
Aircraft Solutions

Security Assessment and Recommendations

Submitted by:
Submitted to:
SE571 Principles of Information Security and Privacy
Keller Graduate School of Management
Submitted on:

Table of Contents
Aircraft Solutions
Security Assessment and Recommendations
Company Overview
Security Vulnerabilities
    Hardware Vulnerability
    Policy Vulnerability
Works Cited

Company Overview
Aircraft Solutions (AS) designs and fabricates component products and services for its clients in the electronics, commercial, defense and aerospace industries. AS employs a large and skilled workforce of design engineers, programmers, machinists, and assembly personnel. The company uses automated equipment to increase production and reduce overall costs. By doing this, it is able to offer cost-efficient design and modeling packages to its customers, helping them reduce their overall development cost, which in turn has helped AS establish long-term relationships and plenty of repeat business. Aircraft Solutions consists of two separate divisions, the Commercial Division (CD) and the Defense Division (DD). They are located in Chula Vista, California and Santa Ana, California respectively.

Security Vulnerabilities
Hardware Vulnerability

Aircraft Solutions' current hardware setup effectively leaves the company's and its clients' information vulnerable to prying eyes. The current hardware network setup is protected only by a firewall, two routers and a switch. Should someone gain access to the system, they may easily be able to reach information in several key areas such as human resources, accounting, and/or the database. This information could vary from an employee's Social Security number to proprietary company or client information. The crimes could range from identity theft to corporate espionage, and the losses could range from thousands of dollars all the way to millions and beyond.

Firewalls are a good start for hardware security; however, they have strengths and weaknesses and should not be counted on as a foolproof measure or means of security (see Figure A-1). Currently Aircraft Solutions only updates the firewall and router rule sets every two years, which leaves the company vulnerable in that anyone who gains access or is given access would have it for a long period of time. All of the servers for AS are currently backed up onsite, which could create a problem should a natural disaster, fire, flood, or perhaps even theft of the devices occur. Whether the motive is one of revenge, money or just proving that it can be done, all of the hardware-related issues have a high probability of occurring in today's world and must be addressed in order to avoid a loss of data, money and clients.

Firewall Strengths:
1. Helping to enforce security and safety policies of an organization.
2. Restricting access to specified services. Access can even be granted selectively based on authentication functionality.
3. Their singularity of purpose which means that companies need not make any compromises between usability and security.
4. Its appraisal capacity which results in an organization getting to know and monitor all the traffic that sifts through their networks.
5. Being a notification system which can alert people concerned about specific events.

Firewall Weaknesses:
1. An inability to fend off attacks from within the system that it is meant to protect. This could take the form of people granting unauthorized access to other users within the network or social engineering assaults or even an authorized user intent on mala fide use of the network.
2. It can only stop the intrusions from the traffic that actually passes through them.
3. It cannot circumvent poorly structured security policies or bad administrative practices. For instance, if a company has a very loosely knit policy on security and over-permissive rules, then a firewall cannot protect data or the network.

Figure A-1 (Operational Strength & Weaknesses of Firewalls, 2013)

Policy Vulnerability

The current security policy allows numerous people to have access to the system, possibly even those who do not or should not have access to said information. In order for the policies and procedures for Aircraft Solutions to be effective, they need to be updated on an annual basis to keep up with the ever-changing and evolving threats that abound. A security policy extends to more than just the technical infrastructure; every organization's last line of defense in protecting its information from unauthorized access is its employees. Therefore, many believe organizational policy should dictate the need to educate employees about how to protect the organization's information assets. (IT security policy management: Effective polices to mitigate threats, 2013)

References:
IT security policy management: Effective polices to mitigate threats. (2013). Retrieved 07 28, 2013, from SearchSecurity: http://searchsecurity.techtarget.com/tutorial/ITsecurity-policy-management-Effective-polices-to-mitigate-threats

Operational Strength & Weaknesses of Firewalls. (2013). Retrieved 07 28, 2013, from Certificationkits.com: http://www.certificationkits.com/cisco-certification/CCNASecurity-Operational-Strength-Weaknesses-ofFirewalls.html#sthash.mcZSM9PR.dpuf

BE SPECIFIC ON THE REQUIREMENTS/WEAKNESSES STATEMENTS. However, you must address more security requirements areas. Your analysis was a little shallow. There are ten major areas (or security domains) that you could possibly address. These are found in the CISSP handbook**, which is a definitive sourcebook for practitioners. Specifically these are:

Ten Domains:
1. Security policies (personnel, administrative)
2. Access control systems
3. Telecommunications & network security
4. Cryptography
5. Security architecture & models
6. Operational security
7. Applications & systems development
8. Business continuity planning & disaster recovery planning
9. Law, Investigation & Ethics
10. Physical

You were required to address only two weaknesses areas in this assignment. You have been given great latitude in this project. Remember to FULLY reference all charts and text you use or depend on. In that vein, for PHASE I to be complete you should have charts showing your business architecture (topology of customers, services, your business footprint). Use appendices for this. Think of Phase I as a mini-audit of your security needs and what, from a security point of view, you NEED to meet and execute your business concept of operation successfully.

Phase I is also to be thought of as putting together the architectural drawings of building a house. What do the blueprint requirements look like? Is there one floor or two, a two car garage, an oversized kitchen? Phase II, due in Week 6, is where you use products/services to populate the house with plumbing, electrical fixtures (ALL TO CODE) and, of course, your personal furnishings etc. Building a house takes many months and many decisions have to be made. SO TOO with your project; that is why you are doing drafts and doing it in a step wise manner. There are no shortcuts. Remember Phase 2 in week 6 deals with solutions, not this paper.

If you went into solutions then you are jumping the gun, as you need to stay on a confirmation of requirements. There is an old saying, if you do not know where you are going any road will take you there. Network diagrams are key. Also, you must follow APA guidelines in your paper formatting.

Dr. K

**REFERENCE: The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, Ronald L. Krutz, Russell Dean Vines

***Also, use search engines (Google etc) to get further background on the domains.

Phase II: the Course Project (comprised of Phase I and II)

Recommend solutions to the potential weaknesses from either the Aircraft Solutions or Quality Web Design Company

In this phase of the project you will include Part I (presumably improved as needed based upon Week 3 feedback) and then you will recommend solutions for the security weaknesses you identified in the Phase I.

Definition of the solution
Hardware solutions must include vendor, major specifications with an emphasis on the security features, and location of placement with diagram. Software solutions must include vendor and major specifications, with an emphasis on security features. Policy solutions must include the complete portion of the policy that addresses the weakness identified. Any outsourced solution must include the above details and the critical elements of the service level agreement.

Justification
You must address the efficacy of the solution in terms of the identified threats and vulnerabilities; the cost of the solution, including its purchase (if applicable); and its implementation, including training and maintenance.

Impact on business processes
You must discuss any potential positive or negative effects of the solution on business processes and discuss the need for a trade-off between security and business requirements using quantitative rather than simply qualitative statements.

Other required elements include:
Cover sheet
APA-style
In-text citations and Reference section
5 reference minimum
Minimum length of solutions: 6 pages, maximum length 10 pages (not counting cover sheet, diagram(s), references). Do not exceed the maximum length.
