Case Study: Information Security Risk Assessment On Sipem Data Analysis Company
- 27th Feb, 2019, 16:24
A comprehensive information security risk assessment was carried out on Sipem Data Analysis Company. Sipem Data Analysis analyzes data and statistics for individual and organizational clients. The assessment identified a number of risk items that the organization as a whole needs to address.
The purpose of the assessment was to identify threats and vulnerabilities affecting Sipem Data Analysis Company. The objective was to assess the system's servers and databases to determine whether they comply with current security requirements and whether they pose any risk to the confidentiality, integrity and availability of the system.
The Sipem Data Analysis system comprises several modules. The scope of the report was a comprehensive assessment of the security of the operating systems, since these are the core of the organization's system and are responsible for data manipulation and analysis. The database management system and the organization's web application were also considered, since both are supported by the operating systems being assessed.
Operating System Overview:
The Sipem Data Analysis Company system is built on Linux servers and Windows servers running Microsoft Internet Information Server. Linux handles networking and holds the data on the servers, while Windows is used by employees to record and manipulate data. The organization also runs a website that advertises the company and its services to the public. The same web application is used to control the daily operation of the organization; the number of staff and departments can be viewed from it.
Operating System Vulnerabilities:
During the assessment, servers and databases holding the data of the client organizations being worked on were found not to comply with current security principles or security check requirements. Some components, such as scanned documents, were noted to have unique vulnerabilities presenting a critical, high or medium risk that could affect the whole system and its functionality if exploited.
Some of the vulnerabilities found were:
- The web applications used an insecure encryption version to transfer data across the network.
- Some of the anti-virus software running on the servers was outdated.
- Data was sent to the database over insecure network connections.
Plan and Methodology
The team selected participants to take part in the assessment approach. Those selected play major roles in the organization:
- System owner
- System Administrator
- Network Manager
- Risk Assessment Team
The following techniques were used to carry out the assessment:
- Risk assessment questionnaires - the assessment team used a set of customized self-assessment questions, which helped the team identify the risks within the system.
- Assessment tools - security tools for testing and reviewing the vulnerabilities of the system were used.
- Interviews - these were conducted with staff in order to validate the information gathered.
- Site visit - the team visited the Sipem premises to review the firm's access and environmental controls.
- Documentation review - the team also reviewed the system documentation covering its security policies and operations.
The findings of the assessment are organized by system component:
- Application components - the in-house developed applications used Microsoft Active Server Pages running under Microsoft Internet Information Server 4.0.
- Databases - the databases were running on Linux-based database servers.
- Networks - the networks of the different departments depended on firewall checkpoints and Cisco routers.
- Protocols - the protocol used for transmission between client web browsers and web servers.
The following vulnerabilities were found during the analysis:
- SQL injection - input from website requests was not validated before being used by the web application.
- Password strength - most user account passwords were created inappropriately, making it possible for an attacker to guess them and use them to gain access to the system.
- Disaster recovery - there were no clear methods to ensure the ongoing operation of the system in the event of a business interruption or disaster.
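As an added illustration of the SQL injection finding above (example code, not from the Sipem assessment or its ASP application): the vulnerable pattern splices the request parameter into the query text, while the hardened forms bind it as a parameter and validate it against a known list first. Python with an in-memory SQLite database stands in for the ASP/SQL Server stack described; the staff table, its rows and the department allow-list are constructed for the example.

```python
import sqlite3

# Constructed sample rows standing in for the staff/department view that the
# assessment describes; this is not data from the Sipem system.
STAFF_ROWS = [
    ("alice", "Finance"),
    ("bob", "Finance"),
    ("carol", "Analytics"),
    ("dave", "Analytics"),
    ("erin", "Management"),
]

# Hypothetical allow-list of department names the web application knows about.
ALLOWED_DEPARTMENTS = {"Finance", "Analytics", "Management"}

def build_db():
    """In-memory SQLite database loaded with the constructed staff table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE staff (name TEXT, department TEXT)")
    conn.executemany("INSERT INTO staff VALUES (?, ?)", STAFF_ROWS)
    return conn

def staff_by_department_vulnerable(conn, department):
    """The pattern behind the finding: the request parameter is spliced into
    the SQL text, so a crafted value changes the meaning of the query."""
    sql = "SELECT name FROM staff WHERE department = '" + department + "'"
    return [row[0] for row in conn.execute(sql)]

def staff_by_department_safe(conn, department):
    """Hardened form: the value is bound as a parameter and is only ever
    compared as data, never parsed as SQL."""
    sql = "SELECT name FROM staff WHERE department = ?"
    return [row[0] for row in conn.execute(sql, (department,))]

def staff_by_department_validated(conn, department):
    """Validation plus binding: reject anything outside the known set before
    it reaches the database, addressing the 'not validated' part of the finding."""
    if department not in ALLOWED_DEPARTMENTS:
        raise ValueError("unknown department: %r" % department)
    return staff_by_department_safe(conn, department)

def compare(department):
    """Run the vulnerable and the parameterized query on the same input."""
    conn = build_db()
    return (staff_by_department_vulnerable(conn, department),
            staff_by_department_safe(conn, department))
```

For a legitimate department name both queries agree; for a value that carries SQL syntax, the spliced query returns every row while the bound query returns nothing and the validated version rejects the input outright.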
Among the software the team decided to install is Microsoft Baseline Security Analyzer (MBSA), which will be used to determine the security state of the Microsoft Windows environment by identifying missing security updates and recommending the configuration changes that should be made.
It is also useful for checking Microsoft SQL Server products, which the organization was found to use extensively.
Another tool to be installed, on the Linux OS, is OpenVAS, which is used for vulnerability scanning during penetration testing.
Based on the team's findings, the following recommendations were made regarding protection of the system:
- User passwords being guessed - the team recommends a different way of assigning passwords to users, enabling them to use special characters.
- Disaster recovery plans - the team urged the organization to develop and test a data recovery plan in case of any business interruption.
- The team recommended the reconfiguration of the system to remove unnecessary services.
Accepting Risk - this is the response in which a company accepts that the potential loss from a risk is not large enough to warrant spending money to prevent it from happening. (Accepting risk, n.d.)
Transferring Risk - this applies when more than one party is involved; the transfer of the risk is written into the project contract.
Mitigating Risk - here the team limits the impact of the identified risks, so that if a risk occurs the resulting problem is small, manageable and easy to fix.
Eliminating Risk - this can be done by changing the plan completely so that the risk cannot have a large impact on the organization.