The Internet has become a key tool for business communication and information sharing, and many companies would cease to function if e-mail and web access were denied for any significant period. While the growth and widespread use of the Internet has made it possible for organizations to extend the global reach of their businesses, it also exposes enterprise networks to a large variety of security threats. The number of security risks has increased significantly, and at the same time the dependence on information technology has grown, making the need for comprehensive security programs more important.
At the same time, the jobs of system administrators, who are often responsible for network security, have never been harder or more challenging. Complexity in operating systems, applications and hardware, fuelled by rapid advancements in all these areas, has brought new challenges into systems administration and network management.
This project involved the development and testing of a structured approach to IT security assessment and vulnerability analysis for mid-sized corporate networks in Kenya. The approach was developed based on a study carried out on a mid-sized corporate network and on the recommendations gathered from product vendors and leading bodies in computer security. The outcome is an IT security assessment and vulnerability analysis approach that may be used by organizations for self-certification and assurance.
Client and Initial Problem
This study was aimed at establishing and testing an approach that can enable small and mid-sized companies to deal with the IT security problems currently facing corporate networks globally. Mid-sized companies that do not have full-sized IT departments and cannot afford expensive security solutions require an alternative approach to security issues. This project tested methods that organizations could adopt in conducting security self-assessments and audits in order to identify gaps in security systems and proactively address security risks.
The identified client is the African Economic Research Consortium (AERC), which was established in 1988 as a public not-for-profit organization devoted to the advancement of economic policy research and training. With funding from donor governments, private foundations and African and international organizations, it has worked alongside African leaders to enable them to meet various economic challenges, including attracting investment, boosting growth and alleviating poverty.
Unless companies, and especially mid-sized ones, take up a different approach to network security, the number of reported incidents will continue to rise. This project provides an alternative approach and offers a method of identifying, categorizing and prioritizing security concerns. The self-assessment approach is highly recommended for use by system administrators.
Project Mission Statement
The general idea is to provide a point-in-time level of security and to describe the complex relationships between the various factors contributing to security, or the lack thereof, in the identified organization's network. Since security is difficult to quantify, the study attempted to use various metrics of measurement based on the value of assets and the priorities given to those assets by the organization. Once risks, vulnerabilities and exposures are revealed and prioritized, solutions and countermeasures are designed.
The objectives of this study were as follows:
- Develop techniques and methods that can be used for security self-assessment and vulnerability analysis.
- Using the techniques developed, test the techniques/methods at the selected site. The methods and techniques in use should be able to:
  - Identify the gaps in the management and technical environment in dealing with network security: analyze the existing security arrangements, assess their adequacy and compare them against standards set by product vendors and leaders in the industry.
  - Categorize the risks into broader categories that are easier to address, and use metrics to portray the gravity of the problems.
- Research and document baseline security settings and guidelines for providing adequate security solutions for Windows networks.
- Suggest practical security improvement solutions. Recommend an audit toolkit that can be used for self-assessments.
Investigation of the Problem Situation
New threats enter the computing environment every day. New vulnerabilities are discovered, and advancement in development tools has made it easier for developers to create viruses, worms and hacking tools. Tools are often posted on the Internet as free downloads and are therefore readily available for use by anyone with the slightest computer skills.
Companies face increasing risk from network security breaches, for the following reasons:
- The number of exploitable vulnerabilities is rapidly increasing, and the number of reported security incidents is also increasing.
- Scarcity of qualified security professionals and tighter IT budgets. System administrators have to deal with increasing complexity in networks and applications that have become more difficult to manage.
- Hacking tools are becoming automated and require less skill to use, increasing the ranks of hackers. And because these tools are automated and designed for large-scale attacks, a single hacker can inflict more damage.
- Malicious self-propagating worms, viruses, and trojans boost damage through a multiplier effect: they keep on "attacking" long after the initial incident.
- Reliance on firewalls. Are firewalls adequate in protecting middle-sized networks?
- The changing roles of system administrators: How are System Administrators dealing with new security challenges in corporate networks? The question arises, are System Administrators taking up new security responsibilities? Are companies that do not have Security Specialists at risk due to reliance on their systems administrators?
To protect corporate assets from the many security issues on the internet, organizations need to take some action and give security some serious considerations. Companies that cannot afford costly security solutions are exposed to great risks, and therefore require a different approach to network security. The approach taken in this study covers all areas of network security and can be used to identify gaps in management and technical operations. The approach prioritizes risks, measures levels of impact and therefore makes it easier to identify cost effective countermeasures. This project will drill down to identify IT risks affecting the network, administrative controls in place, technical controls and the use of penetration and vulnerability assessment tools.
The first step in this project is a structured approach towards risk management and security assessments, building on previous work done by security experts in large corporations. This is followed by an introduction to the methods used for collecting data and an overview of the population studied, including a justification for the sample population. Most of the data collected from questionnaires and tools is also captured here.
The second step of the project goes into detailed examination of security policies, procedures and the level of coverage towards security. The questionnaire is designed to analyze the existence of policies and procedures as well as check if the procedures are implemented and tested. This will delve further into configuration settings in the server environment to analyze security settings that have been implemented by system administrators in comparison to recommended settings. Additional work will involve the use of penetration and vulnerability testing tools. These tools attempt to demonstrate the effectiveness of methods/practices currently being used with a view of exposing anomalies.
The study thoroughly examines the site for security vulnerabilities, denial of service attacks, and open ports at the perimeter. The tools used actually check the efficiency of system administrators in dealing with security issues. The data collected is used to provide some metrics that measure the level of security achieved in each setting. Further, the vulnerabilities discovered are categorized and the impact of exposure measured in terms of "Single Loss Expectancy", which measures financial losses incurred each time the system is compromised due to one category of vulnerabilities.
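The following is an added example (not part of the original report) showing how the "Single Loss Expectancy" per vulnerability category described above can be turned into a prioritized list using the standard definitions SLE = asset value × exposure factor and ALE = SLE × annual rate of occurrence; the category names, asset values and factors are constructed sample figures, not data from the study.

```python
"""Prioritise vulnerability categories by Single Loss Expectancy (SLE).

Added example; not from the original report. Uses the standard textbook
definitions SLE = asset value * exposure factor and ALE = SLE * ARO.
All figures below are constructed sample values."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskCategory:
    name: str
    asset_value: float          # value of the affected asset (currency units)
    exposure_factor: float      # fraction of the asset lost per incident, 0..1
    annual_rate: float          # expected incidents per year (ARO)
    countermeasure_cost: float  # yearly cost of the proposed countermeasure

    def sle(self) -> float:
        """Loss expected from one incident in this category."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualised loss expectancy: per-incident loss times frequency."""
        return self.sle() * self.annual_rate

    def net_benefit(self) -> float:
        """Positive when the countermeasure is expected to pay for itself."""
        return self.ale() - self.countermeasure_cost


def prioritise(categories):
    """Order categories by annualised loss, highest first."""
    return sorted(categories, key=lambda c: c.ale(), reverse=True)


# Constructed sample data for a mid-sized office network (hypothetical).
SAMPLE = [
    RiskCategory("Unpatched perimeter services", 200_000, 0.25, 2.0, 12_000),
    RiskCategory("Weak password policy", 150_000, 0.10, 4.0, 2_000),
    RiskCategory("Missing backup verification", 300_000, 0.50, 0.2, 40_000),
]

if __name__ == "__main__":
    for c in prioritise(SAMPLE):
        print(f"{c.name:30} SLE={c.sle():>9,.0f} "
              f"ALE={c.ale():>9,.0f} net={c.net_benefit():>+9,.0f}")
```

Note that ranking by SLE alone would put the backup category first, while ranking by ALE puts it last; the frequency term is what makes the cheaper, more frequent problems the better first investment.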
A solution or countermeasure is recommended for each problem or category of problems discovered. An attempt has been made to make recommendations that are easy to implement and that do not carry financial costs. IT security is mostly dependent on the discipline of IT staff and management. The recommendations provided attempt to address the problems arising in the current security practices in mid-sized networks. The paper further discusses possible flaws in the work done, the assumptions made, and recommendations for future work.