
This is an actual assessment we have done. We do roughly 15 of these per month. It is intended to provide detailed information on the security of your data and network. Please contact us for YOUR Exposure Assessment ASAP.

Network Assessment Detailed Review

Client: Client
Date: January 13, 2009
Contact: IT Department

1. Data Protection: Fail

   1.1 Backups offsite / onsite: Fail – Exchange data not backed up offsite

A key part of a security administrator’s job is developing a plan to mitigate damages after the inevitable disaster occurs. Since your goal is to keep the computers running with as little interruption as possible, nothing will give you a better sense of security than having a recent backup available. But to make backups a solid component in your overall security plan, you need to coordinate your efforts with a backup routine that regularly stores data offsite.

   1.2 Backup points – daily, hourly, real time: Fail – Daily only, no continuous backup solution


A method, apparatus, and article of manufacture for performing a point-in-time backup using multiple copy technologies includes steps of suspending execution of updates to the source data; determining what point-in-time backup technology is supported by the device by determining the device and extents of the source data; processing each of the extents as determined by the backup technology supported and copying the source data in point-in-time; and backing up copied entire source data to a target media. If the backup process fails, the method, apparatus, and article of manufacture provides a restart function.

2. Backup and Disaster Recovery Check: Fail

   2.1 Shadow copy: Fail – Not implemented

Accidental file deletion or modification is a common cause of data loss. This feature automatically creates point-in-time copies of files as you work, so you can quickly and easily retrieve versions of a document you may have accidentally deleted. Shadow copy creates copies on a scheduled basis of files that have changed. Since only incremental changes are saved, minimal disk space is used for shadow copies.
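The shadow-copy behaviour described above (scheduled point-in-time copies, storing only what changed, retrieving an earlier version of a deleted or modified file) is easy to misunderstand as "a full copy per schedule". The following is an added example, not part of the assessment or of any Windows component: an in-memory model in which each snapshot is a manifest of content hashes and file content is stored once in a content-addressed store, so unchanged files cost nothing and any earlier version is recoverable by snapshot id. File names, contents and snapshot labels are constructed sample data.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Added example, not part of the assessment: a minimal in-memory model of
# scheduled point-in-time file snapshots. Each snapshot is a manifest mapping
# path -> SHA-256 of the content; content is kept once in a content-addressed
# blob store, so unchanged files consume no extra space and any earlier
# version can be retrieved by snapshot id.


@dataclass
class SnapshotStore:
    blobs: Dict[str, bytes] = field(default_factory=dict)                      # digest -> content
    snapshots: List[Tuple[str, Dict[str, str]]] = field(default_factory=list)  # (label, {path: digest})

    def take_snapshot(self, files: Dict[str, bytes], label: str) -> int:
        """Record the current state of `files` ({path: content}); return the snapshot id."""
        manifest = {}
        for path, content in files.items():
            digest = hashlib.sha256(content).hexdigest()
            self.blobs.setdefault(digest, content)   # identical content is stored only once
            manifest[path] = digest
        self.snapshots.append((label, manifest))
        return len(self.snapshots) - 1

    def restore_file(self, snapshot_id: int, path: str) -> Optional[bytes]:
        """Return the file as it was in the given snapshot, or None if it did not exist then."""
        _, manifest = self.snapshots[snapshot_id]
        digest = manifest.get(path)
        return None if digest is None else self.blobs[digest]

    def versions(self, path: str) -> List[Tuple[int, str]]:
        """(snapshot_id, label) for each snapshot whose copy of the file differs from the previous one."""
        out, last = [], None
        for sid, (label, manifest) in enumerate(self.snapshots):
            digest = manifest.get(path)
            if digest is not None and digest != last:
                out.append((sid, label))
            last = digest
        return out

    def storage_bytes(self) -> int:
        """Space actually consumed: distinct content only, not one full copy per snapshot."""
        return sum(len(c) for c in self.blobs.values())


def demo() -> SnapshotStore:
    """Three scheduled snapshots over constructed files: an edit, then an accidental deletion."""
    store = SnapshotStore()
    store.take_snapshot({"report.docx": b"draft 1", "notes.txt": b"hello"}, "09:00")
    store.take_snapshot({"report.docx": b"draft 2", "notes.txt": b"hello"}, "10:00")
    store.take_snapshot({"notes.txt": b"hello"}, "11:00")   # report.docx deleted by mistake
    return store


if __name__ == "__main__":
    s = demo()
    print(s.restore_file(1, "report.docx"))   # b'draft 2'
    print(s.versions("report.docx"))          # [(0, '09:00'), (1, '10:00')]
    print(s.storage_bytes())                  # 19
```

The point of the model is the last number: three snapshots of two files consume only the bytes of the three distinct contents, which is why scheduled snapshots are cheap enough to run hourly.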

   2.2 ASR updates being done: Fail – No ASRs

The ASR (Automated System Recovery) process allows you to restore the system disk (usually the C: drive), including the Windows files, all Registry settings and all user programs and data, so that a completely crashed system can be recovered. To use this procedure you must be able to boot the Windows XP Pro Setup program from the installation CD-ROM.
During the restore process all data previously found on the system partition (usually C:) will be erased, then XP/2003 will be reinstalled, and the data from the ASR backup will be restored.

   2.3 Can we recover from a media-only restore (recreate catalogs etc.): Fail – untested

The catalog entries will be rebuilt when you do an import on the media. You must have the catalog to do a restore, so the import consists of two steps: (1) read the tape and build the necessary catalog entries; (2) read the tape and gather file information.

   2.4 Can we do a bare metal recovery: Fail – IDRs not being updated

Bare-metal restore is a technique in the field of data recovery and restoration where the backed up data is available in a form which allows one to restore a computer system from "bare metal", i.e. without any requirements as to previously installed software or operating system.

Typically, the backed up data includes the necessary operating system, applications and data components to rebuild or restore the backed up system to an entirely separate piece of hardware. In some configurations, the hardware receiving the restore needs to have an identical configuration to the hardware that was the source of the backup, although virtualization techniques and careful planning can enable a bare-metal restore to a hardware configuration different from the original.

   2.5 RAID: Pass

RAID (Redundant Array of Independent Disks) is a technology that employs the simultaneous use of two or more hard disk drives to achieve greater levels of performance, reliability, and/or larger data volume sizes.
"RAID" is now used as an umbrella term for computer data storage schemes that can divide and replicate data among multiple hard disk drives. RAID's various designs all involve two key design goals: increased data reliability and increased input/output performance. When several physical disks are set up to use RAID technology, they are said to be in a RAID array. This array distributes data across several disks, but the array is seen by the computer user and operating system as one single disk. RAID can be set up to serve several different purposes.
Following is a brief summary of the most commonly used RAID levels, giving for each the minimum number of disks and the space efficiency:

RAID 0 – minimum 2 disks – space efficiency 93%
"Striped set without parity" or "Striping". Provides improved performance and additional storage but no fault tolerance. Any disk failure destroys the array, which becomes more likely with more disks in the array. A single disk failure destroys the entire array because when data is written to a RAID 0 drive, the data is broken into fragments. The number of fragments is dictated by the number of disks in the array. The fragments are written to their respective disks simultaneously on the same sector. This allows smaller sections of the entire chunk of data to be read off the drive in parallel, giving this type of arrangement huge bandwidth. RAID 0 does not implement error checking, so any error is unrecoverable. More disks in the array means higher bandwidth, but greater risk of data loss.

RAID 1 – minimum 2 disks – space efficiency 47%
"Mirrored set without parity" or "Mirroring". Provides fault tolerance from disk errors and failure of all but one of the drives. Increased read performance occurs when using a multi-threaded operating system that supports split seeks, with a very small performance reduction when writing. The array continues to operate so long as at least one drive is functioning. Using RAID 1 with a separate controller for each disk is sometimes called duplexing.

RAID 2 – minimum 3 disks
Hamming code parity. Disks are synchronized and striped in very small stripes, often in single bytes/words. Hamming code error correction is calculated across corresponding bits on disks, and is stored on multiple parity disks.

RAID 3 – minimum 3 disks – space efficiency 62%
Striped set with dedicated parity, bit-interleaved parity or byte-level parity. This mechanism provides improved performance and fault tolerance similar to RAID 5, but with a dedicated parity disk rather than rotated parity stripes. The single parity disk is a bottleneck for writing, since every write requires updating the parity data. One minor benefit is that the dedicated parity disk allows the parity drive to fail and operation will continue without parity or performance penalty.

RAID 4 – minimum 3 disks – space efficiency 62%
Block-level parity. Identical to RAID 3, but does block-level striping instead of byte-level striping. In this setup, files can be distributed between multiple disks. Each disk operates independently, which allows I/O requests to be performed in parallel, though data transfer speeds can suffer due to the type of parity. The error detection is achieved through dedicated parity and is stored in a separate, single disk unit.

RAID 5 – minimum 3 disks – space efficiency 62%
Striped set with distributed parity or interleave parity. Distributed parity requires all drives but one to be present to operate; drive failure requires replacement, but the array is not destroyed by a single drive failure. Upon drive failure, any subsequent reads can be calculated from the distributed parity such that the drive failure is masked from the end user. The array will have data loss in the event of a second drive failure and is vulnerable until the data that was on the failed drive is rebuilt onto a replacement drive.

RAID 6 – minimum 4 disks – space efficiency 47%
Striped set with dual distributed parity. Provides fault tolerance from two drive failures; the array continues to operate with up to two failed drives. This makes larger RAID groups more practical, especially for high-availability systems. This becomes increasingly important because large-capacity drives lengthen the time needed to recover from the failure of a single drive. Single-parity RAID levels are vulnerable to data loss until the failed drive is rebuilt: the larger the drive, the longer the rebuild will take. Dual parity gives time to rebuild the array without the data being at risk if one drive, but no more, fails before the rebuild is complete. RAID 6 is sometimes referred to as Advanced Data Guarding (ADG).
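The RAID 5 and RAID 6 entries above state the property that matters for this check: one distributed parity masks one failed drive, and a second failure before the rebuild completes means data loss. The following is an added example, not from the assessment or any RAID implementation: a toy RAID 5 layout in Python with XOR parity rotating across stripes, a read path that reconstructs the block of one missing disk from the survivors, and a refusal to read when two disks are missing. Block contents are constructed sample data.

```python
from typing import List, Optional

# Added example, not part of the assessment: a toy RAID 5 layout showing how a
# single distributed parity block masks one failed drive and why a second
# failure loses data. Each "disk" is a list of equal-length byte blocks; in
# every stripe one disk holds the XOR of the others, and that parity position
# rotates from stripe to stripe.


def xor_blocks(blocks: List[bytes]) -> bytes:
    """XOR of equal-length blocks; the parity of a stripe, or the missing block given the rest."""
    out = bytearray(len(blocks[0]))
    for blk in blocks:
        for i, b in enumerate(blk):
            out[i] ^= b
    return bytes(out)


def raid5_write(data: List[bytes], n_disks: int) -> List[List[bytes]]:
    """Stripe equal-length data blocks over n_disks with rotating parity."""
    if n_disks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    per_stripe = n_disks - 1
    block_len = len(data[0])
    disks: List[List[bytes]] = [[] for _ in range(n_disks)]
    for s, start in enumerate(range(0, len(data), per_stripe)):
        stripe = data[start:start + per_stripe]
        stripe += [bytes(block_len)] * (per_stripe - len(stripe))   # zero-pad the last stripe
        parity_disk = s % n_disks                                    # parity position rotates
        parity = xor_blocks(stripe)
        blocks = iter(stripe)
        for d in range(n_disks):
            disks[d].append(parity if d == parity_disk else next(blocks))
    return disks


def raid5_read(disks: List[Optional[List[bytes]]], n_blocks: int) -> Optional[List[bytes]]:
    """Read the data back; a failed drive is passed as None. Returns None if unrecoverable."""
    failed = [d for d, disk in enumerate(disks) if disk is None]
    if len(failed) > 1:
        return None          # single parity cannot reconstruct two missing blocks per stripe
    n_disks = len(disks)
    n_stripes = len(next(disk for disk in disks if disk is not None))
    data: List[bytes] = []
    for s in range(n_stripes):
        parity_disk = s % n_disks
        stripe: List[Optional[bytes]] = [None if disk is None else disk[s] for disk in disks]
        if failed:
            # Missing block = XOR of every surviving block in the stripe (data and parity alike).
            stripe[failed[0]] = xor_blocks([b for b in stripe if b is not None])
        data.extend(b for d, b in enumerate(stripe) if d != parity_disk)
    return data[:n_blocks]


if __name__ == "__main__":
    blocks = [b"AAAA", b"BBBB", b"CCCC", b"DDDD", b"EEEE"]   # constructed sample data
    array = raid5_write(blocks, 3)
    print(raid5_read([array[0], None, array[2]], 5) == blocks)   # True: one failure is masked
    print(raid5_read([None, None, array[2]], 5))                 # None: second failure = data loss
```

Running it with one disk replaced by None returns the original blocks unchanged; with two disks missing the read returns None, which is the "vulnerable until rebuilt" window the RAID 5 entry describes and the reason RAID 6 adds a second parity.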

 

3. Active Support Agreements: Pass

Current agreements set forth the terms and conditions under which vendors will provide maintenance and related services to the client for hardware and software.

4. Licenses and software stored securely, including OS and client apps: Fail – Not secured in safe and offsite

Software manuals, software, and license materials for client applications and operating systems should be stored in a secure location. These are normally placed in a fireproof safe offsite, with copies used at the client's premises.

5. User names and passwords documented: Fail – documented but not secured offsite

Usernames and passwords are recorded electronically and physically for past and present users. This data should also be stored in a secure location with proper security in place.

6. Adequate backup scenario for amount of data: Fail – Suggest additional storage for month-end backups


In an information environment, an organization's success is tightly coupled to its ability to store and manage information. Storage systems provide a critical part of an organization's network infrastructure. With the amount of data growing at an incredible rate, your storage strategy must keep pace. In designing a storage strategy for your organization, you must select the right technology for your primary storage system, implement solid backup procedures and ensure ongoing management of the system. An organization's library of software applications can easily exceed many gigabytes, and the quantity of data can range into the terabytes. Financial systems, customer databases, electronic documents, bitmap images, digital sound and video are but some examples of the data on which organizations rely. A key part of the network infrastructure involves the hardware and software that stores the organization's ever-growing data. In designing a data storage strategy for an organization's network, the stakes are extremely high. The data stored on the network is a vital resource that cannot be re-created. Take care to provide adequate capacity, fast performance and reliable access, but by all means never allow data loss.

7. Security Policies and Procedures: Fail

   7.1 Email access: Pass

Are emails secured from users creating their own unauthorized copies of the data?

   7.2 Data access: Fail – data not secure against copy and removal

Can client data be copied and stored without the client's authorization?

   7.3 Remote access: Fail – network access over internet across open ports

Are security parameters in place to secure and monitor remote connections?

   7.4 Cell Phones: Fail – no policies for cell phone data

Can data from cell phones be copied and stored without the client's authorization?

   7.5 Strong Passwords: Fail – Strong passwords not enforced

Do password policies enforce strong passwords, including a minimum password length, alphanumeric characters, expiration periods, and upper-case characters?
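The question above names the controls (minimum length, alphanumeric and upper-case characters, expiration period) without showing what enforcing them looks like. The following is an added example, not from the assessment or from any Windows policy engine: the rule set applied when a user sets a new password, plus a sweep over account records to find passwords older than the allowed age. The policy values (12 characters, 90 days) and the account records are constructed for illustration; the records hold only last-change dates, never the passwords themselves.

```python
import re
from datetime import date, timedelta
from typing import Dict, List

# Added example, not part of the assessment: the controls the checklist asks
# about (minimum length, alphanumeric characters, upper-case characters,
# expiration period) written as (a) the rule set applied when a password is
# set and (b) a sweep over account records for expired passwords. Policy
# values and account records are constructed for illustration.

POLICY = {"min_length": 12, "max_age_days": 90}   # assumed values, not the client's


def password_violations(candidate: str, policy: Dict = POLICY) -> List[str]:
    """Return every requirement the candidate password fails (empty list = acceptable)."""
    rules = [
        (len(candidate) >= policy["min_length"], f"at least {policy['min_length']} characters"),
        (re.search(r"[A-Z]", candidate) is not None, "an upper-case letter"),
        (re.search(r"[a-z]", candidate) is not None, "a lower-case letter"),
        (re.search(r"[0-9]", candidate) is not None, "a digit"),
    ]
    return [requirement for ok, requirement in rules if not ok]


def expired_accounts(accounts: List[Dict], today: date, policy: Dict = POLICY) -> List[str]:
    """Usernames whose password is older than the policy's maximum age."""
    limit = timedelta(days=policy["max_age_days"])
    return [a["user"] for a in accounts if today - a["last_changed"] > limit]


# Constructed account records: only the date of the last password change is kept.
ACCOUNTS = [
    {"user": "jdoe", "last_changed": date(2008, 12, 1)},
    {"user": "rsmith", "last_changed": date(2008, 6, 1)},
    {"user": "svc_backup", "last_changed": date(2007, 3, 15)},
]


if __name__ == "__main__":
    print(password_violations("Summer2009"))                 # ['at least 12 characters']
    print(expired_accounts(ACCOUNTS, date(2009, 1, 13)))     # ['rsmith', 'svc_backup']
```

Service accounts such as the constructed `svc_backup` are the ones an expiration sweep most often turns up, because nobody logs in with them interactively and so nobody is prompted to change them.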

8. Email Redundancy: Fail – no redundant email system

Redundancy is the provision of multiple interchangeable components to perform a single function in order to cope with failures, errors and emergency situations. Redundancy normally applies primarily to hardware, but in this case also to internet network links, physical server hardware and software capabilities.

9. Local copy of website: Pass

Maintain a copy of your company's website and/or database data on your local network as well as in a secure offsite location, to protect against ISP outages, issues with web designers, and hackers. Multiple revisions should also be saved as changes are made.

10. Local copy of DNS records and change history: Fail – No documentation or change history

Maintain a copy of your company's DNS data on your local network as well as in a secure offsite location, to protect against ISP outages, issues with web designers, and hackers. Multiple revisions should also be saved as changes are made.

11. Policy for lost or stolen computer equipment and phones: Fail – no policies

Policies need to be defined to document what to do in the event of computer and phone equipment being lost or stolen. These policies can include options to retrieve the equipment and protect sensitive data, as well as procedures to restore users' functionality. Authorities will ask for the make, model, and serial numbers of lost or stolen equipment.

12. Fax data stored in multiple locations for redundancy: Fail – paper only

Procedures to store data in multiple locations for ease of access and redundancy.

13. Critical PCs documented: Fail – Client states that Ron's PC is critical and is only backed up yearly

Documentation for computers and software that perform business-critical functions and/or have custom software configurations.
Examples include:

   1. Computers used to analyze financial data via spreadsheets, databases, statistics programs, or data analysis tools.
   2. Computers used to report financial data to agencies or institutions.
14. Antivirus Installed and Current: Pass
   1. Anti-Virus: protection against viruses, worms and trojans
   2. Anti-Spyware: protection against spyware, adware and identity theft
   3. Anti-Rootkit: protection against hidden threats (rootkits)
   4. Web Shield & LinkScanner: protection against malicious websites
   5. Optional Firewall: protection against unauthorized access

15. Condition of Cabling: Fail – Cabling needs wire management and formal documentation
   15.1 The network cabling should be properly installed as well as supported during and after the installation process. Many network problems are caused by improper installation of the network infrastructure. A properly installed cable plant should last for many years, even in a hostile environment such as an aircraft.
   15.2 Cables should be securely tied so there is minimal movement. All cables should be loosely bundled using Velcro cable ties or a similar cable restraint. Velcro cable ties are far superior to old-style cable ties, since the old ones can be cinched tightly enough to damage the cable. Velcro ties also make it easier to update the cable plant by either adding or removing cables. Fiber optic cables and coax are superior to UTP and STP in being less susceptible to the type of damage caused by over-tightened cable ties. UTP and STP will compress, distorting the cable and causing signal attenuation and excessive crosstalk between the pairs at that point. If a UTP or STP cable has several points along its length with over-tightened cable ties, the cable will not perform up to its rated potential. It is much harder to cause the same type of problem with either fiber or coax because of the way the cable is constructed. Both of these cables have more structural integrity because the signal-carrying portion of the cable is farther from the outside sheath.
   15.3 Equally as important as the design of the network, the termination of the cabling can drastically affect the entire cabling system. UTP, STP and ScTP will all have similar reliability problems because they use crimp-style connectors, which can be very problematic in vibrating and temperature-extreme environments. This type of connector works well in a static environment but was not designed to survive in a high-vibration environment. The connector is an eight-position modular jack that pinches the wire between the slots of a displacement connector, slightly deforming the wire. If the cable is subjected to tension, the wire will begin to detach, causing the connection to become intermittent. A high-vibration environment would cause this type of intermittent connection to happen much sooner.
   15.4 Fiber optic connectors are constructed by using an adhesive or epoxy to secure the fiber into the body of the connector. Once complete, the connector is one piece without any parts that may fatigue with vibration. FC-style connectors are superior to any bayonet-style connectors, since they ensure a tight and secure connection by screwing together. A disadvantage of fiber is the difficulty of repairing broken connectors in the field. This type of connector requires considerable skill and experience to terminate. This potential problem could be overcome by the installation of additional pairs of terminated fiber running to each location. The cost of the additional fiber would be low and would provide a very reliable network.
   15.5 Coax connectors are constructed by crimping both the center conductor and the connector body to the cable. This produces a very solid connector that can handle considerable vibration. The termination process is very simple and cable repairs can be easily done in the field with minimal training. However, coax-style cable, connectors, and network equipment have become scarce, since its network speed is limited to 10 Mb/s.
   15.6 One of the easiest network installation methods is wireless. All that is required is to place an Access Point (AP) in an open area and attach it to a cable network if needed. The AP should not be located near any large metal or water-filled objects. It should also not be placed in a location where it is "shielded" or surrounded by metal. Any of these conditions will greatly affect performance of the system. See the NCAB wireless policy for approved uses.

 

16. Server Room Secure: Pass
   16.1 You should control and log access to the room via security cards, biometrics or other auditable methods. Avoid punch codes because they can be shared. Consider using security cameras within the Windows server room, using your room's dimensions as a guide to determine their placement.

17. Server Room Climate: Pass

Windows servers generate a lot of heat and are sensitive to high temperatures and fluctuations in humidity. A stable environment can improve uptime and extend the life of your hardware. An ideal Windows server room environmental control system design should be modular, expandable and flexible.
The server room environmental controls design should also account for air temperature. Your air conditioning capacity will depend on the size of your room, lighting, number of people working in the room, quantity of electrical equipment and the heat generated by that equipment. In short, you'll need to determine the total load power in watts generated by all of these devices in order to determine their thermal output.
Environmental engineering can determine cooling requirements based on these factors, as exact calculation methods are beyond the scope of this paper. If possible, build redundancy and overcapacity into the environmental systems to allow for failures, maintenance downtime and temporary capacity spikes.
Air flow in and around Windows server racks is also crucial, and you'll need to work with your environmental engineering department to work out the server room design in terms of air conditioning types, duct placement and ceiling vs. floor-
Be on the lookout for hotspots and stagnant air flow. Temperature and humidity sensors can be placed throughout a data center to monitor conditions, but there are several simple steps you can take to improve airflow. Here are some air flow do's and don'ts to consider; following these steps can help you regulate server room humidity and temperature.

  1. DON'T use shelves in your racks. Shelves trap heat and restrict air flow.
  2. DON'T use glass doors, which can trap heat and reduce air flow through the rack. Use fully vented doors, or remove the doors entirely.
  3. DO use blanking panels to close off open spaces in racks. These open spaces create traps for hot air within the rack and reduce air flow.
  4. DO perform your own tests on fan trays and roof fans to decide if they are worth the expense. They are common, but some critics say they provide little benefit for the electricity they use.
  5. DO make sure your racks are deep enough to allow air flow around cables, which can obstruct ventilation and cause overheating.
  6. DO place racks in rows and reverse the direction of how alternate rows face. This helps separate the hot exhaust air from the intake air. The front of a rack should never be facing the back of another rack.
  7. DO space out high-capacity racks, which can generate tremendous amounts of heat and increase power requirements.

Another important element to consider when designing the environmental controls for your Windows server is humidity. Low humidity increases the risk of static electricity, and high relative humidity can contribute to corrosion as well as lowering the heat removal capacity of your equipment. The relative humidity in a data center should generally be kept between 40 and 55 percent.

18. Router / Firewall: Fail
   18.1 Adequate: Pass
   18.2 Updated: Fail – updates not checked
   18.3 Documented: Fail – configuration not documented and no change logs

Solutions that integrate firewall, Unified Communications (voice/video) security, SSL and IPsec VPN, intrusion prevention (IPS), and content security services in a flexible, modular product. Firewalls provide a series of intelligent threat defense and secure communications services that stop attacks before they impact business continuity. Designed to protect networks of all sizes, firewalls enable organizations to lower their overall deployment and operations costs while delivering comprehensive multilayer security.

19. Wireless Security: Fail – inadequate documentation

Most WLAN hardware has gotten easy enough to set up that many users simply plug it in and start using the network without giving much thought to security. Nevertheless, taking a few extra minutes to configure the security features of your wireless router or access point is time well spent. Here are some of the things you can do to protect your wireless network:
1) Secure your wireless router or access point administration interface
Almost all routers and access points have an administrator password that's needed to log into the device and modify any configuration settings. Most devices use a weak default password like "password" or the manufacturer's name, and some don't have a default password at all. As soon as you set up a new WLAN router or access point, your first step should be to change the default password to something else. You may not use this password very often, so be sure to write it down in a safe place so you can refer to it if needed. Without it, the only way to access the router or access point may be to reset it to factory default settings, which will wipe away any configuration changes you've made.
2) Don't broadcast your SSID
Most WLAN access points and routers automatically (and continually) broadcast the network's name, or SSID (Service Set IDentifier). This makes setting up wireless clients extremely convenient, since you can locate a WLAN without having to know what it's called, but it will also make your WLAN visible to any wireless systems within range of it. Turning off SSID broadcast for your network makes it invisible to your neighbors and passers-by (though it will still be detectable by WLAN "sniffers").
3) Enable WPA encryption instead of WEP
802.11's WEP (Wired Equivalent Privacy) encryption has well-known weaknesses that make it relatively easy for a determined user with the right equipment to crack the encryption and access the wireless network. A better way to protect your WLAN is with WPA (Wi-Fi Protected Access). WPA provides much better protection and is also easier to use, since your password characters aren't limited to 0-9 and A-F as they are with WEP. WPA support is built into Windows XP (with the latest Service Pack) and virtually all modern wireless hardware and operating systems. A more recent version, WPA2, is found in newer hardware and provides even stronger encryption, but you'll probably need to download an XP patch in order to use it.
4) Remember that WEP is better than nothing
If you find that some of your wireless devices only support WEP encryption (this is often the case with non-PC devices like media players, PDAs, and DVRs), avoid the temptation to skip encryption entirely, because in spite of its flaws, using WEP is still far superior to having no encryption at all. If you do use WEP, don't use an encryption key that's easy to guess, like a string of the same or consecutive numbers. Also, although it can be a pain, WEP users should change encryption keys often, preferably every week.
5) Use MAC filtering for access control
Unlike IP addresses, MAC addresses are unique to specific network adapters, so by turning on MAC filtering you can limit network access to only your systems (or those you know about). In order to use MAC filtering you need to find (and enter into the router or AP) the 12-character MAC address of every system that will connect to the network, so it can be inconvenient to set up, especially if you have a lot of wireless clients or if your clients change a lot. MAC addresses can be "spoofed" (imitated) by a knowledgeable person, so while it's not a guarantee of security, it does add another hurdle for potential intruders to jump.
6) Reduce your WLAN transmitter power
You won't find this feature on all wireless routers and access points, but some allow you to lower the power of your WLAN transmitter and thus reduce the range of the signal. Although it's usually impossible to fine-tune a signal so precisely that it won't leak outside your home or business, with some trial and error you can often limit how far outside your premises the signal reaches, minimizing the opportunity for outsiders to access your WLAN.
7) Disable remote administration
Most WLAN routers have the ability to be remotely administered via the Internet. Ideally, you should use this feature only if it lets you define a specific IP address or limited range of addresses that will be able to access the router. Otherwise, almost anyone anywhere could potentially find and access your router. As a rule, unless you absolutely need this capability, it's best to keep remote administration turned off. (It's usually turned off by default, but it's always a good idea to check.)
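The seven recommendations above are exactly the kind of thing this check should verify against the access point's actual settings rather than against a questionnaire. The following is an added example, not from the assessment or from any vendor: an audit function in Python that takes an access-point configuration and returns one finding per recommendation it fails, run over two constructed configurations, one as shipped and one after the recommendations have been applied. The configuration keys (`admin_password`, `ssid_broadcast`, `encryption`, `mac_filtering`, `tx_power_percent`, `remote_admin`, `remote_admin_allowed_ips`, `vendor`) are an assumed representation, not a real export format.

```python
from typing import Dict, List

# Added example, not part of the assessment: the seven wireless recommendations
# expressed as an audit over an access-point configuration. The configuration
# keys are a constructed representation, not any vendor's export format.


def audit_wlan_config(cfg: Dict) -> List[str]:
    """Return findings, each numbered after the recommendation it corresponds to."""
    findings: List[str] = []
    # 1) administrator password still blank, the word "password", or the vendor name
    weak_admin = {"", "password", cfg.get("vendor", "").lower()}
    if cfg.get("admin_password", "").lower() in weak_admin:
        findings.append("1: administrator password is blank, 'password' or the vendor name")
    # 2) SSID broadcast
    if cfg.get("ssid_broadcast", True):
        findings.append("2: SSID broadcast is enabled")
    # 3)/4) encryption: WPA/WPA2 preferred, WEP tolerated only as a last resort, none never
    encryption = cfg.get("encryption", "none")
    if encryption == "none":
        findings.append("3/4: no encryption; enable WPA/WPA2, or WEP if devices support nothing better")
    elif encryption == "wep":
        findings.append("3: WEP in use; move to WPA/WPA2 and change the WEP key often meanwhile")
    # 5) MAC filtering
    if not cfg.get("mac_filtering", False):
        findings.append("5: MAC filtering is off")
    # 6) transmitter power
    if cfg.get("tx_power_percent", 100) >= 100:
        findings.append("6: transmitter at full power; reduce if coverage allows")
    # 7) remote administration without an allowed-address list
    if cfg.get("remote_admin", False) and not cfg.get("remote_admin_allowed_ips"):
        findings.append("7: remote administration enabled with no allowed-address restriction")
    return findings


# Constructed configurations: as shipped, and after applying the recommendations.
AS_SHIPPED = {
    "vendor": "ExampleVendor",
    "admin_password": "examplevendor",   # constructed default equal to the vendor name
    "ssid_broadcast": True,
    "encryption": "none",
    "mac_filtering": False,
    "tx_power_percent": 100,
    "remote_admin": True,
    "remote_admin_allowed_ips": [],
}

HARDENED = {
    "vendor": "ExampleVendor",
    "admin_password": "correct-horse-battery-staple-2009",   # constructed placeholder
    "ssid_broadcast": False,
    "encryption": "wpa2",
    "mac_filtering": True,
    "tx_power_percent": 50,
    "remote_admin": False,
    "remote_admin_allowed_ips": [],
}


if __name__ == "__main__":
    for line in audit_wlan_config(AS_SHIPPED):
        print(line)                          # six findings, one per failed recommendation
    print(audit_wlan_config(HARDENED))       # []
```

Recommendations 3 and 4 collapse into a single finding when no encryption is configured at all, and a WEP-only configuration produces a separate, softer finding, which mirrors the text's "better than nothing" position.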

 

20. Multiple Global Catalogs present if multiple AD servers present: Pass

A global catalog server is a Windows domain controller that has been assigned the global catalog server role. It contains a full read/write copy of the domain's schema and application partitions, just like any other Windows domain controller.
A global catalog server also contains a partial replica of all other domain partitions in the Active Directory (AD) forest. These partial replicas are read-only, and contain the most-queried attributes for each object in the AD forest. For example, replicas of user objects would contain commonly searched attributes like first name, last name, and email address.
At the Active Directory level, a global catalog server's biggest task is to facilitate the logon process. When a user initiates the logon process, the global catalog server provides the domain controller with the necessary universal group membership information. It also resolves User Principal Names (UPNs) when the domain controller involved in the authentication process has no knowledge of the account.
If a network's global catalog server fails, the only user who will be able to log on is the administrator. The exception to the rule: on extremely small networks, the Universal Group Membership Caching feature can be used in place of a global catalog server.
A global catalog server also performs a number of critical tasks at the Exchange Server level. For example, in order to send and receive email, both the Exchange server and the Microsoft Outlook client must be able to query a global catalog server.

 

21. Offsite tests against public network: Fail – multiple DNS test failures
   21.1 DNS
   21.2 Web

Public network checks verify proper configuration of public DNS records, propagation across DNS servers, public access to restricted areas, and the ability to make unauthorized changes.
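Two of the failed checks share one piece of tooling: item 10 (a local copy of DNS records with a change history) and the DNS propagation part of item 21 (do the public servers agree on the records?). The following is an added example, not from the assessment or from any DNS tool: Python functions that diff two zone snapshots into a change-history entry, and that compare the answers several servers returned to find records that have not propagated. The zone records (in the 203.0.113.0/24 documentation range) and the per-server answers are constructed inline; in practice they would come from a zone export and from queries against an authoritative server and a few resolvers.

```python
from typing import Dict, List, Tuple

# Added example, not part of the assessment, serving two checks: keeping a
# local copy of DNS records with a change history (item 10) and verifying that
# public DNS servers agree on those records (item 21). Zone data and per-server
# answers are constructed inline.

Record = Tuple[str, str, str]   # (name, type, value)


def diff_zone(old: List[Record], new: List[Record]) -> Dict[str, List[Record]]:
    """Records present only in `new` (added) or only in `old` (removed)."""
    old_set, new_set = set(old), set(new)
    return {"added": sorted(new_set - old_set), "removed": sorted(old_set - new_set)}


def record_change(history: List[Dict], old: List[Record], new: List[Record], when: str) -> List[Dict]:
    """Append a change-history entry only when the zone actually changed; return the history."""
    delta = diff_zone(old, new)
    if delta["added"] or delta["removed"]:
        history.append({"when": when, **delta})
    return history


def propagation_mismatches(answers: Dict[str, List[Record]]) -> Dict[Record, List[str]]:
    """answers: server -> records it returned. Result: record -> servers that did NOT return it."""
    every_record = set().union(*answers.values())
    mismatches: Dict[Record, List[str]] = {}
    for rec in sorted(every_record):
        missing = [srv for srv, recs in answers.items() if rec not in recs]
        if missing:
            mismatches[rec] = missing
    return mismatches


# Constructed zone snapshots before and after a server move.
ZONE_BEFORE: List[Record] = [
    ("example.com", "A", "203.0.113.10"),
    ("example.com", "MX", "10 mail.example.com"),
    ("www.example.com", "A", "203.0.113.10"),
]
ZONE_AFTER: List[Record] = [
    ("example.com", "A", "203.0.113.20"),
    ("example.com", "MX", "10 mail.example.com"),
    ("mail.example.com", "A", "203.0.113.25"),
    ("www.example.com", "A", "203.0.113.20"),
]

# Constructed answers from three servers; "resolver-b" is still serving the old www record.
ANSWERS: Dict[str, List[Record]] = {
    "authoritative": ZONE_AFTER,
    "resolver-a": ZONE_AFTER,
    "resolver-b": [("www.example.com", "A", "203.0.113.10") if r[0] == "www.example.com" else r
                   for r in ZONE_AFTER],
}


if __name__ == "__main__":
    history = record_change([], ZONE_BEFORE, ZONE_AFTER, "2009-01-10")
    print(history[0]["removed"])          # the two old A records
    for rec, servers in propagation_mismatches(ANSWERS).items():
        print(rec, "not returned by", servers)
```

A change-history entry is only written when something differs, so running the snapshot daily against the last stored copy produces a log of actual changes rather than a pile of identical dumps; the mismatch report points at the server that still answers with the pre-move address.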

Additional Notes: Too many Active Directory Domain Controllers. Two video servers need 2 GB of additional RAM each. Image server running out of hard drive space.

Copyright © 2009 Velocity IQ, LLC.
All Rights Reserved.