Question 1 ( Saurabh Korgaonkar ):
From the given scenario, we can come to know that if employees have received calls from individual who did not identify themselves and asked a lot of questions about the company and computers infrastructure means someone from outside of the company trying to grab the sensitive information through social engineering and formal ways of telephonic communication. Also, there are several strange emails requesting sensitive information from employees and few of company’s employees have been looking trash and recycle container which can lead to leak the sensitive information through intruders.
Thus, company should take above incidents seriously and must apply different security measures to avoid potential future threats from intruders and extruders. Also, company should make some security standards and policy and should implement those as soon as possible.
Some of the security measures that company can follows are
1.The company should setup filter in form of firewall between company’s internal server and outside domain and always apply updated security patches so that It will help to eliminate any malicious data and emails to enter company’s server. Also, every employee’s system should be update with latest security standards and tools to avoid possible security threats from virus, computer worm, dos and ddos attack, phishing, rootkit etc. company should follow owasp top 10 security standards to protect from web application security threats and vulnerability (owasp top 10, 2018)
2. Every individual employee should take responsibility of not to share or discuss any personal or company’s data with outsider. Company should guide employees on handling fake calls and phishing sites. Employees should get some practical training on system security to face those situation in real time scenario. There should be role-based -access for every employer so that based on persons position in the company, he or she will get access to the information but not all employees can access all the information. (Network and System security 2nd edition)
3. If such things happen repeatedly after taking possible actions from security point of view, then company should possibly need to hire security architect and consultant and should perform the penetration testing in company’s internal network and server to identify possible loopholes.
Finally, it is advisable to keep updated with latest security tools, patches as well system operating system and perform system security audit once in a month to minimize chances of system security threats.
Question 2 (Vinay Chowdary Boddu ):
Information security is one of the major concerns for any boss or owner of the organization. As per the scenario, employees in the organization receive several calls from the anonymous persons who are asking the number of questions and interrogated about the firm and its managerial structure and setup. On the first sight, it supposed that PC suppliers are trying to vend their products to the company however, it discovered that no supplier come up to the business. It is actually an instance of fake calls pretending to be authorized entity related to the company. On the other hand, various strange and unknown emails demanding confidential information have been directed to the workforces and more than a few individuals perceived looking for the firm’s trash emails or dumpsters for ecological containers. This incident identified as the phishing attack or attempt to deceive for taking away the classified information. From these current events happened to the firm, it is clear that information or data safety is a crucial issue for the organization and owner. Using any sort of computer and information security, the key factor for avoidance is to apply the protective and safekeeping measures in the business network. It is recommended that development of security awareness and understanding amid the workers is very important such that it can manage and cope up with such incidents or situations inside the firm (Maiwald, 2003). Here are some of the basic and significant recommendations for the company that can be accomplished to overcome the circumstances:
· *Train or instruct the workers of the company not to receive any call from the unidentified persons who are demanding confidential data and educate the workforces not to offer any details to an anonymous entity (Sullivan & Liu, 2011).
· *In order to prevent any attempts of phishing attacks through strange emails (pretentious) to employees, educate the staffs and conduct employee training conferences with fake phishing set-ups to understand the scenario.
· *Install a web/internet filter to hinder malevolent websites.
· *Encrypt or encode all the delicate information of the company using anti-virus or firewall solutions within the workstations of the employees.
· *Encryption schemes are mandatory to implement for workers who are telecommuting from the remote locations accessing the company email or web server.
· *It is very significant to mount an antivirus software solution; plan signature informs and observes the antivirus prominence on every device within the company (Maiwald, 2003).