Fabrikam Inc. is a defense contractor that develops weapon solutions for the U.S. military. The head office is located in Washington, D.C., and research offices are located in New York and San Francisco. Manufacturing plants are located in Detroit and Albuquerque, and warehouses are located in Houston and Miami. The company's office locations are illustrated in Figure 17.1.
Figure 17.1 Fabrikam locations
Fabrikam has implemented a single-domain model for its Microsoft Windows 2000 domain and is using corp.fabrikam.tld as its forest root domain. Each location is defined as a separate site and is connected to the head office in Washington with a 1.544 megabit-per-second (Mbps) link.
Fabrikam has recently been the victim of a hacking attack. Plans for an advanced radar system that Fabrikam is developing were published in a technology magazine. Both upper management and the U.S. government are furious. Several business partners, including the Department of Defense, are questioning whether Fabrikam has implemented sufficient security to allow them to continue working together. The source of the hacking attack isn't yet known.
The Internal Audit
To determine the cause of the break-in, Fabrikam has hired an Internet security firm to evaluate the current network and determine the cause of the hacking attack. The Internet security firm has determined the following:
- Several projects were deployed before the security configuration was completed. Pressure from outside vendors to complete projects on time forced Fabrikam to deploy certain projects before all security was in place.
- Fabrikam was involved in several projects. Members of one project were unaware of the security issues and designs that were being developed for the other projects. In several circumstances security configuration design was duplicated, and the security implemented for one project weakened the security for another project.
- Fabrikam didn't have a clear corporate policy on security. The security firm couldn't determine the acceptable level of security for Fabrikam because Fabrikam had no company literature describing its acceptable risk level.
- The delays in security projects were related to Public Key Infrastructure (PKI) design issues. Upon further inspection, the security firm found that the tasks related to the PKI design were unassigned. When questioned, the Information Technology (IT) manager revealed that no one had ever been hired to design the organization's PKI. Fabrikam doesn't have any staff personnel with the necessary skills to design a PKI solution.
The Radar System Project
Fabrikam is developing an advanced radar system for the Department of Defense. The radar system can detect stealth-class aircraft.
The radar system designs are stored on a server named HELIOS located at the New York office. Due to the data's confidential nature, you must include the following in the security design:
- Only members of the Radar System project team can access the project server share, named Radar.
- All access to the project server requires mutual authentication of both the user and the HELIOS server. Members of the Radar System project team are using a combination of Windows 98–, Windows NT 4.0–, and Windows 2000–based computers.
- E-mail sent between members of the project team must be protected against inspection and modification.
- All attempts to access the data stored at the HELIOS server must be logged for subsequent review by administrators.
- Members of the project team require varying levels of access to the data stored on the HELIOS server. You need to configure security to allow varying levels of access without granting excess privileges to any member of the project team.
The following personnel have volunteered to help develop the security plan for the Radar System project:
- John Chen, manager of the IT department
- Scott Cooper, systems technologist for the New York office
- Kaarin Dolliver, technical lead of the Radar System project
- Beth Parsons, manager of the Radar System project
- Claus Romanowsky, administrative assistant, New York office
- Lani Ota, security manager, Fabrikam Inc.
- Shelly Szymanski, Human Resources manager
- Jeffrey Weems, graphic artist at the New York office
- Rob Young, developer of the Radar System software