This paper examines the enterprise security management practices of Cincom Systems, a global enterprise software provider serving defense contractors in the United States, United Kingdom, France, and Australia. Drawing on firsthand internship experience, the paper explains how Cincom implements the Confidentiality, Integrity, and Availability (CIA) triad alongside a Role-Based Access Control (RBAC) model to meet stringent Department of Defense audit requirements. It also describes formal and informal security policies, the primary threats faced by the company — including sophisticated phishing and network impersonation attacks — and how Cincom uses HP's Mercury Interactive suite and Network Management Center to monitor and respond to security incidents in real time.
Cincom Systems is a global leader in the development, implementation, and service of enterprise software specifically designed for the needs of complex manufacturers. Its security and ethics policies reflect the company's long-standing customer relationships with defense contractors in the United States, the United Kingdom, France, and Australia. Each of these nations uses Cincom's software to manage their complex defense systems. As a result of these trust-based relationships, Cincom must adhere to very stringent requirements for data and information security.
The intent of this analysis is to explain how Cincom Systems used the Confidentiality, Integrity, and Availability (CIA) triad to better manage security requirements, and to define the formal and informal security policies the company has in place. Much of the information shared in this paper was drawn from the author's experience as an intern at the company for two years, specifically during summer and winter breaks. The paper also discusses the main information security threats, how information security is managed, how Cincom monitors computer and online usage, and the restrictions on access to company data.
The Cincom security platform is predicated on the CIA triad of Confidentiality, Integrity, and Availability, and formal, audit-based procedures are in place for gaining access to specific information assets based on this model. Many aspects of the company's security strategy became clear to the author during two years as an intern in its IT and marketing services organization. The CIA triad model is supported through a series of role-based user and data taxonomies that define specific data sets, fields, and, in the case of transaction systems, specific records and customer data (Bertino & Sandhu, 2005).
The CIA model is also used to manage the reporting analytics and metrics that drive overall security strategies. These metrics are provided to the U.S. Department of Defense as part of annual audits, as well as to defense agencies in the UK, France, and Australia. The audits conducted to ensure Department of Defense (DoD) compliance require that servers for government projects be physically located in a completely separate section of the computer room, with distinct security processes and procedures governing access.
Consistent with the CIA model, Cincom has aligned its CIA framework to the strategic IT plan and the overall strategic plan of the entire enterprise. One of the most challenging aspects of using the CIA triad is ensuring sufficient agility in the business model to achieve strategic goals while maintaining the security infrastructure and frameworks needed to protect information assets (Knapp, Marshall, Rainer, & Ford, 2006).
Cincom has adopted the CIA triad in conjunction with the Role-Based Access Control (RBAC) model (Bertino & Sandhu, 2005), as the audit and security requirements of the U.S. Department of Defense and foreign ministries of defense require a high level of auditability, visibility, and verifiability of activity within each database and across the entire IT system landscape. The RBAC model was adopted specifically to allow greater agility in global software development, testing, and sales efforts while ensuring a hardened and secure IT infrastructure. The CIA triad is specifically designed to provide enterprises with the flexibility needed to achieve these strategic objectives (Knapp, Marshall, Rainer, & Ford, 2006). Cincom has built compliance into its IT strategic plan with specific focus on attaining the shared objectives of confidentiality, integrity, and availability of data, while also ensuring its authenticity — verified every six months or more by the government agencies whose projects Cincom supports.
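The role-based taxonomies described above (roles scoped to data sets, fields, and records) and the requirement that every access be auditable can be illustrated as follows. This is an added example, not Cincom's code; all role, user, data set, and field names and the sample records are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Grant:
    dataset: str
    fields: frozenset              # fields the role may read in this data set
    program: Optional[str] = None  # record scope: None means every record

# Hypothetical role taxonomy: role -> grants (data set, fields, record scope).
ROLES = {
    "marketing_intern": [Grant("customers", frozenset({"name", "region"}))],
    "dod_program_admin": [
        Grant("contracts", frozenset({"id", "program", "value"}), program="DOD-A")],
}
USER_ROLES = {"alice": ["marketing_intern"], "bob": ["dod_program_admin"]}
AUDIT_LOG = []  # append-only trail: one entry per access decision

# Constructed sample records.
CONTRACT_A = {"id": 1, "program": "DOD-A", "value": 500000, "bank_routing": "000000000"}
CONTRACT_B = {"id": 2, "program": "MOD-UK", "value": 750000, "bank_routing": "000000000"}
CUSTOMER = {"id": 7, "name": "Example Mfg", "region": "APAC", "credit_limit": 10000}

def read(user, dataset, record, wanted):
    """Return the permitted subset of `record`, or None if nothing is permitted."""
    allowed = set()
    for role in USER_ROLES.get(user, []):
        for g in ROLES.get(role, []):
            in_scope = g.program is None or record.get("program") == g.program
            if g.dataset == dataset and in_scope:
                allowed |= g.fields
    granted = sorted(allowed & set(wanted))
    denied = sorted(set(wanted) - allowed)
    # Log every decision, including denials, so an auditor can replay activity.
    AUDIT_LOG.append({"user": user, "dataset": dataset, "record": record.get("id"),
                      "granted": granted, "denied": denied})
    if not granted:  # deny by default: unknown user, role, data set or record
        return None
    return {f: record[f] for f in granted if f in record}

if __name__ == "__main__":
    print(read("bob", "contracts", CONTRACT_A, ["value", "bank_routing"]))
    print(read("bob", "contracts", CONTRACT_B, ["value"]))
    print(read("alice", "customers", CUSTOMER, ["name", "credit_limit"]))
    for entry in AUDIT_LOG:
        print(entry)
```

Denied requests are logged alongside granted ones, which is what lets a reviewer verify activity per database rather than only successful reads.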
The formal and informal security policies in place at Cincom vary significantly across divisions. For those divisions actively involved in projects and programs with the U.S. Department of Defense and related foreign ministries, requirements are very stringent down to the server level. There is a substantially greater level of auditing and monitoring with regard to network connections, which cannot be used in VPN configurations and have no available Web access. Web server software is prohibited on servers running any type of government project.
The main threats the company faces include competitors attempting to bypass the firewall and access the contract management system, the use of phishing attacks on executives to gain access to corporate bank accounts, and the persistent impersonation of Virtual Private Network (VPN) sessions. The majority of these threats are relatively straightforward to stop. However, a more sophisticated attack — carried out by India-based actors who attempted to emulate the entire Cincom intranet and lure executives into initiating wire transfers — was exceptional in its depth.
The goal of this attack was to get executives to log into a fake version of the Cintranet portal from their remote offices, thereby capturing bank routing numbers and passwords and intercepting bank transfers between Cincom's global subsidiaries and the home office. The scheme was discovered within the control center in Cincinnati, where an HP Mercury Interactive application evaluated risks and monitored overall traffic flows. An entire series of bank transfer requests originating from Australia was hijacked in under a second and routed to India, where the attackers attempted to decode the packets and redirect funds to a small bank in Mumbai. The Mercury Interactive application captured the entire scheme, including the IP address and probable physical location of the attackers, and froze all accounts in real time. This incident occurred at 2:00 a.m. on a Sunday, Cincinnati time.
After an intensive investigation, it was determined that a former general manager of Cincom India had perpetrated the scheme and had hired a team of programmers to create the shadow intranet site so that Australian executives would not suspect anything unusual.
Information security is managed at Cincom through a variety of techniques, including hardware- and software-based firewalls. Network monitoring is based on an aggregated measure of overall load times by system and network connection, and the availability of bandwidth across each of the ten networks supporting seven global offices. A control center at the company's world headquarters in Cincinnati, Ohio displays overall performance levels, including security threats, using the Mercury Interactive suite of threat assessment and deterrence applications.