IT Risk Assessment: Case Study – Public Sector
A risk assessment identifies your most critical business processes and the potential impact of a disruption to those processes.
This includes the potential damage an event could cause, the amount of time needed to recover or restore operations, and the preventive measures or controls that can reduce the likelihood of the event occurring in the first place.
An IT Risk Assessment also determines what steps, if properly implemented, could reduce the severity of an event.
In this example, we’ve identified the six crucial risk factors for a Public Sector company with 50 workstations and three servers.
1. Firewall Assessment
Assessment:
- Audit of firewall rules to determine what traffic is allowed in and out.
- Assess whether the firewall inspects encrypted traffic or whether holes are being “poked” through the wall.
- Check the warranty and subscription status of the firewall.
- Confirm that the firewall scans traffic for virus-infected files and detects and responds to intrusion attempts from outside and inside.
- Check intelligent application-level filtering capability to block file transfers but allow other productivity functions such as conversing on Skype.
- Check that relevant blocking is in place to restrict access to malicious websites (e.g. hacking).
- Check whether a firewall change log exists to track changes to firewall rules.
- Confirm whether file sharing systems such as Dropbox, OneDrive etc. are blocked to avoid file leakage.
- Check that third-party email systems are blocked to avoid sensitive emails being sent via Gmail, Hotmail, Yahoo and other tools.
- Test restrictions on remote management tools that can transfer files, such as TeamViewer.
Findings:
- All filtering is disabled on the firewall except for website category filtering (e.g. Facebook is blocked). This includes Anti-Virus filtering, Anti-Spyware and Intrusion Prevention.
Risks:
- Malicious software and viruses can easily pass through the firewall and reach workstations.
- Remote access is easily granted by sending an email link/file or by maliciously granting access.
- Confidential and sensitive customer records and information can be leaked through Dropbox and other file sharing services.
Recommendations:
- Enable all protection capabilities to prevent unauthorised internet users from accessing business networks connected to the internet.
- Test scanning on all allowed services to ensure that infections cannot spread through allowed internet access.
- Regular maintenance checks. Changes to firewall rules audited regularly.
- Block third-party email access. Migrate to a remote-control tool with Multi-Factor Authentication (60 second One Time Passwords), which makes it nearly impossible to gain unauthorised access to the network.
Frequency:
- Once off, with a monthly firewall feature check.
2. Remote access
Assessment:
- Audit of remote access for users – check the VPN/Remote Access design to ensure remote users are restricted.
Findings:
- Remote access using VPN is used by two users but granted to over 60 accounts.
- Remote access software is installed by users on their own computers for accessing their machines.
- TeamViewer is used for remote access as well as Remote VPN.
Risks:
- Unauthorised users should not be granted access.
- Unauthorised software for remote control should not be allowed and should be blocked on the firewall.
- Remote access grants attackers easy access to the network to steal confidential records.
Recommendations:
- Restrict Virtual Private Network (VPN) access and connect to the SonicWall instead of the Small Business Server.
- Block all remote-control applications and apply One Time Password (OTP) security.
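An added audit script for the two remote-access findings above (it is not part of the assessment, nor SonicWall or TeamViewer code): it lists every Active Directory account that has the dial-in/VPN permission set, with its last logon date, so the "granted to over 60 accounts, used by two" gap is visible, and inventories which domain workstations have TeamViewer installed. It assumes the ActiveDirectory RSAT module, WinRM enabled on the workstations, and an account that can read AD and the workstations' registry.

```powershell
# Added example: who is granted VPN access versus who actually uses it, and which
# workstations have TeamViewer installed. Assumes the ActiveDirectory module and
# WinRM access to the workstations (not part of the assessment).
Import-Module ActiveDirectory

# 1. Accounts with "Allow access" on the Dial-in tab (msNPAllowDialin=TRUE).
#    Compare the count with the number of people who genuinely work remotely.
$vpnUsers = Get-ADUser -LDAPFilter '(msNPAllowDialin=TRUE)' -Properties LastLogonDate
"VPN/dial-in permission granted to $(@($vpnUsers).Count) account(s)"
$vpnUsers |
    Sort-Object LastLogonDate |
    Select-Object SamAccountName, Enabled, LastLogonDate,
        @{ Name = 'StaleOver90Days'
           Expression = { -not $_.LastLogonDate -or $_.LastLogonDate -lt (Get-Date).AddDays(-90) } } |
    Format-Table -AutoSize

# 2. Workstations with TeamViewer in Add/Remove Programs (32- and 64-bit registry views).
$workstations = Get-ADComputer -Filter { Enabled -eq $true -and OperatingSystem -notlike '*Server*' } `
                               -Properties OperatingSystem
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$found = Invoke-Command -ComputerName $workstations.Name -ErrorAction SilentlyContinue -ScriptBlock {
    param($keys)
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'TeamViewer*' } |
        ForEach-Object {
            [pscustomobject]@{ Computer = $env:COMPUTERNAME
                               Product  = $_.DisplayName
                               Version  = $_.DisplayVersion }
        }
} -ArgumentList (,$uninstallKeys)
"TeamViewer found on $(@($found).Count) workstation(s)"
$found | Select-Object Computer, Product, Version | Format-Table -AutoSize
```

Machines that are offline or have WinRM disabled are silently skipped, so compare the reported count with the number of workstations queried before signing off the finding.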
3. Servers, passwords & end-of-life software
Assessment:
- Confirm that no End of Support/End of Life software exists (Windows XP and below, Windows Server 2003 and below, SQL 2005 and below). These are all extremely hackable.
Findings:
- Passwords do not expire and accounts do not get locked out if passwords are guessed.
- Servers have hundreds of missing Microsoft critical and security updates.
- A Windows 2003 server exists, which is End-Of-Life and has major security risks.
Risks:
- Infected computers can guess passwords until they get into an account.
- Missing updates allow infected computers to access all server data using the critical security issues.
- Security gaps grant attackers easy access to the servers and sensitive customer records.
Recommendations:
- Configure account lockout after five guesses.
- Install all security updates.
- Remove the Windows 2003 server with the old respond system.
- Configure all account passwords to expire.
- Remove all administrators except two.
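An added check script for the findings and recommendations above (not part of the assessment): it reads the domain password policy and reports whether lockout and expiry match the recommendations, lists accounts that override expiry, counts Domain Admins against the "two administrators" target, and finds any remaining end-of-life Windows versions. It assumes the ActiveDirectory RSAT module and a domain-joined account that can read AD.

```powershell
# Added example: check the section 3 findings against Active Directory.
# Assumes the ActiveDirectory RSAT module (not part of the assessment).
Import-Module ActiveDirectory

# Findings: passwords never expire and accounts never lock out.
# A MaxPasswordAge of "never" is reported as a huge TimeSpan (about 10,675,199 days),
# so anything above ten years is treated as "never".
$policy = Get-ADDefaultDomainPasswordPolicy
$checks = @(
    [pscustomobject]@{ Check = 'Lockout threshold (recommendation: 5 guesses)'
                       Value = $policy.LockoutThreshold
                       Pass  = ($policy.LockoutThreshold -ge 1 -and $policy.LockoutThreshold -le 5) }
    [pscustomobject]@{ Check = 'Maximum password age (recommendation: passwords expire)'
                       Value = $policy.MaxPasswordAge
                       Pass  = ($policy.MaxPasswordAge.TotalDays -gt 0 -and
                                $policy.MaxPasswordAge.TotalDays -lt 3650) }
)
$checks | Format-Table -AutoSize

# Enabled accounts that override the policy with "password never expires".
$neverExpires = Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $true }
"Accounts with PasswordNeverExpires: $(@($neverExpires).Count)"
$neverExpires | Select-Object SamAccountName | Format-Table -AutoSize

# Recommendation: no more than two administrators (nested group members included).
$admins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive
"Domain Admins members: $(@($admins).Count) (recommendation: 2)"
$admins | Select-Object SamAccountName, objectClass | Format-Table -AutoSize

# Finding: a Windows Server 2003 machine is still joined to the domain. The pattern
# also catches the other end-of-life versions the assessment names.
Get-ADComputer -Filter { Enabled -eq $true } -Properties OperatingSystem, LastLogonDate |
    Where-Object { $_.OperatingSystem -match 'Server 2003|Server 2000|Windows XP|Windows 2000' } |
    Select-Object Name, OperatingSystem, LastLogonDate |
    Format-Table -AutoSize
```

Fine-grained password policies and local Administrators groups on member servers are not covered here and need a separate check.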
4. Wireless network
Assessment:
- Check whether wireless users are separated from the production network with adequate restrictions in place. (This threat could allow a perpetrator sitting outside the office to access the network.)
Findings:
- The Wi-Fi password is a standard password.
- The password is never changed after staff leave.
- All devices, including mobiles, connect directly over wireless to the network and can access the servers.
Risks:
- Infected computers/phones or malicious staff can easily share the passphrase and access the wireless network, gaining direct server access.
- Sensitive customer records can be leaked through easy access from outside the physical office.
Recommendations:
- Connect the Wi-Fi router to the firewall and restrict it to internet only (no server access).
- Change the password monthly and especially after staff leave.
Frequency:
- Monthly, and ad hoc when staff leave.
5. Security updates & Anti-Ransomware
Assessment:
- Check Anti-Virus/Anti-Spyware and whether it is standardised across all endpoints (including whether it is on and updated).
- Assess application behavioural analysis and root cause analysis capabilities for determining where a threat is originating from and blocking it.
Findings:
- Anti-Virus does not provide Anti-Ransomware protection.
- No regression of encryption attempts.
- Security updates are not being managed.
Risks:
- Ransomware can be sent to a user using PDF, Word, Excel, PowerPoint, ZIP or a web link.
- Users open legitimate but infected files, and the computer and all server files are encrypted.
- Holes left by missing security updates are abused, which then infects files.
Recommendations:
- Deploy Anti-Ransomware protection.
- Use Security Updates Management to plug the holes which ransomware uses.
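An added endpoint report for the assessment items above (not part of the assessment or any vendor product): it asks every enabled domain computer for its anti-virus/anti-spyware state, signature age and the number of updates Windows Update reports as not installed, then flags the machines that fail. It assumes Windows Defender on the endpoints (for Get-MpComputerStatus), WinRM enabled, the ActiveDirectory RSAT module, and an account that is an administrator on the endpoints.

```powershell
# Added example: anti-virus status and missing updates per domain computer.
# Assumes Windows Defender on the endpoints, WinRM access, and the ActiveDirectory
# module (not part of the assessment).
Import-Module ActiveDirectory
$names = (Get-ADComputer -Filter { Enabled -eq $true }).Name

$report = Invoke-Command -ComputerName $names -ErrorAction SilentlyContinue -ScriptBlock {
    # Anti-virus / anti-spyware state on this endpoint.
    $mp = Get-MpComputerStatus
    # Updates Windows Update knows about but has not installed on this machine.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $pending  = $searcher.Search("IsInstalled=0 and Type='Software'").Updates
    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        AntivirusOn      = $mp.AntivirusEnabled
        AntispywareOn    = $mp.AntispywareEnabled
        RealTimeOn       = $mp.RealTimeProtectionEnabled
        SignatureAgeDays = $mp.AntivirusSignatureAge
        MissingUpdates   = $pending.Count
    }
}

# Flag anything that fails the checks in this section: protection off, signatures
# older than three days, or any update still missing.
$report |
    Select-Object Computer, AntivirusOn, AntispywareOn, RealTimeOn, SignatureAgeDays, MissingUpdates,
        @{ Name = 'Fail'
           Expression = { -not $_.AntivirusOn -or -not $_.AntispywareOn -or -not $_.RealTimeOn -or
                          $_.SignatureAgeDays -gt 3 -or $_.MissingUpdates -gt 0 } } |
    Sort-Object Fail -Descending |
    Format-Table -AutoSize

# Computers that did not answer (offline, WinRM off, or no Defender cmdlets, e.g. an
# old server) still need a manual check and must not be counted as compliant.
$answered = @($report | Select-Object -ExpandProperty PSComputerName)
$names | Where-Object { $_ -notin $answered } | ForEach-Object { "No result from $_" }
```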
6. Backups & physical access
Assessment:
- Determine where sensitive data is stored on the server and on workstations, and whether backups are encrypted, with a restore password required before data can be restored. Check that backup data is secured from malicious access and sent offsite to tamper-proof storage.
Findings:
- Full backups are stored onsite on drives.
- Access to the room can be achieved by taking the key and removing the drives, which are unencrypted.
- Cloud backups use the default Admin/Admin password.
Risks:
- Data can easily be removed from the office if access is granted to the room.
- Using the Cloud backup password, data can be restored without physical access.
- Sensitive information can be extracted from the backups without a password.
Recommendations:
- Ensure physical access is limited and Telkom and other providers are not left unsupervised. (Social engineering will allow someone to impersonate a Telkom or Internet Provider employee and then remove backups.)
- Change the Cloud backup password.