Question
Security Assessment Findings
Policies and Procedures
The company currently doesn't have any written policies or procedures related to IT security whatsoever.
Asset Management
There is no master asset inventory list of IT-related assets. There is a poorly constructed spreadsheet that contains a spotty list of desktops, laptops, and server computers, which appeared to be used occasionally by the as-needed IT contractors when they had support issues and needed to work with hardware vendors to order replacements or parts.
Physical Access Control
The company's office space utilizes standard, physical key door locks and has a fairly robust web-based alarm system with high-definition cameras that record to a central system. More than half of the employees have the alarm's access code and everyone has a key to the office.
Logical Access Control
There doesn't appear to be any form of logical access control in place regarding data residing on the company's file server. Furthermore, you found company files not only on the company's local file server, but also on some USB drives and on personal or "consumer grade" cloud storage services like Google Drive and Dropbox. Even though employees are assigned to specific clients and their associated marketing campaigns, every employee has full control access to all client data on the file server - there are no individual or group controls set. Cloud storage is uncontrolled and varied, based on how each employee decided to set up the share - some drives are only accessible by one employee, while others are open to some or all employees. Human resources and payroll services are handled by an external service company (an ADT-like company), so no sensitive employee information is housed locally.
Network Security
The company utilizes a basic, single home-office/small-office all-in-one wireless access point/firewall/DHCP/router network device purchased from a local big-box electronics store. It has not been patched or updated since it was installed seven years ago. Other than the built-in packet-filtering firewall, there appear to be no additional network security measures in place. Additionally, the wireless access point is configured to use WPA in personal mode.
The firewall has TCP ports 20, 21, 22, 23, 80, and 443 opened to the Internet and port-forwarding traffic to the IP address of the Windows 2016 server noted below.
Vulnerability Assessment Scan Results
The vulnerability assessment scan results show numerous vulnerabilities for the Windows 10 end-user systems and the Windows 2016 Server due to unpatched OS security vulnerabilities, in addition to insecure open network ports. The vulnerability scan indicates that a current version of NMAP is running, an out-of-date Apache web server service is running, and an FTP server service is running on the Windows 2016 server.
After interviewing the owner, you find out that the end-user systems and server have not been updated or patched in at least six months, when the last IT contractor (used before the in-house IT staff was hired) was called in to fix a broken laptop. The owner doesn't know what FTP is or why it would be running, since employees use the file server to share files in the office, or email to share files with clients. The IT staff indicate that no Intranet web pages are hosted on site. Email and website hosting is done with Office365 and SquareSpace.
System Security Measures
The company uses free anti-virus software that doesn't support real-time protection, just scheduled scans. There is no disk encryption in use.
Backup and Recovery
The newly hired IT admins set up the file server to be backed up weekly, including the system and data files, to OneDrive on Office365. They tell you they have recovered a couple of files for employees when requested, but other than that they've not tried to recover the server or all the data located in OneDrive. The backup taken last week was 800GB in size, with 130GB of that being the Windows OS backup. The owner says some (about 100GB) of the data files, if lost, would need to be recovered within 24 hours to support his top customers. Losing all the files permanently would likely close down his business.
LIST 8 RECOMMENDATIONS THAT CAN BE USED TO IMPROVE THE BUSINESS'S IT SECURITY POSTURE
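Before writing recommendations against findings like these, a practitioner would normally confirm them on the host itself. The following PowerShell script is an added example, not part of the original post and not the company's own tooling: run from an elevated session on the Windows Server 2016 machine, it checks the five technical findings the post describes (patch age, the six Internet-forwarded TCP ports, the FTP/Apache services the owner did not know about, disk encryption, and real-time anti-malware) and collects them as a findings table. The 180-day threshold, the severity labels and the assumption that the FTP service is IIS's `ftpsvc` are illustrative choices, not facts from the post.

```powershell
# Added example (not from the original post): verify the Windows Server 2016
# findings described in the assessment from an elevated PowerShell session.
# PatchAgeDays, the severity labels and the 'ftpsvc' service name are assumptions.

$PatchAgeDays   = 180
$ForwardedPorts = 20, 21, 22, 23, 80, 443   # ports the post says the firewall forwards to this host
$Findings       = New-Object System.Collections.Generic.List[object]

function Add-Finding($Area, $Detail, $Severity) {
    $Findings.Add([pscustomobject]@{ Area = $Area; Detail = $Detail; Severity = $Severity })
}

# 1. Patch age: date of the newest installed hotfix compared with today
$latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $latest -or ((Get-Date) - $latest.InstalledOn).Days -gt $PatchAgeDays) {
    $when = if ($latest) { $latest.InstalledOn.ToShortDateString() } else { 'unknown' }
    Add-Finding 'Patching' "Last hotfix installed: $when (threshold $PatchAgeDays days)" 'High'
}

# 2. Which of the Internet-forwarded ports actually have a listener, and which process owns it
$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue
foreach ($port in $ForwardedPorts) {
    $l = $listeners | Where-Object LocalPort -eq $port | Select-Object -First 1
    if ($l) {
        $proc = (Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        $sev  = if ($port -in 20, 21, 23) { 'High' } else { 'Medium' }   # FTP/Telnet are cleartext
        Add-Finding 'Exposed port' "TCP $port listening (process: $proc), forwarded from the Internet" $sev
    }
}

# 3. Services the owner did not know about: IIS FTP (ftpsvc, assumed) and anything Apache/Telnet-like
Get-Service -ErrorAction SilentlyContinue |
    Where-Object { $_.Status -eq 'Running' -and ($_.Name -eq 'ftpsvc' -or $_.DisplayName -match 'Apache|FTP|Telnet') } |
    ForEach-Object { Add-Finding 'Unneeded service' "$($_.DisplayName) ($($_.Name)) is running" 'High' }

# 4. Disk encryption: BitLocker protection on the OS volume (cmdlets absent also counts as a finding)
try {
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    if ($os.ProtectionStatus -ne 'On') {
        Add-Finding 'Encryption' "BitLocker protection is $($os.ProtectionStatus) on $env:SystemDrive" 'Medium'
    }
} catch { Add-Finding 'Encryption' 'BitLocker cmdlets unavailable; treat OS volume as unencrypted' 'Medium' }

# 5. Real-time anti-malware protection (Microsoft Defender status)
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    if (-not $mp.RealTimeProtectionEnabled) { Add-Finding 'Endpoint' 'Defender real-time protection is disabled' 'High' }
} catch { Add-Finding 'Endpoint' 'Defender status unavailable (third-party or no anti-malware installed)' 'Medium' }

$Findings | Sort-Object Severity, Area | Format-Table -AutoSize
```

Each check maps to one of the post's findings, so an empty row for a given area after remediation (patching, closing the port-forwards for 20/21/22/23/80, removing the FTP and Apache services, enabling BitLocker, switching to an anti-malware product with real-time protection) is the evidence that the corresponding recommendation was actually implemented.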