Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Capstone
Jose Lopez
4404521
Security is the essential quality for a business to succeed. Not having a good solid security
structure can cause your business to deteriorate until failure. We do not want our business to fail.
This security plan will provide most of the necessary resources and information to follow to
complete your security plan. Ai-Robotix Corp. is a valuable source for not only the Inter
Cyber threats grow everyday more with better and faster methods to gain access and control to
any system. Our goal is to identify, stop and mitigate any attack and/or malware before it causes
any harm to our systems. A safer environment where all employees and owners feel free to
continue the development of new technologies without any interruption. A disaster recovery plan
will also be discussed on this paper to note the importance of having one since the business
The paper is divided on the following points the physical security, authentication, network
security, encryption, software development, malwares, email security, Internet, disaster recovery
Location
The location of the assets of any business is very important and should be always be addressed
before any installation of any equipment. Physical security is the foundation for our overall
strategy (Shinder, 2007). Some key points to look when deciding how to address physical
containing sensitive information that will be managed by the local server is a very important
piece of data that will have to always remain safe and encrypted as we are going to discuss later
on the paper.
Ai-Robotix Corp. main office is located in a small space on the Inter American University in
Bayamon. The small office is secured by a Common Access Card reader that opens the only
entrance door. They have the tendency to leave the door always open because not everyone’s
access card is working, creating a vulnerability for their servers and physical assets because the
office is at time unattended and a server rack with other network switches are leave unattended to
the view of every who enters the office. Also use some of the university servers to run their web
page, http://ai-robotix.com/. The type of setup that Ai-Robotix has is an unsecured way to
manage their information. Since they also sell their own software’s online they manage sensitive
information from customers that is stored on the university servers. Trusting the university
security is a huge risk they are taking. Why? Because they do not manage their own security and
having the high volume of students connecting to the same server they can run into performance
issues as well as vulnerability exploitation since they do not control the updates and security
Another issue found on their physical security is the lack of surveillance. The only surveillance
found was the guard at the entrance of the university that with only telling him that you are going
to the library to study you can pass the gate at any time and they don’t even check any
identification card or record a license plate of the vehicle. There are several security cameras on
the building where the Ai-Robotix office is stablished but once inside the office there are no
other type of surveillance. Reconnaissance cameras monitoring continuously will provide that
key information of who was in and out at a certain time where a security breach was detected
(Shinder, 2007). There are several security options, biometrics scans, which provide some extra
security with a log report that are also important to prevent any threat.
Authentication
Why so important?
The SANS Institute on their paper Overview of Different Authentication Methods and Protocols
by Richard Ducan, describes authentication as selecting the right way to secure a system.
Authentication protocols can be used anywhere where there is access needed to a restricted
place. Some examples are: Passwords, Digital Signatures, Biometric Scanners and Common
Access Cards. Authentication protocols are created to not only gave access to someone to enter
to a restricted site, but also they can create logs that will help future investigations defining who,
when, and where a misuse of an asset happened. Creating logs of every change is important but
one of the most important ones are the authentication logs. They can save anyone who is
innocent from been prosecuted as the one that created any damage to the assets. For a small
business as Ai-Robotix the authentication protocols are as important as the physical security. The
authentication protocols stablished by any business will be a great part for the security of the
information they manage. Setting passwords for each of the users to gain access to their
Choosing the best password for your security is essential. There are several ways to create a
strong password that will make any cracking software decades to decipher. Creating a password
with common words, dates, numbers only is not secure that is why is recommended to use
composed passwords with upper and lower case letters, numbers and symbols.
The best method I have found to create a strong password and not forgetting it is the following:
1. Create a sentence easy that you will always remember.
2. Take the first and last letter of each sentence to create your complex password, also use
My2ksae:LaadJe
months.
Ile4-wldecs
AcetoPoRofr7ds
months.
When compared the results using the same tool and simple passwords created from the same
PRCruise2015 AcetoPoRofr7ds
36537 years, 2 months 420805123888006 years, 6 months
The years where calculated using the tool How Long to Hack My Password from www.random-ize.com
There I have created complex passwords that will take years for a cracking tool to decipher.
Always remember that not the longer the password the better, is a combination of length symbols
upper and lower case letters and numbers that will provide the best password. Creating password
with the method I showed above is a simple way to always remember the password. Having the
best password is useless if you do not remember the complicated password. Using password
generators is an easy way to create fast passwords from simple words that are almost impossible
to crack today. Also tools like SafeInCloud where you can store all your passwords in one
application that can even be unlocked by the fingerprint readers on new phones, is a great
application that stores your passwords encrypted locally on your phone or in the cloud. Easy to
access and even have a password generator for the user to create custom complex passwords.
The application is available for most of the OS including Android and iOS.
Government agencies and most of the business uses the Common Access Cards (CAC) to gain
access to restricted locations. They are an easy way to manage security but only having to pass
the CAC through the sensor does not provide a very good security. Since it is only by the CAC
that the user gain access, other users or anyone with bad intentions can steal a CAC and have full
access to restricted areas. The CAC is also commonly use to authenticate users on their work
stations. Having to place the CAC on a CAC reader and a 6+ digit pin to gain access is a good
Biometrics
Biometric scanners are a great security achievement. Since passwords will provide access to
anyone with the password combination, biometrics creates a new way to provide security since it
uses our physical bodies to authenticate the users. The most commonly used authentication
methods for the biometric protocols are fingerprints and eye iris. Every user have a different sets
of fingerprints that they are born with. Since it’s a unique feature that all users have why don’t
use it as a security authentication protocol. Today we can see that most of the new phones
include a fingerprint reader, it is easy to use just place your finger on top of the sensor/bottom
and there you have access to all of your phone data. Some business have adopt this protocol but
not for security, they use to keep track of the timesheets of the employees.
Ai-Robotix can implement this biometric security to their access door, where they can easily
manage the users that can go into the office. Not using a Common Access Card that can be stolen
from any of the employees and gain easy access to their assets is a great advantage and will
Multiple protocols
Using a combination of different security protocols will always provide a better security.
Managing the security is essential for the benefit of everyone including employees, customers
and any asset connected to the network. Always remember that there are only two goals in
authentication: First, unauthorized users will never gain access and second, all authorized users
Network security is what will provide the safety travel off all your business data. They
are activities or protocols established to protect your network as defined by CISCO. The idea of
network security is to create a complex set of protocols that will create a barrier between your
data and hackers. There are many hackers out there just trying to prove a point and challenging
themselves to hack into any vulnerable network. The network security will provide a defense line
between your data and the hacker trying to gain unauthorized access. A network security can be
as simple as a firewall. Other security measures taken when there are more complex systems
involve and a firewall only would not do the job and needs some help from malware detection
systems and intrusion prevention systems. Also a secure way to connect to your business
network when working from an unsecured network is using a Virtual Private Network or VPN.
The most common attacks on 2015 where; DDoS Attacks, Mobile Malware, Data Destruction,
Data interception, Zero-day attacks and many other types of attacks (Bradley, 2015).
Security Tools
There are many tools out there to download to provide security for your business. Many are very
expensive but there are several non-expensive tools that for a small business, like Ai-Robotix, it
will provide a defense line where the data stays safe. Some of the tools are: Zenoss Core,
OpenNMS, Security Onion, Kali Linux, OpenVAS, OWASP, BeEF and Unhide (InfoWorld,
2015). These tools are great to detect, prevent and analyze your network security.
The Budget
The security of the network is a very important factor for your assets. Many of the vulnerabilities
are created by human interaction, for example, “been a CEO of a business that have run well for
the past 20years without investing that much in network security” is a huge risk that can create
catastrophic data lost and identity theft if the network is vulnerable. Developing a network
security protocol is essential. Hacking experts exploit these vulnerabilities and have been getting
more sophisticated each day more, developing new tools and more efficient ways to focus their
attacks and pass the securities implemented by any businesses (Ellyatt, 2015).
Internet of Things
The new Internet of Things or IoT has been growing in the past 5 years exponentially. Basically
is any device that connects to the internet including, TVs, Cameras, Game consoles, Smart
Watches and any device that tracks, records, log any personal detail of our lives (Bradley, 2015).
Having the IoT surrounding and recording almost every detail of our daily common lives create a
concern on their security and a new meaning for home security. Now not having the proper
security for your network will not only affect your data but it can also affect yourself directly.
Encryption
Why we Encrypt?
Encryption is the process of changing an information to an unreadable format to cover its true
meaning. Also serves as an extra protection we use to create a secure data stream to be stored
and un-decipher until the encryption key has been validated and authenticated to reveal the true
data (Schneier, 2015). We use encryption to manage, send or store data in a secure way. There
are several encryption algorithms but the most commonly used are the RSA and the AES. They
are both used by government agencies for their reliability and difficulty to decipher. The 256-bit
AES is one of the most secure encryption methods ever developed with this method and is
Network Security
Encryption is essential to complete your network security. Addressing all the points discussed
above in combination with encryption will provide the reliably any business needs. Data loss is
hitting every business and with the management of tons of sensitive data encryption will provide
that extra security, even if they gather your sensitive data if encrypted they will not be able to
For small business there are several key requirements to manage sensitive data. During my
research I discovered that there are 6 main systems to encrypt, workstations, storage, servers,
email, file sharing and network communication. Workstations are the user interface where most
of the data is input and move to any other place. The servers will manage the input data from the
workstations to the storage. Email server where information will go from a secure environment
to an unknown environment. The internal network will move all these encrypted data from one
place to another. Finally the file sharing, when the user use removable devices to physically
move the data from one place to another. When configuring an encryption system these are the
main point to focus but the most important one is the file sharing.
Sharing Data
The most important part of encryption is to give the encryption key to only the receiver. When
dealing with removable storage devices, on any business there have to be some protocols. For
example for many government agencies when the user inserts a removable device (CDs DVDs
External HD, Pen Drives, etc.) the computer will tell you to encrypt the device and create a
password. The password will be the key to read the sensitive data stored on the device. Advise
and train the employees to manage carefully the password, users tend to write down passwords
on stick-notes and then placing them on top of the encrypted device, that behavior will create an
unsecure device and anyone that founds the device, if lost, it would have easy access to the
There are several tools that can be used to maintain a secure communication between an
encrypted source and a unsecured receiver. First the email applications, when using Outlook a
powerful tool called EdgeWave is one of the best in the market. Added as a plugging to the
Outlook software it provides a tap with a “send secure” bottom that will encrypt the message and
attachments and the receiver will receive a link where he will stablish a secure connection to
protocols and is supported by Windows, iOS and Linux. For full local disk encryption the
BitLocker application from windows does the work. It supports AES 128 and 256 bit encryption
and is a very simple process to complete (Henry, 2015). Most of the network routers with
wireless capabilities provide WEP, WPA and WPA2 encryption, always choose the WPA2
encryption since it have AES capabilities and for small business that will be the way to go.
Software Development
language and how secure will it be. For Ai-Robotics and their development team this is a crucial
practice they should take in consideration when developing their software’s and selling them to
the public. Selecting from C/C++, iOS, JavaScript, Android, .NET, Java, PHP, ColdFusion and
many others is a decision to take depending of a couple of factors including the device that is
intended to use the software, the type of applications and the security is needed. If you are
creating a simple software to calculate time and data or a simple game to entertain yourself you
might not think about which is the most secure source code instead you will be thinking about
which is the fastest to write and performance, but for companies that will provide their software
to millions the development of a secure source code that is inaccessible and secure is essential.
The Open Web Application Security Project (OWASP) created a study for the testing of
Following the study we can determine that JavaScript was the successful winner of the test. It is
followed by the most used mobile device source code Android and iOS and the one of the most
used the C++. Dealing with the security when developing a software the protocols used and the
Types of Malware
There are many types of malware but the most notorious ones are: Adware, Spyware, Virus,
Worm, Trojan, Rootkit, Backdoors, Key loggers, Rouge Security software, Ransomware and the
Browser Hijacker. Hackers are always trying in clever ways to trick every user into downloading
their malware or respond to their email scams (Sanchez, 2011). These malicious software’s are
very harmful for any system. Prevention is key but when having employee’s education is
essential.
Prevention
Malwares have been increasing since the beginning of the internet. They are software’s created
for the destruction or intrusion where we can include virus, spyware, worms, adware and any
other type of malicious program. They are commonly transmitted by removable storage devices,
emails, networks, and downloaded from the web. When your business is infected by any type of
malware you might be able to detect it by looking at the performance of the system. Slow
performance could mean that there are extra processing power been used by another application
that could be a malware. Also slow internet browsing can be a signs of a malware infection that
is using the internet to communicate with an external source. The prevention of malware can be
focused on a good practice of internet use and education to the employees is one of the best tools
you can use to prevent this type of malicious software (Geier, 2011). With a firewall and
monitoring system you can prevent on your business multiple suspicious websites that have these
malwares waiting to be deployed to your computer and network, but there is always a way to
introduce a malware to your network. For example one of your employees charges his phone at
home with a USB connected to his personal computer, a new malware have been released and is
stored on removable devices. The malware have already infected your employee personal
computer and have copy itself to the cellphone. Tomorrow he will go as usually to your business
start working and plug the infected device in to hi workstation without knowing that the
malicious software have now infected the workstation and is looking already to copy itself to all
the network devices connected. That is how simple it is to transfer a malware to an entire
network. There are many tools to prevent this scenario and many others.
Malware Scanners
There are hundreds of tools that will help you scan for these malwares and prevent from causing
more harm to your system. The top 8 as defined by Tech Arena are Malwarebytes, Spybot search
and Destroy, Ad-Aware Free Antivirus+, Super Antispyware, Panda Antivirus, Adw cleaner,
AVG Antivirus and the Microsoft Security Essentials (Bhagat, 2016). These tools offer a variety
of features that will detect and mitigate any malware active. Also software’s like AVG Antivirus
provide great capabilities scanning newly connected devices and creating a report if any infected
file is found. Protecting your assets is very important and while you are trying to grow your
business there are always people creating these small malicious codes to test the capabilities of a
system and create some damage. Data loss is a concern to anyone and most of these software’s
their intention is to destroy data, copy and send data to an external source or just stay hidden
doing a key log and sending it when no one is looking. There are also malwares that just create a
backdoor for hackers to gain access to the systems and networks so they can personally cause the
harm.
Internet
The Revolution
The internet have connected the world, users from anywhere can interact with other user around
the world. A revolutionized method of communication between computer that have been
exploited to transfer data in many different languages and sizes. Unstoppable and will continue
Capabilities
Since the formal acknowledgement of the internet there have been many security breaches and it
have been growing exponentially day by day. For business the internet provides unlimited
communication with almost anything around the world and even space. The information
resources are immense and simple ways to gather information with your finger tip. The
capabilities are immense but also the harm that it can create.
Security
Harmful software’s like the ones we discussed on the Malware section are transported using this
medium to affect anyone connected. Spam Mail, Virus Trojans can target the large personal
sensitive information traveling the internet. Credit card, identity theft and many other sensitive
information is stolen every day because of the internet. Also having an unlimited resource of
information without any filters can affect children’s to be exposed to adult content while them
brows with their personal devices (Lucas, 2015). The internet have create another addiction for
users, people get anxious if they don’t have a device with internet and cannot get in contact with
their social media. Facebook is a great example of users been addicted to the internet and to the
social networks, is great that it connects everyone but do you really want to live a virtual life? It
is also a tool for burglars that can know everything from their victims without getting out of their
beds, and with a simple Check-in on the theater from the victim the theft know when to attack
and can even determine how long you will be out before you get home.
Disaster Recovery & Business Continuity Plan
Risk Assessment
The risk assessment is an important element to perform when developing both plans. The risk
assessment will provide the system administrator with all the protocols, methods and any other
component of the system that needs to be addressed. Remember that the importance of creating a
disaster recovery and business continuity plan is to create procedures to return the operations to
The Disaster Recovery Plan (DRP) is a very important key document to be developed by every
business. The DRP will provide the element needed and the essential information to safely
recover any hardware or software loss in a safely manner. This plan should be developed with
the Business Continuity Plan that we are going to address on the next topic. Big or small
business, it does not matter, they all work with sensitive data and they work to provide to
customers that need their services. Data loss, software malfunction, hardware failure, hackers,
malwares, human errors or any natural disaster are the primary points to address when creating
Backups are one of the first and simple ways to start your implementation. Having daily backups
or synchronization with a cloud service is a key element that will provide the continuity needed
if a disaster strikes. Saving everything might cover tons of data but look at the consequences that
it might have if only half of the data is only backed up, probably then you will have half of the
customers information. A safe site is also an essential part of been able to adapt to any natural
disaster. For example if a storm strikes the city where your business is located and it destroyed
windows and the work area for the employees is all destroyed, having a safe site to continue with
operations is not only part of the disaster recovery plan but also part of the business continuity
plan. The disaster recovery will start as soon as the disaster strikes while the business continuity
plan will start as soon as the local site is not more a safe location for employees to work (Rouse,
2009). Every business approach differently and less than 50 percent test their plans, even those
Cloud Implementation
When you are addressing the disaster recovery and business continuity plan the cloud
environment sounds great. If the local site is destroyed or not safe for the employees having an
up to date cloud system where employees can connect via VPN from their homes is a great way
to address any disaster that haven’t affect the cloud provider or Internet Service Provider. There
are many ways to approach a disaster recovery and business continuity plan but a cloud based
system might be the way to go. Choosing the correct provider will be the most difficult part of
the project (Posey, 2013).Selecting from cost effective to performance and storage capabilities is
very crucial and will depend on the specifications of your current system and how it will
measures to minimize and mitigate threats. Have in mind that security protocols are constantly
updated as the hackers develop and find new ways to exploit vulnerabilities on the system. The
system not only being computer and networks but also employees, that is why education to the
employees about the vulnerabilities and consequences of not following security protocols is
essential (Shinder, 2001). Hackers will always look at the different ways to gain access to a
network and by making it more difficult the more challenging is for them, the security
administrator just have to create a challenging design that can make the hackers tiered and leave
the system unharmed. These is created by placing all the security features discussed in this paper
system and a monitoring system that provides live feedback to the administrator.
The creation of this paper is with the intention of provide a security perspective from an external
source. All the security implementations discussed on this paper can be followed but having in
mind that all the security discussions where based on a single business, Ai-Robotix. The security
implementations discussed on this paper are not only addressed for Ai-Robotics, they are for any
Bhagat, A. (2016, March 01). Top 8 Best Malware Removal 2016 & Spyware Removal Tools.
Bradford, C. (2014, July 31). 5 Common Encryption Algorithms and the Unbreakables of the
http://www.storagecraft.com/blog/5-common-encryption-algorithms/
Bradley, T. (2015, January 14). Experts pick the top 5 security threats for 2015. Retrieved March
threats-for-2015.html
Ducan, R. (2001, October 23). An Overview of Different Authentication Methods and Protocols.
room/whitepapers/authentication/overview-authentication-methods-protocols-118
Ellyatt, H. (2015, January 05). Top 5 cybersecurity risks for 2015. Retrieved March 27, 2016,
from http://www.cnbc.com/2014/12/19/top-5-cyber-security-risks-for-2015.html
Geier, E. (2011, November 15). How to Remove Malware From Your Windows PC. Retrieved
http://www.pcworld.com/article/243818/how_to_remove_malware_from_your_windows
_pc.html
Henry, A. (2015, February 8). Five Best File Encryption Tools. Retrieved March 27, 2016, from
http://lifehacker.com/five-best-file-encryption-tools-5677725
How long would it take to crack your password? (2012). Retrieved March 27, 2016, from
https://nakedsecurity.sophos.com/2012/05/25/how-long-would-it-take-to-crack-your-
password/
InfoWorld. (2015, September 16). Bossie Awards 2015: The best open source networking and
http://www.infoworld.com/article/2982962/open-source-tools/bossie-awards-2015-the-
best-open-source-networking-and-security-software.html#slide1
Kirvan, P. (2011, May). Disaster recovery: Risk assessment and business impact analysis.
recovery-Risk-assessment-and-business-impact-analysis
Lucas. (2015). Advantages and Disadvantages of Internet. Retrieved March 27, 2016, from
http://www.enkivillage.com/advantages-and-disadvantages-of-internet.html
OWASP. (n.d.). Source Code Analysis Tools. Retrieved March 27, 2016, from
https://www.owasp.org/index.php/Source_Code_Audit_Tools
Posey, B. (2013, August). Implementing cloud-based disaster recovery: Six key steps. Retrieved
cloud-based-disaster-recovery-Six-key-steps
pass/
Rouse, M. (2009, December). What is disaster recovery plan (DRP)? - Definition from
http://searchenterprisewan.techtarget.com/definition/disaster-recovery-plan
Sanchez, M. (2011, May 12). 5 Ways to Educate Employees about Network Security. Retrieved
employees-about-network-security
Schneier, B. (2015, June 23). Schneier on Security. Retrieved March 27, 2016, from
https://www.schneier.com/blog/archives/2015/06/why_we_encrypt.html
http://www.techrepublic.com/article/understanding-and-selecting-authentication-
methods/
Shinder, D. (2007, July 16). 10 physical security measures every organization should take -
things/10-physical-security-measures-every-organization-should-take/