
Security Overview

(Aircraft Solutions)
Introduction

The following report concerns a security assessment of Aircraft Solutions (AS), a well-respected equipment and component fabrication company, providing full-spectrum design and implementation solutions to multiple industries, including the electronics, aerospace, commercial, and defense sectors. Aircraft Solutions employs a range of highly qualified professionals and houses an immense production plant, with an overall goal of providing high-quality solutions to accommodate specifications from a wide range of customer demands. My primary objective in this assessment is to identify the existence of vulnerabilities present within the global context of AS operations. To accompany the exposed weaknesses, the associated threats will be evaluated, followed by an analysis of the degree of risk present. Lastly, consideration of the consequences resulting from the unfolding of potential threats will be given due attention.

Assessment
Of the three given areas of potential investigation pertaining to AS, i.e. hardware, software, and policy, careful consideration has narrowed my focus down to the areas of hardware and policy. More specifically, in the area of hardware, I find it very curious that there is no firewall implemented between the commercial division and the Internet. The Defense Department must be routed through Headquarters, but the Commercial department is connected straight to the Internet. This is a significant vulnerability. The second weakness I have pinpointed is the security policy stating router and firewall rule-sets should be evaluated every two years. Such a time span between rule-set evaluations is also a substantial liability to the continued and unimpeded success of the organization. Further elaboration of the identified security vulnerabilities is presented below.


Hardware Vulnerabilities

The issue pertaining to Aircraft Solutions’ hardware weakness is the lack of adequate protection implemented between its Commercial Division (CD) and the rest of the world, connected to the Internet. In one view of AS’s network infrastructure, it even appears as though the CD must transmit through the Internet in order to connect to Headquarters. The fact remains in either case that there is a significant increase in the exposure of this division of AS operations to outside threat. The threat here is characterized by the inability of the CD to filter web traffic, which is effectively equivalent to inviting the world in to see everything there is to see (Northrop, T. 2010). In this case, this might include AS’s commercial clients’ confidential information, classified divisional statistics pertaining to budgets, deadlines, or contracts, confidential employee information, etc.

The vulnerability is the absence of a firewall. The threat is an open exposure to the uncertainties of the Internet, to any number of automated or personalized attacks or attempts to exploit company vital statistics and/or confidential or classified data. To help illustrate the risks of such a threat occurring, I’ll utilize the typical Risk Matrix, which is commonly used by a number of companies and organizations, to include the military. This matrix was borrowed from the Scottish Government’s Risk Management website.

Because the possible consequences of the threat of company infiltration by malicious parties could result in not only a devastating company-wide data leak but also the potential of client data exploitation, modification, or even blackmail, the potential consequences would be marked ‘Extreme’. Because the likelihood is not only possible, but quite feasible, between likely and certain (optimistically), this brings the level of risk to a near state of emergency, being characterized in the chart either by orange or red.

Of the associated likely consequences of a worst-case scenario, where all of the company’s data were hijacked, the severity of the event would be factored by all of the clients’ data being exposed, which could lead to the possible tampering with client orders, which would then naturally lead to devastation for the clients as well. The information could be sold to a rival organization, which could then use it to gain considerable competitive advantage over AS, which would likely be cause for continued suffering, until such a time as either a tremendous amount of monetary assets and reputation were lost, or worse yet, the data could be exploited in such a way as to be manipulated for years undetected, leading to countless losses on all fronts.

Policy Vulnerability
The vulnerability in company policy exists in its security directive stating rule-sets for routers and firewalls be evaluated at intervals of two years. Obviously, a lot can happen in two years to warrant a much more frequent evaluation timeline. There are many vendors who specialize in constant rule-set monitoring, like RedSeal.net, which prevent the exploitation of vulnerabilities caused by outdated security configurations.


I was unable to find a definitive and quantitative rule for exactly how frequently the evaluation of rule-sets should be conducted, but in consideration of the natural contractions a company undergoes in response to sales fluctuations and the economy, expansion, or any number of factors bearing influence upon the organization, certain measurable changes within the company’s infrastructure should be expected, and so too should changes to the rule-sets for router and firewall security configurations. Leaving rule-sets stagnant for two years presents the risk of improperly configured security configurations for firewalls and routers due to the natural evolution of the company’s assets and network infrastructure. As a result, the potential exists for malicious programming initiated by hackers to exploit these outdated rule-sets, which could lead to disaster.

Outdated rule-sets, with a little imagination, could be likened to a bank that accumulated too much money to keep in its vault, and as a result, decided to store it in the lobby instead. Perhaps not as blatantly drastic, but outdated rule-sets would potentially dictate the wrong rules at the wrong time for the wrong reason. The likelihood of this vulnerability being exploited by hackers isn’t at first glance as high as the risk present in the last example, because there isn’t any way to know how much the company would change in two years. Feasibly, if there were no changes, then two years may suffice, but if one thing has been consistent throughout the ages, it is change. If indeed significant change within two years can be assumed, then the vulnerability grows with time, as does the company’s exposure to threat, and the chances of such vulnerabilities being exploited would logically agree with a ‘possible-to-likely’ rating on the risk matrix. The consequences of these potential vulnerabilities being exploited could be numerous and severe, or they could amount to a disgruntled ex-employee causing harm through unexpired access rights. In the worst case scenario, an intelligent IT employee alerts a group of malicious persons to the weakness, who then wait for the opportune time, when the most damage to the company and/or benefit to the hacker might be caused. This could amount to forced resignations, lost contracts, lawsuits, lost monetary assets, public image, and a shrunken client base, in short, disaster.
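To make the drift argument concrete, the following is an added example (not part of the original assessment) of a rule-set audit that checks review age and also compares each rule against the current asset inventory. The rules, subnets, admin ports and the 90-day alternative interval are all constructed assumptions; only the two-year interval and the assessment date come from the report.

```python
from datetime import date
from ipaddress import ip_address, ip_network

# All data below is constructed for illustration; none of it comes from AS.
TODAY = date(2010, 11, 14)
ADMIN_PORTS = {22, 3389}  # assumption: remote-administration services
INVENTORY = [ip_network("10.10.0.0/24"), ip_network("10.20.5.0/28")]  # live subnets
RULES = [
    {"id": 1, "action": "permit", "src": "any", "dst": "10.10.0.15",
     "port": 443, "reviewed": date(2010, 9, 1)},
    {"id": 2, "action": "permit", "src": "any", "dst": "10.30.0.8",
     "port": 3389, "reviewed": date(2008, 11, 20)},   # host since retired
    {"id": 3, "action": "permit", "src": "203.0.113.7", "dst": "10.20.5.4",
     "port": 22, "reviewed": date(2009, 1, 5)},
    {"id": 4, "action": "deny", "src": "any", "dst": "any",
     "port": None, "reviewed": date(2008, 11, 20)},
]

def audit(rules, inventory, today, max_age_days):
    """Return {rule id: [issues]} for rules that are overdue or have drifted."""
    findings = {}
    for rule in rules:
        issues = []
        # Age check: the only thing a purely calendar-based policy looks at.
        if (today - rule["reviewed"]).days > max_age_days:
            issues.append("review overdue")
        if rule["action"] == "permit":
            dst = rule["dst"]
            # Drift check: permit rule pointing at an address no longer in use.
            if dst != "any" and not any(ip_address(dst) in net for net in inventory):
                issues.append("destination not in inventory")
            # Exposure check: administrative service reachable from anywhere.
            if rule["src"] == "any" and rule["port"] in ADMIN_PORTS:
                issues.append("admin port open to any source")
        if issues:
            findings[rule["id"]] = issues
    return findings

if __name__ == "__main__":
    for label, days in (("two-year policy", 730), ("quarterly (assumed)", 90)):
        print(label, audit(RULES, INVENTORY, TODAY, days))
```

Under the two-year interval no rule counts as overdue, so rule 2 surfaces only because the audit also compares rules against the current inventory.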
References
Northrop, T. (2010). Firewalls. Microsoft/Technet. Retrieved Nov 14th 2010 from http://technet.microsoft.com/enus/library/cc700820.aspx#XSLTsection12312112020

The Scottish Government: Model for Organizational Risk Management. Risk Matrix. Retrieved November 14th, 2010 from http://www.bing.com/images/search?q=risk+assessment+matrix&FORM=IGRE&qpvt=risk+assessment+matrix#focal=5de8da492dccb1ee1ee75004bd8e9c0f&furl=http%3A%2F%2Fwww.scotland.gov.uk%2FResource%2FImg%2F247049%2F0072144.gif

RedSeal.net. Security Assurance/Cyber Defense Consultants. Retrieved Nov 14th 2010 from http://www.redseal.net/solutions/
