Documente Academic
Documente Profesional
Documente Cultură
OF
NATIONAL ELECTRONIC WEAPONS TECHNOLOGY (NEWT)
LANGLEY, DC
FEBRUARY 2012
PREPARED BY:
TRISHA ROSE
MANCHESTER, CT 06042
THE INFORMATION CONTAINED IN THIS REPORT WAS DERIVED FROM PROPRIETARY DATA
PROVIDED BY (Trisha Rose)
EXECUTIVE SUMMARY
i.
ii.
NEWT has requested the assessment. The assessment will take place between Jan.
9, 2011 and Feb. 8, 2011. This assessment is not an inspection, certification, or risk
analysis. The purpose of this assessment and particular methodology used is to
ensure that the company is as secure as possible in order to preserve the CIA of all
the information and research done at the facilities. The implementation of any of
our recommendations is strictly voluntary on their part and at the discretion of the
organizations management. The implementation of any recommendations
contained herein does not guarantee the elimination of all risks.
iii.
iv.
Some of the major findings during the assessment are Identification &
Authentication, Maintenance, and Training & Awareness. We have recommended
several solutions that include least privilege access control, setting up automatic
backups and updates and also awareness training sessions for the employees.
v.
I just want to take some time to personally thank Amy Rose, Kyle Rose, and Lynn
Rose for assisting me and my team during this assessment. Kevin McLaughlin was
the POC who helped with everything including when there was a problem. Please
feel free to contact the Team Leader, Trisha Rose, at 860-331-3339 if there are any
questions about the assessment.
TABLE OF CONTENTS
I.
INTRODUCTION
1
A. -
B. -
C. -
III.
INFOSEC ANALYSIS
8
8
B. Maintenance
IV.
CONCLUSION
0
I. INTRODUCTION
A. National Electronic Weapons Technology (NEWT) is a Research and Development
firm specializing in the development of Information Warfare tools. These include
virus attacks, electronic flooding techniques, logic bombs, and computer worms.
One hundred percent of NEWTs business is developing tools under contract for
the U.S. government. There are about 25 people who work for this company.
NEWTs main office is located in Langley, D.C. and this is also where the
assessment was performed.
B. NEWT has requested the assessment. The assessment will take place between Jan.
9, 2011 and Feb. 8, 2011. This assessment is not an inspection, certification, or risk
analysis. The purpose of this assessment and particular methodology used is to
ensure that the company is as secure as possible in order to preserve the CIA of all
the information and research done at the facilities. The assessment team gathered
information about the company via interviewing, system and process
demonstrations. Through the efforts of the team members to assess the situation as
fully as possible, three main security problems were identified along with several
solutions for each problem. These problems and solutions are explained in detail in
the InfoSec Analysis Section.
II.
SYSTEM DESCRIPTION
A. There is a Laboratory LAN that contains all of their current warfare tools and any
tools underdevelopment. The internet connection was established to keep up with
the increasing demands of their customers. The corporate network contains all of
the customers information.
B. The main underlying theme in NEWTs mission is creating computer warfare tools
for the government. The importance of this is to protect our country with the best
possible technology at all times.
ORGANIZATIONAL INFORMATION CRITICALITY
High weapons get into wrong hands, war could be started, weapons could be
used against the government
Medium company embarrassment, delay in tool development, loss of
customer(s), loss of money/time/information
Low inconvenience in performing job duties, annoyed customers
Confidentially If this information is released
Integrity If this information is modified
Availability If these resources are destroyed or made unavailable
Critical Information: Internet connection, corporate/lab connection, email, firewall,
tools.
Internet Connection
Corporate/Lab
Connection
Email
Firewall
Tools
High Watermark
Confidentiality
High
High
Integrity
Low
Medium
Availability
Low
Medium
Medium
High
High
High
High
Medium
Low
High
Medium
High
High
High
Confidentiality
High
High
Integrity
Low
Low
Availability
Low
Low
Medium
High
High
Low
High
Low
Low
High
Low
High
High
High
III.
INFOSEC ANALYSIS
IV.
CONCLUSION
A. The INFOSEC posture of the company does need some attention. A majority of
findings resulted from a lack of documented policies and procedures as well as
employee practices. This company could greatly improve their security posture by
taking in consideration the enclosed recommendations.
B. Money can indeed be an issue, especially when integrating new policies,
procedures or employee practices within the company for the first time. Taking the
time and money to ensure the company is secure is extremely important. It can
avoid a major crisis from happening later which will be a lot more costly. If a
warfare tool is released to the public or an enemy of the government (i.e.
customer) than the company could have much more than just financial problems on
their hands. Securing the company covers the companys tracks in more than just a
financial way; it benefits the company by ensuring your products stay with the
company and their customer.
C. While the changes that are recommended can greatly help the company, they are in
no way required for the company to implement. The recommendations our
assessment team gives are recommendations to improve the companys overall
security posture and that is all. Implementation of these recommendations should
be at the discretion of the companys management.
D. While this report has mostly been about what the company can do to increase their
security postures, there are a lot of things that this company does not have to do.
The company was right to install the firewall when creating the connection to the
internet to help keep up with customer demands. Also, ensuring that there is an
anti-virus protection on every computer was also a good move. Without that, the
system could get seized and the company would lose control over their assets.
E. If there are any further questions or comments, please feel free to contact the Team
Leader, Trisha Rose, at 860-331-3339 or trirose@uat.edu. The Team Leader will
help to resolve any issues you may have post-assessment.