Introduction
The organization assessed here asked that all identifying information be kept confidential, so equipment is referred to without titles, tags or specific labels. This report presents a thorough study of the security systems of Logistix, Inc. It investigates and evaluates the technical security issues, vulnerabilities and risks of Logistix systems from a hacker's point of view. The purpose of the assessment is to evaluate the company's IT security in general, including its system architecture and policy infrastructure. The assessment identifies areas of vulnerability, which are categorized as
a- Critical
b- High
These priorities depend on the organization and on prevailing circumstances, including potential threats to the organization. Such vulnerabilities expose security systems to unauthorized access through any kind of malicious activity. The organization is strongly recommended to make every effort to address policy and architectural vulnerabilities. A number of security issues of lesser priority are also recommended for correction in order to assume a secure posture.
Risk Assessment
The scope of the risk assessment covers the company's IT resources: networked servers (web, e-mail, application, etc.), the desktop computers and laptops used by employees, and network devices including routers, switches and firewalls. An exhaustive scan of the entire environment was performed, focused on the network infrastructure and the servers.
Hacker point of view
Our company operates a high-profile computer network, so a person attempting unauthorized access is unlikely to be an ordinary user; he may well be a professional hacker. To check and verify all security vulnerabilities of our network and systems, we therefore need to take a hacker's view and attempt unauthorized access ourselves, for testing purposes, in order to find and close every loophole in our systems. This allows us to identify trends, systemic problems and patterns that leave the company's network and systems vulnerable. Our primary goals should be to identify threats and to recommend specific changes to the company's security policies that prevent attacks by hackers.
Risk 1: Outdated Operating systems
Outdated operating systems such as Windows 98 provide many loopholes through which hackers can get into a system, and they are a huge risk for the organization. All operating systems should be updated to the latest version of Windows, such as Windows 7, and the company should use Windows Server 2008. Windows Server 2008 and Windows 7 provide an advanced security architecture to ensure the security of data. The security policies of Windows Vista are further enhanced in Windows 7. These enhancements include:
User and infrastructure protection: Windows 7 provides flexible protection against all kinds of malware and intrusions, and users get the control, security and productivity they need.
Secure platform: Windows 7 has substantial security enhancements that respond to customer feedback by making the system more manageable and usable.
Securing anywhere access: Windows 7 provides appropriate security controls so that users can access the information they require to be productive, whether they are in the office or not, whenever they need it.
Risk 2: Wi-Fi access, VPN access by unauthorized device
Wi-Fi access is now part of every organization: it reduces setup time and makes access easy for employees. Devices using Wi-Fi cannot be brought under proxy-server security simply by storing their physical (MAC) addresses, because the devices keep changing as employees replace their mobile devices, and there is a growing trend of using mobile devices for e-mail and other communications. Under a restricted Wi-Fi policy, a password must first be required for Wi-Fi, whether access is from anywhere in the building or from outside the office. All access through Wi-Fi should be routed through the proxy server, which verifies authentication by checking the user's ID and password. On a successful login from a mobile device, the system should automatically generate an e-mail to the owner of that account stating that the account has been accessed from a remote device; the message should contain the MAC address of the device so the user can confirm it is his own. The same can be done through an SMS service that sends a verification code, so the user can confirm his access from the mobile device. If any device accesses the company network through VPN, a policy control is required: collect the MAC addresses of all company laptops, map them to their users, and restrict VPN access to registered machines only.
Unauthorized access through an employee's user ID is another type of threat. We have secured our network against breaches from outside that lack authentication, but if an employee resigns while his MAC address and IP are still stored in the system, he will still be able to access it from outside. Ex-employee access is the most dangerous breach of the network, because old IP addresses, user IDs and account passwords are readily authorized by the servers. As soon as an employee resigns, his IP address and account should be blocked from that day, and a temporary IP with limited access given to him, to be blocked on his last day in the office. IPs blocked because of a resignation must not be reassigned immediately to another employee; these blocked IPs should be maintained by IT. If there is a severe need to reuse such an IP, it should be bound to a single system's MAC address so that it cannot be used from more than one place. In another case, if an employee is active but a hacker has obtained his ID from an ID-storing server, IT must not regenerate his password until the employee has been taken on a video call and not only his face matched but also some confidential questions asked to verify his identity.
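The Wi-Fi and VPN policy above, written out as a decision routine. This is an added example, not code from Logistix or from the report; the device registry, the disabled-account set, the retired-IP pool and the sample logins are all constructed for illustration, and the password check is assumed to have already passed before the routine runs. Each decision also produces the login record (time, MAC address, IP) that the Operational Control section asks IT to keep.

```python
"""Access check for Wi-Fi and VPN logins, following the Risk 2 policy.

Added example, not Logistix code. Constructed assumptions: a device registry
maps each user to the MAC addresses of company-issued machines, a set of
disabled accounts records resigned staff, and a pool of IP addresses retired
with those accounts is kept so they are not reused immediately.
"""
from dataclasses import dataclass, field
import secrets

# Constructed registry data; in practice this comes from the IT asset inventory.
REGISTERED_DEVICES = {
    "alice": {"00:1a:2b:3c:4d:5e"},
    "bob": {"00:1a:2b:3c:4d:6f", "10:20:30:40:50:60"},
}
DISABLED_ACCOUNTS = {"carol"}   # resigned: account blocked on the day of resignation
RETIRED_IPS = {"10.0.5.17"}     # freed by a resignation; held by IT, not reassigned yet


@dataclass
class AccessEvent:
    user: str
    network: str   # "wifi" or "vpn"
    mac: str
    ip: str
    time: str      # ISO 8601 timestamp of the login


@dataclass
class Decision:
    allow: bool
    reason: str
    notifications: list = field(default_factory=list)
    log_record: str = ""


def normalize_mac(mac):
    """Canonical lower-case colon form so '00-1A-...' and '00:1a:...' compare equal."""
    return mac.strip().lower().replace("-", ":")


def evaluate(event, verification_code=None):
    """Apply the policy to one login and return the decision plus the audit record."""
    mac = normalize_mac(event.mac)
    if event.user in DISABLED_ACCOUNTS:
        decision = Decision(False, "account disabled (ex-employee credentials)")
    elif event.ip in RETIRED_IPS:
        decision = Decision(False, "source IP was retired with a resigned account")
    elif mac in REGISTERED_DEVICES.get(event.user, set()):
        decision = Decision(True, "registered company device")
    elif event.network == "vpn":
        # VPN is restricted to laptops whose MAC addresses IT has mapped to the user.
        decision = Decision(False, "VPN allowed only from registered company laptops")
    else:
        # Wi-Fi from an unregistered device (e.g. a new personal phone): the password
        # check is assumed to have passed, so allow, but tell the owner which MAC logged
        # in and send an SMS code so he can confirm the access from his own device.
        code = verification_code or f"{secrets.randbelow(10**6):06d}"
        decision = Decision(True, "unregistered device on Wi-Fi; owner notified")
        decision.notifications = [
            f"email to {event.user}: your account was accessed from a remote device "
            f"with MAC address {mac} at {event.time}",
            f"sms to {event.user}: verification code {code}",
        ]
    # Every login is logged with time, physical address and IP, as Operational Control requires.
    decision.log_record = (
        f"{event.time} user={event.user} net={event.network} mac={mac} "
        f"ip={event.ip} allow={decision.allow} reason={decision.reason!r}"
    )
    return decision


if __name__ == "__main__":
    for ev in [
        AccessEvent("alice", "vpn", "00-1A-2B-3C-4D-5E", "203.0.113.9", "2012-03-01T09:00:00"),
        AccessEvent("alice", "wifi", "aa:bb:cc:dd:ee:ff", "10.0.9.2", "2012-03-01T09:05:00"),
        AccessEvent("carol", "wifi", "00:1a:2b:3c:4d:5e", "10.0.9.3", "2012-03-01T09:07:00"),
    ]:
        d = evaluate(ev)
        print(d.log_record)
        for n in d.notifications:
            print("  ", n)
```

The order of the checks matters: a disabled account is refused before the device is even looked at, so a resigned employee's registered laptop cannot get him back in, and the retired-IP check runs before the registry lookup so a held-back address cannot be quietly reused.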
Risk 3: Access Control Issue
Passwords on the Windows domain are much weaker than they should be, and some users have passwords that never expire. Remote client access through the VPN and firewall is not secure enough: client VPN accounts use static passwords and are not integrated with Active Directory. Access controls on the system determine which IT network resources individuals can reach and which operations (read, write) they can perform on them. An organization should have clear, defined access controls for all IT resources, covering both network access and physical security.
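An audit that looks for the three conditions named above (weak domain password policy, accounts whose passwords never expire, and VPN accounts on static passwords outside Active Directory). This is an added example, not Logistix code or a tool used by the report; the account export, domain policy values, VPN account list and the baseline thresholds are constructed assumptions standing in for what an Active Directory query and the VPN concentrator's configuration would actually return.

```python
"""Account-hygiene audit for the Windows domain and client VPN (Risk 3).

Added example, not Logistix code. Constructed assumptions: DOMAIN_ACCOUNTS is
a sample export with the fields an Active Directory user query would return
(account name, password-never-expires flag, date the password was last set),
DOMAIN_POLICY mirrors the default domain password policy settings, and
VPN_ACCOUNTS lists client VPN accounts that are either mapped to a domain
account or carry their own static password.
"""
from datetime import date

# Baseline this audit enforces (assumed values): passwords expire and are not weak.
BASELINE = {"max_age_days": 90, "min_length": 12, "complexity": True}

# Constructed sample data.
DOMAIN_ACCOUNTS = [
    {"sam": "alice", "never_expires": False, "pwd_last_set": "2012-01-10"},
    {"sam": "bob", "never_expires": True, "pwd_last_set": "2010-06-01"},
    {"sam": "svc_backup", "never_expires": False, "pwd_last_set": "2011-09-01"},
]
DOMAIN_POLICY = {"max_age_days": 0, "min_length": 6, "complexity": False}  # 0 = never expires
VPN_ACCOUNTS = [
    {"name": "alice", "ad_mapped": True, "static_password": None},
    {"name": "contractor1", "ad_mapped": False, "static_password": "Welcome1"},
]
COMMON_PASSWORDS = {"welcome1", "password", "password1", "123456", "logistix1"}


def audit_policy(policy, baseline=BASELINE):
    """Compare the domain password policy with the baseline."""
    findings = []
    if policy["max_age_days"] == 0 or policy["max_age_days"] > baseline["max_age_days"]:
        findings.append(("domain policy", "High",
                         f"maximum password age {policy['max_age_days']} (0 = never) "
                         f"exceeds {baseline['max_age_days']} days"))
    if policy["min_length"] < baseline["min_length"]:
        findings.append(("domain policy", "High",
                         f"minimum password length {policy['min_length']} below {baseline['min_length']}"))
    if baseline["complexity"] and not policy["complexity"]:
        findings.append(("domain policy", "High", "password complexity not enforced"))
    return findings


def audit_domain_accounts(accounts, today, baseline=BASELINE):
    """Flag accounts whose passwords never expire or are older than the baseline allows."""
    today = date.fromisoformat(today)
    findings = []
    for a in accounts:
        if a["never_expires"]:
            findings.append((a["sam"], "High", "password never expires"))
        age = (today - date.fromisoformat(a["pwd_last_set"])).days
        if age > baseline["max_age_days"]:
            findings.append((a["sam"], "High", f"password last set {age} days ago"))
    return findings


def audit_vpn_accounts(vpn_accounts):
    """Client VPN accounts must authenticate against Active Directory, not static passwords."""
    findings = []
    for v in vpn_accounts:
        if not v["ad_mapped"]:
            findings.append((v["name"], "Critical", "VPN account not integrated with Active Directory"))
        pw = v["static_password"]
        if pw is not None:
            if pw.lower() in COMMON_PASSWORDS or len(pw) < BASELINE["min_length"]:
                findings.append((v["name"], "Critical", "static VPN password is weak or commonly used"))
            else:
                findings.append((v["name"], "High", "static VPN password in use"))
    return findings


def run_audit(today):
    """All findings, Critical first, then by account name, using the report's categories."""
    findings = (audit_policy(DOMAIN_POLICY)
                + audit_domain_accounts(DOMAIN_ACCOUNTS, today)
                + audit_vpn_accounts(VPN_ACCOUNTS))
    order = {"Critical": 0, "High": 1}
    return sorted(findings, key=lambda f: (order[f[1]], f[0]))


if __name__ == "__main__":
    for account, priority, detail in run_audit("2012-03-01"):
        print(f"{priority:8} {account:14} {detail}")
```

Findings use the same two categories as the report (Critical and High), so the output can be pasted straight into the risk matrix.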
Corrective Action
Define a firewall policy through the following steps: identify all network applications and their traffic types, then categorize them on the basis of risk; identify the vulnerabilities associated with each application traffic type; and identify best practices for securing those applications. We need to create a matrix of traffic types that shows every access method and its risk priority. An information security policy is a document that tells staff members what their access rights in the system are, what they can and cannot access, what they must follow, and what their responsibilities are. A security policy states clearly what should be implemented, and it also defines the procedures for implementing it.
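The traffic-type matrix described above, carried through from inventory to an ordered rule set. This is an added example, not Logistix code or the report's own matrix; the application inventory, the three risk factors (unencrypted, reachable from the Internet, administrative access) and the scoring thresholds are constructed assumptions, and the rule strings are pseudo-rules, not the syntax of any particular firewall.

```python
"""Firewall policy matrix built by the steps in Corrective Action.

Added example, not Logistix code. APPLICATIONS is a constructed inventory of
application traffic types with the risk factors assumed here: whether the
traffic is encrypted, whether it is reachable from the Internet, and whether
it carries administrative access. The scoring thresholds are also assumptions.
"""
PRIORITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

APPLICATIONS = [  # constructed inventory: name, protocol/port, risk factors
    {"app": "Telnet admin", "proto": "tcp", "port": 23, "encrypted": False, "from_internet": True, "admin": True},
    {"app": "HTTPS web", "proto": "tcp", "port": 443, "encrypted": True, "from_internet": True, "admin": False},
    {"app": "SMTP relay", "proto": "tcp", "port": 25, "encrypted": False, "from_internet": True, "admin": False},
    {"app": "RDP", "proto": "tcp", "port": 3389, "encrypted": True, "from_internet": False, "admin": True},
    {"app": "File share", "proto": "tcp", "port": 445, "encrypted": False, "from_internet": False, "admin": False},
]


def risk_priority(app):
    """Score one traffic type; Internet exposure and admin access weigh the most."""
    points = ((0 if app["encrypted"] else 1)
              + (2 if app["from_internet"] else 0)
              + (2 if app["admin"] else 0))
    if points >= 4:
        return "Critical"
    if points == 3:
        return "High"
    if points == 2:
        return "Medium"
    return "Low"


def build_matrix(apps):
    """Traffic-type matrix: one row per application, ordered by risk priority then name."""
    rows = [{**a, "priority": risk_priority(a)} for a in apps]
    return sorted(rows, key=lambda r: (PRIORITY_ORDER[r["priority"]], r["app"]))


def build_rules(matrix):
    """Ordered rule set: deny Critical traffic first, restrict the rest, end with default deny."""
    rules = []
    for r in matrix:
        if r["priority"] == "Critical":
            rules.append(f"deny {r['proto']}/{r['port']} from any  # {r['app']} ({r['priority']})")
    for r in matrix:
        if r["priority"] == "Critical":
            continue
        # Internal-only services are never opened to the Internet; High-risk allowed
        # traffic is logged so the access logs can support a later investigation.
        source = "any" if r["from_internet"] else "internal-net"
        action = "allow+log" if r["priority"] == "High" else "allow"
        rules.append(f"{action} {r['proto']}/{r['port']} from {source}  # {r['app']} ({r['priority']})")
    rules.append("deny all  # default")
    return rules


def render_matrix(matrix):
    """Plain-text table of the matrix for inclusion in the report."""
    header = f"{'Application':14} {'Traffic':10} {'Encrypted':9} {'Internet':8} {'Admin':5} Priority"
    lines = [header]
    for r in matrix:
        lines.append(f"{r['app']:14} {r['proto'] + '/' + str(r['port']):10} "
                     f"{str(r['encrypted']):9} {str(r['from_internet']):8} {str(r['admin']):5} {r['priority']}")
    return "\n".join(lines)


if __name__ == "__main__":
    m = build_matrix(APPLICATIONS)
    print(render_matrix(m))
    print()
    print("\n".join(build_rules(m)))
```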
Operational Control
An Internet security policy is implemented to prevent access to any miscellaneous site that could affect the system. Under this policy a proxy server is installed with limited access to the Internet, but e-mail is allowed because employees use it to communicate. The proxy server is also used for VPN security, since all links to the Internet pass through it; this protects the system from unauthorized access by a hacker at a remote location. All physical (MAC) and IP addresses should be defined at the proxy-server layer so that network access is allowed only to systems that are company property. Login credentials and documents are secured with encryption software. A separate data server should be deployed at head office, isolated from all other servers, to hold the company's financial data; this server is not connected to the Internet because the company does not want to put this data at risk at any cost. The company has a strict software installation policy: only software certified or recommended by Microsoft may be installed on PCs and servers. Logs should be kept from the moment an employee logs in to a system, recording the user's login time, the system's physical address and its authenticated IP address. Security cameras should be installed on every floor to help identify the person responsible for any breach, including hackers using an employee's password.
Technical Controls
In our company, remote access through VPN lets employees reach the company's network and data from home or while traveling, and it allows employees in the offices and in various distributed locations to share one consistent virtual network. Network security can be put at stake by VPN access, so we need a proxy-server layer for VPN authentication that also verifies the MAC address. Firewall rules should be implemented according to the security requirements to prevent any breach. DNS and DHCP need to be implemented by the administrator team to give secure access to routers and IP addresses. The latest and most popular antivirus is installed on the servers and on all PCs, and it should be updated regularly to avoid losses. The Internet is a source of learning, but it also affects the company's operations, security and efficiency. Access to user accounts could be secured using secure e-mail services such as mail2web.com or login.secureserver.net, which let employers access employees' e-mail data; such services are more secure for e-mail accounts, and in case of unauthorized access forensic evidence can be produced.
Risk Management Matrix
Conclusion
This Risk Assessment Report identifies loopholes in the current network from a hacker's point of view; its purpose is to provide risk mitigation strategies for management review. The assessment provides the primary access control policies for critical applications and addresses any loss of system integrity, availability or confidentiality that could have a debilitating impact on our organization's processes. The sensitivity of the system, and of the information stored in or transmitted by it, reflects the importance of the system to our organization. Implementing the risk matrix together with the recommendations will reduce overall risk and vulnerabilities.