New Millennium Company is concerned about the security of its information system. It hosts a company Web site that is accessible through the Internet.

Certain employees can access New Millennium's private network through the Internet as well. Employees can also access the Internet through the private network. The chief security officer for the company is worried about hackers and intruder attacks on both its Web site and the private network.

Required:
a. What Internet-related vulnerabilities may be present in New Millennium's information system?
b. What procedures or steps might be implemented to strengthen system security?
What will be an ideal response?

Answer:
a. Since New Millennium's system is accessible via the Internet, vulnerabilities may arise from weaknesses in any of five major areas:
• The operating system or its configuration
• The Web server or its configuration
• The private network or its configuration
• Various server programs
• Lack of adherence to established general security procedures

b. The following procedures may help to strengthen system security:
• The chief security officer needs to be aware of advisory bulletins for security updates and new information on configuration issues, and take appropriate action when necessary to secure the operating system.
• The company should have in operation a firewall that restricts incoming traffic on network computers. The firewall can also be configured to limit outgoing traffic or block access to certain IP addresses on the Internet.
• The company should use a proxy server to monitor and route traffic to and from its private network and restrict access only to authorized users.
• All servers should have the latest anti-virus software installed to continually monitor for the possibility of viruses entering into or migrating within the system.
• The FTP server should be equipped with encryption-based software that prevents "clear" transmission of passwords and computer files of a highly sensitive nature.
• Web usage and all network traffic should be monitored to ensure that unauthorized activity is not occurring. The chief security officer should hold employee-training sessions on software/hardware security policies and enforce those policies.
• Passwords should be routinely changed and employees should not be allowed to choose "easy-to-remember" passwords.
• The chief security officer should routinely review log files for unusual network traffic and file transfers.
