Harry & Maes Inc Client Presentation; Security Issues and - - PowerPoint PPT Presentation

Harry & Mae’s Inc

Client Presentation; Security Issues and Recommendations Presented by: Angel Hooper, IT Security Consultant

February 19, 2017 CYBR 650

Summary

Due to a data breach, impacting 25,000 customers, Harry & Mae’s has decided recruit assistance in order to ensure that their security issues are addressed. After successful completion of a systems analysis and threat analysis, an action plan has been put together in order to move forward with necessary changes that are needed to mitigate risks and vulnerabilities to their systems.

Presentation Focus Points

• Systems Analysis
• Threat Modeling Process
• Threat Analysis
• Action Plan

Key Terms

Risk can be defined as what, meaning what is at risk. Systems, for example, are at risk. Also consider that this process is a threat modeling process not a risk analysis. We are not determining what is at risk, but rather the vulnerability and threat of an already established risk. Vulnerability can be defined as why systems are at risk. Network security, for example, can be why the systems are at risk. Vulnerabilities are not always an exploit of an asset. Sometimes the vulnerability is a necessary part of the asset. A good example of this is power. By using power, which is necessary, we take the risk that systems might go down due to a power

• utage. This is a vulnerability of systems being run with power.

Threat can be defined as who. For example, external attackers can be the threat to the vulnerability (network) for the at risk (systems). Please be aware that some threats are accepted by an organization. These are threats that are considered part

• f a risk appetite. Such is the example above with using power.

Systems Analysis

Systems Analysis

System Analysis is meant for the studying and design of current systems with new

• r recommended changes that could be used in order to better the system and its
• security. This analysis will touch on current computing assets and systems “as-is”

with the possible vulnerabilities, while keeping in mind the cost and usability of the current systems. This analysis will include an organizational overview, recap of physical security, network diagram in its current state, cost and vulnerability grid, and any additional information and explanations that might be pertinent to this analysis.

Business Process - Overview

The franchise supports other locations and uses a shared Point of Sale (POS) system for other owners to use these services which is an incentive for those business owners. Harry & Mae's Inc also has about 400 employees at their main campus in Windsor, PA. Corporate warehouses are also located here. The business process would appear to be rather straight forward. This diagram, Figure 1, represents the process of transactions at Harry & Mae’s. Figure 1 - Harry & Mae’s Business Flow Process

Network Diagram

Based on the information provided, this diagram, figure 1.1, is to represent Harry & Mae's Inc current network infrastructure. This layout will help clarify what needs to be addressed, how everything works together, and how to better security at Harry & Mae’s. Figure 1.1 - Network Diagram

Cost and Vulnerability Breakdown

The purpose for this breakdown is to show the current assets that are reported at Harry & Mae’s, the value should something go wrong and those assets need to be replaced, and the possible vulnerability of the item/assets. Based on the information gathered this grid (on the next slide) shows a breakdown of each infrastructure asset, the cost of the asset, and possible

• vulnerability. The cost referenced here is the purchase/current retail price of the
• assets. This is important should this assets need to be replaced if the vulnerability

should occur and assets become destroyed. Included in this is the possible vulnerability with notes, mentioning the impact of this vulnerability should it occur.

Breakdown Grid

This grid, table 1.2, is a visual aid to guide processes into better protecting and development of better security for Harry & Mae's Inc. Table 1.2 - Cost and Vulnerability Breakdown

Breakdown Grid Continued

Breakdown Grid Continued

Vulnerabilities inside Policies & Procedures

During the analysis it was determined that Harry & Mae's Inc lacks several policies and procedures in place for employees and security standards. Some of these have become part of the above mention vulnerabilities that were listed. For example, lack of password policies or open WiFi access. It is critical to have policies and procedures in place that aline with physical and virtual security measures in order to ensure maximum protection at Harry & Mae's Inc.

Threat Process Model

Threat Process Model

The goal of the threat process model is to determine, assess, and mitigate threats at an organizational level. The importance of this model is the need to verify security of the organization’s applications and infrastructure.

Threat Model Process

The process below, figure 1.3, can be repeated multiple times and it should in order to maintain secure systems as much as possible. Multiple steps, noted and defined below, with documentation and a change management process should be utilized with this model. Figure 1.3 - Threat Model Process

Threat Model Process in Detail

In order to use the threat modeling provided, a clear process of identification, analysis, and cataloging threats should be taken into account before starting this model. Consider the following process for identification, analysis and how to catalog threats. Please be advised the process and outline has been given some color coordination in order to make this process easier to follow. 1. Identify Risk (identification)

• What is at risk here? Clearly state what systems are at risk; identification of what system, data, or piece of infrastructure that is at risk.

2. Collect and analyze threat information (analysis)

• Verification of threat to defined risk. What is the likelihood of the potential threat? Recognition of threats to infrastructure is critical. These threats can be intentional
• r accidental in nature. Threats can also be internal or external.

3. Collect and analyze vulnerability information (identification), (analysis) 4. Verification of vulnerability to defined risk. This will define and analyze the vulnerabilities that are related to the infrastructure. (identification), (analysis) 5. Documentation of both threats and vulnerabilities (catalog)

• Documentation of risk analysis will need to be completed with all relevant information.

6. Verification of process, procedures and standards in place for the organization (analysis)

• Once the documentation is presented to the risk assessment committee, the organizational guidelines and policies will need to be addressed with the risks in mind.

7. Evaluate and rank threats and vulnerabilities (analysis), (catalog)

• The risk assessment committee will need to/or be provided rank threats and vulnerabilities. The committee will need to define if the risks are applicable and/or
• accepted. Accepted risks will be considered part of the risk appetite and the process will end. If the risk is applicable, the process will continue.

8. Recommendations for controls (catalog)

• Documentation will include recommendations for controls to be put in place to address risks.

9. Evaluate impact of controls (analysis)

• Verification of controls and their impact. If necessary, plan for outages, budget changes and new systems implementation.

10. Make necessary changes (catalog)

• Schedule and implement changes.

11. Audit and monitor systems (analysis), (catalog)

• Monitor system changes and audit. Ensure changes are accepted before moving forward to ending/restarting the process.

12. Restart process

• Once the process cycle is completed for the current risk that was defined, this process can be ran again for the next threat/vulnerability pairing.

Examination in Defining & Understanding Threats

Threats will typically expose vulnerabilities. This is something to be aware of when we are looking at vulnerabilities and how at risk something is. In securing information technology, we tend to use something called, STRIDE. STRIDE is an acronym for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of

• Privilege. Why is is important, is because it gives security professionals a way to analyze security issues with typical threats

that might be possible for an organization's infrastructure. For example, considering Harry & Mae’s, which we have identified gaps inside the authentication process of users on specific systems. This is an identified as a vulnerability at Harry & Mae’s. With that comes the threat of say spoofing which could occur if the vulnerability isn’t address. Spoofing would allow users that are not who they say they are login to systems they should not have access too. This is why it's critical to understand and recognize threats and how the vulnerability could allow those threats to actually

• ccur.

Ranking Threats

Threats can be ranked and prioritized using multiple methods. However a good rule of thumb that can be used here is Risk = Likelihood * Impact. This a good standardized formula for determining the risk and with that further ranking of threats which can be viewed as high, medium, or low in ranking. When we look at threats and vulnerabilities, addressing those inside this model is key to making this process work successfully. Credible threat sources, such as Common Vulnerabilities and Exposures (CVE), can be found through research. Additional threat sources can be found through researched via new articles, journals, and other institutions in the same industry that may have found these threats through their processes.

Impact & Probability Ranking Matrix

Please note Figure 1.4, that gives a visual on how Risk = Likelihood (Probability) * Impact will look as we work through the threat modeling process. Figure 1.4 - Impact & Probability Ranking Matrix

(Justgetpmp.com, 2017)

Threat Analysis

Threat Analysis

Harry and Mae’s Threat Analysis is meant to identify threats with current systems and infrastructure. The analysis will cover each aspect of the application and the functionality of systems; this will so include architecture and design of Harry & Mae’s equipment. We have identified some vulnerabilities that might allow exploit

• f current systems.

Threat Analysis Report

Table 1.5, shows the results of the threat analysis report. What we have done here is noted the risks, the threats, the vulnerabilities, the ranking of the threat with the risk in mind, if the vulnerability should be mitigated and the impact should the vulnerability if the threat were to occur. Table 1.5 - Threat Analysis Report

Threat Analysis Report Continued

Threat Analysis Continued

Action Plan

Action Plan

Harry and Mae’s Action Plan is meant to address current threats, vulnerabilities, and risks with existing systems and infrastructure. The action plan was developed based on the threat analysis and systems analysis findings that was reported to management prior. The action plan will provide mitigation recommendations in order to address Harry & Mae’s concerns. Please be advised that we are addressing concerns and making recommendations based on information provided. There is always going to be some level of risk with an unknown factor. While this action plan will address the majority of vulnerabilities found, there will always be a need to re-evaluate risks and vulnerabilities as time goes on. Also be aware that certain changes will need to take effect on different aspects of the business. These changes may or may not impact facilities, employees, and customers. Every effort will be made to ensure as minimal impact as possible, with that communication will need to be a constant when this action plan is implemented to ensure all parties are

• n the same page.

Action Plan in Action

The action plan has three (3) major components. These focus on areas inside each part of the organization that should be addressed. These components, once revamped, will have addressed the noted vulnerabilities from the Threat Analysis that was previously completed. Please note the listed plan and table 1.6, for the action plan in action in relationship to these listed components. 1. Organizational Policies and Procedures a. Includes a password and authentication policy i. Without a password and authentication policy, there is chaos with users and employees on systems. Employees can access things they should not. Without proper authentication, Harry & Mae’s risks having attackers logon to the system and cause a security breach. b. Includes system maintenance guidelines, system updates and frequent vulnerability search maintenance checks through CVE or search engine i. In order to ensure the best security possible, systems must be maintained to current updates and with that ensure all systems are checked frequently for known vulnerabilities c. Includes WiFi password policy i. WiFi, without a password policy, allows for any user to access systems. This is a dangerous practice as attackers can logon to the system and gain access to the network. d. Includes a “no default” clause i. Default settings, including passwords, can allow an attacker to access systems - these default settings and passwords are typically public knowledge. e. Includes anti-virus and anti-malware software on all systems and desktops i. Systems lacking anti-virus and anti-malware allow for security breaches to occur more frequently. 2. Location of Network and Systems a. Includes moving systems/network infrastructure around i. Placement of a Wireless Lan Controller and a switch strictly for the WiFi will enhance security of systems ii. Placement of the Baracuda Firewalls in front of the Cisco Nexus switches, will allow the Dell SonicWalls to handle security for the incoming and outgoing web server and mail servers. b. Includes adding a UPS for environmental vulnerability i. Placement of a UPS will add protection against environmental vulnerabilities, i.e. power outage. 3. Organizational Training and Education of Systems a. Organizational policies and procedures for staff i. There seems to be lacking a clear policy and procedure guideline for employees and staff. This will ensure that staff is aware of how to manage, maintain, and continue to be present in the control of their security. b. Education of staff i. Staff needs to be educated regarding how to use systems and how to have an active role in their security. c. Possible on-site security officer to manage Harry & Mae’s security and educational support for staff. i. It is recommended that Harry & Mae’s hires a security officer to be the onsite contact and educator for security and security audits moving forward.

Action Plan in Action Continued

Table 1.6 - Action Plan in Action

Action Plan in Action Continued

Action Plan in Action Continued

Please also find the proposed new network infrastructure diagram, figure 1.7, that addresses the action plan recommended changes for the organization.

Figure 1.7 - Proposed Network Diagram for Harry & Mae’s

Cost & Timeline

Table 1.8 additional information regarding cost and timeline for recommended changes.

Table 1.8 - Cost & Timeline Details

Closing Thoughts

References

CVE.org. (2017). CVE -Common Vulnerabilities and Exposures (CVE). Retrieved from https://cve.mitre.org/index.html Justgetpmp.com. (2017). Probability and Impact Matrix | Just Get PMP. Retrieved from http://www.justgetpmp.com/2012/02/probability-and-impact-matrix.html OWASP.org. (2017). Application Threat Modeling - OWASP. Retrieved from https://www.owasp.org/index.php/Application_Threat_Modeling Shostack, A. (2014). Threat modeling: Designing for security. Indianapolis, IN: Wiley.