Background
Eldritch Industries (founded by Palmer Eldritch, 2017) is a startup company (155 employees) that aims to be the premier provider of actuarial and statistical information to vaping industry lawyers in the UK. The company collects medical information from hospitals and clinics relating to patients with respiratory illnesses and diseases related to vaping products, performs data analysis on the data and sells the resulting information via an online marketplace, Greenwalding.
The London (HQ) building near the Costas on Church Street has 5 floors. Each floor is dedicated to a separate division. Each division maintains a separate network inaccessible to the other networks. Each network consists of desktop computers connected via Ethernet (wired connection). Each room on each floor has 4 to 8 wall-mounted Ethernet ports. The Ethernet ports connect to the network server on each floor via an unmanaged switch. The servers do not have any hardware or software firewalls, and employees can plug any device into the Ethernet ports and get a direct connection to the servers.
In addition, each floor also has a Wireless Access Point (WAP) on the main reception desk for that floor, allowing employees with wireless cards/chips in their personal laptops to connect to the network. The wireless access points all use the Wi-Fi Protected Setup (WPS) network security system. Each wireless access point has the WPS PIN hardcoded into it and printed on the bottom of the Wireless Access Point. Although the Wireless Access Points are intended to give access to staff from a specific division, employees wandering between floors can use wireless-enabled laptops to connect to servers other than their own by looking up the WPS PIN on the bottom of the WAPs.
When employees are hired they are given a user ID (surname_firstinitial) and a temporary password (1234) which employees can change if they wish; most employees do not bother to change it. There is no policy on password length and complexity, and passwords never expire. Several users have the same passwords for multiple systems as there is no way to check this. Many users share and write down passwords to make life easier. All employees have the same full (read/write/execute/delete) access to all systems, drives and folders, including operating system folders on the servers.
The server for each floor is also a gateway to the World Wide Web, and each server also hosts an email server for that specific division. The company uses the services of a local ISP (LazyCamelNet). Customers can "chat" with employees online. The "chat" feature is unencrypted, as is company email.
Employees on the same network can share files via the built-in Windows (unencrypted) File Transfer Protocol application. Each network server runs FTP server software that has no password requirement. Employees can upload files to the server and download files from the server.
The FTP server software gives full (read, write, execute, delete) access to all files and folders on the server. If a customer wants to see their records they can also use any unencrypted file transfer client to connect to the records folder on one of the servers; no ID or password is required. In some cases customers have worked out that they can delete or edit their own records.
Within each network (division) employees have access to a shared customer database; an ID (surname_firstinitial) and a 3-digit PIN are required to access the database.
The company's connection to Greenwalding (the online marketplace) uses an unencrypted FTP connection.
As might be expected from a company dealing with confidential information, security, privacy and reliability are very important. As a new company they have not had any incidents but many of their competitors have. Also Palmer Eldritch plans to have all the individual networks connected together and to have one central database to make data interchange easier.
Palmer Eldritch has heard of several incidents that concern him. In May 2019 a phishing attack exposed an employee's login information, which was used to access the email server and spread a virus. The same event led to the attacker installing a software keylogger on all networked computers for the Legal Division. In June 2019 a distributed denial of service (DDoS) attack took down all the company servers for several days. In July 2019 a security breach led to 200,000 customer records being stolen and posted on Reddit; this has cost the company $40m in restitution fees.
In August 2019 an employee was subject to an evil twin attack and exposed the wireless security PIN, leading to internal data theft. In the same month an employee plugged an infected laptop into the Ethernet network, which spread a worm to all computers on the wired network and eventually to the wireless network; clean-up operations were expensive and time consuming. The company was hit with a ransomware attack in September. Finally, on October 1 2019 an employee left a password on a post-it note on a monitor, which was used by a visitor to steal company confidential data.
Workers in the same division routinely share passwords and IDs. As mentioned before, there is no password expiry policy, nor any policy on password composition or password reuse (most employees use password, 1234). There is no bring-your-own-device policy nor antivirus installation policy. The company in fact lacks any stated strategic objectives related to security.
Your task is to advise Palmer Eldritch on what he can do to improve on the security of the company's computer systems. This is certain to involve a sizeable number of recommendations with regards to technology, process, policy and strategy. You will tell him what he should do to get to a position where the company's data assets are more secure. Your recommendations must also include advice for assuring security when connecting the different networks together.
Assume that money is an object; you cannot just throw money at the problem.
Section 3. How to fix the problems (30 points)
This is the main section. This is the "what to do about it" part. Here you will present two specific elements:
- Section 3.1 Policies and rules: A set of explicit and specific security policies and rules that will help achieve the strategic objectives, together these policies and rules must address all the identified problems in Section 2. 15-20 policies.