Information Security Policy Document

  • 7/27/2019 Information Security Policy Document


    Vantage Point Computing

    Benjamin Dahl


    IS533 Course Project | Vantage Point Computing

    Contents

    Information Security Policy Document
        Scope
        Overall objectives
    Standards
        Antivirus
        Penetration Testing
        Patch Management
        Vulnerability Scanning
        Firewall/Router logging
    Procedures
        Antivirus Procedure
        Penetration Testing Procedure
        Patch Management Procedure
        Vulnerability Scanning Procedures
        Firewall/Router logging Procedure
    Evidence
        Antivirus
        Penetration Testing
        Patch Management
        Vulnerability Scanning
        Firewall/Router logging
    Corrected Risk Assessment
    Corrected Control Framework


    Information Security Policy Document

    Information is the most critical asset in any organization. Proprietary data, information, and knowledge are just as valuable to a business as tangible assets. As such, information needs to be suitably protected and secured in a fashion as rigorous as that of other business assets. This is especially important with the increasing number of vulnerabilities and threats and the interconnected nature of the business environment.

    Information exists in a multitude of formats; information can be digital or analog, and tangible or non-tangible. Regardless of the form the information takes, controls must be followed in order to secure information. The goal of information security is to protect information from a varying array of threats to maximize return on investment, minimize or negate risk, and ensure business continuity.

    This goal is achieved by implementing a suitable set of controls, which include policies, processes, and procedures. These controls are concerned with hardware, software, and data aspects and need to be created, implemented, monitored, and reviewed. If necessary, these controls must be revised, amended, or replaced to adhere to the primary goal of information security. In order to fully adhere to the security and business tenets of the business, this must be done in conjunction with other business units.

    Scope

    The scope of this information security policy document is limited to the Vantage Point Computing business network (SPACEBRIDGE), specifically the laptop (WHEELJACK) which is the primary network connection device.

    Overall objectives

    The importance of information sharing is critical in the increasingly interconnected business environment. Security of this information is paramount because information loses value when it is compromised.

    If the hardware, software, or information is compromised in any way, full availability cannot be ensured. In light of the nature of the business, a laptop must be available to ensure continued business operations. Coupled with the sensitive information contained on the laptop, security controls must be followed by all users in order to reduce risk and maximize output. All users will be required to attend training for all policies, procedures, and standards in this document, along with certifying that they have read and understand this document.

    The following standards will be covered in this document:

    • Antivirus: BitDefender Game Safe, real-time Antivirus protection
    • Penetration Testing: Metasploit
    • Patch Management:
    • Vulnerability Scanning:
    • Firewall/Router Logging:


    Vantage Point Computing is concerned with the security of all assets, whether physical or non-physical. As such, the following requirements must be adhered to:

    • Compliance with all information presented in this document, including, but not limited to, current version updates of all software.
    • Compliance with instructor agreed upon contractual requirements

    Vantage Point Computing considers increased awareness and continued education to be of the utmost importance. The following vendors and organizations provide this security education, training and awareness:

    • CompTIA [http://www.comptia.org/]
    • DePaul University [http://www.depaul.edu]
    • DarkReading [http://www.darkreading.com/]
    • US-CERT [http://www.us-cert.gov/]
    • NIST [http://csrc.nist.gov/]

    Vantage Point Computing recommends the A+, N+, and Security+ training from CompTIA. DePaul University offers security-focused classes taught by James Krev; Vantage Point Computing recommends all of these classes (specifically IS433 and IS533). US-CERT, NIST, and DarkReading all provide information, updates, and articles based on current security topics, issues, and threats. These resources should be utilized on a weekly basis.


    Standards

    Antivirus

    Description:

    BitDefender Game Safe [http://www.bitdefender.com/PRODUCT-2213-en--BitDefender-GameSafe.html]

    • Protects systems in real time from viruses, spyware, and malware.
    • Includes software firewall to control application access to the Internet.
    • Includes Gamer Mode which allows preferred applications to access the Internet without disabling the firewall.
    • Compatible with all Vantage Point Computing systems.

    Implementation:

    BitDefender Game Safe is installed and configured on all Vantage Point Computing systems. These systems include: WHEELJACK, AUTOBOTS, DECEPTICONS, ASTROTRAIN, HOTROD, SOUNDBEAK, and STARSCREAM. The software is installed through a single installation file located on the Vantage Point Computing server with a multiple user license.

    Configuration:

    BitDefender Game Safe is configured with the following options:

    • Antivirus / Antispyware
    • Antiphishing
    • Outlook E-mail protection
    • Gamer Mode
        o All alerts and notifications are disabled
        o Real-time Protection set to Permissive
        o Firewall set to Game Mode to accept incoming connections
        o Must be enabled with Alt+G hotkey
    • Automatic Updates
        o Silent update every 5 hours
        o Does not update if scan is in progress
        o Does not update if Game Mode is on
    • Full System Scan Daily Scan
        o Scan all files
        o Scan for viruses and spyware
        o Minimize scan window to Sys Tray
        o Schedule: Daily 3:00am
    • Deep System Scan
        o Scan all files
        o Scan for viruses and spyware
        o Scan archives
        o Scan for hidden files and processes
        o Schedule: Sunday 3:00am


    Penetration Testing

    Description:

    Metasploit [http://spool.metasploit.com/releases/framework-3.2.exe]

    • On-demand penetration testing tool.
    • Includes a comprehensive list of exploits and packages for testing
    • Allows the user to test individual exploits.
    • Compatible with all Vantage Point Computing systems.

    Implementation:

    Metasploit is installed and configured on the WHEELJACK computer, part of the SPACEBRIDGE workgroup. The software is installed through a downloadable installation file located on the Vantage Point Computing server.

    Configuration:

    Metasploit is configured with the following options:

    • Exploits: windows/smb/ms08_067_netapi (Microsoft Server Service Relative Path Stack Corruption)
    • Target: netapi32.dll (Windows LAN Manager)
    • Payload: windows/meterpreter/bind_tcp (Generic Shell TCP payload)
    • Remote Host: Local IP Address (192.168.0.197)

    Patch Management

    Description:

    Windows Automatic Updates

    • Automatic Updates for the Windows Operating System
    • Compatible with all Windows Systems

    Microsoft Baseline Security Analyzer [MBSA: http://www.microsoft.com/downloads/details.aspx?FamilyID=F32921AF-9DBE-4DCE-889E-ECF997EB18E9&displaylang=en]

    • On-demand scanning of Microsoft vulnerabilities
    • Allows analysis of system based on manufacturer specifications
    • Compatible with all Windows Systems

    Implementation:

    Windows Automatic Updates are configured on the WHEELJACK computer, part of the SPACEBRIDGE workgroup.

    MBSA is installed and configured on the WHEELJACK computer, part of the SPACEBRIDGE workgroup. The software is installed through a downloadable installation file located on the Vantage Point Computing server.

    Configuration:

    Windows Automatic Updates are configured with the following options:

    • Automatic
    • Every day at 2:00 am

    MBSA is configured with the following options:

    • Computer: SPACEBRIDGE\WHEELJACK
    • Check for Windows administrative vulnerabilities
    • Check for weak passwords
    • Check for IIS administrative vulnerabilities
    • Check for SQL administrative vulnerabilities
    • Check for security updates

    Vulnerability Scanning

    Description:

    Tenable Nessus 4.0.1 [http://www.nessus.org/download/]

    • Cutting edge Patch, Configuration, and Content Auditing
    • Constantly updated vulnerability library
    • Network Assessment
    • Determine weak points in system security

    Implementation:

    Tenable Nessus is installed and configured on the WHEELJACK computer, part of the SPACEBRIDGE workgroup. The software is installed through a downloadable installation file located on the Vantage Point Computing server. The software is installed through a single installation file located on the Vantage Point Computing server.

    Configuration:

    Nessus is configured with the following options:

    • Network: Loopback (127.0.0.1)
    • Default Scan Policy:
    • Options:
        o Safe Checks Enabled
        o Log details on the server
    • Plugins:
        o Backdoors
        o Peer-to-Peer File Sharing
        o Windows
        o Windows: Microsoft Bulletins
        o Windows: User Management

    Firewall/Router Logging

    Description:

    Logging is enabled for the D-Link DGL4300 Router [http://games.dlink.com/products/?pid=370]

    • Primary link between all Vantage Point Computing systems and the Internet.
    • Provides 108Mbps 802.11g Wireless Connectivity.
    • 4 Gigabit Ethernet Ports.
    • 1 WAN Port
    • Logging enabled to assess incidents
    • Compatible with all Vantage Point Computing systems.

    Implementation:

    The DGL4300 router is configured as the primary router for Vantage Point Computing.

    Configuration:

    DGL4300 logging configured with the following options:

    • What to View:
        o Firewall & Security
        o System
        o Router Status
    • View Levels:
        o Critical
        o Warning
        o Informational

    Procedures

    Antivirus Procedure

    1. Execute bitdefender_gamesafe.exe.

    2. Click Next

    3. Click Next

    4. Select "I accept the License Agreement" then click Next

    5. Click Next

    6. Click Install

    7. Deselect "Run a quick system scan (may require reboot)" and "Schedule a full system scan every day at 2AM" then click Next

    8. Allow BitDefender to update and then click OK

    9. Click Next

    10. Click Finish

    11. Click Yes to restart the computer and apply changes.

    12. After the system restarts, select "My computer is connected to a home, office or trusted network" and click OK.

    13. After BitDefender loads, click Settings.

    14. Click Custom Level.

    15. Configure settings as follows and click OK.

    17. Configure the settings as follows and click Custom.

    18. Configure settings as follows and click OK.

    20. Select Scheduler tab and configure as follows, then click OK.

    21. Select Firewall option on the left and configure as follows:

    22. Click Advanced, configure as follows and then click OK.

    23. Click Close.

    24. Close BitDefender.

    Penetration Testing Procedure

    4. Click Next

    5. Click Install

    6. Click Yes

    7. Click I Agree

    8. Click Next

    9. Click Install

    10. Click I Agree

    11. Click Next

    12. Click Next

    13. Click Finish

    16. Click Finish

    17. Click Finish

    20. Type show exploits and hit Enter on your keyboard

    21. The exploits will display

    22. Type use windows/smb/ms08_067_netapi and hit Enter on your keyboard

    23. Type show payloads and hit Enter on your keyboard

    24. Type set payload windows/meterpreter/bind_tcp and hit Enter on your keyboard

    26. Hit Enter on your keyboard

    27. Type exploit and hit Enter on your keyboard

    28.

    29. The vulnerability will be triggered and results will be displayed.

    30. Click the red X to close the Metasploit Console

    31. Click the red X to close Metasploit


    Patch Management Procedure

    1. Double-click MBSASetup-x86-EN.msi

    2. Click Next

    3. Select I accept the license agreement and click Next

    4. Click Next

    5. Click Install

    6. Click Ok in the Confirmation Window

    7. Launch Microsoft Baseline Security Analyzer 2.1 from your desktop

    8. Click Scan a computer

    9. Click Start Scan

    10. Review the outputs of the scan.

    11. Click OK

    15. Double-click Security Center

    16. Click Turn on Automatic Updates

    17. Click Automatic Updates in the Manage security settings for: section

    Vulnerability Scanning Procedures

    1. Double-click Nessus-4.0.1-i386.msi

    2. Click Next

    3. Select I accept the license agreement and click Next

    8. Verify the Nessus Server is running, or click Start Server

    9. Click the Red X to close Nessus Server Manager

    15. Click + in the Select a scan policy: section

    16. Enter the desired policy name in the Policy name: section

    21. Check Backdoors

    22. Check Peer-To-Peer File Sharing

    23. Check Windows

    24. Check Windows : Microsoft Bulletins

    25. Check Windows : User Management

    26. Click Save

    29. Review the Report details

    30. Click Export...

    31. Choose the location and File name for your report and click Save

    32. Click the Red X to close Nessus

    Firewall/Router Logging Procedure

    1. Open web browser (Internet Explorer or Firefox)

    2. Enter the web address (192.168.0.1)

    3. Enter your router password

    4. Click Log In

    5. The Status page will load

    6. Click Logs in the left menu

    7. Check the Firewall & Security checkbox

    8. Check the System checkbox

    9. Check the Router Status checkbox

    10. Check the Critical checkbox

    11. Check the Warning checkbox

    12. Check the Informational checkbox

    13. Click Apply Log Settings Now

    14. Click Ok in the Confirmation window

    Evidence

    Antivirus

    1. Verify PC SECURITY, NETWORK SECURITY, and IDENTITY CONTROL are all Protected

    2. Click History.

    6. Review .xml file (C:\Documents and Settings\All Users\ApplicationData\BitDefender\Desktop\Profiles\Logs\full_scan\1241971935_1_02.xml) for any issues.

    7. Close BitDefender Log File.

    8. Select Firewall.

    9. Review Firewall events.

    Penetration Testing

    1. View the output of the Metasploit Vulnerability Test.

    2. Verify that the exploit completed, but no session was created


    Patch Management

    1. Review the Automatic Updates section of Windows Security Center

    2. Open the .mbsa file from %userprofile%\SecurityScans

    3. Verify update log

    4. Visual Studio was removed from WHEELJACK

    5. SQL services have been stopped.

    6. The Office Service pack was installed, but is not recognized.

    Vulnerability Scanning

    1. Open the Nessus report file

    2. Verify there are no Medium or High vulnerabilities.
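
    The pass/fail check in step 2 can be scripted so the evidence does not depend on reading the report by eye. The following is an added example, not part of the original document or of Nessus. It assumes the report was exported in the .nessus v2 XML layout (NessusClientData_v2, with a numeric severity attribute on each ReportItem), which may differ from what Nessus 4.0.1 writes; the sample report, plugin IDs and plugin names are constructed.

```python
import xml.etree.ElementTree as ET

# Severity codes of the assumed .nessus v2 layout.
SEVERITY = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}
MEDIUM = 2
UNKNOWN = 99  # missing or unparseable severity: cannot be shown to be below Medium

# Constructed sample report (not real scan output; plugin IDs are placeholders).
SAMPLE_REPORT = """<NessusClientData_v2>
  <Report name="constructed-wheeljack-scan">
    <ReportHost name="127.0.0.1">
      <ReportItem port="0" protocol="tcp" severity="0" pluginID="900001"
                  pluginName="Constructed: scan information"
                  pluginFamily="Windows"/>
      <ReportItem port="445" protocol="tcp" severity="1" pluginID="900002"
                  pluginName="Constructed: low-risk finding"
                  pluginFamily="Windows"/>
      <ReportItem port="445" protocol="tcp" severity="3" pluginID="900003"
                  pluginName="Constructed: missing security bulletin"
                  pluginFamily="Windows : Microsoft Bulletins"/>
      <ReportItem port="3389" protocol="tcp" severity="2" pluginID="900004"
                  pluginName="Constructed: medium-risk service finding"
                  pluginFamily="Windows"/>
    </ReportHost>
  </Report>
</NessusClientData_v2>"""


def parse_findings(xml_text):
    """Return (number of scanned hosts, list of finding dicts)."""
    root = ET.fromstring(xml_text)
    hosts = root.findall("./Report/ReportHost")
    findings = []
    for host in hosts:
        for item in host.findall("ReportItem"):
            try:
                severity = int(item.get("severity", ""))
            except ValueError:
                severity = UNKNOWN  # fail closed on a value we cannot read
            findings.append({
                "host": host.get("name", "?"),
                "port": item.get("port", "?"),
                "severity": severity,
                "label": SEVERITY.get(severity, "Unknown"),
                "plugin_id": item.get("pluginID", "?"),
                "name": item.get("pluginName", "?"),
                "family": item.get("pluginFamily", "?"),
            })
    return len(hosts), findings


def evaluate(xml_text, threshold=MEDIUM):
    """Return (passed, reason, failing findings sorted worst first)."""
    host_count, findings = parse_findings(xml_text)
    failing = sorted((f for f in findings if f["severity"] >= threshold),
                     key=lambda f: -f["severity"])
    if host_count == 0:
        # A report with no hosts proves nothing: the scan did not run
        # or targeted nothing, so it must not count as clean evidence.
        return False, "report contains no scanned hosts", failing
    if failing:
        return False, "%d finding(s) rated Medium or above" % len(failing), failing
    return True, "no Medium or High findings", failing


if __name__ == "__main__":
    ok, reason, failing = evaluate(SAMPLE_REPORT)
    print("PASS" if ok else "FAIL", "-", reason)
    for f in failing:
        print("  [%s] %s:%s %s (plugin %s, family %s)" % (
            f["label"], f["host"], f["port"], f["name"],
            f["plugin_id"], f["family"]))
```

    An empty report and an unreadable severity value both fail the check, so a scan that never ran cannot be filed as passing evidence.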


    Firewall/Router logging

    4. Review the Log Details section of the Router page


    Corrected Risk Assessment

    I. Introduction

    The purpose of this assessment is to observe and address risks to the WHEELJACK laptop operating on the Spacebridge network. Performing this risk assessment will allow threat-sources and actions to be discovered, quantified, and addressed later in a more effective manner. Performing this assessment will ultimately allow this business critical system to be hardened to maximize availability.

    The scope of this assessment is concerned with a single portable system, WHEELJACK. This system is an Averatec EV3715-EH1 AMD-based laptop running Windows XP Professional Service Pack 3. This machine connects to three different networks on a regular basis: Spacebridge (Home Office), HALPNT (Work), and DePaul. The system only has one user, and there are no additional administrators or guest accounts.

    II. Risk Assessment Approach

    The only member of the risk assessment team is the business owner/custodian Ben Dahl. There are two techniques that were used to gather information for the assessment. Tenable Nessus v3.2.1.1 (build 2G301_Q) was used to scan the machine for open ports and vulnerabilities. In addition to this, Microsoft Baseline Security Analyzer v2.1 was used to determine if there were any missing Microsoft system patches.

    The risk scale for this assessment uses three levels: high, medium, and low. High risk denotes a threat that has a high likelihood of happening and represents a critical system threat. This may include missing critical updates, vulnerabilities that have not been patched, and open firewall ports. Medium risk denotes a threat that could happen, but does not represent a critical system threat. This may include missing non-critical updates, and software updates. Low risk denotes a threat that has a low likelihood of happening and represents an inconvenience. This may include lack of surge protection, improper documentation, and low-priority updates.

    III. System Characterization

    This document is concerned with the WHEELJACK laptop and the local hardware and software utilized by this machine and the primary business owner/data custodian Ben Dahl. The primary mission of this system is portable completion of work and school projects, technological tether. This system is also used for Internet access, desktop publishing, data storage, and music management. The system interfaces to the SPACEBRIDGE, HALPNT, and DePaul networks via wired, wireless, and TightVNC connections. The system contains personal data (contacts, media, and university work), business information (project documents), cookies, and the following:

    Hardware:

    • Averatec EV3715-EH1
    • AMD Sempron 3000 (1.8g)
    • 1gb Corsair DDR3200
    • Toshiba MK8025GAS 80gb
    • Atheros AR5212 A/B/G
    • Comcast Surfboard
    • D-Link DGL4300
    • Linksys WRT54GL
    • Patriot Xporter XT 16gb

    Software:

    • Windows XP Pro SP3
    • Office Pro 2007 Enterprise
    • Adobe Reader 9.1
    • Mozilla Firefox 3.0.8
    • Acronis True Image
    • TrueCrypt
    • DDWRT Linksys Firmware

    The system has been classified as Business Critical with confidential data sensitivity.

    IV. Threat Statement

    Threat Source: Machine could be lost by user.
    Threat Action:
        o System could be left at DePaul
        o System could be left at Harris Associates
        o System could be left in public

    Threat Source: The system could be compromised by an attacker.
    Threat Action:
        o Unauthorized access to sensitive information

    Threat Source: A natural disaster could compromise the availability of the system.
    Threat Action:
        o Power outage could cause system to be unusable
        o Flood could lead to destruction of machine
        o Tornado could lead to destruction of machine

    Threat Source: System could be stolen by third party
    Threat Action:
        o System could be stolen if left in public
        o System could be stolen if left unsecured

    Threat Source: Missing Updates Vulnerability
    Threat Action:
        o System could be compromised by viruses or malware

    Threat Source: Unsecure Networks
    Threat Action:
        o DePaul or HALPNT network could become compromised and corrupt system

    Threat Source: Remote Connection Vulnerability
    Threat Action:
        o System could be compromised if connected to unsecure VPN

    Threat Source: Data Compromise or Corruption
    Threat Action:
        o While using thumbdrives, information transmitted could become compromised or corrupted

    V. Risk Assessment Results

    Observation 1: System is vulnerable due to missing operating system or software updates or incomplete installation

    System is missing 33 security updates which, if discovered by an attacker, could be used to compromise confidentiality, integrity, or availability of the system.

    Existing controls: System is protected by hardware and software firewall. System is protected by strong passwords. System is backed up on a regular basis. Nessus and MBSA are used for vulnerability and patch analysis.

    Likelihood is low - System has been operational for approximately two years without issue. System is only powered on approximately three hours a day. Windows Service Pack 3 was installed on machine soon after release which decreased likelihood of issue.

    Magnitude of impact is low - System can be repaired inexpensively, data is encrypted and backed up.

    Risk rating is low - Low likelihood and low magnitude of impact along with cost/benefit makes this a low risk.

    Recommend implementing automatic updates for Windows and Microsoft Office, as well as running more frequent Nessus and MBSA scans.

    Observation 2: Windows RDP Terminal Service is not run through SSL

    Corrected Control Framework

    Control Objective #1: 5.1 Information Security Policy

    To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

    Risk Mitigation:

    To ensure that management has identified the information security program requirements and that employees understand the program's intent.

    Control Name:
        Control 1.1 Information Security Policy Document
        Annual

    Control Description:
        An information security policy document is approved by management, published and communicated to all employees and relevant external parties.

    Testing Steps:
        1. Obtain a copy of the information security policy document and verify that it defines the program's intent, compliance with legislation, commitment to security awareness and training, and a brief explanation of the security standards and procedures.

    Evidence Requested:
        1. Provide a copy of the information security policy document.

    Point of Contact:
        Ben

    Control Objective #4: 12.6 Patch Management

    To reduce risks resulting from exploitation of published technical vulnerabilities.

    Risk Mitigation:

    To ensure that systems are updated with the newest patches for known vulnerabilities.

    Control Name:
        Control 4.1 - Patch Management Standard
        Weekly

    Control Description:
        A patch management standard is documented and implemented to ensure that systems have the most current patches installed.

    Testing Steps:
        1. Obtain a copy and examine the patch management standard and the related procedures to determine if they are being followed.
        2. Test the system to determine if the patch updates were applied according to the procedures outlined and implemented in a timely manner.

    Evidence Requested:
        1. Provide a copy of the Patch Management Standard.
        2. Provide a print screen of the patch management configuration. Provide a print screen that shows the most recent system patches.

    Point of Contact:
        Ben

    Control Objective #5: 15.2.2 Vulnerability Scanning

    Information systems should be regularly checked for compliance with security implementation standards.

    Risk Mitigation:

    To ensure that assets remain protected from known exploits or vulnerabilities that may compromise or otherwise harm an asset.

    Control Name:
        5.1 - Technical Compliance Standard
        Weekly

    Control Description:
        A technical compliance standard is documented and implemented to describe the process that should be taken to determine if vulnerabilities are present, and how to become compliant should events be found.

    Testing Steps:
        1. Obtain a copy of the standard.
        2. Obtain the latest scan reports.

    Evidence Requested:
        1. Provide a copy of the standards and procedures. Provide a copy of the outputs of the vulnerability scan.
        2. Provide a copy of the resulting report that states that vulnerabilities have been corrected.

    Point of Contact:
        Ben

    Control Objective #6: 10.10.1 Firewall & Router Logging

    Audit logs recording user activities, exceptions, and information security events should be produced and kept

    for an agreed period to assist in future investigations and access control monitoring.

    Risk Mitigation:

    To ensure that system activities and traffic

    Control Name:
        Control 6.1 - Audit Logging
        Daily / Weekly

    Control Description:
        Router and firewall logging are enabled to monitor and record all activity on the network to ensure security and safety of corporate and personal assets.

    Testing Steps:
        1. Obtain a copy of the standard.
        2. Enable router and firewall logging.
        3. If an event is recorded, review logs immediately.
        4. Review all logs on a weekly basis.
        5. Maintain redundant log copies.

    Evidence Requested:
        1. Obtain a copy of the standard and procedures.
        2. Provide log copies.
        3. Maintain a secure log backup.

    Point of Contact:
        Ben