Scenario: Harry and Mae’s Inc. Case Study: Identification and Mitigation of Threats

Dear Harry and Mae’s Inc. I.T. Staff and Executives,

As requested, I have taken the identified threats to your assets a step further by applying my professional recommendations and solutions to resolve or mitigate all found risks to your systems. In the following information, you will find immediate fixes to the problems, their security controls, and plans for the continued updating, testing, maintenance, and auditing of these systems; this will ensure that my proposed changes not only fix the situation but continue to do so. If you decide to move forward with my recommendations, I can schedule an in-person meeting to clarify the cost of implementation, as well as how to proceed with future security operations.

Please let me know if you have any further questions.

Thank you,

William Donaldson, Teckzor Inc.

| Asset | Description | Vulnerabilities | Control(s) | Recommendation(s) |
|---|---|---|---|---|
| Internet | Comcast Business Services: fully redundant fiber (100 Mbps down and 50 Mbps up) | While there is a fully redundant dual-fiber ring consisting of two fiber pairs, the entire system and its security software/hardware will be inaccessible if the network does go down. | Preventative, detective, corrective | While the dual-fiber ring is generally sufficient, I would recommend having a backup I.S.P. (even at a slower speed) to ensure continued operation of the network if the primary I.S.P. fails; this change does not necessarily have to be implemented, but if it is, it can wait. Proper procedures should be created and followed for what to do if an outage occurs, how to switch to the second I.S.P., and what needs to be documented (such as a disaster recovery plan). A UPS (or multiple) should be added to the network infrastructure. |
| Nexus Core 700 Switches | NX-OS 5.0 | No policy on system updates. Various reported issues. Running NX-OS 5.0. | Preventative, detective, corrective, technical, procedural | A policy on system updates and general maintenance should be implemented. NX-OS 5.0 should be updated to the most current version (9.2); this should be immediately addressed. A UPS (or multiple) should be added to the network infrastructure. |
| Cisco ME 3600X Switches | Second layer, located in each building on campus | Poor password policy. Open access possible after a breach. | Preventative, technical, procedural | Each Cisco ME 3600X switch should be replaced with a Cisco ASR 920 and Cisco 2960-X pair to take advantage of updated security settings and redundancy (two switches instead of one); this should be immediately addressed. Furthermore, the password policies for each device need to be improved. A UPS (or multiple) should be added to the network infrastructure. |
| Aruba W.A.P.s | Aruba Networks grid | Open access to Wi-Fi, allowing the possibility of an attack. | Preventative, technical, procedural | Each Aruba W.A.P. should be reconfigured with improved password and encryption policies, as well as wired through the Barracuda Spam & Virus Firewall; this should be immediately addressed. A UPS (or multiple) should be added to the network infrastructure. |
| Dell SonicWall NSA 4600 | Connects Comcast Internet to the core network | (External threat) Default policy and settings allow for the possibility of a breach. (Internal threat) Default policy and settings allow for the possibility of a breach/error due to no policy for updates. Reported issues. | Preventative, detective, corrective, technical, procedural | The default policy and settings need to be reconfigured to new, custom settings for the specific situation; these policies and settings need to be regularly audited and maintained. A UPS (or multiple) should be added to the network infrastructure; this should be immediately addressed. |
| Aruba 6000 Mod Controllers | Serves Aruba W.A.P.s | (External threat) Default policy and settings allow for the possibility of a breach or downed network. (Internal threat) Guest account. Reported issues. | Preventative, detective, corrective, technical, procedural | The default policy and settings need to be reconfigured to new, custom settings for the specific situation; these policies and settings need to be regularly audited and maintained. The controllers should be connected to the Barracuda firewalls; this should be immediately addressed. The guest account needs to be disabled; this should be immediately addressed. A UPS (or multiple) should be added to the network infrastructure. |
| Barracuda Spam and Virus Firewall | Core network, forwards mail traffic | (External threat) Network settings/location. (Internal threat) No policy for updates. Reported issues. | Preventative, detective, corrective, technical, procedural | The default policy and settings need to be reconfigured to new, custom settings for the specific situation; these policies and settings need to be regularly audited and maintained. A plan for updates needs to be introduced. The device itself needs to be placed in front of the Cisco Nexus switches, allowing the Dell SonicWalls to secure incoming and outgoing traffic on the mail and web servers. A UPS (or multiple) should be added to the network infrastructure; this all should be immediately addressed. |
| Cisco 2960-S P.O.E. Switches | Third layer, connects desktop P.C.s and P.O.E. phones with Gigabit copper LANs | A power outage would cripple the network. | Preventative, technical, procedural | A Cisco ASR 920 should be added to each Cisco 2960-X switch to increase security and redundancy. A UPS (or multiple) should be added to the network infrastructure; this all should be immediately addressed. |
| FTP Server | Enabled for both internal/external networks and remote situations. Also used as a staging server. | Encryption/authentication issues increase the possibility of compromised data. | Preventative, technical, procedural | FTP should be replaced with S.F.T.P. and secured with T.L.S. encryption within a DMZ; this should be immediately addressed. |
| H.P. StorageWorks Server (SAN) | 200 TByte, provides storage for the H.P. ProLiant DL380 G7 servers | Lack of antivirus, updates, and policies. The last firmware/driver update was in 2013. Reported concerns. | Preventative, detective, corrective, technical, procedural | The default policy and settings need to be reconfigured to new, custom settings for the specific situation; these policies and settings need to be regularly audited and maintained. A UPS (or multiple) should be added to the network infrastructure. The SAN needs to be encrypted with an updated version of vSphere (6.7); this all should be immediately addressed. |
| Email Server (Microsoft Exchange Server 2010 SP3) | Internal and external (with public I.P. address) connections | (External threat) Lack of a firewall and inadequate authentication protocols for preventing unauthorized access. (Internal threat) Lack of policy for updates. Not maintained. Reported Exchange vulnerabilities. | Preventative, detective, corrective, technical, procedural | The default policy and settings need to be reconfigured to new, custom settings for the specific situation; these policies and settings need to be regularly audited and maintained. A UPS (or multiple) should be added to the network infrastructure. For external Exchange, the system should be encrypted with S.P.X. and routed through the Dell SonicWall. For internal Exchange, the system should be encrypted with vSphere v6.7 and routed through the domain controllers and the other Dell SonicWall; this all should be immediately addressed. |
| Web Server (IIS) | Internal and external (with public I.P. address) connections | Poor authentication measures allow unauthorized external access. | Preventative, technical, procedural | The internal web server should be reconfigured with strong authentication measures and routed to the Barracuda firewall with T.L.S. encryption. A UPS (or multiple) should be added to the network infrastructure; this all should be immediately addressed. |
| H.P. ProLiant DL380 G7 Servers | Version 5.1 of VMware vSphere | The last firmware/driver update was in 2013. Version 5.1 of VMware vSphere needs to be updated to the current 6.7 version. Many reported vulnerabilities. | Preventative, detective, corrective, technical, procedural | Each server needs to be updated to vSphere v6.7, as well as continually audited, maintained, and updated under new policies. The G7 servers will be routed through each Cisco Nexus switch, in line with the Dell SonicWall and Barracuda firewalls. A UPS (or multiple) should be added to the network infrastructure; this all should be immediately addressed. |
| A.D. Domain Controller | One account for the entire campus | Default settings. Access between departments is allowed. Basic/admin user privileges are not separated for all users using least privilege. | Preventative, technical, procedural | The default policy and settings need to be reconfigured to new, custom settings for the specific situation; these policies and settings need to be regularly audited and maintained. A UPS (or multiple) should be added to the network infrastructure. The domain controllers need to have vSphere v6.7 encryption; this all should be immediately addressed. |
| First A.D. Organizational Unit | Campus | Default settings. Access between departments is allowed. Basic/admin user privileges are not separated for all users using least privilege. | Preventative, technical, procedural | The default policy and settings need to be reconfigured to new, custom settings for the specific situation; these policies and settings need to be regularly audited and maintained. A UPS (or multiple) should be added to the network infrastructure. The domain controllers need to have vSphere v6.7 encryption; this all should be immediately addressed. |
| Second A.D. Organizational Unit | Accounting and Finance group | Default settings. Access between departments is allowed. Basic/admin user privileges are not separated for all users using least privilege. | Preventative, technical, procedural | The default policy and settings need to be reconfigured to new, custom settings for the specific situation; these policies and settings need to be regularly audited and maintained. A UPS (or multiple) should be added to the network infrastructure. The domain controllers need to have vSphere v6.7 encryption; this all should be immediately addressed. |
| Dell OptiPlex 3020 Workstations | Windows 7, joined to A.D. | (Internal threat) Unrestricted access for unauthorized users. Windows 7 needs to be updated to Windows 10 because Windows 7 support has ended. Improper antivirus network settings/software. Policies and procedures. (External threat) Flaws and concerns with the system. Authentication issues. Windows 7 usage and the requirement to upgrade to Windows 10. | Preventative, detective, corrective, technical, procedural | The default policy and settings need to be reconfigured to new, custom settings for the specific situation; these policies and settings need to be regularly audited and maintained. Unauthorized access should be prevented using new security settings. Windows 10 should be installed on all devices; due to the complexity and length of time a full Windows 10 rollout would take, this can be postponed until the measures I have listed as immediate have been completed. Uniform antivirus software shall be installed, maintained, and updated. A UPS (or multiple) should be added to the network infrastructure. The workstations will need to be routed through the Cisco 2960 switch, which then routes through a Cisco ASR 920; this can be postponed until the immediate changes are made. |
| P.O.S. System | Hosted as a virtual server on VMware vSphere Hypervisor (ESXi) version 5.1 | Poor system policy and authentication settings, and lack of encryption and training, can enable unauthorized access to customer data. | Preventative, technical, procedural | The default policy and settings need to be reconfigured to new, custom settings for the specific situation; these policies and settings need to be regularly audited and maintained. Unauthorized access should be prevented using new security settings. Uniform antivirus software shall be installed, maintained, and updated. A UPS (or multiple) should be added to the network infrastructure. Each P.O.S. system will be secured with a N.A.T. device with new security settings. Wi-Fi users will be isolated from the network (especially guests); while these issues are critical, they can be postponed until the immediate changes I have outlined have been completed. |
| Off-Campus NAT Firewall | No further data | Poor access/authentication measures. | Preventative, technical, procedural | Policies and settings need to be reconfigured to new, custom settings for the specific situation; these policies and settings need to be regularly audited and maintained. Unauthorized access should be prevented using new security settings. Uniform antivirus software shall be installed, maintained, and updated. A UPS (or multiple) should be added to the network infrastructure. Wi-Fi users will be isolated from the network (especially guests); all of these changes should be performed immediately. |
| Off-Campus WAP | Set up by franchise owner | Poor access/authentication measures. | Preventative, technical, procedural | Policies and settings need to be reconfigured to new, custom settings for the specific situation; these policies and settings need to be regularly audited and maintained. Unauthorized access should be prevented using new security settings. Uniform antivirus software shall be installed, maintained, and updated. A UPS (or multiple) should be added to the network infrastructure. Wi-Fi users will be isolated from the network (especially guests); all of these changes should be performed immediately, but the campus should come first. |
| Employees | No further data | Lack of education/training. | Preventative, technical, procedural | I.T. and infosec staff will conduct regular auditing of user access and hold training classes at the start of the new security plan, as well as periodic sessions afterwards. Emails, handouts, and posters/infographics will be placed around the company outlining proper Internet etiquette and best-practice security measures. Random intrusion tests will be conducted. I.T. and infosec staff will need to hold regular meetings to go over the proposed changes, updated policies, and general maintenance of all new and old strategies, software changes, equipment, and methods to ensure the success of the company’s security; these changes should be performed immediately, but campus employees should come first. |
| Symantec Endpoint Protection | All campus workstations | Symantec Endpoint Protection access should not be given to one third of the employees. | Preventative, technical, procedural | Symantec Endpoint Protection access needs to be restricted to only specific I.T. and security staff, and audited, updated, continuously maintained, and enforced company-wide. |
| W.S.U.S. | Updates Microsoft applications | No update policy. | Preventative, technical, procedural | Specific I.T. and security staff must ensure W.S.U.S. is continuously audited, updated, maintained, and enforced company-wide. |
| Microsoft Internet Explorer 10 | Company standard browser | Lack of a company-wide enforced browser and settings. | Preventative, technical, procedural | Specific I.T. and security staff must ensure Microsoft Internet Explorer 10 is switched to Microsoft Edge due to the end of life of the former. Edge must be continuously audited, updated, maintained, and enforced company-wide. |
| Norton Antivirus Software | Off-campus | Lack of a uniform security system; not all employees should have access to this system, only I.T. admins. | Preventative, technical, procedural | Specific I.T. and security staff must ensure Norton Antivirus either works alongside Symantec Endpoint Protection or that one of the two is chosen and enforced company-wide, as well as ensure it is continuously audited, updated, and maintained. |
| Microsoft PPTP VPN Clients | (Off-campus) P.O.S. processing | The client can currently be minimized, allowing malware-infection opportunities. | Preventative, technical, procedural | Specific I.T. and security staff must ensure the Microsoft PPTP VPN client is continuously audited, updated, and maintained, and that its ability to be minimized is disabled, thus preventing unauthorized usage. |
| Campus Building | Physical location | Possible outdated security policies, hardware, software, physical structures. | Preventative, physical, procedural | Recommend a full security review, risk analysis, updating, and continuous review of all physical security facets. |
| Off-Campus Buildings | Physical location | Possible outdated security policies, hardware, software, physical structures. | Preventative, physical, procedural | Recommend a full security review, risk analysis, updating, and continuous review of all physical security facets. |
| Perimeter Fence | Campus | Possible outdated security policies, hardware, software, physical structures. | Preventative, physical, procedural | Recommend a full security review, risk analysis, updating, and continuous review of all physical security facets. |
| Surveillance Cameras | Campus | Possible outdated security policies, hardware, software, physical structures. | Preventative, physical, procedural | Recommend a full security review, risk analysis, updating, and continuous review of all physical security facets. |
| Smart Card Access Systems | Campus | Possible outdated security policies, hardware, software, physical structures. | Preventative, physical, procedural | Recommend a full security review, risk analysis, updating, and continuous review of all physical security facets. |
| Security Staff | Campus | Possible outdated security policies, skills, and training. | Preventative, physical, procedural | Recommend a full security review, risk analysis, updating, and continuous review of all physical security facets. |
| Security Alarms | Campus | Possible outdated security policies, hardware, software, physical structures. | Preventative, physical, procedural | Recommend a full security review, risk analysis, updating, and continuous review of all physical security facets. |
| U.P.S. | Campus, 36 hours | Possible outdated policies, hardware, and software. | Preventative, procedural | Recommend reviewing the U.P.S.’s performance, testing it, and creating a continuous plan for ensuring its capabilities are adequate for the situation. |
| Security Sensors (Fire, Water, etc.) | Campus | Possible outdated security policies, hardware, software, physical structures. | Preventative, physical, procedural | Recommend a full security review, risk analysis, updating, and continuous review of all physical security facets. |
| Power Generator | Campus | Possible outdated policies, hardware, and software. | Preventative, procedural | Recommend reviewing the power generator’s performance, testing it, and creating a continuous plan for ensuring its capabilities are adequate for the situation. |
| (B.Y.O.D.) Employee Mobile Devices | Campus | No enforced regulations, policies, or hardware/software requirements. | Preventative, technical, procedural | Recommend a full review of current employee device policies, and developing and pitching both a method to secure the devices and an alternative company-issued device plan. Ideally, by issuing company-owned devices, security would be significantly improved. |
| Website: http://www.harryandmae.com | Hosted on the single web server, public | No enforced regulations, policies, or maintenance and security procedures. | Preventative, technical, procedural | Specific I.T. and security staff, as well as web dev, must ensure this site is continuously audited, updated, and maintained. This website and the others should not be stored on the same web server; instead, each should be hosted on a different server, thus increasing redundancy. Offsite storage and backups should be frequently processed and tested. |
| Website: http://www.haryandmae.local. | Hosted on the single web server, private (pay statements, work performance, vacation time, personal information) | No enforced regulations, policies, or maintenance and security procedures. | Preventative, technical, procedural | Specific I.T. and security staff, as well as web dev, must ensure this site is continuously audited, updated, and maintained. This website and the others should not be stored on the same web server; instead, each should be hosted on a different server, thus increasing redundancy. Offsite storage and backups should be frequently processed and tested. |
| Website: http://www.HandMScranton.com | Owned by franchise owner in Scranton, PA | No enforced regulations, policies, or maintenance and security procedures. | Preventative, technical, procedural | Specific I.T. and security staff, as well as web dev, must ensure this site is continuously audited, updated, and maintained. This website and the others should not be stored on the same web server; instead, each should be hosted on a different server, thus increasing redundancy. Offsite storage and backups should be frequently processed and tested. |
| Company Facebook Account | Owned by franchise owner in Scranton, PA | No enforced regulations, policies, or maintenance and security procedures. | Preventative, technical, procedural | Specific I.T. and security staff, as well as web dev, must ensure this site is continuously audited, updated, and maintained. This website and the others should not be stored on the same web server; instead, each should be hosted on a different server, thus increasing redundancy. Offsite storage and backups should be frequently processed and tested. |
| Company Twitter Account | Owned by franchise owner in Scranton, PA | No enforced regulations, policies, or maintenance and security procedures. | Preventative, technical, procedural | Specific I.T. and security staff, as well as web dev, must ensure this site is continuously audited, updated, and maintained. This website and the others should not be stored on the same web server; instead, each should be hosted on a different server, thus increasing redundancy. Offsite storage and backups should be frequently processed and tested. |
| Company Instagram Account | Owned by franchise owner in Scranton, PA | No enforced regulations, policies, or maintenance and security procedures. | Preventative, technical, procedural | Specific I.T. and security staff, as well as web dev, must ensure this site is continuously audited, updated, and maintained. This website and the others should not be stored on the same web server; instead, each should be hosted on a different server, thus increasing redundancy. Offsite storage and backups should be frequently processed and tested. |
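The three A.D. rows (basic and admin privileges not separated, access allowed between departments) and the Symantec Endpoint Protection row (console access limited to specific I.T. and security staff) all describe conditions that the "regular auditing of user access" in the Employees row can check mechanically. The script below is an added example of such an audit and is not part of the original assessment or of any vendor's tooling; the account records, OU paths, group names, the `-adm` naming convention for separate admin accounts, and the console allowlist are all constructed assumptions standing in for an export from the real directory.

```python
"""Least-privilege audit over a directory export (added example).

Checks the conditions flagged in the A.D. Domain Controller / Organizational
Unit rows and the Symantec Endpoint Protection row:
  1. daily-use accounts must not carry admin group membership,
  2. disabled accounts must not keep privileged membership,
  3. department group membership must match the account's OU,
  4. endpoint-protection console access is limited to named staff.
All names, OUs and groups below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    sam: str             # logon name
    ou: str              # distinguished name of the containing OU
    groups: frozenset    # group memberships
    enabled: bool = True


# Policy inputs (assumed for this example, not taken from the assessment).
ADMIN_SUFFIX = "-adm"    # naming convention for separate admin accounts
PRIVILEGED_GROUPS = frozenset({"Domain Admins", "Enterprise Admins",
                               "SEP Console Admins"})
# A department group may only hold accounts that live in its own OU.
DEPARTMENT_GROUPS = {
    "Accounting and Finance": "OU=Accounting and Finance,DC=campus,DC=local",
}
# Only these admin accounts may administer the endpoint-protection console.
SEP_CONSOLE_ALLOWLIST = frozenset({"wdonaldson-adm", "itsec1-adm"})


def audit(accounts):
    """Return (rule, account, detail) tuples, one per violation found."""
    findings = []
    for a in accounts:
        priv = a.groups & PRIVILEGED_GROUPS
        priv_list = ",".join(sorted(priv))
        # Rule 1: admin rights belong on a dedicated -adm account only.
        if priv and not a.sam.endswith(ADMIN_SUFFIX):
            findings.append(("admin-rights-on-daily-account", a.sam, priv_list))
        # Rule 2: stale privileged accounts should be removed from the groups.
        if priv and not a.enabled:
            findings.append(("disabled-but-privileged", a.sam, priv_list))
        # Rule 3: no cross-department access through department groups.
        for group, ou in DEPARTMENT_GROUPS.items():
            if group in a.groups and a.ou != ou:
                findings.append(("cross-department-access", a.sam, group))
        # Rule 4: console access held by someone outside the allowlist.
        if "SEP Console Admins" in a.groups and a.sam not in SEP_CONSOLE_ALLOWLIST:
            findings.append(("sep-console-not-allowlisted", a.sam,
                             "SEP Console Admins"))
    return findings


def summarize(findings):
    """Count findings per rule so successive audits can be compared."""
    counts = {}
    for rule, _, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


CAMPUS_OU = "OU=Campus,DC=campus,DC=local"
FINANCE_OU = DEPARTMENT_GROUPS["Accounting and Finance"]

# Constructed sample export: a handful of accounts with deliberate violations.
SAMPLE_ACCOUNTS = [
    Account("jsmith", CAMPUS_OU, frozenset({"Domain Users", "Domain Admins"})),
    Account("jsmith-adm", CAMPUS_OU, frozenset({"Domain Admins"})),
    Account("afinance", FINANCE_OU,
            frozenset({"Domain Users", "Accounting and Finance"})),
    Account("bmarket", CAMPUS_OU,
            frozenset({"Domain Users", "Accounting and Finance"})),
    Account("oldadmin-adm", CAMPUS_OU, frozenset({"Domain Admins"}),
            enabled=False),
    Account("hdesk", CAMPUS_OU,
            frozenset({"Domain Users", "SEP Console Admins"})),
    Account("itsec1-adm", CAMPUS_OU, frozenset({"SEP Console Admins"})),
]


if __name__ == "__main__":
    results = audit(SAMPLE_ACCOUNTS)
    for rule, sam, detail in results:
        print(f"{rule:32} {sam:14} {detail}")
    print(summarize(results))
```

Against the constructed export the audit reports five violations: the daily-use accounts `jsmith` and `hdesk` hold admin group membership, `oldadmin-adm` is disabled yet still privileged, `bmarket` sits in the Accounting and Finance group from the campus OU, and `hdesk` has endpoint-protection console access without being on the allowlist. Running the same check on every audit cycle and comparing the per-rule counts gives the "regularly audited and maintained" evidence the table calls for.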
