Security Overview (Aircraft Solutions)
Introduction
The following report concerns a security assessment of Aircraft Solutions (AS), a
well-respected equipment and component fabrication company, providing full-spectrum
design and implementation solutions to multiple industries, including the electronics,
aerospace, commercial, and defense sectors. Aircraft Solutions employs a range of highly
qualified professionals and houses an immense production plant, with an overall goal of
providing high-quality solutions to accommodate specifications from a wide range of
customer demands. My primary objective in this assessment is to identify the existence of
vulnerabilities present within the global context of AS operations. To accompany the
exposed weaknesses, an evaluation of the associated threats will be deduced, followed by
an analysis of the degree of risk present. Lastly, consideration of the consequences
resulting from the unfolding of potential threats will be given due attention.
Assessment
Of the three given areas of potential investigation pertaining to AS, i.e. hardware,
software, and policy, careful consideration has narrowed my focus down to the areas of
hardware and policy. More specifically, in the area of hardware, I find it very curious that
there is no firewall implemented between the commercial division and the Internet. The
Defense Department must be routed through Headquarters, but the Commercial
department is connected straight to the Internet. This is a significant vulnerability. The
second weakness I have pinpointed is the security policy stating router and firewall rule-
sets should be evaluated every two years. Such a time span between rule-set evaluations
is also a substantial liability to the continued and unimpeded success of the organization.
Further elaboration of the identified security vulnerabilities is presented below.
Hardware Vulnerabilities
The issue pertaining to Aircraft Solutions’ hardware weakness is the lack
of adequate protection implemented between its Commercial Division (CD) and the rest of the
world, connected to the Internet. In one view of AS’s network infrastructure, it even
appears as though the CD must transmit through the Internet in order to connect to
Headquarters. The fact remains in either case that there is a significant increase in the
exposure of this division of AS operations to outside threat. The threat here is characterized by the
inability of the CD to filter web traffic, which is effectively equivalent to inviting the
world in to see everything there is to see (Northrop, T. 2010). In this case, this might
include AS’s commercial clients’ confidential information, classified divisional statistics
pertaining to budgets, deadlines, or contracts, confidential employee information, etc.
The vulnerability is the absence of a firewall. The threat is an open exposure to
the uncertainties of the Internet, to any number of automated or personalized attacks or
attempts to exploit company vital statistics and/or confidential or classified data. To help
illustrate the risks of such a threat occurring, I’ll utilize the typical Risk Matrix, which is
commonly used by a number of companies and organizations, including the military.
This matrix was borrowed from the Scottish Government’s Risk Management website.
Because the possible consequences of the threat of company infiltration by
malicious parties could result in not only a devastating company-wide data leak but also
the potential of client data exploitation, modification, or even blackmail, the potential
consequences would be marked ‘Extreme’. Because the likelihood is not only possible,
but quite feasible between likely and certain (optimistically), this brings the level of risk
to a near state of emergency, being characterized in the chart either by orange or red.
Of the associated likely consequences of a worst-case scenario, where all of the
company’s data were hijacked, the severity of the event would be factored by all of the
clients’ data being exposed, which could lead to possible tampering with client
orders, which would then naturally lead to devastation for the clients as well. The
information could be sold to a rival organization, which could then effectively use it to
gain considerable competitive advantage over AS, which would likely be cause for
continued suffering, until such a time as either a tremendous amount of monetary assets and
reputation were lost, or worse yet, the data could be exploited in such a way as to be
manipulated for years undetected, leading to countless losses on all fronts.
Policy Vulnerability
The vulnerability in company policy exists in its security directive stating rule-
sets for routers and firewalls be evaluated at intervals of two years. Obviously, a lot can
happen in two years to warrant a much more frequent evaluation timeline. There are
many vendors who specialize in constant rule-set monitoring, like RedSeal.net, which
prevent the exploitation of vulnerabilities caused by outdated security configurations.
I was unable to find a definitive and quantitative rule for exactly how frequently the
evaluation of rule-sets should be conducted, but in consideration of the natural
contractions a company undergoes in response to sales fluctuations and the economy,
expansion, or any number of factors bearing influence upon the organization, certain
measurable changes within the company’s infrastructure should be expected,
and so too should changes to the rule-sets for router and firewall security configurations. Leaving
rule-sets stagnant for two years presents the risk of improperly configured security
configurations for firewalls and routers due to the natural evolution of the company’s
assets and network infrastructure. As a result, the potential exists for malicious
programming initiated by hackers to exploit these outdated rule-sets, which could lead to
disaster.
Outdated rule-sets, with a little imagination, could be likened to a bank that
accumulated too much money to keep in its vault, and as a result, decided to store it in
the lobby instead. Perhaps not as blatantly drastic, but outdated rule-sets would
potentially dictate the wrong rules at the wrong time for the wrong reason. The likelihood
of this vulnerability being exploited by hackers isn’t at first glance as high as the risk
present in the last example, because there isn’t any way to know how much the company
would change in two years. Feasibly, if there were no changes, then two years may
suffice, but if one thing has been consistent throughout the ages, it is change. If indeed
significant change within two years can be assumed, then the vulnerability grows with
time, as does the company’s exposure to threat, and the chances of such vulnerabilities
being exploited would logically agree with a ‘possible-to-likely’ rating on the risk matrix.
The consequences of these potential vulnerabilities being exploited could be numerous
and severe, or they could amount to a disgruntled ex-employee causing harm through
unexpired access rights. In the worst-case scenario, an intelligent IT employee alerts a group
of malicious persons to the weakness, and they then wait for the opportune time, when
the most damage to the company, and/or benefit to the hacker, might be caused. This
could amount to forced resignations, lost contracts, lawsuits, lost monetary assets, damaged public
image, and a shrunken client base; in short, disaster.
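The drift described in this section can be checked mechanically. The following is an added example, not part of the original report: it audits a rule-set against the current network inventory and a review interval. The rule format, subnets, dates and the 180-day interval are constructed assumptions, not AS's actual configuration or policy.

```python
from datetime import date
from ipaddress import ip_network

# Constructed inventory of subnets currently in service (hypothetical values).
INVENTORY = [ip_network("10.10.0.0/16"),   # headquarters
             ip_network("10.20.0.0/16")]   # commercial division

# Constructed rule-set in a hypothetical format; port None means "any port".
RULES = [
    {"id": 1, "src": "10.20.0.0/16", "dst": "10.10.5.0/24", "port": 443,
     "reviewed": date(2010, 9, 1)},
    {"id": 2, "src": "192.168.50.0/24", "dst": "10.10.5.10/32", "port": 22,
     "reviewed": date(2008, 11, 1)},   # source subnet no longer in inventory
    {"id": 3, "src": "0.0.0.0/0", "dst": "10.20.0.0/16", "port": None,
     "reviewed": date(2009, 1, 15)},   # unfiltered Internet-to-division path
]

ANY = ip_network("0.0.0.0/0")

def in_inventory(net, inventory):
    """True if the network lies inside a subnet that is still in service."""
    return any(net.subnet_of(known) for known in inventory)

def audit_rules(rules, inventory, today, max_age_days):
    """Return {rule id: [issues]} for rules that are stale or too permissive."""
    findings = {}
    for rule in rules:
        src, dst = ip_network(rule["src"]), ip_network(rule["dst"])
        issues = []
        if (today - rule["reviewed"]).days > max_age_days:
            issues.append("review-overdue")
        if src == ANY and rule["port"] is None:
            issues.append("unfiltered-inbound")
        elif src != ANY and not in_inventory(src, inventory):
            issues.append("source-not-in-inventory")
        if not in_inventory(dst, inventory):
            issues.append("destination-not-in-inventory")
        if issues:
            findings[rule["id"]] = issues
    return findings

if __name__ == "__main__":
    # 180 days is an assumed review interval chosen for illustration.
    report = audit_rules(RULES, INVENTORY, date(2010, 11, 14), 180)
    for rule_id, issues in report.items():
        print(rule_id, ", ".join(issues))
```

Run with a 730-day interval instead, rule 3 is no longer reported as overdue for review, although it still allows unfiltered inbound traffic.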
References
Northrop, T. (2010). Firewalls. Microsoft/Technet. Retrieved Nov 14th 2010 from
http://technet.microsoft.com/enus/library/cc700820.aspx#XSLTsection12312112020
The Scottish Government: Model for Organizational Risk Management. Risk Matrix.
Retrieved November 14th, 2010 from
http://www.bing.com/images/search?q=risk+assessment+matrix&FORM=IGRE&qpvt=risk+assessment+matrix#focal=5de8da492dccb1ee1ee75004bd8e9c0f&furl=http%3A%2F%2Fwww.scotland.gov.uk%2FResource%2FImg%2F247049%2F0072144.gif
RedSeal.net. Security Assurance/Cyber Defense Consultants. Retrieved Nov 14th 2010 from
http://www.redseal.net/solutions/