SECURITY - GOVERNANCE - RISK - COMPLIANCE
Security Assessment, IT Services
September 21, 2016
The organization depended on several different infrastructure systems and components (1) to maintain business continuity. Any system used to support its primary business operations and deliver its services had to be regarded as critical (2). Hence, anything that compromised, or was identified as a risk to, these systems and could cause a high business impact (3) was also regarded as critical and had to be evaluated as such. The organization needed a cybersecurity assessment to establish the current status of its security posture and the cybersecurity protection already in place, so as to ensure the confidentiality, integrity and availability (CIA) of its systems and data.
(1) Systems and components here refers to all infrastructure servers, middleware, software, applications, firewalls, networks, network components, automated system processes and automated system tools used to enable the core business.
(2) Criticality is based on the outage and system unavailability that would prevent the business from operating. Systems regarded as non-critical were left out of scope.
(3) High business impact is any disruption of service on a critical system, i.e. a system used for core business operations.
Contact Fogel Consulting through the contact form for further information, or to present your own case and business needs.
This organization's business was not to develop or manufacture products. Its core business was that of a service provider supplying project leaders, architects, consultants and testers to organizations across several sectors. In that context it did not have critical infrastructure such as a data warehouse or factory robotics running its daily business, nor was it a typical subject of espionage or a target for DDoS attacks or similar high-level business threats. The critical assets the organization relied on to manage its daily operations were the client portal (client requests for service), the third-party vendor portal (portal for sub-contractors) and the corporate internal business systems such as finance, e-mail and HR.
To identify vulnerabilities, a system, network and data assessment and vulnerability testing were performed on all critical systems and components. The assessment results were then analysed to verify actual threats and to sort out false findings and known deviations for which a documented risk acceptance exists. A deviation should only be discounted while its acceptance is still within the approved validity period; an acceptance that has passed its review date leaves the finding open.
These vulnerability tests and assessments were performed through various analyses, such as:
· Review of the firewall configuration for external network firewalls and web application firewalls, to detect improper network topology or settings that could compromise data
· Assessment of router filtering rules and configurations
· Scan for weak authentication mechanisms (e.g. mechanisms that would allow unauthorized changes at system-administrator level)
· Assessment of the configuration of e-mail and DNS servers to detect improper settings (e.g. open mail relay, open recursive resolver)
· Network sweep to detect web servers exposed to network-layer exploits
· Assessment of database server configuration to detect improper settings
· SNMP checks (e.g. agents reachable from the network or answering to default community strings)
· Assessment of FTP servers for vulnerabilities (e.g. anonymous login, clear-text credentials)
The tests for known vulnerabilities and anomalies were performed on each system, network and network component in the critical asset inventory. A vulnerability can fall into one or more categories, for example:
· Unauthorized network/system/data access
· Unauthorized system changes/disabled service or protocol
· Information leakage/loss/disclosure
· System compromise
· Unauthorized command execution
· Denial of service (DoS)
· Anomalies found through system log analysis (in system or user behaviour)
All vulnerabilities detected and risks identified in the assessment were validated as either true or false findings.
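The validation step described above (restricting findings to the critical asset inventory, discounting deviations with a documented risk acceptance, and queuing the rest for manual true/false validation) is shown below as an added worked example. It is illustration code written for this page, not tooling from the engagement or from Fogel Consulting. The asset names, check identifiers, dates and the mapping of the page's vulnerability categories to "service-affecting" are constructed assumptions; the one edge case it handles is a risk acceptance whose review date has already passed.

```python
"""Triage of raw vulnerability-scanner output against the critical-asset
inventory and the risk-acceptance register.

Added illustration of the validation step described on the page; not tooling
from the engagement itself. Asset names, check IDs, dates and the
SERVICE_AFFECTING mapping are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date

# Critical asset inventory (footnotes 1 and 2): only these are in scope.
CRITICAL_ASSETS = {
    "client-portal": "Client portal (client request for service)",
    "vendor-portal": "Third-party vendor portal (sub-contractors)",
    "finance-app": "Finance system",
    "mail-gw": "Corporate e-mail gateway",
    "hr-app": "HR system",
}

# Categories from the page whose exploitation directly disrupts service on a
# critical system (assumed mapping to "high business impact", footnote 3).
SERVICE_AFFECTING = {"denial_of_service", "system_compromise",
                     "unauthorized_command_execution"}


@dataclass(frozen=True)
class Finding:
    asset: str
    check_id: str    # scanner plugin or CVE identifier (constructed here)
    category: str    # one of the page's vulnerability categories
    title: str


@dataclass(frozen=True)
class RiskAcceptance:
    asset: str
    check_id: str
    approved_by: str
    expires: date    # review date; an acceptance without one is itself a finding


def triage(findings, acceptances, today):
    """Bucket findings: out of scope, covered by a live acceptance, covered
    only by an expired acceptance, or still to be validated by hand."""
    register = {(a.asset, a.check_id): a for a in acceptances}
    buckets = {"out_of_scope": [], "accepted": [],
               "expired_acceptance": [], "to_validate": []}
    for f in findings:
        if f.asset not in CRITICAL_ASSETS:
            buckets["out_of_scope"].append(f)
            continue
        ra = register.get((f.asset, f.check_id))
        if ra is None:
            buckets["to_validate"].append(f)
        elif ra.expires < today:
            # Documented deviation, but the acceptance lapsed: treat as open.
            buckets["expired_acceptance"].append(f)
        else:
            buckets["accepted"].append(f)
    # Validate service-affecting findings on critical assets first.
    buckets["to_validate"].sort(
        key=lambda f: (f.category not in SERVICE_AFFECTING, f.asset, f.check_id))
    return buckets


def business_impact(finding):
    """'critical' if exploitation would disrupt a critical system, 'high' for
    any other finding on an in-scope asset, else 'out_of_scope'."""
    if finding.asset not in CRITICAL_ASSETS:
        return "out_of_scope"
    return "critical" if finding.category in SERVICE_AFFECTING else "high"


# Constructed sample scanner output and risk-acceptance register.
SAMPLE_FINDINGS = [
    Finding("client-portal", "ssl-weak-cipher", "information_disclosure",
            "TLS server accepts weak cipher suites"),
    Finding("client-portal", "web-rce-0001", "unauthorized_command_execution",
            "Remote command execution in upload handler"),
    Finding("mail-gw", "smtp-open-relay", "unauthorized_network_access",
            "SMTP server relays mail for third parties"),
    Finding("finance-app", "db-default-creds", "system_compromise",
            "Database listener accepts default credentials"),
    Finding("hr-app", "snmp-public", "information_disclosure",
            "SNMP agent answers to community string 'public'"),
    Finding("dev-wiki", "ftp-anon", "information_disclosure",
            "Anonymous FTP login permitted"),   # non-critical asset: out of scope
]
SAMPLE_ACCEPTANCES = [
    RiskAcceptance("client-portal", "ssl-weak-cipher", "CISO", date(2017, 3, 31)),
    RiskAcceptance("hr-app", "snmp-public", "IT manager", date(2016, 6, 30)),
]


def run_sample(today=date(2016, 9, 21)):
    """Return the check IDs per bucket for the sample (date is the post's date)."""
    buckets = triage(SAMPLE_FINDINGS, SAMPLE_ACCEPTANCES, today)
    return {name: [f.check_id for f in fs] for name, fs in buckets.items()}


if __name__ == "__main__":
    for bucket, ids in run_sample().items():
        print(f"{bucket:20s} {ids}")
```

On the sample, the weak-cipher finding on the client portal is discounted because its acceptance is still valid, the SNMP finding on the HR system is reopened because its acceptance lapsed in June, the FTP finding on the non-critical wiki is dropped from scope, and the three remaining findings are queued for manual validation with the command-execution and default-credential issues ahead of the open relay.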