D490 Cybersecurity Graduate Capstone Task 2 Western Governors University

Typology: Exams

2024/2025

Available from 03/10/2025

Table of Contents
Security Problem Under Investigation
Justification of Security Problem
Background Information
Documentation
Root Causes
Project Stakeholders
Functional and Detailed Requirements
Industry-Standard Methodology
Rollout, Launch and Implementation Strategy
Implementation Risks
Training Approach
Required Resources
Final Project Deliverables
Project Timeline
Project Outcomes and Evaluation Framework
Test Plan
Acceptance Criteria and Key Performance Indicators
Test Cases and Scenarios
Analysis of Results
Sources


Proposal Overview

Security Problem Under Investigation

Warrenton Oil Company is a medium-sized company that provides multiple services to the consumer. Fuel transportation is their primary means of revenue: they have over 100 vehicles and drivers delivering fuel products to a multitude of vendors across central and east central Missouri, with a few stops into western Illinois. They currently own 55 convenience stores, with plans to acquire 10 more through the buyout of an existing chain. Lastly, they own 3 different hotels in the area. In total, they have over 1,000 employees across each functional area of their business model. Warrenton Oil Company, at its corporate office, currently utilizes a Windows Server domain to enforce all network security policies. The servers currently in place as the Primary Domain Controller (PDC) and Backup Domain Controller (BDC) are housed in outdated server hardware and are running out-of-compliance operating systems (OS): Small Business Server 2003 and Windows Server 2012. While Windows Server 2012 has support until October 10, 2023 (https://docs.microsoft.com/en-us/lifecycle/products/windows-server-2012-r2), Small Business Server 2003 reached End-of-Life (EOL) on July 11th, 2017, meaning it needs to be immediately upgraded to be in compliance with current cyber security policies and procedures. In addition to the server OS being EOL, the server hardware is also outdated and needs to be updated to ensure that, when the new server OS is installed, the hardware has the processing and memory capacity to handle the network traffic that will be present. Additionally, the hardware needs to have redundancy built in (power supplies, processors, etc.), as does the network. These are necessary to ensure that each branch of the business model has access to the data they need, when they need it, and in a manner that is conducive to their business interests.

As with all cyber security related issues, it is 90% human and 10% technical error that makes up most incidents. The key stakeholders now understand the immense importance of not only having a solid security incident response plan in place, but also hardware and software components that secure the network from attacks. The security needs of the organization are also required by the PCI-DSS, as we sell directly out of our warehouse and not only from the convenience stores. PCI-DSS determines the requirements for a safe network for processing payment card data (https://www.pcisecuritystandards.org/wp-content/uploads/2022/05/Small_Merchant_Guide_to_Safe_Payments.pdf).

Project Stakeholders

The following personnel are key stakeholders in this project:

  1. Company president – His compliance with this project was necessary, as his approval or disapproval trumps all.
  2. Chief Financial Officer – Must clear the purchase of all related equipment, software, and licensing agreements for the multitude of software components needed for this project.
  3. Director of Retail Operations – Back Office software is housed remotely but must have a domain trust established to work. This is paramount to retail operations, as without this trust, updated pricing, reports, etc., cannot be provided.
  4. 55 Remote Endpoints – The primary reasoning behind the Domain Controller Transition. They rely on us for nearly all their data; it is essential that we are working within compliance requirements.
  5. IT Director – He is the supervisor of the project; he ensures all key metrics are met.

IT Solution

The proposed solution to the current issues in Warrenton Oil Company's cyber security landscape is relatively simple, as it mostly pertains to a few pieces of physical hardware and quite a few virtualized machines that make the back-office software operate efficiently and seamlessly for the end users. The replacement of these devices will provide greater throughput, increasing the speed at which data is transported, modified, and stored. It will also provide an OS that does not contain vulnerabilities which cannot be mitigated using traditional patch management and change management principles. Most importantly, this solution will prevent attackers from exploiting the multitude of vulnerabilities inherent to the current OSs running the domain environment, greatly increasing overall network security and reducing the attack surface. The Domain Controller Transition provides the following:

  1. Upgrades the current Server OS from Small Business Server 2003 and Windows Server 2012 to Windows Server 2022, which receives critical security and service updates that Small Business Server 2003 does not get as it has reached EOL, and that Windows Server 2012 will stop getting in October of 2023.
  2. Upgrades the current hardware configuration from an HPE Proliant DL380 Gen8 to an HPE Proliant DL380 Gen10. This upgrades the processor from a Xeon E5-2640 (6 core, 2.5GHz, 15MB L3 Cache) to a Xeon Silver 4210R (10 core, 2.4GHz, 14MB L3 Cache), providing higher processing speed, capacity, and thread count. It upgrades current RAM from 64GB to 128GB standard, expandable up to 2TB. Additionally, the Gen8 utilizes 1333MHz DDR3 RAM, while the Gen10 utilizes 2666MHz DDR4 UDIMM RAM, meaning it operates faster and provides greater information throughput, increasing overall system speed, which correlates directly with increased network speed.

Failover redundancy is also a critical business need that will need to be addressed, as sensitive data is present in our environment, and a sufficient DLP will need to be implemented to ensure compliance. This can be achieved through a multitude of options; however, a VMware HA cluster with StarWind vSAN will be used due to ease of configuration and the unmatched level of technical support offered with the service.

Step 2: Assess the Needs of the Organization

Assessing the current infrastructure and its dependencies is necessary to ensure the new systems can provide the services needed. This includes the following services, and will require the installation of VMware ESXi:

  1. PDI (Professional Datasolutions, Inc.) is our back-office software, essential for updating inventory pricing and disseminating prices to our remote locations.
  2. Unitrends – Backup software that backs up all critical infrastructure.
  3. RADIUS – A remote central authentication mechanism created to have granular control over the Wi-Fi APs at each of our remote locations. Authentication takes place in a multi-faceted approach: each user is authenticated against the SSID, MAC address, and an individual Pre-Shared Key.
  4. LibreNMS – SNMP-enabled network monitoring software that receives SNMP data from all 55 remote endpoints as well as my 14 pieces of in-house networking and server equipment.

When you combine the above items with the Domain Controller migration, you create a solid baseline of the necessary software applications that allow Warrenton Oil Company to operate efficiently and within the confines of the industry.

Step 3: Select the Right Migration Strategy

Typical migration strategies require the installation of the newer server OS, promotion of the new server to PDC, movement of the FSMO roles to the new PDC, and replication of users, computers, printers, etc., onto the new PDC. However, this is not a migration; this is a Domain Controller Transition, in which an entirely new domain is being created. This particular strategy comes with its own challenges beyond those of an upgrade. It requires the creation of new Organizational Units (OUs) within a newly named domain. This is not a downside, however, as it allows me to become more granular with my OUs than our current environment allows. For example, currently there are 3 copies of the same shared folder in differently labeled drives on the same partition, taking up 120GB. I have created the same folder, with the same name, on the new domain and have already copied the necessary files over. As only one instance of this share is available, and it is mapped only to a specific OU, I prevent the unauthorized disclosure of data by invoking the principle of least privilege. This strategy allows me to keep all of the data the users need, but control its access at a much finer level, increasing security across the organization.

Step 4: Plan the Migration

This involves collaboration between me, the IT Director, the Network Technician, and the end users themselves. A typical migration would not involve the end users, as the domain itself would not change, and it would be relatively seamless to them. This migration has quite a few moving parts that need to be addressed so they can be completed efficiently.

  1. Removal of the current PDC and its associated hardware (this is a dedicated machine with no VMs).
  2. Install new servers in the server rack.
  3. Reinstall network cabling to the appropriate ports on the new server hardware.
  4. Power on the server hardware.
  5. Verify machines turn on, physically and virtually, through direct interaction with the servers (KVM to switch back and forth).
  6. Verify all IP addresses for VMs, PDC and BDC.
  7. Log in to each device to verify functionality, locally and remotely, to ensure NTLM connectivity.
  8. Test domain computers and accounts against drive mappings and user permissions.
  9. Change each individual workstation in the domain to the new domain (there is no automated process to complete this; it is a manual process).

Implementation Risks

With any project, there are inherent risks associated with the implemented changes. This is no different. The primary risk associated with this project is loss of access to data. We currently run a cloud-based backup solution, so loss of data is not a primary concern. However, the environment consists of a file structure that relies heavily on permissions implemented via logon scripts. The removal of the logon scripts prevents any one organization from gaining access to all resources; however, it requires granular configuration at the GPO level. This may cause loss of access to data until the right departments have the right access to the right files when they need it. Additionally, there is risk involved while migrating workstations from one domain to another. Some machines may not switch domains cleanly, which could force us to factory reset some devices. While this doesn't cause loss of access for the user on the workstation, it does present a risk to data availability for the external entities who also need the data.

Training Approach

This project does not make any significant changes to the user experience. The end users will not know they are on a new domain, aside from seeing increased speed while accessing certain network resources. Therefore, no specific training is required to ensure that the end users can utilize the systems as they did previously, as no visible change will be present. The end users, however, will have to adjust to the new file structure. As stated before, there are several duplicate folders that show up in different shares that are not restricted. In implementing the principle of least privilege, several users will not have access to the same folders they did before. This may cause some immediate pushback from end users, as they are used to a certain method of sharing data. However, the principle of least privilege is not a principle the organization is willing to do away with, meaning some individual-level training for end users on what they do and do not have access to will be required.

Required Resources

The following resources will be required to implement the project:

  1. Two HPE Proliant DL380 Gen10 Servers, Xeon Silver 4210R (10 core, 2.4GHz, 14MB L3 Cache) – $20,
  2. 20 HPE 861686-B21 1TB HDD – $2,
  3. Windows Server 2022 x 2 – $
  4. VMware ESXi x 3, vSphere, vCenter Server and licensing – $13,752 (5-year licensing)
  5. StarWind vSAN software and license – 5-year vSAN and support license – $1,350

Total cost of all associated resources for the project: $39,

Project Timeline

  1. 21 March – 15 April 2022 – All OUs and users are created, DNS set up on the PDC for use with Meraki DHCP, static entries made for ESXi hosts, vSphere, vCenter, etc.
  2. 1 May 2022 – Key stakeholder meeting to discuss the migration; the agreed-upon switchover date is by 1 August 2022.
  3. 1 May – 30 July 2022 – Transfer of existing data onto the new domain file system, mapping of shared drives to specific departments via GPO. Testing of drive mappings, including the user Home folder.
  4. 30 July 2022 – 31 July 2022 – Removal of old servers, replaced with new servers. Bring the system up and test basic functions. Switch all user workstations over to the new domain and test drive mappings upon user login.

Project Outcomes and Evaluation Framework

With any migration, upgrade, replacement, or complete overhaul, there must be a method to determine the effectiveness of the project. Typically, there is a quantifiable metric (data transmission speed with a networking equipment upgrade, better data with a database upgrade, etc.) that is used to determine how effective the project was at accomplishing its goal. However, as this is a Domain Controller Transition, and a Domain Controller simply processes data, controls machine policies, runs DNS, etc., it becomes more difficult to measure its effectiveness. From a cyber security perspective, it becomes easier to measure this project's effectiveness, as the purpose of the transition is to eliminate the inherent vulnerabilities that Small Business Server 2003 has. To measure this project's effectiveness, two items must be present: the results of a vulnerability scan prior to the transition, and the results of a vulnerability scan after the transition has taken place. We will see a dramatic shift in the cyber security landscape towards a secure network, as these vulnerabilities will no longer be present in our network. This is the quantifiable data that is needed to determine the effectiveness of the transition.
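The before/after scan comparison described above, as an added PowerShell example that is not part of the capstone document. It diffs the two scans by finding rather than by host, because the transition replaces the hosts outright and a host-keyed diff would mark everything as both resolved and new. The scan rows, host names and severity weights are constructed for illustration; a real run would replace the here-strings with Import-Csv of the scanner's export using the same three columns.

```powershell
# Constructed pre-transition scan export (illustrative rows, not real scanner output).
$before = @'
Host,Finding,Severity
sbs2003-pdc,SMBv1 enabled,High
sbs2003-pdc,Unsupported OS (Windows Server 2003),Critical
ws2012-bdc,RC4 cipher suites offered,Medium
ws2012-bdc,LDAP signing not required,Medium
'@ | ConvertFrom-Csv

# Constructed post-transition scan export for the two new domain controllers.
$after = @'
Host,Finding,Severity
dc01,LDAP signing not required,Medium
dc02,LDAP signing not required,Medium
dc01,Self-signed certificate,Low
'@ | ConvertFrom-Csv

function Compare-ScanResults {
    param([object[]]$Before, [object[]]$After)

    # Key on the finding text: hosts change during the transition, findings do not.
    $beforeNames = @($Before | Group-Object Finding | ForEach-Object Name)
    $afterNames  = @($After  | Group-Object Finding | ForEach-Object Name)

    $resolved   = @($beforeNames | Where-Object { $_ -notin $afterNames })
    $introduced = @($afterNames  | Where-Object { $_ -notin $beforeNames })
    $persisting = @($beforeNames | Where-Object { $_ -in $afterNames })

    # Assumed severity weighting (constructed); substitute the organization's own scale.
    $weight = @{ Critical = 10; High = 7; Medium = 4; Low = 1 }
    $scoreBefore = ($Before | ForEach-Object { $weight[$_.Severity] } | Measure-Object -Sum).Sum
    $scoreAfter  = ($After  | ForEach-Object { $weight[$_.Severity] } | Measure-Object -Sum).Sum

    [pscustomobject]@{
        Resolved        = $resolved
        Introduced      = $introduced
        Persisting      = $persisting
        RiskScoreBefore = $scoreBefore
        RiskScoreAfter  = $scoreAfter
    }
}

$report = Compare-ScanResults -Before $before -After $after
"Resolved   : $($report.Resolved -join '; ')"
"Introduced : $($report.Introduced -join '; ')"
"Persisting : $($report.Persisting -join '; ')"
"Risk score : $($report.RiskScoreBefore) -> $($report.RiskScoreAfter)"
```

With the constructed rows the EOL-OS, SMBv1 and RC4 findings show as resolved, the LDAP-signing finding persists on both new controllers, and one low-severity certificate finding is introduced; the weighted score falls from 25 to 9. The "Persisting" and "Introduced" lists are the part worth reading closely, since a clean "Resolved" list alone says nothing about what the new build carried over.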

Acceptance Criteria and Key Performance Indicators

The following will be conducted for testing, analysis, acceptance criteria and determined performance indicators.

  1. Testing of the critical functions of the Domain Controller (FSMO Roles) will be conducted prior to the transition. This will allow us to determine how to build the file structure, how to build the permissions within the confines of the organizational chart, how to adhere to the principle of least privilege, and to ensure that transitioning individual workstations from one domain to another is a seamless process.
  2. Analysis of the services the transition is affording Warrenton Oil Company will be based on whether the testing in step 1 above passes. Once the file structure is in place, the permissions are granted, and the domain controller is effectively running and completing tasks for all 5 FSMO roles, the analysis will show that the project is successful.
  3. The only acceptance criteria for this project are that all 5 FSMO Roles are effectively running on the PDC and BDC, and that all users, files, and permissions have access to the data and the personnel they are supposed to.
  4. Performance indicators are listed above: 5 FSMO Roles installed and running, granular file permissions per OU.
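An added PowerShell acceptance check covering the criteria above and the verification steps of the migration plan (FSMO roles, DC reachability and replication, and least-privilege share permissions per OU). This is example code, not the capstone author's; it assumes the ActiveDirectory RSAT module, a Domain Admin session on a machine joined to the new domain, and that each department OU has a matching security group that should be the only principal granted access to its share. The DC names, domain DN and share paths are placeholders.

```powershell
#Requires -Modules ActiveDirectory
[CmdletBinding()]
param(
    # Placeholder FQDNs of the new PDC and BDC; every FSMO role must sit on one of these.
    [string[]]$ExpectedDcs = @('dc01.newdomain.example', 'dc02.newdomain.example'),
    # Placeholder map of department OU -> the single share that OU should be mapped to.
    [hashtable]$OuShares = @{
        'OU=Retail,DC=newdomain,DC=example' = '\\fs01.newdomain.example\Retail'
        'OU=Hotels,DC=newdomain,DC=example' = '\\fs01.newdomain.example\Hotels'
    }
)

$failures = New-Object System.Collections.Generic.List[string]

# 1. All five FSMO roles: two are forest-wide (Get-ADForest), three are domain-wide (Get-ADDomain).
$forest = Get-ADForest
$domain = Get-ADDomain
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
foreach ($r in $roles.GetEnumerator()) {
    Write-Verbose "$($r.Key): $($r.Value)"
    if ($ExpectedDcs -notcontains $r.Value) {
        $failures.Add("FSMO role $($r.Key) is held by '$($r.Value)', not by one of the new DCs")
    }
}

# 2. Each new DC answers LDAP, and this workstation's secure channel to the new domain is valid
#    (the "log in to each device" step of the plan, done from the workstation side).
foreach ($dc in $ExpectedDcs) {
    if (-not (Test-NetConnection -ComputerName $dc -Port 389 -InformationLevel Quiet)) {
        $failures.Add("DC $dc does not answer on LDAP/389")
    }
}
if (-not (Test-ComputerSecureChannel)) {
    $failures.Add("Secure channel from this computer to $($domain.DNSRoot) is broken")
}

# 3. Replication between the PDC and BDC: no partner may report consecutive failures.
Get-ADReplicationPartnerMetadata -Target $ExpectedDcs -ErrorAction SilentlyContinue |
    Where-Object { $_.ConsecutiveReplicationFailures -gt 0 } |
    ForEach-Object {
        $failures.Add("$($_.Server) has $($_.ConsecutiveReplicationFailures) consecutive failures replicating from $($_.Partner)")
    }

# 4. Least privilege on the per-OU shares: an Allow ACE for a broad principal means the
#    old "everyone sees every copy" situation survived the move.
$broadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', "$($domain.NetBIOSName)\Domain Users")
foreach ($entry in $OuShares.GetEnumerator()) {
    $acl = Get-Acl -Path $entry.Value -ErrorAction SilentlyContinue
    if (-not $acl) { $failures.Add("Share $($entry.Value) for $($entry.Key) is unreachable"); continue }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and $broadPrincipals -contains $ace.IdentityReference.Value) {
            $failures.Add("Share $($entry.Value) grants '$($ace.IdentityReference.Value)' $($ace.FileSystemRights); expected only the OU's department group")
        }
    }
}

if ($failures.Count -eq 0) {
    'PASS: all 5 FSMO roles on the new DCs, replication clean, share ACLs scoped per OU'
} else {
    $failures | ForEach-Object { "FAIL: $_" }
}
```

Run it with -Verbose to see which DC holds each role. The share check reads the NTFS ACL over UNC, so run it from an account that can read the ACL but is not itself in the department group; otherwise a missing Allow ACE for that group would not be detected, and that case is deliberately left to a manual login test as the plan's step 8 already requires.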

SOURCES