
NTS 465 Final Report

Week 14
This document is an outline for the final assessment on the
client network.
Daniel Howell
4/24/2016

Executive Summary
This document is based on the assessment of the Cyber Strike Security organization's network. It
will cover the configuration of the network that was assessed, the results of the assessment, and
the recommendations based on the findings.
Cyber Strike Security is an organization that specializes in penetration testing for other
organizations. The penetration testing team is a group of skilled cyber security professionals.
They are a new company, and most have just graduated at the top of their class from the University of
Advancing Technology. They are a small organization with 15 full-time employees and 5 part-time
employees. The organization primarily works with medium-size corporations and non-profit
charity groups.
The organization requested a third party to assess their network to ensure its security. Being a
penetration testing organization, they have possible zero-day exploits and custom tools used to
test systems. They also have private knowledge of their primary customers' networks. They want
to have another group perform the assessment on their network to ensure that it is secure. The
assessment was performed over the course of one month. We were looking for possible
vulnerabilities in the systems that could result in critical loss of information. The recommendations
that we offer in the final assessment are based on our expertise and are not a guaranteed fix for
the vulnerabilities found.
The system being assessed is the part of the internal network that belongs to the Cyber
Strike organization. The system contains four workstations, three servers, two switches, and a
router. The three servers hold customer information, company information, and exploitation
tools. The exact configuration is covered in Section 3 of this report.
During the vulnerability scan that was conducted, a major vulnerability was found on one of the
servers. It is a recently disclosed vulnerability listed as CVE-2016-1879 on the CVE list. The
vulnerability allows malicious individuals to launch a denial of service attack against the system.
The server on which we found the vulnerability is the server that held the company's custom tools and
exploit database. If that server were to go down, the company would not be able to do its job.
During the same vulnerability scan we also found a major vulnerability on the
company's web server. It is a recently found exploit that is listed as CVE-2016-1636 on the CVE
list. The exploit allows a malicious individual to bypass the security protocols that are in place and
gain access to the whole system from the web server. If it is not patched, the company risks a
massive data leak.
We would like to thank the Cyber Strike team for assisting in the assessment process. The
assessment was successful and all results are outlined in the following report. All vulnerabilities
are detailed and rated based on the OVCM that was created in cooperation with the company.

Table of Contents
Executive Summary
Section 1: Introduction
Section 2: Methodology
    2.1: INFOSEC Assessment Methodology (IAM)
    2.2: INFOSEC Evaluation Methodology (IEM)
Section 3: System Description
    3.1: Device detail
    3.2: Mission Statement
    3.3: Critical Information Type
    3.4: Impact Attributes
    3.5: Impact Values
    3.6: System Information Criticality
        Figure 2: Organizational Information Criticality Matrix
    3.7: Concerns
    3.8: Constraints
Section 4: INFOSEC Analysts
    4.1: High Rated Findings
    4.2: Medium Rated Findings
    4.3: Low Rated Findings
Section 5: Conclusion
Appendix A: Assessment Plan
Appendix B: Organizational Vulnerability Critical Matrix
Appendix C: Vulnerability Scans

Section 1: Introduction
This report is based on the vulnerability scans done on the Cyber Strike network. The following
sections of this document outline the results of the security assessment that was performed on the
network. They also include the methodology that was followed when conducting the assessment.
The Cyber Strike Security organization, located in Tempe, Arizona, operates out of a small office
complex. The company specializes in penetration tests for small to medium-size networks. The
security assessment was performed on the internal network at the main office. The company's
mission is to ensure that their clients are able to operate their businesses safely online without the
fear of a critical security breach. Their primary clients are several medium-size corporations and
non-profit organizations. The company offers security testing for whole networks, within a
reasonable size, or for segments of a network. For this assessment the company requested a full
network vulnerability test on their internal network. The company currently has fifteen full-time
employees and five part-time employees on its payroll. Eight of the full-time employees and
two of the part-time employees are certified penetration testers who can work in the field; the
remaining five employees are office staff.
The Cyber Strike organization requested the assessment to ensure that their network is
secure against possible attacks. Despite being a cyber security company, they believe it is good
practice to have a third-party organization assess their network for possible vulnerabilities. The
assessment was performed over the course of thirteen weeks, from January 11, 2016 to April 17,
2016. This assessment was not an inspection, accreditation, or risk analysis of the client's
system. It was performed at the request of the client. The assessment team
will not patch any vulnerabilities that are found; their goal is to identify possible vulnerabilities
in the client's network. They will offer a recommendation for any vulnerabilities that are found
during the assessment.
During the assessment the team found that all security protocols were up to date. The client's
security policy was also well organized and up to date. The team was not able to find many
major issues on the system during the assessment.

Section 2: Methodology
For this assessment we used the NSA methodology. This methodology consists of two parts.
First is the INFOSEC Assessment Methodology and second is the INFOSEC Evaluation
Methodology. Sections 2.1 and 2.2 explain the two parts of the methodology in detail.

2.1: INFOSEC Assessment Methodology (IAM)

This part of the methodology focuses on creating a technical assessment plan that the assessment
team will use while conducting the assessment. Ideally this part of the methodology should be
completed before any work on the client's systems is attempted. The plan outlines areas such
as points of contact, mission, critical information, customer concerns, documentation, and a
timeline. The assessment plan that was created for this assessment is included in this document
under Appendix A.

2.2: INFOSEC Evaluation Methodology (IEM)

This part of the methodology builds on the IAM. It is the hands-on part of the methodology.
Using the IAM, the assessment team creates a step-by-step plan to conduct the assessment. This
usually includes what scans will be used, what will be scanned, legal requirements, data analysis,
and the final results of the assessment. This part of the assessment plan is included in this document
under Appendix A.

Section 3: System Description

The assessment covers only the devices on the internal network at the client's office. This is a small
network with only a few devices. This section goes over the layout of the network and the organizational
critical vulnerability matrix.

3.1: Device detail

Device        Model                        Operating Systems   Quantity
Workstation   Dell Precision 3000 series   Windows 10          5
Laptop        Dell Precision 15 3000       Windows 10          10
Servers       Dell PowerEdge T20           FreeBSD             4
Printer       Dell C2660DN Laser printer                       1
Router        Cisco RV325                                      1
Switch        Cisco WS-C2950                                   1
Phone                                                          16

3.2: Mission Statement


Cyber Strike is dedicated to providing quality security testing at affordable rates for all
businesses.

3.3: Critical Information Type


The critical information types listed were set by the client. These are the information types that
the client believes to be critical to their operations.

Customer Information
Employee Information
Business Transactions
Server Locations

3.4: Impact Attributes

Confidentiality
Access is restricted to all but select personnel within the company
Integrity
Critical data can only be changed by certified employees
Availability
Critical data can be accessed when it is needed but only by authorized personnel.

3.5: Impact Values

High:
o Downtime greater than 5 hours
o Loss of $500,000 or more
o Loss of 5 or more lives
o Power outage longer than 3 days

Medium:
o Downtime greater than 2 hours but less than 5
o Loss of more than $300,000 but less than $500,000
o Loss of more than 2 lives but less than 5
o Power outage longer than 1 day but less than 3

Low:
o Downtime greater than an hour but less than 2
o Loss of more than $100,000 but less than $300,000
o Loss of more than 1 life but less than 2
o Power outage for more than a day but less than 1

3.6: System Information Criticality

The following matrix shows the critical information types. Each information type was rated as
High, Medium, or Low with regard to its relevance to confidentiality, integrity, and availability.
The client listed customer information, employee information, business transactions, and server
locations as its critical information types. Refer to Appendix B for the full OVCM document.
Figure 2: Organizational Information Criticality Matrix

                        Confidentiality   Integrity   Availability
Customer Info           H                 M           M
Employee Info           H                 M           M
Business Transactions   M                 M           L
Server Locations

Technical Findings
Rating    Critical Impact Weight    Vulnerability Weight
High      3                         6
Medium    2                         4
Low       1                         2

Organizational/Management Findings
Rating    Critical Impact Weight    Vulnerability Weight
High      4.5                       4.5
Medium    3                         3
Low       1.5                       1.5
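The matrix in Figure 2, the impact thresholds of Section 3.5 and the weight tables above are the rubric the findings in Section 4 are rated against. The following Python is an added worked example, not part of the original report or its appendices: it encodes the report's own values so that a finding can be rated and scored the same way every time. The report lists two weights per rating but does not state how they are combined; multiplying them is an assumption made here and labelled as such. The Server Locations row of Figure 2 carries no values on the page, so it is omitted rather than guessed.

```python
"""Added example (not from the report): the OVCM rubric of Section 3 as code.

Values come from Figure 2, Section 3.5 and the Section 3.6 weight tables.
ASSUMPTION: the two weights are multiplied; the report gives no formula.
"""
from typing import Dict, Optional, Tuple

# Figure 2: H/M/L rating of each information type for C, I and A.
# Server Locations has no values on the page and is intentionally absent.
CRITICALITY_MATRIX: Dict[str, Dict[str, str]] = {
    "Customer Info":         {"confidentiality": "H", "integrity": "M", "availability": "M"},
    "Employee Info":         {"confidentiality": "H", "integrity": "M", "availability": "M"},
    "Business Transactions": {"confidentiality": "M", "integrity": "M", "availability": "L"},
}

# Section 3.6: rating -> (critical impact weight, vulnerability weight).
WEIGHTS: Dict[str, Dict[str, Tuple[float, float]]] = {
    "technical":      {"H": (3.0, 6.0), "M": (2.0, 4.0), "L": (1.0, 2.0)},
    "organizational": {"H": (4.5, 4.5), "M": (3.0, 3.0), "L": (1.5, 1.5)},
}


def impact_level_from_downtime(hours: float) -> Optional[str]:
    """Section 3.5 downtime bands. The report leaves the exact boundary
    values (1, 2 and 5 hours) undefined; they fall into the lower band here."""
    if hours > 5:
        return "H"
    if hours > 2:
        return "M"
    if hours > 1:
        return "L"
    return None  # below the Low threshold: no impact rating


def impact_level_from_loss(usd: float) -> Optional[str]:
    """Section 3.5 financial-loss bands ($500,000 'or more' is inclusive)."""
    if usd >= 500_000:
        return "H"
    if usd > 300_000:
        return "M"
    if usd > 100_000:
        return "L"
    return None


def criticality(info_type: str, attribute: str) -> str:
    """Rating of one information type for one attribute, per Figure 2."""
    return CRITICALITY_MATRIX[info_type][attribute]


def finding_score(kind: str, rating: str) -> float:
    """Assumed combination: critical impact weight x vulnerability weight."""
    impact_w, vuln_w = WEIGHTS[kind][rating]
    return impact_w * vuln_w


def score_finding(kind: str, info_type: str, attribute: str) -> Tuple[str, float]:
    """Rate a finding by the matrix cell it threatens, then score it."""
    rating = criticality(info_type, attribute)
    return rating, finding_score(kind, rating)


if __name__ == "__main__":
    # A technical finding that threatens customer-data confidentiality.
    print(score_finding("technical", "Customer Info", "confidentiality"))
    # An organizational finding affecting availability of transaction records.
    print(score_finding("organizational", "Business Transactions", "availability"))
    print(impact_level_from_downtime(3), impact_level_from_loss(450_000))
```

Keeping the rubric in one place like this makes the rating of each finding reproducible and lets the client re-score findings if it later changes a threshold or a weight.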

3.7: Concerns
The client does not want us to attack the systems in a manner that may cause a crash. If they
lose the ability to connect to their servers remotely they will start to lose money and time on
jobs. The servers cannot go down unless it is needed for the assessment. In the event that it is
required, a request must be submitted to ensure that it can occur during a time in which the server
is not required for operations.

3.8: Constraints
The following constraints have been set by the client.
On site assessments must be planned at least one week in advance.
Servers cannot go down during mission critical times.
Tests that may take down part of the network need to be approved by the client.

Section 4: INFOSEC Analysts


This section outlines the findings of the vulnerability scans that were conducted during the
assessment. Refer to Appendix C to view the vulnerability scan documents.

4.1: High Rated Findings

Finding: 1
Rating: High
INFOSEC Category: N/A
CVE: CVE-2016-1879
CVSS: 7.5
Description: An attacker can cause a denial of service by exploiting the IPv6 setting in the
FreeBSD configuration. The attacker can use this to render null the security protocols in place to
prevent a DoS attack. This would effectively shut down the server that it is targeting.
Recommendation: Update the FreeBSD server to the latest version available. FreeBSD versions
9.3, 10.1, and 10.2 are vulnerable to the exploit. Disable IPv6 if it is not being used by the server,
to prevent attackers from being able to use it. This will render the exploit useless.

Finding: 2
Rating: High
INFOSEC Category: Identification and Authentication
CVE: CVE-2016-1636
CVSS: 9.8
Description: The exploit allows an attacker to bypass security on websites. This would allow the
attacker to gain access to the network from the web server on the DMZ. The exploit uses a part
of the security code in Google Chrome. This leaves the entire internal network at risk.
Recommendation: Update the web server to the latest version. Add a check to the firewall rules
and iptables. Limit the devices that are able to gain remote access to the network and what those
devices are able to do. This will limit the attacker's options if they can get in. Set the IDS to
monitor for devices that are authorized on the system but are trying to access areas they are not
authorized to. This will help to slow the attacker's spread through the system.
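The last part of the Finding 2 recommendation, watching for devices that are authorized on the network but reach areas they are not cleared for, is a simple rule to express in code. The following Python is an added example, not from the report or the client's IDS: the device names, zone names, authorization policy and log format are all constructed for the illustration. It parses connection log lines, compares each device's destination zone against the zones it is allowed to reach, and raises an alert for both an inventoried device outside its zones and a device that is not in the inventory at all.

```python
"""Added example (not from the report): the zone-monitoring rule from the
Finding 2 recommendation, run over constructed log lines.

Device names, zones, the policy and the log format are assumptions."""
import re
from typing import Dict, List, Optional, Set

# Assumed policy: which network zones each inventoried device may reach.
AUTHORIZED_ZONES: Dict[str, Set[str]] = {
    "ws-01":        {"office", "file-server"},
    "ws-02":        {"office", "file-server"},
    "tester-lt-01": {"office", "file-server", "tools-server"},
    "web-dmz-01":   {"dmz"},
}

# Assumed log format: "<timestamp> src=<device> dst_zone=<zone> action=<verb>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst_zone=(?P<zone>\S+)\s+action=(?P<action>\S+)$"
)

# Constructed sample log. Lines 2, 4 and 5 should raise alerts; line 6 is malformed.
SAMPLE_LOG = """\
2016-04-12T09:01:10 src=ws-01 dst_zone=file-server action=connect
2016-04-12T09:02:44 src=ws-02 dst_zone=tools-server action=connect
2016-04-12T09:03:01 src=tester-lt-01 dst_zone=tools-server action=connect
2016-04-12T09:05:37 src=web-dmz-01 dst_zone=file-server action=connect
2016-04-12T09:06:12 src=guest-7f dst_zone=office action=connect
garbage line that does not parse
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one log line, or None if it does not match the format."""
    match = LOG_LINE.match(line.strip())
    return match.groupdict() if match else None


def detect_unauthorized_access(lines: List[str]) -> List[Dict[str, str]]:
    """Flag inventoried devices reaching zones outside their policy, and
    devices that are not in the inventory at all. Malformed lines are skipped."""
    alerts: List[Dict[str, str]] = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        allowed = AUTHORIZED_ZONES.get(event["src"])
        if allowed is None:
            alerts.append({**event, "reason": "unknown_device"})
        elif event["zone"] not in allowed:
            alerts.append({**event, "reason": "unauthorized_zone"})
    return alerts


if __name__ == "__main__":
    for alert in detect_unauthorized_access(SAMPLE_LOG.splitlines()):
        print(f"{alert['ts']} {alert['src']} -> {alert['zone']}: {alert['reason']}")
```

The value of the rule is that it catches lateral movement by a compromised but legitimate host, which a perimeter-only policy (the weakness noted in Section 5) would never see; the policy table itself is the artifact the client must keep current.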

4.2: Medium Rated Findings

Finding: 3
Rating: Medium
INFOSEC Category: Organization
CVE: N/A
CVSS: N/A
Description: Unencrypted files containing critical information were found on a server. The files
contained invoices on business transactions between the company and its clients.
Recommendation: Encrypt the files as soon as possible.

Finding: 4
Rating: Medium
INFOSEC Category: Authorization
CVE: CVE-2016-3172
CVSS: 6.5
Description: An SQL injection exploit using PHP that allows the attacker to execute arbitrary
commands. This also allows the attacker to gain remote access to the network that the server is
connected to.
Recommendation: Update to the latest version available. Disable the remote access protocols on
the device if they are not needed. If they are required for operations, then ensure that PHP is up to date and
that security protocols require a two-factor authentication method to gain access to the device
remotely.
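Finding 4 is an injection flaw, and the code-level defect behind that whole class is user input spliced into a query string. The following Python is an added illustration, not code from the report or from the affected PHP application: it builds a constructed in-memory SQLite table of invoices and shows the vulnerable pattern next to its fix, a bound parameter. Updating the software, as the recommendation says, removes the specific flaw; parameterized queries are what keeps the same flaw out of the company's own code.

```python
"""Added example (not from the report or the affected software): the
defect class behind Finding 4, shown against a constructed SQLite table.

lookup_invoices_unsafe splices input into SQL (the vulnerable pattern);
lookup_invoices_safe binds it as a parameter (the fix)."""
import sqlite3
from typing import Dict, List, Tuple


def make_demo_db() -> sqlite3.Connection:
    """Constructed invoice table standing in for the server's data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE invoices (client TEXT, amount INTEGER)")
    conn.executemany(
        "INSERT INTO invoices VALUES (?, ?)",
        [("Acme Nonprofit", 12000), ("Beta Corp", 45000), ("Gamma Charity", 8000)],
    )
    return conn


def lookup_invoices_unsafe(conn: sqlite3.Connection, client: str) -> List[Tuple[str, int]]:
    # VULNERABLE: string formatting lets the input rewrite the query's structure,
    # so a value that closes the quote and adds OR '1'='1' returns every row.
    query = f"SELECT client, amount FROM invoices WHERE client = '{client}'"
    return conn.execute(query).fetchall()


def lookup_invoices_safe(conn: sqlite3.Connection, client: str) -> List[Tuple[str, int]]:
    # FIXED: the driver binds the value; whatever it contains is compared as data,
    # never parsed as SQL.
    query = "SELECT client, amount FROM invoices WHERE client = ?"
    return conn.execute(query, (client,)).fetchall()


def demo() -> Dict[str, int]:
    """Row counts for a normal and a hostile input against both versions."""
    conn = make_demo_db()
    normal = "Beta Corp"
    hostile = "x' OR '1'='1"  # the textbook probe: closes the quote, adds a true clause
    return {
        "unsafe_normal": len(lookup_invoices_unsafe(conn, normal)),
        "unsafe_hostile": len(lookup_invoices_unsafe(conn, hostile)),
        "safe_normal": len(lookup_invoices_safe(conn, normal)),
        "safe_hostile": len(lookup_invoices_safe(conn, hostile)),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows} row(s)")
```

The unsafe lookup returns the whole table for the hostile input while the parameterized one returns nothing, which is the behaviour a code review should check for wherever the web application builds queries.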

4.3: Low Rated Findings

Finding: 7
Rating: Low
INFOSEC Category:
CVE: CVE-2016-3961
CVSS: 2.1
Description: Devices running Xen and Linux kernel versions 4.5.x do not properly suppress
hugetlbfs support. The exploit allows any guest on that device to launch a denial of service attack
on the system, resulting in a crash.
Recommendation: Disable hugetlbfs if it is not needed for operations. Updating to the most
current version can render this exploit null. One could also restrict the guest privileges on a
device that is running the vulnerable version.

Finding: 8
Rating: Low
INFOSEC Category: Organization
CVE: N/A
CVSS: N/A
Description: Documents were found stored in an online database. The documents did not appear
to have any mission-critical information in them but should still be removed.
Recommendation: Remove the documents from the online database if able. If they cannot be removed,
encrypt them to restrict access.

Section 5: Conclusion
The company had a good INFOSEC posture for the most part. We were able to find a few
vulnerabilities on their network, including two high-risk vulnerabilities. The
first finding was an exploit that would allow for a denial of service attack. The second is an
exploit that allows an attacker to bypass the DMZ. Refer to Section 4.1 for details on the high-risk
vulnerabilities. The company had good documentation of its network. Their security
policies were strong but mostly focused on outside threats. They need to set a stronger policy for
internal security threats. By following our recommendations they can improve their security
posture and ensure a safe work environment.
All of our recommendations are simple and effective. They will not need to purchase any extra
equipment for their network. They will only need to pay labor costs to have someone implement
the recommendations. This could be a little costly depending on the time needed; however, it will
save the company thousands of dollars in lost revenue.
All of the recommendations that we have suggested are only recommendations based on our own
expert opinion. This assessment was not an inspection of any kind and is only a
recommendation.

Appendix A: Assessment Plan


Howell-Daniel-week4-Assessment_Plan

Appendix B: Organizational Vulnerability Critical Matrix


Howell-Daniel-week10-OVCM

Appendix C: Vulnerability Scans


Howell-Daniel-week11-web scanner
Howell-Daniel-week10-nessus scan
