate processing of the credit card payment. The Digmark database is required to accept the input of inventory when received and process as well as print sales receipts. In addition, the network infrastructure should be segmented one, business class firewall fitted with security suite such as intruder detection and prevention IDS/IPS should perform as intended. Business line switches as opposed to customer switches must prevent users of the system from crossing over. The ultimate goal of a successful implementation of the project will be meeting or passing the PCI/DSS compliance test.
Assumptions
The assumptions below were taken into consideration in this project:
· The staff and the management generally lack awareness and knowledge in network security.
· Documentation of procedures, networks, and equipment does not exist or is not available.
· Digmark firm lacks or has weak security measures put in place to secure its network system.
· The staff in the Digmark organization uses default or weak passwords.
· The network devices used by the firm are outdated including its operating systems as well as anti-virus programs.
· The Digmark firm lacks foundational structure that can facilitate the scaling of current network system.
· Digmark lacks network security expert.
Project Phases
Just as indicated earlier the project implementation of plan will take four phases. Phase one (1) implementation plan would involve the quarantine of all the existing devices connected to the network. The process of quarantine would involve labeling, photographing, sealing the devices as well as locking the devices in a secure room for forensic investigation carried out on the devices. In this, first phase the procurement of the new network devices as well as carryout of visual audit of the old network devices will be carried out.
The second phase, which will be conducted in the second week into the work .the phase, will involve configuring of the servers. The first server to be installed will be the domain controller and the antivirus server. The antivirus would be the update version. The second server will be the online shopping data server. The third server will be the database server coupled together with its backup server. The fourth sever will be for the purpose of other online shopping related activities.
The third phase of the project implementation would involve configuration and installation of both the internal and external business class firewall, (watch guard XTM 330) four of them fitted with advanced security suits .In this phase all the forty five (45) work stations will be configured and deployed .This will be coupled with deployment of the ten (10) business line managed switches. In addition, here the network segmentation into multiple virtual LAN coupled with application of access control lists will be done here.
In phase four (4) in the fourth week, testing and scanning to proof the new network system will be carried out. The phase will involve completion at least of certificate to PCI compliance. Finally, training and creating awareness among the management as well as the staff concerning the issue of network security will be the final implementation phase.
Important Milestones
Milestones that this project followed are as the above four phases of implementation .It was crucial for the quarantine of the devices connected to the network first as we could not install or deploy new network devices will the old one prevail. The second phase involved installation of servers as they are the fundamental to return the firm into operation.
To protect perimeter both internal and external firewall installation was essential in the third phase of the plan implementation .Configuration as well as deployment of workstations as well as business line switches followed to facilitate the layering and the segmentation of the network into multiple virtual LN together with the application of access control list (CL). The above milestones were to strengthen the security of the new network system. The following milestone involved the testing and scanning of the system vulnerability. This step was one of the major milestones in the project. It involved confirmation of PCI/DSS compliance of the project derived network system. The next milestone involved providing the clearing house with the PCI/DSS compliance scan results thereby allowing Dig mark to conduct credit card transactions again towards the conclusion, the staff and management were trained and made aware of the network security finally the project was declared fully completed as planned within the budget and on time.
Timelines
Phase
Task
Start date
End date
Duration
One
Virtue audit
Quarantine of devices
Procurement of new devices
5/1/2016
5/3/2016
5/6/2016
5/2/2016
5/5/2016
5/7/2016
2 days
3 days
2 days
Two
Server one deployed
Second Server deployed
Third Server deployed
Fourth Server deployed
5/8/2016
5/10/2016
5/12/2016
5/14/2016
5/9/2016
5/11/2016
5/13/2016
5/14/2016
2 days
2 days
2 days
1 day
Three
Configuration and deployment of firewalls
Configuration and deployment of workstations and terminals
Configuration and installation of business line switches.
Application of ACL and segmentation of network into VLAN
5/15/2016
5/17/2016
5/18/2016
5/20/2016
5/16/2016
5/17/2016
5/19/2016
5/21/2016
2 days
1 day
2 days
2 days
Four
Scanning and tests for vulnerability PCI
Compliance certificate completion
Clearing house contact
Staff training and creation of awareness
Close out meeting with Dig mark owners
5/22/2016
5/24/2016
5/25/2016
5/26/2016
5/29/2016
5/28/2016
5/24/2016
5/25/2016
5/28/2016
5/29/2016
1 day
1 day
1 day
3 days
1 day
Total number days
28 days
Dependencies
The project would begin by quarantine of all the devices connected to the old network system. In the same period visual analyses of the old system weaknesses will be investigated. This will be followed by the deployment of the servers. This will be crucial for the making the work stations dependent as well as to facilitate the access of QuickBooks database. This step will be followed by deployment of the larger infrastructure of the network switches and all the related devices to be deployed to make the system operate as intended
Resource Requirements
Personnel
Personnel
When needed
US secret service personnel
Will be needed during the first phase quarantine and carrying out forensic investigation on the old devices connected to the network.
Digmark Owners
Will be needed in the initial stage in providing necessary information to the various specializes.
They will be involved in the decision-making concerning the best alternative on the way forward.
Network Security Specialized
Will be involved in analysis of the weak points of the old network system to come up with solutions
Involved in the entire process of configuring, deploying, and the testing of the new network system
Database Specialized
Will be involved in the second phase of the project implementation especially in ensuring the appropriate database server and its backup server are correctly configured and deployed
Software engineer
Will be needed throughout the project in analyzing the old software applied in the old defective network system.
Will be required to advice on the appropriate updated software including their confirmation and deployment They will be involved in training and creating awareness to the staff.
Credit card clearing house personnel.
Will be required during the last phase to prove the PCI/DSS compliance test or scan of the new network
Digmark Security Staff
Will be needed majorly at the beginning to state their expectation of the new network as well as at the last phase for training as well as being made network security aware in addition on how to use and manage the new system.
Resources
Resources
When needed
HARDWARE
Cisco ASA 5585-X-IPS External firewall
The third place for perimeter protection
Cisco AP 3702 corporate wireless servers
In the second phase to ensure 1
4 Giga bytes of memory an 1 terabyte
Third phase in deployment configuration of devices
CISCO 4500* routers
In the third phase of the project implementation
CISCO 3550*Access
In the third phase of configuration and deployment of devices
SOFTWARE
Antivirus programs
In the second phase during server configuration and deployment
2010 Operating systems for work station computers
In the third phase for work stations
Symantec Back up EXPO 2010
In the 2nd phase for database back up
Quick books 2014
In the third phase of configuration and deployment
Fire wall
Required in the second phase of plan implementation
Window server r2
Windows and professional
BUDGET
PHASE
ITEM
COST
TOTAL
One
Detailed analysis of the old network devices
Quarantine of the existing devices
Placing order for new network devices
$2,100
$2,000
$900
$5,000
Two
Purchasing, configuration and deployment of four (4) servers
Purchase, confirmation deployment of both extension and internal firewall with security suites
$6,000
$10,500
$70,500
Three
Configuration and deployment of forty five (45) work stations
Purchase, configuration and deployment of ten (10) business line switches
Network segmentation into multiple virtual LAN
$2,100
$1,500
$1,200
$4,800
Four
Vulnerability scans PCI/DSS compliancy scan, staff training, and awareness creation.
$1,700
$2,030
$2,002
$5,732
TOTAL COST
$86,032
Risk factors
Some major risks involved with the project include the historical usage of default passwords as well as lack of network security knowledge creating vulnerabilities with the new system. In addition, another major risk is another attack on the new network system, which would mean complete stoppage by credit clearing house accepting Digmark transactions.
The risk of creating house ceasing to accept credit transactions of Digmark would cost the firm approximately 90% of total revenue, which is equivalent to $32,500. The new network system mitigates the issue to 7% of acceptable level. Moreover, the risk of using default or weak passwords with the new network compound with awareness creation will mitigate the issue by 70% saving Digmark approximately $10,000 a year.
The above risks were mitigated by first proper maintenance of the equipment, regularly performing review on firewall log files, scanning for viruses and malware as well as patching of the operating system regularly. In the case of use of default or weak passwords, training the management as well as consulting security professional could assist in dealing with the issue.
Deliverables
The deliverables, which will be required in this stage, the results from analysis of the previous network system; the physical and logical drawings of the new network system (appendix A and B) will also be included here.
Project Development
Implementation Plan
The new system development requirement involves ten (10) business line switches, forty five (45) work stations, (2) services as well as network accessible storage (NAS) sixteen (16) terabyte device, two (2) internal firewall and two external firewall.
This project has a projected period of four (4) weeks to implement it in four (4) phases. In phase one (1), quarantine of all security defective devices is to be performed. In the same phase the procurement of the new network devices by Dig mark will take place (Thomas et al, 2010). .the first phase is crucial since a new network system cannot be put in place so long as the old one was in place. The second (2) Phase of the implementation will include installation of the new network devices such as configuration and installing, serves both systems. All servers have to be patched, configured and to have an updated anti-virus program installed in. This phase is crucial as it facilitates quick return into operation by the firm by the servers facilitating quick access to QuickBooks database as well as it is crucial for the work stations. The third (3) phase involved encryption of data, deployment configuration, and testing of enterprise class firewalls. The fire walls have in-built security suites which involve web-filtering ,span filtering intrusion prevention system (IPS/IDS) as well as perimeter anti-virus .the perimeter anti-virus (PAV) scans inbound traffic then quarantines files that are suspicious apply for the system administrator to conduct further review or scanning of the file. This phase will ensure that the system is safe from the activities of the intruders.
In this phase, network segmentation into LAN (VLAN) as well as the configuration and deployment of business line switches is done .Access control list (ACL) to prevent unauthorized data or network access were developed on the routers as well as onto the switches. The phase entailed performing of intruder detection and prevention (IDS/IPS) compliance tests. In addition, both internal and external scan to verify the strength of the network security was performed. The results were impressive and satisfactory to the credit card processing clearinghouse. The results proof that the new system to be compliant with the PCI/DSS In this very final stage of implementation, training, and creating security awareness among the staff was performed.
Strategy for the implementation
One of the possible alternative solutions to the issue facing Digmark would be to rectify the weaknesses of the old network system still using the old devices. However, since the management of the organization wanted to continue with its operation it would not be possible with the old network system devices which required to be analyzed by the US secret service. In addition, the old weakness of the old system would have been rectified temporarily. This made the alternative for the new network system the most desirable.
Phases of the rollout
The stages for testing and acceptance will follow the sequence of the four phase’s implementation. This is due to the reason that the success of the following phase depend on the success of the previous one. This also will be the stages of acceptance of the project.
Details of the project launch
Once training and the PCI/DSS compliancy form is acquired the project will be considered a success and a fully implemented one. Moreover, training and creating security awareness among the staff will be performed
Deliverables
The deliverables, which I have included in this report, include the physical and logical drawings of the new network system (appendix A and B). In the report, I have also included a copy of the notification letter, which I assisted in its drafting directed to the patron with the manager of the Digmark (appendix c)
Training plan for users
I will be involved in training and creating awareness among the management as well as the staff on the issues pertaining to the network security. The training will first be conducted before the full adoption of the new network system on the project delivery. In addition, our firm will be willing available to offer Digmark with the training when necessary in future.
Quality assurance approach
Solution testing
Upon the installation and firewall configuration, a test by going to a known notorious website was conducted. This was in order to verify the site blockage with log entry creation. External port scanning using NMAP was conducted to configure with IPS policy of verifying that IP address would be blocked and notification sent to the control or administrator. Rapid 7’s Nexpose was applied in scanning for vulnerabilities against system appliance. Moreover, Rapid 7’s was used to scan for internal vulnerability. By conducting the above tests, the PCI compliancy was reached. The tests were conducted twice in order to verify compliancy.
Evaluation Plan
A project can only be termed as success after its evaluation of efficiency and support was proven so. In this project, evaluation plan would include; quality assurance, proposed revisions on results, summative evaluation and results in dissemination.
Formative Plan
Formative plan or quality assurance in this project involve standards which can be answered either yes or no. Some of key questions involved include:
· Is the device/software working as intended?
· Is the connectivity required for the device or software connected?
· Is the software operating correctly and connect to the desired points?
The approach was top-down approach allowing the technicians with the results could then view the entire network. Moreover, the Digmark required results before any phase is declared completed.
Revisions
In case of failure, a complete analysis of the device or software was performed to establish the point of failure. On identification of the point of failure, a comprehensive and thorough work was conducted to rectify the failure. Then documentation was updated after performing test and ensuring appropriate performance.
Summative Plan
The testing of individual software and devices would ensure that all the software and devices are functioning as designed and as expected to. This is important in ensuring the security and functionality of the entire network system. The ultimate quality assurance will be the PCI/DSS compliancy scan or test. The test would proof proper functionality of the entire system as well as its security.
Dissemination
The evaluation results as well as the results of PCI/DSS compliancy scan will be an important item to prove to both the management as well as the credit card creaming house personnel that the Digmark new network system is secure and properly functioning. The results will be properly documented and disseminated to the above-mentioned personnel
Post Implementation Support and Issues
Post implementation support
My company being a consulting firm for services will be able to offer remote as well as on-site support services. Digmark can call use any time if they require any support having entered into service contract to offer full support to the organization. Moreover, the support will involve maintenance plan of upgrading firmware, changing network device passwords, renew and approve Microsoft upgrades as well as performance of DCI/DSS compliancy scan.
Post Implementation Support Resources
The resources required would include documentation of the project for the referencing as well as training the staff in the future. Upgrading firmware Microsoft upgrades this will be provided by enquire from our firm.
Maintenance Plan
Digmark can call use any time if they require any support having entered into service contract to offer full support to the organization. Moreover, the support will involve maintenance plan of upgrading firmware, changing network device passwords, renewal and upgrading of the systems software.
Conclusion, outcomes, and reflections
Project summary
This network security project begun following the Digmark realization of the massive unauthorized harvesting of credit cards information; in response, the firm informed the US secret service as well as the credit card processing clearinghouse. The firm was not willing to cease its operations. It had to employ expertise to come up with a new secure network system.
Digmark approached our firm upon which we entered into an agreement after which situation analysis was conducted as well as determining the topology of the new network system of the Digmark. I approached and discussed with US the secret service and the credit clearing house their requirements in order to approve the new network system. After gathering the requirements, a plan designed and then submitted for approval thereafter the execution of the project begun.
The implementation of the project carried out in four (4) phases in a period of four (4) weeks. The four phases involved procurement of new equipment, quarantine of the old network devices as well as their analysis, configuration and deployment of the four servers, firewalls, workstations, switches which are business line managed, network segmentation and control lists. The last phase involved testing and conducting vulnerability scan as well as training and creating awareness among the Digmark staff about network security. The PCI/DSS compliancy form of proof was then forwarded to the credit card clearing house to authenticate credit card transactions with Digmark; Lastly, I was involved in a close meeting with the management of Digmark whereby I advised them on issues associated with network security, precautions, as well as dis.ster recovery plan.
Deliverables
The deliverables, which I have included in this report, include the physical and logical drawings of the new network system (appendix A and B). In the report, I have also included a copy of the notification letter, which I assisted in its drafting directed to the patron with the manager of the Digmark (append
Outcomes
I carried out the project. The first meeting, which involved physical analysis of the network system, it was clear that the organization required a new network system as well as guidance. The project outcome was a favorable one. Though throughout the project there were unclear unpredictable circumstances, which delayed the progress, I was able to complete the project within the allocated budget and on time. I felt content and proud by being able to utilize my education coupled with my skills to get the organization PCI/DSS compliant. The Digmark owners were pleased and happy with the delivery of the completed new secure network security project. The on this project enable me to practice my skills presenting me with challenge to gain experience. However, I proved up to the task.
Reflection
Network system development needs a balance among its usability, functionality, and security. It is difficult to build a network system that is secure without compromising the usability and functionality of the system. This Digmark network system development was not exceptional. However, by a wide research determination and patience, the balance among the three was achievable. Moreover, I learned how costly an information breach due to a weak security system can be costly.
References
Alpcan, T., & Ba?ar, T. (2010). Network security: A decision and game-theoretic approach. Cambridge University Press.
Ciampa, M. (2012). Security+ guide to network security fundamentals. Cengage Learning.
Havelka, D. & Merhout, J. W. (2009). Toward a theory of information technology professional competence. The Journal of Computer Information Systems, 50(2), 106 – 116. http://www.iacis.org/jcis/archives/vol50_iss2.html.
Thomas, T. M., & Stoddard, D. (2011). Network security first-step. Cisco Press.
APPENDIX: A
Appendix: B
Appendix: C
Digmark
Date: April 28, 2016
Dear Digmark customer
We are contacting you because we have learned a serious network security issue resulting to data security incident that happened between February 3, 2015 and March 28, 2015 involving some of your personal information. The incident involved harvesting of credit card information for instance customer’s names as well as credit card numbers.
The issue being serious, we are therefore informing you to take preventive measure along with us to avoid misuse of your credit card information. We have already informed two (2) credit card agencies about the incident.
We recommend closely monitor your bank account for any unauthorized activity. Alternatively, you can contact the two credit agencies to obtain your credit report by calling 1-878-436-3438 as well as 1-879-483-3282.
It is advisable constantly check your credit report so that if issues arise, it can be resolved early enough. Alternatively, you can place a freeze on your credit. We as Digmark are sorry for the inconvenience but we are working hard to resolve the issue.
Director name……….
Signature…………….
Date April 28, 2016
