
CHAPTER III

METHODOLOGY

In this chapter, details of the research methodology used in the study are discussed. This research aims to study the security mechanism of an organization through the survey method. The survey is conducted by questionnaire. This research proposal uses a quantitative approach, and a survey is used to collect the data.

Data Collection

The data to be studied concerns the security mechanism of an organization. For this study, we have 11 IT staff currently working in the Provincial Capitol of Davao del Sur. Data was collected using a survey questionnaire. Six areas of information security were studied in this research. The template consists of 10 questions per topic, covering Data Security, Application Security, Operating System Security, Network Security, Physical Security, and Access Control Security.

Data Security

Using a descriptive case study research approach, this study examines the security mechanism of the Provincial Capitol of Davao del Sur. Following the quantitative research route, a survey questionnaire was conducted to determine the data security practices of the organization. Interviews were conducted personally, face-to-face, in the real-life setting of the respondents. A total of 11 personnel in the organization were given a survey questionnaire to answer the following questions. The answers of the respondents are below.

Table 1.1

DATA SECURITY (YES / NO)
(“/” marks the column ticked by the respondents.)
Do you install antivirus and personal firewall on your computing device? /
Do you backup your data regularly? /
Do you backup your data to an external storage? /
Do you use a strong password on your computing device? /
Do you encrypt your sensitive data? /
Do you securely erase* data on your hard drive before disposing of it? /
  *Secure erase is the process of repetitively overwriting the data on the media to ensure that it is not recoverable.
Are there adequate procedures to inform, train, and assist operations staff in the implementation and support of changes in the system? /
Do procedures exist to inform and train users when database system changes occur? /
Does the application encrypt data before sending it over the Internet or an open network? /
Do you have a mechanism to backup critical IT systems’ sensitive data? /

Data security is about keeping your data secure from accidental or malicious damage. Security is a consideration at all stages of research, particularly when working with disclosive or licensed data. Computers should be password protected, with file permissions controlled so that users, depending on their status, can “read only”, “write”, or “execute” files. The above result is an indication of the data security measures of their systems. They did not use a strong password on their computing devices, which puts them at a disadvantage against theft and hackers: an attacker can easily access their systems and manipulate data. Computer firewalls should be enabled, and anti-malware software kept up-to-date and operational.
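The paragraph above recommends controlling which users can “read only”, “write”, or “execute” files. The script below is an added example (not part of the chapter) showing how those permissions are represented as POSIX mode bits and how an administrator can audit a directory for files that users other than the owner may modify. The three sample files, their names and their modes are constructed in a temporary directory so the audit runs offline; the finding labels are my own.

```python
"""Audit file permissions and flag files that everyone can modify."""
import os
import stat
import tempfile

# (who, read bit, write bit, execute bit) for the three permission classes
CLASSES = (
    ("owner", stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR),
    ("group", stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP),
    ("other", stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH),
)


def describe_mode(mode):
    """Render a mode as {'owner': 'rw-', 'group': 'r--', 'other': '---'}."""
    rendered = {}
    for who, r, w, x in CLASSES:
        rendered[who] = (("r" if mode & r else "-")
                         + ("w" if mode & w else "-")
                         + ("x" if mode & x else "-"))
    return rendered


def permission_issues(mode):
    """Return the findings for one file mode, most serious first (labels are constructed)."""
    issues = []
    if mode & stat.S_IWOTH:      # anyone on the machine can overwrite the file
        issues.append("world-writable")
    if mode & stat.S_IWGRP:      # every member of the group can overwrite it
        issues.append("group-writable")
    if mode & stat.S_ISUID:      # executes with the owner's privileges
        issues.append("setuid")
    return issues


def audit_tree(root):
    """Walk root and map each file (path relative to root) to its findings.

    Files without findings are omitted, so an empty dict means a clean tree.
    """
    report = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            issues = permission_issues(os.stat(path).st_mode)
            if issues:
                report[os.path.relpath(path, root)] = issues
    return report


def demo():
    """Create three constructed sample files with different modes and audit them."""
    with tempfile.TemporaryDirectory() as root:
        samples = {"shared.csv": 0o666, "team.doc": 0o664, "private.key": 0o600}
        for name, mode in samples.items():
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
            os.chmod(path, mode)
        return audit_tree(root)


if __name__ == "__main__":
    for path, issues in demo().items():
        print(f"{path}: {', '.join(issues)}")
```

Only `private.key` (mode 0600, owner read/write only) passes the audit; the other two are reported because their group or everyone can write to them. On a real system the same `audit_tree` call can be pointed at a shared data directory.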


Cryptography

Encryption is a great research data management tool for securing the storage and transmission of files, and it is good practice to encrypt any disclosive files and the machines or devices that store data. Encryption maintains the security of data and documentation through an algorithm that transforms information into something unreadable, requiring a “key” to decrypt it and return it to a comprehensible form. Encryption is a best practice for preventing the theft of data on your computer and for keeping important private messages within the organization confidential.

Application Security

Application security is the process of making apps more secure by finding, fixing, and enhancing the security of apps. Much of this happens during the development phase, but it also includes tools and methods to protect apps once they are deployed. This is becoming more important as hackers increasingly target applications with their attacks. Application security is getting a lot of attention. Hundreds of tools are available to secure various elements of your applications portfolio, from locking down coding changes to assessing inadvertent coding threats, evaluating encryption options, and auditing permissions and access rights. There are specialized tools for mobile apps, for network-based apps, and firewalls designed especially for web applications.

The faster and sooner in the software development process you can find and fix security issues, the safer your enterprise will be. Because everyone makes mistakes, the challenge is to find those mistakes in a timely fashion. For example, a common coding error is to accept unverified input. This mistake can turn into SQL injection attacks and then data leaks if a hacker finds it. Application security tools that integrate into your application development environment can make this process and workflow simpler and more effective. These tools are also useful if you are doing compliance audits, since they can save time and expense by catching problems before the auditors see them. The rapid growth of the application security segment has been helped by the changing nature of how enterprise apps have been constructed over the last several years.

By “application,” I mean any internally-developed build, regardless of whether its primary intended platform is the Web, mobile devices, or a traditional desktop OS like Windows. This is because all application builds must go through the standard cycle of development, testing, settling on a release candidate, and deployment into operations — at which time, too often, problems are found and the new build is sent back for fixes. So application security can often be improved by improving that cycle at various points. Below is the data.

APPLICATION SECURITY (YES / NO)
(“/” marks the column ticked by the respondents.)
Does the application force “new” users to change their password upon first login into the application? /
Can the application be set to automatically lock a user’s account after a predetermined number of consecutive unsuccessful logon attempts? /
Does it detect and defeat encrypted application attacks? /
Does it prevent the leakage of sensitive corporate or customer data? /
Can the user change their password at any time? /
Does the application have the ability to run a backup concurrently with the operation of the application? /
Does the application provide for integration into standard network domain structures? /
Can the application force password expiration and prevent reusing a password? /
Does the application allow the system administrator to set inclusion or exclusion of audited events based on organizational policy and operating requirements or limits? /
Are audit log reports available for the current version of this software application? /
Table 1.2
First, from a development standpoint, it’s important to integrate application security best practices in coding regardless of the specific methodology (Waterfall, Agile, etc.). After half a century of careful analysis, we now know quite a bit about how programming errors tend to arise, and how best to avoid them.

There are, additionally, various code vulnerability scanners designed specifically to improve application security at this early stage. I’ve gone into these in another recent blog entry, so won’t be exploring them in detail here, but they can help automatically spot cases in which best practices have not in fact been followed in coding.

We live at an interesting time, when the very definition of applications is rapidly changing — consider all the apps recently introduced for mobile devices, Web apps, plus composite apps! So are the diversity and complexity of the environments in which they operate.

Operating System

Research papers are assessed based on the source of information. The University of Bridgeport provides its members, whether they are faculty members or students, access to thousands of digital resources via its digital library [5]. Many operating systems are built on UNIX with some modifications and developments; some of them are Macintosh, Windows, and Linux [18], but UNIX is open source, working with the developer community. UNIX has many versions such as UNIX 93, UNIX 95, UNIX 98, and the latest version is UNIX 03. UNIX is a powerful operating system used for complicated tasks, where programmers need to work with the command line even if it has a graphical user interface. Because of that, UNIX is categorized as being for serious programmers using the shell interface. UNIX is so sensitive to mistakes because it is hard even for an expert user to debug a mistake easily [19], which requires great patience and plenty of time.

Windows is an operating system developed by the Microsoft Corporation as closed source; they launched the first version on November 20, 1985 [20], one year after Apple released their first operating system. It is based on the Disk Operating System (DOS), which is well known as the black screen and command line. The last operating system released, on October 26, 2012, is called Windows 8 and is a personal operating system. Each Windows operating system has many versions such as student, home, professional, unlimited, and enterprise [24]. These distinctions lead to users being able to choose the system that best fits their unique needs. They released another type of operating system for servers in 2003, with an enterprise and a home edition, named Server 2003 and Home Server respectively. Currently, their share of the server market is approximately a massive sixty-four percent. The table below is the survey template.

Table 1.3

OPERATING SYSTEM SECURITY (YES / NO)
(“/” marks the column ticked by the respondents.)
Has antivirus software been deployed and installed on your computers and supporting systems? /
Do you have a mechanism to backup critical IT systems? /
Are disaster recovery plans updated at least annually? /
Can the operating system hosting the application (server or client) be updated by the user without voiding the application warranty or support agreement? /
Do the systems you use in your office have automatic lock capabilities to terminate a session or lock the application or device after a predetermined time of inactivity (e.g. screensaver lock)? /
Are the systems you use in your office protected by a firewall? /
Are the systems you use protected from virus infections that arrive via Instant Messaging clients? /
Regarding antivirus/antispyware protection, are the systems that you use protected by antivirus/antispyware software package(s) protecting each desktop and laptop? /
Do you set your operating system to automatically download and apply updates? /
What operating systems do the hosts in your office run? / Microsoft Windows

Hardware industries compete to develop computer parts, trying to achieve optimization of performance, because the Windows operating system is not bound to specific manufacturers. Some manufacturers are well known because they do global business [25], such as Dell, Asus, Toshiba, Acer, and HP. These global brands all sell personal computers and servers for big companies, and they occupy the middle layer between the Microsoft Corporation and the client. They provide the client with hardware, customer service, and a warranty. Also, local stores with basic knowledge can build computers and install Windows. Because of competition, industries release a series of the same parts with the latest technology within a short period of time, sometimes within a year. That leaves users the option to build their computer [26] based on their budget and needs. It also gives people the flexibility to upgrade the inside of their machine, from screen to motherboard, within certain rules. Linux is a powerful and unique operating system compared with other operating systems such as Windows and Macintosh. Moreover, installing Linux on a machine is simpler than with other operating systems such as Windows and Mac.

A comparison of Linux with Windows shows that Linux quite rarely crashes, which in Windows is known as the blue screen, or that Windows usually goes down because of overload. In terms of paying hundreds of thousands of dollars to protect data from being leaked or attacked by an adversary [49], users could have that for free in the Linux market, whereas with Windows you need to pay for it. Linux has a very strong firewall, which makes Linux undefeatable in terms of attacks. It has a unique technique for reducing virus activity. The rate of malware is lower in Linux compared with the Windows operating system because malware designers target the largest number of computer users. Besides, spyware and viruses designed for Windows cause it to slow down, and as a consequence the performance of the operating system is reduced [50]. On the other hand, users find disadvantages in Linux, where many applications are not designed to run on Linux or do not exist for Linux, such as iTunes and Microsoft programs. This is considered an obstacle by people who care about applications and do not want to replace their whole operating system just to have a “plug & play” application that they desire. It takes time for some people to become familiar with and learn Linux’s many advantages and its limitations [51].

Network Security and Physical Security

The overall approach of this study is quantitative. Its aim is to identify the problems and safety measures regarding the physical and network security of a security system. Quantitative research is the most suitable approach for this research because we obtain the percentage of the respondents’ answers, and it is easy to understand and evaluate the data of the responses.

Table 1.4

NETWORK SECURITY (YES / NO)
(“/” marks the column ticked by the respondents.)
Must all users on the network enter a log-on ID and password to access the network security? /
If the network is connected to outside services or related services through the Internet, have “firewalls” been created to centralize access control to and from the network and the other service? /
Is the facility local area network connected/bridged into any other network? /
Are any of these devices connected to a facility local area network? /
Are systems and networks that host, process and/or transfer sensitive information ‘protected’ (isolated or separated) from the other systems and/or networks? /
Is there a standard approach for protecting network devices to prevent unauthorized access, network-related attacks and data theft? i.e. firewall between public and private networks, firewall separation, secure customer portal. /
Are third-party connections to your network monitored and reviewed to confirm authorized access and appropriate usage? i.e. VPN logs, server event logs, automatic alerts. /
Is sensitive information transferred to external recipients? If so, are controls in place to protect sensitive information when transferred? i.e. with encryption. /
Does the network software prevent access by unauthorized users to or from other network services (gateway, fax, dial out, WAN, etc.)? /
Does the network software prevent access by unauthorized users to sensitive system functions such as security administration, network monitoring, server console operations, and enabling/disabling services? /

For data collection we used the survey method, which involves 10 questions per field using multiple choice. We did it in person, and the respondents took only a few minutes (3-5 minutes) to answer the questions. For our sampling method, we used simple random sampling so that respondents had an equal chance of being selected from the population. For the analysis, we prepared our data before analysing it, checking for missing data and removing outliers. All values outside the calculated range were considered outliers (Hoaglin & Iglewicz, 1987). The data was then analysed using statistical software, namely the commonly used Microsoft Excel.
PHYSICAL SECURITY (YES / NO)
(“/” marks the column ticked by the respondents.)
Security Guards:
Do you have security guards at the facility? /
Are security guards on duty all day, every day (24 hours per day, 7 days per week)? /
Are security guards employees of the company? /
Are there gates that control the entry of vehicles and personnel to your premises? /
Are employee and visitor parking areas separated? /
Does the facility have a digital intrusion detection/alarm system? /
Do any of these devices employ wireless technology? /
Is privacy screening installed on monitors in public areas and/or are monitors situated in such a way that they cannot be viewed by unauthorized individuals? /
Are the organization’s workstations and PCs physically secured to the desk through the use of a locking cable or other anti-theft device? /
Does the server room have a monitored temperature sensor? /
Is the physical location of the computer/server/storage/training rooms appropriate to ensure security? /
Does the office maintain written procedures relating to controls over the physical security of the computer equipment? /
Table 1.5

Access Control

Access is the transfer of information from an object to a subject. Subjects are active entities that request information about, or data from, passive entities called objects. A subject can be a user, program, process, or file that is accessing an object to accomplish a task. An object is a passive entity and can be a file, database, computer, program, process, printer, storage media, and so on. The object is always the entity that provides or hosts the information or data. The roles of subject and object can switch back and forth while two entities interact to accomplish a task.

In this particular case study, the research examined in detail the security mechanism of the Provincial Capitol of Davao del Sur; following the quantitative approach, a survey questionnaire was conducted to determine the access control practices of the organization. Interviews were conducted personally in the actual working setting of the respondents. The template contains 10 questions per topic, including Access Control, Application Security, Operating System Security, Network Security and Physical Security.

There are 11 participants in the organization who were given the survey questionnaire to answer.

Access controls are categorized based on the type of implementation into the following three groups:

1. Logical/technical access control - Logical and technical access controls are hardware or software mechanisms used to manage access to resources and systems. Examples of logical or technical access controls include encryption, smart cards, passwords, firewalls, routers, intrusion detection systems, and biometrics.

2. Physical access control - Physical access controls are physical barriers deployed to prevent direct contact with systems or areas within a facility. Examples of physical access controls include guards, fences, motion detectors, locked doors, sealed windows, lights, cable protection, laptop locks, swipe cards, guard dogs, video cameras, mantraps, and alarms.

3. Administrative access control - Administrative access controls (also called directive controls) are implemented by creating and following organizational policy, procedures, or guidelines. User training and awareness also fall into this category.
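The subject/object model introduced earlier in this section, and the logical/technical category in the list above, can be made concrete with a small reference monitor: every request by a subject to perform an operation on an object is checked against the object’s access control list, denied by default when no rule matches, and recorded so that denied attempts can be audited. The code below is an added example, not part of the chapter; the subjects, objects, operations and ACL entries are constructed for illustration.

```python
"""A minimal default-deny reference monitor for the subject / object model."""
from dataclasses import dataclass


@dataclass
class ProtectedObject:
    """A passive entity (file, printer, database) with a per-subject ACL."""
    name: str
    acl: dict  # subject name -> set of permitted operations


class ReferenceMonitor:
    """Mediates every access and keeps an audit trail of the decisions."""

    def __init__(self):
        self.objects = {}
        self.audit_log = []  # (subject, operation, object, decision)

    def add_object(self, name, acl):
        self.objects[name] = ProtectedObject(name, {s: set(ops) for s, ops in acl.items()})

    def check(self, subject, operation, object_name):
        """Allow only if the object exists and its ACL grants the operation to this subject.
        Unknown objects and unknown subjects are denied (default deny)."""
        obj = self.objects.get(object_name)
        allowed = obj is not None and operation in obj.acl.get(subject, set())
        self.audit_log.append((subject, operation, object_name, "ALLOW" if allowed else "DENY"))
        return allowed

    def denied_events(self):
        """Denied attempts are the entries an administrator reviews first."""
        return [entry for entry in self.audit_log if entry[3] == "DENY"]


def demo():
    """Constructed scenario: two HR roles, a payroll database and a printer."""
    monitor = ReferenceMonitor()
    monitor.add_object("payroll.db", {"hr_clerk": {"read"}, "hr_manager": {"read", "write"}})
    monitor.add_object("printer1", {"hr_clerk": {"print"}, "hr_manager": {"print"}})
    decisions = [
        monitor.check("hr_clerk", "read", "payroll.db"),     # least privilege: read is enough
        monitor.check("hr_clerk", "write", "payroll.db"),    # clerk may not modify payroll
        monitor.check("guest", "read", "payroll.db"),        # subject not on the ACL
        monitor.check("hr_manager", "write", "payroll.db"),
        monitor.check("hr_clerk", "print", "printer1"),
        monitor.check("hr_clerk", "read", "missing.txt"),    # object does not exist
    ]
    return decisions, monitor.denied_events()


if __name__ == "__main__":
    results, denied = demo()
    print("decisions:", results)
    for entry in denied:
        print("DENY:", entry)
```

Passwords, smart cards and biometrics decide who the subject is; the monitor above is the part that decides what an authenticated subject may do, and its log is the audit record several questions in the survey templates ask about.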

The demand for access control security systems in the organization’s area and nationally is at an all-time high, partly due to advanced technology and the response to increased security and safety threats. At our organization, we believe in creating safe environments by applying the latest technology in our access control systems. Here’s a closer look at why access control could be a vital component for the organization.
