Executive Summary

The main purpose of this report is to present the potential security threats that affect the network system of Quality Web Design (QWD). QWD specializes in website and web content design for different types of business, and any type of security threat can significantly disrupt its business operations. It is important to uncover any potential vulnerabilities, assess potential threats, and estimate the likelihood of each threat occurring. It is also vital to estimate what might happen to the business processes and competitive edge of the company if the threat occurs. Two security vulnerabilities, one in QWD's security policies and one in its software, are discussed in the report. Finally, we discuss the impact the security modifications have on the business process.
Company Overview

Quality Web Design (QWD) is a company that specializes in Web site and Web content design for all different types of businesses. QWD's mission is to deliver the best quality Web design that will increase consumer traffic to QWD's customers' Web sites. QWD's database comprises over 250,000 proprietary images and graphical designs that will improve most Web sites' appeal to a target demographic. QWD is able to offer its clients the capability to offer their audience a customized interface. Quality Web Design also delivers a number of consistent services to its customers, intended so that security problems in the organization no longer arise. Every company has limitations, and Quality Web Design can overcome them.
QWD prides itself on having its own web designers who use custom scripts and applications. This sets the company apart from the competition. The company operates a Microsoft Visual Studio Team Foundation Server to ensure consistent development of a site from start to end. The company also has its own payroll, marketing, and accounting departments, which are significant to the business operations.

Security Vulnerabilities

Security Policy Vulnerability

QWD's security policy does not address the topic of employees using company equipment such as iPhones, Windows cell phones, and laptops for personal use. This should be addressed in an Acceptable Use Policy.
By not making a policy that restricts the equipment to company use only, the company leaves itself vulnerable to incidents. It is not unreasonable to assume that employees do use company-provided equipment for personal use. Employees use the devices to send and receive private emails through non-company sites such as Gmail, Hotmail, and Yahoo. They use the company devices to surf the web, shop for items, play games, download applications, get on social networks such as Myspace, Facebook, and Twitter, watch videos, and even listen to music. According to one site on employee Internet use, employees spend about one-third of their time on the Internet for personal reasons (Employee Internet Use). This means that out of a regular 40-hour work week, employees are spending 13.33 hours on personal Internet usage. This also relates to employees who give out their mobile numbers for personal use on the Internet. Sometimes sites require registration, and things such as contact phone numbers must be included. Unfortunately, for some employees, the only number they have to use is the company-issued mobile phone. This means that the employee has given the company mobile phone as their point of contact number.
Not having a policy in place creates the prospect of threats against the company. The threat that can arise is an employee downloading a virus, malware, or Trojan to their mobile phone, laptop, or even desktop. This is especially so for the remote devices, because when these are connected to the Exchange server, they can infect the corporate network. If an employee is using their desktop to surf the Internet for private use and opens an email sent by a contact that has a virus attached, it can infect the network. Another example is an employee registering for something personal online, such as sweepstakes; this can be a problem. If a hacker gets hold of the information, the hacker could send a text message with instructions to download something that contains a virus.
If an employee is under the impression that they have won something they know they signed up for, many will not hesitate to follow the link. Since devices such as mobile phones and laptops are used more often off site by employees, giving them more time for personal use, this makes the risk highly likely. If statistics suggest that employees are on the Internet one-third of the time for private use at work, the figure would seem to be a lot higher when employees are at home or not at work. This means they are checking emails more often and downloading content which could be infected. They could even let family members and friends use their devices to access the Internet.
The Employee Internet Use article also states that over $85 billion is lost each year by companies because employees are using company time to access the Internet for personal use. If anything the employee has downloaded is allowed to infect the company network, it is safe to say that number goes up. If infections are passed onto the network, it could halt business processes. Fixing the problem would cost the company time and money.
The company also has to try to assess how much and what type of damage was caused by the attack. The infection could also keep employees from accessing necessary applications and emails and from working on time-sensitive projects.

Software Vulnerability

According to Microsoft Visual Studio (2008), Team Foundation Server (TFS) is a software tool that offers project management capabilities, reporting, work tracking, and source control. Team Foundation Server also holds a data warehouse where all data from testing tools, source control, and item tracking are stored. QWD uses TFS in its business processes as a repository of custom applications, custom-written scripts, and web site templates. The TFS repository consists of a source code database, an application server, and a web server.
QWD's TFS server is located at their corporate office, though it can also be accessed remotely through an Internet Protocol Security (IPSec) tunnel connecting the corporate office to the database server. TFS has a cross-site scripting (XSS) vulnerability that may give an unauthenticated remote attacker access to an application (Cisco, n.d.).
XSS is on the list of the top 10 web application vulnerabilities and represents 26 percent of attacks, according to a survey by the Open Web Application Security Project (Nithya, Pandian, & Malarvizhi, 2015). The vulnerability is a result of insufficient validation of user-supplied input in parameters passed to the affected application. A remote attacker who has not been authenticated may exploit the vulnerability by convincing a QWD user to follow a malicious link that leads to a malicious site, using deceptive instructions to persuade the user to click the link. If the remote attacker is successful, they can execute cross-site scripting attacks and cause severe security damage such as cookie theft and account hijacking (Shar & Tan, 2012).
The vulnerability will have consequences for mission-critical business processes, since the attacker can gain access to QWD's intranet, Microsoft SharePoint, the web server, and cookie-based authentication. The attacker can delete or alter QWD website templates and custom-written scripts that are stored on the server. In addition, QWD's competitive advantage will be affected by the loss of integrity and the loss of key customers and partners. Confidential data can be sold to competitors, making QWD suffer losses and bear the cost of repair.
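As an added example (not code from the report or from TFS), the reflected-XSS pattern the section describes beside its hardened form, in a hypothetical search page that echoes a URL parameter; the functions, the cookie name and the probe input are all constructed for illustration:

```javascript
// Hypothetical search page: reflects the "q" URL parameter into HTML.
// Output encoding of the five characters that let user input break out of
// HTML text or attribute context; this is the control the report's
// "insufficient validation of user-supplied input" points at.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the parameter is pasted straight into the page, so a crafted
// link runs script in the victim's session (the "malicious link" scenario).
function renderSearchVulnerable(q) {
  return `<h1>Results for ${q}</h1>`;
}

// Hardened: every untrusted value is encoded for the HTML context it lands in.
function renderSearchSafe(q) {
  return `<h1>Results for ${escapeHtml(q)}</h1>`;
}

// Session cookie flags that limit what a successful XSS can take: HttpOnly
// keeps script from reading the cookie, Secure keeps it off plaintext HTTP.
// Cookie name "sid" is a constructed example.
function sessionCookieHeader(sessionId) {
  return `Set-Cookie: sid=${encodeURIComponent(sessionId)}; HttpOnly; Secure; SameSite=Lax`;
}

// Defender-side check for a test suite: does a value containing HTML
// metacharacters come back in the response unencoded? true flags a bug.
function reflectsUnencoded(responseBody, rawValue) {
  return /[<>"'&]/.test(rawValue) && responseBody.includes(rawValue);
}

// Constructed probe input, the textbook canary used in regression tests.
const probe = '<script>alert(1)</script>';
console.log('vulnerable page reflects unencoded:',
  reflectsUnencoded(renderSearchVulnerable(probe), probe)); // true
console.log('hardened page reflects unencoded:',
  reflectsUnencoded(renderSearchSafe(probe), probe));       // false
```

The same `reflectsUnencoded` check can be run against every page that echoes request parameters, which is how a defender confirms the fix rather than trusting the template change.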
Summary

In any organization, the corporation must take into account any security matters that can harm the company, its employees, and its customers. QWD must take into account the vulnerabilities related to its technological processes and how they can affect the business. It is important to look at the software and security policy vulnerabilities and how to defend the company from any probable threats. It is believed that addressing the acceptable use policy for company equipment used privately, and the wireless access points of company laptops, can help keep the company network more secure.
References

Clancy, Heather. (2011). Mobile device security strategies. Retrieved on March 21, 2012, from http://searchnetworkingchannel.techtarget.com/feature/Mobile-device-security-strategies
Defending Cell Phones and PDAs Against Attack. (2006, August 9). Retrieved on March 21, 2012, from http://www.us-cert.gov/cas/tips/ST06-007.html
Elliott, Christopher. (2011). Retrieved on April 10, 2012, from http://www.microsoft.com/business/en-us/resources/technology/broadband-mobility/6-wireless-threats-to-your-business.aspx?fbid=Hsna4GJxWrg
Employee Internet Use. Retrieved on March 29, 2012, from http://www.connections-usa.com/employee-internet-usage.html
Evil Twin. Retrieved on April 4, 2012, from http://searchsecurity.techtarget.com/definition/evil-twin
Hotspot Usage to Reach 120 Billion Connects by 2015, Says In-Stat. (2011, August 29). Retrieved on March 29, 2012, from http://www.prweb.com/releases/2011/8/prweb8751194.htm
MiFi® 4082 – Intelligent Mobile Hotspot. Retrieved from http://www.novatelwireless.com/index.php?option=com_content&view=article&id=276:mifir-4082-intelligent-mobile-hotspot&catid=19:mifi&Itemid=12
Mobile Broadband Cards. Retrieved on April 10, 2012, from http://www.todayswirelessworld.com/mobile-broadband-cards/