Potential Weaknesses 1

Running head: POTENTIAL WEAKNESSES

Security Assessment and Recommendations

Colleen N. Clarke

Keller Graduate School of Management

Security Assessment and Recommendations

I have been charged with the task of identifying potential security weaknesses and recommending solutions for Quality Web Design (QWD). The project was completed in two phases. The first phase of the project specifically identified and defined two potential security weaknesses: software and policy. The second phase recommends solutions to these potential weaknesses. I chose a scenario that outlines specifics of the organization’s type of business, business processes, assets, services, and security controls.

It is crucial for any organization to take the necessary steps to secure its business assets and its customers’ data. Furthermore, it is also important for these security measures to be effective and thoroughly planned. It is equally important, in this interconnected and high-tech world, for corporations to have and enforce an effective corporate security policy, because there are both internal and external threats (Symantec Corporation, 1995-2010).

Company Overview

Based on the scenario given, Quality Web Design is an IT corporation, with approximately 50-100 employees, offering top quality web design services for their customers. In order to appeal to their target audience and enhance services, they offer over 250,000 proprietary images and graphical designs. QWD’s customers can only access their corporate website.

Their business processes include the use of a repository of website templates, custom written scripts, and custom applications. This repository is used to monitor project development and quality assurance testing. Additionally, QWD offers IT support for their accounting, payroll, and marketing operations through the use of their digital assets. They utilize a Wide Area Network (WAN) and an internal Local Area Network (LAN) for their offices.

There are strict technology-based access controls and a published corporate security manual that covers various security practices. Employees at QWD’s corporate and remote offices have access to services that include Virtual Private Network (VPN), Outlook Web email, and Active Sync Exchange server.

Security Vulnerabilities

Listed below are two security vulnerabilities: software and policy. These were identified during my initial assessment of the scenario provided for QWD. These vulnerabilities are significant and should be addressed immediately.

Security Software

Many of QWD’s employees work from remote locations and can access Virtual Private Network (VPN), Outlook Web email, and Active Sync Exchange services. They utilize corporate-owned laptops, desktops, and mobile devices (iPhones and Windows Mobile 6) to remotely access corporate intranet resources.

It is evident, by the scenario’s hardware profile, that the company has hardware-based firewalls in place for network security. It is also evident in the WAN and corporate network diagrams (see Appendix). According to SANS Institute (2006), a VPN connection, in this case, offers secure connectivity between employees’ computers and the corporate network. Furthermore, the VPN connection is there to provide data confidentiality, data integrity, and authentication services (SANS Institute, 2006, pp. 4).

Having said this, it appears that QWD is not protected with firewall software on their employees’ remote computers. This means that these remote computers are not protected from personal attacks from the Internet. According to Beal (2010, pp. 3), “the best protection for your computers and network is to use both” hardware and software firewalls. These attacks include Trojan horses and email worms, and the whole idea of a software firewall is to protect the “computer from outside attempts to control or gain access” to it (Beal, 2010, pp. 3). An intruder can use an employee’s compromised system to gain entry to the corporate network through an open VPN connection. Such an attack, using an open VPN connection, can be detrimental to the company’s business processes, particularly their repository of website templates, custom written scripts, and custom applications; and their accounting, payroll, and marketing operations. An attack on these mission-critical processes can mean a decrease in the organization’s revenue; clients’ personal information being accessed, modified, or even deleted; and even degraded network performance. QWD would lose significant clientele and would not be as appealing to their target audience – not so good for their mission of providing top quality services.

Policy

Reducing the exposure of the corporate network from outside attacks is crucial in protecting mission-critical processes for QWD. The security assessment doesn’t end with software firewalls for their remote users. The company’s security policy must also address this vulnerability.

QWD has a policy in place that speaks to who has access to data and the type of data; username standards; password length, complexity, rotation, and history; and security training. However, their policy doesn’t address remote access devices: installation and configuration of firewall and anti-virus software on all employees’ remote computers and acceptable use. These are critical in preventing remote computers and mobile devices from compromising the corporate network (Ruskwig, 2006, pp. 1).

Without such a policy in place, there is no guideline for securing QWD’s assets. Any remote employee who has an Internet connection that is always on runs the risk of infection or even of allowing access to the corporate network via their open VPN connection. Something as simple as an employee accessing company resources from a computer that is not owned by the organization can also wreak havoc on the company’s network. If an employee loses their laptop to theft, this could allow unauthorized use of the equipment and access to sensitive company or even clients’ information. Mistakes can be made in strategically guiding the security of QWD, resources could be wasted in protecting low-level assets, and measures may be misguided without such a policy in place (Watson, 2005, pp. 10).

Recommendations

The following software and policy improvements are recommended to Quality Web Design, in order to ensure that remote desktops, laptops, and mobile devices do not compromise the corporate network:

1. All remote desktops and laptops should have Zone Alarm Extreme Security 2010 Hard Drive Encryption Edition installed and configured to update automatically. It is a comprehensive security software package that includes a unified antivirus/spyware scan engine, fast virus signature updates, two-way firewall, operating system firewall, additional layers, identity protection services, secure online backup, virtual browsing, advanced download protection, dangerous website detection, key logger and screen grabber jamming, private browsing, PC tune-up, automatic operation, and user-friendly interface (Check Point Software Technologies Ltd., 2011). At a cost of $1,619.95 for a 50-user pack, it meets the needs of QWD’s remote office, offers full protection, and comes with free upgrades and online customer support. QWD’s IT staff can install and implement use of the software at no extra cost to the company.

2. Security policy should address remote access devices: installation and configuration of the firewall and anti-virus software on all remote devices and acceptable use. The policy should specify that only Zone Alarm Extreme Security 2010 is authorized for anti-virus, firewall, and spyware, and it must be installed by QWD’s IT staff. Unauthorized software is prohibited. Additionally, employees cannot connect to the corporate network without this installation. It should also specify that all remote devices connect to the corporate network only using VPN and how it will work. In addition to this, the policy should make clear the purpose of the policy, computer requirements, and VPN requirements. Loss prevention guidelines will be set in the security policy, including immediate reporting of lost or damaged corporate-issued equipment.
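
As an added example (not part of the original paper or of any QWD tooling), the rules in recommendation 2 can be expressed as an admission check that runs before a remote device is allowed onto the corporate network. The record fields, the inventory data, and the rule that a device reported lost is denied are assumptions made for illustration.

```python
# Added example: posture check for the remote-access policy described above.
# Record fields and the inventory are hypothetical, constructed for illustration.
AUTHORIZED_SUITE = "Zone Alarm Extreme Security 2010"  # product the paper names
SECURITY_CATEGORIES = {"antivirus", "firewall", "antispyware"}

def policy_violations(device):
    """Return every rule the record breaks; missing fields fail closed."""
    found = []
    security = [s for s in device.get("software", [])
                if s.get("category") in SECURITY_CATEGORIES]
    suite = next((s for s in security if s.get("name") == AUTHORIZED_SUITE), None)
    if suite is None:
        found.append("authorized security suite not installed")
    else:
        if suite.get("installed_by") != "it_staff":
            found.append("suite not installed by IT staff")
        if not suite.get("auto_update", False):
            found.append("automatic updates not enabled")
    for s in security:
        if s.get("name") != AUTHORIZED_SUITE:
            found.append(f"unauthorized security software: {s.get('name')}")
    if device.get("connection") != "vpn":
        found.append("not connecting through the VPN")
    if device.get("reported_lost", False):  # assumption: lost devices are denied
        found.append("device reported lost or damaged")
    return found

def audit(inventory):
    """Map each host name to its list of violations (empty list = admit)."""
    return {d["host"]: policy_violations(d) for d in inventory}

INVENTORY = [  # constructed sample records
    {"host": "laptop-01", "connection": "vpn", "reported_lost": False,
     "software": [{"name": AUTHORIZED_SUITE, "category": "firewall",
                   "installed_by": "it_staff", "auto_update": True}]},
    {"host": "laptop-02", "connection": "vpn", "reported_lost": False,
     "software": [{"name": "ExampleAV", "category": "antivirus",
                   "installed_by": "user", "auto_update": True}]},
    {"host": "laptop-03", "connection": "direct", "reported_lost": True,
     "software": [{"name": AUTHORIZED_SUITE, "category": "firewall",
                   "installed_by": "user", "auto_update": False}]},
    {"host": "desktop-04"},  # no posture data at all: must be denied
]

if __name__ == "__main__":
    for host, problems in audit(INVENTORY).items():
        print(host, "ADMIT" if not problems else "DENY: " + "; ".join(problems))
```

Reporting every violation rather than stopping at the first gives IT staff the full remediation list for a denied device in one pass.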

Conclusion

It has been a daunting, but interesting task as I attempted to dissect this scenario, identify two potential security weaknesses, and recommend solutions. Software and policy weaknesses seem to be the most likely problem within the context of the QWD scenario and quite possibly the most easily spotted. However, it is important for any organization to closely analyze and address their security flaws. It could mean their company’s reputation and livelihood.

References

Beal, V. (2010). Hardware and software firewalls explained. Retrieved on January 23, 2011, from http://www.webopedia.com/DidYouKnow/Hardware_Software/2004/firewall_types.asp.

Check Point Software Technologies Ltd. (2011). Multi-user packs. Retrieved on February 13, 2011, from http://promotions.zonealarm.com/security/en/cdn/multiuser-smb.htm?lid=en-us.

Computer Documentation Project (n.d.). Remote access policy. Retrieved on February 13, 2011, from http://www.comptechdoc.org/independent/security/policies/remote-access-policy.html.

Ruskwig (2006). Remote access security policy. Retrieved on January 23, 2011, from http://www.ruskwig.com/docs/remote_policy.pdf.

SANS Institute InfoSec Reading Room (2006). Remote access VPN: Security concerns and policy enforcement. Retrieved on January 23, 2011, from http://www.sans.org/reading_room/whitepapers/vpns/remote-access-vpn-security-concerns-policy-enforcement_881.

Symantec Corporation (1995-2010). Importance of corporate security policy. Retrieved on January 23, 2011, from http://securityresponse.symantec.com/avcenter/security/Content/security.articles/corp.security.policy.html.

Watson, K. (2005). Security assessment report. Retrieved on January 23, 2011, from http://www.docstoc.com/docs/7321054/Security-Assessment-Report-Template

Appendix

Wide Area Network (WAN) and Local Area Network (LAN)