Case Study #2: CompanyY Network Security in the Real World
by Rich Bright

Profile of Company Y

CompanyY is a commercial construction company with multiple locations in Missouri, Kansas and Iowa. It employs approximately 90 people in twelve office locations and supports several hundred construction field workers. Office locations and some job trailers connect using a variety of connection methods. Domain controllers exist in larger offices and these domains have established trust relationships with the corporate home office. A four-person, trained and experienced IT staff was present. The IT staff was able to handle most day-to-day IT issues with little outside support. The IT staff was very busy “keeping the joint running” and had little time available to implement new IT solutions or manage the network proactively.

Business operations included sales, engineering, accounting and field construction. Local office managers exercised significant autonomy and each office displayed a unique culture. Efforts to centralize IT often met with resistance, but were usually successful. While CompanyY had excellent formal policy and documented practices related to information security, such policy was often ignored at the local office level. A spirit of “get it done now” trumped written policy in dictating conduct and practice. Employee turnover was low for technical resources (sales, engineering, job management); lower-level staff turned over fairly often. Interstaff relations were good among and between departments, with a flat management hierarchy.

CompanyY sought outside consulting services to provide an independent, third-party review of technology and practices related to the ongoing information security needs of CompanyY, in order to develop a blueprint for comprehensive long-term strategy and practice. An unofficial goal was to secure a third-party view to help settle disputes within the IT department regarding the best path to take to mitigate growing security threats. Internal IT staff would be responsible for enacting the plan. Annual checkups from the independent party were planned. The security review was in part prompted by the assumed theft of corporate pricing strategies by a competitor. CompanyY was unsure how the information leaked, or even if it was electronic leakage. However, the incident led to efforts to improve data security.

Baseline Security Audit for CompanyY Industries
SiteJ, Missouri
Conducted by Bright Ideas

On July 17, 2006 the Windows computers located at CompanyY’s SiteJ office were inspected as part of a baseline security audit. Steps to correct immediate and significant security threats were taken. Your Windows server was not included in this security baseline. Additional information was gathered through interviews with CompanyY’s IT staff, and informal discussions with other workers. The goal of the information security audit was to:

Assess existing and needed security measures to protect the business information of the company and privacy of existing and potential customers regarding daily operation and disaster recovery.

Specifically, the general goals of the baseline security audit were to:
1. Identify and correct common security flaws at the network level
2. Identify and correct common security flaws at the desktop level
3. Identify strengths of existing security processes
4. Identify areas for security improvements
5. Assess weakness in the current disaster recovery plan

This document will provide a written overview of the results with specific recommendations. Additional verbal reviews and alternative courses of action have been discussed. Bright Ideas will not retain any copies of the detailed data regarding each computer, as a measure to decrease the possibility of theft of detailed information related to your network and networking devices.

Your data security is critical to maintaining business information and protecting the privacy of current and potential customers. While there is no such thing as total data security, many steps can be taken to manage the risk. Your information security is only as strong as the weakest link in a security chain. Security weakness and process weakness should be noted and corrected as quickly as possible. Mitigation of risk is accomplished by applying best industry practices, correcting configuration errors, and upgrading components as needed. The goal in managing data security and mitigating risk is to provide multiple layers of defense, commonly called Defense in Depth. The layers should offer protection, recognition of breaches in defense, and an audit trail to determine how, and from where, successful attacks were launched. Because the threats to your data are ever evolving, network security must be seen as a process and not a destination.

You must provide physical security of data systems, security at the network level and security of the individual desktop computer. In simple terms, you must keep bad data traffic away from your computers and monitor your computers and network for bad traffic. I observed generally good physical security; patrons do not have access to data systems. Secure storage of data tapes should be considered.

Fundamentally, security on the LAN requires securing the desktop PCs, controlling access to the network, identifying all authorized network devices, monitoring for unauthorized devices, and identifying and controlling services and devices shared to network users.

A new firewall is expected to be installed very soon. We had anticipated this would be completed before the security baseline. Because the network infrastructure is to be radically changed, limited analysis was performed. Common threats were discussed and related to how they might apply to the SiteJ office. The anticipated implementation of a Virtual Private Network (VPN) will greatly enhance your network security and provide additional safeguards for interoffice communications. Using a firewall to appropriately limit access to the network from the outside is only the first step in securing your network. No analysis of phone lines and modems was made. A potential bridging wireless network was found.

Strengths of your current network include the excellent documentation provided, the use of Network Address Translation (NAT) and the use of strong administrative passwords. The proposed changes to your network firewalls and the implementation of a VPN are also excellent steps to increase network and data security. Your staff seems genuinely concerned with network security and recognizes that your current defense plan is effective in many ways, yet is in jeopardy of applying outmoded defense models in an increasingly dangerous security environment.

The use of corporate-grade antivirus is a good first step in preventing malware. Unfortunately, while this solution is quite good at dealing with viruses, it has limited ability to deal with newer, serious and rapidly evolving malware such as adware, spyware, trojans and rootkits. Dealing with these threats becomes more important as you implement site-to-site VPNs, because VPN network traffic essentially gets a free pass at the network level in your current defense plan. Therefore, a compromise at one site could very quickly attack other company sites.

The need for appropriate backups of network device configuration to facilitate network disaster recovery was discussed. A written record of all network passwords should be maintained at a secure location. This should be updated at least quarterly. A copy should be stored securely offsite.

Once basic security of the network has been established, securing the desktop PC must be accomplished. Fundamentally, desktop security requires appropriate updating of the operating system and standard applications software, preventing and detecting malware, control of user logins and control of network shares.

All operating systems used at your facilities are currently supported by Microsoft. Some of your computers use the Windows 2000 operating system. This operating system moved from "Mainstream Support" to "Extended Support" on June 30, 2005. In the extended support phase, Microsoft provides only security-related fixes and will not add any additional functionality. Extended support is scheduled to end for Windows 2000 on July 13, 2010. There is no expectation that Microsoft will extend support of any type beyond that date.

It is critical to secure the operating system against known threats by applying appropriate patches provided by the manufacturer. The updating of applications software is also important in closing known vulnerabilities. Nearly all systems were found to be seriously behind current standards using the Microsoft Update service. With very few exceptions, PCs were not being properly updated and were not configured to download and apply critical patches as soon as they are made available by Microsoft. Many computers required a great many "noncritical" updates. These "noncritical" updates are not automatically downloaded and installed. In some cases, these updates play a significant role in maintaining a secure desktop, despite the fact that Microsoft did not award the "Critical" rating to the patches. We have discussed additional options for dealing with both critical and noncritical updates.

A number of your desktop PCs were found to contain adware, trojans and rootkits. Your antivirus software was unable to respond to many of these threats cloaked with rootkits. It is highly probable that the failure to secure the desktops with the most recent operating system patches is the root cause of these infections. CompanyY does little or nothing to protect its information assets from spyware.

Specifically, the computer identified as VicePresident01 should be considered completely compromised. This machine’s hard disk should be reformatted and reloaded. Applications and user data should be restored only after the data has been checked and cleared of any additional infections. All passwords should be changed for any and all local and remote access accounts. The complete compromise of the machine VicePresident01 appears most likely to be the result of very poor updating of the operating system, coupled with frequent access to pornographic sites. A single machine on your network, compromised as this one was, renders firewall perimeter defenses useless.

Because failing to update the operating system leaves the individual machines defenseless against many of the most common threats a user may casually encounter, it poses the most severe security risk to your data and data systems. Further analysis was deemed unwarranted at this point and additional planned security assessments were aborted. A complete baseline security audit is possible when additional steps have been taken to secure your desktops from common threats.

A brief outline of the steps needed to prepare your information assets for a comprehensive baseline security audit has been included at the end of this report. This action plan has been verbally discussed in greater detail. As always, Bright Ideas will be available to assist you in developing IT goals and strategies to meet your needs.
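The SiteJ report above asks for identifying all authorized network devices and monitoring for unauthorized ones, and it found a potential bridging wireless network. The Python script below is an added example, not part of the Bright Ideas report or CompanyY's own tooling, of how that check can be made a routine task: it diffs an authorized-device baseline against an ARP snapshot and reports unknown hardware, devices that have gone missing, an authorized device that has changed address, and an authorized address now answered by an unexpected MAC. The baseline, the 192.168.10.0/24 subnet, the hostnames and the ARP output are all constructed for illustration.

```python
"""Routine check for unauthorized or changed devices on an office LAN.

Added example (not from the Bright Ideas report or CompanyY): an authorized
device baseline is diffed against an ARP snapshot so that unknown hardware,
missing devices, moved devices and an authorized address answered by an
unexpected MAC are reported. Baseline, subnet and ARP output are constructed.
"""
import re

# Assumed authorized devices for the SiteJ segment: MAC -> (hostname, expected IP)
BASELINE = {
    "00:11:22:aa:bb:01": ("siteJ-dc01", "192.168.10.2"),
    "00:11:22:aa:bb:02": ("siteJ-sales1", "192.168.10.21"),
    "00:11:22:aa:bb:03": ("siteJ-eng1", "192.168.10.22"),
    "00:11:22:aa:bb:04": ("siteJ-printer", "192.168.10.50"),
}

# Constructed snapshot in the shape of Windows `arp -a` output. The entry at
# .77 is the kind of thing a bridging access point or a visitor's laptop
# produces; the entry at .22 is an authorized address with the wrong MAC.
ARP_SNAPSHOT = """\
Interface: 192.168.10.5 --- 0x2
  Internet Address      Physical Address      Type
  192.168.10.2          00-11-22-aa-bb-01     dynamic
  192.168.10.21         00-11-22-aa-bb-02     dynamic
  192.168.10.22         00-11-22-aa-bb-99     dynamic
  192.168.10.77         00-1c-f0-12-34-56     dynamic
  192.168.10.255        ff-ff-ff-ff-ff-ff     static
"""

ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})\s+(\w+)"
)


def parse_arp(text):
    """Return {mac: ip} for unicast entries; MACs normalised to lowercase colon form."""
    seen = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if not m:
            continue  # interface header, column header, blank line
        ip, mac, _kind = m.groups()
        mac = mac.lower().replace("-", ":")
        if int(mac[:2], 16) & 1:
            continue  # multicast/broadcast bit set: not a host
        seen[mac] = ip
    return seen


def diff_inventory(baseline, snapshot):
    """Compare an ARP snapshot with the authorized baseline."""
    unknown = {mac: ip for mac, ip in snapshot.items() if mac not in baseline}
    missing = {mac: baseline[mac][0] for mac in baseline if mac not in snapshot}
    moved = {mac: (baseline[mac][0], baseline[mac][1], ip)
             for mac, ip in snapshot.items()
             if mac in baseline and baseline[mac][1] != ip}
    # An authorized IP now answered by an unknown MAC: a re-imaged box, a
    # replaced NIC, or something pretending to be the real host. Visit it.
    expected_by_ip = {ip: mac for mac, (_host, ip) in baseline.items()}
    ip_conflicts = {ip: (expected_by_ip[ip], mac)
                    for mac, ip in unknown.items() if ip in expected_by_ip}
    return {"unknown": unknown, "missing": missing,
            "moved": moved, "ip_conflicts": ip_conflicts}


def report(result):
    """Human-readable lines, one per finding, for the daily review."""
    lines = []
    for mac, ip in sorted(result["unknown"].items()):
        lines.append(f"UNKNOWN   {mac} at {ip}")
    for mac, host in sorted(result["missing"].items()):
        lines.append(f"MISSING   {host} ({mac})")
    for mac, (host, old, new) in sorted(result["moved"].items()):
        lines.append(f"MOVED     {host} ({mac}) {old} -> {new}")
    for ip, (expected, actual) in sorted(result["ip_conflicts"].items()):
        lines.append(f"CONFLICT  {ip} expected {expected}, answered by {actual}")
    return lines


if __name__ == "__main__":
    for line in report(diff_inventory(BASELINE, parse_arp(ARP_SNAPSHOT))):
        print(line)
```

Feed it the ARP table from the gateway (or the MAC table from the switch, which sees hosts that never talk to the gateway) and keep the baseline under change control: every UNKNOWN line is either a device to add to the baseline or a device to go and find, and a CONFLICT on a server address deserves a visit the same day.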
Action Plan
Securing CompanyY’s SiteJ Office

1) Restrict data loss at the network perimeter by limiting LAN exposure.
   1) Implement a basic firewall
   2) Limit network access by unauthorized users
2) Secure the LAN clients
   1) Deny admin rights whenever possible
   2) Implement effective antivirus
   3) Patch the operating system against known vulnerabilities
   4) Patch standard applications against known vulnerabilities
   5) Periodically check for rootkits
   6) Implement antispyware and privacy software tools
   7) Implement time synchronization
   8) Remove unneeded services from clients
   9) Remove unneeded applications from clients
3) Secure the network perimeter
   1) Implement stateful packet inspection
   2) Implement network-level Intrusion Detection/Prevention
   3) Provide appropriate logging of network activities
   4) Assess your own vulnerabilities
   5) Recognize changes in network behavior and configuration

Baseline Security Audit for CompanyY Industries
SiteC, Missouri
Executive Summary
Conducted by Bright Ideas

On August 18, 2007 the Windows computers located at CompanyY’s SiteC office were inspected as part of a baseline security audit. Steps to identify significant security threats were taken. No remediation of threats was performed. Additional information was gathered through interviews with CompanyY’s IT staff, and informal discussions with other workers. The goal of the information security audit was to:

Assess existing and needed security measures to protect the business information of the company and privacy of existing and potential customers regarding daily operation and disaster recovery.

Specifically, the general goals of the baseline security audit were to:
1. Identify and correct common security flaws at the network level
2. Identify and correct common security flaws at the desktop level
3. Identify strengths of existing security processes
4. Identify areas for security improvements
5. Assess weakness in the current disaster recovery plan

Your data security is critical to maintaining business information, business continuity and protecting the privacy of current and potential customers. While there is no such thing as total data security, many steps can be taken to manage the risk. Your information security is only as strong as the weakest link in a security chain. Security weakness and process weakness should be noted and corrected as quickly as possible. Mitigation of risk is accomplished by applying best industry practices, correcting configuration errors, and upgrading components as needed. The primary strategy in managing data security and mitigating risk is to provide multiple layers of defense, commonly called Defense in Depth. The layers should offer protection, recognition of breaches in defense, and an audit trail to determine how, and from where, successful attacks were launched. Because the threats to your data are ever evolving, network security must be seen as a process and not a destination.

In short, I found your security and disaster planning to be improving, with further improvement required to secure your enterprise. CompanyY’s network security plan must provide layers of defense and is now overly reliant on perimeter defense alone. Key findings include:

1) CompanyY’s perimeter defense and avoidance of bad traffic is good.
Critical SonicWall security services expired August 29, 2007 and should be renewed immediately. Critical errors in perimeter defense largely involve undesirable exposure of critical network details, rather than key weakness in defense. Unsecured remote management (http) of the firewall must be removed. The most secure management strategy disallows all remote management, instead allowing management across the LAN or VPN only. The regularity and consistency of log and alert review must be improved. Timely use of firewall alerts must be improved. The external storage of alerts and logs discloses too much information about your network and constitutes a very serious threat to the network. Appropriate backups of network device configuration should be readily available.

2) CompanyY’s internal monitoring for security threats is very poor.
A methodical approach to fully implementing desktop PC security is now appropriate. A process to provide timely recognition of threats inside your LAN must be implemented! Changes in log and alert handling are needed. Identifying all available network devices (physical and logical) and monitoring for changes should be a routine network management task.
Recognition of infection is inadequate. Adequate desktop protection today requires not only antivirus software, but also a desktop firewall and often antispyware software as well. Several desktop PCs were found to contain adware and trojans. Scans should be performed at least once per week. A full system scan should be performed on a routine, scheduled basis. A maintenance window must be established for this activity.
Steps should be taken to guarantee all machines are included in the patch system. CompanyY has made tremendous advances in maintaining operating systems since the preliminary review of the SiteJ location. However, nearly all systems were found to be missing some recommended updates using the Microsoft Update service. One computer was completely unpatched!

3) Password management is average.
Secured envelopes containing all needed administrative passwords and logins for all systems, both internal and external, should be kept at secured offsite locations. Multiple staff members should know how to access this information quickly.

4) Widespread use of administrator privileges should be reduced.
Critical software vendors should be pressured to develop applications which do not require administrative rights to the PC. As long as users maintain administrative rights, the local PC and the entire network are at risk from “drive-by” surfing or email attacks. No negligence is needed in order to infect your entire network; simply viewing a maliciously crafted email or website can possibly cost your company thousands of dollars in remediation.

5) Disaster recovery and data backup plans of CompanyY appear adequate.

I found your security and disaster planning to be improving, with further improvement required to secure your enterprise. CompanyY’s network security plan must provide layers of defense and is now overly reliant on perimeter defense alone. Data security, privacy protections and disaster recovery should be regarded as a process and not a destination. This baseline security audit was designed to identify major issues. Maintaining regular reviews of your security and disaster recovery plans must entail adjusting to business changes, known threats, and best practices to safeguard your data. Monitoring your network, your endpoint devices and practices is essential to maintaining data security and mitigating developing risks. Through a process of continual review and enhancement, your systems security will continue to increase with time.
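Finding 1 above says that storing the firewall's alerts and logs externally discloses too much about the network. When logs have to leave the LAN at all (an off-site copy for disaster recovery, or an outside reviewer), the practical compromise is to pseudonymise them first. The script below is an added example, not the Bright Ideas report's or CompanyY's own code, that replaces RFC 1918 addresses, internal hostnames, usernames and the device serial with tokens derived from a keyed hash: the same address always maps to the same token, so an analyst can still correlate events, but nothing in the exported copy reveals the internal addressing or naming scheme, and the key never leaves the site. The alert lines, hostnames and key are constructed; the key=value layout is a generic syslog style, not the vendor's exact format.

```python
"""Pseudonymise firewall alerts before they are stored off the LAN.

Added example, not from the Bright Ideas report or CompanyY. Internal IPs,
internal hostnames, usernames and the device serial are replaced by keyed-hash
tokens; public addresses (the interesting part of an alert) are kept.
"""
import hashlib
import hmac
import ipaddress
import re

# Constructed alert lines in a generic key=value syslog style (not the
# vendor's exact format). 198.51.100.23 plays an external source.
SAMPLE_ALERTS = [
    'Aug 18 09:12:01 siteC-fw sn=SN-constructed-001 msg="Administrator login allowed" '
    'usr="admin" src=192.168.20.21:1042:LAN dst=192.168.20.1:80:LAN',
    'Aug 18 09:14:33 siteC-fw sn=SN-constructed-001 msg="TCP connection dropped" '
    'src=198.51.100.23:4431:WAN dst=203.0.113.10:3389:WAN',
    'Aug 18 09:15:02 siteC-fw sn=SN-constructed-001 msg="VPN tunnel up" '
    'peer=siteJ-fw gw=192.168.10.1 src=192.168.20.21',
]
INTERNAL_HOSTS = ["siteC-fw", "siteJ-fw", "siteC-dc01", "companyy.local"]  # assumed
SECRET = b"keep-this-key-on-the-lan"  # assumption: stored on site, never exported with the logs

INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
KV_RE = re.compile(r'\b(usr|sn)=("?)([^"\s]+)\2')  # fields that name people or hardware


def token(kind, value, key=SECRET):
    """Stable, non-reversible pseudonym: HMAC so an outsider cannot brute-force
    the small RFC 1918 space to recover the original address."""
    digest = hmac.new(key, f"{kind}:{value}".encode(), hashlib.sha256).hexdigest()
    return f"<{kind}-{digest[:8]}>"


def is_internal(ip):
    """RFC 1918 / link-local only; TEST-NET ranges used above count as public."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def redact_line(line, hosts=INTERNAL_HOSTS, key=SECRET):
    """Replace internal IPs, named fields and internal hostnames; keep ports,
    zones, message text and public addresses intact."""
    def ip_sub(m):
        ip = m.group(1)
        return token("ip", ip, key) if is_internal(ip) else ip
    out = IP_RE.sub(ip_sub, line)

    def kv_sub(m):
        k, quote, v = m.groups()
        return f"{k}={quote}{token(k, v, key)}{quote}"
    out = KV_RE.sub(kv_sub, out)

    # Longest names first so "siteC-dc01" is not partially eaten by a shorter match.
    for host in sorted(hosts, key=len, reverse=True):
        out = re.sub(re.escape(host), token("host", host, key), out, flags=re.IGNORECASE)
    return out


def redact_all(lines, hosts=INTERNAL_HOSTS, key=SECRET):
    return [redact_line(line, hosts, key) for line in lines]


if __name__ == "__main__":
    for line in redact_all(SAMPLE_ALERTS):
        print(line)
```

The on-site copy stays unredacted; the token-to-value mapping is recomputable from the key whenever an off-site finding has to be traced back to a real host. Note that the external 198.51.100.23 source and the firewall's own public address survive untouched, since those are what a reviewer actually needs.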
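Findings 1 and 2 also ask for readily available backups of network device configuration and for routine monitoring of configuration changes, and the SiteJ report warned that VPN traffic gets a free pass at the network level. The Python below is an added example, not from the Bright Ideas report or CompanyY, of turning those three points into one scheduled check: fingerprint the filed backup, diff the current export against it, and flag the specific exposures the audit names (cleartext management reachable from the WAN, alerts sent to a syslog server off the LAN, an inbound WAN rule, and an "any" rule from the VPN into the LAN). The key=value configuration format and both configurations are constructed stand-ins, not the SonicWall export format.

```python
"""Config backup fingerprinting, drift detection and exposure checks.

Added example; the key=value format and both configurations are constructed
stand-ins, not a real firewall export.
"""
import hashlib
import ipaddress

BACKUP_CONFIG = """\
hostname=siteC-fw
wan_ip=203.0.113.10
mgmt_http_wan=off
mgmt_https_wan=off
mgmt_https_lan=on
syslog_server=192.168.20.15
rule[1]=allow lan->wan any
rule[2]=allow vpn->lan any
"""

# What a later export might look like after an unreviewed change.
CURRENT_CONFIG = """\
hostname=siteC-fw
wan_ip=203.0.113.10
mgmt_http_wan=on
mgmt_https_wan=off
mgmt_https_lan=on
syslog_server=198.51.100.40
rule[1]=allow lan->wan any
rule[2]=allow vpn->lan any
rule[3]=allow wan->lan tcp/3389
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def fingerprint(text):
    """SHA-256 of the export, filed beside the backup so a restore (or the next
    export) can be checked against what was actually saved."""
    return hashlib.sha256(text.encode()).hexdigest()


def parse_config(text):
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def config_diff(old, new):
    return {
        "added": {k: new[k] for k in new if k not in old},
        "removed": {k: old[k] for k in old if k not in new},
        "changed": {k: (old[k], new[k]) for k in old if k in new and old[k] != new[k]},
    }


def _on_lan(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


def policy_violations(cfg):
    """Flag the exposures the audit singled out. Rules are 'allow <from>-><to> <service>'."""
    findings = []
    if cfg.get("mgmt_http_wan") == "on":
        findings.append("mgmt_http_wan=on: cleartext remote management reachable from the WAN")
    if cfg.get("mgmt_https_wan") == "on":
        findings.append("mgmt_https_wan=on: remote management from the WAN; restrict to LAN/VPN")
    syslog = cfg.get("syslog_server", "")
    if syslog and not _on_lan(syslog):
        findings.append(f"syslog_server={syslog}: alerts and logs leave the LAN")
    for key, value in cfg.items():
        if not key.startswith("rule["):
            continue
        parts = value.split()
        if len(parts) != 3 or parts[0] != "allow" or "->" not in parts[1]:
            continue
        src, dst = parts[1].split("->", 1)
        if src == "wan" and dst == "lan":
            findings.append(f"{key}={value}: inbound WAN->LAN allow rule")
        if src == "vpn" and parts[2] == "any":
            findings.append(f"{key}={value}: VPN traffic gets a free pass into the LAN")
    return findings


def audit(backup_text, current_text):
    """Drift flag, field-level diff, and policy findings for the current export."""
    old, new = parse_config(backup_text), parse_config(current_text)
    return {
        "drift": fingerprint(backup_text) != fingerprint(current_text),
        "diff": config_diff(old, new),
        "violations": policy_violations(new),
    }


if __name__ == "__main__":
    result = audit(BACKUP_CONFIG, CURRENT_CONFIG)
    print("drift:", result["drift"])
    for section, entries in result["diff"].items():
        for key, value in entries.items():
            print(f"{section:8} {key} = {value}")
    for finding in result["violations"]:
        print("FINDING ", finding)
```

Run it from the same scheduled job that pulls the configuration export, and treat any drift with no matching change record as an incident rather than housekeeping. Note that the backed-up configuration already trips the VPN check: the "free pass" the SiteJ report describes is a rule that was deliberately written, not an accident, which is exactly why it needs a rule-by-rule review rather than a hash comparison alone.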
As always, Bright Ideas will be available to assist you in developing IT goals and strategies to meet your needs.

Analysis of July 2006 Action Plan
Securing CompanyY’s SiteJ Office

1) Restrict data loss at the network perimeter by limiting LAN exposure.
   1) Implement a basic firewall
   2) Limit network access by unauthorized users
2) Secure the LAN clients
   1) Deny admin rights whenever possible
   2) Implement effective antivirus
   3) Patch the operating system against known vulnerabilities
   4) Patch standard applications against known vulnerabilities
   5) Periodically check for rootkits
   6) Implement antispyware and privacy software tools
   7) Implement time synchronization
   8) Remove unneeded services from clients
   9) Remove unneeded applications from clients
3) Secure the network perimeter
   1) Implement stateful packet inspection
   2) Implement network-level Intrusion Detection/Prevention
   3) Provide appropriate logging of network activities
   4) Assess your own vulnerabilities
   5) Recognize changes in network behavior and configuration

Status key (each goal was colour-coded in the original; the colouring is not reproduced here): Goal mostly or completely met / Goal partially met / Goal largely unmet

Baseline Security Audit for CompanyY Industries
SiteC, Missouri
Full Report
Conducted by Bright Ideas

On August 18, 2007 the Windows computers located at CompanyY’s SiteC office were inspected as part of a baseline security audit. Steps to identify significant security threats were taken. No remediation of threats was performed. Additional information was gathered through interviews with CompanyY’s IT staff, and informal discussions with other workers. The goal of the information security audit was to:

Assess existing and needed security measures to protect the business information of the company and privacy of existing and potential customers regarding daily operation and disaster recovery.

Specifically, the general goals of the baseline security audit were to:
1. Identify and correct common security flaws at the network level
2. Identify and correct common security flaws at the desktop level
3. Identify strengths of existing security processes
4. Identify areas for security improvements
5. Assess weakness in the current disaster recovery plan

Your data security is critical to maintaining business information, business continuity and protecting the privacy of current and potential customers. While there is no such thing as total data security, many steps can be taken to manage the risk. Your information security is only as strong as the weakest link in a security chain. Security weakness and process weakness should be noted and corrected as quickly as possible. Mitigation of risk is accomplished by applying best industry practices, correcting configuration errors, and upgrading components as needed. The primary strategy in managing data security and mitigating risk is to provide multiple layers of defense, commonly called Defense in Depth. The layers should offer protection, recognition of breaches in defense, and an audit trail to determine how, and from where, successful attacks were launched. Because the threats to your data are ever evolving, network security must be seen as a process and not a destination.

In short, I found your security and disaster planning to be improving, with further improvement required to secure your enterprise. CompanyY’s network security plan must provide layers of defense and is now overly reliant on perimeter defense alone. Key findings include:

1) CompanyY’s perimeter defense and avoidance of bad traffic is good.
Critical SonicWall security services expired August 29, 2007 and should be renewed immediately. Critical errors in perimeter defense largely involve undesirable exposure of critical network details, rather than key weakness in defense. Unsecured remote management (http) of the firewall must be removed. The most secure management strategy disallows all remote management, instead allowing management across the LAN or VPN only. The regularity and consistency of log and alert review must be improved. Timely use of firewall alerts must be improved. The external storage of alerts and logs discloses too much information about your network and constitutes a very serious threat to the network. Appropriate backups of network device configuration should be readily available.

2) CompanyY’s internal monitoring for security threats is very poor.
A methodical approach to fully implementing desktop PC security is now appropriate. A process to provide timely recognition of threats inside your LAN must be implemented! Changes in log and alert handling are needed. Identifying all available network devices (physical and logical) and monitoring for changes should be a routine network management task.
Recognition of infection is inadequate. Adequate desktop protection today requires not only antivirus software, but also a desktop firewall and often antispyware software as well. Several desktop PCs were found to contain adware and trojans. Scans should be performed at least once per week. A full system scan should be performed on a routine, scheduled basis. A maintenance window must be established for this activity.
Steps should be taken to guarantee all machines are included in the patch system. CompanyY has made tremendous advances in maintaining operating systems since the preliminary review of the SiteJ location. However, nearly all systems were found to be missing some recommended updates using the Microsoft Update service, and one computer was completely unpatched.

3) Password management is average.
Secured envelopes containing all needed administrative passwords and logins for all systems, both internal and external, should be kept at secured offsite locations. Multiple staff members should know how to access this information quickly.

4) Widespread use of administrator privileges should be reduced.
Critical software vendors should be pressured to develop applications which do not require administrative rights to the PC. As long as users maintain administrative rights, the local PC and the entire network are at risk from “drive-by” surfing or email attacks. No negligence is needed in order to infect your entire network; simply viewing a maliciously crafted email or website can possibly cost your company thousands of dollars in remediation.

5) Disaster recovery and data backup plans of CompanyY appear adequate.

This document will provide a written overview of the results with specific recommendations. Additional verbal reviews and alternative courses of action have been discussed. As always, Bright Ideas will be available to assist you in developing IT goals and strategies to meet your needs. Bright Ideas will not retain any printed copies of the detailed data regarding each computer, as a measure to decrease the possibility of theft of detailed information related to your network and networking devices. Therefore, CompanyY is expected to provide off…