Executive Summary

At the request of N.E.W.T., a security assessment using the NSA IAM model was performed on the organization from January 3rd, 2012 through February 14th, 2012. This security assessment report is the culmination of the data that was gathered and analyzed over the course of that time. The purpose of such an assessment is to determine the current security posture of the organization, determine what an industry standard security posture should and could be for the organization, and then make recommendations, if any, as to what changes should be made for the organization to reach and maintain that standard.

The IAM process includes live demonstrations by your organization, interviews of different members of N.E.W.T.’s staff, thorough examination of policy and documentation, and observations made by the assessment team. This information gathering was done in phases over the course of the allotted time and depended a great deal on information provided by your staff. During this process it was discovered that the areas that needed the most attention were identification and authentication, maintenance, and training and awareness.

This report includes both the findings of the assessment team as well as the recommendations based on the assessment’s findings. Some of these recommendations can be done in a very short amount of time and do not require much in terms of expenditures. However, other recommendations are quite complex and will require some time and coordination on the part of your organization.


Mission Statement

The National Electronic Weapons Technology (N.E.W.T.) specializes in developing electronic tools (e.g. viruses, techniques, logic bombs, computer worms, and other exploits) for use in technological warfare. The company’s sole customer is the United States Government, and the company has the following general goals:

  • Develop weaponized viruses
  • Provide innovative techniques for attacking hostile networks
  • Improve upon existing exploits

Organizational Information Criticality

The organizational information criticality chart, shown below, was developed with your organization’s team members during our first visit. This chart is a simple breakdown of the different important information that your organization has and its corresponding “value” in terms of how critical it is to the organization. These items were then defined by that same group of team members in terms of time and cost to the organization. These values were used during the assessment to determine the appropriate level of security for each area as well as how large an expenditure should be allowed for it. Not being given a “high” status does not inherently mean an item is not important or not protected, but simply that it is not as critical to the organization.


Criticality Definitions:

  • High: Risk of information war tools being distributed to the wrong hands, potential loss of contract, potential international incident, and potential loss of life.
  • Medium: Embarrassment to company and/or government officials.
  • Low: Inconvenience/slow down of work.


Systems Information Criticality

This chart is similar to the organizational information criticality chart but is instead focused on the systems that are used by the organization instead of the information itself. This chart and its corresponding values and definitions were developed using the same methods as the organizational information criticality chart. The information that was outlined here was used to make decisions on what systems required more security and expenditure in relation to the others. Again, having a “low” or “medium” value does not mean that these systems are not valuable or not protected, just that they are not as critical to the organization as those that are labeled with the “high” value.

Criticality Definitions:

  • High: Risk of information war tools being distributed to the wrong hands, potential loss of contract, potential international incident, and potential loss of life.
  • Medium: Embarrassment to company and/or government officials.
  • Low: Inconvenience/slow down of work.


System Configuration

In order to understand the security needs of the systems involved at N.E.W.T., it is necessary to break the system down into its different areas. These descriptions were agreed upon by the assessment team and the network administrator as the most accurate.

The Corporate Network:

The corporate side of the network is kept completely separate from the laboratory network as a matter of security. The system consists of an external web server placed in a DMZ, which is behind the first router and firewall. Also behind this firewall is a server running WinNT 4.0 which services five workstations (three running WinNT 4 and two running WinNT 3.5) along with one laptop computer running Windows 95. These workstations are connected using a hub. There is also one network laser printer. There are also other live network drops in vacant cubicles in the office area. There is a Unix computer that has the ability to connect to this network whose only user is the chief scientist.

The Laboratory Network:

The laboratory network has no direct access to the internet but is connected to the same Unix computer used by the chief scientist; there is, however, a filtering router between the workstations and that computer. Behind the filtering router there are two workstations running WinNT 4, and then single workstations running each of the following operating systems: HP-UX, Linux RH 5.0, UNIX, Win95, and IBM AIX. Also connected to this network is a bridge that connects to a VAX minicomputer that has a dial-in maintenance port that is set to “open”.


N.E.W.T Network Diagram


Analysis

The information that was gathered as a part of the assessment provided a baseline of your organization’s security posture. Using that baseline we have broken down the different problem areas that were found with regard to security. Each of these sections explains the problem that was found, why it is a security issue, and then gives different options as to how the issue can be solved. The three solutions given for each issue are labeled “basic”, “intermediate”, and “advanced”. These options differ in both their scope and their cost.

Identification & Authentication

Findings:

It was discovered that there are gaps in both policy and practice in the area of identification and authentication. While the practice of requiring an ID card to enter the building is in place, the security to enter the lab is limited to a coded door. It was found that more than just the lab staff know the code, and some of those people have used it in the past out of convenience to reach the other side of the building (using the labs as a throughway). Also, the policies in place regarding user passwords were found to be extremely weak, never requiring password changes and not requiring complex passwords.

Explanation:

The primary issue here is that the majority of the security that is in place is focused on people getting into the building (there are man-traps, security checking I.D. badges, etc…). However, once past the initial security measures it breaks down. The most sensitive area of the building, the labs, is protected only by a keypad combination lock that has a single code. The lab area is also located where it splits one part of the building from another, with only a somewhat long path around it. This has led to non-lab personnel learning the code and using the lab as a “shortcut”. Also, since there is only one code for the lab area, there is no way to know exactly who is entering the lab and when.

The policy regarding user passwords also creates a security issue. It was found that some users have had the same password for several years and that over time other users have either learned or been given those passwords out of convenience. This presents a problem in that there is now no way to know for sure who is actually using a given username and password. Also, these passwords are not required to be complex, so simple, easy-to-guess passwords like “1234” and “password” have been in use for some time. While the desire is not to make work complicated for users, this presents a real security risk. The non-lab areas are not secured at all, not even with a coded door. If someone were able to get past the perimeter security (physical or network), those accounts would be extremely likely to be compromised.

Recommendations:

Basic Option:

  • Change the lab door code and only give that code to personnel that should have access to the labs.
  • Institute a domain-wide Active Directory policy that requires passwords to be changed on a regular basis (3 to 6 months) and requires complex passwords.

Intermediate Option:

  • Institute a system where each lab person has their own code to the lab door (replace the current coded lock if needed) and add a similar coded lock for the other sensitive areas in the building such as the offices.
  • Institute a domain-wide Active Directory policy that requires passwords to be changed on a regular basis (3 to 6 months) and requires complex passwords.

Advanced Option:

  • Issue new smart-card badges to all personnel and replace the coded doors with a system that uses the badges for access to sensitive areas.
  • Institute a domain-wide Active Directory policy that requires passwords to be changed on a regular basis (3 to 6 months) and requires complex passwords. Potentially tie this to the users’ smart-card badges for multi-factor authentication.
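As an added illustration of the domain-wide password policy recommended in all three options above (this is example code, not part of the assessment report or N.E.W.T.’s own configuration), the following PowerShell applies the complexity and rotation requirements and then audits for the accounts the findings describe: passwords unchanged for years or flagged to never expire. It assumes the domain has been brought to a Windows Server version with Active Directory and the ActiveDirectory PowerShell module, and is run with Domain Admin rights; the 12-character minimum, history count and lockout values are this example’s own choices, not figures from the report.

```powershell
# Added example (not from the report): enforce the recommended domain password
# policy and audit accounts that still violate it. Assumes an Active Directory
# domain with the RSAT ActiveDirectory module installed; run as a Domain Admin.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DistinguishedName

# Report-recommended settings: complex passwords, forced rotation every 3 to 6
# months. 90 days is the strict end of that range; the length, history and
# lockout values below are this example's choices, not figures from the report.
$maxAgeDays = 90
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -ComplexityEnabled $true `
    -MinPasswordLength 12 `
    -MaxPasswordAge (New-TimeSpan -Days $maxAgeDays) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -PasswordHistoryCount 24 `
    -LockoutThreshold 10 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30)

# The report found users who kept one password for years. A new MaxPasswordAge
# only forces a change at next logon for passwords already older than the limit,
# and it never touches accounts flagged "password never expires", so list both.
$cutoff = (Get-Date).AddDays(-$maxAgeDays)
$stale = Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties PasswordLastSet, PasswordNeverExpires |
    Where-Object {
        $_.PasswordNeverExpires -or
        -not $_.PasswordLastSet -or
        $_.PasswordLastSet -lt $cutoff
    }

# Audit output: who is out of policy and since when.
$stale |
    Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires |
    Sort-Object PasswordLastSet |
    Format-Table -AutoSize

# Remediation for the accounts above: clear the never-expires flag first (the
# two flags cannot be set together), then require a new password at next logon
# so the policy actually applies to passwords that predate it.
foreach ($u in $stale) {
    Set-ADUser -Identity $u -PasswordNeverExpires $false
    Set-ADUser -Identity $u -ChangePasswordAtLogon $true
}
```

Run the audit portion alone first; the remediation loop forces a password change for every listed account at its next logon, so announce it to staff beforehand.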

Maintenance

Findings:

General maintenance of both software and hardware was found to be severely lacking in areas outside of the lab. Nearly all of the workstations were found to have not had their operating systems updated in at least six months. The servers were only slightly more up to date. Also, there does not seem to be any type of schedule for replacing computers, servers, or network equipment.

Explanation:

There are serious security risks associated with having unpatched workstations on a network. Not only is there the potential for a workstation to be infected with viruses or spyware, but should someone penetrate the network they also have a much larger number of known exploits that can be used to compromise the machines. The same is true, even more so, for the servers. Also, most of the workstations and the servers are running operating systems that are either already in end-of-life status and no longer receive updates at all, or are nearing end-of-life. Since the hardware is not being replaced regularly, the current workstations could not reasonably run the newest operating system version.

Recommendations:

Basic Option:

  • Update all operating systems, both workstations and servers, to the most current patch level (or the last patch released for end-of-life operating systems).
  • Create rotating schedule for workstation and server replacement and alter budgets to allow for the first phase as soon as possible.

Intermediate Option:

  • Upgrade all end-of-life workstations to a non-end-of-life operating system (likely the same as the most up-to-date workstations) and update all operating systems to the most current patch level.
  • Create rotating schedule for workstation and server replacement. Identify the most likely candidates for workstation replacement and replace approximately 1/3 of them immediately to begin the replacement schedule.

Advanced Option:

  • Replace all aging systems, both workstation and servers, with new machines to receive the most up to date operating system and update all new systems to current patch level.
  • Rank all users in the order in which they will receive their replacement computer in the decided time frame. Use this list to develop a rotating schedule for workstation and server replacement.

Training and Awareness

Findings:

It was learned through interviews that there has been essentially no real security training, whether for network or physical security. This of course means that there is no schedule for recurring training. Also, no consistent policy has been enforced, and a number of simple social engineering methods were successful in obtaining sensitive information and physical access.

Explanation:

As people were interviewed it became obvious that the original team of people that made up the company had technical backgrounds, and their expertise lent itself well to secure practices. However, as the business grew no formal policies were put into place, and those who were brought on during the expansion were not given any particular training with regard to security. As a result the non-technical side of the company is at extreme risk of unintentional security breaches. Some members of the assessment team who worked evenings, and so were unknown to those who were present during the day, were able to use some fairly simple social engineering techniques to gain access to sensitive information.

Recommendations:

Basic Option:

  • Schedule in-house training for all employees as soon as possible to cover the security basics.
  • Send out a quick list of security guidelines to all employees.
  • Determine the best recurring schedule for this type of training (at least annually).

Intermediate Option:

  • Send out a quick list of security guidelines to all employees.
  • Schedule a professional security trainer as soon as possible to train employees on good security practices.
  • Determine the best recurring schedule for this type of training (at least annually).

Advanced Option:

  • Send out a quick list of security guidelines to all employees.
  • Schedule a professional security trainer as soon as possible to train employees on good security practices.
  • Determine the best recurring schedule for this type of training (at least annually).
  • Provide additional training to the Operations staff for continual training and improvement.

Conclusion

Through the assessment process we have found some areas in which improvements can be made to the existing security structure of the organization. Physical perimeter security was found to be in good shape; however, once inside the building there are problem areas.

The first is identification and authentication. Some of these changes can be made immediately, such as changing user password complexity and expiration requirements. Others, such as changing the systems used to gain access to sensitive areas and coupling them with smart badges, could take some time to implement due to the physical changes required (such as adding RFID scanner locks on doors, etc…).

Maintenance was another area where security improvements need to be applied. The hardware and software of the organization are quickly aging into their vendors’ end-of-life statuses; some are already at that point. In order to get your organization to a secure position in this area, changes will need to be made over the next several months. In the near term, all operating systems outside the labs need to have their security patches updated to the most up-to-date levels available. In the long term, a replacement schedule and hierarchy need to be developed that will replace old hardware and software and keep the organization up to date as time goes forward.

Lastly, in the area of training and awareness, the assessment found that much of the staff outside of those who work in the lab do not have a clear security policy to use or follow. In order to get all of your team on the same page security-wise, as well as to help them understand the reasons and need for the other changes, an annual or semi-annual training schedule needs to be set up. In the short term, a quick overview of some of the basics of security and what each person can do individually to protect their data and the company can be done. In the long term it might be advisable to either train someone on staff to handle this or bring someone from outside the organization to conduct the training.