Aircraft Solution Design Security Assessment and Recommendations

Security Assessment and Recommendation
Aircraft Solutions is a recognized leader in the design and fabrication of component products and services for companies in the electronics, commercial, defense, and aerospace industry. Based in Southern California, Aircraft Solutions has an excellent record of rendering services and employees that are dedicated to providing high quality customer service. The company’s workforce has a large skill base: design engineers, programmers, machinists, and assembly personnel to work in its enormous production plant and various segments of the industry. This assessment is to investigate weaknesses presented in the operations of the Aircraft Solutions business processes. Along with identifying vulnerabilities, an analysis of other related threats, concerns and risks will be presented.
Vulnerability Assessment
After further review to three relevant sections: hardware, software and policy, Aircraft Solutions needs special attention to hardware and policy relates processes. The Defense Division is routed through Headquarters, the Commercial Division is however directly connected to the Internet, but no firewall has been setup. This action is a concern for Aircraft Solutions. A policy vulnerability that has been noticed is the rule that states “routers and firewalls rule-sets would be evaluated once in every two years”. With today’s world and technology changing ever so often security threats happen by Internet hackers, on an everyday basis. This is a rather impractical and long time span for a company to ensure that their security measures are up-to-date. These weaknesses are detailed in the sections below:

Hardware Vulnerability
Aircraft Solution’s Commercial Division, connects to the rest of the world via the Internet causing hardware vulnerabilities due to the absence of security and safety that should be implemented, leaving great concern for major security threats. The Commercial Division is only able to access important data (budgets, shareholder information, contracts, etc…) from the world-wide web because there is no firewall in place to filter web traffic. This drawback maximizes environmental threats due to the lack of a firewall which exposes the network to external attacks and malicious content which can be sent easily over the Internet. According to the National Institute of Standards and Technology, to determine the likelihood of a future adverse event, threats to an IT system must be analyzed in conjunction with the potential vulnerabilities and the controls in place for the IT system. To measure risk, a risk scale and a risk-level matrix must be developed.
Table 1- Risk-Level Matrix
Threat Likelihood Low (10) Medium (50) High (100)
High (1.0) Low
10 X 1.0=10 Medium
50 X 1.0=50 High
100 X 1.0=100
Medium (0.5) Low
10 X 0.5=5 Medium
50 X 0.5=25 Medium
100 X 0.5=50
Low (0.1) Low
10 X 0.1=1 Low
50 X 0.1=5 Low
100 X 0.1=10
Risk Scale: High (>50 to 100); Medium (>10 to 50); Low (1 to 10)

Policy Vulnerability
Company has stated that the current security policy rules for routes and firewalls will be re analyzed every two years. This action will need to be revised due to security threats and hackers attempting to prevail every day. Vendors can provide regular monitoring and ensure patches are current and have been disseminated to protect from external threat and attacks. Aircraft Solution has not determined a definitive policy regarding how and when policy should upgrade equipment and modified business processes. As with any business, it is required that along with changes in company policies as a reaction to various business related factors such as sales fluctuations, changes in the economy, or other environmental factors that impact the company’s infrastructure it is natural and an intrinsic requirement for the security rule-sets related to firewall and router security have to be updated and modified. Using the same rules over again is risky and could lead to various levels of hacking and security breaches. Worst case scenario, if Aircraft Solutions decides to keep policy the way they are, it would just take a couple of disgruntled employees to t spread malicious content and see the company get destroyed through un-expired access permissions or provide that information to people with malicious intent. This could lead to legal problems, monetary loss, while impacting the company’s good will and public image in a very big way.

? Reference
Goguen, A., Feringa, A., Stoneburner, G., (2002). Risk Management Guide for Information Technology Systems. Recommendations of the National Institute of Standards and Technology.