Omega Research is a rapidly growing research and consulting firm. It has a single main office located in Reston, VA, and three small branch offices located in San Diego, CA, Salem, OR, and Kansas City, MO. Omega is not currently involved in e-commerce or business-to-business relationships.

Two weeks ago, Omega experienced a significant loss of proprietary data (estimated value $550,000.00) that was stored electronically in an Oracle database in the main office in Reston. The data was unrecoverable and backups were not being routinely maintained, so no restoration was possible. Although he has no hard evidence, Omega's CTO believes that the loss resulted from deliberate deletion of files by a systems administrator from the Kansas City office who had been let go several weeks prior to the loss. To add insult to injury, four days ago, Omega's CEO received a phone call from one of the company's largest clients informing her that Omega's website had been defaced with pornographic content. Needless to say, the CTO has been tasked with getting things under control.

You have been hired as a consultant to develop a comprehensive plan for improving the company's security posture in order to prevent future compromise of Omega's networks and networked resources in the form of a risk assessment. Your guidance and observations will eventually be used to develop a long-term procedural and policy solution for Omega Research. The CTO has stepped up to the plate and made the commitment to do whatever it takes to address these issues.

Baseline Architecture

Wide Area Architecture

Omega leverages AT&T Managed Internet Services for each of its office locations.
Omega owns and manages the border routers for each of its office sites.
Offices in Reston, San Diego, and Kansas City receive full T-1 service.
Offices in Salem receive 256k F-T1 circuit service.
Local Area Architecture

Reston Office

Perimeter protection provided by screening router. Configured for dynamic packet filtering using reflexive Access Control Lists (ACLs).
Remote access is provided to employees while at home or on travel through PPTP VPN and dial-up RAS offered by a Microsoft Windows NT 4.0 Server ®.
All servers in the Reston office have been centrally located to a data center.
The Reston data center supports a five-keypunch combination lock that is required to have access to the room. That combination is shared with all IT personnel and is infrequently rotated.
The data center is controlled for humidity through HVAC purification.
The data center is controlled for temperature with isolated HVAC services.
The data center is not on a raised floor to control static electricity.
The data center does not have a site-wide UPS. Each server and network equipment piece supports its own mini-UPS.
Internal Omega E-mail is supported by a Microsoft Exchange ® 2000 mail server running on a Microsoft Windows ® 2000 server. Omega has installed an SMTP mail gateway to support Internet mail exchange.
Omega is the registered owner of omegaresearch.com, and maintains a DNS Server at the Reston facility for name resolution, supporting Omega users and to allow Internet access to publicly accessible information (Web and e-mail).
Web-hosting services are provided on a Microsoft Windows ® 2000 server, running Internet Information Services (IIS).
X.500 directory services are available through Active Directory, although their implementation is relatively immature-they are operating in a mixed environment.
Server and client o/s environments have not been routinely patched.
Reston office printers are all network connected.
The IT Department is responsible for management of the networks and networked resources at the Reston facility. They manage more than 170 workstations and six servers, performing the functions previously described.
Client machines consist of Microsoft Windows 7.
Productivity applications have not been standardized. Some user communities enjoy Corel Office Suite ®, while others appreciate Microsoft Office ®. There are various editions of these packages installed on client machines.
San Diego Office

The San Diego office is essentially a mirror of the network architecture provided at the Reston facility.

Differences

San Diego does not host a Web server.
San Diego does not support VPN or RAS connections.
There are fewer employees working out of the West Coast office. The local IT staff consists of one engineer who manages all networks and networked resources within the San Diego office.
There are fewer than 50 client machines in San Diego with similar configurations as the main office.
All servers have been located in a spare office in San Diego.
There is not a controlled access restriction like in the main center.
The office is not controlled for temperature, humidity, or static.
There are no redundant power supplies.
Salem Office

Salem is a small site with only 30 workstations configured in much the same way as the rest of the company.
Salem supports a single combined shared file and print server hosted on a Microsoft Windows ® NT 4.0 Server.
Mail services are obtained through the San Diego office, using mailboxes set up on the San Diego Exchange Server.
There are no publicly available networked resources at the Salem office.
Remote access to Salem's infrastructure is provided to mobile and home employees using VPN client to gateway connectivity.
Salem has an IT staff of one engineer who manages all networks and networked resources at this site.
All servers have been located in a spare office in Salem.
There is not a controlled access restriction like in the main center.
The office is not controlled for temperature, humidity, or static.
There are no redundant power supplies.
Kansas City Office

Kansas City is very similar in size to the Salem office, with the exception that Kansas City runs a Microsoft Exchange ® 2008 server for mail services.
Kansas City has a local system administrator for support.
All servers have been located in a spare office in Kansas City.
There is not a controlled access restriction like in the main center.
The office is not controlled for temperature, humidity, or static.
There are no redundant power supplies.
Considerations

Networking and Systems Administration

Access to any site LAN automatically guarantees access to the entire WAN. This means that user accounts authenticated in the Salem office have immediate access to resources in San Diego, Kansas City, and Reston.
User accounts and access restrictions are independently managed by each office's system engineer. There is not a common user policy - rules concerning how passwords are created and enforced, cycled, and aged; lockout; user account retention; and so on, are created and maintained per office.
There is no formal backup and disaster recovery policy at any site. Backups are decentralized. Off-site rotation only happens at the Reston office; no officer of the company or single IT person knows how to access each other's tapes in the event of a catastrophe. Salem currently performs no tape backups.
The local system administrators found at the satellite offices take all direction from the central office and are not authorized to make boundary router changes. They do not have authority to change anything without central IT approval. They have no budget; they have no authority; they have full accountability for their LANs.
All machines run some form of antivirus software, although local IT staff infrequently maintain their definition files and rely on user intervention to perform file updates. No machine has spyware protection.
There is no dedicated program for training employees on avoiding threats such as phishing. 
Firewall logs, host packet analysis, application logs, and event and error logs are generally ignored across the board.
Business Requirements

The organization is growing rapidly in spite of recent events.
Its strength is in developing business within the local market and providing on-site consulting services.
The research end of the business is the wellspring from which it draws its competitive edge, but Omega is realizing that consolidating the research workforce adds synergy to its efforts and reduces unnecessary overhead.
Omega plans to continue down that road. As a result, local sites will expand their consulting workforce and research will continue to be consolidated at the Reston and San Diego facilities. As this trend continues to develop, access to the research data stored at the East and West Coast facilities becomes critical. Additionally, Omega cannot afford another loss of proprietary information like the one recently experienced, and management knows that it could have been much worse.
Known Environmental Risks

The San Diego office is located in a 20-year earthquake zone. Once every 20 years, it estimated that a 6.0-Richter scale earthquake or greater will strike the facility, likely causing damage to the facility/computer equipment; management assumes that losses to computer assets could be estimated at 20%. As a countermeasure, the company has purchased insurance with $18,000.00/year annual premiums that increase 5% every year.
The Reston office is located in a 500-year flood zone. Once every 500 years, it is estimated that a flood will strike the facility, likely causing damage to the facility/computer equipment; management assumes that losses to computer assets could be estimated at 40%. The company has opted to not purchase insurance. Annual premiums would run at approximately $25,000.
The Kansas City office suffers a significant tornado event once every five years. When the tornado hits, severe electrical disruption affects the equipment and the office suffers 10% losses on computer assets. The company pays $14,000 in annual insurance premiums.

Specific Component and Grading Rubrics
At a minimum, students are to create a five-to-seven-page (minimum 2,000 words) Word document compliant with APA guidelines.

Provide a written assessment of the current security posture of the organization. (10 points)
State in general terms where Omega has strengths and where it has weaknesses. (10 points)
Develop a listing of threats, prioritized by their relative likelihood and potential frequency of occurrence. (15 points)
Develop a listing of vulnerabilities in the current security posture of Omega Research. (15 points)
Prioritize the vulnerabilities based on the potential impact on Omega Research if the vulnerability is exploited (i.e., threat is realized). (20 points)
Identify potential threat agents. (20 points)
Identify appropriate policies that must be developed and published now to support your plan of action. Include the essence of these policies (a paragraph), not the detailed policy itself. (25 points)
Additional recommendations that you might have for Omega senior management to improve their competitive advantage or to provide additional security. (25 points)
Proper APA citations are used throughout the report. (10 Points)

Best Practices

The following are best practices in preparing this paper.

Cover Page: Include who you prepared the paper for, who prepared it, and the date.
Table of Contents: List the main ideas and sections of the paper and the pages where they are located. Illustrations should be included separately.
Introduction: Use a header on your paper. This will indicate that you are introducing the paper.
The purpose of an introduction or opening is to
introduce the subject and why it is important;
preview the main ideas and the order in which they will be covered; and
establish the tone of the document.
Include in the introduction a reason for the audience to read the paper. Also include an overview of what you will cover and the importance of the material. (This should include or introduce the questions that you are asked to answer in each assignment.)

Body of the Report: Use a header with the name of the project. An example is, "The Development of Hotel X: A World Class Resort." Proceed to break out the main ideas: State the main ideas and the major points of each idea, and provide evidence. Show some type of division, such as separate, labeled sections; separate groups of paragraphs; or headers. Include the information that you found during your research and investigation.
Summary and Conclusion: Summarizing is similar to paraphrasing, but presents the gist of the material in fewer words than the original. An effective summary identifies the main ideas and the major support points from the body of the report; minor details are left out. Summarize the benefits of the ideas and how they affect the subject.
References: Use the citation format specified in the Syllabus.