Security Risk Assessment for Quality Web Design
Ting Yin
Submitted to: Jude Lamour
SE571 Principles of Information Security and Privacy
Keller Graduate School of Management
Submitted: November 16, 2014
Table of Contents
Executive Summary
Company Overview
Security Vulnerabilities
Threats
Risk Assessment
The Consequence
The Effects on the Company's Competitive Advantages
The Definition of Solution
Justification
Impact on Business Processes
Reference
Executive Summary
The Dell SonicWALL Firewall TCO tool recommends that QWD use the Dell NSA 250M and NSA 6600
and replace its current IPsec VPN. The NSA 250M and NSA 6600 appliances come with a wide range
of security protection services at a heightened level, along with additional security hardware
and software bundles. Based on a reputable technology survey, the NSA 250M and NSA 6600 are
given a rating of 5 out of 5 (NSA Review). The NSA 6600 system should be located near QWD's
office headquarters and the NSA 250M near QWD's remote office. Both NSA systems have the right
tools to protect QWD from intrusion, denial of service, and SQL injection attacks. In addition
to security protection, the NSA systems offer mobile service so that workers, business
partners, customers, clients, and QWD affiliates can collaborate online on QWD-related
projects. The remote access and connectivity can further improve QWD's business processes and
even increase revenue.
Company Overview
Quality Web Design (QWD) is a web design and development company that designs and
creates client-side web applications for different industries. The web applications that QWD
makes help its clients market their information to the outside world in the form of web
content. QWD is a basic Microsoft (MS) shop that uses Visual Studio (VS) Team Foundation
to support its image repository. For quality analysis and site development, QWD uses VS. QWD
also uses MS SQL Server and MS Exchange (SEC 517).
Two Security Vulnerabilities
In this paper, I will discuss three security vulnerabilities: one is associated with
hardware, the second is associated with software. The first vulnerability is found within the
network infrastructure (hardware). The second vulnerability is associated with a SQL injection
attack on the client’s web page (SEC 517).
Threats Against VPN or Server
In this section, two threats against a VPN will be discussed: 1) intrusion; 2) denial of
service. Intrusion is a threat that gives an unauthorized outsider the opportunity to access
and take control of parts of the VPN. The affected parts could be internal computers,
servers, network elements, and other network components. To reach internal information or
equipment, the intruder first injects code for traffic control into the VPN. In the simplest
case, the intrusion and unauthorized internal control consist of sending a single IP packet
to a destination in the VPN (Threat Against).
Terminals, phones, and other mobile devices that are left open and unattended are
one of the primary reasons that an unauthorized individual can gain access to the internal
resources that lie within QWD. “VPNs will likely continue to be the weakness link in an
organization’s security infrastructure for some time to come.” (VPNs Virtual) Any organization
is only as secure as its weakest link or connection. VPNs provide a false sense of security,
due to “poor implementation and maintenance.” The VPN can perhaps be considered one of the
weakest links in QWD (The Myth).
Denial of service (DoS) is another outside threat against the VPN. Unlike the intrusion
discussed above, DoS prevents others from accessing the web. To carry out a DoS attack, the
attacker first needs to be able to inject packets into the trusted zone of the VPN. A DoS
attack can also affect a VPN user indirectly: when a PE router is hit by a DoS attack, a VPN
connected to that PE router can be negatively affected in turn (Threat Against).
The third threat is the potential insertion, or injection, of SQL code into a client’s web
application. SQL injection is one of the most prevalent and destructive system attacks. The
Open Web Application Security Project (OWASP) points to SQL injection as the number one threat.
Injecting extraneous code into text boxes can potentially debilitate the entire database. SQL
injection can be used to perform the following types of attacks: it can allow a hacker to log
on illegally to the internal application, to gain the privilege to manipulate the data stored
in the database, and to disclose confidential information (SQL Injection).
Risk Assessment
In 2006, the U.K. Department of Trade and Industry (DTI) surveyed businesses about security
incidents and released the results. Of the organizations surveyed, intrusion was constant at
17 percent over the survey period, and failure of equipment was up to 29 percent
(Pfleeger, 256). In an official study, 87 percent of the businesses surveyed had suffered
anything from a service degradation up to a full outage in 2013 from a DDoS attack
(XAND LAUNCHES). SQL injection was found to be one of the six most commonly reported
threats for Web applications. SQL injection, along with the other top five threats, accounted
for 40 percent of the threats found in 2012 (HP 2012).
Level of Risk and Its Influence on QWD Operation

Threat               Level of Risk
Denial of Service    4
Intrusion            3
SQL Injection        3

4 - Critical: QWD's business will not be operational when it encounters the listed type of threat.
3 - Medium-Critical: QWD's business can still somewhat manage its operations, but it has to do
so under the interference caused by the threats.
The Consequence
The consequences of a security breach through the VPN can include the theft of QWD's
proprietary or confidential information, the loss of client information, the exploitation or
manipulation of confidential information, web page content modification, and so on. The
authentication method used by IPsec can weaken the authentication process and can be
unmanageable for QWD when deploying web services for multiple client organizations. Beyond
the expense and complexity associated with IPsec deployment, IPsec VPN selectors are
insufficient to meet the needs of the authorization policies that QWD must have in
today's highly regulated environment (The Myth).
To compensate for the weaker authentication of an IPsec VPN, QWD has to create relatively
more complicated constituency-oriented policies to limit user access. IPsec VPN remote
access needs VPN client software and policy configuration on the end devices. Given the
additional support and resources needed, QWD simply cannot deliver cost-effective secure
remote access to all users from all devices. When a client is connected using IPsec, every
resource inside the protected network is potentially available to that user, and therefore
vulnerable to misuse and attack from that client for the entire connection (The Myth).
DDoS attacks can cause costly and destructive downtime for the clients’ hosted
applications and resources. During the downtime caused by a DDoS attack, the users of the
websites developed and designed by QWD would not be able to access the websites or the
services that the clients offer through the web pages. In the meantime, QWD and its clients
cannot communicate with the users and the clients’ customers because the websites are not
functioning (The Myth). The Ponemon Institute “estimates that the average cost of one minute
of downtime due to a DDoS attack is $22,000. The average attack lasts at least an hour,
inflicting devastating and expensive downtime on business operations.” (Xand Launches).
Through SQL injection, hackers can obtain unauthorized access to the MS SQL 2008
database (DB) server or the DB located in the corporate office. The hackers can create, review,
insert, alter, or remove QWD images or confidential information stored in the QWD back-end
database. Through SQL injection and manipulation, the hackers can potentially lock or
delete tables stored in the DB on the QWD servers. Malicious manipulation of the data can
cause denial of service to authorized users and can grant unauthorized remote command
execution that is normally reserved for administrators (SQL Injection).
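The login bypass and data disclosure described above, as an added example that is not part of the original paper: the same always-true input is run against a query built by string concatenation and against a parameterized query. Python's sqlite3 stands in for QWD's MS SQL Server, and the table names, function names and sample rows are constructed for illustration.

```python
import sqlite3

# Textbook always-true fragment, used here only to exercise both code paths.
TAUTOLOGY = "' OR '1'='1"


def build_db():
    """In-memory stand-in for the QWD back-end database (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT);
        CREATE TABLE images (id INTEGER PRIMARY KEY, client TEXT,
                             title TEXT, confidential INTEGER);
        INSERT INTO users VALUES ('alice', 'hash-a'), ('admin', 'hash-z');
        INSERT INTO images (client, title, confidential) VALUES
            ('acme',   'logo.png',                0),
            ('acme',   'unreleased-campaign.png', 1),
            ('globex', 'banner.png',              0);
    """)
    return conn


def login_vulnerable(conn, username, password_hash):
    """BEFORE: text-box input is pasted into the SQL string, so it can change the query."""
    sql = ("SELECT 1 FROM users WHERE username = '" + username +
           "' AND password_hash = '" + password_hash + "'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password_hash):
    """AFTER: placeholders keep the input as data; it is never parsed as SQL."""
    sql = "SELECT 1 FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchone() is not None


def public_titles_vulnerable(conn, client):
    """BEFORE: the 'confidential = 0' filter can be cancelled by injected OR logic."""
    sql = ("SELECT title FROM images WHERE confidential = 0 AND client = '"
           + client + "' ORDER BY title")
    return [row[0] for row in conn.execute(sql)]


def public_titles_safe(conn, client):
    """AFTER: the same lookup with a bound parameter."""
    sql = ("SELECT title FROM images WHERE confidential = 0 AND client = ? "
           "ORDER BY title")
    return [row[0] for row in conn.execute(sql, (client,))]


if __name__ == "__main__":
    db = build_db()
    print("vulnerable login accepts tautology:",
          login_vulnerable(db, "nobody", TAUTOLOGY))
    print("parameterized login accepts tautology:",
          login_safe(db, "nobody", TAUTOLOGY))
    print("vulnerable listing:", public_titles_vulnerable(db, "x" + TAUTOLOGY))
    print("parameterized listing:", public_titles_safe(db, "x" + TAUTOLOGY))
```

Parameterization removes the injection path itself; it does not replace proper password hashing or a least-privilege database account.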
The Effects on the Company's Competitive Advantages
More of QWD's customers may go to its competitors for similar services because of decreased
trust in the security and service provided by QWD. An outage can cause an increase in the
volume of customer inquiries about the outage, which can result in a loss of revenue. Security
fears can drive a decline in stock prices and investor confidence. A compromised IT system at
QWD can also be susceptible to multiple attacks within a relatively short period of time (DDoS).
A data breach of confidential information (QWD corporate confidential information,
employee private information, and client private information) can potentially lead to lawsuits
not only against QWD itself but also against its employees. If hackers are able to
intrude into a system developed by software developers or engineers, those computer
professionals are liable to lawsuits (Five Ways).
Justification for Using Dell Sonic NSA 220 M and NSA 6600
The Dell SonicWALL Firewall TCO comparison and analysis tool and model take QWD's current
firewall requirements into consideration. Based on the client's system requirements and
configuration, the Dell TCO tool makes a product recommendation that can improve the condition
of the QWD system, and it then compares the selected Dell SonicWALL products and services with
a similar version of a Cisco solution. The solutions the TCO tool suggests for the QWD system
are the Dell SonicWALL NSA 6600 and NSA 250 (Dell).
The total TCO savings over 3 years of Dell SonicWALL NSA over Cisco ASA is
$381,405. The percentage difference in Total Cost of Ownership (over 3 years) for Dell
SonicWALL NSA over Cisco ASA is -88.4%. QWD can save at least 88.4% when it purchases
the Dell product over the Cisco version. The percent difference in the projected number of
labor FTEs of Dell SonicWALL over Cisco ASA is 74.4%. The staff to device support ratio
(Devices per 1 FTE) of Dell SonicWALL is 159.9%. Firewall TCO per user (NPV over 3 years) is
88.4% of Cisco ASA (Figure 1) (Dell).
Figure 1: Total Cost of Ownership Comparison

Total Cost of Ownership (TCO)                        Dell SonicWALL   Cisco      Difference   Percent Difference
Appliance Hardware and Support                       $41,321          $144,956   $103,635     71.5%
Additional Security Services                         $7,664           $282,512   $274,848     97.3%
Implementation / Configuration / Training            $903             $2,810     $1,907       67.9%
Ongoing Operational (IT Labor)                       $125             $1,141     $1,015       89.0%
Total TCO - Total Cost of Ownership (over 3 years)   $50,014          $431,419   $381,405     88.4%

Key Performance Indicators                           Dell SonicWALL   Cisco      Difference   Percent Difference
Projected Number of Labor FTEs                       0.0              0.1        0.0          74.4%
Staff to Device support ratio (Devices per 1 FTE)    143.7            55.3       88.4         159.9%
Firewall TCO per user (NPV over 3 years)             $50              $431       $381         88.4%
Dell SonicWALL NSA products include the Comprehensive Gateway Security Suite (CGSS),
Simple Firewall, Gateway Anti-Virus/Anti-Spyware (GAV), Intrusion Prevention Service
Bundle, Application Intelligence and Control, Content Filtering Service, Botnet Filter, Context
Aware Security Support Level, IPSec VPN License, and SSL VPN license. The cost saving of
Dell SonicWALL NSA over Cisco ASA is $157,247 and the TCO difference of Dell over Cisco is
-92.6%. This means Dell SonicWALL's security package costs 92.6% less than the Cisco version
(Figure 2) (Dell).
Figure 2: Additional Security Services Appliances and Licensing Costs

Additional Security Services Appliances and Licensing Costs                         Dell SonicWALL   Cisco      Difference   Percent Difference
Selected Deep Packet Inspection Services                                            $0               $149,847   $149,847     100.0%
  √ Intrusion Prevention Service (IPS) Appliance (Dell-Not Req.)                    $0               $86,490    $86,490      100.0%
  √ Intrusion Prevention Service (IPS) Licensing (Dell-Included) (Cisco-Included)   $0               $0         $0           100.0%
  √ Application Intelligence and Control (AIC) (Dell-Included) (Cisco-Included)     $0               $0         $0           100.0%
  √ Content Filtering Service (CFS) (Dell-Included) (Cisco-Not Incl.)               $0               $0         $0           100.0%
Selected Client Services                                                            $595             $7,995     $7,400       92.6%
  √ IPSec VPN (Dell-Included)                                                       $0               $0         $0           0.0%
  √ SSL VPN                                                                         $595             $7,995     $7,400       92.6%
Impact on Business Process
Dell SonicWALL technologies integrate both SSL and IPsec VPN into one system. The
SSL/IPsec VPN offers the capability to securely and conveniently extend corporate network
access beyond managed desktops to different user services. Secure Remote Access, powered by
the SonicWALL SSL/IPsec VPN edition, enables QWD to securely and seamlessly provide
access to authorized company resources to a wide range of users, contractors, and business
partners on a wide variety of mobile and fixed workstations (NSA 6600, NSA 220).
With inclusive support for unrestricted full-network access, as well as controlled access to
select web-based applications and network resources, the SonicWALL VPN network platform
provides the flexibility needed by any VPN deployment in QWD. The VPN provides an effective
and efficient combination of seamless controlled access, firewall, intrusion prevention
inspection, and web threat prevention that empowers QWD's mobile workers to be productive
while protecting corporate assets and interests (NSA 6600, NSA 220).
Combining SSL and IPsec VPN technology into one platform can deliver a highly
customizable, simple, and flexible one-box solution for VPN deployment environments, and
reduce the expense of deploying remote-access solutions (NSA 6600, NSA 220). Through
client-based SSL or IPsec VPN, corporate-managed laptops can seamlessly access QWD
corporate network resources remotely. Through clientless SSL VPN, remote users such as QWD
clients may gain access to web-based applications from their terminals. Business partners or
other professional affiliates can access specific QWD resources and applications.
The NSA 6600 should be located in the corporate office. The NSA 6600 supports a wide range of
deployment and application environments, and it delivers maximum value to QWD with the
most comprehensive set of Secure Socket Layer (SSL) and IP security (IPsec) VPN features,
performance, and scalability (NSA 6600, NSA 220). The solution comprises a single
unified platform: the NSA 6600 with the Secure Mobility Solution enables QWD to use a highly
effective combination of seamless controlled access, firewall, intrusion prevention inspection,
and web threat prevention that enables QWD's mobile workers, stationary workers, and clients
to be productive while helping to improve corporate profit by increasing sales. With Dell's
inclusive support for unrestricted full-network access, as well as controlled access to select
web-based applications and network resources in QWD, the platform provides the flexibility
required by any VPN deployment in QWD (Figure 3) (NSA 6600, NSA 220).
Figure 3: Dell NSA 6600 in Corporate Headquarter Office
Figure 2: Dell NSA 250 M in Remote Office
NSA 250M and NSA 6600 Expert Rating

Category           Rating
Feature            5/5
Ease of Use        5/5
Performance        5/5
Documentations     5/5
Support            5/5
Value for Money    5/5
Overall Rating     5/5
The wireless network capabilities offered by the NSA 250M and NSA 6600 can empower
mobile workers, who can work anywhere while protected by the security services of the Dell
technology. Based on the survey answered by users of the NSA system, it seems that all of
these users are 100% satisfied with the system. They give it 5 out of 5 for overall rating
(NSA Review). Allowing employees the option to work at home at certain times of the week can
improve business results. Evidence has shown that around two thirds of people want to work at
home, and eighty percent of the employees who took the survey consider telework a perk.
Approximately 6 out of 10 employers identify telecommuting as a cost-saving plan for the
employer. IBM saves $50 million in real estate costs, and Nortel saves $100,000 per employee
who works at home. Sun Microsystems saves $68 million a year from its telecommuting workers
(Advantage).
Using Dell to brand its business can potentially attract more customers to QWD. Once
customers understand the heightened level of protection offered by Dell technology, they will
be more willing to do more business with QWD or even to recommend more customers to QWD.
Quality Web Design can potentially experience fewer incidents of system malfunction and data
breach resulting from intrusion, denial of service, SQL injection, or other attacks. Having
fewer incidents can potentially reduce the time and expense involved in the litigation
workload and the cost associated with data breaches and unauthorized access.
Hard Solution and Security Service Solution
Dell SonicWALL is a multi-service platform. The security protection extends from the
network core to the perimeter of the system. Unified Threat Management (UTM) integrates
support from SonicWALL’s Gateway Anti-Spyware, Anti-Virus, and Intrusion Protection
service and application. Together these security appliances deliver real-time protection
against innovative mixtures of threats that include intrusion threats and SQL injection. The
effective combination of protection against application-layer and content-based attacks gives
a heightened level of gateway protection that defends against multiple threats coming from the
access points (AP) and thoroughly looks through all network layers for threats that either
involve or include intrusion (NSA 6600, NSA 220).
The Dell SonicWALL Intrusion Prevention System (IPS) Service provides network
protection 24 hours a day, 7 days a week. Its major specification is 4.5 Gbps, Maximum
Inspected Connections is 500,000, and New Connections per Second is 90,000. Dell’s IPS
Service is activated on the Dell SonicWALL Network Security Appliance (NSA). IPS provides
high-performance deep packet inspection with countermeasures for complete protection
against application exploitation and malicious traffic. The Dell IPS service is scalable to
serve organizations of all sizes. When QWD expands its business and has more customers, it
can still use the Dell SonicWALL system. IPS provides a layer of security enforcement and
protection between each network zone and the Internet and between Internet zones for additional
security against intrusion (NSA 6600, NSA 220).
IPS provides bi-directional, full-stack inspection that checks inbound and
outbound critical application traffic, providing defense against a wide variety of attacks,
such as SQL injection, cross-site scripting, remote code execution, shell code payloads, and
remote procedure calls. Its payload inspection spans a wide range of protocols,
including MySQL, TCP, DNS, HTTP, HTTPS, SMTP, SNMP, POP3, FTP, Telnet, RTP, etc.
The firewall and networking part of the Dell SonicWALL offers SYN flood protection. SYN flood
protection provides a defense against DoS attacks using both Layer 2 SYN blacklisting and
Layer 3 SYN proxies. It provides the ability to defend against DoS/DDoS through UDP/ICMP flood
protection and connection rate limiting (NSA 6600, NSA 220).
Dell SonicWALL Virtual Private Networking technology can make network and
security management more efficient for network managers and administrators. Using the Dell
SonicWALL VPN, network managers can establish a more secure and extensive VPN that is easier
to control and manage. Dell SonicWALL VPN technology includes integrated IPSec VPN for
securing site-to-site communication. The VPN technology offers both SSL VPN and IPSec VPN
for secure remote client access. The VPN technology line also offers a complete set of Secure
Remote Access/SSL VPN appliances that bring remote access and management capabilities
to organizations of a wide range of sizes, with varying network complexities, specifications,
and security requirements (NSA 6600, NSA 220).
Dell NSA 250 M Specification

Operating system                           SonicOS 5.9
Security Processor                         2x 700 MHz
Memory (RAM)                               512 MB
Firewall inspection throughput             750 Mbps
Full DPI throughput                        130 Mbps
Application inspection throughput          250 Mbps
IPS throughput                             250 Mbps
Anti-malware inspection throughput         140 Mbps
IMIX throughput                            210 Mbps
SSL Inspection and Decryption (DPI SSL)    Available
VPN throughput                             200 Mbps
VLAN interfaces                            35

VPN
Site-to-Site VPN Tunnels                   50
IPSec VPN clients (Maximum)                2 (25)
SSL VPN licenses (Maximum)                 2 (15)
Encryption/Authentication                  DES, 3DES, AES (128, 192, 256-bit)/MD5, SHA-1
Key exchange                               Diffie Hellman Groups 1, 2, 5, 14
Route-based VPN                            RIP, OSPF
IP address assignment                      Static, (DHCP PPPoE, L2TP and PPTP client), Internal DHCP server, DHCP Relay
NAT modes                                  1:1, many:1, 1:many, flexible NAT (overlapping IPs), PAT, transparent mode
Routing protocols                          BGP, OSPF, RIPv1/v2, static routes, policy-based routing, multicast
Authentication                             XAUTH/RADIUS, Active Directory, SSO, LDAP, Novell, internal user database, Terminal Services, Citrix
Standards                                  TCP/IP, ICMP, HTTP, HTTPS, IPSec, ISAKMP/IKE, SNMP, DHCP, PPPoE, L2TP, PPTP, RADIUS, IEEE 802.3

Hardware
Form factor                                Desktop (1U Rack Mountable Kit Available)
NSA 6600 Specification

Operating system                           SonicOS 6.2
Security Processor                         24x 1.0 GHz
Firewall inspection throughput             12.0 Gbps
Full DPI throughput                        3.0 Gbps
Application inspection throughput          4.5 Gbps
IPS throughput                             4.5 Gbps
Anti-malware inspection throughput         3.0 Gbps
IMIX throughput                            3.5 Gbps
SSL Inspection and Decryption (DPI SSL)    1.3 Gbps
VPN throughput                             5.0 Gbps

VPN
Site-to-Site VPN Tunnels                   6000
IPSec VPN clients (Maximum)                2,000 (6,000)
SSL VPN licenses (Maximum)                 2 (50)
Encryption/Authentication                  DES, 3DES, AES (128, 192, 256-bit)/MD5, SHA-1
Key exchange                               Diffie Hellman Groups 1, 2, 5, 14
Route-based VPN                            RIP, OSPF

Networking
IP address assignment                      Static, (DHCP, PPPoE, L2TP, PPTP client), Internal DHCP server, DHCP Relay
Authentication                             XAUTH/RADIUS, Active Directory, SSO, LDAP, Novell, Internal user database, Terminal Services, Citrix
Certifications                             VPNC, ICSA Firewall, ICSA Anti-Virus
Reference
Advantage of Telecommuting. (2014). Global Workplace Analytics. Retrieved from:
http://globalworkplaceanalytics.com/resources/costs-benefits
An Anomaly-Based Approach for Intrusion Detection in Web Traffic. (n.d.) Retrieved from:
http://webcache.googleusercontent.com/search?client=safari&rls=en&q=cache:hmDApgF38E4J:http://digital.csic.es/bitstream/10261/40544/1/ARTICULOS315428%255B1%255D.pdf%2Bconsequence+intrusion+web+security&oe=UTF-8&hl=en&as_q&nfpr&spell=1&&ct=clnk
Dell SonicWALL Firewall Appliance TCO Comparison. (2014). SonicWall. Retrieved from:
https://roianalyst.alinean.com/SonicWALL/
Five Ways Programmers Can Be Sued. (n.d.) Retrieved from:
http://www.techinsurance.com/blog/computer-consultants/5-ways-web-programmers-can-be-sued/
DDoS Boot Camp: Basic Training for an Increasing Cyber Threat. (n.d.) Retrieved from:
www.prolexic.com/...ddos-boot-camp/DDoS_Boot_Camp-Prolexic_executive _series_white_paper-073113.pdf
How to Prevent Security Breaches from Known Vulnerabilities. (n.d.) Retrieved from:
http://www.esecurityplanet.com/network-security/how-to-prevent-security-breaches-from-known-vulnerabilities.html
HP 2012 Cyber Risk Report. (n.d.) Retrieved from:
www.hpenterprisesecurity.com/collateral/whitepaper/HP2012CyberRiskReport_0213.pdf%2BHP+2012+Cyber+Risk+Report&client=safari&rls=en&oe=UTF-8&hl=en&&ct=clnk
NSA 220 Network Security Appliance. (2014). Dell SonicWall. Retrieved from:
http://www.sonicwall.com/us/en/products/NSA-220.html
NSA 6600 Next-Generation Firewall (NGFW). (2014). Dell SonicWall. Retrieved from:
http://www.sonicwall.com/us/en/products/NSA-6600.html
NSA Review. (2009). Retrieved from:
http://www.scmagazine.com/sonicwall-nsa-240/review/2678/
The Myth of the Secure Virtual Desktop: Avoid a false sense of security with your VPN
or VDI endpoints. (n.d.) Retrieved from:
http://webcache.googleusercontent.com/search?q=cache:7LfeJvdlN_kJ:http://www.npcdataguard.com/The%2520Myth%2520of%2520the%2520Secure%2520Virtual%2520Desktop.pdf%2BThe+Myth+of+the+Secure+Virtual+Desktop&client=safari&rls=en&oe=UTF-8&hl=en&&ct=clnk
SEC 517 Course: Security Assessment and Recommendations [Class handout]. (2014). New
York, NY: Keller School of Management.
Smith, D. (2010). Profiles of major American psychologists [Class handout]. Department of
Psychology, Harvard University, Boston, MA.
SQL Injection Tutorial. (n.d.) Retrieved from:
http://www.w3resource.com/sql/sql-injection/sql-injection.php#sthash.Rq9nWIAW.dpuf
Threats Against a VPN. (n.d.) Retrieved from:
http://etutorials.org/Networking/MPLS+VPN+security/Part+I+MPLS+VPN+and+Security+Fundamentals/Chapter+2.+A+Threat+Model+for+MPLS+VPNs/Threats+Against+a+VPN/
VPNs (Virtual Private Nightmares). Retrieved from:
http://www.secureworks.com/resources/newsletter/2004-05/
Why Replace Your IPSec for Remote Access. (n.d.) Retrieved from:
http://webcache.googleusercontent.com/search?q=cache:UnLmTmaPU8wJ:https://www.sonicwall.com/downloads/WP-ENG-035_Why-Replace-Your-IPSec_US.pdf%2BWhy+Replace+Your+IPSec+for+Remote+Access&client=safari&rls=en&oe=UTF-8&hl=en&&ct=clnk
XAND Launches Distributed Denial of Service (DDOS) Protection Services to Proactively
Safeguard Mission-Critical IT Infrastructure. (n.d.) Retrieved from:
http://webcache.googleusercontent.com/search?client=safari&rls=en&q=cache:ZABMjDDDhLQJ:http://www.xand.com/06/press-releases/xand-launches-distributed-denial-of-service-ddos-protection-services-to-proactively-safeguard-mission-critical-it-infrastructure/%2Bdenial+of+service+percentage+risk&oe=UTF-8&hl=en&&ct=clnk

SVAC Firewall Restriction with Security in Cloud over Virtual EnvironmentIJTET Journal
 
IRJET- Detection and Isolation of Zombie Attack under Cloud Computing
IRJET- Detection and Isolation of Zombie Attack under Cloud ComputingIRJET- Detection and Isolation of Zombie Attack under Cloud Computing
IRJET- Detection and Isolation of Zombie Attack under Cloud ComputingIRJET Journal
 

Similar a Security Risk Assessment for Quality Web Design (20)

English 108 Spring 2015Lexicon Assignment SheetA lexicon is a .docx
English 108 Spring 2015Lexicon Assignment SheetA lexicon is a .docxEnglish 108 Spring 2015Lexicon Assignment SheetA lexicon is a .docx
English 108 Spring 2015Lexicon Assignment SheetA lexicon is a .docx
 
N017259396
N017259396N017259396
N017259396
 
Internal & External Attacks in cloud computing Environment from confidentiali...
Internal & External Attacks in cloud computing Environment from confidentiali...Internal & External Attacks in cloud computing Environment from confidentiali...
Internal & External Attacks in cloud computing Environment from confidentiali...
 
UTM Unified Threat Management
UTM Unified Threat ManagementUTM Unified Threat Management
UTM Unified Threat Management
 
Cybersecurity Goes Mainstream
Cybersecurity Goes MainstreamCybersecurity Goes Mainstream
Cybersecurity Goes Mainstream
 
Distributed Denial of Service (DDos) Testing Methodology
Distributed Denial of Service (DDos) Testing MethodologyDistributed Denial of Service (DDos) Testing Methodology
Distributed Denial of Service (DDos) Testing Methodology
 
CMST&210 Pillow talk Position 1 Why do you think you may.docx
CMST&210 Pillow talk Position 1 Why do you think you may.docxCMST&210 Pillow talk Position 1 Why do you think you may.docx
CMST&210 Pillow talk Position 1 Why do you think you may.docx
 
WHITE PAPER: Threats to Virtual Environments - Symantec Security Response Team
WHITE PAPER: Threats to Virtual Environments - Symantec Security Response TeamWHITE PAPER: Threats to Virtual Environments - Symantec Security Response Team
WHITE PAPER: Threats to Virtual Environments - Symantec Security Response Team
 
Cloud Computing Security
Cloud Computing SecurityCloud Computing Security
Cloud Computing Security
 
A study on securing cloud environment from d do s attack to preserve data ava...
A study on securing cloud environment from d do s attack to preserve data ava...A study on securing cloud environment from d do s attack to preserve data ava...
A study on securing cloud environment from d do s attack to preserve data ava...
 
Top Application Security Trends of 2012
Top Application Security Trends of 2012Top Application Security Trends of 2012
Top Application Security Trends of 2012
 
Implementation_of_User_Authentication_as
Implementation_of_User_Authentication_asImplementation_of_User_Authentication_as
Implementation_of_User_Authentication_as
 
Comparative Study of Mod Security (Autosaved)
Comparative Study of Mod Security (Autosaved)Comparative Study of Mod Security (Autosaved)
Comparative Study of Mod Security (Autosaved)
 
Sql Injection Attacks And A Web Application Environment
Sql Injection Attacks And A Web Application EnvironmentSql Injection Attacks And A Web Application Environment
Sql Injection Attacks And A Web Application Environment
 
Cybersecurity - Poland.pdf
Cybersecurity - Poland.pdfCybersecurity - Poland.pdf
Cybersecurity - Poland.pdf
 
DDoS Report.docx
DDoS Report.docxDDoS Report.docx
DDoS Report.docx
 
Rik Ferguson
Rik FergusonRik Ferguson
Rik Ferguson
 
SVAC Firewall Restriction with Security in Cloud over Virtual Environment
SVAC Firewall Restriction with Security in Cloud over Virtual EnvironmentSVAC Firewall Restriction with Security in Cloud over Virtual Environment
SVAC Firewall Restriction with Security in Cloud over Virtual Environment
 
IRJET- Detection and Isolation of Zombie Attack under Cloud Computing
IRJET- Detection and Isolation of Zombie Attack under Cloud ComputingIRJET- Detection and Isolation of Zombie Attack under Cloud Computing
IRJET- Detection and Isolation of Zombie Attack under Cloud Computing
 
Ea33762765
Ea33762765Ea33762765
Ea33762765
 

Más de Ting Yin

Managing Changes at Intel
Managing Changes at IntelManaging Changes at Intel
Managing Changes at IntelTing Yin
 
iLab Solution II
iLab Solution IIiLab Solution II
iLab Solution IITing Yin
 
Network Management iLab Solution
Network Management iLab SolutionNetwork Management iLab Solution
Network Management iLab SolutionTing Yin
 
Game for Learning
Game for LearningGame for Learning
Game for LearningTing Yin
 
Software Project Management Slide
Software Project Management SlideSoftware Project Management Slide
Software Project Management SlideTing Yin
 
Project Management
Project ManagementProject Management
Project ManagementTing Yin
 
Enterprise Data Warehouse
Enterprise Data Warehouse Enterprise Data Warehouse
Enterprise Data Warehouse Ting Yin
 
Oracle Database
Oracle DatabaseOracle Database
Oracle DatabaseTing Yin
 
Business Intelligence
Business IntelligenceBusiness Intelligence
Business IntelligenceTing Yin
 
Wireframe mobile learning_app_march15_12_pm
Wireframe mobile learning_app_march15_12_pmWireframe mobile learning_app_march15_12_pm
Wireframe mobile learning_app_march15_12_pmTing Yin
 
Ting_Yin_ITS_March15_12PM
Ting_Yin_ITS_March15_12PMTing_Yin_ITS_March15_12PM
Ting_Yin_ITS_March15_12PMTing Yin
 
Ting yin its_financialpla_march15_11am
Ting yin its_financialpla_march15_11amTing yin its_financialpla_march15_11am
Ting yin its_financialpla_march15_11amTing Yin
 
Ting yinits march14_6am
Ting yinits march14_6amTing yinits march14_6am
Ting yinits march14_6amTing Yin
 
HRM: Strategies to Cut Costs and Reduce Risk
HRM: Strategies to Cut Costs and Reduce RiskHRM: Strategies to Cut Costs and Reduce Risk
HRM: Strategies to Cut Costs and Reduce RiskTing Yin
 

Más de Ting Yin (20)

Menu_Oct2
Menu_Oct2Menu_Oct2
Menu_Oct2
 
Menu
MenuMenu
Menu
 
PNA
PNAPNA
PNA
 
RIM
RIMRIM
RIM
 
Network
NetworkNetwork
Network
 
Managing Changes at Intel
Managing Changes at IntelManaging Changes at Intel
Managing Changes at Intel
 
iLab Solution II
iLab Solution IIiLab Solution II
iLab Solution II
 
Network Management iLab Solution
Network Management iLab SolutionNetwork Management iLab Solution
Network Management iLab Solution
 
Game for Learning
Game for LearningGame for Learning
Game for Learning
 
Software Project Management Slide
Software Project Management SlideSoftware Project Management Slide
Software Project Management Slide
 
Project Management
Project ManagementProject Management
Project Management
 
Enterprise Data Warehouse
Enterprise Data Warehouse Enterprise Data Warehouse
Enterprise Data Warehouse
 
Oracle Database
Oracle DatabaseOracle Database
Oracle Database
 
HRIS
HRISHRIS
HRIS
 
Business Intelligence
Business IntelligenceBusiness Intelligence
Business Intelligence
 
Wireframe mobile learning_app_march15_12_pm
Wireframe mobile learning_app_march15_12_pmWireframe mobile learning_app_march15_12_pm
Wireframe mobile learning_app_march15_12_pm
 
Ting_Yin_ITS_March15_12PM
Ting_Yin_ITS_March15_12PMTing_Yin_ITS_March15_12PM
Ting_Yin_ITS_March15_12PM
 
Ting yin its_financialpla_march15_11am
Ting yin its_financialpla_march15_11amTing yin its_financialpla_march15_11am
Ting yin its_financialpla_march15_11am
 
Ting yinits march14_6am
Ting yinits march14_6amTing yinits march14_6am
Ting yinits march14_6am
 
HRM: Strategies to Cut Costs and Reduce Risk
HRM: Strategies to Cut Costs and Reduce RiskHRM: Strategies to Cut Costs and Reduce Risk
HRM: Strategies to Cut Costs and Reduce Risk
 

Último

Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 

Último (20)

Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 

Security Risk Assessment for Quality Web Design

  • 1. Security Risk Assessment for Quality Web Design
    Ting Yin
    Submitted to: Jude Lamour
    SE571 Principles of Information Security and Privacy
    Keller Graduate School of Management
    Submitted: November 16, 2014
  • 2. Table of Contents
    Executive Summary ... 3
    Company Overview ... 3
    Security Vulnerabilities ... 3
    Threats ... 4
    Risk Assessment ... 5
    The Consequence ... 6
    The Effects on The Company Competitive Advantages ... 7
    The Definition of Solution ... 15
    Justification ... 6
    Impact on Business Processes ... 10
    Reference ... 19
  • 3. Executive Summary

    Dell SonicWALL Firewall TCO recommends that QWD use the Dell NSA 250m and NSA 6600 and replace its current IPSec VPN. The NSA 250m and NSA 6600 appliances come with a wide range and heightened level of security protection services, plus additional security protection hardware and software bundles. Based on a reputable technology survey, the NSA 250m and NSA 6600 are rated 5 out of 5 (NSA Review). The NSA 6600 system should be located near QWD's office headquarters and the NSA 250m near QWD's remote office. Both NSA systems have the right tools to protect QWD from intrusion, denial of service, and SQL attacks. In addition to security protection, the NSA systems offer mobile service so that workers, business partners, customers, clients, and QWD affiliates can collaborate online on QWD-related projects. This remote access and connectivity can further improve QWD's business processes and even increase revenue.

    Company Overview

    Quality Web Design (QWD) is a web design and development company that designs and creates client-side web applications for different industries. The web applications that QWD makes help its clients market their information, in the form of web content, to the outside world. QWD is a basic Microsoft (MS) shop that uses Visual Studio (VS) Team Foundation to support its image repository. For quality analysis and site development, QWD uses VS. QWD also uses MS SQL Server and MS Exchange (SEC 517).

    Two Security Vulnerabilities

    In this paper, I will discuss three security vulnerabilities: one is associated with hardware, the second with software. The first vulnerability is found within the
  • 4. network infrastructure (hardware). The second vulnerability is associated with an SQL injection attack on the client’s web page (SEC 517).

    Threats Against VPN or Server

    In this section, two threats against a VPN are discussed: 1) intrusion; 2) denial of service.

    Intrusion is a threat that gives an unauthorized outsider the opportunity to access and take control of parts of the VPN. The affected parts could be internal computers, servers, network elements, and other network components. To reach internal information or equipment, the malicious individual first injects code for traffic control into the VPN. A simple case of virtual invasion and unauthorized internal control is sending a single IP packet to a destination in the VPN (Threat Against). Terminals, phones, and other mobile devices that are left open and neglected are one of the primary reasons that an unauthorized individual can gain access to QWD's internal resources.

    “VPNs will likely continue to be the weakness link in an organization’s security infrastructure for some time to come.” (VPNs Virtual) Any organization is only as secure as its weakest links or connections. VPNs provide a false sense of security, due to “poor implementation and maintenance.” The VPN can perhaps be considered one of the weakest links in QWD (The Myth).

    Denial of service (DoS) is another outside threat against the VPN. Unlike the intrusion discussed above, DoS prevents others from accessing the web. To complete a DoS attack, the hacker first needs to be able to inject packets into the trusted zone of the VPN. A DoS attack can also interfere with VPN users indirectly: when a PE router is affected by a DoS attack, a VPN connected to that PE can be negatively affected in turn (Threat Against).
  • 5. The third threat is the potential insertion, or injection, of SQL code into the client’s web application. SQL injection is one of the most prevalent and destructive system attacks. The Open Web Application Security Project (OWASP) points out SQL injection as the number one threat. Injecting extraneous code into text boxes can potentially debilitate the entire database. SQL injection can potentially be used to perform the following types of attacks: it can allow a hacker to log on illegally to the internal application, to illegally gain the privilege to manipulate the data stored in the database, and to disclose confidential information (SQL Injection).

    Risk Assessment

    In 2006, the U.K. Department of Trade and Industry (DTI) surveyed businesses about security incidents and released the results. Among the organizations surveyed, intrusion was constant at 17 percent over the survey period, and failure of equipment was up to 29 percent (Pfleeger, 256). An official study found that 87 percent of the businesses surveyed suffered a service degradation, up to a full outage, from a DDoS attack in 2013 (XAND LAUNCHES). SQL injection was found to be one of the six most commonly reported threats to Web applications. SQL injection, along with the other top five threats, accounted for 40 percent of the threats found in 2012 (HP 2012).

    Level of Risk and Its Influence on QWD Operation

    | Threat | Level of Risk |
    |---|---|
    | Denial of Service | 4 |
    | Intrusion | 3 |
    | SQL Inject | 3 |

    4 - Critical: QWD's business will not be operational when it encounters the type of threat as listed
  • 6. 3 - Medium-Critical: QWD's business can still somewhat manage its operations, but it has to do so under the interference caused by the threats.

    The Consequence

    A security breach through the VPN can lead to theft of QWD's proprietary or confidential information, loss of client information, exploitation or manipulation of confidential information, modification of web page content, etc. The authentication method used by IPsec can weaken the authentication process and can be unmanageable for QWD when deploying web services for multiple client organizations. Apart from the expenses and complexities associated with IPsec deployment, IPsec VPN selectors are insufficient to meet the needs of the authorization-related policies that QWD must have in today's highly regulated environment (The Myth). To compensate for the weaker authentication of the IPsec VPN, QWD has to create relatively more complicated constituency-oriented policies to limit user access. IPsec VPN remote access needs VPN client software and policy configuration on the end devices. With the need for this additional support and these resources, QWD simply cannot deliver cost-effective secure remote access to all users from all devices. When a client is connected using IPsec, every resource inside the protected network is potentially available to the user, and therefore vulnerable to misuse and attack from that client during the entire connection (The Myth).

    DDoS attacks can cause costly and destructive downtime for the client’s hosted applications and resources. During the downtime caused by a DDoS attack, the users of the websites developed and designed by QWD would not be able to access the websites or the services that the clients offer through the web pages. In the meantime, QWD and its clients cannot communicate with the users and the clients’ customers due to the malfunctioning of the websites
  • 7. (The Myth). The Ponemon Institute “estimates that the average cost of one minute of downtime due to a DDoS attack is $22,000. The average attack lasts at least an hour, inflicting devastating and expensive downtime on business operations.” (Xand Launches).

    Through SQL injection, hackers can obtain unauthorized access to the MS SQL 2008 database (DB) server or the DB located in the corporate office. They can create, review, insert, alter, or remove QWD images or confidential information stored in the QWD back-end database. Through SQL injection and manipulation, hackers can potentially lock or delete tables stored in the DB on the QWD servers. The malicious manipulation of the data can cause denial of service to authorized users and can grant, without authorization, remote command execution that is normally reserved for administrators (SQL Injection).

    The Effects on the Company Competitive Advantages

    More of QWD's customers may go to its competitors to seek similar services, owing to decreased trust in the security and service provided by QWD. An outage can cause an increase in the volume of customer inquiries about the outage, which can result in a loss of revenue. The security fear can drive a decline in stock prices and investor confidence. The compromised IT system at QWD can further be susceptible to multiple attacks within a relatively short period of time (DDoS).

    A data breach of confidential information (QWD corporate confidential information, employee private information, and client private information) can potentially raise lawsuits not only against QWD itself but also against its employees. If hackers are able to intrude into a system developed by software developers or engineers, those computer professionals are liable to lawsuits (Five Ways).
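The SQL injection risk described above (illegal logon through a text box) can be shown as a vulnerable login query beside its parameterized fix. This is an added example, not code from the paper or from QWD; Python's sqlite3 stands in for the MS SQL Server back end, and the table, accounts, and function names are hypothetical.

```python
import sqlite3

# Constructed sample input: text typed into the "user name" box that closes the
# string literal and comments out the password check.
INJECTED_NAME = "admin' --"


def make_db():
    """Build an in-memory account table (constructed data, hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password_hash TEXT, role TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("admin", "hash-of-admin-secret", "administrator"),
            ("o'brien", "hash-of-designer-secret", "designer"),
        ],
    )
    return db


def login_vulnerable(db, name, password_hash):
    """BEFORE: text-box values are concatenated into the SQL statement."""
    query = (
        "SELECT role FROM users WHERE name = '" + name
        + "' AND password_hash = '" + password_hash + "'"
    )
    row = db.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(db, name, password_hash):
    """AFTER: values are bound as parameters and are never parsed as SQL."""
    row = db.execute(
        "SELECT role FROM users WHERE name = ? AND password_hash = ?",
        (name, password_hash),
    ).fetchone()
    return row[0] if row else None


def compare_logins():
    """Run both login functions on the same inputs and collect the outcomes."""
    db = make_db()
    results = {
        # The injected name logs in as administrator without the password.
        "vulnerable, injected name": login_vulnerable(db, INJECTED_NAME, "wrong"),
        # Bound as data, the same text matches no account.
        "parameterized, injected name": login_parameterized(db, INJECTED_NAME, "wrong"),
        # A legitimate name containing an apostrophe works once values are bound.
        "parameterized, o'brien": login_parameterized(
            db, "o'brien", "hash-of-designer-secret"
        ),
    }
    try:
        # The same legitimate name breaks the concatenated statement.
        results["vulnerable, o'brien"] = login_vulnerable(
            db, "o'brien", "hash-of-designer-secret"
        )
    except sqlite3.OperationalError:
        results["vulnerable, o'brien"] = "SQL syntax error"
    return results


if __name__ == "__main__":
    for case, outcome in compare_logins().items():
        print(f"{case}: {outcome}")
```

The apostrophe case is a useful regression test: a login form that rejects or crashes on a name such as o'brien is usually building its SQL by concatenation.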
  • 8. Justification for Using Dell SonicWALL NSA 220 M and NSA 6600

    The Dell SonicWALL Firewall TCO comparison and analysis tool and model take QWD's current firewall requirements into consideration. Based on the client's system requirements and configuration, Dell TCO makes a product recommendation that can improve the condition of the QWD system, and it then compares the selected Dell SonicWALL products and services with a similar version of a Cisco solution. The solutions suggested by TCO for the QWD system are the Dell SonicWALL NSA 6600 and NSA 250 (Dell).

    Total TCO Savings 3 Year-over-Year of Dell SonicWALL NSA over Cisco ASA is $381,405. The percent difference in Total Cost of Ownership (over 3 years) for Dell SonicWALL NSA over Cisco ASA is -88.4%. QWD can save at least 88.4% when it purchases the Dell product over the Cisco version. The percent difference in the projected number of labor FTEs of Dell SonicWALL over Cisco ASA is 74.4%. The staff to device support ratio (devices per 1 FTE) of Dell SonicWALL is 159.9%. Firewall TCO per user (NPV over 3 years) is 88.4% of Cisco ASA (Figure 1) (Dell).

    Figure 1: Total Cost of Ownership Comparison

    | Total Cost of Ownership (TCO) | Dell SonicWALL | Cisco | Difference | Percent Difference |
    |---|---|---|---|---|
    | Appliance Hardware and Support | $41,321 | $144,956 | $103,635 | 71.5% |
    | Additional Security Services | $7,664 | $282,512 | $274,848 | 97.3% |
    | Implementation / Configuration / Training | $903 | $2,810 | $1,907 | 67.9% |
    | Ongoing Operational (IT Labor) | $125 | $1,141 | $1,015 | 89.0% |
    | Total TCO - Total Cost of Ownership (over 3 years) | $50,014 | $431,419 | $381,405 | 88.4% |

  • 9.
    | Key Performance Indicators | Dell SonicWALL | Cisco | Difference | Percent Difference |
    |---|---|---|---|---|
    | Projected Number of Labor FTEs | 0.0 | 0.1 | 0.0 | 74.4% |
    | Staff to Device support ratio (Devices per 1 FTE) | 143.7 | 55.3 | 88.4 | 159.9% |
    | Firewall TCO per user (NPV over 3 years) | $50 | $431 | $381 | 88.4% |

    Dell SonicWALL NSA products include the Comprehensive Gateway Security Suite (CGSS), Simple Firewall, Gateway Anti-Virus/Anti-Spyware (GAV), Intrusion Prevention Service Bundle, Application Intelligence and Control, Content Filtering Service, Botnet Filter, Context Aware Security Support Level, IPSec VPN license, and SSL VPN license. The cost saving of Dell SonicWALL NSA over Cisco ASA is $157,247, and the TCO difference of Dell over Cisco is -92.6%. This means that Dell SonicWALL's security package costs 92.6% less than the Cisco version (Figure 2) (Dell).
  • 10. Figure 2: Additional Security Services Appliances and Licensing Costs

    Additional Security Services Appliances and Licensing Costs | Dell SonicWALL | Cisco | Difference | Percent Difference
    Selected Deep Packet Inspection Services | $0 | $149,847 | $149,847 | 100.0%
    √ Intrusion Prevention Service (IPS) Appliance (Dell-Not Req.) | $0 | $86,490 | $86,490 | 100.0%
    √ Intrusion Prevention Service (IPS) Licensing (Dell-Included) (Cisco-Included) | $0 | $0 | $0 | 100.0%
    √ Application Intelligence and Control (AIC) (Dell-Included) (Cisco-Included) | $0 | $0 | $0 | 100.0%
    √ Content Filtering Service (CFS) (Dell-Included) (Cisco-Not Incl.) | $0 | $0 | $0 | 100.0%
    Selected Client Services | $595 | $7,995 | $7,400 | 92.6%
    √ IPSec VPN (Dell-Included) | $0 | $0 | $0 | 0.0%
    √ SSL VPN | $595 | $7,995 | $7,400 | 92.6%

    Impact on Business Process

    Dell SonicWALL technologies integrate both SSL and IPsec VPN into one system. The SSL/IPsec VPN offers the capability to securely and conveniently extend the corporate network
  • 11. access beyond managed desktops to different user services. Secure Remote Access, powered by the SonicWALL SSL/IPsec VPN edition, enables QWD to securely and seamlessly give a wide range of users, contractors, and business partners access to authorized company resources on a wide variety of mobile and fixed workstations (NSA 6600, NSA 220). With inclusive support for unrestricted full-network access, as well as controlled access to select web-based applications and network resources, the SonicWALL VPN platform provides the flexibility needed by any VPN deployment in QWD. The VPN provides an effective and efficient combination of seamless controlled access, firewall, intrusion prevention inspection, and web threat prevention that empowers QWD mobile workers to be productive while protecting corporate assets and interests (NSA 6600, NSA 220).

    Combining SSL and IPsec VPN technology in one platform can deliver a highly customizable, simple, and flexible one-box solution for VPN deployment environments and reduce the expense of deploying remote-access solutions (NSA 6600, NSA 220). Through client-based SSL or IPsec VPN, corporate-managed laptops can remotely and seamlessly access QWD corporate network resources. Through clientless SSL VPN, remote users such as QWD clients may gain access to web-based applications from their terminals. Business partners or other professional affiliates can access specific QWD resources and applications.

    The NSA 6600 should be located in the corporate office. The NSA 6600 supports a wide range of deployment and application environments and delivers maximum value to QWD with the most comprehensive set of Secure Sockets Layer (SSL) and IP security (IPsec) VPN features, performance, and scalability (NSA 6600, NSA 220). The solution comprises a single unified platform, the NSA 6600 and the Secure Mobility Solution, which enables QWD to use a highly effective combination of seamless controlled access, firewall, intrusion prevention inspection
  • 12. and web threat prevention that enables QWD mobile workers, stationary workers, and clients to be productive while helping to improve corporate profit by increasing sales. With Dell's inclusive support for unrestricted full-network access, as well as controlled access to select web-based applications and network resources in QWD, the platform provides the flexibility required by any VPN deployment in QWD (Figure 3) (NSA 6600, NSA 220).

    Figure 3: Dell NSA 6600 in Corporate Headquarter Office
  • 13. Figure 2: Dell NSA 250 M in Remote Office
  • 14. NSA 250M and NSA 6600 Expert Rating

    Category | Rating
    Feature | 5/5
    Ease of Use | 5/5
    Performance | 5/5
    Documentation | 5/5
    Support | 5/5
    Value for Money | 5/5
    Overall Rating | 5/5

    The wireless network capabilities offered by the NSA 250M and NSA 6600 can empower mobile workers, who can work anywhere while protected by the security services offered by the Dell technology. Based on the survey answered by users of the NSA system, it seems that all of these users are 100% satisfied with the system. They give it 5 out of 5 for overall rating (NSA Review).

    Allowing employees the option to work at home at certain times of the week can improve business results. Evidence has shown that around two thirds of people want to work at home, and eighty percent of the employees who took the survey consider telework a perk. Approximately 6 out of 10 employers identify telecommuting as a cost-saving plan for the employer. IBM reduces real estate costs by $50 million, and Nortel saves $100,000 per employee who works at home. Sun Microsystems saves $68 million a year from its telecommuting workers (Advantage).
  • 15. Using Dell to brand its business can potentially attract more customers to QWD. Once customers understand the heightened level of protection offered by Dell technology, they are more willing to do more business with QWD or even recommend more customers to QWD. Quality Web Design can potentially experience fewer incidents of system malfunction and data breach resulting from intrusion, denial of service, SQL injection, or other attacks. Having fewer incidents can potentially reduce the time and expense involved in litigation workload and the cost associated with data breaches and unauthorized access.

    Hard Solution and Security Service Solution

    Dell SonicWALL is a multi-service platform. The security protection extends from the network core to the perimeter of the system. Unified Threat Management (UTM) integrates support from SonicWALL's Gateway Anti-Spyware, Anti-Virus, and Intrusion Protection service and Application. Together, these security services deliver real-time protection against innovative mixtures of threats, including intrusion threats and SQL attacks. This combination of protection against application-layer and content-based attacks gives a heightened level of gateway protection that defends against multiple threats coming from the access points (AP) and thoroughly inspects all network layers for threats that involve or include intrusion (NSA 6600, NSA 220).

    The Dell SonicWALL Intrusion Prevention System (IPS) Service provides network protection 24 hours a day, 7 days a week. Its major specifications are 4.5 Gbps, a Maximum Inspected Connections value of 500,000, and 90,000 New Connections per Second. Dell's IPS Service is activated on Dell SonicWALL and Network Security Appliance (NSA). IPS provides high performance and deep packet inspection with countermeasures for complete protection
  • 16. against application exploitation and malicious traffic. The Dell IPS service scales to serve organizations of all sizes. When QWD expands its business and has more customers, it can still use the Dell SonicWALL system. IPS provides a layer of security enforcement and protection between each network zone and the Internet and between Internet zones for additional security against intrusion (NSA 6600, NSA 220). IPS provides bidirectional, full-stack inspection that checks inbound and outbound critical application traffic, providing defense against a wide variety of attacks, such as SQL injection, cross-site scripting, remote code execution, shell code payloads, and remote procedure calls. Its payload inspection spans a wide range of protocols, including MySQL, TCP, DNS, HTTP, HTTPS, SMTP, SNMP, POP3, FTP, Telnet, RTP, etc.

    The Firewall and Networking part of the Dell SonicWALL offers SYN flood protection. SYN flood protection provides a defense against DoS attacks using both Layer 2 SYN blacklisting and Layer 3 SYN proxies. It also provides the ability to defend against DoS/DDoS through UDP/ICMP flood protection and connection rate limiting (NSA 6600, NSA 220).

    Dell SonicWALL Virtual Private Networking technology can make network and security management more efficient for network managers and administrators. Using Dell SonicWALL VPN, network managers can establish a more secure and extensive VPN that is easier to control and manage. Dell SonicWALL VPN technology includes integrated IPSec VPN for securing site-to-site communication. The VPN technology offers both SSL VPN and IPSec VPN for secure remote client access. The VPN technology line also offers a complete line of Secure Remote Access/SSL VPN appliances that bring remote access and management capabilities to organizations of a wide range of sizes with varying network complexity, specifications, and security requirements (NSA 6600, NSA 220).
  • 17. Dell NSA 250 M Specification

    Operating system: SonicOS 5.9
    Security Processor: 2x 700 MHz
    Memory (RAM): 512 MB
    Firewall inspection throughput: 750 Mbps
    Full DPI throughput: 130 Mbps
    Application inspection throughput: 250 Mbps
    IPS throughput: 250 Mbps
    Anti-malware inspection throughput: 140 Mbps
    IMIX throughput: 210 Mbps
    SSL Inspection and Decryption (DPI SSL): Available
    VPN throughput: 200 Mbps
    VLAN interfaces: 35

    VPN
    Site-to-Site VPN Tunnels: 50
    IPSec VPN clients (Maximum): 2 (25)
    SSL VPN licenses (Maximum): 2 (15)
  • 18. Encryption/Authentication: DES, 3DES, AES (128, 192, 256-bit)/MD5, SHA-1
    Key exchange: Diffie Hellman Groups 1, 2, 5, 14
    Route-based VPN: RIP, OSPF
    IP address assignment: Static, (DHCP PPPoE, L2TP and PPTP client), Internal DHCP server, DHCP Relay
    NAT modes: 1:1, many:1, 1:many, flexible NAT (overlapping IPs), PAT, transparent mode
    Routing protocols: BGP, OSPF, RIPv1/v2, static routes, policy-based routing, multicast
    Authentication: XAUTH/RADIUS, Active Directory, SSO, LDAP, Novell, internal user database, Terminal Services, Citrix
    Standards: TCP/IP, ICMP, HTTP, HTTPS, IPSec, ISAKMP/IKE, SNMP, DHCP, PPPoE, L2TP, PPTP, RADIUS, IEEE 802.3

    Hardware
    Form factor: Desktop (1U Rack Mountable Kit Available)

    NSA 6600 Specification
  • 19. Operating system: SonicOS 6.2
    Security Processor: 24x 1.0 GHz
    Firewall inspection throughput: 12.0 Gbps
    Full DPI throughput: 3.0 Gbps
    Application inspection throughput: 4.5 Gbps
    IPS throughput: 4.5 Gbps
    Anti-malware inspection throughput: 3.0 Gbps
    IMIX throughput: 3.5 Gbps
    SSL Inspection and Decryption (DPI SSL): 1.3 Gbps
    VPN throughput: 5.0 Gbps

    VPN
    Site-to-Site VPN Tunnels: 6000
    IPSec VPN clients (Maximum): 2,000 (6,000)
    SSL VPN licenses (Maximum): 2 (50)
    Encryption/Authentication: DES, 3DES, AES (128, 192, 256-bit)/MD5, SHA-1
    Key exchange: Diffie Hellman Groups 1, 2, 5, 14
    Route-based VPN: RIP, OSPF

    Networking
    IP address assignment: Static, (DHCP, PPPoE, L2TP, PPTP client), Internal DHCP server, DHCP Relay
    Authentication: XAUTH/RADIUS, Active Directory, SSO, LDAP, Novell, Internal user database, Terminal Services, Citrix

  • 20. Certifications: VPNC, ICSA Firewall, ICSA Anti-Virus
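The Encryption/Authentication and Key exchange rows in both specification tables list options of very different strength. The following added example (not part of the original paper or of Dell's documentation) grades a VPN proposal built from those listed options; the grading scale mapped from RFC 8247 requirement levels, the function names and the sample proposals are assumptions made for illustration.

```python
from itertools import product

# Options from the Encryption/Authentication and Key exchange rows above.
SUPPORTED = {
    "encryption": ["DES", "3DES", "AES-128", "AES-192", "AES-256"],
    "integrity": ["MD5", "SHA-1"],
    "dh_group": [1, 2, 5, 14],
}

# Grading is this example's assumption, mapped from RFC 8247 requirement
# levels: 0 = MUST NOT, 1 = legacy (MAY / SHOULD NOT / MUST-), 2 = acceptable.
GRADES = {
    "DES": (0, "MUST NOT; 56-bit key"),
    "3DES": (1, "MAY; 64-bit block cipher"),
    "AES-128": (2, ""), "AES-192": (2, ""), "AES-256": (2, ""),
    "MD5": (0, "MUST NOT; HMAC-MD5"),
    "SHA-1": (1, "MUST-; HMAC-SHA1 is slated for downgrade"),
    1: (0, "MUST NOT; 768-bit MODP"),
    2: (1, "SHOULD NOT; 1024-bit MODP"),
    5: (1, "SHOULD NOT; 1536-bit MODP"),
    14: (2, ""),
}
VERDICTS = ("reject", "legacy", "ok")

def audit(enc, integ, group):
    """Return (verdict, findings); the verdict follows the weakest component."""
    findings, worst = [], 2
    for kind, value in zip(SUPPORTED, (enc, integ, group)):
        if value not in SUPPORTED[kind]:
            raise ValueError(f"{value!r} is not a listed {kind} option")
        grade, reason = GRADES[value]
        worst = min(worst, grade)
        if grade < 2:
            findings.append(f"{kind}={value}: {reason}")
    return VERDICTS[worst], findings

def strongest_supported():
    """Best proposal the listed options allow (weakest link first, then key size)."""
    def score(p):
        grades = [GRADES[v][0] for v in p]
        bits = int(p[0].split("-")[1]) if "-" in p[0] else 0
        return (min(grades), sum(grades), bits)
    return max(product(*SUPPORTED.values()), key=score)

if __name__ == "__main__":
    # Constructed sample proposals, not taken from any QWD or Dell configuration.
    for proposal in [("3DES", "MD5", 2), ("AES-128", "SHA-1", 5), strongest_supported()]:
        print(proposal, *audit(*proposal))
```

On the options as listed, the best result is AES-256 with SHA-1 and group 14, which still grades as legacy because the tables list no SHA-2 integrity option.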
  • 21. Reference

    Advantage of Telecommuting. (2014). Global Workplace Analytics. http://globalworkplaceanalytics.com/resources/costs-benefits
    An Anomaly-Based Approach for Intrusion Detection in Web Traffic. (n.d.) Retrieved from: http://webcache.googleusercontent.com/search?client=safari&rls=en&q=cache:hmDApgF38E4J:http://digital.csic.es/bitstream/10261/40544/1/ARTICULOS315428%255B1%255D.pdf%2Bconsequence+intrusion+web+security&oe=UTF-8&hl=en&as_q&nfpr&spell=1&&ct=clnk
    Dell SonicWALL Firewall Appliance TCO Comparison. (2014). SonicWall. Retrieved from: https://roianalyst.alinean.com/SonicWALL/
    Five Ways Programmers Can be Sued. (n.d.) Retrieved from: http://www.techinsurance.com/blog/computer-consultants/5-ways-web-programmers-can-be-sued/
    DDoS Boot Camp: Basic Training for an Increasing Cyber Threat. (n.d.) Retrieved from: www.prolexic.com/...ddos-boot-camp/DDoS_Boot_Camp-Prolexic_executive_series_white_paper-073113.pdf
    How to Prevent Security Breaches from Known Vulnerabilities. (n.d.) http://www.esecurityplanet.com/network-security/how-to-prevent-security-breaches-from-known-vulnerabilities.html
    HP 2012 Cyber Risk Report. (n.d.) Retrieved from: www.hpenterprisesecurity.com/collateral/whitepaper/HP2012CyberRiskReport_0213.pdf%2BHP+2012+Cyber+Risk+Report&client=safari&rls=en&oe=UTF-8&hl=en&&ct=clnk

  • 22. NSA 220 Network Security Appliance. (2014). Dell SonicWall. Retrieved from: http://www.sonicwall.com/us/en/products/NSA-220.html
    NSA 6600 Next-Generation Firewall (NGFW). (2014). Dell SonicWall. Retrieved from: http://www.sonicwall.com/us/en/products/NSA-6600.html
    NSA Review. (2009). Retrieved from: http://www.scmagazine.com/sonicwall-nsa-240/review/2678/
    The Myth of the Secure Virtual Desktop: Avoid a false sense of security with your VPN or VDI endpoints. (n.d.) Retrieved from: http://webcache.googleusercontent.com/search?q=cache:7LfeJvdlN_kJ:http://www.npcdataguard.com/The%2520Myth%2520of%2520the%2520Secure%2520Virtual%2520Desktop.pdf%2BThe+Myth+of+the+Secure+Virtual+Desktop&client=safari&rls=en&oe=UTF-8&hl=en&&ct=clnk
    SEC 517 Course: Security Assessment and Recommendations [class handout]. (2014). New York, NY: Keller School of Management, New York, NY
    Smith, D. (2010). Profiles of major American psychologists [Class handout]. Department of Psychology, Harvard University, Boston, MA.
    SQL Injection Tutorial. (n.d.) Retrieved from: http://www.w3resource.com/sql/sql-injection/sql-injection.php#sthash.Rq9nWIAW.dpuf
    Threats Against a VPN. (n.d.) Retrieved from: http://etutorials.org/Networking/MPLS+VPN+security/Part+I+MPLS+VPN+and+Security+Fundamentals/Chapter+2.+A+Threat+Model+for+MPLS+VPNs/Threats+Against+a+VPN/
    VPNs (Virtual Private Nightmares). Retrieved from: http://www.secureworks.com/resources/newsletter/2004-05/
    Why Replace Your IPSec for Remote Access. (n.d.) Retrieved from: http://webcache.googleusercontent.com/search?q=cache:UnLmTmaPU8wJ:https://www.sonicwall.com/downloads/WP-ENG-035_Why-Replace-Your-IPSec_US.pdf%2BWhy+Replace+Your+IPSec+for+Remote+Access&client=safari&rls=en&oe=UTF-8&hl=en&&ct=clnk

  • 23. XAND Launches Distributed Denial of Service (DDOS) Protection Services to Proactively Safeguard Mission-Critical IT Infrastructure. (n.d.) http://webcache.googleusercontent.com/search?client=safari&rls=en&q=cache:ZABMjDDDhLQJ:http://www.xand.com/06/press-releases/xand-launches-distributed-denial-of-service-ddos-protection-services-to-proactively-safeguard-mission-critical-it-infrastructure/%2Bdenial+of+service+percentage+risk&oe=UTF-8&hl=en&&ct=clnk