Harry & Mae’s Inc Client Presentation; Security Issues and Recommendations Presented by: Angel Hooper, IT Security Consultant February 19, 2017 CYBR 650
Summary Due to a data breach impacting 25,000 customers, Harry & Mae’s has decided to recruit assistance in order to ensure that their security issues are addressed. After successful completion of a systems analysis and threat analysis, an action plan has been put together to move forward with the changes needed to mitigate risks and vulnerabilities to their systems.
Presentation Focus Points ● Systems Analysis ● Threat Modeling Process ● Threat Analysis ● Action Plan
Key Terms Risk can be defined as what, meaning what is at risk. Systems, for example, are at risk. Also consider that this process is a threat modeling process, not a risk analysis. We are not determining what is at risk, but rather the vulnerability and threat of an already established risk. Vulnerability can be defined as why systems are at risk. Network security, for example, can be why the systems are at risk. Vulnerabilities are not always an exploit of an asset. Sometimes the vulnerability is a necessary part of the asset. A good example of this is power. By using power, which is necessary, we take the risk that systems might go down due to a power outage. This is a vulnerability of systems being run with power. Threat can be defined as who. For example, external attackers can be the threat to the vulnerability (network) of the at-risk asset (systems). Please be aware that some threats are accepted by an organization. These are threats that are considered part of a risk appetite, as in the power example above.
Systems Analysis
Systems Analysis Systems analysis is the study of current systems, together with the design of new or recommended changes that could improve the system and its security. This analysis will touch on current computing assets and systems “as-is” with the possible vulnerabilities, while keeping in mind the cost and usability of the current systems. This analysis will include an organizational overview, a recap of physical security, a network diagram in its current state, a cost and vulnerability grid, and any additional information and explanations that might be pertinent to this analysis.
Business Process - Overview The franchise supports other locations and offers a shared Point of Sale (POS) system that other owners can use, which is an incentive for those business owners. Harry & Mae's Inc also has about 400 employees at their main campus in Windsor, PA. Corporate warehouses are also located here. The business process would appear to be rather straightforward. This diagram, Figure 1, represents the process of transactions at Harry & Mae’s. Figure 1 - Harry & Mae’s Business Flow Process
Network Diagram Based on the information provided, this diagram, Figure 1.1, represents Harry & Mae's Inc's current network infrastructure. This layout will help clarify what needs to be addressed, how everything works together, and how to improve security at Harry & Mae’s. Figure 1.1 - Network Diagram
Cost and Vulnerability Breakdown The purpose of this breakdown is to show the current assets that are reported at Harry & Mae’s, their value should something go wrong and those assets need to be replaced, and the possible vulnerability of each asset. Based on the information gathered, this grid (on the next slide) shows a breakdown of each infrastructure asset, the cost of the asset, and its possible vulnerability. The cost referenced here is the purchase/current retail price of the assets. This is important should these assets need to be replaced if the vulnerability occurs and assets are destroyed. Included with each possible vulnerability are notes mentioning the impact of this vulnerability should it occur.
Breakdown Grid This grid, Table 1.2, is a visual aid to guide processes toward better protection and the development of better security for Harry & Mae's Inc. Table 1.2 - Cost and Vulnerability Breakdown
Vulnerabilities inside Policies & Procedures During the analysis it was determined that Harry & Mae's Inc lacks several policies and procedures for employees and security standards. Some of these gaps are part of the above-mentioned vulnerabilities, for example the lack of password policies or open WiFi access. It is critical to have policies and procedures in place that align with physical and virtual security measures in order to ensure maximum protection at Harry & Mae's Inc.
Threat Process Model
Threat Process Model The goal of the threat process model is to determine, assess, and mitigate threats at an organizational level. The importance of this model is the need to verify security of the organization’s applications and infrastructure.
Threat Model Process The process below, Figure 1.3, can and should be repeated multiple times in order to keep systems as secure as possible. Multiple steps, noted and defined below, with documentation and a change management process should be utilized with this model. Figure 1.3 - Threat Model Process
Threat Model Process in Detail In order to use the threat modeling provided, a clear process for identifying, analyzing, and cataloging threats should be taken into account before starting this model. Consider the following process for identification, analysis and how to catalog threats. Please be advised the process and outline has been given some color coordination in order to make this process easier to follow.
1. Identify Risk (identification)
● What is at risk here? Clearly state what systems are at risk; identification of what system, data, or piece of infrastructure is at risk.
2. Collect and analyze threat information (analysis)
● Verification of threat to defined risk. What is the likelihood of the potential threat? Recognition of threats to infrastructure is critical. These threats can be intentional or accidental in nature. Threats can also be internal or external.
3. Collect and analyze vulnerability information (identification), (analysis)
4. Verification of vulnerability to defined risk. This will define and analyze the vulnerabilities that are related to the infrastructure. (identification), (analysis)
5. Documentation of both threats and vulnerabilities (catalog)
● Documentation of risk analysis will need to be completed with all relevant information.
6. Verification of process, procedures and standards in place for the organization (analysis)
● Once the documentation is presented to the risk assessment committee, the organizational guidelines and policies will need to be addressed with the risks in mind.
7. Evaluate and rank threats and vulnerabilities (analysis), (catalog)
● The risk assessment committee will need to rank, or be provided with a ranking of, threats and vulnerabilities. The committee will need to define if the risks are applicable and/or accepted. Accepted risks will be considered part of the risk appetite and the process will end. If the risk is applicable, the process will continue.
8. Recommendations for controls (catalog)
● Documentation will include recommendations for controls to be put in place to address risks.
9. Evaluate impact of controls (analysis)
● Verification of controls and their impact. If necessary, plan for outages, budget changes and new systems implementation.
10. Make necessary changes (catalog)
● Schedule and implement changes.
11. Audit and monitor systems (analysis), (catalog)
● Monitor system changes and audit. Ensure changes are accepted before moving forward to ending/restarting the process.
12. Restart process
● Once the process cycle is completed for the current risk that was defined, this process can be run again for the next threat/vulnerability pairing.
Examination in Defining & Understanding Threats Threats will typically expose vulnerabilities. This is something to be aware of when we are looking at vulnerabilities and how at risk something is. In securing information technology, we tend to use something called STRIDE. STRIDE is an acronym for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. It is important because it gives security professionals a way to analyze security issues against the typical threats that might be possible for an organization's infrastructure. For example, at Harry & Mae’s we have identified gaps inside the authentication process of users on specific systems. This is identified as a vulnerability at Harry & Mae’s. With that comes the threat of, say, spoofing, which could occur if the vulnerability isn’t addressed. Spoofing would allow users who are not who they say they are to log in to systems they should not have access to. This is why it's critical to understand and recognize threats and how the vulnerability could allow those threats to actually occur.
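The ranking, accept-or-continue decision and restart in steps 7, 8 and 12 of the process, applied to the risk/vulnerability/threat terms and the STRIDE spoofing example above, as an added Python example that is not part of the original presentation. The 1-5 likelihood and impact scales, every score, the STRIDE labels other than spoofing, and all class and function names are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum

class Stride(Enum):
    SPOOFING = "Spoofing"
    TAMPERING = "Tampering"
    REPUDIATION = "Repudiation"
    INFO_DISCLOSURE = "Information Disclosure"
    DENIAL_OF_SERVICE = "Denial of Service"
    ELEVATION = "Elevation of Privilege"

@dataclass
class Entry:
    risk: str               # what is at risk (step 1)
    vulnerability: str      # why it is at risk (steps 3-4)
    threat: str             # who or what acts on it (step 2)
    stride: Stride          # STRIDE category of the threat
    likelihood: int         # assumed 1-5 scale
    impact: int             # assumed 1-5 scale
    accepted: bool = False  # step 7: within the risk appetite
    control: str = ""       # step 8: recommended control, once written

    def score(self) -> int:
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"score out of range for {self.vulnerability!r}")
        return self.likelihood * self.impact

def triage(catalog):
    """Step 7: split accepted risks from open ones and rank the open ones."""
    accepted = [e for e in catalog if e.accepted]
    open_ = sorted((e for e in catalog if not e.accepted), key=Entry.score, reverse=True)
    return open_, accepted

def next_pairing(catalog):
    """Step 12: highest-ranked open pairing that still lacks a control."""
    open_, _ = triage(catalog)
    return next((e for e in open_ if not e.control), None)

# Constructed sample catalog; all scores and STRIDE labels are illustrative.
CATALOG = [
    Entry("systems", "dependence on power", "power outage",
          Stride.DENIAL_OF_SERVICE, 2, 4, accepted=True),
    Entry("systems", "gaps in user authentication", "external attackers",
          Stride.SPOOFING, 4, 5),
    Entry("network", "open WiFi access", "external attackers",
          Stride.INFO_DISCLOSURE, 3, 4),
    Entry("user accounts", "no password policy", "external attackers",
          Stride.SPOOFING, 4, 4, control="adopt a password policy"),
]
```

The accepted power entry drops out of the worklist, and `next_pairing(CATALOG)` returns the authentication gap as the pairing to take through steps 8 to 11 next.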