security assessment and recommendations for quality web...

Running head: SECURITY ASSESSMENT AND RECOMMENDATIONS 1

Security Assessment and Recommendations for Quality Web Design Mike Mateja

October 9, 2011

Submitted to: Dean Farwood

SE571 Principles of Information Security and Privacy Keller Graduate School of Management

SECURITY ASSESSMENT AND RECOMMENDATIONS 2

Table of Contents

Executive Summary ............................................................................................ 3

Company Overview............................................................................................. 4

Security Vulnerabilities ....................................................................................... 4

Hardware Vulnerability: Unrestrained Components .................................................................. 4

Software Vulnerability: Unsecure Wireless Access Points .......................................................... 6

Recommended Security Solutions ....................................................................... 7

Hardware Solution: Physical Restraints ...................................................................................... 7

Impact: Hardware Solution ..................................................................................................... 8

Budget: Hardware Solution ..................................................................................................... 9

Software Solution: Configuring the Wireless access points for security ................................... 10

Impact: Software Solution ..................................................................................................... 11

Budget: Software Solution .................................................................................................... 11

Summary .......................................................................................................... 12

References ........................................................................................................ 13


Executive Summary

Quality Web Design (QWD) is an enterprise company that can provide a website for any

business. This paper is the first of two phases for my SE571 Principles of Information Security

and Privacy course project which will identify and explain vulnerabilities found at Quality Web

Design. First, this report will discuss the hardware vulnerability of an unrestrained component.

Second, the software vulnerability of an unsecured wireless access point. This report will

conclude with recommended solutions for each of the vulnerability. Included in the

recommendation will be an estimated budget and implementation plan as well as a discussion

of the impact each solution will have on the business processes.


Company Overview

Quality Web Design (QWD) is web design company that focuses on a high quality and an

innovative product to immerse the user in an intuitive interface to give the content of any

business a graphical high five. Tackling customers around the globe, Quality Web Design is

culturally aware of their audiences’ digital expectations. QWD separates themselves from the

other web designers by using every client as an opportunity to research and develop new

technology to add to their repository.

Security Vulnerabilities

Hardware Vulnerability: Unrestrained Components

Any unrestrained component is a hardware vulnerability to Quality Web Design. All of

the hardware that makes up Quality Web Design’s physical network, workstations and servers

needs to be physically restrained. The computer components located at both QWD’s corporate

and remote offices are quite expensive. A quick search online proves that these type of

computer components can be sold used online at a great profit. One item for example, the

firewall located in the corporate office is priced at $25,333. This Juniper ISG200 firewall also

only weighs 52 pounds (Amazon, 2011). This makes the firewall an expensive and light piece of

hardware that a thief could easily walk off with. The ease of removal and the great value of the

firewall provide motivation to be concerned about the physical theft of our computer

components. Our servers, desktops and laptops may not be as expensive to replace but they

contain a great deal of digital value. Also, they are light enough to be physically removed by an

employee without the help of a hand truck. This is a threat that luckily has not yet been

exploited against QWD.


The likelihood that the threat of theft will occur is very high. Kensington Computer

Group reports that “91% of U.S. organizations surveyed have experienced a laptop theft”

(Kensington Computer Group, 2011, para. 3). Just about half of these thefts occur in the office

(Kensington Computer Group, 2011). This is mainly due to the highly competitive market, large

quantity of telecommuters and QWD’s decentralized control. In the highly competitive market

of web design, the edge that QWD has due to their proprietary images and custom templates

could motivate competitors to steal this information. QWD needs to be prepared for a physical

attack as well as their firewall protects from a digital attack. The telecommuting culture of QWD

could also provide an opportunity for a physical theft. Several employees working a variety of

different schedules could allow for an opportunistic attack when the corporate and remote

offices are empty. Finally, the organizational culture of most technological companies has

directed corporate officers to choose a decentralized control style of management. A

decentralized management control gives more decision power to employees. I think the

adoption of diverse management techniques could lead to a less interrogative culture. This

means that a resourceful thief could successfully use social engineering techniques to get away

with his crime without being questioned.

The consequences to QWD’s mission critical business processes should theft of physical

hardware occur would be dependent upon the technology lost. The theft of a desktop or laptop

workstation would result in a nominal cost to replace and downtime for a QWD employee.

However the theft of any one server could cost the company a great deal of time, money and

business. The organization’s competitive edge would be dependent upon the theft as well. A


component can be replaced but the data lost from within the component could greatly dull

QWD’s competitive edge.

Software Vulnerability: Unsecure Wireless Access Points

An unsecured wireless access point is a software vulnerability to QWD. An unsecured

wireless access point can allow unauthorized access to QWD’s corporate and remote networks.

An unsecure access point means that anyone can connect to the company’s network without

authorization. This connection would enable an unauthorized user to access our internet

connection. Multiple “hitchhikers” on our network can lead to a loss of bandwidth and the

denial of service to QWD employees. Even more serious, an unauthorized user with access on

our network would have access to our data. A malicious unauthorized user could even cause

the loss or manipulation of data. An unsecure wireless access point also threatens our data’s

confidentiality due to a lack of encryption. A lack of data encryption on a wireless access point

means that data retrieved or sent over this connection is in plaintext. Plaintext can be read by

anyone whom is on the network.

The likelihood that the threat of unauthorized access will occur is very high, considering

the amount of web enabled portable Wi-Fi devices currently available on the market. In an

article by Narain, she states that “by 2014, there will be an installed base of 2.6 billion Wi-Fi

enabled consumer devices across the globe” (Narain, 2010, para1). For example smart phones,

tablet pc’s, laptops and MP3 players can all connect and actively search for wireless access

points. This leads me to believe that there is a good chance that the general public or

neighboring businesses around QWD’s corporate and remote offices would inadvertently

connect to the QWD private network.


One consequence to mission critical business processes should a non-user gain

unauthorized access to the QWD network would be a slow in performance and production time

due to a loss of bandwidth. Another consequence would be the possible unavailability of

network assets such as access to the data repository or the ability to process timesheets due to

the increased network traffic. QWD’s competitive edge will strongly be affected should

unauthorized access to the QWD network occur. The increased network traffic causing a lull in

production could cost QWD business in their competitive market. In addition if this vulnerability

were to be exploited maliciously, with the injection of a virus, the threat of unauthorized access

to the QWD network could end up becoming the cause for leaked or manipulated data.

Recommended Security Solutions

Hardware Solution: Physical Restraints

In order to block the threat of physical theft of our computer components, it is

necessary to restrain them to our brick and mortar location. “Only 3% of lost or stolen laptops

are recovered” (Kensington, 2011). The controls recommended to elevate this threat are

Kensington locking kits. Kensington

Development Group provides various locking kits

to secure desktop computers, network

components and laptops to their environment,

reducing the ease of removing small items from

their location. A locking kit contains a steel

cable, lock and fasteners which will lock the Figure 1 Rear view of installed desktop and peripherals locking kit. (Kensington Development Group, 2011)


computer component into place. Figure 1 shows an installed Locking kit.

Each desktop and network component will be fastened to it surrounding environment

with one Desktop and Peripherals Locking Kit. Each kit can accommodate locking down a CPU,

monitor, keyboard and mouse. The locks for these kits can be ordered to be keyed alike. Two

separate orders will need to be placed so that the corporate offices key is unique from the

remote offices key.

Laptops will be fastened in a similar fashion but with

different hardware. A Portable Combination Laptop Lock

will be used to restrain all of QWD’s laptops. This steel

cable restraint has a combination lock that is fastened to

the laptops K-slot. This type of lock is portable because it

can be fastened and unfastened quickly (Kensington, 2011).

Figure 2 shows an installed laptop lock.

Impact: Hardware Solution

The daily business processes should not change due to the hardware restraint solution.

The desktop computers will be located in the same positions and will function as they were

before the restraint installation. A potential positive effect on the business processes is that

QWD can be ensured the computer components will remain accounted for. The IT department

will definitely be effected by this solution. After IT installs the locks, the time it takes to service

each component will be longer due the added security of the lock. However the users will be

impacted by the decision to use the portable combination laptop locks. This type of lock is

Figure 2 Portable combination laptop lock in use. (Kensington, 2011)


designed to be portable but it will require the user to use it for it to retain its effectiveness. An

employee could be tempted to not use the lock in lieu of saving time. One method to counter

an employee’s decision to not use the lock is to educate them on the importance of fastening

the computer in just a few minutes rather than all of the potential physical and data losses that

could occur from the theft of a laptop.

Budget: Hardware Solution

The Kensington computer restraint devices will directly address the threat of theft by

ensuring that our hardware cannot be easily removed from our offices. Anchoring QWD’s light

and costly items to heavier office equipment like desks and cabinets will deter an opportunistic

thief. Figure 3 lists the products and prices of all the physical restraints for the corporate office.

Cost for Physical Security in the Corporate Office

Quantity Product Model # Feature Cost Extended Cost

15 Desktop and Peripherals Locking Kit

K64665US Physical restraints for All desktops and monitors

$ 34.99 $ 524.85

35 Portable Combination Laptop Lock

K64670US Portable physical restraint for All Laptops

$ 24.99 $ 874.65


K64665US Physical restraints for All network components

$ 34.99 $ 734.79

Total $ 2,134.29

Figure 3 Cost breakdown for corporate office computer restraints. (Kensington, 2011)

Figure 4 lists the products and prices of all the physical restraints for one the remote

office. For both instances, installation can be done in-house by our IT team. Installations of the

locking kits require no extra tool and can be installed while the system is running. The

implementation of the locking kits will take two weeks. During the first week, the network


components will be done, along with the securing of the desktops. The second week will deal

with a training program that will inform all of QWD’s employees on the dangers of leaving their

laptop unsecured as well as instructions on how to use the laptop restraint and how to select a

proper combination lock number.

Cost for Physical Security in the Remote Office

Quantity Product Model # Feature Cost Extended Cost


K64665US Physical restraints for All desktops and monitors

34.99 174.95

15 Portable Combination Laptop Lock

K64670US Portable physical restraint for All Laptops

24.99 374.85


K64665US Physical restraints for All network components

34.99 384.89

Total $ 934.69

Figure 4-Cost breakdown for remote office computer restraints. (Kensington, 2011)

Software Solution: Configuring the Wireless access points for security

The recommended method to best secure QWD’s wireless access points are to ensure it

is configured for security. There are three parts to the recommended configuration. Access to

the wireless network should be limited to only company owned devices. This can be enforced

with static IP filtering and Mac address filtering. It is also recommended to encrypt

communication that takes place over this network. Configuring the QWD network using WPA

with PEAP-MS-CHAPv2 is one of the “most effective secure implementation supported by

current versions of Windows–based clients” (Microsoft, 2011). Using a static IP address filter

and Mac address filtering reduces the amount of devices that can connect to the network.

When a device attempt to connect the firewall verified that the requesting IP and Mac address


match a list of authorized users. Using the WPA with PEAP-MS-CHAPv2 protocol ensure that

communication in the wireless network is encrypted. This prevents someone from sniffing the

signal and gleaming passwords and data. Static IP filtering, Mac address filtering and the WPA

protocols are already features of QWD’s HP E-MSM410 Access Point (Hewlett-Packard

Development Company, 2011). This means that the only need is to be configured.

Impact: Software Solution

One positive impact that configuring the wireless network for Static IP filtering, Mac address

filtering and the WPA protocols will have on QWD’s business processes is an increased level of

controls over QWD’s proprietary data. QWD’s network can potentially run more efficiently by

removing unauthorized traffic. Any employee whom used their personal computer devices to

do their work will feel a negative impact from these software configuration changes. These

changes that are recommended would restrict any personal device from being used. A second

impact felt by the employees of QWD during the time when the changes take place. The IT

department will need to acquire the Mac address from each device and disrupt its wireless

connection. This might inconvenience the users but only for a short period of time.

Budget: Software Solution

Since QWD already has the all of the necessary equipment for a wireless network, no

additional material costs will be incurred. The IT department can make all of the recommended

changes after they have a complete list of Mac address and have assigned static IP to all

wireless components. Implementation should take three weeks. Planning will take place during

the first week. The IT team needs to decide on the range of IP address to use. During week two,

Mac addresses from the wireless devices will need to be attained, logged and listed for


comparison when the device attempt to connect. The third week will consist of adding the WPA

encryption protocols. Since each location has two access points, one will be configured at a

time. This will allow users to still access the unsecure way and not disrupt mission critical

business processes during the transition. The IT team will need to ensure that all users can

connect to the configured access point before transitioning over. After the configurations have

been made and transitioned over to the new connection, the users will not notice a difference.

They will login and access the network seamlessly as they have done before so there are no

additional training or maintenance issues to discuss.

Summary

My SE571 Principles of Information Security and Privacy course project has identified

the hardware vulnerability of an unrestrained component and the software vulnerability of an

unsecured wireless access point for Quality Web Design. I have also explained the assets

associated with each of the vulnerabilities as well as provided documented proof of the threats

and likelihood that they would occur. This report also defines solutions for both vulnerabilities.

The solutions have been explained in terms of an expected cost, implementation and impact on

mission critical business processes and how QWD’s competitive edge would be affected if each

threat occurred.


References

Amazon.com. (2011). Netscreen-isg 2000 Chassis Adv Fan Module Dual Ac Ps. Retrieved from

http://www.amazon.com/Netscreen-isg-2000-Chassis-Module-

Dual/dp/B000CQM5IM/ref=sr_1_fkmr1_1?s=electronics&ie=UTF8&qid=1318115903&sr

=1-1-fkmr1

Hewlett-Packard Development Company. (2011). HP E-MSM410 Access Point (US). Retrieved

from http://h30094.www3.hp.com/product/sku/10256669/mfg_partno/J9426B

Kensington Computer Group. (2011). Security Solutions for Enterprise. Retrieved from

http://www.kensington.com/kensington/us/us/s/1646/increase-employee-

compliance.aspx

Microsoft. (2011). Secure Wireless Access Point Configuration. Retrieved from

http://technet.microsoft.com/en-us/library/cc875845.aspx

Narain, D. (2010). Mobile Unified Communications Featured Article. Retrieved from

http://www.tmcnet.com/channels/mobile-unified-communications/articles/95727-

global-wifi-enabled-consumer-device-market-touch-26.htm

security assessment and recommendations for quality web...

Documents