Scenario: Harry and Mae's Inc. Case Study - Vulnerability Identification

Dear Harry and Mae's Inc. IT Staff and Executives,

As requested, here is the completed documentation identifying the vulnerabilities and potential threats for each of your company's assets. For every asset the analysis records its vulnerabilities, a threat classification under STRIDE (spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege), a severity ranking (high, medium, low), an impact ranking (high, medium, low), and the type of threat (environmental, internal, external). With this information the threat potential of each asset can be sorted quickly, so that your security professionals and stakeholders can efficiently prioritize which assets need additional resources, updates, maintenance, and defensive changes. Please let me know if you have any further questions.

Thank you,

William Donaldson, Teckzor Inc.

| Asset | Description | Quantity | Cost (Each) | Cost (Total) | Vulnerabilities | Threats (STRIDE) | Severity Ranking | Impact Ranking | Type of Threat |
|---|---|---|---|---|---|---|---|---|---|
| Internet | Comcast Business Services: fully redundant fiber (100 Mbps down, 50 Mbps up) | 1 | Unknown | Unknown | The dual-fiber ring (two fiber pairs) is fully redundant, but if the link does go down, the entire system and all security software/hardware become inaccessible. | Denial of Service | Low | High | Environmental |
| Nexus Core 700 Switches | NX-OS 5.0 | 2 | $7,500 | $15,000 | No policy on system updates; running NX-OS 5.0 with various reported issues. | Denial of Service | Low | Medium | Internal |
| Cisco ME 3600X Switches | 2nd layer, one located in each building on campus | 2 | $8,500 | $17,000 | Poor password policy; open access is possible once a breach occurs. | Denial of Service, Elevation of Privilege | Medium | High | External |
| Aruba WAPs | Aruba Networks grid | 125 | $450 | $56,250 | Wi-Fi is openly accessible, allowing the possibility of an attack. | Denial of Service, Spoofing, Information Disclosure, Elevation of Privilege | Medium | Medium | External |
| Dell SonicWall NSA 4600 | Connects Comcast Internet to the core network | 2 | $3,200 | $6,400 | (External) Default policy and settings allow the possibility of a breach. (Internal) Default policy and settings, with no update policy, allow for a breach or a configuration error. Reported issues. | Denial of Service, Spoofing, Elevation of Privilege | Medium | Medium | External, Internal |
| Aruba 6000 Mod Controllers | Serve the Aruba WAPs | 2 | $1,200 | $2,400 | (External) Default policy and settings allow the possibility of a breach or a downed network. (Internal) Guest account present. Reported issues. | Denial of Service, Spoofing, Information Disclosure, Elevation of Privilege | Medium | High | External, Internal |
| Barracuda Spam and Virus Firewall | Core network; forwards mail traffic | 2 | $450 | $900 | (External) Network settings/placement. (Internal) No update policy. Reported issues. | Denial of Service, Spoofing, Elevation of Privilege | Medium | Medium | External, Internal |
| Cisco 2960-S PoE Switches | 3rd layer; connects desktop PCs and PoE phones over Gigabit copper LANs | Unknown | $650 | $650+ | A power outage would cripple the network. | Denial of Service | Low | High | Environmental |
| FTP Server | Enabled on both the internal and external networks and for remote use; also used as a staging server | 1 | $1,700 | $1,700 | Encryption and authentication weaknesses increase the possibility of compromised data. | Denial of Service, Spoofing, Information Disclosure, Elevation of Privilege | Low | Medium | External, Internal |
| HP StorageWorks Server (SAN) | 200 TB; provides storage for the HP ProLiant DL380 G7 servers | 1 | $20,000 | $20,000 | Lacks antivirus, updates and policies; the last firmware/driver update was in 2013. Reported concerns. | Denial of Service, Spoofing, Information Disclosure, Elevation of Privilege | Medium | Medium | Internal |
| Email Server (Microsoft Exchange Server 2010 SP3) | Internal and external connections (public IP address) | 1 | $1,700 | $1,700 | (External) No firewall and inadequate authentication to prevent unauthorized access. (Internal) No update policy; not maintained; reported Exchange vulnerabilities. Exchange 2010 reaches end of support in October 2020. | Denial of Service, Spoofing, Information Disclosure, Elevation of Privilege | Medium | Medium | External, Internal |
| Web Server (IIS) | Internal and external connections (public IP address) | 1 | $1,700 | $1,700 | Poor authentication measures allow unauthorized external access. | Denial of Service, Spoofing, Information Disclosure, Elevation of Privilege | Medium | High | External |
| HP ProLiant DL380 G7 Servers | VMware vSphere 5.1 | 10 | $3,000+ | $30,000+ | The last firmware/driver update was in 2013. vSphere 5.1 is out of support and needs to be upgraded to a supported release (6.7 or later). Many reported vulnerabilities. | Denial of Service, Spoofing, Information Disclosure, Elevation of Privilege | Low | High | External/Internal |
| A.D. Domain Controller | One account for the entire campus | 1 AD account, 2 controllers | Unknown | Unknown | Default settings. Access between departments is allowed. Basic and admin privileges are not separated; least privilege is not applied to all users. | Denial of Service, Spoofing, Information Disclosure, Elevation of Privilege | Medium | High | Internal |
| First AD Organizational Unit | Campus | 1 | Unknown | Unknown | Default settings. Access between departments is allowed. Basic and admin privileges are not separated; least privilege is not applied to all users. | Denial of Service, Spoofing, Information Disclosure, Elevation of Privilege | Medium | Medium | Internal |
| Second AD Organizational Unit | Accounting and Finance group | 1 | Unknown | Unknown | Default settings. Access between departments is allowed. Basic and admin privileges are not separated; least privilege is not applied to all users. | Denial of Service, Spoofing, Information Disclosure, Elevation of Privilege | Medium | Medium | Internal |
| Dell OptiPlex 3020 Workstations | Windows 7, joined to AD | 400+ | $450 | $180,000+ | (Internal) Unrestricted access for unauthorized users. Windows 7 support ended in January 2020, so the fleet must be upgraded to Windows 10. Improper antivirus network settings/software. Policies and procedures lacking. (External) System flaws and concerns; authentication issues; the same Windows 7 upgrade requirement. | Denial of Service, Spoofing, Tampering, Repudiation, Elevation of Privilege, Information Disclosure | Low | Medium | Internal/External |
| P.O.S. System | Hosted as a virtual server on VMware vSphere Hypervisor (ESXi) 5.1 | 2 | $1,000 | $2,000 | Poor system policy and authentication settings, no encryption, and no training can enable unauthorized access to customer data. | Denial of Service, Spoofing, Tampering, Repudiation, Information Disclosure, Elevation of Privilege | High | High | Internal |
| Off-Campus NAT Firewall | No further data | 1 | $500 | $500 | Poor access/authentication measures. | Denial of Service, Spoofing, Elevation of Privilege, Information Disclosure | Medium | Low | Internal/External |
| Off-Campus WAP | Set up by franchise owner | 1 | $450 | $450 | Poor access/authentication measures. | Denial of Service, Spoofing, Information Disclosure, Elevation of Privilege | Medium | Low | Internal/External |
| Employees | No further data | 400+ | Unknown | Unknown | Lack of education/training. | Spoofing, Tampering, Repudiation, Information Disclosure, Elevation of Privilege | Low | High | Internal |
| Symantec Endpoint Protection | All campus workstations | 400+ | Unknown | Unknown | Access to Symantec Endpoint Protection should not be given to one third of the employees. | Denial of Service, Repudiation, Elevation of Privilege | Medium | High | Internal |
| WSUS | Updates Microsoft applications | Unknown | Unknown | Unknown | No update policy. | Denial of Service, Elevation of Privilege | Low | Medium | Internal |
| Microsoft Internet Explorer 10 | Company standard browser | Unknown | Unknown | Unknown | No company-wide enforced browser or browser settings. | Denial of Service, Repudiation, Information Disclosure, Elevation of Privilege | Low | Low | Internal |
| Norton Antivirus Software | Off-campus | Unknown | Unknown | Unknown | No uniform security system; access to this system should be limited to IT admins rather than all employees. | Denial of Service, Repudiation, Information Disclosure, Elevation of Privilege | Medium | High | Internal/External |
| Microsoft PPTP VPN Clients | (Off-campus) P.O.S. processing | Unknown | Unknown | Unknown | The client can currently be minimized by the user, opening malware-infection opportunities. PPTP itself is a deprecated protocol whose MS-CHAPv2 authentication is known to be weak. | Denial of Service, Repudiation, Elevation of Privilege | High | High | Internal |
| Campus Building | Physical location | 1 | Unknown | Unknown | Possibly outdated security policies, hardware, software, and physical structures. | Not classified | Low | Medium | Internal/External/Environmental |
| Off-Campus Buildings | Physical location | 100+ | Unknown | Unknown | Possibly outdated security policies, hardware, software, and physical structures. | Not classified | Low | Medium | Internal/External/Environmental |
| Perimeter Fence | Campus | Unknown | Unknown | Unknown | Possibly outdated security policies, hardware, software, and physical structures. | Not classified | Low | Medium | Internal/External/Environmental |
| Surveillance Cameras | Campus | Unknown | Unknown | Unknown | Possibly outdated security policies, hardware, software, and physical structures. | Denial of Service, Elevation of Privilege | Low | Medium | Internal/External |
| Smart Card Access Systems | Campus | Unknown | Unknown | Unknown | Possibly outdated security policies, hardware, software, and physical structures. | Denial of Service, Elevation of Privilege | Low | Medium | Internal/External |
| Security Staff | Campus | Unknown | Unknown | Unknown | Possibly outdated security policies, skills, and training. | Spoofing, Repudiation, Elevation of Privilege | Low | Medium | Internal/External |
| Security Alarms | Campus | Unknown | Unknown | Unknown | Possibly outdated security policies, hardware, software, and physical structures. | Denial of Service | Low | Medium | Internal/External/Environmental |
| UPS | Campus, 36 hours | Unknown | Unknown | Unknown | Possibly outdated policies, hardware, and software. | Denial of Service | Low | Medium | Internal/External/Environmental |
| Security Fire, Water, etc. Sensors | Campus | Unknown | Unknown | Unknown | Possibly outdated security policies, hardware, software, and physical structures. | Denial of Service | Low | Medium | Internal/External/Environmental |
| Power Generator | Campus | Unknown | Unknown | Unknown | Possibly outdated policies, hardware, and software. | Denial of Service | Low | Medium | Internal/External/Environmental |
| (BYOD) Employee Mobile Devices | Campus | Unknown | Unknown | Unknown | No enforced regulations, policies, or hardware/software requirements. | Spoofing, Tampering, Repudiation, Information Disclosure, Elevation of Privilege | Medium | Medium | Internal/External |
| Website: http://www.harryandmae.com | Hosted on the single web server; public | 1 | Unknown | Unknown | No enforced regulations, policies, or maintenance and security procedures. | Denial of Service, Repudiation, Information Disclosure, Elevation of Privilege | Medium | Medium | Internal/External |
| Website: http://www.haryandmae.local | Hosted on the single web server; private (pay statements, work performance, vacation time, personal information) | 1 | Unknown | Unknown | No enforced regulations, policies, or maintenance and security procedures. | Denial of Service, Repudiation, Information Disclosure, Elevation of Privilege | Medium | Medium | Internal/External |
| Website: http://www.HandMScranton.com | Owned by the franchise owner in Scranton, PA | 1 | Unknown | Unknown | No enforced regulations, policies, or maintenance and security procedures. | Denial of Service, Repudiation, Information Disclosure, Elevation of Privilege | Medium | Medium | Internal/External |
| Company Facebook Account | Owned by the franchise owner in Scranton, PA | 1 | Unknown | Unknown | No enforced regulations, policies, or maintenance and security procedures. | Denial of Service, Repudiation, Information Disclosure, Elevation of Privilege | Medium | Medium | Internal/External |
| Company Twitter Account | Owned by the franchise owner in Scranton, PA | 1 | Unknown | Unknown | No enforced regulations, policies, or maintenance and security procedures. | Denial of Service, Repudiation, Information Disclosure, Elevation of Privilege | Medium | Medium | Internal/External |
| Company Instagram Account | Owned by the franchise owner in Scranton, PA | 1 | Unknown | Unknown | No enforced regulations, policies, or maintenance and security procedures. | Denial of Service, Repudiation, Information Disclosure, Elevation of Privilege | Medium | Medium | Internal/External |

Total of the listed Cost (Total) values (assets with Unknown cost excluded): $336,650+
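The letter above promises that the register can be "quickly sorted" so that stakeholders can prioritize. The script below is an added example of doing exactly that, and is not part of the original Teckzor deliverable. The rows in REGISTER are transcribed from a subset of the table; the numeric scoring (Low=1, Medium=2, High=3, risk = severity x impact), the tie-breaking on known cost, and the lint rules are assumptions chosen for illustration, not the author's method. The lint step catches two things a reviewer would send back before prioritizing: rows with no STRIDE classification (the physical-site entries above) and high-risk rows whose cost is Unknown, since no spend can be justified against them.

```python
"""Prioritize an asset register like the one above (added example).

Scoring scheme (Low=1, Medium=2, High=3, risk = severity x impact) and the
lint rules are assumptions for illustration, not the assessment's method.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

LEVEL: Dict[str, int] = {"Low": 1, "Medium": 2, "High": 3}

# STRIDE letters -> category names used in the table's Threats column.
STRIDE: Dict[str, str] = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information Disclosure", "D": "Denial of Service",
    "E": "Elevation of Privilege",
}
THREAT_TYPES = frozenset({"Internal", "External", "Environmental"})


@dataclass(frozen=True)
class Asset:
    name: str
    threats: FrozenSet[str]           # subset of STRIDE keys
    severity: str                     # Low / Medium / High
    impact: str                       # Low / Medium / High
    threat_types: FrozenSet[str]      # subset of THREAT_TYPES
    cost_total: Optional[int] = None  # None where the table says "Unknown"

    def __post_init__(self) -> None:
        # Reject typos early: a misspelled ranking would otherwise silently
        # drop the asset from the ordering or crash deep inside sorted().
        bad = self.threats - frozenset(STRIDE)
        if bad:
            raise ValueError(f"{self.name}: unknown STRIDE letters {sorted(bad)}")
        for level in (self.severity, self.impact):
            if level not in LEVEL:
                raise ValueError(f"{self.name}: bad ranking {level!r}")
        if not self.threat_types <= THREAT_TYPES:
            raise ValueError(f"{self.name}: bad threat type {sorted(self.threat_types)}")

    @property
    def risk_score(self) -> int:
        """Qualitative risk matrix, range 1..9 (assumed scheme)."""
        return LEVEL[self.severity] * LEVEL[self.impact]


def rank(assets: List[Asset]) -> List[Asset]:
    """Highest risk first; ties broken by known cost (higher first), then name."""
    return sorted(assets, key=lambda a: (-a.risk_score, -(a.cost_total or 0), a.name))


def by_stride(assets: List[Asset], letter: str) -> List[Asset]:
    """Assets exposed to one STRIDE category, in priority order."""
    if letter not in STRIDE:
        raise ValueError(f"unknown STRIDE letter {letter!r}")
    return [a for a in rank(assets) if letter in a.threats]


def lint(assets: List[Asset], spend_threshold: int = 6) -> List[str]:
    """Flag register rows a reviewer should send back before prioritizing."""
    findings = []
    for a in assets:
        if not a.threats:
            findings.append(f"{a.name}: no STRIDE classification recorded")
        if a.cost_total is None and a.risk_score >= spend_threshold:
            findings.append(f"{a.name}: risk score {a.risk_score} but cost is Unknown")
    return findings


# Transcribed subset of the table above (cost None = "Unknown").
REGISTER: List[Asset] = [
    Asset("P.O.S. System", frozenset("STRIDE"), "High", "High", frozenset({"Internal"}), 2000),
    Asset("Microsoft PPTP VPN Clients", frozenset("DRE"), "High", "High", frozenset({"Internal"})),
    Asset("A.D. Domain Controller", frozenset("SIDE"), "Medium", "High", frozenset({"Internal"})),
    Asset("Aruba 6000 Mod Controllers", frozenset("SIDE"), "Medium", "High",
          frozenset({"External", "Internal"}), 2400),
    Asset("Email Server (Exchange 2010 SP3)", frozenset("SIDE"), "Medium", "Medium",
          frozenset({"External", "Internal"}), 1700),
    Asset("Internet", frozenset("D"), "Low", "High", frozenset({"Environmental"})),
    Asset("Dell OptiPlex 3020 Workstations", frozenset("STRIDE"), "Low", "Medium",
          frozenset({"Internal", "External"}), 180000),
    Asset("Perimeter Fence", frozenset(), "Low", "Medium",
          frozenset({"Internal", "External", "Environmental"})),
]

if __name__ == "__main__":
    for a in rank(REGISTER):
        print(f"{a.risk_score}  {a.severity:6}/{a.impact:6}  "
              f"{''.join(sorted(a.threats)) or '-':6}  {a.name}")
    print("\nNeeds review:")
    for line in lint(REGISTER):
        print(" -", line)
```

Run as-is, the ranking puts the P.O.S. system and the PPTP VPN clients (both High/High) at the top and the perimeter fence at the bottom, and the lint output names the fence (no STRIDE entry) plus the two high-risk rows with Unknown cost. Filtering with by_stride(REGISTER, "T") answers a question the flat table makes tedious: which assets carry a Tampering threat, in priority order.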

References

Wheeler, E. (2011). Security risk management: Building an information security risk management program from the ground up. Waltham, MA: Syngress.

Shostack, A. (2007, September 11). STRIDE chart. Microsoft Security Blog. Retrieved September 16, 2020, from https://www.microsoft.com/security/blog/2007/09/11/stride-chart/

Categories: Security
