IT Security Assessment
Medical Records at Risk
The CEO of the parent corporation of a large pharmaceutical company contacted us with security concerns regarding his company`s IT systems. Our initial meeting was attended by the CEO and COO of the corporation. The parent corporation had two very large divisions that were operating independently. When questioned about their expectations from this engagement, the CEO stated that: having read recent headlines about the now-infamous T.J. Maxx incident, he started to have grave concerns about the security of his company’s IT infrastructure. He simply had doubts about the assurances that were given to him by his CIO, who had stated that they had no security problems and that what happened at T.J. Maxx could not happen at their organization.
The CEO was particularly concerned about one of the subdivisions. He stated that the patient database of division is extremely critical to their business and, if the competition had ever gotten their hands on this database, the financial impact would be measured in nine digits; if were to be stolen by criminals, it would simply devastate the corporation. He said “not knowing who has access to this database and if it is being properly protected against internal and external threats is what keeps me awake at night.” Our instruction was to first perform a similar attack as that used by the perpetrators of the T.J. Maxx incident and to also perform a Black Box Penetration Testing on this division. We were also asked to evaluate the skill level of the IT personnel we interacted with.
We had to gain the trust and cooperation of the CIO, CISO, and their staff. Without the cooperation of the IT staff, such assessments can be very challenging. This was a very large organization with a sizeable IT staff and several data centers that housed close to 1,500 servers.
Our methodology to this assessment was a combination of business-best practices, along with the experience the assessment team possessed conducting numerous IT Security related investigations and the lessons we learned from those events. In addition, having managed and secured large scale IT infrastructures themselves, members of our assessment team understood the difficulties and challenges faced by the IT staff and could tell the difference between what is on paper and what reality is. As a result, our recommendations reflect this philosophy of practical solutions. Because our objective was to get a true assessment of the security pasture of a large corporation, as opposed to satisfying certain regulatory requirements, we went beyond what was put on paper, but looked into real life practices with a good dose of common sense. In order to achieve our objectives, the following processes were performed:
- Understand the Business Process of the Corporation;
- Identify and interview the Business Process owners to understand the technologies that drive those processes;
- Identify “Crown Jewels” of the Corporation and perform a risk assessment in terms of internal and external threats against Confidentiality, Integrity and Availability of those resources;
- Conduct a business continuity/ disaster recovery assessment;
- Assess the level of competence of the IT staff we interacted with;
- Examine the network topology, look for weaknesses;
- Assess the awareness of end users on security issues;
- Examine a random selection of servers and workstations for configuration issues;
- Perform an extensive vulnerability assessment using state of the art tools;
- Perform a limited Black Box penetration testing targeting the company's employees.
Our email-based phishing attack and WiFi-based attack allowed the members of our team to gain full control of the network via two separate means. We gained access to a large number of servers including the SQL Server where the “Patient Database” is located. As per our initial agreement, we did not actually touch the database -- the contents of which we could have easily taken. We found numerous single points of failure on both the technology and human resources sides. For example, even though the intake software was initially purchased from a vendor with support, a certain member of the IT staff was allowed to make significant changes to the system, which resulted in the vendor dropping their support. Unfortunately, none of the changes were documented. If that individual who had made the changes were to become unavailable for some reason, there was no one who could have maintained and performed troubleshooting of the system. Critical servers were not designed with fault tolerance (clustering, mirroring, etc.). If there was a failure of that particular hardware, critical business processes would have stopped functioning. According to IT staff, it would have taken them a minimum of six hours to recover from such a hardware failure. The vulnerability assessment that was conducted on approximately 30 representative servers out of close-to 1,500 servers utilized by the company. We found that not one server was patched with the latest security updates. All server operating systems were installed with default options and none were hardened. Some servers were still running Windows NT 4 and Windows Server 2000 SP2. They contained an extensive list of critical vulnerabilities and configuration errors. The IT staff lacked the knowledge to properly configure a server for its intended role. There was no automated process in place to remotely deploy updates. Network administrators stated that they deploy updates manually. Considering the number of servers in three data centers, this was an impossible task. There were over 500 user groups in the Active Directory and it was not clear to the network administrators who had access to what information. There was no enforcement of any of the security policies that were put in place. During our end user interviews, we discovered that one of the individuals interviewed had already figured out that the password policy was not being enforced, as she picked her husband’s name as a password without any ill effects. We interviewed three end users, randomly selected to assess the effectiveness of the IT Security Awareness training they had received. In less than three minutes the interviewer managed to make two out of the three users reveal their user accounts and passwords. There was no real disaster recovery or business continuity plan and procedure at the company. The company had no defenses in place for stopping, detecting, and responding to IT security incidences. The organization was fully visible to anomalous activity on their network. In conclusion, we found that the client's network and their data had no defenses against external or internal threats.Back to Case Studies