HND in Computing & System

Development

Activity 01
Assuming the role of External Security Consultant, you need to compile a report focusing on
following elements to the board of EMC Cloud Solutions;

Identify types of security risks EMC Cloud is subject to, in its present setup and the impact, such
issues would create on the business itself.

1.2. Cloud Computing

Cloud computing is the use of various services over the Internet, such as software development
platforms, servers, storage and software, often referred to as "clouds."
 HND in Computing & System
Development

1.3. Cloud Computing Services

Most cloud computing services have three broad categories: a service (IaaS), a service (PaaS) and a
software (SaaS) as a service. These are sometimes called Cloud Computing Stock. Knowing what they
are and how they differ makes own business goals easier. (Microsoft, 2018)

Infrastructure as a Service (IaaS)

The most basic cloud computing service category. With IaaS, we can rent IT infrastructure servers and
virtual machines (VMs), storage, networks, and operating systems from cloud providers on a pay as we
go basic.

IaaS Issues and Concerns

1) Compatibility with legacy security vulnerabilities
2) Virtual Machine Sprawls
3) Robustness of VM level isolation
4) Features for dynamic network configuration
5) Data Erase practices
 HND in Computing & System
Development

IaaS Recommendations
1) Multi-tenancy
2) Data Protection
3) Secure Data Deletion
4) Administrative Access
5) VM Migration
6) Virtualization best practices
a) EMC guide to security for full virtualization technologies

Platform as a Service (PaaS)

Platform as a Service (PaaS) is a cloud computing service that provides an on-demand environment for
the development, testing, delivery, and management of computing software applications. PaaS is
designed to make it easier for developers to quickly create web or mobile applications without having to
worry about setting up or managing the underlying infrastructure of servers, storage, networks and
databases needed for development.

PaaS Benefits
1) Reduced Disruption
2) Efficient use of Software Licenses
3) Centralized Management of Data
4) Platform Responsibilities managed by providers
5) Upfront cost savings

PaaS Issues and Concerns

1) Browser based risks and risk remediation
2) Network Dependence
3) Isolation vs. Efficiency

PaaS Application Suitability

1) PaaS implemented as SaaS
2) Application Classes
 HND in Computing & System
Development

a) Business Logic
b) Collaboration
c) Office Productivity
d) Software tools

PaaS Recommendations
1) Generic Interfaces
2) Standard Languages and Tools
3) Data Access
4) Data Protection
5) Application Frameworks
6) Component Testing
7) Security
8) Secure Data Deletion

Software as a Service (SaaS)

Software as a Service (SaaS) is a method of providing software applications on demand over the
Internet, usually on a subscription basis. With SaaS, cloud providers can host and manage software
applications and underlying infrastructure and can handle any maintenance, such as software upgrades
and security fixes. Users connect to applications via the Internet, usually using a web browser on a
mobile phone, tablet or PC.

SaaS Benefits
1. Reduced Disruption
2. Efficient use of Software Licenses
3. Centralized Management of Data
4. Platform Responsibilities managed by providers
5. Up front cost savings

SaaS issues and concerns

1. Browser based risks
2. Network dependence
3. Lack of Portability
 HND in Computing & System
Development

SaaS Application Suitability

1) Business Logic
2) Collaboration
3) Office Productivity
4) Software Tools
5) Not suitable for any of the following: -
a) Real time software
b) Bulk consumer data
c) Critical Software

SaaS Recommendations
1) Data Protection
2) Client Device/Application protection
3) Encryption
4) Secure data deletion
 HND in Computing & System
Development

Cloud Deployment Models

The cloud deployment model mentioned below is based on the National Institute of Standards and
Technology. There are four basic cloud deployment models, namely:

Private cloud model

In this system, the cloud infrastructure is built on the premise of the organization and its customers. In
terms of cost efficiency, this deployment model does not bring many benefits. However, many large
companies choose it for the security they provide.

https://www.quora.com/What-is-the-difference-between-private-cloud-and-intranet

Public cloud model

The public cloud is hosted on the premise of a service provider. Service providers provide cloud
services to all of their customers. Many small and medium-sized organizations typically use this
deployment to implement non-core and partial core functionality.
HND in Computing & System
Development
 HND in Computing & System
Development

3) Community cloud
A community cloud model is a cloud infrastructure shared by a group of organizations with similar
requirements (with similar requirements, namely tasks, security, compliance, and IT policies). It can
exist internally or externally and can be managed by the communities of these organizations.

https://www.researchgate.net/profile/Ishrat_Ahmad/publication/314072571/figure/fig4/AS:4660131846
30787@1488117609790/Community-Cloud.png
4) Hybrid cloud model

A hybrid cloud is a combination of two or more models, a private cloud, a public cloud, or a community
cloud. While these models maintain their separate entities, they are combined through standard
techniques to enable data and application portability.

https://itknowledgeexchange.techtarget.com/cloud-computing-enterprise/new-hybrid-cloud-models-
emerging/
 HND in Computing & System
Development

Public Private Community Hybrid

Cloud Cloud Cloud Cloud
Ease of setup Easy Requires IT Requires IT Requires IT
and use proficiency proficiency proficiency
Data security Low High Comparatively High
and privacy high
Data control Little to High Comparatively Comparatively
none high high

Reliability Vulnerable High Comparatively High

high
Scalability High High Fixed capacity High
and flexibility
Cost- The cheapest Cost-intensive, Cost is shared Cheaper than a
effectiveness one the most among community private model but
expensive one members more costly than a
public one
Demand for No Depends Depends Depends
in-house
hardware
The Comparative Analysis of the Types of Cloud Deployment Models
 HND in Computing & System
Development

1.4. Cloud computing Risk of EMC

Organizational risks can cause losses due to uncertainty. It is the term for top risk in the organization,
including major strategies, reputation, regulatory, legal, security and operational risks. (Martin
Horden,2018)
 HND in Computing & System
Development

1. Natural Risk
In today's efficiency-oriented business world, natural disasters are an embarrassing threat. Modern
companies use tightly operated supply chains to minimize redundancy and maximize budgets. Most
importantly, as urban centers become hot spots for booming businesses, if a natural disaster destroys
this, the fact that a single company can squeeze into a single and multi-floor building can cause
problems.

A new infographic for the Master of Professional Management program at Boston University recently
explains why natural disasters should be a priority for every organization: up to 25% of companies will
not reopen after a major disaster. This means that only one bad weather event will pose a major threat to
the company's operations.

Here are four reasons why natural disasters are so influential to unprepared companies:

1. Loss of assets and physical property

This may be the most prominent risk that companies need to consider. When natural disasters occur,
they often cause significant damage to physical assets. Company buildings and property may be
damaged or equipment may be destroyed.

2. Raw material damage

Natural resources are another direct organizational loss in many disasters. For example, cold weather
can destroy crops or wildfires that can damage the collected and stored wood. As with the physical
damage of assets, companies can accurately calculate the damage caused by disasters to raw materials.

3. Supply chain disruption

Unlike the first two loss categories, supply chain disruption is an indirect organizational loss that may
be more difficult to calculate. The more companies rely on the supply chain, the greater the impact of
disruptions.

4. Workers can't get the job done

This is another indirect organizational loss. People may not be able to work during bad weather events,
and even if they can, they may not be able to operate at peak efficiency. Power outages, Internet
outages, failure to use appropriate tools and other similar issues can result in downtime, resulting in
significant losses.
 HND in Computing & System
Development

Companies should consider all the different effects of natural disasters, including sales and revenue
losses and regulatory fines. From there, steps such as uninterruptible power supplies can be taken to
mitigate - if not completely prevent - many of the dangers associated with weather-related threats.
 HND in Computing & System
Development

2. Internal and External Risk

The company faces internal risks within the organization and occurs during normal operations of the
company. These risks can be predicted with certain reliability, so the company is likely to reduce
internal business risks.

External risks arise from economic events outside the company's structure. External events that cause
external risks cannot be controlled by any company or cannot be predicted with high reliability.
Therefore, it is difficult to reduce the associated risks.

1: Cloud Provider Outages (Internal)

1. Inevitable downtime
a. Attacks
b. Errors
c. Disasters
2. Outage Frequency
3. Frequency
4. Resiliency

Risks 2: Safety Critical Processing (Internal)

1. Loss of life or property
2. Regulated by government
3. Pedigree

Risks 3: Compliance (External)

1. Lack of visibility
2. Physical Data location
3. Regulation
4. Jurisdiction
5. Forensics

Risks 4: Information Security (Internal)

1) Risks of unintended disclosure
2) Data Privacy
3) System Integrity
 HND in Computing & System
Development

4) Multi-Tenancy
5) Browsers

Risk 5: Open Source Software (Internal)

1) Easy deployable
2) Interoperability and Standards
3) Openness = vulnerability
4) Loss of control
5) Licensing risks
 HND in Computing & System
Development

3. Technical Risk
Technical risk is the impact that a project, system, or entire infrastructure can have when
implementation fails to work as expected. Failure to identify or properly manage these threats can result
in performance degradation, security breaches, system failures, increased maintenance time, and a large
amount of technical debt from the organization. Providing reliable analytical solutions for Technical
risk management is critical to ensure early detection of these issues. This will prevent problems from
occurring without warning and greatly reduce the amount of work required to mitigate sudden
infrastructure or system problems.

Risk 1: Hackers
Hackers are individuals who use computers, networks or other skills to overcome technical problems.
The term hacker can refer to anyone with technical skills but usually refers to someone who uses their
ability to gain unauthorized access to the system or network. For example, hackers may steal
information, harm people through identity theft, destroy or shut down the system, and often collect
ransoms as hostages.
In most cases, hackers will target the business as an economic benefit. These predators are looking for
opportunities to exploit vulnerabilities.

Risk 2: Viruses
Programs or code that attach a copy of themselves to another computer program or document when it
runs. When the infected program runs, the attached virus program activates and attaches itself to other
programs and documents. When a user opens a document that contains a macro virus, the attached virus
program activates and attaches itself to other programs and documents. Viruses commonly deliver a
payload, such as showing a message on a particular date. Some viruses specifically damage data. These
viruses can corrupt programs, delete files, or reformat disks

Risk 3: Spyware
This malware, as its name implies, spies on users without their knowledge or permission. If a spyware
program is installed on a computer in EMC organization, criminals who execute the program can
monitor activity on that device and collect information for the user or business. Some Examples for
financial data, login information, website access.
Some spyware can detect keystrokes, redirect web browsers, change computer settings, or install other
dangerous programs.
 HND in Computing & System
Development

Risk 4: Adware
When unwanted advertisements start appearing on a computer, it has been victimized by adware.
Company employees may accidentally download adware while trying to access free software, and it can
be used to retrieve information without permission or knowledge as well as redirect Company user’s
browsers.

Risk 5: Wigging
Wiggling its way into EMC network, a worm is deployed to self-replicate from one computer to
another. What makes it different from a virus, however, is that it requires no user interaction in order to
spread. This software is applied to reproduce in large quantities in a very short period of time, and it can
both wreak havoc on EMC network performance and be used to launch other malicious attacks
throughout the Company system.

Risk 6: Spam
Company probably already familiar with spam, as this junk email tends to clog up business servers and
annoy recipients across the organization. Spam becomes a computer security threat when it contains
harmful links, overloads company mail server or is harnessed to take over a user’s computer and
distribute additional spam.

Risk 7: Dos Attack

In a DOS (Denial of Service) attack, company's website or web service may not be available to users.
Typically, these attacks are used by companies that are used for ransom or extortion purposes.
Perhaps the most famous version is DDoS (Distributed Denial of Service), which involves bombing
servers with traffic and requests to flood and shut down the system.
 HND in Computing & System
Development

4. Financial Risk
Financial risk is one of the high priority risk types for each business. Financial risks are caused by
market changes, and market changes may include many factors. On this basis, financial risks can be
divided into various types, such as market risk, credit risk, liquidity risk, operational risk and legal risk.

Risk 1: Market risk

This risk is due to changes in the price of financial instruments. Market risk can be divided into targeted
risk and non-targeted risk. Targeted risk is caused by changes in stock prices, interest rates, etc. On the
other hand, non-directional risk may be a risk of volatility.

Risk 2: Credit risk

This risk arises when a person fails to perform his or her obligations against his or her partner. Credit
risk can be divided into sovereign risk and settlement risk. Sovereign risks are usually generated by
difficult foreign exchange policies. On the other hand, when one party pays and the other party fails to
perform the obligation, there is a settlement risk.
 HND in Computing & System
Development

Risk 3: Liquidity risk

This type of risk stems from the inability to execute trades. Liquidity risk can be divided into asset
liquidity risk and liquidity risk. The liquidity risk of the asset is due to insufficient buyer or the seller's
insufficient sales and purchase orders.

Risk 4: Operational risk

This type of risk stems from operational failures such as poor management or technical failure.
Operational risks can be divided into fraud risks and model risks. Risk of fraud due to lack of control
and model risk due to incorrect model application.
 HND in Computing & System
Development

5. Physical Risk

Risks 1: Computing Performance

1. Latent
a. Uncontrolled by consumers
b. Not controlled by the Cloud Provider
c. Decide which applications will be cloud based

2. Offline data synchronization

a. When the consumer is offline (requires version control)
b. Scalable programming

3. High performance computing requirements for data analysis

a. High performance computing requirements for data analysis
b.  for scientific research, etc.
c.  Many of the above environments need to be careful Check the implementation of the
cloud provider and surroundings

4. Data storage management brings challenges

a. Supply
b. Local restriction
c. Wipe verification
d. Safe disposal
e. Access control
 HND in Computing & System
Development

1.2. Develop and describe security procedures for EMC Cloud to minimize the impact of issues
discussed in section (1.1) by assessing and treating the risks.

1.2.1. Importance of Effective Security Management

Maintaining up-to-date and effective security management is critical to providing organizations with
structure and security and a variety of business goals. Security management companies provide up-to-
date information and security policies. This allows for a very straightforward security program that is
both efficient and easy to follow. (lsc, 2018)

Natural Risk Management

Contact and communication

For most companies, the first thing they think about in a disaster is their employees. In fact, even social
media platforms have added a feature that allows people near the disaster to let their loved ones know
they are safe. Nothing is more terrible than losing touch, and no one can be found after the incident.
Always building and maintaining a contact list is a good starting point. The next step is to establish an
alternative communication line. We are unable to contact by phone, please try to contact us using text or
email. We may want to have a web page where employees can quickly and easily access updates
without being able to check voicemails or work emails. In addition, we should ensure that everyone
who is a key member of the disaster recovery team knows about it in advance and takes further steps to
communicate.

Alternative location and/or mobility

Virtualization and mobility make many businesses easier when it comes to alternative sites. This
basically involves setting up auxiliary and alternate locations, and if our primary location is
compromised or unavailable, we will be able to resume operations. Since many companies are using
virtualization, the choice of remote work becomes more reasonable. Make sure your employees know
what will happen. Identify important issues such as whether and when we need to restore their
responsibilities, replace site locations, and when they might be activated.

List of Suppliers and Key Customers

Like your employees, another major issue after a disaster is talking to suppliers and customers, and you
need to know about you. Even if you are able to resume operations immediately, you need to ensure that
 HND in Computing & System
Development

your suppliers and customers are able to operate and/or know that you are still able to complete the
termination of the transaction. Ensuring that your important relationships survive the event is a priority
and maintaining communication is a great way.

Data backup and technology planning

One of the most important aspects of business continuity planning is data backup and disaster recovery.
In fact, our company data should not only be backed up regularly and stored in multiple locations - so
should our business continuity plan. The 3-2-1 backup rule is a good way to back up our EMC Cloud
computing data. It requires you to store 3 copies of data on 2 different media or devices, 1 of which is
offsite. However, as far as your data is concerned, you need to ensure that your records are fully backed
up on a regular basis and that backups are regularly tested to make sure they are working.

Emergency Plan:
This section includes the actions we should take when an emergency occurs in our office. Emergency
situations such as flashlights, batteries, and water should be checked and inspected regularly.
Emergency escape exits should be identified. The meeting point should be set. Another stage is the
inventory of items such as tables, chairs, supplies, etc. If you need to file an insurance claim, we need to
know what is missing.

Review, update, and test: The last component is probably the most important but often overlooked
component. Test the backup. Make sure we update our phone number. Make sure key people
understand their role in the disaster. Identify the alternate site and be ready to move there when needed.
The only thing worse than a disaster is to realize that our plan for dealing with disasters is not enough.
 HND in Computing & System
Development

Internal and External Risk Management

Internal risk

The project manager must determine the project risks within the organization and prioritize them. When
looking internally, the risk of the project may involve the company's financial solvency, and the
company can get the equipment and other resources needed to support the project in a timely manner.
Personnel issues such as illness or accidental termination of key team members can also be considered
internal risks of the project.

External risk

External risks are not controlled by the project team and its host organization. Therefore, external risks
are often more difficult to predict and control. Factors such as key supplier bankruptcy, economic
turmoil, war, crime and other events may directly affect the effectiveness of the project. Some risks may
be difficult to foresee, such as foreign mines providing the necessary elements for projects taken over
by the revolutionary government. Such incidents directly threaten the project, but the lack of analysis of
external threats often surprises the project manager.
 HND in Computing & System
Development

Internal and External Risks in EMC Management

Because effective assessment of internal and external risks is a prerequisite for effective project
management, steps should be taken to ensure that each risk is carefully assessed. Essential is a team of
members with different backgrounds. The availability of numerous views on the same issue will help to
analyze internal and external factors that may affect the project. By creating an environment conducive
to brainstorming, team members will be free to express their thoughts and thoroughly examine the
internal and external risks of the project.

When considering internal and external risks in project management, it is important to recognize that
internal risks are often easier to identify and manage than external risks, but an accurate assessment of
both will greatly contribute to the successful completion of the project.
 HND in Computing & System
Development

Technical Risk Management

Safe the Organization from Hackers

To avoid being hacked, must be vigilant and adopt a comprehensive security plan, including file sharing
and data management solutions that keep our critical business assets secure. In addition, employees
need ongoing education and training to identify threats and ways to stop attacks. Without this
enhancement, they can easily accidentally invite intruders who may cause irreparable damage to the
company.

Safe the Organization in Virus

Viruses are dangerous and they are expensive. A virus is a software created to destroy a computer. The
program copies and the page itself interferes with how the computer operates. It can steal data, destroy
company files or completely remove them, which is a threatening threat to any business.
Viruses can also infect other computers using other programs on the machine, such as e-mail, and it can
be transmitted by users over a network, USB stick or other media.

Safe the Organization in Spyware

If think Company device is infected with spyware, run a scan with EMC current security software to
make sure it has cleaned up everything it can. Next, download and run a virus removal tool, such as the
free Norton Power Eraser.

There are also other reputable anti-spyware removal tools. Some of them work only when Security
Officer manually start the scan. Others continuously monitor company computer to make sure spyware
can’t modify or monitor EMC information.

Safe the Organization in Adware

Safe Save is advertised as a program that displays coupons for sites we are visiting and competitive
prices when we are viewing product pages at sites like Amazon. Though this may sound like a useful
service, the Safe Save program can be intrusive and will display advertisements whether the company
want them to or not.
 HND in Computing & System
Development

These ads are aimed to promote the installation of additional questionable content including web
browser toolbars, optimization utilities, and other products, all so the Safe Save publisher can generate
pay-per-click revenue.
When our company machine is infected with the Safe Save adware, other common symptoms include:

1. Advertising banners are injected with the web pages that we are visiting.
2. Random web page text is turned into hyperlinks.
3. Browser popups appear which recommend fake updates or other software.
4. Other unwanted adware programs might get installed without the user’s knowledge.
5. To make matters worse, the company will also find that Safe Save will cause our computer to act
more sluggish or for our web browser to freeze.

Safe the Organization in DDos Attack

Automation technology can partially help prevent cyber-attacks, but it also requires artificial
intelligence and monitoring to maximize the protection of company website. The traditional network
structure is not enough. Multi-layer cloud security developed and monitored by experienced and loyal
engineers provides the best protection. Understanding how DDoS attacks work and being familiar with
network behavior are key steps in preventing intrusions, outages, and shutdowns caused by cyber-
attacks. Here are some additional tips to help prevent DDoS attacks:

1. Implement technologies that allow company to visually monitor EMC network.

Understand the amount of bandwidth company site uses on average. DDoS attacks
provide visual clues, and if the company are familiar with the normal behavior of the
network, EMC will be able to capture these attacks more easily.
2. Make sure EMC server capacity handles large traffic spikes and has the mitigation
tools needed to solve security problems. Add bandwidth.
3. Update and patch firewalls and network security programs.
4. Learn how EMC network security system works and set up protocols that outline the
steps should take when DDoS occurs. Practice executing them.
5. Don't hesitate to call a professional. Companies such as DNS providers and CD
Networks can help system protect our Web properties by rerouting visitors as needed,
monitoring performance, and distributing traffic among multiple servers in the event
of an attack.
HND in Computing & System
Development
 HND in Computing & System
Development

Financial Risk Management

Technology risk is the impact that a project, system, or entire infrastructure can have when
implementation fails to work as expected. Failure to identify or properly manage these threats can result
in performance degradation, security breaches, system failures, increased maintenance time, and a large
amount of technical debt from the organization. Providing reliable analytical solutions for technology
risk management is critical to ensure early detection of these issues. This will prevent problems from
occurring without warning and greatly reduce the amount of work required to mitigate sudden
infrastructure or system problems.

Misunderstanding
Financial risk management does not define the types of risks a company should take or involves an
analysis of those risks. Instead, it provides guidance for the guidelines that those who make financial
decisions for the company must follow. The company's board of directors and senior management
personnel follow the policies formulated by the financial risk management department when making
investment decisions.

Work in financial risk management

The head of the company's internal risk management department is called the chief risk officer.
Depending on the size of the company, the number of employees in the risk management department
may vary. Some positions within the department include the head of market risk management, the head
of credit risk management and the head of operational risk management. These people oversee the team
and create the company's risk management policies and procedures for their respective risk management
types.

Independence and conflict of interest

In financial risk management, it is important that the financial risk management department and the
employees working in it are not supervised by those responsible for making decisions involving
financial risks for the company. This avoids the risk of conflicts of interest between the financial risk
management department and the board members or senior management. If the department members do
not do what they are required to do, they may attempt to influence the policy with threatened or implied
work actions. Employees in the financial risk management department should not be transferred to the
department that makes financial investment decisions for the company. This is another policy to avoid
conflicts of interest.
HND in Computing & System
Development
 HND in Computing & System
Development

Association
Employees involved in financial risk management can become part of an international association,
connect with others and receive additional education. The association is known as the Global
Association of Risk Professionals. Financial risk management professionals can take the exams
provided by GARP and become registered financial risk management professionals.
 HND in Computing & System
Development

Physical risk management

Physical risk management handles security systems, keeping in mind the business impact of violations
or risks on company goals. Our company not only identifies risks but also designs and implements
safety systems to mitigate risks.

We attach great importance to risk events. Any risk event should be picked out in real time and brought
to the attention of the parties concerned in order to take effective action. Any compromise to the
security system can result in disruption of business processes, resulting in substandard performance
and/or reduced productivity.

Physical risk management of EMC Cloud Solution

Our journey on the road to transforming to an Enterprise Risk Management based program, one of the
more traditional security sweet spots, is our next area of focus. In this month’s column, we will explore
why most enterprises can no longer simply depend on “Gates, Guns & Guards” to adequately safeguard
their physical assets.

Mitigating risks associated with physical assets covers virtually every type of object known to man.
This category of assets ranges from EMC computers and computer Accessories to buildings and major
infrastructure elements, and everything in between. Physical security mythologies have for years
focused on concentric rings of defense. Starting at the outside and working inward with layers of
protection measures based on the value of what was being safeguarded, as well as the perceived risk of
theft, malicious alteration, or sabotage from human caused actions or damage, inoperability or complete
loss due to natural caused events.

Municipal planners have adopted physical security risk mitigation strategies with the advent of Crime
Prevention through Environmental Design (CPTED). The original concepts focused on utilizing a
multi-disciplinary approach to deterring criminal behavior through environmental design. CPTED
strategies rely upon the ability to influence offender decisions which precede criminal acts.

Today, CPTED concepts are also being utilized to thwart terrorist attacks. For example, our EMC
designing and that building with windows that are constructed of high-strength polycarbonates or
coated with blast resistant film not only prevents smash and grab type crimes, but assists in protecting
buildings and their occupants from a broad range of explosive devices. Berms, bollards, planters and
 HND in Computing & System
Development

moats are frequently being utilized as a measure to reduce the likelihood of car or truck bombs from
making it within an effective blast range of a building or critical infrastructure element.

Landscaping and lighting also come into play with CPTED. The use of low growing plants and shrubs
eliminates potential hiding places. Carefully designing where trees will be located helps to avoid
security video blind spots and from them being utilized to gain easy access over fences. CPTED
concepts also call for the lower branches of a tree to be trimmed so there is at least an eight-foot clear
zone before reaching the first branches.

Effective deployment of access control, coupled with security video and intrusion alarms has become
more critical than ever.

Many corporations and building owners have deployed turnstiles of one type or another in lobbies.
These turnstiles typically are low in height so they remain more aesthetically pleasing to the eye. Unless
you have an armed security officer on the other side, they won’t stop some deranged person from
jumping them to commit an act of workplace violence. Similarly, many schools have deployed a double
door controlled entry system as an access control measure. In more than one school shooting incident,
the shooter simply shot out the large pane glass panel next to the entry way to gain access.

Designing truly effective containment areas for visitors and limiting ingress and egress points are
critical elements in physical security risk mitigation, but it can’t stop there. Not unexpectedly, people
are the weakest link in maintaining effective physical security controls. Training all employees and/or
building occupants, coupled with frequent reminders, relative to their individual responsibilities in
maintaining access control is vital.

Never lose sight of the fact that a stable full of lawyers and regulatory compliance agency personnel is
anxiously waiting for the opportunity to point out your negligent security liability and regulatory
violations. Couple these risks with today’s social media deluge that explodes after every incident, and
which is frequently filled with misperceptions and incomplete or inaccurate accounts. At the end of the
day, every risk mitigation measure a company takes will be subjected to the harsh light of public
opinion, just another element of reputational risk for the enterprise.
 HND in Computing & System
Development

Activity 02
2.1 Discuss how EMC Cloud and its clients will be impacted by improper/ incorrect
configurations which are applicable to firewalls and VPN solutions.

VPN
A virtual private network (VPN) is a technology that creates secure, encrypted connections over less
secure networks such as the Internet.

VPN technology was developed to allow remote users and branch offices to securely access enterprise
applications and other resources. To ensure security, data is transmitted over a secure tunnel, and VPN
users must use authentication methods (including passwords, tokens, or other unique identifiers) to
access the VPN server.

Advantages of VPN
 HND in Computing & System
Development

Navigation privacy
Navigation privacy exists because of some anonymity in the visit. In fact, when we enter the VPN, we
are "hiding" our IP (marking who we are the Internet address from where we connect). This prevents
the site from knowing where we are connected. When we say 'website', we are also talking about
advertising and possible hackers, who will be more difficult to track our tracks (fingerprints).

Unlock websites and filters

VPNs are great for accessing blocked websites or bypassing Internet filters.

Data encryption
In addition, there is data encryption. A good VPN ensures encrypted connections and encryption, so
tracking mobile will be more difficult while avoiding unnecessary advertisements (the site displays ads
on the site for several months after searching for a hotel in one place). Data encryption

When connected to a virtual private network, data transmitted over the Internet is encrypted. If you can't
find a secure wireless Internet provider and use an insecure connection, a connection to the VPN
protects your data. Your office may ask you to log in to the VPN while traveling to ensure your work is
secure, based on the VPN definition of encryption.

Safer
Another advantage is that, for example, if we connect to a public Wi-Fi network, you can access remote
content more securely.

Remote access
Using VPN is an advantage for the company because it allows employees to work remotely. Once
employees connect to the virtual private network, they can access all the files in their office computer
network. This means you can access the same files that you can use in the office and the program
resides on the network instead of on your computer's hard drive. This also allows several people to work
on files and share them remotely on the network.

It works for all applications

Because it can route all Internet traffic, unlike proxy servers, proxy servers can only be used in web
browsers, and there are other applications that can be used to configure advanced connectivity options.
 HND in Computing & System
Development

Low cost compared to private networks

The last advantage is that the VPN uses the Internet as a connection between various gateways and
hosts, greatly reducing implementation costs. In fact, the study estimates that when using VPNs, the
cost reduction is greater than 60%, depending on the situation.

Disadvantages of VPN

But everything that sparkles is not gold. Although these connections have great advantages, they also
have their disadvantages.

Lower navigation speed

On the other hand, free can be expensive. VPNs require a lot of infrastructure and resources, and some
free VPNs (always in small fonts) share a partial connection with the rest of the VPN to simplify the
transfer. The downside is that the navigation speed is slower. When connecting to a VPN, employees
must make two connections. This means you have to spend time connecting to an Internet provider and
then connecting to a VPN. This delay can be severe if the employee has limited time, such as a short
stop at the airport, or if they need to obtain information before meeting with the client at the office.

More hacking possibilities

We should also not forget VPNs that are of interest to those who can trade with our information, so they
may be interested in attacking them and getting information from users. Therefore, a big disadvantage is
that VPNs attract a lot of hackers.

The VPN Service Might Monitor our cloud Activity and Use our Data

Some private network services will allow using their private servers in exchange for our data. Of
course, they might not state their intention in the first place. However, there have been cases where
VPN companies are monitoring the data from their users for their own benefits. Yes, they might help
bypass our internet restrictions and hide our IP address, but the private network companies might
actually do the tracking instead. We should be aware of the VPN services that offer their private
connection for free or for a very low price because they might log our activity.
 HND in Computing & System
Development

VPN work
 HND in Computing & System
Development

Limitations of VPN
Please note that VPN is not a perfect system. There are some limitations so that each user can use such a
computer system wisely and discreetly.

Anonymous question

By using a VPN, the user cannot be 100% certain that he is anonymous. In fact, its VPN provider is
able to view all browsing history through its servers. For this reason, it is necessary to work with a VPN
provider that strictly restricts access to information about the user and consulting his data.

Slow navigation

Use the VPN service to reduce the connection speed. This slowness is due to the need for encryption to
protect the data, and the distance between the user and his VPN provider needs to be encrypted. The
farther the VPN provider is from the country where the user is located, the slower the connection speed.
Therefore, the speed promised by each VPN provider must be compared before making a choice.

Restrictions for VPNs for mobile devices

As mentioned earlier, VPNs do not provide data security for smartphones and touchscreen mobile
devices, especially when users start using applications and blinds. You should be careful to choose a
VPN provider that provides cross-platform support for mobile devices. In this way, confidentiality and
savings.

Insufficient servers for some VPN providers

When the VPN server is limited, global access to online information becomes difficult. Even if the user
tries, the slow connection will cause trouble and dissatisfaction. Then, it is necessary to work only with
VPN providers with many platforms to increase customer satisfaction.

VPN provider lacks experience

 HND in Computing & System
Development

When a VPN provider lacks experience, there may be data breaches that may affect user privacy. The
solution is to work only with recognized VPN providers to provide quality of service. Consultation with
Web users on the Web and comparison of VPN providers may be necessary before subscribing to the
Firewall
Firewall is software used to maintain the security of a private network. Firewalls block unauthorized
access to or from private networks and are often employed to prevent unauthorized Web users or illicit
software from gaining access to private networks connected to the Internet. A firewall may be
implemented using hardware, software, or a combination of both.

A firewall is recognized as the first line of defense in securing sensitive information. For better safety,
the data can be encrypted.

Firewall Advantage

Deployment of development configuration to production

Development configurations can include tracing, unencrypted string concatenation, test accounts with
weak passwords, descriptive error messages, and more. A malicious attacker will be able to use a trace
or error message to access an unsecured account, jeopardizing the application. When deploying our
application, be sure to use the correct set of configuration settings in your deployment scripts.

When deploying EMC application, be sure to use the correct set of configuration settings in EMC
deployment scripts.
 HND in Computing & System
Development

Configuration is an important part of every application.

Misconfiguration can happen at any level of the application stack - from code, web and application
servers, to databases and frameworks. Below, I have compiled some of the most common scene lists.

Deploy development configuration to production

Development configurations can include tracing, unencrypted string concatenation, test accounts with
weak passwords, descriptive error messages, and more. A malicious attacker will be able to use a trace
or error message to access an unsecured account, jeopardizing the application. When deploying your
application, be sure to use the correct set of configuration settings in your deployment scripts.

Unable to protect directory

A protected or dedicated directory is a directory that is only used by the identifiable application user,
administrator, or application code. Protected directories may contain sensitive information in the form
of files and images, or the Account Control Panel.

Third-party applications installed on the production server

Production servers with other applications installed often pose a security risk. Some applications have
their own vulnerabilities and known vulnerabilities. For example, some applications may need to use
ports in the firewall that may be blocked. Rather than trying to attack your application directly, smart
attackers may catch known vulnerabilities in other applications that they suspect may exist on your
server. You can do the right thing, but your server can only be as secure as the least secure application.

Web service source file

A web server that is not configured to run technology in the desired endpoint might provide the file
back to the client instead of executing it. This can include compiled class files, PHP code, and more.
Once hackers have access to your source code, they are able to access any aspect of your application
stack.
 HND in Computing & System
Development

Firewall Disadvantage

Attack
The firewall is the center of the attack. Firewalls are designed to prevent unauthorized network
intrusion; however, if an intruder or malware passes through the system, your computer is vulnerable to
additional system attacks, or even full control by malicious parties. When a malware such as a Trojan
tries to install it, it must first pass through a firewall. For example, this can happen by email. After
installation, malware can actually disable the firewall and the process used to run it, which is especially
easy if you don't have anti-virus software.

Block legal processes

Firewalls, especially Windows Firewalls, are designed to block superficially suspicious activity.
Unfortunately, blocks can also be extended to legitimate network-intensive processes. In some cases, if
your firewall considers it to be a malicious process, even running a legitimate program (such as a
messaging program or a social networking plugin) will not work. The weakness or strength of the block
depends on the settings and configuration of the firewall, so it is always important to adjust the settings
of the program accordingly. If a legitimate program cannot connect to your network, verify that it has
been added to the firewall's exception list, which contains a list of programs that are allowed to connect
to the network.

Malware removal
Firewalls, especially Windows Firewall, do not include malware and virus removal. While there are
some advanced security tools including firewall removal and firewalls that block network intrusions,
Windows Firewall does not remove or block malware. If malware such as Trojans and spyware
bypasses the firewall, you must run a virus scan and malware removal program to remove dangerous
files. The firewall also does not protect your computer from backdoor Trojan horses, which open ports
on your computer and send messages to hackers, who then control your system from a remote location.

Data protection
Firewalls provide a defense against malicious policies that can cause system problems, but they cannot
protect your computer alone. If you are using a Windows firewall, be sure to open it from the Control
Panel. For example, Windows Firewall will tell you if your computer has an antivirus program. If an
antivirus program does not exist, it is recommended to install an antivirus program to improve system
security. Firewalls are also not designed to ensure data confidentiality. Websites that promote phishing
 HND in Computing & System
Development

are designed to steal personal information such as passwords and credit card numbers, and can be stolen
using emails and links. Unless your firewall includes an encryption tool, you may still lose the error
message to the wrong person.