Conducting a security audit in an enterprise is essential, considering that “[e]very enterprise faces a multitude of risks”, many of which are related to information systems (Dunn, Cherrington, & Hollander, 2004). The latter is especially true for organizations with connections between the public internet and their internal network. Huffman Trucking is a US-based, privately held logistics company operating since 1936. The company’s information system connects the company’s intranet to the public internet. The present report identifies and assesses the organization’s information security.
The company’s information system infrastructure consists of networks in four geographical locations, California, Missouri, New Jersey, and Ohio, which are divided between offices and plants. The users of the systems can be divided between employees and customers.
The methodology followed in investigating the security system of Huffman Trucking can be divided into several stages. In the first stage, a preliminary risk analysis was conducted, analyzing the potential threats that can be identified and the types of risks they can carry for the organization. The threats and the risks were identified through a review of class readings and an analysis of the network layout of the company provided on the intranet website. The preliminarily identified risks can be seen in Appendix A. The highlighted elements in the list indicate those added after an analysis of the vulnerabilities in the system. As more vulnerable elements were revealed, more threats and risks emerged that were not identified through the preliminary analysis. A follow-up analysis was conducted on the vulnerabilities.
Vulnerabilities are the weaknesses in the system that enable the threats and the risks identified in the previous section to materialize. The vulnerabilities of the system were identified through an investigation of the company’s information, the results of which can be found in Appendix B. Finally, a cross-over matrix was developed in which the risks and the vulnerabilities were assessed through assigned ranks. The ranks were assigned by analyzing the probability of the risk and the impact that will occur if it takes place. It should be noted that common risks and threats were grouped based on the similarity of the act itself. The probabilities and the impacts are taken from an analysis of the network diagram of the company and a review of the literature on the frequency and impact of common risks. The results of this investigation can be viewed in Appendix C.
The results of the analysis revealed that the highest risks are associated with those threats whose impact and probability are the highest. Such results are largely based on some of the characteristics of the network in the organization, namely the topology of the network, the absence of data protection means, and the physical security represented through the identification of people allowed to physically access IT infrastructure components, such as servers and routers (Drumheller, 2010). The intrusion and interception probability can be evaluated through market dynamics on intrusion prevention systems (Shaw, 2009). In that regard, the main threats and risks in Huffman Trucking are as follows:
- Correspondence interception.
- Loss or deletion of information.
- Unauthorized access to software, databases, and servers.
- Intrusion into servers and databases.
- System failure of servers.
The recommendations that can be provided for the company can be divided into several categories based on the security pillar they concern. The five pillars are authentication, identification, privacy, integrity, and nonrepudiation (McNurlin, Sprague, & Bui, 2009). Crucial vulnerabilities can be seen in authentication and identification, which becomes apparent when analyzing the internal protection measures implemented in the company. The recommendations that can be provided in this area are related to technologies and policies, which can be seen through the role control center (RCC). The purpose of such a tool is to increase internal security by enabling centralized management of “authorization for resources distributed throughout the enterprise” (Ferraiolo, Ahn, Chandramouli, & Gavrila, 2003). The use of RCC is related to logical access controls, which make it possible to control which users reach which access points in networked information systems. Such controls determine which functions each user will be able to perform, which databases he/she will access, and which software users will be able to use (Dunn, et al., 2004, p. 453). This recommendation addresses the identification pillar of security, while for authentication, the company might aim to use means better than simple passwords. The reliance on passwords as a means of authentication is a weak form of protection, as they can “quickly get into the wrong hands and provide unauthorized access to the system” (Dunn, et al., 2004, p. 453). Other forms of protection that can be considered might include biometric scanners or smart cards and tokens. The benefit of the latter is that their loss can be noticed, as opposed to password theft.
The roles and the privileges can be used to limit the rights of the users to install third-party software and to use external devices in the system. As for surfing patterns, such aspects might be hard to control, specifically when it comes to drawing the line between sites that are appropriate and those that are not. An example of the latter can be seen in some companies limiting the access of their employees to social network websites, while other companies use a social network as a part of website continuity plans where “officials can leverage these sites to maintain contact with critical customers and business partners” (Barr, 2010). Thus, a policy should be developed to address unauthorized use of computer systems and networks, or what is called “time and resource theft” (O’Brien & Marakas, 2009, p. 526). The policy should inform employees of the guidelines for surfing the web and of the means that will be used to monitor their activities. Additionally, limiting external risks of intrusion and protecting information can be achieved through intrusion detection and prevention systems (IDPs). Such a solution can be used in addition to firewalls to provide complex protection from external threats.
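The centrally managed, role-based logical access control recommended above can be sketched as follows. This is an added example, not code from the report or from the Role Control Center tool; the role names, users, and resources are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample data: a permission is an (action, resource) pair.
ROLE_PERMISSIONS = {
    "dispatcher": {("read", "db:shipments"), ("write", "db:shipments"),
                   ("run", "app:routing")},
    "accountant": {("read", "db:billing"), ("write", "db:billing"),
                   ("run", "app:ledger")},
    # Only IT administrators may install software or mount external drives.
    "it_admin": {("install", "software"), ("mount", "usb")},
    "customer": {("read", "db:own_orders")},
}
USER_ROLES = {
    "alice": {"dispatcher"},
    "bob": {"accountant"},
    "carol": {"it_admin"},
    "cust-1001": {"customer"},
}


@dataclass
class AccessControlCenter:
    """Single decision point: users get rights only through their roles."""
    role_permissions: dict
    user_roles: dict
    audit_log: list = field(default_factory=list)

    def permissions_of(self, user):
        perms = set()
        for role in self.user_roles.get(user, ()):
            perms |= self.role_permissions.get(role, set())
        return perms

    def is_allowed(self, user, action, resource):
        # Deny by default: unknown users, roles, or pairs get no access.
        allowed = (action, resource) in self.permissions_of(user)
        verdict = "ALLOW" if allowed else "DENY"
        self.audit_log.append((user, action, resource, verdict))
        return allowed

    def denied_events(self):
        # Denied requests are the ones worth reviewing for misuse.
        return [e for e in self.audit_log if e[3] == "DENY"]

    def holders_of(self, action, resource):
        # Access review: list every user who holds a sensitive right.
        return sorted(u for u in self.user_roles
                      if (action, resource) in self.permissions_of(u))
```

Because every decision passes through one object, changing a role's permission set changes the rights of all its holders at once, and the audit log gives the monitoring trail that a web-use or device policy depends on.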
To target the interception vulnerability, including emails and/or any other means of information exchange between the intranet and the internet, encryption should be considered within the security plan of the enterprise. Encryption protects data transmitted from and to the system. Considering the size of the organization and its network, hardware solutions are preferred in this case over software solutions, although an integrated approach combining both might be the optimal suggestion (Shaw, 2009).
Finally, measures to address continuity should be implemented to target continuous operation of the intranet, covering both the outward-facing and the internal components of the system. Analyzing the network of the company, it can be seen that some of the data in the system are protected through RAID (redundant array of independent disks) (Beekman & Beekman, 2010). Such a method of data protection should be extended throughout the whole enterprise, adding other means that provide strategic recovery plans for the organization. Backup servers should be considered by the company, or it can outsource data center management to a third party. A “professional-grade data center that is located separately from the customer’s primary equipment” will make sure that the data will be protected, while the company itself might manage the equipment and the protection of the data center, an approach that is gaining popularity, called co-location (Barr, 2010).
The present paper analyzed the security risks and vulnerabilities in Huffman Trucking. The analysis revealed several areas of concern, which are related to authentication, identification, and protection. Several recommendations were provided to address those risks and threats, including a role control center, access control, and web use policies. For external risks, encryption and intrusion detection and prevention solutions can be considered by the company.
References
Barr, J. G. (2010). Business Continuity for Web Sites. Faulkner Information Services. Web.
Beekman, G., & Beekman, B. (2010). Tomorrow’s technology and you (Introductory, 9th ed.). Upper Saddle River, N.J.: Pearson Prentice Hall.
CVE. (2002). Security Vulnerabilities Published In 2002 (Overflow). CVE Details. Web.
Drumheller, R. (2010). Conducting an Information Security Gap Analysis. Faulkner Information Services. Web.
Dunn, C. L., Cherrington, J. O., & Hollander, A. S. (2004). Enterprise information systems: A pattern-based approach. McGraw-Hill/Irwin.
Ferraiolo, D. F., Ahn, G.-J., Chandramouli, R., & Gavrila, S. I. (2003). The Role Control Center: Features and Case Studies. Association for Computing Machinery. Web.
McNurlin, B. C., Sprague, R. H., & Bui, T. X. (2009). Information systems management in practice (8th ed.). Upper Saddle River, N.J.: Prentice Hall.
O’Brien, J. A., & Marakas, G. M. (2009). Management information systems (9th ed.). Boston: McGraw-Hill Irwin.
Shaw, R. (2009). Intrusion Prevention Systems Market Trends. Faulkner Information Services. Web.
Appendix A: Preliminary Identified Risks
- The risk of interception of important confidential correspondence intended for internal use during the exchange with web-mail servers.
- The risk of downloading software that might contain “Trojan horses, spyware, and viruses” (Shaw, 2009); the risks include damage to information.
- The use of instant messaging might impose serious security threats, where the content of the message is sent out of the network, even through internal communication (Dunn, et al., 2004, p. 456). Thus, the content of the messages might be intercepted.
- The risk of infecting the database of the organization with malware, a Trojan, or a virus brought in through an external USB drive.
- The risk of copying confidential information to an external drive, i.e. the loss of such information, the destruction of such information, retrieval of such information by third parties, theft, etc.
- The loss of the database through logic attacks.
- Theft of customers’ personal and financial information; the risks include the loss of customers’ confidence, litigation, the loss of market share with customers going to competitors, financial losses through compensation, etc.
- Risks associated with incorrect processing of customers’ information, ordering information, and other data.
- Risk of intrusion through accessing the intranet from the outside; the risks include unauthorized access to confidential information, copying or transmitting information, installing malicious software and spyware, and DoS attacks preventing various parts of the enterprise from operating, e.g. the web server, the e-mail server, and users’ terminals.
- Network failure.
- Gaining access to confidential information.
- Intentional deletion of data.
- Changing crucial system settings.
Appendix B: Vulnerabilities
| The Component | The Vulnerability | The Reason |
|---|---|---|
| Physical: | | |
| System: | | |
| Logical: | | |
Appendix C: Forced Ranking
| Vulnerabilities | Servers | User terminals | Mail servers | Database | Web servers | Software and applications |
|---|---|---|---|---|---|---|
| Loss or deletion of information | 3 | 2 | 3 | 3 | 3 | 1 |
| System failure, e.g. outage, network failure, denial of service, website interruption | 3 | 1 | 2 | 3 | 3 | 2 |

High probability / high impact: 3
Medium probability / medium impact: 2
Low probability / low impact: 1