Dear Harry and Mae's Inc. I.T. Staff and Executives,
As requested, here is the completed documentation identifying the vulnerabilities and potential threats for each of your company's assets. For each asset the analysis lists its vulnerabilities, its threat classifications based on S.T.R.I.D.E. (spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege), a severity ranking (high, medium, low), an impact ranking (high, medium, low), and the type of threat (environmental, internal, external). With this information, each asset's potential for threats can be quickly sorted, allowing your security professionals and stakeholders to efficiently prioritize which assets need additional resources, updates, maintenance, and defensive changes. Please let me know if you have any further questions.
Thank you,
William Donaldson, Teckzor Inc.
Asset | Description | Quantity | Cost (Each) | Cost (Total) | Vulnerabilities | Threats (S.T.R.I.D.E.) | Severity Ranking | Impact Ranking | Type of Threat |
Internet | Comcast Business Services: fully redundant fiber (100 Mbps down, 50 Mbps up) | 1 | Unknown | Unknown | The dual-fiber ring (two fiber pairs) protects against a single cut, but if the circuit goes down entirely, the whole system, including all security software/hardware that depends on it, becomes inaccessible. | Denial of Service | Low | High | Environmental Threat |
Nexus Core 700 Switches | Core layer, running NX-OS 5.0 | 2 | $7,500 | $15,000 | No policy for system updates; still running the old NX-OS 5.0 release, which has various reported issues. | Denial of Service | Low | Medium | Internal Threat |
Cisco ME 3600X Switches | Distribution (2nd) layer, located in each building on campus | 2 | $8,500 | $17,000 | Weak password policy; a single compromised credential gives open access to the switch. | Denial of Service, Elevation of Privilege | Medium | High | External Threat |
Aruba WAPs | Aruba Networks grid | 125 | $450 | $56,250 | Wi-Fi is reachable without adequate access control, giving an attacker a foothold on the network. | Denial of Service, Spoofing, Information Disclosure, Elevation of Privilege | Medium | Medium | External Threat |
Dell SonicWall NSA 4600 | Connects the Comcast Internet circuit to the core network | 2 | $3,200 | $6,400 | (External Threat) Default policy and settings leave the firewall open to breach. (Internal Threat) The same default settings, with no update policy, invite misconfiguration and leave reported issues unpatched. | Denial of Service, Spoofing, Elevation of Privilege | Medium | Medium | External, Internal Threat |
Aruba 6000 Mod Controllers | Serve the Aruba WAPs | 2 | $1,200 | $2,400 | (External Threat) Default policy and settings allow a breach or a downed wireless network. (Internal Threat) Guest account enabled; reported issues. | Denial of Service, Spoofing, Information Disclosure, Elevation of Privilege | Medium | High | External, Internal Threat |
Barracuda Spam and Virus Firewall | Core network; forwards mail traffic | 2 | $450 | $900 | (External Threat) Exposed by its network placement/settings. (Internal Threat) No update policy; reported issues. | Denial of Service, Spoofing, Elevation of Privilege | Medium | Medium | External, Internal Threat |
Cisco 2960-S P.O.E. Switches | Access (3rd) layer; connects desktop P.C.s and P.O.E. phones over Gigabit copper LANs | Unknown | $650 | $650+ | A power outage would take down the access layer and every P.O.E. phone with it. | Denial of Service | Low | High | Environmental Threat |
FTP Server | Reachable from the internal and external networks and for remote use; also used as a staging server | 1 | $1,700 | $1,700 | No transport encryption and weak authentication increase the chance that data in transit or on the server is compromised. | Denial of Service, Spoofing, Information Disclosure, Elevation of Privilege | Low | Medium | External, Internal Threat |
HP StorageWorks Server (SAN) | 200 TB; provides storage for the HP ProLiant DL380 G7 servers | 1 | $20,000 | $20,000 | No antivirus, updates, or policies; the last firmware/driver update was in 2013. Reported concerns. | Denial of Service, Spoofing, Information Disclosure, Elevation of Privilege | Medium | Medium | Internal Threat |
Email Server (Microsoft Exchange Server 2010 SP3) | Internal and external connections (public IP address) | 1 | $1,700 | $1,700 | (External Threat) No firewall in front of it and inadequate authentication to block unauthorized access. (Internal Threat) No update policy; not maintained; reported Exchange vulnerabilities. Exchange 2010 leaves Microsoft extended support in October 2020. | Denial of Service, Spoofing, Information Disclosure, Elevation of Privilege | Medium | Medium | External, Internal Threat |
Web Server (IIS) | Internal and external connections (public IP address) | 1 | $1,700 | $1,700 | Weak authentication allows unauthorized external access. | Denial of Service, Spoofing, Information Disclosure, Elevation of Privilege | Medium | High | External Threat |
HP ProLiant DL380 G7 Servers | Running VMware vSphere 5.1 | 10 | $3,000+ | $30,000+ | The last firmware/driver update was in 2013. vSphere 5.1 left VMware general support in August 2016 and must be upgraded to a supported release; many reported vulnerabilities. | Denial of Service, Spoofing, Information Disclosure, Elevation of Privilege | Low | High | External/Internal Threat |
A.D. Domain Controller | One A.D. account structure for the entire campus | 1 A.D. account, 2 controllers | Unknown | Unknown | Default settings. Access between departments is not restricted. Basic and admin privileges are not separated for all users per least privilege. | Denial of Service, Spoofing, Information Disclosure, Elevation of Privilege | Medium | High | Internal Threat |
First A.D. Organizational Unit | Campus | 1 | Unknown | Unknown | Default settings. Access between departments is not restricted. Basic and admin privileges are not separated for all users per least privilege. | Denial of Service, Spoofing, Information Disclosure, Elevation of Privilege | Medium | Medium | Internal Threat |
Second A.D. Organizational Unit | Accounting and Finance group | 1 | Unknown | Unknown | Default settings. Access between departments is not restricted. Basic and admin privileges are not separated for all users per least privilege. | Denial of Service, Spoofing, Information Disclosure, Elevation of Privilege | Medium | Medium | Internal Threat |
Dell OptiPlex 3020 Workstations | Windows 7, joined to A.D. | 400+ | $450 | $180,000+ | (Internal Threat) Unrestricted access for unauthorized users. Windows 7 left Microsoft support in January 2020 and must be replaced by Windows 10. Antivirus and network settings are misconfigured; no policies and procedures. (External Threat) Known flaws in an unsupported operating system and weak authentication. | Denial of Service, Spoofing, Tampering, Repudiation, Elevation of Privilege, Information Disclosure | Low | Medium | Internal/External Threat |
P.O.S. System | Hosted as a virtual server on VMware vSphere Hypervisor (ESXi) version 5.1 | 2 | $1,000 | $2,000 | Weak system policy and authentication settings, no encryption, and no training can enable unauthorized access to customer payment data. | Denial of Service, Spoofing, Tampering, Repudiation, Information Disclosure, Elevation of Privilege | High | High | Internal Threat |
Off-Campus NAT Firewall | No further data | 1 | $500 | $500 | Weak access/authentication measures. | Denial of Service, Spoofing, Elevation of Privilege, Information Disclosure | Medium | Low | Internal/External Threat |
Off-Campus WAP | Set up by the franchise owner | 1 | $450 | $450 | Weak access/authentication measures. | Denial of Service, Spoofing, Information Disclosure, Elevation of Privilege | Medium | Low | Internal/External Threat |
Employees | No further data | 400+ | Unknown | Unknown | Lack of security education/training. | Spoofing, Tampering, Repudiation, Information Disclosure, Elevation of Privilege | Low | High | Internal Threat |
Symantec Endpoint Protection | All campus workstations | 400+ | Unknown | Unknown | Administrative access to the endpoint protection console is granted to roughly one third of employees; it should be limited to I.T. admins. | Denial of Service, Repudiation, Elevation of Privilege | Medium | High | Internal Threat |
W.S.U.S. | Updates Microsoft applications | Unknown | Unknown | Unknown | No update approval/deployment policy. | Denial of Service, Elevation of Privilege | Low | Medium | Internal Threat |
Microsoft Internet Explorer 10 | Company standard browser | Unknown | Unknown | Unknown | The browser and its settings are not enforced company-wide, and Internet Explorer 10 is no longer supported by Microsoft. | Denial of Service, Repudiation, Information Disclosure, Elevation of Privilege | Low | Low | Internal Threat |
Norton Antivirus Software | Off-campus | Unknown | Unknown | Unknown | No uniform endpoint security product across sites; all employees can change its settings when only I.T. admins should. | Denial of Service, Repudiation, Information Disclosure, Elevation of Privilege | Medium | High | Internal/External Threat |
Microsoft PPTP VPN Clients | (Off-campus) P.O.S. processing | Unknown | Unknown | Unknown | Users can currently minimize the client, which leaves room for malware infection. PPTP itself (MS-CHAPv2 authentication) is cryptographically broken and should be replaced with a modern VPN protocol. | Denial of Service, Repudiation, Elevation of Privilege | High | High | Internal Threat |
Campus Building | Physical location | 1 | Unknown | Unknown | Possibly outdated security policies, hardware, software, and physical structures. | None assigned | Low | Medium | Internal/External/Environmental Threat |
Off-Campus Buildings | Physical location | 100+ | Unknown | Unknown | Possibly outdated security policies, hardware, software, and physical structures. | None assigned | Low | Medium | Internal/External/Environmental Threat |
Perimeter Fence | Campus | Unknown | Unknown | Unknown | Possibly outdated security policies, hardware, software, and physical structures. | None assigned | Low | Medium | Internal/External/Environmental Threat |
Surveillance Cameras | Campus | Unknown | Unknown | Unknown | Possibly outdated security policies, hardware, software, and physical structures. | Denial of Service, Elevation of Privilege | Low | Medium | Internal/External Threat |
Smart Card Access Systems | Campus | Unknown | Unknown | Unknown | Possibly outdated security policies, hardware, software, and physical structures. | Denial of Service, Elevation of Privilege | Low | Medium | Internal/External Threat |
Security Staff | Campus | Unknown | Unknown | Unknown | Possibly outdated security policies, skills, and training. | Spoofing, Repudiation, Elevation of Privilege | Low | Medium | Internal/External Threat |
Security Alarms | Campus | Unknown | Unknown | Unknown | Possibly outdated security policies, hardware, software, and physical structures. | Denial of Service | Low | Medium | Internal/External/Environmental Threat |
U.P.S. | Campus, 36-hour runtime | Unknown | Unknown | Unknown | Possibly outdated policies, hardware, and software. | Denial of Service | Low | Medium | Internal/External/Environmental Threat |
Fire, Water, etc. Security Sensors | Campus | Unknown | Unknown | Unknown | Possibly outdated security policies, hardware, software, and physical structures. | Denial of Service | Low | Medium | Internal/External/Environmental Threat |
Power Generator | Campus | Unknown | Unknown | Unknown | Possibly outdated policies, hardware, and software. | Denial of Service | Low | Medium | Internal/External/Environmental Threat |
Employee Mobile Devices (B.Y.O.D.) | Campus | Unknown | Unknown | Unknown | No enforced regulations, policies, or hardware/software requirements. | Spoofing, Tampering, Repudiation, Information Disclosure, Elevation of Privilege | Medium | Medium | Internal/External Threat |
Website: http://www.harryandmae.com | Hosted on the single web server; public | 1 | Unknown | Unknown | No enforced regulations, policies, or maintenance and security procedures. | Denial of Service, Repudiation, Information Disclosure, Elevation of Privilege | Medium | Medium | Internal/External Threat |
Website: http://www.haryandmae.local | Hosted on the single web server; private (pay statements, work performance, vacation time, personal information) | 1 | Unknown | Unknown | No enforced regulations, policies, or maintenance and security procedures. | Denial of Service, Repudiation, Information Disclosure, Elevation of Privilege | Medium | Medium | Internal/External Threat |
Website: http://www.HandMScranton.com | Owned by the franchise owner in Scranton, PA | 1 | Unknown | Unknown | No enforced regulations, policies, or maintenance and security procedures. | Denial of Service, Repudiation, Information Disclosure, Elevation of Privilege | Medium | Medium | Internal/External Threat |
Company Facebook Account | Owned by the franchise owner in Scranton, PA | 1 | Unknown | Unknown | No enforced regulations, policies, or maintenance and security procedures. | Denial of Service, Repudiation, Information Disclosure, Elevation of Privilege | Medium | Medium | Internal/External Threat |
Company Twitter Account | Owned by the franchise owner in Scranton, PA | 1 | Unknown | Unknown | No enforced regulations, policies, or maintenance and security procedures. | Denial of Service, Repudiation, Information Disclosure, Elevation of Privilege | Medium | Medium | Internal/External Threat |
Company Instagram Account | Owned by the franchise owner in Scranton, PA | 1 | Unknown | Unknown | No enforced regulations, policies, or maintenance and security procedures. | Denial of Service, Repudiation, Information Disclosure, Elevation of Privilege | Medium | Medium | Internal/External Threat |
Total (sum of the listed Cost (Total) values; assets marked Unknown excluded): $336,650+ |
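The cover letter says the point of the severity, impact and S.T.R.I.D.E. columns is that assets can be sorted and prioritized quickly. As an added example (not part of the original Teckzor assessment), the Python script below parses rows written in the pipe-delimited layout of the table above, tolerates the missing commas found in several Threats cells, ranks assets by an assumed severity-times-impact score with S.T.R.I.D.E. breadth as a tie-breaker, filters by a single S.T.R.I.D.E. category, and rolls up the known costs. The scoring weights are this example's own assumption; the four sample rows are copied from the table.

```python
"""Rank assets from a pipe-delimited S.T.R.I.D.E. inventory like the table above.

Added example, not part of the original assessment. It assumes the row layout
used on this page:
  Asset | Description | Quantity | Cost (Each) | Cost (Total) |
  Vulnerabilities | Threats | Severity | Impact | Type of Threat |
The priority weights in RANK and Asset.score are this example's assumption.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

STRIDE = ("Spoofing", "Tampering", "Repudiation", "Information Disclosure",
          "Denial of Service", "Elevation of Privilege")
RANK = {"Low": 1, "Medium": 2, "High": 3}  # assumed ordinal weights

# Sample input: four rows copied from the table above (one of them has the
# page's missing comma between "Information Disclosure" and "Elevation of Privilege").
SAMPLE_ROWS = """\
P.O.S. System | Hosted as a virtual server on VMware vSphere Hypervisor (ESXi) version 5.1 | 2 | $1000 | $2,000 | Poor system policy and authentication settings and lack of encryption and training can enable unauthorized access to customer data. | Denial of Service, Spoofing, Tampering, Repudiation, Information Disclosure Elevation of Privilege | High | High | Internal Threat |
Web Server (IIS) | Internal and external (with public IP address) connections | 1 | $1700 | $1,700 | Poor authentication measures allow for unauthorized external access. | Denial of Service, Spoofing, Information Disclosure, Elevation of Privilege | Medium | High | External Threat |
Cisco 2960-S P.O.E. Switches | 3rd layer connects Desktop P.C.s and P.O.E. phones with Gigabit copper LANs | Unknown | $650 | $650+ | Power outage would cripple network. | Denial of Service | Low | High | Environmental Threat |
Microsoft Internet Explorer 10 | Company Standard Browser | Unknown | Unknown | Unknown | Lack of company-wide enforced browser and settings. | Denial of Service, Repudiation, Information Disclosure Elevation of Privilege | Low | Low | Internal Threat |
"""


@dataclass
class Asset:
    name: str
    quantity: str
    cost_total: Optional[int]   # None when the table says "Unknown"
    vulnerabilities: str
    threats: Tuple[str, ...]    # S.T.R.I.D.E. categories found in the Threats cell
    severity: str
    impact: str
    threat_type: str

    @property
    def score(self) -> int:
        # Assumed priority: severity x impact dominates; one point per
        # S.T.R.I.D.E. category breaks ties in favour of broader exposure.
        return RANK[self.severity] * RANK[self.impact] * 10 + len(self.threats)


def parse_threats(cell: str) -> Tuple[str, ...]:
    # Substring match, so cells that lack a comma between categories still parse.
    low = cell.lower()
    return tuple(t for t in STRIDE if t.lower() in low)


def parse_cost(cell: str) -> Optional[int]:
    digits = re.sub(r"\D", "", cell)          # "$2,000" -> "2000", "Unknown" -> ""
    return int(digits) if digits else None


def parse_row(line: str) -> Asset:
    cells = [c.strip() for c in line.strip().rstrip("|").split("|")]
    if len(cells) != 10:
        raise ValueError("expected 10 columns, got %d: %r" % (len(cells), line))
    name, _desc, qty, _each, total, vulns, threats, sev, imp, ttype = cells
    if sev not in RANK or imp not in RANK:
        raise ValueError("bad severity/impact in row %r" % name)
    return Asset(name, qty, parse_cost(total), vulns,
                 parse_threats(threats), sev, imp, ttype)


def parse_table(text: str) -> List[Asset]:
    return [parse_row(line) for line in text.splitlines() if line.strip()]


def rank(assets: List[Asset]) -> List[Asset]:
    """Highest priority first; ties broken by name so the report is stable."""
    return sorted(assets, key=lambda a: (-a.score, a.name))


def by_stride(assets: List[Asset], category: str) -> List[Asset]:
    return [a for a in assets if category in a.threats]


def total_cost(assets: List[Asset]) -> int:
    return sum(a.cost_total for a in assets if a.cost_total is not None)


if __name__ == "__main__":
    inventory = parse_table(SAMPLE_ROWS)
    for a in rank(inventory):
        print("%3d  %-32s %s/%s  %s" % (a.score, a.name, a.severity,
                                        a.impact, ", ".join(a.threats)))
    print("Tampering exposure:", [a.name for a in by_stride(inventory, "Tampering")])
    print("Known cost of listed assets: $%d" % total_cost(inventory))
```

Rows whose severity or impact cell is not one of Low/Medium/High are rejected rather than silently scored, which is the check a reviewer wants when the table has been hand-edited; physical assets with no S.T.R.I.D.E. cell would fail that way and need to be classified before they can be ranked.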
References
Wheeler, E. (2011). Security risk management: Building an information security risk management program from the ground up. Waltham, MA: Syngress.
Shostack, A. (2020, June 04). STRIDE chart. Retrieved September 16, 2020, from https://www.microsoft.com/security/blog/2007/09/11/stride-chart/.