C843 – KOP1 Performance Assessment PDF

Title C843 – KOP1 Performance Assessment
Course Managing Information Security
Institution Western Governors University

Summary

This is the paper I wrote on how to deal with a breach such as the one suffered by Azumer. This deals with implementing proper controls....


Description

Kristopher Paschal StudentID 001334901

C843 – KOP1 PERFORMANCE ASSESSMENT

PART 1: INCIDENT ANALYSIS AND RESPONSE

A – SUCCESS OF THE ATTACK

There are many issues with the InfoSec stance of Azumer Water, and all of the issues I am about to list stem from the “reactive approach” to security taken by CEO Maria Rodriguez. She was likely under the impression that smaller organizations are less of a target to hackers and settled for the old “Security through Obscurity” framework! Always the worst possible choice. A high-level view of the things that are bad about the setup of Azumer Water includes all of the following. A database is kept on a local machine with no mention of any sort of malware protection or HIPS/HIDS. The database contains all sorts of PII: the last four digits of each volunteer’s social security number and basic contact information, all the things that make identity theft possible and make the database an enticing target for such hackers. There isn’t much in the way of physical security controlling access to the physical machine. There is no mention of a Data Loss Prevention mechanism to stop the practice of plugging in a USB stick and copying the data over, by employees or anyone else. The data at rest is not encrypted, and it seems there is no access control, like MFA, to the database. As I will show later, this is a violation of Federal Regulations. The final nail in the database coffin is a complete lack of a backup process. Never mind the legal liabilities brought about by this breach; now the whole company’s business process is brought to a halt, and who knows how long it will take to piece the operation back together. It is stated that while the employees have a company email address, they use their personal email to communicate with John Smith. This is poor practice since it is hard to configure the myriad of different email accounts for security. Another poor practice is allowing the employees the BYOD option without a NAC mechanism to assess the security posture of the personal devices.

Network Access Control leads me to the use of WEP for their wireless access. Terrible. I will also include here the total lack of a security education, training and awareness (SETA) program. As I will describe later, this vulnerability led directly to the attack and subsequent breach. To have an enterprise-level firewall but not configure it for use defies simple logic, as does having a weak password policy and not even enforcing that. I guess the logic in not having a penetration test or any sort of vulnerability assessment fits perfectly with the “security policies” of Azumer Water. After all, those things are costly and would be pointless with all the aforementioned security flaws perpetuated by the organizational culture at Azumer.


With all the flaws mentioned above, I want to focus on two specific vulnerabilities. The first is the lack of a SETA program. SETA programs help businesses to educate and inform their employees about basic network security issues and expectations—helping to prevent commonplace cybersecurity mistakes that lead to damaging data breaches. (Dosal, 2019) This training would possibly have instructed John Smith, along with other employees of Azumer, about the dangers of clicking links in emails from unknown sources. According to the website Security Intelligence, in 2018 and 2019, attackers used phishing as an entry point for one-third of all attacks tracked by IBM X-Force Incident Response and Intelligence Services (IRIS) — the most commonly used of all known attack vectors. (Singleton, 2020) The second, and equally important, vulnerability in the Azumer infrastructure was the lack of a strong password policy. Any hacker, regardless of the color of his/her hat, knows that their best friend is the weak password. Once the email link was clicked by John Smith, likely dropping malware and opening a shell into his workstation, the job was halfway done. But the other half of a hacker’s job is to gain further access, known as pivoting. This requires a password, and there are several tools available that can grab hashes (the stored representations of a user’s password) and then either brute-force them, use a dictionary or, more likely, run the hashes against a rainbow table to crack them. Regardless of how the attackers at Elecktores obtained the password, it was the key to getting further into the infrastructure. Being able to move laterally, or pivot, into the database is where the real trouble began.

B – CIA AND PII COMPROMISE

At Azumer, the database contained the PII of over 1000 volunteers, including their basic contact information, the last four digits of their social security numbers and their background checks. The ISO/IEC 27002 and NIST SP 800-53 security frameworks offer guidance on the controls that protect customers in relation to CIA and PII.

CONFIDENTIALITY – According to ISO/IEC 27002, section 9.4: “Information access should be restricted in accordance with the access control policy e.g., through secure log-on, password management, control over privileged utilities and restricted access to program source code.” (ISO, 2013) That the hackers from Elecktores were able to access this information is evident in the fact that they then used the information to email volunteers, asking for donations.

INTEGRITY – Data integrity is threatened when its original state is altered, damaged or corrupted. According to ISO/IEC 27002, section 10.1: “There should be a policy on the use of encryption, plus cryptographic authentication and integrity controls such as digital signatures and message authentication codes, and cryptographic key management.” (ISO, 2013) It is obvious in the Azumer breach that integrity was compromised because their complete database was deleted.


AVAILABILITY – Data has availability when authorized users have access to it in usable form. NIST SP 800-53 states: “Security and privacy requirements are derived from applicable laws, executive orders, directives, regulations, policies, standards, and mission needs to ensure the confidentiality, integrity, and availability of information processed, stored, or transmitted and to manage risks to individual privacy.” (NIST, 2020) With the deletion of the Azumer database, their data is no longer available.

PII – Personally Identifiable Information is any information that can identify a person. A secure organization is expected to keep any such information private. NIST SP 800-53 states: “When a system processes PII, the information security program and the privacy program have a shared responsibility for managing the security risks for the PII in the system.” (NIST, 2020) Azumer failed to accomplish this task when their lack of security allowed the data breach.

C – FEDERAL REGULATIONS

Azumer Water is a supporting agency for the Federal Emergency Management Agency (FEMA) in its emergency relief efforts. The FISMA “act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor or other source.” (FISMA, 2002) Under this arrangement, Azumer Water is in violation of the Privacy Act of 1974, having failed to protect the PII of their customers, or volunteers as it were. This Act “establishes a code of fair information practices that governs the collection, maintenance, use, and dissemination of information about individuals that is maintained in systems of records by federal agencies.” (Privacy Act, 2020)

D – MITIGATION STEPS

Due to the total lack of any information assurance processes at Azumer, in this instance it is near impossible to mitigate the disaster that has occurred. The database was deleted and the company had no backup. The normal course of action would be to follow the NIST SP 800-61 Computer Security Incident Handling Guideline. The incident response process includes a 4-step process consisting of Preparation; Detection & Analysis; Containment, Eradication & Recovery; and Post-Incident Activity. (Chapple, 2017) Since John Smith initially clicked on the link, his workstation is likely patient zero, so this is a good place to start. His workstation should be disconnected from the network, and a forensic image of the disk, along with an image of the RAM, should be captured and forensically investigated to determine the exact malware signatures. The current network connections should be logged and investigated along with running processes, but since it has been almost 72 hours, and the database was exfiltrated and then deleted, it is likely that the hackers are long gone, along with the traces of their work. It is likely safest to completely wipe his machine, after a copy is made for analysis, and re-install from a clean disk image. After analysis, all other workstations and devices connected to the network should be examined for signs of compromise, using the evidence and signatures from John Smith’s machine.
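The disk-imaging step above, as an added example that is not part of the paper: a Python acquisition routine that copies a source device (a file stands in for the disk in the test) to an image, verifies the SHA-256 of the written image against the source stream, and writes a manifest for the chain of custody. The source path, examiner name and manifest fields are assumptions.

```python
"""Forensic image acquisition with integrity verification.

Added example, not part of the paper. Source path, examiner name and
manifest fields are assumptions; the test uses a file as the "disk".
"""
import hashlib
import json
import os
import socket
import time

CHUNK = 1024 * 1024  # 1 MiB per read; keeps memory flat on a large disk


def _sha256_of_file(path: str) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire_image(source_path: str, image_path: str, examiner: str) -> dict:
    """Copy source_path to image_path and return the acquisition manifest.

    Raises RuntimeError when the image re-read from disk does not hash
    identically to the source stream: such an image must not be used as
    evidence, and the acquisition should be repeated.
    """
    started = time.time()
    src_digest = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            src_digest.update(block)
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the bytes reached the media
    # Re-read the image from disk instead of trusting the bytes just written.
    if _sha256_of_file(image_path) != src_digest.hexdigest():
        raise RuntimeError("image hash mismatch; acquisition not verified")
    manifest = {
        "source": source_path,
        "image": os.path.abspath(image_path),
        "bytes": os.path.getsize(image_path),
        "sha256": src_digest.hexdigest(),
        "examiner": examiner,
        "acquisition_host": socket.gethostname(),
        "started": started,
        "finished": time.time(),
    }
    with open(image_path + ".json", "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


def verify_image(image_path: str) -> bool:
    """Later check: does the image still match the digest in its manifest?"""
    with open(image_path + ".json") as fh:
        manifest = json.load(fh)
    return _sha256_of_file(image_path) == manifest["sha256"]
```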


It is also prudent to notify the persons affected by the breach. States have different laws, but the Information Governance Group LLC states: “Roughly half of the states require breach reporting to the state’s Attorney General or other designated state agencies, triggered at various specified thresholds of affected individuals, ranging from one to over 1,000. And a majority of the states require breach reporting to credit agencies, triggered at differing thresholds, from one to over 10,000.” (Sloan, 2018)

E – INCIDENT RESPONSE PLAN

As stated in the preceding section, in the NIST SP 800-61 Computer Security Incident Handling Guideline the incident response process includes a 4-step process consisting of Preparation; Detection & Analysis; Containment, Eradication & Recovery; and Post-Incident Activity. (Chapple, 2017) The Preparation phase ensures that a CSIRT has a proper policy foundation, operating procedures and appropriate training to recognize and respond to a security event. (Chapple, 2017) With no IR plan or CSIRT, Azumer, and John Smith specifically, had no idea that anything was amiss. Had he and others been properly trained and prepared, he would have paused at the link and possibly deleted the email. At the least, he would have determined something was wrong when the link landed him on a non-existent page. He could then have moved into the Containment, Eradication and Recovery phase of the IR plan. This includes selecting an appropriate containment strategy, implementing that strategy, gathering additional evidence, identifying the attacker and eradicating the effects. (Chapple, 2017)

PART II – RISK ASSESSMENT AND MANAGEMENT

F – FEDERAL REGULATION COMPLIANCE

Since Azumer Water had no InfoSec structure and no security framework, they had no way of protecting the CIA and PII of the volunteers’ data. The fact that they contract through FEMA means they fall under FISMA, and those requirements put them under the purview of the Privacy Act of 1974. To be compliant with FISMA, and by proxy the Privacy Act of 1974, Azumer should use the ISO/IEC 27002:2013 security framework to build an InfoSec program capable of protecting the PII in their database along with other company data and information systems. This will raise the overall security posture of Azumer while bringing them into compliance with Federal regulations. The specific violation, being out of compliance with the Privacy Act of 1974, is a result of PII being stored in the database in clear text. Azumer Water should implement a policy of data encryption, specifically encryption of data at rest. This way, even if the data is exfiltrated in another successful attack, the confidentiality of the data is secure.

G – TECHNICAL SOLUTIONS


When it comes to technical solutions to address the effects of a data breach, there are several available to Azumer. A technical control is a security control that the computer system executes. As the new Information Security Officer at Azumer, my first order of business would be to get the enterprise-level firewall in place and configured to restrict access to the critical database. I would make sure to apply the principle of least privilege, giving access to only a select few people. I would likely configure static IP addresses on the workstations of the selected people needing access and use ACLs to deny access to all other IP addresses. I would then make sure to encrypt the data at rest. I would also place HIPS software on the machine running the database, rigged to send an email alert to myself should it encounter attempted access from unapproved IP addresses. I would also require Multi-Factor Authentication to the database, working in conjunction with a new password policy. The operating systems would be configured with new password technical controls, and I would use a newer technology called password safes or password storage. These utilities can have a significant impact on password security. Tools like KeePass, Password Safe and LastPass can provide a useful means of maintaining distinct passwords without large numbers of support calls. (Chapple, 2017) I would have an email filter applied to the company email server to scan for suspicious emails, working in conjunction with a new administrative control I would also implement: a policy requiring all email communications to be conducted through the company server using the company-provided email that each employee already has. Finally, I would implement Data Loss Prevention software to prevent any type of data leakage, along with anti-virus software on all employee workstations.

As a final technical control, I would upgrade the legacy WEP access point to a new 802.11n AP using WPA2-Enterprise, complete with a functioning RADIUS server. Instead of NAC, a technical control, I would simply opt for another administrative control by banning personal devices.
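The ACL-plus-HIPS control described above, as an added example that is not from the paper: Python that scans constructed PostgreSQL-style connection log lines for any source host outside the approved static-IP list and returns the alerts the HIPS email would carry, including failed logins whose log line names no host. The log format, the approved addresses and the sample lines are assumptions.

```python
"""Flag database connections from hosts outside the approved static-IP set.

Added example, not part of the paper: the detection half of the control
above, run over constructed PostgreSQL-style log lines (format, approved
addresses and sample lines are assumptions, not Azumer data).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence

# Assumption: only these static workstation IPs (or CIDR blocks) may connect.
APPROVED_HOSTS = ("192.0.2.10", "192.0.2.11", "192.0.2.12")

SAMPLE_LOG = """\
2021-03-12 09:01:14 UTC [4412] LOG:  connection authorized: user=jsmith database=volunteers host=192.0.2.10 port=51022
2021-03-12 09:02:40 UTC [4418] LOG:  connection received: host=198.51.100.77 port=40120
2021-03-12 09:02:41 UTC [4418] FATAL:  password authentication failed for user "postgres"
2021-03-12 09:03:03 UTC [4421] LOG:  connection authorized: user=mrodriguez database=volunteers host=192.0.2.11 port=51090
2021-03-12 09:05:19 UTC [4430] LOG:  connection authorized: user=jsmith database=volunteers host=10.0.0.55 port=52201
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<level>\w+):\s+(?P<msg>.*)$")
HOST_RE = re.compile(r"\bhost=(?P<host>[0-9A-Fa-f.:]+)")
USER_RE = re.compile(r'\buser=(?P<user>\S+)|for user "(?P<quoted>[^"]+)"')


@dataclass
class Alert:
    timestamp: str
    host: str
    user: Optional[str]
    severity: str  # "high" if the unapproved host obtained a session, else "medium"


def is_approved(host: str, approved: Sequence[str]) -> bool:
    """True if host lies inside any approved address or CIDR block."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # unparsable source address (e.g. "[local]"): fail closed
    return any(ip in ipaddress.ip_network(a, strict=False) for a in approved)


def parse_alerts(log_text: str, approved: Sequence[str] = APPROVED_HOSTS) -> List[Alert]:
    """Return one Alert per log line whose source host is not approved."""
    alerts: List[Alert] = []
    host_by_pid: Dict[str, str] = {}  # FATAL lines omit host; reuse the backend pid's
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a log line in the expected format
        pid, msg = m["pid"], m["msg"]
        hm = HOST_RE.search(msg)
        host = hm["host"] if hm else host_by_pid.get(pid)
        if hm:
            host_by_pid[pid] = host
        if host is None or is_approved(host, approved):
            continue
        um = USER_RE.search(msg)
        user = (um["user"] or um["quoted"]) if um else None
        severity = "high" if "connection authorized" in msg else "medium"
        alerts.append(Alert(m["ts"], host, user, severity))
    return alerts
```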

H – ORGANIZATIONAL STRUCTURE

Azumer Water, by nature of having only 10 full-time employees, is what is considered a small organization. There is also the fact that there is not a lot of network infrastructure and no excessive amount of data flowing in and out. In other words, it is doubtful that this limited system will generate a massive number of alerts when the full security posture is up and running. With this small infrastructure in mind, I would call myself the CISO, though in practice I would actually function more as a security manager/security technician once the technical controls that will protect the network are in place. As CISO, I would report directly to the CEO, Maria Rodriguez. I would gain her approval and input on the policies and processes I wanted to implement and determine such things as the budget and economic feasibility of the controls and processes. I would also be responsible for conducting the SETA training, on a one-on-one basis, and I would likely wear the hat of the IT manager as well. Since John Smith is already in charge of the database, I would designate him as Information System Owner, since this database is the lion’s share of the Information System. He would report to me about security issues, should they arise, but would be the main person in charge of the system. I would be responsible for maintaining the patch management and security posture of the machine. I would automate the backup process of the critical database. Once the controls were in place, and an IDS and log-aggregating software were in place and generating alerts, I would review the volume and determine if an additional analyst was needed to assist me in keeping up with the monitoring. If it was necessary, this analyst would also be my teammate on the IR team.

I – RISK MANAGEMENT

While there are many risks facing Azumer, I want to focus on two. I will list them in order of importance, in my view of the incident and the ramifications to the organization.

1. Risk 1: Loss/destruction of the database with no backup
   - Likelihood – HIGH, since the hacktivist group had been publicly attacking Azumer and had been planning a cyber operation.
   - Severity – HIGH, as it would affect the whole of the Information System.
   - Impact – HIGH, since business processes grind to a halt and cannot function without the database.
2. Risk 2: No SETA about phishing attempts through email
   - Likelihood – HIGH, since phishing is “responsible for one third of all attacks”. (Singleton, 2020)
   - Severity – HIGH, since all systems connected to the network could be compromised.
   - Impact – HIGH, as any breach can affect the CIA of valuable data and the organization’s reputation.

When it comes to managing risks to Azumer, I would recommend the NIST SP 800-37 Rev. 1 RMF. The 5 components under this framework are Identification, Measure and Assessment, Mitigation, Reporting & Monitoring and Governance. To identify these listed risks, Azumer Information Security, had there been any, would have inventoried all information assets and then listed them in order of importance to the business process. Then each asset would be scored using such metrics as threats, vulnerabilities, impact to the organization, likelihood, and predisposing conditions in the organization that increase or decrease likelihood. Under this step in the process, Azumer would have recognized that business continuity would be very difficult if a data loss occurred and there was no backup. They would have known this was an extreme vulnerability and that the impact would be dire. Also, they could have factored in the publicly levied threats from Elecktores. This would have done the work of the second step, Measurement and Assessment, and Azumer would have known that they were extremely vulnerable and that actors were actively stalking them. The third step, risk mitigation, would have been easily implemented. AWS buckets offer extremely cheap cold storage for data. It would have been relatively cheap to back up the database off-site. Risk monitoring and reporting requires knowing about the risks you face and staying compliant. The process would have documented the risk, which would be virtually non-existent once a backup process was in place. So long as regular backups were monitored and taking place, this risk falls to Low. The last step, Governance, is simply codifying the other steps into a risk governance system. The exact same series of steps could have brought the second listed risk to Low. It is common knowledge to security professionals that successful phishing attempts account for a large portion of breaches in IT. The Identification stage would have shed light on the lack of SETA training for employees such as John Smith. In such a small company, user awareness and training could have been done easily. Employees could have been made aware of the dangers and, although the risk isn’t completely eliminated, it could have been drastically reduced, especially in light of the public threats from Elecktores.

REFERENCES

Chapple, M. J., & Seidl, D. (2017). CompTIA CSA+ Study Guide Exam CS0-001. Indianapolis: John Wiley & Sons.

Dosal, E. (2019, Jan 22). Building a Security Education, Training, & Awareness Program. Retrieved March 12, 2021, from https://www.compuquip.com/blog/security-education-training-awareness

Singleton, C., & Carruthers, S. (2020, Mar 03). State of the Phish: IBM X-Force Reveals Current Phishing Trends. Retrieved March 12, 2021, from https://securityintelligence.com/posts/state-of-the-phish-ibm-xforce-reveals-current-phishing-attack-trends/

ISO/IEC 27002:2013. (2013). Information Technology – Security Techniques – Code of Practice for Information Security Controls (second edition). Retrieved March 12, 2021, from https://www.iso27001security.com/html/27002.html

National Institute of Standards and Technology, Special Publication 800-53 Revision 5. (2020, September). Security and Privacy Controls for Information Systems and Organizations....

