crir -information risk assessment - final
TRANSCRIPT
8/9/2019 CRIR -Information Risk Assessment - Final
Information Technology Risk Assessment
Caitlyn Raymond International Registry
April 2012
© 2012 Grant Thornton LLP. All rights reserved.
Contents
Executive Summary
Environment Overview
Findings Overview
Detailed Findings
Appendix
Executive Summary
Grant Thornton, LLP was engaged by the Caitlin Raymond International Registry (“CRIR”) to perform an information technology risk assessment based on the ISO 27002 security standard. This assessment was conducted between February and April 2012 and was intended to provide CRIR with information about risks that could affect the availability of its technology and information systems or the confidentiality and integrity of the information contained within them. During this assessment Grant Thornton conducted:
Interviews with key stakeholders and technology staff
Detailed system and application configuration reviews
Network vulnerability scanning
Onsite hands-on system configuration reviews
Our assessment determined that CRIR has done a good job developing and maintaining the proprietary applications that support the organization’s business operations. However, we identified a number of issues within the underlying technology infrastructure that present a significant risk to the organization. These issues stem from recent staffing changes that have left the organization with inadequate internal resources to support the network or server infrastructure. Specifically, CRIR’s application development team is attempting to perform server and network administration, tasks for which they have neither the skillset nor the time to complete effectively.
As a result, CRIR’s technology infrastructure is aging and not well maintained. Some of the hardware, software and operating systems supporting critical applications are over ten years old and are no longer supported by the manufacturers. Servers and network devices have not been built with secure configurations and are susceptible to common vulnerabilities. Regular maintenance activities including patching, backups and vulnerability management are either not being performed or are being performed ineffectively.
To address these issues with the technology infrastructure, we suggest that Caitlyn Raymond take action immediately. First, the organization should look to hire a minimum of one, but ideally two, network / system administrators whose sole focus is to support the technology infrastructure. Next, the organization should plan a technology refresh, replacing unsupported hardware, software and operating systems with updated technology.
As an alternative to hiring new staff to support the technology infrastructure, Caitlyn Raymond could also look to outsource its data center and support functions to a third-party hosting and managed services provider. The organization could also look to merge these functions with UMass Memorial and allow the technology teams at the hospital to handle these critical tasks.
Project Scope and Approach
In the spring of 2012, Grant Thornton was contracted by the Caitlyn Raymond International Registry to conduct a risk assessment of its technology infrastructure and applications based on the ISO 27002 information security standard. The focus of the assessment was the infrastructure and core functionality of CRIR, with an emphasis on the ‘Intranet’ application and supporting technologies including web-based services, databases and communications technology, as these govern the majority of CRIR business functions including its Donor and Patient transactions.
ISO 27002 is an internationally recognized standard for information security that evaluates risks to the confidentiality, integrity and availability of information assets. The standard is comprised of a number of high-level sections, as described below:
Information risk management policies and procedures
Security organization
Asset classification and control
Personnel security
Physical and environmental security
Communication and operations management
Access control
Systems development and maintenance
Business continuity management
Compliance
Grant Thornton conducted its assessment of Caitlyn Raymond’s technology infrastructure through a combination of the following activities:
Conducting interviews with key functional and technical personnel
Performing hands-on system configuration reviews
Reviewing documentation provided by Caitlyn Raymond
Using automated tools to collect information on device configuration
Performing vulnerability scans using automated tools
Environment Overview
CRIR Overview
CRIR is a nonprofit organization affiliated with UMass Memorial Medical Center in Massachusetts. CRIR was originally established in 1986 as a unit within the Division of Hematology-Oncology of the Department of Pediatrics at the University of Massachusetts Medical Center, specifically as a coordinating center for conducting national and international searches for unrelated donors.
CRIR maintains Hub Status in Bone Marrow Donors Worldwide and the European Marrow Donor Information System, maintains an affiliation with the National Marrow Donor Program, and is a member registry of the World Marrow Donor Association (WMDA).
Today, the Caitlin Raymond International Registry accesses 89 bone marrow donor registries and cord blood banks worldwide and has performed a search for more than 64,000 patients. Since its inception, the Caitlin Raymond International Registry has remained a comprehensive resource for patients and physicians conducting a search for unrelated bone marrow or cord blood donors.
Information Technology Overview
Caitlyn Raymond’s information technology department has built a proprietary application that allows employees to administer patients and donors in an efficient and effective manner.
This system was originally developed in the 1980s using RBase. In the late 1990s, MS Access was introduced as a front-end and patient and donor data was moved into a MS SQL database. Recently, a web-based front-end has replaced Access as the primary application interface, providing a more flexible and secure framework.
This application, referred to internally as ‘The Intranet’, is a complex system with numerous modules and acts as an ERP (enterprise resource planning) system for the organization. The intranet supports both front-office operations, i.e. managing donor and patient registration and matching, as well as back-office functions such as the general ledger, AP / AR and an IT ticketing system. The full list of modules can be found below:
Collection of Stem Cells: Donor and patient receiving
Donor Testing Services: Test and register new Donors
Intranet: Administration of Modules
IS Module: IS Project / Inventory Devices / "Internal SharePoint"
Recruitment: Used for recruiting new donors
Report Tracker: Used to track documents from within the application
Sample Processing: Management of DNA samples from new donors
Ticketing System: IT or operations related tickets
Finance Modules: Finance
Users of “The Intranet” are only allowed to access particular modules based on their logon credentials. During our assessment, we walked through the user authentication process and evaluated the security controls in place to prevent unauthorized access. A high-level description of the authentication process can be found below:
At log in:
Validate the user’s credentials:
Checks if the user’s password has expired and needs to be changed
Checks if the user account is blocked due to failed login attempts:
  One failed login attempt: the account is blocked for 15 seconds
  Two failed login attempts: the account is blocked for 45 seconds
  Three failed login attempts: the account is blocked for 15 minutes and IT staff is notified via email
Creates a new session: both session start and session ID regeneration are used
Creates a hashed user agent and session string to be stored in the session data and in user cookies
The session data is stored in a database protected with a username and password
When an application page loads:
Checks session expiration
Sets the session’s time to 90 minutes
Verifies the user agent matches the session data and cookies
Prevents SQL injection by passing statements through a custom SQL layer before change commands are permitted
Checks if the IP address is within the defined range
User authentication is verified
User permissions for content are verified
Updates corresponding tables
At session close:
Session connections are terminated
Deletes the session cookie
Deletes the hashed session information from the database
User is returned to the login page
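The login, page-load and session-close steps above, reconstructed as working code. This is an added example written for this transcript, not CRIR’s Intranet code: the lockout schedule (15 seconds, 45 seconds, then 15 minutes with a notification to IT on the third failure) and the 90-minute sliding session are taken from the description; the allowed IP range, PBKDF2 password hashing, the HMAC-keyed user-agent fingerprint, the in-memory stores and the injectable clock are the author’s assumptions. One design consequence worth noting: because the lockout is keyed on the account name, three bad guesses by anyone lock the legitimate user out for 15 minutes, so the notification e-mail doubles as a signal of attempted abuse.

```python
"""Login throttling, session regeneration and session binding modelled on the
report's description of 'The Intranet'. Illustrative example, not CRIR's code."""
import hashlib
import hmac
import ipaddress
import os
import secrets
import time

# Values taken from the report: escalating lockouts and a 90-minute session.
LOCKOUT_SECONDS = {1: 15, 2: 45, 3: 15 * 60}   # 3 or more failures: 15 min + notify IT
SESSION_TTL_SECONDS = 90 * 60
# Assumed: the report says the client IP must be "within defined range" but gives none.
ALLOWED_RANGES = [ipaddress.ip_network("192.168.10.0/24")]
# Assumed: a server-side key so the user-agent fingerprint cannot be forged by a client.
FINGERPRINT_KEY = secrets.token_bytes(32)


def make_user(password: str, password_expires: float) -> dict:
    """Constructed user record. PBKDF2 is the author's choice, not CRIR's scheme."""
    salt = os.urandom(16)
    return {"salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000),
            "password_expires": password_expires}


class AuthService:
    def __init__(self, users: dict, clock=time.time, notify=None):
        self.users = users            # username -> record from make_user()
        self.failures = {}            # username -> (failed_count, locked_until)
        self.sessions = {}            # session_id -> {user, ua_hash, expires}
        self.clock = clock            # injectable so tests can move time
        self.notifications = []       # stands in for the e-mail to IT staff
        self.notify = notify or self.notifications.append

    def _fingerprint(self, session_id: str, user_agent: str) -> str:
        msg = f"{session_id}\x00{user_agent}".encode()
        return hmac.new(FINGERPRINT_KEY, msg, "sha256").hexdigest()

    def login(self, username: str, password: str, user_agent: str):
        now = self.clock()
        count, locked_until = self.failures.get(username, (0, 0.0))
        if now < locked_until:
            return None, "locked"       # password is not even checked while locked
        user = self.users.get(username)
        # Always run the hash so an unknown user takes as long as a wrong password.
        salt = user["salt"] if user else b"\x00" * 16
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if user is None or not hmac.compare_digest(candidate, user["hash"]):
            count += 1
            delay = LOCKOUT_SECONDS.get(count, LOCKOUT_SECONDS[3])
            self.failures[username] = (count, now + delay)
            if count >= 3:
                self.notify(f"{username}: locked 15 min after {count} failed logins")
            return None, "invalid"
        self.failures.pop(username, None)  # a good login clears the failure counter
        if now >= user["password_expires"]:
            return None, "password_expired"
        # A fresh random ID on every login (the report's session start + regenerate ID).
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = {
            "user": username,
            "ua_hash": self._fingerprint(session_id, user_agent),
            "expires": now + SESSION_TTL_SECONDS,
        }
        return session_id, "ok"

    def page_load(self, session_id: str, user_agent: str, client_ip: str):
        """Checks run on every application page before content permissions apply."""
        now = self.clock()
        sess = self.sessions.get(session_id)
        if sess is None:
            return False, "no_session"
        if now >= sess["expires"]:
            self.logout(session_id)
            return False, "expired"
        if not hmac.compare_digest(sess["ua_hash"], self._fingerprint(session_id, user_agent)):
            self.logout(session_id)   # cookie presented from a different client
            return False, "ua_mismatch"
        addr = ipaddress.ip_address(client_ip)
        if not any(addr in net for net in ALLOWED_RANGES):
            return False, "ip_denied"
        sess["expires"] = now + SESSION_TTL_SECONDS   # sliding 90-minute window
        return True, sess["user"]

    def logout(self, session_id: str) -> bool:
        """Session close: drop the server-side record; the cookie is cleared by the response."""
        return self.sessions.pop(session_id, None) is not None
```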
In our opinion, the controls that Caitlyn Raymond’s application development team has implemented to prevent users from accessing data without authorization are adequate. In general, CRIR has followed the best practice of using layered authentication and multiple techniques to mitigate misuse, and this has significantly reduced the risk of compromise of the “Intranet” application.
Network Diagram
To support this application, Caitlyn Raymond operates a single data center located within its office facility in Worcester, Mass. A network diagram can be found below:
As can be seen in the diagram above, Caitlyn Raymond’s network is a flat, layer-2 network. Users, servers and publicly accessible systems all reside on the same logical network and route by default to a Linksys edge / core firewall / router.
Caitlyn Raymond’s public website is not hosted out of the Worcester, Mass data center, but instead is hosted at Rackspace, a third-party hosting provider. Email services are also outsourced to a cloud-based provider.
Caitlyn Raymond’s VoIP phone system is provided and managed by the UMass Memorial Medical Center and utilizes a separate layer-2 switched network.
Server Inventory
The table below provides an inventory of servers supported by Caitlyn Raymond’s information technology team:
Host Name | Operating System | Warranty? | Purchase Date | Server Type | CPU | Memory | Disk | Function
Comedian | WinXP | Y | Aug-10 | HP Compaq dc5850 | AMD Phenom II X4 810 | 1.75GB | 220GB | EMDIS Application
Marvin | Suse Linux | N | Aug-05 | DELL PowerEdge 2800 | (2) 3.0 GHz / 2MB Cache | 2GB DDR2 | 36GB, 36GB, 73GB, 73GB, 73GB, 73GB SCSI | Not working - MySQL M Network Backup to USB
Minerva | WinXP | N | 2003 | DealDepot | Intel Celeron | 512MB | 40GB | Workstation for Rebe
Mycroft | Ubuntu Linux | N | Jun-08 | Vision | (2) AMD Athlon 64 X2 Dual Core Processor 4400 | 2GB DDR2 | 3x250GB | Dev Intranet and Dev M
Nagasaki | Ubuntu Linux | N | Jun-08 | Vision | (2) AMD Athlon 64 X2 Dual Core Processor 4400 | 2GB DDR2 | 3x250GB | Live MySQL, CUPS Pr Server, Network Backu USB HD
NAS | | N | Jul-09 | ReadyNAS | | | 2TB | Dual Gig RMNW Network Storage (G
Server1 | Win2K Server | N | Sep-02 | DELL PowerEdge 1500SC | (2) 1.4 GHz / 512 Cache | 512 MB SDRAM | (2) 18GB 10K RPM Ultra 160 SCSI | Network Print Server, DDHCP, Anti-virus Server, Active Directo Automated Tasks
Terminator | Ubuntu Linux | N | Apr-08 | Vision | (2) AMD Opteron 1212 | 2GB DDR2 | 3x250GB | Not running
Terminator2 | Ubuntu Linux | N | Apr-08 | Vision | (2) AMD Opteron 1212 | 2GB DDR2 | 3x250GB | Live Intranet
Findings Overview
Risk categories
Based upon our review of the overall control environment of the company, we have identified a number of findings. Each of these findings has been classified as high, medium or low risk based on the following definitions:
High – A high risk finding is assigned to vulnerabilities that have a high threat or impact potential and could allow unauthorized privileged access, grant the ability to alter systems in some way, or leave the organization vulnerable to losses of sensitive information and potential financial penalties in the event of a breach. It is recommended that these findings are corrected immediately.
Medium – A medium risk finding is assigned to vulnerabilities that pose a moderate level of risk to the organization and could allow a threat actor unprivileged access to systems. Medium risk findings generally represent systematic organizational problems that often lead to the introduction of new high risk technical findings if they are not corrected.
Low – A low risk finding is assigned to areas that do not meet the best practices put forth in the ISO standard but at the same time pose little to no immediate risk to the environment. If low risk findings are not corrected, they often lead to the introduction of new medium and high risk technical and administrative findings.
Summary of Findings
Grant Thornton identified numerous issues within the Caitlyn Raymond technology infrastructure. A summary can be found in the tables below:
Policy, Process and Organizational Issues | Risk
1 | No information security policy | Med
2 | Information security responsibilities not defined | Low
3 | Information security processes, standards, and guidelines not established | Med
Technical Issues | Risk
4 | Use of out-of-warranty, out-of-date or unsupported hardware | High
5 | Use of consumer based products in an enterprise environment | High
6 | No patch or vulnerability management for operating systems or applications | High
7 | No server configuration standards / system hardening | High
8 | Use of unnecessary or undocumented services and applications | Med
9 | Use of “administrator” / “root” account to manage systems | High
10 | Remote access to Linux systems with “root” account is enabled | High
11 | Use of weak or default passwords | High
12 | IT administrators unable to access network devices | Low
13 | Broken processes for identity and authentication management | Med
14 | No system-state backups being taken | High
15 | Backup tapes stored in IT administrators’ homes | High
16 | No disaster recovery plan / business continuity management | Med
17 | UPS devices not properly configured / maintained | Low
18 | Network diagram does not exist | Med
19 | Insecure wireless networking configuration | High
20 | No centralized logging / monitoring system | Med
21 | No network segmentation | Med
22 | Changes to Windows systems are made directly in production | Low
23 | No change control process | Med
24 | Insecure administrative access to 3rd party hosted web application server | High
25 | Use of insecure protocols for data transfer / system management | Med
26 | Desktop operating systems used to support server functions | Med
27 | Access to financial system controlled by Access Database front-end | Med
28 | Sensitive data not encrypted | Med
People Issues | Risk
29 | IT personnel lack server and network administration skills | High
30 | Understaffed | High
Risk vs. Mitigation Effort
In the chart below we have mapped each of the findings in a three by three matrix based on risk and mitigation effort. We recommend that Caitlyn Raymond address the high-risk findings with a low mitigation effort first. These findings are located in the upper-left hand corner of the chart.
From there, we suggest working through the findings starting in the upper-left corner and working down to the lower-right.
[Chart: Risk (rows: High, Medium, Low) against Mitigation Effort (columns: Low, Medium, High). The findings in each row are listed in the chart’s left-to-right order, from low to high mitigation effort.]
High risk: Use of “administrator” or “root” account to manage systems; Remote access to Linux systems with “root” account is enabled; Use of weak / default passwords; No system state backups are taken; Backup tapes stored in IT administrators’ homes; Insecure wireless configuration; Insecure administrative access to 3rd party hosted web applications; Use of consumer based products in an enterprise environment; No patch or vulnerability management for operating systems or applications; No server configuration standards / system hardening; Use of out-of-warranty or unsupported hardware, software and operating systems; IT personnel lack server and network administration skills; Understaffed
Medium risk: Broken process for identity and authentication management; Network diagram does not exist; No change control process; Use of insecure protocols for data transfer / system management; Sensitive data not encrypted; No information security policy; Information security processes, standards and guidelines not established; Desktop operating systems used to support server functions; Use of unnecessary or undocumented services and applications; No network segmentation; No disaster recovery plan / business continuity management; No centralized logging / monitoring system; Access to financial system controlled by Access Database front-end
Low risk: IT administrators unable to access network devices; UPS devices not properly configured / maintained; Changes to Windows systems are made directly in production; Information security responsibilities not defined
Detailed Findings
The detailed findings below describe each finding in turn. The intention is to call out the underlying cause of each vulnerability in the CRIR environment and to present remediation options along with the estimated cost and manpower associated with remediation.
Policy, Process and Organizational Issues
1. No Information Security Policy (Medium)
Description: Caitlyn Raymond does not have an information security policy that describes:
Its approach to addressing information security issues
Organizational roles and responsibilities as they relate to information security
Acceptable use of information technology systems and assets
Other
Risk Analysis: Policies are the cornerstone of information security and compliance in any organization. Without an information security policy, an organization does not have a basis for identifying, assessing and managing risks.
Remediation Cost/Effort: Medium
Recommendations: CRIR can look to leverage the information security policies that have already been developed for the UMass Memorial Medical Center to build a security policy of its own and distribute it to all employees.
Ongoing Effort: The security policy will need to be reviewed on an annual basis to ensure it remains applicable to new technologies and emerging threats.
2. Information Security Responsibilities not Defined (Low)
Description: Caitlyn Raymond does not define information security roles and responsibilities for all members of the organization. Typically, these roles and responsibilities are defined in an information security policy as described in Finding #1 above.
Risk Analysis: Without clearly defined roles and responsibilities for information security within the CRIR environment, several critical security and administration tasks are not taking place.
Remediation Cost/Effort: Medium
Recommendations: CRIR needs to define information security roles and responsibilities for all employees.
Ongoing Effort: Information security roles should be periodically reviewed and updated to ensure they remain consistent with changes in organizational technology as well as new and emerging threats.
3. Information security processes, standards, and guidelines not established (Medium)
Description: Caitlyn Raymond has not defined operational procedures, to be executed by information technology, that support information security. Examples of policies and procedures that should be developed include:
Acceptable Use Policy
Backup and Restoration Procedures
Patch Management Procedures
Vulnerability Management Procedures
Identity and Authentication Management Procedures
Password Policy and Reset Procedures
Incident Response Policy
Others
Risk Analysis: Without defined processes, standards and guidelines, the administration of servers and the network is conducted in a way in which security and risk within the environment cannot be measured or controlled by CRIR staff.
Remediation Cost/Effort: Medium
Recommendations: Security processes, standards and guidelines should be documented in the site’s policies and procedures, and staff should be made aware of their responsibilities. All areas of administration should be documented, for example patch management, server updates, and creating and deleting users. It is very likely that UHMV already has this done; CRIR should use it as a template for their own environment.
Ongoing Effort: This should be reviewed any time updates are made to the site’s security policy.
Technical Issues
4. Use of out-of-warranty, out-of-date or unsupported hardware and software (High)
Description: Caitlyn Raymond is utilizing hardware, software and operating systems that are no longer supported by the manufacturers. This includes numerous out-of-warranty servers and network devices as well as the use of the Windows 2000 / Ubuntu 8.1 operating systems.
Risk Analysis: Using out-of-date hardware not only affects system performance, but also leaves the organization susceptible to a sustained outage in the event that a system component fails and replacement parts are not readily available.
Using out-of-support operating systems leaves the organization susceptible to newly discovered vulnerabilities which are no longer patched by the vendor.
Remediation Cost/Effort: High
Recommendations: CRIR should develop a plan to replace the hardware, software and operating systems that are no longer under warranty or are no longer supported by their vendors.
Ongoing Effort: In addition, we recommend that CRIR build a formalized process for system lifecycle management that plans for regular hardware, software and operating system upgrades to ensure that they do not fall out of support in the future.
5. Use of consumer based products in an enterprise environment (High)
Description: CRIR has deployed a consumer grade Linksys device as its core router / edge firewall. This class of device is intended for home use and is not robust enough for a corporate environment.
Risk Analysis: Consumer grade networking equipment does not have the granular security features needed for a corporate environment.
Remediation Cost/Effort: Medium
Recommendations: Replace network equipment with business class devices.
Ongoing Effort: Once replaced, CRIR should make sure only business class devices are used moving forward.
6. No patch or vulnerability management for operating systems or applications (High)
Description: Patches and updates are not being applied to servers, workstations and other devices.
Risk Analysis: By not applying patches, Caitlyn Raymond is leaving itself vulnerable to exploits from internal and external sources that could result in a breach of sensitive patient or donor data or in system unavailability.
Remediation Cost/Effort: Medium
Recommendations: Develop a formal patch and vulnerability management plan, defining when and how patches will be tested and deployed.
Ongoing Effort: The patch management and vulnerability management program should be periodically reviewed to make sure it is functioning correctly.
7. No server configuration standards / system hardening (High)
Description: CRIR has not developed system configuration standards for servers or network devices that harden them against the most common information security vulnerabilities.
Risk Analysis: Servers that are installed “out of the box” without going through a formal hardening procedure could enter the network missing critical software or firmware patches, or even anti-virus definitions, increasing the threat to the network.
Remediation Cost/Effort: Medium
Recommendations: Create a checklist of security requirements that needs to be followed and use it when setting up any new equipment.
Ongoing Effort: Hardening procedures should be periodically evaluated to ensure they are current and best fit the organization.
8. Use of unnecessary or undocumented services and applications (Medium)
Description: Servers and network devices on the Caitlyn Raymond network have numerous services enabled and configured that are not being utilized, including FTP, telnet, HTTP and many others.
Risk Analysis: Services are access points to the network; when no longer required they are often left unmonitored and vulnerable, creating a larger attack surface for compromise. Services not in use also take up valuable system resources.
As an example, we included the output of open services for the domain controller, which had a large number of services in use including ‘Gopher’ and ‘POP2’, which have not been required services for several years.
Remediation Cost/Effort: Medium
Recommendations: Disable unnecessary services and, if possible, determine why each service was enabled to begin with.
Ongoing Effort: Periodic review of open services should be conducted.
9. Use of “administrator” / “root” account to manage systems (High)
Description: Caitlyn Raymond uses the root and / or administrator account to manage systems instead of using unique usernames attributable to each individual.
Risk Analysis: Administrator and root accounts are generic accounts that are not traceable back to an individual system administrator and often grant much higher levels of access than needed for basic administration.
Remediation Cost/Effort: Low
Recommendations: Admins should have personal accounts set up to log in and do basic administrative tasks. The password to the root and / or administrator accounts should be long and complex, and those accounts should only be used in the event of a disaster / emergency.
Ongoing Effort: Once in place, no follow-on effort should be required.
10. Remote access to Linux systems with “root” account is enabled (High)
Description: Linux systems at Caitlyn Raymond are configured to allow remote access using the “root” account. This configuration enables an attacker who obtains the root password to gain full control of the system remotely.
Risk Analysis: The root account should be restricted to prevent system compromise and damage to the system. The root account has access to modify all aspects of the operating system, so any mistakes made while using it will modify the system.
Remediation Cost/Effort: Low
Recommendations: Authorized users should use sudo to run operations that require root-level privileges. Use of sudo provides accountability for changes to the system. Since the user has to request elevated privileges explicitly for each operation they wish to perform, the chance of mistaken modifications is greatly reduced.
Ongoing Effort: Once in place, CRIR should ensure sudo is used for all remote administration.
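Findings 7, 8 and 10 together amount to a hardening checklist that can be checked mechanically. The script below is an added example written for this transcript, not part of the report and not a tool CRIR used: it parses an sshd_config for the settings finding 10 calls for (no remote root login, SSH protocol 2 only, no empty passwords) and compares a netstat -tlnp listing against a per-role port allowlist (finding 8). The sshd_config and netstat output are constructed samples in the style of a 2008-era Ubuntu host; the baseline values, the web-server allowlist and the defaults assumed for absent keywords (OpenSSH releases before 7.0 permitted root login unless told otherwise) are the author’s assumptions.

```python
"""Hardening checks for an Ubuntu-era host: sshd_config baseline and listening services.
Added example; sample inputs are constructed, not captured from CRIR systems."""
import re

# Constructed sshd_config resembling a stock 2008-era Ubuntu file.
SAMPLE_SSHD_CONFIG = """\
# Package generated configuration file
Port 22
Protocol 2,1
PermitRootLogin yes
#PermitEmptyPasswords no
X11Forwarding yes
"""

# Constructed `netstat -tlnp` output for an intranet web server.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      1023/vsftpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1140/sshd
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      1158/inetd
tcp        0      0 0.0.0.0:70              0.0.0.0:*               LISTEN      1158/inetd
tcp        0      0 0.0.0.0:109             0.0.0.0:*               LISTEN      1158/inetd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1301/mysqld
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1402/apache2
"""

# Author's baseline: keyword -> (required value, value assumed when the keyword is absent).
# Assumed defaults follow OpenSSH before 7.0, which permitted root login unless configured.
SSHD_BASELINE = {
    "permitrootlogin": ("no", "yes"),        # finding 10: no remote root login
    "protocol": ("2", "2,1"),                # SSH-1 is broken; treat an absent line as failing
    "permitemptypasswords": ("no", "no"),
}

# Assumed per-role allowlist for a web server: SSH for administration, HTTP(S) for users.
WEB_SERVER_ALLOWED_PORTS = {22, 80, 443}

NETSTAT_LINE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\s+(\S+)\s*$")


def parse_sshd_config(text):
    """Return {keyword.lower(): value}. sshd honours the first occurrence of a keyword,
    ignores comments and accepts either 'Keyword value' or 'Keyword=value'."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit_sshd(text):
    """List (keyword, actual, required) for every baseline setting that is not met."""
    settings = parse_sshd_config(text)
    issues = []
    for key, (required, default) in SSHD_BASELINE.items():
        actual = settings.get(key, default)
        if actual.lower() != required:
            issues.append((key, actual, required))
    return issues


def parse_listening(text):
    """Parse `netstat -tlnp` output into (address, port, program) tuples."""
    out = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            out.append((m.group(2), int(m.group(3)), m.group(4)))
    return out


def audit_services(text, allowed_ports):
    """List (port, program) for network-reachable listeners outside the role allowlist."""
    issues = []
    for addr, port, program in parse_listening(text):
        if addr in ("127.0.0.1", "::1"):
            continue                     # loopback only: not reachable from the LAN
        if port not in allowed_ports:
            issues.append((port, program))
    return issues


if __name__ == "__main__":
    for key, actual, required in audit_sshd(SAMPLE_SSHD_CONFIG):
        print(f"sshd_config: {key} is '{actual}', required '{required}'")
    for port, program in audit_services(SAMPLE_NETSTAT, WEB_SERVER_ALLOWED_PORTS):
        print(f"unexpected listener: tcp/{port} ({program})")
```

On the sample input the sshd check reports PermitRootLogin and Protocol, and the service check reports FTP, telnet, Gopher and POP2 while leaving MySQL alone because it is bound to loopback; the allowlist is what turns “many services are open” into a list an administrator can act on host by host.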
11. Use of weak or default passwords (High)
Description: Many systems on the Caitlyn Raymond network have been configured with weak or default administrative passwords.
Risk Analysis: Weak and default passwords are easily compromised by malicious users, granting them unauthorized access to systems and network resources.
Remediation Cost/Effort: Low
Recommendations: CRIR should change all default passwords and require that all accounts, including service accounts, use strong passwords of at least 8 characters with a mix of upper case, lower case, numeric and special characters.
Ongoing Effort: Once in place, CRIR should continue to enforce the password requirements.
12. IT administrators unable to access network devices (Low)
Description: IT administrators at Caitlyn Raymond have no understanding of how to access switches and other network devices. Not only were the management IP addresses unknown, but usernames, passwords and console access were unavailable as well.
Risk Analysis: With no level of access for the current staff, the devices are completely unmanaged and are not being administered in any way.
Remediation Cost/Effort: Low
Recommendations: Network staff should have full access and control over all network devices. The staff should console into each device, view the configuration, note management IP addresses and set up user-level access as appropriate.
Ongoing Effort: Moving forward, when anything is added to the network, staff should have appropriate access levels.
13. Broken processes for identity and authentication management (Medium)
Description: Formalized processes for adding and removing system accounts have not been developed. In some instances, system administrators no longer with the company have accounts enabled.
Risk Analysis: Without strong identity and authentication management processes in place, an organization leaves itself susceptible to a compromise of information by a former employee.
Remediation Cost/Effort: Low
Recommendations: Remove or archive accounts for users that are no longer needed, and make sure all files and data that are saved have proper permissions set.
Ongoing Effort: Periodic review should be conducted to prevent this from building up in the future. This should be defined in processes and procedures.
would experience an extended outage.
Remediation Cost/Effort: High
Recommendations: CRIR should work with UHMV to determine if there is an existing location that CRIR could restore their servers and critical data to, and that staff could work from, until the primary site was available again.
Ongoing Effort: Once developed, the plan should be reviewed by IT and executive management at least yearly to ensure it covers all CRIR recovery needs.
17. UPS devices not properly configured / maintained (Low)
Description: The UPS devices in the Caitlyn Raymond data center are not configured properly and have not had regular annual maintenance done since their implementation.
Risk Analysis: Improper configuration / maintenance could cause UPS units to fail at the time of an incident. There is currently no generator backup for the CRIR environment.
Remediation Cost/Effort: Medium
Recommendations: Work to properly configure the UPS systems to fail over to generator power, or to gracefully shut down the network once battery power has dropped. If it is determined that outages due to power must be prevented, CRIR should work to have the network placed on a generator backup system.
Ongoing Effort: Power management will need to be re-evaluated whenever network changes occur.
18. Detailed documentation of the network and communications links does not exist (Medium)
Description: Caitlyn Raymond does not have a network diagram or documentation of network device configuration.
Risk Analysis: Without documentation of the network and the communication links, it would be very difficult for CRIR to troubleshoot any communication / networking issues.
Remediation Cost/Effort: Low
Recommendations: Grant Thornton has provided a detailed Visio diagram as part of this assessment.
Ongoing Effort: The Visio diagram should be updated any time a change takes place.
19. Insecure wireless networking configuration High
Description Caitlyn Raymond has a wireless access point on its network but has not applied basic system security parameters that would prevent unauthorized access.
Note: This device is currently unused by CRIR personnel.
Risk Analysis The wireless implementation was a commercial (consumer-grade) wireless router using WPA with a pre-shared key for authentication. A WPA pre-shared key can be recovered with readily available free utilities: an attacker captures a single client's four-way handshake and runs an offline dictionary attack against it, so the strength of the passphrase is the only defense. Recovery of the key would allow unauthorized access to the internal network.
Remediation Cost/Effort Low
Recommendations It was determined that wireless was no longer needed by the staff at CRIR and the device was powered off. If the device is not required it should be permanently removed from the network.
Ongoing Effort If it is determined in the future that wireless is needed, a business-class device that uses more robust security (for example WPA2-Enterprise with 802.1X authentication, which removes the shared passphrase entirely) should be purchased and used.
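The reason the finding above can say WPA is "easily cracked" is that the pre-shared key is recovered offline from one captured handshake, so the cost of the attack is set entirely by the passphrase. The script below is an added example written for this edit, not code from the report or from Grant Thornton. It performs the computation the standard specifies and that tools such as aircrack-ng implement: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations), PTK = PRF-512 over the two MAC addresses and two nonces, and a MIC over the EAPOL-Key frame (HMAC-MD5 for WPA/TKIP, truncated HMAC-SHA1 for WPA2/CCMP). The SSID "CRIR-Wireless", the MAC addresses, nonces, EAPOL frame bytes and the wordlist are all constructed for the demonstration; nothing was captured from the CRIR network.

```python
"""Added example: offline dictionary attack against a WPA/WPA2 pre-shared key.

Standard-library only. All handshake material below is CONSTRUCTED (synthetic SSID,
MAC addresses, nonces and a stand-in EAPOL-Key frame); nothing came from CRIR."""
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    This is the only step that depends on the passphrase, so every guess costs 4096 HMACs."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_kck(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min(MACs)||max(MACs)||min(nonces)||max(nonces)).
    The first 16 bytes are the Key Confirmation Key that MICs the handshake frames."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 64)[:16]


def eapol_mic(kck: bytes, eapol_frame: bytes, descriptor_version: int) -> bytes:
    """MIC over the EAPOL-Key frame (MIC field zeroed): HMAC-MD5 for WPA/TKIP (descriptor
    version 1), HMAC-SHA1 truncated to 16 bytes for WPA2/CCMP (version 2)."""
    if descriptor_version == 1:
        return hmac.new(kck, eapol_frame, hashlib.md5).digest()
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def crack_psk(handshake: dict, wordlist) -> "str | None":
    """Recompute the MIC for each candidate passphrase; a match recovers the network key."""
    for candidate in wordlist:
        pmk = derive_pmk(candidate, handshake["ssid"])
        kck = derive_kck(pmk, handshake["ap_mac"], handshake["sta_mac"],
                         handshake["anonce"], handshake["snonce"])
        if hmac.compare_digest(eapol_mic(kck, handshake["eapol"], handshake["version"]),
                               handshake["mic"]):
            return candidate
    return None


# Constructed handshake material (assumptions for this example, not real CRIR devices).
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = hashlib.sha256(b"constructed anonce").digest()
SNONCE = hashlib.sha256(b"constructed snonce").digest()
# Stand-in for the bytes of handshake message 2 with its MIC field already zeroed.
EAPOL_MSG2 = bytes.fromhex("010300750201090020") + bytes(8) + SNONCE + bytes(64)


def make_synthetic_handshake(passphrase: str, ssid: str = "CRIR-Wireless", version: int = 1) -> dict:
    """What an attacker holds after sniffing one handshake on a network keyed with `passphrase`."""
    kck = derive_kck(derive_pmk(passphrase, ssid), AP_MAC, STA_MAC, ANONCE, SNONCE)
    return {"ssid": ssid, "ap_mac": AP_MAC, "sta_mac": STA_MAC, "anonce": ANONCE,
            "snonce": SNONCE, "eapol": EAPOL_MSG2, "version": version,
            "mic": eapol_mic(kck, EAPOL_MSG2, version)}


# Constructed wordlist; a real one holds millions of entries.
WORDLIST = ["password", "letmein", "crir2012", "summer2012", "Welcome1"]

if __name__ == "__main__":
    print("weak key recovered:", crack_psk(make_synthetic_handshake("summer2012"), WORDLIST))
    print("random key recovered:", crack_psk(make_synthetic_handshake("r8K#vQ2m!pL9zX4w&Tn6bY1eHs3"), WORDLIST))
```

Nothing in the exchange is secret except the passphrase: MAC addresses, nonces and the EAPOL frame are all broadcast in the clear, and the attacker never needs to touch the access point after capturing them. A passphrase present in any wordlist is recovered in seconds on commodity hardware; a long random one is not, which is why consumer WPA-PSK devices depend entirely on how the key was chosen.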
20. No centralized logging / monitoring system Medium
Description Caitlyn Raymond has not deployed a centralized system for collecting system access or event logs.
Further, no process for reviewing system access or event logs stored locally on individual servers or network devices has been put in place.
Risk Analysis Without centralized event logging and monitoring, IT administrators will not be able to detect malicious activity on the CRIR network or easily determine the root cause of system and network issues. Logs that exist only on the affected host can also be altered or deleted by an attacker who compromises that host.
Remediation Cost/Effort High
Recommendations Deploy a centralized logging and monitoring system that will alert IT administrators when key events occur and provide access reports to management on a regular basis.
Alternatively, Caitlyn Raymond could leverage any logging and monitoring system already deployed by the UMass Memorial Medical Center or turn to a 3rd party service to provide this functionality.
Ongoing Effort Monitoring and logging will need to be periodically evaluated and updated to ensure they best meet the organization's needs.
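The value of central collection is that events from different hosts can be correlated. The script below is an added example written for this edit, not code from the report or from Grant Thornton. It normalizes failed-logon records from two sources, Linux sshd syslog lines and Windows Security event 4625 flattened to key=value form by an assumed collector, and raises an alert when one source address accumulates five failures within sixty seconds across any hosts. The host names, addresses and log lines are constructed for the demonstration.

```python
"""Added example: detection logic a centralized log collector makes possible.

All log lines are CONSTRUCTED for this example; host names and addresses are made up."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Linux: "<ts> <host> sshd[pid]: Failed password for [invalid user] <user> from <ip> ..."
LINUX_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
# Windows failed logon (event 4625), assumed flattened to key=value by the collector
WINDOWS_RE = re.compile(
    r"^(?P<ts>\S+) .*EventID=4625 .*TargetUserName=(?P<user>\S+) .*IpAddress=(?P<ip>\S+)")

SAMPLE_LOG = [  # constructed
    "2012-03-14T02:15:01 crir-db1 sshd[2210]: Failed password for root from 10.10.5.23 port 41022 ssh2",
    "2012-03-14T02:15:04 crir-db1 sshd[2210]: Failed password for invalid user admin from 10.10.5.23 port 41023 ssh2",
    "2012-03-14T02:15:09 crir-fs1 Security EventID=4625 TargetUserName=Administrator IpAddress=10.10.5.23 LogonType=3",
    "2012-03-14T02:15:12 crir-fs1 Security EventID=4625 TargetUserName=backup IpAddress=10.10.5.23 LogonType=3",
    "2012-03-14T02:15:20 crir-db1 sshd[2211]: Accepted password for jsmith from 10.10.5.40 port 50122 ssh2",
    "2012-03-14T02:15:31 crir-db1 sshd[2212]: Failed password for root from 10.10.5.23 port 41030 ssh2",
    "2012-03-14T02:15:45 crir-db1 sshd[2213]: Failed password for root from 10.10.5.23 port 41031 ssh2",
    "2012-03-14T02:18:00 crir-fs1 Security EventID=4625 TargetUserName=jsmith IpAddress=10.10.5.40 LogonType=2",
    "2012-03-14T02:25:00 crir-fs1 Security EventID=4625 TargetUserName=jsmith IpAddress=10.10.5.40 LogonType=2",
]


def parse_failed_logon(line: str):
    """Normalize a failed-logon line from either source into one event dict; None for anything else."""
    for pattern, source in ((LINUX_RE, "linux"), (WINDOWS_RE, "windows")):
        m = pattern.match(line)
        if m:
            return {"ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
                    "ip": m["ip"], "source": source}
    return None


def detect_bruteforce(lines, threshold: int = 5, window_seconds: int = 60) -> list:
    """Alert once per source IP when >= threshold failures fall inside a sliding window.
    In the sample, crir-db1 alone sees four attempts and crir-fs1 two, so neither local
    log crosses the threshold; only the combined stream does."""
    events = sorted((e for e in map(parse_failed_logon, lines) if e), key=lambda e: e["ts"])
    recent = defaultdict(deque)
    alerted, alerts = set(), []
    for e in events:
        window = recent[e["ip"]]
        window.append(e)
        while (e["ts"] - window[0]["ts"]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and e["ip"] not in alerted:
            alerted.add(e["ip"])
            alerts.append({"ip": e["ip"], "count": len(window),
                           "users": sorted({x["user"] for x in window}),
                           "hosts": sorted({x["source"] for x in window}),
                           "first": window[0]["ts"].isoformat(), "last": e["ts"].isoformat()})
    return alerts


def failures_by_source(lines) -> dict:
    """Per-source failure totals: raw material for the periodic access report the finding asks for."""
    counts = defaultdict(int)
    for e in filter(None, map(parse_failed_logon, lines)):
        counts[e["ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print("ALERT", alert)
    print(failures_by_source(SAMPLE_LOG))
```

The two users failing against two different hosts from one address is the pattern a single server's event log cannot show. Thresholds and windows are tuning choices; the same structure serves for account lockouts, privilege changes and service restarts once those events are also collected centrally.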
21. No network segmentation Medium
Description Caitlyn Raymond has deployed a flat, layer two network without VLANs. Regular users have not been placed in a different segment than IT administrators, servers or publicly accessible systems.
Risk Analysis Without network level segmentation, IT administrators cannot control which systems users on the internal network have access to. Effectively, all users have the ability to reach all CRIR systems using any available service, so a single compromised workstation can reach every server directly.
Remediation Cost/Effort Medium
Recommendations Implement multiple VLANs to separate traffic. At a minimum, a donor, patient, server, IT and DMZ VLAN should be deployed along with the associated access control lists.
Ongoing Effort Network segmentation will need to be evaluated any time an organizational or network change takes place.
22. Changes to Windows systems are made directly in production Medium
Description Caitlyn Raymond updates its Microsoft Windows environment without first testing changes in a development environment.
Risk Analysis Updating systems in production prior to testing could cause system instability or failure. If a mistake is made or a patch does not install correctly it will directly affect the production network.
Remediation Cost/Effort Low
Recommendations Test all changes to the production systems in a lab environment before applying them. Use of VMware or other virtualization technologies can simplify this effort.
Ongoing Effort Once a test environment is in place, CRIR should ensure that testing prior to deployment to the production network is done going forward.
23. No change control process Medium
Description A formal change control process is not in place for servers, operating systems, network devices or applications.
Risk Analysis Network systems need periodic updates and configuration changes for proper operation. Without an appropriate process governing how and when system and network changes can take place, changes that are needed could be missed, or changes that are implemented incorrectly could damage the network.
Remediation Cost/Effort Low
Recommendations Develop a change control program describing how and when changes can take place on the network, including documentation for approval and back-out procedures in case a change needs to be undone.
Ongoing Effort Change control should be periodically reviewed and modified to best fit CRIR operations.
24. Insecure administrative access to 3rd party hosted web application server High
Description Caitlyn Raymond has not set up secure access to applications hosted with 3rd parties, including its email system and public web site.
Risk Analysis Insecure communication protocols used for remote administration can be intercepted by an attacker. Use of any clear-text or unencrypted protocol over the internet exposes administrative credentials and session content in transit and provides an open attack vector for compromise.
Remediation Cost/Effort Low
Recommendations Administrators should use a secure protocol, such as SSH (or SFTP for file transfer and HTTPS for web-based consoles), for remote administration of hosted systems.
Ongoing Effort CRIR should periodically review the communication protocols in use and make certain they are providing appropriate security.
25. Use of insecure protocols for data transfer / system management Medium
Description Caitlyn Raymond uses telnet, FTP, HTTP and other unencrypted protocols to manage server and network resources.
Risk Analysis Clear-text management protocols such as Telnet, FTP and HTTP are in use throughout the CRIR network, and where encryption is used it relies on weak protocols such as older versions of SSL. Clear-text traffic, including administrative credentials, can be intercepted and monitored by anyone with access to the network path, and obsolete SSL versions have known weaknesses that undermine the protection they appear to provide.
Remediation Cost/Effort Low
Recommendations Insecure management protocols should be disabled. Only encrypted communication protocols (for example SSH in place of Telnet, SFTP or SCP in place of FTP, and HTTPS with current TLS versions in place of HTTP) should be used to manage servers and network devices.
Ongoing Effort CRIR should periodically review what is being used for network traffic encryption and communications and make sure it is both up to date and secure.
26. Desktop operating systems used to support server functions Medium
Description The MDIS and Terminal Server systems at Caitlyn Raymond utilize Windows XP to support a server-based function.
Risk Analysis Desktop software does not have the security or stability of server-class software and has a higher risk of compromise or failure.
Remediation Cost/Effort Medium
Recommendations Desktop operating systems should be replaced with server software.
Ongoing Effort When services are deployed, CRIR should make sure that the system they run on is designed to support them.
27. Access to financial system controlled by Access Database front-end Medium
Description Caitlyn Raymond's financial system has not been converted to a web-based format and is still accessed through a Microsoft Access database front end.
Risk Analysis Access is not scalable or secure enough to be deployed as a front-end solution. The version of Access being used is no longer supported by the vendor.
Remediation Cost/Effort High
Recommendations CRIR should continue moving forward with plans to replace the Access front end with the solution it is using for the rest of the "Internet" application.
Ongoing Effort Application staff should continue to replace solutions as they become obsolete.
28. Sensitive data not encrypted Medium
Description Donor and patient data stored in databases and flat files throughout the Caitlyn Raymond network is not encrypted.
Risk Analysis Sensitive data, especially data containing PII (personally identifiable information) and financial data, will be the primary target if systems are compromised.
Remediation Cost/Effort Low
Recommendations Sensitive data should be stored in encrypted folders or be encrypted at the file level. This adds an additional layer of security should a system compromise take place. There are several free solutions available to CRIR, for example TrueCrypt for encrypted storage or GPG for file-level encryption. Note that encryption at rest protects data on lost or stolen media and on backup tapes; it does not protect data on a running system where the volume is mounted and the key is in use, so access controls and key management on the live systems remain necessary.
Ongoing Effort CRIR should periodically review where sensitive data resides on the network and ensure it is being secured.
People Issues
29. IT personnel lack server and network administration skills High
Description CRIR servers are not being adequately supported due to a lack of systems expertise and training of the staff. Servers at CRIR are showing signs of failure due to years of being run by staff that was not trained in systems administration and in what is required to maintain server functionality.
Risk Analysis Almost all of the findings identified earlier in this report are attributable to a lack of system / network administration skills within the IT function at CRIR.
Remediation Cost/Effort High
Recommendations Staff need to be properly trained in server administration, or additional staff will need to be brought in to manage the network. A second option is to allow the UMass Memorial Medical Center or a 3rd party service provider to take over responsibility for server and network management.
Ongoing Effort As technology changes, training will need to be conducted to ensure staff remain knowledgeable about the operation and administration of servers.
30. Understaffed High
Description There are not enough resources available to adequately manage the network. The current structure has two staff members splitting their time between network and server operations and their primary assignment of managing the 'Intranet' application.
Risk Analysis Almost all of the findings identified earlier in this report are attributable to a lack of system / network administration skills within the IT function at CRIR.
Remediation Cost/Effort High
Recommendations CRIR should consider hiring at least one additional resource that is trained in network and server administration. A second option for CRIR to consider is to outsource the network and server administration roles; this can be done within the UMass Memorial Medical Center system or with a 3rd party service provider.
Ongoing Effort Staffing size should complement the size of CRIR operations and will need to be assessed whenever organizational changes take place.
Appendix A: Tools Utilized
Assessment Tools
Tool Burp Suite
Function Burp Suite is an integrated platform for performing security testing of web applications.
CRIR Service Burp Suite was used to test the security of the “Internet” application at CRIR. The results of testing did not uncover any notable findings.

Tool OWASP-ZAP (Open Web Application Security Project – Zed Attack Proxy)
Function The Zed Attack Proxy (ZAP) is an integrated testing tool for finding vulnerabilities in web applications. ZAP contains automated scanners as well as a set of manual tools to find security vulnerabilities.
CRIR Service OWASP-ZAP was used to test the “Internet” application at CRIR for security and security bypass vulnerabilities. The results of testing did not uncover any notable findings.

Tool Data Collection Scripts
Function Basic system scripts used to automate the collection process for gathering system configurations. System configurations are reviewed for vulnerabilities and compliance.
CRIR Service Data collection scripts were provided to CRIR to collect data from the Windows and Linux systems on the CRIR network. The data returned from the scripts was used to perform a systems configuration review of the CRIR systems.

Tool Nessus Vulnerability Scanner
Function Nessus is a network vulnerability scanner used to identify possible vulnerabilities on computer networks.
CRIR Service Nessus was used to scan the CRIR network. The scan uncovered 163 unique vulnerabilities related to outdated systems and software as well as missing system patches and maintenance.

Tool Nmap (Network Mapper)
Function Nmap is a scanning tool used to discover hosts and services on a computer network.
CRIR Service Nmap was used to identify unmanaged switches on the CRIR network.

Tool TCPView
Function TCPView is a Windows program that shows detailed listings of all TCP and UDP endpoints on a system, including the local and remote addresses and the state of TCP connections.
CRIR Service TCPView was run on CRIR systems to identify running services. TCPView identified an excessive number of services running across the CRIR network.
Appendix B: Outsourcing Analysis
One potential solution that will address many of the issues uncovered during this assessment is to
outsource the data center and management of the technology infrastructure to the UMass Memorial
Medical Center. In this model, Caitlyn Raymond's existing IT team will be able to focus on doing what
they do best – developing and managing applications and databases to support the international
registry. Server, network and data center support will be the responsibility of UMass's infrastructure
team and be folded into its existing processes.
While Grant Thornton absolutely recommends this model for IT management as a solution for Caitlyn
Raymond, there are a number of caveats that must be considered.
Technology Refresh Still Required
Even if Caitlyn Raymond migrates its technology infrastructure into UMass's datacenters, the
underlying technology infrastructure will still need to be refreshed. This will include upgrading
hardware, software and operating systems as well as applying secure configurations to all devices.
As a part of this process, Caitlyn Raymond will need to evaluate different options for their technology
including the use of physical vs. virtual servers, directly attached storage vs. NAS / SAN, utilization of
cloud based technologies, shared vs. stand-alone database structures and a host of other key design
choices.
If this exercise is not completed, Caitlyn Raymond will be essentially picking up a problem and moving
it to another location without addressing the underlying issues.
Requirements Definition
While it is expected that UMass would take on the responsibility of managing and maintaining Caitlyn
Raymond's technology infrastructure in this outsourced model, the registry will still be responsible for
defining its own requirements for key IT processes. For example, backup and patching
schedules, system access policies, data classification systems, system configuration standards and
numerous other items will still need to be developed by Caitlyn Raymond and communicated to
UMass.
Responsibility Matrix
If Caitlyn Raymond does choose this model for IT management, the responsibility for addressing each
of the findings in this report will be split between itself and the UMass Memorial Medical Center. In
the chart below, we’ve assessed which entity will be responsible for addressing each finding:
Policy, Process and Organizational Issues Responsibility
1 No information security policy CRIR / UMASS
2 Information security responsibilities not defined CRIR / UMASS
3 Information security processes, standards, and guidelines not established UMASS
Technical Issues Responsibility
4 Use of out-of-warranty, out-of-date or unsupported hardware CRIR
5 Use of consumer based products in an enterprise environment CRIR
6 No patch or vulnerability management for operating systems or applications UMASS
7 No server configuration standards / system hardening CRIR / UMASS
8 Use of unnecessary or undocumented services and applications CRIR
9 Use of “administrator” / “root” account to manage systems CRIR / UMASS
10 Remote access to Linux systems with “root” account is enabled CRIR / UMASS
11 Use of weak or default passwords UMASS
12 IT administrators unable to access network devices UMASS
13 Broken processes for identity and authentication management UMASS
14 No system-state backups being taken UMASS
15 Backup tapes stored in IT administrators' homes UMASS
16 No disaster recovery plan / business continuity management CRIR / UMASS
17 UPS devices not properly configured / maintained UMASS
18 Network diagram does not exist UMASS
19 Insecure wireless networking configuration UMASS
20 No centralized logging / monitoring system UMASS
21 No network segmentation UMASS
22 Changes to Windows systems are made directly in production UMASS
23 No change control process UMASS
24 Insecure administrative access to 3rd party hosted web application server UMASS
25 Use of insecure protocols for data transfer / system management CRIR / UMASS
26 Desktop operating systems used to support server functions CRIR
27 Access to financial system controlled by Access Database front-end CRIR
28 Sensitive data not encrypted CRIR
People Issues Responsibility
29 IT personnel lack server and network administration skills UMASS
30 Understaffed UMASS
© Grant Thornton LLP. All rights reserved. U.S. member firm of Grant Thornton International Ltd.
This proposal is the work of Grant Thornton LLP, the U.S. member firm of Grant Thornton International Ltd, and is in all respects subject to negotiation, agreement and signing of specific contracts. The information contained within this document is intended only for the entity or person to which it is addressed and contains confidential and/or proprietary material. Dissemination to third parties, copying or use of this information is strictly prohibited without the prior written consent of