Note: This assignment wasn’t graded for accuracy, so some of the technical details might not be. Scenario prompt not included.
The company’s external website will require HTTP over TLS to create the most secure system over which paying customers can initiate transactions. If not by best practice, the company may by law need PCI DSS implementation for its payment system. Network-based firewall configurations must whitelist traffic for customer payment data and payment vendor services necessary to initiate, process, and finalize transactions.
A NIDS machine must be connected to the company switch and port mirroring must be enabled. The system can issue an alert if the network, for example, suspects a threat between:
If so, a corresponding NIPS system will terminate transmission of those sensitive data packets – which may contain stored customer data and more. Aside from customers, team members may authenticate against a RADIUS server for access to the company’s intranet. For secure-yet-remote access, engineering employees can connect to the same intranet via a VPN authenticated against the same RADIUS server. If using a reverse proxy, they may authenticate, in part, with TLS client certificates. For purposes of network monitoring and auditing, a VLAN network can be applied to both tunneled traffic (engineering team) and non-tunneled traffic (all other team members). Whether roaming users (engineers) or mobile users (all other employees), the wireless connection should implement 802.1x with EAP-TLS for the strongest level of encryption given that the requisite RADIUS server is deployed. For access to the intranet by devices, network-based firewall configurations can authorize whitelisting of employee laptops and other machines via MAC address. In addition to approved devices, network-based firewalls must whitelist only those services that team members use actively. To minimize the company network’s attack surface, it’s important that services or applications not in active use be disabled. Employee laptops must enable an automatic screen-locking mechanism to prevent unlogged access to the hardware. Each laptop must have FDE to prevent data theft or tampering if the device is lost, stolen, or decommissioned. Further, a Key Escrow is recommended for data recovery of the hard drive if the FDE encryption key or password is forgotten. It’s assumed that all employee laptops have host-based firewalls by way of their operating system.
Jubalyn ExWilliams lives in Pennsylvania (United States). You can find her writings and commentaries, including "Cybersecurity: final project," at landturn.com/blog.
Related: Cybersecurity (Quiz)
Related: Cybersecurity 3 (Notes) Related: Making sense of the encryption algorithm in cybersecurity (2021) Related: No, your IP address isn't private info (2021) Related: "Cybersecurity & Cyberwar" (2020)
0 Comments
Leave a Reply. |
Archives
January 2024
|