Title of Your Assessment

Title of Your Assessment

Your Name

Central Washington University

June 2, 2017

Table of Contents

Overview of Risk Assessment...... 4

Risk Measurement Criteria...... 5

Scope of Assessment...... 6

Security Controls Assessed...... 6

Areas of Concern (or Risks)...... 6

Brute force password cracking...... 7

Malware...... 7

Hackers...... 7

Risk Heat Map...... 7

Risk Mitigation...... 8

Risks to Accept...... 8

Risks to Defer...... 8

Risks to Transfer...... 9

Risks to Mitigate...... 9

Executive Summary

City Dog Walk is a small company that relies heavily on being mobile and nimble in order to compete against larger companies in the same market. As such, City Dog Walk depends upon a simple information system that consists of a CRM server and laptop that provide employees with the mobility needed to do their jobs successfully.

City Dog Walk desired a risk assessment and remediation strategy due to their heavy dependence upon technology. The company uses an integrated CRM system for tracking all customer information and processing orders and management finances so it is critical that the system remain both secure and available.

The assessment performed focused primarily on the laptops run by the City Dog Walk employees since the CRM server is physically protected whereas the laptops are exposed to the public on a daily basis. Scans and audits revealed a number of vulnerabilities, and of those the issues centered around lack of software update patch management mainly for critical security updates, and no password policy nor enforcement of the same.

By employing the Octave Allegro methodology, City Dog walk was provided with a solution plan to mitigate both of their most concerning vulnerabilities, reducing risk to the company while increasing availability of the systems.

Risk Assessment Report

Overview of Risk Assessment

The primary person at the company involved with all facets of the assessment was Taylor Isabell. We met with Taylor a total of five times over the course of four weeks, not including the visits for scans, analysis and remediations. The Octave Allegro assessment involved eight steps. After gaining management support, in this case the support of Taylor Isabell who agreed to move forward with the assessment, we proceeded to the first step which was to establish risk measurement criteria by determining the impact that vulnerabilities may have on the company.

Second step, we identified the asset profile which included the eight laptops and the CRM server. Although the profile footprint could include network infrastructure equipment, and WAN devices, these assess are embedded with limited services and no applications whereas the mobile laptops are exposed to the public on a daily basis and often times contain sensitive company information.

Third step, the information asset containers were identified, in this case Google Docs, Outlook, Excel and Skype. In each case the applications are integrated into the CRM client system and are used for managing company and customer information and communications. The combined containers, as part of a CRM system, enable the company to track customer transactions and facilitate seamless customer service. The containers often store and process sensitive customer and company information.

Fourth, the areas of concern were outlined. Taylor was mostly concerned with the laptops, the information they contain, and the programs they run (primarily the CRM integrated applications) because their mobility and lack of protection in a public place hence the possibility that sensitive information could be stolen from them. The laptops also support wireless networking making a hacking incident in a public place or malware infection over open wireless connections probable.

Fifth, we determined that the most likely threat scenarios include primarily laptop related incidents that centered around their public exposure because they are mobile. Physical access by unauthorized people is not only possible but likely, making laptop security of utmost importance to the company. In addition, the possibility of remote access via wireless by hackers in the general vicinity by leveraging vulnerable services is also a major concern.

The sixth step involved risk identification of which the two primary were lack of patch management and weak authentication policy and enforcement. The option of centralized patch management was discussed. However, since City Dog Walk is a very small company and the laptops are often not present at the main office for over a week, centralized patch management and its expense cannot be justified. Therefore, the discussion proceeded to focus on automated updates as a primary patch management facility.

Seventh step involved analyzing the risks to the assets such as physical access, malware, hackers over the network, in each case accessing the CRM software and integrated applications that contain sensitive information. Although limiting the attack surface is of primary concern, due to budget constraints the discussions focused on areas of primary concern. Since the company and most assets are mobile and most often in a public location, physical access and known vulnerabilities (exploited by malware and hackers) were determined to be the priority.

In the eighth step, the decision for type of mitigation was determined, ultimately to add a password complexity policy and enforcement for the company and also enable auto-updates for all critical assets identified. In addition, a business impact analysis of the vulnerabilities discovered through the use of vulnerability scanners, a SCAP scanner, and manual review revealed that the two major issues that required remediation were authentication and security updates. Since authentication involved trivial or no passwords, the company's information assets were easy prey for malware and hackers. Also, the lack of security patches left the systems open to attack over networks. Although the impact for both was found to be moderate to low, the possibility that sensitive information stored on the CRM server could be obtained through a malcious attack led to discussions of mitigation. Since the company is small the mitigation measures had to work on a small budget. A password policy enforcing complexity and enabling auto updates of security patches was found to be the best approach to resolving these initial issues for the company.

Risk Measurement Criteria

The primary risk measurement criteria used was by performing a business impact analysis focused on vulnerabilities surrounding the laptops used by the employees. Rating the risks in terms of impact based upon the information effected by vulnerabilities on a scale of 1 to 5, along with a qualitative assessment of the severity (either low, medium or high) multiplied together, was used to measure risk.

Each asset, the CRM software, and integrated applications including Outlook, Excel, Google Docs, and Skype, along with the laptops themselves, were analyzed using the rating system above and the possible threat scenarios that most concerned the company. The risk measurement criteria was based upon impact factors including reputation, financial, productivity, safety and health, and fines/legal penalties that could be realized should an incident occur. In each case the impact was scored to determine the level of countermeasure the company should apply to each.

Scope of Assessment

Since the company is small, the focus of the assessment was on the laptops used by the employees. The laptops are used mainly to communicate with customers and manage customer information via a CRM application that is integrated with Skype, Google Docs, Outlook and Excel. The systems not included in the assessment include the CRM server, the network infrastructure (mostly basic wireless LAN), and the mobile devices used by the employees. Hence the only assets involved in this initial assessment were the laptops, CRM application installed on the laptops, and the integrated applications including Skype, Google Docs, Outlook and Excel.

Security Controls Assessed

Table 1. Security Control Assessment
Critical Security Control Identifier / Assessment of Security Control / Results of Assessment
CSC 1.1 / Password Complexity / Not enforced.
CSC 1.2 / Software security updates / Not enabled.
CSC 1.5 / Information security policies / None

Areas of Concern (or Risks)

Unpatched/non-remediated vulnerabilies

• Threat statement: Systems vulnerable to known threats when patches not installed.
• Current Practice: Company does not enable nor enforce automatic update configuration.
• Finding: Security patches not managed and installed in a timely manner.
• Evidence: Automatic updates not installed/enabled and no security update policy.
• Impact: Moderate – enables exploitation via hackers and malware. May expose sensitive information.

Stolen Passwords

• Threat statement: Low complexity passwords are trivial to steal and guess.
• Current Practice: Company does not enable password complexity enforcement nor enforce the use of passwords.
• Finding: No password complexity policy.
• Evidence: Password complexity policy enforcement not enabled and no information security password complexity policy in the company.
• Impact: Low to moderate - could allow unauthorized access to sensitive information.

Brute force password cracking

• Threat statement: Physical or network access brute force cracking is trivial with dictionary and default password lists.
• Current Practice: Company allows easy to remember dictionary and default passwords to be used at employee discretion.
• Finding: Password complexity enforcement not enabled.
• Evidence: Password complexity enforcement not enabled on the systems.
• Impact: Low to moderate – unauthorized access to company systems can result in exposure of sensitive information.

Malware

• Threat statement: Malware can infect systems due to lack of updated security patch application.
• Current Practice: Company operating system configuration is left up to the employee so updated security patches are rarely installed.
• Finding: Patch management not enabled on the systems.
• Evidence: Automatic updates are not enabled.
• Impact: Moderate however could lead to disclosure of sensitive information.

Hackers

• Threat statement: Hackers can access company systems due to unpatched vulnerabilities that exist.
• Current Practice: Company allows employees rather than IT staff to configure patch management for the operating system and applications, and employees rarely enable this feature.
• Finding: Patch management not enabled on the systems.
• Evidence: Automatic updates are not enabled.
• Impact: Moderate however could lead to disclosure of sensitive information.

Risk Heat Map

Risk Mitigation

Risks to Accept

Initially, company management wanted to accept the risks presented, mostly because the risks themselves were not viewed as a real threat to the company. However, after reviewing the consequences that could occur if one of the identified threats were exploited, and the potential company cost and damage to company reputation, the management team elected to mitigate all identified risks.

Risks to Defer

None of the risks identified were deferred once the management team fully understood the potential cost to the company should even one of the vulnerabilities be exploited. Second, since the mitigation countermeasures recommended are very cost effective in terms of budget, and relatively little time would be required by IT staff to make the recommended changes, management agreed that it would ultimately cost the company less to mitigate than to defer the risk.

Risks to Transfer

Of all the risk identified, the one that made the most sense to transfer was the password security and update risks of the integrated Skype application because Skype account management, hence password complexity enforcement, is cloud based. However, since Skype sessions are shared by company personnel and customers, it makes more sense to mitigate using password complexity policy enforcement and requiring Skype application updates both within the integrated environment and for customers that join in Skype sessions. Furthermore, since Skype application updates tend to improve application performance as well as security, mitigation only serves to provide a better customer experience overall, which was the final reason management decided to mitigate rather than transfer.

Risks to Mitigate

The CRM system was to which the employee laptop connects was of primary concern. Although the system provides the company with a centralized client from which to manage customer information, finances, and communications, which ultimately increases business efficiency, the centralized nature of the integrated CRM system leaves the entire company financial state as well as that of customers, at risk if even one password on any of the laptops is compromised. Furthermore, since the CRM system and laptops are not actively monitored to ensure that they are up to date with the latest security patches, it is likely that most of the laptops and the CRM applications installed on the laptops have known vulnerabilities that can be exploited by both hackers and malware. For this reason company management, lead primarily by Taylor Isabell, elected to mitigate these main vulnerabilities rather than to accept, defer or transfer the same because the risk to the company and the potential for a serious information security incident when the vulnerabilities are ignored is simply too great.

Password vulnerabilities due to the use of simple dictionary passwords, birth dates, addresses, default passwords, and even blank passwords, were all permissible within the company and on company computers and software before the assessment was performed. The mitigation activities to resolve this vulnerability started with a meeting of all stakeholders to gain an understanding as to why trivial and default passwords were allowed in the company. It was found that the primary reason is that no one had ever paid much attention to the issue, unaware of the consequences and how easy it would be to access company information with easy to guess or brute force passwords. Since the company is small as is the list of management stakeholders, the meeting concluded with a decision to enforce a password complexity policy. A template RMF password complexity policy was presented from which the company password complexity policy was generated. It was decided that the password complexity enforcement feature in the Windows operating system on the laptops and in the integrated CRM application (it turns out the CRM application also supports password complexity) would be enabled in order to enforce the new company policy. The company IT tech will apply the changes to the company computers and CRM applications within a five day period starting June 12 and ending June 16th because the laptops would all be located at the office during that time. A follow-up assessment to verify the settings changed is set for the week of August 28. Since passwords are a very weak form of authentication the company should really move to strong two factor authentication. However, due to the cost the company management decided to defer such mitigation until Q4 of this year.

Vulnerabilities due to lack of updated software was also discussed at the stakeholder meeting mentioned above. During that meeting it was decided to move forward with mitigation that involves enabling automatic updates on all the company computers to retrieve updates from Microsoft automatically. In addition, updates for the integrated CRM software will be manually checked on a bi-weekly basis and updates installed on all systems immediately when new updates are available. The company will also subscribe to the CRM software vendor email notification system so that the company is immediately notified when security updates are available for download. The company IT tech is responsible for enabling all of the aforementioned changes during the same week that the password complexity policy enforcement is enabled. The follow-up assessment to ensure that all systems remain with auto-updates enabled and functioning properly is also the week of August 28 of this year. The company is willing to accept the residual risk that occurs due to the updates not being centralized and also not being tested on company systems prior to installation. Although the risk is small, there is a chance that systems become unavailable and require repair if an update disables the CRM application, for example. However, since the systems are backed-up at least once a quarter, the management team believes that the proposed configuration is appropriate for the company at this time.

Octave Allegro Worksheets

Allegro Worksheet 1 / Risk Measurement Criteria – Reputation and Customer Confidence
Impact Area / Low / Moderate / High
Reputation / Reputation is minimally affected; little or no effort or expense is required to recover. / Reputation is damaged, and some effort and expense is required to recover. / Reputation is irrevocably destroyed or damaged.
Customer Loss / Less than 20% reduction in customers due to loss of confidence / 20 to 50% reduction in customers due to loss of confidence / More than 50% reduction in customers due to loss of confidence