
Risk Assessment

MediPharm, Inc.
Main Production Facility
Campus Area Network

By: Duane
IAE-674-L11
MediPharm, Inc.
Main Production Facility
Building 100, room 110
Key Largo, FL 33037

June 2009

EXECUTIVE SUMMARY
The purpose of this Risk Assessment is to analyze MediPharm's campus area network and
identify potential threats to the confidentiality, integrity, and availability of the services the
network provides. It shows the strengths and weaknesses of the current network security
posture and determines whether existing safeguards need to be changed or modified, or
additional safeguards added.
This risk assessment was performed on the MediPharm Inc. Campus Area Network
environment from 16 through 30 June 2009. It was conducted to provide a qualitative risk
analysis of the campus area network security posture. The system is located within the
MediPharm campus in Key Largo, Florida. The primary purpose of the system is to process
payroll and administrative records for MediPharm Inc. personnel. Site personnel stated that the
system only processes sensitive unclassified and unclassified non-sensitive data, including
some Privacy Act data.
The corporation's assets and values are determined on a worst-case impact per
occurrence. Impact categories include Destruction, Modification, Disclosure and DoS
(Denial of Service). The total value of the corporation's assets for the system being analyzed
is estimated at $1,718,406. Once the threats and risk levels are identified, in-place safeguards
and existing vulnerabilities are identified. Recommended additional countermeasures
attempt to add cost-effective safeguards to the network to mitigate the existing
vulnerabilities. The results of the Risk Analysis will allow management to make decisions
that balance cost against system security.
An analysis of the threats reveals that the most serious issues requiring management
attention are the vulnerabilities within two threats: destruction or loss caused by hurricanes
or tropical storms, and the lack of security awareness. Existing safeguards have been identified
and should be tested. ST&E (Security Test and Evaluation) worksheets have been provided by
the design team but have not yet been executed; they are included in Appendix A.
The evaluation of four categories revealed twenty-two vulnerabilities in need of attention.
Two of the countermeasures are classified as Mandatory. Implementing the remaining
non-mandatory countermeasures will reduce the risk and should be applied as permitted. The
mandatory and recommended countermeasures are listed below.

MANDATORY

Establish Off-site Storage for Backups.

Implement Mandatory Security Awareness Training

RECOMMENDED

Install Water Removal Devices.

Install emergency generators and battery backup.

Implement redundant systems for partial failures.

Document Contingency plans and procedures.

Management should review the cost-effectiveness of these countermeasures, with respect to
the availability of financial and personnel resources or other constraints, and make a formal
determination on implementing the countermeasures.
This risk assessment should be reviewed by MediPharm Inc. every 3 years, when any major
change is made to the assets affecting the overall security posture, when any major change is
made to the data classification category, or when any change is made that appears to invalidate
the original conditions of accreditation of the network.

Risk Assessment Team


The Risk Assessment Team provided by Capitol Information Assurance (CIA), 11301
Springfield Rd., Laurel, MD 20708, (888) 522-7486, is as follows:

Prof Charles L. Cayot Jr.
Duane
Paul Meyer
Mark Sargent
Rex Monk

Local Campus Area Network Administration:

Name                 Position                                      Contact Number
Mr. Al Nevrtel       Information System Security Manager           N/A
Hal N. DeFirewal     Network Security Officer                      (999) 222-1151
Mr. Boon D. Ogle     System Manager                                (999) 222-1188
Mrs. Hope Yerhapy    Building 45 Terminal Area Security Officer    110-0101
Mrs. Anita Walker    Building 62 Terminal Area Security Officer    110-1010
Mr. I. M. Bonkerz    Building 12 Terminal Area Security Officer    110-1111

The Information System Security Manager, Mr. Al Nevrtel, is the Approval Authority.

Table of Contents

Table of Contents .... 4
Introduction .... 5
Asset Descriptions and Valuations .... 7
    Hardware .... 7
    Software .... 9
    Physical .... 11
Threat Descriptions .... 12
    Unauthorized Network Access .... 12
    Unauthorized Physical Access .... 14
    Natural Disaster .... 16
    Theft .... 18
Additional Recommended Countermeasures .... 20
Appendix A ST&E .... 24

Introduction
Risk Assessments (RAs) analyze a network with the goal of identifying potential
threats to the confidentiality, integrity, and availability of the services the network
provides. Once the threats are identified, in-place safeguards and existing vulnerabilities are
identified. Recommended additional countermeasures attempt to add cost-effective safeguards to
the network to mitigate the existing vulnerabilities.
The RA is comprised of five sections: Team Establishment, Asset Quantification, Threat
Identification, Risk Evaluation, and Additional Countermeasure Justification.
The Team Establishment section analyzes the system so that the appropriate team
members can be chosen to complete the RA. The team members are chosen based on their level
of expertise and responsibility within the corporation. It is important to identify the members of
the approval authority and the critical players because their support is instrumental in gaining
employee cooperation, access to the assets under analysis, and agreement on the scope of the RA.
The Asset Quantification section inventories the company's assets and assigns an
estimated value to each individual asset. The Threat Identification section identifies potential
threats to the network and assigns an impact level to each threat. The Risk Evaluation section
evaluates the risk associated with the vulnerabilities that threaten each individual asset and assigns
each one a risk level. The Additional Countermeasure section analyzes the feasibility of
additional safeguards that may be required in order to comply with federal regulations. Together
these sections assist those with approval authority in making the proper business decision.
The RA can only analyze a network's security posture and make
recommendations based on the analysis and on the regulations governing the administration of
computer networks. The responsibility for complying with these regulations and for making the final
decisions regarding the network falls to the approval authority.
This document contains a partial Risk Assessment (RA) for the MediPharm Inc. Campus
Area Network (CAN). The CAN is located in Key Largo, Florida. The RA was conducted in
June 2009. It contains an Asset Descriptions and Valuations section and a Threat Descriptions
section. The team is scheduled to have all sections of the RA completed within two weeks; the
final draft will be available by 31 July 2009.
The Asset Descriptions and Valuations section contains four subsections used to evaluate
each asset category: Valuation, Impact Category, Justification, and Total Asset Value. The
Valuation subsection describes the assets, explains why they fall in a particular Impact Category,
and establishes their values. The Impact Category subsection assigns one of four impact
categories to each asset category. The Justification subsection justifies the values established
for the assets in an asset category. The Total Asset Value subsection sums all established
asset values for a particular asset category.

There are four Impact Categories: Denial of Service (DoS), Disclosure, Modification, and
Destruction. DoS losses compromise the availability of assets and are limited to the period of time
it takes to regain availability of the assets. Disclosure losses compromise the confidentiality of data.
Modification losses compromise integrity. Destruction losses are due to assets being destroyed
and compromise availability. Each asset category is assigned the Impact Category of the most
severe case that may apply to it. This Risk Assessment is limited to evaluating the following asset
categories:

Hardware
Software
Physical

The Threat Descriptions section contains five subsections used to evaluate threats to the
network: Threat Identification, Existing Safeguards, Noted Vulnerabilities, Miscellaneous
Concerns, and Assessment of Risk. The Threat Identification subsection identifies and describes
potential threats to the network. The Existing Safeguards subsection identifies in-place
safeguards. The Noted Vulnerabilities subsection lists the noted network vulnerabilities.
Miscellaneous Concerns identifies additional issues that may be of concern. Assessment of Risk
assigns a risk level of High, Medium, Low, or Not Applicable (N/A) to threats. This RA is
limited to evaluating the following threats:

Unauthorized network access
Unauthorized physical access
Natural disaster
Theft

Asset Descriptions and Valuations


Hardware:

Valuation

Device Name             Manufacturer       Model Number              Dollar Value   Quantity
File Server             FS-R-US            Z series                  18,400         4
Mini-Computer           BOGUS Corp.        B-1000                    65,000         1
External Disk Drives    EMS                3880 RAID                 45,000         8
Drive Controllers       EMS                3880                      60,000         2
Tape Drives             BOGUS Corp.        4520                      20,000         4
Tape Drive Controller   BOGUS Corp.        4580                      15,000         1
RAS Server              MDS Corp.          1X/Pent V                 6,000          1
Firewall                Rattler Corp       R-40 FW                   16,000         1
IDS Monitor             SISCO              IDS-NG D                  50,000         1
IDS Sensors             SISCO              IDS-NG S                  27,000         2
Data Switches           SISCO              SISCO RX-7RotorSwitch     25,000         5
Data Routers            SISCO              SISCO 3660                60,000         3
VPN module              EMS                MX900                     1,500          1
PCs                     MicroSolid         Pentium/Athelon(3.2Ghz)   354,000        177
Printers                MDS Corp           Laser VI+                 20,000         20
SmartSwitches           Complexity Corp.   SSW-585                   2,000          20
Total:                                                               408,900

Table 1

All of the hardware is housed on the same campus. The Impact Category for this asset category
is Destruction. The area is susceptible to hurricanes and helicopter crashes, in addition to the other
hazards that normally endanger hardware housed in a single facility.
With the exception of terminal equipment and PCs, the same hardware configuration is
required if the current configuration is destroyed. Agreements with EMS Corp., MDS Corp., and
Gov Solutions Group are in place to assist in restoring the network.

Impact Category: Destruction

Justification: Replacement of the system entails the actual value of the hardware, the installation
and configuration of the hardware, and the cost associated with DoS. EMS is contracted to provide
service on EMS and BOGUS equipment between 6:00 a.m. and 12 midnight; they charge $140
per hour for hours worked outside of this time frame. MDS services their equipment from 8:00
a.m. to 4:00 p.m. and charges $140 per hour for hours worked outside of this time frame.
Gov Solutions Group, Inc. is under contract and will support the IT staff in restoring the entire
network. They estimate that if the facilities are still intact, it will take two days to restore critical
systems and an additional two weeks to order, receive, and implement replacement equipment.
This translates to a total of 96 work-week hours; it should be noted that EMS and MDS
technicians may be required for 24 hours beyond the two-week period.
At any given time during normal work hours, 80 users with an average pay rate of
$25.00/hr will be denied network services. The cost associated with DoS is $80,000.00. The
total cost to restore the network is the sum of the cost of the hardware, the cost for the hardware
to be installed and configured, and the cost associated with DoS. Table 2 lists the members of the
IT staff and their hourly rates. The asset value associated with hardware is $894,372.

Title                  Grade   Hourly Rate   96 hrs Pay
NSO                    P-3     $30.00        $2880
Sys. Programmer        P-3     $23.00        $2208
CAN Administrator      P-1     $22.00        $2112
CAN Assistant Admin    RA      $18.00        $1728
App. Programmer        P-2     $25.00        $2400
Lead Operator          P-2     $24.50        $2352
Operator               P-1     $19.50        $1872
Operator               P-1     $19.50        $1872
Processing Mgr.        P-5     $45.50        $4368
Cust Svc Mgr           P-3     $25.00        $2400
Cust Svc Tech          RA      $15.00        $1440
Cust Svc Tech          P-1     $20.00        $1920
Cust Svc Tech          P-1     $20.00        $1920
Total:                         $307.00       $29,472

Table 2

Total Asset Value: $518,372.00

Software:

Valuation

Software Name   Version       Type       Dollar Value   Ownership
BSVM            4.5           OS         N/A            Own
UNIX            5.0           OS         N/A            Own
Windows         Me            OS         N/A            Own
Windows         2K            OS         N/A            Own
Windows         XP Pro        OS         N/A            Own
BPTS            N/A           App        N/A            Own
CPS             N/A           App        N/A            Own
MESDES          N/A           App        N/A            Own
BODATS          N/A           DB         N/A            Own
RACK            4.0           App        7,000/year     Lease
TMS             5.2           App        10,000/year    Lease
C               N/A           Compiler   N/A            Own
COBOL           N/A           Compiler   2,000          Own
ADA             N/A           Compiler   12,000         Own
MDS UNIX        8.0           OS         3,000          Own
ROCKO           7.2           App        15,000         Own
Windows         2003 Server   OS         20,000         Own
RADIUS          N/A           App        4,000          Own
PAYACSYS        N/A           App        N/A            Own
PERSREC-DB      N/A           DB         N/A            Own
NTLM            2             App        N/A            Own
MS Office       2003 Pro      App        N/A            Own

Table 3

Some of the software was developed by MediPharm, and the offsite backup facility is
in a separate building but still on the same campus. The area is prone to hurricanes and
helicopter crashes. A hurricane or a helicopter crash may destroy the facility and the software
with it.

Impact Category: Destruction

Justification: Backup tapes are stored off site in another building but still on the same campus.
A hurricane could destroy both the main facility and the facility where the backups are stored.
MediPharm Inc. has indicated that it will take a systems software programmer six hours to
restore all software from the tape library. The software packages in Table 3 that are not leased
but have a Dollar Value associated with them have a replacement cost of $56,000.00.
At a rate of $23.00/hr the System Programmer would require a total of eight hours; this
translates to a cost of $184.00. The Total Asset Value for this asset category is $56,184.00.

Total Asset Value: $56,184.00
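The Hardware and Software justifications above apply the same worst-case, per-occurrence method: replacement cost of the assets, plus the labor to restore them, plus the cost of the denial of service while they are down. The following Python model is an added example, not tooling from the report or from MediPharm; it encodes Tables 1 through 3 and reproduces the Total Asset Value figures of $518,372 (Hardware) and $56,184 (Software). Two points are assumptions rather than statements of the report: the hardware replacement total counts only the rows through the VPN module, treating PCs, printers and smart switches as the terminal equipment the report says need not be replaced in the same configuration (that is the only reading under which Table 1 sums to $408,900), and the $80,000 DoS figure is modelled as 80 users at $25/hr for 40 hours of outage, since the report states only the result.

```python
"""Asset valuation model for the MediPharm RA (added example, not the report's own)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class HardwareItem:
    name: str
    value: int                    # Dollar Value column of Table 1
    quantity: int
    replace_on_loss: bool = True  # False for terminal equipment and PCs (assumption)


@dataclass(frozen=True)
class StaffMember:
    title: str
    grade: str
    hourly_rate: float            # Table 2


@dataclass(frozen=True)
class SoftwareItem:
    name: str
    value: Optional[int]          # None where Table 3 lists N/A
    leased: bool


# Table 1, values as listed in the report.
HARDWARE: List[HardwareItem] = [
    HardwareItem("File Server", 18_400, 4),
    HardwareItem("Mini-Computer", 65_000, 1),
    HardwareItem("External Disk Drives", 45_000, 8),
    HardwareItem("Drive Controllers", 60_000, 2),
    HardwareItem("Tape Drives", 20_000, 4),
    HardwareItem("Tape Drive Controller", 15_000, 1),
    HardwareItem("RAS Server", 6_000, 1),
    HardwareItem("Firewall", 16_000, 1),
    HardwareItem("IDS Monitor", 50_000, 1),
    HardwareItem("IDS Sensors", 27_000, 2),
    HardwareItem("Data Switches", 25_000, 5),
    HardwareItem("Data Routers", 60_000, 3),
    HardwareItem("VPN module", 1_500, 1),
    HardwareItem("PCs", 354_000, 177, replace_on_loss=False),
    HardwareItem("Printers", 20_000, 20, replace_on_loss=False),
    HardwareItem("SmartSwitches", 2_000, 20, replace_on_loss=False),
]

# Table 2, the IT staff engaged for the 96-hour restoration.
IT_STAFF: List[StaffMember] = [
    StaffMember("NSO", "P-3", 30.00),
    StaffMember("Sys. Programmer", "P-3", 23.00),
    StaffMember("CAN Administrator", "P-1", 22.00),
    StaffMember("CAN Assistant Admin", "RA", 18.00),
    StaffMember("App. Programmer", "P-2", 25.00),
    StaffMember("Lead Operator", "P-2", 24.50),
    StaffMember("Operator", "P-1", 19.50),
    StaffMember("Operator", "P-1", 19.50),
    StaffMember("Processing Mgr.", "P-5", 45.50),
    StaffMember("Cust Svc Mgr", "P-3", 25.00),
    StaffMember("Cust Svc Tech", "RA", 15.00),
    StaffMember("Cust Svc Tech", "P-1", 20.00),
    StaffMember("Cust Svc Tech", "P-1", 20.00),
]

# Table 3, only the rows that carry a dollar value (all other rows are N/A).
SOFTWARE: List[SoftwareItem] = [
    SoftwareItem("RACK", 7_000, leased=True),
    SoftwareItem("TMS", 10_000, leased=True),
    SoftwareItem("COBOL", 2_000, leased=False),
    SoftwareItem("ADA", 12_000, leased=False),
    SoftwareItem("MDS UNIX", 3_000, leased=False),
    SoftwareItem("ROCKO", 15_000, leased=False),
    SoftwareItem("Windows 2003 Server", 20_000, leased=False),
    SoftwareItem("RADIUS", 4_000, leased=False),
    SoftwareItem("PAYACSYS", None, leased=False),
]


def hardware_replacement_value(items=HARDWARE) -> int:
    """Dollar value of the hardware that must be replaced in the same configuration."""
    return sum(i.value for i in items if i.replace_on_loss)


def restore_labor_cost(staff=IT_STAFF, hours: int = 96) -> float:
    """Pay for the IT staff over the restoration period (Table 2, '96 hrs Pay')."""
    return sum(s.hourly_rate * hours for s in staff)


def dos_cost(users: int = 80, hourly_rate: float = 25.0, outage_hours: int = 40) -> float:
    """Productivity lost while users are denied service (40 hours is an assumption)."""
    return users * hourly_rate * outage_hours


def hardware_total_asset_value() -> float:
    """Replacement + restoration labor + DoS: the report's Destruction valuation."""
    return hardware_replacement_value() + restore_labor_cost() + dos_cost()


def software_total_asset_value(items=SOFTWARE, programmer_rate: float = 23.0,
                               restore_hours: int = 8) -> float:
    """Owned packages with a replacement cost, plus the programmer's restore time."""
    replacement = sum(i.value for i in items if not i.leased and i.value is not None)
    return replacement + programmer_rate * restore_hours


if __name__ == "__main__":
    print(f"Hardware replacement:       ${hardware_replacement_value():,}")
    print(f"Hardware Total Asset Value: ${hardware_total_asset_value():,.2f}")
    print(f"Software Total Asset Value: ${software_total_asset_value():,.2f}")
```

Changing a single input (an outage estimate, a staff rate, a leased-versus-owned flag) re-derives the category total, which is the property a reviewer wants when the figures in the prose and the tables are checked against each other.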


Physical:

Valuation

Item                              Dollar Value   Quantity
Backup Tapes                      5000           250
Spare Toner Cartridges            200            4
Spare RAID disk pack              850            1
Various Miscellaneous PC parts    4,000
Computer Room                     725,000        5,000 Sq ft
Total:                            735,050

Table 4

The physical assets are prone to the same vulnerabilities as the rest of the campus. The
Impact Category is Destruction. The physical assets are located in an area prone to hurricanes and
in the path of helicopter traffic.

Impact Category: Destruction

Justification: This asset category only requires assets to be replaced, although the computer room may
require some engineering if the same configuration is not maintained. The costs for this asset
category are simple with only minor variables; therefore the asset value for this asset category is
$735,050.00.

Total Asset Value: $735,050.00


Threat Descriptions
Identification

Unauthorized Network Access


Unauthorized network access is detrimental to the confidentiality, integrity, and availability
of the network. Although the network is password protected, access may still be gained through covert or
overt means. Password protection by itself can be defeated by password-cracking applications,
or an authorized user may simply volunteer the password to unauthorized personnel.

Existing Safeguards

The system generates an audit log that identifies the user who is signing on, what files
are being opened, and pass/fail login attempts.
A web server is not part of the network.
Users are grouped, and access privileges are justified before they are approved.
NTLMv2 is used for authentication.
A sealed envelope is used to deliver the initial password, which must be changed immediately.
Passphrases must be at least 15 alphanumeric characters.
Administrators do not compromise their passwords and change them frequently.
Access to data files is restricted by the RACK privilege structure, and users can encrypt
and protect their files with passwords.
Passwords do not echo back.
Terminal Area Security Officers (TASOs) are appointed for all user areas.
A Network Security Officer is appointed.
Network Interface Cards (NICs) are all IPSEC-enhanced.
The Internet connection is protected by a firewall and IDS.
The firewalls and the exchange server filter e-mail attachments containing mobile code and
scripts.
UNIX systems use Tripwire.
Routers only allow updates through the console port.
Anti-virus programs are employed on workstations and servers.
FTP traffic is not allowed.
ICMP responses are filtered.
Wireless access is not authorized.

Noted Vulnerabilities

The NSO has too many responsibilities, and the company may be vulnerable if he leaves.
IT security awareness training is rare.
User passwords are only changed semi-annually.
A card for password creation exists, but no Standard Operating Procedures (SOPs) exist
for password creation.
Users have disclosed passwords to other users.
Security access procedures have not been formally documented.
Procedures governing terminated employees' computer access do not exist.
There are no personnel assigned to monitor the system between 11 p.m. and 7 a.m.
No one is mandated to run regular scans on the network.
Hackers have attempted to gain access to the system.
Unauthorized network access may be gained through the VPN or RAS.
There is unauthorized user Internet activity.
The e-mail server is improperly configured to filter e-mail.

Miscellaneous Concerns

Contractors may have access to the network.
Automatic log-off is not configured.
BODATS (Bowling League Database system) may present a vulnerability to the network.
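The audit log listed under Existing Safeguards (sign-on user, files opened, pass/fail login attempts) only reduces risk if someone reads it, and the vulnerabilities above say that nobody monitors the system between 11 p.m. and 7 a.m., that hackers have already attempted access, that the VPN and RAS are possible entry paths, and that no procedure revokes a terminated employee's access. The Python script below is an added example, not part of the report or of MediPharm's tooling: it runs a few detection rules over a constructed sample of such a log, flagging bursts of failed logins, a success immediately after such a burst, remote logins during the unstaffed hours, and logins by accounts that should have been disabled. The log line format, the user names, the terminated-user list and the thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of the audit log the report describes: sign-on user,
# files opened and pass/fail login attempts. The line format and the user
# names are assumptions for this example, not the CAN's actual log format.
SAMPLE_LOG = """\
2009-06-17 08:02:11 LOGIN PASS user=awalker src=LAN
2009-06-17 08:05:40 FILE OPEN user=awalker path=/payroll/june.dat
2009-06-17 23:41:05 LOGIN FAIL user=bdogle src=RAS
2009-06-17 23:41:19 LOGIN FAIL user=bdogle src=RAS
2009-06-17 23:41:33 LOGIN FAIL user=bdogle src=RAS
2009-06-17 23:41:50 LOGIN FAIL user=bdogle src=RAS
2009-06-17 23:42:08 LOGIN PASS user=bdogle src=RAS
2009-06-18 02:15:00 LOGIN PASS user=hyerhapy src=VPN
this line is malformed and must not crash the parser
2009-06-18 09:30:00 LOGIN PASS user=tleft src=LAN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<event>LOGIN|FILE) (?P<result>\S+) "
    r"user=(?P<user>\S+)(?: src=(?P<src>\S+))?(?: path=(?P<path>\S+))?$"
)

# Hours when nobody is assigned to monitor the system (11 p.m. to 7 a.m.).
UNSTAFFED_START, UNSTAFFED_END = 23, 7
# Entry points the report names as possible unauthorized-access paths.
REMOTE_SOURCES = {"RAS", "VPN"}
# Constructed: accounts reported as terminated. The report notes that no
# procedure exists to revoke such access, so the log is the only check.
TERMINATED_USERS = {"tleft"}


def parse(log_text):
    """Turn raw audit lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(rec)
    return events


def is_unstaffed(ts):
    """True between 11 p.m. and 7 a.m., when no one is watching the console."""
    return ts.hour >= UNSTAFFED_START or ts.hour < UNSTAFFED_END


def find_findings(events, fail_threshold=3, window=timedelta(minutes=5)):
    """Apply the detection rules in log order; returns (rule, user, timestamp) tuples."""
    findings = []
    recent_fails = defaultdict(list)   # user -> failure timestamps inside the window
    for e in events:
        if e["event"] != "LOGIN":
            continue                   # FILE OPEN lines are not login events
        user, ts = e["user"], e["ts"]
        if e["result"] == "FAIL":
            recent_fails[user] = [t for t in recent_fails[user] if ts - t <= window]
            recent_fails[user].append(ts)
            # Fire once, when the threshold is first reached (password guessing).
            if len(recent_fails[user]) == fail_threshold:
                findings.append(("repeated_failures", user, ts))
        elif e["result"] == "PASS":
            if user in TERMINATED_USERS:
                findings.append(("terminated_user_login", user, ts))
            if e["src"] in REMOTE_SOURCES and is_unstaffed(ts):
                findings.append(("unstaffed_remote_login", user, ts))
            # A success right after a burst of failures is the outcome a
            # guessing attempt produces, so that session deserves review.
            if recent_fails[user] and ts - recent_fails[user][-1] <= window:
                findings.append(("success_after_failures", user, ts))
    return findings


def summarize(findings):
    """Count findings per rule, suitable for a daily report to the NSO."""
    counts = defaultdict(int)
    for rule, _, _ in findings:
        counts[rule] += 1
    return dict(counts)


if __name__ == "__main__":
    results = find_findings(parse(SAMPLE_LOG))
    for rule, user, ts in results:
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {rule:<24} {user}")
    print(summarize(results))
```

Run against a day's log, the script gives the NSO a short list to review each morning, which is the cheapest way to get some coverage of the unstaffed hours until the recommended 24/7 staffing is funded; the thresholds and window should be tuned to the site's real login volume before the rules are relied on.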
Assessment of Risk

ASSET             RATING           IMPACT DESCRIPTION
Hardware          Low
Software          High
Data              High
Administrative    Moderate
Personnel         Low
Facility          Not Applicable
Communications    High
User Areas        Not Applicable

Table 5

Identification

Unauthorized Physical Access


Unauthorized physical access can be gained if individuals are not properly challenged at
the entrance to facilities. Doors and windows propped open, left unlocked, or not properly
latched when closed, or an unsecured entrance point that can be exploited, all represent
vulnerabilities to unauthorized access. It may permit an attack on the system to be conducted from
inside the facilities. This could impact the confidentiality, integrity, and availability of the system
or may present a danger to employees.

Existing Safeguards

Emergency procedures have been developed.
TASOs are appointed for all user areas.
The Corporate Security Officer maintains personnel clearances.
Personnel wear color-coded security badges.
Lighting conforms to NIST perimeter protection standards.
Restricted Area signs and access lists are posted.
The building entrance has a cipher lock, and other doors have fire alarm crash bars.
Visitors must sign in, wear a badge, and be escorted.
Guards are posted at the entrance, where they can view the security monitors, and they
perform random security checks at night.
Rooms that house the system have cipher locks at the entrance, and other doors have fire
alarm crash bars.

Noted Vulnerabilities

Escort procedures are not followed.
Escort procedures are not documented.
Staff is not maintained on a 24/7 basis.

Miscellaneous Concerns

Security monitors are disabled if power is unavailable.
All windows in the facility must be secured.
Raised floors and drop ceilings are present.

Assessment of Risk

ASSET             RATING      IMPACT DESCRIPTION
Hardware          Moderate
Software          Moderate
Data              Moderate
Administrative    Moderate
Personnel         Moderate
Facility          Moderate
Communications    Low
User Areas        Moderate

Table 6

Identification

Natural Disaster
Natural disasters are capable of destruction. Hurricanes and tropical storms occur often in
this area and have been, and will continue to be, a vulnerability for this location.

Existing Safeguards

Contracts are in place to restore the network.
Emergency procedures have been developed.
Evacuation plans and fire bills are posted.
Lighted exit signs are installed over building doors.
Emergency lighting is available for computer spaces.
A UPS is in place and provides power to the system and the dedicated air conditioning
system in case of a power outage.
Automatic dry-pipe water sprinklers, CO2 fire extinguishers, and halon room
extinguishers with a one-minute warning alarm are used to protect the facilities.
A pull-type fire alarm alerts personnel and the fire department.
There is a water alarm in place in case of flood.
Plastic sheets are available to protect equipment from water damage.

Noted Vulnerabilities

A redundant system is not available in the event of partial failure.
Tropical storms and hurricanes cause flooding.
Power outages are common with severe storms and weather.

Miscellaneous Concerns

Sump pumps should be used in case of flooding.
The offsite facility where backups are stored is on the same campus.
Halon is an ozone-depleting substance but very effective against fire.

Assessment of Risk

ASSET             RATING      IMPACT DESCRIPTION
Hardware          High
Software          High
Data              Moderate
Administrative    Moderate
Personnel         Moderate
Facility          High
Communications    High
User Areas        High

Table 7

Identification

Theft
Any institution may experience theft. Theft can be committed by employees, contractors
or visitors. Monitoring and inventories are deterrents to theft. Guards posted at the entrances to
the facilities with scanning equipment can monitor what is brought in and what is allowed to be
brought out of the facility.

Existing Safeguards

Emergency procedures have been developed.
TASOs are appointed for all user areas.
The Corporate Security Officer maintains personnel clearances.
Personnel wear color-coded security badges.
Lighting conforms to NIST perimeter protection standards.
The entrance has a cipher lock, and other doors have fire alarm crash bars.
Visitors must sign in, wear a badge, and be escorted.
Guards are posted at the entrance, where they can view the security monitors, and they
perform random security checks at night.
Rooms that house the system have cipher locks at the entrance, and other doors have fire
alarm crash bars.
Theft has not occurred in the facility in ten years.
An inventory of assets has been performed.

Noted Vulnerabilities

Escort procedures are not followed.
Escort procedures are not documented.
Staff is not maintained on a 24/7 basis.

Miscellaneous Concerns

Security monitors are disabled if power is unavailable.
All windows in the facility must be secured.
Background checks are not performed on contractors and janitorial staff.

Assessment of Risk

ASSET             RATING      IMPACT DESCRIPTION
Hardware          Low
Software          Low
Data              Low
Administrative    Moderate
Personnel         Low
Facility          Low
Communications    Low
User Areas        Low

Table 8

Additional Recommended Countermeasures

This section of the RA was completed by other team members. A few of the worksheets are
included.


ADDITIONAL COUNTERMEASURES DESCRIPTION WORKSHEET

1. COUNTERMEASURE NAME
   Maintain Guards 24/7.

2. DESCRIPTION
   This countermeasure requires maintaining security guards 24/7.

3. VULNERABILITIES COUNTERACTED
   Unauthorized access

4. AREAS OF CONCERN: Confidentiality, Integrity, Availability

5. ESTIMATED ANNUAL COST
   The cost of this countermeasure requires maintaining security guards at the entrances of
   building 100 and building 45. The annual cost of contracting additional guards during off
   hours is $1200/week times 52 = $62,400.

ADDITIONAL COUNTERMEASURES DESCRIPTION WORKSHEET

1. COUNTERMEASURE NAME
   Back up Power

2. DESCRIPTION
   This countermeasure requires that emergency generators be installed and maintained. In
   the event of power loss the generator would supply power to essential equipment.
   Non-essential equipment would remain on battery backup for 18 hours.

3. VULNERABILITIES COUNTERACTED
   Power failure

4. IMPACTS PROTECTED: Availability

5. ANNUAL COST
   Costs include initial installation of generators plus annual maintenance fees.

ADDITIONAL COUNTERMEASURES EVALUATION WORKSHEET

1. COUNTERMEASURE NAME: Document Contingency Plan and Procedures

2. DESCRIPTION
   The plan and procedures should detail emergency response and the appropriate activities
   required for a contingent situation and should provide a suitable return to normal automated
   operations. This countermeasure is estimated to require 100 hours each for the NSO, a CAN
   administrator, and administrative support to research, develop and document the procedures.

3. IMPACTS: Confidentiality, Integrity, Availability

3. VULNERABILITIES COUNTERACTED:
   Contingency plan has not been documented and tested.
   Data and software backups are not stored off-site.

4. IMPACTS PROTECTED: Availability

5. ESTIMATED ANNUAL COST:
   1 NSM (03) x $25.21/hour x 100 hours  = $ 2,521
   3 contractors x $80/hour x 100 hours  = $ 24,000
   TOTAL:                                  $ 26,521

Appendix A ST&E

Test Procedures Form

Test Number: P-1
COUNTERMEASURE NAME: Physical Security
COUNTERMEASURE CATEGORY: Physical
TEST PREPARED: 16 June 2009
TEST PERFORMED:
TEST PERSONNEL:
TEST ENVIRONMENT REQUIRED: Area below the raised floor and area above the ceiling tiles around the
perimeter of the computer room.
REQUIRED PERSONNEL/DATA: Maintenance Engineer.
TEST DURATION: 1 hour
TEST OBJECTIVE: Verify the physical security of the computer room.
TEST STEPS:

Have the maintenance engineer use a ladder and flashlight to verify that the walls around the computer
room extend above the drop ceiling.
Have the maintenance engineer use a flashlight to verify that the walls around the computer room extend below
the raised flooring.

TEST PASS CRITERIA: Walls around the computer room extend above the ceiling and below the raised floor.

TEST PASS:

Comments:

TEST FAIL:

Test Procedures Form

Test Number: A-1
COUNTERMEASURE NAME: Contingency Plan Testing
COUNTERMEASURE CATEGORY: Administrative
TEST PREPARED: 16 June 2009
TEST PERFORMED:
TEST PERSONNEL:
TEST ENVIRONMENT REQUIRED: N/A
REQUIRED PERSONNEL/DATA: Network Security Officer (NSO) / Current documentation of
Contingency Plan test results.
TEST DURATION: 20 minutes
TEST OBJECTIVE: Verify that Contingency Plan Testing is completed annually and documented.
TEST STEPS:

Verify with the NSO that the Contingency Plan is tested at least annually.
Request that the NSO provide documented test results.

TEST PASS CRITERIA: The contingency plan is tested at least annually and results are documented.

TEST PASS:

Comments:

TEST FAIL:
