COMPUTER SECURITY



Table of contents


  1. Introduction


  2. Current situation - main assets


  3. Vulnerabilities - threats


  4. Solutions - ways of improvement


  5. Cost evaluation


  6. References






1. Introduction

The aim of this Workshop is to carry out a security audit of the company and propose improvements. All details concerning this fictitious company and the whole task are presented on the following web page. The report is structured as follows. First, the current situation of the company is briefly presented, and the assets that most need protection are identified. Then, in the next Section, security vulnerabilities are described. After that, solutions that should improve the situation are introduced. Finally, as the balance between usability and security is very important, a cost evaluation is given. Let's move on to the short description of the company.





2. Current situation - main assets


Current situation:

As it is not possible to protect all assets strongly enough, it is a good idea to focus on the most important issues, which seem to constitute the security policy of the company.

The company is an importer and wholesaler of footwear. It has about 100 employees and a similar number of computers, and is situated in one building. Two servers, one for the relational database and the second for the financial information system, are a pair of dual-processor Intel systems. They are two years old and run the server version of Windows NT 4. There is also a server used as a DHCP and DAT tape drive server, one Linux machine used for testing, and another Linux machine that runs the web and mail servers. The latter runs the company's web server (Apache), which provides both general corporate and marketing information and password-protected areas where customers can use SQL commands to view price and availability information for certain products. The client applications of the system are installed on about two dozen personal computers of varying age, running MS Windows 95 or 98 depending on how old they happen to be.

A UTP system connects the company to the local area network at 10 Mbps. There is one 24-port hub in the computer room and several additional hubs at the ends of cables. The company has 4 IP addresses, of which 3 are currently in use. All computers use the Samba directory-sharing application.

More detailed information is available on the following Workshop's web page.


Main assets:

  1. financial information system situated on dual Intel-processor system;

  2. relational database situated on the second dual Intel-processor system;

  3. internet connection.

They influence the security of the whole company and that is why they should be protected most.




3. Vulnerabilities - threats:


Staff awareness

Workers seem not to be aware of the importance of security and may not be careful enough about security issues. As, according to statistics, almost 50% of frauds come from the employees' side, employees should be aware not only of the risks but also that their actions are recorded. There may be people in the company with a criminal past, which does not necessarily make them incompetent but does make such a person suspect.


Passwords

There is no password policy, so users' accounts can be exposed to attack. Employees are not asked to use complicated passphrases and are not made aware of the need to handle them carefully. On machines with Windows 95 or 98 it is possible to log in as the default user when the login and password are unknown.


Rights

The case text gives no information about the rights given to specific users. As this issue is very important, all employees should be carefully checked with regard to it. Administrators, users from different departments and auditors all need different rights. Audit trails should make it possible to control processes at certain steps of the information flow.


Internet connection

The servers used by the company are not protected from Internet fraud. On the WWW there are many possible attackers who exploit bugs in systems' structure. The need to improve this aspect is the first thing that comes to mind when reading the case text. Poor protection against Internet attackers can result in losing control over the whole system.


Hub

Using a 24-port central hub is not only insecure but also very slow. Such a device forwards the traffic it receives to all connections, so every connected station can see it, which is why it can be a source of fraud.


Operating system versions

The fact that most stations run Win 95 or Win 98 means that the system is not protected well enough. These operating systems give almost no security to the user, which is why they should be upgraded. Some machines may be too old to work with more secure operating systems; these stations should be removed.


Physical infrastructure

Cables laid along walls, often without any general plan, and hubs installed without a general infrastructure plan can also be a source of security problems. Loose cables do not make for a safe and proper working environment: a connection can easily be disturbed either by a careless employee or by interference from another appliance. Rooms with servers should also be better secured. At present there is no policy on this issue. Many people can enter and attack the data stored there (including the information system database, which is the most important).

Cables laid on the walls or on the floor without a channel can be a fire hazard.


Recovery plan

The workshop text does not mention a general, comprehensive Recovery Plan.




4. Solutions - ways of improvement


Staff awareness

All employees should attend training on security and on the proper use of passwords, the Internet and applications. If possible, the company's Human Resources division could discreetly check whether new candidates for positions in the company have broken the law in the past.


Passwords

A clean desk policy should be introduced to support the authentication of every user. It means that nothing can be overlooked in a pile of papers in plain sight, and security staff are asked to check whether anything has been left on a desk or a monitor. All users should be forced to change passphrases monthly. The company can also use a special application to check these phrases and reject combinations that are too easy.

Default, guest or visitor logins should not be allowed in the operating systems.
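
An added example, not part of the original report: one way the passphrase-checking application mentioned above could work. The 12-character minimum, the three-character-class rule and the small word list are assumptions chosen for illustration; the monthly expiry comes from the text.

```python
import re
from datetime import date

# Constructed sample denylist; a real deployment would load a much larger one.
COMMON = {"password", "welcome", "qwerty", "letmein", "footwear", "company"}
# Undo common character substitutions before the denylist lookup.
LEET = str.maketrans("0134578@$!", "oieastbasi")
SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "0123456789", "qwertyuiop", "asdfghjkl")
MAX_AGE_DAYS = 31  # "changed monthly", as the report requires


def has_sequence(text, run=4):
    """True if text contains `run` consecutive keys of a known sequence."""
    for seq in SEQUENCES:
        for i in range(len(seq) - run + 1):
            piece = seq[i:i + run]
            if piece in text or piece[::-1] in text:
                return True
    return False


def check_passphrase(candidate, username):
    """Return the reasons a passphrase is rejected (empty list = accepted)."""
    reasons = []
    lowered = candidate.lower()
    normalized = re.sub(r"[^a-z]", "", lowered.translate(LEET))
    if len(candidate) < 12:
        reasons.append("shorter than 12 characters")
    classes = sum(bool(re.search(p, candidate))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        reasons.append("fewer than 3 character classes")
    if username.lower() in lowered:
        reasons.append("contains the login name")
    if any(word in normalized for word in COMMON):
        reasons.append("built on a common word")
    if has_sequence(lowered):
        reasons.append("contains a keyboard or alphabet sequence")
    return reasons


def is_expired(last_changed, today):
    """True when the passphrase is older than the monthly change interval."""
    return (today - last_changed).days > MAX_AGE_DAYS
```

A phrase such as "P@ssw0rd2024!" passes the length and character-class rules and is rejected only because the substitutions are undone before the word list is consulted.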


Rights

A NWD (Not Write Down) policy could be introduced, so that a user who has access to a secret document is treated as secret. Also, a single point of registration (SPR), which is probably present but is not mentioned in the case text, gives more assurance that users have the proper rights to files.


Internet connection

The best idea is to install firewalls on the 10 Mbps connection. The most reasonable solution seems to be using 2 firewalls, an internal and an external one. Access to the internal network should be granted only after passing the physical appliance and the internal software firewall.

To protect the company's web page, one computer should automatically check that the page has not been replaced with a fake one. In such a case an attacker could behave as if he or she were the owner of the page. If a failure is detected, a special alarm should be raised.

When employees send requests to the database through the web page, HTTP should be replaced by encrypted HTTPS.

Keeping an IP address for the CFO only for historical reasons does not seem to be a good idea, so it should be removed. This computer should be placed behind the firewalls in order to protect the information stored on it.


Hub

The old and slow hub should be replaced by a switched 100 Mbps LAN. It would protect communication and improve speed significantly. This solution is easy to implement, and no modifications to workstations are needed. Computers can be connected to hubs, and the hubs to individual ports of the switch.


Operating system versions

On all stations with Win 95 and Win 98, another operating system, Windows 2000, should be installed. Based on NT technology and with the improved Kerberos Authentication Protocol, it gives security that should be sufficient for the company.


Physical infrastructure

Cables that are important for connections between departments and that carry important traffic between computers should be checked and fixed. Putting them into channels should improve the current bad situation. Of course there is no need to replace the whole cable network; the most important and crucial cables should be installed properly. The hubs situated at the ends of them should also be checked. They can be old or not working properly, or, if too many free ports are available, employees may be tempted to use them for private purposes. Buying new, very sophisticated and expensive devices does not seem to be really needed.

Fire extinguishers should also be placed in easily accessible places. All crucial machines should also be protected against water damage: they should not be placed on the floor near water pipes.

Physical protection of the server room should be installed. A single list of the names of people who may enter the server room should be introduced. The company also needs to feel safe with regard to the cleaning services: they should have no access to this room (or rooms). Introducing chip cards could be too expensive, but an alarm system is indispensable.


Recovery plan

It could be a good idea to use hash checksums to check whether files are being changed, in order to detect fraud. Every day such a sum could be computed and easily compared with the previous one. The activity of keeping backup files should be outsourced. Backups should be made every day and stored in a different building.

A UPS (Uninterruptible Power Supply) should also be installed to protect the whole LAN and all machines against power outages.
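
An added example, not part of the original report: a sketch of the daily hash-checksum comparison proposed above, which also covers the automatic check for a replaced web page from the Internet connection part when it is run over the web server's document root. The directory layout and file names are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    manifest = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def compare_manifests(previous, current):
    """Classify differences between the stored baseline and today's manifest."""
    common = previous.keys() & current.keys()
    return {
        "added": sorted(current.keys() - previous.keys()),
        "removed": sorted(previous.keys() - current.keys()),
        "modified": sorted(p for p in common if previous[p] != current[p]),
    }


def demo():
    """Constructed sample: a small web root that is tampered with between runs."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "htdocs").mkdir()
        (root / "htdocs/index.html").write_text("<h1>Footwear wholesale</h1>")
        (root / "htdocs/prices.html").write_text("<p>Price list</p>")
        baseline = build_manifest(root)  # day 1; keep this copy off the server
        (root / "htdocs/index.html").write_text("<h1>Replaced page</h1>")  # swapped
        (root / "htdocs/extra.cgi").write_text("#!/bin/sh\n")  # unexpected file
        (root / "htdocs/prices.html").unlink()  # deleted
        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for path in paths:
            print(f"ALERT {kind}: {path}")
```

The baseline is only trustworthy if it is stored where someone who can change the monitored files cannot also rewrite it, for example on the separate checking computer the report proposes.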


IT team

The people responsible for the system should take care of updating applications and install crucial programmes on secure machines. Old versions of programmes (Sendmail) let intruders use a stack overflow to enter the system, which is why it is very important to update them as often as possible.


Other

Document shredders should be bought so that important information is not kept on paper, as this can be dangerous. Somebody could find data in the trash. If everything is destroyed by a paper shredder, this threat does not exist.

Computers that rely on network operations should not have floppy disk drives. This significantly diminishes the threat of information theft and viruses. Also, such a large number of machines (about 100) may not be needed. This should be reviewed, and the surplus items either sold or scrapped.

In this Section we also advise not connecting the personnel service computer to the intranet. These data, which are very important, do not actually need such a connection. Such separation makes the whole system safer.

The mail programme used by employees, sendmail, could be replaced by Qmail. Although sendmail is often configured with minimal security by default, which makes it easy to set up, it is open to attack. Qmail is considered to be more secure and more efficient than sendmail. Qmail's source code is significantly easier to understand for those interested in checking out the innards. Qmail has also been very resistant to security attacks. One example of qmail's approach to security is that only two qmail applications run as root. It was found that qmail is best when setting up a mail server on an existing system.



5. Cost evaluation


Device / service                              | Number of items | Price per item | Estimated cost
paper shredder (Aurora 5 Sheet Cross Cut)     | 3               | 35$            | 105$
Qmail                                         | -               | Freeware       | 0$
switch (Cisco)                                | 1               | 7 500$         | 7 500$
alarm in server room (Rapid Alarm)            | 1               | 300$           | 300$
cable channels                                | 8               | 2 500$         | 20 000$
fire extinguisher (KIDDE)                     | 20              | 20$            | 400$
firewall (Cisco PIX 515E)                     | 1               | 2 300$         | 2 300$
firewall software (Norton Personal Firewall)  | 80              | 5$             | 400$
employees training                            | -               | -              | -
Windows 2000 upgrade                          | 40              | 160$           | 6 400$
Total:                                        |                 |                | 46 450$






6. References


