Company Security Assessment

In: Computers and Technology

Submitted By bigmickd07
In 2006, a small business was created to provide customers with close to real-time analysis of their stock portfolios. After months of doing business, several IT administrators began to notice subtle changes in the corporate network. Shortly after that, the CEO began calling high-level meetings, especially with marketing and finance, to determine why the company’s profits for the last five months (July to December) had begun a downward spiral. Although all operations and processes appeared unchanged, the number of new customers registering through the customer portal had dropped drastically over the past five months. The company noticed anomalous traffic on port 80 of the Web server in the DMZ. The edge router’s logs showed that the traffic started six months ago and ended five months later. Five months ago they noticed that traffic from the Web servers to the internal application servers decreased each day, although the inbound requests on port 80 remained about the same. Over the last four months, Web server logs contained many HTTP “POST” statements followed by the website address of one of the company’s main competitors. All of the POST statements appeared in the logs after new users clicked “submit” to register. Based on the information provided, it appears that a competitor has compromised the company’s network, which has allowed them to reroute the traffic of users attempting to register through the company’s portal to the competitor’s site.

The next step in investigating the issue is to complete an assessment of the network. A review of the traffic entering and leaving the company’s network is key to understanding what is going on. It is critical to select the appropriate personnel to make up the team that will oversee the security management and assessment activities.
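A detection check for the indicator the scenario describes, added here as an example that is not part of the original essay: it scans Web server access-log lines for POST entries that name a host the company does not own and that follow a registration submit from the same client. The log format, host names and sample entries are all constructed for illustration.

```python
"""Flag registration submits that are followed by a POST to an external host.

Added example (not the essay's own material). The combined-log format, the
trusted host list and the sample log lines below are all constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Hosts the company legitimately owns (assumption for this example).
TRUSTED_HOSTS = {"portal.example-stocks.test", "app.example-stocks.test"}

# Apache/nginx-style combined log line: client, timestamp, request line, status, size, referer.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)"'
)
HOST_RE = re.compile(r'^https?://(?P<host>[^/:]+)', re.I)

# Constructed sample: two registrations diverted to a competitor host, one clean
# registration, one POST to the company's own app server, and one unparseable line.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Jul/2012:10:01:12 +0000] "GET /register HTTP/1.1" 200 5120 "-"
203.0.113.5 - - [02/Jul/2012:10:02:40 +0000] "POST /register HTTP/1.1" 200 812 "http://portal.example-stocks.test/register"
203.0.113.5 - - [02/Jul/2012:10:02:41 +0000] "POST http://rival-broker.test/signup HTTP/1.1" 200 340 "http://portal.example-stocks.test/register"
198.51.100.7 - - [02/Jul/2012:11:15:03 +0000] "POST /register HTTP/1.1" 200 812 "http://portal.example-stocks.test/register"
198.51.100.7 - - [02/Jul/2012:11:15:05 +0000] "GET /welcome HTTP/1.1" 200 2200 "http://portal.example-stocks.test/register"
192.0.2.44 - - [03/Jul/2012:09:30:00 +0000] "POST /register HTTP/1.1" 200 812 "http://portal.example-stocks.test/register"
192.0.2.44 - - [03/Jul/2012:09:30:01 +0000] "POST http://rival-broker.test/signup HTTP/1.1" 200 340 "http://portal.example-stocks.test/register"
192.0.2.44 - - [03/Jul/2012:09:45:00 +0000] "POST http://app.example-stocks.test/api/quote HTTP/1.1" 200 90 "-"
this line is deliberately malformed and must be skipped
"""


def parse_line(line):
    """Parse one combined-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def target_host(target):
    """Host named by an absolute-URI request target, or None when the target is a plain path."""
    m = HOST_RE.match(target)
    return m.group("host").lower() if m else None


def find_external_posts(lines, trusted=TRUSTED_HOSTS):
    """Return every POST record whose target names a host outside the trusted set."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        host = target_host(rec["target"])
        if host and host not in trusted:
            rec["external_host"] = host
            hits.append(rec)
    return hits


def summarize(lines, trusted=TRUSTED_HOSTS, window_s=60):
    """Per-day registration POSTs vs. registrations followed by an external POST.

    A registration counts as 'diverted' when the same client POSTs to an untrusted
    host within window_s seconds of its POST /register. Lines are assumed to be in
    chronological order, so the first diverted day is the first sighting.
    """
    per_day = defaultdict(lambda: {"registrations": 0, "diverted": 0})
    last_reg = {}  # client -> timestamp of its most recent registration POST
    first_seen = None
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        day = rec["ts"].date().isoformat()
        host = target_host(rec["target"])
        if host is None and rec["target"].startswith("/register"):
            per_day[day]["registrations"] += 1
            last_reg[rec["client"]] = rec["ts"]
        elif host and host not in trusted:
            prev = last_reg.get(rec["client"])
            if prev is not None and 0 <= (rec["ts"] - prev).total_seconds() <= window_s:
                per_day[day]["diverted"] += 1
                first_seen = first_seen or day
    return {"first_seen": first_seen, "per_day": dict(per_day)}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    print("first diverted registration seen:", report["first_seen"])
    for day, counts in sorted(report["per_day"].items()):
        print(day, counts)
```

Run against real access logs, the per-day "diverted" count is what should track the drop in Web-to-application-server traffic the essay describes.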
The team needs people with experience in security management and people with experience in the financial industry. It will have one person from each department, preferably the head or second in command:
Network security personnel: This person is part of the network security team, which manages and maintains all network-related security devices such as the Intrusion Prevention Systems, firewalls, etc.
Operations personnel: These people understand the company’s daily operations.
Finance: This person is on the team that manages the finances of the company. They will be able to provide info on what type of resources can be used for the assessment and the correction of issues.
Executive representative: This person will either be an executive or on the board. Buy-in must come from the top of an organization so it is very important that the CEO has someone within the company to be aware of the actions being performed as part of the assessment.
Different roles and tools will be used as part of the company’s assessment. The assessment team will have two primary roles. One of the test team members will be a project manager, who will make sure that the team stays on track and accomplishes everything it has to accomplish; this member will also be the one primarily interfacing with the client. The other team members will be the testers themselves. These testers have already been chosen according to their skill levels, and ideally the goal is to have 5 team members. Based on the discovery of the company’s Web servers, we will ensure there is a team member who is well versed in the operating systems the servers are running. There will also be a network-level penetration tester to work against the company’s perimeter security devices. The next set of resources is the tools required to complete the security assessment. One of these tools is a port scanner. Port scanning is the “act of systematically scanning a computer’s ports” (What is Port Scanning). The port scanners will scan the IP address spaces and report back on any open ports that they find. A free open source utility that will be used is Network Mapper (Nmap). Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (ports) they are offering, what operating system (and OS version) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics (NMap). The next type of tool that will be used is a vulnerability scanner. Nessus is a proprietary comprehensive vulnerability scanner developed by Tenable Network Security (Nessus). It is an open source remote security-scanning tool that scans computers and raises an alert if it finds any vulnerability that could be used to gain access to any computer asset on a network. It has over 1200 checks that can be run against these assets to see if any of them can be exploited.
The next tool that will be used is a password-cracking tool called John the Ripper. This tool will be used to attempt to detect and crack passwords that are weak or blank. Once all of the reconnaissance is completed with these tools, the team will use tools to exploit the vulnerabilities that they found to verify that the vulnerabilities actually exist. One of these tools will be Wireshark, which provides us with the ability to analyze network traffic by completing packet analysis.
The assessment will stay consistent with the standard three-phase penetration test plan. The first phase is the Pre-Attack Phase, where we will conduct active reconnaissance. Active reconnaissance is a type of computer attack in which an intruder engages with the targeted system to gather information about vulnerabilities (What is Active Reconnaissance). This is the part where all of the footprinting of the organization will be performed to get a better understanding of the company’s IP scheme and perimeter security architecture. Some of the information the team will try to find out is the physical and logical locations of the Web servers hosting the customer registration pages as well as the backend database servers.
Once reconnaissance has been completed, the Attack Phase will commence. The team will attempt to penetrate the Web servers in the DMZ and their connections with the internal database servers. This will be used to evaluate the company’s perimeter security device configuration and network architecture setup.
The final phase is the Post-Attack Phase. This is where the penetration testers will remove any and all tools that they used on the network and also any accounts that they may have created for their testing purposes. We will provide a complete report to the company, which will highlight the identified issues and proposed fix actions. Based on the information provided, the timeline for this assessment is 7 weeks. This timeline includes 2 weeks for the Pre-Attack Phase, 3 weeks for the Attack Phase, and then 2 weeks for the Post-Attack Phase.

References
Network enumeration - Wikipedia, the free encyclopedia. (n.d.). Retrieved August 3, 2013, from http://en.wikipedia.org/wiki/Network_enumeration
Nmap - Free Security Scanner For Network Exploration & Security Audits. (n.d.). Retrieved from http://www.nmap.org/
What is Active Reconnaissance? - Definition from WhatIs.com. (n.d.). Retrieved from http://whatis.techtarget.com/definition/active-reconnaissance
What is Footprinting? - Definition from WhatIs.com. (n.d.). Retrieved from http://searchsecurity.techtarget.com/definition/footprinting
What is Network Scanning? - Definition from WhatIs.com. (n.d.). Retrieved from http://searchmidmarketsecurity.techtarget.com/definition/network-scanning
What is Passive Reconnaissance? - Definition from WhatIs.com. (n.d.). Retrieved from http://whatis.techtarget.com/definition/passive-reconnaissance