Running head: SECURITY ASSESSMENT AND RECOMMENDATIONS

Security Assessment and Recommendations for Quality Web Design
Mike Mateja
October 9, 2011
Submitted to:
Dean Farwood
SE571 Principles of Information Security and Privacy
Keller Graduate School of Management

1


Table of Contents
Executive Summary ............................................................................................ 3
Company Overview............................................................................................. 4
Security Vulnerabilities ....................................................................................... 4
Hardware Vulnerability: Unrestrained Components .................................................................. 4
Software Vulnerability: Unsecure Wireless Access Points .......................................................... 6

Recommended Security Solutions ....................................................................... 7
Hardware Solution: Physical Restraints ...................................................................................... 7
Impact: Hardware Solution ..................................................................................................... 8
Budget: Hardware Solution ..................................................................................................... 9
Software Solution: Configuring the Wireless access points for security ................................... 10
Impact: Software Solution..................................................................................................... 11
Budget: Software Solution .................................................................................................... 11

Summary .......................................................................................................... 12
References ........................................................................................................ 13


Executive Summary
Quality Web Design (QWD) is an enterprise company that can provide a website for any business. This paper is the first of two phases of my SE571 Principles of Information Security and Privacy course project, which will identify and explain vulnerabilities found at Quality Web Design. First, this report will discuss the hardware vulnerability of an unrestrained component. Second, it will discuss the software vulnerability of an unsecured wireless access point. This report will conclude with recommended solutions for each vulnerability. Included in the recommendation will be an estimated budget and implementation plan, as well as a discussion of the impact each solution will have on the business processes.


Company Overview
Quality Web Design (QWD) is a web design company that focuses on a high quality and innovative product to immerse the user in an intuitive interface and give the content of any business a graphical high five. Serving customers around the globe, Quality Web Design is culturally aware of its audiences’ digital expectations. QWD sets itself apart from other web designers by using every client as an opportunity to research and develop new technology to add to its repository.

Security Vulnerabilities
Hardware Vulnerability: Unrestrained Components
Any unrestrained component is a hardware vulnerability to Quality Web Design. All of the hardware that makes up Quality Web Design’s physical network, workstations and servers needs to be physically restrained. The computer components located at both QWD’s corporate and remote offices are quite expensive. A quick search online proves that these types of computer components can be sold used online at a great profit. One item, for example, the firewall located in the corporate office, is priced at $25,333. This Juniper ISG200 firewall also only weighs 52 pounds (Amazon, 2011). This makes the firewall an expensive and light piece of hardware that a thief could easily walk off with. The ease of removal and the great value of the firewall provide motivation to be concerned about the physical theft of our computer components. Our servers, desktops and laptops may not be as expensive to replace, but they contain a great deal of digital value. Also, they are light enough to be physically removed by an employee without the help of a hand truck. This is a threat that luckily has not yet been exploited against QWD.


The likelihood that the threat of theft will occur is very high. Kensington Computer Group reports that “91% of U.S. organizations surveyed have experienced a laptop theft” (Kensington Computer Group, 2011, para. 3). Just about half of these thefts occur in the office (Kensington Computer Group, 2011). This is mainly due to the highly competitive market, the large number of telecommuters and QWD’s decentralized control. In the highly competitive market of web design, the edge that QWD has due to its proprietary images and custom templates could motivate competitors to steal this information. QWD needs to be as prepared for a physical attack as its firewall is for a digital attack. The telecommuting culture of QWD could also provide an opportunity for physical theft. Several employees working a variety of different schedules could allow for an opportunistic attack when the corporate and remote offices are empty. Finally, the organizational culture of most technology companies has directed corporate officers to choose a decentralized control style of management. Decentralized management control gives more decision power to employees. I think the adoption of diverse management techniques could lead to a less interrogative culture. This means that a resourceful thief could successfully use social engineering techniques to get away with his crime without being questioned.
The consequences to QWD’s mission critical business processes should theft of physical hardware occur would depend upon the technology lost. The theft of a desktop or laptop workstation would result in a nominal replacement cost and downtime for a QWD employee. However, the theft of any one server could cost the company a great deal of time, money and business. The organization’s competitive edge would be dependent upon the theft as well. A component can be replaced, but the data lost from within the component could greatly dull QWD’s competitive edge.

Software Vulnerability: Unsecure Wireless Access Points
An unsecured wireless access point is a software vulnerability to QWD. An unsecured wireless access point can allow unauthorized access to QWD’s corporate and remote networks.
An unsecured access point means that anyone can connect to the company’s network without authorization. This connection would enable an unauthorized user to access our internet connection. Multiple “hitchhikers” on our network can lead to a loss of bandwidth and the denial of service to QWD employees. Even more serious, an unauthorized user with access to our network would have access to our data. A malicious unauthorized user could even cause the loss or manipulation of data. An unsecured wireless access point also threatens our data’s confidentiality due to a lack of encryption. A lack of data encryption on a wireless access point means that data retrieved or sent over this connection is in plaintext. Plaintext can be read by anyone who is on the network.
The likelihood that the threat of unauthorized access will occur is very high, considering the number of web enabled portable Wi-Fi devices currently available on the market. In an article by Narain, she states that “by 2014, there will be an installed base of 2.6 billion Wi-Fi enabled consumer devices across the globe” (Narain, 2010, para. 1). For example, smart phones, tablet PCs, laptops and MP3 players can all connect to and actively search for wireless access points. This leads me to believe that there is a good chance that the general public or neighboring businesses around QWD’s corporate and remote offices would inadvertently connect to the QWD private network.


One consequence to mission critical business processes should a non-user gain unauthorized access to the QWD network would be a slowdown in performance and production time due to a loss of bandwidth. Another consequence would be the possible unavailability of network assets, such as access to the data repository or the ability to process timesheets, due to the increased network traffic. QWD’s competitive edge will be strongly affected should unauthorized access to the QWD network occur. The increased network traffic causing a lull in production could cost QWD business in their competitive market. In addition, if this vulnerability were to be exploited maliciously, with the injection of a virus, the threat of unauthorized access to the QWD network could end up becoming the cause of leaked or manipulated data.

Recommended Security Solutions
Hardware Solution: Physical Restraints
In order to block the threat of physical theft of our computer components, it is necessary to restrain them to our brick and mortar location. “Only 3% of lost or stolen laptops are recovered” (Kensington, 2011). The controls recommended to alleviate this threat are Kensington locking kits. Kensington Development Group provides various locking kits to secure desktop computers, network components and laptops to their environment, reducing the ease of removing small items from their location. A locking kit contains a steel cable, lock and fasteners which will lock the computer component into place. Figure 1 shows an installed locking kit.

Figure 1 Rear view of installed desktop and peripherals locking kit. (Kensington Development Group, 2011)

Each desktop and network component will be fastened to its surrounding environment with one Desktop and Peripherals Locking Kit. Each kit can accommodate locking down a CPU, monitor, keyboard and mouse. The locks for these kits can be ordered to be keyed alike. Two separate orders will need to be placed so that the corporate office’s key is different from the remote office’s key.
Laptops will be fastened in a similar fashion but with different hardware. A Portable Combination Laptop Lock will be used to restrain all of QWD’s laptops. This steel cable restraint has a combination lock that is fastened to the laptop’s K-slot. This type of lock is portable because it can be fastened and unfastened quickly (Kensington, 2011).

Figure 2 Portable combination laptop lock in use. (Kensington, 2011)

Figure 2 shows an installed laptop lock.

Impact: Hardware Solution
The daily business processes should not change due to the hardware restraint solution. The desktop computers will be located in the same positions and will function as they did before the restraint installation. A potential positive effect on the business processes is that QWD can be assured the computer components will remain accounted for. The IT department will definitely be affected by this solution. After IT installs the locks, the time it takes to service each component will be longer due to the added security of the lock. The users, however, will be impacted by the decision to use the portable combination laptop locks. This type of lock is designed to be portable, but it will require the user to actually use it for it to retain its effectiveness. An employee could be tempted not to use the lock in order to save time. One method to counter an employee’s decision not to use the lock is to educate them that fastening the computer takes just a few minutes, compared with all of the potential physical and data losses that could occur from the theft of a laptop.

Budget: Hardware Solution
The Kensington computer restraint devices will directly address the threat of theft by ensuring that our hardware cannot be easily removed from our offices. Anchoring QWD’s light and costly items to heavier office equipment like desks and cabinets will deter an opportunistic thief. Figure 3 lists the products and prices of all the physical restraints for the corporate office.

Cost for Physical Security in the Corporate Office

Quantity  Product                              Model #    Feature                                             Cost     Extended Cost
15        Desktop and Peripherals Locking Kit  K64665US   Physical restraints for all desktops and monitors   $34.99   $524.85
35        Portable Combination Laptop Lock     K64670US   Portable physical restraint for all laptops         $24.99   $874.65
21        Desktop and Peripherals Locking Kit  K64665US   Physical restraints for all network components      $34.99   $734.79
                                                                                                              Total    $2,134.29

Figure 3 Cost breakdown for corporate office computer restraints. (Kensington, 2011)

Figure 4 lists the products and prices of all the physical restraints for one remote office. For both instances, installation can be done in-house by our IT team. Installation of the locking kits requires no extra tools and can be done while the system is running. The implementation of the locking kits will take two weeks. During the first week, the network components will be done, along with the securing of the desktops. The second week will deal with a training program that will inform all of QWD’s employees of the dangers of leaving their laptop unsecured, as well as instructions on how to use the laptop restraint and how to select a proper combination lock number.

Cost for Physical Security in the Remote Office

Quantity  Product                              Model #    Feature                                             Cost     Extended Cost
5         Desktop and Peripherals Locking Kit  K64665US   Physical restraints for all desktops and monitors   $34.99   $174.95
15        Portable Combination Laptop Lock     K64670US   Portable physical restraint for all laptops         $24.99   $374.85
11        Desktop and Peripherals Locking Kit  K64665US   Physical restraints for all network components      $34.99   $384.89
                                                                                                              Total    $934.69

Figure 4 Cost breakdown for remote office computer restraints. (Kensington, 2011)

Software Solution: Configuring the Wireless access points for security
The recommended method to best secure QWD’s wireless access points is to ensure they are configured for security. There are three parts to the recommended configuration. Access to the wireless network should be limited to only company owned devices. This can be enforced with static IP filtering and MAC address filtering. It is also recommended to encrypt communication that takes place over this network. Configuring the QWD network using WPA with PEAP-MS-CHAPv2 is one of the “most effective secure implementation supported by current versions of Windows–based clients” (Microsoft, 2011). Using a static IP address filter and MAC address filtering reduces the number of devices that can connect to the network. When a device attempts to connect, the firewall verifies that the requesting IP and MAC address match a list of authorized users. Using the WPA with PEAP-MS-CHAPv2 protocol ensures that communication on the wireless network is encrypted. This prevents someone from sniffing the signal and gleaning passwords and data. Static IP filtering, MAC address filtering and the WPA protocols are already features of QWD’s HP E-MSM410 Access Point (Hewlett-Packard Development Company, 2011). This means that they only need to be configured.

Impact: Software Solution
One positive impact that configuring the wireless network for static IP filtering, MAC address filtering and the WPA protocols will have on QWD’s business processes is an increased level of control over QWD’s proprietary data. QWD’s network can potentially run more efficiently by removing unauthorized traffic. Any employee who used their personal computing devices to do their work will feel a negative impact from these software configuration changes, which would restrict any personal device from being used. A second impact will be felt by the employees of QWD while the changes take place. The IT department will need to acquire the MAC address from each device and disrupt its wireless connection. This might inconvenience the users, but only for a short period of time.

Budget: Software Solution
Since QWD already has all of the necessary equipment for a wireless network, no additional material costs will be incurred. The IT department can make all of the recommended changes after they have a complete list of MAC addresses and have assigned static IPs to all wireless components. Implementation should take three weeks. Planning will take place during the first week. The IT team needs to decide on the range of IP addresses to use. During week two, MAC addresses from the wireless devices will need to be obtained, logged and listed for comparison when a device attempts to connect. The third week will consist of adding the WPA encryption protocols. Since each location has two access points, one will be configured at a time. This will allow users to still access the network in the unsecured way and not disrupt mission critical business processes during the transition. The IT team will need to ensure that all users can connect to the configured access point before transitioning over. After the configurations have been made and users have transitioned over to the new connection, they will not notice a difference. They will log in and access the network seamlessly as they have done before, so there are no additional training or maintenance issues to discuss.
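The allow-list check described in the software solution (the access point comparing a connecting device's MAC and IP address against the list of authorized, company owned devices) and the inventory the IT team builds during the planning weeks can be expressed as a small audit script. The following is an added example written for this report; it is not code from the paper, from Kensington, HP or Microsoft, and the HP E-MSM410 has its own configuration interface that is not shown here. The device names, MAC addresses, static IPs and the log-line format are all constructed for illustration. Run over sample association log lines, the script shows IT which entries need attention: an unknown device, or a known device presenting an IP other than the static one assigned to it. As the paper notes, this filtering limits which devices are admitted; the encryption of the traffic itself comes from the separate WPA with PEAP-MS-CHAPv2 configuration.

```python
"""
Added example (not from the original paper): a static IP plus MAC address
allow-list check, modelled on the paper's description of the access point
verifying a connecting device's MAC and IP against a list of authorized
company-owned devices. All names, addresses and the log format are constructed.
"""
import re
from dataclasses import dataclass

# Constructed inventory the IT team would compile during the planning weeks:
# MAC address -> (device name, static IP assigned to that device).
AUTHORIZED_DEVICES = {
    "00:1a:2b:3c:4d:01": ("qwd-laptop-01", "10.10.20.11"),
    "00:1a:2b:3c:4d:02": ("qwd-laptop-02", "10.10.20.12"),
    "00:1a:2b:3c:4d:03": ("qwd-desktop-07", "10.10.20.13"),
}

# Constructed association log line (hypothetical format, not the MSM410's):
#   <timestamp> assoc mac=<mac> ip=<ip>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) assoc mac=(?P<mac>[0-9a-f:]{17}) ip=(?P<ip>\d+\.\d+\.\d+\.\d+)$"
)


@dataclass
class Decision:
    mac: str
    ip: str
    allowed: bool
    reason: str


def normalize_mac(mac: str) -> str:
    """Accept 00-1A-2B-3C-4D-01 or 00:1a:2b:3c:4d:01 and return lower-case colon form,
    so the inventory lookup does not depend on how a device reports its address."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def check_client(mac: str, ip: str) -> Decision:
    """Allow only a device whose MAC is in the inventory AND whose IP is the
    static IP assigned to that MAC; everything else is denied with a reason."""
    mac = normalize_mac(mac)
    entry = AUTHORIZED_DEVICES.get(mac)
    if entry is None:
        return Decision(mac, ip, False, "MAC not in authorized device list")
    name, expected_ip = entry
    if ip != expected_ip:
        return Decision(
            mac, ip, False,
            f"{name}: IP {ip} does not match assigned static IP {expected_ip}",
        )
    return Decision(mac, ip, True, f"{name}: MAC and static IP match")


def audit_log(lines):
    """Run the allow-list check over association log lines; lines that do not
    match the expected format are skipped. Returns one Decision per match."""
    decisions = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        decisions.append(check_client(m["mac"], m["ip"]))
    return decisions


# Constructed sample log: one good association, one known device on the wrong
# IP, and one device that is not in the inventory at all.
SAMPLE_LOG = """\
2011-10-09T08:01:10 assoc mac=00:1a:2b:3c:4d:01 ip=10.10.20.11
2011-10-09T08:02:33 assoc mac=00:1a:2b:3c:4d:02 ip=10.10.20.99
2011-10-09T08:05:41 assoc mac=0c:ee:ff:00:11:22 ip=10.10.20.50
"""

if __name__ == "__main__":
    for d in audit_log(SAMPLE_LOG.splitlines()):
        print("ALLOW" if d.allowed else "DENY ", d.mac, d.ip, "-", d.reason)
```

Binding each MAC to its assigned static IP, rather than keeping two independent lists, means the check also catches a known device that has drifted off its assigned address, which is the sort of mismatch the IT team would want to resolve before the second access point at each site is cut over.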

Summary
My SE571 Principles of Information Security and Privacy course project has identified the hardware vulnerability of an unrestrained component and the software vulnerability of an unsecured wireless access point for Quality Web Design. I have also explained the assets associated with each of the vulnerabilities as well as provided documented proof of the threats and likelihood that they would occur. This report also defines solutions for both vulnerabilities.
The solutions have been explained in terms of an expected cost, implementation and impact on mission critical business processes and how QWD’s competitive edge would be affected if each threat occurred.


References
Amazon.com. (2011). Netscreen-isg 2000 Chassis Adv Fan Module Dual Ac Ps. Retrieved from http://www.amazon.com/Netscreen-isg-2000-Chassis-ModuleDual/dp/B000CQM5IM/ref=sr_1_fkmr1_1?s=electronics&ie=UTF8&qid=1318115903&sr=1-1-fkmr1
Hewlett-Packard Development Company. (2011). HP E-MSM410 Access Point (US). Retrieved from http://h30094.www3.hp.com/product/sku/10256669/mfg_partno/J9426B
Kensington Computer Group. (2011). Security Solutions for Enterprise. Retrieved from http://www.kensington.com/kensington/us/us/s/1646/increase-employeecompliance.aspx
Microsoft. (2011). Secure Wireless Access Point Configuration. Retrieved from http://technet.microsoft.com/en-us/library/cc875845.aspx
Narain, D. (2010). Mobile Unified Communications Featured Article. Retrieved from http://www.tmcnet.com/channels/mobile-unified-communications/articles/95727global-wifi-enabled-consumer-device-market-touch-26.htm
