TASK 3 notes
A centralised system to manage user identities and access. This can be compramised by simply implementing user access levels and group policy which will allow control accesss and user behaviour to be monitored.
A more suitable routing and secuirity solution. This can be fixed by replacing the current SOHO router with a more suitbale and security solution such as bussiness-grade router which would include features such as; VLAN support, DPI (Deep packet Inspection), IDS/IPS, and redundant WAN connections.
Protect costumer data from any access point, this is important as they require to comply to legislation and regualtions. They could store sensitive data on secure file servers or cloud platforms such as OneDrive which are secured by third parties. They could also use MFA to athunticate the user and enforce RBAC and least privilege policies.
Replace VPN with a simpler, secure solution was one of the requirments which could be achieved by simply shift to a cloud environment such as OneDrive which will allow file and data access for hybrid users over the internet as well making sure that all data is kept secure.
Replace NAS with secure storage could also considered. This would mean that the business fully migrated to cloud storage for scalability, access control, and backups. However, I would also recommened a sort of file server where all confidental data would be stored and backed up safely.
Improved auduting of network access and activity would enhance visibility and logging. By centralizing logs for firewalls, NAS, servers, and endpoints.
It is required to have strong endpoint and network protection, therefore I suggest the company to segmnet the network using VLANs, install endpoint detection and response (EDR), and enable full-disk encryption to enhance overall security over the sensitive data.
At the moment users are able to download unapproved software at will. This can be seen as a threat to the network as it may contain malicious malware, therefore use of group policy will lockdown local admin rights and enforce application allowlisting.
By scheduling regular IT onboarding and security awareness training it will smoothen transition and user adaptation for new users and help grasp awerness on content such as new threats and security managment techquinques so that they can be aware of new threats as AI is evolving.
| Action | Service | Protocol | Source Address | Destination Address | Port | Notes |
|---|---|---|---|---|---|---|
| Allow – inbound | HTTP | TCP | 192.168.1.1 – 192.168.1.200 | 192.168.1.100 | 80 | Restricted to known web server only |
| Allow – outbound | HTTP | TCP | 192.168.1.1 – 192.168.1.200 | Any | 80 | |
| Allow – inbound | HTTPS | TCP | 192.168.1.1 – 192.168.1.200 | 192.168.1.100 | 443 | Secure traffic to web server only |
| Allow – outbound | HTTPS | TCP | 192.168.1.1 – 192.168.1.200 | Any | 443 | |
| Allow – inbound | IMAP | TCP | 192.168.1.1 – 192.168.1.200 | mail.server.local | 143 | Limit to specific mail server |
| Allow – outbound | IMAP | TCP | 192.168.1.1 – 192.168.1.200 | mail.server.local | 143 | |
| Allow – inbound | SMTP | TCP | 192.168.1.1 – 192.168.1.200 | mail.server.local | 25 | Limit SMTP usage to internal mail server |
| Allow – outbound | SMTP | TCP | 192.168.1.1 – 192.168.1.200 | mail.server.local | 25 | |
| Allow – inbound | SMB | TCP | 192.168.1.251 | 192.168.1.253 | 139/445 | Keep limited SMB access for specific systems only |
| Allow – outbound | SMB | TCP | 192.168.1.251 | 192.168.1.253 | 139/445 | |
| Deny – inbound | SMB | TCP | 192.168.1.1 – 192.168.1.200 | 192.168.1.253 | 139/445 | Deny all other SMB access to protect shared files |
| Deny – outbound | SMB | TCP | 192.168.1.1 – 192.168.1.200 | 192.168.1.253 | 139/445 |
One of the major security risks currently faced by NexaTech IT Solutions is the use of shared administrator logins. As outlined in Control Document D, all users have access to shared administrative accounts, which allows them to access and modify any data on the network. This poses significant security concerns. For instance, it eliminates accountability since it is impossible to trace actions back to individual users. Furthermore, malicious employees could exploit these privileges to access or manipulate sensitive data, potentially leading to data breaches. Such breaches would violate data protection laws including the General Data Protection Regulation (GDPR) and the Data Protection Act (DPA), which emphasize the principles of integrity, confidentiality, and accountability. Failure to comply with these regulations could lead to heavy fines, legal action, reputational damage, loss of clients, and diminished stakeholder trust. To mitigate this risk, it is essential to introduce user access levels by implementing role-based access control (RBAC). This approach restricts users to only the data and systems necessary for their job roles, ensuring that administrator accounts are secured with strong, regularly updated passwords and multi-factor authentication. Implementing Role-Based Access Control, however, presents its own challenges. As the company grows and new job roles emerge, the number of roles may increase dramatically, potentially leading to role explosion. Poorly designed roles can result in excessive permissions being granted, increasing the risk of unauthorized actions such as the installation of unapproved software or malware infections that could compromise the network. To address these challenges, it is critical to carefully define roles based on a thorough analysis of job functions and business needs. Permissions should be assigned following the principle of least privilege, granting users only the access necessary to perform their tasks. Assigning users to roles or groups simplifies management and enhances security. Regular audits of access rights are necessary to ensure permissions remain appropriate and to detect any unauthorized access promptly. When transitioning from the current system to the proposed RBAC framework, the company should carefully consider the implementation method. A direct cutover, while fast and inexpensive, carries high risk if issues arise, potentially disrupting business operations. A pilot approach, where the new system is tested with a small user group or department, offers the advantage of identifying and resolving issues before full deployment, minimizing disruption. Parallel running of both old and new systems reduces risk by allowing side-by-side comparison and user training, but it is resource-intensive. Phased implementation, introducing modules gradually, provides controlled change management and allows issues to be addressed step-by-step. For NexaTech, a pilot implementation is recommended, as it balances risk reduction and resource use effectively. The pilot should occur during a period of low activity, such as a non-working day, to minimize impact. This approach will allow the company to test the RBAC system’s components and address any issues before wider rollout.
Insider threats pose a significant risk to NexaTech IT Solutions due to the high level of access currently granted to employees through shared administrative accounts and weak access controls. An insider, whether intentionally malicious or unintentionally negligent, can exploit these privileges to steal, manipulate, or leak sensitive company and customer data. Such breaches not only compromise the integrity and confidentiality of information but also put the company at risk of severe legal and financial penalties under regulations like GDPR and the Data Protection Act. Additionally, insider threats can result in reputational damage and loss of customer trust, which may have long-term impacts on business viability. To mitigate these risks, NexaTech should implement strict access controls using role-based access control (RBAC), ensuring users have only the permissions necessary to perform their job functions, which limits the potential damage caused by insiders. Continuous monitoring and auditing of user activity through security information and event management (SIEM) tools will help detect unusual or unauthorized behavior promptly. Furthermore, enforcing multi-factor authentication (MFA) and unique user accounts increases accountability and reduces the risk of compromised credentials being used. Regular staff training on security awareness, data protection policies, and the consequences of insider threats will cultivate a culture of security mindfulness. Lastly, implementing clear disciplinary procedures for policy violations will deter intentional misuse of access.
As NexaTech IT Solutions transitions its infrastructure to cloud services such as Microsoft 365 or AWS, the risk of misconfigured access controls and permissions increases significantly. Incorrectly configured Identity and Access Management (IAM) settings can lead to unauthorized users gaining access to sensitive corporate or customer data. This may result from overly permissive roles, failure to enforce the principle of least privilege, or lack of proper monitoring, all of which increase the likelihood of data breaches. Such vulnerabilities can expose the company to compliance violations under GDPR and other data protection regulations, which mandate strict control over personal and sensitive information. To mitigate this risk, NexaTech should implement a robust IAM framework that enforces role-based access control (RBAC) combined with the principle of least privilege, ensuring users only have access necessary for their roles. Enabling multi-factor authentication (MFA) across all cloud accounts will add an extra layer of security against credential compromise. Additionally, the company should regularly audit cloud access logs and permissions to detect and remediate any anomalies promptly. Leveraging cloud-native security tools such as Microsoft Secure Score or AWS IAM Access Analyzer can assist in identifying and correcting misconfigurations, ensuring continuous compliance and minimizing exposure.
Comments
Post a Comment