Case Study: NPS Public Relations and Marketing


As requested, we have been tasked by you, NPS Public Relations and Marketing, to assess the current state of your organization’s risk management and to provide solutions and recommendations for better securing your IT systems and data. Working from the limited information provided by Noah, I will perform a security assessment and report my findings. I will draw on various risk assessment methodologies, but my approach will primarily follow NIST’s terminology and practices. I will begin with a quick overview of the situation.

Organization: NPS Public Relations and Marketing.

Point of Contact (PoC): Noah, who engaged us to conduct a risk management analysis.

Project Goal: NPS needs to assess their security and create a risk mitigation plan to prevent future incidents; this includes:

  • Determine an acceptable level of risk.
  • Assess the current level of risk.
  • Reduce risk to an acceptable level.
  • Maintain that level of risk.

NPS Public Relations and Marketing Overview:

  • Headquarters in Chicago.
  • 250 Employees, 100 of which are at the headquarters in a Chicago suburb; its location is deemed not a security risk.
  • The remaining 150 work at offices in other U.S. cities.

NPS Technology:

  • Microsoft servers and PCs, with some Mac PCs.
  • Windows Active Directory services.
  • Web server for marketing website.
  • 2 file share servers.
  • Application server (homegrown CRM system).
  • 5 SQL database servers.
  • PeopleSoft system.

Network and Security:

  • Gateway router and firewall.
  • Antivirus is used but not automatically updated for all systems company-wide.
  • All employees have administrator privileges.
  • No file or disk encryption.
  • Employees often work remotely and only use a username and password for access to the company’s servers.
  • Some employees use GoToMyPC for access.

Recent Security Events:

  • Recently, several computers and office supplies have been stolen.
  • 10 PCs, phones, printers, and multi-function copiers have been stolen out of the office; due to this, customer data and intellectual property have potentially been lost or breached.
  • Two employees recently left the company to work with NPS’s largest competitor, Main Street Marketing; the competitor also landed NPS’s most extensive account.

Current Data Policy:

  • Up to the user’s discretion whether to secure their data files or folders.
  • 60% of employees do not secure their folders; the remaining 40% lock them, thus preventing access by anyone else.
  • Sales staff have been caught with payroll files on their computers (this occurred near the time the equipment was stolen).
  • Vendors can access the company’s website and computers without authorization or supervision.

NPS IT Support:

  • Provided by on-site staff with other responsibilities; this could limit the effectiveness and speed of ticket solving and reduce the performance of security-related tasks.
  • Password resets are handled by giving the employee the generic password reset word, “Cubs-r-gr8”.
  • Employees are not forced to change the password, and there are no restrictions for length or password strength.

Found Threats:

In this section, I will list the risks found for each of the data points above, then share my recommendations for removing, transferring, or mitigating them.

  • 250 Employees, 100 of which are at the headquarters in a Chicago suburb; its location is deemed not a security risk.

While your headquarters’ physical security risk might be lower in a suburb than in the inner city of Chicago, I find that the same security measures should be applied regardless of location. As you have already seen, threats don’t just exist externally. I recommend a complete physical security review and update, including perimeter deterrents, video surveillance, entry protocols, asset management, and so on.

  • Antivirus is used but not automatically updated for all systems company-wide.

Due to each building’s remote location, the mixing of different hardware and software, and the recent adverse security events, a uniform antivirus system should be implemented (both hardware and software) and continuously updated and reviewed. As I will mention later in this report, an increase in IT staff should allow the possibility to hire security-focused roles to manage the antivirus system.

  • All employees have administrator privileges.

This is one of the most significant security threats. Allowing every employee to use administrator privileges can cause significant damage to the company, including editing or deleting mission-critical data, installing untrusted or malicious programs, and assisting both internal and external attackers in accomplishing their goals. Only IT management should hold administrator privileges, and they should grant those privileges to others only after following strict policies for vetting those who require such access.

  • No file or disk encryption.

Not having any file or disk encryption is a severe security risk: it allows data to be accessed and retrieved with ease by both employees and malicious intruders. With your already open data and security policies, the likelihood of an external threat or a disgruntled employee attempting to access, steal, or damage sensitive company information is significantly increased, and if they did get access, all of your organization’s data would be exposed because none of it is encrypted. At the very least, BitLocker, which is native to Windows, can be used to encrypt sensitive data; once I have access to your company’s specific IT infrastructure and situation, I can design a finely tuned file and disk encryption scheme that is both efficient and cost-effective.

  • Employees often work remotely and only use a username and password for access to the company’s servers.

Due to COVID-19, many organizations have their employees work from home; while this may be a solution for the continuance of business operations in these troubling times, there are undoubtedly various security threats that go along with it. Employees working from home and merely logging onto your servers with a standard username and password pose various threats, such as allowing intruders and other unauthorized personnel to use their logins. I would recommend immediately enforcing several changes, including sophisticated password requirements, update schedules, and multi-factor authentication protocols.

  • Some employees use GoToMyPC for access.

Remote employees should all follow the same remote authentication procedures so that IT and security staff can thoroughly vet and secure every approved method of accessing your company’s servers. All remote access methods that are not approved should be blacklisted, and that list should be made common knowledge for all employees. Many remote access programs, while seemingly secure, still give the remote-access vendor a direct link into your organization; that risk is significantly increased by many of the abovementioned security threats, such as the lack of encryption and of sophisticated login procedures.

Recent Security Events:

  • Recently, several computers and office supplies have been stolen.

As seen in the next topic, equipment that is lost or stolen carries more negative consequences than just the devices’ cost. It appears that your asset management system and your physical security methods are not adequate for the situation. I would recommend an immediate update of your asset management system to include scannable item tags. All high-value devices and all devices that contain sensitive information (such as PCs) should carry a security device that is both trackable via GPS and emits an alarm if the device leaves the building. If a device is lost or stolen, the option to remotely wipe the equipment’s data should be considered. A thorough inventory of all equipment should be performed to see whether anything else is lost or stolen, and your video surveillance system should be updated and reviewed to identify any gaps in coverage.

  • 10 PCs, phones, printers, and multi-function copiers have been stolen out of the office; due to this, customer data and intellectual property have potentially been lost or breached.

While I already mentioned the stolen property in the entry above, I want to specifically touch on the gravity of the situation. As I stated earlier, equipment that is lost or stolen carries more negative consequences than just the devices’ cost. If the devices in question held sensitive company data, there may already have been a breach of your or your customers’ data; if so, an immediate investigation needs to be performed to understand the severity of the situation, which can lead to anything from changing every login credential (usernames, passwords, etc.) to notifying the public about the security breach.

  • Two employees recently left the company to work with NPS’s largest competitor, Main Street Marketing; the competitor also landed NPS’s most extensive account.

While this situation can occur frequently, there are several things you can do to either help prevent it or help mitigate its negative effects, including creating a confidentiality agreement and a non-compete clause that prevent employees from taking or using company data and from moving to a competitor in the same field.

Current Data Policy:

  • Up to the user’s discretion whether to secure their data files or folders.

This carries significant security risk, as users tend not to secure anything, or to do it incorrectly, thus opening attack avenues and leaving sensitive data freely accessible. I recommend ensuring that IT and security staff enforce a uniform data security policy for all users and limit the ability of standard users to alter anything vital to the business’s operations.

  • 60% of employees do not secure their folder; the remaining 40% lock them, thus preventing access from anyone else.

As I mentioned above, standard employees outside of IT and security staff should not have the ability to decide for themselves whether to secure and lock their folders and data; instead, IT and security staff need to decide what is sensitive and set the policies that enforce the securing of those folders.

  • Sales staff have been caught with payroll files on their computers (this occurred near the time the equipment was stolen).

This is a severe issue and is likely caused by the two threats above. Payroll documents and files need to be secured and encrypted, with access restricted for both internal and external users. The fact that the payroll files were found on the sales staff’s PCs means that their contents could easily have been accessed from outside the company, potentially allowing customer data to be leaked.

  • Vendors can access the company’s website and computers without authorization or supervision.

Vendor access to company data and devices needs to be closed immediately and only authorized when vetted by IT and security management in a supervised scenario. Leaving access open for vendors relies on their own company’s security policies, hardware, and software being adequate, which leaves us unable to manage our own risk.

NPS IT Support:

  • Provided by on-site staff with other responsibilities; this could limit the effectiveness and speed of ticket solving and reduce the performance of security-related tasks.

Having IT staff who are not designated to a single role can decrease the effectiveness of the entire IT staff; it can also prevent security-related tasks from being accomplished. I recommend performing an analysis of the current IT staff to determine where each person’s strengths lie, then separating them by department while building a security-specific team.

  • Password resets are handled by giving the employee the generic password reset word, “Cubs-r-gr8”.

Password resets need to follow a uniform and strict policy, including verifying the identity of the user who requests the reset and using a unique, auto-generated password reset word each time a request is made. With a generic password reset word, former or disgruntled employees, like the two who recently left to work for your competitor, could theoretically access your systems as they see fit merely by requesting a password reset on any of your users’ accounts.

  • Employees are not forced to change the password, and there are no restrictions for length or password strength.

Without strict password requirements, the security of your organization’s data and that of each user is significantly lessened. I recommend having IT and security staff create strict password reset and complexity requirements, such as a robust minimum length, required special characters, password history (not allowing a previously used password to be reused), and automated password expiration every thirty-plus days.
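As an added example that is not part of the original report, the following PowerShell shows how the two password findings above could be audited and remediated in Windows Active Directory: it displays and raises the default domain password policy, and replaces the shared reset word with a per-request random temporary password that must be changed at first logon. The domain name, the account name, and every baseline value other than the thirty-day rotation are assumptions, as is the presence of the RSAT ActiveDirectory module on the management host.

```powershell
# Added example, not code from the report. Assumes the ActiveDirectory module and Domain Admin rights.
Import-Module ActiveDirectory

$Domain = 'corp.example.local'   # placeholder domain name, not NPS's real domain

# Finding: no length, complexity, or rotation requirements.
# Show the current default domain policy, then set a baseline. Thirty days matches the
# report's "thirty-plus days"; the other values are an assumed baseline, not report figures.
Get-ADDefaultDomainPasswordPolicy -Identity $Domain |
    Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount, MaxPasswordAge, LockoutThreshold

Set-ADDefaultDomainPasswordPolicy -Identity $Domain `
    -MinPasswordLength 14 `
    -ComplexityEnabled $true `
    -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 30) `
    -LockoutThreshold 10

# Finding: one shared reset word ("Cubs-r-gr8") handed to every requester.
# Replace it with a random temporary password generated per request and valid for one logon.
# Verifying the requester's identity is a help-desk step that happens before this is called.
function Reset-TempPassword {
    param([Parameter(Mandatory)][string]$SamAccountName)

    # 64-character alphabet (62 alphanumerics plus '-' and '_'): 256 % 64 == 0, so taking a
    # random byte modulo 64 selects characters uniformly with no modulo bias.
    $alphabet = [char[]]('0123456789' + 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' +
                         'abcdefghijklmnopqrstuvwxyz' + '-_')
    $bytes = New-Object byte[] 20
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $temp = -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })

    # Set the password and force a change at next logon so the temporary value never persists.
    # Set-ADAccountPassword fails if the value does not meet the domain policy set above.
    $secure = ConvertTo-SecureString $temp -AsPlainText -Force
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $secure
    Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true
    return $temp   # deliver to the verified requester out of band
}

# Usage with a placeholder account name:
# Reset-TempPassword -SamAccountName 'jdoe'
```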

Summary

While there are a significant number of security risks and threats present with your organization’s current status, I feel that I can quickly and efficiently mitigate or remove all items listed in this document cost-effectively. Without immediate remediation of the abovementioned risks, I believe your company is a prime target for cybercriminals and disgruntled/former employees. Furthermore, the possibility of lost, stolen, or damaged equipment and data is currently very high due to a lack of adequate security, equipment, and data governance/management policies.

Please let me know if you wish to move forward with an in-person meeting with your IT management for a more in-depth analysis of your systems and policies.

Thank you,

William Donaldson,

Project Lead, Tekzor Systems Inc.

