I. Vulnerability Assessments (Or “What do we have of value that must be protected?”)
A. The Company Network
Figure 1: Existing Company Network
1. Physical Devices
a) The NETGEAR MR814 Wireless Router (all versions) has two key vulnerabilities. First, the MR814 only supports Wired Equivalent Privacy (WEP) encryption to secure traffic sent over the wireless network [1]. WEP has numerous, well-documented vulnerabilities and exploits. In its standard implementation, WEP can be compromised easily with a brute-force approach. If a longer key is used, weaknesses in the WEP protocol allow an attacker to use other methods to decrypt all of the traffic sent on the wireless network [2]. There are multiple, easily available tools …
Wireless networks are vulnerable to remote exploitation because they use radio frequencies (RF) to transmit data between endpoints. With a wireless network, an attacker does not have to physically connect to any of the network devices in order to gain access. They do not even have to be inside the same room or building. An attacker can sit outside of a building, but still be within the range of the wireless access point (WAP). With a high-gain antenna and directional transmitter, an attacker can connect to a WAP from beyond its normal range. An attacker who drives around scanning for WAPs to exploit is conducting an attack known as “wardriving”. In one case, three men were indicted for stealing “credit card numbers and payroll information via businesses’ wireless networks, enabling them to steal more than $750,000 in cash and computer equipment” …
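An added example, not part of the original assessment: a Python check that flags access points in a site survey that still advertise only WEP, the weakness identified for the MR814 above, and, going one step beyond the text, access points with no encryption at all. It assumes scan results in the terse output of `nmcli -t -f SSID,BSSID,SECURITY device wifi list`; the SSIDs and BSSIDs in the sample are constructed.

```python
# Constructed sample of terse nmcli output: fields are split on ':', and a
# literal ':' or '\' inside a value is escaped with '\'. All names invented.
SAMPLE_SCAN = r"""
office-main:00\:11\:22\:33\:44\:55:WEP
office-guest:00\:11\:22\:33\:44\:56:
lab\:bench:00\:11\:22\:33\:44\:57:WPA2
warehouse:00\:11\:22\:33\:44\:58:WPA1 WPA2
"""


def split_terse(line):
    """Split one terse-mode line on unescaped ':' and undo the escaping."""
    fields, cur, chars = [], [], iter(line)
    for ch in chars:
        if ch == "\\":
            cur.append(next(chars, ""))  # escaped character, taken literally
        elif ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    fields.append("".join(cur))
    return fields


def audit(scan_text):
    """Return (ssid, bssid, finding) for each open or WEP-only network."""
    findings = []
    for line in scan_text.splitlines():
        if not line.strip():
            continue
        fields = split_terse(line)
        if len(fields) != 3:
            continue  # malformed line: skip rather than guess
        ssid, bssid, security = fields
        modes = set(security.split()) - {"--"}  # "--" or empty means none
        if not modes:
            findings.append((ssid, bssid, "open: no encryption"))
        elif modes == {"WEP"}:
            findings.append((ssid, bssid, "WEP only"))
    return findings


if __name__ == "__main__":
    for ssid, bssid, finding in audit(SAMPLE_SCAN):
        print(f"{bssid}  {ssid!r}: {finding}")
```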
Federal: The following is a sampling of federal laws that often apply to businesses that maintain an individual’s personal and financial information.
a) The Federal Rules of Civil Procedure (FRCP), Title V, Disclosures and Discovery, Rule 34, specifies that a party in a civil procedure be able:
“to produce and permit the requesting party or its representative to inspect, copy, test or sample the following items in the responding party’s possession, custody, or control: (A) any designated documents or electronically stored information – including… data or data compilations – stored in any medium from which information can be obtained…” [9].
The current structure of the organization’s network, especially the lack of direct control over email records, effective data storage and a backup/archival strategy, makes the company potentially unable to respond appropriately to lawful requests for information in civil procedures. Failure to comply with a court order can result in the company being held in contempt of court and associated penalties being applied.