This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.
The scope of this research is pursued towards deploying a lasting potential solution to Miteqq Company identified existing threats and problems capable of causing sudden unexpected business disruptions to their products and services.
However, the project life cycle is divided into six chapters: chapter one provides the general structural framework of the research and gives an insight into the subject matter; starting with the identification of the problematic issues of the attack scenario of 1997 and 2003 that caused Miteqq Company financial loss of ?249,000 and subsequent change of the company name from MI-Technology Nigeria Limited to Miteqq Company to help them bury and overcome the embarrassment, scandals and loss of credibility.
Chapter two is the literature review which helps to define the topic area and contextualise the threats and problematic issues in terms of the analysis of existing knowledge, also investigating of relevant information, journals, articles, to work out potential solutions that will reduce the identified existing threats and problems to its lowest level.
Chapter three gives an insight into the qualitative research methodology used in this project in generating data and information as a direct observation as well as external observation via telephone conversations and so on.
Chapter four consist of the analysis of the proposed solution; chapter five is the implementations of the proposed potential solution and chapter six is the recommendation and cost benefit analysis.
I am grateful to God almighty for His providential care, parental love and grace in seeing me through to this level in my academic ladder. May His name forever be glorified, Amen. To my beloved wife and blossom friend, Ada-kosy Umezude, for her encouragement, motivation, standing by me and believing in my ability during the course of writing this piece of work.
To my uncle Chris Iheobi and family for their support unspeakable towards me and my family.
To my supervisor, Dr. Tatiana Simmonds for her guide and persistent attitude in seeing the unquantifiable piece born out of hard work.
To my parent, Emmanuel and Fanny Umezude, my elder brother, Bro. Goodnews & wife, Chidiebere, my younger brother, Agozie, and my younger sisters, Adaeze and Chidinma, for all their effectual and fervent prayers and love.
My special thanks go to Miteqq staff past and present: The Project Manager, Johnson Osadebe, Administrator, Ngozi Onyemachi, Store manager. Femi Adebayo and many others for their immense substantial contributions and relentless commitment in supporting Miteqq during their period of bankruptcy and finally the CEO of Miteqq Company, Chuka Ohagwasi for his unquenchable and tenacious persistent effort towards the realization of a new Miteqq Company born out of financial frustration and bankruptcy and many others who have affected my life in one way or the other may God bless all infinitely. Amen.
Brief Background Study of Miteqq Company?s Products and Services
The scope of this project is principally design to analysis MI-Technologies Nigeria Limited (Miteqq) areas of products and services, opportunities, strength, weaknesses and threats. Basically, the underlining idea is geared towards introducing some techniques, network security, and strategic measures that will protect and enhance Miteqq IT business information assets from attacks and potential threats they are exposed to as a result of their extensive reliance on IT for their products and services. Unfortunately, they are vulnerable in these areas: weak network security and firewall, lack of data backup system and data recovery system, lack of uninterruptible power supply (UPS) device in case of utility power failure; which gave room for the attack scenario of 2003 that cost them financial loss of over ?249,000; expenses procured trying to recover and restore the damages done during the attack. Sadly, for their business to continue, they had to change their company?s name from MI- Technologies Nigeria Limited to Miteqq Company to help them swollen the embarrassment, bankruptcy, and so on. Consider the aims and objectives of this research below:
AIMS AND OBJECTIVES
- Research by reviewing journals, literature reviews, documentaries reviews, case studies, articles and other sources of information on how other IT business outfit resolved their similar potential threats and IT problems. The research will be conducted through qualitative research methodology by systematically using predefined set of procedures to arrive to solution.
- A critical appraisal of Risk Management adoption into Miteqq business to help identify and assess their threats / problems and implement some measures to reduce the identified existing threats and problems to its lowest level. The technique will support Miteqq business evolve at the rate of business changing speed, and adequately matches their strength and approach towards securing sustainable competitive advantage over other IT businesses within their locality.
- Analysing and introducing a suitable Data backup and Data Recovery Devices / application software that will protect Miteqq systems from potential threats capable of damaging data stored in the computer in form of virus attack, hard drive failure / crashing, overheating, data loss and so on. The Data Backup and Data Recovery device will be selected based on sizes, reliability, portability, compatibility, durability, accessibility, cost effective, and suitability for archival purposes.
- Analysing and introducing ?Easeus Data Security Wizard, PowerElf 2.0 (Hardware appliance) and Easeus Todo Backup (Software Application) into Miteqq server to provide reduction in their bandwidth consumption, as an additional network security, enhancement to their network performance, reducing transmission delays, as antispam filter, auto defence, antivirus scanner, and web server.
- Analysing and introducing Uninterruptible Power Supply (UPS) device to provide emergency power supply when utility power is unavailable, and also to protect Miteqq computers, data centres, telecommunications equipment, workstations, CCTV and other electrical equipment where an unexpected power failure could cause fatalities, serious business disruption or data loss.
- Outlining the total cost of implementing these measures as well as the cost benefit analysis of the implementation and the recommendation.
QUALITATIVE RESEARCH METHODOLOGY
Basically, the project will be written in qualitative method with an in-depth study of Miteqq Company, also having valuable insight to the subject matter. The project will be conducted as a direct observation data collection as well as external observation via telephone conversation; because this is an IT company I have worked for prior to writing this project.
Apparently, I have satisfactory information about how Miteqq Company does its business and perhaps, this would give me greater insight into realizing what their major threats, and problems is. Also, data collected will be showcased through case study of the previous attacks scenario of 1997 and 2003 revealing what is already known by previous researcher and areas of concentration.
The qualitative research of this project will be based on scientific investigation which will aimed at seeking answers to reduce and eradicate the identified existing threats and attacks Miteqq Company is exposed to by using predefined, systematic approach and set of procedures to arrive to a given conclusion. There shall be provision of evidences to back up the findings that will arise at the course of the research. This research approach will give better understanding to Miteqq business operations in a complicated and challenging environment were critical business information is vulnerable to wide range of attacks and threats. The research will incorporate case scenario with open ended structure and flexibility. This method is chosen because of its efficiency and effectiveness rather than quantitative research to answer certain important questions on how and why certain outcomes will be achieved, its relevance, effects and impact to the company.
However, talking about the relevance, effect and impact of the findings and outcomes, it is paramount to showcase the risk level in terms of magnitude with the idea of integrating risk management tradition to Miteqq Company to understand what level of risk the company can accommodate in their business endeavours and the possible impact of the risk if not prioritized. The risk management will be used to identify and assess the threats and problems in Miteqq Company and ascertain the likelihood of it occurrence and the impact. Consider below the risk evaluation in colour significance of hypothetical table representation:
RISK EVALUATION IN TERMS OF MAGNITUDE:
May result to highly loss of major tangible / critical assets and resources, drag the organization reputation to the mud, resulting to serious injuries or death, loss of public confidence, massive financial loss, bankruptcy, embarrassment., etc
May result to costly loss of tangible assets and resources, loss of credibility and company reputation, legal action, injury, bankruptcy, huge economic losses, etc
May result in the loss of some tangible assets and resources, loss of public confidence and company?s? credibility, financial losses, etc One of the potential benefits of this technique is to help Miteqq prioritize their threats and problems level and identifies which threats and problems requires immediate action and which one can wait. In relation to the above table, the risk management tradition will guide Miteqq to know the kind of business to launch, and the level of risk to undertake in business to avoid been overtaken by events.
Obviously, every organization has their own distinctive IT risks graphic representation not minding the fact that changes in global IT risks still affect many organizations. From the diagram above there are significant colour representations which denote level of risks assessment. The red / dark red colour denotes critical / serious risks, orange / yellow denotes high risks these risks needs to be prioritized, blue denotes moderate risks, and gray low no risks. Besides, know level of risks assessment should be underestimated irrespective of the degree of its low impact at the present because it might degenerate to serious risk if not prioritized. (See 5.1 Miteqq Identified Existing Threats / Problems)
DATA STORAGE DEVICE SUITABLE FOR ARCHIVAL PURPOSES
Nowadays, with regards to computing era, there are different types of data storage devices suitable for archival purposes and there are unique ways in which these devices should be presented to offer geographic redundancy, portability and security of the data. Besides, data loss, hard drive crash, system failure is very common in information system however, due to uncertainty of information system all data is worth saving. A data repository formation would be used to provide storage structure. Below are the lists of storage media available today, unfortunately we shall be emphasizing on flash memory due to its importance to this research:
- Flash Memory
- Hard disk
- Optical disc
- Floppy disk
- Remote backup service
- Magnetic tape
This is one of the best bulky data storage backup devices and my second priority to Miteqq Company due to its better capacity than others, price effective when compared to hard disk Magnetic tape, and CD-Rom. It has sequential access medium, the rate of continuous writing and reading of data from. It is fastest than modern hard disk. It has been experimented time after time as the best portable, reliable, durable, virus-free, access speed, price advantageous, accessible bulky data storage device suitable for backups and archival purposes. With 160GB which cost ?100, Miteqq Company can backup all it files without upgrading the device in the subsequent years to come unlike 120GB Hard drive which cost ?180 and is prone to overheating, crashing and failure.
The chapter will be based on researching relevant information, journals documentaries and possible suggestions, recommendations, reviews, opinions, of authorities, author, business analysts gave towards establishing some potential solutions to remedy the threats and problems identified in some IT company. Some of the authors? recommendations and suggestions will be used to build the basis of our argument towards establishing, and deploying some potential solution to Miteqq Company to resolve their threats and problems. In relation to that, John Pironti, Chief Risk Strategist at IT Services Firm Getronics and the education board member for Information Systems Audit and Control Association admitted Danny Bradbury statement with the fact that technology should not be the starting point of solving IT risk rather "The first step is to perform a threat and vulnerability analysis on the organization?s information infrastructure - all of the processes, procedures, standards, people and technologies that support the use, transport and storage of data and information,". This implies, conducting a risk assessment of the company?s IT critical assets to identify the potential threats, and problems the company is exposed to and find set of control measure to protect the company?s assets from being disrupted. Basically, this is what the scope of this project is all about; finding a lasting solution to the identified existing threats and problems in Miteqq capable of causing them unexpected business disruptions. (See 5.1 Identified Existing Threats & Problems in Miteqq Company)
In reference to the above, the Chief Strategy Officer of Symantec Corporation, Grey Huges proclaims that ?IT Risk Management is more than using technology to solve security problems. With proper planning and broad support, it can give an organization the confidence to innovate, using IT to outdistance competitors.? This implies that each organization should incorporate risk management tradition to support their business in identifying and assessing their potential threats and problems. This technique should become an integral planning process towards solving any organizational problems and threats. In addition, Danny Bradbury in his article entitled ?IT Risk Management?, explains the dilemma CIOs experienced trying to manage risk in the era of tightening regulation: ?Handling compliance and risk have become inescapable elements of the modern CIO's role as they strive to ensure the business can forge ahead while not exposing areas of weakness or potential liability?. Also, James .F. Stevens et al, in their book entitled Information Asset Profiling ? information asset driven risk assessment, emphasise that ?an information security risk assessment is a process of determining the vulnerabilities, threats, and risks to an organization?s critical information assets. This process relies on the experience and insight of the organization to determine those risks that most need to be mitigated because they can impede the organization?s ability to achieve its goals and accomplish its mission?. James F. Stevens et al contributions are in relation to the fundamental scope of this project, by prioritizing the identified existing threats and problems in Miteqq to ascertain which threats or problems requires immediate action and which one can wait. (See 5.1 Identified Existing Threats & Problems in Miteqq Company)
Basically, organizational information is its critical assets and preventive measures should be undertaken to ensure that it doesn?t become a liability to threats, manipulation and loss. On this effect, EMC Corporation (2007) A Guide to Securing Critical Assets, emphasised that ?most organizations agree that information is their most valuable assets?to preserve its confidentiality, integrity, and value, information must be protected from variety of threats, unauthorized access, use, disclosure, disruption, modification and destruction?. Obviously, company?s critical asset is the lifeline and sustenance of that company and should be protected from diversification of threats, and problems emerging constantly due to the nature and challenges of IT business in a complicated environment where business information is vulnerable to wide range of emerging threats. However, Miteqq system integrity must be protected from been vulnerable to threats.
However, hardware and power failure remains the biggest potential threats and vulnerability IT business is experiencing nowadays, perhaps, adequate effort should be made to resolve this attacks and disruptions. Keith Tilley, Executive Vice-president for UK and Europe Sungard advises with reference to the above that: ?Protecting an organization?s most critical information is an important duty of directors,". Russell Price agreed with that view and emphasized that ?They are the custodians of the company's integrity - they are the ones who will have to face the consequences if they do not deliver, and they are the ones who can empower the rest of the organization to get business continuity effectively embedded in the organization,". Evidently, it is the management that are duty bound to protect the company?s integrity and credibility regardless of task allocations to different departments, they have to oversee and empower other departmental team to uphold the IT business information continuity embedded in the company because they are the one that will face the consequences if anything goes wrong just like Miteqq attack scenario of 2003 in which they loss ?249,000, it was the CEO that shouldered the responsibility of building the company back to life. However, Freeform Dynamics in his article ?Security no longer just about Hackers? explains a revolutionary trend and drifted views of some IT business continuity outfit that desire to pursue security in term of business enablement and risk reduction rather than protection from vulnerability, attacks and threats. According to them, ?if security is to be considered as threat prevention, solutions will invariably be in the form of threat removal? today's organizations are looking for security to be more about business enablement and risk reduction - and this will require not only different technology combinations but also different approaches to deployment and operation?.
John Pironti added that ??the other way to tighten up security controls is to refine your overall IT practice using service and management strategies like ITIL and COBIT? However, Information Technology Information Library (ITIL) ISO 17799 and Control Objectives for Information and Related Technology (COBIT) are the best practice key controls standard framework for managing IT risk at the IT management level. Furthermore, John Pironti added that the incorporation of this key control standard in the organization becomes ?the enhancement of adding identity and logging capabilities to all processes which touch sensitive data?this gives an organization a credible view of who touched data and what they did. It's a passive control, but it allows organizations to perform more effective root cause analysis in the case of an information security event or incident.". This implies that this set of control standard provides company with acceptable measures and unquantifiable indicators that will assist company to handle their threats and problems using various mechanisms like the one we are proposing to Miteqq known as PowerElf 2.0 Application software ? it is a multifunction application software suitable for auto defence, antispam, web-filter, backup, et cetera
Trend Micro Incorporated (2009) Internal Threats, emphasized ways of protecting businesses from internal threats like viruses, spyware, computer worms, Trojans and malware, et cetera that has the capacity of entering the business environment through infected laptops connected to a network or through removable device. According to them, the measures to protect a business are:
- ?Keeping PCs and Servers current with the latest software updates and patches,
- Protecting sensitive and confidential data,
- Protecting PCs, servers and networks from insider threats,
- Establishing data protection policies and educating employees,?
However, Bogdan Dumitru, Chief Technology Officer to Bitdefender Company, in his article ?Emerging Threats to Business Security, commented that IT businesses are ?faced with an ever-increasing volume of new and existing threats, businesses should consider integrated security solutions which can be centrally deployed and managed and can be integrated in the existing security setup with a minimum of effort and expense. Organizations can no longer rely on basic network security to get the job done. The threats are more sophisticated and a company?s security needs to be as well?businesses need a security that assesses the type of activities in which users are engaged as well as the channels employed to conduct those activities to proactively determine where future threats are likely to arise and to ensure complete network security? .In response to the above statement, IT business nowadays are confronted with new emerging threats and attacks regularly and that is why we are proposing some software application and hardware appliance for Miteqq Company to help them evolve at the business changing speed and protect them from the identified existing threats and problems in chapter five.
Consequently, the resultant effect of system malfunctioning / failure is data loss which has become a frustrating, problematic and predominating issue to individual computer user and company. James Marshall in his article titled ?5 Ways to Prevent Data Loss? recommend preventive measures of stopping data loss which are outline below:
- Never store your documents on the same drive as your operating system?: The reason is because the commonly computer problems usually affects the operating system and available solution become the reformatting of the hard drive as well as re-installing the operating system which will apparently result to absolute data loss. James Marshall suggested that the basic solution to this is ?installing a second hard-drive in your computer?a second internal drive will not be affected if the operating system is corrupted and it can even be installed in another computer if you need to buy a new one? Basically, the best option of device for this method is detachable or external hard drive which is compatible to any system using USB or fire-wire port. This detachable or external hard drive device would serve as a backup device in case of virus attack, data loss, etc
- Backup your files regularly, no matter where they?re stored?. In addition to the above, backup procedure is a paramount factor to any computer user. He stresses the point that ?even your backup is subject to failure, CDs get scratched, hard drives break and floppy get erased. It makes sense to increase your odds of being able to retrieve a file by having a second backup of it?you might think of backing up in a fireproof vault?
- Beware of email attachments? It is an obvious fact that, email attachments could cause computer user to lose data if the received document has the same file name with the one in the drive, there is every tendency that one will run the risk of over writing the already file. To avoid over writing a file, one should set individual email program to save attachments in a different location.
- Beware of user error?. Sometimes computer users are architect of their own problems or contributing to engineering their basic problems in their computer.
- Keep hard copies of your documents?. This is another preventive measure towards preventing data loss by having the stored file in hard copy to enable any recovering measure to be facilitated. The above listed preventive measures are practical low cost solutions.
Bradley .F. Hunter (2000) in this book entitled Data Loss Prevention, explained that ?data loss prevention is a complex problem that requires blending best of breed solutions to address all relevant aspects for a particular organization?identifying all the potential vectors for data loss in your organization (data at rest, data in motion and data at the end point) and then prioritizing them ? based on criteria such as past breaches, volume of communications, volume of data, the likelihood of a breach and the number of user with access to those vectors?to tackle the vulnerability of data in motion and police the various electronic communication avenues for data loss, companies need a traffic cop ? monitoring and controlling each and every communication that leaves the company regardless of the manner of transport. A comprehensive data loss prevention solution prevents confidential data loss by:
- Monitoring communications going outside of the organization,
- Encrypting email containing confidential content,
- Enabling compliance with global privacy and data security mandates,
- Securing outsourcing and partner communications,
- Protecting intellectual property,
- Enforcing acceptable use policies,
- Preventing malware-related data harvesting
- Providing a deterrent for malicious users
?data loss prevention is a serious issue for companies?whether it is a malicious attempt or inadvertent mistake; data loss can diminish a company?s brand, reduce shareholder value and damage the company?s goodwill and reputation?. The issue of data loss prevention is exhaustively analysed in chapter five to give Miteqq Company greater understanding of what could cause data loss, its impact and how it can be prevented through the use of data backup device or software application. However, the nightmare of data loss can cause any company to fold or serious financial loss and reputation. (See chapter five for causes of data loss and Easeus Todo Data Backup)
Symantec (2008) Data Loss Prevention emphasised that ?as a consequence, it has become more difficult than ever for organizations to prevent the loss of sensitive data. According to the Ponemon Institute, more than 250 million personal records have been exposed by data breaches since 2005, with each breach costing an average of US$6.6 million to the unfortunate organization?security perimeters aimed at securing IT network cannot address today?s data security challenges and it?s time to shift the focus to securing the data itself.?. Symantec and other software company has launch unifying data loss prevention software which will help to discover, protect and monitor organizational confidential data irrespective of where it is stored but for the purposes of this research, I recommend Easeus Todo Data Backup & PowerElf 2.0 designed to handle and react to this kind of situation (See Chapter Five for features)
Moreover, ACR System Inc, manufacturer of power backup for application document emphasised that ?Uninterruptible Power Supplies (UPS) are purported as the best protection against power disturbances and outages reducing the risk of losing valuable data or damaging hardware?There are three main functions of UPS devices: Battery Backup, Transient Voltage Surge Suppression (TVSS) and Power Conditioner?This device records surges, sags, impulses, dropouts, outages and frequency variations ? all power pollutants that may be harmful?. Apart from company protecting their IT critical assets, integrating suitable set of control measure, principles and strategies to enhance performance and business information continuity; data could still be lost if there is no uninterrupted power supply. However, this is in relation to the scope of this project to integrate into Miteqq Company uninterruptible power supply in case of utility failure which could cause unexpected business disruptions, data loss, system malfunctioning, etc (See chapter five for suitable UPS Device) In general, some categories of authors, business analyst and researchers are of the opinion that one of the vital ways of preventing virus attack to the server, PCs, or network are through ?running of virus checkers on the servers to trap any viruses, running of individual virus checks on users? PCs to ensure that they have not downloaded a virus directly or inadvertently introduced one via a CD or other forms of removable media, ?installing software patches provided by the supplier of your operating system to close security loopholes that could be exploited by viruses, using a firewall to prevent to prevent unauthorized access to your network and avoiding the download of unauthorized programs and documents from the internet and ensuring your staff adhere to this policy?. On the contrarily, other categories of authors, researchers, IT business analyst were of different opinion that your systems can still be infected irrespective of following the above guidelines. For them their suggestion is based on ?making regular backups of your data and software so that you can replace infected files with clean copies, subscribing for virus alert services, anti-spyware software, and it is important to keep these software up-to-date?. However, both strategies and principles are good experimented practices for decades. The practice to adopt depends on the company?s management, mission goals and product and services.
Furthermore, Greg Wanner, President of EWOL announced that ?Our commercial clients include private schools, and it is mandatory that they have an effective web filtering solution in place. With ?Cache Server as the delivery platform for filtering, I have accomplished two things: I have a cost-effective, well-supported cache solution to replace my outdated cache flow?which will drive down my costs. And I have the most accurate and reliable web filtering capabilities available to help generate new revenue streams for EWOL?. The Greg Wanner?s Cache Server testimony is a true reflection of the expected outcome of Easeus data Recovery Wizard and PowerElf 2.0 application software when experimented on network facility of any given company. Basically, it is this kind of network attributes we are proposing to Miteqq Company to gives them high frequency enhanced performance to their network, cost effective oriented, reduction in their bandwidth consumption to their LANs interface and other potential benefits outlined in chapter five.
Technically, this project research is written in qualitative methodology and the data collected was a catalogue of primary and secondary source comprising of first hand information of direct observation, direct evidence, telephone interview and conversations regarding Miteqq Company products and services, areas of strengths, opportunities, weaknesses and threats. Materials used for this research are: published magazines, newspaper, scholarly journal, articles, unpublished pieces: manuscripts ? hand written document which are personal correspondence, architectural drawings, unpublished facts, arguments, speculations, ideas, analysis observation, imagination, pictures and speeches / conversations. The project is a scientific investigation of the ways to remedy and minimize the identified existing threats and problems in Miteqq Company to its lowest level. (See 5.1 Identified Existing Threats / Problems in Miteqq Company).
At the analysis and implementation stage, some hardware appliances and software application was recommended, refined Miteqq operations strategy and integrate some network security principles for various solutions to their IT infrastructural development and this is in harmony with the beauty and spirit of Miteqq unquenchable Mission target to excel and thrive on IT challenges, with a proven record of meeting deadlines to client?s satisfaction. However, the approach of this research is a prerogative tool for Miteqq Company designed to rescue their business information continuity and structured to captivate the interest and deep passion of the staff / management.
Moreover, the logical sequence of language usage on this project is done in clearer expression for all and sundry as well as the logical coherence of the paragraphs which was met to blend with each other, and the literature review discusses the ideas of other writers towards justifying my own contribution to the area of concentration and not a repeated works of others. The project shows a simple review of the IT threats and problems situation in Miteqq Company and the possible proposing solution to the problem would be. An explanation of some of the vital key issues relating to the problem situation is highlighted, for the reader to have a clearer view of what the problem situation in Miteqq Company is all about and subsequently how the solution will be implemented and integrated.
The scope of this analysis is to showcase Miteqq Company identified IT business needs, areas of products and services, opportunities, strengths, weaknesses and threats. However, Miteqq is an IT Company I worked for in Nigeria that specialises on products and services such as: Networking Infrastructural Services: Network design & planning, Fibre optic cabling, network accessories, et cetera Hardware/Software Support: Application integration, software customization, system maintenance & engineering, et cetera Business/Accounting System: Peatree accounting general support, human resources management, payroll system, budget monitoring control software, software for economic evaluation/feasibility studies, medical records/database management, Training: Peatree accounting, desktop publishing, network engineering, and so on.
Basically, according to Miteqq Project Manager, the Company is now made up of simple LAN network comprising of 40 hosts workstations of 60 staff excluding the domestic staff and security officers, one database server, and one print server and I discovered during the telephone interview and conversations had with the project manager and other departmental team leaders that Miteqq has weak network security, and firewall, no data backup system, no data recovery system, no system to assist them in an event of data loss, or system failure / malfunctioning, or virus attack, to mention but a few and no uninterruptible power supply (UPS) device in case of utility power failure; thereby making their high-tech product and services vulnerable to a wide range of potential threats and attacks. These identified deficiencies especially in their IT infrastructure are capable of causing Miteqq Company another huge business disruptions and massive financial losses if not tackled wisely. The report received from staff shows that Miteqq had experienced slight business disruptions as denial of service attack, and virus attacks in 1997 and the massive attack scenario in 2003 which would have swift-off Miteqq from business. The recent attack in 2003 was exploited as hacking to Miteqq systems, networks, server and workstations because they have weak network security and firewall, also there was a virus / malicious attack, 30mins ? 2 hours denial of service attack to their network / server causing Miteqq temporary business disruption, intrusion / unauthorized modification of their system logs, unauthorized access to their server, system, network, loss of their system functionality, loss of operational effectiveness, corrupted data lending to inaccuracy, fraud, erroneous operation, access causing data loss to their systems, system failures / malfunctioning, interrupted power supply to mention but a few which caused the company over ?249,000 in 2003, the cost of repairing and recovering the data loss during the attack. However, some staffs were made redundant due to bankruptcy, others left out of frustration, and unable to cope with the minimum salary offered. Sadly, the business would have folded up but survived with massive financial debt and borrowing from banks and business alliance. Due to financial embarrassment, scandals and lost of reputation they changed their business name from MI-Technology Nigeria Limited to what we have today as Miteqq Company. According to Miteqq manager, ?it is the worst ruinous financial year and nightmare we escaped??
Essentially, these problems were identified following various telephone conversations held with the project manager, and various departmental team members past and present in Miteqq Company explaining that Miteqq relies extensively on IT systems for their products and services and such did exposed their business to a large vulnerabilities, threats, attacks and risks which has caused them unexpected business disruption in 2003 leading to massive financial loss and credibility, commercial embarrassment, bankrupt, loss of public confidence, workforce redundancy / retrenchment and loss of competitive advantage and change of their business name to regain their past glory and exploits. However, below is the chart of Miteqq Company financial loss of over ?249,000 in 2003, as a result of the attack scenario they experienced and the cost of repairing their IT infrastructural equipment and recovering of data lost due to tampering and damages done to their systems. See below:
THE CHART OF MITEQQ FINANCIAL LOSS IN 2003
Diagram of Miteqq Financial loss in 2003 Looking at the chart above of Miteqq financial loss of 2003 business years, it appears that Data loss has the greatest % figure, followed by System failure, Virus attack and Denial of service attack has almost slightly unequal % figures and all these are in red denoting how critical they are. The whole percentage figure is sum up to ?249,000 financial loss. In essence, following the risk assessment and several telephone conversation held with some departmental team members, it appears that those areas of vulnerabilities, threats and attacks are not ultimately rectified which could most likely cause the company another tremendous loss if not acted urgently.
Therefore, it is important to explain some of the key potential issues we are trying to prevent from occurring again in Miteqq Company. Such IT related problematic issues will be classified under three sub-heading: threats, attacks and vulnerabilities.
DEFINITIONS OF THE KEY CONCEPTS
Fundamentally from the point of view of information technology, threat can be viewed as anything that would cause tremendous damages to company?s information assets, network connections, servers, workstations, telecommunication, to mention but a few. The term company?s assets could be referred to as any valuable data, information, resources, software, hardware, human resources, and staffing. Report from Miteqq staff indicates that, Miteqq suffered terrible computer crash and breakdown in 1997, due to inadequate computer maintenance, and biggest attack occurred in 2003 as earlier on mentioned. During the process, Miteqq system was affected with Trojan virus, which gave the hacker opportunity to exploit, control and take advantage of their system vulnerability to send overflow of traffic email to their router that caused denial of service to their network. It was a direct or indirect intentional act of the exploiter to exploit Miteqq information system, facilities, software / hardware with the impending desire to cause terrible and alarming harm to their system which resulted to critical system malfunctioning, and the inability to perform and carry out their business.
DENIAL OF SERVICE ATTACK (D.O.S)
This is an intentional attack that is aimed to block access to Miteqq certain resources, for instance, leaving their server in an unresponsive state in this manner intentionally depriving Miteqq client internet services they are met to have. The information and report received from Miteqq staff shows that in July, 2003, the motive of the exploiter using denial of service attack resulted in stolen of business information and loss of security settings that caused Miteqq Company great deal of financial loss and time to resolve. Such lead to temporary unavailability and loss of network connectivity and services which destroyed computer files and programming of the affected system.
However, during the episode of the attack as Miteqq System manager portrayed, the exploiter acted by sending an overflowing traffic to their network knowing that their router is not capable of handling such package - e-mail messages containing over 256 attachments. This intentional act of sending oversized internet control message protocol (ICMP) launched Trojan virus to Miteqq computers, and spam to their email messages resulted to unusual slow down of their network performance, and Miteqq staff and customers were unable to access their websites and this report was hidden from the press so that it doesn?t blow out of proportion although statistic shows that over ?249,000 was spent to repair and recover data lost during the attacks. (See 4.2: The Chart for Miteqq Financial Loss in 2003) Conversely, this is what we are trying to prevent from happening again to Miteqq Company, where by their legitimate users are prevented from accessing information or services due to denial targeted to their network or computers connection preventing them from accessing their email, websites, online accounts, e-commerce, outsourcing, marketing, and so on which could cause so much damages to their products and services. Unfortunately, there are less effective ways of preventing being a victim of DOS attack but there are steps to be implemented that will safeguard Miteqq Company from being a victim of such attack in case of eventuality as will be seen in chapter five. See a case scenario of denial of service attack on Miteqq Network below:
CASE SCENARIO OF DENIAL OF SERVICE ATTACK
The above intentional act was demonstrated to render Miteqq server in an unresponsive state in so doing depriving them of network services with the intention of stealing their business information and destroying the company?s information system, and so on which has caused them massive financial loss and credibility. However, the annoying aspect of this calamity is that such potential threats and vulnerability that caused the company ?249,000 is still not resolved giving the exploiter opportunity to strike again.
It is another unintentional act permeated by individual due to availability of opportunity to cause damages to the system or exploitation. Following the risk assessment done and telephone conversation held with some of the departmental team, it is appears that Miteqq Company was vulnerable in these areas of their IT infrastructure that lead to the attack: weak encryption of data, software error, weak security access control, weak security of data, weak password access, and so on; this has given the exploiter opportunity to act upon. However, we shall be incorporating some security and network measures to remedy these problems due to the rapid changing nature of IT challenges and the nature of products and services run by Miteqq Company.
However, possible solutions has been proposed towards remedying these identified existing threats and problems in different dimensions to fit into Miteqq IT business needs in chapter five.
DESIGN AND IMPLEMENTATION
From the preceding chapter, we discussed various threats, attacks, risks and vulnerabilities Miteqq Company experienced in 1997 and ruinous one in 2003 that made them loss ?249,000 which had contributed to the changing of their business name from MI-Technology Nigeria Limited to Miteqq Company to help them bury and overcome the level of embarrassment, scandals and lost of reputation they were dragged into as a result of 2003 attack. However, this chapter will be based on deploying some potential solutions, graphic representations, hypothetical table analysis, security measures, operations strategies, hardware appliances / software applications, to solve, minimize and reduce each identified existing problems / threats in Miteqq Company to its lowest level. The scope will be based on designs and implementations of some sophisticated managerial, technical, operational, and security network measures to Miteqq IT infrastructural development.
Nevertheless, consider below the hypothetical table of identified existing IT infrastructural threats and problems in Miteqq Company capable of causing sudden unexpected business disruptions which could lead to denial of service attack, data loss, system failure, malicious / virus attack, unauthorized modification of system logs, unauthorized access to the server / system, network, or loss of system functionality, loss of operational effectiveness lending to inaccuracy, fraud, erroneous operations, power supply failure to mention but a few and their priorities and proposing solutions:
MITEQQ COMPANY IDENTIFIED EXISTING THREATS / PROBLEMS.
S/N EXISTING THREATS / PROBLEMS PRIORITIES SOLUTIONS
Weak Network Security
Introducing PowerElf 2.0 server appliance design to perform high frequency performance, proxy server solution, serving as antivirus protection, auto defence, firewall, intrusion detection and antispam. It is a reliable network security for companies, workstations, and so on. It is meant to meet the network security challenging needs of companies, reduce network overall bandwidth demand by which companies can save some costs as well as enhance performance. (See 5.5)
Weak Firewall Security System
PowerElf 2.0 as above is a multi- functioning server appliance suitable to perform adequate firewall security network in form of antispam, antivirus protection, auto defence, internet sharing, firewall technology, intrusion detection, remote administration, and so on (See 5.6.2)
No Data Backup System / Device
- Introducing flash memory device as the best bulky data storage backup device suitable for archival purposes, durable virus free and cost effective (See 126.96.36.199)
- Installing ?Easeus Todo Backup? application software design to provide system backup, hard disk restoration and partition backup to protect system and disk. It has the capacity of backing-up the entire organization system including the operating system, data, application and settings. It is my first priority for data backup system. (See 5.4.4)
No Data Recovery System / Device
Installing ?Easeus Data Recovery Wizard Demo Version? design to recover lost data from desktop, laptop, hard drives, CDs, DVDs, removable devices, and so on. It is experimented data recovery application software by several IT companies. (See 5.4.5)
No File / Folder Encryption /
Password Tradition Installing ?Easeus Data Security Wizard? application software design to encrypt file/folder, and data backup to prevent unauthorized access into the business data / workstations, in case of data loss would not trigger risk. (See 188.8.131.52)
No Uninterruptible Power Supply
Introducing APC Online Double Conversion UPS design to provide uninterrupted power supply to the systems, building, data centres and so on up to 45 minutes to few hours until utility power is restored or systems safely shut down. It has the capacity of protecting computers, data centers, telecommunication equipment and other electrical gadgets when sudden unexpected power failure occur which is capable of causing serious injuries, fatalities, data loss or serious business disruption. UPS ranges in sizes and shapes, from powering a single data centers, buildings to several megawatts. (See 5.8)
Inadequate System Maintenance
Incorporating PowerElf 2.0 features and integrating of more security measures comprising of managerial, operational and technical for adequate system maintenance. Integrating project / risk management tradition.
No Surveillance System / Device
Introducing CCTV security measure as guards worthy to deterrent perhaps criminals activities and discourage employee theft. It is useful in monitoring multiple areas as well as remote areas and it is cost effective and can be linked to police and the Security Guarding Company for instant response in case of any abnormal occurrence. (See 5.9)
Weak Security Access Control
Integration of security measures requiring authorization of access at discretion of the administrator to control the level of access allow and integrating manipulation and optimization of data to control unauthorized access to the business data by malicious insider / outsider. (See 5.4.1). Installing PowerElf 2.0 server appliance for its security access control features via the administrator system.
No Manipulation / Optimization of Data
Incorporating data manipulation and optimization tradition to facilitate and improve the backup speed, the restoration speed, the security of data, and reduction in network bandwidth consumption. It can be performed in the following ways by Data Compression ? which requires shrinking of the size of the data source storage in other to use less storage capacity. De- duplication ? which is use to reduce bandwidth usage and send backup data to it targeted storage location. Data Encryption: as an intensive data security protection to high capacity removable storage device in case of lost or stolen so that it does not trigger risk and to prevent unauthorized access into the business data by malicious insider. and installation of Easeus Data Security Wizard?(See 184.108.40.206)
No Staff Supervision / Review of System
Installing ?PowerElf 2.0? server appliance design to audit and monitor each organization computers and users separately from the administrator system. It creates daily and weekly web traffic reports for the administrator. These web traffic reports are sorted by IP address, user name, record of top visited web sites, etc. It is used to monitor how much effort and input every staff contribute towards the day-to- day running of the business and ascertain who is more efficient than others. (See 5.7)
No Intrusion Detection Device
Installing ?PowerElf 2.0? server appliance from the administrator system could choose to block some unwanted sites and control access through username and IP address. This server appliance serves as filter, and has hidden in-built indicator that will aid company to know when an intruder has visited or manipulated the business information because the system will display the IP address of the browser, the internet location where the intruder is operating from, the type of browser software the guest is using, the time and duration of the visit, pages requested and sites visited. (See 5.7.1)
Installing ?PowerElf 2.0 server appliance design to reduce network bandwidth demand, costs and increases enhance performance to solve web server load, network traffic congestion, network scalability cost, and responsiveness. (See 5.5)
High Bandwidth Consumption
See PowerElf 2.0 server appliance features in column 1 and 13 above.
Weak Security of Data
Introducing Data manipulation and optimization to facilitate and improve backup speed, restoration speed, security of data, and reduction in network bandwidth requirements. Data manipulation and optimization that will give strong security to data includes data compression, de- publication and data encryption. (See 220.127.116.11)
Lack of Project / Risk Management Tradition
Integration of project / risk management traditions to identify and assess the risks, threats the company is vulnerable to and mitigate some measure to remedy it. (See 5.2)
Weak Antivirus Scanner / Antispam Filter
Installing PowerElf 2.0? server appliance as multi-functioning capable of performing the following functions for network security: antispam, antivirus protection, auto defence, internet sharing, firewall technology, intrusion detection, remote administration, and so on.
However, the above tick (v) of identified existing threats and problems in Miteqq Company are some of the priorities of the threats and problems that require urgent attention to be fixed while the other without tick sign can wait. This is to enable the Miteqq IT manager to concentrate and launch their attack / defence based proposing solutions to the urgent need rather than focusing on the overwhelming amount of work. However, we shall begin with integrating project and risk management tradition to Miteqq to ascertain their IT critical assets and how it can be regularly protected from emerging threats / problems capable of causing business disruptions.
RISK MANAGEMENT TRADITION INTO MITEQQ COMPANY
In essence, to remedy and achieve remarkable result from the IT point of view, conducting of risk assessment is the first step to be taken into cognizant which will require the identification and assessment of the identified existing potential threats, attack, and vulnerabilities in Miteqq Company. Some of the potential benefits accompanying this procedure is to enable Miteqq Company recover quickly from any form of business disruptions in the past, present and future, retaining their customers? reassurance, having competitive advantage, recovering from financial loss and credibility, overcoming commercial embarrassment and lawsuit, protecting their system integrity from all forms of emerging attacks, threats and vulnerability that will necessitated to the identified existing threats and problems in the table above from occurring in Miteqq Company because the tangible impact of these threats / problems will be huge than the previous, besides the cost of repairing the system, recovery of data loss and reinstallation would be expensive.
However, due to the nature of products and services specialise by Miteqq Company, we strongly recommend risk management tradition towards addressing consistent changes in IT risks, threats, attacks, IT business environment complexity, IT challenges and changes driven by technology, environmental factors and regulation. The reason for integration of IT risk management is pursued because Miteqq Company uses technology to capture new market; which invariably exposes their products and services to newer risks, threats and attacks. However, the motive behind this integration is to assist Miteqq Company evolve at the rate of business changing speed, evaluate and adequately matches their approach towards securing sustainable competitive advantage over other IT businesses within their region. Basically, the catastrophic failures encounters in business usually occur as a result of day-to- day organizational deficiency to business risks, threats, attacks and vulnerabilities. However, the nature of risks an organization undertakes is invariable to their business risk tradition. Consider below Miteqq IT security risk assessment process flow conducted at the course of this research:
Miteqq IT Security Risk Assessment Process Flow
Assessing the Risk for each of the Miteqq IT Assets:
- System /Hardware failure
- Hard drive crash / Overheating
- Malicious / Virus attacks
- Power supply failure
- Hacking / fraud
- Denial of service attack,
- Weak Security Access control, et cetera
Miteqq IT Assets:
- Networks, etc
Identifying Miteqq Critical IT Assets Security Plan:
- Assigning of measures to likelihood & impact of threats and attacks occurring to each Miteqq IT assets
- Prioritizing those threats: No, low, Moderate, High & Critical risks.
- Operations strategies/ Control measures, software application, etc
- Deployment of the security plan,
Information Business Continuity Plan
- Introducing Data Backup System,
- Introducing Data Recovery System,
- Installing PowerElf 2.0?
- Uninterrupted Power Supply (UPS)
- Installing ?Easeus Data Security Wizard?
- CCTV, et cetera
Disaster Contingency Plan
Evaluation & Review
- Training & Induction
- Testing & Awareness
- Maintenance & Upgrading
- et cetera
Manual / Handbook Procedure
However, the primary factor of performing and implementing risk management on Miteqq Company as seen above is to enable the company accomplish their mission target, secure their IT systems, protect their Information assets, have greater competitive advantage over their rivalries, maximise their income, and so on and to maintain stabilizing, sustainable, accomplishing and actualizing business target and goal devoid of any form of business disruptions encountered before or in form of new challenges emerging.
DEPLOYMENT OF APPROPRIATE THREATS, ATTACKS REDUCING MEASURES
However, based on the analysis and risk assessment conducted, the preferred and appropriate safeguarding measures to address the identified potential threats, risks, and attacks in Miteqq would be tackled from the perspective of their System Software which is vulnerable to viruses, Trojan horses, worms which could lead to data exposure, vital files destruction, lost of machine control, data lost, and the potential solution is by installing an automatic anti- virus software updates (?Easeus Data Security Wizard?) in all the Miteqq computers, creating backup device, limiting opening and the use of attachments and configuring automatic Windows Update, adopting effective password policies, data encryption, configuration of security setting, strict access control and remote access restriction, thorough training and awareness.
INTEGRATION OF SECURITY MEASURES TO MITEQQ COMPANY
However, one of the threat, attacks reducing measures is the incorporation of security measures to Miteqq managerial, operational and technical areas of Products and services:
SECURITY MEASURES SECURITY CRITERIA
Managerial security network
- Assigning of precise responsibilities or tasks to staff / various departmental teams,
- Regular review and assessment of the security / network control
- Risk management tradition, . Security awareness and orientation
- Division and delegation of duties
- System application security plan
- System authorization / Access control
- Software application & hardware appliances reviews, Operational security awareness
- Control to ensure uninterruptible power supply
- Data media accessibility
- IT Infrastructural security and development,
- Workstations, laptops, server, network , et cetera
- Integrating operations strategy, Technical security awareness
- Encryption /password
- Auditing of system
- Access control discretion
- Network communication: routers, system interconnectivity
- Intrusion detection device,
- Surveillance / CCTV
These above security measures will be integrated into our analysis and implementation of some hardware appliances, software installation, and IT strategic business operation.
INTEGRATION OF DATA BACKUP / RECOVERY DEVICE AND SOFTWARE
However, this is another threats, attacks reducing method, which requires the integration of data backup and recovery mechanism into Miteqq Company to protect their information business continuity in case of sudden breakdown of systems, workstations, server; and the additional copies of the already stored data will be used to restore the original data. It is obvious to know that due to the uncertainty of information system all data is worth saving. However, a data repository formation would be used to provide storage structure. Nowadays, with regards to computing era, there are different types of data storage devices as well as data software suitable for creating backups as an application software or device and there are unique ways in which these devices and application software counterpart should be presented to offer geographic redundancy, portability and security of data. However, before data is sent to its location storage, Miteqq should ensure that the data is extracted, selected and manipulated to suit the optimizing backup procedure. The optimization backup procedure suitable for Miteqq product and services is the encryption of the data, compression of data and de-duplication of data, to prevent any exploiter having access to the information. (See 18.104.22.168 Manipulation and Optimization of Data) These are exemplified and experimented technique implemented by many IT organizations to sustain their IT information business continuity at the events of attacks and their business data could not be encrypted.
INTEGRATION OF MANIPULATION AND OPTIMIZATION OF DATA
Due to the nature of Miteqq products and services Data manipulation and optimization is essential to facilitate and improve their backup speed, speed up restoration, security of data, and reduction in network bandwidth requirements. Below are some ways Miteqq should manipulate and optimize their data:
- Data Compression: This will involve shrinking of the size of the data source storage in other to use less storage capacity.
- De-duplication: It will be use to reduce bandwidth usage required to send backup data to it targeted storage location.
- Data Encryption: This will be use as an intensive data security protection to high capacity removable storage device in case of lost or stolen so that it does not trigger risk. It is the data backup guarantee security device use to prevent unauthorized access into the business data.
INTEGRATION OF FILE/FOLDER ENCRYPTION
However, this is an intensive data backup security protection I am recommending to Miteqq Company and the application software is known as ?Easeus Data Security Wizard? It is design to encrypt file/folder once provided to give an enhance data backup guarantee. Once it is installed, the steps to encrypting file/folder are not problematic. It requires suffici