Cybersecurity System Security Report for Successful Acquisition
Paper Type: Free Essay | Subject: Security | Wordcount: 3305 words | Published: 18th May 2020
Executive Summary
In the coming months Netflix (NFLX), a media and entertainment company, will begin to facilitate the merger and acquisition (M&A) of SoundCloud (SC), a small media streaming company based in Australia. NFLX has introduced the merger between ourselves and SC due to their growing success among media streaming companies. In time, this marriage will integrate the strengths of both organizations, which in turn will result in greater growth and profit margins for our company.
Through preliminary research, we have found that SoundCloud utilized older unsupported versions of Microsoft Windows and Adobe Acrobat. Further investigations must take place in order to determine the financial strength and operational capabilities SoundCloud holds. As the lead cybersecurity engineering architect within Netflix, I have been tasked to develop a strategy to mitigate risk, protect systems, and prevent threats to data. The following acquisition report will detail the cybersecurity posture of SoundCloud, trusted security mechanisms to incorporate as well as remedies that may prevent threats and exploits.
Policy Gap Analysis
While NFLX has spent years and millions of dollars establishing its security posture, SC, a younger company, still possesses a rudimentary policy. This deficiency may pose security risks that could affect the newly formed organization. It is critical to perform a cybersecurity due diligence review in order to identify areas open to unauthorized access, internal risks, external risks and supply chain risks, and to examine records of compliance as well as comprehensive cybersecurity reviews (Kennedy & Nelson, 2016). Additionally, we must conduct audits and penetration testing in order to better understand updates that should be made within our organization. As SC grows with our company, it is critical we bolster physical security, technical security, disaster recovery, policy and awareness (Hartman, 2002).
Policies are in place to define how systems and those that use them should operate. A gap analysis can be performed to determine if NFLX or SC is missing any policies that may be crucial for security (Jardine, 2014). First, we will analyze both organizations' current and desired policies, operations and security stance. Considering existing and future stances gives insight into the gaps that currently exist and allows us to strategize, bridge the gap and improve our overall security posture (Mikoluk, 2013).
Our legal department has drafted all regulations that both companies must follow. Along with security posture, these regulations include tax, state and federal laws. We will also contract a team with expertise on gap analysis as well as laws and regulations to aid our team in these efforts. Once we have grasped all necessary facets of this issue, our own legal team will be able to draft new policies that concern the new merger.
SC currently has a customer base of 150,000 users who on average pay $14.99 in monthly fees. This equates to over $2.2 million in revenue each year. As SC gains popularity, revenue will rise; the implementation of credit card security will be crucial. To facilitate this, we will utilize the standards developed by the PCI Security Standards Council (PCI SSC) to protect customers' credit card data. In order to maintain privacy and create a secure network, it is important to install and maintain a firewall configuration and to keep anti-malware as well as antivirus software up to date. Additionally, we must utilize strong encrypted passwords for each user account. These passwords must be between 10 and 15 characters and include upper/lower case letters, numbers and special characters. Cardholders' information will be in transit or at rest within our network. In both these cases, all information will be encrypted in order to ensure optimal security.
Cost to implement new firewall:
Category | Item | Cost
Hardware | Cisco ASA5555-IPS-K9 With Intrusion Prevention Systems Services Adaptive Security Firewall Appliance | $26,989.00
 | Standard maintenance contract | $2,000.00 annually
Software | Cisco Adaptive Security Appliance (ASA) Software | $3,500.00
Protocols for Streaming Services
SC's streaming service transmits audio and video so customers may view content before it is downloaded in its entirety. Streaming protocols are in place so organizations may understand requirements for communication between two objects. These protocols use Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP) as their transport protocols. Additional protocols include the Real-Time Streaming Protocol (RTSP), an application-level protocol that establishes and monitors client/server sessions and controls performance and interactions with clients. Real-Time Transport Protocol (RTP) ensures consistency of media data by enabling audio and video streaming through IP networks. Finally, Real-Time Transport Control Protocol (RTCP) works with RTP to monitor information (UMUC, n.d.).
These protocols experience vulnerabilities that may be harmful to overall security. These issues include lack of authentication/authorization, denial of service or the loss of data. To solve these issues we must implement patching and establish encryption (Jordan, 2017). NFLX currently holds the tools to solve these issues; no further expenses are necessary. The new firewall will also help to mitigate these vulnerabilities. SC's streaming service will run on a separate server, allowing our current infrastructure to remain intact.
Merged Network Infrastructure
Both organizations utilize Microsoft Office and Skype to communicate during conference calls. Merging both will pose no issues. If issues do arise, patches will be implemented along the way to ensure security. SC emails will be transferred to a cloud service similar to that of NFLX.
We will place SC's web server in a demilitarized zone (DMZ). A DMZ is a logical subnet that separates the LAN from other untrusted networks. External-facing servers, resources and services are located in the DMZ. Customers have the ability to access content from the internet, while the internal LAN remains secure. The DMZ design will benefit our organization by providing our customers easy access to services while isolating potential target systems from internal networks, reducing and controlling access to those systems from outside of the organization (Rouse, 2018). To implement the DMZ, SC will join our network but work within a different domain and server. Currently SC's server works within one firewall. Introducing our new firewall provided by Cisco will implement a new multi-level firewall as well as intrusion detection and protection software for a stronger security posture.
Wireless & BYOD Policies
Initially implementing the Bring Your Own Device (BYOD) policy in our own company had the potential to pose some issues. Individuals possess various devices within our network including Android, PC and Apple devices. In order to combat any security vulnerabilities, we use the mobile device management software MaaS360 provided by IBM. It allows devices to securely work within our organization’s infrastructure, securely manage data on mobile devices, provide a conduit for virtual private network (VPN) connections as well as secure emails/calendars/contacts (Schulz, 2013). MaaS360 also provides mobile security through hardware encryption and remote wiping. Our security policies demand that users create strong passcodes to decrease the likelihood of adversarial attacks.
SC will follow our BYOD policies to ensure a smooth transition:
- Define a sustainable BYOD policy:
  - Identify sensitive and proprietary corporate and personal information
  - Periodic updates to the policy
- Include regulatory and internal audit compliance requirements:
  - Include SC as part of the enterprise risk assessment processes
- Create and maintain an enterprise-wide list of supported devices
- Equip and train the staff:
  - Ongoing communication and training to include the benefits/risks and practices for successful deployment and use
- Implement policies and procedures for discontinuing devices:
  - When an employee leaves the company, corporate information is removed from the device
  - If the device is lost or stolen, all contents of the device must be wiped (Koeppel, 2014)
Data Protection Plan
Our data protection plan will help to safeguard data from compromise, corruption or loss. The plan will use full disk encryption (FDE), BitLocker, platform identity keys, a trusted computing base as well as a Trusted Platform Module (TPM).
FDE automatically converts data on a hard drive into a form that cannot be read without a key to decipher the data or information. We will install FDE software on each new SC device. FDE is advantageous because it does not require much input from the user. The software will automatically encrypt new data as it is created; when it is read, it is automatically decrypted (Rouse, 2014). Specifically, we will utilize BitLocker, a Windows-based full disk encryption tool. BitLocker possesses a trusted platform module that holds a private key, locked through a Trusted Platform Module (TPM) microchip, within the motherboard of each device. This feature makes it impossible for unauthorized users to unlock data if a device is stolen (Koneti, 2010). A TPM has the ability to hold multiple identities known as Attestation Identity Keys (AIKs) or platform identity keys. “An AIK will protect devices against unauthorized firmware and software modification by hashing critical sections of firmware and software before they are executed. If any of the hashed components has been modified since last started, the match will fail, and the system cannot gain entry to the network” (Rouse, Trusted Platform Module (TPM), 2014).
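The hash-then-compare check quoted above, modelled in software as an added example (not code from this essay or from any TPM vendor): each component is hashed into a TPM-style register before it runs, and a verifier admits the device only if the replayed measurements match known-good values. The component names and byte strings are constructed, and the AIK signature that would authenticate the reported register value is assumed and not modelled.

```python
import hashlib
import hmac

def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM-style extend: new register = SHA-256(old register || measurement)."""
    return hashlib.sha256(pcr + digest).digest()

def measured_boot(components):
    """Hash each component before it 'runs'; return final register and event log."""
    pcr, log = bytes(32), []  # register resets to all zeros
    for name, blob in components:
        digest = hashlib.sha256(blob).digest()
        pcr = extend(pcr, digest)
        log.append((name, digest))
    return pcr, log

def verify(reported_pcr, log, known_good):
    """Verifier side: replay the log, then check each digest. Returns (admit, reason)."""
    replayed = bytes(32)
    for _, digest in log:
        replayed = extend(replayed, digest)
    if not hmac.compare_digest(replayed, reported_pcr):
        return False, "event log does not reproduce reported PCR"
    for name, digest in log:
        if known_good.get(name) != digest:
            return False, f"unexpected measurement for {name}"
    return True, "all measurements match"

# Constructed sample boot chain (placeholder byte strings, not real firmware).
GOOD_CHAIN = [("firmware", b"fw v1.0"), ("bootloader", b"loader v2.3"),
              ("kernel", b"kernel 5.4")]
KNOWN_GOOD = {n: hashlib.sha256(b).digest() for n, b in GOOD_CHAIN}

def demo():
    results = {}
    pcr, log = measured_boot(GOOD_CHAIN)
    results["clean"] = verify(pcr, log, KNOWN_GOOD)
    modified = [GOOD_CHAIN[0], ("bootloader", b"loader v2.3 (modified)"), GOOD_CHAIN[2]]
    m_pcr, m_log = measured_boot(modified)
    results["modified"] = verify(m_pcr, m_log, KNOWN_GOOD)
    # A log listing the good digests cannot match the register the device produced.
    results["forged_log"] = verify(m_pcr, log, KNOWN_GOOD)
    return results

if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case}: admit={ok} ({reason})")
```

Because every extend folds the previous register value into the next, a single changed component alters the final value and cannot be undone by later measurements.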
To provide optimal service to our customers we must maintain system integrity at all times. Our organization will follow the trusted computing base (TCB) standard in accordance with the National Institute of Standards and Technology (NIST) so our systems may perform as intended. TCB components, such as operating systems, hardware, software and prescribed procedures/security mechanisms, will provide a secure environment. To ensure data security this standard also requires access control, authentication/authorization, antivirus protections as well as data backup (Schapker, 2005).
Currently SC does not have a TPM; integration will follow these steps:
- Target equipment for the pilot TPM program is selected.
- prepped for improved operation. Two key TPM concepts will be introduced:
  - 5S program
    - Sort: eliminate unnecessary devices
    - Set in Order: organize remaining items
    - Shine: clean and inspect work area
    - Standardize
    - Sustain: regularly apply standards as well as audits
  - Autonomous Maintenance: operators carry out regular maintenance
- Start measuring overall equipment effectiveness in order to ensure best practice
- Introduce proactive maintenance techniques (Lean Production, n.d.)
Supply Chain Risk
Supply chains involve the personnel, businesses, resources, operations, and technology involved in the creation, sale, and distribution of our services to consumers (Wigmore, n.d.).
Our organization must follow a strict supply chain management system that focuses on minimizing risk for supply chains and logistics through the identification, assessment and prioritization of defense efforts.
Security procedures should include:
- Initially identify any potential weaknesses in our systems and address them
- Background checks on all employees
- Verifying participants' credentials
- Securing the information in transit or at rest
- Meeting all compliance and security standards
- Regular risk assessments of supply chain
- Training employees to identify and resolve supply chain security risks
Supply chain vulnerabilities may cause loss of data which leads to unnecessary costs. A management system will help combat physical risks such as theft or sabotage as well as cyber threats which include malware attacks and unauthorized access. While threats cannot be completely erased, supply chain security can work towards a more secure deployment of media (Lewis, 2019).
Vulnerability Management Program
SC must now implement a vulnerability management program in order to secure information technology systems. This system of practices will work to identify, analyze and address flaws in hardware or software that could leave our organization open to malicious attacks. Implementing a vulnerability management program in SC's system of practices includes:
- Tracking of system assets/resources
- Categorize assets
- Scanning assets to detect vulnerabilities
- Ranking and prioritizing the risks
- Managing software patches to overcome the vulnerability
- Remediate and rectify vulnerability (UMUC, n.d.)
Educate Users
The M&A between NFLX and SC in the coming months will require both teams to work together to introduce our new network agreements and policies. Our team will undergo online training as well as in-person education on how to ensure our security posture runs optimally. Ongoing annual training will help to keep members of our company up to date and accountable. Topics will include:
- Password security
- Social engineering
- Company guidelines and policies
- Penalties for noncompliance
Conclusion
In the coming months Netflix and SoundCloud will experience many changes during our merger and acquisition. Although the security and operational capabilities are currently weak, our plan to mitigate these issues will leave SoundCloud stronger and more efficient. Together our organizations will be able to provide unique services that will generate great revenue.
Works Cited
- Hartman, A. (2002). Security considerations in the merger/acquisition process. Retrieved from SANS Technology Institute: https://www.sans.org/reading-room/whitepapers/casestudies/security-considerations-merger-acquisition-process-667
- Jardine, J. (2014, July 22). Policy Gap Analysis: Filling the Gaps. Retrieved from Secure Ideas: https://blog.secureideas.com/2014/07/policy-gap-analysis-filling-gaps.html
- Jordan, M. (2017). RTP Security Vulnerabilities: A Retrospective. Retrieved from Asterisk: https://blogs.asterisk.org/2017/09/27/rtp-security-vulnerabilities/
- Kennedy, R. B., & Nelson, W. D. (2016, November 2). Cybersecurity Concerns in Mergers and Acquisitions. Retrieved from Law 360: https://www.law360.com/articles/857627/3-cybersecurity-concerns-in-mergers-and-acquisitions
- Koeppel, H. R. (2014, August). Eight steps for comprehensive BYOD governance. Retrieved from Tech Target: https://searchcio.techtarget.com/opinion/Eight-steps-for-comprehensive-BYOD-governance
- Koneti, E. (2010, May 12). BitLocker in Windows 7. Retrieved from http://eskonr.com/2010/05/bitlocker-in-windows-7/
- Lean Production. (n.d.). TPM (Total Productive Maintenance). Retrieved from Lean Production: https://www.leanproduction.com/tpm.html
- Lewis, S. (2019, May). Supply Chain Security. Retrieved from Tech Target: https://searcherp.techtarget.com/definition/supply-chain-security
- Mikoluk, K. (2013, July 25). Gap Analysis Template: The 3 Key Elements of Effective Gap Analysis. Retrieved from https://blog.udemy.com/gap-analysis-template/
- Rouse, M. (2014, December). full-disk encryption (FDE). Retrieved from TechTarget: https://whatis.techtarget.com/definition/full-disk-encryption-FDE
- Rouse, M. (2014, September). Trusted Platform Module (TPM). Retrieved from TechTarget: https://whatis.techtarget.com/definition/trusted-platform-module-TPM
- Rouse, M. (2018, June). DMZ (networking). Retrieved from Tech Target: https://searchsecurity.techtarget.com/definition/DMZ
- Schapker, R. (2005, September). trusted computing base (TCB). Retrieved from TechTarget: https://searchsecurity.techtarget.com/definition/trusted-computing-base
- Schulz, M. (2013, June). Pros and cons of mobile device management software. Retrieved from Tech Target: https://searchmobilecomputing.techtarget.com/tip/Pros-and-cons-of-mobile-device-management-software
- UMUC. (n.d.). Streaming Protocols. Retrieved from University of Maryland University College: https://lti.umuc.edu/contentadaptor/page/topic?keyword=Streaming%20Protocols
- UMUC. (n.d.). Vulnerability Management Program. Retrieved from University of Maryland University College: https://lti.umuc.edu/contentadaptor/page/topic?keyword=Vulnerability%20Management%20Program
- Wigmore, I. (n.d.). Supply chain. Retrieved from http://whatis.techtarget.com/definition/supply-chain