Dear Harry and Mae’s Inc.’s I.T. Staff and Executives,
As requested, I have taken the identified threats to your assets a step further by applying my professional recommendations and solutions to resolve or mitigate all found risks to your systems. In the following information, you will find immediate fixes to the problems, their security controls, and plans for the continued updating, testing, maintenance, and auditing of these systems; this will ensure that my proposed changes not only fix the current situation but keep it fixed. If you decide to move forward with my recommendations, I can schedule an in-person meeting to clarify the cost of implementation, as well as how to proceed with future security operations.
Please let me know if you have any further questions.
Thank you,
William Donaldson, Teckzor Inc.
| Asset | Description | Vulnerabilities | Control(s) | Recommendation(s) |
|---|---|---|---|---|
| Internet | Comcast Business Services: Fully redundant fiber (100Mbps down and 50Mbps up) | While there is a fully redundant dual-fiber ring consisting of two fiber pairs, the entire system and its security software/hardware will be inaccessible if the connection does go down. | Preventative, detective, corrective | While the dual-fiber ring is generally sufficient, I would recommend having a backup I.S.P. (even with a slower speed) to ensure the continued operation of the network in the event of a failure of the primary I.S.P.; this change is not strictly necessary, and if adopted it can wait. Proper procedures should be created and followed for what to do if an outage occurs, how to switch to the second I.S.P., and what needs to be documented (such as a disaster recovery plan). A UPS (or multiple) should be added to the network infrastructure. |
| Nexus Core 700 Switches | NX-OS 5.0 | No policy on system updates. Various reported issues. Running NX-OS 5.0. | Preventative, detective, corrective, technical, procedural | A policy on system updates and general maintenance should be implemented. NX-OS 5.0 should be updated to the most current version (9.2); this should be immediately addressed. A UPS (or multiple) should be added to the network infrastructure. |
| Cisco ME 3600X Switches | 2nd layer, located in each building on campus | Poor password policy. Open access possible with a breach. | Preventative, technical, procedural | Each Cisco ME 3600X switch should be replaced with a Cisco ASR 920 and Cisco 2960-X pair to take advantage of updated security settings and redundancy (using two switches instead of one); this should be immediately addressed. Furthermore, the password policies for each device need to be improved. A UPS (or multiple) should be added to the network infrastructure. |
| Aruba W.A.P.s | Aruba Networks Grid | Open Wi-Fi access, allowing the possibility of an attack. | Preventative, technical, procedural | Each Aruba W.A.P. should be reconfigured with improved password and encryption policies, as well as be wired through the Barracuda Spam & Virus Firewall; this should be immediately addressed. A UPS (or multiple) should be added to the network infrastructure. |
| Dell SonicWall NSA 4600 | Connects Comcast Internet to the core network | (External Threat) Default policy and settings allow for the possibility of a breach. (Internal Threat) Default policy and settings allow for the possibility of a breach/error because there is no policy for updates. Reported issues. | Preventative, detective, corrective, technical, procedural | The default policy and settings need to be reconfigured to new, custom settings for the specific situation; these policies and settings need to be regularly audited and maintained. A UPS (or multiple) should be added to the network infrastructure; this should be immediately addressed. |
| Aruba 6000 Mod Controllers | Serves Aruba W.A.P.s | (External Threat) Default policy and settings allow for the possibility of a breach or downed network. (Internal Threat) Guest account. Reported issues. | Preventative, detective, corrective, technical, procedural | The default policy and settings need to be reconfigured to new, custom settings for the specific situation; these policies and settings need to be regularly audited and maintained. The controllers should be connected to the Barracuda Firewalls; this should be immediately addressed. The guest account needs to be disabled; this should be immediately addressed. A UPS (or multiple) should be added to the network infrastructure. |
| Barracuda Spam and Virus Firewall | Core network, forwards mail traffic | (External Threat) Network settings/location. (Internal Threat) No policy for updates. Reported issues. | Preventative, detective, corrective, technical, procedural | The default policy and settings need to be reconfigured to new, custom settings for the specific situation; these policies and settings need to be regularly audited and maintained. A plan for updates needs to be introduced. The device itself needs to be placed in front of the Cisco Nexus switches, allowing the Dell SonicWalls to secure incoming and outgoing traffic on the mail and web servers. A UPS (or multiple) should be added to the network infrastructure; all of this should be immediately addressed. |
| Cisco 2960-S P.O.E. Switches | 3rd layer, connects Desktop P.C.s and P.O.E. phones with Gigabit copper LANs | A power outage would cripple the network. | Preventative, technical, procedural | A Cisco ASR 920 should be added to each Cisco 2960-X switch to increase security and redundancy. A UPS (or multiple) should be added to the network infrastructure; all of this should be immediately addressed. |
| FTP Server | Enabled for both internal/external networks and remote situations. Also used as a staging server | Encryption/authentication issues increase the possibility of compromised data. | Preventative, technical, procedural | FTP should be replaced with S.F.T.P. and secured with T.L.S. encryption within a DMZ; this should be immediately addressed. |
| H.P. StorageWorks Server (SAN) | 200TByte, provides storage for the H.P. ProLiant DL380 G7 Servers | Lack of antivirus, updates, policies. The last firmware/driver update was in 2013. Reported concerns. | Preventative, detective, corrective, technical, procedural | The default policy and settings need to be reconfigured to new, custom settings for the specific situation; these policies and settings need to be regularly audited and maintained. A UPS (or multiple) should be added to the network infrastructure. The SAN needs to be encrypted with an updated version of vSphere (6.7); this all should be immediately addressed. |
| Email Server (Microsoft Exchange Server 2010 SP3) | Internal and external (with public I.P. address) connections | (External Threat) No firewall and inadequate authentication protocols to prevent unauthorized access. (Internal Threat) Lack of policy for updates. Not maintained. Reported Exchange vulnerabilities. | Preventative, detective, corrective, technical, procedural | The default policy and settings need to be reconfigured to new, custom settings for the specific situation; these policies and settings need to be regularly audited and maintained. A UPS (or multiple) should be added to the network infrastructure. For external Exchange, the system should be encrypted with S.P.X. and routed through the Dell SonicWall. For internal Exchange, the system should be encrypted with vSphere v6.7 and routed through the domain controllers and the other Dell SonicWall; all of this should be immediately addressed. |
| Web Server (IIS) | Internal and external (with public I.P. address) connections | Poor authentication measures allow for unauthorized external access. | Preventative, technical, procedural | The internal web server should be reconfigured with strong authentication measures and routed to the Barracuda Firewall with T.L.S. encryption. A UPS (or multiple) should be added to the network infrastructure; all of this should be immediately addressed. |
| H.P. ProLiant DL380 G7 Servers | Version 5.1 of VMWare vSphere | The last firmware/driver update was in 2013. Version 5.1 of VMWare vSphere needs to be updated to the current 6.7 version. Many reported vulnerabilities. | Preventative, detective, corrective, technical, procedural | Each server needs to be updated to vSphere v6.7, as well as continually audited, maintained, and updated using new policies. The G7 servers will be routed through each Cisco Nexus switch, in line with the Dell SonicWall and Barracuda firewalls. A UPS (or multiple) should be added to the network infrastructure; all of this should be immediately addressed. |
| A.D. Domain Controller | One account for the entire campus | Default settings. Access between departments is allowed. Basic/Admin user privileges are not separated for all users using least privilege. | Preventative, technical, procedural | The default policy and settings need to be reconfigured to new, custom settings for the specific situation; these policies and settings need to be regularly audited and maintained. A UPS (or multiple) should be added to the network infrastructure. The domain controllers need to have vSphere v6.7 encryption; all of this should be immediately addressed. |
| First A.D. Organizational Unit | Campus | Default settings. Access between departments is allowed. Basic/Admin user privileges are not separated for all users using least privilege. | Preventative, technical, procedural | The default policy and settings need to be reconfigured to new, custom settings for the specific situation; these policies and settings need to be regularly audited and maintained. A UPS (or multiple) should be added to the network infrastructure. The domain controllers need to have vSphere v6.7 encryption; all of this should be immediately addressed. |
| Second A.D. Organizational Unit | Accounting and Finance Group | Default settings. Access between departments is allowed. Basic/Admin user privileges are not separated for all users using least privilege. | Preventative, technical, procedural | The default policy and settings need to be reconfigured to new, custom settings for the specific situation; these policies and settings need to be regularly audited and maintained. A UPS (or multiple) should be added to the network infrastructure. The domain controllers need to have vSphere v6.7 encryption; all of this should be immediately addressed. |
| Dell OptiPlex 3020 Workstations | Windows 7, joined to A.D. | (Internal Threat) Unrestricted access for unauthorized users. Windows 7 needs to be updated to Windows 10 because support for Windows 7 has now ended. Improper antivirus and network settings/software. Policies and procedures. (External Threat) Flaws and concerns with the system. Authentication issues. Windows 7 usage and the requirement to upgrade to Windows 10. | Preventative, detective, corrective, technical, procedural | The default policy and settings need to be reconfigured to new, custom settings for the specific situation; these policies and settings need to be regularly audited and maintained. Unauthorized access should be prevented using new security settings. Windows 10 should be installed on all devices; due to the complexity and length of time it would take to perform a full Windows 10 rollout, this can be postponed until the measures I have listed as immediate have been completed. Uniform antivirus software shall be installed, maintained, and updated. A UPS (or multiple) should be added to the network infrastructure. The workstations will need to be routed through the Cisco 2960 switch, which then routes through a Cisco ASR 920; this can be postponed until the immediate changes are made. |
| P.O.S. System | Hosted as a virtual server on VMware vSphere Hypervisor (ESXi) version 5.1 | Poor system policy and authentication settings and lack of encryption and training can enable unauthorized access to customer data. | Preventative, technical, procedural | The default policy and settings need to be reconfigured to new, custom settings for the specific situation; these policies and settings need to be regularly audited and maintained. Unauthorized access should be prevented using new security settings. Uniform antivirus software shall be installed, maintained, and updated. A UPS (or multiple) should be added to the network infrastructure. Each P.O.S. system will be secured with an N.A.T. device with new security settings. Wi-Fi users will be isolated from the network (especially guests); while these issues are critical, they can be postponed until the immediate changes I have outlined have been completed. |
| Off-Campus NAT Firewall | No further data | Poor access/authentication measures. | Preventative, technical, procedural | Policies and settings need to be reconfigured to new, custom settings for the specific situation; these policies and settings need to be regularly audited and maintained. Unauthorized access should be prevented using new security settings. Uniform antivirus software shall be installed, maintained, and updated. A UPS (or multiple) should be added to the network infrastructure. Wi-Fi users will be isolated from the network (especially guests); all of these changes should be performed immediately. |
| Off-Campus WAP | Set up by franchise owner | Poor access/authentication measures. | Preventative, technical, procedural | Policies and settings need to be reconfigured to new, custom settings for the specific situation; these policies and settings need to be regularly audited and maintained. Unauthorized access should be prevented using new security settings. Uniform antivirus software shall be installed, maintained, and updated. A UPS (or multiple) should be added to the network infrastructure. Wi-Fi users will be isolated from the network (especially guests); all of these changes should be performed immediately, but the campus should come first. |
| Employees | No further data | Lack of education/training. | Preventative, technical, procedural | I.T. and infosec staff will conduct regular auditing of user access and hold training classes at the start of the new security plan, as well as periodic sessions afterward. Emails, handouts, and posters/infographics will be placed around the company outlining proper Internet etiquette and best-practice security measures. Random intrusion tests will be conducted. I.T. and infosec staff will need to have regular meetings to go over the proposed changes, updated policies, and general maintenance of all new and old strategies, software changes, equipment, and methods to ensure the success of the company's security; these changes should be performed immediately, but campus employees should come first. |
| Symantec Endpoint Protection | All Campus Workstations | Access to Symantec Endpoint Protection should not be given to one third of the employees. | Preventative, technical, procedural | Access to Symantec Endpoint Protection needs to be restricted to specific I.T. and security staff only, and the product needs to be audited, updated, continuously maintained, and enforced company-wide. |
| W.S.U.S. | Updates Microsoft applications | No update policy. | Preventative, technical, procedural | Specific I.T. and security staff must ensure W.S.U.S. is continuously audited, updated, maintained, and enforced company-wide. |
| Microsoft Internet Explorer 10 | Company Standard Browser | Lack of a company-wide enforced browser and settings. | Preventative, technical, procedural | Specific I.T. and security staff must ensure Microsoft Internet Explorer 10 is replaced with Microsoft Edge, because Internet Explorer 10 has reached end of life. Edge must be continuously audited, updated, maintained, and enforced company-wide. |
| Norton Antivirus Software | Off-Campus | Lack of a uniform security system; not all employees should have access to this system, only I.T. admins. | Preventative, technical, procedural | Specific I.T. and security staff must ensure Norton Antivirus either works alongside Symantec Endpoint Protection or that one of the two is chosen to enforce company-wide, and must ensure it is continuously audited, updated, and maintained. |
| Microsoft PPTP VPN Clients | (Off-Campus) P.O.S. Processing | The client can currently be minimized, which creates malware-infection opportunities. | Preventative, technical, procedural | Specific I.T. and security staff must ensure the Microsoft PPTP VPN client is continuously audited, updated, and maintained, and that its ability to be minimized is disabled, thus preventing unauthorized usage. |
| Campus Building | Physical Location | Possible outdated security policies, hardware, software, physical structures. | Preventative, physical, procedural | Recommend full security review, risk analysis, updating, and continuous review of all physical security facets. |
| Off-Campus Buildings | Physical Location | Possible outdated security policies, hardware, software, physical structures. | Preventative, physical, procedural | Recommend full security review, risk analysis, updating, and continuous review of all physical security facets. |
| Perimeter Fence | Campus | Possible outdated security policies, hardware, software, physical structures. | Preventative, physical, procedural | Recommend full security review, risk analysis, updating, and continuous review of all physical security facets. |
| Surveillance Cameras | Campus | Possible outdated security policies, hardware, software, physical structures. | Preventative, physical, procedural | Recommend full security review, risk analysis, updating, and continuous review of all physical security facets. |
| Smart Card Access Systems | Campus | Possible outdated security policies, hardware, software, physical structures. | Preventative, physical, procedural | Recommend full security review, risk analysis, updating, and continuous review of all physical security facets. |
| Security Staff | Campus | Possible outdated security policies, skills, and training. | Preventative, physical, procedural | Recommend full security review, risk analysis, updating, and continuous review of all physical security facets. |
| Security Alarms | Campus | Possible outdated security policies, hardware, software, physical structures. | Preventative, physical, procedural | Recommend full security review, risk analysis, updating, and continuous review of all physical security facets. |
| U.P.S. | Campus, 36 hours | Possible outdated policies, hardware, and software. | Preventative, procedural | Recommend reviewing the U.P.S.’s performance, testing it, and creating a continuous plan for ensuring its capabilities are adequate for the situation. |
| Security Fire, Water, etc. Sensors | Campus | Possible outdated security policies, hardware, software, physical structures. | Preventative, physical, procedural | Recommend full security review, risk analysis, updating, and continuous review of all physical security facets. |
| Power Generator | Campus | Possible outdated policies, hardware, and software. | Preventative, procedural | Recommend reviewing the power generator’s performance, testing it, and creating a continuous plan for ensuring its capabilities are adequate for the situation. |
| Employee Mobile Devices (B.Y.O.D.) | Campus | No enforced regulations, policies, or hardware/software requirements. | Preventative, technical, procedural | Recommend a full review of current employee device policies, then developing and pitching both a method to secure the devices and an alternative company-issued device plan. Ideally, by issuing company-owned devices, security would be significantly improved. |
| Website: http://www.harryandmae.com | Hosted on the single web server, public | No enforced regulations, policies, or maintenance and security procedures. | Preventative, technical, procedural | Specific I.T. and security staff, as well as web dev, must ensure this site is continuously audited, updated, and maintained. This website and the others should not be stored on the same web server; instead, each should be hosted on a different server, thus increasing redundancy. Offsite storage and backups should be frequently processed and tested. |
| Website: http://www.haryandmae.local. | Hosted on the single web server, private (pay statements, work performance, vacation time, personal information) | No enforced regulations, policies, or maintenance and security procedures. | Preventative, technical, procedural | Specific I.T. and security staff, as well as web dev, must ensure this site is continuously audited, updated, and maintained. This website and the others should not be stored on the same web server; instead, each should be hosted on a different server, thus increasing redundancy. Offsite storage and backups should be frequently processed and tested. |
| Website: http://www.HandMScranton.com | Owned by franchise owner in Scranton, PA | No enforced regulations, policies, or maintenance and security procedures. | Preventative, technical, procedural | Specific I.T. and security staff, as well as web dev, must ensure this site is continuously audited, updated, and maintained. This website and the others should not be stored on the same web server; instead, each should be hosted on a different server, thus increasing redundancy. Offsite storage and backups should be frequently processed and tested. |
| Company Facebook Account | Owned by franchise owner in Scranton, PA | No enforced regulations, policies, or maintenance and security procedures. | Preventative, technical, procedural | Specific I.T. and security staff, as well as web dev, must ensure this account is continuously audited, updated, and maintained. This account and the others should not be managed from the same web server; instead, each should be hosted on a different server, thus increasing redundancy. Offsite storage and backups should be frequently processed and tested. |
| Company Twitter Account | Owned by franchise owner in Scranton, PA | No enforced regulations, policies, or maintenance and security procedures. | Preventative, technical, procedural | Specific I.T. and security staff, as well as web dev, must ensure this account is continuously audited, updated, and maintained. This account and the others should not be managed from the same web server; instead, each should be hosted on a different server, thus increasing redundancy. Offsite storage and backups should be frequently processed and tested. |
| Company Instagram Account | Owned by franchise owner in Scranton, PA | No enforced regulations, policies, or maintenance and security procedures. | Preventative, technical, procedural | Specific I.T. and security staff, as well as web dev, must ensure this account is continuously audited, updated, and maintained. This account and the others should not be managed from the same web server; instead, each should be hosted on a different server, thus increasing redundancy. Offsite storage and backups should be frequently processed and tested. |