Company network security management: a case study of grenada of electricity services Ltd.

Abstract

Incessant Analysis, modification of design, and methodology development of Grenada Electricity Services Ltd. to enhance the company protection is central to the company network security management in this highly competitive industry of the 21st century.  This dissertation is anchored along this issue and bid readers apt measures to update and upgrade under viable trade.

Considering the speed at which developments evolve in the electronic industry, regular updating becomes logical to Grenada Electricity Services Ltd. to be at par with the latest modifications.  In like manner, the paper is suitable to every IT outfit.

In today’s fast-changing and often risky electronic business environment, it is likewise crucial for IT of Grenada Electricity Services Ltd. to effectively secure its network systems as these are the arteries of its modern business and are vital for its sharing information and communication.  It is the lifeline of this company as an organization.

At the same time, Grenada Electricity Services Ltd. IT managers are expected to enhance worker productivity and implement new technologies that will drive competitive advantage for the business. Otherwise, it would be a process that is both costly and time-consuming to deal with outdated systems.

This case study describes how, by adopting an organized approach to security in Grenada Electricity Services Ltd. IT managers will spend less time cleaning up messes and more  time helping their organization meet its goals.  It will also look at some history of networking, as well as an introduction of a description of risk management, network threats, firewalls, and more special-purpose secure networking devices.

Furthermore, this report also contains information related with networking:   history, topology, architecture, equipment of the Grenada Electricity Services Ltd, advantages and drawbacks, security and threats. Included are other causes of problems in network security from the software used to maintain the over all system of Grenada Electricity Services Ltd.: software crisis, maintaining the software as well as brief description of wireless network security, wired vs. wireless, WEP, WPA, VPN, etc., and other issues such as considering real-time database system and real time system for accurate results.

1. –    Brief overview on information management and security

        1.1. –            Information technology from the late 19th century

Looking back at the early beginnings of information technology in the late 19th century, it was humbly a working and operational mode of calculator machines.

Communication was not its initial aim. It was merely to facilitate calculations of large sums of numbers. Its capability was limited then.

A replica of the machine is demonstrated by International Business Machines initial computers that are as large as a building can hold.  Nevertheless, this idea prompted enthusiast to enhance its capabilities which brought about the latest innovations in technology these days.

           1.1.1. –       The early years of calculating

In the early years of the 60’s, entrepreneurial companies went into the business of host computing. Even governmental institutions went into computerization especially in its treasury departments.  Enterprising and creative minds saw this as an opportunity to improve computer capability.  Thus was the birth of midrange computer platforms that are cost effective and efficient beyond the initial machines

            1.1.2. –       The personal computer breakthrough

Computers have evolved from early abacus, papyrus and ENIAC to today’s main frames and super computers that can manipulate huge amount of information across the globe.

In today’s digital world, having a digital Information System (IS) fully equipped with precise up to date network security system management is important in order to compete globally. Taking advantage of the technologies in the digital world does give an extra push toward a flexible and feasible business. Information Systems knowledge which is very essential will be boosted too for a company like Grenada Electricity Services Ltd. to further grow and prosper.

Inclusive are the line of objectives such as reaching far away location, offer new products and services, reshape jobs and work flows as well, which will profoundly change the traditional ways of business. As the information age advanced the need for enhancements in computer network security management became a profound challenge.

          1.1.3. – The steady growth of the internet in Grenada Electricity

                       Services Ltd.

Actually, the use of computers for internet was discovered by a military man to share information. After the first dial up connection, the trend became popular amongst local public, especially Grenada Electricity Services Ltd. At present, computers are indispensable part of its existence. Starting from basic calculators to storing and manipulating of terabits of information computers became its handy machine. As the information age advanced, Grenada Electricity Services Ltd. need for enhanced tools such as computer network connections became indispensable.

          1.2. –     Starting security considerations for Grenada Electricity

                       Services Ltd.

To implement a system that will maintain and manage a perfect security issue of Grenada Electricity Services Ltd is central. With the advent of electronic age, an enhancement for efficiency records is a must. A software will be installed which will replace the existing system. This is an electronic system maintained by network administrator and the employees. This will make possible all existing payroll documents to be converted into electronic forms where employees can access using Intranet. High-speed Internet services will be provided for employees that will be monitored using local ISP.

       1.3. – The influence of internet on information security of Grenada

                 Electricity Services Ltd.

The recent developments in internet communications posted a critical level of danger on the information security of Grenada Electricity Services Ltd. Concurrence of cyber crime is all over the papers. Plus is the danger of losing highly important communications documents of economic transactions. The present security aspect of Grenada Electricity Services Ltd. is the centralized system which is weak compared to the client-server three-tier system because the security protocols are used for application security services. Client case management software that will then be installed will ensure highest level security system in the market for the Grenada Electricity Services Ltd.

       1.4. – Is complete information protection possible for Grenada Electricity

                 Services Ltd.?

Total information protection may not be doable at the moment. The two software architectures, SSL and VPN however, though each has its own advantages and disadvantages to fulfill the requirements of Grenada Electricity Services Ltd. the main concern is the security of the company where a system is feasible enough to protect and secure in the highest possible level, and to control its information files along exemplar plane.

2. –       Introduction to information security

        2.1. – Background of this study

Computers have emerged from early abacus, papyrus and ENIAC to today’s main frame computer and super computers that can manipulate huge amount of

information across the globe. The use of Internet came about after a military initiative with the initial interest of sharing information. After the first dial up connection however, the use of Internet became very popular mode of communication amongst local public. Today, computers became the most essential part of human existence starting from basic calculators to storing and manipulating of terabits of information.

The process of information has become easier compared to what it was a decade ago. In order to maintain and enhance information, the process has to be fast, more efficient and feasible. Traditional ways of information process such as sending mails using regular post office and using telephone or keep papers based documentation became insufficient and old fashion. To fulfill the demands computer and internet became a solution. Information Technology (IT), a process of information using computers and computer software is the answer, but it must likewise be upgraded and updated to suit market needs.

The objective to convert, store, and process, protect, retrieve and transmit information faster and easier than ever before is in place. There exist many IT companies that implements and provide services for such system who are trying to change the traditional ways of doing business.  For example, the Electronic business mode E-Com is commerce on the internet that maintains distributing, buying, selling, marketing and servicing of products or services. E-com involves electronic funds transfer, supply chain management, e-marketing, online marketing, online transaction processing, etc using electronic communication such as the Internet.

Companies subsequently established research centers all over the world to conduct research in developing new technologies which emphasizes managing process in order to deliver product that are cheap and fast while maintaining a good Information Management strategy.

Manipulation of information however, using documentation, emails and other paper works became a potential information overload for many companies. Hence employing the new advance technologies to manage and maintain the information overload became inevitable.

For example, many companies are giving services to educational institute by going online, decreasing the cost of infrastructures and providing free services: Global School net (GSN) [2], GSN works with schools, universities, communities, businesses and other organizations to develop free or low cost programs.  This is to educate students to compete with global workforce. ICT solution online, Think.com [3] is also an online environment for teachers and students. It is global in coverage. Teachers and students can easily communicate and share ideas and enrich classroom learning experiences through real time discussions.

The Internet is a set of connections of networks which is system created by huge mainframes in research establishments connected to normal computer at homes and offices.  It can be accessed from anywhere around the world. Internet was first developed in 1970s by the US Department of Defense’s communications systems by interconnecting a collection of computers where no central computer storing huge amounts of data, rather information is dispersed.

Today, Millions of individuals, companies, programmers, consultants, researchers and students worldwide uses Internet to share information in a more fast and easy way of communication. Internet influences the growth of businesses by providing new, fast and efficient ways of advertising and new and different ways to reach the public and expand their organization.

Internet symbolizes sense of freedom which is uncensored and unregulated by the government. However, use of Internet has its drawbacks such as different security issues. The main security issue such as data access must be implemented in such a way that the privilege given to the individual or companies is controlled and can be manipulated.

Controlling the web-browsing habit such as browsing illegal or unwanted web sites need also to be controlled, hence providing user access to email, web sites using password and encryptions is essential. Keeping off the malicious users from accessing valuable company information and other external information that can be used against the GES stuff and the GES authorities needs to be taken under consideration. Sending emails and other attachments must be allowed according to hierarchy of access permissions.

Use of Internet is mostly possible if one uses computers or other devices such as mobiles. Need for speedy information has become an important issue in today’s business. Using such devices Internet caused a revolution in our society. “The power members of society: celebrities, professional criminals, fashion setters, etc become much less powerful than they are in real life. The social groups of advanced computer users, geeks, nerds, dweebs, hackers have a much larger power on the Internet because of their knowledge of its mechanics.” [4].

Peoples shopping style is also changing because of Internet. Selling products over the internet is cheap, fast and easy for both the company and the customer. Hence issues such as privacy and ethics are most important and needs to be concentrated on by the governments and education institute. Many of the ethical issues involve privacy. For example, privacy concerning e-mail uses by the employees, head office of a company and individuals.

In the late 1960s, networks only existed in the sense of huge mainframes and multiple networked terminals. Each terminal was connected using hub connected to one big central processing units spinning tapes and rotating drives. Today, networking is so vast and broad that with considering the security issues would be a great loss.

Security plays a main role when considering functions such as client/server network models, time sharing, or multi-user and multi-tasking processors. “It was not until the end of the 1960s and into the 1970s that the environment for network security did evolve.” [12].

Confidential information such as confidential data transmitted over public networks must be encrypted and the network connection must be secured. For example, no machine should be connected to other networks except the GES corporate LAN and a firewall should exist for communication over external (public & private) networks. GES email should be encrypted so that user can send information to other important client or users and when opening email, user should be aware of the risks of opening documents with macros, postscript files, etc via email.

The history of network security has been delineated, leading now into some of the numerous potential threats to information on a network.  Threats to network security range from harmless pranks to devastating crimes of destruction and theft. Breaches in network security occur internally by employees and externally by hackers. “In a recent attack on the Texas A&M University computer complex, which consists of 12,000 interconnected PCs, workstations, minicomputers, mainframes, and servers, a well-organized team of hackers was able to take virtual control of the complex.” [15]

Texas A & M attack is one of many examples that can be set as an extreme threat for any organizations. In order to avoid such attacks an organization need to be fully equipped with latest technologies and state of the art software such as antivirus (Escan [16]). “It is often impossible or very difficult to know if you are under attack and from whom and attackers sophistication has increased enormously in the last 5-10 years.” [5]

Other threats such as virus development have increased at an alarming rate. However, the most common cause of security problems are as stated “Human Error 52%, Dishonest people 10%, Technical Sabotage 10%, Fire 15%, Water 10% and Terrorism 3% and many computer crimes Money theft 44%, Damage of software 16%, Theft of information 16%, Alteration of data 12%, Theft of services 10%, Trespass 2%.” [5]

Wireless communications offer organizations and users many benefits such as portability, flexibility and lower installation costs. Wireless technologies cover a broad range of capabilities toward different uses and needs. Wireless local area network (WLAN) devices, for instance, allow users to move their laptops from place to place within their offices and homes without the need for wires and without losing network connectivity. However, risks are natural in any wireless technology.

The most significant source of risks in wireless networks is that the technology’s underlying communications medium such as the airwave, is open to intruders. Unauthorized users may gain access to network systems and information, corrupt the agency’s data, consume network bandwidth and launch attacks that prevent authorized users from accessing the network.

Wireless technologies have become increasingly popular in everyday business and personal lives. Unfortunately, no computer network is truly secure. However, some networks are built and managed much more securely than others. For both wired and wireless networks alike, the real question to answer becomes – is it secure enough?

Wired LANs use Ethernet cables and network adapters where it uses central devices like hubs, switches, or routers to accommodate more computers. It is difficult and very expensive to installing Ethernet cables because cables must run under the floor or through walls. However, it is extremely reliable and only common failure is when there are loose cables.

Wired LANs gives fast and superior performance, providing close to 100 mbps bandwidth. It is sufficient for file sharing, gaming, and high-speed Internet access. As for security, wired LAN hubs and switches do not have their own firewalls but external firewall software products can be installed.

Wireless LANs uses three main Wi-Fi communication standards such as 802.11b, 802.11a, and 802.11q. The 802.11b was the first slandered used in wireless LANs and 802.11a is a slandered used in business networks because it is faster. The 802.11q slandered combines 802.11b and 802.11a making it an expensive home networking.

Wireless adapters and access can be three or four times expensive compared to Ethernet cable adapters and the performance of the wireless depends on the slandered used as well as distance covered. Wireless LANs are less secure than wired LANs because the signals travel through air with many types of interceptions.

 A wireless network seems to be a good option for the company due to the difficulty of cabling the company buildings. Since the system is implemented is an electricity company, security is more important issue compared to cost or other issues. Wireless is easier to install, more reliable and mobility is excellent where as wired is more difficult to install with limited mobility.

An increasing number of government agencies, businesses, and home users are using wireless technologies in their environments. There are many wireless security technologies that can be implemented for better security, for example, WEP (Wired Equivalent Privacy), WPA (Wi-Fi Protected Access) and VPN (VPN).

WEP is a security protocol for WLAN defined in the 802.11b standard. The 802.11 standard describes the communication that occurs in WLAN. The algorithm of WEP is used to protect wireless communication from eavesdropping. It relies on a secret key that is shared between a mobile station and an access point. The secret key is used to encrypt packets before they are transmitted, and an integrity check is used to ensure that packets are not modified in transit.

WEP is designed to make up for the inherent insecurity in wireless transmission, as compared to wired transmission.  WEP relies on a secret key that is shared between a mobile station (e.g. a laptop with a wireless Ethernet card) and an access point (i.e. a base station). The secret key is used to encrypt packets before they are transmitted, and an integrity check is used to ensure that packets are not modified in transit. The standard does not discuss how the shared key is established.  In practice, most installations use a single key that is shared between all mobile stations and access points, Wired Equivalent Privacy (WEP) encryption for 802.11b wireless networks.

Once again, the clamor rises that the IEEE is using shoddy encryption, and that they are leaving the poor consumers and users of 802.11b networks open for the foulest kind of violations.  WEP is not, nor was it ever meant to be, an industrial data security algorithm.  It was never designed to protect your data from script kiddies and more intelligent crackers, who want to discover your secrets.  It is designed to make up for the inherent insecurity in wireless transmission, as compared to wired transmission.

When you have a wireless network, all the base stations and end nodes are transmitting their packets in a sphere, regardless of where you may want them to transmit.  In general, this sphere is about three hundred feet in diameter, although external and other factors can limit or enhance this range.  So, when you imagine your wireless network, it’s important not to imagine a web of lines from point to point, but rather a series of interconnected bubbles, like the foam in a bubble bath (Welch).

Some manufacturers of wireless security refer to 64-bit encryption as 40-bit, but in reality they represent the same degree of protection.  Devices using 40-bit encryption are able to communicate with devices using 64-bit and vice versa.  Also, the security enhancements when using a 128-bit key as compared to a 64-bit key are minimal at best.  In terms of performance, there is no extra cost when encrypting with a 128-bit key over a 64-bit key, however there is cost to transmit extra data over the network.  If network performance is a concern, then 64-bit encryption is recommended.

Furthermore, when a wireless network is run with no security (the OFF setting), anyone within reasonable proximity can connect to that network and be able to use its internet connection.

Although WEP offers some protection for wireless networks, there are many free tools that are widely and publicly available which can break, or crack WEP encryption.  A potential attacker would be able to sniff network transmissions and then use these tools to determine WEP encryption keys.

In 2001, research teams at Berkeley and the University of Maryland published separate papers that disclosed the security flaws in WEP, including its encryption algorithms.  Because of such vulnerabilities in WEP new security technology for wireless networks had to be developed.  Henceforth, Wi-Fi Protected Access was introduced in 2003.

The original design of WEP was to provide encryption and authentication as part of the 802.11 standard.  It uses an encryption algorithm, which utilizes a key, or sequence of hexadecimal numbers entered by the user. With WEP, wireless clients and access points are manually configured with the same key. Rather than having the user enters complicated hexadecimal strings for keys by hand, it also introduces the concept of a pass phrases.

A pass phrase is chosen like a password and then entered into the system where is converted to complex encryption key. When using a stronger security setting, WEP requires 4 pass phrases to implement a key. During transmission between wireless devices, WEP switches amongst the four keys to make traffic more difficult to intercept.

Regarding the levels of security, WEP offers three settings that consist of OFF (no security), 64-bit (weak security), and 128-bit (stronger security). For wireless devices to communicate, they must all use the same type of encryption.

WPA (Wi-Fi Protected Access) is a Wi-Fi standard that was designed to improve upon the security features of WEP. Its security is greater then that of WEP and hence has two significant advantages over WEP.

Wi-Fi Protected Access (WPA) is wireless security with a far greater degree of protection than WEP.  WPA has two significant advantages over WEP.

First, WPA utilizes an encryption key that differs in every packet of information transferred between wireless devices. The Temporal Key Integrity Protocol (TKIP) mechanism shares a starting key between devices.  Each device then changes their encryption key for every packet.  This makes it extremely difficult to for hackers to read messages even if they’ve intercepted the data.

Secondly, Certificate Authentication is used in order to block a hacker’s access posing as a valid user on the network.  A Certificate Authority Server is part of the recommended configuration to allow computers with WPA software to communicate with other certified computers on the network.  To run WPA between two computers both must have WPA software as well as all access points and wireless adapters between them.  WPA computers will communicate with WEP encryption, if they cannot use WPA for a particular device.

WPA encryption offers several advantages over WEP.  WPA provides extremely strong security for wireless networks.  It adds authentication to WEP basic encryption.  WPA has backward compatible support for WEP devices that are not upgradeable.  WPA also integrates with servers to allow administration, auditing, and logging.

Moreover, larger networks almost often contain devices that are not WPA upgradeable such as network interface cards and access points (in which case these devices are using WEP encryption or none at all) so the network is still vulnerable to attacks. Despite the known security flaws with WEP and WPA, new solutions are being developed to combat the issues of wireless security.  One of those solutions is known as the VPN.

It provides extremely strong security for wireless networks and adds authentication to WEP basic encryption. WPA also integrates with servers to allow administration, auditing, and logging. As mentioned above, WPA encryption offers several advantages over WEP. Firstly, WPA utilizes an encryption key that differs in every packet of information transferred between wireless devices.

The Temporal Key Integrity Protocol (TKIP) mechanism shares a starting key between devices.  Each device then changes their encryption key for every packet. This makes it extremely difficult to for hackers to read messages even if they have intercepted the data. Secondly, Certificate Authentication is used in order to block hacker’s posing as a valid user on the network.

Although WPA is powerful tool for network security, it does have its drawbacks.  It can be complicated to setup which makes it unsuitable for home users.  In most cases, it requires firmware upgrades for main products and older firmware will usually not be upgraded to support it.  It is also not compatible with older operating systems such as Windows 95. Since WPA adds to packet size, transmission between devices takes longer.

The encryption and decryption software is generally slower and performance is lost. Despite the problems WPA, new solutions are being developed to fight the issues of wireless security and one of those solutions is known as the VPN.

VPN (VPN) is a network that is constructed by using public wires to connect to nodes. A VPN enables a specific group of users to access private network data and resources securely over the Internet or other networks.  It is called a VPN because it uses a public network and only inherits the characteristics of a private network.

There are two main types of connections that can be made by a VPN, an individual machine and a private network connection, also known as a client-to-server connection and also a remote local area network and a private network connection, which is known as a server-to-server connection.  A routed network, a tunnel switch, and tunnel terminators are all needed to make up a VPN.

A routed network is needed to transport encrypted data packets. A tunnel switch is used to increase security and versatility.  Lastly, tunnel terminators take the role of acting as virtual cable terminators cutting off and restricting access, by users, to the network. A VPN is characterized by its concurrent use of tunneling, encryption, authentication, and access control over a public network.

Whenever information is being transmitted across the Internet, whether it is e-mail or shared files, security is always a main concern. What most people are starting to realize, is that whenever data packets and files travel on a publicly shared network like the Internet, they are potential targets from malicious attackers. The only things that can make VPN secure are solutions that integrate several mechanisms, from software to additional hardware devices.

VPN security is mainly based on two techniques, encryption and authentication.  Encryption is used to ensure data integrity and privacy. Authentication is used to verify that users have the rights to access the private network and which data they can access.  To provide strong encryption for a safe and secure VPN, one must first consider the two mechanisms, which guarantee data confidentiality. The encryption algorithm provides the mathematical rules that convert the plain text message to a random cipher text message.

The algorithm provides steps for converting the plain text message with an encryption key, which is a combination of alphanumeric data that introduces the random element into the cipher text message. The longer the secret encryption key is, the longer it takes for an attacker to test all possible values of the key.

While VPN are pretty stable, it does have its pros and cons. VPN enable secure broadband connection through cable modems and DSL and it also make it easy to manage T1 lines, phone and data lines and remote access terminals. It can create significant communication savings in particular when lots of remote users dial-in from outside the local calling area. However, VPN being mostly Internet-based hence it is dependent on 24 hours connection. If the ISP is down, so is VPN.

A VPN enables a specific group of users to access private network data and resources securely over the Internet or other networks.  A VPN is characterized by its con