Harry and Mae’s Case Study: Semester Project

Harry and Mae’s is like many modern organizations: although its security and IT infrastructure appear sophisticated, several factors could lead to a cyberattack or a data-loss incident. For example, the incident in which a member of the cleaning staff used Tom Pierce’s computer to access pornographic material could have been prevented by a clean-desk policy that requires workstations to be locked whenever they are unattended. In addition, because of outdated software (Windows 7, firmware/driver updates from 2013, VMware vSphere 5.1, etc.) and a lack of proper authentication and access settings, the company is at severe risk of another data breach, one that could affect more than the 25,000 customers hit previously or expose internal employee and company data.

In my research into Harry and Mae’s IT infrastructure, I identified each IT asset and listed its known vulnerabilities. To start, Harry and Mae’s uses Comcast Business 10Gb as its ISP; Layers 1 and 2 are redundant, but Layer 3 has no redundant connection, so a single Layer 3 outage would make the entire system inaccessible. Security appliances and devices are said to be in place, but their effectiveness is unknown, which is worrying. The single Active Directory domain for the entire campus is at risk because it has no redundancy; its default settings and default domain group policies should also be reconfigured to the organization’s specific needs and hardened.

The disabled password-history and complexity requirements need to be re-enabled and configured to best-practice settings; an account-lockout threshold should be set at the same time, since lockout is the control that throttles password guessing against AD accounts. A clean-desk policy needs to be put in place to thwart scenarios such as a password written on a note stuck to a monitor. Workstations currently run Windows 7, whose vendor support ended in January 2020; the switch to Windows 10 on all machines needs to be completed immediately. POS systems are a frequent malware target, which should be addressed with continuous monitoring, encryption of cardholder data, and proper staff training. The physical security of the campus seems adequate; however, a thorough audit of all systems and policies should be performed, followed by audits at regular intervals.
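The password-policy fix above, as an added example that is not part of the case study: a PowerShell script (ActiveDirectory module) that baselines the current Default Domain Password Policy, reports every setting that drifts from a best-practice target, and then applies the target. The domain name harryandmaes.local and the specific numeric targets are assumptions; the case study only states that history and complexity are disabled.

```powershell
# Added example (not from the case study): audit and harden the Default Domain
# Password Policy. Domain name and target values are assumptions.
Import-Module ActiveDirectory

$Domain = 'harryandmaes.local'   # assumption: the campus AD domain

# Baseline the current policy before changing anything and keep this output
# for the audit trail.
$Current = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
$Current | Format-List ComplexityEnabled, PasswordHistoryCount, MinPasswordLength,
    MinPasswordAge, MaxPasswordAge, LockoutThreshold, LockoutDuration,
    LockoutObservationWindow, ReversibleEncryptionEnabled

# Target: complexity and history re-enabled, reversible encryption off, and a
# lockout threshold so that password spraying against AD accounts is throttled.
$Target = @{
    ComplexityEnabled           = $true
    PasswordHistoryCount        = 24
    MinPasswordLength           = 14
    MinPasswordAge              = (New-TimeSpan -Days 1)    # blocks cycling straight back through history
    MaxPasswordAge              = (New-TimeSpan -Days 365)
    LockoutThreshold            = 10
    LockoutDuration             = (New-TimeSpan -Minutes 15)
    LockoutObservationWindow    = (New-TimeSpan -Minutes 15)
    ReversibleEncryptionEnabled = $false
}

# Drift report: every setting whose current value differs from the target.
$Drift = foreach ($Name in $Target.Keys) {
    if ($Current.$Name -ne $Target[$Name]) {
        [pscustomobject]@{ Setting = $Name; Current = $Current.$Name; Target = $Target[$Name] }
    }
}
$Drift | Format-Table -AutoSize

if ($Drift) {
    # -WhatIf shows the change without applying it; remove it once the drift
    # report has been reviewed and the change is approved.
    Set-ADDefaultDomainPasswordPolicy -Identity $Domain @Target -WhatIf
}

# Verify: a second read after the real run should show no drift.
Get-ADDefaultDomainPasswordPolicy -Identity $Domain |
    Select-Object ComplexityEnabled, PasswordHistoryCount, MinPasswordLength, LockoutThreshold
```

Run it from a domain-joined admin workstation as a Domain Admin. The drift report is the artifact to keep for the recurring policy audits recommended above; rerunning the script on a schedule turns it into a check that the settings have not been silently reverted.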

In the communication closets, the patch panels that let network administrators bypass a defective switch should be locked and monitored by video surveillance. The wireless mobility controller should be configured as a firewall rather than left at its default settings, which allow traffic in both directions. The fact that the wireless network is not password protected is a severe threat, and the lack of a BYOD policy should be remedied. Among the security appliances, the two Barracuda firewalls need their subscription activated so that their spam and antivirus signature files are updated; without current signatures, spam filtering degrades and legitimate email goes missing.

In the second AD organizational unit, set up by the Chief Financial Officer for the Accounting and Finance group, administrative assistants should not be administrators; least privilege should be applied to that OU. The firmware and drivers on the servers and SAN have not been updated since July 2013; this needs to be remedied immediately, followed by a regular software audit at fixed intervals. The HP servers running VMware vSphere Hypervisor (ESXi) 5.1 should be updated to 6.7 or the newest version, after confirming that the ProLiant DL380 G7 hardware is on VMware’s compatibility list for the target release, since older server generations are not supported by newer ESXi versions.

The virtual servers currently have no antivirus software installed; since redundant virtual servers run the domain controllers, Inventory Tracking System (ITS), Point of Sale (POS) system, accounting system, payment processing system, email system, website with database support for active content, Windows Routing and Remote Access Server (used for VPN connections), authentication services, and database management systems, this needs to be remedied immediately by installing proper antivirus and monitoring/audit software and policies. Furthermore, if possible, the virtual machines running Microsoft Windows Server 2012 Datacenter edition should be upgraded to Windows Server 2019 Datacenter edition to gain its newer security and usability features.

The web and email servers have no firewalls on their external connections, and each has a public IP address directly on the external network; both issues should be fixed. The use of FTP on the internal and external networks needs to be audited and, where possible, replaced: FTP carries credentials and file contents in cleartext, so employees working from home over FTP and logging in with their AD accounts expose those credentials on the wire. For web hosting, using the same server for both the public and private parts is not recommended, as there is no separation and no redundancy. IPsec should be enabled for campus workstation traffic (it works over IPv4 as well as IPv6, so it need not wait for an IPv6 migration, which can be done at the same time if planned). Access to the Symantec Endpoint Protection console, as well as local administrator rights, should not be given to one-third of the employees, but only to IT admins.
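The two least-privilege findings above (administrative assistants holding admin rights in the Accounting and Finance OU, and local administrator rights spread across a third of the workstations), as an added example that is not part of the case study: a PowerShell audit that lists every account in the OU that sits in a privileged domain group, collects the local Administrators group from each Windows 10 workstation, and stages the removals with -WhatIf. The OU distinguished name, domain name, and the allowed admin group names are assumptions.

```powershell
# Added example (not from the case study): least-privilege audit for the
# Accounting and Finance OU and for workstation local Administrators.
# OU path, domain, and allowed group names are assumptions.
Import-Module ActiveDirectory

$AccountingOU     = 'OU=Accounting and Finance,DC=harryandmaes,DC=local'   # assumption
$PrivilegedGroups = 'Domain Admins', 'Administrators', 'Enterprise Admins',
                    'Schema Admins', 'Account Operators', 'Server Operators'

# 1. Accounts in the Accounting and Finance OU that are members (directly or
#    through nesting) of a privileged domain group. Administrative assistants
#    should not appear here at all.
$Privileged = foreach ($Group in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $Group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            [pscustomobject]@{ Group = $Group; SamAccountName = $_.SamAccountName; DN = $_.distinguishedName }
        }
}
$Violations = $Privileged | Where-Object { $_.DN -like "*$AccountingOU" }
$Violations | Format-Table Group, SamAccountName -AutoSize

# 2. Local Administrators on each workstation. Only the IT admin groups should
#    be present. Requires Windows 10 / PowerShell 5.1 on the targets; the
#    LocalAccounts module does not exist on Windows 7, so this check only works
#    once the upgrade is done.
$Allowed = 'HARRYANDMAES\Domain Admins', 'HARRYANDMAES\IT-WorkstationAdmins'   # assumption
$Workstations = Get-ADComputer -Filter { OperatingSystem -like 'Windows 10*' } -SearchBase 'DC=harryandmaes,DC=local' |
    Select-Object -ExpandProperty Name

if ($Workstations) {
    $LocalAdmins = Invoke-Command -ComputerName $Workstations -ErrorAction SilentlyContinue -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' |
            Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } }, Name, ObjectClass, PrincipalSource
    }
    # Anything that is not an allowed group or the built-in local Administrator
    # account is an unexpected admin and goes on the report.
    $LocalAdmins |
        Where-Object { $Allowed -notcontains $_.Name -and $_.Name -notlike '*\Administrator' } |
        Format-Table Computer, Name, PrincipalSource -AutoSize
}

# 3. Remediation for the OU violations. Keep -WhatIf until the report has been
#    reviewed with the CFO's team, since some of these may be real admins.
foreach ($V in $Violations) {
    Remove-ADGroupMember -Identity $V.Group -Members $V.SamAccountName -Confirm:$false -WhatIf
}
```

Local admin rights are better removed centrally through the Restricted Groups or Group Policy Preferences settings for the Administrators group than by touching each machine, so the script only reports on the workstations; the point of step 2 is to produce the list of who actually holds the right today, which the case study does not enumerate.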

While WSUS is used to update Microsoft applications, I see no policy on how updates are approved; this should be corrected with regular policy audits and with installation scheduled during off-hours. In general, it is better to let an update soak until early adopters have found its bugs, or at least to approve it for a test group before rolling it out to everyone. Furthermore, the ‘no standard process’ for updating other programs should follow the same policy as WSUS. For browsers, a single one should be enforced, monitored, and configured, with all others restricted.
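The staged rollout described above, as an added example that is not part of the case study: a PowerShell script (UpdateServices module) that approves new critical and security updates for a Pilot target group first and promotes them to Production only after a soak period with no failed installs on the pilot machines. The WSUS host name, the group names Pilot and Production, and the seven-day soak period are assumptions.

```powershell
# Added example (not from the case study): ring-based update approval on WSUS.
# Critical/security updates go to a Pilot group first and are promoted to
# Production only after a soak period with zero failed installs on the pilots.
# WSUS host, group names and soak period are assumptions.
Import-Module UpdateServices

$Wsus      = Get-WsusServer -Name 'wsus.harryandmaes.local' -PortNumber 8530   # assumption
$PilotName = 'Pilot'        # a handful of IT and departmental test machines
$ProdName  = 'Production'   # everything else
$SoakDays  = 7

$Groups = $Wsus.GetComputerTargetGroups()
$Pilot  = $Groups | Where-Object Name -eq $PilotName
$Prod   = $Groups | Where-Object Name -eq $ProdName
if (-not $Pilot -or -not $Prod) {
    throw "Target groups '$PilotName' and '$ProdName' must exist on $($Wsus.Name)"
}

# Ring 1: critical and security updates nobody has approved yet go to Pilot.
$New = @(Get-WsusUpdate -UpdateServer $Wsus -Classification Critical -Approval Unapproved -Status FailedOrNeeded) +
       @(Get-WsusUpdate -UpdateServer $Wsus -Classification Security -Approval Unapproved -Status FailedOrNeeded)
foreach ($U in $New) {
    # -WhatIf shows what would be approved; remove it once the ring groups are populated.
    $U | Approve-WsusUpdate -Action Install -TargetGroupName $PilotName -WhatIf
}

# Ring 2: updates Pilot has had for more than $SoakDays with no failed installs
# are promoted to Production. Any pilot failure holds the update back for review.
$Cutoff   = (Get-Date).AddDays(-$SoakDays)
$Approved = @(Get-WsusUpdate -UpdateServer $Wsus -Classification All -Approval Approved -Status Any)
foreach ($U in $Approved) {
    $Approvals     = $U.Update.GetUpdateApprovals()
    $PilotApproval = $Approvals |
        Where-Object { $_.ComputerTargetGroupId -eq $Pilot.Id -and $_.Action -eq 'Install' } |
        Select-Object -First 1
    $ProdApproval  = $Approvals | Where-Object { $_.ComputerTargetGroupId -eq $Prod.Id }

    if (-not $PilotApproval -or $ProdApproval) { continue }   # never piloted, or already promoted
    if ($PilotApproval.CreationDate -gt $Cutoff) { continue }  # still soaking

    $Summary = $U.Update.GetSummaryForComputerTargetGroup($Pilot)
    if ($Summary.FailedCount -gt 0) {
        Write-Warning "$($U.Update.Title): $($Summary.FailedCount) pilot failure(s); holding back"
        continue
    }
    $U | Approve-WsusUpdate -Action Install -TargetGroupName $ProdName -WhatIf
}
```

Run it as a daily scheduled task on the WSUS server; the off-hours installation itself is set on the clients through the Configure Automatic Updates group policy, not in this script. The pilot group should contain at least one machine of each workstation and server role (POS, ITS, accounting, Exchange) so that a bad update fails there rather than on the whole fleet.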

For off-campus locations, the WAP routers should not be set up by the franchise owner; instead, IT/Infosec should perform the configuration. Offering free Wi-Fi to customers is fine (though it carries risks of its own), but that network must be segregated from the company network and covered by strict security software, auditing, and policies. All off-campus Windows 7 machines should be upgraded to Windows 10, as support for Windows 7 has ended. Norton Antivirus on off-campus workstations should be replaced with the same product the campus uses, Symantec Endpoint Protection, for a uniform security system; its console should be accessible only to IT admins on campus, not to all employees.

For hardware-specific vulnerabilities, the following are present:

Internet: Comcast Business Services: (Environmental Threat) Although the ISP link is a fully redundant dual-fiber ring (two fiber pairs), Layer 3 has no redundant path; if the network does go down, every system and every security appliance behind it becomes unreachable.

Nexus Core 700 Switches: (Internal Threat) No policy for system updates; running NX-OS 5.0; various reported issues.

Cisco ME 3600X Switches: (External Threat) Poor password policy; open access to the network is possible once a switch is breached.

Aruba WAPs: (External Threat) Open (unauthenticated) Wi-Fi gives anyone in range a path onto the network.

Dell SonicWall NSA 4600: (External Threat) Default policy and settings leave room for a breach. (Internal Threat) No update policy, so the default settings and reported issues persist and invite breach or misconfiguration.

Aruba 6000 Mod Controllers: (External Threat) Default policy and settings allow for a breach or a downed network. (Internal Threat) Guest account enabled; reported issues.

Barracuda Spam and Virus Firewall: (External Threat) Network settings and placement. (Internal Threat) No policy for updates; signature subscription not active; reported issues.

Cisco 2960-S POE Switches: (Environmental Threat) A power outage would cripple the network.

FTP: (External/Internal Threat) No encryption and weak authentication; credentials and file contents travel in cleartext, increasing the chance of compromised data.

HP StorageWorks Server (SAN): (Internal Threat) Lack of antivirus, updates, and policies; the last firmware/driver update was in 2013; reported concerns.

Email Server (Microsoft Exchange Server 2010 SP3): (External Threat) No firewall and inadequate authentication controls, so unauthorized access is not prevented. (Internal Threat) No update policy; not maintained; reported Exchange vulnerabilities.

Web Server (IIS): (External Threat) Poor authentication measures allow unauthorized external access.

HP ProLiant DL380 G7 Servers: (External/Internal Threat) The last firmware/driver update was in 2013; VMware vSphere 5.1 needs to be updated to 6.7 (current at the time of writing, subject to a hardware compatibility check); many reported vulnerabilities.

AD Domain Controller: (Internal Threat) Default settings; access between departments is allowed; basic and admin privileges are not separated for all users under least privilege.

Dell Optiplex 3020 Workstations: (Internal Threat) Unrestricted access for unauthorized users; Windows 7 must be upgraded to Windows 10 now that Windows 7 support has ended; improper antivirus and network settings; missing policies and procedures. (External Threat) Known flaws and concerns with the system; authentication issues; Windows 7 usage and the need to upgrade to Windows 10.

POS System: (Internal Threat) Poor system policy and authentication settings, together with a lack of encryption and training, can enable unauthorized access to customer data.

Off Campus-Firewall: (Internal/External Threat) Poor access/authentication measures.

Off Campus-NAT: (Internal/External Threat) Poor access/authentication measures.

Off Campus-WAP: (Internal/External Threat) Poor access/authentication measures.

Off Campus-Workstations: (Internal/External Threat) Poor access/authentication measures.

Employees: (Internal Threat) Lack of security education/training.

References

Stallings, W. (2017). Network Security Essentials: Applications and Standards (6th ed.). Pearson.

Bellevue University Cybersecurity Program. (n.d.). Harry & Mae’s Case Study [PDF, Blackboard course file]. Retrieved March 31, 2020, from https://s3.us-east-1.amazonaws.com/blackboard.learn.xythos.prod/5a31d48b683a8/1963660 (pre-signed, time-limited link; the signed query string has been omitted).
