Case Study (CP5603)
The CEO of XYX Bank (a local bank) is concerned about the bank's IT infrastructure. The IT/IS functions were outsourced, but he feels they were mismanaged, given several attacks in recent months. The contract for the IT/IS functions was terminated immediately.
You have been employed as a security consultant by XYX Bank to assist them in a risk management process. You are required to perform a risk management study for the bank.
After an investigation, the bank provided some details on their current infrastructure:
• The current solution uses Windows 2003 as the base server to run terminal sessions for all machines, i.e. they must log in to terminal services to use any application. All of the applications are installed on the server.
• The clients run Windows 7.
• The main database server (Windows 2003) is running a large SQL database (1.3TB) of customer data.
• No licenses (for any software) can be found
• The network has been experiencing heavy usage on the weekend, but this was not checked
• There is no documentation for any of the setup
• There is no firewall in existence apart from a very basic NAT at the Internet Gateway.
• There is no backup
• There are no basic security policies implemented (e.g. password policy)
• There is no documented list of accounts, rights or usernames
• The network performance is unacceptable and there are frequent outages
• There is no documented policy, and users are not aware of any security policies that they have to adhere to
• There is no content filtering
• All back-end servers are running with their default configuration
• None of the systems were patched
• The servers are located in a room where all users have physical access
• No proper logs were maintained
Current Servers:
• 2 Domain controllers (Authentication server)
• 2 SQL database servers
• 2 Web servers (Microsoft IIS)
• 2 File and print servers
• Terminal server
• E-mail server (Microsoft Exchange 2000)
Deliverables:
You are required to write up a detailed report on the following issues for the CEO of XYX Bank.
1. Provide a detailed asset identification for XYX Bank. You are required to identify 10 critical information assets with justification. Each asset identified is worth 1 mark. This should be accompanied by a Weighted Factor Analysis Worksheet (5 marks) and a Ranked Vulnerability Risk Worksheet (5 marks).
[20 marks]
2. Provide a detailed threat assessment for XYX Bank. You are required to identify 10 threats (1 threat to each asset) with justification and explanation of the threat. Each threat identified is worth 1 mark.
[10 marks]
3. Identify 5 major attacks that XYX Bank would be exposed to and provide a detailed description/justification for each attack; each attack should be relevant to the identified threats. 2 marks for each attack and justification.
[10 marks]
4. Propose a detailed classification scheme for XYX Bank and justify your answer. Classify the assets identified in question 1 into their respective classification levels.
[5 marks]
5. Identify 15 relevant controls and countermeasures, with explanation and justification, for the threats and attacks identified in questions 2 and 3. Each control/countermeasure is worth 1 mark.
[15 marks]
6. Plan a security education, training and awareness (SETA) program for XYX Bank. State 5 important points to be included in the SETA program for the bank's employees and justify your answer. Each point is worth 2 marks.
[10 marks]
7. Future security recommendations for XYX Bank. Identify 5 future security recommendations, each worth 2 marks.
[10 marks]
8. Professional report layout (Header/footer, introduction, conclusion, references, spell/grammar check – each worth 2 marks).
[10 marks]