
Ai-Robotix Security Plan

Capstone

Jose Lopez

4404521

Prof. Eric Yocam

ISSC 498 – Information Security: Capstone


Introduction

Security is essential for a business to succeed. Without a solid security structure, a business can deteriorate until it fails, and we do not want our business to fail. This security plan provides most of the resources and information needed to complete your own security plan. Ai-Robotix Corp. is a valuable resource not only for the Inter American University, where it resides, but also for the Information Technology world.

Cyber threats grow every day, with better and faster methods to gain access to and control of any system. Our goal is to identify, stop and mitigate any attack or malware before it causes harm to our systems, creating a safer environment where all employees and owners feel free to continue developing new technologies without interruption. A disaster recovery plan is also discussed in this paper to note the importance of having one, since the business currently doesn't have a trusted plan.

The paper is divided into the following points: physical security, authentication, network security, encryption, software development, malware, email security, the Internet, the disaster recovery plan and the business continuity plan.


Physical Security

Location

The location of a business's assets is very important and should always be addressed before any equipment is installed. Physical security is the foundation for our overall strategy (Shinder, 2007). A key point when deciding how to address physical security is to be conscious of what information is going to be managed or stored at the site. Customer information, bank-related documents, employees' personal information and anything else containing sensitive information managed by the local server is very important data that must always remain safe and encrypted, as discussed later in the paper.

Ai-Robotix Physical Space

Ai-Robotix Corp.'s main office is located in a small space at the Inter American University in Bayamon. The small office is secured by a Common Access Card reader that opens the only entrance door. Staff tend to leave the door open because not everyone's access card works, which creates a vulnerability for their servers and physical assets: the office is at times unattended, and a server rack and network switches are left in view of everyone who enters the office. They also use some of the university's servers to run their web page, http://ai-robotix.com/. This setup is an insecure way to manage their information. Since they also sell their own software online, they handle sensitive customer information that is stored on the university servers. Trusting the university's security is a huge risk. Why? Because they do not manage their own security, and with a high volume of students connecting to the same servers they can run into performance issues as well as exploitation of vulnerabilities, since they do not control the updates and security patches of those servers.

Another issue found in their physical security is the lack of surveillance. The only surveillance found was the guard at the university entrance; by simply telling him that you are going to the library to study, you can pass the gate at any time, and no one checks an identification card or records the vehicle's license plate. There are several security cameras on the building where the Ai-Robotix office is established, but inside the office there is no other type of surveillance. Cameras monitoring continuously will provide key information about who went in and out at the time a security breach was detected (Shinder, 2007). There are also other security options, such as biometric scans, which provide extra security along with a log report that is also important for preventing threats.

Authentication

Why so important?

The SANS Institute paper Overview of Different Authentication Methods and Protocols by Richard Ducan describes authentication as selecting the right way to secure a system. Authentication protocols can be used anywhere access to a restricted place is needed. Some examples are passwords, digital signatures, biometric scanners and Common Access Cards. Authentication protocols not only give someone access to a restricted site; they can also create logs that help future investigations determine who misused an asset, when and where. Logging every change is important, but among the most important logs are the authentication logs. They can save an innocent person from being prosecuted as the one who damaged the assets. For a small business such as Ai-Robotix, authentication protocols are as important as physical security. The authentication protocols established by any business are a large part of the security of the information it manages. Setting passwords for each user to gain access to their workstation is just the beginning of a good security implementation.


Passwords

Choosing the best password for your security is essential. There are several ways to create a strong password that will take any cracking software decades to decipher. A password made only of common words, dates or numbers is not secure, which is why it is recommended to use composed passwords with upper- and lower-case letters, numbers and symbols.

The best method I have found to create a strong password without forgetting it is the following:

1. Create an easy sentence that you will always remember.

   • My 2 kids are: Laura and Jose
   • I like 4-wheel drive cars
   • A cruise to Puerto Rico for 7 days

2. Take the first and last letter of each word in the sentence to create your complex password, and also use the numbers and symbols.

   • My2ksae:LaadJe
     Your password can be hacked in at the most 420805123888006 years, 6 months.
   • Ile4-wldecs
     Your password can be hacked in at the most 506637647 years, 7 months.
   • AcetoPoRofr7ds
     Your password can be hacked in at the most 420805123888006 years, 6 months.

When these results are compared, using the same tool, with simple passwords created from the same sentences, we can see the great difference.

Simple password    Time to hack                 Complex password   Time to hack
Lauraandjose123    8707845285 years, 28 days    My2ksae:LaadJe     420805123888006 years, 6 months
4wheeldrive        1 year, 5 months             Ile4-wldecs        506637647 years, 7 months
PRCruise2015       36537 years, 2 months        AcetoPoRofr7ds     420805123888006 years, 6 months

The years were calculated using the tool How Long to Hack My Password from www.random-ize.com.

There I have created complex passwords that will take years for a cracking tool to decipher. Always remember that a longer password is not automatically better; it is the combination of length, symbols, upper- and lower-case letters and numbers that provides the best password. Creating passwords with the method I showed above is a simple way to always remember them. Having the best password is useless if you cannot remember it. Password generators are an easy way to quickly create passwords from simple words that are almost impossible to crack today. Tools like SafeInCloud let you store all your passwords in one application, which can even be unlocked by the fingerprint readers on new phones; it stores your passwords encrypted locally on your phone or in the cloud. It is easy to access and even has a password generator for creating custom complex passwords. The application is available for most operating systems, including Android and iOS.
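
The sentence-to-password method from this section, as an added Python example that is not part of the original paper: it takes the first and last letter of each word, as the three example passwords do, and reproduces them. The function names are hypothetical, the bit figure is a plain brute-force upper bound rather than the random-ize.com calculation, and `words_exposed` shows which words of the sentence survive verbatim in a password.

```python
import math
import re
import string


def sentence_to_password(sentence: str) -> str:
    """First and last letter of every word; digits and symbols are kept."""
    def shrink(match: re.Match) -> str:
        word = match.group()
        # One- and two-letter words ("I", "My", "to") are kept whole.
        return word if len(word) <= 2 else word[0] + word[-1]

    # Only runs of letters are shortened; "4-" in "4-wheel" and ":" pass through.
    shortened = re.sub(r"[A-Za-z]+", shrink, sentence)
    return "".join(shortened.split())  # remove the spaces between words


def alphabet_size(password: str) -> int:
    """Size of the character set an exhaustive search would have to cover."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def brute_force_bits(password: str) -> float:
    """Upper bound in bits: length * log2(alphabet). Ignores dictionary attacks."""
    if not password:
        return 0.0
    return len(password) * math.log2(alphabet_size(password))


def words_exposed(password: str, sentence: str) -> list:
    """Words (4+ letters) of the source sentence that appear intact in the password."""
    words = [w.lower() for w in re.findall(r"[A-Za-z]{4,}", sentence)]
    lowered = password.lower()
    return [w for w in words if w in lowered]


if __name__ == "__main__":
    # Sentences and simple passwords are the ones used in the paper's comparison.
    cases = [
        ("My 2 kids are: Laura and Jose", "Lauraandjose123"),
        ("I like 4-wheel drive cars", "4wheeldrive"),
        ("A cruise to Puerto Rico for 7 days", "PRCruise2015"),
    ]
    for sentence, simple in cases:
        complex_pw = sentence_to_password(sentence)
        for label, pw in (("simple", simple), ("complex", complex_pw)):
            print(f"{label:8} {pw:16} {brute_force_bits(pw):6.1f} bits  "
                  f"exposed words: {words_exposed(pw, sentence)}")
```

A brute-force estimate alone rates `Lauraandjose123` highly because of its length; the exposed-word check shows it is built from guessable names, which the derived passwords are not.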

Common Access Cards

Government agencies and most businesses use Common Access Cards (CAC) to gain access to restricted locations. They are an easy way to manage security, but only having to pass the CAC through the sensor does not provide very good security. Since the user gains access with the CAC alone, other users or anyone with bad intentions can steal a CAC and have full access to restricted areas. The CAC is also commonly used to authenticate users on their workstations. Requiring both the CAC in a CAC reader and a 6+ digit PIN to gain access is a good security protocol to follow.

Biometrics

Biometric scanners are a great security achievement. While a password gives access to anyone who knows it, biometrics provides security in a new way by using our physical bodies to authenticate users. The most commonly used biometric authentication methods are fingerprints and the iris of the eye. Every user has a different set of fingerprints that they are born with. Since it is a unique feature that all users have, why not use it as a security authentication protocol? Today most new phones include a fingerprint reader; it is easy to use: just place your finger on the sensor/button and you have access to all of your phone data. Some businesses have adopted this protocol, but not for security; they use it to keep track of employee timesheets.

Ai-Robotix can implement this biometric security on their access door, where they can easily manage which users can enter the office. Not relying on a Common Access Card, which can be stolen from any employee to gain easy access to their assets, is a great advantage and will provide additional security.

Multiple protocols

Using a combination of different security protocols will always provide better security. Managing security is essential for the benefit of everyone, including employees, customers and any asset connected to the network. Always remember that there are only two goals in authentication: first, unauthorized users will never gain access, and second, all authorized users will always have access (Shinder, 2001).


Network Security

Network security is what provides safe travel for all your business data. It consists of the activities or protocols established to protect your network, as defined by Cisco. The idea of network security is to create a complex set of protocols that forms a barrier between your data and hackers. There are many hackers out there just trying to prove a point and challenging themselves to hack into any vulnerable network. Network security provides a line of defense between your data and the hacker trying to gain unauthorized access. Network security can be as simple as a firewall. When more complex systems are involved, a firewall alone will not do the job and needs help from malware detection systems and intrusion prevention systems. A secure way to connect to your business network when working from an unsecured network is to use a Virtual Private Network (VPN). The most common attacks in 2015 were DDoS attacks, mobile malware, data destruction, data interception, zero-day attacks and many other types of attacks (Bradley, 2015).

Security Tools

There are many tools available to download to provide security for your business. Many are very expensive, but there are several inexpensive tools that, for a small business like Ai-Robotix, will provide a line of defense where the data stays safe. Some of the tools are Zenoss Core, OpenNMS, Security Onion, Kali Linux, OpenVAS, OWASP, BeEF and Unhide (InfoWorld, 2015). These tools are great for detection, prevention and analysis of your network security.

The Budget

The security of the network is a very important factor for your assets. Many vulnerabilities are created by human interaction; for example, “being the CEO of a business that has run well for the past 20 years without investing that much in network security” is a huge risk that can lead to catastrophic data loss and identity theft if the network is vulnerable. Developing a network security protocol is essential. Hacking experts exploit these vulnerabilities and are getting more sophisticated each day, developing new tools and more efficient ways to focus their attacks and get past the security implemented by any business (Ellyatt, 2015).

Internet of Things

The new Internet of Things (IoT) has been growing exponentially over the past 5 years. It is basically any device that connects to the internet, including TVs, cameras, game consoles, smart watches and any device that tracks, records or logs any personal detail of our lives (Bradley, 2015). Having the IoT surrounding us and recording almost every detail of our daily lives creates a concern about its security and a new meaning for home security. Now, not having proper security for your network will affect not only your data but can also affect you directly.

Encryption

Why we Encrypt?

Encryption is the process of changing information into an unreadable format to conceal its true meaning. It also serves as extra protection: it creates a secure data stream that can be stored and remains undecipherable until the encryption key has been validated and authenticated to reveal the true data (Schneier, 2015). We use encryption to manage, send or store data securely. There are several encryption algorithms, but the most commonly used are RSA and AES. Both are used by government agencies for their reliability and difficulty to decipher. 256-bit AES is one of the most secure encryption methods ever developed, and it is effective and efficient (Bradford, 2014).

Network Security

Encryption is essential to complete your network security. Addressing all the points discussed above in combination with encryption will provide the reliability any business needs. Data loss is hitting every business, and when managing large amounts of sensitive data, encryption provides extra security: even if attackers obtain your sensitive data, if it is encrypted they will not be able to decipher the information.


Best Practices

For small businesses there are several key requirements for managing sensitive data. During my research I discovered that there are 6 main systems to encrypt: workstations, storage, servers, email, file sharing and network communication. Workstations are the user interface where most data is entered and moved elsewhere. The servers manage the data moving from the workstations to storage. The email server is where information goes from a secure environment to an unknown environment. The internal network moves all this encrypted data from one place to another. Finally, file sharing is when users use removable devices to physically move data from one place to another. When configuring an encryption system these are the main points to focus on, but the most important one is file sharing.

Sharing Data

The most important part of encryption is to give the encryption key only to the receiver. Any business that deals with removable storage devices needs some protocols. For example, at many government agencies, when the user inserts a removable device (CDs, DVDs, external hard drives, pen drives, etc.) the computer prompts the user to encrypt the device and create a password. The password is the key to reading the sensitive data stored on the device. Advise and train employees to manage the password carefully: users tend to write passwords on sticky notes and place them on top of the encrypted device. That behavior makes the device insecure, and anyone who finds the device, if it is lost, would have easy access to the sensitive information stored on it.


Encryption Tools

There are several tools that can be used to maintain secure communication between an encrypted source and an unsecured receiver. First, for email applications: when using Outlook, a powerful tool called EdgeWave is one of the best on the market. Added as a plug-in to Outlook, it provides a tab with a “send secure” button that encrypts the message and attachments; the receiver gets a link through which they establish a secure connection to download the information. VeraCrypt is a powerful tool capable of encrypting with different protocols and is supported by Windows, iOS and Linux. For full local disk encryption, the BitLocker application from Windows does the work. It supports AES 128- and 256-bit encryption and is a very simple process to complete (Henry, 2015). Most network routers with wireless capabilities offer WEP, WPA and WPA2 encryption; always choose WPA2, since it has AES capabilities, and for small businesses that is the way to go.

Software Development

When developing software, everyone has to take into consideration the programming language and how secure it will be. For Ai-Robotix and their development team this is a crucial practice to consider when developing their software and selling it to the public. Selecting from C/C++, iOS, JavaScript, Android, .NET, Java, PHP, ColdFusion and many others is a decision that depends on a couple of factors, including the device intended to run the software, the type of application and the security needed. If you are creating simple software to calculate time and data or a simple game to entertain yourself, you might not think about which is the most secure source code; instead you will be thinking about which is the fastest to write and performs best. But for companies that will provide their software to millions, developing source code that is inaccessible and secure is essential.

The Open Web Application Security Project (OWASP) created a study testing security bugs per megabyte. These were the results:

Source Code    Flaws / Megabyte    Critical Flaws
JavaScript     8 flaws/MB          0.009
Android        11 flaws/MB         0.4
iOS            23 flaws/MB         0.9
C++            26 flaws/MB         8.8
.NET           32 flaws/MB         9.7
Java           51 flaws/MB         5.2
PHP            184 flaws/MB        47
ColdFusion     262 flaws/MB        227
Classic ASP    1686 flaws/MB       1112

The calculations were made from thousands of applications over an 18 month period (OWASP, n.d.).

Following the study we can determine that JavaScript was the winner of the test. It is followed by the most used mobile platforms, Android and iOS, and by one of the most used languages, C++. When dealing with security in software development, the protocols used and the way the code is written are key to creating secure software.


Malware

Types of Malware

There are many types of malware, but the most notorious are adware, spyware, viruses, worms, Trojans, rootkits, backdoors, keyloggers, rogue security software, ransomware and browser hijackers. Hackers are always trying clever ways to trick users into downloading their malware or responding to their email scams (Sanchez, 2011). This malicious software is very harmful to any system. Prevention is key, but when you have employees, education is essential.

Prevention

Malware has been increasing since the beginning of the internet. It is software created for destruction or intrusion, and includes viruses, spyware, worms, adware and any other type of malicious program. It is commonly transmitted through removable storage devices, email, networks and downloads from the web. When your business is infected by any type of malware, you might be able to detect it by looking at the performance of the system. Slow performance could mean that extra processing power is being used by another application that could be malware. Slow internet browsing can also be a sign of a malware infection that is using the internet to communicate with an external source. Malware prevention can be focused on good internet-use practices, and educating employees is one of the best tools you can use to prevent this type of malicious software (Geier, 2011). With a firewall and a monitoring system you can block multiple suspicious websites that have malware waiting to be deployed to your computers and network, but there is always a way to introduce malware into your network. For example, one of your employees charges his phone at home with a USB cable connected to his personal computer, and a new malware has been released that is stored on removable devices. The malware has already infected your employee's personal computer and has copied itself to the cellphone. Tomorrow he will go to your business as usual, start working and plug the infected device into his workstation without knowing that the malicious software has now infected the workstation and is already looking to copy itself to all connected network devices. That is how simple it is to transfer malware to an entire network. There are many tools to prevent this scenario and many others.

Malware Scanners

There are hundreds of tools that will help you scan for malware and prevent it from causing more harm to your system. The top 8 as defined by Tech Arena are Malwarebytes, Spybot Search and Destroy, Ad-Aware Free Antivirus+, Super Antispyware, Panda Antivirus, AdwCleaner, AVG Antivirus and Microsoft Security Essentials (Bhagat, 2016). These tools offer a variety of features that detect and mitigate any active malware. Software like AVG Antivirus also provides great capabilities for scanning newly connected devices and creating a report if any infected file is found. Protecting your assets is very important, and while you are trying to grow your business there are always people creating these small malicious programs to test the capabilities of a system and cause damage. Data loss is a concern for everyone, and the intention of most of this software is to destroy data, copy and send data to an external source, or stay hidden logging keystrokes and sending them when no one is looking. There is also malware that just creates a backdoor for hackers to gain access to systems and networks so they can personally cause the harm.

Internet

The Revolution

The internet has connected the world; users from anywhere can interact with other users around the world. It is a revolutionary method of communication between computers that has been used to transfer data in many different languages and sizes. It is unstoppable and will continue to engage users more and more every day.

Capabilities

Since the formal acknowledgement of the internet there have been many security breaches, and they have been growing exponentially day by day. For businesses the internet provides unlimited communication with almost anything around the world and even space. The information resources are immense, with simple ways to gather information at your fingertips. The capabilities are immense, but so is the harm it can create.

Security

Harmful software like that discussed in the Malware section is transported over this medium to affect anyone connected. Spam mail, viruses and Trojans can target the large amount of sensitive personal information traveling across the internet. Credit card data, identities and much other sensitive information are stolen every day because of the internet. Having an unlimited resource of information without any filters can also expose children to adult content while they browse on their personal devices (Lucas, 2015). The internet has created another addiction for users: people get anxious if they don't have a device with internet access and cannot get in contact with their social media. Facebook is a great example of users being addicted to the internet and to social networks. It is great that it connects everyone, but do you really want to live a virtual life? It is also a tool for burglars, who can learn everything about their victims without getting out of bed; with a simple check-in at the theater by the victim, the thief knows when to strike and can even determine how long you will be out before you get home.

Disaster Recovery & Business Continuity Plan

Risk Assessment

The risk assessment is an important element to perform when developing both plans. It provides the system administrator with all the protocols, methods and other components of the system that need to be addressed. Remember that the purpose of creating a disaster recovery and business continuity plan is to create procedures to return operations to an acceptable level to continue working (Kirvan, 2011).

Disaster Recovery Plan

The Disaster Recovery Plan (DRP) is a key document that every business should develop. The DRP provides the elements and essential information needed to safely recover from any hardware or software loss. This plan should be developed together with the Business Continuity Plan, which is addressed in the next topic. Big or small, all businesses work with sensitive data and serve customers who need their services. Data loss, software malfunction, hardware failure, hackers, malware, human error and natural disasters are the primary points to address when creating the disaster recovery plan (Kirvan, 2011).


Saving Everything

Backups are one of the first and simplest ways to start your implementation. Having daily backups or synchronization with a cloud service is a key element that provides the continuity needed if a disaster strikes. Saving everything might mean covering tons of data, but consider the consequences if only half of the data is backed up: you will probably then have only half of your customers' information. A safe site is also an essential part of being able to adapt to any natural disaster. For example, if a storm strikes the city where your business is located and destroys the windows and the employees' work area, having a safe site to continue operations is part not only of the disaster recovery plan but also of the business continuity plan. Disaster recovery starts as soon as the disaster strikes, while the business continuity plan starts as soon as the local site is no longer a safe location for employees to work (Rouse, 2009). Every business approaches this differently, and less than 50 percent test their plans, even those who have never it on the past (Rouse, 2009).
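
One way to test that a backup really holds everything, as an added Python example that is not part of the original paper: it hashes every file under a source directory and a backup directory and reports files that are missing or differ, plus the fraction of the source that is intact in the backup. The function names and the sample files in `demo` are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 65536) -> str:
    """Hash a file in chunks so large backups do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(source: Path, backup: Path) -> dict:
    """Compare a backup against its source and report what would be lost."""
    src = build_manifest(source)
    bak = build_manifest(backup)
    missing = sorted(set(src) - set(bak))
    corrupted = sorted(name for name in set(src) & set(bak) if src[name] != bak[name])
    intact = len(src) - len(missing) - len(corrupted)
    coverage = intact / len(src) if src else 1.0
    return {"missing": missing, "corrupted": corrupted, "coverage": coverage}


def demo() -> dict:
    """Constructed sample: four source files, a backup that kept only part of them."""
    with tempfile.TemporaryDirectory() as tmp:
        source, backup = Path(tmp) / "source", Path(tmp) / "backup"
        files = {
            "customers/a.csv": b"id,name\n1,Constructed Customer A\n",
            "customers/b.csv": b"id,name\n2,Constructed Customer B\n",
            "orders/2016.csv": b"order,total\n1001,49.99\n1002,12.50\n",
            "hr/employees.csv": b"id,role\n7,developer\n",
        }
        for rel, data in files.items():
            target = source / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        # The backup has one good copy and one truncated copy; two files never made it.
        backed_up = {
            "customers/a.csv": files["customers/a.csv"],
            "orders/2016.csv": files["orders/2016.csv"][:20],
        }
        for rel, data in backed_up.items():
            target = backup / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return verify_backup(source, backup)


if __name__ == "__main__":
    report = demo()
    print(f"coverage: {report['coverage']:.0%}")
    print("missing:", report["missing"])
    print("corrupted:", report["corrupted"])
```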

Cloud Implementation

When addressing the disaster recovery and business continuity plan, the cloud environment sounds great. If the local site is destroyed or not safe for employees, having an up-to-date cloud system that employees can connect to via VPN from their homes is a great way to address any disaster that has not affected the cloud provider or Internet Service Provider. There are many ways to approach a disaster recovery and business continuity plan, but a cloud-based system might be the way to go. Choosing the correct provider will be the most difficult part of the project (Posey, 2013). Selecting among cost effectiveness, performance and storage capabilities is crucial and will depend on the specifications of your current system and how it will synchronize with the cloud provider.


Conclusion

This paper provides the reader with key elements for creating their own security measures to minimize and mitigate threats. Keep in mind that security protocols are constantly updated as hackers develop and find new ways to exploit vulnerabilities in the system. The system is not only computers and networks but also employees, which is why educating employees about the vulnerabilities and the consequences of not following security protocols is essential (Shinder, 2001). Hackers will always look for different ways to gain access to a network, and the more difficult you make it, the more challenging it is for them; the security administrator just has to create a challenging design that makes the hackers tired and leaves the system unharmed. This is achieved by putting in place all the security features discussed in this paper, including encryption, employee behavior/education, a proper firewall, an intrusion prevention system and a monitoring system that provides live feedback to the administrator.

This paper was created with the intention of providing a security perspective from an external source. All the security implementations discussed in this paper can be followed, keeping in mind that all the security discussions were based on a single business, Ai-Robotix. The security implementations discussed in this paper are not addressed only to Ai-Robotix; they are for any small business. Ai-Robotix is a business where I performed several observations while creating this report to address their security issues.


References

Bhagat, A. (2016, March 01). Top 8 Best Malware Removal 2016 & Spyware Removal Tools. Retrieved March 27, 2016, from http://techarena.org/best-malware-removal-2016

Bradford, C. (2014, July 31). 5 Common Encryption Algorithms and the Unbreakables of the Future - StorageCraft. Retrieved March 27, 2016, from http://www.storagecraft.com/blog/5-common-encryption-algorithms/

Bradley, T. (2015, January 14). Experts pick the top 5 security threats for 2015. Retrieved March 27, 2016, from http://www.pcworld.com/article/2867566/experts-pick-the-top-5-security-threats-for-2015.html

Ducan, R. (2001, October 23). An Overview of Different Authentication Methods and Protocols. Retrieved March 27, 2016, from https://www.sans.org/reading-room/whitepapers/authentication/overview-authentication-methods-protocols-118

Ellyatt, H. (2015, January 05). Top 5 cybersecurity risks for 2015. Retrieved March 27, 2016, from http://www.cnbc.com/2014/12/19/top-5-cyber-security-risks-for-2015.html

Geier, E. (2011, November 15). How to Remove Malware From Your Windows PC. Retrieved March 27, 2016, from http://www.pcworld.com/article/243818/how_to_remove_malware_from_your_windows_pc.html

Henry, A. (2015, February 8). Five Best File Encryption Tools. Retrieved March 27, 2016, from http://lifehacker.com/five-best-file-encryption-tools-5677725

How long would it take to crack your password? (2012). Retrieved March 27, 2016, from https://nakedsecurity.sophos.com/2012/05/25/how-long-would-it-take-to-crack-your-password/

InfoWorld. (2015, September 16). Bossie Awards 2015: The best open source networking and security software. Retrieved March 27, 2016, from http://www.infoworld.com/article/2982962/open-source-tools/bossie-awards-2015-the-best-open-source-networking-and-security-software.html#slide1

Kirvan, P. (2011, May). Disaster recovery: Risk assessment and business impact analysis. Retrieved March 27, 2016, from http://www.computerweekly.com/feature/Disaster-recovery-Risk-assessment-and-business-impact-analysis

Lucas. (2015). Advantages and Disadvantages of Internet. Retrieved March 27, 2016, from http://www.enkivillage.com/advantages-and-disadvantages-of-internet.html

OWASP. (n.d.). Source Code Analysis Tools. Retrieved March 27, 2016, from https://www.owasp.org/index.php/Source_Code_Audit_Tools

Posey, B. (2013, August). Implementing cloud-based disaster recovery: Six key steps. Retrieved March 27, 2016, from http://searchcloudstorage.techtarget.com/feature/Implementing-cloud-based-disaster-recovery-Six-key-steps

Random-ize. (n.d.). Retrieved March 27, 2016, from http://random-ize.com/how-long-to-hack-pass/

Rouse, M. (2009, December). What is disaster recovery plan (DRP)? - Definition from WhatIs.com. Retrieved March 27, 2016, from http://searchenterprisewan.techtarget.com/definition/disaster-recovery-plan

Sanchez, M. (2011, May 12). 5 Ways to Educate Employees about Network Security. Retrieved March 27, 2016, from http://blogs.cisco.com/smallbusiness/5-ways-to-educate-employees-about-network-security

Schneier, B. (2015, June 23). Schneier on Security. Retrieved March 27, 2016, from https://www.schneier.com/blog/archives/2015/06/why_we_encrypt.html

Shinder, D. (2001, August 28). Understanding and selecting authentication methods - TechRepublic. Retrieved March 27, 2016, from http://www.techrepublic.com/article/understanding-and-selecting-authentication-methods/

Shinder, D. (2007, July 16). 10 physical security measures every organization should take - TechRepublic. Retrieved March 27, 2016, from http://www.techrepublic.com/blog/10-things/10-physical-security-measures-every-organization-should-take/
