Category list

Case Study

< Day Day Up >

Case Study

You should give yourself 20 minutes to review this testlet and complete the questions.

Background

Infinite Horizons is a human resources consulting firm. It is located in Rochester, NY. It has been growing at the rate of 20 percent a year and currently has 200 employees at its headquarters in Rochester. Approximately 175 of the 200 employees are consultants. The consultants often work at many of the customers’ sites.

Computers

The network headquarters consist of 13 Windows Server 2003 machines and 200 Windows XP Professional workstations. Of the 200 workstations, 175 are laptop users. One of the servers is running SQL Server 2000 to support a Customer Relationship Manager (CRM) for the sales department. The company maintains a firewall. All the users have been granted dial-in permissions. The company maintains a VPN server and dial-up access because most of the employees connect from remote locations to the network. Employees can also use Outlook Web Access (OWA) to check their e-mail via a web browser.

WAN Connectivity

The company has a DSL connection to the Internet at 1.5Mbps.

LAN Connectivity

The LAN runs on a 100Mbps network.

Security

The folks at Infinite Horizons pride themselves in maintaining confidentiality of all customers’ data; therefore, security is very important to them. They have implemented password policies and their internal network is protected by a firewall. They have had laptops stolen that contained customer data in the past. They have also had some internal security lapses where shares had the incorrect permissions and employees had access to confidential customer data.

Infinite Horizons needs to protect data between its customers and its corporate headquarters.

Network Usage and Roles

Human Resources Department The HR department uses a database application to maintain resumes and employee information. It also has a file server that stores additional employee confidential information like annual reviews.

IT Department The IT department maintains and supports the network. Members of this department implement physical and network security.

The help desk resolves first-level support issues and issues with employees’ computers.

The server administrators group builds the network and resolves the company’s server and network issues.

Sales Department The sales staff stores shared documents in a share called SALES and personnel sales documents on their local computers. They also need access to a SQL Server 2000 server that hosts their customer relations application and a lead-tracking system. They need to store some of the data on their laptops so it is available whenever they are not connected to the network.

Consultants Consultants use the network to communicate with each other. They are required to fill out forms in the intranet-based time tracking application. They also need to get access to proposals that certain managers are working on to help author them, and they need secure access to their e-mail through the Web.

Security Policy

All users must securely authenticate on the network.

Data that is stored on laptop computers must be secure.

< Day Day Up >

Case Study Questions

1.	What are the two primary risks to security for Infinite Horizons? Customer data on stolen laptop computers Denial of service attack on the Outlook Web Access server Unauthorized access of the network via the dial-in server Unauthorized access by employees to network data Unauthorized access by employees to the customer relationship database Unauthorized capturing and reading data being transmitted over the VPN connection to the company
2.	What are the four security priorities of Infinite Horizons? Preventing denial of service attacks on the Outlook Web Access server Preventing unauthorized network access Securing communications to client sites Protecting employee data on laptop computers Isolating the HR network from the rest of the network via an internal firewall Providing SSL access to intranet resources Secure authentication of all users Enabling Windows Only authentication on SQL Server
3.	What kind of technology would you use to secure data on the laptop computers? NTFS permissions Encrypting file system Biometric scanner for reading employee fingerprints A strong password policy
4.	What technologies would you implement to guard against data corruption? (Choose all that apply.) Virus scanner Backups Access control Smart card reads Data Encryption
5.	What security policy statement would apply to Infinite Horizons? Employees must use strong passwords to access the network as defined by the network administration group . Employees must not lend their smart card to anyone . Employees will not store company data on their laptops. Hardware that requires user interaction must support a smart card reader.
6.	What technology should Infinite Horizons employ to make sure data moving between it and its clients is secure? TCP/IP Firewall Encryption Dial-up
7.	What technological limitation will Infinite Horizons face with regard to implementing security? Password policy cannot be enforced. Consultants may not be able to connect securely from client sites. Laptop data will not be secure. Data exchanged with clients will not be secure.
8.	What compromises will Infinite Horizons have to make to integrate security with a customer’s network? (Choose all that apply.) Different password policies Data not confidentially exchanged Separate passwords, no single login capability No access control of the data
9.	What is the most important goal when securing assets that Infinite Horizons needs to address in its security policy? Integrity of the SQL Server 2000 database Confidentiality of customer data Physical security of the laptop computers Availability of the Outlook Web Access server
10.	What would be included in the security baseline for a laptop computer at Infinite Horizons? Employees must use a smart card to log on to the laptop. Back up the SQL Server database’s transaction logs every three hours and perform a full backup every night. Passwords must have at least eight characters and be complex. Confidential customer data must be encrypted on a laptop.

Answers

{% if main.adsdop %}{% include 'adsenceinline.tpl' %}{% endif %}

1.	A, D. All of the answers describe possible risks to the Infinite Horizons network, but you need to consider probability when determining primary risks to the network. Because the company has had laptops with customer data on them stolen in the past and has had issues with employees having unauthorized access to network data, these two options have a higher probability of occurring and need to be mitigated.
2.	B, C, D, G. You need to pay attention to any primary security risks that you have identified and the new security features that the customer would like implemented when deciding the security priorities of a company. Infinite Horizons wants to secure communications to client sites and, through strong password policies, secure authentication of users. It also recognized that data is compromised when laptops are stolen or employees have unauthorized access to resources.
3.	B. Encryption would afford the best protection to the company’s data if it was stolen or lost, which Infinite Horizons considers a risk because it has experienced it in the past. Another option would be to just not allow certain data to be stored on a laptop. NTFS permissions can protect data through access control and are important, but if someone has physical access to the hardware, NTFS permissions can be easily overcome . Likewise, a biometric scanner and strong passwords can be defeated if an attacker has physical access. In the case of Windows, an attacker can just install another copy and use the built-in administrator to access the data, and it is not too difficult to write a program that will read raw data off a hard drive.
4.	A, B, C. Virus scanning helps prevent data corruption due to viruses, Trojan horses, and worms. Controlling access to data will prevent unauthorized users from corrupting or deleting the data. However, because neither virus scanning nor access control is one hundred percent successful, you will need to make sure that you have good backups and can successfully restore them when needed. Smart card readers and data encryption don’t protect the data from corruption. Smart card readers are used to authenticate the user. This information is certainly useful when creating access control lists, but it is not directly related to preventing data corruption. Data encryption guards against a compromise in confidentiality of the data. Encrypted data can still be corrupted.
5.	A. Option A is the only statement that applies to Infinite Horizons according to the scenario. Infinite Horizons does not use smart card technology, so its policy would not mention smart cards. Infinite Horizons allows company data to be stored on laptops and, according to the scenario, wants to address the issue of protecting it because laptops have been stolen.
6.	C. Encryption is the way to secure data that is moving through a public network like the Internet. TCP/IP is the protocol of the Internet, but it does nothing to secure data. A firewall can prevent certain data from entering or leaving the company, but once the data is out on the Internet, a firewall is of little use. Dial-up access is usually over a public network and data would still need to be protected with encryption.
7.	B. The consultants work at client sites much of the time and may not be able to use a VPN or other secure method to access their company resources. Password policy can be enforced with the Windows Server 2003 Security Configuration And Analysis snap-in. Laptop data can be secured with the Encrypting File System (EFS). Data can be exchanged with clients over an agreed-upon technology like HTTP-S or IPSec.
8.	A, C. Infinite Horizons will not use the same technology for authentication as its customers use so, due to technical constraints, will need separate passwords for the customer’s network. This may lead to employees at Infinite Horizons having to deal with different password policies. Confidential exchange and control of data is a requirement for integration, so no compromises will be made in these areas.
9.	B. While all these goals are important to Infinite Horizons, the company has stated that the confidentiality of customer data is the most important directive. If there are trade-offs to security due to technical limitations or resources, confidentiality of data will be the priority.
10.	D. The security baseline would include all of the procedures necessary to implement the security policy for the technology in question. The security policy for Infinite Horizons does not mention smart cards, so smart cards would not be necessary to access laptops. Performing backups of the SQL Server database would be part of the SQL Server baseline but not the baseline for the laptops. The security baseline for accounts would mention the password policy, but again this does not apply to laptop users.