The Richman Company is a successful and prosperous firm with branches in eight locations throughout the country and Canada. To support its growth, the company uses both an intranet and an extranet network. These networks are essential to the successful operation of the company because they provide the means of communicating with all employees, who use the intranet to enroll in company benefit programs. These networks also allow all of the company’s business partners, vendors and privileged customers to gain information about the company. In recent years, the company has been expanding rapidly. As one of the company’s interns, I have been asked to analyze the company’s vulnerabilities and make a plan to protect company assets and to utilize available technology most effectively. Before making the final proposal, I examined Richman’s use of the intranet and the extranet networks and found problems that require immediate attention.
One problem that results in a grievous vulnerability concerns the intranet that Richman hosts for its employees. I found that many of the computers were using Internet Explorer with the default setting “Web sites in less privileged Web content zone can navigate into this zone” enabled. According to Cesar Cerrudo, founder and CEO of Argeniss, an Internet website can reference an intranet website simply by including an HTML FRAME or IFRAME that points to it. Internet Explorer automatically requests and displays the content without any user interaction; it merely shows “Unknown Zone (Mixed)” in the status bar, without raising an alert or prompting the user for authentication. With this setting enabled, an Internet web page can view or refer to content on Richman’s intranet website. To preserve the company’s privacy, this default setting must never be used. For example, all computers must be configured to eliminate this window of opportunity for trespass into the company’s protected
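The following audit script is an added example, not part of the original report, to show how an administrator could check (and, with a switch, enforce) the setting discussed above on a Windows workstation. It assumes the standard Internet Explorer zone registry layout, in which `Zones\1` is the Local intranet zone and action `2101` is the “Web sites in less privileged Web content zone can navigate into this zone” setting (0 = Enable, 1 = Prompt, 3 = Disable); the policy path and value meanings are taken from that layout, not from the report.

```powershell
# Added audit/remediation script (not part of the original report). Assumes the
# standard IE zone registry layout: Zones\1 = Local intranet, action 2101 =
# "Web sites in less privileged Web content zone can navigate into this zone",
# with 0 = Enable (the vulnerable default), 1 = Prompt, 3 = Disable.
[CmdletBinding()]
param(
    [switch]$Remediate   # when set, lock the setting to Disable (3) via machine policy
)

$Action = '2101'
$Paths = [ordered]@{
    'Machine policy' = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1'
    'User policy'    = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1'
    'User setting'   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1'
}
$Meaning = @{ 0 = 'Enable (vulnerable)'; 1 = 'Prompt'; 3 = 'Disable (recommended)' }

function Get-ZoneNavigationSetting {
    # One row per registry location; Value is $null when the key or value is absent.
    foreach ($entry in $Paths.GetEnumerator()) {
        $value = $null
        if (Test-Path $entry.Value) {
            $value = (Get-ItemProperty -Path $entry.Value -Name $Action -ErrorAction SilentlyContinue).$Action
        }
        [pscustomobject]@{
            Source  = $entry.Key
            Path    = $entry.Value
            Value   = $value
            Meaning = if ($null -eq $value) { 'not set (zone default applies)' } else { $Meaning[[int]$value] }
        }
    }
}

$report = Get-ZoneNavigationSetting
$report | Format-Table -AutoSize

# Policy keys override the per-user setting, so an explicit 3 under machine policy
# keeps the zone locked even if a user later changes Internet Options by hand.
$policy = $report | Where-Object Source -eq 'Machine policy'
if ($policy.Value -ne 3) {
    Write-Warning "Intranet zone navigation from less privileged zones is not locked to Disable by policy."
    if ($Remediate) {
        New-Item -Path $Paths['Machine policy'] -Force | Out-Null
        Set-ItemProperty -Path $Paths['Machine policy'] -Name $Action -Value 3 -Type DWord
        Write-Host "Set $Action = 3 (Disable) under machine policy."
    }
}
```

Run it without the switch to report, and with `-Remediate` from an elevated session to enforce the policy value; as defence in depth, the intranet web server itself can also refuse to be framed by sending an `X-Frame-Options: SAMEORIGIN` header, which does not depend on every client being configured correctly.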