
Bellevue University Administration Office
Version 1.0
2/5/2020
Controlled Unclassified Information
Operational Overview
Organization Name: Bellevue University
Building: Administration Office
Address: 123 Bellevue University Lane, Bellevue, Nebraska
This organization will handle admissions, supervision of academic affairs (evaluation, hiring, tenure, promotion), official records maintenance, financial flow/record maintenance, maintenance of campus buildings/grounds, security/safety of campus property/people, support/supervision of the campus network and computers (with Campus IT), private/foundation fundraising, research administration, public affairs (media, local/state/federal government), and student services (library, career counseling, disability programs). All assets will reside at 123 Bellevue University Lane, Bellevue, Nebraska. The office will be secured by keycard access 24/7 and closed outside regular operating hours. The office will be operated by a combination of full-time and part-time staff, as well as student workers. Data used in the office is sensitive, consisting of student and staff IDs, names, emails, transcripts, health information, financial accounts, and official university leases, contracts, etc. The office will have visitors, including potential students and their families, as well as outside contractors and media.
System Overview
Hardware
Device Name (Unique Identifier) | Manufacturer | Model Number | Firmware / OS | Purpose | Building/Room |
Router1 | Cisco | ISR 4221 | 15.5 | Perimeter Router | Administration Office: Server Room- Rack |
Firewall1 | Cisco | ASA5508 | 9.1(6) | Firewall | Administration Office: Server Room- Rack |
Switch01 | Cisco | 2960 | 8.0.3 | Access Switch | Administration Office: Server Room- Rack |
Switch02 | Cisco | 2960 | 8.0.3 | Access Switch | Administration Office: Supply Closet- Locked Wall-Mounted Rack |
PC 1(Staff Terminal) | Dell | Optiplex 7050 | Windows 10 SBH | Workstation | Administration Office: Bay 1 |
PC 2 (Staff Terminal) | Dell | Optiplex 7050 | Windows 10 SBH | Workstation | Administration Office: Bay 1 |
PC 3 (Staff Terminal) | Dell | Optiplex 7050 | Windows 10 SBH | Workstation | Administration Office: Bay 1 |
PC 4 (Staff Terminal) | Dell | Optiplex 7050 | Windows 10 SBH | Workstation | Administration Office: Bay 1 |
PC 5 (Staff Terminal) | Dell | Optiplex 7050 | Windows 10 SBH | Workstation | Administration Office: Bay 1 |
PC 6 (Student-Worker Terminal) | Dell | Optiplex 7050 | Windows 10 SBH | Workstation | Administration Office: Bay 2 |
PC 7 (Student-Worker Terminal) | Dell | Optiplex 7050 | Windows 10 SBH | Workstation | Administration Office: Bay 2 |
PC 8 (IT Terminal) | Dell | Optiplex 7050 | Windows 10 SBH | Workstation | Administration Office: Server Room 1 |
Server 1 | Hewlett Packard | StoreEasy 1640 | Server 2012 R2 | File Server | Administration Office: Server Room- Rack |
Software
Manufacturer | Name | Version | Function | License Expiration |
Adobe | Adobe Acrobat Pro | 19.010.20069 | Document creation | TBD |
Adobe | Adobe Flash Player | Flash Player 32 | Viewing content created on the Adobe Flash platform (multimedia, internet applications, streaming audio and video) | TBD |
Google | Google Chrome | Version 79.0.3945.130 (Official Build) (32-bit) | Browser | TBD |
Oracle | Oracle Java Runtime Environment | Java SE 13.0.2 | Java Virtual Machine (JVM), Java platform core classes, and supporting Java platform libraries | TBD |
McAfee | McAfee VirusScan Enterprise + Antispyware Enterprise | 8.8 | Antivirus, antispyware, security operations and scans | TBD |
Microsoft | Microsoft Office 2016 Standard (Word, PowerPoint, Outlook) | Standard, 2016 | Word processing, email, graphs, spreadsheets, letters, presentations | TBD |
Microsoft | Microsoft Windows 10 | Pro, Version 1909 | Workstation operating system | TBD |
Microsoft | Microsoft Windows Server 2012 R2 Member Server | 6.2 (Build 9200) | Server operating system | TBD |
Personnel
President: Supervises the entire organization and reports to the Board of Trustees. (Full read/edit/install access to, and permission to use, all data.)
Dean: Supervises individual fields/aspects of the organization and reports to the President. (Full read/edit/install access to, and permission to use, all data.)
Department Chairs: Lead a particular department and report to the Dean. (Full read/edit/install access to, and permission to use, their department's data.)
Administrative Staff: General University Administration employees who report to the Dean. (General read/edit access to, and permission to use, their department's data.) There will be seven full-time and three part-time staff.
Contractors: Hired workers from outside the campus. (No access to data, limited read at most, unless access is granted by both Bellevue University Administration and Campus IT.)
Student Workers: Students who work in the University Administration Office. (No access to data, limited read/edit at most, unless access is granted by both Bellevue University Administration and Campus IT.) No more than four student workers will work part-time.
Students: Students who visit the University Administration Office. (No access to data, limited read/edit at most, unless access is granted by both Bellevue University Administration and Campus IT.)
Public: Potential students and their parents, vendors, media, etc. (No access to data, limited read/edit at most, unless access is granted by both Bellevue University Administration and Campus IT.)
Assessment Methods
Test Battery | Test Target (Component, Software, Technology, or Policy) | Verification Method: (E) Examine, (I) Interview, (T) Test | Output |
NIST SP 800-53A Rev4 Security Controls Assessment Procedures for L-L-L | System | E, I, T | Procedures and results will be captured in a spreadsheet for each applicable security control assessment procedure |
NIST SP 800-60 Vol. II, C.2.3.1 Budget Formulation Information Type for L-L-L | System | E, I, T | Procedures and results will be captured in a spreadsheet for each applicable security control assessment procedure |
NIST SP 800-60 Vol. II, C.3.5.7 Information Management Information Type for L-L-L | System | E, I, T | Procedures and results will be captured in a spreadsheet for each applicable security control assessment procedure |
NIST SP 800-60 Vol. II, C.3.3.7 Employee Relations Information Type | System | E, I, T | Procedures and results will be captured in a spreadsheet for each applicable security control assessment procedure |
NIST SP 800-60 Vol. II, C.3.3.5 Benefits Management Information Type | System | E, I, T | Procedures and results will be captured in a spreadsheet for each applicable security control assessment procedure |
Assured Compliance Assessment Solution (ACAS) vulnerability scan(s) | All assets | T | Results will be provided as a .nessus file |
Traditional Security Technical Implementation Guide (STIG) | System | E, I, T | STIG Viewer .ckl results will be provided |
Enclave Testing Security Technical Implementation Guide (STIG) | System | E, I | STIG Viewer .ckl results will be provided |
Network Perimeter Router L3 Switch STIG – Ver 8, Rel 32 | Router1 | E, I, T | STIG Viewer .ckl results will be provided |
Firewall SRG – Ver 1, Rel 3 | Firewall1 | E, I, T | STIG Viewer .ckl results will be provided |
Network Layer 2 Switch STIG – Ver 8, Rel 27 | Switch01, Switch02 | E, I, T | STIG Viewer .ckl results will be provided |
Windows 10 STIG Version 1, Release 19 Checklist Details | Workstation: PC 1 | E, I, T | STIG Viewer .ckl results will be provided |
Windows 10 STIG Version 1, Release 19 Checklist Details | Workstation: PC 2 | E, I, T | STIG Viewer .ckl results will be provided |
Windows 10 STIG Version 1, Release 19 Checklist Details | Workstation: PC 3 | E, I, T | STIG Viewer .ckl results will be provided |
Windows 10 STIG Version 1, Release 19 Checklist Details | Workstation: PC 4 | E, I, T | STIG Viewer .ckl results will be provided |
Windows 10 STIG Version 1, Release 19 Checklist Details | Workstation: PC 5 | E, I, T | STIG Viewer .ckl results will be provided |
Windows 10 STIG Version 1, Release 19 Checklist Details | Workstation: PC 6 | E, I, T | STIG Viewer .ckl results will be provided |
Windows 10 STIG Version 1, Release 19 Checklist Details | Workstation: PC 7 | E, I, T | STIG Viewer .ckl results will be provided |
Windows 10 STIG Version 1, Release 19 Checklist Details | Workstation: PC 8 | E, I, T | STIG Viewer .ckl results will be provided |
Microsoft Windows Server 2016 STIG Version 1, Release 12 | Server | E, I, T | STIG Viewer .ckl results will be provided |
Adobe Acrobat Reader DC Continuous Track STIG Ver 1, Rel 6 | Adobe Flash Player | E, I, T | STIG Viewer .ckl results will be provided |
Google Chrome Browser STIG for Windows Version 1, Release 18 | Google Chrome | E, I, T | STIG Viewer .ckl results will be provided |
Oracle JRE 8 Windows STIG Version 1, Release 5 | Oracle Java Runtime Environment | E, I, T | STIG Viewer .ckl results will be provided |
McAfee Antivirus 8.8 STIG Version 5, Release 21 | McAfee VirusScan Enterprise + Antispyware Enterprise | E, I, T | STIG Viewer .ckl results will be provided |
Microsoft Office System 2016 STIG Version 1, Release 1 | Microsoft Office 2016 Standard (Word, PowerPoint, Outlook) | E, I, T | STIG Viewer .ckl results will be provided |
Windows Server 2012 / 2012 R2 STIG Version 2, Release 19 | Microsoft Windows Server 2012 R2 Member Server | E, I, T | STIG Viewer .ckl results will be provided |
Windows 10 STIG Version 1, Release 19 | Microsoft Windows 10 Pro | E, I, T | STIG Viewer .ckl results will be provided |
Security Assessment
Perimeter Router Security Technical Implementation Guide, Release 32, Benchmark Date: 25 Jan 2019
Vulnerability (In Order of Importance) | Severity | Reasoning |
Vul ID: V-3160 / STIG ID: NET0700: The network element must be running a current and supported operating system with all IAVMs addressed. | CAT II | Since the router is missing the latest CAT III IAVM, the device is not configured to protect against known network attacks. |
Vul ID: V-3013 / STIG ID: NET0340: Network devices must display the DoD-approved login banner warning. | CAT II | Without a warning banner, unauthorized users are not informed that the device monitors and detects unauthorized usage. |
Vul ID: V-3072 / STIG ID: NET1624: The running configuration must be synchronized with the startup configuration after changes have been made and implemented. | CAT III | The running and startup configurations differ, so any changes made will be lost if the router reboots after a malfunction. |
Vul ID: V-3967 / STIG ID: NET1624: The network element must time out access to the console port after 10 minutes of inactivity. | CAT II | The console timeout is currently set to 12 minutes, which gives an unauthorized user 2 additional minutes to gain access if the prior authorized user left the console unattended. |
Firewall Security Requirements Guide, Release 3, Benchmark Date: 25 Jan 2019
Vulnerability (In Order of Importance) | Severity | Reasoning |
Vul ID: V-79489 / STIG ID: SRG-NET-000392-FW-000042: The firewall must generate an alert that can be forwarded to, at a minimum, the ISSO and ISSM when denial-of-service (DoS) incidents are detected. | CAT III | The firewall is not configured for automated alerts, so the network administrator must check for incidents manually; relying solely on human monitoring is not adequate. |
Vul ID: V-79487 / STIG ID: SRG-NET-001130FW-000005: The firewall must be configured to allow the system administrator to select a subset of DoD-required auditable events. | CAT III | Without selectable audit subsets, the system administrator cannot quickly and accurately search and view logs after a security breach or when identifying trends, leaving a large number of potential issues and risks undetected. |
Vul ID: V-79441 / STIG ID: SRG-NET-00077-FW-000012: The firewall must generate traffic log entries containing information to establish the source of the events, such as the source IP address at a minimum. | CAT III | Because the firewall does not identify the source node within log events, the log entries cannot be used to fully identify, troubleshoot, and defend against errors, attacks, and other events when reviewing an audit log. |
Layer 2 Switch Security Technical Implementation Guide, Release 27, Benchmark Date: 25 Jan 2019
Vulnerability (In Order of Importance) | Severity | Reasoning |
Vul ID: V-15434 / STIG ID: SV-16261r5_rule: The emergency administration account must be set to an appropriate authorization level to perform necessary administrative functions when the authentication server is not online. | CAT I | The switch has no emergency administration account, so during an emergency or unexpected downtime (authentication server offline) the administrator will not be able to access the switch and perform necessary administrative functions. |
Other Hardware/Software Benchmark Date: 25 Jan 2019
Asset | Reasoning |
(8) Optiplex 7050 | The results came back clean. |
(Server) StoreEasy 1640 | The results came back clean. |
Asset Prioritization for Mitigation or Remediation
Asset (In Order of Importance) | Reasoning |
Layer 2 Switch | Having the only CAT I finding, the switch's lack of an emergency administration account must be addressed immediately; the risk of being unable to access the switch while the authentication server is down is not acceptable and could result in disaster. |
Router 1 | While still critical for network operations, remediation of the router's vulnerabilities can be postponed until the switch is fixed, because several of its findings carry less serious risk (the missing banner and the extra two minutes of console timeout). However, since the router has both CAT II and CAT III findings, it should be prioritized before the firewall. |
Firewall | Because the firewall provides essential intrusion protection and defensive capability, the lack of automated alerts, the inability to create log subsets, and the failure to identify source nodes all significantly reduce its effectiveness and thus the security of the entire network. However, its findings have the lowest severity (all CAT III). |
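The prioritization above applies a simple rule: rank assets by the worst open CAT level in their checklist, then by how many findings sit at that level. The following added example (not part of the original report) automates that triage over STIG Viewer .ckl output, which is the format the assessment methods table says every STIG result is delivered in. The checklists are constructed sample data using the Vul IDs reported above, trimmed to the elements of the .ckl schema that matter here; the placeholder ID V-00000 on the clean workstation is not a real finding.

```python
"""Triage STIG Viewer .ckl checklists: list open findings per asset and rank assets."""
import xml.etree.ElementTree as ET

# STIG Viewer records severity as high/medium/low; these map 1:1 onto DoD CAT levels.
SEVERITY_TO_CAT = {"high": "CAT I", "medium": "CAT II", "low": "CAT III"}
CAT_ORDER = ["CAT I", "CAT II", "CAT III"]


def _ckl(host, vulns):
    """Build a constructed .ckl document (sample data, not real STIG Viewer output)."""
    rows = "".join(
        "<VULN>"
        f"<STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>{vid}</ATTRIBUTE_DATA></STIG_DATA>"
        f"<STIG_DATA><VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE><ATTRIBUTE_DATA>{sev}</ATTRIBUTE_DATA></STIG_DATA>"
        f"<STATUS>{status}</STATUS></VULN>"
        for vid, sev, status in vulns)
    return (f"<CHECKLIST><ASSET><HOST_NAME>{host}</HOST_NAME></ASSET>"
            f"<STIGS><iSTIG>{rows}</iSTIG></STIGS></CHECKLIST>")


# Constructed checklists mirroring the findings in this assessment.
SAMPLE_CHECKLISTS = [
    _ckl("Router1", [("V-3160", "medium", "Open"), ("V-3013", "medium", "Open"),
                     ("V-3072", "low", "Open"), ("V-3967", "medium", "Open")]),
    _ckl("Firewall1", [("V-79489", "low", "Open"), ("V-79487", "low", "Open"),
                       ("V-79441", "low", "Open")]),
    _ckl("Switch01", [("V-15434", "high", "Open")]),
    _ckl("PC 1", [("V-00000", "medium", "NotAFinding")]),  # clean asset; placeholder Vul ID
]


def open_findings(ckl_xml):
    """Return (host, [(vuln_id, cat), ...]) for every VULN whose STATUS is Open."""
    root = ET.fromstring(ckl_xml)
    host = root.findtext("ASSET/HOST_NAME", default="unknown")
    findings = []
    for vuln in root.iter("VULN"):
        # Each STIG_DATA element is a name/value pair; flatten them into a dict.
        attrs = {sd.findtext("VULN_ATTRIBUTE"): sd.findtext("ATTRIBUTE_DATA")
                 for sd in vuln.findall("STIG_DATA")}
        if vuln.findtext("STATUS") == "Open":
            cat = SEVERITY_TO_CAT.get((attrs.get("Severity") or "").lower(), "unknown")
            findings.append((attrs.get("Vuln_Num", "?"), cat))
    return host, findings


def prioritize(checklists):
    """Rank assets: worst open CAT first, then most findings at that CAT, then most
    open findings overall. Assets with nothing open sort last."""
    ranked = []
    for xml_doc in checklists:
        host, findings = open_findings(xml_doc)
        counts = [sum(1 for _, c in findings if c == cat) for cat in CAT_ORDER]
        worst = next((i for i, n in enumerate(counts) if n), len(CAT_ORDER))
        at_worst = counts[worst] if worst < len(CAT_ORDER) else 0
        ranked.append(((worst, -at_worst, -len(findings)), host, findings))
    ranked.sort(key=lambda r: r[0])
    return [(host, findings) for _, host, findings in ranked]


if __name__ == "__main__":
    for host, findings in prioritize(SAMPLE_CHECKLISTS):
        print(f"{host}: {findings if findings else 'no open findings'}")
```

On the sample data this yields Switch01, Router1, Firewall1, then the clean workstation, matching the order in the table above.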
Risk Determination
Based on my findings, most of the security policies, protocols, and procedures at the Bellevue University Administration Office are adequate, except for the following:
Perimeter Router
Per the STIG, the router had four vulnerabilities that required attention, ranging from CAT II to CAT III. I chose Vul ID: V-3160 as the primary concern, as the missing CAT III IAVM (information assurance vulnerability alert) indicates that the router is not running the most current and approved software version, which significantly increases the risk of threats and errors. The second most critical vulnerability is Vul ID: V-3013, due to the confidentiality and legal implications of not having a DoD-approved logon banner: without being told that access is prohibited unless authorized, an unsuspecting individual might proceed into the system and access sensitive data or damage critical configurations. Also, if users are not informed that they are unauthorized and that their activity will be monitored, they may claim plausible deniability if legal action is taken against them. Vul ID: V-3072 is the next most important, because differing running and startup configurations mean that an unexpected outage, crash, or error can discard any changes made to the system on reboot (due to the lack of synchronization). Finally, Vul ID: V-3967, although a higher severity level (CAT II) than V-3072 (CAT III), is of least importance: the extra two minutes before a timeout can be avoided simply by logging out, and while any time an open session is left unattended is dangerous, two additional minutes is not going to be a disaster (the timeout should still be set to ten minutes as soon as possible).
Firewall
Per the STIG, the firewall had three CAT III vulnerabilities that required attention. I chose Vul ID: V-79489 as the greatest threat because of the importance of automated alerts in monitoring attacks, errors, and maintenance tasks. Even if the administrator checked the system relentlessly, the probability of human error is too high. Firewalls need to be monitored 24/7 (preferably by multiple individuals), and the simplest way to achieve this is to set up automatic notification of any changes, errors, configuration problems, or attacks (such as DoS). Next, Vul ID: V-79487 should be addressed: in the audit process, being able to narrow searches and reduce the sheer volume of data is vital to finding where errors occurred and attacks originated. With V-79489 fixed and automatic notifications enabled, the systems administrator can, once alerted, comb through the logs by creating a specific subset for the search, leading to better troubleshooting, maintenance, and security. Finally, Vul ID: V-79441 is of least importance but still needs to be fixed quickly. It provides the ability to identify nodes within log events during the enhanced audit procedures of the previous two items; without it, even the most sophisticated alert and audit procedures will fail to show on which device an attack or error occurred first, and how to secure each node based on its specific hardware and software.
Layer 2 Switch
Per the STIG, the switch has one vulnerability that needs to be addressed; however, it is the only CAT I finding across all the assets. Vul ID: V-15434 is critical to fix because, in the event of unexpected downtime or an error while the authorization server is down, the administrator will not be able to access the switch to perform the (potentially disaster-preventing) emergency tasks needed to recover.
Reasoning for Asset Prioritization
I chose the layer 2 switch as the primary concern among all the assets because its STIG contains the only CAT I vulnerability, and because the system could be rendered unusable if the authorization server goes offline; this places the asset at the top of the list for mitigation and remediation. The next most critical asset is the firewall, due to the device's protective role for the entire network, the lack of alerts, and the weaknesses in the auditing/log process. If an attack happened, the administrator would only become aware of it by looking at the logs (which could be several hours later because of operating hours), and even if they caught it in time, they would not be able to find where the attack originated quickly (no log subsets) or accurately (no visibility of individual nodes). Finally, the router would be the least important asset in terms of vulnerability, as the missing banner does not block intruders (do warnings ever work?) and the additional two minutes of timeout, while still dangerous, does not endanger the entire system as much as the other assets' vulnerabilities.
References
Whitman, M. & Mattord, H. (2016). Management of Information Security (6th ed.). Boston, MA: Cengage Learning.
DoD Cyber Exchange. (2020, January 7). Security Technical Implementation Guides (STIGs). Retrieved January 16, 2020, from https://public.cyber.mil/stigs/.
NIST (n.d.). NIST Special Publication 800-53 (Rev. 4). Security and Privacy Controls for Federal Information Systems and Organizations. “AC-2 Account Management.” Retrieved from https://nvd.nist.gov/800-53/Rev4/control/AC-2.
NIST (n.d.). NIST Special Publication 800-53 (Rev. 4). Security and Privacy Controls for Federal Information Systems and Organizations. “AU-1 Audit and Accountability Policies and Procedures.” Retrieved from https://nvd.nist.gov/800-53/Rev4/control/AU-1.
NIST (n.d.). NIST Special Publication 800-53 (Rev. 4). Security and Privacy Controls for Federal Information Systems and Organizations. “AT-2 Security Awareness Training.” Retrieved from https://nvd.nist.gov/800-53/Rev4/control/AT-2.
NIST (n.d.). NIST Special Publication 800-53 (Rev. 4). Security and Privacy Controls for Federal Information Systems and Organizations. “CM-4 Security Impact Analysis.” Retrieved from https://nvd.nist.gov/800-53/Rev4/control/CM-4.
NIST (n.d.). NIST Special Publication 800-53 (Rev. 4). Security and Privacy Controls for Federal Information Systems and Organizations. “CP-3 Contingency Training.” Retrieved from https://nvd.nist.gov/800-53/Rev4/control/CP-3.
NIST (n.d.). NIST Special Publication 800-53 (Rev. 4). Security and Privacy Controls for Federal Information Systems and Organizations. “IA-2 Identification and Authentication (Organizational Users).” Retrieved from https://nvd.nist.gov/800-53/Rev4/control/IA-2.
NIST (n.d.). NIST Special Publication 800-53 (Rev. 4). Security and Privacy Controls for Federal Information Systems and Organizations. “IR-2 Incident Response Training.” Retrieved from https://nvd.nist.gov/800-53/Rev4/control/IR-2.
NIST (n.d.). NIST Special Publication 800-53 (Rev. 4). Security and Privacy Controls for Federal Information Systems and Organizations. “MA-1 System Maintenance Policy and Procedures.” Retrieved from https://nvd.nist.gov/800-53/Rev4/control/MA-1.
NIST (n.d.). NIST Special Publication 800-53 (Rev. 4). Security and Privacy Controls for Federal Information Systems and Organizations. “MP-2 Media Access.” Retrieved from https://nvd.nist.gov/800-53/Rev4/control/MP-2.
NIST (n.d.). NIST Special Publication 800-53 (Rev. 4). Security and Privacy Controls for Federal Information Systems and Organizations. “PS-3 Personnel Screening.” Retrieved from https://nvd.nist.gov/800-53/Rev4/control/PS-3.
NIST (n.d.). NIST Special Publication 800-53 (Rev. 4). Security and Privacy Controls for Federal Information Systems and Organizations. “PE-3 Physical Access Control.” Retrieved from https://nvd.nist.gov/800-53/Rev4/control/PE-3.
NIST (n.d.). NIST Special Publication 800-53 (Rev. 4). Security and Privacy Controls for Federal Information Systems and Organizations. “PL-2 System Security Plan.” Retrieved from https://nvd.nist.gov/800-53/Rev4/control/PL-2.
NIST (n.d.). NIST Special Publication 800-53 (Rev. 4). Security and Privacy Controls for Federal Information Systems and Organizations. “RA-3 Risk Assessment.” Retrieved from https://nvd.nist.gov/800-53/Rev4/control/RA-3.
NIST (n.d.). NIST Special Publication 800-53 (Rev. 4). Security and Privacy Controls for Federal Information Systems and Organizations. “CA-3 System Interconnections.” Retrieved from https://nvd.nist.gov/800-53/Rev4/control/CA-3.
NIST (n.d.). NIST Special Publication 800-53 (Rev. 4). Security and Privacy Controls for Federal Information Systems and Organizations. “SC-5 Denial of Service Protection.” Retrieved from https://nvd.nist.gov/800-53/Rev4/control/SC-5.
NIST (n.d.). NIST Special Publication 800-53 (Rev. 4). Security and Privacy Controls for Federal Information Systems and Organizations. “SI-4 Information System Monitoring.” Retrieved from https://nvd.nist.gov/800-53/Rev4/control/SI-4.
NIST (n.d.). NIST Special Publication 800-53 (Rev. 4). Security and Privacy Controls for Federal Information Systems and Organizations. “SA-2 Allocation of Resources.” Retrieved from https://nvd.nist.gov/800-53/Rev4/control/SA-2.