Richman Investments Risk Assessment Plan There are currently 5000 Employees at Richman Investments. There are 2000 computers spread out between the 7 locations across the United States and the one sight in Canada. After having a security audit I have come to realize there are many security risks at Richman. I will go over a few risks and hopefully from this presentation I will have the ability to start a companywide project to correct all of these risks.
List of Risks:
1. Wireless mice and keyboards
2. Bluetooth being enabled on Laptops
3. Wireless network signals reaching outside of buildings
4. Passwords Policies
5. No NAT between the internal and external networks.
6. Too many/the wrong people have admin rights.
7. Cell phones
8. Out of date security policy
9. Different types of computer programs
10. To many active directory forests
11. No policy on removal able media.

How to Handle the Risks of Wireless Devices A lot of employees will say they cannot work without their wireless keyboards and mice. This will probably be the hardest policy to enforce. Knowing what can happen from a simple wireless mouse and keyboard set up I do not think it would be wise to allow the use of these devices within Richman Investments. If an employee is using a certain wireless keyboard and mouse set there is a chance of someone else using the same type and being able to control their computer form up to a football field’s length away. When a key is pressed on the keyboard or a button is pressed on the mouse it is transmitted to the receiver through and RF (Radio Frequency) signal, a signal similar to that of a wireless network except a lot less secure. Data transmitted over a wireless network is automatically encrypted. The signal sent to a wireless peripheral receiver has little to no encryption on it. With the proper software a hacker could easily gain access to your network from that radio frequency. People will argue that the signal from wireless peripherals is too low for anyone farther away than 10 feet will not be able to gain access. In some cases this may be true but even if that is true not all hackers are people outside of the company. In this line of work I do not think we should chance it. The cost to replace all wireless devices with wired devices is going to be a lot less than the cost of repairing all the damage that one hacker can do to this system.

How to handle the risks of Bluetooth Devices When dealing with Bluetooth devices all the vulnerabilities that exist in a conventional wired network apply to this wireless technology. Most people do not think that the range of a cell phones Bluetooth device is wide enough to propose a security risk. This is not accurate. Hackers can gain access to all the data on your cell phone through that Bluetooth connection. They would have your entire contact list and if you have a smart phone with your email linked up to it then they will have access to all of your emails. Even if you do not think you have anything important in your email, to the right hacker that information is golden. On top of stealing all your information on your phone the hacker can also corrupt the data so that you will not be able to use it anymore. Also a lot of laptop computers have Bluetooth built into them. This works almost the same way as the cell phone Bluetooth except they will have access to your PC rather than your phone. Obviously you do not want a hacker roaming around your pc. If that PC is connected to a file server with the login name and password saved then they now have access to the entire file server and everything on it. The employee can just as easily use a wired headset to talk hands free. The bottom line is that Bluetooth devices are not safe and should not be used on any company cell phone.

How to handle wireless signals reaching outside buildings
Another issue that is very common is the range of the wireless signals broadcast from wireless routers. Most businesses need wireless access throughout their building. The problem is that terminating the wireless signal before it reaches outside the building is not a very easy process and is usually best discussed before the building is built. Almost any type of metal wall will terminate wireless signals. But unless metal sheets are put into the walls when the building was first built then ripping out walls in order to install metal sheets is not really an option. So in order to solve this problem we have to take in to account the range of the wireless signal and the strength of the password to get on the wireless network. We should not rely on what the router says is the max range of the wireless signal. The router should be deployed then have someone go just outside the building and test for the wireless signal. If the wireless signal can be picked up then the range on the router should be dialed back a step then tested again. If the signal is too weak inside the building then we will turn the router strength back up and discuss a STRONG password for the wireless network. This password should be at least 25 characters and should also be alphanumerical. This password should only be known by the IT department. If an employee has lost connection to the network then they will have to call IT to come and type in the password to get them back on. This is to prevent the password being written down on a sticky note and posted on some ones monitor or under the keyboard.

Password Policies Password Policies have to be put into place and ENFORCED. Passwords should expire every 90 days. The following is a example calculation done by www.hitachi-ID.com:
• Assumptions: o Encrypted passwords are not available to an attacker and consequently passwords can only be guessed at a rate of 100/second (this number is high / conservative for an over-the-network attack). o An attacker can make an unlimited number of guesses without being detected (this is easy to fix). o Passwords are changed, at most, every 90 days.
• Objective: the attacker's probability of success should be no more than 1%.
• Technical constraints: passwords may only contain lowercase letters, uppercase letters and digits.
• Calculation: o An attacker can make 90 x 24 x 60 x 60 x 100 = 777,600,000 guesses before a password will expire. o There should be 77,760,000,000 possible passwords -- about 8e10. o From the above table, a 7 character password is sufficient, so long as users don't pick easily guessed values (e.g., their name or a dictionary word).
When you think of someone guessing your password you tend to think of them sitting in front of your computer for hours trying to get it right. However, there is such a thing as a Brute Force attack which is when a person or a program just keeps trying different combinations until it gets one right. The hacker does not need to be anywhere near your computer. They can launch this attack remotely and still succeed.
NAT between Internal and External networks According to farpost.com “NAT (Network Address Translation) is the translation of an Internet Protocol address (IP address) used within one network to a different IP address known within another network. One network is designated the inside network and the other is the outside. Typically, a company maps its local inside network addresses to one or more global outside IP addresses and unmaps the global IP addresses on incoming packets back into local IP addresses”. Without NAT in place people who can get on the public network can also gain access to our network resources. Of course all of our network resources have passwords in place but that may not stop a dedicated hacker in time. Our main goal with this proposal is to secure our data in every way possible. In order to do that we must seal or prevent any security holes. This would be a huge hole in our security that can easily be fixed. It may require some additional hardware if the routers that are in place now do not have NAT then we will need to purchase some that do. We would need at least 1 router with NAT at each location in order to keep the our network away from the public view.