Oglala Lakota College

Networking and Communications

Nov 21, 2013

Security Evaluation Report
Proposal by Christine Stagnetto-Zweig © 2011


Oglala Lakota College

Security Evaluation

Site Visit

January 24, 26, 28, 2011

Conducted and Prepared by:

Christine Stagnetto-Zweig Consulting
410 W. 2nd Street
Gordon, NE 69343
(308) 282-0029





Table of Contents

A. Executive Report (p 4)
   1. Introduction (p 4)
   2. Weaknesses of the existing network (p 7)
   3. Security Policies for Wireless Network (p 18)
   4. Network Security (p 24)
   5. Security framework (p 25)
   6. User Security Policies (p 26)
   7. Oglala Lakota College Vulnerabilities (p 30)
   8. Application Security (p 33)
   9. Physical Security (p 35)
B. Penetration Testing Proposal (p 37)
C. Introduction and Background (p 43)
D. Appendixes (p 77)













Oglala Lakota College

Kyle, SD

Report of Evaluation

January 25, 2011

A. EXECUTIVE REPORT

Introduction

Dr. Giraud requested that I conduct a security review of the OLC network. The review began on January 24 and continued at all campuses, including headquarters. During my review, I support the findings that Pauli Consulting explained in its network evaluation. As Security Consultant, I reviewed the technology of the following facilities:

1. Headquarters at Piya Wiconi, as well as Pejuta Haka, located in Kyle
2. Pine Ridge campus, located in Pine Ridge
3. East Wakpamni campus, located in Batesland, SD
4. Pass Creek campus, located in Martin, SD
5. Wounded Knee campus, located in Manderson, SD
6. Pahin Sinte campus, located in Porcupine, SD
7. Cheyenne River campus, located in Eagle Butte, SD
8. Pass Creek campus, located in Allen, SD
9. He Sapa (Extension) campus, located in Rapid City, SD
10. Oglala (White Clay) campus, located in Oglala, SD
11. Nursing College campus, located in Pine Ridge, SD, and
12. Eagle Nest College campus, located in Wambli, SD.




The onsite review has been a combination of visiting campuses and conducting interviews with administrative staff. Observations: after collecting the data while working at the different campuses, I observed that the laboratories are not prepared for IT students according to the best practices and recommendations that I have prepared for OLC as consultant.

After meeting with several staff, I determined that OLC needs a network infrastructure that is scalable, reliable, and inexpensive to administer. OLC's current network will not support the next-generation services that OLC's leaders desire.

As a consultant, and as Pauli Consulting proposed, the best-practice security recommendations are:

1. Secure Service: provide a secure administrative computing service. It must be functionally and physically isolated from access by people who are not employed by OLC or are not students of OLC, to minimize the risk of unauthorized use.

2. Integration and Update: the WAN must be updated and must support productive collaboration across the system; furthermore, the equipment is out of date.

3. Network Design: for a large campus network design, operating demands have increased and the infrastructure must be updated as follows:
   - Handle high-bandwidth applications such as voice, video, and IP multicast; improve backbone capacity over shared Ethernet or FDDI campus backbones
   - Support applications based on the equipment
   - Offer high availability, performance and manageability for the intranet.

   Suggestions: use layer 2 and 3, or ATM backbone solutions to expand the large campus network. Typical designs




4. We must now define a security strategy for securing the infrastructure. The need for enterprise network security should not be ignored given the proliferation of the Internet. OLC continues to leverage the public infrastructure for connecting national and international offices, business partners and new acquisitions. The security requirements and network assessment recommendations should drive the selection of security equipment, protocols and processes. The strategy identifies what assets must be protected, which users are allowed access, and how those assets will be secured.

5. Safeguard requirement identification: the configuration and management of firewalls, IDS (Intrusion Detection Systems), and VPNs (Virtual Private Networks) are essential facets of a highly secure computing environment, as the need for additional connectivity among IT services grows and the WAN needs to be more secure and agile.

6. Communication between buildings: it is critical, and the infrastructure has risks and limitations.

7. Major tasks: hardware and software upgrades, including planning, creation of a risk assessment, installation, configuration, testing and documentation. The IDS will monitor network traffic and raise alerts when anomalies or misuse are detected on the networks. The upgrade includes the planning, creation of a risk assessment, implementation, and documentation of higher-bandwidth communication lines to the campuses. Efforts must be made to coordinate the upgrade of the network connection between campuses and ensure continued security. Hardware and software upgrades of the central (headquarters) network firewall include careful planning, creation of a risk assessment, installation, configuration, extensive testing and documentation. New hardware and software need to be evaluated to perform the task of controlling network traffic at the center of the headquarters campus.

Weaknesses of the existing network include:

Wiring closet:

This is an appropriate wiring closet.











With the basic physical security hardening of core and mission-critical components, including blades and rack-mounted devices, under way, we need to look at our wiring closets and cabling. Physical security encompasses both physical connectivity and availability. It is no good having the most physically secure components if they are unusable.

Cooling for IT wiring closets is important, because it has not been planned, and failures or overheating occur at each campus. There is no sufficient cooling within the wiring closets.

The wiring closets at each campus are not appropriate and need improvements.

A proper cooling solution for a wiring closet should keep it under the maximum temperature at which its devices are designed to operate. For active IT equipment this is usually 104 F (40 C). This is the maximum temperature at which the vendor is able to guarantee performance and reliability for the stated warranty period. Operating at this temperature does not provide the same level of availability or longevity as operating at lower temperatures. The typical temperatures for IT equipment are between 65 F and 70 F. The recommended operating temperature for IT equipment is 65-70 F (20-25 C), and the allowable temperature is 59 F (15 C).

We need to consider the following methods of cooling closets.

1. Conduction: heat can flow through the walls of the space. A closet must be effectively sealed, so the only way for the heat to leave is by conduction through the walls. This means that the closet will be hotter than the other ambient air within the building, and the degree of temperature rise will be greater as the power level of the IT equipment increases. The typical closet requires the temperature to be less than 70 F (25 C) and supports up to 1000 watts.

Factors influencing the closet temperature vs. load relationship and their expected impact:

Factor                                                        | Expected impact on closet temperature
Room dimensions                                               | Temperature increases as room dimensions decrease
Wall, ceiling, floor material                                 | Temperature increases as construction material thermal resistance increases
Setback of building air conditioner on nights / weekends      | Every degree increase in the building air conditioner setting increases closet temperature by the same amount
One wall subject to sun exposure / outdoor temperature on a hot sunny day | Temperature increases as the wall area exposed to outdoor temperature and sun increases

The material used for walls, ceilings, and floor will produce a similar deviation in the relationship between temperature and load, because the ability to transfer heat differs from one material to the next. If we substitute the gypsum board walls and acoustic tile ceiling in the example with 4 inch (10 cm) concrete block walls and a 4 inch (10 cm) concrete slab floor, our wiring closets will increase in cooling performance.

Example of construction material on conductive cooling performance

One common occurrence that impacts conductive cooling performance is a rise in the building ambient air temperature due to weekend cooling setbacks. When this happens, whether during the weekend or during the week, the closet temperature will rise in step. This means that for a critical closet that requires the temperature to be 65-70 F or less, no load can be supported; and for a non-critical closet that allows the temperature to be 90 F (32 C) or less, only 250 watts can be supported. At most campuses the air conditioning is set back to 85 F (29 C) on the weekend. My recommendation is to use sole (dedicated) cooling for critical closets when the power load within the closet is less than 400 watts, with consideration given to the other factors mentioned that will impact cooling performance. Likewise, for non-critical closets, the load in the closet should be less than 1000 W.

The closet switches are not appropriate; lights should be of the low-power, high-efficiency type, and should automatically shut off when the door is closed.

Example of a well-ventilated wiring closet system (it is less expensive).






Adding a dedicated wiring closet zone:

- Assurance that static pressure is adequate and constant in the supply duct serving the VAV (variable air volume) box, especially on hot summer days when the building air conditioning system is working the most
- Very low power density capability: most comfort cooling systems are designed to provide 4-5 watt/ft² (43-54 watt/m²) of cooling, which equates to 150 watts per rack (assuming 30 square feet per rack)
- Lack of scalability
- High cost of implementation

(Recommended)

2. Comfort cooling: all campuses visited have an existing air conditioning system or a combined heating and air conditioning system for creating a comfortable environment for personnel. These comfort cooling systems typically have air handling ductwork. The apparent advantage is that additional ducting can be run to closets, but this rarely solves closet cooling problems and often makes them worse.

I observed at all campuses that the IT devices raise the temperature inside the closet, and it only falls when the cooling system is on. The main point is that, currently, the changes in temperature stress IT equipment more than sustained higher temperature conditions do. The temperature in campus buildings must be maintained at the same level of cooling.

As an additional observation, the central cooling system is part of a main supplemental heating system; it keeps the closet cool in summer and heats it in the winter months. This is not appropriate. The figures above show one recommended way to keep the wiring closet cool.

3. Dedicated cooling: my recommendation for this method is that the most effective way to gain control of closet temperatures is by installing dedicated closet air conditioning equipment. However, dedicated air conditioning is much more expensive and complex than using passive or fan-assisted ventilation and should only be used when required. For example, configurable routers with back-panel nameplate power ratings of 5-6 kW only draw 1-2 kW in common user configurations, and a correct determination of the real draw could eliminate the need for an air conditioner.

Dedicated air conditioning rather than ventilation is appropriate when:

- The ventilation air outside the closet contains significant dust or other contaminants
- The ventilation air outside the closet is subject to excessive temperature swings
- Practical constraints make it impossible to add ventilation ducts

In cases such as the OLC campuses, ventilation that utilizes building ambient air is not a viable alternative, and the only practical approach is dedicated air conditioning equipment.





Example of appropriate dedicated air conditioning

4. UPS (Uninterruptible Power Supply): my recommendation is to use small distributed UPS systems in closets to assure business continuity; I did not find them at the OLC campuses. These UPS systems provide power backup for the closet IT load, or a UPS may be selected to provide extended backup time (i.e., greater than an hour). During a power outage, the cooling system must continue to operate so that it keeps the closet within a reasonable temperature range. If the UPS is designed to provide runtime in excess of 10 minutes, then the cooling system must continue to operate during this period without stressing the IT equipment.

This means the air conditioner or fan must be included when sizing the UPS so that it continues to operate. Fan-assisted ventilation should be used whenever possible instead of closet air conditioning. The most effective recommendation is fan-assisted ventilation (less expensive). When the air conditioning comes back, the fan-assisted unit is turned off automatically.

This is a perfect wiring closet fan-assisted ventilation unit (I recommend having one at each campus).





In sum, ventilation is the most effective and practical cooling strategy. A well-designed and implemented passive ventilation system is effective for lower power levels, while for higher-power closets with VoIP routers or servers, fan-assisted ventilation is recommended. The use of existing comfort air conditioning systems for closet cooling is not recommended because it will always result in wide closet temperature fluctuations; the solutions given above are the most appropriate.
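To make the closet rules above usable during planning, here is an added example (not part of the report) that encodes its thresholds: critical closets at 65-70 F, non-critical at 90 F or less, 250 W supportable by conduction under an 85 F setback, dedicated cooling for critical closets under 400 W, non-critical closets under 1000 W, and cooling that must ride the UPS for the 10-minute window. The Closet records, the fan and air-conditioner wattages, and the campus names are constructed inputs.

```python
"""Wiring-closet cooling and UPS planning helper built from the thresholds
stated in this report. Constructed example; not part of the report itself."""

from dataclasses import dataclass

CRITICAL_MAX_F = 70            # critical closets: 65-70 F or less
NONCRITICAL_MAX_F = 90         # non-critical closets: 90 F (32 C) or less
CRITICAL_LOAD_W = 400          # dedicated cooling is sized for critical closets under this load
NONCRITICAL_LOAD_W = 1000      # non-critical closets should stay under this load
CONDUCTION_SETBACK_LOAD_W = 250  # load a non-critical closet carries by conduction at an 85 F setback
COOLING_RUNTIME_MIN = 10       # cooling must keep running for the UPS window


@dataclass
class Closet:
    name: str
    critical: bool
    it_load_w: float          # measured draw, not nameplate (report: 5-6 kW nameplate, 1-2 kW real)
    fan_w: float              # draw of a fan-assisted ventilation unit, if fitted (constructed)
    setback_f: float          # building air-conditioner setback on nights/weekends
    ventilation_viable: bool  # False for dusty or hot ambient air, or when ducts cannot be added


def cooling_plan(c):
    """Pick a cooling strategy for one closet; returns (strategy, reasons)."""
    reasons = []
    if c.critical:
        if c.setback_f > CRITICAL_MAX_F:
            reasons.append(f"setback to {c.setback_f:.0f} F exceeds the {CRITICAL_MAX_F} F "
                           "critical limit, so conduction or comfort cooling supports no load")
        if c.it_load_w >= CRITICAL_LOAD_W:
            reasons.append(f"load {c.it_load_w:.0f} W is not under the {CRITICAL_LOAD_W} W "
                           "that dedicated cooling is sized for; split the load")
        reasons.append("critical closet: sole (dedicated) cooling recommended")
        return "dedicated air conditioning", reasons
    if not c.ventilation_viable:
        reasons.append("ambient air unsuitable for ventilation (dust, temperature swings, no ducts)")
        return "dedicated air conditioning", reasons
    if c.it_load_w >= NONCRITICAL_LOAD_W:
        reasons.append(f"load {c.it_load_w:.0f} W is not under the {NONCRITICAL_LOAD_W} W limit")
        return "dedicated air conditioning", reasons
    if c.setback_f > NONCRITICAL_MAX_F:
        reasons.append(f"setback {c.setback_f:.0f} F exceeds the {NONCRITICAL_MAX_F} F limit")
        return "dedicated air conditioning", reasons
    if c.it_load_w <= CONDUCTION_SETBACK_LOAD_W:
        reasons.append(f"load within the {CONDUCTION_SETBACK_LOAD_W} W a set-back closet "
                       "carries by conduction; passive ventilation is enough")
        return "passive ventilation", reasons
    reasons.append(f"load above {CONDUCTION_SETBACK_LOAD_W} W; fan-assisted ventilation "
                   f"keeps the closet under {NONCRITICAL_MAX_F} F")
    return "fan-assisted ventilation", reasons


def ups_requirement(c, strategy, ac_w=0.0, runtime_min=COOLING_RUNTIME_MIN):
    """Watts and watt-hours the closet UPS must carry so cooling keeps running
    through the outage window. ac_w is the draw of a dedicated unit (constructed)."""
    cooling_w = {"dedicated air conditioning": ac_w,
                 "fan-assisted ventilation": c.fan_w}.get(strategy, 0.0)
    total_w = c.it_load_w + cooling_w
    return total_w, total_w * runtime_min / 60.0


if __name__ == "__main__":
    # Constructed closets: one critical headquarters closet, one non-critical campus IDF.
    for closet in (Closet("Piya Wiconi MDF", True, 300, 0, 85, True),
                   Closet("Campus IDF", False, 600, 60, 85, True)):
        strategy, why = cooling_plan(closet)
        watts, wh = ups_requirement(closet, strategy, ac_w=500)
        print(f"{closet.name}: {strategy}; UPS must carry {watts:.0f} W, {wh:.0f} Wh; {why}")
```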

Another consideration is to use routed protocols as a routed access solution, configuring static routes (Cisco routers).


Wireless network:

Wi-Fi networks (a, b, g, and n). They need a password, because an open network is not secure. The best security option in this case should be CCMP. The strongest security is WPA2-PSK-AES-CCMP. When using this type of security, it is imperative to use a strong password.

Security Policies for Wireless Network


Recommendations




1. Activate 802.11 encryption to make data unintelligible to unauthorized users. For encrypting networks, 802.11i WPA and WEP only encrypt data traversing the wireless link between the client device and the access point. This is adequate if the wired network is physically secured from hackers, but if you permit access to important information over Wi-Fi, you need more protection.

2. Utilize IPsec-based VPN (Virtual Private Network) technology for end-to-end security. For sensitive applications used from Wi-Fi hotspots, use a VPN system to provide sufficient end-to-end encryption and access control. The best solution is a full-throttle VPN; it offers strong security, but is costly and difficult to manage when there are hundreds of wireless users. The less costly option is implementing 802.11 encryption when users are operating inside the enterprise, and VPNs otherwise.

3. 802.1X-based authentication to control access to the network; for Microsoft servers the best choice is EAP-TLS.

4. Wireless network on a separate VLAN: a firewall can help keep hackers confined to the VLAN associated with the wireless network. This means that if you encrypt the wireless network it can be treated as private, but without encryption it is a public network. Avoid that.

5. Keep firmware up to date in client cards and access points: perform penetration testing during security assessments to prove whether the access point has a fragile entry point; outdated firmware is easily hackable. It is important to provide adequate physical security for the access point hardware (e.g., minimizing the risk of someone resetting the access point; be sure to disable the console port).




6. Disable access points during non-usage periods: limit the window of opportunity for a hacker to use an access point to their advantage as a weak interface to the rest of the network. PoE (Power-over-Ethernet) equipment provides this feature and is practical.

7. Assign strong passwords to access points: do not use default passwords for access points, because that makes it easy for someone to change configuration parameters on the access point to their advantage.

8. Implement personal firewalls: our system has been hacked using our e-mail accounts. I recommend configuring encryption or authentication; otherwise the operating system can be attacked.

9. Control deployment of wireless LANs: this is the most crucial issue at all campuses; professors and students have very slow or no connection. Recommendation: create a password for students and faculty who are using wireless. Maintain a list, and each student and faculty member must fill out a form requesting access with their own PIN.
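As an added example (not from the report), the checker below audits an access point configuration against recommendations 1, 3, 4 and 7 above: encryption on, WPA2 with AES-CCMP rather than WEP or TKIP, either 802.1X/EAP or a strong pre-shared key, and the wireless segment bridged onto its own VLAN. The key names follow hostapd.conf; the two sample configurations and the weak-passphrase list are constructed.

```python
"""Audit a hostapd-style access point configuration against this report's
wireless recommendations. Constructed example; key names follow hostapd.conf."""

import re

MIN_PASSPHRASE_LEN = 20
# Constructed list: vendor defaults and local words a campus AP must never use.
WEAK_PASSPHRASES = {"password", "admin", "12345678", "oglala", "olc", "wireless"}


def parse_hostapd(text):
    """Parse key=value lines into a dict; blank lines and # comments are skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def passphrase_is_strong(pw):
    """Strong = long, not on the weak list, and at least three character classes."""
    if pw.lower() in WEAK_PASSPHRASES or len(pw) < MIN_PASSPHRASE_LEN:
        return False
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    return classes >= 3


def audit_ap(cfg):
    """Return a list of findings; an empty list means the AP meets the recommendations."""
    findings = []
    if any(k.startswith("wep_key") for k in cfg):
        findings.append("WEP keys configured: WEP is broken, move to WPA2")
    wpa = cfg.get("wpa", "0")
    if wpa == "0":
        findings.append("no 802.11 encryption: open network")
        return findings  # nothing else is meaningful on an open network
    if wpa != "2":
        findings.append(f"wpa={wpa} still admits WPA1/TKIP clients; set wpa=2")
    ciphers = cfg.get("rsn_pairwise", cfg.get("wpa_pairwise", "")).split()
    if "CCMP" not in ciphers:
        findings.append("pairwise cipher is not CCMP (AES)")
    if "TKIP" in ciphers:
        findings.append("TKIP enabled alongside CCMP; remove TKIP")
    mgmt = cfg.get("wpa_key_mgmt", "").split()
    if "WPA-EAP" in mgmt:
        if cfg.get("ieee8021x") != "1":
            findings.append("WPA-EAP selected but ieee8021x=1 is not set")
    elif "WPA-PSK" in mgmt:
        if not passphrase_is_strong(cfg.get("wpa_passphrase", "")):
            findings.append("pre-shared key is weak; use a long passphrase with mixed character classes")
    else:
        findings.append("no key management (WPA-PSK or WPA-EAP) configured")
    if "bridge" not in cfg:
        findings.append("no bridge assignment: put the wireless segment on its own VLAN behind the firewall")
    return findings


# Constructed sample: a guest AP configured the way the recommendations warn against.
WEAK_AP = """
interface=wlan0
ssid=OLC-Guest
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=oglala123
"""

# Constructed sample: staff AP meeting the recommendations (WPA2, CCMP, 802.1X/EAP, own VLAN).
HARDENED_AP = """
interface=wlan0
bridge=br-wlan-staff
ssid=OLC-Staff
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_AP), ("hardened", HARDENED_AP)):
        print(name, audit_ap(parse_hostapd(text)) or ["OK"])
```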


Wireless connection at campuses

My concern is that the wireless connections at the campuses are weak, and we need to answer why. The first thing to consider when deploying wireless is Radio Frequency (RF) and where you want to provide wireless access; all campuses have wireless access, but because of the poor signal students and staff cannot work using laptops.

We need to consider how many users can connect at one time, and understand that not all 802.11n access points are built the same. There are 3 different flavors: single-radio, dual-radio, and three-radio access points. The more radios in the access point, the higher the throughput, and the higher the throughput, the more users can connect (e.g., the capacity is much bigger with a three-radio access point).




Some recommendations for optimal wireless capacity planning, broken down by the type of access point according to the environment.

We need to consider a wireless site survey, which is an actual physical survey done onsite using various RF measuring tools to analyze the propagation of RF signals within the facility. After seeing the problem with wireless at all campuses, my recommendation is to design the wireless network according to the environment it will be operating in; this will help in making a determination.

OLC must consider the different environments; obstacles must be sorted out, as well as interference (e.g., lead-lined walls, radio signal generators, etc.) and environments such as high humidity or floating metal particulates. The survey uses the location and site survey tools to measure the RF from an access point set up for the survey. The access point is moved to several locations intended to have coverage, and measurements are taken there as well; this provides a picture of RF performance.

Tools for a physical site survey:

- Laptop with site survey software
- RF spectrum analysis software
- Access point configured to operate in a survey mode
- Tripod to mount and elevate the access point to desired heights
- Portable battery with PoE/PoE+ to power the access point
- A mobile cart to roll the laptop around on
- Various markers to mark the access point locations
- Digital camera to document specific locations


Wireless

With the increasing popularity of consumer Wi-Fi devices, the number of students utilizing college-provided services from personal portable devices, rather than college-provided hardware, will continue to increase. The college's wireless networks will serve as a primary interface for student interconnectivity while students are on campus. At this point, I recommend extending the wireless canopy to ensure student and employee areas have access to reliable, high-speed wireless connectivity (e.g., evaluating WiMax to determine its viability as a new wireless transport), in order to provide OLC students with affordable access to state-of-the-art wireless network technology. This must also include closed-circuit television (CCTV) and monitoring networks, security systems, and the network infrastructure necessary to support specialized systems; these specialty networks provide non-standard communication networks.

Another recommendation is developing plans to add redundant network channels that provide redundant communication and ensure network reliability. Upgrade physical networks, maintain proper routine maintenance of network conduits, and remove obstructions to prevent conduit jams and ensure compliance with local, state, and federal electrical and fire codes.




Network Security

Oglala Lakota College needs to protect its network devices (e.g., routers, switches, and firewalls) and network-related sensitive information such as that of students, faculty and administrative staff.

I observed at different campuses that data is not carefully taken care of by administrative staff. They are exposed to social engineering. This sensitive information must be protected from unauthorized access by insiders or outsiders; otherwise the information could be altered or DoS (Denial of Service) attacks could occur, and the network can be affected by the risks identified in the risk assessment.

I recommend implementing a strong security policy that provides rules for accessing the resources on the network and limits user access. This policy will act as a resource for users and for auditing the network. Implementing policies increases the countermeasures against the attacks that the network can receive directly from users.

A good security policy must address confidentiality, integrity, and availability of all system resources and data. A strong security policy must keep dangerous attackers away and protect the assets, which include people, data, computing devices, etc. My recommendation is to assign security personnel to control access, to scrutinize and maintain security, and to investigate and handle incidents by setting rules and standards.

Security awareness programs

These must educate employees about the risks and benefits of security policies designed to save time and money for the institution. The program deals with problems such as viruses, threats, spyware, intruders, and hacking attempts (e.g., a faculty e-mail account taken over for sending spam, as occurred last year).

The benefits:






- Reduce the risks by educating employees at every level
- Are easily implemented
- Regulate security through standardized programs
- Facilitate tasks like managing users, tracking security, reporting failures, and managing databases
- Create a Security Department with specialists in the field

A good training program should cover a good security policy, protecting the confidentiality, integrity, and availability of resources. It should:

- Make security more effective and extensive across the OLC campuses
- Change people's behavior through positive reinforcement and collaboration
- Protect assets

Classification systems

Oglala Lakota College must consider all data to be confidential and decide on a case-by-case basis who is authorized to access those data. The security team must classify the systems and provide the classification as: (a) Top Secret; (b) Secret; (c) Confidential; (d) Restricted; and (e) Unclassified. At the same time it must consider the level of sensitivity as confidential, private, sensitive, and public.

Security framework

My advice for creating a good security policy is that it must consider the following:

- It should be simple and practical
- It should have a simple tree structure
- It should be accessible by all people who need to access it
- It should be easy to manage and maintain

User Security Policies

Password Management Policy

This is one of the user policies. User accounts are protected with strong passwords, and passwords must be changed every 90 days. The user must request the opening of an e-mail account using a form; if a user forgets a password, they must contact the Security team, which must provide a new password to enter the system.

IT Policies

These policies are important for keeping the network secure and stable.

- Backup policies: what to back up, who backs it up, where it is stored, how long it is stored, how to test backups, and what programs are used in the backup process
- Server configuration, patch, and modification policies: unneeded services must be removed, and the policy must define which servers should use intrusion detection systems
- Firewall policy: must define which ports to allow, how to interface or manage ports, and who has access to the control console
- General policies: are necessary for general business operations and include the high-level program policy (who is handling the policy, the purpose and scope, and any exceptions) and business continuity plans, which include crisis management and disaster recovery. Once a disaster occurs, the following must be addressed:



  - Server recovery
  - Data recovery
  - End-user recovery
  - Phone system recovery
  - Emergency response plan
  - Workplace recovery

Develop a Plan for ITIL Implementation: IT must develop and implement a plan for the adoption of a subset of the ITIL framework.

- Data quality: I recommend developing, documenting, and implementing a set of standards for the storage of all data elements.
- Development standards for architecture, coding, configurability, documentation, technology, and user experience.
- Develop and maintain a college strategic technology plan: develop and implement a process to periodically review and revise the college's strategic technology plan, which should allow anyone from the college community to provide recommendations and suggestions for the plan.

Partner policy: any policy defined among a group of partners.

Physical Security

Oglala Lakota College needs physical security, with the risks monitored and analyzed. Those who will be working with valuable physical assets must be trained.

Audit Policy

The audit policy must be configured to audit only successful events or to audit both successful and unsuccessful events. Develop a process to ensure audit findings are addressed in the Policy and Procedure revision process, to demonstrate remediation of findings.

Security Policy

- Ensure compliance with state and federal regulations: I recommend seeking to assure compliance with all state and federal regulations (e.g., GLB, FERPA, and the Higher Education Re-authorization Act). Establish an annual review and revision of IT Guidelines to ensure compliance with state and federal regulations. Review and revise IT Policies and Procedures. Validate compliance with state and federal regulations.
- Perform an external audit: it must be conducted by an independent, certified external consulting organization such as CSI (Computer Security Institute) or ISACA (Information Systems Audit and Control Association).
- Implement identity- and location-based zoning: network technology will enable access to network resources based on the user's identity and location.
- Develop, document, and implement a set of standards for secure server deployments, such as log management, minimized attack surfaces, appropriate access controls, and auditing.
- Implement strong authentication systems for services, such as RSA tokens, digital signatures, or other multi-factor authentication systems.
- Ensure all IT assets containing sensitive data or providing services are securely housed and protected from loss and tampering; implement appropriate security measures in accordance with standards and best practices to ensure minimal access to IT assets.
- Implement controls to ensure that credentials are issued for a specific purpose and are used exclusively for that purpose (e.g., ensure service accounts are used exclusively by the service or for installation/upgrade).
- Implement an identity management system that enables the college to provision, de-provision, and manage security for all college employees and students.
- Define a set of roles based on employee functions for the purpose of standardizing and automating security provisioning.
- Implement an Emergency Notification System that enables important emergency messages to be delivered to employees and students in a timely and reliable manner in the event of an emergency.

Security Management

Recommendations: create a risk-based security assurance function in order to help prevent unauthorized access to information and improve our network security, data integrity, asset management, and software acquisition and development. Create responsibility among stakeholders for protecting access delegation for all college data, and add standards for appropriate use. Develop and implement processes to remove PII (Personally Identifiable Information). Create and implement separate secure zones for production and testing, and ensure data, networks, and systems are secure.

Monitoring system: implement a software delivery infrastructure to support the delivery and management of software applications on college-managed desktops and servers.

Access





I recommend using access forms for new employees, students, faculty, and/or administrative staff. If they lose or forget their password, they must use the access forms.

Business Continuity/Disaster Recovery

The development and test execution of a comprehensive Disaster Recovery (DR) and Business Continuity Plan (BCP) is key to a successful implementation should the need arise. IT must provide an effective and robust disaster recovery and business continuity plan that includes both headquarters and campus IT assets.


Oglala Lakota College Vulnerabilities

In Scope

The following activities are within the scope of this project:

- Interviews with key staff members in charge of policy, administration, day-to-day operations, system administration, network management, and facilities management.

- A visual walk-through of the facilities with administrative and facilities personnel to assess physical security.

- A series of network scans to enumerate addressable devices and to assess each system's available network services. (These scans will be conducted from within each center's network and from the outside.)

- A configuration and security assessment of at most ten key systems at each center.

Out of Scope

The following activities are NOT part of this security assessment:

- Penetration testing of systems, networks, buildings, laboratories, or facilities.

- Social engineering to acquire sensitive information from staff members.

- Testing disaster recovery plans, business continuity plans, or emergency response plans.

Vulnerabilities

The OLC has no information security policy, let alone one that is specific to its needs and goals. I have added an appendix with appropriate security policies to be enforced.

Risk

There are several risks in not having an information security policy:

- Mistakes can be made in strategic planning without a guideline for security.

- Resources may be wasted in protecting low-value assets while high-value assets go unprotected.

- Without a policy, all security measures are merely ad hoc in nature and may be misguided.

Recommendations

- Create a policy that is in compliance with Oglala Lakota College security goals.

- Periodically review and update the policy.

Personnel

Staff vulnerabilities were discovered during the interviews with OLC staff. These are considered significant and steps should be taken to address them.

There is no information security officer

An information security officer is responsible for the overall security of an organization. He or she must help create security policy, enforce it, and act as the primary security contact.

Risk

Without an information security officer, important security issues may not receive the proper attention. The overall security of the OLC may suffer.

Recommendations

- Designate an existing employee to fill the role of information security officer, or hire a qualified candidate for the position.

- Provide training opportunities to the information security officer.

- Encourage and support the acquisition of security certification(s).

After reviewing the report written by Pauli Consulting, a network penetration test is imperative, because the vulnerabilities discovered during that assessment must be taken into consideration.

The OLC systems are not protected by an appropriate network firewall.

A firewall is a network gatekeeper: based on a configurable set of rules, the firewall determines which network connections to allow or deny. There are generally three types of attacks that a properly configured firewall helps prevent: intrusion, denial-of-service, and information theft. (A firewall drops unwanted traffic before it reaches a service; it cannot by itself absorb a volumetric denial-of-service that saturates the link.) There are two types of firewalls: (a) one incorporated into the operating system (software-based, protecting a single host) and (b) one that protects a group of networked systems (hardware-based, at the network perimeter). The OLC systems are inconsistently protected by software-based firewalls: most of the workstations have firewall software installed and configured, but some do not.

Risk

There are several risks in running network services without a firewall:

- Incoming network-based scans and attacks are not easily detected or prevented.

- Attackers target vulnerable network services.

- Attacks are not isolated and damage cannot be contained.

- Network probing for vulnerabilities slows system and network performance.

Recommendations

- Enable operating system firewalls where available.

- Install a hardware-based firewall at the network perimeter.

- Configure firewall rule sets to be very restrictive: deny by default, and allow only the services each host must expose, from only the sources that need them.
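To make the last recommendation concrete, the following is an added example written for this edit, not code from the consultant's report or from the Pauli Consulting evaluation. It is a small first-match rule evaluator in Go with an explicit default verdict, run over a permissive and a restrictive policy against constructed connection attempts. The management subnet 10.10.0.0/24, the exposed web port, and the sample source addresses are assumptions, not OLC's real addressing. A production perimeter expresses the same policy in the firewall's own rule language, but the Audit function shows the two things to look for in any rule set: a default of allow, and any-source rules that open more than a single service.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Action is the verdict a rule (or the default policy) returns.
type Action int

const (
	Deny Action = iota
	Allow
)

// Rule matches a flow by direction, source prefix, protocol and destination port range.
type Rule struct {
	Name    string
	Inbound bool
	Src     netip.Prefix // source addresses the rule applies to
	Proto   string
	PortLo  uint16
	PortHi  uint16
	Action  Action
}

// Policy is an ordered rule list plus the verdict used when nothing matches.
type Policy struct {
	Name    string
	Rules   []Rule
	Default Action
}

// Flow is one connection attempt to evaluate.
type Flow struct {
	Inbound bool
	Src     netip.Addr
	Proto   string
	DstPort uint16
}

// Evaluate returns the verdict and the name of the rule that decided it; first match wins.
func (p Policy) Evaluate(f Flow) (Action, string) {
	for _, r := range p.Rules {
		if r.Inbound == f.Inbound && r.Proto == f.Proto && r.Src.Contains(f.Src) &&
			f.DstPort >= r.PortLo && f.DstPort <= r.PortHi {
			return r.Action, r.Name
		}
	}
	return p.Default, "default"
}

// Audit reports the two classic rule-set weaknesses: a permissive default, and an
// inbound allow from any source (/0) that spans more than one port.
func Audit(p Policy) []string {
	var findings []string
	if p.Default == Allow {
		findings = append(findings, "default policy is ALLOW; every unlisted service is reachable")
	}
	for _, r := range p.Rules {
		if r.Action == Allow && r.Inbound && r.Src.Bits() == 0 && r.PortHi-r.PortLo > 0 {
			findings = append(findings, fmt.Sprintf("rule %q allows any source to ports %d-%d", r.Name, r.PortLo, r.PortHi))
		}
	}
	return findings
}

func mustPrefix(s string) netip.Prefix { return netip.MustParsePrefix(s) }

// Permissive is an "everything open" policy, included only for contrast.
var Permissive = Policy{
	Name:    "permissive",
	Default: Allow,
	Rules: []Rule{
		{Name: "allow-all-in", Inbound: true, Src: mustPrefix("0.0.0.0/0"), Proto: "tcp", PortLo: 1, PortHi: 65535, Action: Allow},
	},
}

// Restrictive: default deny; only HTTPS is exposed to the Internet, and the
// administrative protocols only from an assumed management subnet (10.10.0.0/24).
var Restrictive = Policy{
	Name:    "restrictive",
	Default: Deny,
	Rules: []Rule{
		{Name: "web-from-anywhere", Inbound: true, Src: mustPrefix("0.0.0.0/0"), Proto: "tcp", PortLo: 443, PortHi: 443, Action: Allow},
		{Name: "ssh-from-mgmt", Inbound: true, Src: mustPrefix("10.10.0.0/24"), Proto: "tcp", PortLo: 22, PortHi: 22, Action: Allow},
		{Name: "rdp-from-mgmt", Inbound: true, Src: mustPrefix("10.10.0.0/24"), Proto: "tcp", PortLo: 3389, PortHi: 3389, Action: Allow},
	},
}

// SampleFlows are constructed connection attempts, not captured traffic.
var SampleFlows = []Flow{
	{Inbound: true, Src: netip.MustParseAddr("198.51.100.7"), Proto: "tcp", DstPort: 443},
	{Inbound: true, Src: netip.MustParseAddr("198.51.100.7"), Proto: "tcp", DstPort: 3389},
	{Inbound: true, Src: netip.MustParseAddr("10.10.0.25"), Proto: "tcp", DstPort: 22},
	{Inbound: true, Src: netip.MustParseAddr("198.51.100.7"), Proto: "tcp", DstPort: 1433},
}

func main() {
	for _, p := range []Policy{Permissive, Restrictive} {
		fmt.Printf("policy %s: findings=%v\n", p.Name, Audit(p))
		for _, f := range SampleFlows {
			a, by := p.Evaluate(f)
			fmt.Printf("  %s -> :%d allowed=%v (by %s)\n", f.Src, f.DstPort, a == Allow, by)
		}
	}
}
```

Under the restrictive policy the RDP and SQL Server attempts from the Internet fall through to the default deny, while the same attempts succeed under the permissive policy; that difference is exactly what "very restrictive" buys.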

Application security

Vulnerabilities discovered during the assessment:

- Sensitive information within the database is not encrypted.

Sensitive information in databases can be encrypted to protect confidentiality. If an attacker gets unauthorized access to the database, sensitive information still cannot be read.

Risk

If an attacker gains access to the database, sensitive information stored in the database can be viewed and modified.

Recommendations

- Examine the changes required to support encrypted database tables or columns.

- Modify web and database software to work with encrypted data.

- Safely store and protect the encryption keys, separately from the database that holds the ciphertext.
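As an added example, not code from the report, the Go program below shows what "work with encrypted data" looks like at the column level: AES-256-GCM per value, a fresh random nonce per write, the row id and column name bound as associated data so a ciphertext cannot be copied between rows or columns, a key-version byte so keys can be rotated without re-encrypting everything at once, and the keys held in a keyring populated from outside the database (here, for the example, in memory; in production from a key management service or HSM). Because GCM is authenticated encryption it also covers the "modified" half of the risk above: a tampered value fails to decrypt instead of silently yielding altered data. The Student table, column names, and sample values are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// Keyring holds data-encryption keys by version. The keys must never live in the
// database that stores the ciphertext; this in-memory keyring is an assumption
// for the example and stands in for a KMS or HSM.
type Keyring struct {
	current uint8
	keys    map[uint8][]byte
}

func NewKeyring(version uint8, key []byte) *Keyring {
	return &Keyring{current: version, keys: map[uint8][]byte{version: key}}
}

// Rotate installs a new key version for future writes; older versions stay
// readable so rows can be re-encrypted gradually.
func (k *Keyring) Rotate(version uint8, key []byte) {
	k.keys[version] = key
	k.current = version
}

// aad binds a ciphertext to its row and column so it cannot be relocated.
func aad(rowID, column string) []byte { return []byte(rowID + "\x00" + column) }

// EncryptField seals one column value. Stored layout, base64-encoded:
// version byte || 12-byte nonce || GCM ciphertext and tag.
func (k *Keyring) EncryptField(rowID, column, plaintext string) (string, error) {
	block, err := aes.NewCipher(k.keys[k.current])
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	out := append([]byte{k.current}, nonce...)
	out = gcm.Seal(out, nonce, []byte(plaintext), aad(rowID, column))
	return base64.StdEncoding.EncodeToString(out), nil
}

// DecryptField reverses EncryptField; it must be given the same row id and column.
func (k *Keyring) DecryptField(rowID, column, stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	if len(raw) < 1 {
		return "", errors.New("ciphertext too short")
	}
	key, ok := k.keys[raw[0]]
	if !ok {
		return "", fmt.Errorf("unknown key version %d", raw[0])
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	ns := gcm.NonceSize()
	if len(raw) < 1+ns+gcm.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, raw[1:1+ns], raw[1+ns:], aad(rowID, column))
	if err != nil {
		// Wrong key, wrong row/column, or tampered data: never return partial plaintext.
		return "", errors.New("decryption failed")
	}
	return string(pt), nil
}

// Student is a constructed row; only the sensitive column is stored encrypted.
type Student struct {
	ID     string
	Name   string // not sensitive, left in clear so it can be searched
	SSNEnc string // encrypted
}

func main() {
	key := make([]byte, 32) // AES-256; in production fetched from the key service
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	kr := NewKeyring(1, key)
	row := Student{ID: "S-1001", Name: "example student"}
	row.SSNEnc, _ = kr.EncryptField(row.ID, "ssn", "000-00-0000")
	fmt.Println("stored:", row.SSNEnc)
	pt, err := kr.DecryptField(row.ID, "ssn", row.SSNEnc)
	fmt.Println("decrypted:", pt, err)
	_, err = kr.DecryptField("S-2002", "ssn", row.SSNEnc) // copied to another row
	fmt.Println("moved to another row:", err)
}
```

Encrypted columns cannot be searched or indexed by value, which is the real cost behind "modify web and database software to work with encrypted data": queries that need equality lookups on a protected field require a separate keyed hash (blind index), and the application, not the database, performs all encryption so the key never reaches the database host.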

Operational security

Vulnerabilities

There is no standard for security management. A security standard is a document that defines and describes the process of security management for an organization.

Risk

Without a guideline for security practices, those responsible for security may not apply adequate controls consistently throughout the OLC.

Recommendations

- Evaluate existing security standards such as ISO 17799 (since renumbered ISO/IEC 27002).

- Adapt an existing standard for use within the OLC.

- Inform and train personnel on use of the standard.

- Audit information systems and procedures to ensure compliance.

Physical security

Vulnerabilities

OLC has no security department to enforce compliance with security policies, and the policies themselves do not yet exist. The building group contains vulnerabilities within the OLC office. The security perimeter group includes the exterior office windows, doors, alarm system, and the surrounding area. The server room contains the server equipment; it needs to be rebuilt, or a separate purpose-built room created for the equipment.

Building vulnerabilities

There are doors in the interior OLC office area that are normally unlocked or can be forced open even when locked. The server room is unlocked.

Risk

These doors protect valuable assets of the OLC. A determined attacker, thief, or disgruntled employee could get through them with minimal effort to steal and/or destroy equipment and data.

Recommendations

- Replace current doors with stronger fire doors.

- Replace existing door hardware with high-security locks.

- Weld exterior hinge pins in place.




Security perimeter vulnerabilities

Vulnerabilities

There is no entryway access control system. An entryway access control system limits physical access to a secure area to authorized personnel with the correct PIN or access card. These systems have either a control panel where a correct PIN must be entered before entry is allowed, or a unique access card (contact or contactless) for each person. Advanced systems log each entry into the secure area.

Risk

There are several risks in not having an entryway access control system:

- Unauthorized people can enter secure areas unescorted.

- There is no record of personnel entries into secure areas.

- It is not possible to disable access for a specific person.

Recommendations

- Evaluate available and suitable entryway access systems.

- Develop appropriate procedures for assigning and removing access.

- Install an appropriate system and assign access rights.

Server area vulnerabilities

The backup media are not protected from fire, theft, or damage

Explanation

The backup media are stored near the backup system on an open shelf in the server area. The media could be stolen, misplaced, accidentally erased, dropped, or destroyed in a fire. If a system or data must be recovered, the media may not be available or functional when needed.

Risk

The operation of the OLC can be impacted if the backup media are not available due to theft, damage, or fire.

Recommendations

- Purchase and install a lockable, fireproof media safe. Secure it to the floor and/or wall.

- Keep a second copy of the backups off-site, so that a fire that destroys the server area does not also destroy the only recovery media.

B. Penetration Testing Proposal

What is a penetration test?

A penetration test is a method of evaluating the security of a computer system or network by simulating an attack by a hacker. The process involves an active analysis of the system for any weaknesses, technical flaws, or vulnerabilities. This analysis is carried out from the position of a potential attacker and can involve active exploitation of security vulnerabilities. Any security issues that are found are presented to the system owner together with an assessment of their impact and often with a proposal for mitigation or a technical solution.

Why conduct a penetration test?

From a business perspective, penetration testing helps safeguard your organization against failure through:

- Preventing financial loss through fraud (hackers, extortionists, and disgruntled employees) or through lost revenue due to unreliable business systems and processes.

- Proving due diligence and compliance to your industry regulators, customers, and shareholders. Non-compliance can result in your organization losing business, receiving heavy fines, gathering bad PR, or ultimately failing. At a personal level it can also mean the loss of your job, prosecution, and sometimes even imprisonment.

- Protecting your brand by avoiding loss of consumer confidence and business reputation.

From an operational perspective, penetration testing helps shape information security strategy through:

- Identifying vulnerabilities and quantifying their impact and likelihood so that they can be managed proactively; budget can be allocated and corrective measures implemented.

What can be tested?

All parts of the way that your organization captures, stores, and processes information can be assessed: the systems that the information is stored in, the transmission channels that transport it, and the processes and personnel that manage it. Examples of areas that are commonly tested are:

- Off-the-shelf products (operating systems, applications, databases, networking equipment, etc.)

- Bespoke development (dynamic web sites, in-house applications, etc.)

- Telephony (war-dialing, remote access, etc.)

- Wireless (Wi-Fi, Bluetooth, IR, GSM, RFID, etc.)

- Personnel (screening process, social engineering, etc.)

- Physical (access controls, dumpster diving, etc.)

What should be tested?

Ideally, your organization should already have conducted a risk assessment, so it will be aware of the main threats (such as communications failure, e-commerce failure, loss of confidential information, etc.) and can now use a security assessment to identify any vulnerabilities that are related to those threats. If you haven't conducted a risk assessment, it is common to start with the areas of greatest exposure, such as the public-facing systems: web sites, email gateways, remote access platforms, etc.

Sometimes the "what" of the process may be dictated by the standards that your organization is required to comply with. For example, a credit-card handling standard (like PCI DSS) may require that all the components that store or process cardholder data are assessed.

Choosing a security partner

Another critical step to ensure that your project is a success is choosing which supplier to use.

As an absolute fundamental when choosing a security partner, first eliminate the supplier who provided the systems that will be tested. Using them creates a conflict of interest (will they really tell you that they deployed the systems insecurely, or will they quietly ignore some issues?).

Detailed below are some questions that you might want to ask your potential security partner:


- Is security assessment their core business?

- How long have they been providing security assessment services?

- Do they offer a range of services that can be tailored to your specific needs?

- Are they vendor independent (do they have NDAs with vendors that prevent them passing information to you)?

- Do they perform their own research, or are they dependent on out-of-date information that is placed in the public domain by others?

- What are their consultants' credentials?

- How experienced is the proposed testing team (how long have they been testing, and what is their background)?

- Do they hold professional certifications, such as PCI QSA, CISSP, CISA, and CHECK?

- Are they recognized contributors within the security industry (white papers, advisories, public speakers, etc.)?

- Are CVs available for the team that will be working on your project?

- How would the supplier approach the project?

- Do they have a standardized methodology that meets and exceeds the common ones, such as OSSTMM, CHECK, and OWASP?

- Can you get access to a sample report to assess the output (is it something you could give to your executives; does it communicate the business issues in a non-technical manner)?

- What is their policy on confidentiality?

- Do they outsource or use contractors?

- Are references available from satisfied customers in the same industry sector?

- Is there a legal agreement that will protect you from negligence on behalf of the supplier?

- Does the supplier maintain sufficient insurance cover to protect your organization?

The most important steps of penetration testing

1. Enumeration

2. IP scanning

3. Assessing discovered services

4. Finding or writing exploits

5. Exploiting the target system

6. Documenting the vulnerabilities and recommending how to close the holes.
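Steps 1 to 3, and the in-scope "network scans to enumerate addressable devices and assess each system's available network services" earlier in this report, are shown below as an added Go example; it is not a tool from the report or from any vendor named in it. It expands a port specification, TCP-connects to each port with a timeout, records any banner the service volunteers (SSH, SMTP and FTP greet the client; HTTP does not), and flags the services a tester would assess first. So that it runs without touching a real host, it scans a loopback listener the program starts itself with a constructed SSH-style banner; pointing ScanHost at anything else requires the system owner's written authorization.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"sort"
	"strings"
	"time"
)

// ScanResult records one open port and whatever banner the service volunteered.
type ScanResult struct {
	Port   int
	Banner string
}

// PortRange expands "22,80,443,1024-1030" into a sorted, de-duplicated list.
func PortRange(spec string) ([]int, error) {
	seen := map[int]bool{}
	for _, part := range strings.Split(spec, ",") {
		part = strings.TrimSpace(part)
		var lo, hi int
		switch n, _ := fmt.Sscanf(part, "%d-%d", &lo, &hi); n {
		case 2:
		case 1:
			hi = lo
		default:
			return nil, fmt.Errorf("bad port spec %q", part)
		}
		if lo < 1 || hi > 65535 || lo > hi {
			return nil, fmt.Errorf("port out of range in %q", part)
		}
		for p := lo; p <= hi; p++ {
			seen[p] = true
		}
	}
	ports := make([]int, 0, len(seen))
	for p := range seen {
		ports = append(ports, p)
	}
	sort.Ints(ports)
	return ports, nil
}

// ScanHost attempts a TCP connect to every port and, where one is accepted, reads
// at most one line the service sends unprompted. Refused or filtered ports are
// simply absent from the result; a connect scan cannot tell those two apart.
func ScanHost(host string, ports []int, timeout time.Duration) []ScanResult {
	var results []ScanResult
	for _, p := range ports {
		conn, err := net.DialTimeout("tcp", net.JoinHostPort(host, fmt.Sprint(p)), timeout)
		if err != nil {
			continue
		}
		conn.SetReadDeadline(time.Now().Add(timeout))
		banner, _ := bufio.NewReader(conn).ReadString('\n')
		conn.Close()
		results = append(results, ScanResult{Port: p, Banner: strings.TrimSpace(banner)})
	}
	sort.Slice(results, func(i, j int) bool { return results[i].Port < results[j].Port })
	return results
}

// Assess flags what a tester looks at first: clear-text or directly exposed
// administrative and database services, and banners that disclose a version.
func Assess(results []ScanResult) []string {
	exposed := map[int]string{21: "ftp", 23: "telnet", 1433: "mssql", 3306: "mysql"}
	var findings []string
	for _, r := range results {
		if svc, ok := exposed[r.Port]; ok {
			findings = append(findings, fmt.Sprintf("port %d (%s): clear-text or directly exposed service", r.Port, svc))
		}
		if r.Banner != "" {
			findings = append(findings, fmt.Sprintf("port %d: banner discloses %q", r.Port, r.Banner))
		}
	}
	return findings
}

// StartFakeService listens on an ephemeral loopback port and greets each client
// with banner; it stands in for a real server so the scan has a target.
func StartFakeService(banner string) (port int, stop func(), err error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return 0, nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			c.Write([]byte(banner + "\r\n"))
			c.Close()
		}
	}()
	return ln.Addr().(*net.TCPAddr).Port, func() { ln.Close() }, nil
}

func main() {
	port, stop, err := StartFakeService("SSH-2.0-OpenSSH_5.3") // constructed banner
	if err != nil {
		panic(err)
	}
	defer stop()
	ports, _ := PortRange(fmt.Sprintf("%d,%d", port, port+1))
	results := ScanHost("127.0.0.1", ports, 500*time.Millisecond)
	for _, r := range results {
		fmt.Printf("open %d banner=%q\n", r.Port, r.Banner)
	}
	for _, f := range Assess(results) {
		fmt.Println("finding:", f)
	}
}
```

The banner is the bridge to step 4: a version string such as the constructed one above is what a tester matches against known advisories before deciding whether an exploit exists for the service, and it is also the first thing to remove or generalize on the defending side.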

Types of penetration testing

- Black-box test: closely simulates an external attacker, with very little or no knowledge given about the systems to be tested (except the IP address ranges or a domain name). The penetration tester is usually on his or her own to gather as much information about the target network or systems as possible, which is then used to perform the test.

o External penetration testing: servers, core software, and other infrastructure such as web servers, mail servers, firewalls, and routers.

o Internal security assessment: similar to external, covering protocol and network infrastructure vulnerabilities, server operating system and application vulnerabilities, internal controls and procedures, unsuitable user privileges, and the internal firewalls separating subnetworks.

o Application security assessment: similar to external, focused on the applications themselves.

o Network security assessment: identifies risks and vulnerabilities that may harm the network or violate security policies. It provides the information that is needed to make network security decisions.

o Wireless/remote access security assessment: deals with the security risks associated with wireless devices; the ones most under threat are 802.11 wireless networks and Internet access through broadband.

o Telephony security assessment: deals with the security issues of voice technologies. Penetration testers may attempt to exploit the PBXs to route calls at the target's expense, or check voice mailbox deployment and security, voice over IP (VoIP) integration, unauthorized modem use, and the associated risks.

o Social engineering assessment: addresses the human vulnerabilities attackers exploit within a network. Testers use techniques such as eavesdropping, dumpster diving, guessing employee passwords, and trying to memorize access codes by observing people.

- White-box test: the penetration tester is provided with complete knowledge about the network or systems to be tested, including IP address schema, source code, OS details, etc. This can be considered a simulation of an attack by an insider who might be in possession of the above knowledge.

- Grey-box test: this testing simulates an attack that could be carried out by a disgruntled, disaffected staff member. The testing team is supplied with appropriate user-level privileges and a user account, and access to the internal network is permitted by relaxation of specific security controls present on the network, i.e., port-level security.


C. INTRODUCTION AND BACKGROUND

PURPOSE OF THE REQUEST FOR PROPOSAL

Introduction

Christine Stagnetto-Zweig Consultant was invited by Dr. Giraud (Instructional Vice-President) and Jim Dudek (Coordinator of Distance Learning Education) to perform an initial evaluation of the Oglala Lakota College and the http://www.olc.edu website and associated functionality. Testing will occur between March 21st and March 26th, 2011, and will be performed via the Internet.

Oglala Lakota College requested a full-scale external and internal penetration test and technical risk analysis for its institutional network on the 21st of February, 2011. The assessment was to be done with no prior or internal knowledge of the infrastructure, systems, or applications.

Oglala Lakota College is a four-year public college located in Kyle, South Dakota. Enrollment stands at about 1800 students, and as an educational institution the College must balance information security and IT compliance issues with the open nature expected of a higher education institution.

As such, the College requires the services described herein to ensure its security program adequately meets all needs of the College while addressing reasonable risks.

Under this Service Order, the College authorizes Christine Stagnetto-Zweig to conduct certain independent security assessment services based on industry-accepted best practices. Christine Stagnetto-Zweig is a highly respected expert on both information security and regulatory best practices for IT organizations.


Christine Stagnetto-Zweig Consultant has worked with IT is LLC, established in 2008, which served as an IT audit and compliance firm for regulatory requirements and IT security best practices.

She has served and provided services covering:

Regulatory compliance assessments for:

o The Gramm-Leach-Bliley Act (GLBA) for financial services

o The Health Insurance Portability and Accountability Act (HIPAA) for healthcare

o The Federal Information Security Management Act (FISMA) for certain federal systems and their business partners

o The Sarbanes-Oxley Act (SOX) for evaluation of IT controls over financial reporting

General IT security and risk assessments

In accordance with industry best practices for risk management and IT governance (NIST SP 800 series, COBIT, FFIEC, etc.).

Incident response and computer forensics

For known or suspected compromise of sensitive data, including personally identifiable information (PII), payment card data, intellectual property, and others.

A sample of services that complement Christine Stagnetto-Zweig Consultant's regulatory practice includes:

o Vulnerability Assessments

o Penetration Testing

o Application Security Assessments

o Application Security Code Review

o Business Continuity Planning

o IT Security Training




My Understanding of Your Environment

Business Overview

The College operates a fairly centralized IT infrastructure, with departments leveraging a common IT infrastructure that is managed by a few personnel. Some of that infrastructure needs to change: it needs to be more robust, it needs more IT personnel, and it needs a new Security Information Department. To limit the scope of this project, the College is only concerned with the following systems:

- Human Resources

- Finance

- Registrar Office

- Financial Aid

- IT

- Student Affairs

Network Overview

The systems are characterized by the following:

# locations

# servers

# of PCs

Core System

Network Segmentation / VLANs


Reporting Expectations

The College requires two levels of reporting:

- Executive Summary, for College executives, and for sharing with other stakeholders deemed appropriate by the College

- Assessment Reports, for College IT staff


Task 1: Project Charter

The engagement is initiated with a project charter designed to align all project participants to project objectives, tasks, deliverables, and schedules. Key charter activities are listed below:

Introduction and Charter: Introduction of all stakeholders and coordination of project team members, dates, deliverables, and expectations. Establish and agree on roles and responsibilities for project team members. Identify primary project contact points for project activities. Deployment of a secure project portal for stakeholder collaboration.

Provide Document Request List: Christine Stagnetto-Zweig Consultant will provide a "documentation request list" to be reviewed as part of Task 2 in advance of project testing activities. This list will be adapted to any specific environment requirements during the charter.

Timelines and Milestones: Establish and agree on timelines and milestones. Set status meeting dates and target deliverable timeframes.

Establish Project Management Processes: Align stakeholders to the project management process and establish overall project management roles.


Task 2: Risk Assessment

Christine Stagnetto-Zweig Consultant has a proven methodology for information risk assessment. She will work with the College to develop a standards-based IT risk assessment. The risk assessment process will provide key insight into the business, business processes, supporting technology, threats, vulnerabilities, and risks within the environment that require controls.

The output of the risk assessment process will be a prioritized remediation roadmap of high-risk areas mapped to regulatory and business requirements. The process developed will provide the methodology and framework for the College to perform ongoing risk management.

Benefits of such an approach include:

- Beginning the formalization of a standards-based risk assessment process that aligns to NIST SP 800-30 (Risk Management Guide for Information Technology Systems) and SP 800-39 (Managing Risk from Information Systems).

- A more comprehensive understanding of information and technology assets, control requirements, and control programs at the College.

- Risk justification for security and control program design and budget.

- A foundation for the College to build a common controls framework aligned to regulatory requirements and the College's inherent risk.

- Meeting requirements for PCI, HIPAA, GLBA, and other IT-related regulations.


The following diagram highlights the Risk Assessment methodology:

IT Risk Management and Security Governance




Security Evaluation Report
Proposal by Christine Stagnetto
-
Zweig©2011

Page
49


Sub-Task A: IT Asset Classification

Christine will work with the College to identify information assets and develop IT asset classifications. The first task within the risk assessment process includes:

- Inventory information systems (servers, workstations, network equipment)

- Inventory information assets (critical data, sensitive information)

- Create security categorization for information

- Derive security categorizations for systems

Sub-Task B: Risk Assessment

Once the information assets have been identified, Christine Stagnetto-Zweig Consultant will work with the College to facilitate the risk assessment process. The risk assessment process includes:

- Inventory business processes

- Align business processes to information and systems inventories

- Revise information and system security categorization

- Identify regulatory and other compliance requirements

- Assess threat environment

- Assess control and process vulnerabilities

- Identify and assess current controls

- Identify residual risk

Sub-Task Deliverable: Risk presentations for Information Systems Management and also Executive Management.

Sub-Task C: Control Framework

Once operations and compliance requirements have been determined, Christine Stagnetto-Zweig Consultant will develop a Consolidated Control Framework. This will reflect the controls that need to be in place to achieve the desired state identified in the risk assessment. The Control Framework will be supplemented with alignment to industry best practices, such as NIST and ISO. This Control Framework will serve as the benchmark for the Gap Analysis.

Sub-Task Deliverable: Control Framework

Sub-Task D: Gap Analysis

Christine Stagnetto-Zweig Consultant will benchmark the College between its current state and the desired state identified in the Control Framework. The Gap Analysis will provide specific recommendations for remediation in order to adequately remediate the risk. The Gap Analysis further prioritizes the remediation recommendations into a Remediation Roadmap.

The Remediation Roadmap is a timeline of remediation activities. It is a planning document that prioritizes remediation activities based on severity of gap, cost, and ease of remediation. It is an iterative document that Christine Stagnetto-Zweig Consultant will develop with the College. The Roadmap also includes an initial budget estimate in terms of labor, hardware, and software for each activity.

Christine Stagnetto-Zweig Consultant can help the College execute against the Remediation Roadmap in separate Service Orders once those gaps are identified.

Sub-Task Deliverable: Gap Analysis & Remediation Roadmap

Task 3: Controls Review

Christine Stagnetto-Zweig Consultant has consolidated more than 1,000 industry-standard controls into a Common Controls Framework. Controls are aligned to industry best practices including the NIST SP 800 series, ISO 27002, GLBA, HIPAA, PCI, and other regulations. Controls assessed include:

Administrative:
- IT Security Program and Policy
- Risk Assessment Program
- Information Security Oversight
- Incident Response
- Personnel Controls
- Change Management
- System Acquisition & Development
- Vendor Management
- Business Continuity Plans
- Maintenance
- Segregation of Duties

Technical:
- Configuration and Access Management
- Authentication & Authorization
- Network Controls
- Remote Access
- Application Access
- Firewall & Perimeter Controls
- Database Security Controls
- Logging & Monitoring
- Backup, Recovery and Storage
- A/V, Malicious Code Controls
- Intrusion Detection

Physical:
- Building Controls
- Datacenter Controls
- Identification & Badges
- Hardware Movement
- PC Controls
- Laptop, Mobile Device Controls
- Media Controls
- Environmental Controls
- Data Classification
- Document Destruction
- Redundancy
- Backup Handling




Objective

The objective of the analysis is to simulate an attack to assess the institution's level of resistance, discover weak links, and provide recommendations and guidelines for the vulnerable entities discovered.

This report contains sub-sections. Each sub-section discusses in detail all relevant issues or avenues used by attackers to compromise systems and gain unauthorized access to sensitive information. Every issue includes an overview, the issues found, and security guidelines which, if followed correctly, will protect the integrity of the systems/devices/applications.

The offensive security assessment methodology includes structured review processes based on recognized "best-in-class" practices as defined by organizations such as the U.S. National Security Agency (NSA), the BS 7799/ISO 17799 Information Security Standard, and the Common Criteria (CC).

1.2 Global Objectives

1. Breach the security of Oglala Lakota College and gain access to sensitive information on the DMZ network

2. Breach the security of Oglala Lakota College and gain access to sensitive information on the internal network

3. Recommend best security practices and guidelines that would mitigate these attacks

4. Identify threats

5. Identify vulnerabilities

6. Analyze risks

7. Identify recommended corrective actions

8. Document results

9. Gain a better understanding of potential network vulnerabilities that may be visible from the Internet

10. Determine if the current wireless network is configured securely

11. Evaluate the security associated with public self-service web applications

The goal of this step is to develop a list of the system vulnerabilities (flaws or weaknesses) that could be exploited by the potential threat sources. The identification of vulnerabilities can take many forms based on various types of risk assessments. The following will be used to determine the vulnerabilities within the system. The risk analysis for each vulnerability consists of assessing the threats and compensating controls to determine the likelihood that the vulnerability could be exploited and the potential impact should the vulnerability be exploited.

Methodology

These activities are part of Christine Stagnetto-Zweig Consultant's ongoing risk management program and are focused on identifying the risk level OLC is currently exposed to, so that an appropriate set of responses to those threats can be developed.

OLC is seeking to identify and select an outside independent organization to perform the activities listed above. The remainder of this document provides additional information that will allow a service provider to understand the scope of the effort and develop a proposal in the format desired by OLC.

ADMINISTRATIVE

TECHNICAL CONTACT

Any questions concerning technical specifications or Statement of Work (SOW) requirements must be directed to:

Name:
Address:
Phone:
FAX:
Email:

CONTRACTUAL CONTACT

Any questions regarding contractual terms and conditions or proposal format must be directed to:

Name:
Address:
Phone:
FAX:
Email:




DUE DATES

A written confirmation of the Vendor's intent to respond to this RFP is required by XX/XX/XX. All proposals are due by time am/pm on XX/XX/XX. Any proposal received at the designated location after the required time and date specified for receipt shall be considered late and non-responsive. Late proposals will not be evaluated for award.


SCHEDULE OF EVENTS

Event: Date

1. RFP distribution to Vendors:

2. Written confirmation of Vendors with bid intention:

3. Questions from Vendors about scope or approach due:

4. Responses to Vendors about scope or approach due:

5. Proposal due date:

6. Target date for review of proposals:

7. Final Vendor selection discussion(s): week of

8. Anticipated decision and selection of Vendor(s):

9. Anticipated commencement date of work:



Proposal Submission

Award of the contract resulting from this RFP will be based upon the most responsive Vendor
whose offer will be the most advantageous to OLC in terms of cost, functionality, and other
factors as specified elsewhere in this RFP.

OLC reserves the right to:

- Reject any or all offers and discontinue this RFP process without obligation or liability to
  any potential Vendor,
- Accept other than the lowest priced offer,
- Award a contract on the basis of initial offers received, without discussions or requests
  for best and final offers, and
- Award more than one contract.


Vendor's proposal shall be submitted in several parts as set forth below. The Vendor will confine
its submission to those matters sufficient to define its proposal and to provide an adequate basis
for OLC evaluation of the Vendor proposal.

In order to address the needs of this procurement, OLC encourages Vendors to work
cooperatively in presenting integrated solutions. Vendor team arrangements may be desirable to
enable companies involved to complement each other's unique capabilities, while offering the
best combination of performance, cost, and delivery for the Penetration Test being provided
under this RFP. OLC will recognize the integrity and validity of Vendor team arrangements
provided that:

- The arrangements are identified and relationships are fully disclosed, and
- A prime Vendor is designated that will be fully responsible for all contract performance.

Vendor's proposal in response to this RFP will be incorporated into the final agreement between
Christine Stagnetto-Zweig and the selected Vendor(s). The submitted proposals are suggested to
include each of the following sections:

Executive Summary

This project is a multi-year project that will procure, develop, install, and support OLC
enhancements in base technical infrastructure in preparation for providing levels of security.

In this phase of the project, OLC will address:

- Penetration testing
- Application security assessments

The goals, objectives and outcomes

OLC has problems with security, and the implementation of the proposed Pen-Test will
create better knowledge of its security problems, which have increased in databases, on the
Internet, and on the internal network.

Security is a quality issue: in the cost-of-quality formula, prevention costs are those that must be
incurred to avoid perceived future costs of failure.


Identify Threats

The following table lists the threat sources considered in this assessment, with the capabilities,
threat scenarios, intentions and resources attributed to each.

Table: Threat Source List

Columns: Identifier | Source and Type | Capabilities | Threat Scenarios | Intentions/Motivations | Resources

T-01
  Source and Type: Foreign Intelligence Service over the Internet (Outsider)
  Capabilities: Highest level of sophistication
  Threat Scenarios: Hacking; Impersonation; Social Engineering; System Intrusion, Break-ins; Unauthorized system access
  Intentions/Motivations: Malicious (Political Gain; Economic Gain; Military Gain)
  Resources: Substantial (i.e., Government Financed)

T-02
  Source and Type: Terrorist over the Internet (Outsider)
  Capabilities: Highest level of sophistication
  Threat Scenarios: Hacking; Impersonation; Social Engineering; System Intrusion, Break-ins; Unauthorized system access
  Intentions/Motivations: Malicious (Political Gain; Economic Gain; Military Gain; Denial of Service; Threaten Harm to Individuals; Create Chaos)
  Resources: Substantial (i.e., Government Financed)

T-03
  Source and Type: Organized Crime over the Internet (Outsider)
  Capabilities: Highest level of sophistication
  Threat Scenarios: Hacking; Impersonation; Social Engineering; System Intrusion, Break-ins; Unauthorized system access
  Intentions/Motivations: Malicious (Economic Gain; Political Gain)
  Resources: Moderate to Substantial

T-04
  Source and Type: Individual Hacker over the Internet (Outsider)
  Capabilities: Many levels of sophistication
  Threat Scenarios: Hacking; Social Engineering; System Intrusion, Break-ins; Unauthorized system access
  Intentions/Motivations: Malicious (Challenge; Ego; Rebellion; Create Chaos)
  Resources: Minimal to Moderate

T-05
  Source and Type: Disgruntled Former Employee over the Internet (Outsider)
  Capabilities: Many levels of sophistication
  Threat Scenarios: Hacking; Social Engineering; System Intrusion, Break-ins; Unauthorized system access
  Intentions/Motivations: Malicious (Revenge; Curiosity; Ego; Monetary Gain)
  Resources: Minimal to Moderate

T-06
  Source and Type: Disgruntled Employee (System administrator, Engineering team); Local (physically on-site) via Intranet (within the firewall) (Insider)
  Capabilities: High degree of technical sophistication
  Threat Scenarios: Unauthorized Access; Browsing Proprietary Information; Fraud and Theft; Input of Falsified/Corrupt Information; Sabotage
  Intentions/Motivations: Malicious (Revenge; Curiosity; Ego; Monetary Gain)
  Resources: Moderate

T-07
  Source and Type: Disgruntled Employee (Technical support personnel); Local (physically on-site) via Intranet (within the firewall) (Insider)
  Capabilities: High degree of technical sophistication
  Threat Scenarios: Unauthorized Access; Browsing Proprietary Information; Fraud and Theft; Input of Falsified/Corrupt Information; Sabotage
  Intentions/Motivations: Malicious (Revenge; Curiosity; Ego; Monetary Gain)
  Resources: Moderate

T-08
  Source and Type: Cleaning crew, service repair crew; Local (physically on-site) and via Company Intranet (within the firewall) (Insider)
  Capabilities: Many levels of technical sophistication
  Threat Scenarios: Social Engineering; System Intrusion, Break-ins; Unauthorized system access
  Intentions/Motivations: Malicious (Curiosity; Ego; Monetary Gain)
  Resources: Moderate

T-09
  Source and Type: Careless clerical employee; Local (physically on-site) and via Company Intranet (within the firewall) (Insider)
  Capabilities: Rudimentary degree of technical sophistication
  Threat Scenarios: Input of Corrupt Information
  Intentions/Motivations: Non-Malicious (Unintentional Errors and Omissions)
  Resources: Minimal
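The risk analysis described at the start of this section (threats and compensating controls determine likelihood, which is combined with impact) can be carried out directly over the Threat Source List above. The following is an added worked example written for this report's readers; it is not code from the RFP or from Christine Stagnetto-Zweig Consulting. It encodes the table rows as data, decides which sources can reach a given vulnerability, and rates each one. The three-level ordinal scales, the mapping of the table's wording onto those levels, the "one compensating control lowers likelihood one step" rule and the 3x3 risk matrix are assumptions modelled on NIST SP 800-30, not values the RFP states; the two sample findings are constructed for illustration.

```python
"""Risk rating worked over the RFP's Threat Source List (added example).

Assumptions (not from the RFP): Low/Moderate/High ordinal scales, the
mapping of the table's Capabilities wording onto those levels, one step
of likelihood reduction per compensating control, and a 3x3 risk matrix.
"""
from dataclasses import dataclass

LEVEL = {"Low": 1, "Moderate": 2, "High": 3}
NAME = {v: k for k, v in LEVEL.items()}


@dataclass(frozen=True)
class ThreatSource:
    ident: str
    source: str
    insider: bool          # table's Insider / Outsider
    capability: str        # table's Capabilities column mapped to Low/Moderate/High (assumption)
    scenarios: frozenset   # table's Threat Scenarios column
    malicious: bool


def ts(ident, source, insider, capability, scenarios, malicious=True):
    return ThreatSource(ident, source, insider, capability, frozenset(scenarios), malicious)


NET = ("Hacking", "Social Engineering", "System Intrusion, Break-ins", "Unauthorized system access")
INSIDER = ("Unauthorized Access", "Browsing Proprietary Information", "Fraud and Theft",
           "Input of Falsified/Corrupt Information", "Sabotage")

# The nine rows of the Threat Source List, capability levels assigned by the assumption above.
THREAT_SOURCES = [
    ts("T-01", "Foreign Intelligence Service over the Internet", False, "High", NET + ("Impersonation",)),
    ts("T-02", "Terrorist over the Internet", False, "High", NET + ("Impersonation", "Denial of Service")),
    ts("T-03", "Organized Crime over the Internet", False, "High", NET + ("Impersonation",)),
    ts("T-04", "Individual Hacker over the Internet", False, "Moderate", NET),
    ts("T-05", "Disgruntled Former Employee over the Internet", False, "Moderate", NET),
    ts("T-06", "Disgruntled Employee (system administrator, engineering team)", True, "High", INSIDER),
    ts("T-07", "Disgruntled Employee (technical support personnel)", True, "High", INSIDER),
    ts("T-08", "Cleaning crew, service repair crew", True, "Moderate", NET[1:]),
    ts("T-09", "Careless clerical employee", True, "Low",
       ("Input of Falsified/Corrupt Information",), malicious=False),
]


@dataclass(frozen=True)
class Vulnerability:
    name: str
    internet_facing: bool       # reachable from the Internet, or only from the intranet
    scenarios: frozenset        # threat scenarios through which it could be exploited
    impact: str                 # Low / Moderate / High, judged by the assessor
    compensating_controls: int  # each lowers likelihood by one step (assumption)


def applicable(vuln):
    """Threat sources that can reach the vulnerability and have a matching scenario.

    Outsiders only reach Internet-facing weaknesses; insiders reach both."""
    return [t for t in THREAT_SOURCES
            if (t.insider or vuln.internet_facing) and t.scenarios & vuln.scenarios]


def likelihood(source, vuln):
    """Source capability minus compensating controls, floored at Low (1)."""
    return max(1, LEVEL[source.capability] - vuln.compensating_controls)


def risk_level(likelihood_score, impact):
    """3x3 risk matrix (assumption): product 1-2 Low, 3-4 Moderate, 6-9 High."""
    product = likelihood_score * LEVEL[impact]
    if product >= 6:
        return "High"
    if product >= 3:
        return "Moderate"
    return "Low"


def rate(vuln):
    """Per-source ratings as (identifier, likelihood name, risk level)."""
    return [(t.ident, NAME[likelihood(t, vuln)], risk_level(likelihood(t, vuln), vuln.impact))
            for t in applicable(vuln)]


def overall(vuln):
    """Highest risk level across applicable sources; 'Low' when none can reach it."""
    levels = [LEVEL[r[2]] for r in rate(vuln)]
    return NAME[max(levels)] if levels else "Low"


# Constructed sample findings (not findings from the RFP).
WEB = Vulnerability("Unpatched Internet-facing web application", True,
                    frozenset({"Hacking", "System Intrusion, Break-ins"}), "High", 0)
DATA_ENTRY = Vulnerability("No validation on intranet records form", False,
                           frozenset({"Input of Falsified/Corrupt Information"}), "Moderate", 1)

if __name__ == "__main__":
    for v in (WEB, DATA_ENTRY):
        print(v.name, "->", overall(v))
        for ident, lik, risk in rate(v):
            print("   ", ident, "likelihood", lik, "risk", risk)
```

Raising `compensating_controls` on a finding is how the "compensating controls" half of the analysis enters: with two controls in front of the web application the highly capable Internet sources drop to Low likelihood and the finding rates Moderate rather than High, which is the comparison an assessor needs when arguing for or against a control.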


These activities are part of Christine Stagnetto-Zweig Consultant's ongoing risk management
program and are focused on identifying the risk level Christine Stagnetto-Zweig Consultant is
currently exposed to so that an appropriate set of responses to those threats can be developed