Woodburn Graphics, Inc.
Woodburn Graphics Case Study
Jim Pendergast, Director of Planning and Development for Woodburn Graphics, considered what a big step this small company with fewer than 50 employees was taking with its second-generation Website. Jim reflected on the additional burdens of network administration and security issues that he faced. Woodburn had no actual network administrator, so those duties fell to Jim by default. He had done the job well enough, with the help of his cousin Mike, who was a computer consultant and the chief source of networking advice for the company. But there was no doubt that the extra duties that he faced were a major reason why it had taken more time than expected to launch the company’s second-generation Website. The site had been launched on a test basis to work the bugs out first and to address security issues.
Jim did have growing concerns about Woodburn Graphics’ network security. The delay in launching the Website had been partially due to three different computer network breaches by computer worms—particularly destructive kinds of computer viruses, or more broadly called “malware”—over a period of a couple of months. These worms had apparently invaded the network when employees had innocently opened email attachments from apparently reliable sources. In fact, one of the worms could have been spread just by opening an infected email.
Only after the worms were in the network did their malicious nature become apparent. The worms caused network performance to degrade significantly because they were programmed to replicate themselves across the network, consuming computer processing capability and network bandwidth. As was almost always the case with this type of malware, each of the worms had the capability of utilizing email contact lists to email themselves to other persons inside and outside the company, including customers. One of the worms had even infected some of the company’s crucial graphics files, overwriting content with random gibberish or with copies of the worm itself. The worms were also capable of attacking unpatched vulnerabilities in the Microsoft Windows operating system and Microsoft Internet Server software. They then spread themselves using the HTML rendering features used to display pages in Microsoft Internet Explorer browser; when an infected HTML file was transferred to another computer, as was done when a Website server was accessed, that computer became infected.
In each of the three incidents, local consultants had to be brought in to rid the company systems of the worms. The cost of the incidents, largely from lost productivity, was estimated at just under $15,000. For a small company like Woodburn, this was not acceptable.
A day before, Jim had expressed his increasing concern with Woodburn’s information security to Larry Natalie, COO of Woodburn Graphics. He had also questioned whether he could continue to spend as much time with network and security issues given his other job responsibilities. In turn, Larry had sent Jim a memo in which he posed questions about the company’s information security profile. He asked Jim to respond to the following questions:
- How would you describe our network security strategy? Should it be changed?
- What are the risks or threats to our current network systems? Where are we the most vulnerable to exploits?
- What recommendations do you have for dealing with these threats?
- Should we have a network security audit done? If so, can we do it ourselves, or should we bring in a qualified security consultant?
- Finally, you have raised the questions of network administration and who should have the responsibility of the network, including security. What is your recommendation?
Jim read the memo again, reflecting on his assessment of each question. What answers and recommendations should he provide to Larry? He had a considerable personal investment of time and interest in building the company network, but this was not his only area of responsibility. Was it time to turn network oversight over to someone else? And was it indeed time to call in a security expert to deal with the security issues?
Woodburn Graphics, Inc.
The information assets that Woodburn needs to protect include people (both employees and non-employees of the company), software, hardware, procedures, and data or information. These information assets can be classified generally as critical, semi-critical, or non-critical.
Other threats that the company may face besides computer worms include employees and consultants. Woodburn had not given its employees any training in information security. Jim suspected that email attachments were the most likely route by which the worms had infected the system. In addition, consultants and other third parties were given access to the company's critical resources both remotely and onsite, which created the danger of infecting a system through malware transfer. Furthermore, unethical consultants could pass critical information about the company to competitors.
Hackers also pose a threat to the system. Such individuals use various software tools and capitalize on vulnerabilities in the system to gain access to privileged resources. A hacker's intentions may include crashing the networks, acting with malicious intent, defacing websites and stealing information from customers.
Other threats that affect the company include software failures, spam, compromises to intellectual property, obsolescence and natural disasters.
The security controls Woodburn currently has in place are as follows. Physically, the Woodburn facility was secure from external break-ins. Procedures and policies were also in place, so access to the company's critical assets was appropriately restricted. Woodburn had also installed fire suppression equipment earlier. In addition, procedures and policies directing the company's response to physical disasters were in place. Furthermore, Woodburn had insured itself against fire and other critical physical disasters. However, the company had not considered taking out cyber security insurance.
The controls that Woodburn should consider introducing into their security profile so as to reduce their exposure to the threats assessed above include:
First, Woodburn should consider policies and procedures; a policy on email is an example. Second, the company should consider education and training. Because customers and employees can be security threats, education programs could make individuals aware of the threats and of the actions that may increase the possibility of threats. Third, the company should consider security contingency planning, which focuses on specifying the company's immediate response when a disruptive event happens.
Fourth, Woodburn should consider access controls. These may involve authentication for users as well as restricting access to important assets. In addition, the company should consider data backup; it is important to back up data and files regularly. Lastly, the company should consider updating its software. Running updated operating systems and programs reduces the vulnerabilities that hackers use to attack the system.
5. In my opinion, Jim should consider facilitating the audit process on the security controls and consider implementing all the measures that have been considered under security controls. In addition, because he has undertaken a lot of responsibilities, Jim should consider hiring a full-time network administrator to assist in monitoring the policies and threats for quick response.
“Woodburn Graphics, Inc.: Securing the Corporate Network.” The Society of Case Research, n. pag. Print.