Aircraft Solutions Project

The purpose of the report is to assist Aircraft Solutions (AS) in indentifying the most significant Information Technology (IT) security vulnerabilities. AS products and services are at the forefront of the industry and the protection of such is very important as they are an industry leader. The vulnerabilities that will be discussed are the firewall configuration, virtualization of their hardware assets and defining security policy regarding the timeliness of firewall configuration and updates. Company Overview

Aircraft Solutions, headquarters located in San Diego, California develop and fabricate products and services for companies in the electronic, commercial, defense and aerospace industries. AS is made up of two (2) different divisions, the Commercial Division and the Defense Division. The Commercial Division is located in Chula Vista, CA and the Defense Division is located in Santa Ana, CA. AS company strategy is to offer low cost design and computer aided modeling packages to companies and assists them through the lifecycle of their product in an effort to save money for the consumer while profiting from their business. Vulnerabilities

Hardware Vulnerabilities
The hardware infrastructure of the AS Headquarters in San Diego, California had been identified during our recent security assessment as being a potential security weakness to the company’s overall information systems security infrastructure. The system hardware infrastructure comprises of

Five (5) Individual Servers
One (1) Switch
Two (2) Routers
One (1) Firewall

The hardware area of concern was the lack of Firewalls being used to protect the company’s network against intrusion and the networks hardware design and architecture. The firewall configuration at AS San Diego is improperly configured to meet the security needs of the company. The main area of concern was that of the firewall located between AS Main Router and the Router to DD. The security assessment revealed that DD Santa Ana has direct access without firewall authentication to AS San Diego’s network. “Misconfigured network gear represents a major security threat. It’s estimated that 65% of cyber attacks exploit misconfigured systems” (Marsan, 2009). There are many different threats associated with not having properly configured Firewalls and the statistics show that 6.5 companies out of 10 are being attacked because of the vulnerabilities associated to not configuring their systems correctly. There are many threats associated with not having a properly configured Firewall, due to the misconfiguration; our security assessment revealed that the main threat to AS Headquarters would be an infiltration via the exploitation of the firewalls back door.

Attackers can install listening devices that will detect which ports are open on AS’s perimeter firewall. Once it’s determined which ports are open, the Attacker can take advantage of the misconfiguration and deposit or execute backdoor code, or simply access the system without authorization. The consequences associated with not having a properly configured firewall could be the annoyance of adware or as severe as bringing AS operations to a standstill. A majority of AS business operations are controlled through AS San Diego via their headquarters network. The likely hood of a threat is significant, but the risk associated with it is Severe. “Network performance and reliability also are affected by misconfigured gear, it’s estimated that 62% of IP network downtime is due to configuration issues” (Marsan, 2009). AS San Diego IT network could be down for assessment and repairs for as little as a couple days to as long as a couple months. The monetary impact to AS San Diego could be significant for repairs but the financial impact through loss of business could be crippling to AS San Diego bottom line.

Companies will distrust their vendors when they have an understanding that their company’s information is not being protected, which in turn leaves them vulnerable. Businesses will take business elsewhere to ensure the integrity of their information and to protect their companies well being. AS’s hardware footprint is fairly significant in that there are many different pieces of hardware that must be maintained individually. Having such a large footprint raises the risk of equipment malfunction causing a disruption to data processing. Malfunctioning equipment, such as security safeguards may leave AS’s system significantly weak while negating strengths in other parts of the system. Security threats could include unauthorized access to AS’s information systems, hardware theft and hardware destruction.

The likelihood of hardware malfunctioning is pretty significant as there are many different pieces of hardware that make up AS’s footprint. The integration of the hardware is not present in the current footprint; a single system failure could cripple the data flow and availability of information to their users. The consequences of having a large footprint of unreliable / misconfigured hardware is pretty significant in that through one single action of hardware failure, the system can be brought to a standstill pending diagnosis and installation of new hardware. Mission critical business will not be able to be processed as the system that houses the business critical information may be broken or it cannot be accessed. A company’s competitive edge is only as strong as the IT infrastructure it runs on, a single failure will result in the loss of business and potential repeat business. Policy Vulnerabilities

Our analysis of the AS San Diego Headquarters Information System Security Policy identified a severe weakness. AS’s security policy identifies that all firewalls and routers rules are evaluated every two years. Industry standard for firewall re-evaluation is on average 12 months or less depending on the state of the Firewall’s. According to Microsoft “The only periodic maintenance required is the replacement of the licenses for the firewall engines on the management station every 12 months, depending on the environmental conditions within the data center” (Northrup) or as soon as a new patch is released by the software manufacturer. Setting policy to only have the updates take place every two years can quickly outdate your system, leaving AS’s system vulnerable to new threats. The threats to the Firewall are similar to what was identified in the Hardware Vulnerability Assessment in the previous section. A misconfigured/outdated Firewall poses a significant risk in that it can be easily exploited with little to no effort.

New software patches allow a system update to ensure it’s protected against predefined threats that have already been identified and the updates will provide the security features needed to mitigate the risk. Having a weak security policy will leave your system susceptible to both the insider and outsider threat. According to an eCrimes Watch Survey conducted in September 2006 it was identified that of the “Top 10 Most Effective Technologies in Use, Statefull Firewalls came in first with 87 percent of the vote. The theft of intellectual property was reported to be at 30% and of that percentage, 63% were insider threats and 45% were outsider threats” (Bevis, 2007). If or when a threat occurs, the consequences to mission critical business processes will likely take a significant impact as an assessment will need to be completed to assure both AS and its customers that the data within the system is correct and has not been compromised. Compromised data will reduce AS’s competitive edge in that the information they are working with is invalid due to a breach in their security infrastructure. There is the potential of business partnerships being lost due to the security policies AS has put in place. The loss of business partnerships will reduce the competitive edge that AS currently has on the market.

Recommended Solution – Hardware
Virtualization is the creation of a virtual computer system, rather than having actual IT assets. As a recommendation for AS’s firewall misconfiguration and overall hardware footprint, it’s recommended that AS invest in their future and virtualizes their IT infrastructure. The benefits of virtualization are tremendous, from a security perspective there are several benefits that really standout. Virtualization products add a layer of abstraction between the virtual machine and the underlying physical hardware. The abstraction will limit the amount of damage that might occur when a system is successfully tampered with.

Virtualization also has the ability to perform back up and disaster recovery. Due to the hardware and the independence of virtualization, the process of copying the different workloads is greatly simplified. In the event of a security breach, a virtual machine on the host can detect and shut down, as another virtual machine in standby mode can boot on another system. This allows little downtime between getting the system back up and running and allowing for the IT department to troubleshoot the issue on the down machine. From a Physical Security perspective, the reduced footprint will allow ease in securing only a minimal amount of equipment, since we can virtualizes a majority of the current assets into a couple single assets. This will prove beneficial in asset accountability and finding a secure storage space. The below diagram indicates what AS’s current hardware assets are and then what our current hardware assets would be if we virtualized the IT infrastructure. Now Virtualization

Router 2 3
Switch 1 4
Firewall 1 4
Server 5 1

Virtualization will bring much needed change, but the most significant change would be the use of Firewall protection and the reduction in the total number of servers. It is proposed that a public router be installed to handle the inbound traffic (contractors, customers, suppliers) and the traffic from AS’s sister sites in Chula Vista and Santa Ana, California. Once the inbound traffic has made it past the router, a Public Interface Firewall will filter all inbound traffic for authentication. The below diagram illustrates the virtual design of AS San Diego IT infrastructure.

With the installation of the Dell R710 Server, the following servers will be able to be carved into individual VLAN’s within one (1) physical machine. DCNC Server
HR & Compliance Server
Accounting Server
S&M Server
Database Server
Public Interface

Virtual switches will be configured to handle the traffic and maintain the integrity of the individual VLANs. Please take notice to the virtual firewall being proposed between the Database Server and the Public Interface. The use of the virtual firewall will secure the link between AS’s internal and external virtual networks. Another feature is the ability to distinguish the difference between the site/system boundary and the users of the system. Firewalls have been installed to ensure all inbound traffic have some sort of authentication and protection. Impact on Business Processes

The impact on business processes will be noticed in that through virtualization, AS will be able to reduce the cost of IT growth and improve the organizations responsiveness to business needs. The reduction in hardware will reduce management costs, as well as the cost of power, cooling and physical space. There will be financial impact up front, in that AS’s investment will cost approximately $72,000 in new hardware. We feel that virtualization is expensive in the short term, but AS should understand the cost savings associated with the change in technology in the long run, it will take several years to recoup the investment financially.

Recommended Solution – Policy
Security policy is an easy less expensive way to ensure the legitimacy of AS IT assets. It is suggested that AS create a new policy that will outline the following to ensure the IT Administrators conduct semiannual updates to the Firewalls to ensure the security measures are in place with the most current version of software. The policy will need to identify the following:

Hardware – Identify the total number of Firewalls (IP addresses) Vulnerability – Open Ports, Network Scans, Infiltration, Modification/Loss of Data, DoS. Traffic – All incoming and outgoing traffic will need to be permitted to traverse the AS network. Specifics regarding individual employees, customers, clients alike will need to be identified. Security Policy – It is suggested that AS conduct semiannual firewall updates with the most recent software versions and at a minimum annual, if time and budget warrant delay. AS will need to describe WHO will be conducting the work, and what actions will be taken in the event of a security event. As a precautionary measure, it is suggested that a copy of the policy be printed and stored as a hardcopy.

Impact on Business Processes
The impact of security policy on business processes is pretty minimal. The importance of the policy is that it will outline what is required from a security perspective and will define what will happen and who will be involved. It allows the business to plan accordingly for future updates and changes without disrupting normal operations. Budget

Product Manufacturer Price qty Cost Source
7200 Series Router Cisco $ 3,375.00 3 $ 10,125.00 (TWA Communications) ASA 5510 Security Plus Firewall Edition – Security Appliance Cisco $ 2,165.00 4 $ 8,660.00 (Infinity Microsystems) Catalyst 3750 EMI – Switch – 24 Port Cisco $ 6,843.15 4 $ 27,372.60 (Halski Systems) PowerEdge R710/Server Dell $ 3,343.00 1 $ 3,343.00 (Amazon ) Inspiron 6400 Dell $ 1,123.00 20 $ 22,460.00 (Dell)

$ 71,960.60

Summary
In summary, AS has a couple significant IT security related issues. It is suggested that AS invest in their future by financially sponsoring the virtualization of their IT infrastructure. Through virtualization, AS will be able to reduce their footprint and security vulnerabilities. In addition, it has been suggested that AS redefine their security policy regarding the frequency of updates to their firewalls to be semiannual or at a maximum annual updates.

References

(n.d.). Retrieved 04 04, 2011, from Amazon : http://www.amazon.com/Dell-PowerEdge-R710-Server-48GB/dp/B0037S9MTM (n.d.). Retrieved 04 04, 2011, from Dell: www.dell.com
Bevis, J. (2007, July 12). Security Threats Statistics – Resources. Retrieved March 19, 2011, from InfoSecAlways.com: http://infosecalways.com/2007/07/12/security-threat-statistics-resources/ Halski Systems. (n.d.). Retrieved 04 04, 2011, from http://www.halski.com/p-66-cisco-catalyst-3750-emi-switch-24-ports.php Infinity Microsystems. (n.d.). Retrieved 04 04, 2011, from http://www.infinity-micro.com/ProdDisplay1.asp Marsan, C. D. (2009, June 9). Hidden Threat on Corporate Nets: Misconfigured Gear. Retrieved April 4, 2011, from CIO: http://www.cio.com/article/494522/Hidden_Threat_on_Corporate_Nets_Misconfigured_Gear Northrup, T. (n.d.). Security TechCenter. Retrieved March 18, 2011, from Microsoft TechNet: http://technet.microsoft.com/en-us/library/cc700820.aspx TWA Communications. (n.d.). Retrieved 04 03, 2011, from http://www.twacomm.com/catalog/model_7206VXR.htm?pid=1000&utm_source=fgl&utm_medium=prodlist&utm_term=7206VXR