BEACHWEAR CLOTHING
Vulnerability Assessment Report
Recommendations for Improvements to Security
Christine Cogswell
6/30/2014
This document is a vulnerability assessment as well as recommendations to improve the information security at Beachwear Clothing. It addresses security policies, business continuity and the software currently in place.
Table of Contents
Vulnerability Assessment Plan ..... 3
  Asset Identification ..... 3
Threat Identification and Evaluation ..... 4
  Vulnerability Impact Scale ..... 4
  Threat Evaluation - People ..... 4
  Threat Evaluation - Physical ..... 5
  Threat Evaluation - Data (outsourced) ..... 5
  Threat Evaluation - Hardware ..... 6
  Threat Evaluation - Software ..... 6
Vulnerability Appraisal ..... 7
  Baseline Security ..... 7
Risk Assessment and Mitigation ..... 8
  People ..... 8
  Physical ..... 9
  Data ..... 11
  Hardware ..... 12
  Software ..... 14
Passwords ..... 15
  Password policy settings ..... 15
  Account lockout policy settings ..... 16
Software Threats ..... 17
Security Policy ..... 18
Business Continuity Plan ..... 20
Recommendations ..... 21
Beachwear Clothing Vulnerability Assessment Report
1|Page
BEACHWEAR CLOTHING SECURITY CONCEPTS PROJECT SPECIFICATIONS
Beachwear Clothing employs 108 people. The company's headquarters is located on the fourth floor of a rented office building in Billerica, MA. Currently there are 3 retail stores: one in Massachusetts, one in Rhode Island and one in Florida.
Headquarters in Billerica, MA:
- President: Chris Cogswell
- Vice-President: 1
- Office Workers: 15
3 Retail Stores:
- General Manager: 1
- Store Manager: 3
- Retail Workers: 20 in each store
Sales Force:
- Sales Reps: 15
Suppliers:
- Suppliers: 10 in United States
- Supplier: 1 in Canada
- Supplier: 1 in Mexico
Cloud Business Management Software Suite: NetSuite
VULNERABILITY ASSESSMENT PLAN
ASSET IDENTIFICATION
- People Assets
  o President
  o Vice-President
  o Employees
    - Office workers
    - Store Managers
    - Retail workers
    - Sales Reps
    - Cleaning staff (outsourced)
    - Suppliers
    - Celebrity spokesperson
  o Customers
- Physical Assets
  o Building
  o Inventory
  o Office furniture
  o Retail store assets (other than inventory)
- Data Assets
  o Accounting Records
  o Employee records
  o Customer records
  o Supplier records
  o Sales Rep records
  o Inventory records
- Hardware Assets
  o Office computers, network equipment, printers
  o Store computers, cash registers, printers
  o Sales Reps laptops
  o Sales Reps cellphones
  o Sales Reps Tokens
  o Pillar Checkpoint Security Towers
  o Super Tags
- Software Assets
  o Microsoft Office
  o Microsoft Security Essentials
  o NetSuite
THREAT IDENTIFICATION AND EVALUATION
VULNERABILITY IMPACT SCALE (CIAMPA, 2012, P. 129)

THREAT EVALUATION - PEOPLE
People | Threat Example | Impact
President, Vice-President | Death; Retirement | Significant
Office Workers, General Manager, Store Managers, Retail Workers, Sales Reps | Theft; Human Error; Disgruntled Employee; Not following security policies | Significant to Major
Cleaning Staff | Unauthorized access; Theft | Small Impact
Suppliers | Going out of business | Major
Celebrity Spokesperson | Celebrity Spokesperson Scandal | Significant
Customers | Theft - Minor (100) | Small Impact
THREAT EVALUATION - PHYSICAL
Physical | Threat Example | Impact
Building | Natural Disasters (Fire, Storms, Power Outages) | Significant to Catastrophic
Building | Rent Increase: Minor Increase | Small Impact
Building | Rent Increase: Major Increase | Significant
Building | Not able to renew lease | Catastrophic
Inventory | Production stopped because of strike at supplier; Shipping stopped because of strike at shipping company | Catastrophic
Inventory | Minor theft by employees | Small Impact
Inventory | Major theft by employees | Significant
Office Furniture | Aging and outdated furniture | Small Impact
Retail Store Assets (other than inventory) | Vandalism; Theft; Pillar Checkpoint Security Towers not working | Small Impact to Significant
THREAT EVALUATION - DATA (OUTSOURCED)
Data (outsourced) | Threat Example | Impact
Records: Accounting Records, Employee Records, Supplier Records, Sales Rep Records, Inventory Records | Server Down; Terrorist attack on Web; Network Failures | Major
THREAT EVALUATION - HARDWARE
Hardware | Threat Example | Impact
Office Computers, Network equipment, Printers | Breakage (Human); Breakage (Software); Theft | Significant to Catastrophic
Office Computers, Network equipment, Printers | Aging | Small Impact to Significant
Retail store computers, Cash Registers, Printers, Pillar Checkpoint Security Tower, Super Tags | Breakage (Human); Breakage (Software); Theft; System Hacked; Vandalism | Significant to Catastrophic
Retail store computers, Cash Registers, Printers, Pillar Checkpoint Security Tower, Super Tags | Aging | Small Impact to Significant
Sales Reps iPads, Sales Reps cellphones, Sales Rep Tokens | Breakage (Human); Breakage (Software); Theft | Significant to Major
Sales Reps iPads, Sales Reps cellphones, Sales Rep Tokens | Aging | Small Impact to Significant
THREAT EVALUATION - SOFTWARE
Software | Threat Example | Impact
Application Programs, Email, Microsoft Office 2013, Microsoft Security Essentials | Software attacks from viruses, worms, DoS, spam, spyware and malware; Software failure or errors; Technical obsolescence; Unauthorized users | Significant to Major
VULNERABILITY APPRAISAL
BASELINE SECURITY
Asset | Baseline Security in Place
People | Passwords; Screensavers; Badges; Tokens
Building (Billerica) | Badges for employees to enter building; President's and Vice-President's offices key locked; Fire Extinguishers; Sprinkler Systems; Backup Generators; Security Cameras
Retail Stores | Manager Office key locked; Fire Extinguishers; Sprinkler Systems; Backup Generators; Pillar Checkpoint Security Towers; Super Tags; 2 Security Cameras
Data (outsourced) | All data is outsourced to NetSuite
Hardware | Power Strips; Locked cabinet (for Super Tags)
Software | Scheduled downtime for maintenance, upgrades and updates; Virus protection
RISK ASSESSMENT AND MITIGATION
Risk can never be totally eliminated, but it can be minimized by the application of IT security controls. The decision as to what level of risk will be accepted will be based on management review of the identified IT security controls needed to mitigate risk versus the potential impact of implementing those controls on available resources and system operations. The Risk Assessment identifies the current level of risk for the application and provides risk mitigation recommendations for management review (DEPARTMENT OF HOUSING AND URBAN DEVELOPMENT, n.d.).

PEOPLE
Asset | Vulnerability | Risk Mitigation | Diminish / Transfer / Accept
President and Vice-President | Accident resulting in death or injury of President and Vice-President traveling together | President and Vice-President should never travel on the same airplane | Diminish
President and Vice-President | President or Vice-President retires | Plan to interview possible candidates six months prior to retirement | Diminish
President and Vice-President | Security breach because of weak passwords | Enforce stronger passwords (see the Password Policy Settings and Account Lockout Policy Settings tables for parameters) | Diminish
All Employees | Not following security policies | Conduct security education training for new employees and mandatory follow-up training every six months for all employees | Diminish
All Employees | Employee leaving job | Access to all systems immediately revoked; accounts, passwords and badges deleted or disabled; key locks changed | Diminish
All Employees | Injury on the job | OSHA training; Insurance | Diminish; Transfer
Retail Workers | Theft of bathing suits or accessories from store | Mandatory bag check whenever an employee leaves the store | Diminish
Sales Reps | Broken, lost or stolen tokens | Insurance coverage which includes device replacement and 24/7 technical support | Transfer
Sales Reps | Broken, stolen or lost iPads/laptops | Insurance coverage which includes device replacement and 24/7 technical support; Passwords on all devices | Transfer; Diminish
Sales Reps | Broken, lost or stolen cell phones | Insurance coverage which includes device replacement and 24/7 technical support; Passwords on cellphones | Transfer; Diminish
Celebrity Spokesperson | Scandal resulting in damage to brand | Require celebrity to sign a morals clause as part of contract | Diminish
Customers | Theft of bathing suits or accessories from store | Pillar Security Checkpoint Towers installed at exits and Super Tags installed on all items costing over $25.00; Install 6 additional security cameras in each store; Loss prevention training for new employees and mandatory follow-up training every six months for all employees | Diminish
Customers | Customer dissatisfaction resulting from store closing, fire, natural disasters, etc. | Offer coupons, incentives and rewards | Diminish and Accept
Cleaning Staff (outsourced) | Theft of bathing suits or accessories from store | Security cameras | Diminish
Suppliers | Supplier going out of business | Add 3 additional suppliers | Diminish
PHYSICAL
Asset | Vulnerability | Risk Mitigation | Diminish / Transfer / Accept
Building | Natural disaster causing the office space in Billerica to shut down | Insurance and cold-site contract with building owner | Transfer; Diminish
Building | Any disaster resulting in employees leaving the building | Conduct employee safety and fire awareness training and drills | Diminish
Building | Fire | Fire and sprinkler systems | Diminish
Building | Fire causing the office space in Billerica to shut down | Fire insurance and cold-site contract with building owner | Transfer; Diminish
Building | Water and smoke damage from fire | Fire insurance | Transfer
Building | Power outage | Back-up generators | Diminish
Building | Minor rent increase | (none) | Accept
Building | Major rent increase | Look for other building rentals and compare costs | Accept; Diminish
Building | Building owner will not renew lease at end of term | Immediately employ a reputable realtor to secure another rental building; begin planning the transfer of employees and equipment | Diminish
Inventory | No product because of a strike at the supplier's business | Have contracts for products from 5 additional suppliers | Diminish
Inventory | No product because of fire and water damage | Insurance | Transfer
Inventory | Loss of inventory from theft | Add 5% additional inventory to each order to make up for the loss | Accept
Retail Store Assets (other than inventory) | Broken windows from vandalism | Insurance and security cameras outside of stores | Transfer; Diminish
Retail Store Assets (other than inventory) | Manikins damaged from vandalism | Insurance and security cameras | Transfer; Diminish
Retail Store Assets (other than inventory) | Pillar Checkpoint Security Towers not working | Fix or replace with new towers; purchase extended warranty | Transfer
Office Furniture | Employees stealing office supplies | Security cameras installed in office and back rooms of retail store | Diminish
Office Furniture | Employees have no pride in their surroundings because of aging and outdated office furniture, which may lead to having no pride in their work | Every year put money in the budget to replace the oldest office furniture | Accept or Diminish
DATA
Asset | Vulnerability | Risk Mitigation | Diminish / Transfer / Accept
Data on computers, laptops, iPads and cellphones | Attackers discover and compromise covered data on devices that are not secured against vulnerabilities | Automate daily vulnerability testing; generate alerts and escalate visibility of critical vulnerabilities within 48 hours; compare prior scans to verify that vulnerabilities are addressed | Diminish
Data on computers, laptops, iPads and cellphones | Overly permissive default configuration settings provide an attacker with the ability to access data without authorization | Secure device configurations | Diminish
Data on computers, laptops, iPads and cellphones | Attackers use and deploy malicious software to gain unauthorized access to systems and sensitive data | Allow installation of software packages required for business purposes only | Diminish
Data from HR, accounting, customer accounts, and supplier accounts | Data is compromised, lost, stolen or managed incorrectly, resulting in a security breach | All data is outsourced to NetSuite | Transfer
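The first data-risk mitigation (daily automated scanning, escalation of critical findings within 48 hours, and comparison against the prior scan to confirm fixes) is the kind of control that only works if someone actually diffs the two runs. The script below is an added example, not code from the report or from any scanner product: it models that comparison on constructed sample data (host names, check identifiers and timestamps are invented). The 48-hour window is the report's own figure; everything else is an assumption about how the scanner output would be represented.

```python
"""Compare two vulnerability scan runs and flag what the policy requires.

Added example, not code from the Beachwear Clothing report: it models the
data-risk mitigation (automate daily vulnerability testing, escalate
critical vulnerabilities within 48 hours, compare prior scans to verify
that findings were addressed). Host names, check IDs and timestamps are
constructed sample data, not output of any real scanner.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta

ESCALATION_WINDOW = timedelta(hours=48)   # the 48 hours stated in the mitigation


@dataclass(frozen=True)
class Finding:
    host: str
    plugin_id: str        # scanner check identifier (constructed values)
    severity: str         # "critical", "high", "medium" or "low"
    first_seen: datetime  # when this host/check pair was first reported


def _index(findings):
    """Key findings by (host, check) so the two runs can be diffed."""
    return {(f.host, f.plugin_id): f for f in findings}


def carry_first_seen(previous, current):
    """A finding already present in the prior run keeps its original
    first_seen date, so each rescan does not reset the 48-hour clock."""
    prev = _index(previous)
    return [
        replace(f, first_seen=prev[(f.host, f.plugin_id)].first_seen)
        if (f.host, f.plugin_id) in prev else f
        for f in current
    ]


def compare_scans(previous, current, now):
    """Return (new, fixed, overdue_critical) between two scan runs."""
    prev, cur = _index(previous), _index(carry_first_seen(previous, current))
    new = [cur[k] for k in cur.keys() - prev.keys()]      # appeared since last run
    fixed = [prev[k] for k in prev.keys() - cur.keys()]   # no longer reported
    overdue = [                                          # criticals open > 48 h
        f for f in cur.values()
        if f.severity == "critical" and now - f.first_seen > ESCALATION_WINDOW
    ]
    return new, fixed, overdue


# Constructed sample runs: a scan on 28 June and the follow-up two days later.
T0 = datetime(2014, 6, 28, 8, 0)
T1 = T0 + timedelta(days=2)
PREVIOUS_SCAN = [
    Finding("office-pc-01", "CHK-1001", "critical", T0),
    Finding("office-pc-02", "CHK-1002", "medium", T0),
    Finding("store-ma-pos-1", "CHK-1003", "high", T0),
]
CURRENT_SCAN = [
    Finding("office-pc-01", "CHK-1001", "critical", T1),    # still open
    Finding("store-ma-pos-1", "CHK-1003", "high", T1),      # still open
    Finding("store-ri-pos-1", "CHK-1004", "critical", T1),  # newly found
]


def run_example(now=T1 + timedelta(hours=1)):
    """Diff the constructed runs; returns sorted (host, check) keys."""
    new, fixed, overdue = compare_scans(PREVIOUS_SCAN, CURRENT_SCAN, now)
    key = lambda f: (f.host, f.plugin_id)
    return {
        "new": sorted(map(key, new)),
        "fixed": sorted(map(key, fixed)),
        "overdue_critical": sorted(map(key, overdue)),
    }


if __name__ == "__main__":
    for label, items in run_example().items():
        print(f"{label}: {items}")
```

The point of `carry_first_seen` is that the escalation clock must start when a finding first appeared, not when the latest scan ran; without it, a daily rescan would report every critical as "new today" and nothing would ever become overdue. The "fixed" list is what lets the prior-scan comparison verify that a remediation actually removed the finding rather than just closing a ticket.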
HARDWARE
Asset | Vulnerability | Risk Mitigation | Diminish / Transfer / Accept
Office Computers, Retail Store Computers, Network equipment, Printers | Equipment failure | Purchase extended warranty and 24/7 tech support | Transfer
Office Computers, Retail Store Computers, Network equipment, Printers | Aging and outdated devices running slow or not able to handle newer software | Every year put money in the budget to replace the oldest devices | Diminish
Office Computers, Retail Store Computers, Network equipment, Printers | Unauthorized use of equipment | Restricted areas clearly marked for authorized personnel only; employee training about authorization policies | Diminish
Office Computers, Retail Store Computers, Network equipment, Printers | Power loss resulting from storm or natural disaster | UPS and back-up generators | Diminish
Office Computers, Retail Store Computers, Network equipment, Printers | Equipment stolen | Insurance | Transfer
Office Computers, Retail Store Computers, Network equipment, Printers | Device sluggish | Schedule weekly maintenance | Diminish
Office Computers, Retail Store Computers, Network equipment, Printers | Unauthorized printing of documents | Log all print jobs | Diminish
Office Computers, Retail Store Computers, Network equipment, Printers | Device default configuration settings provide an attacker with the ability to access data | Set security configurations based on industry standards | Diminish
Cash Registers, Pillar Checkpoint Security Tower, Super Tags | Cash Registers and Pillar Checkpoint stop working | Purchase a maintenance and extended warranty contract with 24/7 tech support | Transfer
Cash Registers, Pillar Checkpoint Security Tower, Super Tags | Super Tags not working | Purchase extended warranty | Transfer
Cash Registers, Pillar Checkpoint Security Tower, Super Tags | Super Tags stolen | Keep in locked cabinet | Diminish
Cash Registers, Pillar Checkpoint Security Tower, Super Tags | Outdated equipment | Every year put money in the budget to replace the oldest devices | Diminish
Cash Registers, Pillar Checkpoint Security Tower, Super Tags | Equipment vandalized | Insurance | Transfer
Sales Reps iPads and laptops, Sales Reps cellphones, Sales Rep Tokens | iPads, laptops or cell phones dropped and broken | Purchase a maintenance and extended warranty contract with 24/7 tech support | Transfer
Sales Reps iPads and laptops, Sales Reps cellphones, Sales Rep Tokens | iPads, laptops or cell phones hacked | Use encryption, passwords, employee security training, and antivirus programs | Diminish
Sales Reps iPads and laptops, Sales Reps cellphones, Sales Rep Tokens | iPads, laptops, cell phones, or token stolen | Insurance; Remote Wipe Software with GPS tracking | Transfer; Diminish
Sales Reps iPads and laptops, Sales Reps cellphones, Sales Rep Tokens | Token not working | Purchase a maintenance and extended warranty contract with 24/7 tech support | Transfer
Sales Reps iPads and laptops, Sales Reps cellphones, Sales Rep Tokens | Outdated iPad does not work well with newer software | Replace with new | Accept or Diminish
Sales Reps iPads and laptops, Sales Reps cellphones, Sales Rep Tokens | Portable media lost or stolen | Require passwords and encryption on all portable media | Diminish
SOFTWARE
Asset | Vulnerability | Risk Mitigation | Diminish / Transfer / Accept
Application Programs, Email, Microsoft Office 2013 | Software attacks from viruses, worms, DoS, spam, spyware and malware | Purchase antivirus protection with 24/7 tech support | Transfer
Application Programs, Email, Microsoft Office 2013 | Zero-day attacks, hacker attacks, data interception and theft | Firewall, anti-virus software, intrusion prevention systems | Diminish
Application Programs, Email, Microsoft Office 2013 | Software security breach, failure or errors | Schedule weekly maintenance, patches and security updates | Diminish
Application Programs, Email, Microsoft Office 2013 | Software modified intentionally to bypass security | Firewall, anti-virus software, intrusion prevention systems | Diminish
Application Programs, Email, Microsoft Office 2013 | Outdated software is insecure | Replace or upgrade | Diminish
Application Programs, Email, Microsoft Office 2013 | Employee opens an infected attachment | Conduct security education training for new employees and mandatory follow-up training every six months for all employees | Diminish
Application Programs, Email, Microsoft Office 2013 | Employee attacked by social engineering | Conduct security education training for new employees and mandatory follow-up training every six months for all employees | Diminish
Application Programs, Email, Microsoft Office 2013 | Unauthorized user accessing application | Apply group policy and set user access level | Diminish

* Refer to the Department of Housing and Urban Development table for additional threats and potential impacts.
PASSWORDS PASSWORD POLICY SETTINGS (CIAMPA, 2012, P. 386)
ACCOUNT LOCKOUT POLICY SETTINGS (CIAMPA, 2012, P. 387)
SOFTWARE THREATS
Software Threats and Potential Impacts (DEPARTMENT OF HOUSING AND URBAN DEVELOPMENT, n.d.)
The source table rates each threat against four potential impacts: Unauthorized Modification, Unauthorized Disclosure, Denial of Service and Destruction (the check marks showing which impacts apply to each threat are not reproduced here).

Threat | Description
Hacking/Social Engineering | Software may be modified intentionally to bypass system security controls, manipulate data, or cause denial of service. Social engineering is used by a hacker to gather data for use in modifying or manipulating the system.
Malicious Code | Malicious software such as viruses or worms may be introduced to the system, causing damage to the data or software.
User Errors/Omissions | Application and support system components may be inappropriately modified or destroyed due to unintentional administrator or user error.
Browsing/Disclosure | Intentional unauthorized access to confidential information by outsiders or by personnel with system access but not having a need to know.
Eavesdropping/Interception | Intentional unauthorized access to confidential information through technical means (sniffing/interception) or by personnel having some level of system access but not having a need to know (eavesdropping).
Data Integrity Loss | Attacks on the integrity of system data by intentional alteration.
Misuse/Abuse | Individuals may employ system resources for unauthorized purposes.
Program Errors/Software Failure | Software malfunction or failure resulting from insufficient configuration controls (i.e., testing new releases, performing virus scans).
SECURITY POLICY
- Development team representatives for Security Policies
  o Senior level administrator and member of management who can enforce the policy
- Create a written security policy for all employees, presented at the orientation session after an employee is hired. It includes plans to protect the company's physical and information technology (IT) assets.
- Acceptable use policy
  o Defines actions users may perform while accessing systems
    - Employees agree to abide by the Internet code of behavior policy, which includes the following: email/texting only business-related content
- Wireless communication policy
  o Employees agree to have any BYOD approved by the security manager
- Screensavers and Passwords policy
  o Screensavers set for 15 minutes of inactivity, or the employee will start the screensaver if the device is left unattended
- Privacy policy
  o Outlines how the organization uses the personal information it collects
    - The company will not give out any personal information unless agreed to in writing by the employee
  o Outlines how an employee uses company information
    - Employees agree not to divulge any company information or other employee information, and sign a confidentiality contract
- Security-related human resource policy
  o Presented at the employee orientation session after an employee is hired
  o Actions to be taken when an employee is terminated
    - All passwords and accounts are immediately disabled
    - Employee is escorted out of the building by security
    - All devices are immediately confiscated
- Password management and complexity policy
  o Standards of password creation
    - Change passwords every 60 days
    - Password must be at least 12 characters and have uppercase, lowercase and non-alphabetic characters
    - Account lockout after 5 failed attempts
- Disposal and destruction policy
  o Addresses disposal of confidential resources
    - Paper records containing confidential information must be shredded
    - Electronic or machine-readable records containing confidential information require a two-step process:
      1. Deletion of the contents of digital files and emptying of the desktop recycling bin
      2. Commercially available software applications used to remove all data from the storage device
    - A destruction record describing and documenting any data or physical device destroyed, who authorized the destruction, as well as the date, agent, and method of destruction
- Awareness and Training Policies
  o Security, loss prevention, disaster education
  o Training and drills
- Hardware Security Policy
  o Laptops, computers, cellphones, flash drives, and iPads
    - Computer tokens for remote access
    - Passwords and screensavers
    - Remote Wipe Software with GPS tracking
    - Disposal and destruction policy for equipment
- Software Security Policy
  o Group policy settings in place, including application access protocols implemented by security settings; access control limits for each employee using role-based access control
  o Network Security Guidelines
    - All sales reps will use Virtual LANs to access company data
    - All-in-one network security appliances used to provide the following: virus protection, anti-spyware, content filtering, encryption, firewall, intrusion protection and web filtering
- Cleaning Crew Security Policy
  o Background checks/CORI
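The password management and complexity policy above gives concrete parameters (at least 12 characters with uppercase, lowercase and non-alphabetic characters; change every 60 days; lockout after 5 failed attempts), and the People risk table points to the same settings. The code below is an added example, not part of the report, showing how an application that cannot rely on the Windows lockout policy would enforce those same rules: a complexity check, a salted PBKDF2 password hash, a failed-attempt counter that locks the account at the fifth failure, and an age check that forces a change after 60 days. The account name and passwords are constructed, and the 30-minute lockout duration is an assumption, since the policy does not state one.

```python
"""Enforce the password-management rules stated in the security policy.

Added example, not code from the Beachwear Clothing report. The three
numbers below (12 characters, 60 days, 5 attempts) come from the policy;
the lockout duration is assumed because the policy does not give one.
The account and passwords used in run_example() are constructed.
"""
from datetime import datetime, timedelta
import hashlib
import hmac
import os

MIN_LENGTH = 12                           # policy: at least 12 characters
MAX_AGE = timedelta(days=60)              # policy: change every 60 days
LOCKOUT_THRESHOLD = 5                     # policy: lock after 5 failed attempts
LOCKOUT_DURATION = timedelta(minutes=30)  # assumed; not stated in the policy


def complexity_problems(password):
    """Return the list of policy rules the password violates (empty = OK)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase character")
    if not any(c.islower() for c in password):
        problems.append("no lowercase character")
    if not any(not c.isalpha() for c in password):
        problems.append("no non-alphabetic character")
    return problems


class Account:
    """Minimal account record with lockout and password-age tracking."""

    def __init__(self, username):
        self.username = username
        self.salt = os.urandom(16)        # per-account salt for the hash
        self.digest = None
        self.changed_at = None
        self.failed_attempts = 0
        self.locked_until = None

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def set_password(self, password, now):
        """Reject passwords that break the complexity policy; store a hash."""
        problems = complexity_problems(password)
        if problems:
            raise ValueError("password rejected: " + "; ".join(problems))
        self.digest = self._hash(password)
        self.changed_at = now
        self.failed_attempts = 0
        self.locked_until = None

    def login(self, password, now):
        """Return "locked", "bad_password", "password_expired" or "ok"."""
        if self.locked_until is not None and now < self.locked_until:
            return "locked"
        if self.digest is None or not hmac.compare_digest(self._hash(password), self.digest):
            self.failed_attempts += 1
            if self.failed_attempts >= LOCKOUT_THRESHOLD:
                self.locked_until = now + LOCKOUT_DURATION
                return "locked"
            return "bad_password"
        self.failed_attempts = 0          # a good login clears the counter
        self.locked_until = None
        if now - self.changed_at > MAX_AGE:
            return "password_expired"     # correct, but must be changed
        return "ok"


def run_example():
    """Walk one constructed account through the lockout and expiry rules."""
    t0 = datetime(2014, 6, 30, 9, 0)
    acct = Account("srep01")
    acct.set_password("Surf-Board-2014!", t0)                   # constructed password
    events = []
    for _ in range(LOCKOUT_THRESHOLD):                          # five wrong guesses
        events.append(acct.login("wrong-guess", t0))
    events.append(acct.login("Surf-Board-2014!", t0 + timedelta(minutes=1)))  # still locked
    events.append(acct.login("Surf-Board-2014!", t0 + LOCKOUT_DURATION))      # lock expired
    events.append(acct.login("Surf-Board-2014!", t0 + timedelta(days=61)))    # past 60 days
    return events


if __name__ == "__main__":
    print(run_example())
```

Two details matter for the audit trail the policy implies: the lockout fires on the fifth failure, not the sixth, and the correct password during the lockout window is still refused, so an attacker who eventually guesses right within the window gains nothing. The expiry check runs only after a successful login, which is the usual place to force a password change without disclosing whether the old password was right.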
BUSINESS CONTINUITY PLAN
Business continuity planning and testing is required in order for Beachwear Clothing to maintain operations and services in the face of a disruptive event.
- Disaster Recovery Plan
  o Request Disaster Recovery Plan from XXX. Ensure the plan includes data backup, fault tolerance and security encryption
- Emergency Response Plan
- Preparedness Policy
  o Assign roles for emergency response
- Crisis Communication plan and incident management plan
  o Customers: clearly mark exit signs
  o Employees: fire drills and procedures
- Training and Testing
  o Train personnel; clarify roles and responsibilities
  o Reinforce knowledge of procedures, facilities, systems and equipment
  o Improve individual performance as well as organizational coordination and communications
  o Evaluate policies, plans, procedures and the knowledge and skills of team members
  o Reveal weaknesses and resource gaps
- Monitor and document security incidents
- Document external contacts
- Document critical equipment and software
- Identify contingency location
- Security reassessment every 6 months
- Review and revise as needed
RECOMMENDATIONS
Physical facility:
- Set up a cold-site contract
- Install backup generators in all retail stores and the office building
- Install UPS
Computers, Printers, Laptops:
- Budget for replacement of aging computers, laptops, iPads, cellphones and storage devices
- Install a software program on all portable devices (phones, laptops) that can remotely wipe and disable the device
- Budget for encrypted thumb drives
Network and Data:
- Set up VPN to replace Remote Desktop for employees working remotely
- Install an all-in-one security appliance
- Install Intrusion Detection Software
- Contract with a company to do yearly penetration testing
- Protect unused ports on servers by blocking them, or change the default ports used by most programs to make them more difficult to hack
- Invest in multiple virus software products or contract with a company to provide those services
- Schedule weekly maintenance, patches and security updates
Employee Training:
- Mandatory OSHA training
- Conduct security education training for new employees and mandatory follow-up training every six months for all employees
Retail Store:
- Purchase a locked cabinet to store Super Tags
- Install additional security cameras in the back room, on the sales floor and outside of the building
References
Anti-Theft Retail Store Security Equipment, Shoplifting Loss Prevention, Security Tags. (2014). Retrieved from http://www.sensortags.com/
Business Continuity Plan. (2012, December 19). Retrieved from http://www.ready.gov/business/implementation/continuity
Ciampa, M. D. (2012). Security guide to network security fundamentals. Boston, MA: Course Technology, Cengage Learning.
Continuous Vulnerability Assessment & Remediation Guideline. (2013, July). Retrieved from https://security.berkeley.edu/content/continuousvulnerability-assessment-remediationguideline?destination=node/398
DEPARTMENT OF HOUSING AND URBAN DEVELOPMENT. (n.d.). Retrieved from http://hud.gov/offices/adm/hudclips/guidebooks/2400.25G/240025g4RATempGUID.pdf
NetSuite. (2014). Retrieved from http://www.netsuite.com/portal/products/netsuite.shtml
OSHA Directorate of Training and Education. (2014). Retrieved from https://www.osha.gov/dte/index.html
Program Management. (2013, May 2). Retrieved from http://www.ready.gov/programmanagement