Zack Trimble
CYB-230
6/16/2023
Project 3
I have been tasked with looking over Helios Health Insurance's security plan, and I have found
some flaws in it. There are many flaws in their network software and computer hardware. On the
hardware side, I have focused on the hard drives, which are not encrypted, and on how open the Wi-Fi
is. For the software side of things, I have chosen to look at the firewall and how remote users work.
Firewalls are imperative to keeping malicious data out of the network, and users working remotely
need a way to secure their connection, while hard drive encryption secures each computer and having a
non-open Wi-Fi keeps the network more secure. I will first explain the hardware choices and what can be
done to fix them. I will then finish by discussing the software.

As I looked over the hardware specifics for
this company, two major things popped out to me. Their Wi-Fi network is set to open, which throws up
many red flags to me. Public Wi-Fi would be available in places that are open to guests as well as
everyone else. This is dangerous in a company, as it leaves the network open to anyone, which means any
hacker can jump onto the network without having to type any password, and they can grab any
incoming traffic and see all data that flows through the port. If a hacker can get into this, they can easily
steal the data of the company, which can include sensitive data and confidential information regarding
the company. With open Wi-Fi your connection is not secure, leaving it vulnerable to attacks.
Unsecured and vulnerable networks are a hacker's best friend, and that is one thing that needs
to be fixed.

Another thing about this company that popped out to me was the unencrypted hard drives in
the computers. The company has decided to use unencrypted hard drives to make the computers run
faster and have better performance, while sacrificing the security they need to have for sensitive data,
especially since they deal with HIPAA. When you have an unencrypted hard drive, you are leaving
the entire computer at risk, making it easy for hackers to get a hold of the computer as it is not password
protected. Encrypting hard drives is essential for companies, and according to laws like HIPAA all
sensitive data needs to be protected, especially when it comes to confidential information.

The company should follow a few recommendations to keep everything safe. The first step would be to
use a locked-down Wi-Fi network. This means that it needs to be password-protected and should
be set up privately rather than publicly. Making it a private connection allows the network and the data
traveling through the network to be safe and more secure. To accomplish this, least privilege techniques
and layering would be implemented, which all tie into confidentiality and integrity in the CIA
triad. A locked-down Wi-Fi connection allows only certain people to connect. So, to keep
this safe you would only use laptops, which are company-owned computers. This way, only users with
laptops can connect to Wi-Fi in the building. Any person using a cell phone or outside equipment would
not be able to connect, eliminating further threats.

It would also be a good idea to encrypt all computer
hard drives that are unencrypted. Every person who has a computer will need it encrypted. I would
recommend imaging the computers with a Windows version that includes BitLocker. BitLocker is Windows drive
encryption software that keeps the drive safe by requiring a password to get into the
computer. If the computer is locked, someone who does not know the password cannot get
in. After so many attempts the drive will lock and require a long key. Without this key you cannot access
any data on the computer. Having this security is necessary. Additionally, data on an encrypted drive is
protected because encryption prevents unauthorized access. If your company maintains a log of HIPAA
information, it could be a violation of the law if it is not correctly secured.
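
To check that the encryption recommendation above has actually been carried out on each computer, the output of the Windows `manage-bde -status` command can be audited. The following is an added example, not part of the original paper: it assumes English-language `manage-bde` output, uses a trimmed, constructed sample instead of a real machine, and treats the "long key" as the recovery password that `manage-bde` lists as `Numerical Password`.

```python
import re

# Constructed, trimmed sample of `manage-bde -status` output (not from a real machine).
SAMPLE_STATUS = """\
Volume C: [OS]
[OS Volume]
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Protection Status:    Protection On
    Key Protectors:
        TPM
        Numerical Password

Volume D: [Data]
[Data Volume]
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0.0%
    Protection Status:    Protection Off
    Key Protectors:       None Found
"""

def parse_volumes(text):
    """Split manage-bde output into {drive: {field: value, 'protectors': [...]}}."""
    volumes, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Volume (\w:)", line)
        if m:  # start of a new volume section
            current = volumes.setdefault(m.group(1), {"protectors": []})
        elif current is not None and ":" in line:  # "Field: value" line
            key, value = (p.strip() for p in line.split(":", 1))
            current[key] = value
        elif current is not None and line.startswith("        "):
            current["protectors"].append(line.strip())  # indented protector name
    return volumes

def findings(volumes):
    """Return (drive, problem) pairs for volumes that do not meet the policy."""
    out = []
    for drive, v in sorted(volumes.items()):
        if v.get("Conversion Status") != "Fully Encrypted":
            out.append((drive, "not fully encrypted"))
        if v.get("Protection Status") != "Protection On":
            out.append((drive, "protection is off"))
        if "Numerical Password" not in v["protectors"]:
            out.append((drive, "no recovery password protector"))
    return out

if __name__ == "__main__":
    for drive, problem in findings(parse_volumes(SAMPLE_STATUS)):
        print(f"{drive} {problem}")
```
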
Now to the software side of things. Currently there is only one firewall, and that is in the system
administrator sector. Having a firewall only at this location allows all the good traffic and malicious
traffic to be filtered in and out; however, it leaves the rest of the network vulnerable to malicious traffic.
Undesirable traffic can consist of users navigating to websites, and if those websites are not blocked, it
could allow malicious attacks or viruses from hackers to get through. It also can allow emails to
come through that are not safe, such as a hacker masquerading as a safe user; the user then
clicks on the email and unleashes a malicious attack or virus on the network. This company also has laptop users.
If there will be laptop users in this company, extra security layers on their computers are needed. To do
this, I would recommend having a VPN installed on all laptops. Having a VPN allows you to
connect to a secure session, making it more difficult for a hacker to find you and your data, as it masks
your IP address. VPNs should be implemented if laptops are going to be used, as they can travel off site.

It is recommended to put another firewall in the network, between the network router and
the main switch. Having it here will protect all the other devices. You can also mirror the system
administrator firewall settings to this new one. Now with this firewall in place, we can filter out bad
traffic for emails and websites. Blocking unwanted websites will help keep the network safe from
intruders as well, and you can filter out malicious emails so that only emails from trusted domains,
which can include internal employees and clients, are allowed.

The biggest thing for the laptop users
is that if they are going to be walking around with the sensitive data, they need a VPN installed on
their computer. Having a VPN hides your activity. If these users are allowed to take their computers home,
they would be required to make use of this connection at home, or at least until the Wi-Fi problem at
work is resolved. The VPN hides your activity, making it harder for a hacker to find and steal your
data. Since we are dealing with HIPAA and sensitive data, it is not recommended to allow anyone to take
any work home with them, even to work from home. If you take this data away from the office, it can violate
laws and clients' privacy, especially if your home network is not as secure as an office network. Having
the VPN would help as a buffer, but still, it is not recommended to take any work home. This also falls under
availability, ensuring the product is available to use. It can also maintain confidentiality and integrity as
well.
Overall, I have made a few recommendations for the four issues that I think needed attention:
adding another firewall, installing a VPN on all laptops,
changing the Wi-Fi to secured Wi-Fi rather than open Wi-Fi, and encrypting all hard drives as a
final step. All the data should be kept safe and secure by following the suggestions made. Doing so will
also eliminate any vulnerable spots, keep hackers out of the network, and keep any sort of
data from being leaked.