Security Overview

(Aircraft Solutions)

followed by an analysis of the degree of risk present. a well respected equipment and component fabrication company. i. This is a significant vulnerability. . careful consideration has narrowed my focus down to the areas of hardware and policy. including the electronics. and policy. but the Commercial department is connected straight to the Internet. The Defense Department must be routed through Headquarters.Introduction The following report concerns a security assessment of Aircraft Solutions (AS). The second weakness I have pinpointed is the security policy stating router and firewall rulesets should be evaluated every two years. software. providing full spectrum design and implementation solutions to multiple industries. Such a time span between rule-set evaluations is also a substantial liability to the continued and unimpeded success of the organization. Aircraft Solutions employs a range of highly qualified professionals and houses an immense production plant. To accompany the exposed weaknesses. an evaluation of the associated threats will be deduced. I find it very curious that there is no firewall implemented between the commercial division and the Internet. in the area of hardware. hardware. My primary objective in this assessment is to identify the existence of vulnerabilities present within the global context of AS operations. commercial. aerospace. with an overall goal of providing high-quality solutions to accommodate specifications from a wide range of customer demands. consideration of the consequences resulting from the unfolding of potential threats will be given due attention. Assessment Of the three given areas of potential investigation pertaining to AS.e. More specifically. Lastly. and defense sectors. Further elaboration of the identified security vulnerabilities is presented below.

To help illustrate the risks of such a threat occurring. which is effectively equivalent to inviting the world in to see everything there is to see. The fact remains in either case that there is a significant increase of this division of AS operations to outside threat. (Northrop. . classified divisional statistics pertaining to budgets. this might include AS’s commercial client’s confidential information. etc. I’ll utilize the typical Risk Matrix. In one view of AS’s network infrastructure. connected to the Internet. deadlines. to include the military. 2010) In this case. Risk Management website. The threat here is characterized by the inability of the CD to filter web traffic. The threat is an open exposure to the uncertainties of the Internet. which is commonly used by a number of companies and organizations. T. or contracts. to any number of automated or personalized attacks or attempts to exploit company vital statistics and/or confidential or classified data. The vulnerability is the absence of a firewall. it even appears as though the CD must transmit through the Internet in order to connect to Headquarters. confidential employee information.Hardware Vulnerabilities The issue pertaining to Aircraft Solution’s hardware weakness is that of the lack of adequate protection implemented between its Commercial Division and the rest of the world. This matrix was borrowed from the Scottish Government’s.

which would then naturally lead to devastation for the clients as well. being characterized in the chart either by orange or red. this brings the level of risk to a near state of emergency. . until such a time as either a tremendous loss of monetary assets and reputation were lost. There are many vendors who specialize in constant rule-set monitoring. which prevent the exploitation of vulnerabilities caused by outdated security configurations. the potential consequences would be marked ‘Extreme’. which could lead to the possible tampering with of client orders. the data could be exploited in such a way as to be manipulated for years undetected. Policy Vulnerability The vulnerability in company policy exists in its security directive stating rulesets for routers and firewalls be evaluated at intervals of two years.Because the possible consequences of the threat of company infiltration by malicious parties could result in not only devastating company-wide data leak but also the potential of client data exploitation. leading to countless losses on all fronts. or even blackmail. Of the associated likely consequences of a worst-case scenario. modification. or worse yet. Because the likelihood is not only possible. The information could be sold to a rival organization. a lot can happen in two years to warrant a much more frequent evaluation timeline. Obviously. which would likely be cause for continue suffering. but quite feasible between likely and certain (optimistically).net. like RedSeal. which could then effectively be used to gain considerable competitive advantage over AS. where all of the company’s data were hi-jacked. the severity of the event would be factored by all of the client’s data being exposed.

in short. and the chances of such vulnerabilities being exploited would logically agree with a ‘possible-to-likely’ rating on the risk matrix. This could amount to forced resignations. when the most damage to the company. the potential exists for malicious programming initiated by hackers to exploit these out dated rule-sets. lost monetary assets. public image. with a little imagination. could be likened to a bank that accumulated too much money to keep in their vault. decided to store it in the lobby instead. and so too should the rule-sets for router and firewall security configurations. Leaving rule-sets stagnant for two years presents the risk of improperly configured security configurations for firewalls and routers due to the natural evolution of the company’s assets and network infrastructure. and then the opportune time is waited for. because there isn’t any way to know how much the company would change in two years. and as a result. as does the company’s exposure to threat.I was unable to find a definitive and quantitative rule for exactly how frequent the evaluation of rule-sets should be conducted. if there were no changes. it is change. or any number of factors bearing influence upon the organization. but in consideration to the natural contractions a company undergoes in response to sales fluctuations and the economy. In the worst case scenario. expansion. but if one thing has been consistent throughout the ages. certain measurable changes within the company’s infrastructure should be expected to change. than two years may suffice. As a result. Feasibly. but out dated rule sets would potentially dictate the wrong rules at the wrong time for the wrong reason. and/or benefit to the hacker might be caused. . The likelihood of this vulnerability being exploited by hackers isn’t at first glance as high as the risk present in the last example. The consequences of these potential vulnerabilities being exploited could be numerous and severe. and a shrunken client base. lawsuits. an intelligent IT employee alerts a group of malicious persons of the weakness. then the vulnerability grows with time. or they could amount to a disgruntled ex-employee causing harm through unexpired access rights. Perhaps not as blatantly drastic. lost contracts. Outdated rule-sets. disaster. If indeed significant change within two years can be assumed. which could lead to disaster.

http://www. Retrieved November 14th.gif Microsoft/Technet.References Northrop. (2010). Firewalls.redseal. Security Assurance/Cyber Defense Consultants. Risk 2010 Retrieved Nov 14th 2010 From. Retrieved Nov 14th 2010 q=risk+assessment+matrix&FORM=IGRE&qpvt=risk+assessment+matrix#focal=5d e8da492dccb1ee1ee75004bd8e9c0f&furl=http%3A%2F%2Fwww. http://www.aspx#XSLTsection12312112020 The Scottish Government: Model for Organizational Risk Management. .

Master your semester with Scribd & The New York Times

Special offer for students: Only $4.99/month.

Master your semester with Scribd & The New York Times

Cancel anytime.