Portland Design & SEO – Case Study


Introduction

Security, and system security in particular, is a vital concern for companies in the information technology industry; a lack of security measures can end in a breach. Portland Design & SEO is a medium-sized IT company that provides web hosting, design and related services to its customers. The company recently suffered a major security attack that caused severe damage not only to its systems but also to its customer relationships and reputation, with both short-term and long-term effects. The breach deleted almost 92% of the websites hosted on the company's web servers. In addition, the company suffered a malware infection and the theft of customer identities and information. The long-term consequences were lost revenue and lost customers. The company had been facing a number of security issues before the breach, but through negligence it had failed to mitigate those risks.

Security Issues Prior to the Breach

The company was facing a number of security issues and risks before the recent breach. An in-depth analysis of the security systems and their management highlighted several causes. The first was non-compliance with the Critical Security Controls (CSCs), the prioritised set of actions published by the Center for Internet Security to defend organisations against cyber attacks (Center for Internet Security, 2019). The company had no regular backup and recovery plan, ran no regular vulnerability scans of its servers, and had no anti-malware protection installed on them. It also had no security management plan for responding to a breach. Beyond this, the company had problems in its network configuration: a recent change to the hostname scheme was not carried through to the configuration of every part of the network, and as a result the systems stopped being backed up. Another key issue was the absence of continuous monitoring and analysis of the audit logs: backups had not run for seven months, but because nobody was analysing the logs, the team was unaware of it. Further contributing factors were the lack of management support and the lack of communication between the security team and management.
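As an added example (not part of the case study and not Portland Design & SEO's own tooling), the following Python script shows the kind of routine log analysis that would have caught the silent backup failure described above within days rather than after seven months. It assumes a hypothetical log format of one line per backup run (timestamp, hostname, job name, status), an inventory list of the hosts that must be backed up, and a 48-hour staleness threshold; the log lines and host names are constructed for the example. The point of cross-checking the log against the inventory is that a host dropped by a hostname change never produces a failure line of its own, so an alert that only looks for FAILED entries would never fire for it.

```python
"""Stale-backup detector: an added example, not the case study's own tooling.

Assumed (hypothetical) log format, one line per backup run:
    <ISO-8601 UTC timestamp> <hostname> <job name> <status> [detail...]
The host list comes from the asset inventory (CSC 1), so that a host the
backup job no longer reaches is reported even though it never appears in
the log with a failure of its own.
"""
from datetime import datetime, timedelta

# Constructed sample log. In the scenario it models, web02 was renamed from
# web02.pdx.local to web02.portlandseo.internal, but the backup job was never
# updated, so it keeps trying (and failing) to reach the old name, while the
# new name never gets a backup at all. db01 has simply not been backed up
# since 20 February.
SAMPLE_LOG = """\
2019-02-20T02:00:30Z db01.portlandseo.internal nightly SUCCESS
2019-03-01T02:00:11Z web01.portlandseo.internal nightly SUCCESS
2019-03-01T02:00:15Z web02.pdx.local nightly SUCCESS
2019-03-02T02:00:09Z web01.portlandseo.internal nightly SUCCESS
2019-03-02T02:00:13Z web02.pdx.local nightly FAILED host unreachable
2019-03-03T02:00:10Z web01.portlandseo.internal nightly SUCCESS
2019-03-03T02:00:14Z web02.pdx.local nightly FAILED host unreachable
2019-03-04T02:00:12Z web01.portlandseo.internal nightly SUCCESS
"""

# Constructed inventory of hosts that must be backed up (new hostname scheme).
INVENTORY = [
    "web01.portlandseo.internal",
    "web02.portlandseo.internal",
    "db01.portlandseo.internal",
]

MAX_AGE = timedelta(hours=48)


def parse_log(text):
    """Return (timestamp, host, job, status) tuples; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split(maxsplit=4)
        if len(parts) < 4:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        entries.append((ts, parts[1], parts[2], parts[3]))
    return entries


def last_success(entries):
    """Map each host to the timestamp of its most recent SUCCESS run."""
    latest = {}
    for ts, host, _job, status in entries:
        if status == "SUCCESS" and (host not in latest or ts > latest[host]):
            latest[host] = ts
    return latest


def find_stale_hosts(entries, inventory, now, max_age=MAX_AGE):
    """Return {host: reason} for every finding.

    Three conditions are reported: an inventoried host with no successful
    backup at all, an inventoried host whose last success is older than
    max_age, and a host that appears in the log but not in the inventory
    (a stale name left behind by a rename: the job is still 'running', which
    is why a failure-only alert would never fire for the new host).
    """
    latest = last_success(entries)
    findings = {}
    for host in inventory:
        if host not in latest:
            findings[host] = "no successful backup on record"
        elif now - latest[host] > max_age:
            findings[host] = (f"last success {latest[host]:%Y-%m-%d}, "
                              f"older than {max_age.days} days")
    logged = {host for _ts, host, _job, _status in entries}
    for host in sorted(logged - set(inventory)):
        findings[host] = "backup job targets a host that is not in the inventory (stale name?)"
    return findings


def check_at(now_iso, log_text=SAMPLE_LOG, inventory=INVENTORY):
    """Run the check as of a given ISO-8601 UTC time; returns the findings dict."""
    now = datetime.strptime(now_iso, "%Y-%m-%dT%H:%M:%SZ")
    return find_stale_hosts(parse_log(log_text), inventory, now)


if __name__ == "__main__":
    for host, reason in check_at("2019-03-04T12:00:00Z").items():
        print(f"ALERT {host}: {reason}")
```

Run it as a scheduled job that reads the real backup log and the real inventory; it is the analysis step of the audit-log control, not a backup tool. For the constructed log it reports three hosts: web02 under its new name (never backed up), db01 (last success too old) and the stale web02.pdx.local name that the job still targets, while web01 is silent because it is healthy.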

IoT, Cloud, and Blockchain, and Their Complications

Emerging technologies provide many advantages to the IT industry, but they also introduce complications and threats to the systems that adopt them.

IoT (Internet of Things)

The first of these emerging technologies is the IoT, or Internet of Things. The ability to connect almost every kind of electronic device to the internet has changed the way we live and given us numerous advantages, but it has also raised the risk of data theft: information shared through these devices, or stored on any one of them, has a greater chance of being stolen (Burton, 2016).

Cloud

Another emerging technology is cloud computing, or simply the cloud. The cloud lets an organisation minimise its physical hardware and access its data from almost anywhere at any time. Although the cloud is often adopted to protect valuable data from being lost, it also means handing that data to a third party to secure (Borter, 2012).

Blockchain

The third major innovation is the blockchain, a distributed ledger best known as the technology behind digital currencies. Like the IoT and the cloud, the blockchain has complications of its own, especially where protecting valuable assets is concerned. Access to blockchain assets depends on a private key that is generated and held only by the user, so if the key is lost the assets cannot be recovered, and if it is stolen the thief has the same access as the owner. A further concern is the so-called 51% attack: a party that gains control of a majority of the network's mining power can rewrite the ledger (McKendrick, 2018).

In short, emerging technologies are advantageous, but they may also complicate the primary goal of protecting valuable assets.

Top 20 Critical Security Controls

The twenty CIS Critical Security Controls that can be used to strengthen the defences of Portland Design & SEO, with the status of each control in the company and its priority for implementation, are as follows (control names follow CIS Controls version 7).

No. | Critical Security Control | Status at Portland Design & SEO | Priority
1 | Inventory and Control of Hardware Assets | Not in use | Low
2 | Inventory and Control of Software Assets | Not in use | Low
3 | Continuous Vulnerability Management | Not in use | High
4 | Controlled Use of Administrative Privileges | Partially in use | High
5 | Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers | In use | Medium
6 | Maintenance, Monitoring and Analysis of Audit Logs | Not in use | High
7 | Email and Web Browser Protections | Not in use | Medium
8 | Malware Defenses | Not in use | High
9 | Limitation and Control of Network Ports, Protocols, and Services | Not in use | Medium
10 | Data Recovery Capabilities | Not in use | Very high
11 | Secure Configuration for Network Devices, such as Firewalls, Routers and Switches | Partially in use | Very high
12 | Boundary Defense | Partially in use | High
13 | Data Protection | Not in use | High
14 | Controlled Access Based on the Need to Know | In use | Very high
15 | Wireless Access Control | In use | Very high
16 | Account Monitoring and Control | In use | High
17 | Implement a Security Awareness and Training Program | Not in use | Medium
18 | Application Software Security | Not in use | Medium
19 | Incident Response and Management | Not in use | Medium
20 | Penetration Tests and Red Team Exercises | Not in use | Low

(Center for Internet Security, 2019)

Impact of the Breach

The impact of the security breach on Portland Design & SEO was severe, ranging from short-term to long-term effects.

The short-term impact was the complete shutdown of the company's systems: to prevent further damage, the security manager had to shut down the web servers immediately, which took every website hosted on them offline. The medium-term impacts were the loss of client data and the theft of client credentials. Because the attacker deleted a large volume of the data stored on the servers, the company lost most of its clients' website content, and the absence of backups made the loss far worse. The company had to gather fragments of the sites from files on team members' desks in order to restore client websites to their previous state, and even so it failed to recover all of the lost websites. A further impact was the theft of SQL data: although the company did not store sensitive payment information on its own servers, the clients' authentication credentials and administration logs were stolen in full. The attacker also left malware in the system, which required a complete security check of the whole environment. Dealing with these issues cost the company a great deal of time and money. In the long term, the breach cost the company a large number of angry customers and threatens its ability to win new ones, and the breach notification it had to issue led to further cancelled business. Overall, the breach severely damaged both the company's finances and its reputation.

The summary of the impacts of the breach on Portland Design & SEO is as follows:

  • The company's entire system was shut down.
  • All hosted websites went offline.
  • Clients' data and information were lost.
  • A large number of websites were completely deleted.
  • SQL servers were compromised.
  • Administration and authentication logs were stolen.
  • Malware was injected into the system.
  • Customers were disappointed.
  • A large number of customers left the service.

Security Issues and Risk Decision

Risk decisions for the security issues identified above, together with the Critical Security Control that applies to each, are as follows. In every case the decision is to mitigate: the activity that carries the risk (hosting client websites) cannot be avoided, and none of these risks can be transferred to a third party, so the company must reduce them by implementing the corresponding control.

Security issue | Action | Risk decision | Applicable CSC
Non-compliance with the CSCs | Implement the CSCs in priority order | Mitigate | All 20 CSCs
No vulnerability scanning and no plan for remediating findings | Scan the systems regularly and remediate what is found | Mitigate | CSC 3: Continuous Vulnerability Management
No anti-malware protection, such as antivirus, installed on the servers | Install and maintain anti-malware software | Mitigate | CSC 8: Malware Defenses
Backups were configured, but none had run in the last seven months | Restore regular backups and test that they can be recovered | Mitigate | CSC 10: Data Recovery Capabilities
No management plan for responding to a security breach | Design and exercise an incident response plan | Mitigate | CSC 19: Incident Response and Management
Insecure network with incomplete configuration after the hostname change | Secure the network and re-verify every configuration against the new hostname scheme | Mitigate | CSC 11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
No proper activity logging and no monitoring or analysis of audit logs | Enable log recording and analyse the logs regularly | Mitigate | CSC 6: Maintenance, Monitoring and Analysis of Audit Logs

BYOD Policy, Drawbacks and Recommendation for Portland Design & SEO

BYOD, or bring your own device, is a modern policy widely used in IT organisations. It allows employees to bring their personal devices, such as laptops and tablets, to the workplace and use them for professional work. It gives employees more freedom, encourages creativity, and is growing quickly into a major part of corporate culture. Although BYOD has many advantages, it also has some major drawbacks. These generally concern the security of the organisation's network and information, since personal devices are allowed to connect to the organisational network (Unuth, 2019). To cope with these weaknesses, some companies have implemented BYOD policies intended to protect the organisational network and especially enterprise data (Zumerle, 2013). Such policies control which devices may be used in the BYOD environment, for example by registering each device's MAC address as a device-specific identifier. (A MAC address is easy to spoof and says nothing about the device's security state, so it serves as a registration identifier rather than as an access control on its own.) Data on the devices is encrypted to reduce the risk of theft, and only selected applications may be installed, some of which are restricted from working outside the organisation's premises. These policies have drawbacks of their own. The first is that an employee may use only one specific, approved device in the organisational environment; using another requires permission, and only the recommended device models can take advantage of BYOD at all. BYOD also increases the cost of risk and security management (Paganini, 2013), and the company has to pay to train its employees on the pros and cons of BYOD.

The current situation of Portland Design & SEO is not favourable for the adoption of BYOD. The key reason for not recommending it is the weakness of the organisation's system and network security: the organisation currently needs to put its resources into strengthening its existing network security rather than into extending the network to personal devices.

Penetration Test May Complicate the Risk Management Process

Penetration testing is the process of identifying and evaluating the security posture of a system, network or application. It is carried out to find loopholes, weaknesses, vulnerabilities and configuration mistakes, and to establish how exposed the system or network is to being compromised (Versos, 2014). It is done by simulating a planned cyber attack on the system or network, authorised by the organisation itself. Penetration testing has many benefits, such as revealing vulnerabilities through a thorough examination of the system or network and giving the organisation insight into where risk mitigation is needed, but it can also complicate the risk management process. The purpose of a penetration test is to find loopholes, and once they are found the risk management plan has to be reconsidered in full so that it reflects the test results. If the results turn out to be inaccurate, a risk management process built on them may come to nothing. Sometimes the results are so extensive that mitigating the identified risks requires a detailed risk management plan to be developed again from the beginning. Finally, a thorough penetration test requires the organisation to give the tester full access to the system and network, which time and resource constraints usually do not allow; a risk management process based on such a limited result not only complicates matters for the risk managers but will also not be effective (Brecht, 2016).


References

Borter, K. (2012). The Complications of Cloud Computing. [online] SmartFile. Available at: https://www.smartfile.com/blog/complications-cloud-computing/ [Accessed 23 Mar. 2019].

Brecht, D. (2016). Pros and Cons in Penetration Testing Services: The Debate Continues. [online] Infosec Resources. Available at: https://resources.infosecinstitute.com/pros-and-cons-in-penetration-testing-services-the-debate-continues/#gref [Accessed 23 Mar. 2019].

Burton, M. (2016). IoT: Risks and Dangers. [online] Metova. Available at: https://metova.com/iot-risks-and-dangers/ [Accessed 23 Mar. 2019].

Center for Internet Security. (2019). CIS Controls. [online] Available at: https://www.cisecurity.org/controls/ [Accessed 23 Mar. 2019].

McKendrick, J. (2018). 9 reasons to be cautious with blockchain. [online] ZDNet. Available at: https://www.zdnet.com/article/9-reasons-to-be-cautious-with-blockchain/ [Accessed 23 Mar. 2019].

Paganini, P. (2013). Importance of a BYOD Policy for Companies. [online] Infosec Resources. Available at: https://resources.infosecinstitute.com/byod-policy-for-companies/#gref [Accessed 23 Mar. 2019].

Unuth, N. (2019). Pros and Cons of Bringing Your Own Device at the Workplace. [online] Lifewire. Available at: https://www.lifewire.com/pros-and-cons-of-byod-at-work-3426318 [Accessed 23 Mar. 2019].

Versos. (2014). Penetration Testing. [online] Available at: http://www.versos.com.sa/services/riskmanagement/penetrationtesting.htm [Accessed 23 Mar. 2019].

Zumerle, D. (2013). Security Think Tank: BYOD security: policy, control, containment, and management. [online] Computer Weekly. Available at: https://www.computerweekly.com/opinion/Security-Think-Tank-BYOD-security-policy-control-containment-and-management [Accessed 23 Mar. 2019].

By admin_writer
