Two Vulnerabilities in QWD’s Network Design Pose a Threat to QWD’s Future
Submitted to: Dean Farwood
SE571 Principle of Information Security and Privacy
Keller Graduate School of Management
Submitted: January 23, 2011
Table of Contents
Executive Summary 3
Company Overview 3
Company Vulnerabilities 4
Corporate Website accessible to customers should be on its own web server in a Demilitarized Zone (DMZ). 4
Microsoft SharePoint can potentially allow Remote Code Execution. 5
Works Cited 7
Purpose of this report is to inform of the possible threat that faces Quality Web Design (QWD) as it continues to improve it services to its customers and provide ...view middle of the document...
I will elaborate further on these two issues in this report and potential solutions to thwart or mitigate an attack.
Quality Web Design (QWD) is an organization that specializes in Web site and Web content design for all types of businesses. QWD's mission is to provide top quality Web design that will increase consumer generated revenue to QWD's customer Web sites. QWD's database contains over 250,000 proprietary images and graphical designs that will enhance most Web site's appeal to a target demographic.
Corporate Website accessible to customers should be on its own web server in a Demilitarized Zone (DMZ).
It is a given that any web server exposed to the Internet will come under attack. In maintaining and fostering a good relationship with its clients, QWD provides its client access to its corporate web site. Yet, QWD’s intranet is also being hosted on the same web server. As websites become more functional QWD’s network design can be at risk should the corporate website become subject to web malware attack. R. Chakraborty (2010), Microsoft® MVP – Consumer Security expert, maintains that “…the Web has …become the primary vehicle for the Malware to enter…[corporate network]…network” (p. 20). This shows that malware can potentially find its way into corporate network through its web presence potentially exposing QWD’s to greater risk and threat. Since, a website is up 24/7 this risk is potentially high if measures are not taken to mitigate this risk.
What is more alarming is that a well-crafted attack can potentially go unnoticed by Intrusion Detection Systems and firewall making it extra difficult to defend and protect vital assets. Easily accessible tools that can be downloaded on the Internet can be used to craft malicious client side scripts and then obfuscated. According to Chakraborty (2010), “This method is… very successful way to evade detection from signature based security applications such as Intrusion Prevention Systems (IPS), Malware Scanners or Web Filtering softwares” (p. 14). Even though QWD’s web service is behind a Juniper ISG2000 integrated Firewall, VPN, and Intrusion Detection and Prevention system such an attack can still make the corporate website and intranet vulnerable and expose the entire corporate network and...