
INFORMATION SYSTEMS SECURITY ASSESSMENT

OF
NATIONAL ELECTRONIC WEAPONS TECHNOLOGY (NEWT)
LANGLEY, DC

FEBRUARY 2012

PREPARED BY:
TRISHA ROSE
MANCHESTER, CT 06042

THE INFORMATION CONTAINED IN THIS REPORT WAS DERIVED FROM PROPRIETARY DATA
PROVIDED BY (Trisha Rose)

EXECUTIVE SUMMARY
i. National Electronic Weapons Technology (NEWT) is an R&D firm specializing in
the development of Information Warfare tools. These include virus attacks,
electronic flooding techniques, logic bombs, and computer worms. One hundred
percent of NEWT's business is developing these tools under contract for the U.S.
government. There are about 25 people who work for this company.

ii. NEWT has requested the assessment. The assessment will take place between Jan.
9, 2011 and Feb. 8, 2011. This assessment is not an inspection, certification, or risk
analysis. The purpose of this assessment and the particular methodology used is to
ensure that the company is as secure as possible in order to preserve the CIA of all
the information and research done at the facilities. The implementation of any of
our recommendations is strictly voluntary on their part and at the discretion of the
organization's management. The implementation of any recommendations
contained herein does not guarantee the elimination of all risks.

iii. The Information Warfare tools include virus attacks, electronic flooding
techniques, logic bombs, and computer worms. The system is meant to store the
findings and information on all tools and be capable of transferring data between
facilities (lab, corporate, customers, etc.). It is crucial that the tools be kept tightly
controlled. In fact, not only are the tools controlled, but the information about their
capabilities is controlled as well.

iv. Some of the major findings during the assessment concern Identification &
Authentication, Maintenance, and Training & Awareness. We have recommended
several solutions that include least privilege access control, setting up automatic
backups and updates, and awareness training sessions for the employees.

v. I just want to take some time to personally thank Amy Rose, Kyle Rose, and Lynn
Rose for assisting me and my team during this assessment. Kevin McLaughlin was
the POC who helped with everything including when there was a problem. Please
feel free to contact the Team Leader, Trisha Rose, at 860-331-3339 if there are any
questions about the assessment.

TABLE OF CONTENTS

I. INTRODUCTION
II. SYSTEM DESCRIPTION
III. INFOSEC ANALYSIS
A. Identification and Authentication
B. Maintenance
C. Training and Awareness
IV. CONCLUSION

I. INTRODUCTION

A. National Electronic Weapons Technology (NEWT) is a Research and Development
firm specializing in the development of Information Warfare tools. These include
virus attacks, electronic flooding techniques, logic bombs, and computer worms.
One hundred percent of NEWT's business is developing tools under contract for
the U.S. government. There are about 25 people who work for this company.
NEWT's main office is located in Langley, D.C., and this is also where the
assessment was performed.
B. NEWT has requested the assessment. The assessment will take place between Jan.
9, 2011 and Feb. 8, 2011. This assessment is not an inspection, certification, or risk
analysis. The purpose of this assessment and the particular methodology used is to
ensure that the company is as secure as possible in order to preserve the CIA of all
the information and research done at the facilities. The assessment team gathered
information about the company through interviews and system and process
demonstrations. Through the efforts of the team members to assess the situation as
fully as possible, three main security problems were identified along with several
solutions for each problem. These problems and solutions are explained in detail in
the InfoSec Analysis Section.

II. SYSTEM DESCRIPTION

A. There is a Laboratory LAN that contains all of their current warfare tools and any
tools under development. The internet connection was established to keep up with
the increasing demands of their customers. The corporate network contains all of
the customers' information.
B. The main underlying theme in NEWT's mission is creating computer warfare tools
for the government. The importance of this is to protect our country with the best
possible technology at all times.

ORGANIZATIONAL INFORMATION CRITICALITY

High: weapons get into wrong hands, war could be started, weapons could be
used against the government
Medium: company embarrassment, delay in tool development, loss of
customer(s), loss of money/time/information
Low: inconvenience in performing job duties, annoyed customers

Confidentiality: If this information is released
Integrity: If this information is modified
Availability: If these resources are destroyed or made unavailable

Critical Information: Internet connection, corporate/lab connection, email, firewall,
tools.

                          Confidentiality  Integrity  Availability
Internet Connection       High             Low        Low
Corporate/Lab Connection  High             Medium     Medium
Email                     Medium           High       Low
Firewall                  High             High       High
Tools                     High             Medium     Medium
High Watermark            High             High       High

SYSTEM(S) INFORMATION CRITICALITY

High: weapons get into wrong hands, war could be started, weapons could be
used against the government
Medium: company embarrassment, delay in tool development, loss of
customer(s), loss of money/time/information
Low: inconvenience in performing job duties, annoyed customers

Confidentiality: If this information is released
Integrity: If this information is modified
Availability: If these resources are destroyed or made unavailable

Critical Information: Internet connection, corporate/lab connection, email, firewall,
tools.

                          Confidentiality  Integrity  Availability
Internet Connection       High             Low        Low
Corporate/Lab Connection  High             Low        Low
Email                     Medium           Low        Low
Firewall                  High             High       High
Tools                     High             Low        Low
High Watermark            High             High       High

C. Corporate LAN: 3 computers with WinNT 4, 2 computers with WinNT 3.5, 1 laptop
with Win95 and modem, several extra live drops throughout the vacant
offices/cubicles, and 1 laser printer used by everyone. There are about 10 total
accounts, 2 for each computer. The laptop has all accounts on it, and use of it
varies from person to person. All of this is hooked up to a hub and the chief
scientist's computer with UNIX and modem.
Laboratory LAN: 1 computer with UNIX, 1 computer with HP-UX, 2 computers with
WinNT 4 (one of which has a modem), 1 computer with LINUX RH 5.0, and 1 computer
with IBM AIX. There are 12 total accounts, two for each computer. All of these
are connected to a filtering router, which then connects to the chief
scientist's computer with UNIX. All of these are also connected to a bridge that
then connects to a VAX Minicomputer and then connects to a Dial-in Maintenance
Port, which is open.
Internet: The hub connects to a WinNT 4.0 server, which connects to a router;
this router connects to a firewall. There is an external web server that
connects between the router and the firewall. The firewall then connects to
another router before going to the web. This is a TCP/IP connection.

III. INFOSEC ANALYSIS

A. Identification and Authentication
a) Finding: Everyone uses the same username/password combo to log into
the network.
b) Discussion: This means that a general employee or secretary has just as
much access as a high clearance manager. This is dangerous because that
employee has access to information that could ruin the company.
c) Recommendations: Give everyone their own username and password.
Make sure that each username is tailored so that everyone only has access
to the information that they absolutely need access to in order to perform
their job. Also, it is important to make sure there is a level of complexity to
the password that everyone chooses, along with a safety net in case
someone forgets a password.
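
One way to look for the shared-credential finding above in logon records, as an added example that is not part of the original report: it flags any account with open sessions on more than one workstation at the same time. The log format, account names and workstation names are constructed for illustration.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample records: time, event, account, workstation.
# Hypothetical format and names; not data from the assessment.
SAMPLE_LOG = """\
2011-01-10T08:01:00,logon,staff,CORP-NT4-1
2011-01-10T08:03:00,logon,staff,CORP-NT4-2
2011-01-10T08:05:00,logon,jdoe,LAB-UX-1
2011-01-10T08:30:00,logon,staff,LAB-NT4-1
2011-01-10T09:00:00,logoff,staff,CORP-NT4-1
2011-01-10T12:00:00,logoff,jdoe,LAB-UX-1
2011-01-10T13:00:00,logon,jdoe,LAB-UX-2
"""


def find_shared_accounts(log_text, max_hosts=1):
    """Return {account: peak concurrent workstations} for every account that
    had open sessions on more than max_hosts workstations at the same time."""
    active = defaultdict(set)   # account -> workstations with an open session
    peak = defaultdict(int)     # account -> highest concurrent count seen
    # ISO 8601 timestamps sort correctly as plain strings.
    rows = sorted(csv.reader(StringIO(log_text)))
    for row in rows:
        if len(row) != 4:
            continue            # skip blank or malformed lines rather than guess
        _ts, event, account, host = (field.strip() for field in row)
        if event == "logon":
            active[account].add(host)
        elif event == "logoff":
            active[account].discard(host)
        peak[account] = max(peak[account], len(active[account]))
    return {acct: n for acct, n in peak.items() if n > max_hosts}


if __name__ == "__main__":
    for account, hosts in find_shared_accounts(SAMPLE_LOG).items():
        print(f"{account}: logged on at {hosts} workstations at once")
```

An account that moves from one workstation to another after logging off, like `jdoe` in the sample, is not flagged; only overlapping sessions are.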
B. Maintenance
a) Finding: The operating system is extremely outdated and the backup
hasn't been run in over a month.
b) Discussion: If the operating system is not up to date, then it hasn't been
updated with the latest security patches. This means that the computers are
open for hackers to come in and take whatever information they want. The
computers are also at high risk of being infected with a computer virus. The
backups are also extremely important. If something were to happen and the
company lost the data stored on their computers, they would also lose an
entire month's worth of data, permanently.
c) Recommendations: Increase the backup frequency and set up the backup
to run automatically during the off hours. Also, ensure that the
operating system backs up automatically every day during off hours, but
before the backup.

C. Training and Awareness
a) Finding: People keep going to insecure websites and downloading
software from the web such as chat programs.
b) Discussion: This presents a security risk by bringing in a factor that may or
may not be accounted for when securing the network. A chat program or
insecure website could provide a weakness that a hacker or virus could
take advantage of and potentially wreak havoc on the network.
c) Recommendations: There should be classes and maybe emails or bulletin
notices that spread awareness of what these types of actions could mean
for the company. If employees are informed of the risk, they may be less
likely to do these things. Also, restricting access to the internet along with
downloading/uploading privileges may be necessary as well.

IV. CONCLUSION

A. The INFOSEC posture of the company does need some attention. A majority of
findings resulted from a lack of documented policies and procedures as well as
employee practices. This company could greatly improve their security posture by
taking into consideration the enclosed recommendations.
B. Money can indeed be an issue, especially when integrating new policies,
procedures or employee practices within the company for the first time. Taking the
time and money to ensure the company is secure is extremely important. It can
prevent a major crisis from happening later, which would be a lot more costly. If a
warfare tool is released to the public or an enemy of the government (i.e.
customer) then the company could have much more than just financial problems on
their hands. Securing the company covers the company's tracks in more than just a
financial way; it benefits the company by ensuring your products stay with the
company and their customer.
C. While the changes that are recommended can greatly help the company, they are in
no way required for the company to implement. The recommendations our
assessment team gives are recommendations to improve the company's overall
security posture and that is all. Implementation of these recommendations should
be at the discretion of the company's management.
D. While this report has mostly been about what the company can do to increase their
security postures, there are a lot of things that this company does not have to do.
The company was right to install the firewall when creating the connection to the
internet to help keep up with customer demands. Also, ensuring that there is
anti-virus protection on every computer was a good move. Without that, the
system could get seized and the company would lose control over their assets.
E. If there are any further questions or comments, please feel free to contact the Team
Leader, Trisha Rose, at 860-331-3339 or trirose@uat.edu. The Team Leader will
help to resolve any issues you may have post-assessment.
