YMCA Network Security Analysis - Webber International University

brokenroomΔίκτυα και Επικοινωνίες

21 Νοε 2013 (πριν από 4 χρόνια και 7 μήνες)

215 εμφανίσεις


Network Security Analysis

A paper submitted to Webber International University

in partial fulfillment of requirements for the

Masters in Business Administration degree




Treasa McLean




October 23, 2



IS for Mgt


Fall 2006


Dr. Wunker


Table of Contents

Table of Contents




Major Issues and Features of a Company’s Network Security Policy



Company Background



Network Security Policy Recommend





YMCA Network Security Policy Analysis

Major Issues and Features of a Company’s Network Security Policy

A security policy is
one of the most important policies a company will
In the past, many company’s security policies we
re bound, place in an out of the way

and difficult for employees to locate much less consult. By utilizing the latest

and software
, companies can now have their security policy in digital format
posted on the

intranet site for easy a
ssess by employees.

A company’s
should be carefully planned based on the needs and goals of the company.
The policy

should be legally sound
, enforceable, backed by management and communicated to all
employees. In addition,
the policy

uld specify clear steps for implementation,
monitored and periodically reviewed and updated.

The policy should address the
company’s technology standards as well as accountability and responsibility.
2001; Avolio, 2000; Forcht and Ayers, 2000/2
001; Palmer, 2001;
Yasin, 2001

A company should have a network security policy
to serve as a safe guard to
protect a company’s data, computer system and important/sensitive documents.
a strategically

planned and legally sound security policy, a c
ompany is at risk for data
loss or corruption due


viruses, theft and/or equipment failure and will have limited
legal ramifications for enforcement

if data loss was as a result of intentional malice.

The results to a company of identity theft due to
lack of security can result in a
companying being held legally liable for any damages as a result of this theft. This
could, in fact, cause

financial hardship and


ultimately result in bankruptcy
or company closure.
Unfortunately, t
rusted em
ployees and contract

are found to
penetrate an organization’s security more often than external sources.
This is one of

many reasons why backing up data is critical.
The “cornerstone” of any company’s
security system
is a backup procedure of a company
’s important files. Along with a
secure backup system, a

company’s security policy should address protection of
employees’ personal information as well as client information. The policy should
analyze the possibilities of risks, threats and vulnerab
ilities and specify procedures to
address those issues.
Passwords should be changed regularly and placed in a s

Avolio, 2000; Connolly, 2001;
Forcht and Ayers, 2000/2001;
Yasin, 2001

opic 1: Delete or alter files

The intentional and
unintentional deletion or altering of important files is an
important item to be addressed in a network security plan. This can be accomplished
through user permissions to sensitive folders and drives; password protection of
individual files; and reliable

backup procedures.
With regard to intentional or
unintentional deletion of files
, disposal of sensitive documents need to be handled
carefully. The documents should not be placed in the trash unless they are shredded.
This will prevent unauthorized per
sons from gaining access to the information in the
In addition to a physical shredder, software applications can be purchased
which guarantee digital documents/files will be totally erased. One such shareware
application is the Advanced File Sh
redder. This product uses U

overnment standards
for file deletion guaranteeing that any data recovery programs cannot restore the data.
Relating to tracking alteration of sensitive documents, software tools can be purchased
which monitor servers and n
otify administration of any modifications to documents. One
such tool is Tripwire ASR. This tool establishes a baseline and any revisions to the

baseline results in an administrative alert.
File & disk wipers;

Forcht and Ayers,
; The 60 minute
network security guide, 2002

Topic 2: Take
pictures of important documents

Companies have many important/sensitive documents in hard copy form only.
Part of a company’s security policy should include guidelines for the protection of these
documents ag
ainst theft or destruction. Procedures need to include either scanning of
these important documents and/or photographing them. Scanned documents can be
stores in digital form on the company’s computer system. With a company’s backup
system in place, the
se documents should be secure. In addition, the policy should specify
an off
site location to store pictures of their sensitive documents. This location could be
a similar site as their location for off
site storage of backup files.
A company should als
guard against individuals using cell phones to take pictures of sensitive documents. Cell
phones are now so compact they are virtually undetectable and can result in a serious
breach of security. Some companies have gone so far as to ban cell phones en
tirely from
specific locations within their organization in which sensitive documents are stored. The
introduction of videophones and USB flash drives can be used to capture copies or
pictures of digital documents adding an additional security risk. Thes
e issues need to be
specifically addressed in a company’s security policy since employees represent the
second highest category relating to breach of security.
(Gartenberg, 2002
; Hulme, 2001;

Topic 3: Unauthorized wireless access to network

e unauthorized access to a wireless network can have a security risk on a
company if the right precautions or actions are not taken to prevent company damage.

Automatic protection against data theft, unauthorized wireless network access and
broadband "free
loading" through an easy and intuitive one
click interface, the fact is that
they are gaining access to your network and internet without paying a thing towards the
company or service being provided. If a company has a wireless network they must make
that it is protected by passwords and restrictions that prevent other people from
gaining unauthorized access to the company’s information. You can also purchase
protection against this problem and only authorized people will have access. It would be
the company’s best interest to purchase this protection. Make sure passwords are
, secure
, only authorized users have access to data and the policy on unauthorized
access to data is clear. The more people that can find a way to get passwords and a
the wireless network the more damage can be done to data. Taking time as a company to
go over the security problems that can occur if the wireless internet system is not set up
properly is well worth the time and effort. Having a wireless system cr
eates the
conveniences of transportable devices that will let you access the internet and not be
stationed to one spot. (Karygiannis and Owens; MacAfee; Securing your wireless
network; Wireless security recommendations for Rutgers)

Topic 4: Copying or dow
nloading files

Copying or downloading important files is a way that important data can be lost
or copied by the wrong people. A company must secure data by shredding or putting a
lock on important data. Uninvited programs such as downloads can have virus
es that can
cause a computer to crash. Restricting personal emails may help reduce chance of
corruption of data. There should be no unauthorized access to important files and access
must be restricted with guidelines of how data should be handled. Do not


personal information into the company environment including downloading personal
emails. Whenever you are going to copy or download files into the system, you must
make sure that the files are virus protected. A company must always be aware of
dissatisfied employees that feel that they must try to disturb the network by causing
problems by downloading or copying files that they are not authorized to or downloading
viruses into the system. (Kachapeswaran, 2006; Using the internet downloading fil
2006; Viollis and Kane, 2005)

Topic 5: Unauthorized use of a user account

Unauthorized access of a user’s account is a serious concern for security policy
and safety issues in today’s business world. In a business world that is built on a
based society, it is imperative that today’s organizations continue to find
innovative technologies and ideas to teach employees ways to keep their access to the
organization’s systems and information private and confidential. Not only is it important
find innovative technologies and ideas to teach employees ways to keep their access
confidential, it is also imperative for organizations to know who their attackers could
possibly be.
When it comes to breaching company security, it's the people with dail
unlimited access to company trade secrets, customer lists, and future marketing
campaigns that warrant extra attention
. In other words, it is the employees of the
organization that pose the biggest threat to breaches in the company’s security
. A
ty policy should not be a static document but one that evolves to accommodate
changing economic conditions, business plans, corporate cultures, and operating
. The security policy should be reviewed with all employees on a continual
basis and
should stress the importance of keeping passwords confidential. Employees

should, at all times, be aware of their surrounding to ensure someone is not watching as
they type their password. A sound security policy should also stress the importance of
ting a sound password that does not include common words or continuous numbers.
A sound password should also include special characters. The security policy should
advise employees not to write down their password and never give it out to anyone.
ss; 2001
; Ellis, 2003; Hulme; 2000)

Topic 6: Virus, Worms, Trojan Horses, Blended threat

Viruses, worms, Trojan horses, and blended threats all create serious problems for
companies operating in today’s business environment.
The best hope businesses may
have for fending off growing security threats may be well
defined policies and practices.
The ability to protect against these threats is essential to the success of today’s
organizations. These types of threats present themselves from the inside as well
as the
outside. It is imperative that organization recognize both types of threats and develop
creative ways to fight against them. To keep on top of the latest attack codes and hacker
methods, you must regularly update vulnerability files, including: NID
S signatures;
antivirus signatures; and patches and service packs. Most vendors offer free file updates
as part of annual subscription packages, so staying on top of the vulnerabilities takes only
reasonable effort. There are all sorts of viruses that can

damage a company’s files or
computer networks. The security of a network is only as strong as the organization’s
willingness to accept responsibility for it. The ability of an organization to accept
responsibility for securing its network ensures that t
he organization is willing to take the
necessary measures to protect itself and the company from unwanted attacks on its data.
(Avolio, 2000; Ellis, 2003; Hulme, 2001)


Company Background

The YMCA was founded over 150 years ago in England by George Willia
ms as a
substitute for bible study and prayer and as a way to keep children off the streets. At the
time, the YMCA was a bit unusual because it crosses religious and social lines, which
was very uncommon at the time. Currently, the YMCA has 2,617 facilit
ies and is the
nation’s largest not
profit community service organization in the country. As of
2005, the YMCA has 20.2 million members, 561.909 volunteers, and the YMCA
currently works with 1,712 elementary schools. The YMCA currently has programs
vailable for individuals of all ages, including young and old. The YMCA has programs
available for child care, health and fitness, arts and humanities, family, sports, and team
leadership. Through these programs, the YMCA strives to better individuals in

aspects of life, without regard to social status, race, or religion. By offering these
programs, the YMCA is able to bring together communities and make them a safer, more
enjoyable place for the public to work and live. (YMCA.net, 2005)

The local L
ake Wales YMCA is located at 1001Burns Avenue in Lake Wales,
Florida. They supply the community with an exercise facility, child care in the morning
and afternoon and fun family activities for all. The YMCA supports the community and
supplies it with act
ivities and a safe environment for exercise, swimming and sports. The
Executive Director, Mrs.

Laura Motis, supplied us with information relating to the
network security at the facility.
(L. Motis, personal interview, October 17, 2006)

Network Security P
olicy Recommendations

Each YMCA has the authority to establish their own network security policy. The
Lake Wales YMCA addresses the security policy for their facility within their employee

. All

employees receive a copy of

the handbook

and are re
quired to sign for
At the current time the YMCA does not have a separate document that relates only to
their security

policy. The YMCA
’s present computer setup includes
12 computers

are ne
tworked to one of the computers, which is
being used tempora
rily to store their

(L. Motis, personal interview, October 17, 2006)

The YMCA has several security features in place. A member

in place that requires members to scan their ID cards when entered the facility. When the
cards are

a photograph of the individual assigned to

code on the card is
displayed on a computer screen. This enables the employees to confirm that the person
entering the facility is the same person who owns the membership card.
The YMCA also

user password security in place and email password accounts for authorized

Although backups are created of data and moved to an off
site location, no
standard policy is in place. This is an area of great concern and detailed
recommendations w
ill follow under that specific topic.
L. Motis, personal interview,
October 17, 2006)

Currently, the YMCA does n
ot have a network administrator. T
hey are in the
process of installing a server and setting up a network security system. In addition, an
ndividual is being hired to oversee risk management.
implementing the new network security system, there are several
areas of concern

that should

be considered. According to Laura
Motis, Executive Director of the YMCA, loss of data, data


security an
d employee theft are critical areas which will be addressed during this

to the new network security system

(L. Motis, personal interview, October
17, 2006)

Delete or alter files.

File & disk wipers;

Forcht and Ayers, 2000/2001
; The 60
e network security guide, 2002

The YMCA currently uses a shredder to shred


sensitive documents. There does not appear to be a software program
installed which would guarantee fi
e deletion

for removal of sensitive files located on the
puter/server. The YMCA currently has some security in place with regard to access
to sensitive documents. Permissions are given by the Director for an employee to gain
access to these folders.
This policy appears to be an attempt to restrict any unautho
employees from gaining access to important documents

would result in deletion or
alteration of documents either unintentionally or intentionally.
No software programs
appear to be
in place

would monitor alteration
of sensitive do
(L. Motis, personal interview, October 17, 2006)


pictures of important hardcopy documents would help prevent loss to the
company in the event of theft or water/fire damage. These digital images could be
acquired through the use o
f a digital camera or scanner.
Upon download of these images
to the server

they w
ould then be secure not only on the data server but also on a backup
medium stored in an off
site location
, which is currently within their policy

In addition,
the YMCA, a
s mentioned previously, will be installing a network server system in the
very near future. This system will allow the network administrator to place users in
predefined groups giving group permissions to data access. This will minimize/eliminate
e access to secure network folders thus reducing the risk of deletion or altering of

sensitive documents.
Finally, the installation of two types of software programs would
also help eliminate intentional or unintentional deletion or altering of files.
ftware/shareware programs are available which guarantee digital document/file
in which

any data recovery programs cannot restore the data. There are also
software programs that monitor servers for data deletion/alteration and will notify
ration of any modifications to documents.

(L. Motis, personal interview,
October 17, 2006)

Take pictures of important documents.
(Gartenberg, 2002
; Hulme, 2001;

At this time there is not a policy which would require digital pictures of

sensitive documents
. The YMCA is, however, taking a copy of their data off
site as a form of data security. Employees are
prohibited from bringing cell
phones to work
. Although this policy is in place to prevent personal phone calls on
ness time, it is also a benefit to network security due to the fact that many cell phone

are, in fact,
also camera phones and could be used to take pictures of sensitive

YMCA does not
have a policy
with regard to
use of
rts (useable by
flash drives

CD burners, which are now accessible to
employees. These devices could be used to copy important documents
which would
allow them to be


them from the office site.
(L. Motis, personal interview,
October 17, 200

As mentioned previously, taking pictures of important/sensitive documents would
be benefi

to safeguard against document deletion, alteration and security. In addition,
although there is a policy against cell phone usage at work, setting policy whic
h allows
only authorized employees to have workstations with CD

urners and functioning USB

ports could
prevent compromise of important documents. Workstations in high
traffic area
s, which have these medium devices accessible, should be examined to
etermine the security risk involved and the security policy could be modified
(L. Motis, personal interview, October 17, 2006)

Unauthorized wireless access to network
(Karygiannis and Owens; MacAfee;
Securing your wireless network; Wireless

security recommendations for Rutgers)

YMCA is not set up on a wireless internet system, however, the Executive Director does
have wireless internet in her office. This wireless network is set up through Verizon and
is encrypted so no free loaders ca
n access the internet connection or her system. It is set
up using the Wi
Fi system. (L. Motis, personal interview, October 17, 2006)

Copying or downloading files
(Kachapeswaran, 2006; Using the internet
downloading files, 2006; Viollis and Kane, 2005)

The YMCA backs up their data in
several different ways based on the department. The Child Care department backs up
every night through the internet by a contracted company. The Financial department
backs up their system once a week. Their data include
s the payables and receivables for
the company. A copy of the backup CD’s are taken to an offsite location, however, they
are not stored securely and could be accessed by unauthorized individuals. A security
policy relating to the storage of data at a se
cure off
site location would give the company
the added sense of security needed in the event of data loss at the facility due to
equipment failure, theft or water/fire damage.

(L. Motis, personal interview, October 17,

At the present time the YMCA
does not keep
their data

and critical desktop
computers in secure locations. Basically anybody can access the computers and tamper

with data that could hurt the company. With the lack of security in this area, it is very
possible for anybody who walks by

to access files and the internet when nobody is
looking. If unauthorized users were to visit unethical websites such as pornography,
music downloads or visit My Space it could appear to management that the employee, the
authorized user of the computer, w
as the person accessing the material. This problem
could be addressed by setting up an automatic log off after a specific period of time when
there is no computer activity. In addition, the security policy could require employees to
log off whenever they

leave their work station. This will help prevent unauthorized users
from gaining access to the data or the internet.
(L. Motis, personal interview, October 17,

When studying the security of the offices and computer equipment it was noted
that only

two people have a key to everything at the YMCA. This appears to be a good
policy by narrowing down the number of people who have total access. However,
personnel information is located in a back office and five people have access to that room
at all ti
mes. This is an area that the YMCA should look into to determine if it is essential
to have that many people with keys since it could affect the security of the company as a
whole. The company does maintain a good policy in making sure that the door is l
in the financial office so that the data in that room is secure and the computer is logged
off and turned off.

(L. Motis, personal interview, October 17, 2006)

The YMCA has discontinued their practice of copying social security cards and
drivers’ li
cense, which is certainly a positive step to help prevent identify theft from a
members stand point. All employees’ personal information is stored in the


computer, which, as mentioned previously, appears to be secure.
(L. Motis, personal
iew, October 17, 2006)

As far as the YMCA’s policy for carrying out investigations relating to policy
offenders, the Executive Director prefers to handle as much in house as possible. The
policy includes a verbal warning for the first offense, second offe
nse is a counseling
report that is a written warning and any other offenses will end in suspension or
termination of employment.

(L. Motis, personal interview, October 17, 2006)

Unauthorized use of a user account
Andress; 2001
; Ellis, 2003; Hulme; 2000)

The YMCA’s current security policy concerning issues dealing with unauthorized access
of a user’s account is nearly non
existent. While the YMCA does have a policy
regarding internet and email use on company time, it does not nearly reach the necessary
oundaries regarding safety when it deals with the issue of someone potentially causing
great harm by gaining access to their systems. According to the YMCA of Lake Wales
Executive Director Laura Motis, the organization is currently undertaking a process t
she believes will enhance their security measurers. However, in the mean time, the
YMCA should strongly consider implementing the following recommendations
concerning unauthorized access of a user’s account. According to Laura, current
employees are
permitted to select their own password to log into the system. Being the
director of the center, Laura has required employees to provide her with the password, in
the event that the employee forgets the password or has a need to change it. If past
ence is any indication of the future, this could potentially lead to a damaging
situation. If an employee were to use a password that is similar to something else, such
as their pet’s name, phone number or name, this could easily lead to an individual wit

malicious intentions finding out the password and gaining access to valuable information.
The YMCA should implement a standard password set that all employees must follow.
This password requirement could include a minimum amount of numbers, the
ment for a minimum of at least one special character, and a minimum of at least
one upper and one lower case letter within the password. Being the director of the
organization, it makes sense for Laura to be the only person with the knowledge of other
loyee’s passwords. However, the YMCA should not have these passwords in their
office and should be kept outside in the event a theft occurred. Also, the YMCA has not
required the employees with computer access to frequently change their passwords. The
MCA should implement a policy requiring the employees to frequently change their
passwords a minimum of once a quarter. This simple step could easily prevent repeated
unauthorized access to a users account.

(L. Motis, personal interview, October 17, 2006

Virus, Worms, Trojan Horses, Blended threat
(Avolio, 2000; Ellis, 2003;
Hulme, 2001)
The YMCA currently has no official policy in place regarding viruses,
worms, Trojan horses, and blended threats. Currently, the YMCA relies upon the
director of the
organization, Laura Motis, to attempt to control these very threats to the
companies systems. According to Laura, this is mostly accomplished through her direct
observation of employees. This seems like an insurmountable task given the daily time
nts bestowed upon someone in Laura’s position. The YMCA should immediately
implement a policy regarding internet usage and downloading, email usage and
downloading, and inserting any type of disk or CD into a company’s computer. This
simple step could pr
event major damage from occurring in the event that a virus or worm
should be downloaded. Currently the organization has no safeguards in place to prevent

access to any website an employee chooses to visit. It is highly recommended that the
investigate current technology, including web blockers that would prevent
employees from accessing certain web sites that would be inappropriate to visit during an
employee’s working hours. This type of software is not designed to monitor which web
an employee visits, rather, it is designed to completely restrict or block access from
the sites completely. This would completely prevent access to certain sites that could
potentially cause harm to the employees systems. These web sites could include s
that allow downloading or file sharing, pornographic web sites, or web sites that consume
employee’s time when they are presumed to be working. It is not recommended that the
organization completely deny internet access, it is however recommended tha
t the
organization implement ways to protect its interests. (L. Motis, personal interview,
October 17, 2006)



Andress, M. (2001, November 19). Effective security starts with policies, I

Retrieved August 24, 2006, from

Avolio, F. (2000, March 20). Best practices in network security,
Network Computing

Retrieved August 24, 2006, from

Connolly, P. (2000, July 10). Security starts from within,

Retrieved August

24, 2006, from

Ellis, C. (2003, February). '7 steps' for network security: being prepared and

knowledgeable is the best defens
e against hackers and data thieves

local area

Communications News
. Retrieved August 24, 2006
, from


File & disk wipers. (n.d.).
Retrieved September 25, 2006, from

Forcht, K. and Ayers, W. (2000/2001, Winter). Developing a computer security policy

for organizational use and implementation,

Journal of Computer Information

. Retrieved August 28, 2006, from


rtenberg, M. (2002, June 24). Being tough, gentle with data security,

Retrieved August 28, 2006, from

Hulme, G. (2001, Sept 3). Management takes notice,
on Week
. Retrieved

August 28, 2006, from http://search.ebscohost.com.

Kachapeswaran, A. (2006, May 8). Find more like this Microsoft touts a regimen for

biz network security,
Fort Worth Business Press
. Retrieved on September

28, 2006,


Karygiannis, T. and

Owens, L. (n.d.). Wireless network security 802.11


handheld devices,
National Institute of Standards and Technology
. Retrieved

October 15, 2006, from



nveils 2006

(2005, Oct

Productivity Software
. Retrieved on September 30, 2006, from


Palmer, M. (2001, May/June). Information security policy framework: best practices

for security policy in the e
commerce age,
Information Systems Security

Retrieved August 28, 2006, from

Securing your wireless network. (n.d.).
Practically Networked
. Retrieved October 15,

2006, from http://www.practicallynetworked.com/support/wireless_secure.htm

The 60 minute network security guide. (2002,

July 12).
National Security Agency,
United States of America.
Retrieved September 25, 2006, from

Using the internet downloading files. (2006, January 19).
. Retrieved October
15, 2006, from htt

Viollis, P. and Kane, D. (2005, August

22). Risk control strategies
viruses: the new
weapon of choice for workplace violence offenders,
Computer World.com

Retrieved September 19, 2006, from


Wireless security recommendations for Rutgers. (2006, March 23).
2006 Rutgers

Retrieved October 15, 2006, fr
om http://techdir.rutgers.edu/wireless.html

Yasin, R. (2001, January 8).

Policy Management Hits the Web,
. Retrieved

August 28, 2006, from

YMCA.net. (n.d.)

ved October 20, 2006, from http://www.ymca.net