TASK 3 notes

A centralised system to manage user identities and access. This can be compramised by simply implementing user access levels and group policy which will allow control accesss and user behaviour to be monitored.

A more suitable routing and secuirity solution. This can be fixed by replacing the current SOHO router with a more suitbale and security solution such as bussiness-grade router which would include features such as; VLAN support, DPI (Deep packet Inspection), IDS/IPS, and redundant WAN connections.

Protect costumer data from any access point, this is important as they require to comply to legislation and regualtions. They could store sensitive data on secure file servers or cloud platforms such as OneDrive which are secured by third parties. They could also use MFA to athunticate the user and enforce RBAC and least privilege policies.

Replace VPN with a simpler, secure solution was one of the requirments which could be achieved by simply shift to a cloud environment such as OneDrive which will allow file and data access for hybrid users over the internet as well making sure that all data is kept secure.

Replace NAS with secure storage could also considered. This would mean that the business fully migrated to cloud storage for scalability, access control, and backups. However, I would also recommened a sort of file server where all confidental data would be stored and backed up safely.

Improved auduting of network access and activity would enhance visibility and logging. By centralizing logs for firewalls, NAS, servers, and endpoints.

It is required to have strong endpoint and network protection, therefore I suggest the company to segmnet the network using VLANs, install endpoint detection and response (EDR), and enable full-disk encryption to enhance overall security over the sensitive data.

At the moment users are able to download unapproved software at will. This can be seen as a threat to the network as it may contain malicious malware, therefore use of group policy will lockdown local admin rights and enforce application allowlisting. 

By scheduling regular IT onboarding and security awareness training it will smoothen transition and user adaptation for new users and help grasp awerness on content such as new threats and security managment techquinques so that they can be aware of new threats as AI is evolving. 


FIREWALL:

Rules allow inbound and outbound access for all HTTP, HTTPS, IMAP, SMTP traffic from a broad IP range to any destination. This could expose internal systems to external threats if not properly filtered at another layer like the application layer. 

Allowing inbound/outbound IMAP and SMTP traffic can be risky without strong authentication and spam/malware protection. Port 25 is commonly known for being exploited for spam distrubution which increases the risk of human error. 

SMB is seen to be inconsistent as it has been allowed between specific IPs and denied for a broader range. If this is not ordered or prioritized correctly in the firewall, the deny rule might override the allow rule unintentionally or vice versa, leading to unintended access or blocking. 

Most rules list the destination address as "ANY", which is risky. Traffic should ideally be limited to known, trusted endpoints or services.
Action Service Protocol Source Address Destination Address Port Notes
Allow – inbound HTTP TCP 192.168.1.1 – 192.168.1.200 192.168.1.100 80 Restricted to known web server only
Allow – outbound HTTP TCP 192.168.1.1 – 192.168.1.200 Any 80
Allow – inbound HTTPS TCP 192.168.1.1 – 192.168.1.200 192.168.1.100 443 Secure traffic to web server only
Allow – outbound HTTPS TCP 192.168.1.1 – 192.168.1.200 Any 443
Allow – inbound IMAP TCP 192.168.1.1 – 192.168.1.200 mail.server.local 143 Limit to specific mail server
Allow – outbound IMAP TCP 192.168.1.1 – 192.168.1.200 mail.server.local 143
Allow – inbound SMTP TCP 192.168.1.1 – 192.168.1.200 mail.server.local 25 Limit SMTP usage to internal mail server
Allow – outbound SMTP TCP 192.168.1.1 – 192.168.1.200 mail.server.local 25
Allow – inbound SMB TCP 192.168.1.251 192.168.1.253 139/445 Keep limited SMB access for specific systems only
Allow – outbound SMB TCP 192.168.1.251 192.168.1.253 139/445
Deny – inbound SMB TCP 192.168.1.1 – 192.168.1.200 192.168.1.253 139/445 Deny all other SMB access to protect shared files
Deny – outbound SMB TCP 192.168.1.1 – 192.168.1.200 192.168.1.253 139/445




SECURITY ISSUES:

One of the major security risks currently faced by NexaTech IT Solutions is the use of shared administrator logins. As outlined in Control Document D, all users have access to shared administrative accounts, which allows them to access and modify any data on the network. This poses significant security concerns. For instance, it eliminates accountability since it is impossible to trace actions back to individual users. Furthermore, malicious employees could exploit these privileges to access or manipulate sensitive data, potentially leading to data breaches. Such breaches would violate data protection laws including the General Data Protection Regulation (GDPR) and the Data Protection Act (DPA), which emphasize the principles of integrity, confidentiality, and accountability. Failure to comply with these regulations could lead to heavy fines, legal action, reputational damage, loss of clients, and diminished stakeholder trust. To mitigate this risk, it is essential to introduce user access levels by implementing role-based access control (RBAC). This approach restricts users to only the data and systems necessary for their job roles, ensuring that administrator accounts are secured with strong, regularly updated passwords and multi-factor authentication. Implementing Role-Based Access Control, however, presents its own challenges. As the company grows and new job roles emerge, the number of roles may increase dramatically, potentially leading to role explosion. Poorly designed roles can result in excessive permissions being granted, increasing the risk of unauthorized actions such as the installation of unapproved software or malware infections that could compromise the network. To address these challenges, it is critical to carefully define roles based on a thorough analysis of job functions and business needs. Permissions should be assigned following the principle of least privilege, granting users only the access necessary to perform their tasks. Assigning users to roles or groups simplifies management and enhances security. Regular audits of access rights are necessary to ensure permissions remain appropriate and to detect any unauthorized access promptly. When transitioning from the current system to the proposed RBAC framework, the company should carefully consider the implementation method. A direct cutover, while fast and inexpensive, carries high risk if issues arise, potentially disrupting business operations. A pilot approach, where the new system is tested with a small user group or department, offers the advantage of identifying and resolving issues before full deployment, minimizing disruption. Parallel running of both old and new systems reduces risk by allowing side-by-side comparison and user training, but it is resource-intensive. Phased implementation, introducing modules gradually, provides controlled change management and allows issues to be addressed step-by-step. For NexaTech, a pilot implementation is recommended, as it balances risk reduction and resource use effectively. The pilot should occur during a period of low activity, such as a non-working day, to minimize impact. This approach will allow the company to test the RBAC system’s components and address any issues before wider rollout.

Insider threats pose a significant risk to NexaTech IT Solutions due to the high level of access currently granted to employees through shared administrative accounts and weak access controls. An insider, whether intentionally malicious or unintentionally negligent, can exploit these privileges to steal, manipulate, or leak sensitive company and customer data. Such breaches not only compromise the integrity and confidentiality of information but also put the company at risk of severe legal and financial penalties under regulations like GDPR and the Data Protection Act. Additionally, insider threats can result in reputational damage and loss of customer trust, which may have long-term impacts on business viability. To mitigate these risks, NexaTech should implement strict access controls using role-based access control (RBAC), ensuring users have only the permissions necessary to perform their job functions, which limits the potential damage caused by insiders. Continuous monitoring and auditing of user activity through security information and event management (SIEM) tools will help detect unusual or unauthorized behavior promptly. Furthermore, enforcing multi-factor authentication (MFA) and unique user accounts increases accountability and reduces the risk of compromised credentials being used. Regular staff training on security awareness, data protection policies, and the consequences of insider threats will cultivate a culture of security mindfulness. Lastly, implementing clear disciplinary procedures for policy violations will deter intentional misuse of access.

As NexaTech IT Solutions transitions its infrastructure to cloud services such as Microsoft 365 or AWS, the risk of misconfigured access controls and permissions increases significantly. Incorrectly configured Identity and Access Management (IAM) settings can lead to unauthorized users gaining access to sensitive corporate or customer data. This may result from overly permissive roles, failure to enforce the principle of least privilege, or lack of proper monitoring, all of which increase the likelihood of data breaches. Such vulnerabilities can expose the company to compliance violations under GDPR and other data protection regulations, which mandate strict control over personal and sensitive information. To mitigate this risk, NexaTech should implement a robust IAM framework that enforces role-based access control (RBAC) combined with the principle of least privilege, ensuring users only have access necessary for their roles. Enabling multi-factor authentication (MFA) across all cloud accounts will add an extra layer of security against credential compromise. Additionally, the company should regularly audit cloud access logs and permissions to detect and remediate any anomalies promptly. Leveraging cloud-native security tools such as Microsoft Secure Score or AWS IAM Access Analyzer can assist in identifying and correcting misconfigurations, ensuring continuous compliance and minimizing exposure.


Comments

Popular posts from this blog

OS A3 Task 1

OS A3 Task 2