Creating a Company Culture for Security – Design Document
Overview: Now that you’re super knowledgeable about security, let’s put your newfound know-how to the test. You may find yourself in a tech role someday, where you need to design and influence a culture of security within an organization. This project is your opportunity to practice these important skillsets.
Assignment: In this project, you’ll create a security infrastructure design document for a fictional organization. The security services and tools you describe in the document must be able to meet the needs of the organization. Your work will be evaluated according to how well you met the organization’s requirements.
About the organization: This fictional organization has a small, but growing, employee base, with 50 employees in one small office. The company is an online retailer of the world’s finest artisanal, hand-crafted widgets. They’ve hired you on as a security consultant to help bring their operations into better shape.
Organization requirements: As the security consultant, the company needs you to add security measures to the following systems:
- An external website permitting users to browse and purchase widgets
- An internal intranet website for employees to use
- Secure remote access for engineering employees
- Reasonable, basic firewall rules
- Wireless coverage in the office
- Reasonably secure configurations for laptops
Since this is a retail company that will be handling customer payment data, the organization would like to be extra cautious about privacy. They don’t want customer information falling into the hands of an attacker due to malware infections or lost devices.
Engineers will require access to internal websites, along with remote, command line access to their workstations.
Grading: This is a required assignment for the module.
What you’ll do: You’ll create a security infrastructure design document for a fictional organization. Your plan needs to meet the organization’s requirements and the following elements should be incorporated into your plan:
- Authentication system
- External website security
- Internal website security
- Remote access solution
- Firewall and basic rules recommendations
- Wireless security
- VLAN configuration recommendations
- Laptop security configuration
- Application policy recommendations
- Security and privacy policy recommendations
- Intrusion detection or prevention for systems containing customer data
The Correct Answer and Explanation is:
Security Infrastructure Design Document for Artisanal Widgets Retailer
1. Authentication System
Implement a robust authentication system using multi-factor authentication (MFA) for both internal and external access. Employees will use a combination of passwords and a time-based one-time password (TOTP) application for secure access to the intranet and internal resources.
2. External Website Security
The external website must be secured using HTTPS with a valid SSL/TLS certificate to encrypt data in transit. Web Application Firewalls (WAF) should be employed to protect against common web vulnerabilities, such as SQL injection and cross-site scripting (XSS). Regular security assessments and penetration testing will help identify and mitigate vulnerabilities.
3. Internal Website Security
The internal website should be hosted behind a secure network perimeter. Access control lists (ACLs) will limit access to authorized personnel only, and role-based access control (RBAC) will be implemented to ensure employees have access only to the resources necessary for their roles. Regular updates and patch management are essential.
4. Remote Access Solution
For secure remote access, a Virtual Private Network (VPN) should be implemented, allowing engineers to access the internal network securely. The VPN will use strong encryption protocols, such as OpenVPN or IPsec, and require MFA for additional security.
5. Firewall and Basic Rules Recommendations
Implement a firewall with basic rules to restrict inbound and outbound traffic. The firewall should block all unsolicited inbound traffic and allow only specific protocols necessary for business operations, such as HTTP(S), FTP, and VPN connections.
6. Wireless Security
Wireless access points must use WPA3 encryption to secure wireless communications. A separate guest network should be configured to isolate guest users from internal resources. Network monitoring tools should be implemented to detect unauthorized access.
7. VLAN Configuration Recommendations
Segment the network using Virtual Local Area Networks (VLANs) to separate user groups (e.g., employees, guests, servers). This segmentation will help reduce the attack surface and contain potential breaches.
8. Laptop Security Configuration
Laptops should be configured with full disk encryption, using tools such as BitLocker for Windows or FileVault for macOS, to protect data in case of loss or theft. Antivirus and anti-malware solutions should be installed and regularly updated, along with firewalls configured on all devices.
9. Application Policy Recommendations
Establish application whitelisting policies to restrict the installation of unauthorized software. Regular vulnerability scanning of applications should be conducted to identify and mitigate potential risks.
10. Security and Privacy Policy Recommendations
Create comprehensive security and privacy policies, including data protection guidelines, incident response protocols, and employee training on security best practices. Regular training sessions will enhance employee awareness of security threats and response protocols.
11. Intrusion Detection or Prevention
Deploy an Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) to monitor network traffic for suspicious activity, especially on systems containing customer data. These systems will help detect and respond to potential breaches promptly.
Conclusion
Implementing this security infrastructure design will enhance the overall security posture of the artisanal widget retailer, protecting customer payment data and ensuring a secure environment for both employees and customers. Regular audits and updates will be essential to maintaining the effectiveness of these security measures.