Aircraft Solutions (AS) Security Assessment

Submitted to: Professor
SEC-571 Principles of Information Security and Privacy
Keller Graduate School of Management
Submitted:

Overview

Aircraft Solutions (AS) is a southern California company specializing in cutting edge design and manufacturing. AS supplies products and solutions in the fields of electronics, commercial, defense, and aerospace to a wide variety of customers. AS not only has a highly skilled and trained workforce, but they also utilize state of the art equipment that provides efficiency and productivity rarely seen in this industry. AS’s headquarters is located in San Diego, California while their Commercial Division (CD) is located 40 miles east of San Diego in Chula Vista, California. The AS Defense Division (DD) is located between Los Angeles and San Diego in Orange County, California. AS uses Business Process Management (BPM) to integrate customers, vendors, and suppliers in order to create a successful product. The success of the BPM is closely dependent on the success and efficiency of the Information Technology (IT) process of AS. Customer data, design engineering, and Proof For Production (PFP) are all examples of how AS’s IT success directly impacts their BPM.

Vulnerabilities

Hardware vulnerability

AS has an obvious hardware vulnerability that could potentially have a catastrophic effect on the Chula Vista CD and the rest of AS. AS has a current network architecture that employs four (4) firewalls that prevent AS headquarters, DD, contractors, suppliers, and customers from directly connecting through the Internet. CD is positioned in such a way that they have direct exposure to the Internet, which in turn could expose AS headquarters and DD. This lack of a firewall for CD is a major security concern and needs to be addressed immediately. The lack of a firewall between CD and the Internet is a major vulnerability as it allows unfiltered Internet traffic to touch the AS network (Scarfone & Hoffman, 2009). This is a critical exposure as the lack of a firewall increases the risk of malicious attacks, whether from an intrusion, dangerous packets, or exposure to a virus. These types of threats are real and persistent whether from malicious state actors seeking proprietary company information, a disgruntled employee, or just an everyday hacker looking to do some damage. The lack of a firewall allows these attackers to use such websites as www.shodan.com to scan all of the ports that CD is making available to the Internet and discover which avenues of access to the AS network are available (Hill, 2013). The likeliness of one of these attacks occurring is high. The United States Computer Emergency Readiness Team, or U.S. – CERT, reported that more than 12,000 cyber incidents occurred in 2007, and that number has more than quadrupled by 2012. See below:

The specific consequences of a successfully attack or security breach are too numerous to list, however, any degradation or loss of productivity to the CD will have a significant impact on the mission critical businesses of AS. At best, consequences could be minor disruption in network traffic or performance and at worse it could be a complete compromise of business critical information and infrastructure which would effectively cripple AS. AS’s competitive edge would be affected by them losing network integrity and a complete disruption of the BPM. Even if recovery efforts were successful, the loss of consumer confidence in AS’s ability to protect their own network and customer data would be tremendous and AS would still lose their competitive edge.

Policy vulnerability

The policy that AS currently has in place for router and firewall rule set review is a vulnerability that needs immediate attention. The current policy states that rule sets will be reviewed every two years. This policy is so inadequate that it, in all practicality, renders the firewall and routers useless. IT security can literally change on a daily basis and it is a continuing process to stay current on security trends and security needs of an organization (Wilshusen, 2013). For example, ports that were secure can become vulnerable, AS business requirements and practices can change, and newly discovered viruses and threats become known all the time. This information needs to be reviewed in conjunction with the firewall and router rule sets to make sure that a new exposure or vulnerability does not exist. The likelihood of one of these threats occurring under the current security control policy is high. In the IT security world, the amount of change that occurs in two years is astronomical. If a security control rule set for a firewall or router was not reviewed for two years, there would be a significant number of vulnerabilities that the router or firewall would be exposed to. As time passes, the number of vulnerabilities would increase and therefore increasing the risk and likelihood that a threat will occur. The consequences of a vulnerable firewall or router to AS’s mission critical business cannot be understated. Taking the current policy into consideration, if we assume vulnerability came into existence two months after a review of the firewall rule set, then AS has potentially exposed their network and information to undetected exploitation for a 22 month period. Again, this is a worst case scenario, but it is always better to plan for the worst and hope for the best. This 22 month exposure period could destroy any competitive edge that AS had over its competitors. AS’s entire network and business practices could be exploited and made available to rival companies which would effectively put AS out of business.

Recommended solutions

Hardware solution

The recommended hardware solution for AS is to place a Next Generation Firewall (NGFW) product between the Internet and CD. The recommended product for AS, based on a totality of the circumstances, is to deploy a Check Point 13500 NGFW. Check Point’s 13500 device is part of their 13000 series of appliances. Check Point has a long history of being a respected security solutions provider and the companies’ devices are one of the most deployed firewalls in use today. The great thing about this product is that it has a variety of states that it can be deployed in. The 13000 series can be deployed to be a NGFW, Next Generation Threat Prevention (NGTP), Next Generation Secure Web Gateway (NGSWG), and/or a Next Generation Data Protection (NGDP) solution separately or independently depending on the blade package used.
(Wilkins, 2014) That is a great feature as it allows AS to adjust its security posture as it grows, changes, or identifies areas that may be more of a security concern. Here we are only concerned with the NGFW. The specifications for the Check Point 13500 NGFW are as follows: CheckPoint 13500 | Server Application Attacks (Blocked %) | 97.1% | Client Application Attacks (Blocked %) | 95.9% | Evasion Results | Unable to be Evaded | Stable and Reliable | Yes | Successful Enforcement of Application Policies? | Yes | Successful Enforcement of Identify Policies? | Yes | IPS Throughput (Specification) | 5.7 Gbps | IPS Throughput (Tested) | 6.7 Gbps | Total Throughput | 23.6 Gbps | Cost per Protected Mbps | $21.45 | Dual Power Supplies | Yes | Max Power Consumption | 431 Watts | Stackable | No | Rack Space Used per unit | 2U |
(Wilkins, 2014) As you can see from the above chart, the Server Application Attacks and Client Application Attacks blocked are at 97.1% and 95.9% respectively. This is a tremendous percentage while still allowing a total throughput of information at 23.6 Gbps. Additionally, the max power consumption is at 431 Watts which is the second lowest in this class of NGFW. One other great feature is that the Check Point 13500 maximizes connection capacity by supporting up to 28 million concurrent connections. (Check Point Software Technologies LTD, 2016) One of the security features of the Check Point 13500 is it offers complete zero-day threat prevention and alerts when under attack. Their Threat Extraction delivers zero-malware documents in zero seconds and the Threat Emulation feature inspects files for malicious content in virtual sandbox. (Check Point Software Technologies LTD, 2016) Placement for the Checkpoint 13500 would be directly between the CD and the Internet. This is the most vulnerable point of the AS architecture and this is what needs addressed first. The placement of the Check Point 13500 should be re-evaluated periodically to ensure that it is in the most beneficial spot for AS and that it is being used to its greatest potential. The justification for this product and its placement is primarily based on the value of the information that CD handles. As a recognized leader in the design and fabrication of component products and services for companies in the electronics, commercial, defense, and aerospace industry, AS cannot afford to have a security breach in their CD. This could not only compromise their business/production process, but it could also compromise valuable data on AS customers and their products. The latter would be devastating to AS as their current, and future, clients would lose faith that AS can properly safeguard their secrets. The implementation of the Check Point 13500 NGFW can be done with little to no disruption. It can be pre-configured with the help of the network administration staff and they can perform the installation during early hours on the weekend or a holiday when production and customer activity is at its lowest. Maintenance for the NGFW will also cause little to no disruption as the 13500 appliance has hot-swappable and redundant components to prevent downtime. The cost of the Check Point 13500 is approximately $62,000 with an expected yearly maintenance of $5000. The positive effects on the business process are added security and peace of mind. The positive effects will manifest themselves in very subtle ways as it might be harder to quantify since in this case, “no news is good news”. However, the Check Point 13500 NGFW will provide great logging information to give the IT staff much better visibility as to what attacks are being prevented and the vulnerabilities facing CD. The potential negative effect on the Business Impact Analysis (BIA) is that with any type of change there can be problems. The network administration staff needs to prepare to learn a new product and to put in extra hours as they troubleshoot the inevitable problems that will occur. Network administrators should plan on 8-16 hours of training or product review just to become familiar with the new appliance. Additionally, for the first month or so, they should plan on 5-10 hours a week of work time being put towards the set-up and troubleshooting of the new appliance. Lastly, CD employees should plan on having several hours of down or slow network time due to the new appliance. That is not to say it is going to happen, but it is always better to plan on it occurring than having no plan whatsoever. These are all acceptable negative effects as the potential for loss is too great to risk by not putting the Check Point 13500 NGFW in place.

Policy solution
The recommended policy change is to address the current security policy for AS that states in part, “all firewalls and router rule sets are evaluated every two years…”. The recommended policy solution will be to adopt the Payment Card Industry Data Security Standard (PCI DSS) that addresses firewall rule set review. Specifically, PCI requirement1.1.7 states: * 1.1.7.a Verify that firewall and router configuration standards require review of firewall and router rule sets at least every six months. * 1.1.7.b Examine documentation relating to rule set reviews and interview responsible personnel to verify that the rule sets are reviewed at least every six months. * This review gives the organization an opportunity at least every six months to clean up any unneeded, outdated, or incorrect rules, and ensure that all rule sets allow only authorized services and ports that match the documented business justifications.
(PCI Security Standards Counsel, 2013) The justification for using this standard is that the PCI DSS is a widely used policy and is considered a standard for firewall review. In addition, PCI DSS compliance is required for “all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD)”. (PCI Security Standards Counsel, 2013) It is incumbent on AS to determine if they fall under the requirements for PCI DSS compliance. AS’s CD does engage in business transactions with customers and other clients so they very well might be required to be PCI DSS compliant. The BIA for AS to implement this policy will be moderate. The positive impact will be that not only will AS have a greater security policy in relation to firewall rule sets, but they will also be PCI DSS compliant as far as firewall policy is concerned. The negative effects of implementing this policy will be that it could potentially be man power intensive. AS will have to officially adopt PCI DSS requirement 1.1.7 and make it part of their official security controls. After that is completed, AS will have to ensure that network administrators are adhering to this requirement by putting in the hours to review the firewalls and their rule sets. To compound things, this policy does not just apply to the new firewall that is being placed between CD and the Internet, but rather it will apply to all firewalls and routers that AS has in use. This could potential be cumbersome for network administrators to find the time to take on this project. AS will need to determine if they should hire additional network administrators, in particular ones that are familiar with PCI DSS requirements. Lastly, if AS determines that they are an entity involved in payment card processing, then they would need to implement and comply with all PCI DSS rule requirements. Complying with all the requirements could be a massive undertaking and is beyond the scope of this assessment. The trade-off between the increased network security vs. the business requirements of this policy implementation is worth it. The new security policy would be in compliance with a recognized and enforced standard of security and would provide AS and their customers with a tremendous level of confidence. The initial cost of implementation could be high when it comes to work hours involved or even the hiring of new employees to assist with the implementation and maintenance. The trade-off for AS is worth it considering the alternative of potentially suffering a data breach or intrusion and losing customer information or valuable work product.

References
Scarfone K., Hoffman P., (2009) Guidelines on Firewalls and Firewall Policy. Special
Publication 800-41, Revision 1, National Institute of Standards and Technology (NIST), U.S Department of Commerce.
Wilshusen, G., (2013) CYBERSECURITY – A Better Defined and Implemented National
Strategy Is Needed to Address Persistent Challenges. United States Government Accountability Office (GAO).
Hill, K., (2013) The Terrifying Search Engine That Finds Internet-Connect Cameras, Traffic
Lights, Medical Devices, and Power Plants. Forbes/Tech. Retrieved January 18, 2016 from, http://www.forbes.com/sites/kashmirhill/2013/09/04/shodan-terrifying-search-engine/#2715e4857a0b1bb07ae174c0
Requirements and Security Assessment Procedures Version 3.0, Payment Card Industry (PCI)
Data Security Standard by PCI Security Standards Counsel. (2013, November). Retrieved February 19, 2016 from https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf
A Guide to Choosing a Next-Generation Firewall by Sean Wilkins. (2014, December 23). Retrieved February 19, 2016, from http://www.tomsitpro.com/articles/next-generation- firewall-vendors,2-847.html
Check Point 13000 Appliances by Check Point Software Technologies LTD. (2016, February).
Retrieved February 19, 2016 from https://www.checkpoint.com/products/13000-appliances/