
CST 481/598

SPRING 2009

ARIZONA STATE UNIVERSITY

UNIQ SECURITY REVIEW

This PDF is to have the underlined spaces filled in by hand and the
questions at the end answered, then the hardcopy physically returned to
me by 9:20 AM December 16, 2009. I will be in SANTAN 239 until 9:20 AM
on the 16th to facilitate the turn-in. The underlines may take one or
more words (key off the length).
TABLE OF CONTENTS

TABLE OF FIGURES
{deleted}

INTRODUCTION
UniQ is a software consulting services firm that provides educational
institutions with ‘best-fit’ open source solutions to IT business challenges.
The company’s focus is enterprise deployments of open source software for
campus portals, collaboration, learning, calendaring, email, and integration
technology for higher education. Mr. Ben, a lead systems administrator at
UniQ, provided the information that this report is based on. The company’s
employees are separated into five departments: user experience, user
interface, java development, administration and accounting, and operations.
No special systems are devoted to any of these departments.

The information UniQ handles does not typically include client-specific
information, with the exception of one client, Pancho Systems. They do not
store human resources or health information; instead, that data is
outsourced to another company but available online to the people who use
it. The company also does not store onsite any sensitive electronic data of its
own but does store some sensitive data for at least one client, again, Pancho
Systems. The one exception to onsite sensitive data is UniQ’s financial
information that is stored on hardcopy onsite.

RISK ASSESSMENT
Risk is defined as
_____________________________________________________________________________
_______________________. The ______ will exploit the _______________ to
compromise confidentiality, integrity, availability, or non-repudiation. There
must be a ___________ to _________, and this ____________ must cause an ______
for there to be a risk to the organization.

A risk assessment starts by identifying ______, assessing potential
____________ and ______, then defining and mapping countermeasures to
individual ________. Therefore, this document will start with the topic of
______. ________ can be physical, consist solely of information, or be functions
that enable a business process to be carried out. In UniQ’s case, their
physical assets that enable their business function are their workstations and
the equipment in their server room. Information assets consist of UniQ’s
proprietary software products, a certain amount of sensitive client
information (currently only Pancho) that UniQ is hosting, email
communications stored on email servers, and data stored on their fileserver,
databases, and backup server. Functions that keep UniQ in business are their
ability to host client information, their web presence and online demo
servers, their ability to store and retrieve data on their network, access to
the internet, and clients’ access to UniQ’s extranet. If any of these assets
were lost, UniQ could suffer monetary loss, lost productivity, and/or
embarrassment that could cause the loss of business in a commercial
organization such as UniQ.

The ____________ that we will touch on throughout this report will be in
relation to human failings (the organization in general, user community, and
IT staff), weakness in physical security, or flaws in technology that can be
exploited.

The threats to a company like UniQ would primarily be from disaffected
staff, but could also come from a competing commercial group, or less likely,
a hacker group. When Mr. Ben was asked what he thought would be the
most likely threat to UniQ’s business, he replied that it would be an insider.
Therefore, the primary focus will be on the insider threat.
Disaffected staff, or an “insider”, is an individual who currently is or at one
time was authorized to access an organization’s information systems or its
data. To give this authorization requires trust in that individual. Thus, the
insider threat refers to the harmful acts that a trusted insider might carry
out. These acts could be either _________________________________, or
_____________________________, or both. The types of crimes and abuse
associated with insider ________ are significant; the most serious include
_________________, _________________, ____________________, _______________,
____________________, ___________________, and __________________. Malicious
activities could include an even broader range of ____________, such as
negligent use of sensitive data, fraud, and unauthorized access to sensitive
information.

An insider has the ultimate level of resources – access to everything, or at
least their portion of it. Due to their placement, the insider could do the most
damage. And since insiders are legitimate users of the systems and
networks, technical capability is not necessarily required to carry out an
attack. Something as simple as stealing or destroying hard drives from a
server along with its backup media would have a significant impact.
However, technically capable insiders are able to inflict more damaging and
sophisticated acts, and would likely have the capability to cover their tracks.
The numerous past instances of espionage, corruption, and sabotage within
government agencies and the military are well known. This happens despite
the fact that these organizations require clearances with associated
background checks and polygraphs in order to eliminate this _____________ as
much as possible.

There is also the _______________ of non-malicious acts that could impact
UniQ’s network, such as incorrect or poorly secured configurations, failure to
perform backups leading to data loss, or failure to properly secure sensitive
documents, physical areas, or network infrastructure. A complacent, indifferent,
or incompetent IT worker or other employee could cause as much damage or
downtime as other purpose-driven malicious threats.

To continue the ________ assessment, one then determines risk by
calculating the ________________ and ______________ that any given
__________________ could be exploited, taking into account existing controls.
The culmination of the __________ assessment shows the calculated
___________ for all ________________ and describes whether the _______________
should be accepted or mitigated. If mitigated by the implementation of a
control, one needs to describe what additional security controls will be added
to the system.

REGULATION & PROCEDURE

DESCRIPTION
UniQ’s existing _________________ include a single acceptable use
______________ that considers email, phone and internet use. This policy is
signed by employees at the time of hiring, but no other time thereafter.
Employees were asked not to install applications from Google, but there is no
_______________ in place enforcing this. There are no existing _______________
concerning employee privacy, removable storage, or personal
laptop/electronic devices currently in place. Laws and regulations such as
__________________ (name AT LEAST 3) are not applicable to UniQ since they
do not store health information, they are not a financial institution, nor are
they a publicly traded company.

GLITCHES & RECOMMENDATIONS

With UniQ’s very limited implementation of company ____________, there is
little protection from unethical, accidental, or malicious actions by
employees. ___________________________________ should be reviewed and
signed by employees on a regular basis, so as to provide a reasonable belief
that the ___________ was not forgotten or thought to be obsolete or
unnecessary.

Since copies of the __________ that UniQ did have were not provided,
further review of their effectiveness could not be accomplished. There was
no employee ______________ and awareness program in place. A lack of
awareness about security __________________ such as opening email
attachments, sharing removable media, expired website certificates, and
failure to install security updates, among many others, opens the door to
accidental, employee-caused security holes in UniQ’s network. Additionally,
no standardized configuration ____________ exist; there is no baseline by
which all workstations or servers are configured, making it a nightmare
for an admin to fix or prepare for a problem because machines are running
different versions of software and/or are configured with different settings.

TECHNICAL SECURITY
DESCRIPTION
Despite UniQ’s rushed, still-incomplete version of its network diagram,
what could be gathered from it is that the network consists of five “company”
subnets, three of which have IP addresses clearly marked (10.1.1.0/24,
10.15.0.0/16, 192.168.0.0/24) and two others that are only named but have
no marked IPs (User and Operations). For the sake of clarity, we will assume
the following:

• User subnet: 10.1.1.0/24
• Operations subnet: 10.15.0.0/16
• Dev subnet: 192.168.0.0/24

The user subnet contains all workstations as well as Oracle, MySQL, and
PostgreSQL database servers, a Samba file server, and a pair of Windows
2000 servers running Active Directory, LDAP, slapd, DHCP, DNS, and a print
server. The Operations subnet contains a Netbackup server and
workstations, and the GlenLyon development subnet holds a JBoss
application server, MySQL database server, and workstations used for
performance testing.

Two DMZ subnets are also configured, branching from the firewall
(12.164.136.128/26 & 12.164.148.128/26). The first contains demonstration
servers for the company’s uPortal and Sakai web application products, and
the second contains two email servers as well as several extranet servers
running Confluence, Jira, and Timesheet Web applications. All traffic
aggregates at a Checkpoint firewall, and then is sent to a switch and off to
the border router. VPNs are terminated on the firewall and SSH is running on
one of the internal servers. IP addresses are assigned via DHCP except, of
course, for servers.

The Checkpoint firewall is set to allow ports 80, 443, 22, and 25, and only
accept email traffic from MXLogic, an outsourced company that takes care of
UniQ’s mail services. UniQ’s wireless network consists of approximately eight
users accessing a D-Link Wi-Fi access point running WPA2 encryption. Their
mail infrastructure consists of one server running IMAP, POP3, and SMTP
(sendmail). This server also has ClamAV and SpamAssassin installed on it. A
second email server runs Zimbra, something akin to MS Exchange; Active
Directory via LDAP is used for authentication.

There are no NIDS/HIDS systems or a centralized syslog server on the
network. No redundancy is implemented with UniQ’s servers, hard drives,
firewall, or internet connection, but a 15kVA UPS is in use. Six weeks of
backups are kept in an on-site fire safe.

FIGURE 1 - NETWORK DIAGRAM PART 1

FIGURE 2 - NETWORK DIAGRAM PART 2

HOLES & RECOMMENDATIONS

IT STAFF
When asked for a copy of UniQ’s network diagram, Mr. Ben replied that it
was not available since it was out of date. The same answer was given when
asked for router, switch, or firewall configurations. None were on hand, even
when asked well in advance of the interview for this report. For a lead
network administrator to not have up-to-date, comprehensive network
information indicates a clear lack of professionalism and competence in my
opinion. Not a good sign when the topic of security is the focus.

There is an abundance of inconsistency between what Mr. Ben said in our
interview, and what was listed on his network diagram. For instance, he
stated that there was a user subnet, a DMZ subnet, and a wireless subnet.
Yet on the diagram there are two DMZ subnets and no wireless subnet or
wireless equipment at all. He also mentioned that there was both a Windows
file server and a Windows application server, as well as two internet
connections, one via Cox for their “hosting” subnet, the other through AT&T
for their “users”; yet there is no evidence of any of this on either of the two
pages of the diagram. There are a pair of Cisco VPN concentrators and a Cisco
IDS 4215 in the server room, but they are not mentioned in the interview or
on the diagram.

Having IT staff that is complacent, unknowledgeable, or unorganized is a
security threat in itself. Periodic reviews of employee performance
and competency should be conducted by an outside auditing firm.
Companies should not simply hire employees, throw them into their server
room, and expect that their systems are secured and set up properly and
that their information is protected.

WORKSTATION SECURITY
One of the biggest surprises to me was the fact that UniQ was not using
domain logons, and every user is allowed administrator access to their
workstation. Mr. Ben stated that each workstation boots directly into
Windows XP, no authentication. This is completely ridiculous. Any user (or
malicious program) could install anything they want, knowingly or
unknowingly. This is not only a massive security risk, but also a way to kill
productivity, since any game, IM client or other time-wasting distraction can
be installed and run. UniQ does have Windows 2000 domain controllers, but
none of the workstations require logging into a domain in order to access
UniQ’s network. Thus, there is no centralized user-based security, only share-
based security. Not only is this an extremely poor implementation of
security, but also of administration; each shared folder requires its own
password, rather than signing on once via Active Directory and being
assigned a Kerberos ticket as you would within a Windows domain.

Workstation BIOS access and the ability to boot from other devices leaves
workstations vulnerable to a malicious individual who could change BIOS
settings to boot forensics software from CD or USB, allowing them to pull
data out of other users’ Windows accounts, recover any and all data on the
hard drive unless it is encrypted, or simply image the hard drive and sift
through the data offsite. This attack could easily be done while the employee
was out at lunch, or by custodial workers that come in after hours. Insider
knowledge of when a room would be empty would be needed, along with skill
in using forensic software.

Updates are applied “as needed”, but no regular update schedule is used.

NETWORK INFRASTRUCTURE
Users should be located on their own subnet, or even better, each
department should be on its own subnet. This makes segregating users from
information much easier. Inter-departmental traffic should be running through
a router or layer 3 switch using access control lists to filter traffic.
Unnecessary services should be disabled on all servers, and each operating
system type should be configured against a standardized baseline
configuration.
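As an added illustration (not part of the original report or of UniQ’s own configuration), the following Python models the border firewall policy described under Technical Security (80, 443 and 22 open; SMTP accepted only from MXLogic) next to the inter-department ACL recommended above, and evaluates constructed flows against each with first-match semantics. The MXLogic relay range and the MySQL server address are placeholders, since the report gives neither.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    src: str             # source network in CIDR notation
    dst: str             # destination network in CIDR notation
    port: Optional[int]  # TCP destination port; None matches any port
    action: str          # "allow" or "deny"

ANY = "0.0.0.0/0"
# Subnets as listed in the review's Technical Security section
USERS, OPS, DEV = "10.1.1.0/24", "10.15.0.0/16", "192.168.0.0/24"
DMZ_DEMO, DMZ_EXTRANET = "12.164.136.128/26", "12.164.148.128/26"
# Placeholders (constructed): the report names MXLogic but gives no relay
# range, and names the user-subnet MySQL server but gives no address
MXLOGIC_RELAYS = "203.0.113.0/24"
MYSQL_HOST = "10.1.1.20/32"

# Border (Checkpoint) policy as described: 80, 443 and 22 open to anyone,
# SMTP accepted only from MXLogic, everything else dropped by the last rule
BORDER_POLICY: List[Rule] = [
    Rule(MXLOGIC_RELAYS, DMZ_EXTRANET, 25, "allow"),
    Rule(ANY, ANY, 25, "deny"),
    Rule(ANY, ANY, 80, "allow"),
    Rule(ANY, ANY, 443, "allow"),
    Rule(ANY, ANY, 22, "allow"),
    Rule(ANY, ANY, None, "deny"),
]

# Recommended inter-department ACL on a router or layer 3 switch: the dev
# subnet may reach only the MySQL port on the database host; all other
# traffic from dev into the user and operations subnets is dropped
SEGMENTATION_ACL: List[Rule] = [
    Rule(DEV, MYSQL_HOST, 3306, "allow"),
    Rule(DEV, USERS, None, "deny"),
    Rule(DEV, OPS, None, "deny"),
    Rule(ANY, ANY, None, "allow"),  # traffic not coming from dev is untouched
]

def evaluate(policy: List[Rule], src: str, dst: str, port: int) -> str:
    """First-match evaluation, the way a firewall or IOS-style ACL works.
    A policy with no catch-all falls through to an implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for rule in policy:
        if (s in ip_network(rule.src) and d in ip_network(rule.dst)
                and rule.port in (None, port)):
            return rule.action
    return "deny"
```

Call `evaluate(BORDER_POLICY, src, dst, port)` or `evaluate(SEGMENTATION_ACL, ...)` with a candidate flow to see which verdict the stated policy would give it; an inbound SMTP attempt from any address outside the MXLogic range is denied, and a dev workstation reaching a user-subnet file share on 445 is dropped by the ACL.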

UNATTENDED SESSIONS

Unattended sessions are another common “human” _________ allowing anyone to
walk up and use the workstation without authentication or authorization. Too
many times I have seen machines left unattended and not locked while the
user left to go print something, go to the restroom, or just to mess around
talking in the next room.

FIGURE 3: UNATTENDED SESSION (WITH ADMIN RIGHTS)

A passerby could read, print, or transfer to removable media any information
that was available to that workstation, as long as they had enough time to
complete the task before the actual user returns. This is where insider
knowledge would come into play: knowledge of what times someone leaves
their workstation and how long they typically are gone. Workstations should
automatically lock after a period of inactivity.

CONCLUSION

The number of ___________________ encountered at UniQ was significant,
not only in number but in ease of exploitation. The majority of the problem
lies in the IT staff not using the tools that are there, at their fingertips, and
instead sacrificing security for convenience. It’s not only that, though; Mr. Ben
was aware of the technical measures brought up during our interview, and
thus knew that they could be implemented. But the attitude I saw when I
asked him if he was using a certain technology or feature seemed to be that
of indifference, as if it didn’t matter, or it didn’t apply to his environment. “As
long as it works, it works” seemed to be the motto. Security is certainly not a
priority for Mr. Ben, and I do not see that working in the best interest of
UniQ.
Controls for ________________ and ______________ are nearly nonexistent.
There is a complete lack of thorough documentation. And what little
documentation that was provided was inaccurate and incomplete. Technical
vulnerabilities existed in the server room in the form of a lack of redundancy,
inconsistent versions and updates, and numerous other baseline security
precautions that are not in place. Workstation security is neglected entirely.
Physical security is sufficient in some areas, and minimal in others. Taking
into account the existing controls at UniQ, the likelihood that a disgruntled
employee or opportunistic janitorial worker could carry out an attack or steal
something of importance is high. The fact that a major security issue may
not have happened yet at UniQ does not preclude the ability to implement a
pre-emptive stance that could mitigate the event. If something were
compromised, failed, or information lost or stolen due to any number of
factors, I do not imagine that any of these issues would bode well for UniQ’s
reputation or continued business success.
_____________________________________________________________________________
1. What additional policies and standards would you expect UniQ to have
in place?

2. If UniQ were providing health system software, what additional policies
and standards would you expect UniQ to have in place? That is, in addition
to Question 1.