Week 14
This document is an outline for the final assessment on the client network.
Daniel Howell
4/24/2016
Executive Summary
This document is based on the assessment of the Cyber Strike Security organization's network. It
will cover the configuration of the network that was assessed, the results of the assessment, and
the recommendations based on the findings.
Cyber Strike Security is an organization that specializes in penetration testing for other
organizations. The penetration testing team is a group of skilled cyber security professionals.
They are a new company, and most of the team have just graduated top of their class from the
University of Advancing Technology. They are a small organization with 15 full-time employees
and 5 part-time employees. The organization primarily works with medium-size corporations and
non-profit charity groups.
The organization requested a third party to assess their network to ensure its security. Being a
penetration testing organization, they hold possible zero-day exploits and custom tools used to
test systems. They also have private knowledge of their primary customers' networks. They want
to have another group perform the assessment on their network to ensure that it is secure. The
assessment was performed over the course of one month. We were looking for possible
vulnerabilities in the systems that could result in a critical loss of information. The recommendations
that we offer in the final assessment are based on our expertise and are not a guaranteed fix for
the vulnerabilities found.
The system that is being assessed is the part of the internal network that belongs to the Cyber
Strike organization. The system contains four workstations, three servers, two switches, and a
router. The three servers hold customer information, company information, and exploitation
tools. The exact configuration is covered in section 3 of this report.
During the vulnerability scan that was conducted, a major vulnerability was found on one of the
servers. It is a recently disclosed vulnerability listed as CVE-2016-1879 on the CVE list. The
vulnerability allows malicious individuals to launch a denial of service attack against the system.
The server on which we found the vulnerability is the server that held the company's custom tools and
exploit database. If that server were to go down, the company would not be able to do its job.
During the vulnerability scan that was conducted, we also found a major vulnerability on the
company's web server. It is a recently disclosed exploit that is listed as CVE-2016-1636 on the CVE
list. The exploit allows a malicious individual to bypass the security protocols that are in place and
gain access to the whole system from the web server. If it is not patched, the company risks a
massive data leak.
We would like to thank the Cyber Strike team for assisting in the assessment process. The
assessment was successful and all results are outlined in the following report. All vulnerabilities
are detailed and rated based on the OVCM that was created in cooperation with the company.
Table of Contents
Executive Summary
Section 1: Introduction
Section 2: Methodology
  2.1: INFOSEC Assessment Methodology (IAM)
  2.2: INFOSEC Evaluation Methodology (IEM)
Section 3: System Description
  3.1: Device detail
  3.2: Mission Statement
  3.3: Critical Information Type
  3.4: Impact Attributes
  3.5: Impact Values
  3.6: System Information Criticality
    Figure 2: Organizational Information Criticality Matrix
  3.7: Concerns
  3.8: Constraints
Section 4: INFOSEC Analysts
  4.1: High Rated Findings
  4.2: Medium Rated Findings
  4.3: Low Rated Findings
Section 5: Conclusion
Appendix A: Assessment Plan
Appendix B: Organizational Vulnerability Critical Matrix
Appendix C: Vulnerability Scans
Section 1: Introduction
This report is based on the vulnerability scans done on the Cyber Strike network. The following
sections of this document outline the results of the security assessment that was performed on the
network. It also includes the methodology that was followed when conducting the assessment.
The Cyber Strike Security organization, located in Tempe, Arizona, operates out of a small office
complex. The company specializes in penetration tests for small to medium-size networks. The
security assessment was performed on the internal network at the main office. The company's
mission is to ensure that their clients are able to operate their businesses safely online without the
fear of a critical security breach. Their primary clients are several medium-size corporations and
non-profit organizations. The company offers security testing for whole networks, within a
reasonable size, or for segments of a network. For this assessment the company has requested a full
network vulnerability test on their internal network. The company currently has fifteen full-time
employees and five part-time employees on their payroll. Eight of the full-time employees and
two of the part-time employees are certified penetration testers who can work in the field, and the
remaining five employees are office staff.
The Cyber Strike organization requested to have the assessment done to ensure that their network
is secure against possible attacks. Despite being a cyber security company, they believe it is good
practice to have a third-party organization assess their network for possible vulnerabilities. The
assessment was performed over the course of thirteen weeks, from January 11, 2016 to April 17,
2016. This assessment was not an inspection, accreditation, or risk analysis of the client's
system. This assessment was performed at the request of the client. The assessment team
will not patch any vulnerabilities that are found. Their goal is to identify possible vulnerabilities
in the client's network. They will offer a recommendation for any vulnerabilities that are found
during the assessment.
During the assessment the team found that all security protocols were up to date. The client's
security policy was also well organized and up to date. The team was not able to find many
major issues on the system during the assessment.
Section 2: Methodology
For this assessment we used the NSA methodology. This methodology consists of two parts.
First is the INFOSEC Assessment Methodology and second is the INFOSEC Evaluation
Methodology. Sections 2.1 and 2.2 explain the two parts of the methodology in detail.
Section 3: System Description
3.1: Device detail
Model                         Operating System   Quantity
Dell Precision 3000 series    Windows 10         5
Dell Precision 15 3000        Windows 10         10
Dell PowerEdge T20            FreeBSD            4
Dell C2660DN Laser printer                       1
Cisco RV325                                      1
Cisco WS-C2950                                   1
                                                 16
3.3: Critical Information Type
Customer Information
Employee Information
Business Transactions
Server Locations
3.4: Impact Attributes
Confidentiality: Access is restricted to all but select personnel within the company.
Integrity: Critical data can only be changed by certified employees.
Availability: Critical data can be accessed when it is needed, but only by authorized personnel.
3.5: Impact Values
Medium:
Low:
3.6: System Information Criticality
Figure 2: Organizational Information Criticality Matrix
Columns: Confidentiality, Integrity, Availability
Rows: Customer Info, Employee Info, Business Transactions, Server Locations
Cell values in source order: H, H, M, M, M, M, M, M, L
Organizational Vulnerability Critical Matrix (OVCM)

Technical Findings
Rating   Critical Impact Weight   Vulnerability Weight
High     3                        6
Medium   2                        4
Low      1                        2

Organizational/Management Findings
Rating   Critical Impact Weight   Vulnerability Weight
High     4.5                      4.5
Medium   3                        3
Low      1.5                      1.5
3.7: Concerns
The client does not want us to attack the systems in a manner that may cause a crash. If they
lose the ability to connect to their servers remotely, they will start to lose money and time on
jobs. The servers cannot go down unless it is needed for the assessment. In the event that it is
required, a request must be submitted to ensure that it can occur during a time in which the server
is not required for operations.
3.8: Constraints
The following constraints have been set by the client.
On site assessments must be planned at least one week in advance.
Servers cannot go down during mission critical times.
Tests that may take down part of the network need to be approved by the client.
Section 4: INFOSEC Analysts
4.1: High Rated Findings
Finding: 1
Rating: High
INFOSEC Category: N/A
CVE: CVE-2016-1879
CVSS: 7.5
Description: An attacker can cause a denial of service by exploiting the IPv6 setting in the
FreeBSD configuration. The attacker can use this to render null the security protocols in place to
prevent a DoS attack. This would effectively shut down the server that it is targeting.
Recommendation: Update the FreeBSD server to the latest version available. FreeBSD versions
9.3, 10.1, and 10.2 are vulnerable to the exploit. Disable IPv6 if it is not being used by the server
to prevent attackers from being able to use it. This will render the exploit useless.
Finding: 2
Rating: High
INFOSEC Category: Identification and Authentication
CVE: CVE-2016-1636
CVSS: 9.8
Description: The exploit allows an attacker to bypass security on websites. This would allow the
attacker to gain access to the network from the web server on the DMZ. The exploit uses a part
of the security code in Google Chrome. This leaves the entire internal network at risk.
Recommendation: Update the web server to the latest version. Add a check to the firewall rules
and IP tables. Limit the devices that are able to gain remote access to the network and what those
devices are able to do. This will limit the attacker's options if they can get in. Set the IDS to
monitor for devices that are authorized in the system but are trying to access areas they are not
authorized to. This will help to slow the attacker's spread through the system.
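The recommendation above asks for two controls: an allowlist of which devices may reach which internal areas, and IDS logic that flags an authorized device stepping outside its grant. The following is an added example written for this report, not code or configuration from the assessment or from Cyber Strike. The log format, the zone map, the workstation addresses and the log lines themselves are all constructed for illustration; a real deployment would feed the same check from the firewall or IDS export and keep the allowlist in the access policy rather than in the script.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample firewall log lines (not from the assessment).
# Format assumed here: <timestamp> ALLOW|DENY src=<ip> dst=<ip> dport=<port>
SAMPLE_LOG = """\
2016-04-17T09:01:12 ALLOW src=10.0.20.15 dst=10.0.30.5 dport=22
2016-04-17T09:02:40 ALLOW src=10.0.20.15 dst=10.0.40.7 dport=445
2016-04-17T09:03:05 ALLOW src=10.0.20.31 dst=10.0.40.7 dport=3389
2016-04-17T09:04:50 DENY  src=203.0.113.9 dst=10.0.10.2 dport=22
2016-04-17T09:05:13 ALLOW src=10.0.20.15 dst=10.0.30.5 dport=443
2016-04-17T09:06:00 ALLOW src=10.0.20.77 dst=10.0.30.5 dport=22
"""

# Hypothetical zone map: internal segments and their address ranges.
ZONES = {
    "dmz": ipaddress.ip_network("10.0.10.0/24"),
    "workstations": ipaddress.ip_network("10.0.20.0/24"),
    "customer-data": ipaddress.ip_network("10.0.30.0/24"),
    "tooling": ipaddress.ip_network("10.0.40.0/24"),
}

# Hypothetical allowlist: which authorized devices may reach which zones.
AUTHORIZED = {
    "10.0.20.15": {"customer-data"},  # analyst workstation: customer data only
    "10.0.20.31": {"tooling"},        # tooling admin: exploit/tool server only
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+src=(?P<src>\S+)\s+"
    r"dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    dst: str
    zone: str
    reason: str


def zone_of(ip):
    """Name the zone an address falls in, or 'external' if none match."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def parse(line):
    """Parse one log line into a dict, or None if it does not fit the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_violations(log_text, authorized=AUTHORIZED):
    """Flag permitted flows that violate the allowlist.

    Denied traffic is skipped (the firewall already stopped it); the point
    is to catch traffic that got through but should not have: a source not
    on the allowlist at all, or an authorized device reaching a zone it was
    never granted.  Traffic to the workstation segment or outbound to the
    internet is out of scope for this check."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec["action"] != "ALLOW":
            continue
        zone = zone_of(rec["dst"])
        if zone in ("external", "workstations"):
            continue
        permitted = authorized.get(rec["src"])
        if permitted is None:
            reason = "source not on remote-access allowlist"
        elif zone not in permitted:
            reason = "authorized device reaching zone outside its grant"
        else:
            continue
        alerts.append(Alert(rec["ts"], rec["src"], rec["dst"], zone, reason))
    return alerts


if __name__ == "__main__":
    for alert in find_violations(SAMPLE_LOG):
        print(alert)
```

Run against the constructed lines, the check raises two alerts: the analyst workstation reaching the tooling segment, and an internal host that is not on the allowlist reaching the customer-data segment. Both are exactly the "authorized but out of place" pattern the recommendation wants the IDS to surface, and the denied external attempt is left to the firewall log.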
Description: An SQL injection exploit using PHP that allows the attacker to execute arbitrary
commands. This also allows the attacker to gain remote access to the network that the server is
connected to.
Recommendation: Update to the latest version available. Disable the remote access protocols on
the device if they are not needed. If they are required for operations, then ensure that PHP is up to date
and that security protocols require a two-factor authentication method to gain access to the device
remotely.
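To make the defect in this finding concrete, here is an added example that is not code from the assessed application or from Cyber Strike. The affected application is written in PHP; the same defect and the same fix are shown here in Python against an in-memory SQLite table so that it runs anywhere. The table, its rows and the username policy are constructed for the example.

```python
import re
import sqlite3

# Constructed sample rows standing in for the web application's user table.
SAMPLE_USERS = [("alice", "analyst"), ("bob", "admin"), ("carol", "office")]

# Hypothetical username policy used as defence in depth (not the primary fix).
USERNAME_RE = re.compile(r"^[a-z0-9_.-]{1,32}$")


def make_db():
    """Build an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """The defect: user input is spliced into the SQL text, so a quote in
    `name` ends the literal and the rest of the input becomes SQL."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, name):
    """The fix: the driver binds `name` as a value.  Whatever characters it
    contains, it can only ever be compared against the column, never change
    the statement."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def is_valid_username(name):
    """Reject input that does not look like a username before it reaches the
    database; cheap to add, but binding above is what actually closes the hole."""
    return USERNAME_RE.match(name) is not None


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed input of the kind a scanner sends
    print("vulnerable:", lookup_vulnerable(db, probe))  # every row comes back
    print("hardened:  ", lookup_hardened(db, probe))    # no row matches
    print("valid?     ", is_valid_username(probe))      # rejected by policy
```

With the string-built query, the probe input turns the WHERE clause into a condition that is always true and the whole table comes back; with the bound parameter, the same input is just a name that matches nothing. Patching PHP, as the recommendation says, removes known interpreter bugs, but the query pattern itself has to change for the injection to go away.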
4.2: Medium Rated Findings
Finding: 5
Rating: Medium
INFOSEC Category: Organization
CVE: N/A
CVSS: N/A
Description: Some documents were found online. A simple Google search for the company
name and ".doc" showed several documents that were stored in an online database. The documents
contained some critical data related to the company.
Recommendation: Do not store documents in online databases if they contain mission critical
data.
Finding: 6
Rating: Medium
INFOSEC Category: Remote Access
CVE: CVE-2016-2171
CVSS: 6.4
Description: A remote access exploit that allows the attacker to delete users on an Apache
server with the REST API command. The attacker could also give themselves a user account.
Recommendation: Updating to the latest version of Apache Jetspeed should be enough
to prevent an attack. Disable remote access protocols if able.
Recommendation: Disable hugetlbfs if it is not needed for operations. Updating to the most
current version can render this exploit null. One could also restrict the guest privileges on a
device that is running the vulnerable version.
4.3: Low Rated Findings
Finding: 8
Rating: Low
INFOSEC Category: Organization
CVE: N/A
CVSS: N/A
Description: Documents were found stored in an online database. The documents did not appear
to have any mission critical information in them, but should still be removed.
Recommendation: Remove the documents from the online database if able. If they cannot be removed,
encrypt them to restrict access.
Section 5: Conclusion
The company had a good INFOSEC posture for the most part. We were able to find a few
vulnerabilities on their network. We did find two high-risk vulnerabilities on the network. The
first finding was an exploit that would allow for a denial of service attack. The second is an
exploit that allows an attacker to bypass the DMZ. Refer to section 4.1 for details on the high-risk
vulnerabilities. The company did have good documentation of its network. Their security
policies were strong but mostly focused on outside threats. They need to set a stronger policy for
internal security threats. By following our recommendations they can improve their security
posture and ensure a safe work environment.
All of our recommendations are simple and effective. They will not need to purchase any extra
equipment for their network. They will only need to pay labor costs to have someone implement
the recommendations. This could be a little costly depending on the time needed; however, it will
save the company thousands of dollars in lost revenue.
All of the recommendations that we have suggested are only recommendations based on our own
expert opinion. This assessment was not an inspection of any kind and is only a
recommendation.