Question

The main goal of any penetration test should be to find the current security baseline (i.e., where things are vulnerable and where they are not). After the final assessment report summary is delivered, Blue Team members are left with the job of deciding how to fix any problems that were discovered. This can be tedious; however, fixing these issues ensures a hardened security posture.

The City of CNG1032

Suppose we are a Blue Team consisting of senior information security personnel for a city. Let us call our city the City of CNG1032. The City of CNG1032 recently elected to have a penetration test, and our vulnerabilities mainly lie in old assets and innate design flaws. We were delivered this attack map topology showing where our Active Directory forest is at its weakest.


From the findings of the penetration test, we know that our camera system (Windows7Cameras.cityof1032.local) is running Windows 7, and that the application responsible for the cameras is vulnerable to a novel buffer overflow vulnerability. We also now know that our air conditioning unit is running SCADA-type software on a Windows NT machine (WindowsNT.cityof1032.local). This machine is vulnerable to various operating-system-based vulnerabilities due to its age. Unfortunately, neither server is isolated within our network, and as such they allow easy access to anyone with internal network access behind our gateway router's firewall. To make matters worse, both servers are joined to our Active Directory, and our colleagues at the City of CNG1032 regularly sign into these machines to conduct administrative tasks. Due to the age of the operating systems, the Red Team we employed was able to retrieve domain admin credentials through a tool called Mimikatz. This tool abuses credential storage areas within the Windows operating system. Once the team retrieved the credentials, they were able to take over our whole domain and access other newer, less vulnerable systems such as our financial cashiering servers.


They made their point that these machines need to be fixed, and as such we are now left trying to figure out how to fix them, because the Red Team we hired did not give us any valuable information aside from telling us that we need to get rid of these servers. Their feedback was quite unhelpful.

Upon hearing all of this, we know that we have the following constraints regarding our remedial efforts towards these machines:

Machine: Windows7Cameras.cityof1032.local

Constraints:

  • The company that developed our original camera software has gone bankrupt and will never release an update for this software.
  • As such, if we want to keep using our cameras, we cannot upgrade from Windows 7, due to some weird development issues with the libraries for the software.
  • All our IP cameras were also made by this bankrupt company, and as such, to get new camera software that is not vulnerable, we would need to replace all our cameras as well.

Machine: WindowsNT.cityof1032.local

Constraints:

  • Due to the innate nature of the embedded software of this SCADA device for air conditioning, we can only upgrade our operating system to Windows XP.
  • Replacing the smart air conditioning system would cost several thousand dollars, and as such is not feasible with our current city budget.

There are many actions we can take as Blue Team members to help ensure that these devices do not pose risk to our other assets. For this report, you will need to discuss controls and defensive techniques that will help to prevent catastrophic cyber events within our city government and its facilities. 

Since replacing these machines is not feasible, we are left with implementing compensating controls. Some examples of compensating controls are:

  • Removing these machines from our Active Directory Forest
  • Implementing network isolation measures around these machines to ensure no exposure to our other assets (i.e., DMZs)
  • Updating anything we can, without causing Availability issues with the machines

QUESTIONS:

1.) Discuss 3 compensating controls/techniques we could immediately utilize to help address the issue.

2.) Discuss how each of your chosen controls/techniques helps to remediate the issues.

3.) Discuss any other impacts or left-over risk we may have after we implement/conduct your 3 controls/techniques.
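As an added example (not from the question above or from any posted answer), the following Python models two of the listed compensating controls, network isolation of the legacy hosts and removal from the Active Directory forest, as a first-match, default-deny allow-list, and evaluates the flows from the scenario against it, including the lateral path from the legacy hosts toward the domain controller and the financial servers. The two host names are taken from the question; every address, subnet and port (3389 for RDP to the camera server, 502 assumed as the SCADA control port), and the jump host, HMI workstation, staff PC, domain controller and finance server are constructed assumptions. The `residual_exposure` function lists the allow rules that still touch the legacy VLAN, which is the remaining attack surface that question 3 asks about.

```python
"""Default-deny segmentation policy for the two legacy hosts in the CNG1032 scenario.

Added example, not part of the original question or of any posted answer. The two
host names come from the question; every address, subnet and port, and the jump host,
HMI station and other hosts, are constructed assumptions used to illustrate the policy.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed addressing plan (assumption): the legacy hosts live in their own VLAN,
# and they are no longer domain-joined, so nothing they send to the DC is legitimate.
LEGACY_VLAN = ip_network("10.50.0.0/24")
ANY = ip_network("0.0.0.0/0")

HOSTS = {
    "Windows7Cameras.cityof1032.local": ip_address("10.50.0.10"),
    "WindowsNT.cityof1032.local": ip_address("10.50.0.20"),
    "jumphost": ip_address("10.10.1.5"),     # hardened admin box with local accounts only
    "hvac-hmi": ip_address("10.10.2.7"),     # operator workstation for the SCADA unit
    "staff-pc": ip_address("10.10.3.3"),     # a colleague's workstation that used to RDP straight in
    "dc01": ip_address("10.10.0.2"),         # domain controller
    "finance-db": ip_address("10.10.9.40"),  # the cashiering server the Red Team reached
}


@dataclass(frozen=True)
class Flow:
    src: IPv4Address
    dst: IPv4Address
    dport: int


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "deny"
    why: str

    def matches(self, f: Flow) -> bool:
        return (f.src in self.src and f.dst in self.dst
                and (self.dport is None or self.dport == f.dport))


def host_net(name: str) -> IPv4Network:
    """/32 network for a named host, so hosts and subnets share one rule type."""
    return ip_network(f"{HOSTS[name]}/32")


# First match wins; anything that reaches the end of the list is denied.
POLICY: List[Rule] = [
    Rule(host_net("jumphost"), host_net("Windows7Cameras.cityof1032.local"), 3389, "allow",
         "camera server is administered only over RDP from the jump host"),
    Rule(host_net("hvac-hmi"), host_net("WindowsNT.cityof1032.local"), 502, "allow",
         "HMI reaches the SCADA host on its control port only (502 is an assumption)"),
    Rule(LEGACY_VLAN, ANY, None, "deny",
         "legacy hosts initiate nothing: no Kerberos/LDAP/SMB to the domain, no lateral movement"),
    Rule(ANY, LEGACY_VLAN, None, "deny",
         "no other internal host may reach the legacy VLAN"),
]


def evaluate(flow: Flow, policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """Return (action, reason) for a flow under first-match semantics with default deny."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action, rule.why
    return "deny", "default deny"


def residual_exposure(policy: List[Rule] = POLICY) -> List[Rule]:
    """Allow rules that touch the legacy VLAN: the attack surface that remains after
    isolation, which still has to be monitored and hardened (jump host, HMI station)."""
    return [r for r in policy
            if r.action == "allow"
            and (r.src.subnet_of(LEGACY_VLAN) or r.dst.subnet_of(LEGACY_VLAN))]


if __name__ == "__main__":
    cams, nt = HOSTS["Windows7Cameras.cityof1032.local"], HOSTS["WindowsNT.cityof1032.local"]
    # Paths from the scenario: sanctioned admin access, the SCADA control channel,
    # a direct login from a staff PC, and the legacy-host-to-domain traffic that
    # harvested domain credentials were used to exploit.
    for f in (Flow(HOSTS["jumphost"], cams, 3389), Flow(HOSTS["hvac-hmi"], nt, 502),
              Flow(HOSTS["staff-pc"], cams, 3389), Flow(cams, HOSTS["dc01"], 88),
              Flow(nt, HOSTS["finance-db"], 445)):
        action, why = evaluate(f)
        print(f"{f.src} -> {f.dst}:{f.dport:<5} {action:5} ({why})")
    print("remaining allowed paths into/out of the legacy VLAN:")
    for r in residual_exposure():
        print(f"  {r.src} -> {r.dst} port {r.dport}: {r.why}")
```

The ordering matters: the two narrow allow rules sit above the broad denies, so the only ways into or out of the legacy VLAN are the ones deliberately listed. Running the script shows the staff PC's direct RDP and the legacy hosts' traffic to the domain controller and finance server all hitting a deny, while `residual_exposure` returns exactly the two allowed paths, which is where logging, local (non-domain) accounts and host hardening on the jump host and HMI still matter.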
