Potential Weaknesses 1 Running head: POTENTIAL WEAKNESSES

Security Assessment and Recommendations Colleen N. Clarke Keller Graduate School of Management

Potential Weaknesses 2 Security Assessment and Recommendations I have been charged with the task of identifying potential security weaknesses and recommending solutions for Quality Web Design (QWD). The project was completed in two phases. The first phase of the project specifically identified and defined two potential security weaknesses: software and policy. The second phase recommends solutions to these potential weaknesses. I chose a scenario that outlines specifics of the organizations type of business, business processes, assets, services, and security controls. It is crucial for any organization to take necessary steps in securing their business assets, and customers data. Furthermore, it is also important for these security measures to be effective, and thoroughly planned. It is as equally important, in this interconnected and high-tech world, for corporations to also have and enforce an effective corporate security policy, because there are both internal and external threats (Symantec Corporation, 1995-2010). Company Overview Based on the scenario given, Quality Web Design is an IT corporation, with approximately 50-100 employees, offering top quality web design services for their customers. In order to appeal to their target audience and enhance services, they offer over 250,000 proprietary images and graphical designs. QWDs customers can only access their corporate website. There business processes include the use of a repository of website templates, custom written scripts, and custom applications. This repository is used to monitor project development and quality assurance testing. Additionally, QWD offers IT support for their accounting, payroll, and marketing operations through the use of their digital assets. They utilize a Wide Area Network (WAN) and an internal Local Area Network (LAN) for their offices.

Potential Weaknesses 3 There are strict technology-based access controls and a published corporate security manual that covers various security practices. Employees at QWDs corporate and remote offices have access to services that include Virtual Private Network (VPN), Outlook Web email, and Active Sync Exchange server. Security Vulnerabilities Listed below are two security vulnerabilities: software and policy. These were identified during my initial assessment of the scenario provided for QWD. These vulnerabilities are significant and should be addressed immediately. Security Software Many of QWDs employees work from remote locations and can access Virtual Private Network (VPN), Outlook Web email, and Active Sync Exchange services. They utilize corporate-owned laptops, desktops, and mobile devices (IPhones and Windows Mobile 6) to remotely access corporate intranet resources. It is evident, by the scenarios hardware profile, that the company has hardware-based firewalls in place for network security. It is also evident in the WAN and corporate network diagrams (see Appendix). According to SANS Institute (2006), a VPN connection, in this case, offers secure connectivity between employees computers and the corporate network. Furthermore, the VPN connection is there to provide data confidentiality, data integrity, and authentication services (SANS Institute, 2006, pp. 4). Having said this, it appears that QWD is not protected with firewall software on their employees remote computers. This means that these remote computers are not protected from personal attacks from the Internet. According to Beal (2010, pp. 3), the best protection for your computers and network is to use both hardware and software firewalls. These attacks include

Potential Weaknesses 4 Trojan horses and email worm and the whole idea of software firewall is to protect the computer from outside attempts to control or gain access to it (Beal, 2010, pp. 3). An intruder can use an employees compromised system to gain entry to the corporate network through an open VPN connection. Such an attack, using an open VPN connection, can be detrimental to the companys business processes, particularly their repository of website templates, custom written scripts, and custom applications; and, their accounting, payroll, and marketing operations. An attack to these mission-critical processes can mean a decrease in the organizations revenue; clients personal information being accessed, modified, or even deleted; and even degraded network performance. QWD would lose significant clientele and would not be as appealing to their target audience not so good for their mission of providing top quality services. Policy Reducing the exposure of the corporate network from outside attacks is crucial in protecting mission-critical processes for QWD. The security assessment doesnt end with software firewalls for their remote users. The companys security policy must also address this vulnerability. QWD has policy in place that speaks to who has access to data and the type of data; username standards; password length, complexity, rotation, and history; and security training. However, their policy doesnt address remote access devices: installation and configuration of firewall and anti-virus software on all employees remote computers and acceptable use. These are critical in preventing remote computers and mobile devices from compromising the corporate network (Ruskwig, 2006, pp. 1). Without such a policy in place, there is no guideline for securing QWDs assets. Any remote employee that has Internet connection that is always on runs the risk of infection or even

Potential Weaknesses 5 allowing access to the corporate network via their open VPN connection. Something as simple as an employee accessing company resources from a computer that is not owned by the organization can also wreak havoc on the companys network. If an employee losses their laptop to theft, this could allow unauthorized use of the equipment and access to sensitive company or even clients information. Mistakes can be made in strategically guiding the security of QWD, resources could be wasted in protecting low level assets, and measures may be misguided without such a policy in place (Watson, 2005, pp. 10). Recommendations The following software and policy improvements are recommended to Quality Web Design, in order to ensure that remote desktops, laptops, and mobile devices do not compromise the corporate network: 1. All remote desktops and laptops should have Zone Alarm Extreme Security 2010 Hard Drive Encryption Edition installed and configured to update automatically. It is a comprehensive security software package that includes a unified antivirus/spyware scan engine, fast virus signature updates, two-way firewall, operating system firewall, additional layers, identity protection services, secure online backup, virtual browsing, advanced download protection, dangerous website detection, key logger and screen grabber jamming, private browsing, PC tune-up, automatic operation, and user-friendly interface (Check Point Software Technologies Ltd., 2011). At a cost of $1,619.95 for a 50-user pack, it meets the needs of QWD remote office, offers full protection, and comes with free upgrades and online customer support. QWDs IT staff can install and implement use of software at no extra cost to the company.

Potential Weaknesses 6 2. Security policy should address remote access devices: installation and configuration of the firewall and anti-virus software on all remote devices and acceptable use. The policy should specify that only Zone Alarm Extreme Security 2010 is authorized for anti-virus, firewall, and spyware, and it must be installed by QWDs IT staff. Unauthorized software is prohibited. Additionally, employees cannot connect to corporate network without this installation. It should also specify that all remote devices connect to corporate network only using VPN and how it will work. In addition to this, the policy should make clear the purpose of the policy, computer requirements, and VPN requirements. Loss prevention guidelines will be set in the security policy, including immediate reporting of loss or damaged corporate-issued equipment. Conclusion It has been a daunting, but interesting task as I attempted to dissect this scenario, identify two potential security weaknesses, and recommend solutions. Software and policy weaknesses seem to be the most likely problem within the context of the QWD scenario and quite possibly the most easily spotted. However, it is important for any organization to closely analyze and address their security flaws. It could mean their companys reputation and livelihood.

Potential Weaknesses 7 References Beal, V. (2010). Hardware and software firewalls explained. Retrieved on January 23, 2011, from http://www.webopedia.com/DidYouKnow/Hardware_Software/2004/ firewall_types.asp. Check Point Software Technologies Ltd. (2011). Multi-user packs. Retrieved on February 13, 2011, from http://promotions.zonealarm.com/security/en/cdn/multiuser-smb.htm?lid=enus. Computer Documentation Project (n.d.). Remote access policy. Retrieved on February 13, 2011, from http://www.comptechdoc.org/independent/security/policies/remote-accesspolicy.html. Ruskwig (2006). Remote access security policy. Retrieved on January 23, 2011, from http://www.ruskwig.com/docs/remote_policy.pdf. Sans Institute InfoSec Reading Room (2006). Remote access VPN: Security concerns and policy enforcement. Retrieved on January 23, 2011, from http://www.sans.org/reading_room/ whitepapers/vpns/remote-access-vpn-security-concerns-policy-enforcement_881. Symantec Corporation (1995-2010). Importance of corporate security policy. Retrieved on January 23, 2011, from http://securityresponse.symantec.com/avcenter/security/ Content/security.articles/corp.security.policy.html. Watson, K. (2005). Security assessment report. Retrieved on January 23, 2011, from http://www.docstoc.com/docs/7321054/Security-Assessment-Report-Template

Potential Weaknesses 8 Appendix Wide Area Network (WAN) and Local Area Network (LAN)