Case Study: Security Woes

PCQ Bureau

The last two years were bad for the MHR Corporation, and Kulvinder Singh, the CTO, had seen his IT budgets drop down to almost zero. It was time for the annual budgets once again, and after a lot of effort, the MD had agreed to authorize urgent expenditure.

As a part of assessing hardware and software requirements, one of his more enterprising deputies did a quick sampling of the 364 desktop PCs at the corporate office. The results of that survey had just reached his inbox, and he got a sickening feeling just reading it. More than half the desktops checked did not have their anti-virus software updated with recent virus signature files. Three-fourths had not changed the default e-mail password (which was the same as the user name), and no one had installed OS patches. And one of the local mail servers seemed to be an open relay! For a fleeting moment, he wondered about the situation at the seven branch offices across the country.

MHR used the Net extensively in dealing with its branches, customers and suppliers. Information like contract documents, marketing plans, cheque and draft numbers, bank-account details and collection details was regularly transmitted by e-mail.

Kulvinder’s first thought was that he would recommend that MHR bring in a security consultant. But given the bad times, he knew that was likely to be shot down. Kulvinder was beginning to feel a bit out of his depth, and was wondering what he should do to ensure that MHR’s data remained safe and secure. The budget constraints also loomed darkly in his mind.

Answer 1

Srinivas Tejomurty is Practice Head-Security Consulting at Secure Synergy

The result of the survey conducted by Kulvinder’s deputy clearly underlines the slipshod state of information security in MHR Corporation. Kulvinder needs to take urgent steps to plug the identified security holes. Availing the MD’s ‘urgent expenditure’ sanction, he should immediately:

  • Implement organization-wide security awareness and training programs. These can overcome most of the vulnerabilities that surfaced in the survey;
  • Implement an anti-virus solution that automates signature-file updating without end-user intervention, and provides enterprise-wide anti-virus management capability;
  • Implement robust password management in MHR that enforces default password change at first-time login, periodic changes, and minimum password length;
  • Disable relay configuration in email servers;
  • Manage enterprise-wide patch updating by use of vendor-specific free tools (eg Microsoft Baseline Security Analyzer);
  • Enforce email encryption — internally and with suppliers using tools like PGP;
  • Budget permitting, implement automatic patch updating, SSL for customers, and VPNs between branch offices, HO and suppliers.

Simultaneously, Kulvinder also needs to plan for a holistic security framework for MHR. He needs to put in place a robust security architecture with the right blend of management, operational, and technical controls to mitigate MHR’s information risks. For this, a comprehensive security assessment needs to be undertaken, followed by development of an enterprise security policy, from which would flow MHR’s security architecture. Considering the dismal state of information security in MHR, it may be presumed that the organization has no internal information security skills. Therefore, Kulvinder would need to appoint an external security consultant to architect a comprehensive solution.

However, for this, Kulvinder has to first convince MHR’s top management of the need for a reasonable security budget. Post 11 Sept 2001, there is an enhanced awareness amongst top management on information security. Globally, though IT spending has declined, IT security spending has increased. Therefore, despite bad times, Kulvinder will not face an impossible task convincing his management for the required resources.

To begin, Kulvinder needs to study MHR’s ‘information assets’ for evaluating their criticality from a business perspective and the impact of their non-availability due to any contingencies. Further, he must also assess potential threats to the information assets, and identify existing vulnerabilities in the IT infrastructure. 

Kulvinder should then highlight to the management the existing risks and the resources required to manage the risks within acceptable limits. Once resources are committed, Kulvinder should implement a comprehensive IT security policy and architecture to support MHR’s business mission.
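The open relay that turned up in the survey is the one finding in this answer that can be confirmed with a direct test rather than a policy. The Python script below is an added example, not part of the original article or of Secure Synergy’s advice: it runs the classic relay probe (a foreign MAIL FROM, a foreign RCPT TO, then RSET and QUIT so that nothing is ever delivered) against an SMTP server, and includes a constructed in-memory stand-in for MHR’s mail server so the script runs offline. The probe addresses, the mhr.example domain and the stand-in server’s behaviour are assumptions made for the example.

```python
"""Open-relay probe for an SMTP server.

A relay test sends MAIL FROM a foreign address and RCPT TO another foreign
address. A properly restricted server rejects the RCPT TO with a 5xx
(typically "554 5.7.1 Relay access denied"); an open relay answers 250.
The probe issues RSET and QUIT before DATA, so no message is delivered.
"""
import socket

# Both addresses are outside the server's own domain (assumed values).
PROBE_SENDER = "relaytest@example.net"
PROBE_RECIPIENT = "relaytest@example.org"


class SocketTransport:
    """Line-oriented SMTP client transport over a real TCP connection."""

    def __init__(self, host, port, timeout=10):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.rfile = self.sock.makefile("rb")

    def send_line(self, line):
        self.sock.sendall((line + "\r\n").encode("ascii"))

    def read_reply(self):
        """Consume one SMTP reply (continuation lines are 'NNN-') and return its code."""
        while True:
            line = self.rfile.readline()
            if not line:
                raise ConnectionError("server closed the connection")
            if len(line) >= 4 and line[3:4] == b" ":
                return int(line[:3])

    def close(self):
        self.sock.close()


def probe_open_relay(transport):
    """Return True if the server accepts a foreign sender AND a foreign recipient."""
    if transport.read_reply() != 220:            # greeting banner
        raise RuntimeError("no SMTP banner")
    transport.send_line("HELO probe.example.net")
    if transport.read_reply() != 250:
        raise RuntimeError("HELO rejected")
    transport.send_line(f"MAIL FROM:<{PROBE_SENDER}>")
    if transport.read_reply() != 250:
        relays = False                           # foreign sender refused: not relaying
    else:
        transport.send_line(f"RCPT TO:<{PROBE_RECIPIENT}>")
        relays = transport.read_reply() in (250, 251)
    transport.send_line("RSET")                  # abandon the transaction
    transport.read_reply()
    transport.send_line("QUIT")
    return relays


def probe_host(host, port=25):
    """Probe a real server; run this from outside the server's trusted networks."""
    transport = SocketTransport(host, port)
    try:
        return probe_open_relay(transport)
    finally:
        transport.close()


class FakeSmtpServer:
    """Constructed in-memory stand-in for MHR's mail server (not a real MTA).
    open_relay=True models the misconfigured server from the case study."""

    def __init__(self, open_relay, local_domain="mhr.example"):
        self.open_relay = open_relay
        self.local_domain = local_domain
        self.pending = [220]                     # queued reply codes, banner first

    def send_line(self, line):
        verb = line.split(":", 1)[0].split(" ", 1)[0].upper()
        if verb == "RCPT":
            rcpt = line.split("<", 1)[1].rstrip(">")
            local = rcpt.lower().endswith("@" + self.local_domain)
            self.pending.append(250 if (self.open_relay or local) else 554)
        elif verb == "QUIT":
            self.pending.append(221)
        else:
            self.pending.append(250)

    def read_reply(self):
        return self.pending.pop(0)


def demo():
    """Probe both constructed servers: the open relay and a restricted one."""
    return {
        "open_relay": probe_open_relay(FakeSmtpServer(open_relay=True)),
        "restricted": probe_open_relay(FakeSmtpServer(open_relay=False)),
    }


if __name__ == "__main__":
    print(demo())   # {'open_relay': True, 'restricted': False}
```

Run probe_host() from a machine outside the server’s trusted address ranges, since most MTAs decide relaying by source address and a test from the LAN will pass trivially. A 250 to the foreign RCPT TO is the signature of an open relay; a few MTAs accept at RCPT and only refuse at DATA, so treat a positive result as a strong indicator and confirm against the server’s relay configuration.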

Best Solutions from Readers

Many of you sent in solutions to the Security Woes case study published in our February 2003 issue. Here are some of them. Those whose answers are printed will receive gifts from PCQuest.

Hemant K Mohapatra, Asst Director, STPI , International Infotech Park, Navi Mumbai

Define security policy

MHR needs to define their security policy for internal and external network access. The awareness of individuals needs to be enhanced.

As MHR corporation has nationwide operations, I suggest that a VPN be established for secure transactions between branch offices and HO (head office) and vice versa. The VPN concentrator can be placed at the head office and branch offices can have client devices and software to connect to HO. Customers and suppliers can also connect to HO through VPN clients.

Server-based mail scanners are available that scan the mails and their contents before delivery. The mail server having an open relay is due to misconfiguration. Mail servers on the Linux platform provide a very stable and secure system. They are easy to set up and manage. Many companies offer Linux products that can be used for proxy, mail, firewall, bandwidth management etc, all in one.

MS Raghunath, Officer in the Indian Navy

Audit security

At the outset, it would do a lot of good for the CTO to undertake a security audit of the enterprise, either in-house or by an external competent entity. This would enable him to evaluate and quantify the threats the company faces and also to sell his case with the management.

If hiring an external security consultant is not affordable or desirable, train one. The enterprising deputy of his seems to be an ideal candidate with the right aptitude.

In the scenario projected, training must be given first priority. Training is not only absolutely essential, but shall also give the largest cost benefits.

Train/educate your employees on elementary computer security issues like password management, anti-virus measures, acceptable and unacceptable use of resources etc. Even a one-day seminar would do wonders.

Note: Do not trust even your vendors when it comes to network security. They may be plain stupid, ignorant if not downright malicious. Verify and validate every security feature that is claimed to be implemented; in particular, go through the firewall(s) rules, router(s) rules and access control lists with a fine-tooth comb.

Ketan Saitwadekar, Sr Systems Administrator, STAR India, Mumbai

Automate Windows Patches

Updating OS patches on all clients can be managed by installing SMS server from Microsoft. It has a very good feature of filtering clients by their OS versions as well as user-defined configurations. A policy can be set on the SMS server to push OS patches and updates for different OSs like Win 95/98/2000 independently without any user intervention. These patches will install at a predetermined date and time when a user connects to the network.

Robin Vaz, Asst Systems Administrator, Victory Team, Dubai

Virus checks needed

The antivirus software on each desktop PC should be configured to automatically check for the latest virus signature files, either directly from the Internet or from a shared location in the local network that has the latest downloaded virus signature files. A schedule for checking updates can be set at system startup or on a specific day in the week.

A policy of maximum password age can be implemented so that users do change their passwords after a stipulated period.
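The password findings in the survey (three-fourths of desktops still on the default password, which was the user name) and the maximum-password-age policy suggested in this answer and in Answer 1 can both be checked from an account export before any new policy is pushed out. The Python below is an added example, not from the article or from any of the readers quoted: it tests each stored hash against the user name and a few default-style variants of it, and flags passwords older than the policy’s maximum age. The export format, the salted SHA-256 scheme, the 90-day limit, the candidate list and the sample accounts are all constructed for the example; against a real system, substitute that system’s own hash function.

```python
"""Audit an account export for the two password findings from the survey:
accounts still on the default password (the user name, or a trivial
variant of it) and passwords older than the maximum age the policy allows.
The export format and hashing scheme are constructed for this example."""
import hashlib
import hmac
from datetime import date, timedelta

MAX_PASSWORD_AGE = timedelta(days=90)      # assumed policy value


def hash_password(salt, password):
    """Assumed scheme: per-user salt + SHA-256. A real audit must reuse the
    hash function of the system being audited (e.g. the mail server's)."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def default_candidates(user):
    """Default-style passwords to test for: the user name itself, a
    capitalised form, and the usual '1' / '123' suffixes (assumed list)."""
    base = [user, user.capitalize()]
    return base + [b + suffix for b in base for suffix in ("1", "123")]


def audit(rows, today, max_age=MAX_PASSWORD_AGE):
    """rows: (user, salt, stored_hash, last_change as ISO date).
    Returns a list of (user, finding) tuples in export order."""
    findings = []
    for user, salt, stored, last_change in rows:
        for candidate in default_candidates(user):
            # constant-time compare is not needed offline but is the idiom to keep
            if hmac.compare_digest(stored, hash_password(salt, candidate)):
                findings.append((user, "default-password"))
                break
        if today - date.fromisoformat(last_change) > max_age:
            findings.append((user, "stale-password"))
    return findings


# Constructed sample export; hashes are computed here so the example is self-contained.
SAMPLE_EXPORT = [
    ("kulvinder", "x7q", hash_password("x7q", "Tr0ub4dor&3"), "2003-01-15"),
    ("rsharma",   "p2m", hash_password("p2m", "rsharma"),     "2001-06-01"),
    ("mrao",      "k9c", hash_password("k9c", "Mrao123"),     "2003-01-20"),
    ("apatel",    "d4z", hash_password("d4z", "s3cret!Pass"), "2002-09-01"),
]


def demo():
    """Audit the sample export as of the February 2003 survey date."""
    return audit(SAMPLE_EXPORT, date(2003, 2, 1))


if __name__ == "__main__":
    for user, finding in demo():
        print(f"{user}: {finding}")
```

On the sample, rsharma is flagged twice (still on the user-name password, and not changed in over a year), mrao only for a default-derived password, and apatel only for age. Minimum length cannot be audited from hashes, so that part of the policy has to be enforced at password-change time rather than checked after the fact.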

Jaydip Nandi, Senior Network Manager, IMG, New Delhi

Plug vulnerabilities

MHR corporation should immediately undergo a security audit. This will reveal all the vulnerabilities and loopholes that exist in the systems and network and the steps to be taken to safeguard company assets.

Here are some things which could be done: 

  • All the offices should have firewalls and be interconnected by VPN with 168-bit triple DES.
  • All the OSs should be hardened and proper access control lists should be applied to routers and switches.
  • SSL should be used for e-mail encryption.
  • A security policy complying with BS7799 should be formulated. This should cover network, personnel and physical security codes of practice plus best practices on secure behavior too. The policy should be documented and validated and needs to be constantly updated as business goals change.

Now these things need to be done cost-effectively with budget constraints kept in mind. The best solution is to outsource managed security services from a security service provider. This means that there are no problems of upfront cash flow, capital expenditure or threat of obsolescence, while skilled manpower is readily available.

Ashok Prabhu, General Manager, Kinfotech, Bangalore

Data security is critical

While you wish to secure all your critical assets, the focus is on the data. Since you communicate extensively with your clients, branches and suppliers, you need to set up a VPN solution for secure communication between your branches and clients and also set up an extranet for suppliers. MHR needs to develop a security policy immediately. Once that is done, install a security policy manager that conforms to BS 7799 standards on critical servers. Add those security policies that you have developed to the solution. Ensure that you schedule an audit of the same every week/month. The solution can also do vulnerability management so that you are aware of emerging security loopholes.

Next Month’s Case: Server Proliferation

Kasim Sayed was one of the old boys. From a hands-on Unix administrator he had become the CTO of a multi-crore organization. Although he liked to argue in favor of Unix on big iron, Sayed ran the company’s heterogeneous network fairly efficiently, and in an emergency he could actually roll up his sleeves and give his young network administrators a run for their money, on Unix or Windows.

What bothered him now was the proliferation of servers in the organization. At last count there were 37 machines across the country that the IS department classified as servers. These ran a variety of OSs including OS 400, Solaris, Linux, Win 2000, and there was even one machine with NT. They ran a variety of jobs, ranging from accounting, mail for the 1000-plus employees spread across 23 locations (6 mail servers), an Intranet, sales applications and assorted other activities. Managing so many servers was becoming a big task, and he did actually long for the days when he could have telneted into a server over a dialup modem. Going by plans for the future, the number of servers could only increase.

His team was divided on what to do. Someone advocated consolidating all the servers into one location with wide pipes to all offices. Another argued that consolidation should be at the regional level. A third was in favor of letting the servers remain as such and instead install an enterprise-wide network management software. A fourth wanted to do away with the multiplicity of hardware and operating systems and move to a uniform server spec and OS, but was not sure which one to choose.
