
VLT Task 1

Security Policies and Standards

Information Security Risk Analysis


The Server

Columns: Threat; Description; Source; Likelihood of Occurrence; Severity of Impact; Controllability

1. Ransomware
   Description: Malicious software that encrypts files and holds them for ransom until a requested amount of money is paid.
   Source: Malicious agent; uninformed administrator
   Likelihood of Occurrence: Medium
   Severity of Impact: High
   Controllability: Medium

2. Patch Vulnerabilities
   Description: OS vendors regularly release patches and hotfixes for critical vulnerabilities; a server that is not kept current stays exposed to them.
   Source: Poor administration
   Likelihood of Occurrence: High
   Severity of Impact: High
   Controllability: High

3. Poor OS Hardening
   Description: By default, many services and applications on servers are insecure. These services create vulnerabilities if they are not properly configured.
   Source: Poor administration
   Likelihood of Occurrence: High
   Severity of Impact: High
   Controllability: High

4. Disgruntled Employees
   Description: Employees have more insight into, and access to, a corporate network than anyone in the outside world. A disgruntled employee can bring a network down quickly during a heated scenario.
   Source: Malicious user; lack of security policy
   Likelihood of Occurrence: Low
   Severity of Impact: High
   Controllability: Low

5. Environment
   Description: A server failing because of too much moisture in the air, or because the server room is not properly cooled, is an example of how an environmental threat could cause serious damage to a network.
   Source: Poor administration; technology failure
   Likelihood of Occurrence: Medium
   Severity of Impact: High
   Controllability: High

Server Threat Prevention Recommendations

Ransomware
Ransomware is a threat that can bring down an entire server infrastructure. There are steps that can be taken to help prevent it and to lessen the damage it can cause. First, ensure that no users log in with administrator privileges for day-to-day work. Ransomware runs with the privileges of the account that launched it and encrypts every file that account can write to; if that account has local administrator or domain administrator privileges, the amount of data and the number of systems it can reach grow accordingly. If a user needs to install software or perform a task that requires administrator privileges, they should use the Run as feature to elevate to the needed account for that task only.
Patch Vulnerabilities
Performing updates and patching server infrastructure is critical to ensuring reliability in a server environment. Vendors release critical security hotfixes outside of any fixed schedule, so server administrators should check daily to ensure that they are staying on top of current vulnerabilities. Server administrators should also have a scheduled weekly patch and/or maintenance window; this window may not be needed every week, but it is important to have the option to install any critical updates if and when they become available.
Poor OS Hardening
By default, servers have many services enabled that may not be necessary for the server to perform its intended role. It is important to disable any running services that are not necessary and to use Windows Firewall to permit only the needed ports and protocols. Group Policy should be used to enforce strong passwords and an account lockout policy, to restrict logon to administrators and to disable the guest account. A screen saver should also be configured to lock the server if it is left unattended for a predetermined amount of time.
Disgruntled Employees
Internal users can be one of the largest threats to a network because they already have physical and logical access. Preventing disgruntled employees from causing harm can be difficult, but steps can be taken to lessen any damage done. A least privilege policy helps ensure that users are only given enough permissions to complete their job functions, so that if a user has malicious intent the scope of what can be attacked is minimal. A mandatory vacation policy ensures that employees take needed time off work and gives a supervisor an opportunity to review the kind of work an employee has been performing; this can help a supervisor notice whether an employee has begun performing any type of malicious action or whether other issues are present.
Environment
Many environmental factors can cause unnecessary outages in a server environment. Servers should be on uninterruptible power supplies with enough battery life to shut the equipment down properly; servers that are shut down improperly have a higher chance of operating system corruption, file corruption and data loss. Facilities personnel and the information technology department should work together to ensure that the server room has reliable and proper cooling. If adequate cooling is not available, servers can get too hot, which can cause hardware failures; if the wrong cooling system is in place, the room can get too humid, which can cause hardware failures for server equipment as well.
The Workstations

Columns: Threat; Description; Source; Likelihood of Occurrence; Severity of Impact; Controllability

1. Phishing
   Description: An attempt by a malicious agent to obtain personal information, such as banking details, usernames and passwords, by sending fake electronic communication that appears legitimate.
   Source: Malicious agent; untrained user
   Likelihood of Occurrence: High
   Severity of Impact: High
   Controllability: Medium

2. Rootkit
   Description: Malicious software that allows an attacker to gain unauthorized access to a machine while staying undetected.
   Source: Malicious agent; untrained user
   Likelihood of Occurrence: Medium
   Severity of Impact: High
   Controllability: Medium

3. Spyware
   Description: Malicious software that collects data from a user's PC and returns it to the malicious agent while staying undetected.
   Source: Malicious agent; untrained user
   Likelihood of Occurrence: Medium
   Severity of Impact: Medium
   Controllability: Medium

4. Keystroke Logging
   Description: Malicious software that records a user's every keystroke and returns them to a malicious user. This can be used to steal website logins, banking information and company proprietary information.
   Source: Malicious agent; untrained user
   Likelihood of Occurrence: Low
   Severity of Impact: High
   Controllability: Medium

5. Botnet
   Description: Malicious software that infects a PC and forces it to perform actions, such as sending spam or phishing emails, without the user's knowledge.
   Source: Malicious agent; untrained user
   Likelihood of Occurrence: Low
   Severity of Impact: Medium
   Controllability: Medium

Workstation Threat Prevention Recommendations

Phishing
Phishing is an attack that can have devastating outcomes for personnel or companies. Phishing leverages the weakest part of a company's information technology security, the human element. People are trusting by nature and want to be helpful, so if an individual gets an email that looks legitimate they may click on a link or provide information that shouldn't be given out. The primary method of prevention is to provide users with training, either annually or every six months. Information technology departments can also send out simulated phishing emails to employees to see who clicks the link; this helps identify which users need further training on how to spot phishing attempts.
Rootkit
Rootkits are malicious pieces of software that can be extremely hard to detect. Once a machine is infected by a rootkit, one of the primary ways to remove it is to perform a boot-time virus scan. This type of scan runs before the operating system initializes and may allow the scanner to find the malicious code, since the rootkit has not yet executed and started hiding itself. Some vendors, such as Websense, say that they have ways of catching rootkits on the network before they ever reach the PC. OS hardening and allowing only verifiably digitally signed software to run can help prevent rootkits. It is also important to keep antivirus software up to date, because it is the workstation's first line of defense.
Spyware
Spyware is a type of malicious software whose prevention depends on end user training. Antivirus and anti-spyware software can be installed on a PC, but it is still good practice to have informed users. Users should be told not to click on pop-up windows and, if one does appear, to close it with the red X in the title bar rather than the close button inside the pop-up itself, which may be part of the bait. It is also good practice to configure the web browser to block pop-up windows and to accept cookies only from the site currently being visited.
Keystroke Logging
Keystroke loggers are a variant of spyware. It is recommended to have anti-spyware software installed to aid in preventing keystroke loggers. Network appliances, such as the Blue Coat Spyware Interceptor, are built to help prevent these types of attacks. Installing a signature-based intrusion detection system can also help, but it is very important to keep the signatures up to date and to monitor the appliance regularly.
Botnet
Botnets are a variant of malware, and some of the prevention techniques are the same as for the other threats. It is important to have antivirus software installed with updated definitions. A network-based intrusion detection system with updated signatures can aid in locating and preventing malware. Ensure that all updates and patches are installed for the operating system and any installed applications. It is also important to educate users on which links to click on websites and in emails; uneducated users may click on links that install malicious software, such as the bot agent that enlists a PC into a botnet.

The Website

Columns: Threat; Description; Source; Likelihood of Occurrence; Severity of Impact; Controllability

1. Injection
   Description: An attack in which the attacker supplies input that is not properly validated, so that it is interpreted as part of a query and the database returns information it shouldn't.
   Source: Malicious agent; poor administration
   Likelihood of Occurrence: Medium
   Severity of Impact: High
   Controllability: High

2. Cross-Site Scripting
   Description: An attack in which the attacker injects malicious script into a web page viewed by other users; the script runs in their browsers and can bypass access controls such as the same-origin policy.
   Source: Malicious agent; poor administration
   Likelihood of Occurrence: Medium
   Severity of Impact: Medium
   Controllability: High

3. Denial of Service
   Description: An attack that temporarily prevents legitimate users from accessing a server resource.
   Source: Malicious agent; poor administration
   Likelihood of Occurrence: Low
   Severity of Impact: Medium
   Controllability: Medium

4. Brute Force Attack
   Description: A method of cracking a password by trial and error, attempting many candidate passwords until one succeeds.
   Source: Malicious agent; poor administration
   Likelihood of Occurrence: Medium
   Severity of Impact: Medium
   Controllability: High

5. Buffer Overflow
   Description: An attack in which an application writes more data to a buffer than the buffer can hold, so that it overwrites adjacent memory locations.
   Source: Malicious agent; poor administration
   Likelihood of Occurrence: Medium
   Severity of Impact: High
   Controllability: High

Website Threat Prevention Recommendations

Injection
There are multiple ways developers can prevent injection attacks, one of the main methods being whitelist input validation. Whitelist input validation defines exactly what the user is allowed to enter in a field, and any string that does not match the whitelist is rejected before it is sent to the database as part of a query. Parameterized queries (prepared statements), which pass user input to the database separately from the statement text, are the most reliable defense and should be used alongside validation. In Oracle SQL*Plus, character substitution treats an ampersand as the start of a substitution variable; if it is left enabled, an attacker could use it to retrieve private data, so it is recommended to disable it. The policy of least privilege is also recommended for database accounts: an application's account should be granted only the privileges necessary to perform its needed functions, so that a successful injection cannot read or modify more than that account can.
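The whitelist check and the parameterized query described above, shown beside the string-built query they replace. This is an added example and not code from the original paper; the user table, its rows, the SQLite back end and the username whitelist are all constructed for the example.

```python
import re
import sqlite3

# Added example (not from the original page): whitelist validation and a
# parameterized query beside the string-built query they replace. The table,
# its rows and the SQLite back end are constructed for the example.

USERNAME_RE = re.compile(r"[A-Za-z0-9_.]{3,32}")   # the whitelist for one field


def is_valid_username(value: str) -> bool:
    """Whitelist check: only letters, digits, '_' and '.', 3 to 32 characters."""
    return USERNAME_RE.fullmatch(value) is not None


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def lookup_vulnerable(conn, username: str) -> list:
    """The 'before': the value is spliced into the statement, so quotes in
    it become part of the SQL."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username: str) -> list:
    """The value travels separately from the statement text; the database
    only ever compares it as data, whatever characters it contains."""
    return conn.execute("SELECT username, role FROM users WHERE username = ?",
                        (username,)).fetchall()


def lookup_safe(conn, username: str) -> list:
    """Defense in depth: reject anything outside the whitelist, then query
    with a parameter."""
    if not is_valid_username(username):
        raise ValueError("username rejected by whitelist")
    return lookup_parameterized(conn, username)


def demo():
    conn = build_db()
    payload = "x' OR '1'='1"          # constructed tautology injection
    leaked = lookup_vulnerable(conn, payload)       # every row comes back
    as_data = lookup_parameterized(conn, payload)   # no such username: []
    try:
        lookup_safe(conn, payload)
        blocked = False
    except ValueError:
        blocked = True
    return len(leaked), as_data, blocked, lookup_safe(conn, "bob")


if __name__ == "__main__":
    print(demo())   # (3, [], True, [('bob', 'user')])
```

The parameterized query alone already turns the payload into a harmless, non-matching value; the whitelist adds a second layer that also rejects malformed input before any database round trip. Least privilege is applied outside the code: the account the application connects with should hold only SELECT (and, where needed, INSERT or UPDATE) on the tables it uses, never ownership or administrative rights.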
Cross-site Scripting
Cross-site scripting is a serious and frequently attempted attack. The first rule for preventing it is never to insert untrusted data into an HTML document except in a few allowed locations, and to encode the data for the context in which it is placed (HTML body, attribute, JavaScript string or URL) before inserting it. It is also critical never to accept JavaScript code from untrusted sources. It is further recommended to deploy a Content Security Policy, a response header that gives the browser a whitelist of the origins from which it may load scripts and other resources, so that an injected inline script or a script from an attacker-controlled host is refused.
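Context-aware output encoding and the Content Security Policy header described above, as an added example that is not part of the original paper. The comment template, the probe payloads and the policy string are constructed for the example; the policy values are one reasonable choice, not a recommendation taken from the page.

```python
import html

# Added example (not from the original page): context-aware output encoding
# for untrusted data, plus a Content-Security-Policy header. The template,
# payloads and policy are constructed for the example.


def encode_for_html(value: str) -> str:
    """Encode untrusted text for an HTML element body or a quoted attribute.
    '<', '>', '&', '"' and "'" become entities, so the browser can never
    interpret the data as markup."""
    return html.escape(value, quote=True)


def _js_escape_char(ch: str) -> str:
    cp = ord(ch)
    if cp > 0xFFFF:  # outside the BMP: emit a surrogate pair
        cp -= 0x10000
        return "\\u{:04x}\\u{:04x}".format(0xD800 + (cp >> 10), 0xDC00 + (cp & 0x3FF))
    return "\\u{:04x}".format(cp)


def encode_for_js_string(value: str) -> str:
    """Encode untrusted text for the inside of a quoted JavaScript string
    literal. Everything except ASCII letters and digits is \\uXXXX-escaped,
    so the data cannot close the string or the script block."""
    return "".join(ch if (ch.isascii() and ch.isalnum()) else _js_escape_char(ch)
                   for ch in value)


def render_comment_unsafe(author: str, text: str) -> str:
    """The injectable 'before': untrusted data pasted straight into markup."""
    return f'<div class="comment" data-author="{author}"><p>{text}</p></div>'


def render_comment_safe(author: str, text: str) -> str:
    """Same template, each value encoded for the context it lands in."""
    return '<div class="comment" data-author="{}"><p>{}</p></div>'.format(
        encode_for_html(author), encode_for_html(text))


def render_greeting_script_safe(name: str) -> str:
    """Untrusted data inside an inline script: JS-string-encode it. A CSP
    without 'unsafe-inline' would refuse this inline script anyway."""
    return '<script>var user = "{}";</script>'.format(encode_for_js_string(name))


# Hypothetical policy for the site: scripts and other resources only from the
# page's own origin, no plugins, no inline script, no framing.
CSP_POLICY = ("default-src 'self'; script-src 'self'; object-src 'none'; "
              "base-uri 'self'; frame-ancestors 'none'")


def security_headers() -> dict:
    """Headers to add to every HTML response."""
    return {"Content-Security-Policy": CSP_POLICY}


if __name__ == "__main__":
    payload = "<script>alert(document.cookie)</script>"  # constructed XSS probe
    print(render_comment_unsafe("mallory", payload))
    print(render_comment_safe("mallory", payload))
    print(render_greeting_script_safe('"; alert(1); //'))
    print(security_headers())
```

The encoder is chosen by where the data lands, not by what the data looks like: the same string needs entity encoding in a paragraph and \uXXXX encoding inside a script literal. The header is the second layer; with script-src 'self' and no 'unsafe-inline', a script that does slip past encoding still cannot run unless it is served from the site's own origin.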
Denial of Service
Denial of service and distributed denial of service attacks are generally carried out with a small number of well-known tools. When a standard attack tool uses known ports, administrators can block those ports at the edge router to help prevent the attack. It is also good practice to rate limit ICMP and SYN packets. Every TCP connection begins with a SYN packet, so if the rate limit is set too low it will also drop legitimate traffic; the limit must sit above the normal connection rate with headroom for bursts. Certain registry keys in Windows Server can also assist in resisting SYN floods, including SynAttackProtect, TcpMaxConnectResponseRetransmissions and TcpMaxDataRetransmissions under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters. These keys date from the Windows Server 2003 TCP/IP stack; later versions have SYN flood protection built in and ignore some of them, so confirm that a key is honored by the version in use before relying on it.
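The rate-limiting trade-off above, worked through on constructed traffic. This is an added example and not part of the original paper: a per-source token bucket of the kind an edge device applies to SYN packets, run over one normal client and one flooding host, with the limit first set sanely and then set too low. The addresses, packet timings, rates and burst sizes are all assumptions.

```python
from collections import defaultdict

# Added example (not from the original page): a per-source token-bucket
# rate limiter applied to a constructed stream of SYN arrivals, to show how
# the limit separates a flood from a normal client and what happens when it
# is set too low. Traffic, addresses and thresholds are all assumptions.


class TokenBucket:
    """Allows bursts of up to `burst` packets and `rate` packets/second on average."""

    def __init__(self, rate: float, burst: int):
        self.rate = rate
        self.burst = burst
        self.tokens = float(burst)
        self.last = 0.0

    def allow(self, now: float) -> bool:
        # Refill in proportion to elapsed time, capped at the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class SynRateLimiter:
    """One bucket per source address, as an edge device keeps per-source state."""

    def __init__(self, rate: float, burst: int):
        self.buckets = defaultdict(lambda: TokenBucket(rate, burst))

    def process(self, events):
        """events: iterable of (timestamp_seconds, source_ip), in time order.
        Returns ({src: accepted_count}, {src: dropped_count})."""
        accepted, dropped = defaultdict(int), defaultdict(int)
        for ts, src in events:
            if self.buckets[src].allow(ts):
                accepted[src] += 1
            else:
                dropped[src] += 1
        return dict(accepted), dict(dropped)


def constructed_events():
    """Constructed sample traffic: a normal browser opening 6 connections per
    page load, three page loads 10 s apart, and one host sending 500 SYNs
    within a single second."""
    events = []
    for page in range(3):
        base = page * 10.0
        events += [(base + i * 0.08, "10.0.0.5") for i in range(6)]
    events += [(5.0 + i * 0.002, "203.0.113.9") for i in range(500)]
    return sorted(events)


def run(rate: float = 20.0, burst: int = 10):
    return SynRateLimiter(rate, burst).process(constructed_events())


if __name__ == "__main__":
    print("sane limit:", run(rate=20.0, burst=10))
    print("too low:   ", run(rate=2.0, burst=3))   # the normal client loses SYNs too
```

With a burst of 10 and 20 SYNs per second, the browser's six-connection page loads all pass and the flood is cut to roughly the first 30 packets of its 500. With a burst of 3 and 2 per second, the flood is cut harder but the normal client loses half of every page load, which is the failure mode the paragraph warns about: measure the legitimate peak before choosing the numbers.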
Brute Force
Brute force attacks can generally be prevented more easily than other types of attacks. It is recommended to set up all accounts with strong passwords of at least ten characters. Since an attacker can still try many username and password combinations, it is recommended to set an account lockout threshold of three attempts; this gives the attacker only three guesses before an administrator must intervene and unlock the account. Note the trade-off: an attacker who knows valid usernames can deliberately trigger lockouts to deny service to those users, so a timed lockout, or a lockout combined with rate limiting, is often preferable to one that needs manual reset. Multi-factor authentication is also a solution for brute force attacks. It combines something you know, such as a password, with something you have, such as a smart card or hardware token, or something you are, such as a fingerprint, so that a guessed password alone is not enough to log in.
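The password-length rule and three-strike lockout above, implemented as an added example that is not code from the original paper. It uses a timed lockout rather than an administrator reset, a constant-time hash comparison, and the same amount of work for unknown usernames so that response time does not reveal which accounts exist. The account names, the 15-minute lockout window and the PBKDF2 parameters are assumptions for the example.

```python
import hashlib
import hmac
import os
import time

# Added example (not from the original page): an account store with the
# ten-character minimum and three-strike lockout described above. The names,
# the 15-minute lockout window and the PBKDF2 settings are assumptions.

MIN_PASSWORD_LENGTH = 10
LOCKOUT_THRESHOLD = 3
LOCKOUT_SECONDS = 15 * 60      # timed lockout instead of a permanent one
PBKDF2_ITERATIONS = 100_000
_DUMMY_SALT = b"\x00" * 16


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class AccountStore:
    def __init__(self):
        self.accounts = {}

    def create(self, username: str, password: str) -> None:
        if len(password) < MIN_PASSWORD_LENGTH:
            raise ValueError(f"password must be at least {MIN_PASSWORD_LENGTH} characters")
        salt = os.urandom(16)
        self.accounts[username] = {
            "salt": salt,
            "hash": hash_password(password, salt),
            "failures": 0,
            "locked_until": 0.0,
        }

    def login(self, username: str, password: str, now: float = None) -> str:
        """Returns 'ok', 'denied' or 'locked'. `now` is injectable for tests."""
        now = time.time() if now is None else now
        acct = self.accounts.get(username)
        if acct is None:
            # Same cost as a real check, so timing does not reveal valid usernames.
            hash_password(password, _DUMMY_SALT)
            return "denied"
        if now < acct["locked_until"]:
            return "locked"            # refuse even a correct password while locked
        candidate = hash_password(password, acct["salt"])
        if hmac.compare_digest(candidate, acct["hash"]):
            acct["failures"] = 0
            return "ok"
        acct["failures"] += 1
        if acct["failures"] >= LOCKOUT_THRESHOLD:
            acct["failures"] = 0
            acct["locked_until"] = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"


def simulate_attack(store: AccountStore, username: str, guesses, start: float = 0.0):
    """One guess per second from `start`; returns the outcome of each attempt."""
    return [store.login(username, guess, now=start + i) for i, guess in enumerate(guesses)]


if __name__ == "__main__":
    store = AccountStore()
    store.create("alice", "correct horse battery")
    print(simulate_attack(store, "alice",
                          ["Password1!", "alice2016xx", "Welcome123", "correct horse battery"]))
    print(store.login("alice", "correct horse battery", now=LOCKOUT_SECONDS + 10))
```

The fourth attempt in the simulated attack uses the right password and is still refused, which is the property the lockout is meant to give; the same property is what an attacker abuses to lock out real users, which is why the window is timed here and why a second factor is the stronger answer.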
Buffer Overflow
Buffer overflow is another common web server attack, but with the right precautions it can be prevented. One of the main prevention techniques is input validation, which keeps unexpected data, including over-long input, from being processed. It is also important to ensure that the operating system the web server runs on is fully patched. Vulnerability scanning should be used regularly to see whether the web application is susceptible to this or any other vulnerability; it can also help make sure that no important security patches are missed.
Sources:

Jason Ragland (09/08/2015). Windows Server 2012 R2 Hardening Checklist. Retrieved from https://wikis.utexas.edu/display/ISO/Windows+Server+2012+R2+Hardening+Checklist

Mike Chapple (10/26/2015). Security Matters: Rootkit Attacks and How to Prevent Them. Retrieved from http://www.gocertify.com/articles/security-matter-rootkit-attacks-and-how-to-prevent-them.html

Mindi McDowell and Matt Lytle (02/06/2013). Security Tip (ST04-016). Retrieved from https://www.us-cert.gov/ncas/tips/ST04-016

Unknown (unknown). How to better protect your PC from botnets and malware. Retrieved from https://www.microsoft.com/en-us/safety/pc-security/botnet.aspx

OWASP (05/25/2016). SQL Injection Prevention Cheat Sheet. Retrieved from https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

OWASP (03/27/2016). XSS (Cross Site Scripting) Prevention Cheat Sheet. Retrieved from https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

Cisco (04/22/2008). Strategies to Protect Against Distributed Denial of Service. Retrieved from http://www.cisco.com/c/en/us/support/docs/security-vpn/kerberos/13634-newsflash.html

Michael Cretzman and Todd Weeks (unknown). Best Practices for Preventing DoS/Denial of Service Attacks. Retrieved from https://msdn.microsoft.com/en-us/library/cc750213.aspx

OWASP (09/03/2014). Buffer Overflows. Retrieved from https://www.owasp.org/index.php/Buffer_Overflows
