Logistix Inc. Risk Assessment Report
SE578 - Practices for Administration of Physical & Operations SecurityKeller Graduate School of ManagementPREPARED BY: PREPARED ON: APRIL 9, 2011
Over the past several weeks an assessment of Logistix Information Security posture has been under review from the perspective of both an insider looking out hoping to protect the organizations information assets and as an outside looking in attempting to gain unauthorized access to the organizations information assets. The overall objective of this assessment is to get a clear and concise picture of the organizations security posture and determine where any and all potential vulnerabilities lie, determine who might exploit the vulnerability, the likelihood that these vulnerabilities would be exploited, the impact that the organization would suffer as a result of these vulnerabilities being exploited and the recommended courses of actions that the organization could take to mitigate these risks. This document outlines some of the most significant vulnerabilities that Logistix Inc. faces from the perspective of a hacker attempting to gain unauthorized access as well as outlines some recommended courses of action that the organization can take to mitigate those risks. In addition, this document also contains a simple Risk Assessment Matrix that summarizes the identified risks, their threat to the organization and the related courses of action that will need to be taken to mitigate the exposure of the risk.
The first risk to Logistix that has been identified is the use of an unsecure FTP server. Through the uses of an unsecure FTP all information that is transmitted is sent in clear text. This includes any usernames and passwords that are used for authentication. Since this information is allowed to be transmitted over the public Internet anyone attempting to gain unauthorized access to the organization can use free utilities to intercept traffic between the FTP server and the end user accessing information and obtain that users username and password as it is transmitted. Once this information has been obtained, it then can be used to at a minimum gain unauthorized access to the organizations FTP server and access information. Depending on the account information that has been obtained, the malicious user could potentially gain administrative privileges and ultimately access to even more information or resources. This risk is relatively severe and should be addressed quickly, particularly if the organization is only using single-factor authentication such as username and password in order to validate users on the corporate network and determine access to resources. The best solution is to implement a secure FTP solution that takes advantage of encryption through the use of Secure-Shell. With the implementation of secure FTP, the organization can continue to leverage the benefits provided by FTP, however rather than transmitting information in clear text, information is transmitted in an encrypted format. This way if someone decides to eavesdrop and attempt to gain information, rather than obtaining information such as usernames and passwords as they can now, they will only get a bunch of garbage. This is a result of the encryption algorithm used to encrypt the traffic prior to transmission and since the potential attacker doesn’t have the appropriate key to decipher the encrypted information, they will not be able to obtain any useful information.
The second risk to Logistix is in their password policy, or lack thereof. This includes the complexity of the users password, the history previously used passwords, and the frequency in which users are required to change their passwords. Since Logistix uses only a single-factor authentication system, username and password, for user authentication it is important for the user’s passwords to be complex and changed frequently. This will help prevent unauthorized users from using...
References: Bayles, A., Butler, K., Collins, A., Meer, H., Miller, E., Phillips, G. M., et al. (2007). Penetration Tester 's Open Source Toolkit (Vol. II). Burlington, MA: Syngress Publishing Inc.
F.Tipton, H. (2010). Official (ISC)2 Guide to the CISSP CBK, Second Edition. Boca Raton, FL: Auerback Publications.
Harris, S. (2010). CISSPAll-in-One Exam Guide, Fifth Edition. New York, NY: McGraw-Hill.
Mallery, J., Zann, J., Kelly, P., Noonan, W., Seagren, E., Love, P., et al. (2005). Hardening Network Security. New York, NY: McGraw-Hill.
McClure, S., Scambray, J., & Kurtz, G. (2009). Hacking Exposed 6: Network Security Secrets & Solutions. New York, NY: McGraw-Hill.
Miller, L., & Gregory, P. H. (2010). CISSP for Dummies. Hoboken, NJ: Wiley Publishing.
Please join StudyMode to read the full document