
Security Risk Assessment for Quality Web Design

Ting Yin

Submitted to: Jude Lamour

SE571 Principles of Information Security and Privacy

Keller Graduate School of Management

Submitted: November 16, 2014


Table of Contents

Executive Summary
Company Overview
Security Vulnerabilities
Threats
Risk Assessment
The Consequence
The Effects on the Company Competitive Advantages
The Definition of Solution
Justification
Impact on Business Processes
Reference


Executive Summary

The Dell SonicWALL Firewall TCO tool recommends that QWD use the Dell NSA 250M and NSA 6600 and replace its current IPsec VPN. The NSA 250M and NSA 6600 appliances come with a wide range and heightened level of security protection services, along with additional security protection hardware and software bundles. Based on a reputable technology survey, the NSA 250M and NSA 6600 are rated 5 out of 5 (NSA Review). The NSA 6600 system should be located near QWD office headquarters, and the NSA 250M should be located near the QWD remote office. Both NSA systems have the right tools to protect QWD from intrusion, denial of service, and SQL attacks. In addition to security protection, the NSA systems offer mobile service so that workers, business partners, customers, clients, and QWD affiliates can collaborate online on QWD-related projects. This remote access and connectivity can further improve QWD's business processes and even increase revenue.

Company Overview

Quality Web Design (QWD) is a web design and development company that designs and creates client-side web applications for different industries. The web applications that QWD makes help its clients market their information as web content to the outside world. QWD is a basic Microsoft (MS) shop that uses Visual Studio (VS) Team Foundation to support its image repository. For quality analysis and site development, QWD uses VS. QWD also uses MS SQL Server and MS Exchange (SEC 517).

Two Security Vulnerabilities

In this paper, I will discuss three security vulnerabilities: one is associated with hardware, and the second is associated with software. The first vulnerability is found within the network infrastructure (hardware). The second vulnerability is associated with SQL injection attacks against the client’s web page (SEC 517).

Threats Against VPN or Server

This section discusses two threats against a VPN: 1) intrusion and 2) denial of service. Intrusion is a threat in which an unauthorized outsider gains access to, and control over, parts of the VPN. The affected parts could be internal computers, servers, network elements, and other network components. To reach internal information or equipment, the intruder first injects code for traffic control into the VPN. In the simplest case, an intrusion with unauthorized internal control consists of sending a single IP packet to a destination in the VPN (Threat Against).

Terminals, phones, and other mobile devices that are left open and neglected are one of the primary reasons that unauthorized individuals can gain access to QWD's internal resources. “VPNs will likely continue to be the weakest link in an organization’s security infrastructure for some time to come” (VPNs Virtual). Any organization is only as secure as its weakest link or connection. VPNs provide a false sense of security due to “poor implementation and maintenance.” The VPN can perhaps be considered one of the weakest links in QWD (The Myth).

Denial of service (DoS) is another outside threat against the VPN. Unlike the intrusion discussed above, DoS prevents others from accessing the web. To carry out a DoS attack, the hacker first needs to be able to inject packets into the trusted zone of the VPN. A DoS attack can also interfere with the VPN user indirectly: when a PE router is affected by a DoS attack, this can negatively affect the VPNs connected to that PE (Threat Against).


The third threat is the potential insertion, or injection, of SQL code into a client’s web application. SQL injection is one of the most prevalent and destructive system attacks. The Open Web Application Security Project (OWASP) identifies SQL injection as the number one threat. Injecting extraneous code into text boxes can potentially debilitate the entire database. SQL injection can be used to perform several types of attacks: it can allow a hacker to log on illegally to the internal application, gain the privilege to manipulate the data stored in the database, and disclose confidential information (SQL Injection).
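
The illegal logon described above, as an added example that is not part of the original paper: a login query built by pasting text box input into the SQL string, beside its parameterized form. Python's sqlite3 stands in for QWD's MS SQL Server, and the table, accounts, and function names are constructed for illustration.

```python
import hashlib
import sqlite3


def hash_password(password):
    # Unsalted SHA-256 keeps the example short; a real application would
    # store passwords with a salted, slow password-hashing function.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_db():
    """Build an in-memory database with two constructed sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO users (username, pw_hash) VALUES (?, ?)",
        [
            ("alice", hash_password("correct horse")),
            ("o'brien", hash_password("pass-2")),
        ],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Weak form: text box values are pasted straight into the SQL text."""
    query = (
        "SELECT username FROM users "
        "WHERE username = '" + username + "' "
        "AND pw_hash = '" + hash_password(password) + "'"
    )
    try:
        return conn.execute(query).fetchone() is not None
    except sqlite3.Error:
        # A quote in the input can also simply break the statement.
        return False


def login_parameterized(conn, username, password):
    """Hardened form: values are bound as parameters, never parsed as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND pw_hash = ?",
        (username, hash_password(password)),
    ).fetchone()
    return row is not None


def demo():
    """Run the same inputs through both forms and collect the outcomes."""
    conn = make_db()
    # Constructed input: the quote closes the string literal and "--"
    # comments out the password check that follows it.
    crafted = "alice' --"
    cases = [
        ("valid login", "alice", "correct horse"),
        ("crafted name, wrong password", crafted, "wrong"),
        ("legitimate name containing a quote", "o'brien", "pass-2"),
    ]
    results = {}
    for label, user, pw in cases:
        results[label] = {
            "vulnerable": login_vulnerable(conn, user, pw),
            "parameterized": login_parameterized(conn, user, pw),
        }
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

The concatenated query accepts the crafted name without the password and rejects a legitimate user whose name contains a quote; the parameterized query gets both cases right.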

Risk Assessment

In 2006, the U.K. Department of Trade and Industry (DTI) released the results of a survey of businesses regarding security incidents. Of the organizations surveyed, intrusion was constant at 17 percent over the survey period, and failure of equipment was up to 29 percent (Pfleeger, 256). In an official study, 87 percent of businesses surveyed were found to have suffered service degradation, up to a full outage, from a DDoS attack in 2013 (XAND LAUNCHES). SQL injection was found to be one of the six most commonly reported threats for Web applications. SQL injection, together with the other top five threats, accounted for 40 percent of threats found in 2012 (HP 2012).

Level of Risk and Its Influence on QWD Operation

| Threat | Level of Risk |
| --- | --- |
| Denial of Service | 4 |
| Intrusion | 3 |
| SQL Injection | 3 |

4 - Critical: QWD business will not be operational when it encounters the type of threat listed.

3 - Medium-Critical: QWD business can still somewhat manage its operations, but it has to do so under the interference caused by the threats.

The Consequence

A security breach through the VPN can lead to the theft of QWD proprietary or confidential information, the loss of client information, the exploitation or manipulation of confidential information, web page content modification, and so on. The authentication method used by IPsec can weaken the authentication process and can be unmanageable for QWD when deploying web services for multiple client organizations. Beyond the expense and complexity associated with IPsec deployment, IPsec VPN selectors are insufficient to meet the authorization policies that QWD must have in today's highly regulated environment (The Myth).

To compensate for the weaker authentication of the IPsec VPN, QWD has to create relatively more complicated constituency-oriented policies to limit user access. IPsec VPN remote access needs VPN client software and policy configuration on the end devices. Given the additional support and resources this requires, QWD simply cannot deliver cost-effective secure remote access to all users from all devices. When a client is connected using IPsec, every resource inside the protected network is potentially available to the user, and therefore vulnerable to misuse and attack from that client for the entire connection (The Myth).

DDoS attacks can cause costly and destructive downtime for the client’s hosted applications and resources. During the downtime caused by a DDoS attack, users of the websites developed and designed by QWD would not be able to access the websites or the services that the clients offer through the web pages. In the meantime, QWD and its clients cannot communicate with the users and the clients’ customers because the websites are malfunctioning (The Myth). The Ponemon Institute “estimates that the average cost of one minute of downtime due to a DDoS attack is $22,000. The average attack lasts at least an hour, inflicting devastating and expensive downtime on business operations” (Xand Launches).

Through SQL injection, hackers can obtain unauthorized access to the MS SQL 2008 database (DB) server or the DB located in the corporate office. They can create, review, insert, alter, or remove QWD images or confidential information stored in the QWD back-end database. Through SQL injection and manipulation, hackers can potentially lock or delete tables stored in the DB on the QWD servers. This malicious manipulation of data can cause denial of service to authorized users and can grant, without authorization, remote command execution that is normally reserved for administrators (SQL Injection).

The Effects on the Company's Competitive Advantages

More of QWD's customers may go to its competitors for similar services because of decreased trust in the security and service provided by QWD. An outage can cause an increase in the volume of customer inquiries about the outage, which can result in a loss of revenue. Security fears can drive a decline in stock prices and investor confidence. A compromised IT system at QWD can also be susceptible to multiple further attacks within a relatively short period of time (DDoS).

A breach of confidential information (QWD corporate confidential information, employee private information, and client private information) can potentially give rise to lawsuits not only against QWD itself but also against its employees. If hackers are able to intrude into a system developed by software developers or engineers, those computer professionals are liable to lawsuits (Five Ways).


Justification for Using Dell Sonic NSA 220 M and NSA 6600

The Dell SonicWALL Firewall TCO comparison and analysis tool takes QWD's current firewall requirements into consideration. Based on the client's system requirements and configuration, the Dell TCO tool makes a product recommendation that can improve the condition of the QWD system, and it then compares the selected Dell SonicWALL products and services with a similar Cisco solution. The solution suggested by the TCO tool for the QWD system is the Dell SonicWALL NSA 6600 and NSA 250 (Dell).

The total TCO savings over 3 years of Dell SonicWALL NSA over Cisco ASA is $381,405. The percent difference in total cost of ownership (over 3 years) for Dell SonicWALL NSA over Cisco ASA is -88.4%. QWD can save at least 88.4% when it purchases the Dell product over the Cisco version. The percent difference in the projected number of labor FTEs for Dell SonicWALL over Cisco ASA is 74.4%. The staff-to-device support ratio (devices per 1 FTE) of Dell SonicWALL is 159.9%. Firewall TCO per user (NPV over 3 years) is 88.4% of Cisco ASA (Figure 1) (Dell).

Figure 1: Total Cost of Ownership Comparison

| Total Cost of Ownership (TCO) | Dell SonicWALL | Cisco | Difference | Percent Difference |
| --- | --- | --- | --- | --- |
| Appliance Hardware and Support | $41,321 | $144,956 | $103,635 | 71.5% |
| Additional Security Services | $7,664 | $282,512 | $274,848 | 97.3% |
| Implementation / Configuration / Training | $903 | $2,810 | $1,907 | 67.9% |
| Ongoing Operational (IT Labor) | $125 | $1,141 | $1,015 | 89.0% |
| Total TCO - Total Cost of Ownership (over 3 years) | $50,014 | $431,419 | $381,405 | 88.4% |

| Key Performance Indicators | Dell SonicWALL | Cisco | Difference | Percent Difference |
| --- | --- | --- | --- | --- |
| Projected Number of Labor FTEs | 0.0 | 0.1 | 0.0 | 74.4% |
| Staff to Device support ratio (Devices per 1 FTE) | 143.7 | 55.3 | 88.4 | 159.9% |
| Firewall TCO per user (NPV over 3 years) | $50 | $431 | $381 | 88.4% |

Dell SonicWALL NSA products include the Comprehensive Gateway Security Suite (CGSS), Simple Firewall, Gateway Anti-Virus/Anti-Spyware (GAV), Intrusion Prevention Service Bundle, Application Intelligence and Control, Content Filtering Service, Botnet Filter, Context Aware Security Support Level, IPSec VPN License, and SSL VPN license. The cost saving of Dell SonicWALL NSA over Cisco ASA is $157,247, and the TCO difference of Dell over Cisco is -92.6%. This means Dell SonicWALL’s security package costs 92.6% less than the Cisco version (Figure 2) (Dell).


Figure 2: Additional Security Services Appliances and Licensing Costs

| Additional Security Services Appliances and Licensing Costs | Dell SonicWALL | Cisco | Difference | Percent Difference |
| --- | --- | --- | --- | --- |
| Selected Deep Packet Inspection Services | $0 | $149,847 | $149,847 | 100.0% |
| Intrusion Prevention Service (IPS) Appliance (Dell-Not Req.) | $0 | $86,490 | $86,490 | 100.0% |
| Intrusion Prevention Service (IPS) Licensing (Dell-Included) (Cisco-Included) | $0 | $0 | $0 | 100.0% |
| Application Intelligence and Control (AIC) (Dell-Included) (Cisco-Included) | $0 | $0 | $0 | 100.0% |
| Content Filtering Service (CFS) (Dell-Included) (Cisco-Not Incl.) | $0 | $0 | $0 | 100.0% |
| Selected Client Services | $595 | $7,995 | $7,400 | 92.6% |
| √ IPSec VPN (Dell-Included) | $0 | $0 | $0 | 0.0% |
| √ SSL VPN | $595 | $7,995 | $7,400 | 92.6% |

Impact on Business Process

Dell SonicWALL technology integrates both SSL and IPsec VPN into its system. The SSL/IPsec VPN securely and conveniently extends corporate network access beyond managed desktops to different user services. Secure Remote Access, powered by the SonicWALL SSL/IPsec VPN edition, enables QWD to securely and seamlessly provide access to authorized company resources to a wide range of users, contractors, and business partners on a wide variety of mobile and fixed workstations (SNA 6600, SNA 220).

With inclusive support for unrestricted full-network access, as well as controlled access to select web-based applications and network resources, the SonicWALL VPN platform provides the flexibility needed by any VPN deployment in QWD. The VPN provides an effective and efficient combination of seamless controlled access, firewall, intrusion prevention inspection, and web threat prevention that empowers QWD mobile workers to be productive while protecting corporate assets and interests (SNA 6600, SNA 220).

Combining SSL and IPsec VPN technology in one platform can deliver a highly customizable, simple, and flexible one-box solution for VPN deployment environments and reduce the expense of deploying remote-access solutions (SNA 6600, SNA 220). Through client-based SSL or IPsec VPN, corporate-managed laptops can seamlessly and remotely access QWD corporate network resources. Through clientless SSL VPN, remote users such as QWD clients can gain access to web-based applications from their terminals. Business partners and other professional affiliates can access specific QWD resources and applications.

The NSA 6600 should be located in the corporate office. The NSA 6600 supports a wide range of deployment and application environments and delivers maximum value to QWD with the most comprehensive set of Secure Sockets Layer (SSL) and IP security (IPsec) VPN features, performance, and scalability (SNA 6600, SNA 220). The solution comprises a single unified platform, the NSA 6600 and the Secure Mobility Solution, which enables QWD to use a highly effective combination of seamless controlled access, firewall, intrusion prevention inspection, and web threat prevention. This enables QWD mobile workers, stationary workers, and clients to be productive while helping to improve corporate profit by increasing sales. With Dell's inclusive support for unrestricted full-network access, as well as controlled access to select web-based applications and network resources in QWD, the platform provides the flexibility required by any VPN deployment in QWD (Figure 3) (SNA 6600, SNA 220).

Figure 3: Dell NSA 6600 in Corporate Headquarter Office


Figure 2: Dell NSA 250 M in Remote Office


NSA 250M and NSA 6600 Expert Rating

| Category | Rating |
| --- | --- |
| Feature | 5/5 |
| Ease of Use | 5/5 |
| Performance | 5/5 |
| Documentation | 5/5 |
| Support | 5/5 |
| Value for Money | 5/5 |
| Overall Rating | 5/5 |

The wireless network capabilities offered by the NSA 250M and NSA 6600 can empower mobile workers, who can work anywhere while protected by the security services offered by the Dell technology. Based on the survey answered by users of the NSA system, it seems that all of these users are 100% satisfied with the system: they give it 5 out of 5 for overall rating (NSA Review). Allowing employees the option to work at home at certain times of the week can improve business results. Evidence shows that around two thirds of people want to work at home, and eighty percent of employees surveyed consider telework a perk. Approximately 6 out of 10 employers identify telecommuting as a cost-saving plan for the employer. IBM saves $50 million in real estate costs, and Nortel saves $100,000 per employee who works at home. Sun Microsystems saves $68 million a year from its teleworkers (Advantage).


Branding its business with Dell can potentially attract more customers to QWD. Once customers understand the heightened level of protection offered by Dell technology, they will be more willing to do more business with QWD or even recommend QWD to other customers. Quality Web Design can potentially experience fewer incidents of system malfunction and data breach resulting from intrusion, denial of service, SQL injection, or other attacks. Having fewer incidents can potentially reduce the time and expense of the litigation workload and the costs associated with data breaches and unauthorized access.

Hard Solution and Security Service Solution

Dell SonicWALL is a multi-service platform. Its security protection extends from the network core to the perimeter of the system. Unified Threat Management (UTM) integrates support from SonicWALL’s Gateway Anti-Spyware, Anti-Virus, and Intrusion Protection service and Application. Together, these security appliances deliver real-time protection against innovative mixtures of threats, including intrusion threats and SQL injection. This effective combination of protection against application-layer and content-based attacks provides a heightened level of gateway protection that defends against multiple threats coming from the access points (AP) and thoroughly inspects all network layers for threats that involve or include intrusion (SNA 6600, SNA 220).

The Dell SonicWALL Intrusion Prevention System (IPS) Service provides network protection 24 hours a day, 7 days a week. Its major specifications are a throughput of 4.5 Gbps, a maximum of 500,000 inspected connections, and 90,000 new connections per second. Dell’s IPS Service is activated on Dell SonicWALL and Network Security Appliance (NSA). IPS provides high-performance deep packet inspection with countermeasures for complete protection against application exploitation and malicious traffic. The Dell IPS service is scalable to serve organizations of all sizes, so when QWD expands its business and has more customers, it can still use the Dell SonicWALL system. IPS provides a layer of security enforcement and protection between each network zone and the Internet, and between Internet zones, for additional security against intrusion (SNA 6600, SNA 220).

IPS provides bi-directional, full-stack inspection that checks inbound and outbound critical application traffic, providing defense against a wide variety of attacks, such as SQL injection, cross-site scripting, remote code execution, shell code payloads, and remote procedure calls. Its payload inspection spans a wide range of protocols, including MySQL, TCP, DNS, HTTP, HTTPS, SMTP, SNMP, POP3, FTP, Telnet, RTP, etc. The firewall and networking part of Dell SonicWALL offers SYN flood protection. SYN flood protection provides a defense against DoS attacks using both Layer 2 SYN blacklisting and Layer 3 SYN proxies. It also provides the ability to defend against DoS/DDoS through UDP/ICMP flood protection and connection rate limiting (SNA 6600, SNA 220).

Dell SonicWALL Virtual Private Networking technology can make network and security management more efficient for network managers and administrators. Using the Dell SonicWALL VPN, network managers can establish a more secure and extensive VPN that is easier to control and manage. Dell SonicWALL VPN technology includes integrated IPSec VPN for securing site-to-site communication. The VPN technology offers both SSL VPN and IPSec VPN for secure remote client access. The VPN technology line also offers a complete range of Secure Remote Access/SSL VPN appliances that bring remote access and management capabilities to organizations of a wide range of sizes, with varying network complexities, specifications, and security requirements (SNA 6600, SNA 220).


Dell NSA 250 M Specification

| Feature | Value |
| --- | --- |
| Operating system | SonicOS 5.9 |
| Security Processor | 2x 700 MHz |
| Memory (RAM) | 512 MB |
| Firewall inspection throughput | 750 Mbps |
| Full DPI throughput | 130 Mbps |
| Application inspection throughput | 250 Mbps |
| IPS throughput | 250 Mbps |
| Anti-malware inspection throughput | 140 Mbps |
| IMIX throughput | 210 Mbps |
| SSL Inspection and Decryption (DPI SSL) | Available |
| VPN throughput | 200 Mbps |
| VLAN interfaces | 35 |
| VPN | |
| Site-to-Site VPN Tunnels | 50 |
| IPSec VPN clients (Maximum) | 2 (25) |
| SSL VPN licenses (Maximum) | 2 (15) |
| Encryption/Authentication | DES, 3DES, AES (128, 192, 256-bit)/MD5, SHA-1 |
| Key exchange | Diffie Hellman Groups 1, 2, 5, 14 |
| Route-based VPN | RIP, OSPF |
| IP address assignment | Static, (DHCP PPPoE, L2TP and PPTP client), Internal DHCP server, DHCP Relay |
| NAT modes | 1:1, many:1, 1:many, flexible NAT (overlapping IPs), PAT, transparent mode |
| Routing protocols | BGP, OSPF, RIPv1/v2, static routes, policy-based routing, multicast |
| Authentication | XAUTH/RADIUS, Active Directory, SSO, LDAP, Novell, internal user database, Terminal Services, Citrix |
| Standards | TCP/IP, ICMP, HTTP, HTTPS, IPSec, ISAKMP/IKE, SNMP, DHCP, PPPoE, L2TP, PPTP, RADIUS, IEEE 802.3 |
| Hardware | |
| Form factor | Desktop (1U Rack Mountable Kit Available) |

NSA 6600 Specification

| Feature | Value |
| --- | --- |
| Operating system | SonicOS 6.2 |
| Security Processor | 24x 1.0 GHz |
| Firewall inspection throughput | 12.0 Gbps |
| Full DPI throughput | 3.0 Gbps |
| Application inspection throughput | 4.5 Gbps |
| IPS throughput | 4.5 Gbps |
| Anti-malware inspection throughput | 3.0 Gbps |
| IMIX throughput | 3.5 Gbps |
| SSL Inspection and Decryption (DPI SSL) | 1.3 Gbps |
| VPN throughput | 5.0 Gbps |
| VPN | |
| Site-to-Site VPN Tunnels | 6000 |
| IPSec VPN clients (Maximum) | 2,000 (6,000) |
| SSL VPN licenses (Maximum) | 2 (50) |
| Encryption/Authentication | DES, 3DES, AES (128, 192, 256-bit)/MD5, SHA-1 |
| Key exchange | Diffie Hellman Groups 1, 2, 5, 14 |
| Route-based VPN | RIP, OSPF |
| Networking | |
| IP address assignment | Static, (DHCP, PPPoE, L2TP, PPTP client), Internal DHCP server, DHCP Relay |
| Authentication | XAUTH/RADIUS, Active Directory, SSO, LDAP, Novell, Internal user database, Terminal Services, Citrix |
| Certifications | VPNC, ICSA Firewall, ICSA Anti-Virus |

Reference

Advantage of Telecommuting. (2014). Global Workplace Analytics. Retrieved from: http://globalworkplaceanalytics.com/resources/costs-benefits

An Anomaly-Based Approach for Intrusion Detection in Web Traffic. (n.d.) Retrieved from: http://webcache.googleusercontent.com/search?client=safari&rls=en&q=cache:hmDApgF38E4J:http://digital.csic.es/bitstream/10261/40544/1/ARTICULOS315428%255B1%255D.pdf%2Bconsequence+intrusion+web+security&oe=UTF-8&hl=en&as_q&nfpr&spell=1&&ct=clnk

Dell SonicWALL Firewall Appliance TCO Comparison. (2014). SonicWall. Retrieved from: https://roianalyst.alinean.com/SonicWALL/

Five Ways Programmers Can Be Sued. (n.d.) Retrieved from: http://www.techinsurance.com/blog/computer-consultants/5-ways-web-programmers-can-be-sued/

DDoS Boot Camp: Basic Training for an Increasing Cyber Threat. (n.d.) Retrieved from: www.prolexic.com/...ddos-boot-camp/DDoS_Boot_Camp-Prolexic_executive_series_white_paper-073113.pdf

How to Prevent Security Breaches from Known Vulnerabilities. (n.d.) Retrieved from: http://www.esecurityplanet.com/network-security/how-to-prevent-security-breaches-from-known-vulnerabilities.html

HP 2012 Cyber Risk Report. (n.d.) Retrieved from: www.hpenterprisesecurity.com/collateral/whitepaper/HP2012CyberRiskReport_0213.pdf%2BHP+2012+Cyber+Risk+Report&client=safari&rls=en&oe=UTF-8&hl=en&&ct=clnk

NSA 220 Network Security Appliance. (2014). Dell SonicWall. Retrieved from: http://www.sonicwall.com/us/en/products/NSA-220.html

NSA 6600 Next-Generation Firewall (NGFW). (2014). Dell SonicWall. Retrieved from: http://www.sonicwall.com/us/en/products/NSA-6600.html

NSA Review. (2009). Retrieved from: http://www.scmagazine.com/sonicwall-nsa-240/review/2678/

The Myth of the Secure Virtual Desktop: Avoid a false sense of security with your VPN or VDI endpoints. (n.d.) Retrieved from: http://webcache.googleusercontent.com/search?q=cache:7LfeJvdlN_kJ:http://www.npcdataguard.com/The%2520Myth%2520of%2520the%2520Secure%2520Virtual%2520Desktop.pdf%2BThe+Myth+of+the+Secure+Virtual+Desktop&client=safari&rls=en&oe=UTF-8&hl=en&&ct=clnk

SEC 517 Course: Security Assessment and Recommendations [Class handout]. (2014). New York, NY: Keller School of Management, New York, NY.

Smith, D. (2010). Profiles of major American psychologists [Class handout]. Department of Psychology, Harvard University, Boston, MA.

SQL Injection Tutorial. (n.d.) Retrieved from: http://www.w3resource.com/sql/sql-injection/sql-injection.php#sthash.Rq9nWIAW.dpuf

Threats Against a VPN. (n.d.) Retrieved from: http://etutorials.org/Networking/MPLS+VPN+security/Part+I+MPLS+VPN+and+Security+Fundamentals/Chapter+2.+A+Threat+Model+for+MPLS+VPNs/Threats+Against+a+VPN/

VPNs (Virtual Private Nightmares). Retrieved from: http://www.secureworks.com/resources/newsletter/2004-05/

Why Replace Your IPSec for Remote Access. (n.d.) Retrieved from: http://webcache.googleusercontent.com/search?q=cache:UnLmTmaPU8wJ:https://www.sonicwall.com/downloads/WP-ENG-035_Why-Replace-Your-IPSec_US.pdf%2BWhy+Replace+Your+IPSec+for+Remote+Access&client=safari&rls=en&oe=UTF-8&hl=en&&ct=clnk

XAND Launches Distributed Denial of Service (DDOS) Protection Services to Proactively Safeguard Mission-Critical IT Infrastructure. (n.d.) Retrieved from: http://webcache.googleusercontent.com/search?client=safari&rls=en&q=cache:ZABMjDDDhLQJ:http://www.xand.com/06/press-releases/xand-launches-distributed-denial-of-service-ddos-protection-services-to-proactively-safeguard-mission-critical-it-infrastructure/%2Bdenial+of+service+percentage+risk&oe=UTF-8&hl=en&&ct=clnk