DECEMBER 03 2010

Security TEK
SAIT Polytechnic
1301 – 16 Avenue NW
Calgary, Alberta, Canada, T2M 0L4

Project Charter
Security TEK

David Sutherland
Jason Mah
Chau Pham

Table of Contents

Executive Summary
Project Vision
Project Purpose
    Problem / Opportunity
    Project Description
    Key Stakeholders
Project Scope
    Scope
    Out of Scope
Project Objectives
Terminology
Project Team
Project Stakeholders
Risk Assessment
Project Schedule
Project Facilities and Resources
Project Budget
    Equipment and Facilities
    Operating Costs
Promotion and Communication
Intellectual Property
Offer and Approvals
    Offer
    Approvals
    Project Charter Signoff

Section 1 Executive Summary

Security Tek’s main goal is to create a hardened server with a hardened room to match. We will use security techniques and procedures learned in IT Security and Server Service Administration to build a functional server with programs for network intrusion detection and protection. We will also use techniques to harden the server room so that unauthorized access is prevented or detected. Our purpose is to devise and implement a plan that a client can execute to protect their server.

We will use a Snort box to make sure network intrusion is documented and logged. As a network prevention system, we will implement a honeypot to attract the intruder to a fake network instead of our own. Physical access will be controlled by things such as a mantrap and user access codes. Shock sensors and cameras will monitor and secure the server.

We are aiming at small to medium sized companies, as these moderately sized companies may not have an IT department with the technical expertise to implement a more secure server for their needs. We will implement it in a way that is affordable and will not break a client’s budget. It will provide much needed security for an up-and-coming business or a business looking to expand their IT server; whether it is for sending internal or hosting a new website for sales, this is needed to protect their backbone so they can continue their business.

We will create a documentation guide and setup procedures to direct a client on how the system is to be set up. A step-by-step manual will be created, and a troubleshooting section will be included in case the client encounters a situation similar to anything that happened while we were devising the manual.

Our target time frame for creating our manual and having a documented manual is the end of March 2010.
We will have a demonstration of our plan at the end of April 2010, and will use the time after the documentation is complete to fine-tune our systems to work as one. Partial demonstrations will be documented halfway through for our stakeholders, for approval and critique, to ensure that we are heading in the right direction for what a client would want in a hardened server room.

Section 2 Project Vision

In today’s growing technological society, it is increasingly important that products are unique, easy to use and provide a great deal of functionality to the consumer willing to buy them. Thus, it is important to have an innovative product that will catch the consumer’s eye at an ideal cost for both sides.

The project vision is to create a security system that will keep the valued object(s) safe from intruders. Our team will create a unique product that is easy for the consumer to use, but secure enough to ensure the safety of the object(s) the consumer wants to protect.

First of all, our group will design a hardened server that incorporates Snort as well as other security programs. We will use this server for two main objectives: 1) as the “prized” object that thieves may want, and 2) to hold all the programs and scripts that control our intrusion prevention and detection system.

To do this, our group will research the price of the materials and the overall design and build of the final product. We will locate a suitable room, measure it to determine how much material is needed to secure it properly, and then begin to design our system. From there we will design a security system that combines Snort and other security rules, sensors, cables and computer hardware to produce a reliable security system.

Final Deliverables:
1. Project Demo
2. Presentation
3. Website
4. Project Documentation

Section 3 Project Purpose

Security is always a big area of IT and will continue to grow as technology advances. The challenge is to keep intruders out while allowing server administrators access to the server room. This problem keeps occurring at companies that do not implement a safety plan or have a poorly made plan. If an intruder is able to get into the server room, they can have control over the servers just by walking through the server room door. This has created a great project idea for our group: create a security system that is cheap, easy to implement and secure. This system will stop or slow down an intruder to allow security personnel time to get to the server room. Another deliverable is a presentation of our prototype and an administrator manual for easy implementation by the administrator and security. The project does not just include our team but many others outside the team.

Problem / Opportunity

Think of having a small business: because you have a small budget, you have to cut costs in some areas to help provide for other areas, and servers in an unprotected room are a likely result. Many businesses may look at security as an expensive component that has no value for the company.

Project Description

If a company is worried about the cost, then our project will dissolve that problem by setting up a low cost security system with the benefits of a high cost system. This project will also deal with the initial problem for some companies: a security system to protect their servers was never implemented.

Key Stakeholders

The key stakeholders are the people that are involved with the overall project. The project managers are our team; each of us will have a chance at being the project manager. When it is our time as the project manager, we become a major stakeholder because we want the rest of our team to achieve what is needed.
Our client is also the sponsor at the moment, giving us ideas while we give results back. This project is being performed at SAIT, so we have to represent SAIT the best we can when looking for results and building our project. Each stakeholder is affected by the outcome of this project, so it is our responsibility to make our project work. If problems arise, we are accountable for letting the key stakeholders know of complications. These are just the key stakeholders; there are many more that are listed further below.

| Stakeholders | Comment |
|---|---|
| Project Manager | David Sutherland, Jason Mah, Chau Pham |
| Client | Colin Chamberlin |
| Performing Organization | SAIT |
| Sponsor | Colin Chamberlin |

Section 4 Project Scope

As with any project, however small or large it may be, security is always an issue. With our project, our hope is to create a hardened server and room to protect our assets. We will only have one server and server room to showcase our product, but we will include steps to expand the security measures to a larger scale. So within the confines of this project we will not be demonstrating large-scale security measures, but only those on one server.

At least halfway through, we would like to be able to demonstrate our hardened server. We will show how an intruder will be detected and kept at bay by the honeypot, which throws them off our actual server. Our second partial demonstration will be our server room, where unauthorized access can be monitored or trapped. It will also monitor traffic in the server room to identify whether a user was able to access the server by bypassing the security measures.

As this is only a simple demonstration of our project, we cannot do things like setting up multiple servers each with their own protection, nor can we produce a real attack on our system, like a virus trying to infect it. We will only be showing user intrusion detection.
Also, as space will be limited, some things like pressure mats will only be situated in critical places, in front of the door and the server, to monitor access. Our camera setup will only be able to monitor limited areas due to space limitations.

Scope

Our scope will mainly consist of one room, with security to trap unauthorized users and keep them from accessing the server. Due to budget constraints, we are limited to using only a fraction of all the security features we could get, such as a high definition camera used as a motion sensor and video capture device.

Out of Scope

Since our budget is limited, we cannot implement things such as pressure mats or a biometric scanner that scans fingerprints. The project will be limited to a one room design instead of an actual server farm. Other things that could be implemented but will not be included are shock sensors, which ensure that the servers are immobile and cannot be moved without alerting someone with access. Other technologies, for example keycards or magnetic access cards, will not be implemented due to budget constraints.

Section 5 Project Objectives

To achieve our desired goals, they must first be defined. Hardening a server along with the physical security will be a large task. We will implement multiple physical security devices like cameras, pressure mats, motion detectors and more. As well as physical security, a server must be able to detect and trap malicious users or organizations trying to bring down our protected servers. We will use Snort and a honeypot to detect and confuse those that want to harm our business.

We must first have a server to protect. We will have to acquire a server capable of doing basic tasks such as web hosting, email and internet. With our limited time scope we will only have one server doing multiple tasks, but we will create a plan in case it needs to be implemented on a larger scale. Once our server is acquired, we will begin to set up our honeypot.
We will make it seem like there are multiple servers and end users talking to each other. We will simulate network traffic to make it more realistic, and we will have Snort detect the IP of the attackers trying to get at our server. We will also remove unused commands and restrict administrator rights to protect against unauthorized modifications.

To start with physical security, we are putting in man-trap style access to our server room. A user must have authorization to enter through the second door of the man-trap, to reduce unwanted access by those without authorization. As for authorization, we will implement a fingerprint scanner as well as a keypad, so that those with access codes cannot just give them to anyone: a user must verify their identity with the fingerprint scanner before the code allows them access into the server room.

We will also implement a pressure mat system to monitor foot traffic in and out of the server room. We are putting this in because an intruder may not use the front door, and may try to bypass the main security defenses we put up, like our man-trap doors. It also monitors how many people have entered, and we will try to set it up so that only users that pass the man-trap and are authorized can enter; if they try to bring in a second person, it will lock out the server.

As pressure mats can only detect footsteps, or pressure, we will also include video cameras with IR for dim light situations, to monitor who has been inside the server room, day or night, and make sure only authorized users have been inside.
If we have set all these defenses up properly, the server will only be accessible through the man-trap by a user with a fingerprint ID set up and a key code for door access. The man-trap will only allow one person through at a time, and if more than one person has entered through the man-trap on only one authorization, the server will be locked down and not accessible until an administrator can verify and unlock the servers.

Section 6 Terminology

There are a few terms that need some more explanation as to what they mean, such as honeypot, man-trap, IR, Snort and intrusion detection.

Honeypot - a trap set to lure intruders into accessing fake information so that the real information is safe. This is done by creating scripts that appear to show real information when an intruder is able to get into that system. We want people to try to access this, since we will be able to log their IP, when they tried to hack into our network and how many times.

IDS (Intrusion Detection System) - an intrusion system set up to detect intruders, documenting the intrusion or alerting the administrator of the system. This can be used in the physical and network areas of security.

IPS (Intrusion Prevention System) - an intrusion system set up to prevent intruders from entering or to stop them in their tracks. As a physical system, something like a mantrap will work. In a network environment, a honeypot will help.

IR (Infrared) - this type of camera is able to detect heat signatures given off by warm blooded animals. This is especially important because we will be able to detect a person, night or day, in our restricted area.

Mantrap - a physical security device(s) used to prevent intruders from getting into a restricted area. For our purpose, we will be using floor detectors to sense footsteps when someone is near our restricted area.

Snort - a network intrusion detection system that detects and logs intruders trying to access our system.

Section 7 Project Team

The most important part of a project is creating a team that suits the style and goal of the project. A team needs to co-operate, communicate and create. Co-operation between members leads to a better end result. Over the past year and a half we have done a few projects together, so there are no uncomfortable situations that make it hard for the team to work together. We understand each other’s strengths and weaknesses. Communication between team members is also well formed because of experience from previous projects, but in every project there is still miscommunication that unbalances the team; it is quickly fixed. Creating means coming up with a solution to a standstill in the project; our team will use this in organization and problem solving.

Within the team, each of us has a role that best fits our strengths. The order in which the roles are listed is our priority order. The project manager role is split evenly through the project as different tasks are implemented.

| Member | Role |
|---|---|
| David Sutherland | Project manager, Hardware, Server Admin |
| Jason Mah | Hardware, Project manager |
| Chau Pham | Programmer, Project manager |

Section 8 Project Stakeholders

Our key project stakeholders will be primarily ourselves. Other stakeholders include Colin Chamberlin and our sponsor. Colin will influence our group by giving us advice and ensuring the project is on schedule. Our sponsor will be monitoring, requesting and advising us with information so that all plans go forward and continue as planned.

Other key stakeholders include the users and suppliers. Users are a major stakeholder since they will be buying the product. The users influence us in that we will provide the best product for them and in return will receive a good reputation.
The suppliers’ reputation will also be on the line; should they fail to provide us with a reliable product, they will lose their reputable status. This can affect a supplier’s company by causing it to go bankrupt. Other companies will not buy from them if their products are inadequate and unreliable.

| Stakeholder | Role or Influence |
|---|---|
| Project team | The team that will be putting in the work |
| Colin Chamberlin | Will make sure that project is on time |
| Sponsor | Will sponsor us |
| Users | Will buy and evaluate the product |
| Suppliers | Reputation of product line |

Section 9 Risk Assessment

While the project is meant to help implement security for a small business, complications can occur that affect its outcome. This list of risks is to help ready our group for problems that may occur. The mitigation strategy is how our team will stop the risk from happening or lower the chance of it happening.

Project Risk Assessment (Probability, Impact and Severity are each rated High, Medium or Low)

Insufficient training
Probability: Medium, Impact: High, Severity: Medium
Team members may not all be on the same page in training, so some will have less experience.
Mitigation Strategy: Research areas that are unfamiliar; use textbooks and other resources to learn from.

Inadequate communication
Probability: High, Impact: Medium, Severity: Low
A new team means working with new people, which can cause communication problems if we are not on the same page.
Mitigation Strategy: Set up meetings and create schedules, email when a problem has occurred, get to know one another, strengths and weaknesses …

Conflicting priorities
Probability: Medium, Impact: Medium, Severity: High
The project might be going in one direction while a team member wants it to go in a different direction.
Mitigation Strategy: Keep everyone on track with the project; try to fit priorities into the project.

Money/Funds
Probability: Medium, Impact: High, Severity: High
Money can be a risk that puts the project on hold or stops it altogether.
Mitigation Strategy: Find sources of funding before starting the project.

Not able to acquire resources
Probability: Low, Impact: High, Severity: High
Some resources may not be acquirable or may be out of stock.
Mitigation Strategy: Make sure to have a backup resource site from which to acquire the same resources.

Loss of enthusiasm
Probability: Low, Impact: Medium, Severity: Medium
Team members may hit a rough spot if something goes wrong and may want to stop.
Mitigation Strategy: Push the team to move through the problem and find a solution.

Loss of team support
Probability: Low, Impact: High, Severity: Medium
Members of the team may start objecting to the ideas of the project manager if they falter.
Mitigation Strategy: Put into position a team member that is likely to do well as the project manager.

Team change
Probability: Medium, Impact: High, Severity: Low
Something that can and cannot be controlled; team members move.
Mitigation Strategy: Understand the team and what their timing

Change of project scope
Probability: Low, Impact: High, Severity: Medium
This can be caused by the project hitting a road block or by a client decision to change.
Mitigation Strategy:

Time
Probability: High, Impact: Medium, Severity: Medium
Time is always a risk factor; most projects never meet the initial deadline.
Mitigation Strategy: Planning is the best way to stay on track, as well as a great team.

Section 10 Project Schedule

For this project to succeed, our team will create a plan with guidelines so that we meet the milestones and deadlines. The important aspects of our plan are as follows: estimate the cost of all our materials, acquire the resources, set up the server, program the sensor board to use the devices, and hold continual group meetings. We have also planned for extra time, for example for extra research if it is needed for the more difficult parts of the project. See below for the overall plan layout.

Section 11 Project Facilities and Resources

| Resource | Availability |
|---|---|
| Server | Available |
| Ethernet cables | Need to acquire |
| Cameras | Need to acquire |
| Controller boards | Need to acquire |
| Wire | Need to acquire |
| Motion sensors | Need to acquire |
| Unix OS (Linux or Ubuntu) | Available |
| Storage Room | Need to acquire |

Section 12 Project Budget

The project’s expenses consist of realistic payment to the team members and the cost of materials to build the physical security system. The prices will vary as our team constantly finds better or cheaper options that provide a good security system. The budget was developed based on what materials were needed to design a physically secure room.

Phase 1: Acquire Materials, 48 hours of labor
Phase 2: Program Sensor, 64 hours of labor
Phase 3: Setup Server, 56 hours of labor

Equipment and Facilities

This is the equipment we will need to build and design our physical and computer security system. Parts and prices will vary as our team continues to implement the best technology available to us.

| Item | Amount | Cost |
|---|---|---|
| Cameras with motion sensors | 4 | $30 |
| Server | 1 | Provided |
| Snort | 1 | Free |
| Honeypot | 1 | Free |
| Ethernet cables | 3 | Provided |
| Controller board | 1 | $- |

Operating Costs

This includes an ideal charge of what our team, per person, would charge per hour to build, design and set up a secure server and room. The total cost of our labor will vary depending on how smoothly the install goes. Our team will pay each person hourly at a rate of $30 an hour.

| Item | Hours | Rate | Cost |
|---|---|---|---|
| Acquire Materials | 48 | 30 | 900 |
| Program Sensor Board | 64 | 30 | 1920 |
| Setup Server | 56 | 30 | 1680 |

Section 13 Promotion and Communication

To promote our project, our team will have a booth to showcase and demo our finished project specs.
It will consist of a live demonstration of how the server is monitored and how our security system works in combination to prevent an unauthorized user from accessing the server.

As for communication, we will document all our meetings, internal and external, and provide meeting agendas and plans for every meeting. All necessary steps leading up to a meeting with stakeholders and sponsors will be taken, such as booking a conference room and bringing refreshments. Our group will keep a log journal of our objectives, methods, successes and failures for the week. It will be updated by every member to ensure that the project, its objectives and its obstacles are understood by all, and that everyone can contribute ideas for a solution if an obstacle arises.

Section 14 Intellectual Property

The intellectual property will be the property of the group. Each group member will have the right to the intellectual property that they propose and design. Other group members, who did not research and/or design that part of the project, must ask the member who did the research and/or design for permission to use it. Depending on our sponsor, they may have some right to the property as well.

Section 15 Offer and Approvals

In this charter we have made some offers that will be the outcome of our project. Signing it confirms that you approve of our project and allows our team to help you become a more secure company with our implementation.

Offer

Security TEK would like to offer our services to small businesses that do not have security implemented and give them better security than what they started with. To help protect the servers, there are a few things we are offering out of this project:
1. Cost effective physical security system for a small server room in your small business.
2. Manual for the administrator on how to use the system.
3. Demonstration and presentation of the implemented security.
4. Final report that includes what was done and meeting minutes throughout the project.

Approvals

In order to implement a security system that will optimize security in your server room, and to approve our low budget cost, your approval for this project is needed. Approval is needed for:
1. Adding security server to your network.
2. Implementation of physical security devices in server room.
3. Gantt Chart
4. Budget

Project Charter Signoff

| | Name | Signature | Date |
|---|---|---|---|
| Offering | David Sutherland | | |
| Offering | Jason Mah | | |
| Offering | Chau Pham | | |
| Approval | Colin Chamberlain | | |