Information Technology Risk Assessment Caitlyn Raymond International Registry
April 2012
Contents
Executive Summary ............ page 2
Environment Overview ......... page 5
Findings Overview ............ page 9
Detailed Findings ............ page 11
Appendix ..................... page 26
© 2012 Grant Thornton LLP. All rights reserved.
Information Technology Risk Assessment-Caitlyn Raymond International Registry
Executive Summary
Grant Thornton, LLP was engaged by the Caitlin Raymond International Registry (“CRIR”) to perform an information technology risk assessment based on the ISO 27002 security standard. This assessment was conducted between February and April 2012 and was intended to provide CRIR with information about risks that could affect the availability of its technology and information systems or the confidentiality and integrity of the information contained within them. During this assessment Grant Thornton conducted:
- Interviews with key stakeholders and technology staff
- Detailed system and application configuration reviews
- Network vulnerability scanning
- Onsite hands-on system configuration reviews
Our assessment determined that CRIR has done a good job developing and maintaining the proprietary applications that support the organization's business operations. However, we identified a number of issues within the underlying technology infrastructure that present a significant risk to the organization. These issues stem from recent staffing changes that have left the organization with inadequate internal resources to support the network and server infrastructure. Specifically, CRIR's application development team is attempting to perform server and network administration, tasks for which they have neither the skillset nor the time to complete effectively.

As a result, CRIR's technology infrastructure is aging and not well maintained. Some of the hardware, software and operating systems supporting critical applications are over ten years old and are no longer supported by their manufacturers. Servers and network devices have not been built with secure configurations and are susceptible to common vulnerabilities. Regular maintenance activities, including patching, backups and vulnerability management, are either not being performed or are being performed ineffectively.

To address these issues with the technology infrastructure, we suggest that Caitlyn Raymond take action immediately. First, the organization should hire a minimum of one, but ideally two, network / system administrators whose sole focus is to support the technology infrastructure. Next, the organization should plan a technology refresh, replacing unsupported hardware, software and operating systems with current, vendor-supported technology.
As an alternative to hiring new staff to support the technology infrastructure, Caitlyn Raymond could also look to outsource its data center and support functions to a 3rd party hosting and managed services provider. The organization could also look to merge these functions with UMass Memorial and allow the technology teams at the hospital to handle these critical tasks.
Project Scope and Approach
In the spring of 2012, Grant Thornton was contracted by the Caitlyn Raymond International Registry to conduct a risk assessment of its technology infrastructure and applications based on the ISO 27002 information security standard. The focus of the assessment was the infrastructure and core functionality of CRIR, with an emphasis on the 'Intranet' application and its supporting technologies, including web-based services, databases and communications technology, as these govern the majority of CRIR business functions including its donor and patient transactions. ISO 27002 is an internationally recognized code of practice for information security controls, organized around protecting the confidentiality, integrity and availability of information assets. The standard is comprised of a number of high-level sections, as described below:
- Information risk management policies and procedures
- Security organization
- Asset classification and control
- Personnel security
- Physical and environmental security
- Communications and operations management
- Access control
- Systems development and maintenance
- Business continuity management
- Compliance
Grant Thornton conducted its assessment of Caitlyn Raymond's technology infrastructure through a combination of the following activities:
- Conducting interviews with key functional and technical personnel
- Performing hands-on system configuration reviews
- Reviewing documentation provided by Caitlyn Raymond
- Using automated tools to collect information on device configuration
- Performing vulnerability scans using automated tools
Environment Overview
CRIR Overview
CRIR is a nonprofit organization affiliated with UMass Memorial Medical Center in Massachusetts. CRIR was originally established in 1986 as a unit within the Division of Hematology-Oncology of the Department of Pediatrics at the University of Massachusetts Medical Center, specifically as a coordinating center for conducting national and international searches for unrelated donors. CRIR maintains Hub Status in Bone Marrow Donors Worldwide and the European Marrow Donor Information System, maintains an affiliation with the National Marrow Donor Program, and is a member registry of the World Marrow Donor Association (WMDA). Today, the Caitlin Raymond International Registry accesses 89 bone marrow donor registries and cord blood banks worldwide and has performed searches for more than 64,000 patients. Since its inception, the Caitlin Raymond International Registry has remained a comprehensive resource for patients and physicians conducting a search for unrelated bone marrow or cord blood donors.

Information Technology Overview
Caitlyn Raymond's information technology department has built a proprietary application that allows employees to administer patients and donors in an efficient and effective manner. This system was originally developed in the 1980s using RBase. In the late 1990s, MS Access was introduced as a front-end and patient and donor data was moved into a MS SQL database. Recently, a web-based front-end has replaced Access as the primary application interface, providing a more flexible and secure framework. This application, referred to internally as 'The Intranet', is a complex system with numerous modules and acts as an ERP (enterprise resource planning) system for the organization. The Intranet supports both front-office operations, i.e. managing donor and patient registration and matching, as well as back-office functions such as the general ledger, AP / AR and an IT ticketing system. The full list of modules can be found below:
- Collection of Stem Cells: donor and patient receiving
- Donor Testing Services: test and register new donors
- Intranet: administration of modules
- IS Module: IS projects / inventory, devices / "Internal SharePoint"
- Recruitment: used for recruiting new donors
- Report Tracker: used to track documents from within the application
- Sample Processing: management of DNA samples from new donors
- Ticketing System: IT or operations related tickets
- Finance Modules: finance
Users of "The Intranet" are only allowed to access particular modules based on their logon credentials. During our assessment, we walked through the user authentication process and evaluated the security controls in place to prevent unauthorized access. A high-level description of the authentication process can be found below:

At Login:
- Validates the user's credentials
- Checks whether the user's password has expired and needs to be changed
- Checks whether the user account is blocked due to failed login attempts:
  - One failed login attempt: the account is blocked for 15 seconds
  - Two failed login attempts: the account is blocked for 45 seconds
  - Three failed login attempts: the account is blocked for 15 minutes and IT staff are notified via email
- Creates a new session: both session start and session ID regeneration are used, so the identifier issued after login is never one the client held before authenticating
- Creates a hashed user agent and session string, stored both in the session data and in the user's cookies
- Stores the session data in a database protected with a username and password

When an application page loads:
- Checks session expiration
- Sets the session's lifetime to 90 minutes
- Verifies that the user agent matches the session data and cookies
- Prevents SQL injection by using custom SQL statements before change commands are permitted
- Checks that the client IP address is within the defined range
- Verifies user authentication
- Verifies user permissions for the requested content
- Updates the corresponding tables

At Session Close:
- Session connections are terminated
- The session cookie is deleted
- The hashed session information is deleted from the database
- The user is returned to the login page
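The login, page-load and logout checks described above, as an added example in Python; this is not CRIR's code, and the report does not show the Intranet's implementation. The hypothetical parts are the in-memory user and session stores standing in for the database tables, PBKDF2 for password storage, the HMAC-signed cookie token that carries the hashed user agent and session string, the 10.0.0.0/24 client range and the 90-day password lifetime; the lockout schedule and the 90-minute session window are the values the report gives.

```python
"""Login, page-load and logout checks modelled on the Intranet description.

Added example, not CRIR's code. Hypothetical: in-memory user/session stores,
PBKDF2 password hashing, HMAC-signed cookie token, 10.0.0.0/24 client range,
90-day password lifetime. Lockout schedule and 90-minute session are from the report.
"""
import hashlib
import hmac
import ipaddress
import secrets
import time

LOCKOUT_SECONDS = {1: 15, 2: 45, 3: 15 * 60}        # failures -> block, per the report
SESSION_TTL = 90 * 60                                # 90-minute session, per the report
ALLOWED_RANGE = ipaddress.ip_network("10.0.0.0/24")  # assumed permitted client range
PASSWORD_MAX_AGE = 90 * 24 * 3600                    # assumed password lifetime


def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class IntranetAuth:
    def __init__(self, clock=time.time):
        self.clock = clock                          # injectable for testing
        self.server_key = secrets.token_bytes(32)   # signs cookie tokens
        self.users = {}
        self.sessions = {}                          # session_id -> session data
        self.it_notifications = []                  # stands in for the e-mail to IT staff

    def add_user(self, username, password, modules, password_set_at=None):
        salt = secrets.token_bytes(16)
        self.users[username] = {
            "salt": salt, "hash": _pbkdf2(password, salt), "modules": set(modules),
            "failures": 0, "blocked_until": 0.0,
            "password_set_at": self.clock() if password_set_at is None else password_set_at,
        }

    def _cookie_token(self, session_id, user_agent):
        # Binds the cookie to this session and this user agent; a client cannot
        # recompute it without the server key.
        msg = f"{session_id}|{user_agent}".encode()
        return hmac.new(self.server_key, msg, hashlib.sha256).hexdigest()

    def login(self, username, password, user_agent):
        """Return (status, session_id, cookie_token); the last two are None unless status is 'ok'."""
        now = self.clock()
        user = self.users.get(username)
        if user is None:
            return ("invalid", None, None)          # same answer as a wrong password
        if now < user["blocked_until"]:
            return ("blocked", None, None)          # password is not even evaluated
        if not hmac.compare_digest(_pbkdf2(password, user["salt"]), user["hash"]):
            user["failures"] += 1
            step = min(user["failures"], 3)
            user["blocked_until"] = now + LOCKOUT_SECONDS[step]
            if step == 3:
                self.it_notifications.append(f"{username}: third failed login, blocked 15 minutes")
            return ("invalid", None, None)
        user["failures"], user["blocked_until"] = 0, 0.0
        if now - user["password_set_at"] > PASSWORD_MAX_AGE:
            return ("password_expired", None, None)
        # Session regeneration: a fresh id on every login, never one the client already held.
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = {
            "user": username,
            "ua_hash": hashlib.sha256(user_agent.encode()).hexdigest(),
            "last_seen": now,
        }
        return ("ok", session_id, self._cookie_token(session_id, user_agent))

    def authorize(self, session_id, cookie_token, client_ip, user_agent, module):
        """Page-load checks: expiry, user agent, cookie binding, IP range, module permission."""
        now = self.clock()
        session = self.sessions.get(session_id)
        if session is None:
            return "no_session"
        if now - session["last_seen"] > SESSION_TTL:
            del self.sessions[session_id]
            return "expired"
        if hashlib.sha256(user_agent.encode()).hexdigest() != session["ua_hash"]:
            return "user_agent_mismatch"
        if not hmac.compare_digest(cookie_token, self._cookie_token(session_id, user_agent)):
            return "cookie_mismatch"
        if ipaddress.ip_address(client_ip) not in ALLOWED_RANGE:
            return "ip_not_allowed"
        if module not in self.users[session["user"]]["modules"]:
            return "forbidden"
        session["last_seen"] = now                   # the "updates corresponding tables" step
        return "ok"

    def logout(self, session_id):
        # Server-side session data is removed; the page clears the client cookie.
        self.sessions.pop(session_id, None)
```

The block is checked before the password is evaluated, so an attacker cannot keep guessing inside the block window, and the third failure raises the 15-minute lock and the notification. The user-agent hash lives in the server-side session record and the cookie token is an HMAC over the session id and user agent, so a cookie copied to a different client fails both checks even if the session id itself is valid.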
In our opinion, the controls that Caitlyn Raymond's application development team has implemented to prevent users from accessing data without authorization are adequate. In general, CRIR has followed the best practice of layering authentication checks and combining multiple techniques to mitigate misuse, and this has significantly reduced the risk of compromise of the "Intranet" application. These controls operate at the application layer only; they do not reduce the exposure of the servers that host the application and its database, which are covered by the infrastructure findings later in this report.

Network Diagram
To support this application, Caitlyn Raymond operates a single data center located within its office facility in Worcester, Mass. A network diagram can be found below:
As can be seen in the diagram above, Caitlyn Raymond's network is a flat, layer-2 network. Users, servers and publicly accessible systems all reside on the same logical network and route by default through a Linksys device that serves as both core router and edge firewall. Caitlyn Raymond's public website is not hosted in the Worcester, Mass data center but at Rackspace, a 3rd party hosting provider. Email services are also outsourced to a cloud-based provider. Caitlyn Raymond's VoIP phone system is provided and managed by the UMass Memorial Medical Center and utilizes a separate layer-2 switched network.
Server Inventory
The table below provides an inventory of the servers supported by Caitlyn Raymond's information technology team:

| Host Name | Operating System | Warranty? | Purchase Date | Server Type | CPU | Memory | Disk | Function |
|---|---|---|---|---|---|---|---|---|
| Comedian | WinXP | Y | Aug-10 | HP Compaq dc5850 | AMD Phenom II X4 810 | 1.75GB | 220GB | EMDIS Application |
| Marvin | Suse Linux | N | Aug-05 | DELL PowerEdge 2800 | (2) 3.0 GHz/2 MB Cache | 2GB DDR2 | 36GB, 36GB, 73GB, 73GB, 73GB, 73GB SCSI | Not working - MySQL Master, Network Backup to USB HD |
| Minerva | WinXP | N | 2003 | DealDepot | Intel Celeron | 512MB | 40GB | Workstation for Rebecca |
| Mycroft | Ubuntu Linux | N | Jun-08 | Vision | (2) AMD Athlon 64 X2 Dual Core Processor 4400 | 2GB DDR2 | 3x250GB | Dev Intranet and Dev MySQL |
| Nagasaki | Ubuntu Linux | N | Jun-08 | Vision | (2) AMD Athlon 64 X2 Dual Core Processor 4400 | 2GB DDR2 | 3x250GB | Live MySQL, CUPS Print Server, Network Backup to USB HD |
| NAS | (not listed) | N | Jul-09 | ReadyNAS 2TB Dual Gig RM NW | (not listed) | (not listed) | (not listed) | Network Storage (G:) |
| Server1 | Win2K Server | N | Sep-02 | DELL PowerEdge 1500SC | (2) 1.4 GHz/512 Cache | 512 MB SDRAM | (2) 18GB 10K RPM Ultra 160 SCSI | Network Print Server, DNS, DHCP, Anti-virus Server, File Server, Active Directory, Automated Tasks |
| Terminator | Ubuntu Linux | N | Apr-08 | Vision | (2) AMD Opteron 1212 | 2GB DDR2 | 3x250GB | Not running |
| Terminator2 | Ubuntu Linux | N | Apr-08 | Vision | (2) AMD Opteron 1212 | 2GB DDR2 | 3x250GB | Live Intranet |
Findings Overview
Risk categories
Based upon our review of the company's overall control environment, we have identified a number of findings. Each finding has been classified as high, medium or low risk based on the following definitions:

High: A high risk finding is assigned to vulnerabilities that have a high threat or impact potential and could allow unauthorized privileged access, grant the ability to alter systems in some way, or leave the organization vulnerable to loss of sensitive information and the potential financial penalties in the event of a breach. It is recommended that these findings be corrected immediately.

Medium: A medium risk finding is assigned to vulnerabilities that pose a moderate level of risk to the organization and could allow a threat actor unprivileged access to systems. Medium risk findings generally represent systemic organizational problems that often lead to the introduction of new high risk technical findings if they are not corrected.

Low: A low risk finding covers areas that do not meet the best practices put forth in the ISO standard but pose little to no immediate risk to the environment. If low risk findings are not corrected, they often lead to the introduction of new medium and high risk technical and administrative findings.
Summary of Findings
Grant Thornton identified numerous issues within the Caitlyn Raymond technology infrastructure. A summary can be found in the lists below, with the risk rating of each finding in parentheses:

Policy, Process and Organizational Issues
1. No information security policy (Medium)
2. Information security responsibilities not defined (Low)
3. Information security processes, standards, and guidelines not established (Medium)

Technical Issues
4. Use of out-of-warranty, out-of-date or unsupported hardware (High)
5. Use of consumer based products in an enterprise environment (High)
6. No patch or vulnerability management for operating systems or applications (High)
7. No server configuration standards / system hardening (High)
8. Use of unnecessary or undocumented services and applications (Medium)
9. Use of "administrator" / "root" account to manage systems (High)
10. Remote access to Linux systems with "root" account is enabled (High)
11. Use of weak or default passwords (High)
12. IT administrators unable to access network devices (Low)
13. Broken processes for identity and authentication management (Medium)
14. No system-state backups being taken (High)
15. Backup tapes stored in IT administrators' homes (High)
16. No disaster recovery plan / business continuity management (Medium)
17. UPS devices not properly configured / maintained (Low)
18. Network diagram does not exist (Medium)
19. Insecure wireless networking configuration (High)
20. No centralized logging / monitoring system (Medium)
21. No network segmentation (Medium)
22. Changes to Windows systems are made directly in production (Low)
23. No change control process (Medium)
24. Insecure administrative access to 3rd party hosted web application server (High)
25. Use of insecure protocols for data transfer / system management (Medium)
26. Desktop operating systems used to support server functions (Medium)
27. Access to financial system controlled by Access Database front-end (Medium)
28. Sensitive data not encrypted (Medium)

People Issues
29. IT personnel lack server and network administration skills (High)
30. Understaffed (High)
Risk vs. Mitigation Effort
In the matrix below we have grouped each of the findings by risk and by mitigation effort. We recommend that Caitlyn Raymond address the high-risk findings with a low mitigation effort first (the first group below), and then work through the remaining groups in the order listed, finishing with the low-risk items.

High risk / Low mitigation effort
- Use of "administrator" or "root" account to manage systems
- Remote access to Linux systems with "root" account is enabled
- Use of weak / default passwords
- No system state backups are taken
- Backup tapes stored in IT administrators' homes
- Insecure wireless configuration
- Insecure administrative access to 3rd party hosted web applications

High risk / Medium mitigation effort
- Use of consumer based products in an enterprise environment
- No patch or vulnerability management for operating systems or applications
- No server configuration standards / system hardening

High risk / High mitigation effort
- Use of out-of-warranty or unsupported hardware, software and operating systems
- IT personnel lack server and network administration skills
- Understaffed

Medium risk / Low mitigation effort
- Broken process for identity and authentication management
- Network diagram does not exist
- No change control process
- Use of insecure protocols for data transfer / system management
- Sensitive data not encrypted

Medium risk / Medium mitigation effort
- No information security policy
- Information security processes, standards and guidelines not established
- Desktop operating systems used to support server functions
- Use of unnecessary or undocumented services and applications
- No network segmentation

Medium risk / High mitigation effort
- No disaster recovery plan / business continuity management
- No centralized logging / monitoring system
- Access to financial system controlled by Access Database front-end

Low risk / Low mitigation effort
- IT administrators unable to access network devices
- UPS devices not properly configured / maintained
- Changes to Windows systems are made directly in production

Low risk / Medium mitigation effort
- Information security responsibilities not defined
Detailed Findings
The detailed findings below describe each finding in turn. The intention is to call out the underlying cause of each vulnerability in the CRIR environment and to present remediation options, along with the estimated cost and level of effort associated with remediation.
Policy, Process and Organizational Issues
1. No Information Security Policy
Risk Rating: Medium
Description
Caitlyn Raymond does not have an information security policy that describes:
- Its approach to addressing information security issues
- Organizational roles and responsibilities as they relate to information security
- Acceptable use of information technology systems and assets
- Other security topics
Risk Analysis
Policies are the cornerstone of information security and compliance in any organization. Without an information security policy, an organization has no basis for identifying, assessing and managing risks.
Remediation Cost/Effort
Medium
Recommendations
CRIR can leverage the information security policies that have already been developed for the UMass Memorial Medical Center to build a security policy of its own and distribute it to all employees.
Ongoing Effort
The security policy will need to be reviewed on an annual basis to ensure it remains applicable to new technologies and emerging threats.
2. Information Security Responsibilities not Defined
Risk Rating: Low
Description
Caitlyn Raymond does not define information security roles and responsibilities for members of the organization. Typically, these roles and responsibilities are defined in an information security policy, as described in Finding #1 above.
Risk Analysis
Without clearly defined roles and responsibilities for information security within the CRIR environment, several critical security and administration tasks are not taking place because no one owns them.
Remediation Cost/Effort
Medium
Recommendations
CRIR needs to define information security roles and responsibilities for all employees.
Ongoing Effort
Information security roles should be periodically reviewed and updated to ensure they remain consistent with changes in organizational technology as well as new and emerging threats.

3. Information security processes, standards, and guidelines not established
Risk Rating: Medium
Description
Caitlyn Raymond has not defined the operational procedures, to be executed by information technology staff, that support information security. Examples of policies and procedures that should be developed include:
- Acceptable Use Policy
- Backup and Restoration Procedures
- Patch Management Procedures
- Vulnerability Management Procedures
- Identity and Authentication Management Procedures
- Password Policy and Reset Procedures
- Incident Response Policy
- Others
Risk Analysis
Without defined processes, standards and guidelines, servers and the network are administered in a way in which security and risk within the environment cannot be measured or controlled by CRIR staff.
Remediation Cost/Effort
Medium
Recommendations
Security processes, standards and guidelines should be documented in the site's policies and procedures, and staff should be made aware of their responsibilities. All areas of administration should be documented, for example patch management, server updates, and creating and deleting users. It is very likely that UHMV already has this documentation; CRIR should use it as a template for its own environment.
Ongoing Effort
These documents should be reviewed whenever updates are made to the site's security policy.
Technical Issues
4. Use of out-of-warranty, out-of-date or unsupported hardware and software
Risk Rating: High
Description
Caitlyn Raymond is utilizing hardware, software and operating systems that are no longer supported by their manufacturers. This includes numerous out-of-warranty servers and network devices as well as the Windows 2000 and Ubuntu 8.1 operating systems.
Risk Analysis
Using out-of-date hardware not only affects system performance, but also leaves the organization susceptible to a sustained outage if a system component fails and replacement parts are not readily available. Using out-of-support operating systems leaves the organization exposed to newly discovered vulnerabilities for which the vendor no longer issues patches, so even the patch management program recommended in Finding #6 cannot close them.
Remediation Cost/Effort
High
Recommendations
CRIR should develop a plan to replace the hardware, software and operating systems that are no longer under warranty or no longer supported by their vendors.
Ongoing Effort
In addition, we recommend that CRIR build a formalized system lifecycle management process that plans for regular hardware, software and operating system upgrades, so that they do not fall out of support in the future.
5. Use of consumer based products in an enterprise environment
Risk Rating: High
Description
CRIR has deployed a consumer grade Linksys device as its core router / edge firewall.
Risk Analysis
Consumer grade Linksys equipment is intended for home use and is not robust enough for a corporate environment. Consumer grade networking equipment does not have the granular security features needed for a corporate environment.
Remediation Cost/Effort
Medium
Recommendations
Replace network equipment with business class devices.
Ongoing Effort
Once replaced, CRIR should make sure only business class devices are used moving forward.
6. No patch or vulnerability management for operating systems or applications
Risk Rating: High
Description
Patches and updates are not being applied to servers, workstations and other devices.
Risk Analysis
By not applying patches, Caitlyn Raymond is leaving itself vulnerable to exploits from internal and external sources that could result in a breach of sensitive patient or donor data or in system unavailability.
Remediation Cost/Effort
Medium
Recommendations
Develop a formal patch and vulnerability management plan, defining when and how patches will be tested and deployed.
Ongoing Effort
The patch management and vulnerability management program should be periodically reviewed to make sure it is functioning correctly.
7. No server configuration standards / system hardening
Risk Rating: High
Description
CRIR has not developed system configuration standards for servers or network devices that harden them against the most common information security vulnerabilities.
Risk Analysis
Servers that are installed "out of the box" without going through a formal hardening procedure can enter the network missing critical software or firmware patches, or even anti-virus definitions, and with unnecessary services and default credentials still enabled, increasing the threat to the network.
Remediation Cost/Effort
Medium
Recommendations
Create a checklist of security requirements that must be followed and use it when setting up any new equipment.
Ongoing Effort
Hardening procedures should be periodically evaluated to ensure they remain current and best fit the organization.
8. Use of unnecessary or undocumented services and applications
Risk Rating: Medium
Description
Servers and network devices on the Caitlyn Raymond network have numerous services enabled and configured that are not being utilized, including FTP, telnet, HTTP and many others.
Risk Analysis
Services are access points to the network; when no longer required they are often left unmonitored and unpatched, creating a larger attack surface for compromise. Services not in use also consume system resources. As an example, we have included the output of open services for the domain controller, which had a large number of services in use, including 'Gopher' and 'Pop2', which have not been required services for several years.
Remediation Cost/Effort
Medium
Recommendations
Disable unnecessary services and, where possible, determine why each service was enabled to begin with.
Ongoing Effort
Periodic reviews of open services should be conducted.
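The periodic review of open services, as an added Python example rather than a tool CRIR uses: it parses 'netstat -an' output, which the Windows 2000 domain controller in the inventory produces natively, compares the listeners with an allowlist for the host's role, and reports what falls outside it. The netstat text and the domain controller allowlist are constructed for the example and would be replaced by a capture from each host and a baseline agreed per role.

```python
"""Open-service review for finding 8: which listeners are not part of the
host's documented role?

Added example, not a CRIR tool. The netstat text is constructed in the format
'netstat -an' prints on Windows; DC_BASELINE is an assumed allowlist for a
Windows domain controller that also provides DNS and DHCP.
"""
import re

# Constructed sample, not a capture from CRIR's domain controller.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:53             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:70             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:109            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    10.0.0.10:139          10.0.0.25:1041         ESTABLISHED
  UDP    0.0.0.0:53             *:*
  UDP    0.0.0.0:67             *:*
  UDP    0.0.0.0:389            *:*
"""

# Assumed allowlist of (protocol, port) for the domain controller role.
DC_BASELINE = {
    ("tcp", 53), ("udp", 53),                                  # DNS
    ("udp", 67),                                               # DHCP server
    ("tcp", 88), ("udp", 88), ("tcp", 464), ("udp", 464),      # Kerberos
    ("tcp", 135),                                              # RPC endpoint mapper
    ("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445),    # NetBIOS / SMB
    ("tcp", 389), ("udp", 389), ("tcp", 636),                  # LDAP / LDAPS
    ("tcp", 3268), ("tcp", 3269),                              # Global catalog
}

# Legacy or cleartext services a reviewer would name in a finding (port -> name).
LEGACY_SERVICES = {21: "ftp", 23: "telnet", 70: "gopher", 79: "finger", 80: "http",
                   109: "pop2", 110: "pop3", 143: "imap", 512: "exec", 513: "login",
                   514: "shell"}

_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s", re.IGNORECASE)


def parse_listeners(netstat_text):
    """Set of (proto, port) that accept connections. TCP rows count only in a
    LISTEN/LISTENING state; UDP rows carry no state and always count."""
    listeners = set()
    for line in netstat_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        proto, port = m.group(1).lower(), int(m.group(3))
        if proto == "tcp" and "LISTEN" not in line.upper():
            continue
        listeners.add((proto, port))
    return listeners


def unexpected_services(netstat_text, baseline):
    """Listeners outside the baseline, as sorted (proto, port, name) tuples."""
    return [(proto, port, LEGACY_SERVICES.get(port, "unknown"))
            for proto, port in sorted(parse_listeners(netstat_text))
            if (proto, port) not in baseline]


def drift(previous, current):
    """For the periodic review: listeners that appeared or disappeared since the
    last snapshot, so a change stands out without re-reading the whole list."""
    return {"new": sorted(current - previous), "removed": sorted(previous - current)}


if __name__ == "__main__":
    for proto, port, name in unexpected_services(SAMPLE_NETSTAT, DC_BASELINE):
        print(f"{proto}/{port} ({name}) is listening but is not in the baseline")
```

Keeping the previous snapshot and diffing with drift() turns the review into a change check: once the baseline has been agreed, anything that appears in the "new" list is either an undocumented change or a newly enabled service, and both warrant a ticket.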
9. Use of "administrator" / "root" account to manage systems
Risk Rating: High
Description
Caitlyn Raymond uses the root and / or administrator account to manage systems instead of unique usernames attributable to each individual.
Risk Analysis
Administrator and root accounts are generic accounts that are not traceable back to an individual system administrator and often grant much higher levels of access than needed for basic administration.
Remediation Cost/Effort
Low
Recommendations
Administrators should have personal accounts set up to log in and perform basic administrative tasks. The passwords for the root and / or administrator accounts should be long and complex, and these accounts should only be used in the event of a disaster / emergency.
Ongoing Effort
Once in place, no follow-on effort should be required.
10. Remote access to Linux systems with "root" account is enabled
Risk Rating: High
Description
Linux systems at Caitlyn Raymond are configured to allow remote access using the "root" account. With this configuration, an attacker who guesses or obtains the root password (see Finding #11 on weak and default passwords) gains full control of the system over the network, with no audit trail tying the session to an individual.
Risk Analysis
The root account should be restricted to prevent system compromise and damage to the system. The root account can modify every aspect of the operating system, so any mistake made while logged in as root takes effect on the system immediately.
Remediation Cost/Effort
Low
Recommendations
Remote root login should be disabled on each Linux system (where remote access is via OpenSSH, this is the PermitRootLogin directive in sshd_config). Authorized users should log in with personal accounts and use sudo to run operations that require root-level privileges. Use of sudo allows accountability for changes to the system, and because each privileged command is run deliberately and logged, the chance of mistaken modifications is greatly reduced.
Ongoing Effort
Once in place, CRIR should ensure sudo is used for all remote administration.
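To make the check for this finding concrete, here is an added Python example, not CRIR's configuration or tooling, that reviews an sshd_config and rewrites it with remote root login disabled. It assumes remote access is via OpenSSH and that the host runs an OpenSSH release older than 7.0, where an absent PermitRootLogin directive means "yes" (the case for the Ubuntu 8.x systems in the inventory); the sample configuration is constructed for the example. The point it demonstrates is the one that catches administrators: sshd uses the first occurrence of a directive, so a "PermitRootLogin no" appended below an earlier "PermitRootLogin yes" changes nothing.

```python
"""sshd_config review for finding 10: is remote root login enabled?

Added example, not CRIR's configuration. Assumes OpenSSH; reproduces sshd's
first-occurrence-wins rule; OLD_OPENSSH_DEFAULTS reflects releases before 7.0.
"""
import re

# Constructed sample: the second PermitRootLogin line is the one an admin
# added to "fix" the problem, but sshd honours the first one.
SAMPLE_SSHD_CONFIG = """\
# Package generated configuration file
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
PermitRootLogin no
Subsystem sftp /usr/lib/openssh/sftp-server
"""

# Defaults applied when the directive is absent (OpenSSH before 7.0).
OLD_OPENSSH_DEFAULTS = {"permitrootlogin": "yes", "passwordauthentication": "yes"}


def effective_directives(text):
    """Parse the global section of an sshd_config the way sshd reads it:
    the first occurrence of a keyword wins, keywords are case-insensitive,
    lines starting with '#' are comments, and parsing stops at the first
    Match block because directives inside it are conditional."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        effective.setdefault(key, value)
    return effective


def root_login_issues(text, defaults=OLD_OPENSSH_DEFAULTS):
    """Human-readable issues with remote root access in this config."""
    cfg = effective_directives(text)
    issues = []
    root = cfg.get("permitrootlogin", defaults["permitrootlogin"]).lower()
    if root == "yes":
        how = "explicitly" if "permitrootlogin" in cfg else "by default (directive absent)"
        issues.append(f"remote root login permitted {how}")
        pw = cfg.get("passwordauthentication", defaults["passwordauthentication"]).lower()
        if pw == "yes":
            issues.append("root password can be guessed over the network")
    return issues


def harden(text):
    """Return the config with remote root login disabled in a way nothing can
    override: every existing PermitRootLogin line is commented out and a single
    'PermitRootLogin no' is placed first, before any later directive or Match."""
    out = []
    for raw in text.splitlines():
        if re.match(r"\s*permitrootlogin\b", raw, re.IGNORECASE):
            out.append("#" + raw + "   # disabled: use personal accounts and sudo")
        else:
            out.append(raw)
    return "PermitRootLogin no\n" + "\n".join(out) + "\n"


if __name__ == "__main__":
    for issue in root_login_issues(SAMPLE_SSHD_CONFIG):
        print("before:", issue)
    print("after:", root_login_issues(harden(SAMPLE_SSHD_CONFIG)) or "no issues")
```

After rewriting the file, restart sshd and confirm from a second session that "ssh root@host" is refused before closing the one you are logged in with; the running daemon keeps the old settings until it is restarted.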
11. Use of weak or default passwords
Risk Rating: High
Description
Many systems on the Caitlyn Raymond network have been configured with weak or default administrative passwords.
Risk Analysis
Weak and default passwords are easily compromised by malicious users, granting them unauthorized access to systems and network resources.
Remediation Cost/Effort
Low
Recommendations
CRIR should change all default passwords and require that all accounts, including service accounts, use strong passwords of at least 8 characters with a mix of upper case, lower case, numeric and special characters.
Ongoing Effort
Once in place, CRIR should continue to enforce the password requirements.
12. IT administrators unable to access network devices
Risk Rating: Low
Description
IT administrators at Caitlyn Raymond do not know how to access the switches and other network devices. Not only were the management IP addresses unknown, but usernames, passwords and console access were unavailable as well.
Risk Analysis
With no level of access for the current staff, the devices are completely unmanaged and are not being administered in any way; their configurations cannot be reviewed, backed up or updated.
Remediation Cost/Effort
Low
Recommendations
Network staff should have full access to and control over all network devices. Staff should console into each device, view the configuration, note the management IP addresses and set up user-level access as appropriate.
Ongoing Effort
Moving forward, whenever anything is added to the network, staff should be given appropriate access levels.
13. Broken processes for identity and authentication management
Risk Rating: Medium
Description
Formalized processes for adding and removing system accounts have not been developed. In some instances, system administrators no longer with the company still have accounts enabled.
Risk Analysis
Without strong identity and authentication management processes in place, an organization leaves itself susceptible to a compromise of information by a former employee.
Remediation Cost/Effort
Low
Recommendations
Remove or archive accounts for users that are no longer needed, and make sure that all files and data saved by those users have proper permissions set.
Ongoing Effort
Periodic reviews should be conducted to prevent stale accounts from building up in the future. This review should be defined in processes and procedures.
14. No system-state backups being taken
Risk Rating: High
Description
Caitlyn Raymond only backs up data residing on critical systems, not the system state. In addition, no backups are being taken of the configurations of key network devices.
Risk Analysis
Without system state backups, systems and applications will need to be rebuilt from scratch in the event of a disaster or the failure of a critical system component, greatly extending recovery timeframes.
Remediation Cost/Effort
Low
Recommendations
CRIR should develop a plan for backing up the system state of all servers. In addition, copies of network device configurations should be backed up, and restores should be tested so that the backups are known to be usable.
Ongoing Effort
Once an appropriate backup solution is in place, it will need to be periodically reviewed to ensure it continues to meet CRIR's requirements.
15. Backup tapes stored in IT administrator's homes
Risk Rating: High
Description
Backup tapes are being stored offsite in the network administrator's house, car, etc.
Risk Analysis
While backup tapes should be stored offsite so that they can be accessed in the event of a disaster, they should never be stored in an employee's home or vehicle because the risk of theft or other compromise is greatly increased. If the tapes are not encrypted (see Finding #28, sensitive data not encrypted), a lost or stolen tape exposes patient and donor data directly.
Remediation Cost/Effort
Low
Recommendations
Tapes should be kept in a fireproof safe in a secure offsite facility such as Iron Mountain, or in a bank safety deposit box. Alternatively, CRIR could store tapes in another facility that is part of the UMass Memorial Medical Center network.
Ongoing Effort
Tape management should be periodically reviewed for effectiveness.
16. No disaster recovery plan / business continuity management
Risk Rating: Medium
Description
Caitlyn Raymond does not have a formal disaster recovery or business continuity plan.
Risk Analysis
If a situation occurred in which staff were unable to get to the CRIR office, or the office was destroyed, the network and data would experience an extended outage.
Remediation Cost/Effort
High
Recommendations
CRIR should work with UHMV to determine whether there is an existing location to which CRIR could restore its servers and critical data, and from which staff could work, until the primary site is available again.
Ongoing Effort
Once developed, the plan should be reviewed by IT and executive management at least yearly to ensure it covers all of CRIR's recovery needs.
17. UPS devices not properly configured / maintained
Low
Description
The UPS devices in the Caitlyn Raymond data center are not configured properly and have not had regular annual maintenance done since their implementation.
Risk Analysis
Improper configuration / maintenance could cause UPS units to fail at time of incident. There is currently no generator backup for the CRIR environment.
Remediation Cost/Effort
Medium
Recommendations
Work to properly configure the UPS systems to fail over to generator power or to perform a graceful shutdown of the network once battery power has dropped. If it is determined that power outages must be prevented, CRIR should work to have the network placed on a generator backup system.
Ongoing Effort
Power management will need to be re-evaluated whenever network changes occur.
18. Detailed documentation of the network and communications links do not exist
Medium
Description
Caitlyn Raymond does not have a network diagram or documentation of network device configuration.
Risk Analysis
Without documentation of the network and its communication links, it would be very difficult for CRIR to troubleshoot any communication or networking issues.
Remediation Cost/Effort
Low
Recommendations
Grant Thornton has provided a detailed Visio diagram as part of this assessment.
Ongoing Effort
The Visio diagram should be updated any time a network change takes place.
19. Insecure wireless networking configuration
High
Description
Caitlyn Raymond has a wireless access point on its network but has not applied basic system security parameters that would prevent unauthorized access. Note: This device is currently unused by CRIR personnel.
Risk Analysis
The wireless implementation was a commercial wireless router using WPA for authentication. WPA is easily cracked using readily available free utilities, which could allow unauthorized access to the network.
Remediation Cost/Effort
Low
Recommendations
It was determined that wireless was no longer needed by the staff at CRIR, and the device was powered off. If the device is not required it should be permanently removed from the network.
Ongoing Effort
If it is determined in the future that wireless is needed a business class device that uses more robust security should be purchased and used.
20. No centralized logging / monitoring system
Medium
Description
Caitlyn Raymond has not deployed a centralized system for logging system access or event logs. Further, no process for reviewing system access or event logs stored locally on individual servers or network devices has been put in place.
Risk Analysis
Without centralized event logging and monitoring, IT administrators will not be able to detect malicious activity on the CRIR network or easily determine the root cause of system and network issues.
Remediation Cost/Effort
High
Recommendations
Deploy a centralized logging and monitoring system that will alert IT administrators when key events occur and provide access reports to management on a regular basis. Alternatively, Caitlyn Raymond could leverage any logging and monitoring system already deployed by the UMass Memorial Medical Center or turn to a 3rd party service to provide this functionality.
Ongoing Effort
Monitoring and logging will need to be periodically evaluated and updated to ensure they are best meeting the organization’s needs.
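The review process this finding calls for can be automated once logs from several hosts arrive at one collector. The following is an added example, not part of the original report: it parses constructed sshd log lines (the hostnames, addresses and times are made up) and raises the kinds of alerts an administrator should look at, namely failed-login bursts, remote root logins, and logins outside an assumed 07:00-19:00 business day.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in syslog/sshd format, as they would arrive at a
# central collector from several hosts (hostnames and IPs are made up).
SAMPLE_LOGS = """\
Apr 10 02:13:01 db01 sshd[2210]: Failed password for root from 10.9.8.7 port 51022 ssh2
Apr 10 02:13:03 db01 sshd[2210]: Failed password for root from 10.9.8.7 port 51023 ssh2
Apr 10 02:13:05 db01 sshd[2210]: Failed password for root from 10.9.8.7 port 51024 ssh2
Apr 10 02:13:08 db01 sshd[2211]: Accepted password for root from 10.9.8.7 port 51025 ssh2
Apr 10 09:30:12 web01 sshd[880]: Accepted publickey for deploy from 10.9.1.20 port 40211 ssh2
Apr 10 09:31:40 web01 sshd[881]: Failed password for invalid user admin from 10.9.1.55 port 40300 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+sshd\[\d+\]:\s+"
    r"(?P<result>Accepted|Failed)\s+\S+\s+for\s+(?:invalid user\s+)?(?P<user>\S+)"
    r"\s+from\s+(?P<src>[\d.]+)"
)

def parse(lines):
    """Turn raw lines into dicts; lines that do not match are ignored."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            # syslog timestamps carry no year; 2012 is assumed for the sample
            d["ts"] = datetime.strptime("2012 " + d["ts"], "%Y %b %d %H:%M:%S")
            events.append(d)
    return events

def review(lines, fail_threshold=3, window_s=60):
    """Return alert strings for patterns an administrator should look at."""
    events = parse(lines)
    alerts = []
    # 1. Bursts of failed logins from one source against one host.
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            failures[(e["host"], e["src"])].append(e["ts"])
    for (host, src), stamps in failures.items():
        stamps.sort()
        for i in range(len(stamps) - fail_threshold + 1):
            if (stamps[i + fail_threshold - 1] - stamps[i]).total_seconds() <= window_s:
                alerts.append(f"brute-force pattern: {fail_threshold} failures from {src} on {host}")
                break
    # 2. Any successful remote login as root.
    for e in events:
        if e["result"] == "Accepted" and e["user"] == "root":
            alerts.append(f"remote root login on {e['host']} from {e['src']} at {e['ts']:%H:%M}")
    # 3. Successful logins outside business hours (assumed 07:00-19:00).
    for e in events:
        if e["result"] == "Accepted" and not 7 <= e["ts"].hour < 19:
            alerts.append(f"after-hours login by {e['user']} on {e['host']} at {e['ts']:%H:%M}")
    return alerts

if __name__ == "__main__":
    for a in review(SAMPLE_LOGS):
        print(a)
```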
21. No network segmentation
Medium
Description
Caitlyn Raymond has deployed a flat, layer two network without VLANs. Regular users have not been placed in a different segment than IT administrators, servers or publicly accessible systems.
Risk Analysis
Without network level segmentation, IT administrators are unable to control which systems users on the internal network have access to. Effectively, all users have the ability to access all CRIR systems using any available service.
Remediation Cost/Effort
Medium
Recommendations
Implement multiple VLANs to separate traffic. At a minimum, a donor, patient, server, IT and DMZ VLAN should be deployed along with the associated access control lists.
Ongoing Effort
Network segmentation will need to be evaluated anytime an organizational or network change takes place.
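To show how the VLANs and access control lists named in this recommendation change what a user can reach, here is an added example (not from the report) that models the five segments with constructed addressing and evaluates candidate flows against an assumed first-match ACL with an implicit deny; intra-VLAN traffic is switched at layer two and never hits the ACL.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed VLAN layout for the five segments the recommendation names.
# Addressing is constructed for the example; CRIR's real addressing is unknown.
VLANS = {
    "donor":   "10.10.10.0/24",
    "patient": "10.10.20.0/24",
    "server":  "10.10.30.0/24",
    "it":      "10.10.40.0/24",
    "dmz":     "10.10.50.0/24",
}

@dataclass
class Rule:
    src: str              # VLAN name or "any"
    dst: str              # VLAN name or "any"
    port: Optional[int]   # None means any destination port
    action: str           # "permit" or "deny"

# Assumed ACL: first matching rule wins, implicit deny at the end.
ACL = [
    Rule("it", "any", None, "permit"),        # admin VLAN may manage everything
    Rule("donor", "server", 443, "permit"),   # donor users reach the app over HTTPS only
    Rule("patient", "server", 443, "permit"), # patient users likewise
    Rule("dmz", "server", 5432, "permit"),    # assumed DMZ web tier to database port
    Rule("any", "it", None, "deny"),          # nothing else reaches admin workstations
    Rule("any", "any", None, "deny"),         # explicit catch-all deny
]

def vlan_of(ip: str) -> Optional[str]:
    """Map an address to its VLAN name, or None if it is in no known segment."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in VLANS.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return None

def evaluate(src_ip: str, dst_ip: str, port: int) -> str:
    """Return 'permit' or 'deny' for a flow under the segmented design."""
    s, d = vlan_of(src_ip), vlan_of(dst_ip)
    if s is not None and s == d:
        return "permit"   # same VLAN: layer-two switched, ACL not consulted
    for r in ACL:
        if r.src in ("any", s) and r.dst in ("any", d) and r.port in (None, port):
            return r.action
    return "deny"         # implicit deny when no rule matches

if __name__ == "__main__":
    # In the current flat network every one of these flows is reachable.
    for src, dst, port in [("10.10.10.5", "10.10.30.10", 443),
                           ("10.10.10.5", "10.10.30.10", 22),
                           ("10.10.10.5", "10.10.40.2", 3389),
                           ("10.10.40.2", "10.10.30.10", 22)]:
        print(f"{src} -> {dst}:{port}  {evaluate(src, dst, port)}")
```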
22. Changes to Windows systems are made directly in production
Medium
Description
Caitlyn Raymond updates its Microsoft Windows environment without first testing changes in a development environment.
Risk Analysis
Updating systems in production prior to testing could cause systems instability or failure. If a mistake is made or a patch does not install correctly it will directly affect the production network.
Remediation Cost/Effort
Low
Recommendations
Test all changes to the production systems in a lab environment before applying. Use of VMware or other virtualization technologies can simplify this effort.
Ongoing Effort
Once a test environment is in place, CRIR should ensure testing prior to deployment to the production network is done moving forward.
23. No change control process
Medium
Description
A formal change control process is not in place for servers, operating systems, network devices or applications.
Risk Analysis
Network systems need periodic updates and configuration changes for proper operation. Without an appropriate process governing how and when system and network changes can take place, changes that are needed could be missed, or changes that are implemented incorrectly could damage the network.
Remediation Cost/Effort
Low
Recommendations
Develop a change control program describing how and when changes can take place on the network, including documentation of approvals and back-out procedures in case a change needs to be undone.
Ongoing Effort
Change control should be periodically reviewed and modified to best fit CRIR operations.
24. Insecure administrative access to 3rd party hosted web application server
High
Description
Caitlyn Raymond has not set up secure access to applications hosted with 3rd parties, including its email system and public web site.
Risk Analysis
Insecure communication protocols used for remote administration can be intercepted by an attacker. Use of any clear text or unencrypted protocols over the internet provides an open attack vector for compromise.
Remediation Cost/Effort
Low
Recommendations
Administrators should use a secure protocol such as SSH for remote administration.
Ongoing Effort
CRIR should periodically review communication protocols and make certain they are providing appropriate security.
25. Use of insecure protocols for data transfer / system management
Medium
Description
Caitlyn Raymond uses telnet, FTP, HTTP and other unencrypted protocols to manage server and network resources.
Risk Analysis
Weak encryption protocols such as older versions of SSL and weak communications protocols such as Telnet and FTP are in use throughout the CRIR network. Weak encryption can be easily intercepted and monitored.
Remediation Cost/Effort
Low
Recommendations
Insecure management protocols should be disabled. Only encrypted communication protocols should be used to manage server and network devices.
Ongoing Effort
CRIR should periodically review what is being used for network traffic encryption and communications and make sure it is both up to date and secure.
26. Desktop operating systems used to support server functions
Medium
Description
The MDIS and Terminal Server systems at Caitlyn Raymond utilize Windows XP to support a server based function.
Risk Analysis
Desktop software does not have the security or stability of server class software and has a higher risk of compromise or failure.
Remediation Cost/Effort
Medium
Recommendations
Desktop operating systems should be replaced with server software.
Ongoing Effort
When services are deployed CRIR should make sure that the system they are on supports it.
27. Access to financial system controlled by Access Database front-end
Medium
Description
Caitlyn Raymond’s financial system has not been converted to a web-based format and is still accessible using an Access Database.
Risk Analysis
Access is not scalable or secure enough to be deployed as a front end solution. The version of Access being used is no longer supported by the vendor.
Remediation Cost/Effort
High
Recommendations
CRIR should continue moving forward with plans to replace the Access front end with the solution they are using for the rest of the “Internet” application.
Ongoing Effort
Application staff should continue to replace solutions as they become obsolete.
28. Sensitive data not encrypted
Medium
Description
Donor and patient data stored in databases and flat files throughout the Caitlyn Raymond network is not encrypted.
Risk Analysis
Sensitive data, especially data containing PII (personally identifiable information) and financial data, will be the primary target if systems are compromised.
Remediation Cost/Effort
Low
Recommendations
Sensitive data should be stored in encrypted folders or be encrypted at the file level. This will add an additional layer of security should a system compromise take place. There are several free solutions available to CRIR, for example TrueCrypt for encrypted storage or GPG for file level encryption.
Ongoing Effort
CRIR should periodically review where sensitive data resides on the network and ensure it is being secured.
People Issues
29. IT personnel lack server and network administration skills
High
Description
CRIR Servers are not being adequately supported due to lack of systems expertise and training of the staff. Servers at CRIR are showing signs of failure due to years of being run by staff that was not trained on systems administration and what is required to maintain server functionality.
Risk Analysis
Almost all of the findings identified earlier in this report are attributable to a lack of system / network administration skills with the IT function at CRIR.
Remediation Cost/Effort
High
Recommendations
Staff need to either be properly trained on server administration, or additional staff will need to be brought in to manage the network. A second option is to allow the UMass Memorial Medical Center or a 3rd party service provider to take over the responsibility for server and network management.
Ongoing Effort
As technology changes, training will need to be conducted to ensure staff remain knowledgeable on operations and administration of servers.
30. Understaffed
High
Description
There are not enough resources available to adequately manage the network. The current structure has two staff members splitting their time between network and server operations and their primary assignment of managing the ‘Intranet’ application.
Risk Analysis
Almost all of the findings identified earlier in this report are attributable to a lack of system / network administration skills with the IT function at CRIR.
Remediation Cost/Effort
High
Recommendations
CRIR should consider hiring at least one additional resource that is trained in network and server administration. A second option for CRIR to consider is to outsource the network and server administration roles; this can be done within the UMass Memorial Medical Center system or with a 3rd party service provider.
Ongoing Effort
Staffing size should complement the size of CRIR operations and will need to be assessed whenever organizational changes take place.
Appendix A: Tools Utilized

Tool: Burp Suite
Assessment Tools Function: Burp Suite is an integrated platform for performing security testing of web applications.
CRIR Service: Burp Suite was used to test security of the “Internet” application at CRIR. The results of testing did not uncover any notable findings.

Tool: OWASP-ZAP (Open Web Application Security Project – Zed Attack Proxy)
Assessment Tools Function: The Zed Attack Proxy (ZAP) is an integrated testing tool for finding vulnerabilities in web applications. ZAP contains automated scanners as well as a set of manual tools to find security vulnerabilities.
CRIR Service: OWASP-ZAP was used to test the “Internet” application at CRIR for security and security bypass vulnerabilities. The results of testing did not uncover any notable findings.

Tool: Data Collection Scripts
Assessment Tools Function: Basic system scripts used to automate the collection process for gathering system configurations. System configurations are reviewed for vulnerabilities and compliance.
CRIR Service: Data collection scripts were provided to CRIR to collect data from the Windows and Linux systems on the CRIR network. The data returned from the scripts was used to perform a systems configuration review of the CRIR systems.

Tool: Nessus Vulnerability Scanner
Assessment Tools Function: Nessus is a network vulnerability scanner used to identify possible vulnerabilities on computer networks.
CRIR Service: Nessus was used to scan the CRIR network. The scan uncovered 163 unique vulnerabilities related to outdated systems and software as well as missing system patches and maintenance.

Tool: Nmap (Network Mapper)
Assessment Tools Function: Nmap is a scanning tool used to discover hosts and services on a computer network.
CRIR Service: Nmap was used to identify unmanaged switches on the CRIR network.

Tool: TCPView
Assessment Tools Function: TCPView is a Windows program that will show you detailed listings of all TCP and UDP endpoints on your system, including the local and remote addresses and state of TCP connections.
CRIR Service: TCPView was run to identify running services on the CRIR network. TCPView was able to identify an excessive number of services running on the CRIR network.
Appendix B: Outsourcing Analysis
One potential solution that will address many of the issues uncovered during this assessment is to outsource the data center and management of the technology infrastructure to the UMass Memorial Medical Center. In this model, Caitlyn Raymond’s existing IT team will be able to focus on doing what they do best – developing and managing applications and databases to support the international registry. Server, network and data center support will be the responsibility of UMass’s infrastructure team and be folded into their existing processes. While Grant Thornton absolutely recommends this model for IT management as a solution for Caitlyn Raymond, there are a number of caveats that must be considered.
Technology Refresh Still Required
Even if Caitlyn Raymond migrates its technology infrastructure into UMass’s datacenters, the underlying technology infrastructure will still need to be refreshed. This will include upgrading hardware, software and operating systems as well as applying secure configurations to all devices.
As a part of this process, Caitlyn Raymond will need to evaluate different options for their technology including the use of physical vs. virtual servers, directly attached storage vs. NAS / SAN, utilization of cloud based technologies, shared vs. stand-alone database structures and a host of other key design choices. If this exercise is not completed, Caitlyn Raymond will be essentially picking up a problem and moving it to another location without addressing the underlying issues.
Requirements Definition
While it is expected that UMass would take on the responsibility of managing and maintaining Caitlyn Raymond’s technology infrastructure in this outsourced model, the registry will still be responsible for defining requirements for key IT processes for the hospital. For example, backup and patching schedules, system access policies, data classification systems, system configuration standards and numerous other items will still need to be developed by Caitlyn Raymond and communicated to UMass.
Responsibility Matrix
If Caitlyn Raymond does choose this model for IT management, the responsibility for addressing each of the findings in this report will be split between itself and the UMass Memorial Medical Center. In the chart below, we’ve assessed which entity will be responsible for addressing each finding:
Policy, Process and Organizational Issues
Finding: Responsibility
1. No Information security policy: CRIR / UMASS
2. Information security responsibilities not defined: CRIR / UMASS
3. Information security processes, standards, and guidelines not established: UMASS

Technical Issues
Finding: Responsibility
4. Use of out-of-warranty, out-of-date or unsupported hardware: CRIR
5. Use of consumer based products in an enterprise environment: CRIR
6. No patch or vulnerability management for operating systems or applications: UMASS
7. No server configuration standards / system hardening: CRIR / UMASS
8. Use of unnecessary or undocumented services and applications: CRIR
9. Use of “administrator” / “root” account to manage systems: CRIR / UMASS
10. Remote access to Linux systems with “root” account is enabled: CRIR / UMASS
11. Use of weak / or default passwords: UMASS
12. IT administrators unable to access network devices: UMASS
13. Broken processes for identity and authentication management: UMASS
14. No system-state backups being taken: UMASS
15. Backup tapes stored in IT administrator’s homes: UMASS
16. No disaster recovery plan / business continuity management: CRIR / UMASS
17. UPS devices not properly configured / maintained: UMASS
18. Network diagram does not exist: UMASS
19. Insecure wireless networking configuration: UMASS
20. No centralized logging / monitoring system: UMASS
21. No network segmentation: UMASS
22. Changes to Windows systems are made directly in production: UMASS
23. No change control process: UMASS
24. Insecure administrative access to 3rd party hosted web application server: UMASS
25. Use of insecure protocols for data transfer / system management: CRIR / UMASS
26. Desktop operating systems used to support server functions: CRIR
27. Access to financial system controlled by Access Database front-end: CRIR
28. Sensitive data not encrypted: CRIR

People Issues
Finding: Responsibility
29. IT personnel lack server and network administration skills: UMASS
30. Understaffed: UMASS
© Grant Thornton LLP. All rights reserved. U.S. member firm of Grant Thornton International Ltd. This proposal is the work of Grant Thornton LLP, the U.S. member firm of Grant Thornton International Ltd, and is in all respects subject to negotiation, agreement and signing of specific contracts. The information contained within this document is intended only for the entity or person to which it is addressed and contains confidential and/or proprietary material. Dissemination to third parties, copying or use of this information is strictly prohibited without the prior written consent of Grant Thornton LLP.