Richman Investments | Richman Internet Infrastructure Security Management Upgrade | ITT Technical Institute NT2580 Course Project | | Jason R Spitler | 5/30/2014 |

Based on the premises that Richman has 5000 employees throughout the main office and several branch offices, this document dictates research solutions and details the appropriate access controls including policies, standards, and procedures that define who users are, what they can do, which resources they can access, and which operations they can perform on a system. |

Final Project I. Richman Internet Infrastructure Security Management Upgrade A. Purpose
Based on the premises that Richman has 5000 employees throughout the main office and several branch offices, this document dictates research solutions and details the appropriate access controls including policies, standards, and procedures that define who users are, what they can do, which resources they can access, and which operations they can perform on a system. II. Basic Authentication Procedures and Standards, (Who users are.) A. Trinity-Three-factor Authentication Method replaces Basic Authentication
It is my view the Administrator’s responsibility is to provide secure communications by adding layers of security at all levels to assure the amount of protection for company’s valuable assets. Richman will provide its employees a new method of authentication I call Trinity. It is a three-factor authentication method requiring updated laptops and new Apple IPhone. Since Microsoft has stopped support for Microsoft Windows Operating System XP, and 87 % of our current systems require upgrade to Windows 7. We should take advantage of the newest technologies available to our Corporation. Trinity is a three-factor authentication combines” “something that you know” (password – PIN), with “something that you have” (hardware- token, mobile phone) and/or “something that you are” (biometric technologies), to make sure that the person is who he/she claims to be.”(1)

1. Biometric Identification - Biometrics is the science of identifying someone from physical characteristics. A user’s fingerprint is one of the strongest authenticators available. Never lost during a commute or forgotten at home, has fingerprint authentication introduced a new plateau of convenience for fast, secure access all users will have, Desktop USB add on, laptops and Iphone6 with biometric fingerprint scanners. This will be level one security. The log records will show GPS coordinates of the scanned process as well.

2. Device Authentication- Entrust IdentityGuard software leads the industry as one of the most robust authentication. We can use Entrust for device authentication, biometrics, digital certificates, mobile soft tokens, and IP Geolocation. 3M Cogent provides the highest-quality fingerprint authentication technology to government, border services and security- conscious organizations across the globe. “Entrust has partnered with 3M Cogent to integrate its world-class fingerprint enrollment and verification technology into the Entrust IdentityGuard software authentication platform.”(2) These are all available through Entrust.

3. Windows Basic Authentication-User ID and password. This is the most common, and typically the simplest, approach to identifying someone because it is fully software-based.

B. Strong Password Resolution

Make no mistake: An eight-character password could be very secure, even if attacked by today's high-speed computers. This method will soon be antiquated. Fortune 100 corporations, small firms and even Internet service providers with strong security have an Achilles heel; users who pick easily guessable passwords. Many who think themselves clever place a digit or two on the end of their chosen word. Such feeble attempts at deception are no match for today's computers, which are capable of trying millions of word variations per second and often can guess a good number of passwords in less than a minute. Richman must stay one step ahead and have a torn Achilles tendon no more

1. SFSP - Simple Formula for Strong Passwords
SFSP is a simple way for all users to grasp the idea of good password creation methods. This will be taught to all Richman users by corporate video training followed by password reset script for users to change their passwords to the new method. SFSP works on a three part method.

a. Input Rules are static procedures dictating where certain information is to be typed b. Secret Code is a static number that a user secretly chooses that is easy to remember. c. Memory Cue is a an easy to remember word the user secretly selects

2. This is an example of the new password method for Richman employees. You can make as many input rules as the company deems necessary. For this password example there are two rules. The static number is the first number before the rule changes the number. The memory cue is the easy to remember word.

a. R1 = Add doubling numbers in between each character of simple word, before, through and after
R2 = Insert the special character “*” (not including quotes) as the first and last character, as the last step in creating the password b. Secret Code number is 1 c. Memory Cue is internet d. New Password is *1i2n4t8e16n32e64t128* e. Memory Cue is oranges f. New Password is *1o2r4a8n16g32e64s128* C. Permissions and Rights (What they can do. . Which operations they can perform on a system.)
All users will be reviewed to insure they are set up correctly with their user rights and permissions. The Administrator will review and updates roles and objects to insure each user has the correct amount of rights and permissions. The Administrator will look at each object per role, and each permission can have one or more access rights associated with it. In addition, a Windows user or group can be associated with more than one role. By redefining roles and access rights, Richman can put the squeeze on security loop holes and give their employees and clean internet access and 99.999% continuity. III. Access Control (Which resources they can access.)
Access Control helps employers control activities that lower productivity. - Monitor Computer use. You can restrict activities that lead to the computer being unfairly monopolized. - It can even minimize the likely hood of getting infected by preventing access to potentially dangerous websites. Richman can protect itself by training our employees in internet user monitoring and filtering policy. In conjunction, we will start using Pearl Echo. Suite web filtering and internet control software to enforce the policy. A. Employee Internet Use Monitoring and Filtering Policy
1.0 Purpose The purpose of this policy is to define standards for systems that monitor and limit web use from any host within Richman Investments' network. We need to ensure employees use the Internet in a safe and responsible manner. Employees will be monitored to obtain details with incidents.
2.0 Scope
This policy applies to all Richman Investments' employees, contractors, vendors and agents with a Richman Investments owned or personally-owned computer or workstation connected to the Richman Investments' network. This policy applies to all end user initiated communications between Richman Investments' network and the Internet, including web browsing, instant messaging, file transfer, file sharing, and other standard and proprietary protocols. Server to Server communications, such as SMTP traffic, backups, automated data transfers or database communications are excluded from this policy.
3.0 Policy
3.1 Web Site Monitoring
The Information Technology Department shall monitor Internet use from all computers and devices connected to the corporate network. For all traffic the monitoring system must record the source IP Address, the date, the time, the protocol, and the destination site or server. Where possible, the system should record the User ID of the person or account initiating the traffic. Internet Use records must be preserved for 180 days.
3.2 Access to Web Site Monitoring Reports
General trending and activity reports will be made available to any employee as needed upon request to the Information Technology Department. Computer Security Incident Response Team (CSIRT) members may access all reports and data if necessary to respond to a security incident. Internet Use reports that identify specific users, sites, teams, or devices will only be made available to associates outside the CSIRT upon written or email request to Information Systems from a Human Resources Representative.
3.3 Internet Use Filtering System
The Information Technology Department shall block access to Internet websites and protocols that are deemed inappropriate for Richman Investments' corporate environment. The following protocols and categories of websites should be blocked:
• Adult/Sexually Explicit Material
• Advertisements & Pop-Ups
• Chat and Instant Messaging
• Gambling
• Hacking
• Illegal Drugs
• Intimate Apparel and Swimwear
• Peer to Peer File Sharing
• Personals and Dating
• Social Network Services
• SPAM, Phishing and Fraud
• Spyware
• Tasteless and Offensive Content
• Violence, Intolerance and Hate
• Web Based Email
3.4 Internet Use Filtering Rule Changes
The Information Technology Department shall periodically review and recommend changes to web and protocol filtering rules. Human Resources shall review these recommendations and decide if any changes are to be made. Changes to web and protocol filtering rules will be recorded in the Internet Use Monitoring and Filtering Policy.
3.5 Internet Use Filtering Exceptions
If a site is miss-categorized, employees may request the site be un-blocked by submitting a ticket to the Information Technology help desk. An IT employee will review the request and un-block the site if it is miss-categorized.
Employees may access blocked sites with permission if appropriate and necessary for business purposes. If an employee needs access to a site that is blocked and appropriately categorized, they must submit a request to their Human Resources representative. HR will present all approved exception requests to Information Technology in writing or by email. Information Technology will unblock that site or category for that associate only. Information Technology will track approved exceptions and report on them upon request.
3.0 Enforcement
The IT Security Officer will periodically review Internet use monitoring and filtering systems and processes to ensure they are in compliance with this policy. Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
4.0 Revision History 11/23/2007 – Draft Completed, Kevin Bong
Revision History04/18.2014 – Draft Completed, Jason Spitler
Revision History 03/18/2014-Drafted Completed, Jason Spitler

Created by or for the SANS Institute. Feel free to modify or use for your organization. If you have a policy to contribute, please send e-mail to stephen@sans.edu B. Pearl Echo. Suite web filtering and internet control software

Pearl Echo.Suite is an employee monitoring tool that can be used across multiple areas including e-mail, web surfing, file transfers, news resource access, instant messaging and chat. “Regardless of the needs of your company or organization, Pearl Echo.Suite will meet them whether for single or multiple locations as well as for the monitoring of roaming and mobile Internet users.”(3)

IV. Summary

By taking a three part approach to Internet Security within the user domain, Richman will define the standard of how a company’s internet maintains continuity. This document dictates the details the appropriate access control policies, standards, and procedures that define users within user domain; what they can do, which resources they can access, and which operations they can perform on a system.

References:
Entrust (2014),” Entrust Identityguard” Retrieved from: http://www.entrust.com/
Pearl Echo Software (2014).” Pearl Echo.Suite” Retrieved from: http://www.pearlsw.com/
SANS.ORG(2014),”Two Factor Authentication” Retrieved from: http://www.sans.org/reading-room
System Administration, Networking, and Security Institute or SANS.org (2001) “View Employee Internet Use Report (PDF)” retrieved from http://www.sans.org/security-resources/policies/internet.php