risk assessment - alliance finance

8/9/2019 Risk Assessment - Alliance Finance

http://slidepdf.com/reader/full/risk-assessment-alliance-finance 1/47

Risk Assessment Report

Alliance Finance Co PLC.

This report is an outcome of the risk assessment conducted on Domain Controller System, at

Alliance Finance Co PLC. Ward pl. Colombo.

ICT 4009 IT Contingency Planning

Students - Registration No. Index No.

M.A.S.S Malwattha 2010/ICT/052 10020527

W.A.L.T.C Weliwita 2010/ICT/072 10020721



Risk Assessment – Alliance Finance

1

Acknowledgement

Firstly, we would like to thank Mr. Athula Samarasinghe for giving us the opportunity to

participate in this assessment and providing us with the knowledge, guidance and motivation

to successfully complete this task. Secondly, would like to show our gratitude to the Alliance

Finance employees who supported us in carrying out the risk assessment. Finally, our sincere

gratitude goes to all the parties who aided and motivated us in this regard.




2

Table of Contents

Acknowledgement ..................................................................................................................... 1

List of Tables ............................................................................................................................. 3

1. Introduction ............................................................................................................................ 4

1.1 Purpose ............................................................................................................................. 4

1.2 Scope ................................................................................................................................ 4

1.3 Audience........................................................................................................................... 4

2. Risk Assessment Approach and Methodology ...................................................................... 6

2.1 Risk Assessment Process ................................................................................................. 6

2.1.1 Phase 1 - Pre-Assessment .......................................................................................... 6

2.1.2 Phase 2- Assessment .................................................................................................. 7

2.1.3 Phase 3 – Post Assessment ...................................................................................... 11

3. System Characterization ...................................................................................................... 12

3.1 Functional Description ................................................................................................... 12

3.2 System Environment ...................................................................................................... 12

3.3 System Users .................................................................................................................. 14

3.4 System Dependencies ..................................................................................................... 14

3.5 Supported Programs and Applications ........................................................................... 15

4. Information Sensitivity ........................................................................................................ 16

4.1 Sensitivity ....................................................................................................................... 16

4.2 Protection Requirements ................................................................................................ 17

4.2.1 Protection Requirement findings ............................................................................. 17

5. Identification of Vulnerabilities, Threats and Risks ............................................................ 19

6. Control Analysis .................................................................................................................. 26

7. Risk Likelihood & Impact Determination ........................................................................... 27

8. Overall Risk Determination & Recommendations .............................................................. 38




3

List of Tables

Table 2.1 Risk Likelihood Definitions (1) ................................................................................. 8

Table 2.2 Risk Likelihood Definitions (2) ................................................................................. 9

Table 2.3 Risk Impact Definitions ............................................................................................. 9

Table 2.4 Risk Level Definitions ............................................................................................. 10

Table 2.5 Overall Risk Rating Matrix...................................................................................... 10

Table 3.2 Host Characterization Components ......................................................................... 13

Table 3.3 Domain Controller System Users ............................................................................ 14

Table 4.1 Domain Controller Information Type ...................................................................... 16

Table 4.2 Definitions for C/I/A Ratings .................................................................................. 16Table 5.1 Vulnerabilities, Threats, and Risks .......................................................................... 19

Table 6.1 Risk Controls in place/planned for domain controller ............................................. 26

Table 7.1 Risk Likelihood & Impact ratings ........................................................................... 27

Table 8.1 Overall Risk Rating ................................................................................................. 38




4

1. Introduction

Information systems are vital elements in most businesses since they are essential to carry out

business operations smoothly. If there are disruptions to these information systems, the

business couldn’t be able to continue as it was. Due to the disruptions to the business, therewill be tangible losses such as financial/profit loss as well as intangible losses like loss of

customer goodwill. Thus, it is critical that these systems are able to operate effectively

without excessive interruption.

IT contingency planning supports by reactively and proactively safeguarding the information

systems and related assets from wide range of risks. IT contingency planning refers to a

coordinated strategy involving plans, procedures, and technical measures that enable the

recovery of information systems, operations, and data after a disruption. Risk assessment is

one of the critical activity in IT contingency planning where the system characteristics and

risks are identified and evaluated. Remedial measures are suggested based on the type of the

risk and their impact.

1.1 Purpose

The purpose is to identify how ‘Alliance Finance’ has implemented their IT contingency

plans. In addition, we hope to identify the existing vulnerabilities of the domain controller

system and suggest preventive controls and strategies as well as discuss their effectiveness.

1.2

Scope

This report examines the current hardware, software, operating systems and critical data in

domain controller system. Furthermore, identify the vulnerabilities and suggest remedial

measures and reflect on their effectiveness.

1.3

Audience

This document is primarily aimed for system administrators responsible for information

systems or security at system and operational levels as well as for higher level managerial

personnel who coordinate and support information system contingency planning activities.

Managers

Personnel who are responsible for overseeing information system operations or

mission/business processes that rely on information systems.

Chief Information Officers (CIOs)

Personnel who hold the overall responsibility for the organization’s information systems.




5

System engineers and architects

Architects are responsible for designing, implementing, or modifying information systems.

System administrators

The employees who are responsible for maintaining daily information system operations.




6

2. Risk Assessment Approach and Methodology

The risk assessment conducted followed the guidelines of NIST SP 800-30, Risk

Management Guide for Information Technology System. The assessment is aimed at

assessing the security vulnerabilities affecting confidentiality, integrity and availability ofdomain controller server at Alliance Finance.

At the end of this assessment, the risk assessment team recommends security safeguards to

address identified threats and vulnerabilities. The methodology addresses the following types

of controls:

Management Controls: The management level controls were addressed in order to

manage and accept the risks as well as to manage the IT security systems.

Operational Control: Manual security controls implemented to address the physical

access to servers and media safeguards.

Technical Controls: Automated security controls providing protection to applications

and server systems.

2.1

Risk Assessment Process

This section details the risk assessment process performed during this effort. The process is

divided into pre-assessment, assessment, and post-assessment phases.

2.1.1 Phase 1 - Pre-Assessment

Step 1: Define the nature of the risk assessment

This risk assessment effort provides an independent review of the Alliance Finance Domain

control server to help determine the appropriate level of security. On site interviews,

Questionnaires and documentation reviews were taken as the basis for this effort.

Step 2: Data collection

The data collection phase included interviewing key personal responsible for the domaincontroller server within the organization and reviewing existing documents. Interviews were

complemented with a questionnaire and focused on system characterization, operating system

and software, access control, authentication, network access control, data integrity and

security, monitoring and logging, Intrusion detection, physical security and backups. The

document review enabled the risk assessment team to evaluate compliance with guidelines

and standards that are adhered.

Step 3: Templates

The following templates were used in this risk assessment effort and are included at the

appendix of this document.




7

Questionnaire - Carnegie Mellon Information Security Office Template

NIST Risk Assessment Template

Old Dominion University Risk Assessment Template

2.1.2 Phase 2- Assessment

Step 1: Document Review

The IT policy documents are reviewed at the beginning of the assessment provided by the

domain controller system’s administrator. Furthermore, detailed interview with the system

administrator of the domain controller was carried out to complete the system questionnaire.

This allowed, identifying the system characteristics as well as security threats.

Step 2: System Characterization

In the system characterization step, first, the boundary of the domain controller system was

defined. Then, the hardware, OS/software and network connectivity was identified in order to

describe the system. Additional data on system configuration, backup plan and recovery

related information were gathered as well.

To gather the necessary information, following data gathering techniques were used.

Questionnaire.

A questionnaire was designed to gather the information about the domain controllersystem aimed on characteristics of the system as well as the management and operational

controls planned or used for the IT system. The questionnaire was aimed for operational

employees who are designated in maintaining the domain controller system.

On-site Interviews

In order to fill out the questionnaire, on site interview was conducted with the designated

system administrator of the domain controller system. Further, it allowed the auditors to

observe and gather information about the physical, environmental, and operational

security of the IT system.

Document Review

Policy documents were reviewed in addition to the questionnaire and interview, in order

to identify the security policies related to the domain controller system. These documents

provided information about the security controls used by and planned for the IT system.

Step 3: Threat Identification

The NIST SP 800-30 standard is used as the basis for threat identification. The threats which

are more likely to occur, was identified through interviews and questionnaire. A threat isdefined as “the potential for a particular threat-source to successfully exercise a particular




8

vulnerability”. It is important to identify the threat sources as well as motivations and actions

of these threats that are affected to the domain controller system.

Step 4: Vulnerability Identification

After the threat identification, vulnerability identification was carried out in order to list the

vulnerabilities related to the domain controller system. The NIST SP 800-53, Revision 2,

Security Baseline Worksheet used in documenting the vulnerabilities identified through

interview and the questionnaire.

Step 5: Risk Determination (Calculation/Valuation)

The risk assessment team determined the degree of risk upon a threat being exploited by

vulnerability in this step. The risk for a particular threat was expressed as a function of

likelihood and impact.

Likelihood Analysis

Likelihood is the probability that vulnerability might be exploited in the context of the

associated threat environment.

The following tables defines the likelihood definitions used.

Table 2.1 Risk Likelihood Definitions (1)

Likelihood Likelihood Definition

High The threat source is highly motivated and sufficiently capable, and controls

to prevent the vulnerability from being exercised are ineffective.

Moderate The threat source is motivated and capable, but controls are in place that may

impede successful exercise of the vulnerability.

Low The threat source lacks motivation or capability, or controls are in place to

prevent, or at least significantly impede, the vulnerability from being

exercised.




9

Table 2.2 Risk Likelihood Definitions (2)

Effectiveness of

Controls

Probability of Threat Occurrence

Low Moderate High

LowModerate High High

ModerateLow Moderate High

HighLow Low Moderate

Impact Analysis

The second factor determining the level of a risk is the impact resulting from a successful

exploitation of a prevailing vulnerability. The adverse impact of such successful exploitation

can result in harm to any of the main security goals (Confidentiality, Integrity, and

Availability). Loss of confidentiality can occur from the disclosure of sensitive information

stored in the server. Integrity can be harmed through unauthorized changes to the data stored

in the server. Finally, loss of availability can result from disrupt to server functionality and

operational effectiveness. The following table defines the magnitudes of impacts used.

Table 2.3 Risk Impact Definitions

Magnitude

of Impact

Impact Definition

High Exercise of the vulnerability (1) may result in the highly costly loss of

major tangible assets or resources; (2) may significantly violate, harm, or

impede an organization’s mission, reputation, or interest; or (3) may result

in human death or serious injury.

Moderate Exercise of the vulnerability (1) may result in the costly loss of tangible

assets or resources; (2) may violate, harm or impeded an organization’s

mission, reputation, or interest; or (3) may result in human injury.Low Exercise of the vulnerability (1) may result in the loss of some tangible

assets or resources; (2) may noticeably affect an organization’s mission,

reputation, or interest.

In determining the levels of risks the likelihood of a threat, the impact the threat might cause

if the vulnerability is exploited successfully and the adequacy of existing control measures

for reducing and eliminating risks were taken into consideration. According to that, the

following table defines the different levels of risks.




10

Table 2.4 Risk Level Definitions

Risk

Level

Risk Level Definition

High There is a strong need for corrective measures. An existing system may

continue to operate, but a corrective action plan must be put in place as soonas possible.

Moderate Corrective actions are needed and a plan must be developed to incorporate

these actions within a reasonable period of time.

Low The system’s Authorizing Official must determine whether corrective actions

are still required or decide to accept the risk.

Table 2.5 Overall Risk Rating Matrix

Risk Likelihood Risk Impact

Low(1)

Moderate(5)

High(10)

High(10)

Low

1 x 10 = 10

Moderate

5 x 10 = 50

High

10 x 10 = 100

Moderate(5)

Low

1 x 5 = 5

Moderate

5 x 5 = 25

Moderate

10 x 5 = 50

Low(1)

Low

1 x 1 = 1

Low

5 x 1 = 5

Low

10 x 1 = 10

Step 6: Risk Mitigation Recommendations

The controls that can be used to mitigate or eliminate the identified risks are identified in this

step. Aim of these recommendations is to reduce the level of risk to the domain controller

system and the data contained on it to an acceptable level. The factors that are used in

recommending the controls would be,

Sensitivity of the data and the system

Effectiveness of recommended options Legislation and regulations

Organizational policy

Operational impact

Safety and reliability




11

2.1.3 Phase 3 – Post Assessment

Step 1: Risk Mitigation

Since the total elimination of a risk is impractical, senior management should assess control

recommendations, determine the acceptable level of residual risk, and implement those

mitigations. There are several types of risk mitigation techniques as follows.

Risk Assumption

Accept the potential risk and continue operating the IT system or to implement controls to

lower the risk to an acceptable level.

Risk Avoidance

Eliminate the risk cause and consequences to avoid the risk.

Risk Limitation

Limit the risk by implementing controls that minimize the adverse impact of an

exercising vulnerability.

Risk Planning

Develop a risk mitigation plan that prioritizes, implements, and maintains controls.

Risk Transference

Transfer the risk to a third party by using other options to compensate for the losses

Step 2: Ongoing Monitoring

The milestones to mitigate the risks will be defined and will be used to monitor the successful

completion of the milestones.




12

3. System Characterization

3.1

Functional Description

The domain controller system is a server that responds to security authentication requests

within the server domain in order to allow host access to Windows domain resources. It runs

as a part of the Windows Server 2003 operating system. Access to the domain controller

system is only granted to a few of the selected users who maintain the system. The system

doesn’t have interfaces to other systems.

3.2 System Environment

The domain controller is a Dell Power Edge SC430 server running Windows server 2003

Service pack II. The last update to the operating system is version 5.2 build no 3790. Physical

memory of the server is 2GB; the processor is clocked at 2.8 MHz (Intel Pentium D) and the

storage capacity is 80GB. Redundant power supply is being provided to the server through an

Online UPS that can keep the server running for around 15-20 minutes. There are no network

interfaces other than the LAN. The server hardware components currently have no warranty

and a maintenance agreement is in progress.

Domain Controller is a process/service running on Windows server 2003 that contains

authentication details to respond to authentication requests made. Furthermore, the server is

housed at server room at Alliance Finance Co. PLC Wardplace, Colombo.

The users of the system are located at Alliance Finance Co PLC, Ward Pl. The remote access

is given to their client computers via remote desktop connections. The domain controller

system can only be accessed through LAN of the Alliance Finance premises. Table 3.1 lists

host characterization components for the domain controller.




13

Table 3.1 Host Characterization Components

Host Name Location Status IP Address Platform Software Comments

Domain

Controller

Alliance

Finance Co.

PLC

Wardplace,

Colombo

Operational Not provided Windows server

2003Eset File Security -




14

3.3 System Users

There are only limited number users of who has been granted the access to the domain

controller system. The system administrator role is granted to the assistant manager of IT at

Alliance Finance Co PLC. Furthermore, there are two admin users who are dedicated to the

maintenance of the system.

Table 3.2 Domain Controller System Users

User Category Access Level

Read /

Write/Full

Number

(Estimate)

Home

Organization

Geographic

Location

System

Administrator

Read/Write 1 Alliance Finance Ward Pl,

Colombo

Admin User Read 2 Alliance Finance Ward Pl,

Colombo

3.4

System Dependencies

A dependency is a telecommunication or information technology interconnection or resource

on which the system under review relies for processing, transport, or storage. A relationship

between the domain controller and a dependency can directly affect it’s confidentiality,

integrity and availability since any vulnerabilities, threats and risks of the dependency will be

inherited by the domain controller itself. While there are no specific dependencies for the

domain controller the following generic information technology resources can be identified

as it’s dependencies.

Local Area Networks

Enterprise Policies

o Password policy

o IT policy

o Backup policy

Security Services

o

Firewall

o Access Control lists

o Intrusion detection system

o Antivirus System

Server room staff, Physical, and Environmental Controls

Vulnerability scanning services – an external party is responsible for carrying out

vulnerability scans annually.




15

3.5 Supported Programs and Applications

There is an antivirus program running on the domain controller system. The antivirus is

ESET File Security and the version is 5.1.34.0. It is currently up-to date and operational.




16

4. Information Sensitivity

This section provides details on different types of information handled and processed by the

domain controller and their sensitivity. Sensitivity of the information handled by a system is a

major factor in risk management.

The risk management team used FIPS 199 to reflect on the impact levels and magnitude of

the harm that loss of confidentiality, integrity and availability would have on the operations,

assets and individuals of at Alliance Finance Co. PLC. FIPS 199 have three potential impact

levels (Low, Mid, High) for each of the security objectives.

Domain controller handles mainly one type of information (Personal Identity and

Authentication). Table 4.1 lists information type characterization for the domain controller.

Table 4.1 Domain Controller Information Type

Information Type NIST SP

800-60

Reference

Confidentiality

Low/Moderate/

High

Integrity

Low/Moderate/

High

Availability

Low/Moderate/

High

Personal Identity and

Authentication

Volume II,

Appendix

C.2

Moderate Moderate Moderate

Overall Rating Moderate Moderate Moderate

4.1

SensitivityThe following table provides the definitions for C/I/A ratings for domain controller

Table 4.2 Definitions for C/I/A Ratings

Security Objective Low Moderate High

ConfidentialityPreserving

authorized

restrictions on

information access

and disclosure,

including means

for protection

personal privacy

and proprietary

information

[44 USC, SEC.

The unauthorizeddisclosure of

information could be

expected to have a

limited adverse effect

on organizational

operations,

organizational assets,

or individuals.



expected to have a

serious adverse effect

on organizational

operations,


or individuals.



expected to have a

severe or catastrophic

adverse effect on

organizational

operations,

organizational assets, or

individuals.




17

3542]

I ntegri ty

Guarding against

improper

information

modification or

destruction, and

includes ensuring

information non-

repudiation and

authenticity.

[44 USC, SEC.

3542]

The modification or

destruction of


expected to have alimited adverse effect

on organizational

operations,


or individuals.

The modification or

destruction of


expected to have aserious adverse effect

on organizational

operations,


or individuals.

The modification or

destruction of


expected to have asevere or catastrophic

adverse effect on

organizational

operations,


individuals.

Availability

Ensuring timely

and reliable access

to and use of

information.

[44 USC, SEC.

3542]

The disruption ofaccess to or use of

information or an

information system

could be expected to

have a limited

adverse effect on

organizational

operations,


or individuals.


information or an

information system


have a serious

adverse effect on

organizational

operations,


or individuals.


information or an

information system


have a severe or

catastrophic adverse

effect on organizational

operations,


individuals.

The sensitivity designation of information processed by domain controller is moderate. This

moderate designation is based upon the C/I/A designation of the information type for the

domain controller.

4.2 Protection Requirements

4.2.1 Protection Requirement findings

Confidentiality

Domain controller contains sensitive information that is being used to authenticate users

of different systems in Alliance Finance. This data needs protection from unauthorized

access. If this data were to be exposed to public or even within the organization it could

result in unauthorized and malicious users gaining access to data that should otherwise be

out of their knowledge. It also risks sensitive data being leaked and changed. Therefore,

the unauthorized disclosure of domain controller information could be expected to have a

serious adverse effect on organizational operations, organizational assets, or individuals

and the information and protection measures are rated as Moderate.




18

Integrity

Domain controller system processes authentication information to grant access to a

particular server domain. The authentication information must be fully accurate in order

to grant access to the domain, thus, unauthorized modification of this information would

have a serious impact on login in to the server domain. Therefore, unauthorizedmodifications to the domain controller system’s information cause serious effects on the

Alliance Finance Co PLC’s operations and assets. The current protection measures are

rated as low.

Availability

If domain controller were unavailable even for a shorter period of time, it would have an

immediate impact and would affect the efficiency with which domain controller as well

as other systems typically operates. Therefore, the unavailability of domain controller

information could be expected to have a serious adverse effect on organizationaloperations, organizational assets, or individuals and the information and protection

measures are rated as High.




19

5. Identification of Vulnerabilities, Threats and Risks

In order to identify the potential threats and vulnerabilities, firstly, an interview was

conducted with the personnel who maintain the domain controller system and a questionnaire

was filled out based on the outcomes of the interview. In addition, cert websites were used to

identify further details on these vulnerabilities as well as suitable remedial measures. The

Table 5.1 Vulnerabilities, Threats, and Risks, illustrates the list of vulnerabilities and threats

that the risk assessment team found.

The way vulnerabilities combine with credible threats to create risks is identified Table 5.1.

Table 5.1 Vulnerabilities, Threats, and Risks

Risk

No. Vulnerability Threat

Risk of

Compromise ofRisk Summary

1

Patches to correct

flaws in operating

system software

could fail to

successfully install.

Computer crime

Malicious use

Confidentiality

and integrity of

authentication

data.

Exploitation of flaws

in operating system

could result in

compromise of

confidentiality and

integrity of personal

identity and

authentication data.

2

Loss of firewall

protection.

Computer crime

Malicious use

System compromise

Unauthorized use

Confidentiality

and integrity of

authentication

data.

The system is

protected through

gateprotect hardware

firewall; failure of

this firewall can result

in increasing the

likelihood of other

risks being exploited.

3

Internal access to

server.

Computer crime

Malicious use

Unauthorized use

Confidentiality

and integrity of

authenticationdata

Loss or theft of

personal identity and

authentication data indomain controller

could affect the

confidentiality and

integrity of the data.

4

Hardware

Issues/Equipment

Failure or loss

System Unavailable Inability to access

the system.

Failure of hardware or

equipment may

impact the availability

of the domain

controller




20

Risk


Risk of


5

Single Point of

Failure

System Unavailable Inability to access

the system.

Failure in any part of

the domain controller

could affect othersystems being

properly functioning.

6

Key Person

Dependency

System Unavailable Inability to

adequately

support the

application.

Loss of a key person

responsible for the

domain controller will

result in inability to

operate system

functionality, enhance

them or maintain the

domain controller.

7

Loss of Critical

Documentation,

Data or Software

Malicious use, System

compromise,

Unauthorized access

Confidentiality

and integrity of

authentication

data.

Loss of data, software

or documentation

could result in

disruption of service

8

Data Disclosure Malicious use, System

compromise,

Unauthorized access

Confidentiality

and integrity of

authentication

data.

Disclosure of

sensitive personal

information could

result in identity theft

and/or system access

control issues.

9

Software Issues

from Vendor


compromise,

Unauthorized access

Confidentiality

and integrity of

authentication

data and ability to

provide service.

Software issues by the

vendor may result in

data corruption or

mission critical

system disruption.

10

Poor Password

Practices


compromise,Unauthorized access

Confidentiality

and integrity ofauthentication

data.

Poor password

practices could allowimproper system

access which could

result in data theft,

data corruption,

application system

alteration or

disruption.




21

Risk


Risk of


11

System

Compromise

Malicious use,

Unauthorized access

Confidentiality

and integrity of

authenticationdata.

If the system is

compromised, it can

cause data theft,corruption, system

alteration and

disruption.

12

Lack of Sufficient

Operational

Policies


compromise,

Unauthorized access

Confidentiality

and integrity of

authentication

data.

Improper execution of

operational polices

can cause system

alteration, theft or

disruption.

13

Poor PhysicalSecurity

Malicious use, Systemcompromise,

Unauthorized access

Confidentialityand integrity of

authentication

data.

Due to poor physicalsecurity, unauthorized

personal can

physically access to


which would result in

data theft or

corruption.

14

Functional Lockout System unavailability Inability to access

the system.

If the infrastructure is

not accessible, the

staff will be unable to

access to the domain

controller system.

15

Natural Disaster Hurricanes, floods,

and other weather

phenomenon.

Inability to access

the system.

A natural disaster can

cause power failure in

the server farm,

which disable the

access to domain

controller system.

16

Integrity checkups

are not done

Inability to identify

Unauthorized

modification to data

Integrity of

corporate data.

Integrity of data is not

automatically tested

and unauthorized

modification of data

might go unseen.

17

Logs stored in a

central location

Loss of log data Availability of log

data, indirectly

affects integrity of

the data

Logs are kept in the

domain controller

server




22

Risk


Risk of


18

The role based

access requests are

not documented

Malicious use,

Unauthorized access

Confidentiality

and Integrity of

data

Role based requests

and approvals are

only communicatedthrough emails.

Currently there is no

proper documentation

to track that.

19

Media containing

sensitive data is not

destroyed

Malicious use Confidentiality The backup media

devices containing the

restricted/sensitive

data are not destroyed

or recycled. Instead,

currently they are

locked in a safe.

20

DOS overflow System unavailability Confidentiality

and Availability

of authentication

data

The windows server

2003 service pack 2

allows local users to

obtain sensitive

information from

kernel memory and

cause a denial of

service

21

Untrusted search

path vulnerability

Unauthorized access,

Malicious use of

system components

Confidentiality

and Integrity and

Availability of

authentication

data

The windows server

2003 service pack 2


gain privileges via a

Trojan horse cmd.exe

file in the current

working directory, as

demonstrated by a

directory that contains

a .bat or .cmd file

22

Read AV

Vulnerability


Malicious use of

system components

Confidentiality

and Integrity and

Availability of

authentication

data

The windows server

2003 service pack 2


obtain write access to

the PATHRECORD

chain, and

consequently gain

privileges




23

Risk


Risk of


23

Race Condition

Vulnerability


Malicious use of

system components

Confidentiality,

Integrity and

Availability ofauthentication

data

Race condition in

windows server

kernel mode driversallow local users to

gain privileges

24

IPv6 Source

Address Spoofing

Vulnerability


Malicious use of

system components

Confidentiality

and Integrity of

authentication

data

The windows server

2003 service pack 2

allow remote

attackers to bypass

intended IPv4 source-

address restrictions

via a mismatched

IPv6 source address

in a tunneled ISATAP

packet

25

Disk Partition

Driver Elevation of

Privilege

Vulnerability

Malicious use of

system components

Confidentiality

and Integrity and

Availability of

authentication

data

Windows server 2003

service pack 2 does

not properly allocate

memory, which

allows physically

proximate attackers to

execute arbitrary codeor cause a denial of

service by connecting

a crafted USB device

26

CSRSS Memory

Corruption

Vulnerability


Malicious use of

system components

Confidentiality

and Integrity and

Availability of

authentication

data

The Client/Server

Run-time Subsystem

in Windows server

2003 service pack 2

does not properly

handle objects in

memory, which


gain privileges via a

crafted application




24

Risk


Risk of


27

OLE Property

Vulnerability

Malicious use of

system components

Confidentiality

and Integrity and

Availability ofauthentication

data

Microsoft Windows

Server 2003 SP2

allow remoteattackers to execute

arbitrary code via a

crafted OLE object in

a file

28

Remote Procedure

Call Vulnerability

Malicious use of

system components

Confidentiality

and Integrity and

Availability of

authentication

data

Microsoft Windows

Server 2003 SP2

allow remote

attackers to execute

arbitrary code via a

malformed

asynchronous RPC

request

29

Backups are

unencrypted

Unauthorized access Confidentiality

and Integrity of

authentication

data

Backups are written

into optical disks

without encrypting

30

No direct network

link with the

Disaster Recovery

site

Unauthorized access Confidentiality

and Integrity and

Availability of

authentication

data

Theft, misplace of the

backup media while

physically delivering

31

Operating System

is not backed up

System unavailability Availability of

authentication

data

The Operating

System image is not

backed up. Therefore

in case of OS failure,

OS image and all the

patch updates need to

be done from the beginning

32

The Operating

System is not

updated to the

latest version

(Windows server

2012)

Malicious use of

system components

Confidentiality

and Integrity and

Availability of

authentication

data

The current operating

system that runs on


is Windows server

2003. Windows will

stop providing

support for this OS

from 2015 May




25

Risk


Risk of


33

Accounts that are

no longer needed

are not deleted in atimely manner


Malicious use of

system components

Confidentiality

and Integrity of

authenticationdata

The current

procedure, user sends

a request through thedepartment head to

the IT department

manager to delete

user accounts of the

employee who left the

organization. This

process is time

consuming




26

6. Control Analysis

Table 6.1 Risk Controls in place/planned for domain controller

Control Area In-Place/Planned

1 Risk Management

1.1 IT Security Roles & Responsibilities In Place

1.2 Risk Assessment

1.3 IT Security Audits In Place

2 IT Contingency Planning

2.1 Continuity of Operations Planning

2.2 IT Disaster Recovery Planning In Place

2.3 IT System & Data Backup & Restoration In Place

3 IT Systems Security

3.1 IT System Hardening In Place

3.2 Malicious Code Protection In Place

4 Logical Access Control

4.1 Account Management In Place

4.2 Password Management In Place

4.3 Remote Access

5 Data Protection

5.1 Data Storage Media Protection

5.2 Encryption In Place

6 Facilities Security

6.1 Facilities Security In Place

7 Personnel Security

7.1 Access Determination & Control In Place

7.2 IT Security Awareness & Training In Place

8 Threat Management

8.1 Threat Detection In Place

8.2 Incident Handling In Place

8.3 Security Monitoring & Logging In Place

9 IT Asset Management

9.1 IT Asset Control In Place

9.2 Software License Management In Place

9.3 Configuration Management & Change Control In Place




27

7.

Risk Likelihood & Impact Determination

Table 7.1 Risk Likelihood & Impact ratings

Risk

No. Risk Summary Risk Likelihood Evaluation

Risk

Likelihood

Rating

Risk Impact Risk Impact

Rating

1

Exploitation of flaws in operatingsystem could result in compromise of

confidentiality and integrity of

personal identity and authentication

data.

Effectiveness of controls to applyoperating system patches is rated

moderate. This is because the

updates are applied automatically

whenever a new patch is released

without considering a risk benefit

analysis of the release. However,

the updates are applied regularly

and obtained from the vendor

only. Possibility of threat

occurrence is law since only

authorized users are given access

to the domain server.

Low Unauthorizeddisclosure or

modification

of data.

High

2

The system is protected through

gateprotect hardware firewall; failureof this firewall can result in

increasing the likelihood of other

risks being exploited.

Effectiveness of controls is low

since only one firewall is used.Possibility of threat occurrence is

low, because there is no remote

access to domain controller.

Moderate Unauthorized

disclosure ormodification

of data.

High




28

Risk


Risk

Likelihood

Rating


Rating

3

Loss or theft of personal identity and

authentication data in domain

controller could affect the

confidentiality and integrity of the

data.

Access is only provided to select

few authorized personals. Thus,

the effectiveness of controls is

high. Threat probability moderate

due to human nature (writing

down passwords, social attacks,

etc.)

Low Unauthorized

disclosure or

modification of

data.

High

4

Failure of hardware or equipment

may impact the availability of the

domain controller


since there are no warranty

agreements for the hardware and

maintenance agreement is still on

progress. The probability of threat

occurrence is dependent on

hardware, software vendor and

age of the hardware.

Moderate Confidentialit

y and integrity

of

authentication

data could be

compromised.

Moderate

5

Failure in any part of the domain

controller could affect other systems

being properly functioning.

The domain controller runs on

one physical system and no

mirror systems are available. If

the system fails, it takes up to 24

hours to recover from DR site.

Thus, the effectiveness of the

controls is low. The probability of

threat occurrence is dependent on

hardware, software vendor and

age of the hardware.

Moderate Inability to

access the

system.

Moderate




29

Risk


Risk

Likelihood

Rating


Rating

6

Loss of a key person responsible for

the domain controller will result in

inability to operate system

functionality, enhance them or

maintain the domain controller.

Effectiveness of the controls is

low since there are only two key

persons responsible for the

domain controller and no cross

training is provided for

redundancy. There is always a

possibility for key persons to

leave the company or go on leave.

High Inability to

adequately

support the

system.

Low

7

Loss of data, software or

documentation could result in

disruption of service

All software and data are backed

up and validated daily. Software

could be downloaded through

vendor website. Thus, the

effectiveness of controls is high.

Possibility is low to moderate.

Low Confidentiality and integrity

of

authentication

data could be

compromised.

Moderate

8

Disclosure of sensitive personal

information could result in identity

theft and/or system access control

issues.

Staff is properly trained and

educated on the security policies.

Therefore, the possibility of

sensitive information disclosure is

low. Even effective controls and

training cannot stop a person with

appropriate access from doing

something which is wrong. For

that reason, this must be

considered a medium risk.

Moderate Confidentiality

of

authentication

data could be

compromised.

Moderate




30

Risk


Risk

Likelihood

Rating


Rating

9

Software issues by the vendor may

result in data corruption or mission

critical system disruption.

The only software used in the

domain controller is the Antivirus

program. And it is updated

regularly and automatically.

However, the software patches

are not thoroughly tested or

reviewed before applying. Thus,

the effectiveness of the controls is

low.

Moderate Confidentiality

of

authentication

data could be

compromised.

Ability to provide services

could be

compromised.

Moderate

10

Poor password practices could allow

improper system access which could

result in data theft, data corruption,

application system alteration or

disruption.

There is a password policy to

enforce standards in applying a

password, and there are security

awareness training programs

conducted to stress the proper use

of passwords. So, the

effectiveness of the control is

high.

Low Confidentialit

y and integrity

of

authenticationdata could be

compromised.

Moderate

11

If the system is compromised, it can

cause data theft, corruption, systemalteration and disruption.

There is a firewall and an Intruder

Detection System installed. Thuseffectiveness of the controls is

high. Since the domain controller

can only be accessed by the LAN,

probability of system being

compromised is low.

Low Confidentialit

y and integrityofauthentication

data could be

compromised.

Moderate




31

Risk


Risk

Likelihood

Rating


Rating

12

Improper execution of operational

polices can cause system alteration,

theft or disruption.

The policy statements are well

documented and there are training

programs twice a year to educate

employees. All the policies

including backup policy and

password policy is properly

maintained and executed. The

effectiveness of the controls is

high. The probability of

happening this kind of a threat is

moderate due to the human

nature.

Low Confidentiality and integrity

of

authentication

data could be

compromised.

Moderate

13

Due to poor physical security,

unauthorized personal can physically

access to the domain controller which

would result in data theft or

corruption.

The server rooms have physical

security methods implemented

and only few authorized persons

have the access. Thus, the

effectiveness of controls is high.

Probability of unauthorized

persons accessing is low.

Low Confidentialit

y and integrity

ofauthentication

data could be

compromised.

Moderate

14

If the infrastructure is not accessible,

the staff will be unable to access to

the domain controller system.

The effectiveness of the controls

is dependent on the network

resilience. Probability of the

infrastructure becoming

inaccessible is moderate.

Low Inability to

access the

system.

Moderate




32

Risk


Risk

Likelihood

Rating


Rating

15

A natural disaster can cause power

failure in the server farm, which

disable the access to domain

controller system.

Probability of a natural disaster

occurring is low.

Low Inability toaccess the

system.

Moderate

16

Integrity of data is not automatically

tested and unauthorized modificationof data might go unseen.


since there are no automatedmeasures to conduct integrity

checks. Possibility of

unauthorized modification of data

is low.

Moderate Availability

and Integrityof data could be

compromised.

Moderate

17

Logs are kept in the domain

controller server

Effectiveness of existing controls

is low since logs are kept in same

physical server. Possibility of

threat occurring is low.

Moderate Confidentiality and integrity

of data in the

logs could be

compromised.

Moderate

18

Role based requests and approvals

are only communicated through

emails. Currently there is no proper

documentation to track that.


is low since requests are not

documented. Possibility of threat

occurring is low.

Moderate Confidentialit

y and Integrity

of data could

be

compromised.

Moderate

19

The backup media devices containing

the restricted/sensitive data are not

destroyed or recycled. Instead,

currently they are locked in a safe.


is moderate since media is locked

on a safe. Possibility of threat

occurring is low.

Low Confidentiality of data

could be

compromised.

High




33

Risk


Risk

Likelihood

Rating


Rating

20

The windows server 2003 service

pack 2 allows local users to obtain

sensitive information from kernel

memory and cause a denial of service

Effectiveness is high since regular

updates are done. Possibility of

threat occurring is low since there

are only few users granted access.

Moderate Confidentiality,

Availability of

authentication

data could be

compromised.

High

21

The windows server 2003 service pack 2 allows local users to gain

privileges via a Trojan horse cmd.exe

file in the current working directory,

as demonstrated by a directory that

contains a .bat or .cmd file

Effectiveness is high since regularupdates are done. Possibility of

threat occurring is low since there

are only few users granted access.

Low Confidentiality,Integrity and

Availability of

authentication

data could be

compromised.

High

22


pack 2 allows local users to obtain

write access to the PATHRECORD

chain, and consequently gain

privileges

Effectiveness of controls are high

since regular updates are done.

Possibility of threat occurring is

low.

Low Confidentiality,

Integrity and

Availability of

authentication

data could be

compromised.

High




34

Risk


Risk

Likelihood

Rating


Rating

23

Race condition in windows server

kernel mode drivers allow local users

to gain privileges


since regular updates are done.

Possibility of threat occurring is

low.


Integrity and

Availability of

authentication

data could be

compromised.

High

24


pack 2 allow remote attackers to

bypass intended IPv4 source-address

restrictions via a mismatched IPv6

source address in a tunneled ISATAP

packet


since the firewall protection is

available. Probability of threat

occurring is low.

Low Confidentiality

and Integrity of

authentication

data could be

compromised.

Moderate

25

Windows server 2003 service pack 2

does not properly allocate memory,

which allows physically proximate

attackers to execute arbitrary code or

cause a denial of service by

connecting a crafted USB device


since limited number of users

have access to the domain

controller. Probability of threat

occurring is low.


Integrity and

Availability of

authentication

data could be

compromised.

High




35

Risk


Risk

Likelihood

Rating


Rating

26

The Client/Server Run-time

Subsystem in Windows server 2003

service pack 2 does not properly

handle objects in memory, which

allows local users to gain privileges

via a crafted application




controller. Probability of threat

occurring is low.

Low Confidentiality

and Integrity

and Availability

of

authentication

data could be

compromised.

High

27

Microsoft Windows Server 2003 SP2

allow remote attackers to execute

arbitrary code via a crafted OLE

object in a file


since remote access is not granted

to the domain controller.

Probability of threat occurring is

low.

Low Confidentiality

and Integrity

and Availability

of

authentication

data could be

compromised.

High

28


allow remote attackers to execute

arbitrary code via a malformed

asynchronous RPC request




controller. Probability of threatoccurring is low.

Low Confidentiality

and Integrity

and Availability

ofauthentication

data could be

compromised.

High




36

Risk


Risk

Likelihood

Rating


Rating

29

Backups are written into optical disks

without encrypting

Effectiveness of controls are low

since no encryption. Probability

of risk occurring is moderate.

High Confidentiality

and Integrity of

authentication

data could be

compromised.

High

30

Theft, misplace of the backup mediawhile physically delivering

Effectiveness of controls are low.Probability of risk occurring is

low.

Moderate Confidentialityand Integrity

and Availability

of

authentication

data could be

compromised.

High

31

The Operating System image is not

backed up. Therefore in case of OS

failure, OS image and all the patch

updates need to be done from the

beginning

Effectiveness of controls are low

since the whole OS image is not

backed up. Probability of risk

occurring is moderate.

High Availability of

authentication

data could be

compromised.

Moderate

32

The current operating system that

runs on the domain controller isWindows server 2003. Windows will

stop providing support for this OS

from 2015 May

Effectiveness of controls are

moderate since patch updates aredone. Probability of risk

occurring is moderate.

High Confidentiality

and Integrityand Availability

of

authentication

data could be

compromised.

High




37

Risk


Risk

Likelihood

Rating


Rating

33

The current procedure, user sends a

request through the department head

to the IT department manager to

delete user accounts of the employee

who left the organization. This

process is time consuming

Effectiveness of controls are

moderate since there’s existing

process but it’s time consuming.

Probability of risk occurring is

low.

Low Confidentiality

and Integrity of

authentication

data could be

compromised.

High




38

8.

Overall Risk Determination & Recommendations

Table 8.1 Overall Risk Rating

Risk

No. Risk Summary

Risk

Likelihoo

d Rating

Risk

Impact

Rating

Overall Risk

Rating

Recommendation

1 Backups are written into optical disks

without encrypting High High High (Score 100)

Backups need to be written in

write once disks and must beencrypted and signed with a

message digest

2

The current operating system that runs on

the domain controller is Windows server

2003. Windows will stop providing

support for this OS from 2015 May High High High (Score 100)

OS should be upgraded to the

latest version

3

The system is protected through

gateprotect hardware firewall; failure of

this firewall can result in increasing the

likelihood of other risks being exploited. Moderate High Moderate (Score 50)

It is a good practice to use

multiple firewalls to keep

functioning even when one

firewall fails.

4The windows server 2003 service pack 2

allows local users to obtain sensitive

information from kernel memory and

cause a denial of service Moderate High Moderate (Score 50)

Scan the opened ports in the

server and close the unnecessary ports.

Fix is provided through Windows

update Windows Server 2003

KB2930275




39

Risk

No. Risk Summary

Risk

Likelihoo

d Rating

Risk

Impact

Rating

Overall Risk

Rating

Recommendation

5Theft, misplace of the backup media while

physically delivering Moderate High Moderate (Score 50)

Direct network link should be

implemented to connect disaster

recovery site to the Alliance

Finance premises

6

The Operating System image is not backed

up. Therefore in case of OS failure, OSimage and all the patch updates need to be

done from the beginning High Moderate Moderate (Score 50)

OS images should be backed up

on a regular basis and should beannually tested least twice.

7

Failure of hardware or equipment may

impact the availability of the domain

controller Moderate Moderate Moderate (Score 25)

Domain controller runs on one

physical server. It is

recommended to have a mirror

server in case of primary server

failure. Furthermore, Service

Level Agreements need to be

signed with the vendor.

8 Failure in any part of the domain controller

could affect other systems being properlyfunctioning. Moderate Moderate Moderate (Score 25)

Domain controller runs on one

physical server. It is

recommended to have a mirror

server in case of primary serverfailure.

9

Disclosure of sensitive personal

information could result in identity theft

and/or system access control issues. Moderate Moderate Moderate (Score 25)

Disclosure of personal data is

mitigated to an acceptable level

using existing controls.




40

Risk

No. Risk Summary

Risk

Likelihoo

d Rating

Risk

Impact

Rating

Overall Risk

Rating

Recommendation

10

Software issues by the vendor may result

in data corruption or mission critical

system disruption. Moderate Moderate Moderate (Score 25)

Update only on need basis and

review the patches before

updating.

11

Integrity of data is not automatically tested

and unauthorized modification of data

might go unseen. Moderate Moderate Moderate (Score 25)

Implement an automated system

to check the data integrity.

12 Logs are kept in the domain controller

server Moderate Moderate Moderate (Score 25)

Logs should be kept in another

location separate from the domain

controller system.

13

Role based requests and approvals are only

communicated through emails. Currently

there is no proper documentation to track

that. Moderate Moderate Moderate (Score 25)

Proper standards and guidelines

should be created regarding

documenting role based requests.

14

Exploitation of flaws in operating system

could result in compromise of

confidentiality and integrity of personal

identity and authentication data. Low High Low (Score 10)

Even though the risk is low, it is

important to conduct regular

integrity checkups and review the

recent patch updates done.

15

Loss or theft of personal identity and

authentication data in domain controller

could affect the confidentiality and

integrity of the data. Low High Low (Score 10)

The existing controls are

sufficient enough to mitigate the

loss/theft of personal data to an

acceptable level.




41

Risk

No. Risk Summary

Risk

Likelihoo

d Rating

Risk

Impact

Rating

Overall Risk

Rating

Recommendation

16

Loss of a key person responsible for the

domain controller will result in inability to

operate system functionality, enhance

them or maintain the domain controller. High Low Low (Score 10)

Train few employees to be

responsible for maintaining the

domain controller system (have

redundancy).

17

The backup media devices containing the

restricted/sensitive data are not destroyedor recycled. Instead, currently they are

locked in a safe. Low High Low (Score 10)

Proper procedures should be

implemented in destroying themedia containing sensitive data.

18 The windows server 2003 service pack 2

allows local users to gain privileges via a

Trojan horse cmd.exe file in the current

working directory, as demonstrated by a

directory that contains a .bat or .cmd file Low High Low (Score 10)

Use monitoring tools that

examine the software's process

as it interacts with the operating

system and the network.

Use automated static analysis

tools

Use manual penetration testing,

threat modeling

19

The windows server 2003 service pack 2

allows local users to obtain write access to

the PATHRECORD chain, and

consequently gain privileges Low High Low (Score 10)

Apply the relevant updates.

Administrators are advised to

allow only trusted users to the

system.




42

Risk

No. Risk Summary

Risk

Likelihoo

d Rating

Risk

Impact

Rating

Overall Risk

Rating

Recommendation

20Race condition in windows server kernel

mode drivers allow local users to gain

privileges Low High Low (Score 10)

Disable the WebClient service



KB2813170

21

Windows server 2003 service pack 2 does

not properly allocate memory, which

allows physically proximate attackers to

execute arbitrary code or cause a denial of

service by connecting a crafted USB

device Low High Low (Score 10)

Permit local access for trusted

individuals only. Where possible, use restricted

environments and restricted

shells.



KB2998579

22

The Client/Server Run-time Subsystem in

Windows server 2003 service pack 2 does

not properly handle objects in memory,

which allows local users to gain privileges

via a crafted application Low High Low (Score 10)



KB2820917




43

Risk

No. Risk Summary

Risk

Likelihoo

d Rating

Risk

Impact

Rating

Overall Risk

Rating

Recommendation

23


allow remote attackers to execute arbitrary

code via a crafted OLE object in a file Low High Low (Score 10)

Block external access at thenetwork boundary, unless

external parties require service

Deploy network intrusion

detection systems to monitor

network traffic for malicious

activity



KB2876217

24


allow remote attackers to execute arbitrary

code via a malformed asynchronous RPC

request Low High Low (Score 10)



KB2849470

25

The current procedure, user sends a

request through the department head to the

IT department manager to delete user

accounts of the employee who left the

organization. This process is time

consuming Low High Low (Score 10)

Accounts that are no longer

needed should be identified and

removed in a timely manner

26Loss of data, software or documentation

could result in disruption of service Low Moderate Low (Score 5)

Since it takes up-to 24 hours to

full system recovery, faster

backup/recovery plans must be

implemented.




44

Risk

No. Risk Summary

Risk

Likelihoo

d Rating

Risk

Impact

Rating

Overall Risk

Rating

Recommendation

27

Poor password practices could allow

improper system access which could result

in data theft, data corruption, application

system alteration or disruption. Low Moderate Low (Score 5)

The existing password policy is

sufficient to mitigate this risk.

28

If the system is compromised, it can cause

data theft, corruption, system alterationand disruption. Low Moderate Low (Score 5)

Conduct regular integrity checks

and review access logs regularly.

29Improper execution of operational polices

can cause system alteration, theft or

disruption. Low Moderate Low (Score 5)

The operational policies are

practiced and executed well

enough to mitigate this type of a

risk.

30

Due to poor physical security,

unauthorized personal can physically

access to the domain controller which

would result in data theft or corruption. Low Moderate Low (Score 5)

The physical security levels of the

server farm is acceptable to

mitigate this risk.

31If the infrastructure is not accessible, the

staff will be unable to access to the domaincontroller system. Low Moderate Low (Score 5)

Implement redundancy in the

network infrastructure and have a

plan for immediate replacementof infrastructure hardware.

32

A natural disaster can cause power failure

in the server farm, which disable the

access to domain controller system. Low Moderate Low (Score 5)

Having alternative power

generators at least up to 48 hours

of operational time.




45

Risk

No. Risk Summary

Risk

Likelihoo

d Rating

Risk

Impact

Rating

Overall Risk

Rating

Recommendation

33

The windows server 2003 service pack 2

allow remote attackers to bypass intended

IPv4 source-address restrictions via a

mismatched IPv6 source address in a

tunneled ISATAP packet Low Moderate Low (Score 5)

Configure theDisableIPSourceRouting entry to

a value of 2



KB978338

risk assessment - alliance finance

Documents