Fictional Inc. Information Technology Risk Assessment

Prepared for Fictional Inc.
Prepared by Nik Alleyne
2014-09-02
EXECUTIVE SUMMARY

Fictional Inc. requested that Nik Alleyne perform a formal Risk Analysis to identify the threats posed to the company. This Risk Analysis also aims to identify technical vulnerabilities within Fictional Inc.'s infrastructure while identifying and/or proposing possible countermeasures.
Fictional Inc. is a small grocery retailer and currently does not have an IT staff. Its IT support issues are contracted out to a third party.

This assessment identified 2 critical vulnerabilities which should be immediately addressed by Fictional Inc.'s management.
DETAILED ASSESSMENT

1. Introduction

1.1 Purpose

The purpose of this Risk Assessment is to identify the threats and vulnerabilities related to the operation of Fictional Inc. Through the identification of these threats and vulnerabilities, the relevant countermeasures will be recommended.

1.2 Scope of this Risk Assessment

Fictional Inc.'s systems comprise a pfSense based firewall and a Wireless Access Point which also performs switching functionality. In addition, the infrastructure contains a Windows 2003 Server, Windows 8.1 and Windows XP desktops. Mobile platforms such as Android 4.0 and Blackberry 10.2 are also in use.
All of the systems mentioned above are within scope of this formal Risk Assessment.
2. Risk Assessment Approach

2.1 Participants

| Role | Participant |
|---|---|
| Third Party Support Personnel | Joe Admin |
| Store Owner | Jane Owner |
| Risk Assessment Team | Nik Alleyne |
2.2 Techniques used

| Technique | Description |
|---|---|
| Risk Assessment Method and guidance | This assessment is being done following NIST 800-30 (Guide for Conducting Risk Assessments), NIST 800-37 (Guide for Applying the Risk Management Framework to Federal Information Systems) and the Commonwealth of Virginia Information Technology Risk Management Guideline Template. |
| Assessment Tools | The Nessus Vulnerability Scanner was used for identifying technical vulnerabilities. |
| Vulnerability Sources | Vulnerabilities were primarily determined based on results received from the Nessus Vulnerability Scanner. Additional sources: US-CERT, Cisco Systems. |
| Countermeasures sources | SANS Critical Security Controls for Effective Cyber Defense. |
2.3 Identifying Threats

| Credible Threats |
|---|
| Malicious Use |
| Compromise of user accounts |
| Power Loss |
| System Failure |
| System Compromise |
| Unauthorized Access |
2.4 Risk Model Approach

The Risk Model used to conduct Fictional Inc.'s Risk Assessment is based on the Risk Assessment methodology used by OWASP.

Risk = Likelihood * Impact

Threat Likelihood (Weight)

| Threat Rating | Threat Description |
|---|---|
| High (1.0) | The probability that a threat can exploit an identified vulnerability is very high, as the source may have the means, motive and opportunity to exploit the vulnerabilities. In addition, the current controls to mitigate this threat are ineffective. |
| Medium (0.5) | The probability that this threat will occur is medium. Current controls may be effective in mitigating this threat. |
| Low (0.1) | The probability that this threat can be exploited is very low. In addition, the controls in place are effective in mitigating the threat. |

| Impact Rating | Impact Description |
|---|---|
| High (100) | Occurrence of this risk may result in: i. Financial loss to the business |
| Medium (50) | Occurrence of this risk may result in: i. Damage to the infrastructure ii. Loss of Confidentiality iii. Loss of Integrity iv. Loss of Availability |
| Low (10) | Occurrence of this risk may result in: i. Loss of Availability |

| Risk Likelihood | Risk Impact: Low (10) | Risk Impact: Medium (50) | Risk Impact: High (100) |
|---|---|---|---|
| High (1.0) | Low (10 x 1.0 = 10) | Medium (50 x 1.0 = 50) | High (100 x 1.0 = 100) |
| Medium (0.5) | Low (10 x 0.5 = 5) | Medium (50 x 0.5 = 25) | Medium (100 x 0.5 = 50) |
| Low (0.1) | Low (10 x 0.1 = 1) | Low (50 x 0.1 = 5) | Low (100 x 0.1 = 10) |
3. IT Systems Characterization

3.1 IT Systems

IT Systems Inventory and Definition

| System Name | Description | Value |
|---|---|---|
| FICTIONAL-FW | Firewall. IP: 192.168.0.1. Services: SSH, HTTPS, NTP, DHCP, RADIUS, IPS, Bandwidth Analysis, Traffic Analysis | Mission Critical |
| FICTIONAL-AP | Wireless Access Point. IP: 192.168.0.2. Services: HTTP | High |
| FICTIONAL-PC | Desktop Computer running Windows 8.1. IP: 192.168.0.11. Productivity Software: Accounting, Excel, Graphic Design, Browser | Medium |
| FICTIONAL-XP | Desktop Computer running Windows XP. IP: 192.168.0.14. Productivity Software: Accounting, Excel, Graphic Design, Browser | Low |
| FICTIONAL-SRV | File Server running Windows 2003. IP Address: 192.168.0.21 | High |
| FICTIONAL-TABLET | Tablet running Android OS 4.0. Productivity Software: Excel, Browser. IP Address: 192.168.0.14 | Low |
| FICTIONAL-MOBILE1 | Mobile Phone running Blackberry OS 10.2. Productivity Software: Excel, Browser. IP Address: 192.168.0.15 | Low |
| FICTIONAL-MOBILE2 | Mobile Phone running Blackberry OS 10.2. Productivity Software: Excel, Browser. IP Address: 192.168.0.16 | Low |
3.2 Flow Diagram

The diagram below identifies all the devices within scope of this Risk Assessment.
4. Vulnerability Statement

4.1 The following vulnerabilities were identified.

| No. | Vulnerability | Description |
|---|---|---|
| 1 | Use of magnetic stripe card reader | The use of a magnetic stripe card reader is a critical vulnerability at this time. This vector is constantly being exploited to gain access to Credit Card Track data. |
| 2 | Unsupported Operating System | The use of unsupported operating systems is a critical vulnerability since vendor issued patches and updates may no longer be available. |
| 3 | SSL Certificate Cannot Be Trusted | Users would be unable to verify the authenticity and identity of the systems. This could make it easier to carry out man-in-the-middle attacks. |
| 4 | DNS Server Cache Snooping Remote Information Disclosure | This may allow a remote attacker to determine which domains have recently been resolved via this name server, and therefore which hosts have been recently visited. |
| 5 | Web Server Generic XSS | The remote host is running a web server that fails to adequately sanitize request strings of malicious JavaScript. By leveraging this issue, an attacker may be able to cause arbitrary HTML and script code to be executed in a user's browser within the security context of the affected site. |
| 6 | Lack of Centralized Authentication | This makes it difficult to disable an account if compromised. In addition, it means that passwords and other user and computer controls cannot be managed centrally. |
5. Risk Assessment Results

| Risk No. | Vulnerability | Threat | Risk of Compromise | Risk Summary | Risk Likelihood rating | Risk Impact rating | Overall Risk Rating | Analysis of Relevant Controls | Recommendations |
|---|---|---|---|---|---|---|---|---|---|
| 1 | Use of magnetic stripe card reader | Unauthorized Access; Unauthorized Use; Malicious Use; System Compromise | Confidentiality and Integrity of Fictional Inc. data may be lost | The use of a magnetic stripe card reader is a critical vulnerability at this time. This vector is constantly being exploited to gain access to Credit Card Track data. | High | High | High | None | Fictional Inc. should consider working with a vendor who provides POS terminals that use hardware based encryption, since Fictional Inc. does not control the production and/or distribution of Credit Cards. Consider implementing Firewall rules which restrict access to the POS systems. |
| 2 | Unsupported Operating System | Unauthorized Access; System Compromise; Malicious Use | Confidentiality, Integrity and Availability of data and systems | The use of unsupported operating systems is a critical vulnerability since vendor issued patches and updates may no longer be available. | High | Medium | Medium | Currently no controls are in place for mitigating this risk. | Fictional Inc. should consider implementing a software inventory and/or patch management system which allows it to track its currently installed software versions. |
| 3 | SSL Certificate Cannot Be Trusted | Unauthorized Access; System Compromise | Integrity of Fictional Inc. data can be compromised | Users would be unable to verify the authenticity and identity of the systems. This could make it easier to carry out man-in-the-middle attacks. | Medium | High | Medium | None | Ensure all new services requiring certificates use a certificate signed by a trusted third party. |
| 4 | DNS Server Cache Snooping Remote Information Disclosure | Malicious Use; Unauthorized Access | Availability of Fictional Inc. Infrastructure can be compromised | This may allow a remote attacker to determine which domains have recently been resolved via this name server, and therefore which hosts have been recently visited. | Low | High | Low | Currently none exists. However, a plan is in place for obtaining a software patch from the DNS software vendor. | Fictional Inc. should consider implementing a software inventory and/or patch management system which allows it to track its currently installed software versions. |
| 5 | Web Server Generic XSS | Unauthorized Use; Unauthorized Access; System Compromise | Confidentiality and Integrity of Fictional Inc. data | The remote host is running a web server that fails to adequately sanitize request strings of malicious JavaScript. By leveraging this issue, an attacker may be able to cause arbitrary HTML and script code to be executed in a user's browser within the security context of the affected site. | Medium | Medium | Medium | The control in place for this vulnerability is the Firewall. Access to this device is only granted to specific systems. | Conduct quarterly vulnerability scans to ensure these types of vulnerabilities can be detected. Conduct quarterly reviews of the firewall rules. |
| 6 | Lack of Centralized Authentication | Unauthorized Use; Unauthorized Access; System Compromise | Confidentiality | This makes it difficult to disable an account if compromised. In addition, it means that passwords and other user and computer controls cannot be managed centrally. | Medium | Medium | Medium | No control is currently in place to address user authentication. | Fictional Inc. should implement a centralized Directory Server, which allows for the ability to control both users and their computers. |
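The Risk = Likelihood * Impact model from section 2.4, applied to the six risks rated in the table above, as an added example that is not part of the original assessment. The weights, impact scores and rating thresholds are the ones the matrix in section 2.4 gives; the `RISKS` rows are transcribed from section 5 so the code can check each reported Overall Risk Rating against the model and order the risks for remediation.

```python
# Added example, not part of the original assessment: section 2.4's
# OWASP-style model, Risk = Likelihood x Impact, applied to the section 5 risks.

LIKELIHOOD_WEIGHT = {"High": 1.0, "Medium": 0.5, "Low": 0.1}   # section 2.4
IMPACT_SCORE = {"High": 100, "Medium": 50, "Low": 10}           # section 2.4


def risk_score(likelihood: str, impact: str) -> float:
    """Overall score = impact score x likelihood weight (section 2.4)."""
    return IMPACT_SCORE[impact] * LIKELIHOOD_WEIGHT[likelihood]


def risk_rating(score: float) -> str:
    """Map a score back to the rating shown in the section 2.4 matrix:
    100 -> High; 25 and 50 -> Medium; 1, 5 and 10 -> Low."""
    if score >= 100:
        return "High"
    if score >= 25:
        return "Medium"
    return "Low"


# (risk no., vulnerability, likelihood, impact, overall rating reported in section 5)
RISKS = [
    (1, "Use of magnetic stripe card reader", "High", "High", "High"),
    (2, "Unsupported Operating System", "High", "Medium", "Medium"),
    (3, "SSL Certificate Cannot Be Trusted", "Medium", "High", "Medium"),
    (4, "DNS Server Cache Snooping", "Low", "High", "Low"),
    (5, "Web Server Generic XSS", "Medium", "Medium", "Medium"),
    (6, "Lack of Centralized Authentication", "Medium", "Medium", "Medium"),
]


def assess(risks=RISKS):
    """Score every risk and sort highest first; ties keep report order.
    Each row also records whether the reported rating agrees with the model."""
    rows = []
    for no, name, lik, imp, reported in risks:
        score = risk_score(lik, imp)
        rating = risk_rating(score)
        rows.append({"no": no, "vulnerability": name, "score": score,
                     "rating": rating, "matches_report": rating == reported})
    return sorted(rows, key=lambda r: -r["score"])


def priority_order(risks=RISKS):
    """Risk numbers in the order management should address them."""
    return [r["no"] for r in assess(risks)]


if __name__ == "__main__":
    for r in assess():
        flag = "" if r["matches_report"] else "  <-- differs from report"
        print(f"{r['no']}. {r['vulnerability']:<36} {r['score']:>6} {r['rating']}{flag}")
```

Running it confirms that every Overall Risk Rating in section 5 follows from the matrix, and that the two critical findings from the Executive Summary sit at the top of the remediation order.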
6. Summary of Nessus Scan Results
References

Tenable. (n.d.). Nessus. Retrieved from http://www.tenable.com/products/nessus
SANS. (n.d.). Critical Security Controls. Retrieved from http://www.sans.org/critical-security-controls
OWASP. (n.d.). OWASP Risk Rating Methodology. Retrieved from https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology
US-CERT. (2014, January 02). Alert TA14-002A. Retrieved from https://www.us-cert.gov/ncas/alerts/TA14-002A
Gundert, L. (2014, January 13). Detecting payment card data breaches today to avoid becoming tomorrow's headline. Retrieved from http://blogs.cisco.com/security/detecting-payment-card-data-breaches-today-to-avoid-becoming-tomorrows-headline/
NIST. (2012, September). SP 800-30 Rev. 1. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf
VITA. (2006, 11 12). Risk Assessment Instructions. Retrieved from http://www.it.vt.edu/ctssr/risk_assessment/documents/VITA_Risk_Assessment_Instructions.pdf
Umer:
Well done Nik, just saw this today, it's amazing... liked your detailed approach.
Thinking, if we have to perform many RAs with different contexts at once, how can we do it quickly? Like with some Excel based approach?
Regards,
Umer

Reply:
Thanks for the comment! It's much appreciated and I'm glad that you found it helpful.
If you were performing many RAs I would suggest you build a template and try to leverage that. The tool would be dependent on you, but if Excel works I would recommend that route.