Memo
To: Private Investigators LLP
From: xxx
Date: xxx
Re: Cyber Security Analysis
This memorandum has been written to outline the current threats facing the XYZ Private Investigation LLP and possible mitigation steps for them. The Cyber Security Analysis was requested and approved by John Smith and the areas reviewed were the production server, client workstations and the web server. Each of these areas were carefully looked at, in some cases employee follow-ups were made to prior complaints and a derivative of the top five threats were documented.

The first area of concern is the production server used on a daily basis by your organization and contains vital information to your organization, as well as confidential and personal information about your clients. This server would be an attacker’s main target as it is the central location for data that could prove to be fruitful to an attacker. This area of concern was examined and the top five threats identified were virus protection, backdoor vulnerabilities, system updates and/or patching, physical security and logical security.

Production Server
The production server is generally a server that runs many crucial services for the daily operations of the network to include active directory and domain name services to name a few. Therefore by not having antivirus software on this system it can be a potential hazard to not only the services, by the data being stored here. Antivirus software today helps protect systems again malicious attacks by Worms, Viruses, and even Trojan’s. Users have complained about having issues with lag on a network, and even corrupt data, and pop-ups. This can all be caused by malicious code that could be mitigated with the use of antivirus.

The second threat is the possibility for backdoor vulnerabilities on the network. The production server should only run services that are needed by the organization. As well to add on to the threat of a virus this could be a potential add on. Attackers want to be able to gain access, and maintain it. In many cases organizations look at a convenience level of having services such as VPN and FTP available to its users, and it ends up being a gateway for attackers to get in. Therefore it is necessary to ensure that only the necessary services are running, and all others are disabled.

The third threat to the production server is the lack of system patching and software updates. In many cases staying up on software updates, and system patching is a very cumbersome task for system administrators. However, it is recommended that at least the security patches being released for your server’s operating system be performed. In many cases these updates improve performance, while mitigating industry recognized threats. Currently your server is not being updated and is a potential victim to simple threats that solutions have already been established for.

Physical security is a key concern for the placement of organizations servers. Currently the production server is out in the open for anyone to gain access to. Therefore the threat of someone introducing or removing data easily from the server is pretty high. Many organizations today find themselves combating internal threats just as much as external threats. A recommendation is to lock the server in a back room with minimal access. This will aid in mitigating physical threats, however don’t be fooled into believing that it will completely stopping this problem.

The last threat to the production server is logical security. This type of security includes user permissions and file share permissions. The security on your data over a network is only as good as the safeguards that are implemented. Permissions should be established to only allow users to access, or complete tasks at the level they are at. Administrator privileges should be narrowed done to only those individuals that need them. As well to protect data from being compromised file shares should be locked down, and users should only have access to the information they need to complete their job. In addition it as well helps to rotate job positions with administrative privileges to ensure that personnel do not easily have the capability to hide their tracks.

CLIENT WORKSTATIONS
Upon an investigation of employee complaints, and concerns it was noted that workstations in the office do not have proper Antivirus protection, as well as firewall protection. This is essential to block the everyday user from being infected by going to websites, downloading infected files, or even opening maliciously embedded code in e-mails. In addition having firewall protection will allow for the blocking of IP spoofing, simple denial of services attacks, or even simple enumeration. It is recommended that an antivirus and firewall combination host based intrusion system be installed on the clients. It can either be a managed or unmanaged setup that will enable each of the workstations to be protected. Since these are the machines used daily these are the machines with the highest threat of an attacker gaining access into the company’s network.

Since in today’s era everyone communicates by E-mail and since it is a popular form of communications it has become a main stream target. Since your employees use e-mail to contact clients, and other organizations it is important to have Spam filters in place to aid in preventing phishing attempts from known sources. A phishing attempt allows an attacker to gain access about a company and even acquire confidential information. This can be prevented by implementing such things as a SPAM killer, or filter that is based on industry developed signatures and blocking common threats. This may not completely mitigate this issue but this and proper employee training can.

Users access to systems is vital on a daily basis, but the level of access should only be granted based on the users need to know. A user should only have access to the systems they need access to as well as only have the highest level of access as the position they sit in requires. Not all users should have local administrative privileges. This way the company can establish a baseline for each of the systems and maintain it. And if users need software installed it can be approved by the systems administrator. This will ensure that it is known to the company what are on its network, its computers, and if it is being updates to ensure it’s not a vulnerability. Currently any individual can download and install applications and this is vulnerability that can cause severe damage to network.

In reviewing the information retrieved from Mr. Smith and talking to employees in the company it was noted that the users do not have knowledge of the potential threats that they could aid in mitigating on a daily basis. It is recommended that the company developing a policy to what users can and cannot do on the network. This policy can also outline possible threats, and mitigation steps that can be easily implemented by the user. This will save on workstation down time, and small threats from developing into major problems. The workstations are only as secure as the personnel operating them, and the policies implemented.

The last threat that faces the workstations is the systems patches for the Operating Systems, and the software updates for applications currently installed on the workstation. It has been noted that users have installed programs as they see fit. Therefore there is no specific baseline for the systems, and no updates or patches have been applied. This can cause severe problems, or backdoors that attackers can utilize to gain access to the network. Such as using flaws in unpatched operating systems, or applications like Adobe reader which allows for micro joined applications to run when a document is opened. These threats can be easily mitigated if updates and patches were applied, and continually accomplished.

COMPANY WEB SERVER & WEBSITE
Like many organizations the XYZ Private Investigators LLP has a web presence that causes many potential threats. As well the convenience of access is usually the main disregard to proper safeguards of critical data, and network equipment. The first threat that is evident to the webserver is unsecured services. This was pretty evident for this analysis after the discovery of the webpage being hacked. Many services such as Telnet, FTP and SMTP are left unsecured and an attacker finds these openings and acquires data, defaces websites, and/or utilizes a mail server to send spam email from. Any of these attacks will cause the company to lose credibility, and being blacklisted by internet registrars. To mitigate these threats the services should be secured with username and passwords that are secure, no anonymous access, and concealing services by removing banners. These are a few steps that will aid in securing external access.

This company utilizes one server to act as both an internal access server and an external access server. It is not recommended to do this because it becomes a major target, that with a simple attack it could completely shut down core resources, or cause data loss. There are a few things that have been noticed with this threat. The first is web shares, which are unprotected and allow external access without authentication. Next is the factor that this server is not patched and has web services running on it. Therefore by utilizing faults in the IIS web engine an attacker could cripple this server and cause a denial of service to this company. It is recommended to separate the physical server, and the web server so that the potential threat of internal and external data from both being corrupted is minimized.

Boundary protection is a major need for this company. To have a server that is accessible by an external user needs to have a heightened level of protection. There should be a hardware firewall that has a DMZ setup in it to allow traffic that you want to access from the web, and from the local network. As well it should protect the local network from access from the outside world. This will mitigate an attacker from entering into local network and stealing confidential data that didn’t need to be on the web.

With any web based application it is noted that there is a level of security that must be maintained. It was noted that the webserver was hacked. As well it was explained that many users externally access the webserver through an application. In general most web applications use a backend database of sorts. Whether it by MS SQL or MYSQL for example the coding that links to these database should be evaluated, tested, and error checked. This will allow for the protection of threats such as SQL injection. This threat could potential give an attacker to gain usernames and passwords or even pull out data that should be confidential. Since a web presence is important to your organization it is recommend that you ensure that proper application implementation strategies are developed, and followed.

The last threat that was noted with the webserver and site is to ensure that system patching is done. Since you are running Microsoft IIS and this is a very vulnerable product it is recommended that you ensure patches are current and remain current. In addition to that if you are using third party web applications that you ensure that databases are updates, the application is updates, and any core services such as PHP and/or ASP engines are updated. This will allow for further avenues of mitigation of an attackers attempt to gain access to a web application or server.

CONCLUSSION
The XYZ Private Investigation LLP is like many small companies today that where blind to the possibility of cyber threats ever causing them a problem. Well that couldn’t be more far from the truth. Every day with the need of technology becoming more prevalent so are the threats that arise. Therefore just taking a look at the threats outlined in this memo, and the possible mitigation steps your company will increase its cyber security by two fold, and maintain its vigilance.