
{COMPANY}

2015 Spring Semester


Assessment

NTS465-D150101

{COMPANY}

Spring-2015-Assessment

VERSION CONTROL

Version   Version Date        Version Type
1.0       11 April 2015       Rough Draft
1.5       13 April 2015       Draft
2.0       19 April 2015       Final
2.5       30 October 2015     Redaction

1|Page


AUTHORS
Project Manager:

Welch, Kenneth

Programmatic Team:

Burnes, Olena
Diley, Nicholas
Granda, Emilio
Olander, Christopher
Torzala, Aaron
Wells, Kristofer
Wright, Douglas

Technical Team:

Schultheiss, Austin
Olson, James
Berube, Joshua
Burnham, Edward
Cope, Zachary
Foleno, Capri
Guile, Ian
Hill, Christopher
Leifson, Angela
Ross, Cleavon


TABLE OF CONTENTS
Version Control ..............................................................................................................................................1
Authors ...........................................................................................................................................................2
Executive Summary .......................................................................................................................................5
Project Objectives ......................................................................................................................................5
Timeline .....................................................................................................................................................5
Scope ..........................................................................................................................................................6
Rules of Engagement .............................................................................................................................6
Programmatic Team ...............................................................................................................................6
Technical Team ......................................................................................................................................6
Summary of actions that will not be allowed.........................................................................................6
Information Criticality Matrix ...................................................................................................................7
System Criticality Matrix ...........................................................................................................................7
Programmatic Team .......................................................................................................................................8
Summary ....................................................................................................................................................8
Documentation Overview ..........................................................................................................................8
Disaster Recovery Plan ..........................................................................................................................8
Physical and Logical Infrastructure Maps .............................................................................................8
Employee Policies ..................................................................................................................................9
IT Security Measures ...........................................................................................................................10
{COMPANY} Workstation Policy ......................................................................................................10
Terminating Employee Accounts ........................................................................................................10
Windows Server Installations ..............................................................................................................10
Recommendations ................................................................................................................................10
Interviews .................................................................................................................................................11
Findings ...............................................................................................................................................11
Recommendations ................................................................................................................................13
{HIPAA} ..................................................................................................................................14
Findings ...............................................................................................................................................14
Remediation .........................................................................................................................................14
PCI ...........................................................................................................................................................15
Findings ...............................................................................................................................................15

Remediation .........................................................................................................................................15
Technical Team ............................................................................................................................................16
Summary ..................................................................................................................................................16
Overall Network Security ........................................................................................................................18
RECON - BASED ON PUBLIC KNOWLEDGE ...............................................................................18
Findings ...............................................................................................................................................20
Wireless APs ............................................................................................................................................21
Findings ...............................................................................................................................................21
Remediation .........................................................................................................................................21
Physical Security ......................................................................................................................................21
Findings ...............................................................................................................................................21
Remediation .........................................................................................................................................22
References ....................................................................................................................................................23
Appendix ..................................................................................................................................................23
Technical Bulk Data Area ....................................................................................................................23


EXECUTIVE SUMMARY
This project covers a full security assessment and evaluation of the client institution, {COMPANY}
({COMPANY}). Two teams, technical and programmatic, were used during this evaluation for a more
complete assessment. Working closely with the client, the teams identified critical information and
systems for this institution, laid out the scope, created an agreed-upon timeline, and conducted an
assessment using a full range of network security tools and techniques. The gathered information is
compiled into this report with the purpose of identifying issues and creating recommendations for
further improvement of {COMPANY} security.
PROJECT OBJECTIVES
Project objectives consisted of, but were not limited to, identifying issues and deficiencies in
documentation, policies and standard operating procedures, networking infrastructure, host setup,
applications, web applications, and employee standards. The overall goal of this security assessment is
to improve the security posture of the customer, {COMPANY}.
TIMELINE


SCOPE
RULES OF ENGAGEMENT
The rules of engagement stipulate how the assessment team will carry out its tasks and define the
limitations requested by the customer. The scope of activities covers both teams and specifies exactly
what will be carried out over the duration of the assessment. As per the initial agreement, the rules of
engagement are understood as follows:
PROGRAMMATIC TEAM
1. Request existing company documentation and policies (HR, IT, C-level).
2. Conduct anonymous interviews with employees at different levels of the corporation.
3. Assess general understanding of security concepts and security policies of employees.
4. Assess policies and training practices for compliance with {HIPAA}, PCI-DSS 3.0, and other
regulations.
5. Define criticality matrixes and assess specific plans on Disaster Recovery and Incident Response.
6. Assess access controls and define what employee types can access sensitive information.

TECHNICAL TEAM
1. Request existing company documentation and network infrastructure and necessary services.
2. Obtain exclusion list that will remain hands-off for the duration of this assessment.
3. Obtain logs and scans of items on the exclusion list or facilitate a testing environment with these
services.
4. Perform unobtrusive network scans to compare with provided infrastructure documentation.
5. Perform vulnerability scans on network equipment per designated times.
6. Perform vulnerability scans on services internally. External services excluding specified web sites
will require coordination with points of contact before being tested.
7. Perform vulnerability evaluation on physical machines selected by points of contact.
8. Perform physical security vulnerability tests.
9. Assess the defensive measures already in place (IDS/IPS, Centralized Logging, Firewalls,
Encryption, Access Controls, Network Segmentation, VPNs)
10. Assess the wireless networks, the access points, and overall security for those networks.
SUMMARY OF ACTIONS THAT WILL NOT BE ALLOWED
1. No exploitation will be carried out unless explicitly requested by the customer points of contact,
and any such exploitation must be done within a provided testing environment.
2. Trust gained through the interview process will not be used for other exercises. Any employees
interviewed will be excluded from further activities.
3. Impact on services in use must be kept to a minimum; to this end, tools will be configured to favor
low impact over speed.


INFORMATION CRITICALITY MATRIX

Information                                  Confidentiality   Integrity   Accessibility
{CUSTOMER} Records                           High              High        Medium
Financial Records                            High              High        Medium
Human Resources Records                      High              High        Medium
Operational Records                          High              High        Medium
IT Resource Records                          High              Medium      Medium

SYSTEM CRITICALITY MATRIX

System                                       Confidentiality   Integrity   Accessibility
Email                                        Medium            Medium      Medium
AD, DNS, and other internal software         High              High        High
{CUSTOMER} Information System {REDACTED}     High              High        High
Finance and Accounting Systems               High              High        Medium
Website                                      Medium            High        High
Intranet                                     Medium            Medium      High
{REDACTED} System {REDACTED}                 Medium            High        High


PROGRAMMATIC TEAM
SUMMARY
The Programmatic Team (IAM) is responsible for ensuring that all INFOSEC Assessment Methodology
(IAM) requirements and goals are identified, laid out in an accessible manner and tangibly achieved.
Through programmatic team collaboration, all appropriate documentation was acquired in a timely manner
and reviewed securely, gaps in documentation were identified, and recommendations were created.
Additionally, the programmatic team communicated with the project manager and the technical team (IEM)
to validate and verify information in the policies and procedures. Conducting employee interviews using
a top-down programmatic approach was also one of the overall team taskings.
DOCUMENTATION OVERVIEW
During the pre-assessment phase of the project, the following documents were received from the client
for review:
1. Disaster Recovery Plan
2. Physical and Logical Infrastructure Maps
3. Employee Policies
4. IT Security Measures
5. {COMPANY} Workstation Policy
6. Terminating Employee Accounts
7. Windows Server Installations

DISASTER RECOVERY PLAN


The purpose of a disaster recovery (DR) plan is to analyze business processes and define the
company's continuity requirements. Through creation of a disaster recovery plan, different risks may be
identified and preventative steps implemented, in addition to creating plans and procedures for the
event of a disaster.
The provided disaster recovery plan consisted of one page identifying mission critical services and
allowable downtime. This is an important beginning of a DR plan, but it needs to be completed further,
starting with identifying possible threats, then risk assessment and risk mitigation techniques, and
finally defining disaster recovery procedures and teams.
The current {COMPANY} disaster recovery plan is incomplete.
PHYSICAL AND LOGICAL INFRASTRUCTURE MAPS
Provided documentation contained {NETWORK} Logical Map, {NETWORK} Physical Map
{REDACTED}, {NETWORK} Physical Map - IDF/MDF, {NETWORK} Physical Map {REDACTED},
Network-Map_Revision4 and Public-IP-Addresses_OLD.


Recommendations include adding detail to the physical/logical maps and keeping the information as up to
date as possible. In addition to adding a physical map to account for {COMPANY}-owned machines and
their placement in the infrastructure, security devices such as {COMPANY} cameras should also be
added to the infrastructure maps.
EMPLOYEE POLICIES
The provided employee policies contained:
1. {REDACTED} Freedom Policy
2. Accidents Policy
3. Affirmative Action & Equal Opportunity Policy
4. Americans with Disabilities Act Employment Responsibilities Policy
5. Bereavement Leave Policy
6. Budget Policy, Building Evacuation Policy
7. {BUILDING} Safety Policy
8. Change of Address or Family Status Policy
9. {COMPANY} Policy on Drugs and Alcohol Policy
10. {COMPANY} Staff and {EMPLOYEE} Compensation Plans
11. Continuing Education & {COMPANY} Scholarship Program Policy
12. Dress Code Policy, Employee Code of Conduct
13. Employee Dependent Educational Benefits Policy
14. Employment Termination
15. Gambling and Money Schemes
16. Federal Work Study (FWS) Policy
17. Hiring Policy
18. Hours of Work and Overtime Policy
19. Kudo Awards Policy
20. Mass Communication Policy
21. Moonlighting Policy
22. Parking Policy
23. Policy on Policy Creation
24. Sexual Harassment Policy
25. {CUSTOMER} Relations Policy
26. Systems Usage Policy
27. Time off Policy
28. {REDACTED} non-discrimination policy
29. Travel Policy
30. {COMPANY} Purchases Policy
31. {COMPANY} Vehicle Policy
Existing policies should be made available to all {CUSTOMERS} and employees/{EMPLOYEE}. Information
gathered during the interviews showed that existing policies are not commonly known and that there is
no way to access them.


Additional detail should be added, and the policies should be separated and physically printed. Current
policies are all located in one file with no easy way to navigate it.
IT SECURITY MEASURES
IT security measures currently exist as a page on the {COMPANY} intranet website. A physical
document was not provided, only a screenshot of the webpage. An actual living document should be
created and updated as needed, in both physical and electronic form, in addition to the web site.
Each section of the IT Security Measures page requires more detail and development, in addition to
removal of formatting/spelling errors.
The IT Security Measures page should be easily accessible, and every {CUSTOMER}/employee should be
able to navigate to it.
{COMPANY} WORKSTATION POLICY
The {COMPANY} Workstation Policy is informative but outdated and should be updated. In addition to
the description and overview of system domains and naming conventions, the Workstation Policy should
also include security considerations and needs to be updated regularly.
TERMINATING EMPLOYEE ACCOUNTS
Terminating Employee Accounts was not an actual policy but a step-by-step account removal process
guide.
It is recommended that, in addition to the technical account removal instructions, an actual policy be
created and added to the document.
WINDOWS SERVER INSTALLATIONS
Windows Server Installations is a series of screenshots designed to assist in the Windows Server
installation process. It is recommended that the screenshots be combined into one document and an
official guide be created.
RECOMMENDATIONS
In addition to improving and expanding on existing documentation, it is recommended that the following
policies and regulations be added:
1. {Health Insurance Portability and Accountability Act} ({HIPAA})
2. {COMPANY} {BUILDING} Access Procedures/Physical Security Policy
3. Lost ID Badge Policy
4. Fire Prevention Related Policies
5. Substance Abuse
6. Monitoring (paperwork, computers, business phones, etc.)
7. Network Policy
8. Hacking Policy
9. System Usage and User Training
10. Email Usage Policy
11. Web Content Policy
12. Software Policy
13. Password Policy
14. Backup and Recovery Policy
15. Remote Access Policy
16. BYOD Policy
17. Duties and Responsibilities for each existing position

It is recommended that the existing policies bunched into the Employee Policies file be separated and
elaborated on in greater detail. Each of the existing policies should be printed and provided to each
department in addition to being electronically available.
Technical guides should also be created for Server Installations, Image Creation, and Domain and
Network Maintenance. Tasks that are performed by different departments, including IT, are not
documented and procedures are not accounted for. Good operating procedures, guides and documentation
remove obscurity about who performs which function, and give current and future employees a clearer
definition of how to perform required tasks.
INTERVIEWS
During the course of this security assessment, employee interviews were conducted to gain more
contextualized data for our review. The interviews were conducted using the top-down approach, starting
from the {COMPANY} President and vice-president, then the Marketing department, Finance department
{REDACTED}, {CUSTOMER} Services, {DEPARTMENT}, {DEPARTMENT}, Physical Security
department, IT department, {BUILDING} Operations, {COMPANY} {EMPLOYEES} and
{CUSTOMERS}.
FINDINGS
{DEPARTMENT} employees were interviewed in the course of the security assessment. During the
interview, questions were asked about filing procedures and whether backups are in place for {CUSTOMER}
financial records. It was indicated that financial records are stored on the {COMPANY} {NETWORK}
drive and that physical copies are filed away as well. {CUSTOMER} records are kept for up to seven
years before being destroyed.
Another question asked the interviewees to describe the training process for employees who work within
the {DEPARTMENT}. It was indicated that standard operating procedures are in place for all employees
and that employees receive training at least once every year. {COMPANY} certifying officials who work
with {CUSTOMER} veterans receive annual training from the Department of Veterans Affairs in order to
be up to date on any changes to veteran {REDACTED} benefits. {DEPARTMENT} employees were
asked to give an opinion on the physical security state of the {DEPARTMENT}. It is believed that the
{DEPARTMENT} is as safe as it should be at the moment.
{DEPARTMENT} representatives and employees were also interviewed within the {DEPARTMENT}
throughout the course of the security assessment. Questions presented concerned the handling of
confidential information and the availability of said information. Files are kept on network drives,
within the {NETWORK} drive, that are accessible only by the respective departments; copies of the
information are also kept locally on machines or on personal storage devices. Physical documents are
locked up in various cabinets across the extent of the {DEPARTMENT}, including but not limited to
{CUSTOMER} applications, {REDACTED}, and receipts of payment.
Standard training is not enforced; instead there are weekly meetings where team building and outside
information may be presented, but there is no set standard or yearly meeting that must be attended.
Training on various compliance policies is enforced by the staff, {HIPAA} being one of the larger ones.
Security training is minimal across the staff and follows a top-down approach, in which managers are
made aware of new malicious activity. This generally covers policies such as passwords, phishing and
malicious software exploitation. Newsletters are also spread throughout the departments in an effort to
share current news, but there is no other large-scale security solution.
The {EMPLOYEES} at the front ensure that {CUSTOMERS} check in with them before proceeding
back to an employee's desk, and screen covers are on most monitors to ensure that private
{CUSTOMER} information cannot be read by someone simply peeking over another's shoulder. As
they handle potentially confidential information, it is critical that these systems be in place and that
any outside visitor be required to check in before access is permitted.
{EMPLOYEES} at the front desk are not trained to enforce access to the {DEPARTMENT}. In the
course of the security assessment, several of the designated team members were able to simply walk back
into the {DEPARTMENT} and acquire system names off of the machines (from the stickers on the front
of the towers) without being challenged as to their identity and purpose. There is little to no
enforcement amongst the employees and staff, from which the team concluded that it would be possible
for an outside entity to come in and take or leave documentation at will.
This remains a persistent issue, as the open nature of the {DEPARTMENT} offers a large vantage
point for anyone seeking information. Processing of confidential information is done within the
{DEPARTMENT}, which includes all information contained within the {REDACTED}, along with
{REDACTED} progress, applications to the {COMPANY}, and an excess of {REDACTED}. When
brought into question, concern was hinted at for the well-being and sanctity of the documents within
the {DEPARTMENT}: machines may be compromised, and physical mail or documents may be taken or
left behind. As all mail throughout the {COMPANY} is handled through the {DEPARTMENT} and the
{DEPARTMENT}, this is a large gap in security, which could have varying results.


From the information gathered while conducting interviews with the IT department, there seems to be a
lack of knowledge and information on what is actually being backed up. For the most part we know that
the important data is being backed up, but not exactly what is being backed up where, or whether things
that should be backed up are, in fact, being backed up.
The impact of this finding could potentially be large. Where things are backed up raises two concerns.
The first is whether the backups, wherever they are, are secured to a certain level of protection. The
second is whether, if something were to happen (hardware failure, natural disaster, etc.), the
{COMPANY} would be able to get back online as soon as possible without losing any important
information. This might not necessarily be a leak of information, but just a loss in general, where a
{CUSTOMER}'s {REDACTED} or payment history is lost.
RECOMMENDATIONS
Interviewed employees answered all of our questions to the best of their knowledge and ability and gave
great feedback. One particular question asked of a {DEPARTMENT} was whether or not the department
is PCI compliant and/or whether it is even required to be PCI compliant. Employees did not know what
PCI was when asked these questions. If the {DEPARTMENT} manages payments from {CUSTOMERS}
using any form of payment card, it should be following PCI standards to ensure that {CUSTOMER}
financial information is protected.
The first step that should be completed would be to create some sort of chart or map that shows what
information is being backed up and where. From there, any additional items that need attention can be
prioritized based on potential impact. After both of these are completed, the changes can be
implemented. Overall, this would most likely take quite a bit of time but not much money, since it does
appear the {COMPANY} has current systems in place that would need adjusting, if anything. As for time,
the initial evaluation and documentation could take anywhere from 1-2 weeks and the implementation
could be spread out over the course of 2-6 months.
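The following script illustrates the recommended chart of what is backed up and where, joined with the report's Information Criticality Matrix so that gaps surface in priority order. It is an added example, not part of the assessment report or any tooling the client uses: the C/I/A ratings are copied from the matrix above, while the backup inventory, its locations, dates and the seven-day/one-year thresholds are constructed for illustration.

```python
"""Backup coverage check against the information criticality matrix.

Added example; not part of the assessment report or the client's tooling.
It assumes two constructed inventories: the C/I/A ratings copied from the
report's Information Criticality Matrix, and a hypothetical backup inventory
of the kind the report recommends compiling (what is backed up, where, and
when). Asset names, locations and dates are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# (Confidentiality, Integrity, Accessibility) as rated in the report's matrix.
CRITICALITY = {
    "Customer Records": ("High", "High", "Medium"),
    "Financial Records": ("High", "High", "Medium"),
    "Human Resources Records": ("High", "High", "Medium"),
    "Operational Records": ("High", "High", "Medium"),
    "IT Resource Records": ("High", "Medium", "Medium"),
}

SCORE = {"High": 3, "Medium": 2, "Low": 1}

# Date used as "today": the report's final version date.
ASSESSMENT_DATE = date(2015, 4, 19)


@dataclass
class BackupRecord:
    asset: str
    location: Optional[str]           # None: nobody could say where it is backed up
    last_backup: Optional[date]       # None: no backup on record
    last_restore_test: Optional[date]
    encrypted_at_rest: bool


# Constructed (hypothetical) backup inventory, the "chart or map" the report asks for.
INVENTORY = [
    BackupRecord("Customer Records", "offsite tape", date(2015, 4, 10), date(2015, 1, 5), True),
    BackupRecord("Financial Records", "{NETWORK} drive snapshot", date(2015, 4, 12), None, False),
    BackupRecord("Human Resources Records", None, None, None, False),
    BackupRecord("Operational Records", "nas-01", date(2015, 2, 1), None, True),
]


def priority(asset):
    """Highest of the asset's C/I/A ratings as a number; 0 if the asset is unrated."""
    ratings = CRITICALITY.get(asset)
    return max(SCORE[r] for r in ratings) if ratings else 0


def find_gaps(inventory, ratings, today, max_age_days=7, max_restore_age_days=365):
    """Return (asset, issue) pairs, most critical asset first.

    Checks: a backup exists and is recent, a restore has been tested within a
    year, high-confidentiality data is encrypted at rest, and every rated asset
    appears in the inventory at all.
    """
    gaps = []
    seen = set()
    for rec in inventory:
        seen.add(rec.asset)
        if rec.location is None or rec.last_backup is None:
            gaps.append((rec.asset, "no backup recorded"))
            continue
        if (today - rec.last_backup).days > max_age_days:
            gaps.append((rec.asset, f"backup older than {max_age_days} days"))
        if rec.last_restore_test is None or (today - rec.last_restore_test).days > max_restore_age_days:
            gaps.append((rec.asset, "restore never tested or test older than a year"))
        confidentiality = ratings.get(rec.asset, ("Low", "Low", "Low"))[0]
        if confidentiality == "High" and not rec.encrypted_at_rest:
            gaps.append((rec.asset, "high-confidentiality data backed up unencrypted"))
    for asset in ratings:
        if asset not in seen:
            gaps.append((asset, "not in backup inventory at all"))
    # Sort by criticality (descending), then asset name and issue for stable output.
    gaps.sort(key=lambda g: (-priority(g[0]), g[0], g[1]))
    return gaps


def assessment_gaps():
    """Gaps for the constructed inventory as of the assessment date."""
    return find_gaps(INVENTORY, CRITICALITY, ASSESSMENT_DATE)


if __name__ == "__main__":
    for asset, issue in assessment_gaps():
        print(f"{asset:<26} {issue}")
```

The two concerns named in the finding map onto two of the checks: the encryption flag addresses whether backups are secured to a level matching the data's confidentiality rating, and the restore-test age addresses whether the {COMPANY} could actually get back online after a loss. An asset that appears in the criticality matrix but not in the inventory is reported as well, since that is exactly the "we do not know whether it is backed up" case the interviews surfaced.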
The need for consistent security is ever increasing for each department, most notably in the
{DEPARTMENT}. The office hours of the {DEPARTMENT} representatives differ from those of the
Security staff, and there are no {EMPLOYEES} on site for the beginning portion of the shifts either.
This poses a problem given the nature of the information handled by the department alone. This
information includes the applications, {REDACTED}, and documents pertaining to {REDACTED}
status for the {CUSTOMER}. It is recommended that there be external storage containers for these
documents, or additional physical security, as the current storage containers and boxes that hold this
information are accessible with a key that is kept in a container that is not locked. The keys are in an
open area where anyone who knows of their presence could grab them and gain access not only to the
mailroom with the cart and {REDACTED} supplies, but also to the drawers that contain {CUSTOMER}
request forms and {REDACTED}. The same could be said for the storage closets within the
{DEPARTMENT} as well.
Formal training was a topic that was brought up consistently; however, the departments interviewed did
not have a concise plan to work from in terms of security training. Aside from regulatory policies like
{HIPAA} and PCI, there is little to no training except by word of mouth in regards to policies concerning
matters such as passwords, malicious attempts, and how to handle such issues. One recommendation to
mitigate such risks is to hold yearly or {REDACTED} sessions in which the departments are informed of
different attempts and schemes that may or may not be carried out against them. By enforcing proper
policies and procedures beforehand, damage from a compromised account can be limited or mitigated, and
proper office procedures, such as keeping screens and documents hidden from public view, can be
reinforced, along with an understanding of varying situations.
{HIPAA}
{Health Insurance Portability and Accountability Act} ({HIPAA}) governs {REDACTED} records,
{REDACTED} record modifications/amendments and {REDACTED} record disclosure, including
additional personal information. {HIPAA} is a federal law that applies to every {REDACTED} and
defines the rights of {CUSTOMERS}, {CUSTOMERS} and other eligible {CUSTOMERS} in regards to
{REDACTED} records.
FINDINGS
{HIPAA} requires an annual notification to eligible {CUSTOMERS} and {CUSTOMERS} of their
rights under this federal law.
During a disclosure event of {REDACTED} records, the eligible {CUSTOMER} or {CUSTOMER} should
be notified of the occurrence of the disclosure.
All applicable {HIPAA} information should be documented in the form of policies/regulations or
operating procedures and made available to employees, eligible {CUSTOMERS} and {CUSTOMERS}.
REMEDIATION
In accordance with {HIPAA}, {COMPANY} should annually notify {CUSTOMERS} of
{CUSTOMERS} currently in {REDACTED}, or eligible {CUSTOMERS} currently in {REDACTED},
of their rights under {HIPAA}. As part of the annual notification requirement, eligible {CUSTOMERS}
and {CUSTOMERS} should be informed of their rights to inspect, review, seek amendments, consent to
disclosures, and file complaints with {REDACTED}, and of the qualifying {COMPANY} official
definitions in regards to {REDACTED} records.
Annual {HIPAA} notifications should also be available to eligible {CUSTOMERS} and
{CUSTOMERS} who are disabled or communicate in languages other than English.
In accordance with {HIPAA} {REDACTED}, {COMPANY} should make a reasonable attempt to notify
the eligible {CUSTOMER} or {CUSTOMER} of a conducted disclosure of {CUSTOMER} records.
{COMPANY} should compile relevant {HIPAA} regulations and make them available to all employees,
{CUSTOMERS} and {CUSTOMERS}. Currently no {HIPAA} documentation or SOPs are available.
{COMPANY} should regularly review information in the {REDACTED} records that is tagged as
Directory Information and that may be made public without restriction under {HIPAA}. Information
designated as Directory Information may be released upon request even if the {CUSTOMER} prohibited
release of {REDACTED} records in writing.
PCI
The Payment Card Industry (PCI) Data Security Standard (DSS) was created by the PCI Security Standards
Council to maintain the technical and operational security of cardholder data used during monetary
transactions. PCI standards apply to any entity that stores, processes or transmits cardholder data.
{COMPANY} is one such entity and must adhere to the PCI Data Security Standard.
FINDINGS
The team conducted numerous interviews with various individuals, and PCI was brought up in a number
of them. Unfortunately, none of the interviewees were able to give the assessment team a clear-cut
answer on whether the company is PCI compliant. This is problematic because {CUSTOMERS} use
payment cards to make purchases at the {REDACTED} and to make payments to the {COMPANY}. The
lack of any guidelines to ensure the organization is within PCI compliance means that {CUSTOMER}
financial data may not be protected the way it should be.
REMEDIATION
A recommendation to resolve this issue would be for the organization to look into the PCI compliance
standards and apply them based on the needs of the organization. The organization can then hold copies
of the current PCI compliance standards in physical as well as digital form in the event that it is
involved in another security assessment. One of the biggest problems that organizations face when
undergoing a security assessment is lack of documentation, and having copies of the PCI compliance
standards on hand remediates that issue.
PCI DSS requires documented security policies for each entity that requires compliance. Implementing
official {COMPANY} security policies and procedures would help achieve PCI compliance.
Security logs and conducted vulnerability scans should be reviewed and assessed at least every sixty days.

TECHNICAL TEAM
SUMMARY
The Technical Team is responsible for ensuring that all INFOSEC Evaluation Methodology (IEM)
requirements and goals are identified, laid out in an accessible manner and achieved. Through observation
and scans using various tools, including Nikto, Nmap, Wireshark and Nessus, information on the
{COMPANY}'s network as well as its physical security was obtained. This information has been reviewed
and documented to ensure that the IEM requirements were met. All scans were done with permission from
the {COMPANY}'s IT team.
Out of Scope (Off Limits)
{REDACTED}

Within Scope
{REDACTED}

OVERALL NETWORK SECURITY

For a {COMPANY}, keeping the network both secure and usable is harder than in most organizations.
Overall, however, the {COMPANY} has a good network security setup. Most of the issues found during the
on-site evaluation phase need only small changes to correct. In the Nessus scans, only three IP addresses
showed any serious vulnerabilities, and many of the issues found with the websites have either already been
fixed or are easy to fix. As a whole, minor changes are all that is necessary to improve the {COMPANY}'s
network security.
RECON - BASED ON PUBLIC KNOWLEDGE
The content below is information that is easily available to the general public and that was discovered
during the intelligence-gathering phase against the client, {COMPANY}.
This information should be treated as information that is safe for anyone to view. Where that is not the
case, the server-side configuration should be changed so that only non-sensitive information is exposed.

Description                 IP Address

www.{COMPANY}.com           {REDACTED}
intranet.{NETWORK}.com      {REDACTED}
Net Range                   {REDACTED}
DNS1.{COMPANY}.COM          {REDACTED}
DNS2.{COMPANY}.COM          {REDACTED}

Server Characteristics

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 Feb 2015 16:00:26 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.5.20
Set-Cookie: exp_last_visit=1107792055; expires=Fri, 05-Feb-2016 16:00:55 GMT; Max-Age=31536000; path=/
Set-Cookie: exp_last_activity=1423152055; expires=Fri, 05-Feb-2016 16:00:55 GMT; Max-Age=31536000; path=/
Set-Cookie: exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Thu, 05 Feb 2015 16:00:55 GMT
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
Cache-Control: public

Three things in this response are worth noting. Server: nginx and X-Powered-By: PHP/5.5.20 announce the
web server and the exact PHP version to anyone who makes a request; the PHP header can be suppressed with
expose_php = Off in php.ini. The exp_ prefix on the cookie names is the default of the ExpressionEngine
CMS, so the application is identifiable even though no generator header is sent. None of the cookies
carries the HttpOnly attribute (or Secure, if the site is also served over HTTPS), so any script injected
into a page could read them.
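The checks described above can be run mechanically against any captured response. The following script is an added example written for this edit, not tooling the assessment team used; it re-joins the response headers recorded in this section into one constructed sample, reports headers that disclose software versions, lists the cookie attributes each Set-Cookie is missing, and maps the cookie-name prefix to the CMS that sets it by default (the prefix table is an inference aid, not proof of what is running).

```python
"""Audit a raw HTTP response for fingerprinting disclosure and weak cookie attributes."""
import re

# Constructed sample: the header block recorded in the report, re-joined into one response.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Date: Thu, 05 Feb 2015 16:00:26 GMT\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Connection: close\r\n"
    "X-Powered-By: PHP/5.5.20\r\n"
    "Set-Cookie: exp_last_visit=1107792055; expires=Fri, 05-Feb-2016 16:00:55 GMT; Max-Age=31536000; path=/\r\n"
    "Set-Cookie: exp_last_activity=1423152055; expires=Fri, 05-Feb-2016 16:00:55 GMT; Max-Age=31536000; path=/\r\n"
    "Set-Cookie: exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D; path=/\r\n"
    "Expires: Mon, 26 Jul 1997 05:00:00 GMT\r\n"
    "Last-Modified: Thu, 05 Feb 2015 16:00:55 GMT\r\n"
    "Pragma: no-cache\r\n"
    "Vary: Accept-Encoding,User-Agent\r\n"
    "Cache-Control: public\r\n"
    "\r\n"
)

# Headers whose value tells an attacker which software (and often which version) is in use.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")

# Cookie-name prefixes and the CMS that sets them by default (an inference, not proof).
COOKIE_PREFIX_HINTS = {"exp_": "ExpressionEngine", "wordpress_": "WordPress"}


def parse_headers(raw):
    """Split a raw response into (status_line, [(name, value), ...]) with names lower-cased.
    A list rather than a dict keeps repeated Set-Cookie headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def audit_disclosure(headers):
    """Return (header, value, 'version disclosed' | 'product only') for each fingerprinting header."""
    findings = []
    for name, value in headers:
        if name in DISCLOSURE_HEADERS:
            has_version = bool(re.search(r"\d+\.\d+", value))
            findings.append((name, value, "version disclosed" if has_version else "product only"))
    return findings


def audit_cookies(headers, https=False):
    """Return {cookie_name: [missing attributes]}. Secure is only required on an HTTPS origin."""
    findings = {}
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        missing = []
        if "httponly" not in attrs:
            missing.append("HttpOnly")
        if https and "secure" not in attrs:
            missing.append("Secure")
        if "samesite" not in attrs:
            missing.append("SameSite")
        findings[cookie_name] = missing
    return findings


def guess_cms(headers):
    """Name the CMS suggested by cookie-name prefixes (sorted, deduplicated)."""
    hits = set()
    for name, value in headers:
        if name == "set-cookie":
            cookie_name = value.split(";", 1)[0].split("=", 1)[0]
            for prefix, cms in COOKIE_PREFIX_HINTS.items():
                if cookie_name.startswith(prefix):
                    hits.add(cms)
    return sorted(hits)


if __name__ == "__main__":
    status, hdrs = parse_headers(SAMPLE_RESPONSE)
    print(status)
    for finding in audit_disclosure(hdrs):
        print("disclosure:", finding)
    for cookie, missing in audit_cookies(hdrs, https=True).items():
        print(f"cookie {cookie}: missing {', '.join(missing) or 'nothing'}")
    print("CMS hint:", guess_cms(hdrs))
```

To audit a live host, capture the response with `curl -si http://www.{COMPANY}.com/` and pass the text to parse_headers(); pass https=True when the origin is served over TLS, otherwise the Secure check is noise.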

DNS Characteristics
{REDACTED}
WAF (Web Application Firewall) Servers Response
{REDACTED}
The images above show the registry information for the client's IP range. They also show that the DNS
servers do not appear to be configured for DNSSEC (DNS Security Extensions). The DNS servers do, however,
refuse DNS binding requests and return an error message. A further scan indicated that one of the servers
may not have firewall protection, while the other does.
Some of this information can encourage additional probing of the network, in particular the apparent lack
of a firewall in front of one of the servers and the taunting error message returned for DNS binding.
FINDINGS
Nessus
On Thursday, March 19th 2015, a Nessus scan was set up and run against the internal IT department IP range
to identify potential vulnerabilities on the {COMPANY} network. Of the hosts scanned, three IP addresses
had vulnerabilities worth looking into:
1.) {REDACTED} (clientftp.{COMPANY}.com)

Nessus reported two medium-severity and one low-severity finding on this host. The higher-priority medium
finding is the FTP plaintext command injection (most likely Nessus's STARTTLS plaintext command injection
check): a server that buffers commands received before the STARTTLS upgrade and then executes them inside
the encrypted session lets a network attacker who can inject into the plaintext phase run commands in the
victim's authenticated session. It does not by itself hand an attacker access to the server or elevated
privileges, but it undermines the protection the TLS upgrade is supposed to provide. The other medium
finding and the low finding both concern the SSL/TLS configuration: the service still accepts the obsolete
SSLv3 protocol. This is not fixed by "updating SSL"; SSLv3 must be disabled in the FTP server's TLS
configuration, which resolves both findings at once.
2.) {REDACTED/REDACTED} (it.{NETWORK}.com / employees.{COMPANY}.com)

Both hosts have the same medium-severity finding: SSLv3 is still enabled. The published attack against
SSLv3's CBC cipher suites is POODLE (Padding Oracle On Downgraded Legacy Encryption, CVE-2014-3566), in
which a man-in-the-middle forces the client down to SSLv3 and then decrypts secrets such as session cookies
one byte at a time. Both hosts already offer TLS, so the remediation is not to "implement TLS" but to
disable SSLv3 (and preferably TLS 1.0) in the server configuration and to honour TLS_FALLBACK_SCSV so that
clients cannot be pushed down to a weaker protocol version.
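Re-testing the SSLv3 findings above after remediation only needs a single handshake attempt. The script below is an added example for this edit, not part of the original assessment or its tooling: it builds a raw SSLv3 ClientHello offering the CBC suites POODLE abuses, classifies the first record the server returns (an alert means SSLv3 is refused; a ServerHello with version 0x0300 and a CBC suite means the host is still exposed), and can send the probe over a socket with probe(). The server responses used for the offline demonstration are constructed, and the host names are placeholders.

```python
"""Offline-testable SSLv3 handshake probe for the POODLE finding (CVE-2014-3566)."""
import os
import socket
import struct

SSL3 = b"\x03\x00"
# Cipher suites offered: the SSLv3-era CBC suites POODLE targets, plus RC4 for contrast.
CIPHER_SUITES = {
    b"\x00\x2f": ("TLS_RSA_WITH_AES_128_CBC_SHA", True),
    b"\x00\x35": ("TLS_RSA_WITH_AES_256_CBC_SHA", True),
    b"\x00\x0a": ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", True),
    b"\x00\x05": ("TLS_RSA_WITH_RC4_128_SHA", False),
}
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version", 86: "inappropriate_fallback"}


def build_client_hello():
    """Return an SSLv3 record carrying a ClientHello (SSLv3 has no extensions)."""
    suites = b"".join(CIPHER_SUITES)
    body = (SSL3 + os.urandom(32)                       # client_version, random
            + b"\x00"                                   # empty session_id
            + struct.pack("!H", len(suites)) + suites   # cipher_suites
            + b"\x01\x00")                              # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16" + SSL3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Interpret the first record a server sends back in answer to the SSLv3 ClientHello."""
    if len(data) < 5:
        return {"verdict": "no-tls", "detail": "server closed or sent non-TLS data"}
    ctype = data[0]
    if ctype == 0x15 and len(data) >= 7:                       # alert record: level, description
        desc = data[6]
        return {"verdict": "refused", "detail": f"alert {ALERT_NAMES.get(desc, desc)}"}
    if ctype == 0x16 and len(data) > 43 and data[5] == 0x02:   # handshake record, ServerHello
        version = data[9:11]                                   # server_version
        sid_len = data[43]                                     # after 32-byte random
        if len(data) < 46 + sid_len:
            return {"verdict": "unknown", "detail": "truncated ServerHello"}
        suite = data[44 + sid_len:46 + sid_len]
        name, cbc = CIPHER_SUITES.get(suite, (suite.hex(), False))
        if version == SSL3:
            verdict = "sslv3-cbc (POODLE exposed)" if cbc else "sslv3-non-cbc"
        else:
            verdict = "negotiated-other-version"
        return {"verdict": verdict, "detail": f"ServerHello {version.hex()} suite {name}"}
    return {"verdict": "unknown", "detail": f"record type {ctype:#x}"}


def probe(host, port=443, timeout=5):
    """Send the probe to a live host and classify its answer (network access required)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        return classify_response(sock.recv(4096))


# Constructed server answers for the offline demonstration.
SAMPLE_ALERT = b"\x15\x03\x00\x00\x02\x02\x28"   # fatal handshake_failure: SSLv3 refused


def make_server_hello(version, suite):
    """Build a minimal ServerHello record (empty session id, null compression)."""
    body = version + bytes(32) + b"\x00" + suite + b"\x00"
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + version + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    print("refusing server:", classify_response(SAMPLE_ALERT))
    print("SSLv3+CBC server:", classify_response(make_server_hello(SSL3, b"\x00\x2f")))
    # Live use, placeholder host: probe("employees.{COMPANY}.com", 443)
```

For an FTP service the probe is sent after the AUTH TLS exchange rather than on connect; the classification logic is the same. On the web servers the fix is one directive, for example `ssl_protocols TLSv1.2 TLSv1.3;` in nginx, and a re-run of the probe should then return the "refused" verdict.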

WIRELESS APS
FINDINGS
{NETWORK} and {NETWORK} APs are all similarly named
Because every access point broadcasts the same network name, an attacker with a WiFi Pineapple or any other
evil-twin setup could easily impersonate the network, and without some form of monitoring there would be no
way of detecting the attack. Detailed wireless findings can be found in the wireless attachment to this
report.
REMEDIATION
Spending a short amount of time at a regular interval (once a week or every other week) would make these
attacks detectable. That time (under 30 minutes) could be spent recording the access point MAC addresses
(BSSIDs) visible around the {BUILDING} and comparing them with the list of {COMPANY}-owned addresses.
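The BSSID comparison recommended above is easy to automate once the owned access points are inventoried. The script below is an added example for this edit, not part of the original report: the inventory, the SSID names and the scan export are all constructed (OUIs are illustrative, not a vendor claim), and the {NETWORK} and {BUILDING} tokens stand in for the redacted names. It flags a radio that broadcasts one of the organisation's SSIDs from a BSSID not in the inventory (the evil-twin case, strengthened when the vendor OUI is foreign to the fleet or the signal is unusually strong), an owned radio announcing an SSID it was not assigned, and an owned BSSID seen with the wrong security mode, which indicates a spoofed BSSID or a misconfiguration. A BSSID match is not proof of legitimacy, since MACs can be spoofed, but any non-inventory BSSID is worth a walk to its location.

```python
"""Rogue / evil-twin access point check against an inventory of owned radios."""
from collections import defaultdict

# Constructed inventory of owned access points: BSSID -> assigned SSIDs and location.
OWNED_APS = {
    "00:11:22:aa:00:01": {"ssids": {"{NETWORK}-Staff", "{NETWORK}-Guest"}, "location": "{BUILDING} 1F"},
    "00:11:22:aa:00:02": {"ssids": {"{NETWORK}-Staff", "{NETWORK}-Guest"}, "location": "{BUILDING} 2F"},
    "00:11:22:aa:00:03": {"ssids": {"{NETWORK}-Staff", "{NETWORK}-Guest"}, "location": "{BUILDING} 3F"},
}
# Security mode each of our SSIDs is supposed to advertise.
SSID_SECURITY = {"{NETWORK}-Staff": "WPA2", "{NETWORK}-Guest": "OPN"}
# A beacon this strong was transmitted from very close by, typical of a Pineapple placed on site.
STRONG_SIGNAL_DBM = -45

# Constructed scan export: one beacon per line, "bssid,ssid,channel,privacy,signal_dbm".
SCAN_CSV = """\
00:11:22:aa:00:01,{NETWORK}-Staff,6,WPA2,-41
00:11:22:aa:00:01,{NETWORK}-Guest,6,OPN,-41
00:11:22:aa:00:02,{NETWORK}-Staff,11,WPA2,-58
00:11:22:aa:00:03,{NETWORK}-Guest,1,OPN,-63
5e:7f:ab:00:99:01,{NETWORK}-Guest,1,OPN,-35
5e:7f:ab:00:99:01,{NETWORK}-Staff,1,OPN,-35
00:11:22:aa:00:02,{NETWORK}-Staff,11,OPN,-57
d4:6e:0e:12:34:56,CoffeeShopWiFi,6,WPA2,-70
"""


def parse_scan(csv_text):
    """Turn the export into dicts; BSSIDs are normalised to lower case for comparison."""
    rows = []
    for line in csv_text.splitlines():
        if not line.strip():
            continue
        bssid, ssid, chan, privacy, signal = line.split(",")
        rows.append({"bssid": bssid.lower(), "ssid": ssid, "channel": int(chan),
                     "privacy": privacy, "signal": int(signal)})
    return rows


def owned_ouis():
    """Vendor prefixes (first three octets) present in the owned fleet."""
    return {bssid[:8] for bssid in OWNED_APS}


def find_rogues(rows):
    """Return {bssid: [reasons]} for every radio that should not be broadcasting what it is."""
    findings = defaultdict(list)
    ouis = owned_ouis()
    for r in rows:
        bssid, ssid = r["bssid"], r["ssid"]
        if ssid not in SSID_SECURITY:
            continue  # somebody else's network, not an impersonation of ours
        if bssid not in OWNED_APS:
            reason = "unknown BSSID broadcasting our SSID"
            if bssid[:8] not in ouis:
                reason += " (vendor OUI not in our fleet)"
            if r["signal"] > STRONG_SIGNAL_DBM:
                reason += ", strong signal"
            findings[bssid].append(f"{ssid} ch{r['channel']} {r['privacy']}: {reason}")
            continue
        expected = SSID_SECURITY[ssid]
        if ssid not in OWNED_APS[bssid]["ssids"]:
            findings[bssid].append(f"{ssid}: owned radio announcing an SSID it is not assigned")
        elif r["privacy"] != expected:
            findings[bssid].append(
                f"{ssid}: owned BSSID seen as {r['privacy']} instead of {expected} "
                "(spoofed BSSID or misconfiguration)")
    return dict(findings)


if __name__ == "__main__":
    for bssid, reasons in find_rogues(parse_scan(SCAN_CSV)).items():
        where = OWNED_APS.get(bssid, {}).get("location", "not in inventory")
        print(f"{bssid} [{where}]")
        for reason in reasons:
            print("   ", reason)
```

A scan export from airodump-ng or a controller's neighbour-AP report can be mapped onto the same five columns; the walk-around then only has to visit the BSSIDs the script prints.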
PHYSICAL SECURITY
Physical security is just as important to the overall security of a 21st-century organization as network
security. It covers the tangible assets, from the physical servers themselves to the building as a whole.
Because the assessment targeted a {COMPANY}, whose {BUILDING} is expected to stay open to touring
{CUSTOMERS} and {CUSTOMERS}, physical security was on the whole enforced rather well; strictly locked-down
sections would suppress the welcoming feel of a {COMPANY}. That openness does not, however, account for the
issues found with the security cameras and with restricted areas left open after hours.
FINDINGS
Security camera issues
One major hole in the {COMPANY}'s physical security is the camera coverage. Of all the {COMPANY}'s
external cameras, only four work (and one of those is displayed twice on the screen); the rest are broken or
switched off and show no video feed. The cameras inside the {COMPANY} building have the same problem: six
of the twenty-five are either turned off or broken.
The security desk is often left unattended, which allows pictures to be taken of the monitors. The monitors
have privacy screens, but these do not help when nobody is at the desk to secure it.
{REDACTED}
{REDACTED}

The doors to the {DEPARTMENT} and {DEPARTMENT} are not always locked after hours. The {DEPARTMENT}
door has an easy bypass of the checked-out card: a switch on the inside of the door keeps it unlocked until
the keypad is touched again, and the batteries can easily be removed from the lock itself, negating the
security of the room. The doors leading outside are not always locked as they should be. The door to the
server room by the {DEPARTMENT} is always open, and the security camera cannot fully see anyone entering
the area; this gives easy access to the room and could lead to theft of servers, {SYSTEMS} or other
high-value equipment. The third-floor east back door of the {BUILDING} does not close properly, which gives
full access to the building.
{CUSTOMERS} or outsiders could therefore reach areas they should not have access to, which could lead to
theft of or damage to {COMPANY} property. Areas like the {DEPARTMENT} server room should at least have a
camera in them.
REMEDIATION
For the most part this consists of the security guards double-checking every door when they do their
rounds. From what I've seen, there is only one guard who locks every outside door every time. The server
room door should remain locked from the hallway. The maintenance man for the {BUILDING} would only have to
slightly re-adjust the door in the {BUILDING}. The {DEPARTMENT} is a little more challenging; they need to
find a way to securely lock the access panel.
A new policy should be implemented: at a set time (7:30 to 8:00 pm, for example) the security guard should
check all entrances and exits and all internal rooms that should be locked.

REFERENCES
APPENDIX
TECHNICAL BULK DATA AREA

Scans (Nessus will be attached separately due to size but will be referenced again)

ASSESSMENT OF WWW.{COMPANY}.COM
This section analyses the client's website at www.{COMPANY}.com. The site was scanned with the Nikto web
server scanner and the results were reviewed to produce the findings below. The analysis turned up several
misconfigurations, duplicate pages and obsolete web documents, as well as unnecessary content left on the
web server that may be default files from the installation of the server software.
The findings are as follows:
1. Multiple index files are reported for the website's homepage: index.html and default.aspx.
2. Multiple pages that appear to be used for testing but publicly display no useful information:
http://www.{COMPANY}.com/test.html and http://www.{COMPANY}.com/test/
a. {REDACTED}

b. {REDACTED}
3. Multiple sample-site pages that are replicas of the actual home page, reported at
http://www.{COMPANY}.com/site/iisamples and http://www.{COMPANY}.com/site/biztalkhttprecieve.dll.
4. The server manual (default files) is publicly available at http://www.{COMPANY}.com/manual/. This
page exists to assist the developer of the website and is unnecessarily exposed here. The version
information it displays is also slightly outdated and helps an attacker select exploits for known
vulnerabilities in this version of Apache (2.2).
a. {REDACTED}
5. The icons and images folders expose a full directory listing at http://www.{COMPANY}.com/icons/ and
http://www.{COMPANY}.com/manual/images/. These directories should have their own index files (or
directory listing should be disabled in the server configuration) so that their contents are not listed the
way they are.
a. {REDACTED}
A caveat before remediating items 1 and 3: default.aspx, IIS sample directories and a BizTalk .dll are
Microsoft IIS artefacts, while the response headers recorded in the reconnaissance section identify this host
as nginx with PHP (and /manual/ as an Apache 2.2 document tree). Nikto reports a path whenever the server
answers 200, so a site that serves a catch-all page for any unknown URL appears to host many files it does
not have. Each of these paths should be confirmed with a manual request and compared against the response
for a random, certainly non-existent path before it is treated as a finding.
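The soft-404 check described above, as an added example for this edit rather than part of the original assessment: it fetches a deliberately random path to establish what the server returns for a file that cannot exist, then classifies each Nikto-reported path as a real resource, a soft 404 (same status and a near-identical body to the baseline) or genuinely absent (HTTP 404). The server responses embedded here are constructed so the script runs offline; fetch() is what you would call against the live site, and the base URL is a placeholder.

```python
"""Verify scanner-reported paths against a 'soft 404' baseline."""
import difflib
import random
import string
import urllib.error
import urllib.request

EXAMPLE_BASE = "http://www.{COMPANY}.com"   # placeholder for the real site


def random_path():
    """A path no real site should have, used to learn the server's 'not found' behaviour."""
    return "/" + "".join(random.choices(string.ascii_lowercase, k=12)) + ".html"


def fetch(url):
    """Return (status, body) for a live URL; error responses are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "soft404-check"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def similarity(a, b):
    """0..1 similarity of two bodies compared line by line."""
    return difflib.SequenceMatcher(None, a.splitlines(), b.splitlines()).ratio()


def classify(candidate, baseline, threshold=0.9):
    """candidate and baseline are (status, body); returns 'real', 'soft-404' or 'absent'."""
    c_status, c_body = candidate
    b_status, b_body = baseline
    if c_status == 404:
        return "absent"
    if c_status == b_status and (c_body == b_body or similarity(c_body, b_body) >= threshold):
        return "soft-404"
    return "real"


def check_paths(base, paths, fetch_fn=fetch):
    """Classify each path relative to base, using one random-path fetch as the baseline."""
    baseline = fetch_fn(base + random_path())
    return {p: classify(fetch_fn(base + p), baseline) for p in paths}


# Constructed responses for the offline demonstration: a catch-all server that returns the
# homepage with status 200 for any path it does not know, plus a few genuine resources.
HOMEPAGE = ("<html><head><title>{COMPANY}</title></head><body>\n<h1>Welcome</h1>\n"
            "<p>News and events.</p>\n</body></html>")
MANUAL = ("<html><head><title>Apache HTTP Server Version 2.2 Documentation</title></head><body>\n"
          "<h1>Apache HTTP Server Version 2.2</h1>\n<ul><li>Getting Started</li></ul>\n</body></html>")
SAMPLE_RESPONSES = {
    "/manual/": (200, MANUAL),
    "/test.html": (200, "<html><body>test</body></html>"),
    "/doesnotexist": (404, "Not Found"),
}


def constructed_fetch(url):
    """Stand-in for fetch(): serves SAMPLE_RESPONSES and the homepage for everything else."""
    path = url[len(EXAMPLE_BASE):]
    return SAMPLE_RESPONSES.get(path, (200, HOMEPAGE))


if __name__ == "__main__":
    reported = ["/default.aspx", "/site/iisamples", "/manual/", "/test.html", "/doesnotexist"]
    for path, verdict in check_paths(EXAMPLE_BASE, reported, constructed_fetch).items():
        print(f"{verdict:9} {path}")
    # Live use: check_paths("http://www.{COMPANY}.com", reported)
```

Only the paths that come back as "real" need remediation; "soft-404" entries point instead at the catch-all behaviour itself, which is worth fixing so that future scans are trustworthy.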
a. {REDACTED}

ASSESSMENT OF HTTPS:// {REDACTED}.{COMPANY}.COM



This is an assessment of the {REDACTED} web server at https://{REDACTED}.{COMPANY}.com using the Nikto web
scanner. Nikto flagged several pieces of revealing data; OSVDB-473 is the most revealing, as seen below.
{REDACTED}
(Description provided by CVE): Microsoft Internet Information Server (IIS) 5.1 allows remote attackers to view
path information via a GET request to (1) /_vti_pvt/access.cnf, (2) /_vti_pvt/botinfs.cnf, (3) /_vti_pvt/bots.cnf, or (4)
/_vti_pvt/linkinfo.cnf.

Burp Suite, a platform for web application security testing, was used to test the validity of these claims.
The screen captures below show the server's responses to the GET requests listed above.
1. GET /_vti_pvt/access.cnf produced a revealing response: a password directory is clearly visible,
which discloses the operating system and the internal file structure. The internal IP of {REDACTED} is
also revealed.
{REDACTED}
2. GET /_vti_pvt/botinfs.cnf returned further sensitive operating system information as well as internal
file structure.

3. GET /_vti_pvt/bots.cnf returned more sensitive information from the server, again including operating
system details and internal file structure.

4. Version information is easily located at http://{REDACTED}/_vti_inf.html. The screen capture below
shows a FrontPage Server Extensions version of 4.0.2.7802.
{REDACTED}

5. Further analysis reveals http://{REDACTED}/readme.txt. This is the readme for LeechFTP 1.3 (Build 207),
a Windows FTP client released on 16.04.99, so it shows that the client's files were uploaded to the web root
rather than that a service is running there; it does not itself expose an attackable port, but it is another
stale file and suggests the site is maintained by FTP upload. The FTP endpoints that matter are listed in
http://{REDACTED}/_vti_pvt/linkinfo.cnf, which can be used to locate potentially sensitive FTP directories.
The following information was found in linkinfo.cnf:
vti_encoding:SR|utf8-nl
http\://www.sfsu.com/~helpdesk/docs/rules/ethics.htm:old\\ site/webpolicy.htm
old\\ site/development\\ folder/webpolicy.doc
ftp\://{CUSTOMERS}.{COMPANY}.com/:old\\ site/ftp_instructions.doc
ftp\://{CUSTOMERS}.{COMPANY}.com/:subpages/ftpinstructions/content/ftp_instru
ctions.doc
old site/faqsheet_files/filelist.xml:old\\ site/faqsheet.htm
old site/swsinformation_files/filelist.xml:old\\ site/swsinformation.htm
http\://{HIPAA}.{REDACTED}.{REDACTED}.com/{HIPAA}web/:old\\
site/development\\ folder/swsinformation.doc old\\ site/swsinformation.htm

ASSESSMENT OF HTTP://{REDACTED}.COM
An assessment of http://{REDACTED}.com was conducted through manual analysis and the automated web
scanner Nikto. A screen capture of the Nikto scan can be found below, along with several interesting but
not necessarily harmful data points.
{REDACTED}
The manual analysis findings are as follows:
1. A default readme file at http://{REDACTED}.com/readme.html reveals the WordPress version number
3.9.2. This is sensitive information because this WordPress installation is outdated and potentially
vulnerable to attack; the current WordPress version is 4.1.1.
ASSESSMENT OF HTTP://BLOG.{COMPANY}.COM
The manual analysis findings are as follows and are very similar to the previous ones:
1. A default readme file at http://blog.{COMPANY}.com/readme.html reveals the WordPress version number
3.9.2. This is sensitive information because this WordPress installation is outdated and potentially
vulnerable to attack; the current WordPress version is 4.1.1.
