Here's a comprehensive security plan based on the protection measures and

actions needed for the identified threats. I've outlined actions, reasons,
constraints, and test plans for the relevant threats and protection measures:

Protection Measure 1:

Threat Addressed: Threats 1 & 8 - Attack via remote access method,

misconfigured firewall.

Size of Loss: Major

Actions to be Taken:

1. Install or activate a firewall on the router if not already present.

2. Configure the Internet firewall to allow access via ports required by the
chosen remote access software. Change the default ports if possible.
3. Set up port forwarding / NAT on the router to direct remote access
traffic to the correct remote access server software.
4. Configure the remote access server and client software to align with
the firewall settings.
5. Enforce a strong password policy for the remote access software and
network logons.
6. For the Wi-Fi router, only open essential ports (80, 443, and 993).

Reason for Actions:

 Automated attacks commonly target well-known ports; a firewall helps

block unauthorized access unless relevant ports are open.
 Changing default ports reduces the risk of targeted automated attacks.
 Port forwarding ensures that remote access is secured through the
appropriate remote access server, rather than an easily exploitable
network logon.
 Using strong passwords adds an additional layer of security.
 Restricting unnecessary ports on the router (such as port 80, 443 for
web traffic and port 993 for secure email) ensures minimal exposure.
Constraints:

 Technical: Minimal. Setup and configuration tasks are simple, and

“walk-through” guides are widely available.
 Financial: Minimal. A commercial-quality router typically includes a
firewall.
 Legal Responsibilities: None, assuming data protection through
encryption.
 Usability: Minimal impact, though strong password enforcement could
lead to user login issues.
 Cost-Benefit: The potential risk of a system intrusion outweighs the
minimal costs involved.

Test Plan:

T
e
s
Expected
t Test Description Further Action
Outcome
N
o
.
Use a port scanner to identify Open ports should Close any
1
open firewall ports be identified. unnecessary ports.
Recheck remote
Perform an external login to Default ports
access software
2 remote access server using should fail, custom
and ports if
default and custom ports ports should work.
needed.
Set weak passwords for Password change Enforce strong
3 remote access and network should be password policy if
logons rejected. accepted.
Attempt to access services Access to non- Recheck router
4 other than browsing and essential services and software
email via Wi-Fi should be blocked. configuration.

Protection Measure 2:

Threat Addressed: Threat 2 - Attack via Internet connection.

Size of Loss: Major

Actions to be Taken:

1. Install or activate the firewall on the router.

2. Configure the firewall to only allow essential ports for system software.
3. Enforce a strong password policy for the system software and network
logons.

Reason for Actions:

 Firewalls help block unauthorized access by filtering traffic based on

port configurations.
 Limiting open ports reduces exposure to automated attacks.
 Strong passwords improve the defense against brute force attacks.

Constraints:

 Technical: Minimal. Setup and configuration are straightforward.

 Financial: Minimal. Modern routers include firewall functionality.
 Legal Responsibilities: None, provided data is encrypted.
 Usability: Minimal disruption, though strong password policies may
cause user login issues.
 Cost-Benefit: The benefits of preventing major intrusions justify the
low cost.

Test Plan:

Te
st Expected
Test Description Further Action
No Outcome
.
Use a port scanner to Only required ports Close any unused
5
identify open firewall ports should be open. ports.
Set weak passwords for Password change Enforce strong
6
network logon should fail. password policy.
Protection Measure 3:

Threat Addressed: Threats 3, 6, 10 - Network access by mobile devices,

Wi-Fi access for staff and visitors.

Size of Loss: Major

Actions to be Taken:

1. Install separate Wireless Access Points (WAPs) for staff and visitors.
2. Configure the staff WAP with WPA2 encryption and a strong password.
3. Use a MAC address whitelist for the staff WAP to limit access to
approved devices.
4. Configure each WAP with a unique SSID and strong password.

Reason for Actions:

 Separate WAPs for staff and visitors prevent visitors from accessing
internal resources.
 WPA2 encryption ensures a secure wireless connection.
 MAC address whitelisting limits unauthorized device access to the
network.
 Configuring SSID properly ensures users connect to the correct
network.

Constraints:

 Technical: Minimal for WAP setup; medium for maintaining the MAC
address list.
 Financial: Minimal for basic WAPs; possible additional costs for larger
networks.
 Legal Responsibilities: None, assuming encryption and data
protection are maintained.
 Usability: Minimal, though MAC address lists may require
maintenance.
 Cost-Benefit: Preventing unauthorized access outweighs the cost of
setting up and managing these measures.
Test Plan:

T
e
s
t Test Description Expected Outcome Further Action
N
o
.
Log in to visitor WAP and Only limited areas Adjust WAP
7 attempt to access (like internet) should configurations if
restricted areas be accessible. necessary.
Recheck each staff
Attempt to log in to staff Login should require
8 WAP for proper
WAP a password.
configuration.
Attempt login with devices Update MAC
Access should be
9 not in the MAC whitelist on address list if
denied.
staff WAP needed.

Protection Measure 4:

Threat Addressed: Threat 4 - Attack on the paintball equipment.

Size of Loss: Moderate

Actions to be Taken:

1. Configure the Paintball sub-domain to restrict access to the control box

web pages.
2. Implement an additional login step (password protection) for the
control box web pages.
3. Ensure the Paintball sub-domain is isolated from the Admin sub-
domain.

Reason for Actions:

 Isolating the Paintball sub-domain ensures only authorized access to

the control box, reducing attack vectors.
 Password protection adds an additional layer of defense.
Constraints:

 Technical: Minimal setup and configuration.

 Financial: Minimal, as most network operating systems support these
configurations.
 Legal Responsibilities: High, ensuring safety standards for
operational equipment.
 Usability: Minimal impact once configured.
 Cost-Benefit: Preventing equipment misuse or damage outweighs the
low setup cost.

Test Plan:

Te
st Expected
Test Description Further Action
N Outcome
o.
Attempt to log in to the Admin Access Adjust permissions or
10 server and access Paintball should be configuration as
data denied. needed.

Protection Measure 5:

Threat Addressed: Threat 5 - Attack on / theft of client information.

Size of Loss: Major

Actions to be Taken:

1. Encrypt all sensitive data (client information, payment details).

2. Restrict database queries from the internet, using pre-validated form
pages if necessary.
3. Implement strict access rights to ensure only authorized users can
access sensitive data.

Reason for Actions:

 Encryption protects sensitive data even if the system is compromised.

  Restricting access through form validation prevents SQL injection and
other web-based attacks.
 Strict access rights reduce the chances of insider threats.

Constraints:

 Technical: Minimal for encryption and access rights setup.

 Financial: Minimal to medium, depending on consultant fees for query
form creation.
 Legal Responsibilities: High, as client data security is critical for
legal and compliance reasons.
 Usability: Low impact; encryption and access rights are transparent to
users with appropriate permissions.
 Cost-Benefit: The risk of data theft and legal consequences far
outweigh the costs.

Test Plan:

Te
st Expected
Test Description Further Action
No Outcome
.
Access
Attempt access to client data Review access control
11 should be
with insufficient privileges policies.
denied.
Input should
Try SQL injection on Ensure all input fields
12 fail
database query forms are correctly validated.
validation.

This plan covers protection measures for the identified threats, outlining the
necessary actions, reasons for them, constraints, usability considerations,
and cost-benefit analysis, along with test plans to verify implementation.