Delta Security Solutions

"The Difference in IT Security"


BIOME Genetics

IT Security

Audit


Prepared By

 

John McDonald

Delta Security Solutions

August 10th, 2001


 

1 Introduction
2 Overview
2.1 Executive Summary
3 Threat Assessment
3.1 Types of Information
3.2 Classification of Threats
3.2.1 Theft of Information
3.2.2 Theft of Resources
3.2.3 Destruction of Information
3.2.4 Destruction of Resources
3.2.5 Denial of Service
4 Issues
4.1 Security Awareness
4.2 Security Policies and Procedures
4.3 Authority of IT Staff
4.4 IT Resources
4.5 Monitoring
4.6 File Sharing
4.7 Compartmentalization of Information
4.8 Complexity of IT Environment
4.9 Data Center Physical Location
4.10 Firewall
4.11 Documentation
4.12 User Accounts and Management
4.13 Remote Access
4.14 Notebook Computers
4.15 Passwords


1 Introduction

This document defines the results of an Information Technology (IT) security analysis effort performed by Delta Security Solutions (Delta) for BIOME Genetics, Inc. (BIOME). The primary goals of this effort were to analyze BIOME's current IT environment in the context of security and to develop recommendations for improving the level of security.

This document contains information that is proprietary and confidential to Delta Security Solutions and BIOME and may not be disclosed, either in part or in whole, to any person or agency outside of Delta or BIOME without the express written consent of both parties.

CAUTION: This document contains information regarding the security posture of BIOME's IT infrastructure that, if made available to unauthorized parties, could significantly compromise the security of the organization. Delta recommends that BIOME strictly control access to this document and its contents and only provide the information to individuals with a well-defined need-to-know.

2        Overview

 

BIOME currently maintains a moderately sized IT environment, with a mixture of Windows-based, Macintosh and Unix systems. These systems provide a number of functions, including:

 

        File and print services

        General client applications

        Scientific applications

        Financial applications

 

BIOME's network provides Internet access through an ISP connection with WebConnect, which also provides and maintains a Checkpoint firewall as the first line of security. The internal network connects the various systems between 4 floors in the building.

 

The goals of this effort were to understand BIOME's security requirements, analyze the existing IT security infrastructure, and develop recommendations to assist BIOME in meeting their requirements. Phase I of this effort involved analyzing and understanding the type of information currently utilized and managed within BIOME. This consisted of identifying the information utilized by the organization, identifying what IT resources were involved for each process, and assigning a level of criticality to each type of information. Potential threat sources were also analyzed and weighted, based on their probability of occurrence.

 

Phase II consisted of gathering information on the existing security infrastructure within BIOME. This included a wide range of factors that impact security, from general attitudes and awareness by BIOME personnel to the configuration of specific systems. Delta utilized various tools and methods to collect this data, such as personal interviews, port scanning software, physical inspection, and review of log files.

 

Phase III consisted of developing a series of recommendations regarding options for improving the security of the infrastructure.

 

It should be noted that this effort was limited in scope at the request of BIOME. It addresses only the most critical issues and does not provide a detailed assessment of all possible technical issues and their potential solutions. However, all specific items encountered by Delta during the assessment were documented and provided separately from this report.

 

2.1       Executive Summary

 

Overall, Delta would rate the security level of BIOME's IT infrastructure as 'poor' to 'fair' relative to other industry IT infrastructures with similar business models and in the context of probable threats. While the two methods of first-level access control (doors with cards for physical access, a firewall for Internet access) are adequate, there is very little 'depth' to the security once someone gets past one of these two barriers. On the physical side there is no asset management, systems are left logged in, password protection of resources is very weak or, in some cases, non-existent, and the data center is located on the first floor with large picture windows. On the logical side, a large percentage of the information in the infrastructure is shared over the entire infrastructure with little or no access control, there is no security monitoring, and users change the configuration of their systems and install applications at will.

 

Most of the security-related issues can be directly attributed to one of the following high-level factors:

 

        The current IT infrastructure is a legacy from previous IT personnel, and has been allowed to grow and change with little or no control or consideration for security

        The current IT staff lacks the authority to control the infrastructure in a manner consistent with good security practices

        Management has placed little emphasis on IT security in the past

        There is little security awareness among most of the organization

 

While Delta uncovered a large number of individual technical security issues, addressing these would be of little value if the above high-level issues were not resolved first. The best technical security implementation can be easily compromised if users are allowed to place their own concept of convenience above the business needs of the company.

3        Threat Assessment

 

This section provides an overview of the various IT resources that exist within BIOME's infrastructure, along with the potential threats to those resources.

 

3.1       Types of Information

 

The following types of information were identified as existing within BIOME's IT infrastructure.

 

        Financial

        Business Development

        Clinical

        Regulatory

        General Scientific

        Human Resources

        Executive/Corporate

        Facility/Operations

        Intellectual Property

        Information Technology

 

In the following section, each of these types of information is considered in the context of a specific threat.

 

3.2       Classification of Threats

 

Delta identified the following potential threats to BIOME's IT infrastructure:

 

        Theft of information

        Theft of resources

        Destruction of information

        Destruction of resources

        Denial of service

 

In addition, Delta has identified the following threat sources that could impact BIOME:

 

        Current employees

        Former employees

        Industrial espionage (both domestic and foreign)

        Activists who are against genetic research

        Hackers

 

Each specific type of threat is defined in the context of a threat source, and rated in terms of probability of occurrence (low, medium and high) and potential impact to BIOME (also low, medium and high). The specific type of information that could be impacted by each threat source is also considered.

 

Each type of threat is discussed in detail in the following sections.

3.2.1       Theft of Information

Theft of information involves the removal of information from BIOME's infrastructure. The exact purpose of the theft varies, but usually involves some form of financial gain for the perpetrator. This type of event has increased dramatically over the last few years, as individuals and companies have developed increasingly complex methods for stealing information. These can vary from paying a current employee to obtain the necessary data to penetrating the infrastructure and downloading it. It should also be noted that, in recent years, a larger percentage of these types of threats originate with foreign individuals, corporations and governments.

 

Another potential source for theft of information are hackers. Many of these people will view breaking into an IT infrastructure and stealing information as a challenge. In most cases, the information is not used or sold, but the effort is made just to prove the individual can accomplish it.

 

Threat sources and probability of a 'Theft of Information' attack from each source:

 

Source                  Probability
Current employees       High
Former employees        High
Industrial espionage    High
Activists               Low
Hackers                 Moderate

 

Information at risk:

 

Information Type        Probability    Impact
Financial               Low            Low
Business Development    Moderate       Moderate
Clinical                Moderate       Low
Regulatory              Low            Low
General Scientific      Moderate       Moderate
Human Resources         Low            Low
Executive/Corporate     Low            Low
Facility/Operations     Low            Low
Intellectual Property   High           High
Information Technology  High           High

 

3.2.2       Theft of Resources

Theft of resources usually involves an individual either physically stealing some IT device, or penetrating the infrastructure and utilizing BIOME's systems for their own purposes. An example of this would be a hacker penetrating BIOME's network, then utilizing one of BIOME's servers to distribute pirated copies of software or pornographic material.

 

The major risks to BIOME under a theft of resources threat are the legal and financial ramifications of what the 'stolen' resource is used for. For example, if a hacker were to use one of BIOME's servers to distribute child pornography, BIOME's public image would suffer greatly when and if details of the event were made public.

 

A lower-level risk is the use of BIOME IT resources by employees for personal purposes. While this generally has a relatively low impact on the infrastructure as a whole, BIOME's legal and financial exposure may actually be greater, since one of their employees would be involved.

 

Threat sources and probability of a 'Theft of Resources' attack from each source:

 

Source                  Probability
Current employees       High
Former employees        High
Industrial espionage    Low
Activists               Low
Hackers                 High

 

There is minimal risk to information in the infrastructure under a 'Theft of Resources' threat. In these types of scenarios, the perpetrator is generally more interested in exploiting the resources of the infrastructure for their own purposes, not stealing information.

3.2.3       Destruction of Information

Destruction of information involves deleting important information from BIOME's IT infrastructure. In many cases this destruction can be accidental, and the data can be easily restored from a backup. However, a well-planned attack of this type can result in BIOME losing a significant amount of data, to the point of the company never being able to fully recover.

 

An example of this occurred last year to a company in Atlanta. A member of the IT staff was informed he was about to be laid off, and he immediately wrote and installed a simple worm program that corrupted the data being saved on the backups. After running for 1 month (the time required to recycle all backup tapes), the worm then proceeded to delete the company's critical databases. The result was that the company ended up going out of business, since the data was critical to their operation and could not be re-created.

 

A sub-category of this type of threat is the modification of information. In this case, the perpetrator makes subtle changes to data before it is backed up, and then restores the data to its original form. At some future point (after all of the backup tapes have been recycled), the data is permanently corrupted and the original data is no longer accessible. This type of attack could have serious consequences for certain types of information within BIOME's infrastructure.
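Both scenarios above (a worm corrupting data on its way to tape, and subtle edits restored before anyone notices) share one weakness in the defender's favour: the corruption has to survive into the backup set unnoticed until the last good tape is recycled. A backup integrity check catches that while a clean copy still exists. The following is an added example, not part of the Delta report or any BIOME tooling: it records a SHA-256 manifest of a data set at backup time and later verifies a backup copy against it, reporting files that were modified, went missing or appeared unexpectedly. The directory layout, file names and contents are constructed for the demonstration.

```python
"""Backup integrity check: detect silent corruption before the tapes rotate.

Added example (not from the Delta report). Builds a SHA-256 manifest of a
data set when the backup is taken and verifies a backup tree against it.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    manifest: Dict[str, str] = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_backup(manifest: Dict[str, str], backup_root: Path) -> Dict[str, List[str]]:
    """Compare a backup tree with the manifest recorded when it was made.

    A file whose digest changed is exactly the 'subtle modification' case:
    the bytes are still there, but they are not the bytes that were backed up.
    """
    current = build_manifest(backup_root)
    return {
        "modified": sorted(f for f in manifest if f in current and current[f] != manifest[f]),
        "missing": sorted(f for f in manifest if f not in current),
        "unexpected": sorted(f for f in current if f not in manifest),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: one byte in the backup copy is altered after the manifest was taken."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        (live / "db").mkdir(parents=True)
        (live / "db" / "clinical.dat").write_bytes(b"patient-record-v1")
        (live / "db" / "regulatory.dat").write_bytes(b"filing-2001")
        manifest = build_manifest(live)  # taken at backup time, stored off the backup media

        backup = Path(tmp) / "backup"
        (backup / "db").mkdir(parents=True)
        (backup / "db" / "clinical.dat").write_bytes(b"patient-record-v1")
        (backup / "db" / "regulatory.dat").write_bytes(b"filing-2OO1")  # corrupted copy
        return verify_backup(manifest, backup)


if __name__ == "__main__":
    print(demo())
```

The manifest must be stored somewhere the backup process cannot overwrite (a signed file kept off the tape set, for instance); if the same worm can rewrite the manifest, the check proves nothing. Run the verification on every backup cycle, and before the oldest tape is reused, so that a mismatch is found while an earlier clean generation is still available.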

 

Threat sources and probability of a 'Destruction of Information' attack from each source:

 

Source                  Probability
Current employees       High
Former employees        Moderate
Industrial espionage    High
Activists               High
Hackers                 Low

 

Information at risk:


Information Type        Probability    Impact
Financial               Low            Moderate
Business Development    Moderate       High
Clinical                Moderate       High
Regulatory              Low            Moderate
General Scientific      Moderate       High
Human Resources         Low            Low
Executive/Corporate     Low            Low
Facility/Operations     Low            Low
Intellectual Property   Moderate       High
Information Technology  Low            High

 

3.2.4       Destruction of Resources

Destruction of resources usually involves the physical destruction of IT resources. The most common source of this type of event would be disgruntled ex-employees and activists who disagree with the work BIOME is doing.

 

An example of this scenario would be an individual breaking into the 1st floor data center and setting off the water sprinkler system. The resulting deluge would destroy a significant portion of BIOME's IT systems.

 

Threat sources and probability of a 'Destruction of Resources' attack from each source:

 

Source                  Probability
Current employees       Moderate
Former employees        High
Industrial espionage    Low
Activists               High
Hackers                 Low

 

3.2.5       Denial of Service

Denial of Service (DoS) attacks are one of the most widely publicized forms of attack today; the most prominent recent examples are the DoS attacks on major web sites last year.

 

There is a relatively low probability of this type of attack occurring at BIOME, and, even if such an attack did occur, its impact would be relatively limited and temporary.

 

Threat sources and probability of a 'Denial of Service' attack from each source:

 

Source                  Probability
Current employees       Low
Former employees        Moderate
Industrial espionage    Low
Activists               Moderate
Hackers                 High


4        Issues

 

This section identifies specific issues that impact the security of BIOME's IT infrastructure, along with recommendations for addressing those issues. In addition, several general infrastructure issues are addressed. As mentioned earlier, the effort was limited in scope to addressing the most critical issues.

 

Delta has also included estimates regarding the potential cost of implementing each recommendation. Note that these are estimates only, and Delta is not committing to deliver the stated service or product for the estimated cost. Where possible, Delta has also provided links to additional information on the World Wide Web regarding each recommendation.

 

4.1       Security Awareness

 

One of the most critical security issues within BIOME is a relatively low level of IT security awareness among personnel at many levels in the organization. In many instances, convenience takes precedence over basic IT security, with unattended systems left logged in with no password-protected screensaver, blank passwords for administrator accounts, and general sharing of information across the entire infrastructure. Many of the employees interviewed did not comprehend the importance of the IT information and resources, or what their loss or theft could mean to the company.

 

One of the ramifications of this lack of awareness is that BIOME personnel are susceptible to a methodology employed by hackers known as 'social engineering'. Social engineering is a collection of techniques used to gain information from employees regarding the IT infrastructure. This information is then used to penetrate the infrastructure (for more details on social engineering, please refer to the online 'Social Engineering FAQ', located at http://www.mjones.multiservers.com/soceng.htm. Please note that this document contains some strong language and may be offensive to some individuals).

 

A subsequent result of this is that BIOME's IT security lacks any 'depth'. If an intruder gets through the primary access control (the physical doors or the firewall), the entire infrastructure is potentially wide open.

 

Delta recommends that BIOME develop a security awareness training plan for all levels of the organization. This plan should emphasize the importance of protecting IT resources and information, and should be made mandatory for all personnel. In addition, personnel should be made aware of the possible penalties associated with security violations (i.e. writing down passwords, leaving their system logged-in while unattended, etc.). This training should be integrated into BIOME's overall Security Policy (see Section 4.2 for more details).

 

Delta also recommends that BIOME utilize outside resources to develop this training. While the current IT staff is very knowledgeable in the areas of the infrastructure they support, there is currently a lack of advanced experience in developing security policies and training.

 

Delta estimates that contracting an external resource to develop a security awareness training program would require 1-2 staff weeks worth of effort and cost approximately $10,000 to $15,000.

 

An excellent discussion regarding the development of IT security policies has been prepared by the SysAdmin, Audit, Network and Security (SANS) Institute and is available online at http://www.sans.org/infosecFAQ/policy/sec_aware.htm.

 

4.2       Security Policies and Procedures

 

Security policies and procedures are the core of any security infrastructure that exists within an IT organization. They define what is to be protected and how it is to be protected, and document the legal and personnel issues associated with IT security. These documents provide a roadmap for the IT staff and management to implement effective security within the organization. At a minimum, the policies and procedures should include the following information:

 

        The types of information to be protected

        The relative value of each type of information

        Potential threats

        A user/group information access management policy

        System configurations

        Infrastructure documentation

        Password policy

        Schedule for regular security reviews

        Security incident response plan

 

Management, the IT staff, the Human Resources department, and legal counsel should develop the policy jointly to ensure that it meets the company's requirements and is technically and organizationally feasible.

 

BIOME does not currently have a formal IT security policy in place. Most of the existing security is the result of legacy configurations by previous IT personnel, and has not been modified, either out of fear of accidentally disabling current functionality or because of resistance by management. For example, when the IT staff attempted to institute passwords for several lab systems that previously had none enabled, they were told by management to remove them for fear of impacting the productivity of the lab personnel.

 

This analysis effort is the first step for BIOME towards developing a comprehensive and effective security policy. Delta recommends that BIOME utilize the results of this effort as the starting point for development of a formal security policy. There are two possible approaches to accomplishing this: purchase a software package that automates the development of a security policy, or contract an external organization to develop one. The first option, purchasing an automated software package, will cost approximately $1,000 to $1,500, depending on the exact package. Contracting an external organization will require an estimated 2 to 3 weeks of effort and cost $15,000 to $20,000.

 

For more details on security policies, including a number of sample policies, please refer to the SANS Institute's online technical library at http://www.sans.org/infosecFAQ/policy/policy_list.htm.

 

One example of a security policy software package is PentaSafe's security policy tools. This is a combination of books and software tools that provide a complete security policy for the user. For more details, please go to http://www.baselinesoft.com/.


4.3       Authority of IT Staff

 

In order for any IT security policy to be effective, it must be implemented and monitored by a trained and knowledgeable staff with the authority to enforce it. One of the most significant issues with BIOME's current security posture is that the IT staff lacks the authority to develop and enforce standards regarding IT security. Users are generally free to configure their systems the way they want to, including freely sharing files, setting passwords, installing applications, etc. In situations where the IT staff has attempted to implement tighter security against the user's wishes, management has generally sided with the users. It is impossible to develop and manage effective security if the IT staff does not have the authority to control the configuration, usage and management of the IT infrastructure.

 

Delta recommends that, as part of the IT security policy, the exact level of authority required by the IT staff to implement and manage the policy be spelled out. This should include authority of the IT staff to control:

 

        System and network configurations

        Installed applications

        Level of access

        File sharing

        Password policy

        User access

 

The cost to implement this recommendation is included in the cost of developing a security policy. Please refer to Section 4.2 for more details. However, as a minimum, BIOME management should verbally define a policy regarding the authority of the IT staff and make all levels of management aware of this policy. As with any policy, the requirements for IT security should be balanced against the business requirements of the company.

 

4.4       IT Resources

 

The IT staff is the key to developing, implementing and managing an effective IT security policy. While the level of IT resources currently employed by BIOME is sufficient to support the company's existing IT operational requirements, none of the IT staff has the level of experience required or the time available to develop, implement and manage all of the required aspects of an IT security policy. There are three possible methods of addressing this issue:

 

        Train one of the existing staff on IT security

        Hire an IT security manager

        Outsource the major components of security management

 

The first option would require that one of the IT staff attend approximately 6-8 weeks of intensive security training, and would require approximately 35-50% of that individual's time on an on-going basis. Based on Delta's estimates of training costs and the median salaries for IT personnel in the Boston area, Delta estimates that the initial cost for this approach would be between $40,000 and $60,000, with an on-going yearly cost of between $35,000 and $50,000.

 

The second option, hiring a dedicated IT security manager, would cost BIOME between $90,000 and $125,000 a year for salary, not including benefits.

 

Based on the costs associated with the first two options, Delta recommends that BIOME outsource the more labor- and experience-intensive portions of their security management. Two areas that should be considered for outsourcing are security monitoring and semi-annual security audits.

 

For outsourcing of security monitoring, Delta recommends that BIOME consider a company such as Riptech, Inc. Riptech can provide a 24x7 intrusion detection service (IDS), including management of a firewall and VPN and 24x7 incident reporting and forensic evidence collection, for approximately $2,000 per month. In addition, Riptech provides a host-specific intrusion monitoring solution that can be applied to the critical servers within BIOME's infrastructure. The cost for the host-based IDS is $1,000 per month for the site, plus $400 per month per specific system. They also will be providing web-based access to all security configuration information, such as firewall configuration, VPN access, etc. Note that Delta does not have any type of relationship with Riptech; however, we have worked with them in the past and have found their level of service to be very good. For more details on Riptech, please refer to their website at www.riptech.com.

 

For semi-annual security audits, Delta recommends that BIOME utilize at least two different security consulting companies (a different one for each of the 2 semiannual audits). This will provide a level of cross-checking and validation of the results. Delta estimates that a semi-annual security audit will cost BIOME between $15,000 and $20,000 per audit.

 

Excellent articles on security outsourcing can be found on Information Week's website at http://www.informationweek.com/thisweek/story/IWK20010713S0009, and at Information Security Magazine's website at http://www.infosecuritymag.com/articles/january01/cover.shtml.

 

4.5       Monitoring

 

A critical component of any security implementation is the ability to monitor the network and systems in order to detect the signature of an attempted security penetration. Without monitoring, it is usually impossible to detect if someone breaks into an IT infrastructure and steals information or resources. The penetration is usually only detected if something is deleted or destroyed.

 

As BIOME does not currently employ any kind of security monitoring tool, Delta recommends that some form of monitoring be implemented. There are two options for this - purchasing and installing a security monitoring package, or outsourcing the monitoring.

 

For purchasing a security monitoring package, BIOME should expect to pay between $8,000 and $25,000, depending on the exact tool chosen. BIOME should also be aware that these tools are not easy to install and configure. A rule set has to be developed that balances a high level of sensitivity with excessive false alarms, and resources have to be trained on using the tool. Additional resources will be required to monitor the tool on an on-going basis and update it when required. For more details on the available security monitoring packages, please refer to Information Security Magazine's review at http://www.infosecuritymag.com/articles/august01/cover.shtml.

 

Based on the cost and complexity of implementing an IDS tool in-house, Delta recommends that BIOME outsource security monitoring of the infrastructure. For more details on this option, please refer to Section 4.4, 'IT Resources'.
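The rule-set tuning described above (sensitivity against false alarms) is easiest to see on a concrete rule. The following is an added example, not part of the Delta report and not the product of any of the IDS vendors mentioned: a small detector that counts failed logins per source address in a sliding window and flags a source once it crosses a threshold. The same constructed log is run through a sensitive rule and a conservative one; the first also flags a legitimate user who mistyped a password three times, the second flags only the source hammering the root account. The log lines, host name and addresses are constructed.

```python
"""Burst-of-failures detector over constructed SSH log lines.

Added example (not from the Delta report): illustrates threshold tuning for a
monitoring rule. Everything in SAMPLE_LOG is constructed for the demo.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)"
)

# Constructed sample: 192.0.2.17 hammers root twelve times in 22 seconds;
# 10.1.4.22 is a user who mistypes a password three times and then gets in.
SAMPLE_LOG = "\n".join(
    [
        f"2001-08-09T02:14:{i * 2:02d} gw sshd[412]: Failed password for root "
        f"from 192.0.2.17 port 44{i:02d} ssh2"
        for i in range(12)
    ]
    + [
        "2001-08-09T08:30:05 gw sshd[520]: Failed password for jsmith from 10.1.4.22 port 1025 ssh2",
        "2001-08-09T08:30:20 gw sshd[521]: Failed password for jsmith from 10.1.4.22 port 1026 ssh2",
        "2001-08-09T08:30:41 gw sshd[522]: Failed password for jsmith from 10.1.4.22 port 1027 ssh2",
        "2001-08-09T08:30:55 gw sshd[523]: Accepted password for jsmith from 10.1.4.22 port 1028 ssh2",
    ]
)


def detect_bursts(lines: Iterable[str], threshold: int, window_seconds: int = 60) -> Dict[str, str]:
    """Return {source: time first flagged} for sources reaching `threshold`
    failed logins inside any `window_seconds` sliding window."""
    window = timedelta(seconds=window_seconds)
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: Dict[str, str] = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines do not count
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
        q = recent[m["src"]]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold and m["src"] not in alerts:
            alerts[m["src"]] = ts.isoformat()
    return alerts


def compare_thresholds() -> Dict[int, Dict[str, str]]:
    """Run the same log through a sensitive (3) and a conservative (8) rule."""
    lines = SAMPLE_LOG.splitlines()
    return {3: detect_bursts(lines, 3), 8: detect_bursts(lines, 8)}


if __name__ == "__main__":
    for threshold, alerts in compare_thresholds().items():
        print(f"threshold={threshold}: {alerts}")
```

A threshold of 3 in 60 seconds raises two alerts, one of them for the user who simply mistyped; a threshold of 8 raises one, and still catches the repeated root attempts within 15 seconds of their start. Which rule is right depends on who will read the alerts, which is the staffing question Section 4.4 raises.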

 

4.6       File Sharing

 

File sharing is a common method of sharing information within an infrastructure. However, it is also one of the weakest points in terms of security. In BIOME's infrastructure, users are sharing files utilizing Apple's Appleshare, Windows CIFS file sharing, and Unix NFS file sharing. Each user is free to share whatever files they want, with no constraints or monitoring. While this provides a certain level of convenience for the users, it allows anyone with access to the infrastructure to essentially access all shared information. BIOME currently has 5 Appletalk Zones for sharing files on Apple systems, 2 or 3 Windows workgroups and domains for sharing Windows files, and numerous NFS shares on Unix systems. There are also Unix systems running SAMBA to give them access to Windows shares. There are hundreds of files being shared on BIOME's network, with little or no access control applied to them. Many of the shares were originally set up to provide one-time access and have never been removed, and in some cases, entire hard disks are being shared.

 

Delta recommends that BIOME immediately undertake an effort to bring the file sharing under control. The first step should be an effort to document all existing shares and review them for content and necessity. Next, a methodology should be developed for grouping common shares into fewer shared areas controlled by the IT staff, based on projects, groups, etc. A set of access controls should be implemented to define who gets access to what shares, based on their need to know. Any requests for new shares should be controlled and approved by the IT staff and management, and fully documented, including an expiration date for the share.

 

For one-time shares, a series of common areas should be set up for each type of share (Appleshare, CIFS and NFS). Any files that are placed into these areas should be deleted on a daily basis by an automated tool or script.

 

The ability to create local file shares should be removed from all client systems. Users should be required to utilize shared areas set up and managed by the IT staff. The IT staff should also perform periodic automated checks of the network to determine if any unauthorized shares have been added and take appropriate corrective action.
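The periodic check for unauthorized shares, and the expiration date each approved share is supposed to carry, can be combined into one audit. The following is an added example, not from the Delta report: it parses constructed /etc/exports and smb.conf fragments (the NFS and Samba shares the section describes), compares what is actually exported with an approved inventory that records an expiry date per share, and reports shares that were never approved and shares whose approval has lapsed. File contents, share names, paths, addresses and dates are all constructed; on a real server the parsers would be pointed at the live configuration files.

```python
"""Audit exported NFS and Samba shares against an approved inventory.

Added example (not from the Delta report). All configuration text, share
names and dates below are constructed for the demonstration.
"""
import re
from datetime import date
from typing import Dict, List, Tuple

Share = Tuple[str, str]  # (protocol, share identifier: NFS path or CIFS share name)

EXPORTS = """\
# /etc/exports (constructed)
/export/projects      *(rw,sync)
/export/old_grant     10.1.0.0/16(ro)   # set up for a one-time transfer
/export/tmp_sequencer 10.1.4.0/24(rw)
"""

SMB_CONF = """\
[global]
   workgroup = BIOME
[projects]
   path = /export/projects
   writable = yes
[drive_c]
   path = /
   writable = yes
"""

# The inventory the IT staff maintains: approved shares and their expiry dates.
APPROVED: Dict[Share, date] = {
    ("nfs", "/export/projects"): date(2002, 6, 30),
    ("cifs", "projects"): date(2002, 6, 30),
    ("nfs", "/export/old_grant"): date(2001, 3, 31),  # approval has lapsed
}


def parse_exports(text: str) -> List[Share]:
    """NFS export paths from an exports(5)-style file, ignoring comments."""
    shares: List[Share] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            shares.append(("nfs", line.split()[0]))
    return shares


def parse_smb_conf(text: str) -> List[Share]:
    """Samba share names: every section that sets a path, except the special sections."""
    shares: List[Share] = []
    section = None
    for raw in text.splitlines():
        line = re.split(r"[;#]", raw, maxsplit=1)[0].strip()
        header = re.match(r"\[(.+)\]$", line)
        if header:
            section = header.group(1).strip()
        elif (section and section.lower() not in ("global", "homes", "printers")
              and line.lower().startswith("path")):
            shares.append(("cifs", section))
    return shares


def audit(discovered: List[Share], approved: Dict[Share, date], today: date) -> Dict[str, List[Share]]:
    """Split what is actually exported into never-approved and approval-expired shares."""
    return {
        "unauthorized": sorted(s for s in discovered if s not in approved),
        "expired": sorted(s for s in discovered if s in approved and approved[s] < today),
    }


def demo(today: date = date(2001, 8, 10)) -> Dict[str, List[Share]]:
    """Run the audit over the constructed configuration as of the report date."""
    return audit(parse_exports(EXPORTS) + parse_smb_conf(SMB_CONF), APPROVED, today)


if __name__ == "__main__":
    print(demo())
```

In the constructed input the audit flags the entire-disk CIFS share and a leftover one-time NFS export as unauthorized, and the old grant export as expired. The same comparison can be fed from a network scan of client machines instead of server configuration files; the inventory with its expiry dates is the part that makes the result actionable.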

 

Delta estimates that implementing this recommendation would require 3 to 4 weeks of effort. The primary cost would be the time of the IT staff to document the existing shares and implement the new shared areas.

 

Delta also recommends that BIOME consider the use of a Network Attached Storage (NAS) device for all file shares. One such device that would meet BIOME's requirements is a Snap Server from Quantum, Inc. These devices provide access to shared areas for Apple, Windows and Unix systems (all three operating systems can share the same files), as well as extensive access control capabilities. A Snap Server 4100, configured with 300GB of storage and RAID5, would cost approximately $3900. An additional benefit of this approach would be that current file servers could be eliminated from the infrastructure, significantly reducing costs and complexity. For more details, please refer to the Snap Appliance web site at http://www.snapappliances.com/.

 

4.7       Compartmentalization of Information

 

One of the cardinal tenets of IT security is the concept of 'need to know'. If an individual does not require access to information to perform their job, they should not have access to the information. BIOME's current IT infrastructure does not provide any classification of information, and therefore no management of access based on classification. Files are freely shared on the network, systems are left logged on, and users can generally log into any system that is part of their domain.

 

Delta recommends that BIOME undertake an effort to classify the various types of information within the infrastructure, and utilize these classifications to develop access control for users. The current classifications identified during this effort are:

 

        Financial

        Business Development

        Clinical

        Regulatory

        General Scientific

        Human Resources

        Executive/Corporate

        Facility/Operations

        Intellectual Property

        Information Technology

 

Access to any system or information shared in the infrastructure should be controlled based on these classifications. Additional sub-classifications should be set up to provide a finer degree of control to the information, such as specific projects, etc. This effort should be accomplished in conjunction with the recommended efforts to document all users (see Section 4.12) and to implement a directory services mechanism (see Section 4.12).

 

Delta estimates that BIOME would require 4 to 6 staff weeks of full-time effort to develop a comprehensive information classification methodology and implement access controls. Note that this assumes that all of the users have been documented and that access control can be accomplished from a single source (i.e. a directory service).
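The classification-driven access control recommended above comes down to a deny-by-default decision: a user reaches a share only if a group they belong to is cleared for the share's classification and, where the share carries a sub-classification such as a project, for that project as well. The following is an added example, not from the Delta report: a small policy check of that shape, with the group memberships held in one place (standing in for the directory service the section assumes) and a review helper that lists what each user can reach. User, group, project and share names are constructed; the classification names are the ten from the report.

```python
"""Need-to-know access check driven by information classification.

Added example (not from the Delta report). Users, groups, projects and
share names are constructed; the classifications are the report's own.
"""
from typing import Dict, List, NamedTuple, Optional, Set


class Share(NamedTuple):
    name: str
    classification: str            # one of the classifications identified in the report
    project: Optional[str] = None  # optional sub-classification for finer control


# Single source of truth: which groups a user belongs to (directory service),
# what each group is cleared to read, and which projects each group covers.
USER_GROUPS: Dict[str, Set[str]] = {
    "alice": {"scientists", "proj-x12"},
    "bob": {"scientists"},
    "carol": {"finance"},
}
GROUP_CLEARANCE: Dict[str, Set[str]] = {
    "scientists": {"General Scientific"},
    "finance": {"Financial"},
    "proj-x12": {"General Scientific", "Intellectual Property"},
}
GROUP_PROJECTS: Dict[str, Set[str]] = {"proj-x12": {"X12"}}


def can_access(user: str, share: Share) -> bool:
    """Deny unless an explicit clearance covers both labels on the share."""
    groups = USER_GROUPS.get(user, set())  # unknown user -> no groups -> denied
    if not any(share.classification in GROUP_CLEARANCE.get(g, set()) for g in groups):
        return False
    if share.project is None:
        return True
    return any(share.project in GROUP_PROJECTS.get(g, set()) for g in groups)


def visible_shares(user: str, shares: List[Share]) -> List[str]:
    """Names of the shares a user may reach; the list to hand to a periodic access review."""
    return [s.name for s in shares if can_access(user, s)]


SHARES = [
    Share("sci-general", "General Scientific"),
    Share("x12-assays", "Intellectual Property", project="X12"),
    Share("x12-notes", "General Scientific", project="X12"),
    Share("gl-ledger", "Financial"),
]


if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "mallory"):
        print(user, visible_shares(user, SHARES))
```

Bob is cleared for General Scientific but not for project X12, so he sees the general share and not the X12 notes even though they carry the same classification; that is the finer degree of control the sub-classifications are meant to give. Because the decision reads only from the group tables, changing a person's access means editing one record, which is why the section ties this effort to documenting users and standing up a directory service.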

 

4.8       Complexity of IT Environment

 

Complexity can have a significant impact on the level of security in an IT environment. The greater the number of discrete components present, the more possible ways there are for an intruder to penetrate and subvert one of them. An additional factor is the increased load on the IT staff - the more components that have an impact on security, the greater the chance that the IT staff will not have the time to monitor and manage all of them. IT complexity also greatly increases the Total Cost of Ownership (TCO) of the environment.

 

BIOME currently employs 4 different versions of the MacOS operating system, 2 different versions of the Windows operating system (along with multiple service pack levels), and at least 3 different types of Unix systems. In addition, users are generally free to modify and configure their systems as they desire, including installing applications and patches. The primary reason for this mixed environment is that it has grown in an uncontrolled manner, and the IT staff lacks the time, resources, and authority to consolidate the environment.

 

Delta recommends that BIOME undertake an effort to update and consolidate all of the various systems into a few standard configurations. All client systems would be required to conform to these standard configurations, and users should not have the ability to modify the configuration (i.e. installing patches, applications, utilities, etc.) without approval of the IT staff and management. This would greatly reduce the workload on the IT staff and ensure that the security configuration of all systems is applied in a standard manner. It would also prevent the introduction of various worms, Trojan horses, viruses, etc. associated with freeware and shareware applications that the users may install.

 

Delta estimates that the effort to develop standard configurations for all systems would require 6 to 8 weeks of full-time effort by the IT staff. The actual time and costs associated with implementation of these configurations would vary, depending on the number of systems.

 

For more information on the costs associated with IT complexity, please refer to the InformationWeek Research report titled 'Overcoming IT Complexity', dated April 2001. This paper costs $99 and can be obtained at http://www.informationweekresearch.com/.

 

4.9       Data Center Physical Location

 

In order to provide effective security, physical access to the data center must be controlled. BIOME's data center/staging room is located on the first floor of the building, with large picture windows facing the outside. These windows provide an easy entry point for anyone wishing to gain access to the data center. Delta estimates that an intruder could destroy a significant portion of BIOME's IT infrastructure, or steal a significant portion of the data in the infrastructure, in less than 1 minute. To illustrate this, consider the following scenarios:

 

        A person who has a reason to dislike BIOME (i.e. a disgruntled ex-employee, an activist who is against genetic research, etc.) approaches the data center at night. They either cut through or break the windows to gain access to the data center. Once inside, they activate the water sprinkler system by holding up a cigarette lighter to one of the sprinkler heads. The resulting deluge of water would damage a significant percentage of BIOME's systems, documentation, etc.

        A person wishing to steal BIOME's data performs the same actions as above, but instead of setting off the sprinkler system, they take all of the backup tapes from the unlocked cabinet in the data center. These tapes contain all of the data in BIOME's IT infrastructure.

 

In the second scenario above, if the person quietly cut the glass late on a weekend, the theft might not even be discovered for several days.

 

In order to strengthen the physical security of the data center, Delta recommends that BIOME add an alarm system to the windows in the data center, as well as a motion sensitive alarm within the data center itself. In addition, BIOME should consider replacing the current water-based sprinkler system with a gas-based fire suppression system to prevent water damage.

 

A second option would be for BIOME to re-locate the data center to a more secure location within the building.

 

Delta was unable to determine the costs associated with either of these options.

 

4.10   Firewall

 

The firewall is the primary method of controlling access between the internal network and the external world (the Internet). BIOME currently employs a Checkpoint firewall running on a Sun server provided by WebConnect as part of their ISP package. While this provides a moderate level of security, BIOME has little or no control over the configuration of the firewall, and is not able to monitor the firewall for suspicious activity.

 

Delta recommends that BIOME eliminate the Checkpoint firewall from their contract with WebConnect and implement a Cisco Pix firewall. Additional details on this recommendation can be found in the Business Requirements document produced by Delta in parallel with this effort.

 

Delta also recommends that BIOME implement intrusion detection monitoring of the firewall. For more details on this recommendation, please refer to Section 4.5, 'Monitoring', in this document.

 

An additional consideration for the current firewall is that the current rule set allows access to various non-business required services, such as AOL, through the firewall. When a user within BIOME's infrastructure connects to AOL, they are, in effect, creating a virtual network connection between BIOME's internal network and AOL's network. This connection has been a common source of penetration attacks by hackers, and is generally considered to be very insecure. Delta recommends that access to any non-business required services through the firewall be disabled.

 

4.11   Documentation

 

In order for any security policy to be effectively implemented, the IT staff needs a great deal of information on what is in the infrastructure and how it is configured and used. One of the most common methods of detecting a security breach is to realize that something has changed, either in terms of configuration or behavior. In order to reach this realization, the staff must know how things are currently configured. BIOME's IT staff has started an effort to document the existing servers and their associated applications.

 

Delta recommends that BIOME significantly expand this effort to develop a database that defines all IT resources, including:

 

        Server systems

        Client systems

        Network devices

        Printers

        Users

        All other hardware

 

The information for each device should include, at a minimum, the following:

 

        Location

        Serial numbers

        Peripherals

        Responsible individual

        Type and manufacturer

        OS version

        Firmware version

        Users of the device

        Applications installed

        Configuration

        Change history

 

This information should be stored in a secure location and access tightly controlled. While there are commercial asset management software packages available, most of these would entail more cost and complexity than BIOME's infrastructure requires at this point. Delta recommends that BIOME implement a simple Access database with the necessary information.
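As an added illustration of the change-history requirement (this is example code, not part of Delta's report or BIOME's systems), the following uses an in-memory SQLite database in place of the Access database: each device is recorded with the fields listed above, and a later re-inventory is diffed against the baseline so that every change is logged. The device rows and observation dates are constructed.

```python
import sqlite3

# The per-device columns the report lists; change history is a second table.
FIELDS = ("location", "serial", "responsible", "model", "os_version",
          "firmware", "users", "applications", "configuration")

def open_db():
    """Create the asset tables in an in-memory SQLite database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE device (name TEXT PRIMARY KEY, "
               + ", ".join(f"{f} TEXT" for f in FIELDS) + ")")
    db.execute("CREATE TABLE change_history (device TEXT, observed TEXT, "
               "field TEXT, old TEXT, new TEXT)")
    return db

def register(db, name, **attrs):
    """Record a device's baseline; fields not supplied are stored empty."""
    if set(attrs) - set(FIELDS):
        raise ValueError(f"unknown fields: {sorted(set(attrs) - set(FIELDS))}")
    cols = ("name",) + FIELDS
    db.execute(f"INSERT INTO device ({', '.join(cols)}) VALUES "
               f"({', '.join('?' * len(cols))})",
               (name,) + tuple(attrs.get(f, "") for f in FIELDS))

def observe(db, name, observed, **current):
    """Diff a fresh inventory against the baseline; log and return drifted fields."""
    row = db.execute("SELECT " + ", ".join(FIELDS) + " FROM device WHERE name=?",
                     (name,)).fetchone()
    if row is None:
        raise KeyError(f"{name} is not in the inventory")
    baseline = dict(zip(FIELDS, row))
    drifted = []
    for field, new in current.items():
        if field not in FIELDS:          # column names go into SQL, so whitelist them
            raise ValueError(f"unknown field: {field}")
        if baseline[field] != new:
            drifted.append(field)
            db.execute("INSERT INTO change_history VALUES (?, ?, ?, ?, ?)",
                       (name, observed, field, baseline[field], new))
            # The baseline becomes what is now in place, so the next
            # observation is compared with the current state.
            db.execute(f"UPDATE device SET {field}=? WHERE name=?", (new, name))
    return drifted

def history(db, name):
    """Change history for one device, oldest first."""
    return db.execute("SELECT observed, field, old, new FROM change_history "
                      "WHERE device=? ORDER BY rowid", (name,)).fetchall()

def demo():
    """Constructed walk-through: baseline a file server, then re-inventory it."""
    db = open_db()
    register(db, "fileserver1", location="data center, rack 2",
             serial="SERIAL-PLACEHOLDER", responsible="IT staff",
             model="generic x86 server", os_version="Windows 2000 SP1",
             applications="file sharing", configuration="shares: projects")
    drifted = observe(db, "fileserver1", "2001-08-10",
                      os_version="Windows 2000 SP2",                    # patched
                      applications="file sharing; remote control tool",  # new
                      configuration="shares: projects")                 # unchanged
    return drifted, history(db, "fileserver1")
```

Any row in the change history that no approved change request explains is the "something has changed" signal the paragraph above describes.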

 

Delta estimates that this effort would require 4 to 5 weeks of full-time effort by the IT staff. Given the current load on the staff, BIOME may want to consider contracting this effort to an outside company.

 

4.12   User Accounts and Management

 

In order to effectively control access to information within the infrastructure, the IT staff requires information on who the users are and what level of access they require. Access to this information will ensure that only the required accounts are active in the infrastructure, and that each user can access the information they need.

 

Note that during this effort, Delta found numerous variances from the standard 'best practices' for user account management, including:

 

        Use of the Administrator and Root accounts by users for everyday work

        Accounts for individuals that are no longer with the company

        Users sharing their accounts

        Accounts with no passwords

 

In order to gather the information to address this issue, Delta recommends that BIOME undertake a detailed audit of all existing user accounts, along with an audit of all current users. The two lists should be compared to determine which accounts are no longer required, which users have multiple accounts, etc. This effort should be undertaken before BIOME begins its effort to implement a centralized directory service for access control.
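The two-list comparison described above, written out as an added example (not part of Delta's deliverable or BIOME's systems): it takes a constructed export of accounts from several systems and a constructed HR roster, and reports the variances listed in this section, namely accounts without passwords, accounts whose owner has left or is unknown, privileged accounts held outside the IT staff, and people with more than one login.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    system: str         # system the account exists on
    name: str           # login name
    owner: str          # person the account is issued to; "" if nobody knows
    has_password: bool
    is_admin: bool      # Administrator / root level account

# Constructed export of accounts from three systems (not BIOME data).
ACCOUNTS = [
    Account("fileserver", "jsmith", "J. Smith", True, False),
    Account("fileserver", "Administrator", "", False, True),  # no password
    Account("labunix", "jsmith", "J. Smith", True, False),
    Account("labunix", "jsmith2", "J. Smith", True, False),   # second login
    Account("labunix", "root", "R. Lee", True, True),         # root used daily
    Account("hrpc", "mgreen", "M. Green", True, False),       # left the company
]
# Constructed HR roster of current employees, and the IT staff subset.
HR_ROSTER = {"J. Smith", "R. Lee", "P. Adams"}
IT_STAFF = {"P. Adams"}

def audit(accounts, roster, it_staff):
    """Compare the account export with the HR roster.

    Returns a dict mapping a finding category to a sorted list of
    'system/name' labels (owner names for multiple_accounts).
    """
    findings = defaultdict(set)
    logins_per_person = defaultdict(set)
    for a in accounts:
        label = f"{a.system}/{a.name}"
        if not a.has_password:
            findings["no_password"].add(label)
        if not a.owner:
            findings["unknown_owner"].add(label)
        elif a.owner not in roster:
            findings["departed_owner"].add(label)
        if a.is_admin and a.owner not in it_staff:
            findings["admin_outside_it"].add(label)
        if a.owner and not a.is_admin:
            logins_per_person[a.owner].add(a.name)
    for person, names in logins_per_person.items():
        if len(names) > 1:                   # policy: one account per user
            findings["multiple_accounts"].add(person)
    return {k: sorted(v) for k, v in findings.items()}

if __name__ == "__main__":
    for category, items in sorted(audit(ACCOUNTS, HR_ROSTER, IT_STAFF).items()):
        print(f"{category}: {', '.join(items)}")
```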

 

Delta estimates that this effort will require 2 to 3 weeks of full-time effort by the IT staff.

 

In addition, Delta recommends that an account management policy be developed as part of the IT security policy. The policy should mandate, as a minimum, the following:

 

        Only the IT staff will have access to Administrator and Root accounts

        Each user will have a single account

        Any accounts no longer required will be disabled, and all files belonging to that account should be backed up and deleted

        Users should not share their account with anyone

        Any requests for new accounts must come through the IT staff and be approved by the requestor's manager

        Anytime an account will not be used for 1 week or longer (i.e. vacation, travel, etc.) it will be disabled until required

        HR will inform the IT staff whenever personnel leave the company or go on vacation for 1 week or longer

 

The effort required to develop this policy is included in the effort for the overall IT security policy. For more details, please refer to Section 4.2, 'Security Policy', in this document.

 

As an additional security precaution, Delta recommends that BIOME change the default names of all 'Administrator' and 'root' accounts to minimize the risk of their being targeted by an attack.

 

4.13   Remote Access

 

BIOME currently employs dial-in modems as the primary method of allowing remote access to the infrastructure. Dial-in modems are one of the most common avenues of attack for hackers, and many tools are available to assist them with gaining access to the modems (i.e. 'war dialers', 'lurkers', etc.). Another limitation is that the number of simultaneous users is limited to the number of modems available.

 

Delta recommends that BIOME implement a Virtual Private Network (VPN) solution to provide remote access to its employees. Given BIOME's requirements, Delta recommends that a Cisco 300x VPN appliance be implemented (Additional details on this recommendation can be found in the Business Requirements document produced by Delta in parallel with this effort). This solution provides a native client solution for both Windows and Unix platforms. For Apple systems, Delta recommends that BIOME utilize PGP's PGPvpn solution for Apple, with IPSEC and aggressive IKE encryption. Note that implementing this solution will require that all remote Apple systems be running MacOS 8.6 or higher. The cost for the Windows clients is included with the VPN appliance - each Apple client will cost $63 per system for a 2 year license.

 

For more details on PGP's PGPvpn solution, please refer to PGP's web site at http://www.pgp.com/products/pgpnet-vpn-client/default.asp.

 

4.14   Notebook Computers

 

A number of managers within BIOME utilize notebook computers for working on the road and at home. These include both Apple and Windows-based systems. Since these notebooks are utilized by upper-level management, they generally contain information that is critical to the company. However, if any of the notebooks were lost or stolen, it would be a relatively simple task for a hacker to obtain the information from the systems. Even if the system were password protected, the disk drive could be removed and installed as a second drive in another system, allowing complete access to the data.

 

In order to prevent unauthorized access to this data, Delta recommends that BIOME implement a policy of utilizing encryption for the directories and folders that contain sensitive information on these systems. For Windows systems, Delta recommends utilizing the built-in Encrypting File System (EFS) available in Windows 2000 (this assumes that the system is running Windows 2000). In order to implement this, BIOME will need to implement a simple Microsoft Certificate PKI server within their infrastructure. This server is available as part of the standard Windows 2000 server package, and is fairly simple to configure. The data in the selected folders will be encrypted, and the user will require a password to access it.

 

For Apple notebooks, Delta recommends that BIOME purchase a copy of Intego's DiskGuard for each notebook. This package provides functionality similar to the Windows 2000 encrypted filesystem in that it allows specific folders to be encrypted. The user must then enter a password to access the data.

 

Delta estimates that this recommendation can be implemented in less than 1 week by the IT staff. The Windows 2000 solution is included with the operating system; Intego's DiskGuard costs $50 per system. For more details, please refer to Intego's web site at www.intego.com.

 

Delta also recommends that the IT staff be given control of how any notebook computers that will carry BIOME data or connect to BIOME's infrastructure are configured, including what applications are installed. For more details on this recommendation, please refer to Section 4.3, 'IT Staff Authority', in this document.

 

Delta also recommends that these same recommendations be applied to any home systems that are used to store BIOME data or access BIOME's infrastructure. If a user that requires access from home is not willing to give the IT staff access to their home system, that user should be supplied with a system that has been pre-configured by BIOME. This can be controlled by ensuring that the IT staff are the only people capable of producing the keys required to access the VPN.

 

4.15   Passwords

 

Passwords are the primary method of access control for most IT infrastructures. They are also the most common cause of security breaches. Some of the most common attacks occur because:

 

        Users use easy-to-guess passwords

        Accounts have no password

        Passwords are never changed

        Passwords are written down by users

        Passwords are shared by users

 

During Delta's investigation, many of these security flaws were found to exist within BIOME's infrastructure. In some cases, systems had Administrator accounts with no password at all.

 

Delta recommends that BIOME implement a strong password policy as part of the overall IT security policy. This should include:

 

        Minimum password lengths (8 characters recommended)

        Passwords must include both upper and lower-case letters, plus at least 1 number

        A maximum password lifetime of 6 months (3 months is recommended), with a password history of at least 10 to prevent the re-use of old passwords

        All accounts must have a password

        Only the IT staff has access to any Administrator and root passwords. For emergency purposes, these passwords can be written down and sealed in an envelope stored in a secure location (such as a locked cabinet in the President's office).
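The password rules above, coded as an added example (not part of Delta's report): a proposed new password is checked for the recommended minimum length, mixed case and a digit, compared against a history of the last 10 passwords, and an account's password age is tested against the 6-month maximum lifetime. The history is kept as digests; a password store would use a salted, slow hash rather than plain SHA-256, which is used here only to keep the example short.

```python
import hashlib
from datetime import date, timedelta

MIN_LENGTH = 8                        # report: 8 characters recommended
MAX_LIFETIME = timedelta(days=180)    # report: 6 months maximum (3 recommended)
HISTORY_DEPTH = 10                    # report: history of at least 10

def _digest(password):
    """Digest kept in the history; a live system would use a salted slow hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def password_violations(candidate, history_digests):
    """Return the policy rules a proposed new password breaks (empty = OK)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in candidate):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in candidate):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if _digest(candidate) in history_digests[-HISTORY_DEPTH:]:
        problems.append("reuses one of the last 10 passwords")
    return problems

def password_expired(last_changed, today):
    """True once the password is older than the maximum lifetime."""
    return today - last_changed > MAX_LIFETIME

def accept_change(candidate, history_digests):
    """Validate a change and return the history trimmed to the last 10 digests."""
    problems = password_violations(candidate, history_digests)
    if problems:
        raise ValueError("; ".join(problems))
    return (history_digests + [_digest(candidate)])[-HISTORY_DEPTH:]

def account_status(last_changed, history_digests, today):
    """Summarise one account: no password set, password expired, or compliant."""
    if not history_digests:            # policy: all accounts must have a password
        return "no password set"
    if password_expired(last_changed, today):
        return "password expired"
    return "compliant"
```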

 

For special cases where business requirements would make a strong password policy too much of a burden on users, BIOME should consider implementing a biometric device for system access. These devices are relatively inexpensive (less than $100 per system) and can be attached to virtually any system. The most common form factors are thumbprint scanners and retinal scanners. The access code generated by such a device can be integrated into BIOME's planned directory services project to allow for centralized control.

 

For more details on available biometric devices, please refer to the Information Security Magazine article at http://www.infosecuritymag.com/articles/march00/features1.shtml