XYZ Co. is a hypothetical small credit card processing company that has contracts with major U.S. banks. Last week, they had a major breach of their network security and believe that all of their customer information was exposed. This week, stories are emerging across the nation of identity theft and credit card fraud that point back to the data compromised at XYZ.
Obviously, lawsuits are expected. The CEO and CTO were fired two days ago by the Board of Directors. The CIO was not fired as it was known that he had been trying for the past year to get the CEO and Board of Directors to allow him to hire an Information Security Officer (ISO) to manage XYZ’s overall network security planning and implementation.
The Board authorized the CIO to hire you to be XYZ’s ISO. The CIO is definitely in “damage control mode” at present, but he also knows that in addition to fixing the current problem, XYZ must close all possible security holes and ensure nothing like this ever happens again. Unfortunately, money is very tight due to all the expected costs associated with the security breach.
The CIO needs to brief the Board of Directors on what has to be done immediately. The Board members do not understand networking and security, so technical jargon cannot be used. The Board members lose interest if a briefing takes more than 10 minutes.
Your first task is to prepare a presentation for the CIO. He wants something that he can read once and then present. It must provide concise “cause and effect” information so that the Board will authorize the money, policies, and resources needed to fix security. Time is of the essence!
You start by investigating the basic organization and infrastructure. You find:
1) XYZ has one location: They rent space on two floors in a commercial building. They rent approximately 90% of the 7th floor and 15% of the 6th floor. Their computer room is on the 6th floor (the only room they have on that floor) and all their offices are on the 7th floor.
2) The front door to the building is open from 7am until 7pm daily. The elevators are operational at all times. Every XYZ employee has a key to the building front door and the 7th floor offices. All executive and IT employees have a key to the computer room; other employees do not have a computer room key.
3) XYZ has 43 employees in total.
4) XYZ has 4 executive (you are one of them), 7 administrative, and 6 IT employees. They have flex time schedules, allowing them to start work as early as 7 a.m. (leaving at 3 p.m.) or as late as 11 a.m. (leaving at 7 p.m.). The processing staff numbers 26 individuals, who work three shifts around the clock: 7 a.m. to 3 p.m.; 3 p.m. to 11 p.m.; and 11 p.m. to 7 a.m. Of the 6 IT employees, 3 are telecommuters with domain administrative rights because they are on call 7×24 in case of server or network hardware problems.
5) The office door on the 7th floor is locked after 5pm and is opened at 8am. Outside those hours, everyone must use a key to enter the offices.
6) The door to the computer room is quite sturdy. In fact, it was built to be secure. But during the day it typically is unlocked because the employees find it to be too much trouble to unlock and lock it each time they enter or leave. The spoken company policy is that the door must be locked at all times, but no one can show you that, or any other IT or security policy in writing.
7) The building has suspended ceilings throughout and when you get a ladder and look in the ceiling in the hallway outside the computer room, you can see all the way to the outside wall of the building in the direction of the computer room.
8) In the computer room, XYZ has:
• a. One File Server (Microsoft Windows 2008 Server)
• b. One Database Server (Red Hat Linux ES 3.0)
• c. One Email Server (Microsoft Exchange). This server also provides VPN for the telecommuters.
• d. Two Active Directory Domain Controllers (Microsoft Windows 2003 Server).
• e. One Netgear managed switch
• f. One Netgear router
• g. One Netgear firewall.
9) In the offices, XYZ has:
• a. One Netgear managed switch
• b. A PC for each employee using a mix of Microsoft Windows XP Professional, Microsoft Windows 7 Professional, and Microsoft Windows 10 Professional.
• c. All PCs are a part of the xyz domain.
• d. Local printers on several of the computers.
On your first day, you stay late and on your way out at 8 p.m., you check the computer room door and find it unlocked with no one in the room – you lock the door before leaving.
On your second morning, you arrive at 6 a.m. because you have so much to do and because you can’t sleep. Unfortunately, you have forgotten your door key. You pull out your laptop planning to start roughing out your briefing, and notice that there is a wireless network available that has an SSID of XYZ and is unsecured.
You connect to the XYZ network and find that you can log onto the XYZ file server, mail server, database server and both domain controllers using your XYZ username and password. You find that you can log onto XYZ’s router, firewall, and both managed switches using the username “admin” and the password “password”. You find that you can browse the Internet, too. While poking around some more, you find that there is a PC named “CEO” and that you can read the files on that machine.
You decide to conduct some informal interviews with employees to find out what they understand about security and their permissions. You find that everyone has domain administrative permissions and that most cannot explain what that means.
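The finding that everyone holds domain administrative permissions is the kind of claim the Board will want quantified. The following PowerShell script is an added example, not part of the case study, that enumerates every user account with domain-level administrative rights in the xyz domain so the count can be put on a slide and later checked against the short list of people who actually need it. It assumes the RSAT ActiveDirectory module is installed on the workstation running it; the group names are the standard built-in ones and the output file name is a placeholder.

```powershell
# Added example (not part of the case study): list every account that holds
# domain-administrative rights in the xyz domain, so the ISO can compare the
# list against the handful of people who genuinely need it.
# Assumes the RSAT ActiveDirectory module is available on this machine.
Import-Module ActiveDirectory

# Built-in groups whose members effectively have domain-wide administrative control.
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins')

$report = foreach ($group in $privilegedGroups) {
    # -Recursive expands nested groups so indirect members are not missed.
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            # Enabled is returned by default; LastLogonDate must be requested explicitly.
            $user = Get-ADUser -Identity $_.distinguishedName -Properties LastLogonDate
            [pscustomobject]@{
                Group          = $group
                SamAccountName = $user.SamAccountName
                Enabled        = $user.Enabled
                LastLogonDate  = $user.LastLogonDate
            }
        }
}

# Distinct privileged users; at XYZ the interviews suggest this will be close to all 43 employees.
$distinct = $report | Select-Object -ExpandProperty SamAccountName -Unique
"Accounts with domain-level admin rights: $($distinct.Count)"
$report | Sort-Object Group, SamAccountName | Format-Table -AutoSize

# Export for the briefing appendix and the later clean-up change ticket (placeholder path).
$report | Export-Csv -Path .\privileged-accounts.csv -NoTypeInformation
```

One caveat for XYZ specifically: the ActiveDirectory module talks to a domain controller over Active Directory Web Services, which the Windows Server 2003 domain controllers in the inventory do not provide unless the Active Directory Management Gateway Service has been installed on them. If it is not available, the same membership can be read with the older `net group "Domain Admins" /domain` command, although that does not expand nested groups. The export, not the removals, is the point at this stage: membership changes belong in the iterative plan once the legitimate administrators have been identified.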
After lunch, you start preparing your presentation. Even though you’ve been “on the job” for only two days, you decide that there are glaring holes that need to be fixed immediately and that a comprehensive security plan would be better done iteratively.
Prepare a presentation for the CIO. This presentation should, first and foremost, provide what the CIO has requested, and secondly lay out your immediate plan of action in sufficient detail that you address each of the problems you have identified so far. It should also lay a foundation for additional research, but it should not try to solve what you do not yet know.