Rare vintage auto spares limited company raised concerns by the management and owner to address network related limitations to full functioning capabilities of the company. The network issues raised included failure to provide a smooth communication between the company offices situated at different locations in the city leading to numerous data losses, failed purchases and deliveries and reduced revenues due to a drop in normal business activities. The issues peaked with the dismissal of the network’s IT administrator who was described as rude and would access illicit content via the network system. The network failed and was not serviceable after the dismissal with replacement of a non-expert in the IT administrator docket, Miller et al (2012).
This report addresses therefore, the identified and analysed risks generated from the network vulnerability to external malicious individuals. The network threats and vulnerabilities derived from the poor networking security practices in the company have been assessed using the risk matrix and mitigations documented. In this report, the following will therefore be addressed circumstantially using the risk assessment matrix: poor data encryption mechanism, antenna types with a very high power gains and mixed network data cards, Thomson, G. (2012).
Data collection was conducted to collect data and analyse the network security system and provide solutions to the identified risks. The following methods were applied:
In-depth interviews: 27 employees participated in the data collection process. From a random sample, the participants were asked to provide their feelings, opinions and knowledge about the company’s network system in terms of access, usage, coverage, strength, speed and security, Song, Y. (2014).
Network security testing: a thorough static, dynamic and live testing procedures were conducted on the network to determine the vulnerabilities in the code and running mode and a vulnerability report was generated, Gollakota, S., & Katabi, D. (2011, April).
Secondary sources of data: the files in the storage facility of the company including deployment files, tender files and employee files were analysed for data the network system, usage, privileges and authenticity, Zou et al (2016).
Participatory observation: directly involved in the activities of the selected employees observing, taking notes, asking questions and attempting network procedures during the operations of the company daily activities.
Network and system failure.
Poor network performance.
Network misuse by the employees.
High cost in running and maintain network.
Theft, destruction of network components.
More power consumption in network operations.
The wireless network of the company broadcasts its service set identifier allowing external users in the public to be able to detect the network and connect to it. The routers send the connection capability of the network through the network beacon frames, Thomson, G. (2012). Compounded by the poor encryption used to secure the wireless network, third party individuals with malicious intentions are able to connect to the network and interfere with the normal functioning of the network through activities such as networking communication breakdown through tampering with the network’s SDN. Mesh topology is employed here as below.
The network’s service set identifier should be set to hidden in the network set up and configuration. In the process, to enable the employees connect to the network, the company devices such as computers and billing machines or the employees’ personal devices to be configured with the network prior to connection and access. This will minimize the unauthorized access from third party hackers, Song, Y. (2014).
The company’s wireless network apart from broadcasting the SSID, is configured to personal mode with a dynamic host configuration protocol that allows the employees and other users connect to the network by using a paraphrase and the network settings are stored on their devices, López, J., & Zhou, J. (2008). This exposes the wireless network to unauthorized access by malicious third party persons when they can use the employee devices when the devices are stolen or lost.
The network configuration protocol should not be set to dynamic to disable the access by third party individuals or attackers, Song, Y. (2014).
The wireless Wi-Fi network should be set to enterprise mode to allow the employees seek configuration from the network administrators to be able to access the network to prevent attackers and also monitor network activity while enforcing privileges.
The company uses the Wired Equivalent Privacy to encrypt the wireless network that provides a very basic security level that can be found in the wired networks. This type of encryption is very weak in terms of the keys generated to provide for authentication and therefore allows for man-in-the-middle to eavesdrop on the data being transmitted through a packet sniffing vulnerability. In the WEP encryption used by the company to secure the network, the resulting WI-FI is vulnerable in that it uses the RC4 cypher engine that uses a repetitive mechanism to generate encryption keys in 40 bits that can be easily hacked. Additionally, through network exploitation tools freely found in the dark web, the data traffic transmitted within the network can be analysed using the data generated passively from the network that can be analysed to determine the encryption keys used in the network.
The company should configure the network routers after purchase with the latest network security features out of the box.
The latest data and network cypher protocols should be implemented such as use of WPA and WPA2 to enable stronger encryption and authentication during data transmission or network log in.
The company deployed the network system with a different set of antennas to generate, transmit or receive the signals. The antennas are a 16dBi Omni-directional antenna and 6dBi. These are two antennas. The transmitter, generates and transmits signals at 16dBi in the 360 degrees’ plane in all directions for the receivers to pick the signals. However, the receivers with a 6dBi signal capability, receives very poor signals from the transmitter and thus the communication breakdown experienced in the company, Scarfo, A. (2012, November). Additionally, the antennas are widely spaced from each other with the average distance between the transmitter and the receiver large enough to allow signal distortion, interference and blockage along the way.
The company should budget for and purchase new hardware of antennas that have a similarity in the power gains, transmission frequencies and wavelength and with effective signal strengths in terms of transmission and receiving to enable proper communication.
The transmitters installed should be uni-directional, sending the signals in a single direction towards the receiver to enable signal concentration and efficient communication, Scarfo, A. (2012, November).
A direct access line between the transmitters and receivers should be established to reduce interference of the wireless signals by buildings, structures and tress.
Wi-Fi systems are designed to increase their signal strengths by consuming more power, this phenomenon is called power gains to reduce the interference or coverage. In the office layout of the Rare Vintage Auto Spare limited, there is very high interference and therefore the administrator deployed a system with a very high gain to increase the signal strength transmitted to the receivers. However, despite the increase in power consumption to increase the signal strengths, the Wi-Fi coverage reduces, Scarfo, A. (2012, November). Additionally, since the transmitter and access points are running on high power gains, the receivers are maintained at low power gains. This results in a stronger signals enabling all the peripheral devices acting as receivers get connected to the access point. However, the devices acing as receivers are able to push data through the network back to the access point to be directed to other components of the network such as the servers or other peer devices. In such circumstances, the network signal is recorded as excellent while there is no communication between the connected devices because of the high power gains of the transmitter as compared to the low power gains in the receivers.
The company, Rare Vintage Auto Spares limited should deploy access with suitable power gains that is equal to the receiver’s power gains in the ranges of approximately 25-50Mw, Lashkari et al (2008).
To reduce the number of access points in the geographical area within which the Rare Vintage Auto Spares limited offices are located, low power gain access points should be used to increase coverage while maintaining an effective wireless network strength that enables communication and data transfer.
The company (Rare Vintage Auto Parts Ltd) is founded on the infrastructure of using the internet to provide for communication and enable smooth flow of business, increasing employee throughput and productivity. The internet is the primary pillar linking the company offices, billing machines and employee devices to the management and main server. The application of the internet is advantageous, however, exposes the company to the public and other internet users including individuals with malicious intentions such as hackers and attackers.
The company uses only an antivirus to protect the network system and therefore the system is exposed to multiple vulnerabilities and threats such as spyware and ransomware due to lack of a firewall and VPN. Due to the lack of a firewall mechanism and VPN to protect the network against unauthorized access, the network, with its broadcasted SSID is very vulnerable from remote attacks. As a company network, using the wireless network as a public internet access medium exposes the company’s system to attackers and hackers. The lack of a virtual private network does not provide the company’s network system with the additional advantages of data encryption in secure tunnel of communication thus protecting the data from spoofing and eavesdropping.
A network firewall should be established to protect the network from unauthorized access by online users from within the company or the remote users by controlling the authentication and permissions granted to the users of the network.
A virtual private network should be configured with the tunnelling security protocol and layer forwarding in the network to enable secure authenticated communications and data transfers between any connected devices on the network.
In order to provide additional security to the network, third party subscription services with intrusion detection should be installed, configured and deployed to monitor and alert the administrators for any suspicious activities or traffic. The detection system can be advanced to provide additional security through blocking suspicions and malicious IP addresses.
Intrusion prevention systems should be sourced for to compliment installed and implemented security protocols to offer outright security in case of malicious intrusion by monitoring traffic and IP addresses, blocking the identified threats and generating the logs and attack reports for future security additions.
In the Rare Vintage Auto Parts Ltd company, all the connected devices use a similar infrastructure subnet to connect to the network and transfer data. In such a configuration, the network traffic becomes too slow and performance reduces. In this deployed network design and system, the same data packet is shared to all the connected devices on the subnet with an entry point on the network regardless of whether the device needs or does not need the data packet. The device spamming of the network subnet reduces the performance of the network and the connected devices. Due to the network operating on the same subnet, the devices connected congest the network with data packets and different identification addresses reducing the efficiency of the network with regards to speed, traffic monitoring and security.
Unique IP addresses specific to the company should be assigned to the connected devices to identify the devices and therefore provide an easier mechanism for data routing, monitoring of traffic and security.
The network addresses and domain should be divided into subnets in terms of address and masks using a 32-bit key system to identify the host and other network parts for effective data routing to only the network component that requested for a particular set of data.
The connected devices on the network with entry points should each be configured and assigned to different subnets of the network to reduce congestion, network lagging and increase the performance in terms of speed.
The function of a designated router is to form a channel source for all the network traffic and system updates. The designated router defines the network topology and establishes a slave-master relationship with all the other routers to control the direction of the data being transmitted within the network and reduce network “confusion”. In the case that the designated router breaks down, the backup router performs the functions of the designated router and ensure continuous network performance before repairs. In the network system deployed by the Rare Vintage Auto Parts Ltd IT stuff, the network has no described designated router nor backup router and therefore the data traffic is not controlled leading to communication failure. Additionally, the network is not serviceable because the network update could not be send without a designated router.
A multi-access network links should be deployed with an advertisement functionality for network control in order to reduce the data traffic generated.
As an OSPF multi-access wireless network, two routers should be identified as designated and backup routers using the IP addresses with the designated router having the highest IP number on the network configuration. With this network design and topology, the designated router generates link data packets transmitted within the network in a slave-master connection protocol to utilize the sync link-state databases and ensure efficient performance.
- The network was deployed using mixed network cards with different standards.
Although the different network card standards of 802.11b and 802.11g can be easily applied and deployed on the same network, the slower performance and outdated encryption of the 802.11b standard will reduce the efficiency of the latest standard 802.11g to allow connection. In the deployed wireless system of Rare Vintage Auto Parts Ltd the performance and encryption of the 802.11b standards are used and hence the slow data transfer rates with poor security of the system. For a short-term goal to save the budget, the mixing of card standards works fine but the long-term benefits are extremely diminished.
For the long-term benefits of efficient data transfer, a more secure system and increased speed of the network, all the data card standards should be upgraded to 802.11g. Despite the 802.11b network standard being cheaper, the short-term benefits should be overlooked.
- The company has no data backup mechanism and recovery system.
The company is not prepared in the event of data losses with a proper data backup and recovery plan. The data is vulnerable to many data losses ways such as ransomware, spyware, viruses, server outages, accidental and intentional deletion of data and network crash. Even though eliminating the backup and recovery plan during project design cuts down the budget, it becomes a very risky move.
A backup system should be installed with a standalone backup server for storage of the company data.
A disaster recovery program should be designed and deployed in preparedness for unfortunate events involving data losses.
- Rare Vintage Auto Parts Ltd has not provided its management and employees a network security policy and guidelines.
The company lacks a nicely documented network usage and management policy. The policies are written to guide the employees on how the network should be used with the privileges allowed. The security protocols should be easy to understand and enforce. In order to protect the company’s data and network components, Rare Vintage Auto Parts Ltd needs to document a security policy to guide its employees. The security policy documents the rights of the employees with regard to how they use the network, the benefits, acceptable use of the computers, internet access, passwords and data stored and transmitted within the network system. Furthermore, the policy documents the response in the event of attacks, data losses and unacceptable use of the network and network components, Bulbul et al (2008).
Rare Vintage Auto Parts Ltd should document policies, principles and guidelines describing the rights, rules, laws and procedures expected from their employees in terms on network usage for business purposes only, Wright, J., & Cache, J. (2015). The policies ought to be updated regularly directed towards the latest trends in networking modalities. Moreover, employee training and security awareness programs should be performed concerning the security procedures and protocols.
Deployment Of Appropriate Software And Hardware.
- Rare Vintage Auto Parts Ltd should purchase and deploy Cisco Unified Threat Management Systems.
Third party companies provide networking services and secure systems through unified threat management systems hardware appliances that provide several network security features at a subscription service and payment structure to enable from to medium to large enterprises be able to acquire the services and thus secure their systems, Swan & McKinney (2012).
Considering the company size, revenue generated, security requirements and vendor provisions, Cisco unified threat management systems are suggested to the management of Rare Vintage Auto Parts Ltd to provide security features.
The Cisco UTM appliances have the following advantages over the other vendors:
Provides the basic security features, firewall, application control, URL filtering, intrusion prevention and email security with anti-spam.
A high network and firewall performance with a data throughput of 1.2Gbps on average with up to 200 users connected.
The Cisco UTM appliances are ready out of the box packaged with software for ease deployment and use.
The appliance provided by the vendor is cheaper and offers a value for money package.
- Microsoft azure cloud computing services.
Cloud computing is the future of business by providing services that fulfil the long-term goals and objectives of the Rare Vintage Auto Parts Ltd company in terms of securing the wireless network and increasing performance while reducing expenditure on the cost of ownership of computing and networking systems, Ghosh et al (2013).
Microsoft azure provides online cloud computing services with three different platforms at a subscription based payment system that allows the client (Rare Vintage Auto Parts Ltd) to only pay for the resources utilized in a pre-pay or post-pay structure.
The Microsoft azure has the following advantages:
Provides highly scalable software as a service, platform as a service or infrastructure as a service cloud computing services and big data analytics that will increase the productivity and throughput of the employees, Swan & McKinney (2012).
Reduces the costs of acquiring and running new technology such as the total cost of ownership and the required cost for employment of IT stuff since the vendor provides the technicians.
The subscription based payment model is allowing for cheaper use of computing services as the company will only pay for the services used.
This written agreement puts forward procedures, laws and policies governing employees who work at Rare Vintage Auto Parts Limited. These laws dictate how the company’s network use, its components, personal computers and mobile devices owned by private individuals. This covenant/agreement serves the purpose of providing security and integrity to the infrastructure and data at the company (Swan &McKinney, 2012).
The company (Rare Vintage Auto Parts limited) vows to respect the privacy and confidentiality of the employees’ data. Information stored in the employees’ personal devices shall not therefore be tampered with, accessed or used for other purposes without their consent. The employees are expected to avail their devices to the company for the security controls to be implemented. Employees are also expected to provide evidence emanating from criminal, administrative or civil proceedings.
The company (Rare Vintage Auto Parts limited) in the BYOD policy stipulates that the endorsed use of devices of employees while connected to the network of the company or at the work-place as activities that support the missions, goals and objectives of Rare Vintage Auto Parts Ltd. Such practices/activities include: accessing and viewing company resources, for example, emails, calendars, communication documents, for instance, memos, and contacts.
Employees are expected by the company to limitedly use their personal devices while just at work, unless an urgent need for communication arises but not for:
- Chatting and texting on social media podiums. This includes drivers and office employees.
- Downloading, online streaming or illicit content sharing
- Sharing or storing data belonging to the company in any form
- Participating or running external businesses.
- Emotionally, sexually or physically molesting other company employees.
All mobile devices and personal computers are supported by the company. For example, iPhones, Laptops and android phones. For the devices to connect to the company network, the device connection settings are only input by the IT administrator of the company network. These settings include: employee profile creation on the network, configurations of standard applications and device Wi-Fi configuration on the network with login credentials, Swan & McKinney (2012).
The following are the recommendations by the company concerning employees’ personal devices, laptops and other computers configured to connect to the company’s network.
- Each device has to be protected with a very strong key/password. the password must have a length of at least 6 characters, consisting of both letters and digits. The device must automatically lock itself after 5 idle minutes.
- The network’s credentials must be changed or upgraded often hence devices will be reconfigured every three months. New devices will also be submitted by the employees for configuration.
- Android mobile devices that have been rooted will not allowed to be configured or connect to the network, whether the devices will be operating on a custom third party firmware or any other custom firmware.
- IPhones and iPads that have been jailbroken will not be accepted.
- Access to the company by the employees is not allowed. Permission for special access will be required. This permission can be given by the management.
- From the network, an employee’s device can be remotely wiped clean under the following conditions:
- Mutually or otherwise, the employee and the company agree and decide to terminate the employment contract or the company decides to dismiss the employee.
- Detection of an abnormal behavior or malicious acts from an employee’s device by the intrusion detection system of the IT department; behavior that appears to threaten data or the company’s network.
- If the employee’s device is lost, sold to another unauthorized third party, stolen or is in the hands of a non-employee of the company.
Employees’ have the responsibility to ensure data on their devices is backed up and the company takes no liability in case a device belonging to an employee is wiped remotely.
The company reserves the right to temporarily or permanently disconnect or deny an employee’s access to the network without any prior notification , Morrow, B. (2012).
The employee has the responsibility to notify the mobile phone network on which the phone operates and the company within twenty-four hours in the event that his/ her mobile phone is sold, stolen or lost, Morrow, B. (2012). Failure to do this shall make the employee answerable to any third party malicious acts or attacks to the company network.
All employees take responsibility for attacks to the company network emanating from use of their assigned devices when they are connected to the network, for example, malware, viruses, intentional or accidental deletion of part or entire company database.
All employees from all ranks are expected by the company to utilize their devices and network resources in a manner that is ethical and adhere to the BYOD policy of the company. They will also be liable for the costs of their devices at individual levels.
The company reserve exclusive rights to inflict reasonable disciplinary action to the human resources of the company right from the top executives to the lowest employees on the hierarchy in case of non-adherent to the regulations guarding the company network, for example, by termination of contracts of employment and payment of fines.
I have read and understood, and therefore, am in acceptance that I will, at all times, comply with the BYOD regulations and security regulations of the company. In any situation where my daily company activities increase the service costs of my personal plan, the company is not obligated to provide reinbursements.
Miller, K. W., Voas, J., & Hurlburt, G. F. (2012). BYOD: Security and privacy considerations. It Professional, 14(5), 53-55.
Thomson, G. (2012). BYOD: enabling the chaos. Network Security, 2012(2), 5-8.
Morrow, B. (2012). BYOD security challenges: control and protect your most sensitive data. Network Security, 2012(12), 5-8.
Song, Y. (2014). “Bring Your Own Device (BYOD)” for seamless science inquiry in a primary school. Computers & Education, 74, 50-60.
Scarfo, A. (2012, November). New security perspectives around BYOD. In Broadband, Wireless Computing, Communication and Applications (BWCCA), 2012 Seventh International Conference on (pp. 446-451). IEEE.
Ghosh, A., Gajar, P. K., & Rai, S. (2013). Bring your own device (BYOD): Security risks and mitigating strategies. International Journal of Global Research in Computer Science (UGC Approved Journal), 4(4), 62-70.
López, J., & Zhou, J. (Eds.). (2008). Wireless sensor network security (Vol. 1). Ios Press.
Lashkari, A.H., Danesh, M.M.S. and Samadi, B., (2009, August). A survey on wireless security protocols (WEP, WPA and WPA2/802.11 i). In Computer Science and Information Technology, 2009. ICCSIT 2009. 2nd IEEE International Conference on (pp. 48-52). IEEE.
Wright, J., & Cache, J. (2015). Hacking exposed wireless: wireless security secrets & solutions. McGraw-Hill Education Group.
Gollakota, S., & Katabi, D. (2011, April). Physical layer wireless security made fast and channel independent. In INFOCOM, 2011 Proceedings IEEE (pp. 1125-1133). IEEE.
Zou, Y., Zhu, J., Wang, X., & Hanzo, L. (2016). A survey on wireless security: Technical challenges, recent advances, and future trends. Proceedings of the IEEE, 104(9), 1727-1765.
Bulbul, H. I., Batmaz, I., & Ozel, M. (2008, January). Wireless network security: comparison of wep (wired equivalent privacy) mechanism, wpa (wi-fi protected access) and rsn (robust security network) security protocols. In Proceedings of the 1st international conference on Forensic applications and techniques in telecommunications, information, and multimedia and workshop (p. 9). ICST (Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering).
Jacobsen, S. C., Markus, D. T., & Pensel, R. W. (2010). U.S. Patent No. 7,787,939. Washington, DC: U.S. Patent and Trademark Office.
Van, D. N., Bui, T. T. X., & Tesfalidet, S. (2008). The transformation of phenyltin species during sample preparation of biological tissues using multi-isotope spike SSID-GC-ICPMS. Analytical and bioanalytical chemistry, 392(4), 737-747.
Bestermann, J. (2013). U.S. Patent No. 8,412,942. Washington, DC: U.S. Patent and Trademark Office.
Won, S. Y. (2013). U.S. Patent No. 8,509,199. Washington, DC: U.S. Patent and Trademark Office.
Jacobsen, S. C., & Wells, D. L. (2013). U.S. Patent No. 8,614,768. Washington, DC: U.S. Patent and Trademark Office.