Cenartech Security Case Essay
Cenartech Security Case: Part 1
Cenartech is a U.S. engineering company, with approximately 400 employees. The firm makes process-monitoring devices for food manufacturing companies and the pharmaceutical and cosmetics manufacturing industries. Customers know the company as an innovative leader in providing highly accurate products with all the latest features. All Cenartech products contain embedded microprocessors, sensors, and displays. Some products are handheld, while others are installed permanently into manufacturing facilities. After operating in an initial period of about seven years as a start-up company, the firm was sold to and is now privately owned by a European parent company. The firm still operates quasi-independently, has its own management structure, and is responsible for its own day-to-day operations. The parent company sets the strategic direction of Cenartech and obtains the profit from operations.
The firm experienced a rapid period of growth starting three years ago. Since that time, the number of employees has approximately doubled. Initial hiring growth was primarily in engineering, software, and manufacturing departments. Subsequently, additional hiring occurred in organizational support areas: information technology, finance and accounting, technical support, and human resources.
Cenartech now boasts a substantial information technology installation. A fractional DS3 connection to the local exchange carrier provides Internet access for three separate networks that have firewalls between them. One network provides guest wireless access: hosts on this network have access to the Internet and nothing else. A second network exists for financial systems. This network has no authorized wireless access points, and access to the Internet is aggressively filtered and firewalled. The third network is for all other employees and functions, and this network has a wired component as well as wireless access points that require authentication. Internet access on this network is not highly filtered. All authorized computers on this network require a log-in and each employee has their own username and password. All authorized computers in the building have antivirus software. A centralized, open source antispam package exists to pre-filter all email prior to delivery.
Brian Galven is the manager of the IT department at Cenartech and has been with the company for slightly less than two years. Brian is in his late 30s, is of medium height, and dresses casually, favoring flannel shirts, jeans, and sneakers, although he occasionally dons a sport jacket for meetings with outside vendors. His position at Cenartech represents the greatest amount of managerial responsibility that Brian has had, as well as the largest company where he has worked. Prior to Brian’s arrival, Cenartech’s IT department did not have a manager. Instead, employees working on IT reported to the company’s director of finance. The director of finance had also used a number of consultants in the years prior to Brian’s arrival to help the company with major IT projects. Within a year of his arrival, Brian had accomplished much to professionalize the company’s IT operations and personnel. At the time of the events described in this case, Brian had written a first draft of an IT practices manual that spelled out the different tasks that his staff members had to do, everything from backups to cleaning virus and worm infections from laptops. The manual describes all the necessary steps such that any of the IT people can do a task, even if the person who usually does it calls in sick or goes on vacation. At 12 full-time equivalent employees (FTEs), the IT department is not large enough to have a separate security function, so each IT staff member has some security responsibilities, but Brian does the most, since he has the most knowledge in the security area.
(Whitman 24)
Whitman, Michael E. Readings & Cases in Information Security: Law & Ethics. Cengage Learning, 20100623. VitalBook file.
Given his prior work experience as an information security professional, Brian is a strong advocate of the importance of running and analyzing server logs. From the start of his employment with Cenartech he enabled almost every logging option available on the hosts and servers used by the company. Most of his staff members are unfamiliar with security log analysis, so whenever time permits Brian runs analysis on logs, looking for information about the performance of the networks as well as anything out of the ordinary.
Leading up to the events described in this case, Brian had seen repeated failed log-in attempts on a couple of different accounts, but with four or fewer repeats—an insufficient number to cause a lockout. More recently, an employee came into Brian’s office complaining that she was having trouble logging in; when Brian investigated, he found that she had been locked out because of five failed log-in attempts. “Did you forget your password?” he asked her. She replied that she didn’t think she had, but Brian went ahead and reset her password anyway and he unlocked her account.
After unlocking her account, Brian pored through his security logs, looking for the history of the log-in attempts that had led up to the lockout of the woman’s account. When he had correlated some of the log data, he found that failed log-in attempts had come from a workstation in the engineering cluster. All of the recent failed attempts had occurred around lunchtime, and today’s lockout was preceded by smaller sets of failed log-ins at lunch hours over the past week. Brian had a hunch that one or more of the product engineers were probably fooling around with the system. Given his background in security, however, Brian was not inclined to ignore the event or wait to see what would happen next. Instead, he decided to report what he had found. Current company policy stated that such incident reports must begin with the human resources department, so Brian made an appointment with the administrative assistant of the vice president of human resources.
James Falkirk is the vice president of human resources for Cenartech. He is a tall man in late middle age, always wears a suit and tie, but speaks in an informal way, and asks people to call him Jim. He was the fifth employee hired into the company when it was a start-up more than 15 years ago; he originally served in the role of general manager at a time when the company used consultants and outside vendors for many of its engineering and fabrication tasks. Jim is a close friend and golf partner of Cenartech’s CEO; their association predated the founding of Cenartech. Jim had a modest ownership stake in the firm when it was sold to the German parent company such that he is now financially secure for retirement.
(Whitman 25)
During their meeting, which took about half an hour, Brian explained his findings to Jim. This explanation required substantial effort on Brian’s part, as Jim had minimal IT experience and was surprised to learn that Brian kept records of so many different events on the company’s networks. Brian persevered, however, and was able to explain the nature of the evidence to Jim as well as the fact that the evidence could not pinpoint a particular individual. The log records showed that the failed log-in attempts came from workstations shared among multiple engineers. Whoever had tried the different username/password combinations had not also used his or her legitimate account information in close time proximity on the same workstations, so it was not even possible to guess which individual had caused the failed log-ins. Jim had difficulty understanding how there was much harm in the failed log-in attempts, and he tended to agree with Brian’s tentative hypothesis that it was just an engineering employee simply “fooling around” without malicious intent. Nonetheless, Jim promised to look into the problem: “I’ll head on down there and talk to the manager of that group and see what’s up with his guys. And I’m sure we’ll figure out what’s going on, so don’t sweat it.”
(Whitman 26)
Cenartech Security Case: Part 2
Following his meeting with the vice president of human resources, Brian returned to his department and turned his attention to important IT projects. At the top of his list, he was setting up a virtual private network (VPN) to help the Cenartech sales staff obtain remote access to client information. The client information resided on databases maintained by the staff in the firm’s business office, so the VPN terminated in Cenartech’s financial systems network. Brian had to customize the restrictive firewall rules on this network to support the operation of the VPN. With his focus on completing the VPN project on schedule, several weeks went by during which Brian had no time to analyze log files. During this period, he also received no complaints from employees about account lockouts.
(Whitman 26)
Part of the complexity of the VPN project was that the laptops of most members of the sales staff did not have an installed capability for remote management. An IT employee had developed a scripted installation that could run from a CD, but when Brian had sent this to a couple of the salespeople, they had complained that it failed to work. As a result, several of the installation CDs that the IT staffer had created lay unused on a stack on a table in the IT department. Brian had to wait until each member of the sales staff came to the company’s headquarters in order to physically access their laptops and install the VPN client.
As Brian began to deploy the VPN clients and send the salespeople back into the field with their updated laptops, he also began to monitor security logs again. He was surprised to find a greater number of incoming VPN connection attempts than he had expected. When he followed up some of the originating IP addresses, he also found that a number of the connections originated from a local cable Internet Service Provider (ISP). He had expected most of the connections from more distant locales, because the salespeople provisioned with the VPN client were all from other regions of the country. Brian ran more log analyses and found that, after a brief lull two weeks earlier, the failed log-in attempts had begun again. Further, he found that while some of the attempted log-ins had again occurred from the engineering cluster around lunchtime, other failed attempts had occurred during the VPN authentication process, mostly after hours, and mostly from IP addresses originating with the local ISP.
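The two log-analysis passages above (the sub-lockout failure bursts traced to an engineering workstation at lunchtime, and the after-hours VPN authentication failures from an unexpected ISP) describe a correlation that can be automated. The script below is an added example for this case, not Cenartech's tooling; the log format, hostnames, IP addresses and the expected sales-staff network are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

LOCKOUT_THRESHOLD = 5        # five failures lock an account, as in the case
LUNCH_HOURS = range(12, 14)  # 12:00-13:59 counts as lunchtime
WORK_HOURS = range(8, 18)    # 08:00-17:59 counts as business hours

# Constructed sample log, one event per line: "<ISO timestamp> <account>
# <FAIL|OK> <source>"; source is a workstation name or "vpn/<client IP>".
SAMPLE_LOG = """\
2010-03-01T12:10:00 asmith FAIL eng-ws-07
2010-03-01T12:10:20 asmith FAIL eng-ws-07
2010-03-01T12:10:45 asmith FAIL eng-ws-07
2010-03-01T12:11:02 asmith FAIL eng-ws-07
2010-03-02T09:01:00 asmith OK acct-ws-02
2010-03-02T12:14:30 asmith FAIL eng-ws-07
2010-03-02T12:14:50 asmith FAIL eng-ws-07
2010-03-02T12:15:10 asmith FAIL eng-ws-07
2010-03-03T08:30:00 bjones FAIL acct-ws-05
2010-03-03T08:30:30 bjones OK acct-ws-05
2010-03-20T22:05:11 rlee FAIL vpn/203.0.113.7
2010-03-20T22:05:40 rlee FAIL vpn/203.0.113.7
2010-03-21T10:15:00 rlee OK vpn/198.51.100.9
"""

def parse(log_text):
    """Turn the sample format into (datetime, account, result, source) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, account, result, source = line.split()
        events.append((datetime.fromisoformat(ts), account, result, source))
    return events

def sub_lockout_bursts(events, min_days=2):
    """(account, source) pairs hit by failure bursts that stay under the lockout
    threshold on at least min_days distinct days. Each hit lists (day, failures,
    failures at lunchtime); a lockout alone would never have surfaced these."""
    per_day, at_lunch = defaultdict(int), defaultdict(int)
    for ts, account, result, source in events:
        if result != "FAIL":
            continue
        key = (account, source, ts.date().isoformat())
        per_day[key] += 1
        at_lunch[key] += int(ts.hour in LUNCH_HOURS)
    bursts = defaultdict(list)
    for (account, source, day), n in per_day.items():
        if 2 <= n < LOCKOUT_THRESHOLD:
            bursts[(account, source)].append((day, n, at_lunch[(account, source, day)]))
    return {k: sorted(v) for k, v in bursts.items() if len(v) >= min_days}

def offhours_vpn_failures(events, expected_nets):
    """VPN authentication failures outside business hours from client IPs that
    fall in none of the networks the remote sales staff are expected to use."""
    nets = [ip_network(n) for n in expected_nets]
    hits = []
    for ts, account, result, source in events:
        if result != "FAIL" or not source.startswith("vpn/"):
            continue
        ip = ip_address(source[4:])
        if ts.hour not in WORK_HOURS and not any(ip in n for n in nets):
            hits.append((ts.isoformat(), account, str(ip)))
    return hits
```

Run over the sample, `sub_lockout_bursts` flags only the asmith/eng-ws-07 pair (two lunchtime bursts of 4 and 3 failures), and `offhours_vpn_failures` with the assumed sales network `198.51.100.0/24` returns the two 22:05 failures from `203.0.113.7`.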
Given the recurrence of the original problem, plus the new issues that had arisen with the VPN, Brian requested another meeting with Jim and reported the problems he had seen. This time, Jim got very serious and said, “I’ll go back down there to engineering and read them the riot act. We’ll definitely get this issue cleaned up. You can leave it to me.” Brian felt reassured that Jim was taking the issue more seriously now, and he returned to his projects.
A month went by without incident, but one morning around 7:00 AM, Brian received a frantic call from an accountant whose habit was to arrive at work early. The accountant reported that although she could log in to the network, none of her applications would work. Brian rushed into work and found utter chaos. Several database tables had become corrupted, a large number of files had been deleted, and application configurations had been tampered with. Looking at the datestamps on some of the corrupted files, Brian concluded that much of the damage had occurred late the previous evening. He quickly restored a number of files from backups in order to get key users back up and running. Then he organized his IT staff to get to work on restoring everyone else who had been affected. Fortunately, Brian’s attention to standardizing backup procedures and related disaster recovery capabilities meant that his staff had the knowledge and resources to restore almost everything that had been lost and to accomplish this restoration relatively quickly.
The whole process of repairing the damage took about a week, and during this time, Brian collected as much forensic data as he could. Several important findings emerged. First, he found that user accounts existed on some of the financial systems for employees who no longer worked with the firm. Further, these accounts had extensive histories of recent activity from workstations all over the business office. When Brian chatted “off the record” with some of the individuals who worked in the business office (recall that the official policy was that Brian was supposed to address such matters through HR first), he found that many of the employees shared the use of archaic, still-active accounts. When previous employees had left the firm’s business office several years ago, they had given their username and password information to their colleagues for the sake of convenience, so that the employees who remained could access the departing person’s files and applications. Previously, no one had disabled the user accounts of these departed employees. Now, however, Brian backed up all of the files that remained in these archaic accounts and then he disabled them.
(Whitman 27)
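The finding above, still-enabled accounts of departed employees with recent log-ins from many workstations, is exactly what a periodic reconciliation of the account directory against the HR roster would have caught before the incident. The script below is an added example written for this case, not Cenartech's code; the roster, account list, log-in records and review date are constructed sample data.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed HR roster: username -> employment status as HR records it.
HR_ROSTER = {"asmith": "active", "bjones": "active",
             "cdoe": "terminated",  # left years ago; HR never told IT
             "dkim": "active"}

# Constructed account directory: username -> account still enabled?
ACCOUNTS = {"asmith": True, "bjones": True, "cdoe": True,
            "dkim": False, "eroe": True}   # eroe is unknown to HR

# Constructed successful log-ins: (date, username, source host).
LOGINS = [
    (date(2010, 3, 2), "cdoe", "acct-ws-01"),
    (date(2010, 3, 4), "cdoe", "acct-ws-05"),
    (date(2010, 3, 9), "cdoe", "acct-ws-11"),
    (date(2010, 3, 10), "cdoe", "vpn-gw"),
    (date(2010, 3, 10), "asmith", "acct-ws-02"),
    (date(2010, 3, 11), "bjones", "acct-ws-05"),
    (date(2009, 6, 1), "eroe", "acct-ws-03"),
]
AS_OF = date(2010, 3, 12)   # date the review is run (constructed)

def orphaned_accounts(accounts, roster):
    """Enabled accounts with no active employee behind them: HR lists the
    owner as terminated, or has no record of the username at all."""
    return sorted(u for u, enabled in accounts.items()
                  if enabled and roster.get(u) != "active")

def recent_activity(logins, as_of, window_days=30):
    """username -> set of source hosts used within the look-back window."""
    cutoff = as_of - timedelta(days=window_days)
    used = defaultdict(set)
    for day, user, host in logins:
        if day >= cutoff:
            used[user].add(host)
    return used

def review(accounts, roster, logins, as_of, shared_threshold=3):
    """Build the deprovisioning worklist: each orphaned account with the number
    of hosts it was recently used from (back up its files first if it is still
    in use), plus accounts used from so many hosts that they look shared."""
    used = recent_activity(logins, as_of)
    worklist = []
    for user in orphaned_accounts(accounts, roster):
        hosts = used.get(user, set())
        action = "back up files, then disable" if hosts else "disable"
        worklist.append((user, len(hosts), action))
    shared = sorted(u for u, hosts in used.items() if len(hosts) >= shared_threshold)
    return worklist, shared

def run_review():
    """Run the review over the constructed sample data."""
    return review(ACCOUNTS, HR_ROSTER, LOGINS, AS_OF)
```

On the sample data the worklist names cdoe (terminated, yet used from four hosts in the last month, so files are backed up before the account is disabled) and eroe (enabled but unknown to HR, idle, disable outright), and cdoe is also the one account that looks shared.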
Next, Brian traced the damage to a connection that had occurred through the VPN. The originating IP address showed that the connection was not from a local ISP, nor was it from an ISP in a locale where any of the company’s salespeople lived. The account that the attacker had used to disrupt the operations in the business office had used one of the “shared” accounts of a departed employee as mentioned above. Additional analysis of the log files showed that the attacker had used the same archaic account through the VPN in the same timeframe to try to gain access to engineering systems, but the firewalls between the different networks had prevented the attacker from connecting. Relatedly, three weeks earlier the same archaic account had been accessed at lunchtime from within the engineering cluster.
In the aftermath of the attack, Brian met with every member of Cenartech’s senior management, and he realized that his job was on the line. He explained everything that he had ascertained about the attacks, and he tried not to sound defensive when describing his existing security measures and what he knew about how they had been circumvented. Brian realized that, with their limited understanding of the technology involved, most of the senior managers seemed to lay blame for the attack on Brian’s deployment of the VPN. When Brian met with Jim, and they reviewed the situation together, Jim resolved to interview personally each member of the accounting department and the engineering department to see if anyone had further information that would shed light on the attack.
(Whitman 28)
Cenartech Security Case: Part 3
At the conclusion of their conversation, Brian remembered to ask Jim about the second dialog that Jim had had with the manager of the engineering department. Jim offhandedly said, “Oh, after I chatted again with the manager of that group down there, he caught the guy at it. When all the other folks in his group had gone out to lunch, that guy stuck around and was trying out all kinds of different passwords. So we fired him three weeks ago.”
At this revelation, Brian nearly fell out of his chair. Mustering as much calm as he could, he asked Jim why no one had mentioned the firing of the engineer to someone in the IT department so that they could deprovision the fired employee’s account access.
Jim said, “You’re right, that would have been a good idea, but you know, we’ve rarely had an employee leave the firm on bad terms, so it’s not something that’s really come up before.”
“But the attack we had last week used an account of an old employee,” Brian replied. “One that had apparently left on good terms. So you see how it doesn’t matter whether the person is fired or just resigns, we have to know when they leave so that we can deactivate their account.”
“Sure, that does make sense,” Jim agreed, “but it wouldn’t have saved us in this case. The hacker who did this didn’t use the account information from the engineer we fired.”
Brian then patiently explained to Jim that indeed it might not have prevented the attack, but if they had consistently removed archaic accounts from the company’s networks, the attack might have been avoided. Brian concluded the meeting with several new ideas in his mind about the attack, which he shared a few days later in a one-on-one meeting with the CEO of the company. A few weeks later, a few shake-ups occurred in the management structure of the company, and the CEO issued several new policies that Brian had drafted. One of the new policies pertained to greater coordination between HR and IT, particularly regarding notification of changes in the status of employees—hiring, firing, promotion, etc.
In reflecting on the attack later, Brian believed that the fired engineer was the attacker who caused all the damage. The engineer had apparently used his lunch hour over the past few months to probe the accounts of current and former employees, looking for a username/password combination that would give access to key information systems in the company. The engineer had probably taken a VPN installer disk from the stack on the table in the IT department and installed the VPN on his own system to continue his probing from home or another location on the Internet. Brian believed that the engineer had eventually hit on the correct password for the archaic account at some point either just before or just after he left the company. Brian was unsure of the engineer’s original intentions for the account probing, and was unsure as to whether the termination of the engineer’s employment had been the trigger for the actual attack. Finally, Brian believed that with records obtained through a legal request to the local ISP he might obtain enough evidence to bring a criminal case against the engineer, but Cenartech’s CEO decided not to pursue that course.
(Whitman 29)
RUBRIC

Excellent Quality (95-100%)
Introduction, 45-41 points: The background and significance of the problem and a clear statement of the research purpose is provided. The search history is mentioned.
Literature Support, 91-84 points: The background and significance of the problem and a clear statement of the research purpose is provided. The search history is mentioned.
Methodology, 58-53 points: Content is well-organized with headings for each slide and bulleted lists to group related material as needed. Use of font, color, graphics, effects, etc. to enhance readability and presentation content is excellent. Length requirement of 10 slides/pages or less is met.

Average Score (50-85%)
Introduction, 40-38 points: More depth/detail for the background and significance is needed, or the research detail is not clear. No search history information is provided.
Literature Support, 83-76 points: Review of relevant theoretical literature is evident, but there is little integration of studies into concepts related to the problem. Review is partially focused and organized. Supporting and opposing research are included. Summary of information presented is included. Conclusion may not contain a biblical integration.
Methodology, 52-49 points: Content is somewhat organized, but no structure is apparent. The use of font, color, graphics, effects, etc. is occasionally detracting to the presentation content. Length requirements may not be met.

Poor Quality (0-45%)
Introduction, 37-1 points: The background and/or significance are missing. No search history information is provided.
Literature Support, 75-1 points: Review of relevant theoretical literature is evident, but there is no integration of studies into concepts related to the problem. Review is partially focused and organized. Supporting and opposing research are not included in the summary of information presented. Conclusion does not contain a biblical integration.
Methodology, 48-1 points: There is no clear or logical organizational structure. No logical sequence is apparent. The use of font, color, graphics, effects, etc. is often detracting to the presentation content. Length requirements may not be met.