Delta Security Solutions

"The Difference in IT Security"


IT Infrastructure Security Audit Results

For

Mercy Hospital


Prepared By:


John McDonald

Delta Security Solutions

15 May 2001


Contents

1 Introduction
2 Executive Summary
3 Project Overview
3.1 Report Structure
4 Critical Issues
4.1 Firewall
4.2 IT Security Resource
5 General Issues
5.1 Information Valuation & Classification
5.2 Security Policies & Procedures
5.3 Security Awareness
5.4 Legal Processes and Procedures
5.5 Physical Access
5.6 Resource Access Control
5.7 Security Audits
5.8 Remote Sites
5.9 Human Resources
5.10 Contingency Planning
5.11 IT Staff Authority
6 Technology Issues
6.1 General Technology Issues
    Security Tools
    Audit Logs
    Virus Protection
    Login Notices
    Passwords
    Configuration Management
    Version Control
    Security Information Updates
6.2 Network Issues
6.3 Windows NT Issues
6.4 AS/400 Issues
6.5 OpenVMS Issues
6.6 RS/6000 Issues
6.7 Windows 95 Issues
6.8 Novell Netware Systems
6.9 Other Systems
    Sun Systems
    DOS Systems
6.10 Additional Technology Recommendations
    Honeypot
    Alternative Access Methods
7 Future Directions
7.1 Patient Record System
7.2 Handheld Devices
8 Appendix A - Windows NT System Results
9 Appendix B - Recommended Firewall Configuration


1        Introduction

 

This document defines the results of the Information Technology (IT) Infrastructure Security Audit performed for Mercy Hospital (Mercy) by Delta Security Solutions (Delta).

 

This document contains information that is confidential and proprietary to Delta Security Solutions and Mercy Hospital, and may not be disclosed, either in part or in whole, to any person or agency outside of Delta or Mercy without the express consent of both parties.

 

CAUTION: This document contains information regarding the security posture of Mercy's IT infrastructure that, if made available to unauthorized parties, could significantly compromise the security of the organization. Delta recommends that Mercy strictly control access to this document and its contents and only provide the information to individuals with a well-defined need-to-know.

 

2        Executive Summary

 

Mercy Hospital (Mercy), like most modern organizations, is dependent on Information Technology (IT) to accomplish its organizational goals. These include providing the highest level of health care possible for its patients, providing a safe, healthy and productive work environment for its employees, and ensuring the financial health of the organization. The use of IT allows Mercy to create, manage and utilize the information necessary to meet these goals. However, as recent articles in the popular press have shown, the use of IT also presents additional risks that an organization must address in order to remain effective. As an organization grows and becomes more dependent on IT, these risks and the potential damage they represent increase dramatically. An organization must ensure that the information it needs is not only available when required, but protected from unauthorized access and interference as well.

 

In addition to its internal requirements, Mercy is potentially subject to various standards defined for the healthcare industry. The most critical of these is the Health Insurance Portability and Accountability Act (HIPAA), also known as the Kennedy-Kassebaum bill, which was passed on August 21, 1996. Even though not all of the requirements for HIPAA have been finalized as of this date, a significant portion of the act defines a series of requirements for ensuring the security and privacy of information stored on computers. This includes administrative procedures, contingency planning, access control, auditing, etc.

 

To assist in meeting its goals for IT security, Mercy contracted Delta to conduct an IT security audit. The purpose of this audit was to analyze the security of Mercy's IT infrastructure, document its current state, and make recommendations on how to improve security. To perform this audit, Delta employed a lead IT Security consultant and several specialized technology consultants to analyze the IT infrastructure, develop an understanding of its current state, and develop specific recommendations. This was accomplished over a 4-week period during April/May 2000.

 

Delta found that, overall, the security of Mercy's IT infrastructure is relatively weak. A number of significant issues were uncovered that show that Mercy is extremely vulnerable to many forms of potential security threats, and that, in reality, Mercy is subjected to such attacks on a regular basis. A security monitoring tool showed that Mercy's IT infrastructure was probed hundreds of thousands of times per week, and that several successful attacks were occurring on a weekly basis. These are the known successful attacks, and thus there is a potentially large number of undiscovered ones.

 

During the audit, Delta uncovered a number of specific issues around IT security and has developed recommendations to address them. The following recommendations have been identified as the most critical:

 

· A firewall should be installed between Mercy's internal network and the Internet to prevent outside access to Mercy's IT resources.

· Mercy's IT infrastructure has reached a size and complexity where managing security requires a significant amount of resources. Combined with the critical and sensitive nature of the information being managed, this indicates that a full-time IT security specialist should be added to Mercy's IT staff.

· On numerous occasions during the audit, 'Unauthorized' Delta personnel were able to gain physical access to systems, networks and other IT resources without being challenged. This indicates that Mercy should develop a training plan to increase security awareness by its personnel.

· Legal aspects of IT security are critical to developing and implementing effective security. The legal staff should work with Human Resources and the IT staff to develop legal policies and procedures as part of Mercy's IT security plan.

· The primary method for evaluating the cost-effectiveness of any security plan involves assigning a value to the resource that is to be protected. The lack of a formal method for valuating a resource precludes making informed decisions regarding the amount of protection any given resource requires. Mercy should begin an effort to quantify the value of all IT resources.

 

Note that, given the broad range of IT security issues uncovered during the audit, this report focuses on issues that need to be resolved in the short term (next 3-6 months) in order to provide Mercy with a solid security foundation upon which to develop future capabilities (e.g. Public Key Infrastructure (PKI) systems, certificate-based security, integrated cryptography, etc.). Once these issues have been addressed, Mercy should begin a more detailed effort to develop long-term requirements and solutions for security.

 

Delta also wishes to stress the fact that IT security is not a goal - it is an on-going process that will require constant monitoring, modification and updating as Mercy's IT requirements increase and the security threat environment expands and changes.

3        Project Overview

 

Mercy currently maintains a medium-sized IT environment that is used to manage various functions within the organization. Servers consist primarily of Windows NT-based systems, with IBM AS/400 and Compaq OpenVMS servers providing core functionality. Most client systems are Windows NT-based. A few additional miscellaneous systems exist within the infrastructure, including DOS, Macintosh, Sun/Solaris, etc.

 

The network consists of a campus-type LAN between the various facilities, with a T3 connection to the Internet provided by Harvard University. The network hardware consists primarily of Cisco routers.

 

Delta recently undertook an effort to analyze the security of Mercy's IT infrastructure. During the audit, the following areas relating to IT security were reviewed:

 

· Overall Security Architecture – Delta looked at the overall architecture as it affects Mercy's IT security. This included such areas as a functional breakdown of the different IT groups, a definition of the types of computing architectures implemented, etc. This provided a starting point for the rest of the analysis.

· Security Physical Layout – This involved analyzing and understanding the different physical locations of the IT technology, such as what buildings, what floors, where the disaster recovery site is located, access control, etc., in the context of security.

· Network – A security audit of the network was performed, including access control, current security implementation, etc. A detailed network map was prepared, showing all of the network components and their location within the security structure. Network security controls, such as firewalls and proxy servers, were evaluated.

· Systems – An audit of both the client and server systems was performed, including an inventory, current security levels, security of applications supported, etc.

· Storage Strategy – An analysis of the storage strategy utilized by Mercy was performed to determine how security is implemented at the storage level.

· Applications – An inventory of all applications was performed, including version information, utilization rates, known security issues, etc. The implementation of the critical applications was analyzed to determine the impact on security.

· End-to-End Analysis – For critical application processes, an end-to-end security analysis was performed. This consisted of analyzing each component of the processing chain to determine its security and its impact on the overall security.

· Organization – The organization of the various IT groups was reviewed to gain an understanding of the organizational dynamics and how they affect security.

· Processes, Plans and Procedures – The various processes, plans and procedures that support IT security were analyzed. This included system and network administration, security practices, disaster recovery, etc.

· Documentation – Standard policies or procedures implementing security were analyzed, and samples of the documentation itself were reviewed.

· Tools – The IT organization's use of various security-related tools was evaluated. This included all software and hardware tools used for management, etc.

· Strategic IT Plan – The IT organization's Strategic IT plan was reviewed to determine the effect future plans may have on security.

· Change-in-Process – Changes currently being made to the IT infrastructure, as well as planned changes, that may affect security were reviewed.

· User Perceptions – An informal poll was conducted of the IT users to determine their attitudes towards security.

· Training – Training plans for security awareness, both for staff and users, were reviewed.

 

During this effort, Delta utilized a number of different tools and techniques to gather and analyze data. These included:

 

· Review of existing documentation – All existing documentation that provides information on Mercy's IT security was reviewed and incorporated into the analysis effort. This included network diagrams, past analyses, written policies, plans and procedures, etc.

· Interviews – Delta conducted extensive interviews with Mercy's IT staff, management, and user personnel to assist in gathering information about the IT infrastructure.

· Vendor contacts – Delta contacted the vendors of the technology utilized in Mercy's IT security to gather any information that might be pertinent to the analysis. This included planned upgrades, required patches, end-of-life schedules, etc.

· Customer Tools – All tools that Mercy's IT organization has implemented that provide information regarding the layout or behavior of the IT security were used. This included network management packages, system management packages, etc.

· Delta's Tools – Our consultants came equipped with their own tools for gathering data. Each consultant has a notebook computer with tools that allow them to analyze Mercy's systems and networks, and process the data that is collected.

· Technology Knowledge – Our consultants are up-to-date on the latest technology offerings, which allowed them to understand Mercy's security environment and where it is going.

· Industry Knowledge – As part of the team, we provided consultants that are familiar with Mercy's industry, which allowed them to analyze and understand its security in the context of its business. For Mercy, this included industry standards such as HIPAA.

 

The project required approximately 3 weeks of effort, with an additional week during the effort where the project team leader was unavailable, for a total of 4 weeks.

 

3.1       Report Structure

 

The recommendations in this report are divided into several sections. Section 4 provides a series of recommendations that Delta views as being the most critical to the security of Mercy's IT infrastructure and should be implemented as soon as possible. Section 5 provides a series of general technical recommendations that are not related to any one technology or portion of Mercy's infrastructure. Section 6 provides technical recommendations that address the specific technology areas employed by Mercy.

 

Each recommendation is also qualified with two cost factors - implementation cost and Total Cost of Ownership (TCO) costs. Implementation costs are what would be incurred to initially implement the recommendation. TCO costs are what would be required to maintain the recommended solution on an on-going basis.

 

The cost values are defined as low, moderate and high, which are based on Delta's understanding of Mercy's current IT technology acquisition cost model. In the case of TCO, costs include an estimated salary value for a resource to maintain the recommended solution on a yearly basis, along with any necessary licensing costs, maintenance contracts, etc.

 

The cost values are estimated as follows:

 

· Low - under $10,000

· Moderate - $10,000 to $25,000

· High - greater than $25,000

 

Please note that these are rough estimates only, and Delta assumes no responsibility for the actual cost associated with implementing any recommendation.

4        Critical Issues

 

This section defines the issues that Delta feels are the most critical and need to be addressed immediately. The issues addressed by this section are not limited to any one aspect of the IT infrastructure. Each sub-section defines a given issue and provides Delta's recommendations for addressing the issue, along with the relative cost of implementing the recommendation, both in terms of acquisition costs and Total Cost of Ownership (TCO) costs.

 

4.1       Firewall

 

The lack of access control to Mercy's internal LAN is the most critical issue uncovered during the audit. Mercy's network and systems are essentially 'naked' to the world, significantly increasing the potential for success by even the least sophisticated methods of attack. A security monitoring tool showed that Mercy's IT infrastructure was being probed for weaknesses hundreds of thousands of times per week, and that an average of several successful attacks were occurring on a weekly basis. The result is a number of known successful attacks, and a potentially larger number of undiscovered ones.

 

Recommendation: Mercy should immediately implement a firewall between the internal LAN and the external Internet connection to Harvard University. Given the extensive use of Cisco systems for Mercy's network, Delta recommends that Mercy implement the following firewall configuration:

 

· A pair of Cisco PIX 515-model firewalls (dual firewalls would provide a high-availability solution)

· Firewall to be fronted by a shared Cisco hub to provide load-balancing and ease of failover

 

Acquisition cost for hardware, software and configuration is high, while TCO costs, consisting of maintenance contracts and management time, are moderate.

 

Please refer to Appendix B for more details regarding the recommended firewall configuration.

 

4.2       IT Security Resource

 

Given the size of Mercy's IT infrastructure and its security requirements, Mercy needs a resource dedicated to developing and implementing effective IT security policies and procedures. In order to effectively implement the recommendations within this document, Delta estimates that a minimum of 30 to 40 hours per week of effort will be required on an on-going basis.

 

Recommendation: Delta recommends that Mercy dedicate a resource within the IT department to focus on IT security. This resource should be familiar with the various systems and hardware that Mercy utilizes and have a strong background in IT security. This individual would perform the following tasks:

 

· Review security audit logs on a regular basis

· Develop security policies and procedures

· Audit systems on a regular basis to ensure compliance

· Audit staff on a regular basis to ensure compliance

· Work with legal staff to develop a legal framework for IT security issues

· Work with Human Resources to develop IT security policies and procedures

· Work with Security to develop procedures for controlling physical access to IT resources

· Implement and utilize security monitoring tools

 

Acquisition cost for hiring a full-time security manager is high, while TCO costs, consisting of salary and other associated personnel costs, are moderate to high.

 

5        General Issues

 

This section addresses general, non-technology-related issues within Mercy's IT infrastructure, such as policies and procedures, training, etc. Each sub-section defines a given issue and provides Delta's recommendations for addressing the issue, along with the relative cost of implementing and supporting the recommendation.

 

5.1       Information Valuation & Classification

 

Mercy maintains a significant amount of information within its IT infrastructure, covering a wide range of applications. Currently, there is no formal method for determining how valuable any given piece of information is, or how well it should be protected. The result is that the IT department cannot make informed decisions regarding the level of security to apply to any given information or system.

 

Recommendation: Mercy should develop a formal methodology for valuating and classifying information within the IT infrastructure. The valuation process should include factors such as:

 

· Cost to create the data

· Impact on business due to loss of access to the data

· Potential liability due to disclosure of data

· Potential liability due to unauthorized modification of data

· Potential impact to IT security if the information is disclosed to unauthorized persons

 

Cost to implement, consisting of an effort to develop a methodology and qualify existing information, is moderate to high. TCO costs, consisting of on-going reviews for all information and qualification of new information, are moderate to high.

 

5.2       Security Policies & Procedures

 

Mercy's IT department has implemented a basic set of security policies and procedures as part of the overall IT policies and procedures manual. However, these only outline some basic security policies and do not provide the level of detail necessary to fully implement and manage an effective IT security policy.

 

Recommendation: Mercy should develop a detailed set of IT Security policies and procedures as an additional section within the general IT policies and procedures manual. This should include, as a minimum:

 

· Username and password policies for all systems

· Access control policies for all systems and applications

· Procedures for regular auditing

· Incident handling procedures

· Information classification and handling procedures

 

Cost to implement, consisting of an effort to develop policies and procedures, is moderate. TCO costs, consisting of on-going reviews of policies and procedures and compliance verification, are moderate.

 

5.3       Security Awareness

 

A significant part of any attempt to gain unauthorized access to IT systems involves obtaining as much information regarding the systems and network as possible. One of the most common methods of obtaining this information is via a process known as 'social engineering'. A prospective intruder may call someone within the hospital, claim to be from the IT department, and request that user's username and password. In some cases, an intruder may go to one of Mercy's facilities and attempt to gain access in person.

 

During the audit, Delta found that the majority of Mercy personnel were unaware of their roles and responsibilities regarding IT security. The result is that it is relatively easy for a potential intruder to employ social engineering to obtain information on, and access to, Mercy's IT infrastructure.

 

Recommendation: Delta recommends that Mercy develop and implement an IT security awareness program for all users.

 

Cost to implement, consisting of an effort to develop and deliver an IT security awareness program, is moderate. TCO costs, consisting of on-going reviews of the program and delivery to new personnel, are moderate.

 

5.4       Legal Processes and Procedures

 

A significant portion of any effective security policy involves addressing the legal issues associated with IT. This includes areas such as:

 

· Mercy's response to an attempted break-in to IT systems or theft of information

· Mercy's legal responsibilities to its patients in the event information is illegally accessed

· Mercy's potential liability in the event an IT system is compromised

 

Recommendation: Delta recommends that Mercy's legal staff work with an IT security specialist, a human resources representative, and a management representative to develop and implement a policy that defines the legal aspects of IT security issues.

 

Cost to implement, consisting of an effort to develop processes and procedures, is moderate. TCO costs, consisting of on-going reviews of processes and procedures, are low.

 

5.5       Physical Access

 

Controlling physical access to IT resources is critical to the effective management of IT security. A system that is completely secure in terms of network access may be totally open to an intruder that can gain physical access. This can be accomplished by simply booting from a floppy disk with the appropriate utilities installed.

 

During the audit, Delta encountered several instances where physical access to systems was not tightly controlled. One example is the PC installed inside the door at 325 Cambridge St. - 'unauthorized' Delta personnel were able to boot the system utilizing a system floppy and could potentially access any information on the system.

 

Recommendation: The IT department should work with Security to ensure that physical access to all systems is tightly controlled. Cost to implement is moderate, TCO costs are low.

 

Recommendation: All personnel should be made aware of the dangers of allowing individuals that have not been positively identified to have physical access to their systems. Cost to implement is low, TCO costs are low.

 

Recommendation: All server systems should have BIOS boot password protection enabled and require a password to access the system's BIOS. When feasible, client systems should also implement this restriction. Cost to implement is low, TCO costs are low.

 

Recommendation: All systems should have the ability to boot from a floppy disk disabled. Cost to implement is low, TCO costs are low.

 

5.6       Resource Access Control

 

Controlling access to IT resources is one of the main tenets of IT security. This involves ensuring that personnel only have access to the minimum amount of information required to do their job. While the default access control provided with most systems is marginally adequate, a comprehensive policy that defines access control across all IT resources can provide a single, tightly controlled mechanism that maximizes the security capabilities of all systems. One example of this is the use of directory services combined with digital certificates (known as a Public Key Infrastructure) that provides central management of access control for all IT resources. Implementation of this type of automated functionality requires an extensive effort, and is something Mercy should consider in the future. However, qualification of all information and of each user's rights to access that information, even if done manually initially, can provide a solid basis for future security automation.

 

It should be noted that this type of access control is one of the core requirements for the HIPAA standard. Organizations must be able to precisely control what type of access any given individual can have to patient information. The only practical way to effectively provide this level of control is with some form of centralized resource access control mechanism.

 

Recommendation: Mercy's IT staff should work with the user base to develop and implement a comprehensive access control plan and policy. This would include identifying every type of information managed by the IT infrastructure, identifying each user, and developing a matrix of the exact level of access each user requires to accomplish their job. Cost to implement, consisting of an effort to develop a comprehensive policy, is moderate. TCO costs, consisting of on-going reviews of the policy and integration of new users and systems, are moderate.
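The access matrix described above, as an added example that is not code from the Delta report: the exact level each job role requires per information type is recorded once, the access actually granted on the systems is compared against it, and any grant beyond what the job needs (or on information the matrix has never classified) is reported for revocation. The information types, roles, users and grants are constructed sample data.

```python
"""Least-privilege audit of an access-control matrix (added example).

Models the matrix recommended in section 5.6: every information type is
listed, each role is mapped to the access level its job requires, and the
access actually configured on the systems is checked against it. All names
and grants below are constructed sample data, not Mercy's real inventory.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List


class Access(IntEnum):
    """Ordered access levels: a higher value includes the lower ones."""
    NONE = 0
    READ = 1
    WRITE = 2
    ADMIN = 3


# Every type of information the IT infrastructure manages (constructed).
INFORMATION_TYPES = ("patient_record", "billing", "pharmacy_inventory", "hr_file")

# The matrix itself: the exact level each role requires per information type.
# Anything not listed for a role is implicitly Access.NONE.
ROLE_MATRIX: Dict[str, Dict[str, Access]] = {
    "nurse": {"patient_record": Access.WRITE, "pharmacy_inventory": Access.READ},
    "billing_clerk": {"billing": Access.WRITE, "patient_record": Access.READ},
    "pharmacist": {"pharmacy_inventory": Access.WRITE, "patient_record": Access.READ},
    "hr_staff": {"hr_file": Access.WRITE},
    "sysadmin": {t: Access.ADMIN for t in INFORMATION_TYPES},
}


@dataclass
class User:
    name: str
    role: str
    granted: Dict[str, Access]  # access actually configured on the systems


@dataclass(frozen=True)
class Finding:
    user: str
    info_type: str
    required: Access
    granted: Access
    kind: str  # "excess", "missing" or "unclassified"


def required_access(role: str, info_type: str) -> Access:
    """Look up the matrix; an unknown role or unlisted type requires nothing."""
    return ROLE_MATRIX.get(role, {}).get(info_type, Access.NONE)


def audit_user(user: User) -> List[Finding]:
    """Compare one user's grants with the matrix and report every deviation."""
    findings: List[Finding] = []
    for info_type in INFORMATION_TYPES:
        required = required_access(user.role, info_type)
        granted = user.granted.get(info_type, Access.NONE)
        if granted > required:
            # More access than the job needs: a least-privilege violation.
            findings.append(Finding(user.name, info_type, required, granted, "excess"))
        elif granted < required:
            # Less than the job needs: users will work around the control.
            findings.append(Finding(user.name, info_type, required, granted, "missing"))
    # A grant on data the matrix has never classified cannot be justified at all.
    for info_type, granted in user.granted.items():
        if info_type not in INFORMATION_TYPES and granted > Access.NONE:
            findings.append(Finding(user.name, info_type, Access.NONE, granted, "unclassified"))
    return findings


def audit(users: List[User]) -> List[Finding]:
    """Audit every user in the inventory."""
    return [f for u in users for f in audit_user(u)]


def excess_findings(findings: List[Finding]) -> List[Finding]:
    """The subset that calls for immediate revocation."""
    return [f for f in findings if f.kind in ("excess", "unclassified")]


# Constructed sample of what an inventory of the live systems might return.
SAMPLE_USERS = [
    User("a.nurse", "nurse", {"patient_record": Access.WRITE,
                              "pharmacy_inventory": Access.READ,
                              "billing": Access.READ}),                 # excess on billing
    User("b.clerk", "billing_clerk", {"billing": Access.READ,
                                      "patient_record": Access.READ}),  # missing WRITE
    User("c.admin", "sysadmin", {t: Access.ADMIN for t in INFORMATION_TYPES}),
    User("d.temp", "contractor", {"patient_record": Access.READ,
                                  "research_export": Access.WRITE}),    # role not in matrix
]

if __name__ == "__main__":
    for f in audit(SAMPLE_USERS):
        print(f"{f.kind:12} {f.user:10} {f.info_type:18} "
              f"required={f.required.name} granted={f.granted.name}")
```

Running the audit regularly against an export of each system's permissions turns the manual matrix into the compliance check called for in section 4.2, and the "unclassified" findings feed back into the valuation work of section 5.1.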

 

5.7       Security Audits

 

Security within any IT infrastructure is not a goal - rather, it is an on-going process that needs to be reviewed on a regular basis. Individuals that work with the infrastructure on a daily basis can sometimes overlook a potential security issue that may be obvious to an outsider. In addition, the regular IT staff is usually busy managing the day-to-day operations and may not have sufficient time to keep up-to-date on all of the latest industry trends and new security problems.

 

Delta's findings show that this audit is the first formal security audit performed in the last 12 months.

 

Recommendation: Mercy should contract an outside consulting company to perform an IT security audit on a biannual basis. Cost to implement, consisting of scheduling regular security reviews, is high. There are no TCO costs associated with this recommendation.

 

5.8       Remote Sites

 

Mercy currently supports several remote sites via a frame relay connection. These sites have minimal access to IT resources. However, access at these sites is not tightly monitored and cannot be controlled as easily as local access points.

 

Recommendation: Mercy should develop strict access control methods for any personnel accessing data from remote sites. Extensive monitoring and auditing of remote accesses should be undertaken and reviewed on a regular basis. Cost to implement, consisting of an effort to develop processes and procedures, is moderate. TCO costs, consisting of on-going reviews of processes and procedures, are low.

 

5.9       Human Resources

 

The Human Resources department provides a critical link in the IT security process. They are responsible for developing and implementing the personnel-related portions of any IT security policies and procedures. This includes IT security orientation for new employees, background checks for potential employees, and development of administrative procedures for dealing with violations of the security policy.

 

Mercy's Human Resources currently has a moderately well defined set of guidelines regarding IT systems in general.

 

Recommendation: Mercy's HR department should work with the IT, Legal and Security departments to develop a comprehensive set of IT security policies and procedures. HR should take the lead role in developing policies regarding administrative action for security violations.

 

Cost to implement, consisting of an effort to develop HR policies and procedures, is moderate. TCO costs, consisting of on-going reviews of policies and procedures, are low.

 

5.10   Contingency Planning

 

While not directly a security-related issue, contingency planning can have a significant impact on the security of an IT infrastructure. Many times, organizations will be forced to fall back on their contingency plan to continue operations in the event of an emergency, only to discover that their fallback infrastructure is severely lacking in security. 'Hackers' are generally not known for their altruism, and will view weak security during a crisis as an opportunity to penetrate your systems.

 

Recommendation: Mercy should ensure that any contingency plan (i.e. disaster recovery plan) incorporates security that is equal to the security of the original infrastructure. Cost to implement, consisting of an effort to develop DR security policies and procedures, is moderate. TCO costs, consisting of on-going reviews of policies and procedures, are low.

 

5.11   IT Staff Authority

 

There are a number of groups within Mercy that, to some degree or another, have been granted autonomy in maintaining their own systems and networks, but are still integrated into the Mercy IT infrastructure. However, overall security for the IT infrastructure is still considered to be the responsibility of the IT staff. This creates a situation where the IT staff has the responsibility for security, but is limited in their authority to control and manage all of the resources that may impact security. The result is increased complexity, increased resource utilization, and a reduced level of security.

 

Recommendation: The IT staff should be given complete control over all IT resources within Mercy, regardless of the organizational dynamics involved with any particular group. This is the only way to ensure that a consistent approach to IT security is implemented and maintained within the overall IT infrastructure. The cost to implement is low. TCO costs, consisting of responsibility for the additional systems, are low to moderate.

6        Technology Issues

 

This section addresses issues involving the actual technology employed by Mercy in its IT infrastructure. Each area of technology is addressed in a separate section, and includes individual issues and recommendations. Each recommendation is rated in terms of relative cost to implement and maintain.

 

6.1       General Technology Issues

 

This section addresses issues that impact more than one area of technology within Mercy's infrastructure.

 

Security Tools

The ability to monitor the infrastructure and detect and report any potential security violations is critical to maintaining security. While this process can be performed manually, doing so would require an exorbitant amount of personnel resources. There are many high-quality tools available to assist Mercy in monitoring its infrastructure.

 

Mercy does not currently implement any formal tools for monitoring the security of the infrastructure.

 

Recommendation: Mercy should implement a set of tools that would allow easy monitoring of IT security and provide notification when a potential security problem is detected. Some potential tools include:

 

- Cisco's CiscoSecure Intrusion Detection System to monitor for potential network attacks (http://www.cisco.com/).

- Intrusion.com, Inc's Kane Security Monitor to monitor Windows NT security on an on-going basis (http://www.intrusion.com/).

- Braintree Security Software's Auditor Plus to monitor the OpenVMS system on an on-going basis (http://www.braintree.co.uk/openvms.htm).

- Powertech's PowerLock to monitor the AS/400 system on an on-going basis (http://www.400security.com/).

- Microsoft's System Management Server (SMS) to maintain a configuration inventory of Windows systems (http://www.microsoft.com/ntserver/management/exec/default.asp).

 

Cost to implement, consisting of purchasing and implementing the tools, is high. TCO costs, consisting of maintenance contracts and on-going monitoring of the tools, are moderate.

 

Audit Logs

When a security incident occurs, the ability to develop a 'roadmap' of the event that defines exactly what occurred and when is critical to developing solutions to prevent re-occurrences. It can also be an invaluable tool should Mercy decide to pursue legal action against intruders. In order to create such a roadmap, the systems that have been compromised need to be running some form of on-going audit tool. Most operating systems utilized by Mercy (i.e. Windows NT, OpenVMS, AS/400) provide for some form of event auditing and logging.

 

Mercy has not implemented the auditing capabilities on most of its systems.

 

Recommendation: Mercy should enable full auditing capabilities on all of its systems. The audit logs should be backed up on a regular basis utilizing a separate backup process and stored in a secure location. Cost to implement, consisting of enabling and configuring auditing on all systems, is moderate.

 

Recommendation: Mercy should review all audit logs on a regular basis for trends that indicate potential security threats (please refer to the section labeled 'Security Tools' above). TCO costs, consisting of regular reviews of the logs, are high if no automated audit log review tools are used. If automated tools are implemented, TCO costs are moderate.

 

Virus Protection

Viruses are programs that attack computer systems and attempt to steal, modify or destroy access to resources. The most common form of virus comes as an e-mail attachment (i.e. Melissa, 'I Love You', etc.) and is executed when the user attempts to open the attachment. The most secure method of intercepting and destroying viruses is at the e-mail server level. Companies such as Symantec and McAfee provide solutions that run on an organization's Exchange server and scan all incoming and outgoing e-mail to ensure that no viruses are transmitted.

 

However, e-mail is not the only method of transmitting viruses. They can be attached to web pages, passed along via a floppy disk, or copied onto a system via FTP. Because of this, an organization should scan all systems on a regular basis for viruses.

 

Mercy does not currently implement a centralized virus scanning solution, although one is being planned for the Exchange e-mail server.

 

Recommendation: Mercy should implement a virus scanning utility for its e-mail server. Cost to implement, consisting of acquisition and implementation of the utility, is moderate. TCO costs, consisting of a maintenance contract and regular updating of virus definitions, are low.

 

Recommendation: Mercy should implement an enterprise-wide virus scanning solution and ensure that it is updated automatically whenever new virus definitions are available. Cost to implement, consisting of acquisition and implementation of the utility, is moderate. TCO costs, consisting of a maintenance contract and regular updating of virus definitions, are low.

 

Login Notices

When a user first logs into a system, a short message is usually displayed (i.e. 'Welcome to …'). A judge ruled several years ago that a 'welcome' message negates some portion of an intruder's liability should they manage to penetrate a system. In order to afford all possible legal protection for IT assets, an organization should develop and implement a consistent login message that clearly states that 'unauthorized access is prohibited'.

 

Delta's analysis showed that virtually no systems implemented a login message, and those that did were usually of the 'Welcome…' variety.

 

Recommendation: Mercy's IT staff should work with the legal department to develop and implement a login message that clearly indicates that the system and all of its contents are property of Mercy and that unauthorized access is prohibited. Cost to implement the message on all systems is low. There are no TCO costs.

 

Passwords

Passwords are the primary method of controlling access to resources in most IT environments. Most users are required to enter a password to gain access to a system, network, etc. Given their critical nature, it is imperative that a comprehensive policy towards passwords be developed and implemented. This should include:

 

- Minimum password length (8 characters recommended)

- Maximum password lifetime (90 days recommended)

- Password strength (a mix of characters and numbers recommended as a minimum)

- Password history (recommended: re-use of the last 10 passwords not allowed)

 

Based on Delta's review, the password schemes utilized by Mercy on its systems are relatively weak. Many of the systems provided minimal enforcement of strong passwords, and the password policies were inconsistent between systems.

 

As part of the audit, Delta also ran the Password Cracker utility included with the Kane Security Analyzer to analyze the relative strength of passwords on Mercy's Windows NT systems. The results showed that, out of 1227 users examined, approximately 20% (244) of them had 'weak' passwords. These include passwords that are the same as the account name, are the account name spelled backwards, or that exist in a common dictionary. A commonly available password cracker program can easily guess many of these passwords.

 

Recommendation: Mercy should develop a standard policy for passwords and implement that policy consistently across all systems, including the network hardware. Cost to implement, consisting of development of a standard policy, is moderate. TCO costs, consisting of on-going review and enforcement of the policy, are low.
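As an added illustration, not part of Delta's audit and not the logic of the Kane Security Analyzer, the following Python check applies the four policy rules listed above and the three 'weak password' tests from the audit results to a constructed set of accounts; the account names, passwords, change dates and the small dictionary are invented for the example.

```python
"""Password audit modelled on the Passwords section above: the four policy rules
(8 characters, 90 days, letters plus digits, no re-use of the last 10) and the
three 'weak' tests (account name, account name reversed, dictionary word)."""
from dataclasses import dataclass, field
from datetime import date

MIN_LENGTH, MAX_AGE_DAYS, HISTORY_DEPTH = 8, 90, 10

# Constructed stand-in for a "common dictionary"; a real check would load a word list.
DICTIONARY = {"password", "welcome", "hospital", "mercy", "summer", "letmein"}


@dataclass
class Account:
    name: str
    password: str  # plaintext only because this sample data is constructed
    last_changed: date
    history: list = field(default_factory=list)  # earlier passwords, most recent first


def weak_reasons(acct):
    """Why a password counts as 'weak' in the report's sense (empty list if it does not)."""
    pw, name = acct.password.lower(), acct.name.lower()
    reasons = []
    if pw == name:
        reasons.append("same as account name")
    if pw == name[::-1]:
        reasons.append("account name reversed")
    if pw in DICTIONARY:
        reasons.append("dictionary word")
    return reasons


def policy_violations(acct, today):
    """Which of the four policy rules the account currently breaks."""
    pw, out = acct.password, []
    if len(pw) < MIN_LENGTH:
        out.append(f"shorter than {MIN_LENGTH} characters")
    if (today - acct.last_changed).days > MAX_AGE_DAYS:
        out.append(f"older than {MAX_AGE_DAYS} days")
    if not (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)):
        out.append("no mix of letters and digits")
    if pw in acct.history[:HISTORY_DEPTH]:
        out.append(f"re-used from the last {HISTORY_DEPTH} passwords")
    return out


def audit(accounts, today):
    """Per-account findings plus the share of weak passwords, as the report quotes it."""
    findings, weak = {}, 0
    for a in accounts:
        w = weak_reasons(a)
        weak += bool(w)
        v = w + policy_violations(a, today)
        if v:
            findings[a.name] = v
    return {"total": len(accounts), "weak": weak,
            "weak_pct": round(100 * weak / len(accounts)), "findings": findings}


# Constructed sample, dated to the report (15 May 2001).
TODAY = date(2001, 5, 15)
SAMPLE = [
    Account("jsmith", "jsmith", date(2001, 4, 1)),          # same as account name
    Account("nurse01", "10esrun", date(2001, 4, 1)),        # account name reversed
    Account("rjones", "Welcome", date(2001, 4, 1)),         # dictionary word
    Account("admin", "Radiology2001", date(2001, 1, 10)),   # not changed for 125 days
    Account("labtech", "Mercy#2000x", date(2001, 5, 1),
            history=["Mercy#2001x", "Mercy#2000x"]),        # re-used old password
    Account("okuser", "Xray4Spring", date(2001, 5, 5)),     # passes every rule
]

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE, TODAY)["findings"].items():
        print(f"{name}: {', '.join(reasons)}")
```

On the constructed sample, 3 of 6 accounts (50%) are weak; the audit reported 244 of 1227 (about 20%) on Mercy's real NT accounts.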

 

Configuration Management

One of the primary methods of detecting and tracking potential security penetrations is noticing when a system's configuration has changed in some manner. This may include new applications installed on the system that were not authorized by the IT department, the creation of new user accounts, etc. The NT security auditing tool recommended in Section 6.1 will provide on-going monitoring of user accounts and other factors directly related to security. However, it does not monitor changes to the system's configuration that may be an indirect threat to security, such as the installation of a new application.

 

Recommendation: Mercy should implement a utility that performs regular 'snapshots' of a system's configuration so that, in the event of a security incident, the exact nature of system changes can be determined. One such tool for accomplishing this on Microsoft Windows-based systems is Microsoft's System Management Server for Windows NT Server. This tool will allow Mercy's IT staff to develop and maintain a detailed configuration inventory of all of the Windows NT and Windows 95 systems on the network.

 

For more details, please refer to the following web site:

http://www.microsoft.com/ntserver/management/exec/default.asp

 

Cost to implement, consisting of implementing and configuring the tool, is moderate. TCO costs, consisting of maintenance contracts and regular reviews of system configurations using the tool, are moderate.

 

Version Control

Most software vendors provide regular updates for their products to provide new functionality and fix problems that have been uncovered since the last release. In many cases, when major security-related problems are discovered, a vendor will provide a patch specifically created to address that problem. Vendors' web sites should be reviewed on a regular basis in order to ensure that systems and applications are kept up to date with the latest security fixes.

 

Recommendation: Mercy's IT security personnel should perform a regular check for security-related updates to any applications that Mercy utilizes. Cost to implement, consisting of development of a standard procedure for application update reviews, is moderate. TCO costs, consisting of regular reviews of all vendors' websites for updates, are moderate.

 

Security Information Updates

The world of IT security changes on almost a daily basis. New security weaknesses are discovered in operating systems and applications, new viruses are created, and new methods of attack are developed with an alarming degree of regularity. In order to ensure that the security for IT resources can handle the most up-to-date threats, IT security personnel need to keep abreast of the latest developments.

 

Recommendation: Mercy's IT security personnel should subscribe to one or more e-mail security newsletters and review the information on a daily basis. Some specific recommendations include:

 

- Symantec's Antivirus Research Center newsletter (virus information): http://www.symantec.com/avcenter/sarcnewsletters.html

- SecurityFocus newsletter (operating system- and application-specific security issues): http://www.securityfocus.com/

- InfoSecurity Magazine on-line edition (general security and product information): http://www.scmagazine.com/

 

Cost to implement, consisting of registering for newsletters, is low. TCO costs, consisting of regular reviews of newsletters, are moderate.
 

6.2       Network Issues

 

This section addresses issues specific to Mercy's network. Delta personnel examined the routers, hubs, systems and other components that control and interact with Mercy's network to gather data on potential security issues and developed recommendations based on industry standard best practices.

 

Issue: There is no firewall between Mercy's LAN and the Internet.

 

Recommendation: Mercy should immediately implement a firewall solution. Given the extensive use of Cisco systems for Mercy's network, Delta recommends that Mercy implement the following firewall configuration:

 

- A pair of Cisco PIX 515-model firewalls (dual firewalls would provide a high-availability solution)

- Firewalls to be fronted by a shared Cisco hub to provide load-balancing and ease of failover

 

For a diagram of the recommended configuration, please see Appendix B.

 

Cost to implement, consisting of acquisition, installation and configuration of a firewall, is high. TCO costs, consisting of maintenance contracts and management of the firewall, are moderate.

 

Issue: There are several services that should be disabled on the routers as a whole. Some routers already have these services disabled, but others do not.

 

Recommendation: The TCP and UDP small servers (service tcp-small-servers and service udp-small-servers) should be disabled. This will prevent users from using tools like chargen to create a denial of service attack. Chargen allows devices with the simple TCP/IP services enabled to respond to subnet pings. The finger service should also be turned off on all systems to prevent users from gaining knowledge of user accounts on the device; although finger is typically used on mail hosts, it can also be used to learn which users exist on a network device. Cost to implement the change is low. There are no TCO costs.

 

Issue: There are several ports on the routers that are not secured. Access to these ports could allow an unauthorized user to modify the router's configuration. By default, when you connect to the console or AUX port, you are given user EXEC mode access without a password.

 

Recommendation: Add AAA authentication to the console, AUX and VTY ports on the routers, and use TACACS+ with CiscoSecure to authenticate users attempting to log into the routers. Unused router ports should be disabled, and a user EXEC password should be set. Cost to implement is low. There are no TCO costs.

 

Issue: Access control on routers is not limited.

 

Recommendation: Configure access lists to prevent unwanted users from gaining telnet access to the routers. This should be done with an access-class statement on the VTY ports. Furthermore, any access should be limited to a certain amount of idle time to prevent users who walk away from their machines from leaving a session open with a router or other Cisco device. Cost to implement is low. There are no TCO costs.

 

Issue: Access to Simple Network Management Protocol (SNMP) control on routers is not limited.

 

Recommendation: Change the default community strings (especially the read/write string) and implement access control lists to limit who can use SNMP to gain access to the routers. Cost to implement is low. There are no TCO costs.

 

Issue: No limitations exist on the router to prevent the use of unwanted/unsecured services over the network.

 

Recommendation:  Disable all unwanted services coming through the internet router. Right now, all traffic can flow in with no filtering at all. Cost to implement is low. There are no TCO costs.

 

Issue: Mercy's network is subject to 'spoofing' attacks. The idea behind anti-spoofing is that nobody from the outside network should be sending packets to you with a source address of either your inside network address, or certain well-known and reserved addresses.

 

Recommendation: To prevent spoofing attacks, use access lists to drop and log any such packets. A recent Internet draft (draft-manning-dsua-00.txt) discusses the reserved net blocks that should be blocked at the edge. Cost to implement is low. There are no TCO costs.

 

Issue: Mercy does not currently use routing authentication. This can be a potential risk due to the fact that Mercy may not know who is sending routing updates and most people assume that they know whom they are connected to when in fact, they do not. Cisco IOS allows for route authentication to be set up on a variety of routing protocols.

 

Recommendation: Implement routing authentication. Cost to implement is low. There are no TCO costs.

 

Issue: The Cisco routers are currently configured to respond to many different types of requests for information, most of which are unnecessary to the operation of Mercy's network. For example, by default, when an access list drops a packet, the router returns a type 3, code 13 ICMP (administratively prohibited) message.  This allows potential attackers to know that the router implements access list filters. Also, most UDP scans rely on the target sending back unreachable messages.

 

Recommendation: Limit traceroute and other functionality to control access to Internet router and responses given to devices trying to probe the router for information. Cost to implement is low. There are no TCO costs.

 

Issue: IP redirects and Proxy-ARP are enabled on the routers, but are not required. These services allow ICMP redirect messages to be sent to devices to tell them to use other gateways on the network. Proxy-ARP allows the router to respond on behalf of a host on another subnet.

 

Recommendation:  IP redirects and Proxy-ARP should be disabled on all interfaces where not needed. Cost to implement is low. There are no TCO costs.

 

Issue: IP source routing is enabled on the routers. This can be used to force a packet to take another path than one specified by a routing protocol.

 

Recommendation:  Disable IP source routing on all devices. Cost to implement is low. There are no TCO costs.

 

Issue: IP-directed broadcast is enabled on the routers, but is not required.

 

Recommendation:  Disable IP-directed broadcast to prevent users from gaining knowledge of devices on the net due to broadcast pings. Cost to implement is low. There are no TCO costs.

 

Issue: Passwords on routers are not currently encrypted.

 

Recommendation:  Enable service password encryption on all network devices to prevent users who gain access to the routers from discovering passwords. Cost to implement is low. There are no TCO costs.

 

Issue: HTTP management interface is enabled on routers. This could allow unauthorized users to modify the configuration of the routers.

 

Recommendation:  Disable HTTP management of network devices to prevent people from using http to manage the devices. Cost to implement is low. There are no TCO costs.

 

Issue: Mercy's routers are susceptible to an attack known as SYN flooding. A SYN flood occurs when an attacker sends a TCP SYN segment with an unreachable spoofed source address to an open port on the target. The victim responds with a SYN, ACK to the unreachable host and the TCP handshake never completes. The victim's connection queue quickly fills with half-open connections in the SYN_RCVD state, and at some point the server's TCP stack will start to drop new SYNs.

 

Recommendation: Cisco IOS has a mechanism called TCP Intercept [5] which can be used to help protect against SYN floods. TCP Intercept was introduced in IOS 11.3 and requires a specific feature set (Enterprise or IOS firewall). This problem would be alleviated with a firewall such as PIX, which prevents this type of attack. Cost to implement is low. There are no TCO costs.
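The router items above can be checked offline against a saved running-config. The following Python script is an added example, not a Delta deliverable or a Cisco tool; both configurations in it are constructed, the interface name Serial0, the access-list numbers and the community strings are placeholders, and the check demands the explicit form of each global command because IOS defaults differ between releases.

```python
# Constructed "before" running-config showing the weaknesses Section 6.2 describes.
WEAK_CONFIG = """\
service password-encryption
interface Serial0
 no ip redirects
!
snmp-server community public RO
snmp-server community private RW
ip http server
!
line con 0
 login
line aux 0
line vty 0 4
 exec-timeout 5 0
 login
end
"""

# Constructed "after" config with each recommended item applied; the access-list
# numbers (10-12, 120) and community strings are placeholders, not Mercy's values.
HARDENED_CONFIG = """\
service password-encryption
no service tcp-small-servers
no service udp-small-servers
no service finger
no ip source-route
no ip http server
aaa new-model
interface Serial0
 no ip redirects
 no ip proxy-arp
 no ip directed-broadcast
!
ip tcp intercept list 120
snmp-server community EXAMPLE-ro RO 10
snmp-server community EXAMPLE-rw RW 11
!
line con 0
 exec-timeout 5 0
 login authentication default
line aux 0
 exec-timeout 5 0
 login authentication default
line vty 0 4
 access-class 12 in
 exec-timeout 5 0
 login authentication default
end
"""

# IOS defaults differ between releases, so demand the explicit form of each command.
GLOBAL_REQUIRED = ("no service tcp-small-servers", "no service udp-small-servers",
                   "no service finger", "no ip source-route", "no ip http server",
                   "service password-encryption", "aaa new-model")
INTERFACE_REQUIRED = ("no ip redirects", "no ip proxy-arp", "no ip directed-broadcast")
LINE_REQUIRED = ("exec-timeout", "login authentication")  # matched by prefix

def parse_ios(text):
    """Return top-level commands and the indented body of each interface/line block."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" "):
            if current is not None:
                blocks[current].append(line.strip())
            continue
        top.append(line)
        current = line if line.split()[0] in ("interface", "line") else None
        if current is not None:
            blocks[current] = []
    return top, blocks

def audit_ios(text):
    """List each Section 6.2 item the config misses; an empty list means all covered."""
    top, blocks = parse_ios(text)
    findings = [f"global: missing '{c}'" for c in GLOBAL_REQUIRED if c not in top]
    for header, body in blocks.items():
        kind, name = header.split(None, 1)
        if kind == "interface":
            findings += [f"{name}: missing '{c}'" for c in INTERFACE_REQUIRED if c not in body]
        else:  # console, AUX and VTY lines
            for c in LINE_REQUIRED:
                if not any(b.startswith(c) for b in body):
                    findings.append(f"line {name}: missing '{c}'")
            if name.startswith("vty") and not any(b.startswith("access-class") for b in body):
                findings.append(f"line {name}: no access-class limiting telnet sources")
    for parts in (l.split() for l in top):
        if parts[:2] == ["snmp-server", "community"]:
            community, mode = parts[2], (parts[3] if len(parts) > 3 else "RO")
            if community.lower() in ("public", "private"):
                findings.append(f"snmp: default {mode} community string '{community}'")
            if len(parts) < 5:
                findings.append(f"snmp: {mode} community '{community}' not limited by an access list")
    if not any(l.startswith("ip tcp intercept list") for l in top):
        findings.append("global: TCP Intercept not configured (SYN flood protection)")
    return findings
```

Calling audit_ios(WEAK_CONFIG) lists 19 findings, one per missing item; audit_ios(HARDENED_CONFIG) returns an empty list. Anti-spoofing access lists and routing authentication are not covered by this check because their correct form depends on Mercy's address blocks and routing protocol.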

 

6.3       Windows NT Issues

 

This section addresses issues specific to Mercy's Windows NT systems. Delta personnel utilized the Kane Security Analyst (KSA) tool and physical inspection to gather data on potential security issues and developed recommendations to address those issues based on industry standard best practices.

 

Appendix A contains a summary of the results of the KSA security tool. Note that none of the systems sampled scored higher than 65% against the security baseline defined by KSA.

 

Issue: Many of the accounts on Mercy's Windows NT systems have more privileges than are required for the users to perform their jobs. This provides access to resources beyond what the users require and creates a potential security issue.

 

Recommendation: Review all user accounts and ensure that users have only the level of privilege required to perform their job. Cost to implement, consisting of review of all existing user accounts, is moderate. TCO costs, consisting of regular reviews of all accounts, are moderate.

 

Issue: Many of the systems have a 'Guest' account enabled on the system. This is normally used to provide guest users access to the system. However, on most of Mercy's systems, the guest account has never been used. This account provides a potential point of access for intruders.

 

Recommendation: Remove the 'Guest' accounts from all systems. Cost to implement, consisting of elimination of all 'Guest' accounts, is low. There are no TCO costs.

 

Issue: All of the systems reviewed overwrite the Application Event log after a period of time in order to conserve disk space. This log can be useful for developing a 'roadmap' of potential penetrations and other security issues.

 

Recommendation: Backup the Application Event log utilizing a separate backup process on a regular basis. Cost to implement, consisting of development of a procedure for regular backups of the event log, is moderate. TCO costs, consisting of regular backups of the event log, are moderate.

 

Issue: All of the systems reviewed overwrite the System Event log after a period of time in order to conserve disk space. This log can be useful for developing a 'roadmap' of potential penetrations and other security issues.

 

Recommendation: Backup the System Event log utilizing a separate backup process on a regular basis. Cost to implement, consisting of development of a procedure for regular backups of the event log, is moderate. TCO costs, consisting of regular backups of the event log, are moderate.

 

Issue: All of the systems reviewed overwrite the Security Event log after a period of time in order to conserve disk space. This log is critical to developing a 'roadmap' of potential penetrations and other security issues.

 

Recommendation: Backup the Security Event log utilizing a separate backup process on a regular basis. Cost to implement, consisting of development of a procedure for regular backups of the event log, is moderate. TCO costs, consisting of regular backups of the event log, are moderate.

 

Issue: Windows NT provides the capability to perform some action when a security event occurs on the system. This includes sending an e-mail message, calling a pager, etc. This capability should be utilized.

 

Recommendation: Implement the security audit event notification capability on all systems. Cost to implement, consisting of development of a procedure for handling security events, is moderate. TCO costs, consisting of handling any security events, depend on the number of events detected.

 

Issue: Audit log files on all systems should be analyzed on a regular basis to determine if trends are occurring that could indicate a potential security problem. This includes unexplained application failures, repeated security events, excessive resource utilization, etc.

 

Recommendation: Review log files on a regular basis, or implement an automated tool to perform the analysis. Cost to implement, consisting of development of a procedure for regular reviews of event logs, is moderate. TCO costs, consisting of performing regular reviews of event logs, depend on whether or not automated tools are employed to review the logs.

 

Issue: Windows NT provides the capability to provide audit entries for a pre-defined set of events (i.e. login failure, access failure, etc.). These capabilities have not been enabled on any of Mercy's systems.

 

Recommendation: Enable audit events using the User Manager for all systems. Recommended audit events include any type of failure, plus successful logins. Cost to implement, consisting of implementing audit events, is low. TCO costs are part of regular audit log reviews as discussed above.

 

Issue: Several of the systems reviewed provided users with memberships in groups that are beyond what they require to perform their jobs. This increases the risk of a user gaining access to data they are not required to have.

 

Recommendation: Review group memberships on all systems and eliminate unnecessary memberships. Cost to implement, consisting of review of all existing users and their group membership, is moderate. TCO costs, consisting of correct group assignments for future users, are low.

 

Issue: Several of the systems reviewed contained accounts that had not been accessed in several months. Unused accounts can provide potential access to an intruder.

 

Recommendation: Review all accounts and remove any that are no longer being used. Cost to implement, consisting of account reviews and elimination of unused accounts, is low. TCO costs, consisting of regular reviews of all accounts, are low.

 

Issue: Windows NT provides an advanced filesystem known as NTFS. NTFS provides extensive security capabilities in terms of access control, permissions, etc. and is much more secure than the traditional FAT filesystem. While all filesystems should utilize NTFS, it is critical that any root filesystems do so.

 

Recommendation: Ensure that all filesystems are NTFS. Cost to implement, consisting of conversion of all filesystems to NTFS, is low. There are no TCO costs.

 

Issue: Windows NT provides several alternative methods of interacting with the system, known as subsystems. These include a POSIX and an OS/2 subsystem. Both of these subsystems have proven to be very insecure, and are not required for Mercy's operations.

 

Recommendation: Remove the POSIX and OS/2 subsystems from all systems. Cost to implement, consisting of elimination of non-required subsystems, is low. There are no TCO costs.

 

Issue: Windows NT provides a number of capabilities that allow a Windows NT workstation to function as a server. These include Remote Access Service (RAS), File Transfer Protocol (FTP), SQL database server, and Dynamic Host Configuration Protocol. Several of these services provide only weak security and can be exploited to gain access to a system.

 

Recommendation: Eliminate any non-required services. Cost to implement is low. There are no TCO costs.

 

6.4       AS/400 Issues

 

The AS/400 system utilized by Mercy provides a number of critical functions, such as financial management, lab data analysis and order management. As such, the AS/400 should be considered one of the more critical systems within Mercy's IT infrastructure.

 

Delta analyzed the security profile of the AS/400 by reviewing the system parameters that control the system's level of security and developed recommendations to address issues based on industry standard best practices.

 

Issue: The system is currently set to the default security level of 30, which implements basic password and object access security. While this level provides basic management functionality, it does not provide adequate protection against modern penetration techniques. The minimum recommended security level is 40, which provides extensive access control and auditing capabilities.

 

Recommendation: Mercy should upgrade the security level (QSECURITY) on the AS/400 to level 40. Cost to implement is low. There are no TCO costs.

 

Note: In the past, some applications written for the AS/400 have utilized unapproved 'shortcuts' to access functionality in the operating system. While these 'shortcuts' function correctly under level 30 security, they will fail under level 40 security due to the additional checks on operating system integrity. Delta has contacted the vendors of all software that Mercy has installed on its AS/400 and has been told that all applications 'should' function correctly. Any application that does not function correctly would force Mercy to keep security downgraded to meet the requirements of the vendor.

 

Issue: Security auditing is currently disabled on the system.

 

Recommendation: Mercy should enable security auditing on the system (QAUDLVL) at its default level of *AUDLVL, and enable the critical auditing parameters (*AUTFAIL, *OFCSRV, *PGMFAIL, *SAVRST, and *SERVICE). The object audit flag (*OBJAUD) should be set when more detailed auditing information is required. The audit logs should be reviewed and backed up on a regular basis. Cost to implement is low. TCO costs consist of the space required to store the log files.

 

Issue: The default timeout value for an inactive terminal (QINACTITV) is currently set to 120 minutes. This period is too long to provide adequate log-out protection for unattended terminals.

 

Recommendation: Reduce the inactivity timeout to a value of 15 minutes or less. Cost to implement is low. There are no TCO costs.

 

Issue: The system is currently configured to disable access to a device after 3 failed login attempts. However, the profile associated with the failed attempts is not disabled.

 

Recommendation: Configure the action to take after 3 failed login attempts (QMAXSGNACN) to level 3, which would disable both the device and the user profile associated with the failed login attempts. Cost to implement is low. There are no TCO costs.

 

Issue: The system currently allows a user to re-use an old password when changing their password. This allows a user to keep cycling through the same 1 or 2 passwords indefinitely.

 

Recommendation: Modify the duplicate password control (QPWDRQDDIF) to level 5, which would disallow the re-use of the last 10 passwords. Cost to implement is low. There are no TCO costs.

 
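The AS/400 system-value recommendations above can be checked as a baseline. The script below is an added example (not part of the Delta report): it compares a system-value export against those recommendations; the export format ("NAME VALUE ...", one system value per line) and both sample exports are constructed assumptions, not real DSPSYSVAL output.

```shell
#!/bin/sh
# Added example, not from the Delta report: compare an AS/400 system-value export with the
# settings recommended above. The export format ("NAME VALUE ...", one system value per
# line) and both sample exports are constructed assumptions, not real DSPSYSVAL output.
CURRENT=$(mktemp); HARDENED=$(mktemp)
cat > "$CURRENT" <<'EOF'
QSECURITY 30
QAUDLVL *NONE
QINACTITV 120
QMAXSIGN 3
QMAXSGNACN 1
QPWDRQDDIF 0
EOF
cat > "$HARDENED" <<'EOF'
QSECURITY 40
QAUDLVL *AUTFAIL *OFCSRV *PGMFAIL *SAVRST *SERVICE
QINACTITV 15
QMAXSIGN 3
QMAXSGNACN 3
QPWDRQDDIF 5
EOF
# Print the value(s) of one system value from an export file; nothing if it is absent.
sysval() { awk -v n="$2" '$1 == n { $1 = ""; sub(/^ /, ""); print }' "$1"; }
# Each check prints one "FAIL ..." line when the value falls short of the recommendation.
check_qsecurity() {
  v=$(sysval "$1" QSECURITY)
  [ "${v:-0}" -ge 40 ] || echo "FAIL QSECURITY is ${v:-unset}; level 40 or higher recommended"
}
check_qinactitv() {
  v=$(sysval "$1" QINACTITV)
  case "$v" in
    ""|"*NONE") echo "FAIL QINACTITV timeout is off; 15 minutes or less recommended" ;;
    *) [ "$v" -le 15 ] || echo "FAIL QINACTITV is $v minutes; 15 or less recommended" ;;
  esac
}
check_qmaxsgnacn() {
  v=$(sysval "$1" QMAXSGNACN)   # 1 = disable device, 2 = disable profile, 3 = both
  [ "$v" = 3 ] || echo "FAIL QMAXSGNACN is ${v:-unset}; 3 (device and profile) recommended"
}
check_qpwdrqddif() {
  v=$(sysval "$1" QPWDRQDDIF)   # 0 = reuse allowed; 1..8 remember 32 down to 4 passwords
  [ -n "$v" ] && [ "$v" -ge 1 ] && [ "$v" -le 5 ] ||
    echo "FAIL QPWDRQDDIF is ${v:-unset}; 5 (last 10 passwords) or stricter recommended"
}
check_qaudlvl() {
  v=$(sysval "$1" QAUDLVL)
  for want in '*AUTFAIL' '*OFCSRV' '*PGMFAIL' '*SAVRST' '*SERVICE'; do
    case " $v " in *" $want "*) ;; *) echo "FAIL QAUDLVL does not include $want" ;; esac
  done
}
audit_sysvals() {
  for c in check_qsecurity check_qinactitv check_qmaxsgnacn check_qpwdrqddif check_qaudlvl; do
    "$c" "$1"
  done
}
failure_count() { audit_sysvals "$1" | awk 'END { print NR }'; }
audit_sysvals "$CURRENT"
echo "failures: $(failure_count "$CURRENT") current, $(failure_count "$HARDENED") hardened"
```

The constructed "current" export mirrors the findings above (level 30, auditing off, 120-minute timeout, device-only lockout, password re-use allowed) and produces nine findings; the hardened export produces none.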

6.5       OpenVMS Issues

 

Delta reviewed the security profile for the OpenVMS system by physically examining the system and developed recommendations to address issues based on industry standard best practices.

 

Issue: The system has the default auditing enabled, which provides a moderate level of auditing capability.

 

Recommendation: Mercy should increase the level of auditing by adding the following:

 

·        Failed access attempts for any object

·        Use of identifiers as privileges

·        Successful login attempts

·        Modification to the network configuration database

·        Unsuccessful use of privilege

·        Modification of a system parameter

·        Modification of system time

 

Review and back up the audit log on a regular basis, using a separate backup process. Cost to implement is moderate. Cost to implement is low to moderate. TCO costs consist of the space required to store the logs.

 

Issue: The system should be reviewed on a regular basis for trends that may indicate security issues.

 

Recommendation: Mercy should run the Accounting utility (ACCOUNTING) on a regular basis and review the results. Cost to implement is moderate. TCO costs, consisting of regular reviews of the accounting, are low to moderate.

 

Issue: The access control implementation (i.e. passwords, account limitations, etc.) allows for relatively weak security on the system.

 

Recommendation: Strengthen password requirements (e.g. minimum password length, required character types). Cost to implement is low. There are no TCO costs.

 

Recommendation: Increase restrictions on accounts (e.g. allowed login times and days) where possible. Cost to implement, consisting of a review of all accounts and the establishment of a policy, is low. There are no TCO costs.

 

6.6       RS/6000 Issues

 

Delta reviewed the RS/6000 system running the Digimedics application by direct examination of the system's configuration and developed recommendations to address issues based on industry-standard best practices.

 

Issue: The sendmail and snmpd services are running on the system but are not required. Both of these services present potential security exposures.

 

Recommendation: Disable the sendmail and snmpd services. Cost to implement is low. There are no TCO costs.

 

Issue: The inetd.conf configuration file enables a number of services that are not required by Mercy. These are:

 

·        FTP

·        Exec

·        Netstat

·        Rwall

·        Sprayd

·        Echo

 

Recommendation: Disable the unnecessary services. Cost to implement is low. There are no TCO costs.

 

Issue: The 'guest' and 'nobody' accounts exist in the /etc/passwd file but are not required.

 

Recommendation: Disable the 'guest' and 'nobody' accounts. Cost to implement is low. There are no TCO costs.

 

Issue: The default timeout for disconnecting an idle telnet session is set to 0, which results in an infinite timeout.

 

Recommendation: Set the default idle timeout in /etc/profile to a finite value (e.g. 15 minutes). Cost to implement is low. There are no TCO costs.

 

Issue: All of the directories for the Digimedics application (e.g. /digi) are set to read, write and execute for user, group and other (i.e. mode 777). This allows any user to modify any Digimedics file.

 

Recommendation: Change permissions on all Digimedics directories to the minimum possible level of access. Cost to implement is low. There are no TCO costs.

 

Issue: Filesystems are currently mounted with the Set-UID capability enabled. This allows set-UID programs on those filesystems to run with the privileges of the file's owner, including root.

 

Recommendation: Modify all filesystems to disable Set-UID functionality. Cost to implement is low. There are no TCO costs.

 
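The RS/6000 findings above (inetd services, leftover accounts, the idle timeout, /digi permissions and set-UID mounts) can be checked from a shell. The script below is an added example, not part of the Delta report or the Digimedics product: it runs the checks against constructed sample files that stand in for /etc/inetd.conf, /etc/passwd, /etc/profile, /etc/filesystems and the application tree, all of which are assumptions.

```shell
#!/bin/sh
# Added example, not from the Delta report: offline checks for the RS/6000 findings above,
# run against constructed sample files that stand in for /etc/inetd.conf, /etc/passwd,
# /etc/profile, /etc/filesystems and the Digimedics tree (all of these are assumptions).
WORK=$(mktemp -d)
cat > "$WORK/inetd.conf" <<'EOF'
ftp     stream tcp nowait root   /usr/sbin/ftpd ftpd
telnet  stream tcp nowait root   /usr/sbin/telnetd telnetd -a
#shell  stream tcp nowait root   /usr/sbin/rshd rshd
exec    stream tcp nowait root   /usr/sbin/rexecd rexecd
netstat stream tcp nowait nobody /usr/bin/netstat netstat -f inet
rwalld  dgram  udp wait   root   /usr/lib/netsvc/rwall/rpc.rwalld rwalld 100008 1
sprayd  dgram  udp wait   root   /usr/lib/netsvc/spray/rpc.sprayd sprayd 100012 1
echo    stream tcp nowait root   internal
EOF
printf 'root:!:0:0::/:/usr/bin/ksh\nguest:!:100:100::/home/guest:/usr/bin/ksh\n' > "$WORK/passwd"
printf 'nobody:!:4294967294:4294967294::/:\ndigi:!:201:201::/digi:/usr/bin/ksh\n' >> "$WORK/passwd"
printf 'PATH=/usr/bin:/etc\nTMOUT=0\nexport PATH TMOUT\n' > "$WORK/profile"
cat > "$WORK/filesystems" <<'EOF'
/:
        dev = /dev/hd4
        vfs = jfs
        mount = automatic
/digi:
        dev = /dev/digilv
        vfs = jfs
        mount = true
        options = rw
/home:
        dev = /dev/hd1
        vfs = jfs
        mount = true
        options = rw,nosuid
EOF
mkdir -p "$WORK/digi/bin" "$WORK/digi/data"
chmod 777 "$WORK/digi" "$WORK/digi/data"; chmod 750 "$WORK/digi/bin"
join_words() { tr '\n' ' ' | sed 's/ $//'; }
# inetd entries from the report's "not required" list that are still active (not commented out).
unneeded_inetd() {
  awk '!/^[ \t]*#/ && NF { print $1 }' "$1" | grep -E '^(ftp|exec|netstat|rwalld|sprayd|echo)$' | join_words
}
# Unneeded accounts still present in the passwd file.
unneeded_accounts() { awk -F: '$1 == "guest" || $1 == "nobody" { print $1 }' "$1" | join_words; }
# Idle timeout in seconds from the profile; 0 (or no TMOUT line at all) means sessions never expire.
profile_tmout() { awk -F= '$1 == "TMOUT" { v = $2 } END { print v + 0 }' "$1"; }
tmout_ok() { t=$(profile_tmout "$1"); [ "$t" -gt 0 ] && [ "$t" -le 900 ]; }
# Directories under the application root that every user may write to (mode includes o+w).
world_writable_dirs() { find "$1" -type d -perm -0002 | sed "s|^$1|.|" | sort | join_words; }
# /etc/filesystems stanzas whose mount options do not include nosuid.
fs_without_nosuid() {
  awk '/^\/.*:$/ { if (name != "" && !ok) print name; name = substr($1, 1, length($1) - 1); ok = 0 }
       /^[ \t]*options[ \t]*=/ && /nosuid/ { ok = 1 }
       END { if (name != "" && !ok) print name }' "$1" | join_words
}
echo "inetd services to disable:  $(unneeded_inetd "$WORK/inetd.conf")"
echo "accounts to disable:        $(unneeded_accounts "$WORK/passwd")"
echo "profile TMOUT (seconds):    $(profile_tmout "$WORK/profile")"
echo "world-writable directories: $(world_writable_dirs "$WORK/digi")"
echo "filesystems lacking nosuid: $(fs_without_nosuid "$WORK/filesystems")"
```

Leave the root and /usr filesystems out of the nosuid change: standard set-UID utilities such as su and passwd live there and stop working when the bit is ignored, so the recommendation is practical for data and application filesystems such as /digi.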

 

6.7       Windows 95 Issues

 

Delta reviewed the Windows 95 desktop client systems by direct examination of the system's configuration and developed recommendations to address issues based on industry-standard best practices.

 

Overall, the Windows 9x client systems appear to be well secured. The standard build employed by the IT staff does not include network file sharing or printing, which is one of the primary security concerns with Windows 9x-based systems.

 

Issue: Windows 9x does not provide an isolated administrative environment to prevent users from making unauthorized modifications to the system (e.g. installing new applications). This could result in users making modifications to their system that compromise security.

 

Recommendation: A tool should be implemented that will allow the IT staff to monitor Windows 9x client systems to verify that their configuration is not changed. Refer to Section 6.1, 'General Technology Issues', for more details on implementing Microsoft's SMS. Cost to implement, consisting of purchasing, installing, and configuring the tool, is moderate. TCO costs, consisting of maintenance contracts and regular reviews of system configurations using the tool, are moderate.

 

6.8       Novell Netware Systems

 

Delta reviewed the Novell Netware server systems by direct examination of the system's configuration and developed recommendations to address issues based on industry-standard best practices.

 

6.9       Other Systems

 

Mercy maintains a number of other various systems within their infrastructure. These are mostly legacy systems that are gradually being replaced. The majority of these systems reside on a separate sub-net maintained by the Research group.

 

Delta briefly reviewed a sample of these systems and developed recommendations.

 

Sun Systems

The Sun systems utilized by the Research group are primarily older SunOS systems. SunOS has a long history of security-related issues and is no longer maintained by Sun. Delta recommends that these systems be replaced with newer systems as soon as possible to allow for more modern security capabilities.

 

DOS Systems

Short of removing them from the network, it is virtually impossible to adequately protect a DOS-based system from attack. Fortunately, most of these systems are being used for non-critical functions. Delta recommends that these systems be replaced with newer systems as soon as possible to allow for more modern security capabilities.

 

6.10   Additional Technology Recommendations

 

In addition to the technology-related security issues discussed above, Delta has developed two recommendations regarding security technology solutions Mercy may want to consider.

 

Honeypot

A "honeypot" is a tool that can help protect Mercy's network from unauthorized access. The honeypot contains no data or applications critical to Mercy but has enough interesting data to lure a hacker. The honeypot runs on a computer on the network, and its sole purpose is to look and act like a legitimate computer while actually being configured to interact with potential hackers in such a way as to capture details of their attacks. Honeypots are also known as sacrificial lambs, decoys, or booby traps. The more realistic the interaction, the longer the attacker will stay occupied on the honeypot and away from production systems. The longer the hacker stays on the honeypot, the more is disclosed about their techniques. This information can be used to identify what they are after, their skill level, and the tools they use. All of this information is then used to better prepare Mercy's network and host defenses, and may also serve as evidence in any legal action that Mercy may bring against the intruder.

 

Recommendation: Mercy should consider installing a honeypot application to protect its other servers. Delta recommends Network Associates Inc.'s CyberCop Sting application.

 

Alternative Access Methods

Given the additional load some of Delta's recommendations may place on high-level users, Mercy may want to consider implementing an alternative method of system access, such as a biometric access control system or smart cards, for selected users. This would reduce the burden of memorizing constantly changing passwords and potentially improve security.

 

Both types of solutions can be implemented for approximately $300.00 per system. Should Mercy desire to pursue this approach, Delta would be happy to provide additional information.

 

Recommendation: Mercy should consider alternative access control methods for heavily burdened users.

7        Future Directions

 

During the audit process, Delta identified two areas of technology that, while not currently implemented, could have a significant impact on IT security in the near future. These are the plans for an automated patient record system and the use of handheld devices by Mercy personnel.

 

7.1       Patient Record System

 

Mercy is currently evaluating the feasibility of implementing an electronic patient record system that would allow the infirmary staff to access a patient's records and medical history from any system in the facility. While this capability represents a dramatic improvement in efficiency for the medical staff, it would also become the second most critical type of system within Mercy's infrastructure (with medical devices being the most critical) in terms of security.

 

As such, this type of system must be carefully evaluated from a security standpoint before any plans are developed for implementation and deployment. Delta recommends that a fully qualified IT security specialist be involved in the early stages of analysis for this project.

 

It should also be noted that such a system would fall squarely under the auspices of the HIPAA act and, as such, would be subject to the security standards defined by the act (when they are finally defined).

 

7.2       Handheld Devices

 

During the audit process, Delta encountered a number of personnel utilizing handheld devices (e.g. Palm, Windows CE) to assist them in their work. This technology is still in its infancy, but is rapidly gaining momentum as a tool in the workplace. Doctors are among the earliest adopters of this technology, utilizing tools such as patient tracking systems and drug interaction software on these devices.

 

Mercy currently has no formal policy regarding the use of these devices, and specifically no security requirements defined for their use. Early development and implementation of a security policy that addresses the use of these devices is critical, given the potential value of the information they may carry and the ease with which they can be lost or stolen.


8        Appendix A - Windows NT System Results

 

 

Machine Name   Date Assessed   Account        Password   Access    System       Data        Data         Average
                               Restrictions   Strength   Control   Monitoring   Integrity   Confidence   Score
-------------  -------------   ------------   --------   -------   ----------   ---------   ----------   -------
MercyPDC       05/02/2000      52 %           69 %       96 %      57 %         50 %        50 %         62.33 %
FISCAL         05/02/2000      85 %           66 %       88 %      42 %         50 %        50 %         63.50 %
HELPDESK       05/02/2000      85 %           62 %       81 %      42 %         50 %        50 %         61.67 %
ISXSV1         05/02/2000      91 %           62 %       90 %      42 %         50 %        50 %         64.17 %
NTFP01         05/02/2000      89 %           67 %       78 %      42 %         50 %        50 %         62.67 %
NTFP02         05/02/2000      85 %           71 %       87 %      57 %         50 %        50 %         66.67 %
NTMR01         05/02/2000      80 %           66 %       82 %      42 %         50 %        50 %         61.67 %
NTRAD01        05/02/2000      90 %           66 %       88 %      42 %         50 %        50 %         64.33 %
NTSQL01        05/02/2000      89 %           64 %       80 %      42 %         50 %        50 %         62.50 %
NTVSL01        05/02/2000      80 %           66 %       88 %      42 %         50 %        50 %         62.67 %


9        Appendix B - Recommended Firewall Configuration

 

The following diagram illustrates the firewall configuration that Delta recommends be employed by Mercy. It consists of 2 Cisco PIX firewalls, which will provide Mercy with a high degree of redundancy and a higher level of performance via load balancing. All incoming traffic is routed to a Cisco 3640 router, which in turn passes the traffic to one of the firewalls.

 

[Diagram: recommended firewall configuration (not reproduced in this text version)]

The firewall rule-base should be configured to allow the absolute minimum types of traffic required for Mercy's IT infrastructure to function correctly.

 

The following list shows a sample quotation for the recommended configuration. Please note that the dollar amounts listed are list price, and do not reflect what Mercy will actually pay for the products.

 

          Networking Product Marketplace for Resellers Shopping List

 

ITEM DETAILS:

Prices shown in USD

-------------------------------------------------------------------------------

Cisco           Disti      Description                     List Qty   Extended

Product #       Product #                                 Price          Price

-------------------------------------------------------------------------------

CISCO3640-RPS   N/A        Cisco 3600 4-slot modular   6,500.00   1   6,500.00

 

MEM3600-32D-INC N/A        32 MB DRAM - Included in    included

 

MEM3600-8FS     N/A        Default Memory for the 36   included

 

SF364C-11.2.18P N/A        Cisco 3640  IOS IP Only F   included

 

WIC-BLANK-PANEL N/A        Blank WAN Interface Card    included

 

NM-BLANK-PANEL  N/A        Blank Network Module Pane   included

 

CD36-C-12.0.7=  N/A        Cisco 3600 IP Feature Pac      15.00   1      15.00

 

MEM3600-8FC=    N/A        8 MB Flash Card for the C     700.00   1     700.00

 

MEM3640-2X16D=  N/A        32MB DRAM for the Cisco 3   1,900.00   1   1,900.00

 

NM-1FE2W=       N/A        1 10/100 Ethernet 2 WAN C   2,300.00   1   2,300.00

 

NM-1HSSI=       N/A        Single port HSSI network    5,000.00   1   5,000.00

 

CAB-HNUL=       N/A        HSSI Cable, Male-to-Male      100.00   1     100.00

 

-------------------------------------------------------------------------------

Configuration Subtotal:                                              16,515.00

-------------------------------------------------------------------------------

PWR600-AC-RPS-N N/A        600W Redundant AC Power S   2,200.00   1   2,200.00

 

CAB-RPSY-2218   N/A        RPS 22/18 Two-to-one DC P   included

 

CAB-7KACA=      N/A        Cisco 7500 Series AC Powe      25.00   2      50.00

 

-------------------------------------------------------------------------------

Configuration Subtotal:                                               2,250.00

-------------------------------------------------------------------------------

CAB-AC=         N/A        AC Power Cord, US              50.00   2     100.00

 

PIX-515-UR-BUN  N/A        PIX 515UR Bundle (Chassis  12,000.00   1  12,000.00

 

CAB-AC          N/A        Power Cord,110V             included

 

PIX-515UR-SW    N/A        PIX 515 Unrestricted Func   included

 

SF-PIX515-4.4   N/A        PIX version 4.4 software    included

 

PIX-BLANK-SLOT  N/A        Blank to fill unused opti   included

 

ACC-4.4-PIX515  N/A        PIX 515 Accessory Kit       included

 

PIX-515-MEM-32  N/A        PIX 515 32MB Memory upgra   included

 

PIX-1FE=        N/A        ONE 10/100 Mbps ETHERNET      200.00   1     200.00

 

-------------------------------------------------------------------------------

Configuration Subtotal:                                              12,200.00

-------------------------------------------------------------------------------

PIX-515-FO-BUN  N/A        PIX 515 Failover (Chassis   3,000.00   1   3,000.00

 

CAB-AC          N/A        Power Cord,110V             included

 

PIX-515-SW-FO   N/A        software license for redu   included

 

SF-PIX515-4.4   N/A        PIX version 4.4 software    included

 

PIX-BLANK-SLOT  N/A        Blank to fill unused opti   included

 

ACC-4.4-PIX515  N/A        PIX 515 Accessory Kit       included

 

PIX-515-MEM-32  N/A        PIX 515 32MB Memory upgra   included

 

PIX-1FE=        N/A        ONE 10/100 Mbps ETHERNET      200.00   1     200.00

 

-------------------------------------------------------------------------------

Configuration Subtotal:                                               3,200.00

-------------------------------------------------------------------------------

WS-C2926T       N/A        Catalyst 10/100 Switch,Fi  13,995.00   2  27,990.00

 

 

-------------------------------------------------------------------------------

Total Price: