Vulnerabilities: Weaknesses in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source (NIST, 2010).

Controls, tools, and strategies: The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information (NIST, 2010).

Impact to Ted's Tremendous Toys

People: Employees
Vulnerability: Privacy and confidentiality of the data/information
Controls, tools, and strategies:
Access to system services should be restricted to legitimate users.
To prevent eavesdropping, communication within and between the system and other users should be encrypted to ensure it is kept both private and
Control access to systems and accounts (User ID/password combos, tokens or smart cards).
Use encryption schemes (WPA2, IPsec, Hashing, SSL, AES, etc.) to prevent unauthorized access to the data or messages in transit.
Use Layer 2 tunneling protocols (L2TP) to provide secure connections between LAN servers and remote clients.
Impact to Ted's Tremendous Toys:
Ted's currently has a Windows-based single-domain network, with a domain server located on each of the three floors his company occupies with office and warehouse staff. Although there are no formal access controls currently in place, it would be wise to consider leveraging the domain servers to authenticate users.
The out-of-date 802.11b wireless network used by the warehouse staff should be redesigned with newer 802.11 technologies that offer WPA2 encryption and additional access controls to prevent accidental or intentional backdoor access to the main network.
Remote access also needs to be protected against unauthorized access, which requires consideration of a Virtual Private Network (VPN) using encryption from the remote user to the main network. An upgrade or replacement of existing Cisco routers and firewalls may be required to activate this needed feature.

People: Customers
Vulnerability: Integrity of the data
Controls, tools, and strategies:
Message Authentication Code (using hashing algorithms) and Digital Signatures
To preserve the integrity of messages sent over the network, messages can be digitally signed by the sender or by using the message authentication code (MAC). The code is produced by hashing on both the original message and a shared secret key. MAC is computationally less expensive than digital signature. So MAC is preferred if nonrepudiation is not needed. (Zhao, 2008)
Impact to Ted's Tremendous Toys:
Without existing security controls, Ted's has no way of verifying that communications, including messages and files, are genuine and unaltered. Use of Message Authentication Code ensures the integrity of the message contents. Digital signatures go one step further in providing authentication and nonrepudiation.

People: Neighbors
Vulnerability: Authentication of the source and Non-repudiation
Controls, tools, and strategies:
Digital Signatures and PKI 2-key infrastructure
The repudiation threat can be mitigated by using the digital signature technique. The digital signature is produced by first hashing the message to be sent using a secure hash function, such as SHA1, and then by encrypting the hash using the sender's private key (Zhao, 2008).
Impact to Ted's Tremendous Toys:
With no system in place to authenticate electronic communications that may include sales orders, Ted's cannot be certain that such communications are genuine, much less from who they say they are from. Nonrepudiation from the use of digital signatures or a PKI 2-key system ensures that the data is from who it says it is from.

People: Guests
Vulnerability: Access Control
Controls, tools, and strategies:
To control what information an authenticated user can access or modify, all requests from the user should be mediated by an authorization process. The user's requests can contain an authorization token (issued by the information system) to indicate the user's role and privilege to help determine what permission can be granted to the user. It is wise to grant the user the least privilege possible. (Zhao, 2008)
Impact to Ted's Tremendous Toys:
Ted's is vulnerable due to the use of shared user accounts that do not require passwords to access the system.
A password policy should be implemented that includes a 90-day reset.
Accounts with too many privileges.

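The MAC trade-off described in the Integrity and Non-repudiation entries above, as an added example that is not part of the original document. It assumes HMAC-SHA256 as the MAC construction; the key, the order fields and the function names are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample data: the key and the order are illustrative only.
SHARED_KEY = b"constructed-demo-key-held-by-both-parties"
ORDER = {"order_id": 1001, "customer": "Example Retail", "item": "toy-robot", "qty": 40}


def canonical(order: dict) -> bytes:
    """Serialize deterministically so sender and receiver hash identical bytes."""
    return json.dumps(order, sort_keys=True, separators=(",", ":")).encode("utf-8")


def make_tag(key: bytes, order: dict) -> str:
    """MAC: a keyed hash over the message and the shared secret (HMAC-SHA256 assumed)."""
    return hmac.new(key, canonical(order), hashlib.sha256).hexdigest()


def verify(key: bytes, order: dict, tag: str) -> bool:
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(make_tag(key, order), tag)


def demo() -> dict:
    sent_tag = make_tag(SHARED_KEY, ORDER)          # computed by the sender
    tampered = dict(ORDER, qty=400)                 # quantity altered in transit
    receiver_tag = make_tag(SHARED_KEY, tampered)   # the receiver holds the same key
    return {
        "genuine_accepted": verify(SHARED_KEY, ORDER, sent_tag),
        "tampered_rejected": not verify(SHARED_KEY, tampered, sent_tag),
        "wrong_key_rejected": not verify(b"some-other-key", ORDER, sent_tag),
        # Either key holder can produce a valid tag for any order, so a MAC
        # cannot prove to a third party which of them wrote the message.
        "receiver_can_mint_valid_tag": verify(SHARED_KEY, tampered, receiver_tag),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The last result is the reason a digital signature, made with a private key only the sender holds, is needed where nonrepudiation of sales orders matters.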
Next to the product or service an organization is known for, its
business information may be the most important asset that
requires security and protection. As a medium-sized toy manufacturer,
Ted's Tremendous Toys earns more than $7 million in annual
revenue with a relatively small workforce.
Even without e-commerce, the company has a lot of potential exposure
to liabilities from unauthorized access (intrusion) to its data and
systems, including the leaking of proprietary information to competitors
or stock manipulators, personal information on employees, customer
information, private financial information and transactions, and even
damage to critical systems (that store the data) from natural disaster,
vandalism (physical, as well as virtual with malware), or hackers that
could interrupt systems involved in the manufacturing, warehousing,
accounting and order processing, and delivery of the product to the