Case Study (Assignment)

MIT

Case study
A small pharmaceutical organization has employed an external contractor to maintain their network and systems. The organization has lack of technical expertise and had given all authority to the external contractor to implement and maintain their network. Due to the lack of technical expertise, no one from the organization has been overseeing the project. There are several human resource issues that have now come to light as well as some technical issues. The contractor has not installed the network as specified and has installed a complex solution in order to get employment after the contract ends through maintenance. The following are identified issues:

The current solution uses Windows 2000 as the base server to run terminal sessions for all machines i.e they must login to terminal services to use any application. All of the applications are installed on the server, and remote access to the terminal services is possible from the contractor site. The clients run Windows XP The main database server (Windows 2003) is running a large SQL database (1.3TB) of customer data. The servers are not purchased by the organization No licenses (for all software) can be found The network has been experiencing heavy usage on the weekend, but was not checked There is no documentation for any of the setup There is no firewall in existence apart from a very basic NAT at the Internet Gateway. There is no backup There is no basic security policies implemented (Eg. Password policy etc.) There is no documented list of accounts, rights or usernames The network performance is unacceptable and there are frequent outages There is no documented policy and all users are not aware of any security policies that they have to adhered to There is no content filtering All back-end servers are running with default configuration All systems were not patched since the contractor took over

1| Page

Case Study (Assignment)

MIT

The servers are located in a room where all users have physical access No proper logs were maintained

2| Page

Case Study (Assignment)

MIT

Deliverables
1. What are the risks/threats that this company faces? You are required to document a risk

assessment table. The risk assessment table should include identified assets, assets impact, vulnerability, vulnerability likelihood, risk-rating factor.

(10 marks)

2. What are the types of attacks that you foresee? a. Briefly explain each attack and their impact?

(5 marks)
3. What are your solutions (countermeasures) and justifications to this company? Your

solution should include the following areas: Linking business objectives with security Ethical issues in information security management Security training and education Defending against Internet-based attacks Personnel issues in Information security Physical security issues in Information security Other security related areas thats relevant to the case study

(20 marks)
4. What are other future recommendations that you would propose to this organization?

(5 marks)

3| Page

Case Study (Assignment)

MIT

You should provide 4 parts in a final report. For submission instructions, follow:

Submission Instructions
The report should be set out in the following manner:

Report should contain 2500-3500 words 11 point Times New Roman 1.5 line spaced Margins set to 2.5 cm Justification block justified Footer Should contain your JCU StudentID and Full Name (8 point type) and a Page Number The report should contain an index and have appropriate headings and sub headings The style of the report is a business report and as such it is expected that you present a professional report in both format and style

4| Page