MediPharm, Inc.
Main Production Facility
Campus Area Network
By: Duane
IAE-674-L11
MediPharm, Inc.
Main Production Facility
Building 100, room 110
Key Largo, FL 33037
June 2009
EXECUTIVE SUMMARY
The purpose of this Risk Assessment is to analyze MediPharm's campus area network and
identify potential threats to the confidentiality, integrity, and availability of the services a
network provides. It will show the strengths and weaknesses of its current network security
posture and determine whether the need exists to change or modify existing safeguards or add
additional safeguards.
This risk assessment was performed on the MediPharm Inc. Campus Area Network
environment from 16 through 30 June 2009. It was conducted to provide a qualitative risk
analysis of the campus area network security posture. The system is located within the
MediPharm campus in Key Largo, Florida. The primary purpose of the system is to process
payroll and administrative records for MediPharm Inc. personnel. Site personnel stated the
system only processes sensitive unclassified and unclassified non-sensitive data, including
some Privacy Act data.
The corporation's assets and values are determined on a worst-case impact per
occurrence. Impact categories include: Destruction, Modification, Disclosure and DoS
(Denial of Service). The total value of the corporation's assets for the system being analyzed
is estimated at $1,718,406. Once the threats and risk levels are identified, in-place safeguards
and existing vulnerabilities are identified. Recommended additional countermeasures
attempt to add cost-effective safeguards to the network to mitigate the existing
vulnerabilities. The results of the Risk Analysis will allow management to make decisions
regarding best cost and system security.
An analysis of the threats reveals that the most serious issues requiring management
attention are vulnerabilities within the two threats of Destruction or loss caused by Hurricanes
or Tropical Storms and the lack of Security Awareness. Existing safeguards have been identified
and should be tested. ST&E (Security Test and Evaluation) worksheets have been provided by
the design team but have not yet been executed. They are included in Appendix A.
The evaluation of four categories revealed twenty-two vulnerabilities in need of attention.
Two of the countermeasures are classified as Mandatory. Implementing the remaining
non-mandatory countermeasures will reduce the risk and should be applied as permitted. The
mandatory and recommended countermeasures are listed below.
MANDATORY
RECOMMENDED
Position
Contact Number
Mr. Al Nevrtel
N/A
Hal N. DeFirewal
(999) 222-1151
System Manager
(999) 222-1188
110-0101
110-1010
Mr. I. M. Bonkerz
110-1111
The Information System Security Manager, Mr. Al Nevrtel, is the Approval Authority.
Table of Contents
Introduction
Risk Assessments (RAs) attempt to analyze a network with the goal of identifying
potential threats to the confidentiality, integrity, and availability of the services a network
provides. Once the threats are identified, in-place safeguards and existing vulnerabilities are
identified. Recommended additional countermeasures attempt to add cost-effective safeguards to
the network to mitigate the existing vulnerabilities.
The RA is comprised of five sections: Team Establishment, Asset Quantification, Threat
Identification, Risk Evaluation, and an Additional Countermeasure Justification.
The Team Establishment section analyzes the system so that the appropriate team
members can be chosen to complete the RA. The team members are chosen based on their level
of expertise and responsibility within the corporation. It is important to identify the members of
the approval authority and critical players because their support is instrumental in gaining
employee cooperation, access to assets under analysis, and defining the scope of the RA.
The Asset Quantification section inventories the company's assets and assigns an
estimated value to each individual asset. The Threat Identification section identifies potential
threats to the network and assigns an impact level to each threat. The Risk Evaluation section
evaluates the risk associated with vulnerabilities that threaten each individual asset and assigns
each one a risk level. The Additional Countermeasure section analyzes the feasibility of
additional safeguards that may be required in order to comply with federal regulations. These
sections combined will assist those with approval authority to make the proper business decision.
The RA can only serve to analyze a network's security posture and make
recommendations based on the analysis and regulations governing the administration of
computer networks. The responsibility of complying with these regulations and making the final
decisions regarding the network falls to the approval authority.
This document contains a partial Risk Assessment (RA) for the MediPharm Inc. Campus
Area Network (CAN). The CAN is located in Key Largo, Florida. The RA was conducted in
June 2009. It contains an Asset Descriptions and Valuations section and a Threat Descriptions
section. The team is scheduled to have all sections of the RA completed within two weeks. The
final draft will be available by 31 July 2009.
The Asset Description and Valuation section entails four subsections used to evaluate
particular asset categories: Valuation, Impact Category, Justification, and Total Asset Value. The
Valuation subsection describes assets and the reasons why they are in a particular Impact
Category; it also ascertains their values. The Impact Category subsection assigns one of four impact
categories to each asset category. The Justification subsection justifies ascertained asset values
for the assets in an asset category. The Total Asset Value subsection sums all ascertained
asset values of a particular asset category.
There are four Impact Categories: Denial of Service (DoS), Disclosure, Modification, and
Destruction. DoS losses compromise availability of assets and are limited to the period of time it
takes to regain availability of the assets. Disclosure losses compromise confidentiality of data.
Modification losses compromise integrity. Destruction losses are due to assets being destroyed
and compromise availability. Each asset category is assigned the Impact Category of the most
severe case that may apply to it. This Risk Assessment is limited to evaluating the following asset
categories:
Hardware
Software
Physical
The Threat Description section entails five subsections used to evaluate threats to the
network: Threat Identification, Existing Safeguards, Noted Vulnerabilities, Miscellaneous
Concerns, and Assessment of Risk. The Threat Identification subsection identifies and describes
potential threats to the network. The Existing Safeguards subsection identifies in-place
safeguards. The Noted Vulnerability subsection lists the noted network vulnerabilities.
Miscellaneous Concerns identifies additional issues that may be of concern. Assessment of risk
assigns a risk level of High, Medium, Low, or Not Applicable (N/A) to threats. This RA is
limited to evaluating the following threat:
408,900
Table 1
All of the hardware is housed in the same campus. The Impact Category for this asset category
is Destruction. The area is susceptible to hurricanes and helicopter crashes, in addition to other
hazards that normally endanger hardware that is housed in the same facility.
With the exception of terminal equipment and PCs, the same hardware configuration is
required if the current configuration is destroyed. Agreements with EMS Corp., MDS Corp., and
Gov Solutions Group are in place to assist in restoring the network.
Justification: Replacement of the system entails the actual value of the hardware, installation
and configuration of hardware, and the cost associated with DoS. EMS is contracted to provide
services on EMS and BOGUS equipment between 6:00 a.m. and 12 midnight; they charge $140
per hour for hours worked outside of this time frame. MDS services their equipment from 8:00
a.m. to 4:00 p.m. They charge $140 per hour for hours worked outside of this time frame.
Gov Solutions Group, Inc. is under contract and will help the IT staff restore the entire
network. They estimate that if the facilities are still intact, it will take two days to restore critical
systems and an additional two weeks to order, receive, and implement replacement equipment.
This translates to a total of 96 work week hours. It should be noted that EMS and MDS
technicians may be required for 24 hours beyond the two-week period.
At any given time during normal work hours, 80 users with an average pay rate of
$25.00/hr will be denied the network services. The cost associated with DoS is $80,000.00. The
total cost to restore the network is the sum of the cost of the hardware, the cost for the hardware
to be installed and configured, and the cost associated with DoS. Table 2 lists the members of the
IT staff and their hourly rate. The asset value associated with hardware is $894,372.
Title                  Grade   Hourly Rate   96 hrs Pay
NSO                    P-3     $30.00        $2880
Sys. Programmer        P-3     $23.00        $2208
CAN Administrator      P-1     $22.00        $2112
CAN Assistant Admin    RA      $18.00        $1728
App. Programmer        P-2     $25.00        $2400
Lead Operator          P-2     $24.50        $2352
Operator               P-1     $19.50        $1872
Operator               P-1     $19.50        $1872
Processing Mgr.        P-5     $45.50        $4368
Cust Svc Mgr           P-3     $25.00        $2400
Cust Svc Tech          RA      $15.00        $1440
Cust Svc Tech          P-1     $20.00        $1920
Cust Svc Tech          P-1     $20.00        $1920
Total:                         $307.00       $29,472
Table 2
Software:
Valuation
Software Name   Version       Type       Dollar Value   Ownership
BSVM            4.5           OS         N/A            Own
UNIX            5.0           OS         N/A            Own
Windows         Me            OS         N/A            Own
Windows         2K            OS         N/A            Own
Windows         XP Pro        OS         N/A            Own
BPTS            N/A           App        N/A            Own
CPS             N/A           App        N/A            Own
MESDES          N/A           App        N/A            Own
BODATS          N/A           DB         N/A            Own
RACK            4.0           App        7,000/year     Lease
TMS             5.2           App        10,000/year    Lease
C               N/A           Compiler   N/A            Own
COBOL           N/A           Compiler   2,000          Own
ADA             N/A           Compiler   12,000         Own
MDS UNIX        8.0           OS         3,000          Own
ROCKO           7.2           App        15,000         Own
Windows         2003 Server   OS         20,000         Own
RADIUS          N/A           App        4,000          Own
PAYACSYS        N/A           App        N/A            Own
PERSREC-DB      N/A           DB         N/A            Own
NTLM            2             App        N/A            Own
MS Office       2003 Pro      App        N/A            Own
Table 3
Some of the software was developed by MediPharm, and the offsite backup facility is
in a separate building but still on the same campus. The area is prone to hurricanes and
helicopter crashes. A hurricane or a helicopter crash may destroy the facility and the software
with it.
Justification: Backup tapes are stored off site in another building but still on the same campus.
A hurricane could destroy both the main facility and the facility where the backup is stored.
MediPharm Inc. has indicated that it will take a systems software programmer six hours to
restore all software from the tape library. The software packages in Table 3 that are not leased
but have a Dollar Value associated with them have a cost of $56,000.00 associated with
replacement. At a rate of $23.00/hr the System Programmer would work a total of eight hours; this
translates to a cost of $184.00. The Total Asset Value for this asset category is $56,184.00.
Physical:
Valuation
Quantity      Item                     Dollar Value
250           Backup Tapes             5000
4             Spare Toner Cartridges   200
1             Spare RAID disk pack     850
Various       Miscellaneous PC parts   4,000
5,000 Sq ft   Computer Room            725,000
Total:                                 735,050
Table 4
The physical assets are also prone to the same vulnerabilities as the rest of the campus. The
Impact Category is destruction. The physical assets are located in an area prone to hurricanes and
are located in the path of helicopter traffic.
Impact Category: Destruction
Justification: This asset category only requires assets to be replaced; the computer room may
require some engineering if the same configuration is not maintained. The costs for this asset
category are simple with only minor variables; therefore the asset value for this asset category is
$735,050.00.
Total Asset Value: $735,050.00
Threat Descriptions
Identification
The system generates an audit log that identifies the user who is signing on, what files
are being opened, and pass/fail login attempts.
A web server is not part of the network.
Users are grouped and access privileges are justified before they are approved.
NTLMv2 is used for authentication.
A sealed envelope is used to deliver the initial password, which must be changed immediately.
Passphrases have a 15-alphanumeric-character minimum.
Administrators do not compromise their passwords and change them frequently.
Access to data files is restricted by the RACK privilege structure, and users can encrypt
and protect their files with passwords.
Passwords do not echo back.
Terminal Area Security Officers (TASOs) are appointed for all user areas.
The Network Security Officer is appointed.
Network Interface Cards (NICs) are all IPSEC-enhanced.
Internet connection protected by firewall and IDS.
Firewalls and the exchange server filter e-mail attachments with mobile code and
scripts.
UNIX uses Tripwire.
Routers only allow updates through the console port.
Anti-virus programs are employed by workstations and servers.
FTP traffic is not allowed.
ICMP responses are filtered.
Wireless access is not authorized.
Noted Vulnerabilities
The NSO has too many responsibilities and the company may be vulnerable if he leaves.
IT security awareness training is rare.
User passwords are only changed semi-annually.
A card for password creation exists, but no Standard Operating Procedures (SOPs) exist
for password creation.
Users have disclosed passwords to other users.
Security Access Procedures have not been formally documented.
Procedures governing terminated employee computer access do not exist.
There are no personnel assigned to monitor the system between 11 p.m. and 7 a.m.
No one is mandated to run regular scans on the network.
Hackers have attempted to gain access to the system.
Unauthorized network access may be gained through the VPN or RAS.
There is unauthorized user internet activity.
The e-mail server is improperly configured to filter e-mail.
Miscellaneous Concerns
ASSET            RATING           IMPACT DESCRIPTION
Hardware         Low
Software         High
Data             High
Administrative   Moderate
Personnel        Low
Facility         Not Applicable
Communications   High
User Areas       Not Applicable
Table 5
Identification
Existing Safeguards
Noted Vulnerabilities
Miscellaneous Concerns
Assessment of Risk
ASSET            RATING
Hardware         Moderate
Software         Moderate
Data             Moderate
Administrative   Moderate
Personnel        Moderate
Facility         Moderate
Communications   Low
User Areas       Moderate
Table 6
Identification
Natural Disaster
Natural disasters are capable of destruction. Hurricanes and tropical storms occur often in
this area and have been and will continue to be a vulnerability for this location.
Existing Safeguards
Noted Vulnerabilities
Redundant system is not available in the event of partial failure.
Tropical storms and Hurricanes cause flooding.
Power outages are common with severe storms and weather.
Miscellaneous Concerns
Assessment of Risk
ASSET            RATING
Hardware         High
Software         High
Data             Moderate
Administrative   Moderate
Personnel        Moderate
Facility         High
Communications   High
User Areas       High
Table 7
Identification
Theft
Any institution may experience theft. Theft can be committed by employees, contractors
or visitors. Monitoring and inventories are deterrents to theft. Guards posted at the entrances to
the facilities with scanning equipment can monitor what is brought in and what is allowed to be
brought out of the facility.
Existing Safeguards
Noted Vulnerabilities
Miscellaneous Concerns
Assessment of Risk
ASSET            RATING           IMPACT DESCRIPTION
Hardware         Low
Software         Low
Data             Low
Administrative   Moderate
Personnel        Low
Facility         Low
Communications   Low
User Areas       Low
Table 8
This section of the RA was completed by other team members. A few of the worksheets are
included.
1. COUNTERMEASURE NAME
Maintain Guards 24/7.
2. DESCRIPTION
This countermeasure requires maintaining security guards 24/7.
3. VULNERABILITIES COUNTERACTED
Unauthorized access
4.
5.
1. COUNTERMEASURE NAME
Backup Power
2. DESCRIPTION
3. VULNERABILITIES COUNTERACTED
Power failure
4. IMPACTS PROTECTED:
Availability
5. ANNUAL COST
1. COUNTERMEASURE NAME:
3. IMPACTS:
2. DESCRIPTION
The plan and procedures should detail emergency response and appropriate activities
required for a contingent situation and should provide a suitable return to normal automated
operations. This countermeasure is estimated to require 100 hours each for the NSO, a CAN
administrator, and administrative support to research, develop and document the procedures.
3. VULNERABILITIES COUNTERACTED:
Contingency plan has not been documented and tested.
Data and software backups are not stored off-site.
4.
5.
= $ 2,521
= $ 24,000
TOTAL: $ 26,521
Appendix A ST&E
Test Procedures Form
Test Number: P-1
Have the maintenance engineer use a ladder and flashlight to verify that the walls around the
computer room go above the drop ceiling.
Have the maintenance engineer use a flashlight to verify that the walls around the computer room
go below the raised flooring.
TEST PASS CRITERIA: Walls around computer room go above ceiling and below raised floor
TEST PASS:
Comments:
TEST FAIL:
Verify with the NSO that the Contingency Plan is tested at least annually.
Request the NSO provide documented test results.
TEST PASS CRITERIA: The contingency plan is tested at least annually and results are documented.
TEST PASS:
Comments:
TEST FAIL: