Course Scenarios

Scenario 3:

The company does not currently have a messaging system in place; messaging technology can improve
communication within the company.

When an employee leaves, their accounts are currently not disabled in the directory service. The company
must disable an account immediately when the employee leaves; it can be enabled again if it is needed.

The ticketing system is confusing and difficult to use. The company needs a ticketing system that is easy
to use and focuses on communication and customer satisfaction. Each IT ticket will contain a technical
problem or series of problems, and it is the IT team's responsibility to resolve these issues in a timely manner.

The company does not have a backup system. The company must have secure and clean data to keep its
business running in the case of data loss, a hack attack or even a natural disaster.

Scenario 1:

Network Funtime Company has several problems. First, HR always purchases the cheapest laptop for a new
employee and is unfamiliar with its hardware. This could save time and company budget, but it is a bad
idea and will result in lost productivity. Infrastructure management is needed. Laptops should be
ordered before the new employee starts work. Purchasing computers from the Internet when they
are needed is a very inefficient process that results in lost time. Second, the company does
not have anything to track its inventory. Company assets need to be documented and inventoried (by
physically labeling every asset), including all computers, printers and so on. The company does not have
a person to install and configure its machines; it must have tech support. Employees do not have a
strict password requirement for their computers. Although the entire company uses only cloud
services, I think they would benefit from having a domain controller and some kind of central
management services.

Scenario 2:

The good thing is that they have some machines in stock in case of emergency. In this case they will not
lose time and productivity when a new employee starts work.

The company also has some problems. First, there is no ticketing system in place to provide
structured problem solving; a database of lessons learned could also be useful. In this way you
avoid having hundreds of emails for the same issue. Second, all software is kept in house. A cloud
backup of it will keep the data safe. Third, there are no backups of critical customer data. A backup
system is needed in order to avoid data loss and keep the business running. Also, there are issues with
access permissions. Some read-write permission rules need to be put in place to avoid deleting
important data by mistake.

Week 6

Security means identifying risks and exposure, understanding the probability of attacks and creating
defenses that minimize risk and the potential impact of attacks.

Security risk assessment begins with threat modeling. Identify likely threats, then assign them a priority
based on severity and probability.

Protecting customer data will help prevent successful external attacks as well as help limit the possibility
of abuse by employees. A privacy policy defines the access to and usage of sensitive data. A privacy
policy will help guide people who may not be security-minded while they are working with sensitive
data. Data access logs will help you confirm that only authorized users have access to sensitive data.

Authentication can be done by using a user ID and password, by using social sign-in or by using
biometrics. Authentication means verifying that users are who they claim to be and granting them access.
Authentication works as follows: prompt the user to enter credentials, send the credentials to the
authentication server, match the credentials, authorize the user and grant access.

External website security is important to protect the website from hackers and electronic thieves and to
prevent security breaches. Use a firewall, implement access control, and use encryption and an SSL
certificate.

For internal website security: use authentication to establish the user's identity, encrypt or hide
sensitive web pages, and implement IT policies.

Remote access provides better security, cost efficiency, ease of management and increased availability.
Remote access can be deployed by using the RAS gateway: VPN and BGP can be used to provide the
remote access. Remote access involves enabling users, managing their access, protecting the assets, using
Remote Desktop Protocol and managing server sessions.

A firewall is important for managing traffic and providing external website security. Allow only
specific types of traffic. Use access rules for IP security. Implement certain IT policies.

Nowadays Wi-Fi is used in every organization, and wireless security protects the network from malicious
and unauthorized access. Wireless security can be provided by the use of encryption, decryption,
authentication and authorization.

VLANs are important for traffic filtering and for providing logical division of the network. A VLAN can
be configured through the web interface and can provide web filtering. A VLAN is configured through the
web interface as follows:

Switching => VLAN => Advanced => VLAN Membership
Switching => VLAN => Advanced => Port PVID Configuration

VLAN web filtering: VLANs can be configured between router and firewall, router and gateway, or router
and switch; by doing so one can filter the web traffic that passes through the network.

Using passwords, a VPN and registering laptops by their MAC address will provide laptop security. Using
a security tool on the local machine is also a good option. Device-level authentication with a local
username and password is also a good idea.

Security and privacy policy recommendations: these include the list of security methods to be
implemented for traffic filtering, IP spoofing, user authentication and other specific policies for the
website.

An IPS is implemented behind the firewall and matches incoming traffic against the security policies. It
matches signatures, handles any intrusion it finds, and generates logs and alerts for it.

The goal of an IDS is to identify malicious traffic before it can proceed further into the network. It
generates alerts and notifications so that the network monitoring team can investigate the intrusion.

Final Project - Sample Submission

Authentication
Authentication will be handled centrally by an LDAP server and will incorporate One-Time Password generators
as a 2nd factor for authentication.

External Website
The customer-facing website will be served via HTTPS, since it will be serving an e-commerce site permitting
visitors to browse and purchase products, as well as create and log into accounts. This website would be
publicly accessible.

Internal Website
The internal employee website will also be served over HTTPS, as it will require authentication for employees
to access. It will also only be accessible from the internal company network and only with an authenticated
account.

Remote Access
Since engineers require remote access to internal websites, as well as remote command line access to
workstations, a network-level VPN solution will be needed, like OpenVPN. To make internal website access
easier, a reverse proxy is recommended, in addition to VPN. Both of these would rely on the LDAP server that
was previously mentioned for authentication and authorization.

Firewall
A network-based firewall appliance would be required. It would include rules to permit traffic for various
services, starting with an implicit deny rule, then selectively opening ports. Rules will also be needed to allow
public access to the external website, and to permit traffic to the reverse proxy server and the VPN server.

Wireless
For wireless security, 802.1X with EAP-TLS should be used. This would require the use of client certificates,
which can also be used to authenticate other services, like VPN, reverse proxy, and internal website
authentication. 802.1X is more secure and more easily managed as the company grows, making it a better
choice than WPA2.

VLANs
Incorporating VLANs into the network structure is recommended as a form of network segmentation; it will
make controlling access to various services easier to manage. VLANs can be created for broad roles or
functions for devices and services. An engineering VLAN can be used to place all engineering workstations and
engineering services on. An Infrastructure VLAN can be used for all infrastructure devices, like wireless APs,
network devices, and critical servers like authentication. A Sales VLAN can be used for non-engineering
machines, and a Guest VLAN would be useful for other devices that don't fit the other VLAN assignments.

Laptop Security
As the company handles payment information and user data, privacy is a big concern. Laptops should have full
disk encryption (FDE) as a requirement, to protect against unauthorized data access if a device is lost or
stolen. Antivirus software is also strongly advised to avoid infections from common malware. To protect against
more uncommon attacks and unknown threats, binary whitelisting software is recommended, in addition to
antivirus software.

Application Policy
To further enhance the security of client machines, an application policy should be in place to restrict the
installation of third-party software to only applications that are related to work functions. Specifically, risky and
legally questionable application categories should be explicitly banned. This would include things like pirated
software, license key generators, and cracked software.

In addition to policies that restrict some forms of software, a policy should also be included to require the timely
installation of software patches. “Timely” in this case will be defined as 30 days from the wide availability of the
patch.

User Data Privacy Policy
As the company takes user privacy very seriously, some strong policies around accessing user data are a
critical requirement. User data must only be accessed for specific work purposes, related to a particular task or
project. Requests must be made for specific pieces of data, rather than overly broad, exploratory requests.
Requests must be reviewed and approved before access is granted. Only after review and approval will an
individual be granted access to the specific user data requested. Access requests to user data should also
have an end date.
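
One way to check this policy against data access logs, as an added example that is not part of the original submission: each log entry is matched against the approved requests, and accesses with no approved request or after the request's end date are reported. The log format, the grant table and all names in it are constructed for illustration.

```python
from datetime import date, datetime

# Constructed approved requests: (user, data item) -> access end date.
GRANTS = {
    ("alice", "orders.shipping_address"): date(2024, 3, 31),
    ("bob", "customers.email"): date(2024, 2, 15),
}

# Constructed access-log lines: UTC timestamp, user, action, data item.
SAMPLE_LOG = """\
2024-03-02T09:14:07Z alice read orders.shipping_address
2024-03-02T09:20:41Z alice read customers.email
2024-03-03T16:02:55Z bob read customers.email
2024-03-04T11:30:00Z carol export customers.email
truncated line
"""

def audit(log_text, grants):
    """Return (line number, finding, detail) for every access a reviewer should see."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        try:
            stamp, user, action, item = line.split()
            day = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").date()
        except ValueError:
            # Malformed entries are reported, not skipped: a gap in the log is a finding.
            findings.append((lineno, "unparseable", line))
            continue
        end = grants.get((user, item))
        if end is None:
            # Access to a data item nobody approved for this user.
            findings.append((lineno, "no-approved-request", f"{user} {action} {item}"))
        elif day > end:
            # The request was approved, but its end date has passed.
            findings.append((lineno, "grant-expired", f"{user} {action} {item} (ended {end})"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, GRANTS):
        print(*finding, sep="\t")
```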

In addition to accessing user data, policies regarding the handling and storage of user data are also important
to have defined. These will help prevent user data from being lost and falling into the wrong hands. User data
should not be permitted on portable storage devices, like USB keys or external hard drives. If an exception is
necessary, an encrypted portable hard drive should be used to transport user data. User data at rest should
always be contained on encrypted media to protect it from unauthorized access.

Security Policy
To ensure that strong and secure passwords are used, the password policy below should be enforced:

• Password must have a minimum length of 8 characters
• Password must include a minimum of one special character or punctuation
• Password must be changed once every 12 months

In addition to these password requirements, a mandatory security training must be completed by every
employee once every year. This should cover common security-related scenarios, like how to avoid falling
victim to phishing attacks, good practices for keeping your laptop safe, and new threats that have emerged
since the last time the course was taken.

Intrusion Detection or Prevention Systems
A Network Intrusion Detection System is recommended to watch network activity for signs of an attack or
malware infection. This would allow for good monitoring capabilities without inconveniencing users of the
network. A Network Intrusion Prevention System (NIPS) is recommended for the network where the servers
containing user data are located; it contains much more valuable data, which is more likely to be targeted in an
attack. In addition to Network Intrusion Prevention, Host-based Intrusion Detection (HIDS) software is also
recommended to be installed on these servers to enhance monitoring of these important systems.

GOOGLE IT SUPPORT PROFESSIONAL CERTIFICATE SKILLS LIST

• Basic computer architecture
• Operating systems (Windows, Linux)
• Remote connection and virtual machines
• Computer networking
• Software management
• Troubleshooting
• Customer service
• Routing concepts
• VPNs and proxies
• Permissioning
• Package and software management
• Process management
• Resource monitoring
• Systems administration
• Configuration
• Centralized management
• Implementing/managing directory services
• Data management and recovery
• IT security
• Cryptology/encryption
• Hashing
• Network security
