23
11/30/2015 IT Audit Tulsa Community College West Campus Administrator IAN LEWIS, JOEY TRAN, MANG SUM, SUSAN STEWART, ANDREW BABB

IT-Audit C&A

Embed Size (px)

Citation preview

Page 1: IT-Audit C&A

11/30/2015

IT Audit

Tulsa Community College

West Campus

AdministratorIan lewis, Joey Tran, mang sum, Susan stewart, andrew babb

Page 2: IT-Audit C&A

Table of Contents

Executive Summary……………………………………………………………………………….2

Social Engineering………………………………………………………………………………...3

Tornado……………………………………………………………………………………………4

Loss of Power……………………………………………………………………………………..4

Software Updates………………………………………………………………………………….5

Active Directory…………………………………………………………………………………...6

Malicious Internal Access…………………………………………………………………………8

Unauthorized Physical Access…………………………………………………………………….9

Environmental Threats…………………………………………………………………………...11

Malicious External Access……………………………………………………………………….11

Loss of Hardware………………………………………………………………………………...12

Summary Statement……………………………………………………………………………...14

1

IT Audit

Page 3: IT-Audit C&A

Executive Summary

Tulsa Community College, TCC, is a multi-campus higher education institution. The goal of

TCC is to provide education to a diverse student body through various means of instruction.

Because TCC does run a multiple campus college, their technology infrastructures and security

concerns are centralized. Yet, each of the individual campuses do have on site controls particular

to themselves. Since these campus operate somewhat independently, we have chosen to focus on

the TCC West Campus for our project.

Although the West Campus does have many positive security preventions and policies set in

place, we have found important deficiencies that could be immediately improved with little or no

costs involved. The major deficiencies that we found include the following areas; Social

Engineering, Tornado, Loss of Power, Software Updates, Active Directory Services, Malicious

Internal Access, Unauthorized Physical Access, Environmental Threats, Malicious External

Access, and Loss of Hardware.

In conclusion, it is recommended by the team that the security measures suggested within this

audit be implemented during the current budget year. Since some departments throughout the

college struggle with spending, it is important to introduce these controls, early, to help assist

with financial anxieties that the current State of Oklahoma is dealing with.

2

IT Audit

Page 4: IT-Audit C&A

Social Engineering

A successful attempt in Social Engineering results in giving up sensitive information such as

student ID, Date of Birth, Pin Number, E-mail, and Password. Sometimes, even, directing and

exposing internal network structure to hidden or critical systems. Using Social Engineering to

gain knowledge of how the network is set up can lead to having the authentication for that

system. With that authentication, the hacker can easily harm and ruin the reputation of Tulsa

Community College. Harming can include downloading sensitive information such as personal

information, or deleting the entire database.

Risk Mitigation and Loss Expectancy

A security awareness training program must be implemented and launched to assist in preventing

social engineering attacks. If people know what form a social engineering attack is likely to take,

they will be less likely to fall victim to one. Tulsa Community College also must perform

penetration testing using social engineering techniques. This will allow security teams to know

which users pose a risk and can take steps to remediate that risk.

Recommendation

The security awareness training program must continue every 3 months. Using Social

Engineering Toolkit (SET) is a useful tool to create social engineering attacks. Occasionally,

penetrate using social engineering techniques. Based on the results, the duration of the program

and penetration testing must be adjusted. If the result scores are higher than expected, then the

3

IT Audit

Page 5: IT-Audit C&A

continually use of security awareness training program and penetration testing must be

introduced more frequently.

Tornado

Tulsa Community College buildings are built to withstand a Tornado. But, it does not guarantee

the safety of the staff, students, and equipment. Therefore, a lack of Emergency Plan potentially

threatens the safety of staff, students, and equipment in case of Tornado. The Emergency Plan

must be written in detail of the emergency procedure.

Risk Mitigation and Loss Expectancy

As with any threat, there is the possibility of actual loss. The loss associated with this particular

threat would be the actual cost of the buildings and the assets. The natural threat of Tornado

occurs about three times annually. That leads to an Annual Rate of Occurrence (ARO) of 3. The

Single Loss Expectancy SLE from this threat of tornado is projected to be $1,000,000. The value

of SLE doesn’t reflect the true value of the assets. The Annual Loss Expectancy ALE is

calculated to be (SLE * ARO) = $3,000,000 (estimated figures.)

Recommendation

When considering the present stage of the system, we recommended that you follow up and

implement all the recommendation we have provided. However, this is just the conditional: by

implementing the recommendation, we believe that the functionality, efficient and security

should be measure up the standard of regulation and procedure.

Loss of Power

4

IT Audit

Page 6: IT-Audit C&A

A loss of power would result in a loss of access to computers and files stored on the cloud or

locally. A short term loss of power would lead to a temporary interruption of business activities

and cancellation of classes on the campus. Because power is required for classes to run and for

business activities to continue, an extended outage would result in the campus closing for an

extended period of time.

Risk Mitigation and Loss expectancy

The annual loss expectancy for the TCC West Campus would be low. Since the campus is not

the main source of income for Tulsa Community College, the annual loss expectancy will be

low. The Average rate of occurrence for a loss power is estimated at twice per year.

Recommendation

Although the loss expectancy is low for a loss of power of the campus, it is important for the

college to maintain power to their systems at the campus. Previous power outages at other

campuses have ranged from a few minutes to a few hours. TCC West Campus should have a

UPS for the network and servers. The school should also have a UPS system for the

administrative computers, if not all the computers on the campus. The computers should have a

shutdown time set at 45 minutes to give enough time for to save and back up any files. The

network and servers should have a shutdown time set at two hours to provide a large enough

window for power to be restored and allow users to access data without much downtime.

Software Updates

Maintaining software updates are a key factor in maintaining security throughout the system at

TCC. If the computers, servers, and firewall servers are not kept up to date, TCC West Campus

5

IT Audit

Page 7: IT-Audit C&A

can be left vulnerable to attacks and malware. Most activities at TCC are done online now. TCC

has a system center configuration manager (SCCM) that is used to provide patch management

and software distribution. The SCCM at TCC West has been down, therefore, there is no simple

and centralized system to update software and patch the computers. Consequently, a lack of

process for updating software is a potential threat that can compromise the security of not only

the campus, but Tulsa Community College’s entire system.

Risk Mitigation and Loss Expectancy

Failure to properly maintain software updates can range from a low loss expectancy to a high

loss depending on the software that needs to be updated. If security updates are not applied, there

will be a high loss expectancy. A small update such as iTunes or the latest version of Adobe PDF

reader would have little to no loss related to it.

Recommendation

It is recommended that Tulsa Community College West Campus get the SCCM up and running.

Having the SCCM updated will make it efficient and will ensure that all computer systems are

consistently updated. Updating the software will mitigate the risks of having unpatched software.

The threat of hacking is made more difficult by keeping software patched and updated, and, thus,

lowering the potential chances of having a system breach.

Active Directory Services

The failure to properly maintain an Active Directory can potentially produce an insecure

operating environment for the network of the TCC campus. Having the Active Directory

maintained is crucial to ensuring that users in the domain have access to only the resources and

6

IT Audit

Page 8: IT-Audit C&A

information that is required of their respective level in the organization, as it should be based on

the principal of least privilege. In addition, individuals who are no longer associated with the

organization should have their respective rights reviewed, configured, and/or disabled under the

management of Active Directory so as to not provide unauthorized access into the system. This

system contains multiple entities of sensitive and personal data that can potentially be exposed

and compromised due to unauthorized access granted by failure to properly maintain the Active

Directory. The potential of unauthorized access to the system due to an improperly maintained

Active Directory may lead to malicious system attacks, which may cause system downtime

and/or outage. Unauthorized access of an administrative level account due to improper

maintenance of Active Directly may lead to malicious attacks on Active Directory itself,

including the Domain Controller.

Risk Mitigation and Loss Expectancy

In order to properly mitigate the risk of a compromise of the system due to Active Directory, a

combination of controls and policies are needed. An individual must be assigned to manage and

review inactive accounts of individuals who are not associated with the organization. A common

method used should be to review accounts older than a specified age if they exist and aren’t

already disabled, review the account, and take the appropriate action. An example would be to

select an account, review the student and/or individual’s status with the organization, and if they

are no longer associated or attending, then configure the account to be disabled so that no further

access is granted. As our team was able to access the campus network and resources via logins

over a year old from previous student access while attending the campus, this is where our main

focus lies in regard stop mitigating risk via Active Directory.

7

IT Audit

Page 9: IT-Audit C&A

Recommendation

In addition to having implemented a policy and control for maintaining an up to date and secure

Active Directory, the organization must also account for the personnel and time resource needed

to maintain the control. The individual responsible for maintaining the control will review and

configure unused accounts and should maintain a history or log of all changes made to what

accounts and when the changes were made. This will not only serve as documentation for the

organization, but will also allow for a trail to be followed in the event of an audit. Due to the

nature and flux of mainly student statuses in the organization, that this control should be

reviewed at least once every week to maintain secure and updated Active Directory user groups

and accounts.

Malicious Internal Access

Malicious Internal Access is one of the most understated threats when it comes to securing an

organization’s information assets and it is no different for the TCC West Campus. An insider

threat can allow for a loss of extremely sensitive company information and assets. As previously

reviewed in the Active Directory control, the on-going issue of properly maintaining the Active

Directory can allow for increased threat potential of malicious internal access.

Risk Mitigation and Loss Expectancy

There is an enormous amount of trust (or lack of awareness) to any system administrator if an

internal person decided to maliciously access any data while employed by TCC, or even after

termination, if the proper policy is not followed to terminate access following unemployment of

8

IT Audit

Page 10: IT-Audit C&A

an administrator. In addition, access to a terminal to pursue malicious internal access is

complemented by the lack of control over unauthorized physical access.

Recommendation

In order to properly implement risk mitigation for Malicious Internal Access, a number of

measures can be taken. Firstly, an indirect method of risk mitigation is correcting the Active

Directory maintenance security control. This ensures that no user has more access than needed to

any confidential data and ensures that the discontinuation of access is implemented. Another

method, is to deploy a software solution that allows for active monitoring and remote control of

user sessions and access, and reports live monitoring data of any suspicious activity. Multi-

person access authentication can also be implemented in order to reduce the risk of any one

individual obtaining access to data that is not pertinent to their position and to increase

awareness of such attempts. This software implementation, when properly configured, will also

increase available logs and documentation in the event of an incident for inside and outside risk

assessments and/or audits.

Unauthorized Physical Access

When main school hours are not in session, the TCC West Campus’ policy is to have most of the

building’s doors locked and access is not permitted. This policy is currently maintained by

having a selected security personnel travel to each entrance or doorway and manually lock the

doors and entrances. At this time, there is no way to verify that every door was locked to provide

security in the buildings to which access should not be granted. Our main focus was on this risk,

as our group performed a check of this policy and found that we were able to access a building

that was not supposed to be accessible to personnel via an unlocked door. This risk not only

9

IT Audit

Page 11: IT-Audit C&A

allows for property to be stolen, but any sort of documentation that is potentially not properly

secured or information that is exposed can be at risk of theft. In addition, a single unauthorized

access point can allow for multiple access points to become accessible, furthering the potential

damage and security concern.

Risk Mitigation and Loss Expectancy

In order to address loss expectancy, we must review the potential controls that can be

implemented and the damages from a security incident. The cost could range from a few hundred

dollars to multiple thousand depending on the security control implemented. An implementation

of extra personnel rounds, cost of time, and wages must be accounted for. If an electronic system

was implemented, the cost would be multiple thousands for the purchasing of equipment,

maintaining software, training time and expense, and implementation testing that would all

require additional time and training. A security incident involving unauthorized access would

potentially risk a loss of physical assets including any documentation that may have FERPA

regulations attached to it, creating additional incident exposure and possible penalties.

Recommendation

In order to properly mitigate this exposed security control, a number of measures can be taken.

The doors are all manually controlled to be locked or unlocked and each individual door is

separate from all others, and must be individually addressed when this policy is in action. A

possible solution is to implement and maintain an electronic locking control system on all of the

doors on the campus that can be centrally maintained. With such a system it would be possible to

centrally control the securing of doors and access points and an ability to verify that the doors

that need to be secured are indeed locked. A second possible option is having multiple personnel

making the checks on doors, verifying that they are locked, and reporting back with the status of

10

IT Audit

Page 12: IT-Audit C&A

the securing of doors and access points. Although this method is more cumbersome and time

consuming, it is also less expensive and easier to implement with a change of policy. This will

allow for extra safeguarding against potential quality control failures in securing the campus.

Environmental Threats

Environmental threats may occur due to accidents or unexpected changes in the environment.

The impact of an environmental threat, specifically fire may include destruction of information

technology assets and enterprise premises.

Risk Mitigation and Loss Expectancy

The loss associated with the threat of fire is the building structure and the contents. The building

that houses the computer lab is equipped with a fire suppression sprinkler system which is water

based. Any instance of fire in the computer lab will result in a total loss of assets.

The ALE is calculated to be 1% * 3,000,000 SLE = $300,000

Recommendation

Re-evaluate the computer lab fire protection system and have the system re-fitted with a Halon

type system

Malicious Outsider Threats

An outsider threat occurs when someone outside your organization seeks to gain protected

information by infiltrating and taking over the profile of a trusted user. A malicious outsider

depends on the weakness in the authentication process, which is the result of human error.

11

IT Audit

Page 13: IT-Audit C&A

People, process and technology help to reduce the vulnerabilities that exist in products, software

and technologies.

Risk Mitigation and Loss Expectancy

The more commonly used a program is the bigger target it represents and the more likely it is

that vulnerability will be exploited. Existing vulnerabilities remain open, primarily because

security patches that have long been available were never implemented.

Most software companies release patches for download. Contact software vendors to receive

updates, patches or vulnerability alerts. Patch all devices to prevent the vulnerabilities that exist

in products, software or technologies from malicious outsider threats.

There are no costs associated with updates, patches or alerts.

Recommendations

Prevent any vulnerability that exist and routinely monitor anti-virus software for updates and

install the updates as recommended.

Loss of Hardware

Loss of hardware may occur due to environmental damage or theft of hardware from the

premises. The loss of, or damage to hardware will have an immediate impact, which may affect

the institutions staff and student body.

Risk Mitigation and Loss Expectancy

Loss of hardware may occur due to environmental damage or theft of hardware from the

premises. The loss or damage to hardware will have an immediate impact, which may affect

curricular activities. The system units at all workstations are vulnerable to theft. The system units

12

IT Audit

Page 14: IT-Audit C&A

are attached under the desks with a sliding bracket. The ALE is calculated to be 10% * 600 SLE

= $60.00

Recommendations

Purchase and install Byte Brothers Loc Kit 1. This is an industrial adhesive kit. The peel-and-

stick security system provides asset control and prevents theft. There are many other options

available, but this particular kit is the most cost efficient solution. The Loc Kit can be for

purchased for $19.10.

13

IT Audit

Page 15: IT-Audit C&A

Summary Statement

After reviewing all the threats and vulnerabilities revealed through the audit, it is highly

recommended that most, if not all, security controls suggested be implemented within 1-3

months of this assessment. Because of the low cost and feasibility of the recommendations, TCC

West Campus would benefit from the various improvements proposed throughout the campus.

Also, an annual reassessment of these threats and vulnerabilities is recommended to assist with

the nature of technology and the evolving threats that arise from them.

14

IT Audit