Course Project

Published on February 2017

Running head: SECURITY ASSESSMENT AND RECOMMENDATIONS

Quality Web Design

by

Princ of Info Security and Privacy
SEC 571
Professor John Michalek
June 22, 2014

Table of Contents

Executive Summary
Company Overview
Security Vulnerabilities
    Remote Access
    Chipset
Recommended Solutions
    VPN Tunnel
    Failover
    Impact on Business Processes
Conclusion
References

Executive Summary
This report details a security assessment for Quality Web Design, identifying weaknesses
and vulnerabilities as well as recommendations to resolve these weaknesses within the company. I
have identified two vulnerabilities that exist in QWD’s network that must be addressed before
they are exploited. The first is remote access to their server. This type of access can lead to
attacks launched by external rogues that attract legitimate connecting access point traffic at
authorization time, which forces the user to connect to the rogue. Such attacks can cause loss of
profit and loss of customer trust, resulting in loss of customers altogether. The second is the
chipset and the lack of a backup server. Like most companies, if you have been using a vendor for
a while you tend to trust them. QWD needs to consider chipset and hardware security, as they have
many servers and no backup; if they crash, this will leave the customers in limbo waiting for them
to fix the problem.
Company Overview
Quality Web Design (QWD) is an organization that specializes in Web site and Web
content design for all types of businesses. Their mission is to provide top quality Web design
that will increase consumer generated revenue to their customer web sites. QWD's database
contains over 250,000 proprietary images and graphical designs which will enhance most web
sites’ appeal to a targeted demographic. The company has a corporate office and a remote office as
well as several business processes. A critical and primary process for QWD is the use of the
repository of web site templates, custom scripts and applications. The repository is stored in a
Microsoft Visual Studio Team Foundation Service (TFS) server, which is used to monitor the project
development lifecycle of custom Visual Studio applications from their inception to deployment;
this also includes the quality assurance testing phase. Other critical business processes include
Payroll and Marketing, as well as Accounting. In addition to these, QWD provides employee
access to Web Access Outlook, ActiveSync for Exchange and VPN. Their customers also have
access to their corporate office.
Software Vulnerabilities
I believe that a primary vulnerability for QWD is remote access to their server. Allowing
this type of access can lead to Man-in-the-Middle attacks, better known as an attack launched by
external rogues that attract legitimate connecting access point traffic at authorization time,
which forces the user to connect to the rogue. Hackers then gather authentication information of
the legitimate computer as it is connecting to the access point, then use that information to send
a request. The access point will send the virtual private network (VPN) challenge to the legitimate
system, which in turn sends a valid response. Hackers who use this information pretend to be the
access point; the challenge, request and response continue as the hacker now appears to be
legitimate (H.D. Lane, 2005). If a hacker gets into a strategic position on the network they can
steal information, gain access to the private network resources, introduce new information into
the network session, conduct DoS attacks and transmit data into the network session by taking
control of the session (http://www.orbit-computer-solutions.com/Man-in-the-Middle-Attack.php,
June 19, 2014). Such attacks can lead to unauthorized users on QWD’s network as well as profit
loss for them, not to mention the loss of classified information. QWD needs to use caution when
running their wireless and VPN connection as they risk losing large amounts of information to
unwanted users. See Figure 1 for an illustration of a Man-in-the-Middle attack.

Figure 1.

The likelihood of this happening is high, as QWD provides top quality web designs, which
means their scripting is very intricate and produces significant revenue for them and their
customers. With that being said, there are definitely companies out there that would love to get
their hands on this type of technology and claim it as their own. QWD specializes in custom
designs; their mission critical business process as well as their competitive edge could be
compromised with exposure to such a vulnerability.

Hardware Vulnerability

In the hardware department, because we tend to trust vendors, we don’t think about
chipsets that are embedded within the organization's IT infrastructure. As defined by Computer
Hope:
“Chipset is a designated group of microchips that are designed to work with one or more related
functions. They were introduced in 1986 when Chips and Technologies introduced 82C206.”
Chipsets play a critical role in determining system performance because they control
communications between the processor and external devices (Computer Hope, 2014). QWD
needs to consider chip and hardware security, as they have many servers but they don’t have a
back-up server, nor do they talk about the back-up process if the main server crashes. The
problem is that if the system were to crash, no one would be able to access information internally
or remotely without a back-up server. At this point they need to look into some type of load
balancing if there are going to be multiple users accessing the system. They should look into
failover, a backup operation that automatically switches to a standby server, network or
database in the event the main system fails or is shut down temporarily for maintenance. This is
a great alternative for a mission critical system that relies on constant accessibility, as it is a
fault tolerant function that transparently and automatically redirects requests from the failed
system to the backup system and mimics the operations of the primary system (Webopedia, 2014).
The likelihood of system failure is really high, especially with the number of users on the
network. Not only that, you have to think about the lifecycle of the servers and the computers on
the network; if they are not changed out when they are supposed to be, the wear and tear can be
detrimental to the network itself. In the event of system loss QWD needs to be concerned with
the loss of integrity, confidentiality and availability of the system. If the loss of integrity is
not corrected they run the risk of contaminating the system and putting out corrupted data. The
loss of availability means that the system is not available to its end users, which will affect
QWD’s mission. The loss of confidentiality will mean that unauthorized users have had access to
their network (http://csrc.nist.gov/publications/PubsSPs.html, May 1, 2014). Because QWD provides
24/7 web access to their customers, a down server with no backup server will cause a long outage
time for them. Having failover will be a smooth transition for the customers, as it is transparent
and they will not be aware of the outage at all.

The loss of integrity, confidentiality and availability will affect QWD’s competitive edge
in a negative manner. Customers will no longer trust that they can provide security on their web
sites; they will lose customers because they can’t protect personal information, as any
unauthorized user can gain access to their network.
Recommended Solutions
VPN tunnels are one way to avoid Man-in-the-Middle attacks; the tunnel allows the
hacker to see only encrypted and unreadable text. This is particularly useful for Wide Area
Networks (WAN). However, for Local Area Networks hackers may use ARP poisoning and
ettercap, so port security configuration on LAN switches works best. Cost for VPN tunneling
varies, as QWD can opt to install their own VPN tunnel within the company or they can subscribe
to privateinternetaccess.com, where the cost is $6.95 (monthly), $35.95 (semi-annually)
or $39.95 (annually). I also recommend using www.privateinternetaccess.com, as this is less
costly to the company and requires no employee training. Zone Alarm offers a hard drive
encryption software that will update automatically once it is installed. This is another viable
option for QWD, as this software package includes a scan engine, antivirus/spyware, two-way
firewall, virus signature updates, secure online backups, advanced download protection, virtual
browsing, dangerous website detections and a variety of other features that will meet QWD’s remote
office needs (Check Point Software Technologies, 2014). The cost of this software is $1119.95 and
it can be loaded by the IT staff at no additional cost to the company.
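
The paragraph above names ARP poisoning as the LAN-side route to a Man-in-the-Middle position. The following is an added example, not part of the original paper, showing the kind of check a defender can run over ARP observations to spot it; the gateway address, the sample records and the alert names are all constructed for illustration.

```python
from collections import defaultdict

GATEWAY_IP = "192.0.2.1"  # assumed default gateway of the sample LAN

# Constructed (timestamp, ip, mac) ARP observations, as a sensor might log them.
SAMPLE_OBSERVATIONS = [
    (1, "192.0.2.1", "00:00:5e:00:53:01"),
    (2, "192.0.2.10", "00:00:5e:00:53:10"),
    (3, "192.0.2.20", "00:00:5e:00:53:20"),
    (4, "192.0.2.1", "00:00:5e:00:53:20"),  # gateway IP now answered by host .20
    (5, "192.0.2.10", "00:00:5e:00:53:10"),
]


def find_arp_anomalies(observations, gateway_ip=GATEWAY_IP):
    """Return (timestamp, kind, detail) alerts for suspicious IP-to-MAC changes."""
    ip_to_mac = {}                  # last MAC seen answering for each IP
    mac_to_ips = defaultdict(set)   # every IP each MAC has answered for
    alerts = []
    for ts, ip, mac in observations:
        mac = mac.lower()
        known = ip_to_mac.get(ip)
        if known is not None and known != mac:
            # An IP that suddenly maps to a different MAC is the core symptom.
            kind = "gateway-rebind" if ip == gateway_ip else "ip-rebind"
            alerts.append((ts, kind, f"{ip} moved from {known} to {mac}"))
        ip_to_mac[ip] = mac
        is_new_claim = ip not in mac_to_ips[mac]
        mac_to_ips[mac].add(ip)
        # One MAC answering for the gateway and another host sits in the traffic path.
        if is_new_claim and len(mac_to_ips[mac]) > 1 and gateway_ip in mac_to_ips[mac]:
            alerts.append((ts, "mac-claims-gateway",
                           f"{mac} answers for {sorted(mac_to_ips[mac])}"))
    return alerts


if __name__ == "__main__":
    for alert in find_arp_anomalies(SAMPLE_OBSERVATIONS):
        print(alert)
```

A plain "ip-rebind" also fires on legitimate changes such as a replaced network card or a reassigned DHCP lease, so those alerts need review, while a rebind of the gateway address deserves immediate attention.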

DNS Made Easy offers a variety of services, one of them being DNS failover.
DNS Failover / System Monitoring Service: $4.95 per A record per year, and DNS Failover / System
Monitoring Service (10-pack): $45.95 per A record per year.
QWD can subscribe to monitoring by DNS Made Easy or they can opt to install their new backup server.

Figure 2

If they opt to install their own backup servers they will have to ensure that they consider chip and
hardware security for these servers. My preference is failover, as monitoring is done by another company and it
is monitored 24/7, so if the system crashes in the middle of the night the transition is smooth and none of
QWD’s customers will notice anything; a report is sent to QWD to let them know that the system went down.
This may be a little more pricey than having their own servers; however, I believe that in the long run this will
make up for the cost of maintaining their own servers and the additional training and software that is required
to install an in-house failover.
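
The failover behaviour described above (monitor the main server, switch the A record to the standby when it fails, report the event) can be sketched as follows. This is an added example, not part of the original paper and not any provider's actual logic; the addresses, thresholds and check results are constructed, and no network traffic is sent.

```python
from dataclasses import dataclass, field

PRIMARY_IP = "198.51.100.10"   # constructed address for the main server
STANDBY_IP = "198.51.100.20"   # constructed address for the backup server


@dataclass
class FailoverMonitor:
    fail_threshold: int = 3      # consecutive failed checks before switching (assumed policy)
    recover_threshold: int = 2   # consecutive good checks before switching back (assumed policy)
    active_ip: str = PRIMARY_IP
    _fails: int = 0
    _oks: int = 0
    events: list = field(default_factory=list)  # what would be reported to the site owner

    def record_check(self, tick, primary_healthy):
        """Feed one health-check result; return the IP the A record should hold."""
        if primary_healthy:
            self._oks += 1
            self._fails = 0
        else:
            self._fails += 1
            self._oks = 0
        # Requiring several consecutive results keeps one dropped probe from flapping DNS.
        if self.active_ip == PRIMARY_IP and self._fails >= self.fail_threshold:
            self.active_ip = STANDBY_IP
            self.events.append((tick, "failover", STANDBY_IP))
        elif self.active_ip == STANDBY_IP and self._oks >= self.recover_threshold:
            self.active_ip = PRIMARY_IP
            self.events.append((tick, "failback", PRIMARY_IP))
        return self.active_ip


def simulate(checks, **policy):
    """Run a list of True/False primary health results through the monitor."""
    monitor = FailoverMonitor(**policy)
    answers = [monitor.record_check(tick, ok) for tick, ok in enumerate(checks)]
    return answers, monitor.events


# Constructed results: one transient blip, a real outage, then recovery.
SAMPLE_CHECKS = [True, False, True, False, False, False, False, True, True, True]

if __name__ == "__main__":
    answers, events = simulate(SAMPLE_CHECKS)
    print(answers)
    print(events)
```

The outage is only invisible to customers once resolvers pick up the new record, so the A record's TTL bounds how long clients keep reaching the failed server.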

Having a contingency plan is great for business. If QWD implements the recommended
solutions to the identified vulnerabilities, this will ensure customer satisfaction and positive
revenue for the company. I think QWD will benefit from these recommendations, as they both
provide no impact to the company; when the system is down, customers will still be able to access
their information. It is like having their information stored on an iCloud.

Conclusion

I found it interesting identifying security weaknesses and recommending solutions for
those weaknesses. For software, remote access immediately stood out to me, probably because I
have had some experience in using remote access; the concern there will always be who is
accessing the network other than those people who are authorized to do so. I think all companies
should do an annual assessment of their network, because so many things change on a daily basis
that you have to keep up or find yourself wondering how a hacker was able to hack you. Identifying
that QWD needed backup servers wasn’t hard, but in doing this research I learned about chipsets
and to be aware of vendors and to understand that they aren’t all trustworthy. I think when it
comes to hardware you have to know what you want and how to evaluate the hardware before you
purchase it to ensure that it will accommodate the company’s needs. Learning about chipsets in
this process was interesting because I never would have thought about a defective chip on a
motherboard unless the computer was at least a year old.

References
Check Point Software Technologies. (2014). Extreme Security. Retrieved from
http://promotions.zonealarm.com/security/en/cdn/multiuser-smb.htm?lid=en-us
Computer Documentation Project. (n.d.)
Computer Hope. (2014, May). Chipset. Retrieved from
http://www.computerhope.com/jargon/c/chipset.htm
H.D. Lane. (2005, February 6). Security Vulnerability and Wireless LAN Technology, SANS
Institute. Retrieved from
http://www.sans.org/reading_room/whitepapers/wireless/security-vulnerabilities-wireless-lan-technology_1629
www.privateinternetaccess.com
Webopedia. (2014, May). failover. Retrieved from
http://www.webopedia.com/TERM/F/failover.html
