Potential Weaknesses 1
Running head: POTENTIAL WEAKNESSES
Security Assessment and Recommendations
Colleen N. Clarke
Keller Graduate School of Management
Security Assessment and Recommendations
I have been charged with the task of identifying potential security weaknesses and
recommending solutions for Quality Web Design (QWD). The project was completed in two
phases. The first phase of the project specifically identified and defined two potential security
weaknesses: software and policy. The second phase recommends solutions to these potential
weaknesses. I chose a scenario that outlines specifics of the organization’s type of business,
business processes, assets, services, and security controls.
It is crucial for any organization to take the necessary steps to secure its business assets
and its customers’ data. Furthermore, it is important for these security measures to be effective
and thoroughly planned. It is equally important, in this interconnected and high-tech world,
for corporations to have and enforce an effective corporate security policy, because there are
both internal and external threats (Symantec Corporation, 1995-2010).
Company Overview
Based on the scenario given, Quality Web Design is an IT corporation, with approximately
50-100 employees, offering top quality web design services for their customers. In order to
appeal to their target audience and enhance services, they offer over 250,000 proprietary images
and graphical designs. QWD’s customers can only access their corporate website.
Their business processes include the use of a repository of website templates, custom
written scripts, and custom applications. This repository is used to monitor project development
and quality assurance testing. Additionally, QWD offers IT support for their accounting, payroll,
and marketing operations through the use of their digital assets. They utilize a Wide Area
Network (WAN) and an internal Local Area Network (LAN) for their offices.
There are strict technology-based access controls and a published corporate security
manual that covers various security practices. Employees at QWD’s corporate and remote offices
have access to services that include Virtual Private Network (VPN), Outlook Web email, and
Active Sync Exchange server.
Security Vulnerabilities
Listed below are two security vulnerabilities: software and policy. These were identified
during my initial assessment of the scenario provided for QWD. These vulnerabilities are
significant and should be addressed immediately.
Security Software
Many of QWD’s employees work from remote locations and can access Virtual Private
Network (VPN), Outlook Web email, and Active Sync Exchange services. They utilize
corporate-owned laptops, desktops, and mobile devices (iPhones and Windows Mobile 6) to
remotely access corporate intranet resources.
It is evident, by the scenario’s hardware profile, that the company has hardware-based
firewalls in place for network security. It is also evident in the WAN and corporate network
diagrams (see Appendix). According to SANS Institute (2006), a VPN connection, in this case,
offers secure connectivity between employees’ computers and the corporate network.
Furthermore, the VPN connection is there to provide data confidentiality, data integrity, and
authentication services (SANS Institute, 2006, pp. 4).
Having said this, it appears that QWD is not protected with firewall software on their
employees’ remote computers. This means that these remote computers are not protected against
attacks that reach them directly from the Internet. According to Beal (2010, pp. 3), “the best
protection for your computers and network is to use both” hardware and software firewalls.
These attacks include Trojan horses and email worms, and the whole idea of a software firewall
is to protect the “computer from outside attempts to control or gain access” to it (Beal, 2010,
pp. 3). An intruder can use an employee’s compromised system to gain entry to the corporate
network through an open VPN connection. Such an attack, using an open VPN connection, can be
detrimental to the company’s business processes, particularly their repository of website
templates, custom written scripts, and custom applications; and their accounting, payroll, and
marketing operations. An attack on these mission-critical processes can mean a decrease in the
organization’s revenue; clients’ personal information being accessed, modified, or even deleted;
and even degraded network performance. QWD would lose significant clientele and would not be as
appealing to their target audience – not so good for their mission of providing top quality
services.
Policy
Reducing the exposure of the corporate network from outside attacks is crucial in
protecting mission-critical processes for QWD. The security assessment doesn’t end with
software firewalls for their remote users. The company’s security policy must also address this
vulnerability.
QWD has a policy in place that speaks to who has access to data and the type of data;
username standards; password length, complexity, rotation, and history; and security training.
However, their policy doesn’t address remote access devices: installation and configuration of
firewall and anti-virus software on all employees’ remote computers and acceptable use. These
are critical in preventing remote computers and mobile devices from compromising the corporate
network (Ruskwig, 2006, pp. 1).
Without such a policy in place, there is no guideline for securing QWD’s assets. Any
remote employee who has an always-on Internet connection runs the risk of infection or even
of allowing access to the corporate network via their open VPN connection. Something as simple
as an employee accessing company resources from a computer that is not owned by the
organization can also wreak havoc on the company’s network. If an employee loses their laptop
to theft, this could allow unauthorized use of the equipment and access to sensitive company or
even clients’ information. Mistakes can be made in strategically guiding the security of QWD,
resources could be wasted in protecting low level assets, and measures may be misguided
without such a policy in place (Watson, 2005, pp. 10).
Recommendations
The following software and policy improvements are recommended to Quality Web
Design, in order to ensure that remote desktops, laptops, and mobile devices do not compromise
the corporate network:
1. All remote desktops and laptops should have Zone Alarm Extreme Security 2010
Hard Drive Encryption Edition installed and configured to update automatically. It is a
comprehensive security software package that includes a unified antivirus/spyware scan
engine, fast virus signature updates, two-way firewall, operating system firewall,
additional layers, identity protection services, secure online backup, virtual browsing,
advanced download protection, dangerous website detection, key logger and screen
grabber jamming, private browsing, PC tune-up, automatic operation, and user-friendly
interface (Check Point Software Technologies Ltd., 2011). At a cost of $1,619.95 for a
50-user pack, it meets the needs of QWD remote office, offers full protection, and comes
with free upgrades and online customer support. QWD’s IT staff can install and
implement use of software at no extra cost to the company.
2. Security policy should address remote access devices: installation and configuration of
the firewall and anti-virus software on all remote devices and acceptable use. The policy
should specify that only Zone Alarm Extreme Security 2010 is authorized for anti-virus,
firewall, and spyware, and it must be installed by QWD’s IT staff. Unauthorized software
is prohibited. Additionally, employees cannot connect to the corporate network without this
installation. It should also specify that all remote devices connect to the corporate network
only using VPN and how it will work. In addition to this, the policy should make clear
the purpose of the policy, computer requirements, and VPN requirements. Loss
prevention guidelines will be set in the security policy, including immediate reporting of
lost or damaged corporate-issued equipment.
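One way to express recommendation 2 as an automated check before a remote device is admitted to the corporate network. This is an added example, not part of the original assessment or of QWD's systems; the report fields and sample devices are constructed assumptions, and only the product name comes from the recommendations.

```python
from dataclasses import dataclass
from typing import List, Optional

# Product name as given in the recommendations; all field names are hypothetical.
AUTHORIZED_SUITE = "Zone Alarm Extreme Security 2010"


@dataclass
class DeviceReport:
    """Posture facts a remote device would report before admission (assumed schema)."""
    hostname: str
    security_suite: Optional[str]   # installed firewall/anti-virus product, if any
    installed_by_it: bool           # suite was deployed by QWD's IT staff
    firewall_enabled: bool
    auto_update: bool               # updates configured to run automatically
    connects_via_vpn: bool
    reported_lost: bool = False     # flagged under the loss-reporting guideline


def violations(d: DeviceReport) -> List[str]:
    """Return every policy rule the device fails; an empty list means compliant."""
    found = []
    if d.reported_lost:
        found.append("device reported lost or stolen")
    if d.security_suite != AUTHORIZED_SUITE:
        found.append("authorized security suite not installed")
    elif not d.installed_by_it:
        found.append("security suite not installed by IT staff")
    if not d.firewall_enabled:
        found.append("software firewall disabled")
    if not d.auto_update:
        found.append("automatic updates disabled")
    if not d.connects_via_vpn:
        found.append("connection not made through the VPN")
    return found


def admit(d: DeviceReport) -> bool:
    """Deny by default: any single violation blocks access to the corporate network."""
    return not violations(d)


# Constructed sample reports, not data from the QWD scenario.
SAMPLES = [
    DeviceReport("laptop-01", AUTHORIZED_SUITE, True, True, True, True),
    DeviceReport("laptop-02", None, False, False, False, True),
    DeviceReport("laptop-03", AUTHORIZED_SUITE, True, True, True, True, reported_lost=True),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.hostname, "ADMIT" if admit(s) else "DENY", violations(s))
```

Returning the full list of failed rules, rather than stopping at the first, gives IT staff one remediation ticket per device instead of repeated denied connection attempts.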
Conclusion
It has been a daunting, but interesting task as I attempted to dissect this scenario, identify
two potential security weaknesses, and recommend solutions. Software and policy weaknesses
seem to be the most likely problem within the context of the QWD scenario and quite possibly
the most easily spotted. However, it is important for any organization to closely analyze and
address their security flaws. It could mean their company’s reputation and livelihood.
References
Beal, V. (2010). Hardware and software firewalls explained. Retrieved on January 23, 2011, from http://www.webopedia.com/DidYouKnow/Hardware_Software/2004/firewall_types.asp.
Check Point Software Technologies Ltd. (2011). Multi-user packs. Retrieved on February 13, 2011, from http://promotions.zonealarm.com/security/en/cdn/multiuser-smb.htm?lid=en-us.
Computer Documentation Project (n.d.). Remote access policy. Retrieved on February 13, 2011, from http://www.comptechdoc.org/independent/security/policies/remote-access-policy.html.
Ruskwig (2006). Remote access security policy. Retrieved on January 23, 2011, from http://www.ruskwig.com/docs/remote_policy.pdf.
SANS Institute InfoSec Reading Room (2006). Remote access VPN: Security concerns and policy enforcement. Retrieved on January 23, 2011, from http://www.sans.org/reading_room/whitepapers/vpns/remote-access-vpn-security-concerns-policy-enforcement_881.
Symantec Corporation (1995-2010). Importance of corporate security policy. Retrieved on January 23, 2011, from http://securityresponse.symantec.com/avcenter/security/Content/security.articles/corp.security.policy.html.
Watson, K. (2005). Security assessment report. Retrieved on January 23, 2011, from http://www.docstoc.com/docs/7321054/Security-Assessment-Report-Template
Appendix
Wide Area Network (WAN) and Local Area Network (LAN)