Threats and Risks – A risk assessment to vulnerable organizations

Virus
  • Click here to download the original properly formatted document.
  • No matter the network, there will always be attacks on it.  If you are willing to put yourself out there (and in many cases there is no choice) then you have to come to terms with this.  New threats show up every day and we must always be on alert.  A key factor in understanding threats is to create a risk assessment.  This piece is aimed at producing a real-world situation where an organization has already been attacked.  I use this knowledge to create a risk assessment and evaluate what changes should be made.

I have been hired as a Security Administrator for an obviously big corporation.  There is quite a lot of information to go over and figure out what needs to be done where.  From what has been said already this corporation just doesn’t seem to have it together.  I can probably say from the get go that they don’t have much security in place.  What is sad though is that it took an attacker to break in and get a hold of important data for them to just consider doing anything… even then they seem reluctant.

If I am running a team in this job and there are three offices to look over then I will want to split my team up into three.  I will be sending two groups to the smaller offices in Mesa and Tempe and I will stay at the main office in Phoenix.  First off I will want each team to find out exactly what is running on the machines in those offices (I know we have the information already but I imagine in real world, this would be the first step).  Also we’ll want to know any such things like the type of internet connections and network connections.  Are their any data recovery plans in place?  What current security are these computers running?  Have they kept current with Microsoft Updates?  Do they have any firewalls installed?  Are there simple passwords being used?  Just this small information can help aid a proper setup in my opinion.

So once all three groups have gathered general information about each office that is when we can properly figure out a plan.  Communicating with each other is key throughout this project since each office is connected to each other.  I would still prefer we stay in three groups working at all offices at once which will of course be a quicker setup.  This is only after we have completely figured out what we need to do and what type of plan we want to implement.  Do things in a proper order so we don’t cause confusion amongst each other which will cause a much smoother implementation.

First off let’s figure out a risk assessment for the current setup.  I am going by the reminder that they don’t seem to high on security here.  Considering that this is a banking corporation the value of the assets are a 10.  No doubt about that because there is too much money involved and so much personal data from people with accounts here.  It would be very bad if any of this information got out in the wild which seems to be the case already.  The severity would be a 10 as well as of right now.  This place doesn’t seem to think much of security and I’m guessing since it already happened it will happen easily again.  Since there doesn’t seem to be much security in place everything is open season.  The likelihood is a 10 easily due to the fact that it has happened already and it will happen again.  Someone got away with doing it and now they have a little secret.  This WILL happen again and the damages could be much more severe.  Now lets look on to how we can prevent this and lower the likelihood.

One of the first things to look at is the operating system which is basically running everything. This corporation is apparently running Windows Server 2003 on their computers.  This is a good OS which isn’t plagued as badly with security problems as other Microsoft operating systems but it still has its vulnerabilities.  We need to realize what version of Server 2003 is running.  Are thelatest Microsoft patches installed?  What about the latest service pack or any service pack at all?  Having these already gets you more secured from common risks.  So as a start I would like allsystems running this OS to be updated with the latest patches from Microsoft and to update to the latest service pack.

When using Windows Server 2003 I would also like to check the file system.  All computers would be/should be switched to the NTFS file system if they aren’t running it already.  It is vastly better then FAT and there are some interesting security and permission controls that can be used.  A disk quota can be used to minimize the amount of disk space that each user uses.  This will keep users from storing more and possibly unnecessary files (which could be bad files) and in the end you could save disk space by limiting users to an amount.

NTFS has more features as well such as file encryption.  This process is relatively easy to do as it is just a matter of right clicking a file or folder and viewing the advanced tab.  This is pretty nice for keeping unwanted eyes off of user data.  The only person that can see this file is the user who encrypted it.  Teach each user how to encrypt and decrypt their important files and you have a good way of hiding your data from prying eyes.

NTFS can also be used to set permissions on files as well.  Using NTFS permissions can allow certain control over files and folders such as Full Control, Read, Write, etc. This will integrate well from all three offices   Imagine implementing a few of these correctly and properly.  These layers just from NTFS alone will help a lot.  Right away we are putting security in with stuff already available to the corporation which would mean less money spent!

Windows Server 2003 isn’t 100% safe and never will be more than likely just like any other OS but simple and easy solutions can go a long way.  What about the firewall that came along with service pack 1 I believe?  Considering we are updating to the latest service packs we now have the ability to use a basic firewall that is now built in.  Although it is basic it can be very useful and of course there is always the option to step up to a better firewall which will come at a price but are usually worth it.  A product like ZoneAlarm Pro has been around for awhile and is usually highly regarded in the security world.

One last thing to touch on with Windows Server 2003 is to implement some security policies.  We know that people tend to be the weakest link and most people will use easy passwords so they can remember them.  Can this be blamed though?  The problem is if passwords are far too complicated no one will remember them and this just causes frustration amongst people.  Too simple and they are beyond easy to figure out by guessing or using programs that perform dictionary or brute force attacks.  Luckily there are some security policies that can be implemented to keep things fresh, so to speak.

Under account policies we have good security options here.  One is the Password Policy which gives us some options for the password.  Options such as Enforce password history which won’t allow a user to reuse a password for a certain amount of time.  Maximum and Minimum password age will force a user to use a password for so many days without change and also have to change it after so many days.  Minimum password length is what it is, you have to have at least so many characters for the password.  There is also an option for password complexity which forces a password to have uppercase, lowercase, numerical, and non-alphabetic characters.  This can be pretty complex but all these options make sure the users aren’t being too lazy and you can really configure to your needs.

With the Account Lockout Policy, we have the ability to lockdown a system from unwanted users.  We have the ability to configure how many attempts an incorrect password is entered before the lockout kicks in.  There is also the option to set how long this lockout will last and how long till the counter will reset itself.  These are very good for keeping out people who are trying to guess the passwords and log into a users account.  This may cause frustration if a legit user forgets a password and gets locked out but sometimes you just got to deal with that stuff for the sake of security.

In the Local Policies we have some options here that can help track down where instances occurred with the Audit Policy.  What can be done under the audit policy is that we can log successful or failed attempts at certain things such as account logon events, object access, system events, etc.  Why is this important though?  Because when events are audited it logs the success and failure along with dates and times so if something is happening with your system you have the logs to find more information about where or how or what was happening!  This is an excellent and already built in way of security monitoring.

Software Restriction Policies are a good way to configure what types of software you don’t want users running.  This may make some users unhappy that they aren’t able to run certain software that they want but for the sake of security, they should only running what is deemed necessary to begin with.  This can prevent a number of things such as easy exploits.  Most software have some type of exploit which can cause an attacker to do a number of things to a system(s).  We just don’t need unwanted and unneeded problems like this.

I believe many of the security polices listed above can be quickly achieved through the active directory using group policies.  Seeing that there is already an active directory in place here we should then proceed to create group policies for the already mentioned security issues.  Also with active directory we have more options such as creating certain hours when users can be logged on.  What this can do is prevent users from accessing their accounts when they shouldn’t be.  Why allow an account to be freely available when it doesn’t need to be?  Setting logon hours is a good way to prevent unauthorized access in the off hours. With users having internet access we will need to put in some security.  One of the things is to prevent unnecessary downloads.  People will just download whatever they think is neat which could lead to major problems with malicious software.  At the very least we just don’t allow permission for anything downloaded to be run.  We don’t want to completely make users feel like they are trapped but once again, people are the weakest link.    Of course if the users are using Internet Explorer we’ll want to configure the zones.  On the Internet Zone it would probably be a good idea to set this security level to high.  We could probably set the local intranet and also the trusted site zones to medium security which should be fine for these.  It wouldn’t be a bad idea to get a good list of harmful sites out there and add them to the restricted zone to keep users from getting into something they shouldn’t be… even if its by mistake.

Hosting a web server farm is well but will need the proper security.  Customer transactions is something that should be pretty high up on what to protect.  Depending on how these transactions are handled (is this for purchasing or to keep track of their bank accounts?)  Using a type of cryptography would be great to encrypt the data sent through.  Put SSL in place as it is quite popular and quite trusted in many areas of the internet.  SSK will encrypt the information sent and retrieved from these servers.  It is an excellent way of keeping information safe from eavesdropping.

For the e-mail servers, exactly what is the e-mail going to be used for?    E-mail filtering can prevent pesky and unwanted e-mails from arriving in the inbox.  I’m sure we can filter it to allow only e-mails from within the company.  That is a company decision though and I still feel that users would occasionally open up possible malicious e-mail.  We don’t want to run into problems of Phishing or Pharming so besides filtering I would also recommend a memo about rules of e-mails and to just be careful.  If using Outlook as the e-mail program, it would be good to follow along the normal office applications and update it with current patches.

Normal office applications is a bit vague but I would imagine if this is a banking corporation a likelihood is that Microsoft Office or something similar is being used.  Microsoft Office 2007 has plenty of exploits that an attacker can use to gain access or cause problems.  One thing is to get the message across to the user to Not open unknown Office files.  Opening unknown office files can cause an attacker to use these exploits, for a lot of them anyway.  Basically for the normal office applications such as this I would get all the recent updates from Microsoft.  These will patch and fix any exploits and keep the applications updated.

Running RealPlayer is fine but what we got to remember is that it also has its vulnerabilities. First off we’ll want to configure the firewall to allow RealPlayer to work correctly with the streaming media server.  If software restrictions are in place then we’ll want to allow RealPlayer to be used.  We’ll just need to update RealPlayer with any patches to keep it safe from any current exploits much like the normal office applications.

I haven’t seen anything regarding a data recovery plan though.  This should absolutely be created because there is too much information here that simply needs to be readily available if a meltdown would occur..  Imagine if an attacker erased information or something internal just goes bad.  It would be pretty harsh to lose so much information.  This is of course going to cost money but it is a necessity.  It will cost far more in losses if there was no backup in place.  I would think that since Phoenix doesn’t appear to be an area with a high rate of natural disasters we could put the backup system near the main office.  All three offices could essentially use this data backup system to allow all three offices running just fine and less worrisome if something fails.  One must think of all sides and it would be a shame to lose tons of information like this.

Now onto the letter for upper management:

Dear Management,

After performing a risk assessment with my team we have come to the conclusion that your corporation is at a severe risk.  Recently as you have realized you have already had some type of an attack.  Because there wasn’t any detection or monitoring in place, we can’t really track down exactly what happened.  We can however tell you that after evaluating the setup across all three offices that there are plenty of weaknesses that must be addressed.

I propose a plan that will not eat away at your money.  Instead this plan will consist of configuring many parts of the setup that are already there and not properly used.  Why do you need this?  I won’t lie, security is never 100 percent.  This is just how security works in all areas of life.  Let me ask you though, would you rather have a setup that protects your data far more than what it is now?  Would you prefer to leaves these risks alone and at some point you will realize regret when your corporation is under fire from consumers and attackers.  This will happen and all you have to do is look at the statistics of organizations with and without security and data plans.  To be honest and blunt, most do not last very long.

We are willing to share and implement all of our ideas into your setup which will prevent many problems in the future.  As mentioned, the cost is the least of your concerns considering it will cost you far more in the future.  We can use Windows Server 2003 with its active directory and group policies to configure many security areas.  Since this is already installed on the computers you don’t have to worry about spending extra money on this.  I also suggest we incorporate a data recovery plan which does not need to be far from the main office here in Phoenix.  This will cost some money to maintain but if you don’t have a backup plan and your data goes missing, what will you do?  What will you tell the people who have accounts here?  I also suggest that we run SSL on the customer transaction servers.  You want your customers to trust you and setting up proper security measures will do this.

You must spend money to make money.  You will gain more customers just by trust with a proper security plan in place.  If a reputation got out that you were under constant attack and information went missing your corporation will be a public embarrassment.  Customers will go elsewhere that is has a good reputation.  You will lose them and then what will you do?  It may be too late by then to incorporate a proper plan.

Please consider this carefully and realize that even though security is never 100 percent, it is far better then 0 percent.  Remember that my plan is not going to cost you the world and that you will gain a trusted reputation for your customers and in the process, will gain more.  It is a win-win situation.

Thank you,

-Mike

Well I should say that if I was ever in a position like this at some point in time, I would feel pretty good about my situation in life.  This generally and purposely feels like a real life situation which makes me very interested but as such a beginner, very nervous.  We can write up anything on paper here but it doesn’t really apply to the real world.  We can make mistakes (not intentionally) and not be fired or get a bad reputation in the real world.  This to me really seems like something which can make or break you and part of the problem is that no security plan will ever be 100% attack proof.  If you are doing something like this for a company similar to this who thinks security is a waste of money and even though you created a magnificent plan, it seems like one little problem can make the company/organization angry at you.  I feel that it is very tough out there and from the past couple classes a lot of companies don’t like to invest much in security.  When will they understand though that this is such an important part of the puzzle?

Microsoft TechNet

Information on Auditing, Windows Server 2003.  Retrieved May 1, 2008 from

http://technet.microsoft.com/en-us/default.aspx

Verisign

Information on SSL certificates.  Retreived May 1, 2008 from

http://www.verisign.com/ssl/

Melber, D.  (May 03, 2006)

Understanding Windows NTFS permissions.  Retrieved May 1, 2008 from

http://www.windowsecurity.com/articles/Understanding-Windows-NTFS-Permissions.html

Comments are closed.