Research associated vulnerabilities within www.netbuy.com’s technical and business operations

Research in Audit, Measurement, Practice and Control

A-1 Introduction


www.netbuy.com is a small online shopping site run by a single owner and
administrator. www.netbuy.com.pk outsources its technical infrastructure to a
large Internet Service Provider and has recently experienced a series of
external hacking attacks that interrupted business operations.
www.netbuy.com.pk would like an audit performed on its basic infrastructure
components to determine areas of exposure and weaknesses within its technical
environment. However, due to the nature of the business, this audit will need
not only to identify the security risks and exposures from the technical
standpoint, but also to perform a more detailed analysis of its business
operations. Because www.netbuy.com.pk is a small business operated by one
person and uses an outsourced service, additional security concerns and
exposures need to be addressed. This audit will identify the risks and
determine the associated vulnerabilities within www.netbuy.com’s technical and
business operations environments. The audit will provide recommendations
focused on maximizing the protection of its data while still maintaining
functionality and usability for regular business operations.

A-2 Identify System

A-2.1 System Environment

www.netbuy.com provides a website where users can purchase home appliances and
smart gadgets online from home. The overall environment of www.netbuy.com.pk
is composed of one database server and one web-application server. Each server
runs Windows 2003 as the server operating system. The database runs SQL Server
and stores data such as user details, their shopping and purchasing orders, and
credit card information. This database is populated by user input from the
Graphical User Interface, which is supported by a separate web server. The web
server is built on a Windows 2003 Server and runs Internet Information
Services 5.0. This server is accessed on the front end by users via the
internet. On the back end, the server communicates with the database server to
feed and retrieve requested data. These two servers are physically located at
the Internet Service Provider in Faisalabad. Both servers are accessed and
administered by the system owner, via terminal services, from the
Administrator’s home, using a cable connection to the internet.

Focus of the Audit

As discussed, the overall focus of the audit will be the Application-Web
Server, for several reasons. The major application and service this server
runs, Internet Information Service IIS 5.1, has many known (and of course
unknown) vulnerabilities associated with it. Because this system is accessed
from the web, it has many access points and is the most exposed to external
users. This system is housed at the Internet Service Provider, which can limit
the Administrator’s control. The table below provides more detailed
specifications for the Application-Web Server.

Hardware

Make                  HP
Model                 PowerEdge
Processor             Dual Xeon 2.3 GHz
Memory                3 GB RAM and 40 GB hard drive
Software              IIS 5.1
Operating System      Windows 2003
Service Pack Level    Service Pack 1
Access                Connects to client workstation via terminal services
Internal Connections  Connects to the internet
                      Connects to the database server
Physical Location     Faisalabad
Personnel Access      Administrator
                      Shell Systems

Functionality

Business Purpose      Runs applications services and web service information

1.3 The First Step to Evaluating Risk

Risks can be defined as the potential impact of the system’s exposure to a
known or unknown vulnerability. Impacts of risk are evaluated through the
potential loss of confidentiality, integrity and availability of the data.
Confidentiality ensures that information resources are used only by those
authorized to do so. Integrity indicates that the information should be
protected from unauthorized or unintentional modification. Lastly,
Availability ensures that information resources remain accessible whenever
needed. This audit will focus on identifying risks that threaten the
Confidentiality, Integrity and Availability of the data. It is important to
remember that there must be a balance between security and business
functionality. For example, solutions that address threats to confidentiality
and integrity of data may also limit the availability of the data. Therefore,
in responding to any potential threat, one must remember how this threat
relates to the business functionality and needs.

There are two categories of risk which will be examined throughout this audit:
procedural and technical risks. Procedural risks are associated with business
operations and their processes and procedures. Technical risks are associated
with the configuration and maintenance of the physical technical
infrastructure. Due to the nature of www.netbuy.com.pk’s business, procedural
and technical risks are identified as a function of the company’s physical
infrastructure, the principles of small business, and its outsourced
arrangement with the Internet Service Provider.

This audit will use the following criteria to evaluate the identified risks:

Control

Describes how the given aspect of the business or system should exist and/or
function. The “control” is therefore the definition of what should exist or
occur.

Concern

Identification of what could go wrong, both procedural and technical, with the
control.

Likelihood

Classification of how likely this is to occur.

Consequences

Determination of the effects of an exploited risk and its impacts on the
confidentiality, integrity and availability of the data.

A.3.1 Business and Procedural Risk

www.netbuy.com.pk’s business is operated by one person. No established
security processes, procedures, or checks and balances exist. As a small
business, Netsol.com.pk is confronted with concerns associated with
limitations on budgets, resources, and functional expertise. Furthermore,
www.netbuy.com uses an Internet Service Provider, which limits many physical
as well as information security controls. These constraints create major
obstacles to ensuring security best practices. The following table discusses
these business and procedural risks.

A-Limited Resources

Control

The organization should have skilled and available resources in order to
effectively perform all necessary business operations.

Concern

Few and inexperienced resources are operating the www.netbuy.com.pk business,
and therefore they cannot effectively manage all operations.

Likelihood

High - In small businesses, it is difficult to financially support many
resources with specialized skills, such as security.

Consequences

The number of resources working for www.netbuy.com.pk is limited and they do
not have the time or the skills to implement and follow appropriate security
procedures and controls. An exploit can take advantage of this lack of
knowledge and resources.

B-Budget Constraints

Control

Industry best practice is to allocate 15% of the company’s budget to
Information Technology investment; this would include costs for addressing
security.

Concern

Limited budgets will not be able to support the hardware, tools, and resources
required to securely operate the business.

Likelihood

High - In small and particularly startup businesses, funds are limited as they
are funded by few investors. Therefore, operating budgets are at a minimum.

Consequences

No budget exists to support the hardware, tools and resources required for
security processes and controls within the company. Therefore, in the case of
an exploit, the appropriate tools and resources are not available to mitigate
and remediate the incident.

C-Non-standardized security policies and procedures

Control

A standardized set of processes should be implemented within any operation to
ensure all security concerns are acknowledged and addressed. Examples of such
processes would be the consistent monitoring of audit logs and verifying the
users, groups and permissions allowed into the systems.

Concern

Lack of these security processes indicates that neither attention nor effort
is given to addressing security needs. Furthermore, when a security incident
does occur, there is no knowledge or guidance of what to do.

Likelihood

Medium - Basic business plans should include these standardized processes.
Additionally, contracts with outsourcers should include these policies and
procedures.

Consequences

The business operates in an insecure environment with little awareness of what
security vulnerabilities exist. In the event of an incident, business
operations could cease as little knowledge exists on how to control it.

D-Uncontrolled-monitored physical security and access control

Control

The business should install physical security measures in order to protect
both its physical and information assets. This would include appropriate locks
on doors, desks and storage areas. Furthermore, there should be established,
controlled processes for people who wish to access them.

Concern

Without any physical security, there is no way of preventing or identifying
unauthorized people gaining access to proprietary and confidential data.

Likelihood

Medium - Most buildings and offices contain some form of physical security.
However, the enforcement of this security is usually out of the business
owner’s control, as physical security is usually managed by an outsourced
company.

Consequences

Unauthorized people will gain access to physical areas and be able to gain
access to proprietary and confidential data, thus compromising its
confidentiality, integrity and availability.

E-Nonexistent Backup and Storage procedures

Control

Data stored in the system should be regularly backed up and stored in a secure
place.

Concern

If data is not regularly backed up, compromises to the system could result in
loss of all data, which cannot be restored.

Likelihood

Medium - Backup of data should be a primary concern for the system
administrator. In any system compromise, the data will certainly be altered if
not lost.

Consequences

If a system is compromised or mistakenly shut down and data is lost,
www.netbuy.com potentially loses all information, which is detrimental to the
operations of the company.

A-3.2 Technical Risk

From a technical perspective, risks are associated with known vulnerabilities
and exploits. www.netbuy.com’s application and web server runs on Windows 2000
Server and IIS 5.0, which have known vulnerabilities and exploits associated
with them. Without appropriate maintenance and knowledge of these
vulnerabilities, www.netbuy.com runs a serious risk from external threats. The
technical risks are outlined below.

Default Installations of the Operating System

Control

An “out of the box” installation of the operating system should never be
trusted by system administrators. All operating systems should be uniquely
configured according to the business requirements and appropriately hardened
for security risks.

Concern

Operating systems running default installations have many known security
vulnerabilities and known exploits associated with them.

Likelihood

High - Many Administrators, particularly those with less security knowledge,
trust the default installations.

Consequences

It is easy for an attacker to determine probable vulnerabilities of the
operating system when it is configured with the default settings. An attacker
will attempt known attacks toward the system based on the default installation
and compromise the system.

Default Installations of Major Application

Control

The default “out of the box” installation of Internet Information Service 5.0
should be uniquely configured for business requirements and appropriately
hardened for known security risks.

Concern

Applications which are running default installations have many known security
vulnerabilities and exploits.

Likelihood

High - Many Administrators, particularly those with less security knowledge,
trust the default installations.

Consequences

An attacker will attempt known attacks toward the system based on the default
installation and compromise the system.

Exposure to Known Vulnerabilities and Exploits

Control

Systems should be tested and patched on a regular basis against known
vulnerabilities.

Concern

Systems which are not hardened against known vulnerabilities can be easily
compromised through known and frequent attacks, worms and viruses.

Likelihood

High - Regular maintenance and hardening of systems is often left to the
responsibility of the administrator and seen as less important. Therefore,
time is not spent on understanding and learning old and new security
vulnerabilities. This leaves the system unpatched and vulnerable.

Consequences

Systems can be attacked by common, well-known exploits such as buffer
overflows, cross-site scripting, and Denial of Service attacks.

Weak Perimeter Security

Control

The system should be protected by perimeter security controls such as a
firewall to protect against external access and attacks.

Concern

If there is no layer of perimeter protection, access into systems is open to
any and all external attacks.

Likelihood

Medium - A majority of ISPs enforce some form of perimeter protection. However,
the strength of the firewall rules may be weak as they need to service a
variety of needs.

Consequences

Systems can be easily identified, accessed and compromised.

Insecure Data in Transit

Control

Traffic between connected systems should not be visible to anyone
eavesdropping on the network. SSL should be used.

Concern

When the client machine (administrator’s console) communicates with the
servers hosted at the ISP, information is sent in clear text.

Likelihood

High - Most Internet Service Providers do not provide private connections.

Consequences

Data is transferred in clear text across the internet. “Listeners” can capture,
store or alter this data.

A-4 Current State of Practice

Currently www.netbuy.com.pk has no regular security auditing, vulnerability
assessment or baseline practices. Therefore, this will be the first audit to
be conducted on these systems. The following process and resources will be
used to audit www.netbuy.com.pk’s system.

1.4.2 Tools

The following security tools will be used to obtain information and identify
security vulnerabilities associated with the system:

Nessus

This is a free vulnerability assessment tool. Nessus identifies running
services and open ports within the system scanned and identifies known
vulnerabilities and exploits associated with them. Nessus relies heavily on
banner information and therefore can produce many false positives. The results
of this tool must be reviewed and investigated carefully.

Nmap

A free port scanning tool which can be run against the system to determine the
open ports and services running on the system.

MS Baseline Security Analyzer

Scans the system to determine missing security patches as well as default
installations and misconfigurations in Microsoft operating systems and
applications.

Snort

A free network traffic monitoring tool which will be used to collect traffic
packets as the web-application server is accessed.

A.4.3 Process

Written approval will be obtained from both www.netbuy.com.pk and the ISP to
perform the audit and use the tools identified.

User IDs and passwords will be created for access to the system.

A baseline and backup of the systems to be audited will be taken. This will
provide an accurate depiction of the current state of the environment.

All relevant documents will be obtained from the client to begin the
procedural audit.

The technical audit will be performed using the tools listed above.
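
For the technical audit step, one way to triage Nmap results against the services described in the System Environment section is sketched here. This is an added example, not part of the original audit plan; the sample scan output, the address 192.0.2.10 and the expected-port list are constructed assumptions.

```python
import re

# Listening services implied by the page: web traffic from the internet,
# terminal services for the administrator, and SSL per the "Insecure Data in
# Transit" control. The port numbers are protocol defaults (an assumption).
EXPECTED = {(80, "tcp"): "HTTP", (443, "tcp"): "HTTPS", (3389, "tcp"): "Terminal Services"}

# Constructed sample of `nmap -oG` (grepable) output; 192.0.2.10 is a
# documentation-range address, not a real host.
SAMPLE_SCAN = (
    "# Nmap scan (constructed sample)\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 21/open/tcp//ftp//Microsoft ftpd/, "
    "25/closed/tcp//smtp///, 80/open/tcp//http//Microsoft IIS httpd/, "
    "135/open/tcp//msrpc///, 1433/filtered/tcp//ms-sql-s///, "
    "3389/open/tcp//ms-wbt-server///\tIgnored State: closed (994)\n"
)

def parse_grepable(text):
    """Yield (host, port, proto, state, service, banner) for each port entry."""
    for line in text.splitlines():
        m = re.match(r"Host:\s+(\S+).*?\tPorts:\s+([^\t]*)", line)
        if not m:
            continue  # comment lines and "Status:" lines carry no port list
        host, ports = m.groups()
        # Entries are "port/state/proto/owner/service/rpcinfo/version/".
        for entry in re.split(r",\s+(?=\d+/)", ports):
            f = entry.strip().split("/")
            if len(f) >= 7 and f[0].isdigit():
                yield host, int(f[0]), f[2], f[1], f[4], f[6]

def triage(text, expected=EXPECTED):
    """Sort open ports into expected services, unexplained exposure, and gaps."""
    out = {"expected": [], "unexpected": [], "missing": []}
    seen = set()
    for host, port, proto, state, service, banner in parse_grepable(text):
        if state != "open":
            continue  # closed/filtered ports are not reachable services
        seen.add((port, proto))
        bucket = "expected" if (port, proto) in expected else "unexpected"
        out[bucket].append((host, port, service, banner))
    out["missing"] = sorted(k for k in expected if k not in seen)
    return out

if __name__ == "__main__":
    for bucket, rows in triage(SAMPLE_SCAN).items():
        print(bucket, rows)
```

The banner column is whatever the service reports about itself, so a version found there should be confirmed on the host before it is recorded as a finding.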