CRIR -Information Risk Assessment - Final


  • 8/9/2019 CRIR -Information Risk Assessment - Final


    Information Technology Risk Assessment

    Caitlyn Raymond International Registry

     April 2012


     © 2012 Grant Thornton LLP. All rights reserved.

Contents

Executive Summary (page 2)
Environment Overview (page 5)
Findings Overview (page 9)
Detailed Findings (page 11)
Appendix (page 26)


    Information Technology Risk Assessment-Caitlyn Raymond International Registry 2

    2 | P a g e

    Executive Summary

Grant Thornton, LLP was engaged by the Caitlin Raymond International Registry (“CRIR”) to perform an information technology risk assessment based on the ISO 27002 security standard. This assessment was conducted between February and April 2012 and was intended to provide CRIR with information about risks that could affect the availability of its technology and information systems or the confidentiality and integrity of the information contained within them. During this assessment Grant Thornton conducted:

- Interviews with key stakeholders and technology staff
- Detailed system and application configuration reviews
- Network vulnerability scanning
- Onsite hands-on system configuration reviews

Our assessment determined that CRIR has done a good job developing and maintaining proprietary applications that support the organization’s business operations. However, we identified a number of issues within the underlying technology infrastructure that present a significant risk to the organization. These issues stem from recent staffing changes that have left the organization with inadequate internal resources to support the network or server infrastructure. Specifically, CRIR’s application development team is attempting to perform server and network administration, tasks for which they do not have the skillset or time to complete effectively.

As a result, CRIR’s technology infrastructure is aging and not well maintained. Some of the hardware, software and operating systems supporting critical applications are over ten years old and are no longer supported by the manufacturers. Servers and network devices have not been built with secure configurations and are susceptible to common vulnerabilities. Regular maintenance activities including patching, backups and vulnerability management are either not being performed or are being performed ineffectively.

To address these issues with the technology infrastructure, we suggest that Caitlyn Raymond takes action immediately. First, the organization should look to hire a minimum of one, but ideally two, network / system administrators whose sole focus is to support the technology infrastructure. Next, the organization should plan a technology refresh, replacing unsupported hardware, software and operating systems with updated technology.


As an alternative to hiring new staff to support the technology infrastructure, Caitlyn Raymond could also look to outsource its data center and support functions to a 3rd party hosting and managed services provider. The organization could also look to merge these functions with UMass Memorial and allow the technology teams at the hospital to handle these critical tasks.


    Project Scope and Approach

In the spring of 2012, Grant Thornton was contracted by the Caitlyn Raymond International Registry to conduct a risk assessment of its technology infrastructure and applications based on the ISO 27002 information security standard. The focus of the assessment was the infrastructure and core functionality of CRIR, with an emphasis on the ‘Intranet’ application and supporting technologies including web-based services, databases and communications technology, as these govern the majority of CRIR business functions including its Donor and Patient transactions.

ISO 27002 is an internationally recognized standard for information security that evaluates risks to the confidentiality, integrity and availability of information assets. The standard is comprised of a number of high-level sections, as described below:

- Information risk management policies and procedures
- Security institution
- Asset classification and control
- Personnel security
- Physical and environmental security
- Communication and operations management
- Access control
- Systems development and maintenance
- Business continuity management
- Compliance

Grant Thornton conducted its assessment of Caitlyn Raymond’s technology infrastructure through a combination of the following activities:

- Conducting interviews with key functional and technical personnel
- Performing hands-on system configuration reviews
- Reviewing documentation provided by Caitlyn Raymond
- Using automated tools to collect information on device configuration
- Performing vulnerability scans using automated tools


    Environment Overview

    CRIR Overview

CRIR is a nonprofit organization affiliated with UMass Memorial Medical Center in Massachusetts. CRIR was originally established in 1986 as a unit within the Division of Hematology-Oncology of the Department of Pediatrics at the University of Massachusetts Medical Center, specifically as a coordinating center for conducting national and international searches for unrelated donors. CRIR maintains Hub Status in Bone Marrow Donors Worldwide and the European Marrow Donor Information System, maintains an affiliation with the National Marrow Donor Program, and is a member registry of the World Marrow Donor Association (WMDA).

Today, the Caitlin Raymond International Registry accesses 89 bone marrow donor registries and cord blood banks worldwide and has performed a search for more than 64,000 patients. Since its inception, the Caitlin Raymond International Registry has remained a comprehensive resource for patients and physicians conducting a search for unrelated bone marrow or cord blood donors.

    Information Technology Overview

Caitlyn Raymond’s information technology department has built a proprietary application that allows employees to administer patients and donors in an efficient and effective manner.

This system was originally developed in the 1980s using RBase. In the late 1990s, MS Access was introduced as a front-end and patient and donor data was moved into a MS SQL database. Recently, a web-based front-end has replaced Access as the primary application interface, providing a more flexible and secure framework.

This application, referred to internally as ‘The Intranet’, is a complex system with numerous modules and acts as an ERP (enterprise resource planning) system for the organization. The intranet supports both front-office operations (i.e. managing donor and patient registration and matching) as well as back-office functions such as the general ledger, AP / AR and an IT ticketing system. The full list of modules can be found below:

- Collection of Stem Cells: Donor and patient receiving
- Donor Testing Services: Test and register new Donors
- Intranet: Administration of Modules


- IS Module: IS Project / Inventory Devices / "Internal SharePoint"
- Recruitment: Used for recruiting new donors
- Report Tracker: Used to track documents from within the application
- Sample Processing: Management of DNA samples from new donors
- Ticketing System: IT or operations related tickets
- Finance Modules: Finance

Users of “The Intranet” are only allowed to access particular modules based on their logon credentials. During our assessment, we walked through the user authentication process and evaluated the security controls in place to prevent unauthorized access. A high-level description of the authentication process can be found below:

At log in:

Validate the user’s credentials:
- Checks if the user’s password has expired and needs to be changed
- Checks if the user account is blocked due to failed login attempts:
  o One failed login attempt: the account is blocked for 15 seconds
  o Two failed login attempts: the account is blocked for 45 seconds
  o Three failed login attempts: the account is blocked for 15 minutes and IT staff is notified via email
- Creates a new session: both the session start and session ID regeneration are used.
- Creates a hashed user agent and session string to be stored in the session data and user cookies.
- The session data is stored in a database protected with a username and password.

When an application page loads:
- Checks session expiration
- Sets the session’s time to 90 minutes
- Verifies the user agent matches the session data and cookies
- Prevents SQL injection by using a custom SQL statement before change commands are permitted.
- Checks if the IP address is within the defined range
- User authentication is verified
- User permissions for content are verified
- Updates corresponding tables

At session close:
- Session connections are terminated
- Deletes the session cookie
- Deletes hashed session information from the database
- User is returned to the login page.
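The login lockout schedule and the page-load session checks listed above, as an added Python illustration (not the Intranet’s own code): the class names, the IT-notification callback, the office IP range and the treatment of the 90-minute limit as a sliding window are assumptions.

```python
"""Progressive lockout and session binding modelled on the CRIR 'Intranet'
login and page-load checks.  Added illustration, not the registry's code."""
import hashlib
import hmac
import ipaddress
import secrets
import time

# Lockout schedule from the report: consecutive failures -> seconds blocked.
# The third failure also notifies IT staff (by e-mail in the original).
LOCKOUT_SECONDS = {1: 15, 2: 45, 3: 15 * 60}
SESSION_TTL_SECONDS = 90 * 60                 # "Sets session's time to 90 minutes"
ALLOWED_RANGE = ipaddress.ip_network("10.20.0.0/16")   # assumed office range


class LoginGuard:
    """Validates credentials and enforces the escalating account block."""

    def __init__(self, check_password, notify, clock=time.time):
        self._check_password = check_password   # callable(user, pw) -> bool
        self._notify = notify                   # callable(user): alert IT staff
        self._clock = clock                     # injectable for testing
        self._failures = {}                     # user -> consecutive failures
        self._blocked_until = {}                # user -> unix time block ends

    def attempt(self, user, password):
        now = self._clock()
        if now < self._blocked_until.get(user, 0.0):
            return "blocked"                    # refused before any password check
        if self._check_password(user, password):
            self._failures.pop(user, None)
            self._blocked_until.pop(user, None)
            return "ok"
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        # Third and later failures keep the 15-minute block and re-alert IT.
        self._blocked_until[user] = now + LOCKOUT_SECONDS[min(count, 3)]
        if count >= 3:
            self._notify(user)
        return "failed"


class SessionStore:
    """Server-side session table.  The user agent is stored hashed and
    re-checked on every page load, as the report describes."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}                     # session id -> record

    @staticmethod
    def _ua_hash(user_agent):
        return hashlib.sha256(user_agent.encode("utf-8")).hexdigest()

    def create(self, user, user_agent):
        sid = secrets.token_hex(16)             # fresh id on every login
        self._sessions[sid] = {"user": user,
                               "ua_hash": self._ua_hash(user_agent),
                               "expires": self._clock() + SESSION_TTL_SECONDS}
        return sid

    def load(self, sid, user_agent, client_ip):
        """Page-load checks: expiry, user-agent binding, IP range.
        Returns the user name, or None when the request must be refused."""
        record = self._sessions.get(sid)
        if record is None:
            return None
        now = self._clock()
        if now > record["expires"]:
            self.close(sid)
            return None
        if not hmac.compare_digest(record["ua_hash"], self._ua_hash(user_agent)):
            self.close(sid)                     # cookie presented from another client
            return None
        if ipaddress.ip_address(client_ip) not in ALLOWED_RANGE:
            return None
        record["expires"] = now + SESSION_TTL_SECONDS   # assumed sliding window
        return record["user"]

    def close(self, sid):
        """Session close: drop the server-side record; the client drops the cookie."""
        self._sessions.pop(sid, None)
```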


In our opinion, the controls that Caitlyn Raymond’s application development team has implemented to prevent users from accessing data without authorization are adequate. In general, CRIR has followed the best practice of using layered authentication and multiple techniques to mitigate misuse, and this has significantly reduced the risk of compromise to the “Intranet” application.

    Network Diagram

To support this application, Caitlyn Raymond operates a single data center located within its office facility in Worcester, Mass. A network diagram can be found below:

As can be seen in the diagram above, Caitlyn Raymond’s network is a flat, layer-2 network. Users, servers and publicly accessible systems all reside on the same logical network and route by default to a Linksys edge / core firewall / router.

Caitlyn Raymond’s public website is not hosted out of the Worcester, Mass data center, but instead is hosted at Rackspace, a 3rd party hosting provider. Email services are also outsourced to a cloud-based provider.

Caitlyn Raymond’s VoIP phone system is provided and managed by the UMass Memorial Medical Center and utilizes a separate layer-two switched network.


    Server Inventory

The table below provides an inventory of servers supported by Caitlyn Raymond’s information technology team:

| Host Name | Operating System | Warranty? | Purchase Date | Server Type | CPU | Memory | Disk | Function |
|---|---|---|---|---|---|---|---|---|
| Comedian | WinXP | Y | Aug-10 | HP Compaq dc5850 | AMD Phenom II X4 810 | 1.75GB | 220GB | EMDIS Application |
| Marvin | Suse Linux | N | Aug-05 | DELL PowerEdge 2800 | (2) 3.0 GHz/2MB Cache | 2GB DDR2 | 36GB, 36GB, 73GB, 73GB, 73GB, 73GB SCSI | Not working - MySQL M / Network Backup to USB |
| Minerva | WinXP | N | 2003 | DealDepot | Intel Celeron | 512MB | 40GB | Workstation for Rebe |
| Mycroft | Ubuntu Linux | N | Jun-08 | Vision | (2) AMD Athlon(tm) 64 X2 Dual Core Processor 4400 | 2GB DDR2 | 3x250GB | Dev Intranet and Dev M |
| Nagasaki | Ubuntu Linux | N | Jun-08 | Vision | (2) AMD Athlon(tm) 64 X2 Dual Core Processor 4400 | 2GB DDR2 | 3x250GB | Live MySQL, CUPS Print Server, Network Backup USB HD |
| NAS | | N | Jul-09 | ReadyNAS | | | 2TB Dual Gig RMNW | Network Storage (G |
| Server1 | Win2K Server | N | Sep-02 | DELL PowerEdge 1500SC | (2) 1.4 GHz/512 Cache | 512 MB SDRAM | (2) 18GB 10K RPM Ultra 160 SCSI | Network Print Server, DHCP, Anti-virus Server, Active Directory, Automated Tasks |
| Terminator | Ubuntu Linux | N | Apr-08 | Vision | (2) AMD Opteron(tm) 1212 | 2GB DDR2 | 3x250GB | Not running |
| Terminator2 | Ubuntu Linux | N | Apr-08 | Vision | (2) AMD Opteron(tm) 1212 | 2GB DDR2 | 3x250GB | Live Intranet |

Several entries in the Function column are clipped in the source document and are reproduced as they appear.


    Findings Overview

    Risk categories

Based upon our review of the overall control environment of the company, we have identified a number of findings. Each of these findings has been classified as high, medium or low risk based on the following definitions:

- High: A high risk finding is assigned to vulnerabilities that have a high threat or impact potential and could allow unauthorized privileged access, grant the ability to alter systems in some way, or leave the organization vulnerable to losses of sensitive information and potential financial penalties in the event of a breach. It is recommended that these findings are corrected immediately.
- Medium: A medium risk finding is assigned to vulnerabilities that pose a moderate level of risk to the organization and could allow a threat access to systems with unprivileged access. Medium risk findings generally represent systematic organizational problems that often lead to the introduction of new high risk technical findings if they are not corrected.
- Low: A low risk finding covers areas that do not meet the best practices put forth in the ISO standard but at the same time pose little to no immediate risk to the environment. If low risk findings are not corrected, they often lead to the introduction of new medium and high risk technical and administrative findings.


    Summary of Findings

Grant Thornton identified numerous issues within the Caitlyn Raymond technology infrastructure. A summary can be found in the tables below:

Policy, Process and Organizational Issues

| # | Finding | Risk |
|---|---|---|
| 1 | No Information security policy | Med |
| 2 | Information security responsibilities not defined | Low |
| 3 | Information security processes, standards, and guidelines not established | Med |

Technical Issues

| # | Finding | Risk |
|---|---|---|
| 4 | Use of out-of-warranty, out-of-date or unsupported hardware | High |
| 5 | Use of consumer based products in an enterprise environment | High |
| 6 | No patch or vulnerability management for operating systems or applications | High |
| 7 | No server configuration standards / system hardening | High |
| 8 | Use of unnecessary or undocumented services and applications | Med |
| 9 | Use of “administrator” / “root” account to manage systems | High |
| 10 | Remote access to Linux systems with “root” account is enabled | High |
| 11 | Use of weak / or default passwords | High |
| 12 | IT administrators unable to access network devices | Low |
| 13 | Broken processes for identity and authentication management | Med |
| 14 | No system-state backups being taken | High |
| 15 | Backup tapes stored in IT administrator’s homes | High |
| 16 | No disaster recovery plan / business continuity management | Med |
| 17 | UPS devices not properly configured / maintained | Low |
| 18 | Network diagram does not exist | Med |
| 19 | Insecure wireless networking configuration | High |
| 20 | No centralized logging / monitoring system | Med |
| 21 | No network segmentation | Med |
| 22 | Changes to Windows systems are made directly in production | Low |
| 23 | No change control process | Med |
| 24 | Insecure administrative access to 3rd party hosted web application server | High |
| 25 | Use of insecure protocols for data transfer / system management | Med |
| 26 | Desktop operating systems used to support server functions | Med |
| 27 | Access to financial system controlled by Access Database front-end | Med |
| 28 | Sensitive data not encrypted | Med |

People Issues

| # | Finding | Risk |
|---|---|---|
| 29 | IT personnel lack server and network administration skills | High |
| 30 | Understaffed | High |


    Risk vs. Mitigation Effort

In the chart below we have mapped each of the findings in a three by three matrix based on risk and mitigation effort. We recommend that Caitlyn Raymond address the high-risk findings with a low mitigation effort first. These findings are located in the upper-left hand corner of the chart. From there, we suggest working through the findings starting in the upper-left corner and working down to the lower-right.

Reading the chart by row (risk, high to low) and column (mitigation effort, low to high), the findings fall into the following cells:

High risk / Low mitigation effort:
- Use of “administrator” or “root” account to manage systems
- Remote access to Linux systems with “root” account is enabled
- Use of weak / default passwords
- No system state backups are taken
- Backup tapes stored in IT administrators’ homes
- Insecure wireless configuration
- Insecure administrative access to 3rd party / hosted web applications

High risk / Medium mitigation effort:
- Use of consumer based products in an enterprise environment
- No patch or vulnerability management for operating systems or applications
- No server configuration standards / system hardening

High risk / High mitigation effort:
- Use of out-of-warranty or unsupported hardware, software and operating systems
- IT personnel lack server and network administration skills
- Understaffed

Medium risk / Low mitigation effort:
- Broken process for identity and authentication management
- Network diagram does not exist
- No change control process
- Use of insecure protocols for data transfer / system management
- Sensitive data not encrypted

Medium risk / Medium mitigation effort:
- No Information Security Policy
- Information Security Processes, Standards and Guidelines not Established
- Desktop operating systems used to support server functions
- Use of unnecessary or undocumented services and applications
- No network segmentation

Medium risk / High mitigation effort:
- No disaster recovery plan / business continuity management
- No centralized logging / monitoring system
- Access to financial system controlled by Access Database front-end

Low risk / Low mitigation effort:
- IT administrators unable to access network devices
- UPS devices not properly configured / maintained
- Changes to Windows systems are made directly in production

Low risk / Medium mitigation effort:
- Information security responsibilities not defined


    Detailed Findings

The detailed findings below list the finding categories in detail. The intention is to call out the underlying cause of each vulnerability in the CRIR environment and present remediation options along with the estimated cost and manpower associated with remediation.

    Policy, Process and Organizational Issues

1. No Information Security Policy (Risk: Medium)

Description: Caitlyn Raymond does not have an information security policy that describes:
- Its approach to addressing information security issues
- Organizational roles and responsibilities as they relate to information security
- Acceptable use of information technology systems and assets
- Other

Risk Analysis: Policies are the cornerstone for information security and compliance in any organization. Without an information security policy, an organization does not have a basis for identifying, assessing and managing risks.

Remediation Cost/Effort: Medium

Recommendations: CRIR can look to leverage the information security policies that have already been developed for the UMass Memorial Medical Center to build a security policy of its own and distribute it to all employees.

Ongoing Effort: The security policy will need to be reviewed on an annual basis to ensure it remains applicable to new technologies and emerging threats.

2. Information Security Responsibilities not Defined (Risk: Low)

Description: Caitlyn Raymond does not define information security roles and responsibilities for all members of the organization. Typically, these roles and responsibilities are defined in an information security policy as described in Finding #1 above.

Risk Analysis: Without clearly defined roles and responsibilities for information security within the CRIR environment, there are several critical security and administration tasks that are not taking place.

Remediation Cost/Effort: Medium


Recommendations: CRIR needs to define information security roles and responsibilities for all employees.

Ongoing Effort: Information security roles should be periodically reviewed and updated to ensure they remain consistent with changes in organizational technology as well as new and emerging threats.

3. Information security processes, standards, and guidelines not established (Risk: Medium)

Description: Caitlyn Raymond has not defined operational procedures to be executed by information technology that support information security. Examples of policies and procedures that should be developed include:
- Acceptable Use Policy
- Backup and Restoration Procedures
- Patch Management Procedures
- Vulnerability Management Procedures
- Identity and Authentication Management Procedures
- Password Policy and Reset Procedures
- Incident Response Policy
- Others

Risk Analysis: Without defined processes, standards and guidelines, the administration of servers and the network is conducted in a way in which security and risk within the environment cannot be measured or controlled by CRIR staff.

Remediation Cost/Effort: Medium

Recommendations: Security processes, standards and guidelines should be documented in the site’s policies and procedures, and staff should be made aware of their responsibilities. All areas of administration should be documented, for example patch management, server updates, and creating and deleting users. It is very likely that UHMV already has this done; CRIR should use it as a starting point for its own environment.

Ongoing Effort: This should be reviewed any time updates are made to the site’s security policy.


    Technical Issues

4. Use of out-of-warranty, out-of-date or unsupported hardware and software (Risk: High)

Description: Caitlyn Raymond is utilizing hardware, software and operating systems that are no longer supported by the manufacturers. This includes numerous out-of-warranty servers and network devices as well as the use of the Windows 2000 / Ubuntu 8.1 operating systems.

Risk Analysis: Using out-of-date hardware not only affects system performance, but also leaves the organization susceptible to a sustained outage in the event that a system component fails and replacement parts are not readily available.

Using out-of-support operating systems leaves the organization susceptible to newly discovered vulnerabilities which are no longer patched by the vendor.

Remediation Cost/Effort: High

Recommendations: CRIR should develop a plan to replace the hardware, software and operating systems that are no longer under warranty or are no longer supported by their vendors.

Ongoing Effort: In addition, we recommend that CRIR builds a formalized process for system lifecycle management that plans for regular hardware, software and operating system upgrades to ensure that they do not fall out of support in the future.

5. Use of consumer based products in an enterprise environment (Risk: High)

Description: CRIR has deployed a consumer grade Linksys device as its core router / edge firewall. Linksys is intended for home use and is not robust enough for a corporate environment.

Risk Analysis: Consumer grade networking equipment does not have the granular security features needed for a corporate environment.

Remediation Cost/Effort: Medium

Recommendations: Replace network equipment with business class devices.

Ongoing Effort: Once replaced, CRIR should make sure only business class devices are used moving forward.


6. No patch or vulnerability management for operating systems or applications (Risk: High)

Description: Patches and updates are not being applied to servers, workstations and other devices.

Risk Analysis: By not applying patches, Caitlyn Raymond is leaving itself vulnerable to exploits from internal and external sources that could result in a breach of sensitive patient or donor data or system unavailability.

Remediation Cost/Effort: Medium

Recommendations: Develop a formal patch and vulnerability management plan, defining when and how patches will be tested and deployed.

Ongoing Effort: The patch management and vulnerability management program should be periodically reviewed to make sure it is functioning correctly.

7. No server configuration standards / system hardening (Risk: High)

Description: CRIR has not developed system configuration standards for servers or network devices that harden them to prevent the most common information security vulnerabilities.

Risk Analysis: Servers that are installed “out of the box” without going through a formal hardening procedure could enter the network missing critical software or firmware patches or even anti-virus definitions, increasing the threat to the network.

Remediation Cost/Effort: Medium

Recommendations: Create a checklist of security requirements that needs to be followed and use it when setting up any new equipment.

Ongoing Effort: Hardening procedures should be periodically evaluated to ensure they are current and best fit the organization.

8. Use of unnecessary or undocumented services and applications (Risk: Medium)

Description: Servers and network devices on the Caitlyn Raymond network have numerous services enabled and configured that are not being utilized, including FTP, telnet, HTTP and many others.

Risk Analysis: Services are access points to your network; when no longer required they are often left unmonitored and vulnerable, creating a larger threat footprint for compromise. Services not in use also take up valuable system resources.

As an example, we included the output of open services for the domain controller, which had a large number of services in use including ‘Gopher’ and ‘Pop2’, which have not been required services for several years.

Remediation Cost/Effort: Medium


Recommendations: Disable unnecessary services and, if possible, determine why the service was enabled to begin with.

Ongoing Effort: Periodic review of open services should be conducted.

9. Use of “administrator” / “root” account to manage systems (Risk: High)

Description: Caitlyn Raymond uses the root and / or administrator account to manage systems instead of using unique usernames attributable to each individual.

Risk Analysis: Administrator and root accounts are generic accounts that are not traceable back to an individual system administrator and often grant much higher levels of access than needed for basic administration.

Remediation Cost/Effort: Low

Recommendations: Admins should have personal accounts set up to log in and do basic administrative tasks. The password to the root and / or administrator accounts should be long and complex, and these accounts should only be accessed in the event of a disaster / emergency.

Ongoing Effort: Once in place, no follow-on effort should be required.

10. Remote access to Linux systems with “root” account is enabled (Risk: High)

Description: Linux systems at Caitlyn Raymond are configured to allow remote access using the “root” account. This configuration enables an attacker who has compromised the system to gain full control.

Risk Analysis: The root account should be restricted to prevent system compromise and damage to the system. The root account has access to modify all aspects of the operating system, so any mistake made while using it will modify the system.

Remediation Cost/Effort: Low

Recommendations: Authorized users should use sudo to run operations that require root level privileges. Use of sudo allows accountability for changes to the system. Because the user must deliberately elevate privileges for the specific part of the system they wish to change, the chance of mistaken modifications is greatly reduced.

Ongoing Effort: Once in place, CRIR should ensure sudo is used for all remote administration.
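To check whether a Linux host still permits the remote root logins this finding describes, an added Python example (not the report’s tooling): both sshd_config samples are constructed, and treating an absent PermitRootLogin as “yes” is an assumption based on older OpenSSH defaults.

```python
"""Audit sshd_config for the remote-root exposure in Finding 10.
Added example, not the report's tooling; both configs are constructed."""
import re

WEAK_SSHD_CONFIG = """
# Constructed: an unmanaged host that accepts root password logins
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_SSHD_CONFIG = """
# Constructed: named administrators log in and elevate with sudo
PermitRootLogin no
PasswordAuthentication no
AllowGroups sshadmins
Match Address 10.20.0.0/16
    PasswordAuthentication yes
"""


def parse_global_directives(text):
    """Return the global-section directives, keywords lower-cased.
    sshd uses the first occurrence of a keyword, so repeats are ignored,
    and parsing stops at the first Match block because settings inside
    it apply only to the matching connections."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        directives.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return directives


def audit_root_access(text):
    """List the problems found; an empty list means the finding is closed."""
    d = parse_global_directives(text)
    problems = []
    # Assumption: an absent keyword is treated as 'yes', the default on the
    # older OpenSSH releases shipped with the Ubuntu 8.x hosts in the inventory.
    root = d.get("permitrootlogin", "yes").lower()
    if root == "yes":
        problems.append("PermitRootLogin yes: root can log in remotely")
    elif root != "no":
        problems.append(f"PermitRootLogin {root}: root keys still usable remotely")
    if root != "no" and d.get("passwordauthentication", "yes").lower() == "yes":
        problems.append("root password can be guessed over the network")
    return problems
```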

11. Use of weak / or default passwords (Risk: High)

Description: Many systems on the Caitlyn Raymond network have been configured with weak or default administrative passwords.

Risk Analysis: Weak and / or default passwords are easily compromised by


    malicious users granting them unauthorized access to systems andnetwork resources.

    Remediation Cost/Effort Low

    Recommendations CRIR should change all default passwords, and require allaccounts including service accounts require strong passwords ofat least 8 characters and a mix of capital, lower case, number andspecial character

    Ongoing Effort Once in place CRIR should remain enforce passwordrequirements.

    12.  IT administrators unable to access network devices  Low

    Description IT administrators at Caitlyn Raymond have no understanding ofhow to access switches and other network devices. Not only

     were the management IP addresses unknown, but usernames,passwords and console access were unavailable as well.

    Risk Analysis  With no level of access for the current staff the devices arecompletely unmanaged and are not being administered in any

     way.

    Remediation Cost/Effort Low

    Recommendations Network staff should have full access and control over allnetwork devices. The staff should console into each device, viewthe configuration , note management IP addresses and set upuser-level access as appropriate.

    Ongoing Effort Moving forward, when anything is added to the network, staff should have appropriate access levels.

    13.  Broken processes for identity and authentication management Medium

    Description Formalized processes for adding and removing system accounts have not been developed. In some instances, system administrators no longer with the company have accounts enabled.

    Risk Analysis Without strong identity and authentication management processes in place, an organization leaves itself susceptible to a compromise of information by a former employee.

    Remediation Cost/Effort Low

    Recommendations Remove or archive accounts for users that are no longer needed, and make sure all saved files and data have proper permissions set.

    Ongoing Effort Periodic review should be conducted to prevent this from building up in the future. This should be defined in processes and procedures.
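An added example, not from the report: a periodic account review of the kind the Ongoing Effort describes, written in Python against a constructed list of accounts and a constructed roster of current staff. The 90-day dormancy threshold, the review date and all names are assumptions made for the example:

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple


@dataclass
class Account:
    name: str
    enabled: bool
    owner: Optional[str]        # staff member the account belongs to; None for service accounts
    last_login: Optional[date]  # None = never logged in


DORMANT_DAYS = 90  # assumed threshold; the report does not set one


def review_accounts(accounts: List[Account], current_staff: Set[str],
                    today: date) -> List[Tuple[str, str]]:
    """Return (account, reason) for every enabled account that needs action.

    Order of checks matters: an account whose owner has left is flagged
    for removal regardless of how recently it was used.
    """
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled; archiving its data is a separate step
        if acct.owner is not None and acct.owner not in current_staff:
            findings.append((acct.name, "owner no longer with the organization: disable and archive"))
        elif acct.last_login is None:
            findings.append((acct.name, "never used: confirm it is still required"))
        elif (today - acct.last_login).days > DORMANT_DAYS:
            findings.append((acct.name, f"unused for more than {DORMANT_DAYS} days: confirm it is still required"))
    return findings


# Constructed sample data; names and dates are made up.
CURRENT_STAFF = {"jsmith", "mlee"}
SAMPLE_ACCOUNTS = [
    Account("jsmith", True, "jsmith", date(2012, 4, 10)),       # active, current staff
    Account("bjones", True, "bjones", date(2011, 11, 2)),       # former administrator, still enabled
    Account("mlee", True, "mlee", date(2011, 12, 20)),          # current staff, but dormant
    Account("svc_backup", True, None, date(2012, 4, 14)),       # service account in regular use
    Account("tmpadmin", True, None, None),                      # service account never used
    Account("old_dba", False, "old_dba", date(2010, 1, 5)),     # already disabled
]
REVIEW_DATE = date(2012, 4, 15)

if __name__ == "__main__":
    for name, reason in review_accounts(SAMPLE_ACCOUNTS, CURRENT_STAFF, REVIEW_DATE):
        print(f"{name}: {reason}")
```

The roster is the piece that makes the review work: without an authoritative list of who is still employed, the "owner has left" check cannot be automated, which is why the report ties this finding to a defined process rather than a one-off clean-up.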


     would experience an extended outage.

    Remediation Cost/Effort High

    Recommendations CRIR should work with UHMV to determine if there is an existing location that CRIR could restore their servers and critical data to and that staff could work from until the primary site was available again.

    Ongoing Effort Once developed, the plan should be reviewed by IT and executive management at least yearly to ensure it covers all CRIR recovery needs.

    17.  UPS devices not properly configured / maintained Low

    Description The UPS devices in the Caitlyn Raymond data center are not configured properly and have not had regular annual maintenance done since their implementation.

    Risk Analysis Improper configuration / maintenance could cause UPS units to fail at time of incident. There is currently no generator backup for the CRIR environment.

    Remediation Cost/Effort Medium

    Recommendations Work to properly configure the UPS systems to fail over to generator power or do a graceful takedown of the network once battery power has dropped. If it is determined that outages due to power must be prevented, CRIR should work to have the network placed on a generator backup system.

    Ongoing Effort Power management will need to be re-evaluated whenever network changes occur.

    18. Detailed documentation of the network and communications links does not exist  Medium

    Description Caitlyn Raymond does not have a network diagram or documentation of network device configuration.

    Risk Analysis Without documentation of the network and the communication links, it would be very difficult for CRIR to troubleshoot any communication/networking issues with the network.

    Remediation Cost/Effort Low

    Recommendations Grant Thornton has provided a detailed Visio diagram as part of this assessment.

    Ongoing Effort The Visio diagram should be updated whenever a change takes place.


    19.  Insecure wireless networking configuration High

    Description Caitlyn Raymond has a wireless access point on its network but has not applied basic system security parameters that would prevent unauthorized access.

    Note: This device is currently unused by CRIR personnel.

    Risk Analysis The wireless implementation was a commercial wireless router using WPA for authentication. WPA is easily cracked using readily available free utilities, which could allow unauthorized access to the network.

    Remediation Cost/Effort Low

    Recommendations It was determined that wireless was no longer needed by the staff at CRIR, and the device was powered off. If the device is not required, it should be permanently removed from the network.

    Ongoing Effort If it is determined in the future that wireless is needed, a business-class device that uses more robust security should be purchased and used.

    20.  No centralized logging / monitoring system Medium

    Description Caitlyn Raymond has not deployed a centralized system for logging system access or event logs. Further, no process for reviewing system access or event logs stored locally on individual servers or network devices has been put in place.

    Risk Analysis Without centralized event logging and monitoring, IT administrators will not be able to detect malicious activity on the CRIR network or easily determine the root cause of system and network issues.

    Remediation Cost/Effort High

    Recommendations Deploy a centralized logging and monitoring system that will alert IT administrators when key events occur and provide access reports to management on a regular basis.

    Alternatively, Caitlyn Raymond could leverage any logging and monitoring system already deployed by the UMass Memorial Medical Center or turn to a 3rd party service to provide this functionality.

    Ongoing Effort Monitoring and logging will need to be periodically evaluated and updated to ensure it is best meeting the organization's needs.
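The following added Python example (not the report's or CRIR's code) shows the kind of rule set a centralized logging system applies once every host forwards its logs: it correlates constructed syslog lines from two hosts and raises alerts for repeated failed logins, direct root logins and account creation, while keeping a sudo accountability trail of the sort finding 10 relies on. Hostnames, addresses and the five-failure threshold are assumed values:

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Traditional syslog format: "Mon DD HH:MM:SS host program[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)(?:\[\d+\])?: ?(?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
ACCEPTED_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"(?P<user>\S+) : .*COMMAND=(?P<cmd>.*)")
USERADD_RE = re.compile(r"new user: name=(?P<user>[\w-]+)")

FAILED_THRESHOLD = 5  # assumed alerting threshold; the report does not specify one

Alert = Tuple[str, str]            # (kind, detail)
SudoRecord = Tuple[str, str, str]  # (host, user, command)


def analyze(lines: List[str], failed_threshold: int = FAILED_THRESHOLD
            ) -> Tuple[List[Alert], List[SudoRecord]]:
    """Correlate events from several hosts' logs.

    Returns the alerts an administrator should be notified about, plus the
    sudo accountability trail (who ran what as root, on which host).
    """
    alerts: List[Alert] = []
    sudo_trail: List[SudoRecord] = []
    failures: Dict[Tuple[str, str], int] = defaultdict(int)  # (host, source IP) -> count

    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            alerts.append(("UNPARSED", line))  # never silently drop input
            continue
        host, prog, msg = m["host"], m["prog"], m["msg"]

        if prog == "sshd":
            failed = FAILED_RE.search(msg)
            accepted = ACCEPTED_RE.search(msg)
            if failed:
                key = (host, failed["src"])
                failures[key] += 1
                if failures[key] == failed_threshold:  # alert once per source, not per attempt
                    alerts.append(("BRUTE_FORCE",
                                   f"{failed_threshold} failed logins on {host} from {failed['src']}"))
            elif accepted:
                if accepted["user"] == "root":  # direct root login, see finding 10
                    alerts.append(("ROOT_LOGIN", f"direct root login on {host} from {accepted['src']}"))
                if failures[(host, accepted["src"])] >= failed_threshold:
                    alerts.append(("SUCCESS_AFTER_FAILURES",
                                   f"{accepted['user']} logged in to {host} from {accepted['src']} "
                                   f"after repeated failures"))
        elif prog == "sudo":
            s = SUDO_RE.search(msg)
            if s:
                sudo_trail.append((host, s["user"], s["cmd"].strip()))
        elif prog == "useradd":
            u = USERADD_RE.search(msg)
            if u:  # new accounts should match an approved change, see finding 13
                alerts.append(("ACCOUNT_CREATED", f"account {u['user']} created on {host}"))
    return alerts, sudo_trail


# Constructed sample: lines from two hosts as a central syslog server would receive them.
SAMPLE_LOG = """\
Apr 12 03:14:01 srv01 sshd[2214]: Failed password for root from 192.0.2.10 port 50112 ssh2
Apr 12 03:14:03 srv01 sshd[2214]: Failed password for root from 192.0.2.10 port 50113 ssh2
Apr 12 03:14:05 srv01 sshd[2216]: Failed password for invalid user admin from 192.0.2.10 port 50114 ssh2
Apr 12 03:14:07 srv01 sshd[2218]: Failed password for root from 192.0.2.10 port 50115 ssh2
Apr 12 03:14:09 srv01 sshd[2220]: Failed password for root from 192.0.2.10 port 50116 ssh2
Apr 12 03:14:11 srv01 sshd[2222]: Failed password for root from 192.0.2.10 port 50117 ssh2
Apr 12 03:14:20 srv01 sshd[2224]: Accepted password for root from 192.0.2.10 port 50118 ssh2
Apr 12 09:01:44 srv02 sudo:   jsmith : TTY=pts/0 ; PWD=/home/jsmith ; USER=root ; COMMAND=/sbin/service httpd restart
Apr 12 09:02:11 srv02 useradd[3101]: new user: name=tmpadmin, UID=1005, GID=1005, home=/home/tmpadmin, shell=/bin/bash
""".splitlines()

if __name__ == "__main__":
    alerts, trail = analyze(SAMPLE_LOG)
    for kind, detail in alerts:
        print(f"[{kind}] {detail}")
    for host, user, cmd in trail:
        print(f"sudo on {host}: {user} ran {cmd}")
```

Every rule here depends on the logs leaving the host: with logging only stored locally, as the finding describes, an intruder who gains root on srv01 can erase the very lines that would have raised the alert.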


    21.  No network segmentation Medium

    Description Caitlyn Raymond has deployed a flat, layer two network without VLANs. Regular users have not been placed in a different segment than IT administrators, servers or publicly accessible systems.

    Risk Analysis Without network-level segmentation, IT administrators cannot control which systems users on the internal network have access to. Effectively, all users have the ability to access all CRIR systems using any available service.

    Remediation Cost/Effort Medium

    Recommendations Implement multiple VLANs to separate traffic. At a minimum, a donor, patient, server, IT and DMZ VLAN should be deployed along with the associated access control lists.

    Ongoing Effort Network segmentation will need to be evaluated anytime an organizational or network change takes place.

    22.  Changes to Windows systems are made directly in production Medium

    Description Caitlyn Raymond updates its Microsoft Windows environment without first testing changes in a development environment.

    Risk Analysis Updating systems in production prior to testing could cause system instability or failure. If a mistake is made or a patch does not install correctly, it will directly affect the production network.

    Remediation Cost/Effort Low

    Recommendations Test all changes to the production systems in a lab environment before applying. Use of VMware or other virtualization technologies can simplify this effort.

    Ongoing Effort Once a test environment is in place, CRIR should ensure testing prior to deployment to the production network is done moving forward.

    23.  No change control process Medium

    Description A formal change control process is not in place for servers, operating systems, network devices or applications.

    Risk Analysis Network systems need periodic updates and configuration changes for proper operation. Without an appropriate process governing how and when system and network changes can take place, changes that are needed could be missed, or changes that are implemented incorrectly could damage the network.

    Remediation Cost/Effort Low

    Recommendations Develop a change control program listing how and when changes can take place on the network, including documentation for approval and back-out procedures in case the change needs to be undone.

    Ongoing Effort Change control should be periodically reviewed and modified to best fit CRIR operations.

    24. Insecure administrative access to 3rd party hosted web application server  High

    Description Caitlyn Raymond has not set up secure access to applications hosted with 3rd parties, including its email system and public website.

    Risk Analysis Insecure communication protocols used for remote administration can be intercepted by an attacker. Use of any clear text or unencrypted protocols over the internet provides an open attack vector for compromise.

    Remediation Cost/Effort Low

    Recommendations Administrators should use a secure protocol such as SSH for remote administration.

    Ongoing Effort CRIR should periodically review communication protocols and make certain they are providing appropriate security.

    25.  Use of insecure protocols for data transfer / system management Medium

    Description Caitlyn Raymond uses telnet, FTP, HTTP and other unencrypted protocols to manage server and network resources.

    Risk Analysis Weak encryption protocols such as older versions of SSL and weak communications protocols such as Telnet and FTP are in use throughout the CRIR network. Weak encryption can be easily intercepted and monitored.

    Remediation Cost/Effort Low

    Recommendations Insecure management protocols should be disabled. Only encrypted communication protocols should be used to manage server and network devices.

    Ongoing Effort CRIR should periodically review what is being used for network traffic encryption and communications and make sure it is both up to date and secure.

    26.  Desktop operating systems used to support server functions Medium

    Description The MDIS and Terminal Server systems at Caitlyn Raymond utilize Windows XP to support a server-based function.

    Risk Analysis Desktop software does not have the security or stability of server-class software and has a higher risk of compromise or failure.


    Remediation Cost/Effort Medium

    Recommendations Desktop operating systems should be replaced with server software.

    Ongoing Effort When services are deployed, CRIR should make sure the system they run on supports them.

    27.  Access to financial system controlled by Access Database front-end Medium

    Description Caitlyn Raymond’s financial system has not been converted to a web-based format and is still accessible using an Access database.

    Risk Analysis Access is not scalable or secure enough to be deployed as a front-end solution. The version of Access being used is no longer supported by the vendor.

    Remediation Cost/Effort High

    Recommendations CRIR should continue moving forward with plans to replace the Access front end with the solution they are using for the rest of the “Internet” application.

    Ongoing Effort Application staff should continue to replace solutions as they become obsolete.

    28.  Sensitive data not encrypted Medium

    Description Donor and patient data stored in databases and flat files throughout the Caitlyn Raymond network is not encrypted.

    Risk Analysis Sensitive data, especially data containing PII (personally identifiable information) and financial data, will be the primary target if systems are compromised.

    Remediation Cost/Effort Low

    Recommendations Sensitive data should be stored in encrypted folders or be encrypted at the file level. This will add an additional layer of security should a system compromise take place. There are several free solutions available to CRIR, for example TrueCrypt for encrypted storage or GPG for file-level encryption.

    Ongoing Effort CRIR should periodically review where sensitive data resides on the network and ensure it is being secured.
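An added example for the ongoing review of where sensitive data resides (not from the report): a Python scanner that walks a directory tree, skips files already protected with GPG, and flags files containing SSN-shaped identifiers or Luhn-valid card numbers. The sample files it builds under a temporary directory are constructed, use fake identifiers, and the card number is the industry's standard 4111 1111 1111 1111 test number:

```python
import os
import re
import tempfile
from typing import Dict, List, Tuple

# Patterns for the two kinds of sensitive data the finding names (PII and financial data).
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")
# 13-19 digits, optionally separated by spaces or dashes; confirmed with the Luhn check below
CARD_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")

# Files already protected with GPG (the file-level option the recommendation mentions)
PGP_ARMOR = b"-----BEGIN PGP MESSAGE-----"
ENCRYPTED_EXT = {".gpg", ".pgp", ".asc"}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str) -> Dict[str, int]:
    """Count SSN-shaped identifiers and Luhn-valid card numbers in a text blob."""
    cards = 0
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            cards += 1
    return {"ssn": len(SSN_RE.findall(text)), "card": cards}


def is_encrypted(path: str) -> bool:
    """Treat GPG output (by extension or ASCII-armor header) as already protected."""
    if os.path.splitext(path)[1].lower() in ENCRYPTED_EXT:
        return True
    with open(path, "rb") as fh:
        return fh.read(len(PGP_ARMOR)) == PGP_ARMOR


def scan_directory(root: str) -> List[Tuple[str, Dict[str, int]]]:
    """Return (relative path, counts) for every unencrypted file holding sensitive data."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if is_encrypted(path):
                continue  # already protected at the file level
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                counts = scan_text(fh.read())
            if any(counts.values()):
                hits.append((os.path.relpath(path, root), counts))
    return sorted(hits)


def build_sample_tree() -> str:
    """Create a constructed sample export under a temp directory and return its path.

    All identifiers are fake; the card number is the standard test number.
    """
    root = tempfile.mkdtemp(prefix="crir_scan_")
    samples = {
        "donors/export.csv": "id,name,ssn\n1,Jane Roe,123-45-6789\n2,John Doe,987-65-4321\n",
        "finance/payments.txt": "card 4111 1111 1111 1111 paid 2012-04-01\nref 1234567890123\n",
        "notes/readme.txt": "Nothing sensitive here. Call 508-555-0100.\n",
        "archive/old_export.csv.gpg": "placeholder standing in for GPG ciphertext",
    }
    for rel, content in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, counts in scan_directory(build_sample_tree()):
        print(f"{rel}: {counts}")
```

The Luhn filter is what keeps the report usable: the 13-digit reference number in the payments file is rejected, so a reviewer sees only files that genuinely need to be moved into encrypted storage.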


    People Issues

    29.  IT personnel lack server and network administration skills High

    Description CRIR servers are not being adequately supported due to a lack of systems expertise and training of the staff. Servers at CRIR are showing signs of failure due to years of being run by staff that was not trained on systems administration and what is required to maintain server functionality.

    Risk Analysis Almost all of the findings identified earlier in this report are attributable to a lack of system / network administration skills within the IT function at CRIR.

    Remediation Cost/Effort High

    Recommendations Staff needs to be properly trained on server administration, or additional staff will need to be brought in to manage the network. A second option is to allow the UMass Memorial Medical Center or a 3rd party service provider to take over the responsibility for server and network management.

    Ongoing Effort As technology changes, training will need to be conducted to ensure staff remains knowledgeable on operations and administration of servers.

    30.  Understaffed High

    Description There are not enough resources available to adequately manage the network. The current structure has two staff members splitting their time between network and server operations and their primary assignment of managing the ‘Intranet’ application.

    Risk Analysis Almost all of the findings identified earlier in this report are attributable to a lack of system / network administration skills within the IT function at CRIR.

    Remediation Cost/Effort High

    Recommendations CRIR should consider hiring at least one additional resource that is trained in network and server administration. A second option for CRIR to consider is to outsource the network and server administration roles; this can be done within the UMass Memorial Medical Center system or with a 3rd party service provider.

    Ongoing Effort Staffing size should complement the size of CRIR operations and will need to be assessed whenever organizational changes take place.


     Appendix A: Tools Utilized

    Assessment Tools

    Tool: Burp Suite
    Function: Burp Suite is an integrated platform for performing security testing of web applications.
    CRIR Service: Burp Suite was used to test the security of the “Internet” application at CRIR. The results of testing did not uncover any notable findings.

    Tool: OWASP-ZAP (Open Web Application Security Project – Zed Attack Proxy)
    Function: The Zed Attack Proxy (ZAP) is an integrated testing tool for finding vulnerabilities in web applications. ZAP contains automated scanners as well as a set of manual tools to find security vulnerabilities.
    CRIR Service: OWASP-ZAP was used to test the “Internet” application at CRIR for security and security bypass vulnerabilities. The results of testing did not uncover any notable findings.

    Tool: Data Collection Scripts
    Function: Basic system scripts used to automate the collection process for gathering system configurations. System configurations are reviewed for vulnerabilities and compliance.
    CRIR Service: Data collection scripts were provided to CRIR to collect data from the Windows and Linux systems on the CRIR network. The data returned from the scripts was used to perform a systems configuration review of the CRIR systems.

    Tool: Nessus Vulnerability Scanner
    Function: Nessus is a network vulnerability scanner used to identify possible vulnerabilities on computer networks.
    CRIR Service: Nessus was used to scan the CRIR network. The scan uncovered 163 unique vulnerabilities related to outdated systems and software as well as missing system patches and maintenance.

    Tool: Nmap (Network Mapper)
    Function: Nmap is a scanning tool used to discover hosts and services on a computer network.
    CRIR Service: Nmap was used to identify unmanaged switches on the CRIR network.

    Tool: TCPView
    Function: TCPView is a Windows program that shows detailed listings of all TCP and UDP endpoints on a system, including the local and remote addresses and the state of TCP connections.
    CRIR Service: TCPView was run to identify running services on the CRIR network. TCPView identified an excessive number of services running on the CRIR network.


     Appendix B: Outsourcing Analysis

    One potential solution that will address many of the issues uncovered during this assessment is to outsource the data center and management of the technology infrastructure to the UMass Memorial Medical Center. In this model, Caitlyn Raymond’s existing IT team will be able to focus on doing what they do best: developing and managing applications and databases to support the international registry. Server, network and data center support will be the responsibility of UMass’s infrastructure team and be folded into their existing processes.

    While Grant Thornton absolutely recommends this model for IT management as a solution for Caitlyn Raymond, there are a number of caveats that must be considered.

    Technology Refresh Still Required

    Even if Caitlyn Raymond migrates its technology infrastructure into UMass’s datacenters, the underlying technology infrastructure will still need to be refreshed. This will include upgrading hardware, software and operating systems as well as applying secure configurations to all devices.

    As a part of this process, Caitlyn Raymond will need to evaluate different options for their technology, including the use of physical vs. virtual servers, directly attached storage vs. NAS / SAN, utilization of cloud-based technologies, shared vs. stand-alone database structures and a host of other key design choices.

    If this exercise is not completed, Caitlyn Raymond will be essentially picking up a problem and moving it to another location without addressing the underlying issues.

    Requirements Definition

    While it is expected that UMass would take on the responsibility of managing and maintaining Caitlyn Raymond’s technology infrastructure in this outsourced model, the registry will still be responsible for defining requirements for key IT processes for the hospital. For example, backup and patching schedules, system access policies, data classification systems, system configuration standards and numerous other items will still need to be developed by Caitlyn Raymond and communicated to UMass.

    Responsibility Matrix

    If Caitlyn Raymond does choose this model for IT management, the responsibility for addressing each of the findings in this report will be split between itself and the UMass Memorial Medical Center. In the chart below, we’ve assessed which entity will be responsible for addressing each finding:


    Policy, Process and Organizational Issues Responsibility

    1 No Information security policy CRIR / UMASS

    2 Information security responsibilities not defined CRIR / UMASS

    3 Information security processes, standards, and guidelines not established UMASS

     Technical Issues Responsibility

    4 Use of out-of warranty, out-of date or unsupported hardware CRIR

    5 Use of consumer based products in an enterprise environment CRIR

    6 No patch or vulnerability management for operating systems or applications UMASS

    7 No server configuration standards / system hardening CRIR / UMASS

    8 Use of unnecessary or undocumented services and applications CRIR

    9 Use of “administrator”/ “root” account to manage systems CRIR / UMASS

    10 Remote access to Linux systems with “root” account is enabled CRIR / UMASS

    11 Use of weak or default passwords UMASS

    12 IT administrators unable to access network devices UMASS

    13 Broken processes for identity and authentication management UMASS

    14 No system-state backups being taken UMASS

    15 Backup tapes stored in IT administrator’s homes  UMASS

    16 No disaster recovery plan / business continuity management CRIR / UMASS

    17 UPS devices not properly configured / maintained UMASS

    18 Network diagram does not exist UMASS

    19 Insecure wireless networking configuration UMASS

    20 No centralized logging / monitoring system UMASS

    21 No network segmentation UMASS

    22 Changes to Windows systems are made directly in production UMASS

    23 No change control process UMASS

    24 Insecure administrative access to 3rd party hosted web application server UMASS

    25 Use of insecure protocols for data transfer / system management CRIR / UMASS

    26 Desktop operating systems used to support server functions CRIR

    27 Access to financial system controlled by Access Database front-end CRIR

    28 Sensitive data not encrypted CRIR

    People Issues Responsibility

    29 IT personnel lack server and network administration skills UMASS

    30 Understaffed UMASS


    © Grant Thornton LLP. All rights reserved. U.S. member firm of Grant Thornton International Ltd.

    This proposal is the work of Grant Thornton LLP, the U.S. member firm of Grant Thornton International Ltd, and is in all respects subject to negotiation, agreement and signing of specific contracts. The information contained within this document is intended only for the entity or person to which it is addressed and contains confidential and/or proprietary material. Dissemination to third parties, copying or use of this information is strictly prohibited without the prior written consent of