
SE571 Course Project: Security Assessment and Recommendations

Scenarios
Scenario One
Company Overview
Aircraft Solutions (AS) is a recognized leader in the design and fabrication of component products and services for companies in the electronics, commercial, defense, and aerospace industry. Located in Southern California, AS has a dedicated, trained workforce and maintains a large capacity plant and extensive equipment to meet customer requirements. Much of the equipment is automated to increase production while reducing costs. The company's workforce has a large skill base: design engineers, programmers, machinists, and assembly personnel to work its highly-automated production systems. The mission of AS is to provide customer success through machined products and related services, and to meet cost, quality, and schedule requirements. The company strategy is to offer low-cost design and computer-aided modeling packages to customers to reduce their development expenses. AS will help the customer through all phases of new product deployment, from initial prototypes through final large-volume production and assembly. By involving itself in all phases of customer product development, AS hopes to establish long-term relationships and secure repeated follow-on business with its customers. In addition, AS continues to invest heavily in workforce education and training, so as to improve capability to serve its customers.

Company Geographic Layout
Aircraft Solutions' headquarters is in San Diego, California. The Commercial Division (CD) is 40 miles east in San Diego County. The Defense Division (DD) is located in Orange County in the city of Santa Ana, California. These geographic locations are close to intermodal transport hubs that have global reach. Products can be easily shipped anywhere in the world by combined truck, rail, ship, and air transportation methods.

The system administrators are members of an information technology (IT) group within the organization. They are responsible for selecting and installing hardware, software and related upgrades, implementing information security measures, and maintaining support to ensure the manufacturing execution system is working properly. They also are heavily involved in training the workforce to use and interact with the information systems. Their duties include planning for and responding to emergency events such as power outages, attempts at cyber-attack, and natural disasters.

The users at AS are employees, customers, suppliers, and contractors who need to access the company network. System access by users at different levels of the network is set strictly on a need-to-know basis. Controls are in place to secure confidential and proprietary information from unauthorized access. Users are responsible for entering and processing data and information, such as generating reports to be used for decision-making.

Business Process
AS uses Business Process Management (BPM) to handle end-to-end processes that span multiple systems and organizations. The BPM system is designed to connect customers, vendors, and suppliers to share information and maintain a timely business dialogue. BPM also aligns internal business operations with IT support to maintain production in support of customer requirements. Business process effectiveness begins with the IT organization. Customer data such as project information, computer-aided design and development models are sorted and stored in designated servers. The Design Engineering department is responsible for reviewing the electronic models, interacting with the customer and making necessary modifications with customer approval, then placing them in an Engineering Release (ER) directory for programming. As soon as these electronic models are released, programmers use them to create production programs.

All final programs must be thoroughly verified for accuracy before releasing to the Proof For Production (PFP) directory for manufacturing to make the production first article. From the production floor, machinists download PFP programs directly to their DCNC (Direct Computer Numerical Control) machines for execution. After any further processing, completed products are inspected for verification to customer requirements, then they are moved to the Shipping department for delivery. A continuous improvement and feedback loop system is in use to correct any deficiencies in the production process. The BPM system is capable of handling multiple projects simultaneously across every department of the company. BPM is set up to manage all aspects of business operations, including accounting, human resources, sales and marketing, and compliance activities concurrently.

Current IT Architecture
The figures shown below depict the current IT architecture and present network infrastructure of Aircraft Solutions.

Security Controls in Place
The current security controls include independent anti-virus software on every workstation and server, and host-based intrusion detection systems on the servers in the corporate office. Security policy requires that all firewalls and router rule sets are evaluated every two years and that all local servers are backed up to network attached storage devices maintained at the server location.

Scenario Two
Company Overview
Quality Web Design (QWD) is an organization that specializes in Web site and Web content design for all types of businesses. QWD's mission is to provide top quality Web design that will increase consumer generated revenue to QWD's customer Web sites. QWD's database contains over 250,000 proprietary images and graphical designs that will enhance most Web sites' appeal to a target demographic.

Business Processes
Quality Web Design has several mission critical business processes. First is the use of the repository of Web site templates, custom written scripts and/or custom applications. This repository is stored in a Microsoft Visual Studio Team Foundation Service (TFS) server. This application is used to monitor the project development lifecycle of custom Visual Studio applications from inception to deployment, including the quality assurance testing phase. Other critical business processes are QWD's accounting, payroll and marketing operations, all of which are supported by IT assets. There are strict technology-based access controls associated with each of these systems to ensure that only authorized personnel can access them.

Digital Assets
These are shown in the network diagrams below.

WAN:
(2) T1 Frame Relay circuits connected to the Internet.
ISP controlled Internet routers.
Corporate firewall model: Juniper ISG2000 integrated Firewall, VPN, and Intrusion Detection and Prevention system.
Remote office firewall is a Juniper SSG140.
L2TP/IPSec VPN tunnel between the corporate firewall and the office firewall to allow for secure data flow.

Corporate Office:
Internal LAN switch is an HP 5400zl series with 147 ports with 10/100/1000 GB connectivity.
(2) HP ProCurve MSM410 Access Point US wireless access points.
Microsoft TFS code repository consisting of 1 Web server, 1 application server, and 1 database code repository.
Web server includes Microsoft Share Point portal for department document and Web sites.
Corporate intranet site.
Microsoft SQL 2008 Database server used for storage of custom designed graphics and custom application image control system.
File and Print server services.
Microsoft Exchange 2007 email servers, including (2) Client Access (CAS) and Hub Transport (HT) servers and 1 backend mailbox server.
HP Storage Works SAN with 6 TB disk space.
(2) Microsoft Windows 2008 domain controllers.
Approximately 50 user computers: 35 laptops and 15 desktops.
(4) network printers.
(30) mobile devices: iPhones and Windows Mobile 6 devices.

Remote Office:
HP ProCurve Switch 3500yl-48G0PWR intelligent Edge. This is a 48 10/100/1000 GB port intelligent switch.
(2) HP ProCurve MSM410 Access Point US wireless access points.
Microsoft TFS code repository consisting of 1 Web server and 1 application server that connects to the database server in the corporate office through the IPSec tunnel.
(2) Microsoft Windows 2008 domain controllers.
File and Print server services.
Approximately 20 user computers: 15 laptops and 5 desktops.
(2) network printers.
(15) mobile devices consisting of iPhones and Windows Mobile 6 devices.

Externally Published Services
Corporate and remote offices have the following services that are accessible for employees. From a corporate owned computer or mobile device, employees can access VPN, Outlook Web Access for email, or Active Sync for Exchange server. On any computer in the world, employees can access Outlook Web Access for email. Customers are only allowed to access the Corporate Web site.

Security Controls
There is a published corporate security manual that covers the following security practices.
Username standard, including having a separate account for any elevated privileges.
Password length, complexity, rotation and history requirements.
Data classification levels depend upon what type of data each system contains, and security group accounts control access to each data classification level.
Security training is also described, with required quarterly communications and annual training classes.

[Figure: WAN Diagram. Labels: Internet, T1, IPSec Tunnel, Internet routers, DMZ, Corporate Firewall, Office Firewall, Corporate Network, Office Network.]

[Figure: Corporate Network Diagram. Labels: Internet, T1, ISP Router, Office Firewall, Internal LAN, Wireless Access Points, TFS code repository, Web Services, Database Server, File Server, Email Server, Active Directory Server, Print Server, Wireless Connection, Company Owned Laptop, Company Owned Mobile Device, Company Owned Desktop.]
