Todd Herman Associates in Greensboro, North Carolina

www.ToddHerman.com

Todd Herman Associates e-Update

 

Assessing the Systems Environment to Identify Business Risks

 

In This Issue:

  • Are you at risk of being "hacked"?
  • A case study examining how we helped a company reduce its risk of compromising sensitive data.
  • Let's discuss how we can help reduce your company's security vulnerabilities.
 

November 2005

Assessing the Systems Environment to Identify Business Risks

 

Have you ever considered what might happen if, one day, your Information Systems group discovered that your company's network had been breached from outside the company?

 

In other words, your company had been "hacked"!

 

This month's e-update is a case study of a recent client project where management wanted to avoid this nightmarish experience. This case study describes our independent assessment of its network security and illustrates the benefits of being "proactive" instead of "reactive."

 

Another company that we know did not conduct a proactive assessment and was hacked from outside the company. That company's Information Systems group determined that all major servers had been compromised, and thus had to:

 

  • Rebuild the operating systems for all the servers.
  • Reinstall all applications on these servers.
  • Restore all data from the most recent backups.
  • Install a new firewall device.
  • Reconfigure the new and existing firewall devices to work together to provide better security and a true demilitarized zone (DMZ).
  • Configure servers in the DMZ and behind the firewall to securely communicate with each other.
  • Involve the law enforcement officials to investigate the security breach.

 

As a result, this company incurred an enormous amount of time and expense that would likely have been avoided by performing an assessment such as the one described in this case study.

 

As you'll see, one significant benefit for our client was peace of mind. Now, a question for you: Would you sleep better at night knowing that your network's security had been assessed, reviewed, and tested by experienced and credentialed professionals of an objective firm well-known for "finding a better way"?

 

The way we look at it, you deserve peace of mind, too.

 

Give us a call today...336-297-4200.

 

Sincerely yours,

 

 

Todd L. Herman

A Case Study:

Assessing the Systems Environment to Identify Business Risks

 

Situation...

A closely-held company provides various financial, accounting, investment management, and tax services to its clients. Information systems play a critical role in delivering these services.

 

Problem...

This company outsources much of its information systems function. Executives and management believed that this arrangement was working well, and that the network and certain applications were being adequately maintained and protected under the guidance of their network service provider. Top executives, however, wanted to validate this belief, both for their own peace of mind, as well as to be able to answer questions from clients, auditors, and bankers, should they arise.

 

Solution...

Our client retained us to assess the various network, infrastructure, and security technologies and techniques in use at the company. Our approach was to:

 

  • Perform an Initial Risk Assessment, to assess the level of risk (High, Medium, or Low)
    in the areas of...
    • Infrastructure
    • Software
    • People
    • Procedures, and
    • Data
    ...in terms of...
    • Availability
    • Security
    • Integrity, and
    • Maintainability.
  • Assess internal threats from procedural gaps or weaknesses, lack of training, or maintenance shortcomings.
  • Work jointly with a business partner specializing in our client’s industry to conduct an External Threat Assessment.
  • Perform substantive tests for areas identified as "High" risk to assess whether identified risks are adequately addressed or have appropriate alternative controls.
  • Summarize the results of tests and our recommendations in an Engagement Report.

 

An excerpt from the Initial Risk Assessment matrix – jointly discussed and assessed by management and us – provided the basis for the overall scope of the project.

 

Initial Risk Assessment matrix (excerpt): area assessed, in terms of Availability, Security, Integrity, and Maintainability

Infrastructure
  • Availability: Medium overall. Dependent upon: External Threat Assessment (ETA), Support Contracts, Maintenance Contracts.
  • Security: High overall. ETA will be required to adequately assess.
  • Integrity: High overall. ETA will be required to adequately assess.
  • Maintainability: Low overall. Services are outsourced to an established, highly reputable firm, using appropriate certified technicians for the systems in use.

Software
  • Availability: ...
  • Security: ...
  • Integrity: ...
  • Maintainability: ...

 

One section from the External Threat Assessment report details risks associated with external IP addresses.

 

External Threat Assessment (excerpt): IP Address, Description, Risk, Impact, Recommendation

IP Address: xxx.xx.xxx.xxx
  • Description: No such risks identified
  • Risk: High
  • Impact: n/a
  • Recommendation: n/a

IP Address: xxx.xx.xxx.xxx
  • Description: Service: SMTP (25/tcp). The SMTP server is insufficiently protected against relaying.
  • Risk: Medium
  • Impact: This permits spammers to use your e-mail server to send their e-mails.
  • Recommendation: Upgrade your software or improve your configurations so that the SMTP server cannot be used as a mail relay.

IP Address: xxx.xx.xxx.xxx
  • Description: No such risks identified
  • Risk: Low
  • Impact: n/a
  • Recommendation: n/a

...

 

One part of our Engagement Report presents key findings and recommendations.

 

Summary of Findings and Recommendations

  • Finding: Users are not being automatically logged out for periods in excess of 24 hours.
    Recommendation: Need to enforce a password-protected screen saver when the PC is idle for a period not to exceed 10 minutes, to balance (a) the need for the PC to be left on overnight to receive software updates, and (b) the need to control network security.

  • Finding: Password policy is currently set at 180 days and history is set to 3. Password length and complexity settings were sufficient.
    Recommendation: We recommend the expiration policy be less than 90 days and the password history be at least 12.

  • Finding: POP3 enabled on mail server, but disabled on firewall.
    Recommendation: All unnecessary services at the server level should be turned off.

  • Finding: Identified 6 different virus definitions on the network. Servers had the most recent virus definitions.
    Recommendation: Need an enhanced push policy to force virus definition updates to individual computers.

  • Finding: Former employees were found enabled in Active Directory (AD).
    Recommendation: Disable the person in AD just before employee termination.

  • Finding: Operating system shares of sensitive/restricted data are visible to all who have access to the server.
    Recommendation: Viewing of shares should be restricted to necessary individuals only, regardless of underlying security settings. Allowing users to view folders can lead to security breaches.

  • ...

 
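The following audit script is an added example, not part of the original newsletter or the engagement it describes; it checks a Windows/Active Directory environment against the thresholds in the findings table (password age and history, screen saver lockout, POP3 listener, former employees still enabled, share visibility). It assumes the RSAT ActiveDirectory module, a domain-joined machine, and read rights to AD and the local registry; the $formerEmployees list is a constructed placeholder for what HR would supply.

```powershell
# Added example (not the newsletter's or the client's own code): audit a
# Windows/AD environment against the recommended thresholds above.
Import-Module ActiveDirectory
$issues = @()

# Finding: expiration 180 days, history 3. Target: under 90 days, history >= 12.
$policy = Get-ADDefaultDomainPasswordPolicy
$maxAge = $policy.MaxPasswordAge.TotalDays          # 0 means passwords never expire
if ($maxAge -eq 0 -or $maxAge -ge 90) { $issues += "Max password age is $maxAge days (should be under 90)" }
if ($policy.PasswordHistoryCount -lt 12) { $issues += "Password history is $($policy.PasswordHistoryCount) (should be at least 12)" }

# Finding: no password-protected screen saver within 10 minutes. These per-user
# registry values are what Group Policy sets, so the local check shows the effective state.
$desk = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
$timeout = [int]$desk.ScreenSaveTimeOut             # seconds; 0 or missing means never
if ($desk.ScreenSaverIsSecure -ne '1' -or $timeout -le 0 -or $timeout -gt 600) {
    $issues += "Screen saver is not password-protected within 10 minutes (timeout $timeout s)"
}

# Finding: POP3 enabled on the mail server although blocked at the firewall.
# Run on the mail server: a listener on 110/tcp means the service is still on.
if (Get-NetTCPConnection -LocalPort 110 -State Listen -ErrorAction SilentlyContinue) {
    $issues += "POP3 (110/tcp) is still listening on this host"
}

# Finding: former employees still enabled in AD. Constructed sample account names;
# in practice this list comes from HR.
$formerEmployees = @('jdoe', 'asmith')
foreach ($name in $formerEmployees) {
    $u = Get-ADUser -Filter "SamAccountName -eq '$name'" -ErrorAction SilentlyContinue
    if ($u -and $u.Enabled) { $issues += "Former employee '$name' is still enabled in AD" }
}

# Finding: shares of restricted data visible to everyone with server access.
# Access-based enumeration hides folders the caller cannot open; also flag Everyone grants.
foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special })) {
    if ($share.FolderEnumerationMode -ne 'AccessBased') {
        $issues += "Share '$($share.Name)' does not use access-based enumeration"
    }
    $everyone = Get-SmbShareAccess -Name $share.Name | Where-Object { $_.AccountName -like '*Everyone' }
    if ($everyone) { $issues += "Share '$($share.Name)' grants share-level access to Everyone" }
}

if ($issues) { $issues | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No findings against the recommended thresholds.' }
```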

Results and Benefits...

Several areas that management had not truly assessed were shown to have better security than believed. The internal and external threat assessments identified specific steps required to mitigate several remaining risks. Upon completion of these steps, management responsible for the Information Systems function will be better able to assess potential risks, through knowledge and techniques learned during this engagement.

 

Conclusion...

Our client decided to proactively assess and address risks in their systems environment, communicating to employees that systems security is important, and providing their clients and other relevant parties improved confidence in the controls protecting sensitive personal financial information.

 

For Further Information...

To discuss how we could help your business, please call us at 336.297.4200 to schedule a no-obligation consultation.


Todd Herman & Associates PA
Green Valley Building / 604 Green Valley Road, Suite 303
Greensboro, NC 27408
Phone/Fax: 336.297.4200

 

 

Copyright © 2005 Todd Herman & Associates PA
