1. What are ElectroMyCycle’s most important assets that must be protected with security mechanisms?
The Physical Building
2. What are the biggest security risks that ElectroMyCycle faces? The biggest risks are from tech savvy vendors and customers applying a DOS attack amongst other types of attacks and internal non – compliance. VPN’s also can pose a viable threat if infiltrated. Wireless network, server farms, etc.
3. Design a high-level security policy for ElectroMyCycle.
Purpose: This document describes a required minimal security configuration for all routers and switches connecting to a production network or used in a production capacity at or on behalf of ElectroMyCycle Scope: All employees, contractors, consultants, temporary and other workers at Cisco and its subsidiaries must adhere to this policy. All routers and switches connected to ElectroMyCycle production networks are affected. Policy:
The enable password on the router or switch must be kept in a secure encrypted form. The router or switch must have the enable password set to the current production router/switch password from the device’s support organization. The following services or features must be disabled:
TCP small services
UDP small services
All source routing and switching
All web services running on router
Cisco discovery protocol on Internet connected interfaces
Telnet, FTP, and HTTP services
The following services must be configured:
NTP configured to a corporate standard source
All routing updates shall be done using secure routing updates. Access control lists must be used to limit the source and type of traffic that can terminate on the device itself. Access control lists for transiting the device are to be added as business needs arise. Each router must have the following statement presented for all forms of login whether remote or local: “UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You must have explicit permission to access or configure this device. All activities performed on this device may be logged, and violations of this policy may result in disciplinary action, and may be reported to law enforcement. There is no right to privacy on this device. Use of this system shall constitute consent to monitoring.”
4. Describe how you will achieve buy-in from the major stakeholders for your security policy. In order for me to gain a “Buy – In” from the major stakeholders, I would first have to convince the upper management and the owners that this security policy is the most financially beneficial to them. Once the administrators and the security department are in line with the new network , it would make it easier to have them end users and the stakeholders to buy – in to the concept.