
// Brand colour: fill of the level-1 heading pills and the header wordmark.
#let gold = rgb("#ffc500")
#set text(font: "Calibri", size: 12.5pt)
#show link: set text(blue)
// Stops of the dark-blue gradient that is spread into `gradient.linear` for
// the running header/footer bands and the cover background. The middle
// stop is repeated four times so the centre of the band stays flat.
#let gradient_fill = (
  color.hsl(230deg, 60%, 20%),
  color.hsl(225deg, 60%, 15%),
  ..(color.hsl(220deg, 60%, 15%),) * 4,
  color.hsl(210deg, 60%, 15%),
  color.hsl(210deg, 80%, 20%),
)
#set heading(numbering: "1.1.")
// Level-1 headings render as a rounded gold pill. Every level-1 heading
// except the first (heading counter == 1) starts on a fresh page.
#show heading.where(level: 1): it => context {
  if counter(heading).get().first() != 1 {
    pagebreak()
  }
  block(
    inset: (x: 8pt, y: 5pt),
    radius: 100%,
    fill: gold,
    text(
      font: "Roboto",
      fill: black,
      size: 1.2em,
      tracking: .1pt,
      weight: "black",
    )[#it],
  )
}
// Secondary brand colour: fill of the level-2 heading pills.
#let navy = rgb("#00265E")
// Level-2 headings: rounded navy pill with white bold text.
#show heading.where(level: 2): it => block(
  inset: (x: 8pt, y: 5pt),
  radius: 100%,
  fill: navy,
  text(font: "Roboto", fill: white, size: 1.1em, weight: "bold")[#it],
)
// Level-3 headings: rounded dark-red pill with white bold text, slightly
// larger than level 2 (1.15em vs 1.1em) so the phase headings stand out.
#show heading.where(level: 3): it => block(
  inset: (x: 8pt, y: 5pt),
  radius: 100%,
  fill: red.darken(50%),
  text(font: "Roboto", fill: white, size: 1.15em, weight: "bold")[#it],
)
#let shieldnet_font = "IBM Plex Sans"
#let title = [NARO, INC. Cybersecurity Assessment Report]
#set page(
  "us-letter",
  margin: (x: 1in, top: 1in, bottom: 1in),
  // Running header on every page after the cover: a full-bleed gradient
  // band carrying the wordmark, the report title and the logo.
  header: context if here().page() > 1 {
    let logo_size = 45%
    align(
      center + horizon,
      box(
        width: page.width + 4em,
        height: 100%,
        fill: gradient.linear(..gradient_fill),
        [
          // NOTE(review): the commas after the two #text calls below sit in
          // markup mode, so they are rendered literally — confirm intended.
          #place(left + horizon, dx: +page.margin.length)[
            #text(
              size: 1.1em,
              fill: gold,
              font: shieldnet_font,
              weight: "black",
            )[SHIELDNET CYBERSECURITY],
            #text(size: 1.1em, fill: white)[#title],
          ]
          #place(
            right + horizon,
            dx: -page.margin.length,
            box(
              baseline: logo_size,
              image("./assets/shieldnet-logo-7.svg", height: logo_size, fit: "contain"),
            ),
          )
        ],
      ),
    )
  },
  // Running footer on every page after the cover. The printed page number
  // is `here().page() - 1`, i.e. the cover is not counted.
  footer: context if here().page() > 1 {
    text(size: 0.8em, fill: color.luma(35%))[
      #v(1.5em)
      ShieldNet Cybersecurity
      #h(1fr)
      #(here().page() - 1)
      #align(
        center + bottom,
        block(width: page.width, height: 20%, fill: gradient.linear(..gradient_fill)),
      )
    ]
  },
)
// COVER PAGE
// Page 1 gets the cover background (gradient, dot pattern, globe, colour
// bars, left accent); every later page gets a rotated "DRAFT" watermark.
#set page(background: context if here().page() == 1 {
  let shade = 30%
  // Full-page gradient with a repeating dot pattern laid over it.
  box(fill: gradient.linear(angle: 60deg, ..gradient_fill), width: 100%, height: 100%)
  place(
    top + center,
    rect(
      width: 100%,
      height: 100%,
      fill: pattern(
        size: (18pt, 18pt),
        place(dy: 3pt, dx: 1pt, circle(radius: 3.5pt, fill: blue.darken(65%))),
      ),
    ),
  )
  // Recolour the globe SVG's black fill before decoding it as an image.
  let globe_svg = read("./assets/globe-thick.svg").replace("#000000", blue.darken(40%).to-hex())
  place(
    bottom + right,
    dy: 70pt,
    dx: 120pt,
    rotate(-20deg, image.decode(globe_svg, height: 600pt)),
  )
  // Three stepped colour bars in the top-right corner, stacked bottom-to-top
  // (red at the bottom, blue at the top).
  let bar = (w, c) => rect(width: w, height: 30pt, fill: c.darken(shade))
  place(
    top + right,
    stack(dir: btt, bar(50pt, red), bar(75pt, gold), bar(100pt, blue)),
  )
  // Thin vertical accent along the left edge.
  place(horizon + left, rect(fill: blue.darken(shade), height: 100%, width: 8pt))
} else {
  rotate(45deg, text(size: 250pt, fill: white.darken(6%))[DRAFT])
})
// Cover-page foreground: logo and wordmark top-left, the report title
// centred across the page, and the "prepared for" line bottom-left.
#context {
  let logo_size = 36pt
  place(
    left + top,
    align(
      horizon,
      grid(
        columns: 2,
        column-gutter: 5pt,
        image("./assets/shieldnet-logo-7.svg", height: logo_size, fit: "contain"),
        text(
          size: 1.6em,
          font: shieldnet_font,
          fill: gold,
          weight: "black",
        )[SHIELDNET\ CYBERSECURITY],
      ),
    ),
  )
  place(
    center + horizon,
    box(
      width: page.width,
      text(font: "Roboto", size: 5em, fill: blue.lighten(75%), weight: "black")[#title],
    ),
  )
  place(
    left + bottom,
    dy: +8%,
    text(size: .75em, fill: white, style: "italic")[ShieldNet Cybersecurity _|_ Prepared for NARO, Inc.],
  )
}
#pagebreak()
// Paragraph spacing for the report body that follows the cover.
#set par(leading: 1em, spacing: 2.25em)
// Actual Content
= ABSTRACT
ShieldNet Cyber Security was contracted by NARO, Inc to conduct a cybersecurity audit on its organization. NARO, a small business that specializes in Electric Vehicle (EV) technology, is a non-profit conducting research and development on a small-footprint solar-based vehicle charger that could be installed in apartment complexes. Given the technical nature of the organization's activities, it is fitting that employing adequate cybersecurity measures will ensure the continued and sustained operation of their business, which is currently 35 employees strong. ShieldNet took on the task of evaluating the organization's cybersecurity to find their weaknesses, and provide fixes to maintain their security in the future.
ShieldNet was given an overview of operations by NARO to assist in understanding how and where they were likely to be exploited. This included information ranging from the physical office spaces to wireless infrastructure and a run-down of NARO's outsourced IT contractor. ShieldNet also provided NARO with an Audit Checklist to help gauge, at an objective level, where it lies in terms of cybersecurity practice. This helped ShieldNet understand where the organization was putting its effort into keeping their organization secure, and what may need consideration for the future.
Despite the efforts made by NARO to secure their organization, ShieldNet discovered various vulnerabilities that posed a threat to their information integrity. Some were physical, such as the physical offices potentially allowing unauthorized entry, while others were digital, such as the existence of unencrypted backups. The organization had made more than minimal efforts to ensure security; however, there are errors that need correction.
We recommend that NARO follow up this assessment with another audit as soon as six months following its conclusion, or as late as a year. ShieldNet stresses that while improvements to NARO's security handling can help in the short term, it is important for the long term that NARO maintains the process of evaluating its cybersecurity so it can stay ahead of threats to its organization. It is here we would like to thank NARO, Inc for its cooperation with our auditing practices, especially William Donaldson III, whose insight and dedication to the project allowed us to conduct our best work in uncovering critical flaws that needed immediate addressing.
= TABLE OF CONTENTS
#par(leading: .95em, outline(title: none, indent: 1.25em))
= INTRODUCTION
This section lays out the background, the reasons why NARO chose to undergo a cybersecurity assessment, the scope of the assessment, what was and wasn't evaluated during the assessment, and finally the organization of this report.
== Background
Cybersecurity threats have been expanding their targets to include energy infrastructure and energy research companies. As a result, the Department of Energy's (DOE) Office of Energy Efficiency and Renewable Energy (EERE) delivered a report to Congress in May of 2021 to improve cybersecurity among energy companies. Due to this, NARO, Inc. (NARO) contracted with ShieldNet to undertake a cybersecurity assessment in the wake of increasing scrutiny from the DOE's EERE surrounding NARO's solar energy technologies.
== Scope
*TO BE FILLED OUT WHEN OUR ACTIVITIES ARE BETTER UNDERSTOOD. SOME OF THIS MAY NEED TO BE MADE UP DUE TO THE LACK OF INFORMATION PROVIDED.*
== Report Organization
The remaining content within this report is organized as follows: Section 2 provides an overview of NARO's systems. Section 3 breaks down the methodologies employed by ShieldNet during our cybersecurity assessment, and Section 4 describes the ShieldNet audit team's activities during the cybersecurity assessment. The results of the assessment and the team's recommended mitigations can be found within Section 5. Section 6 presents the final conclusions of the ShieldNet team and additional proposed actions to be taken by NARO based upon this assessment.
= SYSTEM OVERVIEW
NARO provided ShieldNet with various documentation regarding its physical and digital infrastructure. This information laid the groundwork for the vulnerabilities ShieldNet investigated. It also provided useful information regarding what was already secure, and what was being done right. NARO's offices house its 35 employees, and its digital infrastructure consists of a few workstations, laptops, and a server room.
== Physical Office Spaces
NARO leases two separate office spaces, one for engineers and R&D, and another for administrative staff. The engineering building is its own building, however, the administrative office shares a floor with another organization, Geological Analysis and Surveying (GAS). NARO and GAS share many sections of the building, including custodial rooms, storage, a kitchen, and most notably, a server room. There are 20 staff members that work in the engineering department, and 15 staff members working in the administrative department, totaling 35 employees between the two buildings. The engineering building has basic security features, including proximity cards for access to the engineering office, PIN locks for entering the vehicle bays from the office, and padlocks preventing access to the vehicle bay from the overhead doors on the outside. There also exists a lab for testing equipment and a hazmat storage area, however, the organization of the building regarding these two rooms is not explicit.
The building the administrative team is occupying has a second floor, which is currently under renovation. The exterior building doors are left unlocked so construction crews can easily access the building while GAS and NARO are not present/working. The administrative office doors from the lobby are left unlocked during normal working hours, making their proximity card readers only necessary outside of working hours. The receptionist can also bypass the magnetic door locks with a button located at their desk. Leaving the office is as simple as walking to the exit, as the magnetic locks will automatically disengage.
== Workstations
NARO utilizes very few workstations compared to laptops. The only workstations present across the two buildings are located in the vehicle bay in the engineering building. NARO utilized workstations in this particular area to collect data on vehicle charging that is not capable of being captured by a laptop due to the lack of expansion card support. All devices outside of this (and presumably excepting the servers), are laptops.
== Laptops
NARO has many Windows laptops, each with Office 365, Nord VPN, and Zoom software installed. Additionally, many laptops have MATLAB, and employees have permissions to download other applications like TikTok, seemingly without needing approval. Laptops update automatically and use the pre-installed Windows Defender as their main antivirus and firewall and use BitLocker for data encryption. Laptops are not stored anywhere when not in use and can be taken home by employees or left on desks unattended. Laptops are monitored and interaction through the laptop is logged into a central logging system. Information can also be deleted remotely on all laptops through this monitoring system. A few older laptops are stored in a storage cabinet.
== Remote Access
Employees can connect to the NARO network with a VPN that is installed on every laptop, or access work emails through Office 365. The VPN requires a NARO username and password to access. According to NARO's checklist results, this VPN can also be accessed through personal devices (phones, home laptops, etc.). Their network drive is also accessible through OneDrive.
== Server Room
The server room is located in the NARO administrative building. Their physical server room is shared with GAS, however the networks are separate between NARO and GAS. Each desk, and subsequently each employee, seems to have access to a network KTM that allows direct access to the servers. Unfortunately, the server room seems to lack protections from leaks caused by other rooms in the building according to NARO, Inc. Additional Information. The server room also houses the on-site, physical backup devices.
== Servers
NARO has 17 servers split between two different brands, Dell and Supermicro. The Dell servers are used for the Windows Domain and run Windows Server 2019, while the Supermicro servers are for R&D data and run Ubuntu 18.04.6 LTS.
== Wireless
NARO utilizes both a NARO business network, where authentication is required and MAC address filtering is applied, and a NARO guest network where no authentication is required. The two networks are connected via directional antennas on both buildings.
== IT Support
IT support is outsourced to PITA, which has configured automatic updates on all necessary systems. A PITA consultant comes in every two months to update systems and software that require it, and will come in if there is a failure in anything. PITA has remote access to all systems configured via TeamViewer. So far, PITA has made 2 - 3 visits to NARO for required maintenance after a failure or critical issue occurred. Additionally, PITA seems to be responsible for keeping backups and checking logs for malicious activity.
= ASSESSMENT METHODOLOGY
ShieldNet's team utilized an assessment methodology based upon NISTIR-7621 known as ShieldNet's Small Organization Security Assurance (SOSA) Methodology. The SOSA Methodology was chosen due to NARO's categorization as a small business. SOSA is expanded upon in the following sections.
== The SOSA Methodology
SOSA was developed with the security challenges small businesses, non-profits, and other small entities face in mind. Small businesses often have security concerns already handled or otherwise remediated differently in larger companies and organizations. SOSA is designed to be flexible to the widely varying needs found within small organizations and was purposely designed to be broadly applicable to any small organization. The SOSA Methodology has five primary phases derived from NISTIR-7621, those being: Identify, Protect, Detect, Respond, and Recover. These phases are described in detail in the following sections.
=== Identify
The Identify phase of the SOSA Methodology develops an organizational understanding of how to manage cybersecurity risk to systems, assets, data, and capabilities. It gives an organization, in this case NARO, an understanding of their existing business security stance, their current resources, and builds an awareness of their cybersecurity risks. This enables an organization to prioritize its efforts to remediate, enhance, and reduce security risks related to their business needs. The Identify phase may result in recommendations to modify asset management processes, improved business environment awareness, enhancing governance of risk, and recommended improvements to an organization's risk management strategy.
=== Protect
The Protect phase of the SOSA Methodology drives the development of appropriate safeguards to be used within a given organization. This phase supports creating methods or implementing services that limit or contain the potential impact of a security event. Observations from this phase can include access control implementations, improvements to staff training, enhancing data security, implementing information protection procedures, implementation of security maintenance, and implementation of protective technologies.
=== Detect
The Detect phase is responsible for the identification of controls and activities that should be implemented to improve an organization's discovery and recognition of cybersecurity events. The goal is to enhance the timely discovery of cybersecurity events to enhance an organization's resilience in their risk management strategies. Recommendations can include improving the identification of anomalies and events, implementing continuous security monitoring, and detection process improvements.
=== Respond
The Respond phase assists in the development of appropriate actions to take in the face of a cybersecurity event. The Respond phase supports an organization's ability to reduce the impact of a potential cybersecurity event and improve critical service uptime. Recommendations coming from this phase may include response planning, communications enhancement, mitigating risk vectors, and general organizational security response improvements.
=== Recover
The Recover phase handles the restoration of assets and operations impacted by a cybersecurity incident. It supports the timely restoration of operations which reduces the felt effects of cybersecurity incidents. This may include recommendations surrounding recovery planning, recovery improvements, and recovery communication improvements.
= ASSESSMENT ACTIVITIES
NARO provided ShieldNet with various documentation of its work environment, both physical and digital, to assist in vulnerability discovery. ShieldNet also provided NARO with an Audit Checklist with the purpose of understanding its current minimum cybersecurity requirements. This directly influenced some of ShieldNet's investigative activities, the results of which will be explained in the following section.
== NARO Overview Review
NARO provided ShieldNet Cyber Security with various insights into its operational facilities and procedures. This included information regarding its offices, devices, servers, network infrastructure, and IT support. This information was necessary for us to understand where NARO was most vulnerable, and where attacks are most likely to occur from. A follow-up from William Donaldson III provided additional insight into NARO's wireless networking, as well as the backup procedures provided by an outsourced IT company, PITA.
== Audit Checklist
NARO was made to fill out an audit checklist to help us understand what cybersecurity procedures/policies the company already had in place. ShieldNet Cyber Security was able to make many conclusions from the results of this checklist, including what practices in place were sufficient, what could use improvement, and what requires immediate implementation.
== Email Phishing
Phishing emails are a common way for an attacker to gain access to sensitive information. Attackers typically pose as an organization or individual of importance, such as someone with immediate work or familial relation to the target, and attempt to make the target click on a malicious link or download a dangerous file. Phishing can be conducted in a variety of manners, however, our team focused on email phishing schemes targeting NARO staff. In an ideal scenario, email services would filter out attempts to phish for private information. Most significant email services have sufficient spam filtering, but no filter is perfect.
We conducted multiple phishing campaigns, targeting both engineering and administrative staff by posing as various individuals or companies. Many of the schemes involved mimicking threats of compromised account security, asking users to follow a link to reset their password that would have been designed to capture account credentials. Others involved sending attachments and seeing how many targets downloaded/opened them.
The goal of the phishing schemes was not to actively steal any employee account information or to install malicious software on NARO or user machines *(I AM PUTTING THIS HERE BECAUSE WE HAVE NOT DISCUSSED NARO RULES OF ENGAGEMENT, AND I DOUBT NARO WANTS SHIELDNET TO STEAL EMPLOYEE INFORMATION FOR THE SAKE OF EXAMPLE)*, but to instead understand the threat such schemes pose to employees and NARO as a whole.
= RESULTS AND RECOMMENDATIONS
The findings from Section 4's assessment activities are laid out below. This includes an evaluation of NARO's strengths, weaknesses, and general observations as discovered by ShieldNet. Strengths observed show what NARO is doing correctly, and should continue to do. Weaknesses reveal vulnerabilities NARO's current infrastructure holds, their severity, and how NARO can mitigate them. General observations don't fall into either category, but instead can be read as cautions that could offer improvement, without posing an immediate threat to cybersecurity.
== Weaknesses
*(Moderate) Exterior doors are left unlocked outside of NARO business hours*\
#box(inset: (
left: 2em,
))[#underline[Justification]: As outlined in the overview of NARO, the external doors to the building housing the administrative office are left unlocked because of the “off-hour” work nature of the construction crew renovating the second floor. While on its own this would not be a significant threat to the administrative office's security, the reception desk has a button which disables the magnetic locks to NARO's administrative office. Assuming the reception desk is not staffed outside of typical business hours, the unlocked doors and reception bypass button could be utilized by a bad actor to gain unauthorized access into NARO's administrative office. The engineering building is not exploitable in this manner, since all points of entry into that building require either a proximity card, PIN, or destructive means to enter.]
#box(inset: (
left: 2em,
))[#underline[Mitigations]: We recommend NARO implements a multi-factor means of opening doors to the administrative office. Requiring a proximity card of an authorized employee in addition to pressing the button would minimize the risk that anyone who can simply press the reception desk button would be able to enter the office. A PIN could also be used, however, NARO would need to ensure that the PIN could not be seen when being entered by the receptionist. In this situation, a proximity card is both convenient for the receptionist and minimizes the risk of the second factor becoming redundant if the PIN were to be leaked.]
*(Severe) NARO and GAS share server rooms*\
#box(inset: (
left: 2em,
))[#underline[Justification]: NARO and GAS sharing the first floor also means they share a server room. This is remarkably dangerous because individuals outside of the NARO organization can access the physical server modules NARO utilizes. This also means NARO's security of the server room is reliant on GAS's ability to keep the server room secure. If either of them falters, both of their servers are at risk. Perhaps most distressingly, NARO keeps hard drives with unencrypted backup data in the server room. Even if these are under lock and key, if anyone were to possess those drives, any and all data on them would be easily accessible.]
#box(inset: (
left: 2em,
))[#underline[Mitigations]: Unless NARO can move office spaces into an area where they can have an isolated server room, nothing can be done about the shared nature of the server room. Instead, NARO should act as though the server room is already compromised. This means including multiple means of protecting the physical servers from unauthorized access (such as physically locking the racks from being tampered with easily) and ensuring any and all devices stored in the server room are essentially impossible to be read by encrypting them. Ideally, backups should be stored off-site where no one but trusted NARO employees could access them.]
== Strengths
- The engineering building is, all-around, very secure from unauthorized access. An unorganized individual would have trouble getting anywhere by attacking it. A simple component of this security is that the locks to the vehicle bay's overhead doors are located on the interior of the vehicle bay. This prevents attackers from using simple destructive means to break the locks and gain access to the vehicle bay. An attacker would likely need to have insider knowledge of the overhead doors and their locks if they wanted to attack them.
== Observations
*No workstations are present in the administrative office*\
#box(inset: (
left: 2em,
))[#underline[Description]: Since the only devices used for work in the administrative office are laptops and the server room, there are no physical workstations that can be accessed in the administrative office. Despite this, laptops may still be left behind by employees on their desks.]
#box(inset: (
left: 2em,
))[#underline[Recommendations]: NARO should encourage employees to take their work devices home at the end of the work day, or provide the ability to lock them up either in their desk or somewhere else in the office to keep them from immediate contact. Even though the laptops are encrypted and password protected, they can still be stolen if left unattended.]
= CONCLUSION AND FOLLOW-UP ACTIVITIES
The cybersecurity assessment team ShieldNet covers the evaluation of NARO, Inc. and their cybersecurity practices. This assessment focuses on evaluating NARO's physical and digital security, especially concerning its shared facilities. The ShieldNet team utilized the Small Organization Security Assurance (SOSA) Methodology, which is based on NISTIR-7621 and tailored for small organizations. The findings included several vulnerabilities but also included NARO's best practices that help ensure its security.
The assessment identified various vulnerabilities in NARO's cybersecurity, specifically around shared facilities and device access controls. In particular, NARO shares a server room with Geological Analysis and Surveying (GAS), which compromises the security of NARO's servers and physical backups and exposes them to unauthorized access from non-NARO representatives, presenting a risk to the integrity of NARO's data. External doors to NARO's administrative office are left unlocked outside business hours, and NARO's dependence on laptops, which can be left unattended in unsecured areas, creates vulnerabilities. Although equipped with basic security software, laptops and data backups lack sufficient physical protections or encryption.
For follow-on activities, in order to strengthen security, NARO should take these recommended steps to ensure a matured system design:
+ Improving physical security is a priority, including moving to a dedicated server room or adding locked racks and restricted access in shared spaces.
+ Additional controls like multi-factor access for the administrative office would further reduce risks.
+ All data backups should be encrypted, ideally with off-site storage for added safety. For device security, NARO could provide lockable storage for laptops and restrict VPN access to NARO devices with multi-factor authentication. Regular cybersecurity training, such as phishing simulations, will help employees stay alert to potential threats.
+ Finally, regular security audits, vulnerability scans, and penetration tests will ensure NARO's defenses remain strong and up to date against evolving threats.