Risk Assessment Report Instructions
INFA 610
Background
This is an individual research project. The objective of the research project is to develop an Information Asset Risk Assessment Report for an organization of your choosing; the report is worth 25% of your total course grade and is due by the end of the 11th week. The analysis should be conducted using only publicly available information (that is, information obtainable on the Internet, company reports, news reports, journal articles, etc.). The risk analysis should consider legitimate, known threats that pertain to the subject organization. Based on the information gathered, presumed vulnerabilities of the company or organization's computing and networking infrastructure will be identified. Then, based on the identified threats and vulnerabilities, you will describe the risk profile for the subject organization and suggest recommendations to mitigate the risks.
Your report should be 12 pages, double-spaced, exclusive of
cover, title page, table of contents, endnotes and bibliography.
Your paper must use APA formatting with the exception that
tables and figures can be inserted at the appropriate location
rather than added at the end. Submit the report in your
Assignment Folder prior to the submission deadline.
Project Proposal
Prior to writing your report, you must submit a short (a page and a half) Project Proposal, indicating the name and relevant aspect(s) of the organization you intend to use as a subject for your report. The proposal must be accompanied by an annotated bibliography submitted via the assignment folder. Your instructor will provide feedback as to the suitability of your subject and bibliography. Additional details are provided below.
You will submit a project proposal of your Risk Assessment Report by the end of Session 4. The project proposal will account for 10% of your research paper grade (2.5% of your total course grade).
The project proposal should be a page-and-a-half (double spaced) description of the organization that you propose to analyze, with a summary of the scope (e.g., entire organization, key business area, major system, etc.) for the risk assessment you are expected to conduct. The proposal should identify the subject organization with a brief explanation of why you chose the subject for this assignment. The proposal should also describe the research methods to be used and the anticipated sources of research information. Your instructor will use the proposal to provide feedback on the suitability of the proposed subject organization and the scope you propose, as well as the suitability of the proposed research methods and information sources. If you do not provide a proposal, you will be preparing your Risk Assessment Report "at risk"; i.e., you run the risk of delivering a report that is not suitable for this course.
An important step in developing your Risk Assessment Report will be the construction of an Annotated Bibliography. Having developed and described a subject organization and scope of analysis in the proposal, the next step is to identify and assess the value of potential research material. You should identify five (5) to six (6) significant articles relevant to your subject organization and to identifying and assessing risks in a context similar to the scope of your report. For a report of this nature you may expect to find useful sources in both business-focused (e.g., Business Source Premier, Business and Company Resource Center, ABI/Inform) and technically-focused databases (e.g., ACM Digital Library, IEEE, Gartner.com). The annotated bibliography will consist of 100-250 words per article that describe the main ideas of the article, a discussion of the usefulness of the article in understanding various aspects of your report, and other comments you might have after reading the article. For each article, there should be a complete reference in APA format. Your Annotated Bibliography will then form the basis of the sources for your report. (You may also supplement the references used in your report with additional reference material.)
Some excellent guidance on how to prepare an annotated
bibliography can be found at
http://www.library.cornell.edu/okuref/research/skill28.htm.
Risk Assessment Report Proposal and Annotated Bibliography
should be submitted by the end of Session 4.
The grading criteria for the proposal are as follows:
1. Organization Selected & Justification (Right Scope and
Relevance): 60%
2. Research methods proposed (Bibliography): 40%
Risk Assessment Report
The Risk Assessment Report should be a polished, graduate-level paper. Be sure to carefully cite (using correct APA-style in-line citations) all sources of information in the report. UMUC policies regarding plagiarism will apply to the Risk Assessment Report as well as all other deliverables in this course. You must submit the report to Turnitin.com to check and improve the originality score before submitting the report in the Assignment Folder. The lower the originality score, the better; you should aim for an originality score of 10%.
Please submit questions regarding the research paper to the INFA610 "Q&A" Conference.
The Risk Assessment Report should be submitted by the end of Session 11.
Risk Assessment Report Overview
The objective of this assignment is to develop a Risk
Assessment Report for a company, government agency, or other
organization (the "subject organization"). The analysis will be
conducted using only publicly available information (e.g.,
information obtainable on the Internet, company reports, news
reports, journal articles, etc.) and based on judicious, believable
extrapolation of that information. Your risk analysis should
consider subject organization information assets (computing and
networking infrastructure), their vulnerabilities and legitimate,
known threats that can exploit those vulnerabilities. Your
assignment is then to derive the risk profile for the subject
organization. Your report should also contain recommendations
to mitigate the risks.
There is a wealth of business-oriented and technical information
that can be used to infer likely vulnerabilities and assets for an
organization. It is recommended that students select their
organizations based at least in part on ease of information
gathering, from a public record perspective.
Steps to be followed:
1. Pick a Subject Organization: Follow these guidelines:
a. No insider or proprietary information. All the information
you collect must be readily available for anyone to access. You
will describe in your proposal how you intend to collect your
information.
b. You should pick a company or organization that has
sufficient publicly available information to support a reasonable
risk analysis, particularly including threat and vulnerability
identification.
2. Develop Subject Organization Information: Examples of relevant information include:
a. Company/Organization name and location
b. Company/Organization management or basic organization structure
c. Company/Organization industry and purpose (i.e., the nature of its business)
d. Company/Organization profile (financial information, standing in its industry, reputation)
e. Identification of relevant aspects of the company/organization's computing and network infrastructure.
Note: Do not try to access more information through Social
Engineering, or through attempted cyber attacks or intrusion
attempts.
3. Analyze Risks
a. For the purposes of this assignment, you will follow the standard risk assessment methodology used within the U.S. federal government, as described in NIST Special Publication 800-30 (National Institute of Standards and Technology. (2002). Risk Management Guide for Information Technology Systems (Special Publication 800-30). Retrieved from http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf).
b. In conducting your analysis, focus on identifying threats and
vulnerabilities faced by your subject organization.
c. Based on the threats and vulnerabilities you identify, next
determine both the relative likelihood and severity of impact
that would occur should each of the threats materialize. This
should produce a listing of risks, at least roughly ordered by
their significance to the organization.
d. For the risks you have identified, suggest ways that the
subject organization might respond to mitigate the risk.
4. Prepare Risk Assessment Report
a. Reports should be 12 pages (exclusive of cover, title page,
table of contents, endnotes and bibliography), double-spaced,
and should follow a structure generally corresponding to the
risk assessment process described in NIST Special Publication
800-30.
b. The report should be prepared using the APA Style. All
sources of information should be indicated via in-line citations
and a list of references.
c. Reports should be submitted via the Assignment Folder.
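Step 3c above asks for likelihood and impact ratings that yield a list of risks ordered by significance. The following Python script is added here as a worked example (it is not part of the course materials) and implements the risk-level matrix from NIST SP 800-30 (2002), Section 3.7: likelihood weights of 1.0, 0.5 and 0.1, impact values of 100, 50 and 10, and the product mapped to High (above 50), Medium (above 10 up to 50) or Low (1 to 10). The threat/vulnerability pairs and their ratings in SAMPLE_RISKS are constructed illustrations, not findings about any real organization.

```python
"""Risk-level matrix from NIST SP 800-30 (2002), Section 3.7.

Likelihood weights 1.0 / 0.5 / 0.1 and impact values 100 / 50 / 10 are
multiplied and the product mapped to a risk level:
    >50 to 100  High
    >10 to 50   Medium
     1 to 10    Low
Likelihood is held in tenths (10 / 5 / 1) so every score is an exact integer
and no floating-point rounding can move a value across a boundary.
"""
from dataclasses import dataclass
from typing import Iterable, List

LIKELIHOOD_TENTHS = {"High": 10, "Medium": 5, "Low": 1}   # i.e. 1.0, 0.5, 0.1
IMPACT_VALUE = {"High": 100, "Medium": 50, "Low": 10}
RATINGS = ("High", "Medium", "Low")


def risk_score(likelihood: str, impact: str) -> int:
    """Likelihood weight times impact value, e.g. Medium x High = 0.5 * 100 = 50."""
    return LIKELIHOOD_TENTHS[likelihood] * IMPACT_VALUE[impact] // 10


def risk_level(score: int) -> str:
    """Map a score to the SP 800-30 scale. Note that exactly 50 is Medium and exactly 10 is Low."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


@dataclass(frozen=True)
class Risk:
    threat_source: str
    vulnerability: str
    likelihood: str
    impact: str

    @property
    def score(self) -> int:
        return risk_score(self.likelihood, self.impact)

    @property
    def level(self) -> str:
        return risk_level(self.score)


def rank_risks(risks: Iterable[Risk]) -> List[Risk]:
    """Order risks most to least significant (step 3c). Ties are broken
    alphabetically so the listing is stable from run to run."""
    return sorted(risks, key=lambda r: (-r.score, r.threat_source, r.vulnerability))


def risk_matrix() -> List[str]:
    """The 3x3 likelihood-by-impact table as printable rows (header first)."""
    rows = ["Likelihood \\ Impact  " + "  ".join(f"{i:>12}" for i in RATINGS)]
    for lk in RATINGS:
        cells = []
        for im in RATINGS:
            s = risk_score(lk, im)
            cells.append(f"{s:>3} ({risk_level(s)})".rjust(12))
        rows.append(f"{lk:<20} " + "  ".join(cells))
    return rows


# Constructed sample pairs, loosely following the threat and vulnerability
# tables of the report. The ratings are illustrative assumptions only.
SAMPLE_RISKS = [
    Risk("Hacker", "Input handling flaw in web application (buffer overflow)", "High", "High"),
    Risk("Organized Crime", "Default database accounts and passwords left enabled", "Medium", "High"),
    Risk("Insider", "No database audit trail for access to customer records", "Medium", "Medium"),
    Risk("Fire/Water Damage", "No environmental controls in the hosting facility", "Low", "High"),
    Risk("Hacker", "Unused network services listening on open ports", "High", "Low"),
]


if __name__ == "__main__":
    for line in risk_matrix():
        print(line)
    print()
    for r in rank_risks(SAMPLE_RISKS):
        print(f"{r.level:<6} {r.score:>3}  {r.threat_source}: {r.vulnerability}")
```

Running the script prints the matrix and then the ranked list; the two boundary cases worth noticing are that a Medium-likelihood, High-impact pair scores exactly 50 and is therefore Medium, not High, and that a High-likelihood, Low-impact pair scores 10 and lands in Low.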
Grading Criteria
As previously stated, the Proposal and Annotated Bibliography
will constitute 10% of your Risk Assessment Report grade
(2.5% of your final grade). You will demonstrate in the final
report your risk assessment subject matter competency and
communication and knowledge competencies. The Risk
Assessment Report, accounting for 22.5% of the final grade,
will be assessed as follows:
· Clear statement of scope to be analyzed and appropriate
coverage of that scope: 10%
· Technical Content (depth and accuracy of information and
analysis): 30%
· Recommendations for risk mitigation or other conclusions
supported by research and analysis: 10%
· Communications competency: 25% (assessed using a graduate
school wide rubric)
· Knowledge competency: 25% (assessed using a graduate
school wide rubric)
Running Head: RISK ASSESSMENT ON THE NATIONAL
FOOTBALL LEAGUE
Risk Assessment on National Football League Team Websites
Name
University of Maryland University College
Abstract
The National Football League (NFL) is the largest and most prestigious professional American football league. It was formed by eleven teams in 1920 as the American Professional Football Association and adopted the name National Football League in 1922. The league currently consists of thirty-two teams from U.S. cities and regions, divided evenly into two conferences (AFC and NFC), each with four four-team divisions. The NFL has the highest per-game attendance of any domestic professional sports league in the world, drawing over 67,000 spectators per game in 2006.
TABLE OF CONTENTS
EXECUTIVE SUMMARY
1. INTRODUCTION
  1.1 PURPOSE
  1.2 SCOPE
  1.3 BACKGROUND
2. RISK ASSESSMENT APPROACH
  2.1 PARTICIPANTS
  2.2 RISK MODEL
3. RISK ASSESSMENT
  3.1 STEP 1: SYSTEM CHARACTERIZATION
    3.1.1 Information-Gathering Techniques
    3.1.2 System-Related Information
    3.1.3 Data Used by System
    3.1.4 System Users
    3.1.5 Flow Diagram
  3.2 STEP 2: THREAT IDENTIFICATION
    3.2.1 Threat-Source Identification, Motivation and Actions
  3.3 STEP 3: VULNERABILITY IDENTIFICATION
    3.3.1 Vulnerability Sources
    3.3.2 System Security Testing
    3.3.3 Development of Security Requirements Checklist
  3.4 STEP 4: CONTROL ANALYSIS
    3.4.1 Control Methods
    3.4.2 Control Categories
  3.5 STEP 5: LIKELIHOOD DETERMINATION
  3.6 STEP 6: IMPACT ANALYSIS
  3.7 STEP 7: RISK DETERMINATION
    3.7.1 Risk-Level Matrix
    3.7.2 Description of Risk Level
  3.8 STEP 8: CONTROL RECOMMENDATIONS
  3.9 STEP 9: RESULTS DOCUMENTATION
    3.9.1 Risk Assessment Results
Appendix A. References
EXECUTIVE SUMMARY
The National Football League (NFL) is the largest and most prestigious professional American football league. It was formed by eleven teams in 1920 as the American Professional Football Association and adopted the name National Football League in 1922. The league currently consists of thirty-two teams from U.S. cities and regions, divided evenly into two conferences (AFC and NFC), each with four four-team divisions. The NFL has the highest per-game attendance of any domestic professional sports league in the world, drawing over 67,000 spectators per game in 2006.
NFL teams collect and maintain data on the fans who purchase tickets and team merchandise. Therefore teams must protect this information on their networks. Following a Massachusetts Superior Court ruling, the New England Patriots are now in possession of customer data from 13,000 users of ticket reseller site StubHub. The NFL team forbids ticket holders to resell their passes. The Patriots, however, asked for details surrounding not only sellers and buyers, but those who made bids as well. Massachusetts Superior Court Judge Allan van Gestel ruled that StubHub had to turn the information over to the Patriots. The decision was the result of a court case brought by the Patriots in an effort to crack down on season ticket holders who resell their tickets to other people. Massachusetts has a law against scalping tickets: ticket holders can only resell their tickets at a nominal US$2 over the face value of the ticket. Regardless of anti-scalping laws, the customer data collected by StubHub as part of its business is now in the hands of the Patriots, who are widely expected to revoke tickets from their StubHub-selling season ticket holders. The big question, then, is whether this kind of court case presents a problem for online consumers. (Maxcer, 2007)
University of Maryland University College students have been tasked to conduct a risk assessment of an organization of their choosing as an assignment for INFA 610, Computer Security, Software Assurance, Hardware Assurance, and Security Management. This risk assessment assesses the use of resources and controls to eliminate and/or manage vulnerabilities that are exploitable by threats internal and external to National Football League team web sites. For the purposes of this risk assessment, the Green Bay Packers website (developed by DM Interactive) is used as a model to represent the common NFL team web site.
1. Introduction
1.1 Purpose
The purpose of this risk assessment is to identify threats and
vulnerabilities related to football franchises of the National
Football League. The risk assessment will be utilized to
identify risk mitigation related to NFL team information
technology systems.
1.2 Scope
The scope of this risk assessment covers a web-based application developed and maintained by DM Interactive for the NFL's Green Bay Packers football team. The goal is to take an overall view of the web site and then select a couple of key areas for assessment. The Packers.com web site provides fans with both news and the ability to purchase Green Bay Packers team merchandise and tickets. Each NFL team is franchised and independently operated. However, this risk assessment is intended to be useful for any of the thirty-two teams that currently make up the league. In other words, this risk assessment could be viewed as belonging to the Green Bay Packers, but it is also relevant to any NFL team with a web site that provides similar content and merchandise. It is understood that each NFL team is operated independently and will therefore differ from other teams to some degree; the assessment can be adapted for those differences. Once again, this risk assessment is developed against the website of the NFL's Green Bay Packers franchise. The focus will be on the systems that support electronic commerce (i.e., ticket sales, customer information, merchandising, etc.) and related functions.
1.3 Background
a. Team Name – Packers
b. Team Location – Green Bay, Wisconsin
c. Industry - National Football League Franchise
d. Company profile – Green Bay Packers, Inc.
e. Management – Bob Harlan, President & CEO; John Jones,
COO & Executive Vice President; Mike Hatley, Vice President
of Football Operations.
f. Website – www.packers.com (Houston Business Journal, n.d.)
2. Risk Assessment Approach
2.1 The participants (e.g., risk assessment team members)
Role                     Name
System Owner             David Troup
Security Administrator   Bill Red
Database Administrator   John Black
Network Manager          Jane Doe
Risk Assessment Team     Vern Gardner, Joseph Brown, Mary White
2.2 The risk model
This risk assessment was conducted in accordance with the methodology described in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30, Risk Management Guide for Information Technology Systems.
3. Risk Assessment
A thorough and proactive risk assessment is the first step in
establishing a sound security program. This is the ongoing
process of evaluating threats and vulnerabilities, and
establishing an appropriate risk management program to
mitigate potential monetary losses and harm to an institution's
reputation. The extent of the information security program
should be commensurate with the degree of risk associated with
the institution's systems, networks, and information assets. For
example, compared to an information-only Web site,
organizations offering transactional Internet activities are
exposed to greater risks. (FDIC, 1999)
3.1 STEP 1: System Characterization
The Green Bay Packers business website is developed and
maintained by DM Interactive (DMI) of Green Bay, Wisconsin.
DMI was founded in 1995 by David Troup and established itself
early with interactive web site development as an offshoot of a
successful Internet Service Provider. (DM Interactive.com,
n.d.)
The system is used to provide full-scope coverage of the NFL's Green Bay Packers via the Packers.com web site. It includes the latest news about the team, players, special events, statistics and other items of interest for NFL fans. The system is also used for e-commerce. Fans can purchase single-game football tickets (Packers season tickets have been sold out since 1960) and a wide variety of Green Bay Packers football-related merchandise. (Packers.com, n.d.)
3.1.1 Information gathering techniques
The information gathering techniques used to perform this risk assessment include the use of the Internet; the sources of research information include corporate and federal security organizations (i.e., NIST, SANS, Symantec, etc.), periodicals, journals, and magazines.
3.1.2 System-Related Information
The following components in Table 3.1.2 identify system-related information for DM Interactive as listed on their Internet web site. (DM Interactive.com, n.d.)
Component: Description
Applications: Web pages developed by DM Interactive of Green Bay, Wisconsin, using custom application development in C, C++, Perl, Python, ColdFusion, PHP, Java and HTML.
Databases: Oracle, MySQL, PostgreSQL, SAP, HO, IBM
Server Configurations/Operating Systems: Unix, Sun, Linux, BSD, OS X
Interconnections: Multiple-carrier fiber interconnect; Tier 1 co-location facility
Protocols: SSL used for transmission between client web browser and web server
Table 3.1.2 System-Related Information
3.1.3 Data used by system
Data collected when purchasing merchandise from the Green Bay Packers web site is listed in Table 3.1.3 below.
Data: Description
Personally Identifiable Information: Name; Address; Phone Number; Email Address
Financial Information: Credit Card #; Verification Code; Expiration Date; Card Type; Authorization Reference; Transaction Reference
Ordering Information: Merchandise type (i.e., clothing, tickets); Date of Order; Quantity of Order; Shipping Date; Method of Shipment
Table 3.1.3 System Data
Note that the card verification code is sensitive authentication data that the PCI Data Security Standard prohibits retaining after authorization; the assessment should confirm that it is used only to authorize the transaction and is not stored with the order record.
3.1.4 System users
Table 3.1.4 identifies users of the system.
User: Description
Customers: Access the system via web browser. Can create a system account with username and password. Can update personal and financial information as needed.
DM Interactive IT personnel: Manage the system including firewalls and networks. Maintain security configuration of the system.
Packers.com operations personnel: Utilize information contained in the database for management reporting. Generate reports/queries.
Table 3.1.4 System Users
3.1.5 Flow diagram
Figure 1 below is a flow diagram that shows the technology components reviewed as part of the Packers.com website.
[Figure 1: diagram not reproduced in this text. Components shown: Internet, Router, Internet Firewall, Application Server, packers.com Website, Internal Firewall, Database.]
Figure 1 Flow Diagram
3.2 STEP 2: Threat Identification
Hackers, disgruntled employees, organized crime, and competitors are all examples of potential internal and external sources of threat to an information system. The average Internet user can quickly and easily find information describing how to break into a variety of systems by exploiting known security flaws and software bugs with basically any Internet search engine. Vulnerability assessment tools can be misused to probe network systems and then exploit any identified weaknesses to gain unauthorized access to a system. Other sources of threat include environmental threats such as power failures, chemicals, and pollution, as well as natural threats such as floods and earthquakes.
3.2.1 Threat-Source Identification, Motivation and Actions
The matrix in Table 3.2.1 below provides a threat source, motivation and threat actions for threat identification. A threat source is any circumstance or event with the potential to cause harm to an IT system. The motivation is what compels a threat source to take certain threat actions. The threat actions describe the measures taken by the threat source.
Threat: Motivation / Threat Actions
Hacker
  Motivation: Challenge; Self Image; Defiance
  Threat Actions: Unauthorized access; Social Engineering; Computer Crime
Fire/Water Damage
  Motivation: Accidental Loss
  Threat Actions: Damage to equipment; Damage to physical records and data
Organized Crime
  Motivation: Money; Identity Theft; Data Destruction
  Threat Actions: Phishing; Unauthorized access; Computer Crime
Insider
  Motivation: Money; Property; Getting even; Human Error; Negligence and Apathy
  Threat Actions: Unauthorized access; Theft or destruction of data; Theft or destruction of equipment
Table 3.2.1 Threat, Motivation and Threat Actions
3.3 STEP 3: Vulnerability Identification
3.3.1 Vulnerability Sources
This section will attempt to identify potential vulnerabilities
applicable to the system-related information for DM Interactive
as listed previously in table 3.1.2.
Table 3.3.1 below provides vulnerability/threat pairs for DM Interactive.
Vulnerability: Threat-Source / Threat Action
Applications
  Threat-Source: Hackers, Organized Crime, and other Unauthorized Users
  Threat Action: Buffer overflows, backdoors, web defacement.
Databases
  Threat-Source: Hackers, Organized Crime, and other Unauthorized Users
  Threat Action: Gain unauthorized access to sensitive customer data.
Server Configuration / Operating Systems
  Threat-Source: Hackers, Organized Crime, and other Unauthorized Users
  Threat Action: Unauthorized access, theft, modification, or destruction of data. Botnet, virus, worm and Trojan horse infections.
Interconnections
  Threat-Source: Hackers, terminated employees, criminals
  Threat Action: Port scan for unused services and exploit open, unsecured ports.
Protocols
  Threat-Source: Hackers, Organized Crime
  Threat Action: Web page spoofing, IP spoofing, SYN flood, Smurf.
Human Threat
  Threat-Source: Employees, contracted support personnel, terminated personnel
  Threat Action: Unauthorized access, theft, modification, or destruction of data. Inadvertent errors. Damage to IS equipment.
Table 3.3.1 Vulnerability/Threat Pairs
Applications: Web application vulnerabilities provide the
potential for an unauthorized party to gain access to critical and
proprietary information, use resources inappropriately, interrupt
business or commit fraud. A Web application is a software
program that typically contains scripts to interact with the end
user. A Web application consists of three components (Figure
2):
· The Web server sends pages to the end user's browser,
· The application server processes the data for the user, and
· The database stores all of required data.
Figure-2 Web Application Components
Web applications have become a universal conduit because of the rapid growth of the Internet. Some commonly used types of Web applications are web mail, shopping carts and portals. These applications allow masses of people to access systems quickly without geographic restrictions. However, Web applications introduce a multitude of security risks and challenges, so it is essential to implement strong security measures to mitigate significant risks. (Kennedy, 2005)
Databases: The need for database security is clear; yet
organizations often get distracted or led astray and don't
address the problem before it is too late. Consider these
common pitfalls that plague databases:
· Weak user account settings. Databases lack user settings found
in more mature operating system environments where they are
frequently mandated by corporate policy or government
regulations. Often, the default accounts and passwords, which
are commonly known, are not disabled or modified to prevent
access.
· Insufficient segregation of duties. No established security
administrator role exists in the database management area. This
forces database administrators (DBAs) to be both the
administrator for users and passwords as well as the
performance and operations expert, resulting in management
inefficiencies. In addition, it eliminates the opportunity for the
traditional checks and balances in job functions that are sound
business practices.
· Inadequate audit trails. The auditing capabilities of databases
are often ignored in the name of enhanced performance or saved
disk space. Inadequate auditing reduces accountability and
reduces the effectiveness of forensic analysis. These audit
trails are crucial to understanding the actions taken against
certain sets of data; the fact that they log events directly
associated with the data makes them essential to monitoring
access and activities.
· Unused database security features. It is common to build
security into individual applications while neglecting database
security. But security measures that are built into an application
only apply to users of the client software. (Hurwitz, 2001)
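The last two pitfalls above (audit trails switched off to save performance, and security enforced only in the application so that anyone connecting directly to the database bypasses it) can both be addressed inside the database itself. The following Python example is added here and is not drawn from the report or from DM Interactive's system; it uses the standard-library SQLite driver to put a trigger-based, append-only audit trail on a customer table holding the kinds of data listed in Table 3.1.3. The schema, the sample customer row and the account names are constructed for the demonstration. SQLite has no per-session user, so the acting account is recorded in a `session_context` table by the connecting code; that is an assumption of this demo, and in Oracle, MySQL or PostgreSQL the trigger would read the session user directly.

```python
"""Trigger-based, append-only audit trail on a customer table (SQLite demo).

The triggers run for every writer, including a DBA connecting directly with a
database tool, so the trail does not depend on the web application logging its
own actions. Schema and data are constructed for this example.
"""
import sqlite3
from typing import List, Tuple

SCHEMA = """
-- Only the last four card digits are kept here; the PAN itself stays with
-- the payment processor (a design assumption of this example).
CREATE TABLE customers (
    id         INTEGER PRIMARY KEY,
    name       TEXT NOT NULL,
    email      TEXT NOT NULL,
    address    TEXT NOT NULL,
    card_last4 TEXT NOT NULL CHECK (length(card_last4) = 4)
);

-- SQLite has no per-session user, so the acting account is recorded here by
-- the connecting code. Real RDBMSs expose CURRENT_USER / USER() instead.
CREATE TABLE session_context (key TEXT PRIMARY KEY, value TEXT NOT NULL);

CREATE TABLE customer_audit (
    audit_id    INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL,
    action      TEXT NOT NULL,          -- 'UPDATE' or 'DELETE'
    column_name TEXT,                   -- NULL for DELETE
    old_value   TEXT,
    new_value   TEXT,
    actor       TEXT NOT NULL,
    changed_at  TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%fZ', 'now'))
);

-- One audit row per changed PII column; other columns follow the same pattern.
CREATE TRIGGER customers_audit_update AFTER UPDATE ON customers
BEGIN
    INSERT INTO customer_audit (customer_id, action, column_name, old_value, new_value, actor)
    SELECT OLD.id, 'UPDATE', 'email', OLD.email, NEW.email,
           COALESCE((SELECT value FROM session_context WHERE key = 'actor'), 'unknown')
    WHERE OLD.email IS NOT NEW.email;
    INSERT INTO customer_audit (customer_id, action, column_name, old_value, new_value, actor)
    SELECT OLD.id, 'UPDATE', 'address', OLD.address, NEW.address,
           COALESCE((SELECT value FROM session_context WHERE key = 'actor'), 'unknown')
    WHERE OLD.address IS NOT NEW.address;
END;

CREATE TRIGGER customers_audit_delete AFTER DELETE ON customers
BEGIN
    INSERT INTO customer_audit (customer_id, action, actor)
    VALUES (OLD.id, 'DELETE',
            COALESCE((SELECT value FROM session_context WHERE key = 'actor'), 'unknown'));
END;

-- The trail is append-only: nobody, DBA included, can rewrite or erase it
-- through the database interface.
CREATE TRIGGER customer_audit_no_update BEFORE UPDATE ON customer_audit
BEGIN SELECT RAISE(ABORT, 'audit trail is append-only'); END;
CREATE TRIGGER customer_audit_no_delete BEFORE DELETE ON customer_audit
BEGIN SELECT RAISE(ABORT, 'audit trail is append-only'); END;
"""


def set_actor(conn: sqlite3.Connection, actor: str) -> None:
    """Record which account is acting on this connection (see note in SCHEMA)."""
    conn.execute("INSERT OR REPLACE INTO session_context (key, value) VALUES ('actor', ?)", (actor,))


def open_store(actor: str) -> sqlite3.Connection:
    """Create the in-memory demo database with triggers installed."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    set_actor(conn, actor)
    return conn


def audit_trail(conn: sqlite3.Connection, customer_id: int) -> List[Tuple]:
    """Everything that happened to one customer's record, oldest first."""
    return conn.execute(
        "SELECT action, column_name, old_value, new_value, actor "
        "FROM customer_audit WHERE customer_id = ? ORDER BY audit_id",
        (customer_id,),
    ).fetchall()


def demo() -> Tuple[List[Tuple], bool]:
    """The web app creates a customer; a direct DBA session (hypothetical account)
    alters and deletes the record, then tries to wipe the audit table.
    Returns (trail, tamper_blocked)."""
    conn = open_store("webapp")
    conn.execute(
        "INSERT INTO customers (id, name, email, address, card_last4) VALUES (?, ?, ?, ?, ?)",
        (1, "Sample Fan", "fan@example.com", "1 Example Street, Green Bay, WI", "4242"),
    )
    set_actor(conn, "dba_jblack")  # direct database session, bypassing the web tier
    conn.execute("UPDATE customers SET email = ? WHERE id = ?", ("attacker@example.net", 1))
    conn.execute("DELETE FROM customers WHERE id = ?", (1,))
    trail = audit_trail(conn, 1)
    try:
        conn.execute("DELETE FROM customer_audit")
        tamper_blocked = False
    except sqlite3.DatabaseError:  # RAISE(ABORT) surfaces as a constraint error
        tamper_blocked = True
    return trail, tamper_blocked


if __name__ == "__main__":
    rows, blocked = demo()
    for row in rows:
        print(row)
    print("tampering blocked:", blocked)
```

The trail shows the e-mail change and the deletion attributed to the direct DBA session even though the web application never saw them, which is the property the fourth pitfall above is about; the append-only triggers are what keeps that evidence usable for forensic analysis. In production the audit table would additionally be shipped off-host, since a DBA who can drop triggers can also drop this protection.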
Server Configuration / Operating Systems: While there is an enormous variety of operating systems to choose from, only four "core" lineages exist in the mainstream: Windows, OS X, Linux and UNIX. Each system carries its own baggage of vulnerabilities ranging from local exploits and user-introduced weaknesses to remotely available attack vectors.
As far as "straight-out-of-the-box" conditions go, both Microsoft's Windows and Apple's OS X are rife with remotely accessible vulnerabilities. Even before enabling the servers, Windows-based machines contain numerous exploitable holes allowing attackers to not only access the system but also execute arbitrary code. Both OS X and Windows were susceptible to additional vulnerabilities after enabling the built-in services. Once patched, however, both companies support a product that is secure, at least from the outside.
The UNIX and Linux variants present a much more robust exterior to the outside. Even when the pre-configured server binaries are enabled, each system generally maintained its integrity against remote attacks. Compared with the Microsoft and Apple products, however, UNIX and Linux systems tend to have a higher learning curve for acceptance as desktop platforms. (Schneier, 2007)
Interconnections: System interconnection is the direct
connection of systems for the purpose of sharing information
resources. System interconnection, if not appropriately
protected, may result in a compromise of all connected systems
and the data they store, process, or transmit. It is important that
system operators, information owners, and management obtain
as much information as possible about the vulnerabilities
associated with system interconnection and information sharing
and the increased controls required for mitigating those
vulnerabilities. (NIST, 2003).
Protocols: Routing protocols are subject to attacks that can harm individual users or network operations as a whole. Routing protocols are subject to threats at various levels. For example, threats can affect the transport subsystem, where the routing protocol can be subject to attacks on its underlying protocol. An attacker may also attack messages that carry control information in a routing protocol to break a neighboring (e.g., peering, adjacency) relationship. An attacker may also attack messages that carry data information in order to break a database exchange between two routers or to affect the database maintenance functionality. (www.faqs.org, 2006)
3.3.2 System Security Testing
Vulnerability scanning will be considered as a possible test of
system security for DM Interactive. One issue with
vulnerability scanners is their impact on the devices they are
scanning. On the one hand you want the scan to be able to be
performed in the background without affecting the device. On
the other hand, you want to be sure that the scan is thorough.
Often, in the interest of being thorough and depending on how
the scanner gathers its information or verifies that the device is
vulnerable, the scan can be intrusive and cause adverse effects
and even system crashes on the device being scanned. (Bradley,
n.d.) A few products such as eEye Retina and SAINT will be
reviewed for possible use on the system.
Penetration testing will also be performed to complement the
review of security controls in place and to ensure that different
components of the system are secure. The core services offered
by the system will be tested. These include: DNS, firewall
systems, password syntax, interconnections, web servers, and
databases.
3.3.3 Development of Security Requirements Checklist
Table 3.3.3 provides a checklist of security requirements
suggested for use in determining DM Interactive’s system’s
vulnerabilities.
Security Area | Security Criteria | Observations
Management Security | Assignment of responsibilities |
Management Security | Incident response capability |
Management Security | Periodic review of security controls |
Management Security | Risk assessment |
Management Security | Security and technical training |
Management Security | Policies and procedures |
Operational Security | Environmental controls (dust, chemicals, smoke) |
Operational Security | Electrical power controls |
Operational Security | Facility protection |
Operational Security | Temperature control |
Technical Security | Communications (e.g. system interconnections, routers) |
Technical Security | Discretionary access control |
Technical Security | Cryptography |
Technical Security | Threats and vulnerabilities analysis |
Technical Security | Information classification |
Technical Security | Identification and authentication |
Technical Security | System audit |
Table-3.3.3 Security Requirements Checklist
3.4 STEP 4: Control Analysis
The selection and employment of appropriate security controls
for an information system are important tasks that can have
major implications on the operations and assets of an
organization as well as the welfare of individuals. Security
controls are the management, operational, and technical
safeguards or countermeasures prescribed for an information
system to protect the confidentiality, integrity, and availability
of the system and its information. There are several important
questions that should be answered by organizational officials
when addressing the security considerations for their
information systems:
· What security controls are needed to adequately protect the
information systems that support the operations and assets of
the organization in order for that organization to accomplish its
assigned mission, protect its assets, fulfill its legal
responsibilities, maintain its day-to-day functions, and protect
individuals?
· Have the selected security controls been implemented or is
there a realistic plan for their implementation?
· What is the desired or required level of assurance (i.e., grounds for confidence) that the selected security controls, as implemented, are effective in their application?
The answers to these questions are not given in isolation but
rather in the context of an effective information security
program for the organization that identifies, controls, and
mitigates risks to its information and information systems.
(NIST, 2006)
3.4.1 Control Methods
Recommended best practices suggest a defense in depth
approach in order to best mitigate potential threats. There are
various methods of control that will:
· Reduce risk through changes in enterprise system design and management
· Reduce risk through improved risk information management
· Neutralize risk through diversification across enterprises,
space, and time
· Retain risk (accept risks as they exist)
3.4.2 Control Categories
Using vulnerability assessment tools and performing regular
penetration analyses will assist DM Interactive in determining
what security weaknesses exist in its information systems.
Detection measures involve analyzing available information to
determine if an information system has been compromised,
misused, or accessed by unauthorized individuals. Detection
measures may be enhanced by the use of intrusion detection
systems (IDSs) that act as a burglar alarm, alerting DM Interactive to potential external break-ins or internal misuse of
the system(s) being monitored. An intrusion prevention system
(IPS) can inhibit attempts to violate security policy and
includes such controls as access control enforcement,
encryption, and authentication. Another key area involves
preparing a response program to handle suspected intrusions and
system misuse once they are detected. DM Interactive should
have an effective incident response program outlined in a
security policy that prioritizes incidents, discusses appropriate
responses to incidents, and establishes reporting requirements.
(FDIC, 1999)
3.5 STEP 5: Likelihood Determination
The matrix below provides a definition for each level of likelihood that an exploit can be exercised. I have also assigned a level of likelihood to each of the defined vulnerabilities.

Likelihood of Occurrence (Weight Factor) | Definition
High (1.0) | The threat source is highly motivated and adequately capable, and controls to prevent the vulnerability from being exercised are ineffective.
Medium (0.5) | The threat source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability.
Low (0.1) | The threat source lacks motivation or capability, or controls are in place to prevent, or significantly impede, the vulnerability from being exercised.
Table-3.5
3.6 STEP 6: Impact Analysis
The list below defines the impact of an exploited vulnerability. Using this list, I will assign an impact to the vulnerability.

Impact (Score) | Definition

High (100): The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. Examples:
• A severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions
• Major damage to organizational assets
• Major financial loss
• Severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries.

Medium (50): The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. Examples:
• Significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced
• Significant damage to organizational assets
• Significant financial loss
• Significant harm to individuals that does not involve loss of life or serious life-threatening injuries. Controls are in place that may impede successful exercise of the vulnerability.

Low (10): The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. Examples:
• Degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced
• Minor damage to organizational assets
• Minor financial loss
• Minor harm to individuals.
Table-3.6
3.7 STEP 7: Risk Determination
The risk determination evaluates the likelihood of the exploited threat and the impact of the exploited vulnerability. The likelihood level is assigned a value of 1.0 for High, 0.5 for Medium, and 0.1 for Low. The magnitude of the impact is placed on a scale of 0-100 (High 100, Medium 50, Low 10). Table 3.7 below illustrates the risk determination.

Threat Likelihood | Impact: Low (10) | Impact: Medium (50) | Impact: High (100)
High (1.0) | Low Risk: 10 x 1.0 = 10 | Medium Risk: 50 x 1.0 = 50 | High Risk: 100 x 1.0 = 100
Medium (0.5) | Low Risk: 10 x 0.5 = 5 | Medium Risk: 50 x 0.5 = 25 | High Risk: 100 x 0.5 = 50
Low (0.1) | Low Risk: 10 x 0.1 = 1 | Medium Risk: 50 x 0.1 = 5 | High Risk: 100 x 0.1 = 10
Table 3.7 Risk Determination
3.7.1 Risk Level Matrix

Vulnerability (Likelihood Weight) | Low (10) | Medium (50) | High (100) | Risk Level
Applications = 0.5 | | 25 | | Medium
Databases = 0.5 | | | 50 | High
Server Configuration / Operating Systems = 1.0 | | | 100 | High
Interconnections = 0.1 | | 5 | | Low
Protocols = 0.1 | | 25 | | Medium
Table-3.7.1 Risk Level Matrix
3.7.2 Description of Risk Level
Risk Scale: High (>50 to 100); Medium (>10 to 50); Low (1 to 10)

Vulnerability | Risk Level
Applications | Medium
Databases | High
Server Configuration / Operating Systems | High
Interconnections | Low
Protocols | Medium
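Steps 5 through 7 as one runnable calculation, added here as an example and not part of the original report: the weight factors of Table 3.5, the impact scores of Table 3.6, the product matrix of Table 3.7 and the banding scale of 3.7.2, applied to a constructed set of findings modelled on Table 3.9.1. The band boundaries are taken exactly as written in 3.7.2, so a product that lands on a boundary (50 or 10) falls in the lower band; the Finding class and the sample rows are assumptions made for this example.

```python
from dataclasses import dataclass

# Weight factors from Table 3.5 and impact scores from Table 3.6.
LIKELIHOOD_WEIGHT = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT_SCORE = {"High": 100, "Medium": 50, "Low": 10}


def risk_score(likelihood: str, impact: str) -> float:
    """Table 3.7: risk = impact score x likelihood weight."""
    return round(IMPACT_SCORE[impact] * LIKELIHOOD_WEIGHT[likelihood], 1)


def risk_level(score: float) -> str:
    """Band a score with the 3.7.2 scale: High (>50 to 100),
    Medium (>10 to 50), Low (1 to 10).  The upper bound of each
    band is inclusive, so 50 is Medium and 10 is Low."""
    if not 1 <= score <= 100:
        raise ValueError(f"score {score} is outside the 1-100 scale")
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def risk_matrix() -> dict:
    """Regenerate Table 3.7 as {(likelihood, impact): (score, level)}."""
    matrix = {}
    for lk in LIKELIHOOD_WEIGHT:
        for im in IMPACT_SCORE:
            score = risk_score(lk, im)
            matrix[(lk, im)] = (score, risk_level(score))
    return matrix


@dataclass
class Finding:
    """One row of a Step 9 results table (constructed for this example)."""
    item: int
    observation: str
    likelihood: str
    impact: str

    @property
    def score(self) -> float:
        return risk_score(self.likelihood, self.impact)

    @property
    def level(self) -> str:
        return risk_level(self.score)


def prioritize(findings):
    """Order findings for reporting: highest score first, then item number."""
    return sorted(findings, key=lambda f: (-f.score, f.item))


# Constructed sample rows, modelled on items 1, 3 and 6 of Table 3.9.1.
SAMPLE = [
    Finding(1, "No known-good baseline configuration", "High", "High"),
    Finding(3, "SQL commands accepted in input fields", "Medium", "High"),
    Finding(6, "Protocols exposed to spoofed packets", "Low", "Medium"),
]

if __name__ == "__main__":
    for (lk, im), (score, level) in risk_matrix().items():
        print(f"{lk:<6} likelihood x {im:<6} impact = {score:>5} ({level})")
    for f in prioritize(SAMPLE):
        print(f"item {f.item}: {f.score:>5} {f.level:<6} {f.observation}")
```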
3.8 STEP 8: Control Recommendations
The following section presents the system-related components
with control recommendations that are intended to mitigate
potential threats against DM Interactive system vulnerabilities.
Applications: It is recommended that DM Interactive employ a system baselining tool. This is by far the easiest and most effective way to determine what, if anything, has been changed on their system. If a change was anticipated and approved, then the baseline will be updated. If any unauthorized changes are discovered, DM Interactive may have the ability to reverse them directly from the utility itself. Antivirus, anti-adware, and anti-spyware tools are recommended for the system.
Databases: For database controls, the following areas of focus
are recommended:
· Server Security
· Database Connections
· Restricting Database Access
Since the database is not a web server, there should be no such
thing as an anonymous connection. The database back end
should never be on the same machine as the web server. This
makes sense not just for security, but also performance. If your
database server is supplying information to a web server then it
should be configured to allow connections only from that web
server. If it's a back end for a web server, then only that web
server's address should be allowed to access that database
server. (Weidman, n.d.)
For users making database connections via a web page, validate all updates to ensure that they are warranted and safe. For example, ensure that you are removing any possible SQL code from user-supplied input. If a normal user should never be inputting it, don't allow the data to be submitted.
There are many ways to restrict open access from the Internet
and each database system has its own set of unique features as
well as each OS. Here are a few methods that are recommended
for DM Interactive:
· Trusted IP addresses - UNIX servers are configured to answer
only pings from a list of trusted hosts. In UNIX, this is
accomplished by configuring the rhosts file, which restricts
server access to a list of specific users.
· Server account disabling - If you suspend the server ID after
three password attempts, attackers are thwarted. Without user
ID suspension, an attacker can run a program that generates
millions of passwords until it guesses the user ID and password
combination.
Oracle has a wealth of authentication methods:
· Kerberos security- This popular "ticket"-based authentication
system sidesteps several security risks.
· Role-based security- Object privileges can be grouped into
roles, which can then be assigned to specific users.
· Grant-execute security- Execution privileges on procedures
can be tightly coupled to users. When a user executes the
procedures, they gain database access, but only within the scope
of the procedure.
· Authentication servers-Secure authentication servers provide
positive identification for external users.
· Port access security - All Oracle applications are directed to
listen at a specific port number on the server. Like any standard
HTTP server, the Oracle Web Listener can be configured to
restrict access. (Weidman, n.d.)
Server Configuration / Operating Systems: Recommend an automated mechanism to audit account creation, modification, and disabling. Employ packet-filtering firewalls; restrict access to privileged functions (deployed in hardware, software, and firmware) and security-relevant information to explicitly authorized personnel. Automatically lock accounts until released by an administrator when the maximum number of unsuccessful attempts is exceeded. Employ a secure web server that uses Secure Sockets Layer (SSL) technology to establish an encrypted connection between the web server and the client using at least 128-bit encryption.
Interconnections: An Intrusion Detection System (IDS) or
Intrusion Prevention System (IPS) should be deployed on the
network in an effort to find network attacks, to analyze and
correlate these anomalies, and to react as needed. The use of
IDS/IPS devices can help to answer the following questions:
· Is the organization under attack?
· What IP/network is the source?
· What IP/network is the target?
· Which attack, if known, is being executed?
In a sense, an intrusion detection/prevention system provides an ability to see the traffic coming and going across the network wires. Although an IDS/IPS is only as effective as the signatures it uses to detect the intrusions, the network placement of the IDS/IPS sensors, and the analyst examining the IDS/IPS alerts, it is still a necessary and corroborative network device to add to an organization's defense-in-depth strategy. (US CERT, 2005)
Protocols: Employ Internet Protocol Security (IPsec) to protect
communications.
IPsec is the most commonly used network layer security control
for protecting communications. It was developed by the IPsec
Working Group of the Internet Engineering Task Force (IETF)
as a framework of open standards. Depending upon the
implementation and configuration, IPsec can provide the
following types of protection:
· Ensuring the confidentiality of data through the application of
a cryptographic algorithm and a secret key, known only to the
two parties exchanging data. The data that is transmitted can be
decrypted only by someone who has the secret key.
· Assuring the integrity of data through the application of a message authentication code (MAC), which is a cryptographic hash of the data. The checksum is sent with the data. The
recipient can detect when the data has been changed, either
intentionally or unintentionally during transit, if a new MAC is
calculated on the received data and it does not match the
original MAC.
· Providing peer authentication to ensure that network traffic
and data are sent from the expected host. The receiving IPsec
endpoint can confirm the identity of the sending IPsec endpoint.
· Providing replay protection to assure that the same data is not
delivered multiple times and that the data is delivered in an
acceptable order. IPsec cannot, however, ensure that the data
has been received in the exact order that it was sent.
· Providing traffic analysis protection by obscuring the
identities of the endpoints and the size of the data. Those who
are monitoring network traffic may not know which parties are
communicating, how often communications occur, or how much
data is being exchanged.
· Providing access control by assuring that only authorized
users can access particular network resources. IPsec endpoints
can also allow or block certain types of network traffic, such as
allowing web server access but denying file sharing. (Radack, n.d.)
3.9 STEP 9: Results Documentation
This section provides the results of the risk assessment that
describes the threats and vulnerabilities, measures the risk, and
provides recommendations for control implementation.
3.9.1 Risk Assessment Results
Item 1
Observation: Server configuration/operating system does not have a known good baseline configuration
Threat Source/Vulnerability: System/disaster recovery
Existing Controls: None
Likelihood: High
Impact: High
Risk Rating: High
Recommended Controls: Require use of baselining tools

Item 2
Observation: Cross-site scripting
Threat Source/Vulnerability: Hackers/cross-site scripting
Existing Controls: None
Likelihood: Medium
Impact: Medium
Risk Rating: Medium
Recommended Controls: Validation of all headers, cookies, query strings, form fields, and hidden fields (i.e., all parameters) against a rigorous specification of what should be allowed

Item 3
Observation: Data could be inappropriately extracted/modified from the DM Interactive database by entering SQL commands into input fields
Threat Source/Vulnerability: Hackers and criminals/SQL injection
Existing Controls: Limited validation checks on inputs
Likelihood: Medium
Impact: High
Risk Rating: High
Recommended Controls: Ensure that all parameters are validated before they are used. A centralized component or library is likely to be the most effective, as the code performing the checking should all be in one place. Each parameter should be checked against a strict format that specifies exactly what input will be allowed.

Item 4
Observation: Web server and application server running unnecessary services
Threat Source/Vulnerability: All/unnecessary services
Existing Controls: None
Likelihood: Medium
Impact: Medium
Risk Rating: Medium
Recommended Controls: Reconfigure systems to remove unnecessary services

Item 5
Observation: Disaster recovery plan has not been established
Threat Source/Vulnerability: Environment/disaster recovery
Existing Controls: Weekly backup only
Likelihood: Medium
Impact: High
Risk Rating: Medium
Recommended Controls: Develop and test a disaster recovery plan

Item 6
Observation: Protocols
Threat Source/Vulnerability: Hackers and criminals. A multitude of attacks such as TCP connection spoofing, IP spoofing, smurf, and SYN flood.
Existing Controls: Solutions above the transport layer (i.e., SSL and SSH) do not protect against DoS attacks caused by spoofed packets.
Likelihood: Low
Impact: Medium
Risk Rating: Medium
Recommended Controls: Implement IPsec
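The centralized validation component that item 3 of the results table and the database guidance under Step 8 call for, as an added example (not code from the report or from DM Interactive): the string-concatenated query that item 3 warns about sits beside a version that checks every parameter in one place against a strict format and then binds the value. The in-memory table, the parameter formats and the sample rows are constructed for this example.

```python
import re
import sqlite3

# Central allow-list of parameter formats (constructed for this example).
# Every parameter a web page may submit is named here with a strict
# pattern stating exactly what input is allowed; anything else is refused.
PARAM_SPEC = {
    "username": re.compile(r"[A-Za-z0-9_]{3,32}"),
    "order_id": re.compile(r"[0-9]{1,10}"),
}


class InvalidParameter(ValueError):
    """Raised when a submitted parameter is unknown or fails its format."""


def validate(params: dict) -> dict:
    """The one place where checking happens: unknown names and
    out-of-format values are rejected before any database work."""
    clean = {}
    for name, value in params.items():
        spec = PARAM_SPEC.get(name)
        if spec is None:
            raise InvalidParameter(f"unexpected parameter: {name}")
        if not isinstance(value, str) or not spec.fullmatch(value):
            raise InvalidParameter(f"value for {name} does not match its format")
        clean[name] = value
    return clean


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the DM Interactive database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (order_id INTEGER, username TEXT, total REAL)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                     [(1, "alice", 12.5), (2, "bob", 99.0), (3, "alice", 7.25)])
    conn.commit()
    return conn


def orders_unsafe(conn, username: str) -> list:
    """The weakness item 3 describes: the input is pasted into the SQL text,
    so a value containing SQL changes the query instead of being data."""
    sql = (f"SELECT order_id FROM orders WHERE username = '{username}' "
           "ORDER BY order_id")
    return [row[0] for row in conn.execute(sql)]


def orders_safe(conn, params: dict) -> list:
    """Validate through the central component, then bind the value so the
    database engine can only ever treat it as data."""
    clean = validate(params)
    rows = conn.execute(
        "SELECT order_id FROM orders WHERE username = ? ORDER BY order_id",
        (clean["username"],))
    return [row[0] for row in rows]


def rejects(params: dict) -> bool:
    """True when the central validator refuses the submitted parameters."""
    try:
        validate(params)
    except InvalidParameter:
        return True
    return False
```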
Appendix A: References
Bradley, T. (n.d.). Introduction into Vulnerability Scanning. Retrieved November 22, 2007 from http://netsecurity.about.com/cs/hackertools/a/aa030404.htm
FDIC – Federal Deposit Insurance Corporation. (1999, July). Risk Assessment Tools and Practices for Information System Security. Retrieved November 22, 2007 from http://www.fdic.gov/news/news/financial/1999/FIL9968a.HTML
Houston Business Journal. (n.d.). Green Bay Packers, Inc. Profile. Retrieved November 24, 2007 from http://www.bizjournals.com/houston/gen/company.html?gcode=0ED6ECA3996D4A3B84C9E570D3DB64F5
Hurwitz Group, Inc. (2001, May). Common Vulnerabilities in Database Security. Retrieved November 30, 2007 from http://database.ittoolbox.com/pub/AM1015 02d.pdf
Kennedy, S. (2005, February). Common Web Application Vulnerabilities. Retrieved November 30, 2007 from http://www.computerworld.com/printthis/2005/0,4814,99981,00.html
Maxcer, C. (2007). Patriots Pummel StubHub – 13,000 to Nothing. Retrieved October 23, 2007 from http://www.technewsworld.com/story/59918.html
NIST - National Institute of Standards and Technology. (2003, February). Special Publication 800-18: Guide for Developing Security Plans for Information Technology Systems. Retrieved November 30, 2007 from http://csrc.nist.gov/publications/nistbul/html-archive/april-99.html
NIST - National Institute of Standards and Technology. (2006, December). Special Publication 800-53: Recommended Security Controls for Federal Information Systems. Retrieved November 30, 2007 from http://csrc.nist.gov/publications/PubsDrafts.html
Radack, S. (n.d.). Protecting Sensitive Information Transmitted in Public Networks. Retrieved December 1, 2007 from http://www.itl.nist.gov/lab/bulletns/bltnapr06.htm
Schneier, B. (2007, April). 2006 Operating System Vulnerability Study. Retrieved November 30, 2007 from http://www.schneier.com/blog/archives/2007/04/2006_operating.html
U.S. CERT. (2005, May). White Paper: Current Malware Threats and Mitigation Strategies. Retrieved November 30, 2007 from http://www.us-cert.gov/reading_room/malware-threats-mitigation.pdf
Weidman, B. (n.d.). Database Security: Common-Sense Principles. Retrieved December 1, 2007 from http://www.governmentsecurity.org/articles/DatabaseSecurityCommon-sensePrinciples.php
www.faqs.org. (2006, October). RFC 4593 - Generic Threats to Routing Protocols. Retrieved November 30, 2007 from http://www.faqs.org/rfcs/rfc4593.html
Figure Caption
Figure 1. Enhanced Windows metafile image of flow diagram.
Figure 2. Jpeg image of web application components.