security assessment and recommendations for quality web...
TRANSCRIPT
Running head: SECURITY ASSESSMENT AND RECOMMENDATIONS 1
Security Assessment and Recommendations for Quality Web Design Mike Mateja
October 9, 2011
Submitted to: Dean Farwood
SE571 Principles of Information Security and Privacy Keller Graduate School of Management
SECURITY ASSESSMENT AND RECOMMENDATIONS 2
Table of Contents
Executive Summary ............................................................................................ 3
Company Overview............................................................................................. 4
Security Vulnerabilities ....................................................................................... 4
Hardware Vulnerability: Unrestrained Components .................................................................. 4
Software Vulnerability: Unsecure Wireless Access Points .......................................................... 6
Recommended Security Solutions ....................................................................... 7
Hardware Solution: Physical Restraints ...................................................................................... 7
Impact: Hardware Solution ..................................................................................................... 8
Budget: Hardware Solution ..................................................................................................... 9
Software Solution: Configuring the Wireless access points for security ................................... 10
Impact: Software Solution ..................................................................................................... 11
Budget: Software Solution .................................................................................................... 11
Summary .......................................................................................................... 12
References ........................................................................................................ 13
SECURITY ASSESSMENT AND RECOMMENDATIONS 3
Executive Summary
Quality Web Design (QWD) is an enterprise company that can provide a website for any
business. This paper is the first of two phases for my SE571 Principles of Information Security
and Privacy course project which will identify and explain vulnerabilities found at Quality Web
Design. First, this report will discuss the hardware vulnerability of an unrestrained component.
Second, the software vulnerability of an unsecured wireless access point. This report will
conclude with recommended solutions for each of the vulnerability. Included in the
recommendation will be an estimated budget and implementation plan as well as a discussion
of the impact each solution will have on the business processes.
SECURITY ASSESSMENT AND RECOMMENDATIONS 4
Company Overview
Quality Web Design (QWD) is web design company that focuses on a high quality and an
innovative product to immerse the user in an intuitive interface to give the content of any
business a graphical high five. Tackling customers around the globe, Quality Web Design is
culturally aware of their audiences’ digital expectations. QWD separates themselves from the
other web designers by using every client as an opportunity to research and develop new
technology to add to their repository.
Security Vulnerabilities
Hardware Vulnerability: Unrestrained Components
Any unrestrained component is a hardware vulnerability to Quality Web Design. All of
the hardware that makes up Quality Web Design’s physical network, workstations and servers
needs to be physically restrained. The computer components located at both QWD’s corporate
and remote offices are quite expensive. A quick search online proves that these type of
computer components can be sold used online at a great profit. One item for example, the
firewall located in the corporate office is priced at $25,333. This Juniper ISG200 firewall also
only weighs 52 pounds (Amazon, 2011). This makes the firewall an expensive and light piece of
hardware that a thief could easily walk off with. The ease of removal and the great value of the
firewall provide motivation to be concerned about the physical theft of our computer
components. Our servers, desktops and laptops may not be as expensive to replace but they
contain a great deal of digital value. Also, they are light enough to be physically removed by an
employee without the help of a hand truck. This is a threat that luckily has not yet been
exploited against QWD.
SECURITY ASSESSMENT AND RECOMMENDATIONS 5
The likelihood that the threat of theft will occur is very high. Kensington Computer
Group reports that “91% of U.S. organizations surveyed have experienced a laptop theft”
(Kensington Computer Group, 2011, para. 3). Just about half of these thefts occur in the office
(Kensington Computer Group, 2011). This is mainly due to the highly competitive market, large
quantity of telecommuters and QWD’s decentralized control. In the highly competitive market
of web design, the edge that QWD has due to their proprietary images and custom templates
could motivate competitors to steal this information. QWD needs to be prepared for a physical
attack as well as their firewall protects from a digital attack. The telecommuting culture of QWD
could also provide an opportunity for a physical theft. Several employees working a variety of
different schedules could allow for an opportunistic attack when the corporate and remote
offices are empty. Finally, the organizational culture of most technological companies has
directed corporate officers to choose a decentralized control style of management. A
decentralized management control gives more decision power to employees. I think the
adoption of diverse management techniques could lead to a less interrogative culture. This
means that a resourceful thief could successfully use social engineering techniques to get away
with his crime without being questioned.
The consequences to QWD’s mission critical business processes should theft of physical
hardware occur would be dependent upon the technology lost. The theft of a desktop or laptop
workstation would result in a nominal cost to replace and downtime for a QWD employee.
However the theft of any one server could cost the company a great deal of time, money and
business. The organization’s competitive edge would be dependent upon the theft as well. A
SECURITY ASSESSMENT AND RECOMMENDATIONS 6
component can be replaced but the data lost from within the component could greatly dull
QWD’s competitive edge.
Software Vulnerability: Unsecure Wireless Access Points
An unsecured wireless access point is a software vulnerability to QWD. An unsecured
wireless access point can allow unauthorized access to QWD’s corporate and remote networks.
An unsecure access point means that anyone can connect to the company’s network without
authorization. This connection would enable an unauthorized user to access our internet
connection. Multiple “hitchhikers” on our network can lead to a loss of bandwidth and the
denial of service to QWD employees. Even more serious, an unauthorized user with access on
our network would have access to our data. A malicious unauthorized user could even cause
the loss or manipulation of data. An unsecure wireless access point also threatens our data’s
confidentiality due to a lack of encryption. A lack of data encryption on a wireless access point
means that data retrieved or sent over this connection is in plaintext. Plaintext can be read by
anyone whom is on the network.
The likelihood that the threat of unauthorized access will occur is very high, considering
the amount of web enabled portable Wi-Fi devices currently available on the market. In an
article by Narain, she states that “by 2014, there will be an installed base of 2.6 billion Wi-Fi
enabled consumer devices across the globe” (Narain, 2010, para1). For example smart phones,
tablet pc’s, laptops and MP3 players can all connect and actively search for wireless access
points. This leads me to believe that there is a good chance that the general public or
neighboring businesses around QWD’s corporate and remote offices would inadvertently
connect to the QWD private network.
SECURITY ASSESSMENT AND RECOMMENDATIONS 7
One consequence to mission critical business processes should a non-user gain
unauthorized access to the QWD network would be a slow in performance and production time
due to a loss of bandwidth. Another consequence would be the possible unavailability of
network assets such as access to the data repository or the ability to process timesheets due to
the increased network traffic. QWD’s competitive edge will strongly be affected should
unauthorized access to the QWD network occur. The increased network traffic causing a lull in
production could cost QWD business in their competitive market. In addition if this vulnerability
were to be exploited maliciously, with the injection of a virus, the threat of unauthorized access
to the QWD network could end up becoming the cause for leaked or manipulated data.
Recommended Security Solutions
Hardware Solution: Physical Restraints
In order to block the threat of physical theft of our computer components, it is
necessary to restrain them to our brick and mortar location. “Only 3% of lost or stolen laptops
are recovered” (Kensington, 2011). The controls recommended to elevate this threat are
Kensington locking kits. Kensington
Development Group provides various locking kits
to secure desktop computers, network
components and laptops to their environment,
reducing the ease of removing small items from
their location. A locking kit contains a steel
cable, lock and fasteners which will lock the Figure 1 Rear view of installed desktop and peripherals locking kit. (Kensington Development Group, 2011)
SECURITY ASSESSMENT AND RECOMMENDATIONS 8
computer component into place. Figure 1 shows an installed Locking kit.
Each desktop and network component will be fastened to it surrounding environment
with one Desktop and Peripherals Locking Kit. Each kit can accommodate locking down a CPU,
monitor, keyboard and mouse. The locks for these kits can be ordered to be keyed alike. Two
separate orders will need to be placed so that the corporate offices key is unique from the
remote offices key.
Laptops will be fastened in a similar fashion but with
different hardware. A Portable Combination Laptop Lock
will be used to restrain all of QWD’s laptops. This steel
cable restraint has a combination lock that is fastened to
the laptops K-slot. This type of lock is portable because it
can be fastened and unfastened quickly (Kensington, 2011).
Figure 2 shows an installed laptop lock.
Impact: Hardware Solution
The daily business processes should not change due to the hardware restraint solution.
The desktop computers will be located in the same positions and will function as they were
before the restraint installation. A potential positive effect on the business processes is that
QWD can be ensured the computer components will remain accounted for. The IT department
will definitely be effected by this solution. After IT installs the locks, the time it takes to service
each component will be longer due the added security of the lock. However the users will be
impacted by the decision to use the portable combination laptop locks. This type of lock is
Figure 2 Portable combination laptop lock in use. (Kensington, 2011)
SECURITY ASSESSMENT AND RECOMMENDATIONS 9
designed to be portable but it will require the user to use it for it to retain its effectiveness. An
employee could be tempted to not use the lock in lieu of saving time. One method to counter
an employee’s decision to not use the lock is to educate them on the importance of fastening
the computer in just a few minutes rather than all of the potential physical and data losses that
could occur from the theft of a laptop.
Budget: Hardware Solution
The Kensington computer restraint devices will directly address the threat of theft by
ensuring that our hardware cannot be easily removed from our offices. Anchoring QWD’s light
and costly items to heavier office equipment like desks and cabinets will deter an opportunistic
thief. Figure 3 lists the products and prices of all the physical restraints for the corporate office.
Cost for Physical Security in the Corporate Office
Quantity Product Model # Feature Cost Extended Cost
15 Desktop and Peripherals Locking Kit
K64665US Physical restraints for All desktops and monitors
$ 34.99 $ 524.85
35 Portable Combination Laptop Lock
K64670US Portable physical restraint for All Laptops
$ 24.99 $ 874.65
21 Desktop and Peripherals Locking Kit
K64665US Physical restraints for All network components
$ 34.99 $ 734.79
Total $ 2,134.29
Figure 3 Cost breakdown for corporate office computer restraints. (Kensington, 2011)
Figure 4 lists the products and prices of all the physical restraints for one the remote
office. For both instances, installation can be done in-house by our IT team. Installations of the
locking kits require no extra tool and can be installed while the system is running. The
implementation of the locking kits will take two weeks. During the first week, the network
SECURITY ASSESSMENT AND RECOMMENDATIONS 10
components will be done, along with the securing of the desktops. The second week will deal
with a training program that will inform all of QWD’s employees on the dangers of leaving their
laptop unsecured as well as instructions on how to use the laptop restraint and how to select a
proper combination lock number.
Cost for Physical Security in the Remote Office
Quantity Product Model # Feature Cost Extended Cost
5 Desktop and Peripherals Locking Kit
K64665US Physical restraints for All desktops and monitors
34.99 174.95
15 Portable Combination Laptop Lock
K64670US Portable physical restraint for All Laptops
24.99 374.85
11 Desktop and Peripherals Locking Kit
K64665US Physical restraints for All network components
34.99 384.89
Total $ 934.69
Figure 4-Cost breakdown for remote office computer restraints. (Kensington, 2011)
Software Solution: Configuring the Wireless access points for security
The recommended method to best secure QWD’s wireless access points are to ensure it
is configured for security. There are three parts to the recommended configuration. Access to
the wireless network should be limited to only company owned devices. This can be enforced
with static IP filtering and Mac address filtering. It is also recommended to encrypt
communication that takes place over this network. Configuring the QWD network using WPA
with PEAP-MS-CHAPv2 is one of the “most effective secure implementation supported by
current versions of Windows–based clients” (Microsoft, 2011). Using a static IP address filter
and Mac address filtering reduces the amount of devices that can connect to the network.
When a device attempt to connect the firewall verified that the requesting IP and Mac address
SECURITY ASSESSMENT AND RECOMMENDATIONS 11
match a list of authorized users. Using the WPA with PEAP-MS-CHAPv2 protocol ensure that
communication in the wireless network is encrypted. This prevents someone from sniffing the
signal and gleaming passwords and data. Static IP filtering, Mac address filtering and the WPA
protocols are already features of QWD’s HP E-MSM410 Access Point (Hewlett-Packard
Development Company, 2011). This means that the only need is to be configured.
Impact: Software Solution
One positive impact that configuring the wireless network for Static IP filtering, Mac address
filtering and the WPA protocols will have on QWD’s business processes is an increased level of
controls over QWD’s proprietary data. QWD’s network can potentially run more efficiently by
removing unauthorized traffic. Any employee whom used their personal computer devices to
do their work will feel a negative impact from these software configuration changes. These
changes that are recommended would restrict any personal device from being used. A second
impact felt by the employees of QWD during the time when the changes take place. The IT
department will need to acquire the Mac address from each device and disrupt its wireless
connection. This might inconvenience the users but only for a short period of time.
Budget: Software Solution
Since QWD already has the all of the necessary equipment for a wireless network, no
additional material costs will be incurred. The IT department can make all of the recommended
changes after they have a complete list of Mac address and have assigned static IP to all
wireless components. Implementation should take three weeks. Planning will take place during
the first week. The IT team needs to decide on the range of IP address to use. During week two,
Mac addresses from the wireless devices will need to be attained, logged and listed for
SECURITY ASSESSMENT AND RECOMMENDATIONS 12
comparison when the device attempt to connect. The third week will consist of adding the WPA
encryption protocols. Since each location has two access points, one will be configured at a
time. This will allow users to still access the unsecure way and not disrupt mission critical
business processes during the transition. The IT team will need to ensure that all users can
connect to the configured access point before transitioning over. After the configurations have
been made and transitioned over to the new connection, the users will not notice a difference.
They will login and access the network seamlessly as they have done before so there are no
additional training or maintenance issues to discuss.
Summary
My SE571 Principles of Information Security and Privacy course project has identified
the hardware vulnerability of an unrestrained component and the software vulnerability of an
unsecured wireless access point for Quality Web Design. I have also explained the assets
associated with each of the vulnerabilities as well as provided documented proof of the threats
and likelihood that they would occur. This report also defines solutions for both vulnerabilities.
The solutions have been explained in terms of an expected cost, implementation and impact on
mission critical business processes and how QWD’s competitive edge would be affected if each
threat occurred.
SECURITY ASSESSMENT AND RECOMMENDATIONS 13
References
Amazon.com. (2011). Netscreen-isg 2000 Chassis Adv Fan Module Dual Ac Ps. Retrieved from
http://www.amazon.com/Netscreen-isg-2000-Chassis-Module-
Dual/dp/B000CQM5IM/ref=sr_1_fkmr1_1?s=electronics&ie=UTF8&qid=1318115903&sr
=1-1-fkmr1
Hewlett-Packard Development Company. (2011). HP E-MSM410 Access Point (US). Retrieved
from http://h30094.www3.hp.com/product/sku/10256669/mfg_partno/J9426B
Kensington Computer Group. (2011). Security Solutions for Enterprise. Retrieved from
http://www.kensington.com/kensington/us/us/s/1646/increase-employee-
compliance.aspx
Microsoft. (2011). Secure Wireless Access Point Configuration. Retrieved from
http://technet.microsoft.com/en-us/library/cc875845.aspx
Narain, D. (2010). Mobile Unified Communications Featured Article. Retrieved from
http://www.tmcnet.com/channels/mobile-unified-communications/articles/95727-
global-wifi-enabled-consumer-device-market-touch-26.htm