The Risks And Ramifications Of An Information Security - Case Study Example

The Risks And Ramifications Of An Information Security 1.0 Introduction One of the most critical first steps in ensuring information security is risk assessment. A penetration test done on a network provides an invaluable information on ways to launch a baseline security evaluation as it appears from outside the boundaries of an organization’s network. A penetration test entails all the processes of gathering information on the information system of an organization including security infrastructure. The information gathered are then used to identify and attempt to exploit the know or possible vulnerabilities within the system. Penetration test ensures that the new applications, security system and network infrastructure are not vulnerable to security breaches that could enable unauthorized access to an organization’s valuable assets and resources (Conway & Cordingley, 2010). The risks and ramifications associated with information security failure and security breaches are so high especially for companies and organizations dealing with sensitive information like financial details as is the case in this case study. The organization deals with processing numerous credit card information, over 100,000 a day, within a large network of close to 100 store locations. The organization has a large network infrastructure through which information is transmitted on a daily basis. Communication between the company’s headquarters, offices and retail shops could be compromised from any angle given the size of the network infrastructure present in the organization. With such critical information as financial records and details entrusted to the organization, high level information security is therefore imperative and mandatory. Constant network penetration tests will ensure improved security by identifying possible vulnerabilities that exist within the network system and recommending ways in which they can be mitigated before they are exploited by malicious hackers. The value of the information within the organization’s database is high thus the organization’s network infrastructure and security system is always at constant attack attempts. Alongside, risk assessment, penetration test is valuable in validating the controls are in place and acting as required to protect the organization’s valuable assets (Conway & Cordingley, 2010). 2.0 Overview There are a number of guidelines in place to be used in developing an effective and beneficial network penetration test; the assets that are mostly targeted should be identified, the potential intruders and hackers, the likely routes used by the intruders into the organization and how exposed the assets are. 2.1 Scope of the test The penetration test is to be done within a time frame of one week, with the permission and knowledge of the organization’s Chief Information Officer. The organization's core services such as firewall systems, password syntax, mail DNS, file transfer protocol systems (FTP), database servers, routers and web servers should be tested during a penetration test. Wireless systems including other potential methods of accessing the network resources and obtaining information should also be included in the penetration test plan. The results of the penetration test will then be presented to the Chief Information Officer with recommendations that could help mitigate the risks and eliminate the vulnerabilities detected within the network infrastructure and security system. 2.2 Reconnaissance Reconnaissance involves gathering information about the system which will be used to gain access to the target systems. Passive steps such as social engineering can be used to achieve an effective and successful reconnaissance. The attacker utilizes social skills of interaction with the organization’s personnel in order to gain confidential information such as passwords. Such sensitive information as password, unlisted phone numbers and sensitive network information are always divulged by unsuspecting managers and employees. Through social engineering, an attacker can get hold of information and bypass the system security thereby gaining access to unauthorized information and resources. Dumpster diving is another technique for gaining critical information that can compromise the security of an organization. Dumpster diving is when an attacker searches an organization trash in search of sensitive information like phone numbers and passwords. Active reconnaissance on the other hand involves probing an organization’s network with the aim of finding a possible route to access and penetrate the network infrastructure and security system. Active reconnaissance include finding the details of the operating system used by the main servers of the organization, the location of the routers, open ports, details of the services offered and the accessible hosts. Based on the findings of the reconnaissance,an intelligent attack plan is constructed after which a network scanning and enumeration is done. 2.3 Scanning and Enumeration The information collected from the reconnaissance stage is used to scan the organization’s network. Through scanning and enumeration, sensitive information about the target organization’s network is gathered such as the network architecture used by the organization. Scanning and enumeration target such information as the organization’s operating systems, IP addressees, zone transfer information and DNS. Open ports and vulnerable services are detected through system port scanning. Automated tools such as port scanners and Wireshark are utilized to gain the open ports within the network. Vulnerability scanners, network mapping and sweeping can also be used. The point of entry through the attack will be launched is then established (Whitaker & Newman, 2008) 2.4 Gaining Access and Maintaining Access Gaining access to the target network system can be done through LAN, offline or through the internet. The actual attempt to gain access to the organization’s network architecture is done at this stage. Possible system vulnerabilities will be exploited in order to try and gain access to the actual network and bypass the security system just as an actual attacker would do. Backdoor vulnerabilities could be created at this stage using Dialers and Trojan. Techniques such as sniffers are employed to capture packets from the organization’s network. Gaining and maintaining access is the most crucial stage of the penetration testing given that it is at this stage where the real damage is assessed in case an actual hacker get to have access to the network. Factors like the system’s architecture, its configuration and individual skills of the hacker will determine the potential damage to the system (Whitaker & Newman, 2008). 2.5 Covering tracks At this stage the test is aimed at checking whether the track through which the system was accessed can be erased without detection. The log files should be deleted and the system binaries replaced with Trojan files in an effort to cover up the evidence of an attack from the system administrator. 3.0 Detailed Penetration testing 3.1 Attacks used In an effort to gain access to the organization’s network and exploit vulnerabilities within the network system, the following methods of attack were used. Firewalk was used to test the firewall of the organization and determine the access control list from which a network map can be created. Firewalk works the same as Traceroute tool. John the Ripper was used to crack the password with weak syntax. Brute force attack, hybrid and dictionary test was employed in the system through the of L0pht Crack. The modems and phone set for auto answer were scanned using Phonesweep. The web and mail servers were tested using an internet security server (ISS). The systems and servers found to be operating on Unix operating system were scanned using the Nessus vulnerability scanner. 3.2 Tools The following tools were used to gain information which was later used to access the organization’s network. Traceroute was used to identify the communication path between the computers within the organization’s network. Telnet was also used to determine the open ports for TCP/IP communication. The domain servers were queried interactively using Nslook up. The identified network hosts were pinged using the ping command in order to find vulnerable ports open for TCP/IP communication. An ICMP ECHO request was sent to the previously identified hosts, those that sent back reply were vulnerable for attack. 3.3 Reporting Methods The results obtain for the penetration tests should be compiled and recommendations generated that are aimed at minimizing the risks and vulnerabilities as detected by the test. Those vulnerabilities that are significant should be given the first priority and addressed as soon as possible to avoid potential exploitation of such vulnerabilities. Certain vulnerabilities can only be eliminated by changing the whole system where the vulnerability exists. While other recommendations specific to the identified vulnerabilities, enforcing the security policy are the only required condition in order to address most vulnerabilities. 4.0 Summary Organizations dealing with crucial and sensitive data like financial details and personal identification details should heavily invest in information security. Constant penetration tests should be conducted on the network infrastructure and security system of the organization in order to detect and mitigate potential vulnerabilities that might be exploited by malicious hackers. While performing penetration test, the tester should ensure that permission are granted by the CIO and that the staff is made aware that the test is being done. References Conway, R., & Cordingley, J. (2010). Code hacking: a developer's guide to network security. Hingham, Mass.: Charles River Media. Whitaker, A., & Newman, D. P. (2008). Penetration testing and network defense. Indianapolis, IN: Cisco Press. Read More