I have been charged with the undertaking of placing possible security failings and urging solutions for Quality Web Design ( QWD ) . The undertaking was completed in two stages. The first stage of the undertaking specifically identified and defined two possible security failings: package and policy. The 2nd stage recommends solutions to these possible failings. I chose a scenario that outlines particulars of the organization’s type of concern. concern procedures. assets. services. and security controls. It is important for any organisation to take necessary stairss in procuring their business’ assets. and customer’s informations.
Furthermore. it is besides of import for these security steps to be effectual. and exhaustively planned. It is as every bit of import. in this interrelated and hi-tech universe. for corporations to besides hold and implement an effectual corporate security policy. because there are both internal and external menaces ( Symantec Corporation. 1995-2010 ) . Company Overview Based on the scenario given. Quality Web Design is an IT corporation. with about 50-100 employees. offering top quality web design services for their clients.
In order to appeal to their mark audience and enhance services. they offer over 250. 000 proprietary images and graphical designs. QWD’s clients can merely entree their corporate web site. There concern procedures include the usage of a depository of website templets. usage written books. and custom applications. This depository is used to supervise undertaking development and quality confidence proving. Additionally. QWD offers IT support for their accounting. paysheet. and selling operations through the usage of their digital assets.
They utilize a Wide Area Network ( WAN ) and an internal Local Area Network ( LAN ) for their offices. There are rigorous technology-based entree controls and a published corporate security manual that covers assorted security patterns. Employees at QWD’s corporate and distant offices have entree to services that include Virtual Private Network ( VPN ) . Outlook Web electronic mail. and Active Sync Exchange waiter. Security Vulnerabilities Listed below are two security exposures: package and policy. These were identified during my initial appraisal of the scenario provided for QWD.
These exposures are important and should be addressed instantly. Security Software Many of QWD’s employees work from distant locations and can entree Virtual Private Network ( VPN ) . Outlook Web electronic mail. and Active Sync Exchange services. They utilize corporate-owned laptops. desktops. and nomadic devices ( IPhones and Windows Mobile 6 ) to remotely entree corporate intranet resources. It is apparent. by the scenario’s hardware profile. that the company has hardware-based firewalls in topographic point for web security. It is besides apparent in the WAN and corporate web diagrams ( see Appendix ) .
Harmonizing to SANS Institute ( 2006 ) . a VPN connexion. in this instance. offers secure connectivity between employees’ computing machines and the corporate web. Furthermore. the VPN connexion is at that place to supply informations confidentiality. informations unity. and hallmark services ( SANS Institute. 2006. pp. 4 ) . Having said this. it appears that QWD is non protected with firewall package on their employee’s distant computing machines. This means that these distant computing machines are non protected from personal onslaughts from the Internet. Harmonizing to Beal ( 2010. pp. 3 ) . “the best protection for your computing machines and web is to utilize both” hardware and package firewalls.
These onslaughts include Trojan Equus caballuss and email worm and the whole thought of package firewall is to protect the “computer from outside efforts to command or derive access” to it ( Beal. 2010. pp. 3 ) . An interloper can utilize an employee’s compromised system to derive entry to the corporate web through an unfastened VPN connexion. Such an onslaught. utilizing an unfastened VPN connexion. can be damaging to the company’s concern procedures. peculiarly their depository of website templets. usage written books. and custom applications ; and. their accounting. paysheet. and marketing operations.
An onslaught to these mission-critical procedures can intend a lessening in the organization’s gross ; client’s personal information being accessed. modified. or even deleted ; and even degraded web public presentation. QWD would lose important patronage and would non be as appealing to their mark audience – non so good for their mission of supplying top quality services. Policy Reducing the exposure of the corporate web from outside onslaughts is important in protecting mission-critical procedures for QWD.
The security appraisal doesn’t terminal with package firewalls for their remote users. The company’s security policy must besides turn to this exposure. QWD has policy in topographic point that speaks to who has entree to informations and the type of informations ; username criterions ; watchword length. complexness. rotary motion. and history ; and security preparation. However. their policy doesn’t reference distant entree devices: installing and constellation of firewall and anti-virus package on all employees’ distant computing machines and acceptable usage.
These are critical in forestalling distant computing machines and nomadic devices from compromising the corporate web ( Ruskwig. 2006. pp. 1 ) . Without such a policy in topographic point. there is no guideline for procuring QWD’s assets. Any distant employee that has Internet connexion that is ever on runs the hazard of infection or even leting entree to the corporate web via their unfastened VPN connexion. Something every bit simple as an employee accessing company resources from a computing machine that is non owned by the organisation can besides bring mayhem on the company’s web.
If an employee losingss their laptop to theft. this could let unauthorised usage of the equipment and entree to sensitive company or even clients information. Mistakes can be made in strategically steering the security of QWD. resources could be wasted in protecting low degree assets. and steps may be misguided without such a policy in topographic point ( Watson. 2005. pp. 10 ) . Recommendations The following package and policy betterments are recommended to Quality Web Design. in order to guarantee that distant desktops. laptops. and nomadic devices do non compromise the corporate web: 1.
All distant desktops and laptops should hold Zone Alarm Extreme Security 2010 Hard Drive Encryption Edition installed and configured to update automatically. It is a comprehensive security package bundle that includes a incorporate antivirus/spyware scan engine. fast virus signature updates. bipartisan firewall. operating system firewall. extra beds. individuality protection services. unafraid on-line backup. practical browse. advanced download protection. unsafe website sensing. cardinal lumberman and screen grabber amming. private browse. Personal computer warm-up. automatic operation. and user-friendly interface ( Check Point Software Technologies Ltd. . 2011 ) .
At a cost of $ 1. 619. 95 for a 50-user battalion. it meets the demands of QWD distant office. offers full protection. and comes with free ascents and online client support. QWD’s IT staff can put in and implement usage of package at no excess cost to the company. 2. Security policy should turn to remote entree devices: installing and constellation of the firewall and anti-virus package on all distant devices and acceptable usage.
The policy should stipulate that merely Zone Alarm Extreme Security 2010 is authorized for anti-virus. firewall. and spyware. and it must be installed by QWD’s IT staff. Unauthorized package is prohibited. Additionally. employees can non link to corporate web without this installing. It should besides stipulate that all distant devices connect to corporate web merely utilizing VPN and how it will work. In add-on to this. the policy should do clear the intent of the policy. computing machine demands. and VPN demands.
Loss bar guidelines will be set in the security policy. including immediate coverage of loss or damaged corporate-issued equipment. Decision It has been a daunting. but interesting undertaking as I attempted to dissect this scenario. place two possible security failings. and recommend solutions. Software and policy failings seem to be the most likely job within the context of the QWD scenario and rather perchance the most easy spotted. However. it is of import for any organisation to closely analyze and turn to their security defects. It could intend their company’s repute and support.