NIST Retail

Date post: 03-Jun-2018

Upload: yogesh-shahdadpuri
  • 8/11/2019 NIST Retail

    1/48

    Risk Assessment Report for Dinny Hall Retail Mart

    1

    Dinny Hall Retail Mart
    MBA-ITBM
    Batch: 2013-2015
    Prepared By: Group 1 (Div. C)
    Ambrish Anand (13030241100)
    Ankit Bajaj (13030241102)
    Dipesh Golwala (13030241104)
    Pratik Patil (13030241118)
    Yogesh Shadapuri (13030241139)

    Risk Assessment Report on Microsoft Retail Management System using NIST


    Table of Contents

    1. Introduction ... 4
    2. Risk Assessment Approach ... 5
    3. IT System Characterization ... 6
    4. Risk Identification ... 10
    5. Control Analysis ... 15
    6. Risk Likelihood ... 29
    7. Risk Impact Analysis ... 34
    8. Overall Risk Assessment Determination ... 35
    9. Recommendations ... 37
    10. Result Documentation ... 39


    List of Tables

    Table A: IT System Inventory and Definition

    Table B: Threats Identified

    Table C: Threats, Vulnerabilities and Risk

    Table D: Security Controls

    Table E: Risks-Controls-Factors Correlation

    Table F: Risk Likelihood Ratings

    Table G: Risk Impact Analysis

    Table H: Overall Risk Rating Matrix

    Table I: Overall Risk Ratings Table

    Table J: Recommendations

    Table K: Risk Assessment Matrix


    1. INTRODUCTION

    1.1 Purpose

    The purpose of this risk assessment is to evaluate the adequacy of the IT security of the Dinny Hall Supermarkets Microsoft Dynamics Retail Management System (RMS). RMS offers small and midsize retailers a complete point of sale (POS) solution that can be adapted to meet unique requirements. This powerful software package automates POS processes and store operations, provides centralized control for multi-store retailers, and integrates with Microsoft Office system programs, Microsoft Dynamics GP, and other popular applications. This risk assessment provides a structured qualitative assessment of the RMS operational environment. It addresses threats, vulnerabilities, risks, impacts and safeguards. The assessment recommends cost-effective safeguards to mitigate the threats and associated exploitable vulnerabilities identified in Dinny Hall's RMS system.

    1.2 Scope

    The scope of this risk assessment report is to assess the system's use of resources and controls (implemented or planned) to eliminate and/or manage vulnerabilities exploitable by threats internal and external to the retail domain. If exploited, these vulnerabilities could result in:

    - Unauthorized disclosure of data (customer-sensitive information)
    - Unauthorized modification to the system, its data, or both
    - Denial of service or of access to data, or both, to authorized users

    This Risk Assessment Report evaluates the confidentiality (protection from unauthorized disclosure of system and data information), integrity (protection from improper modification of information) and availability (loss of system access) of the system. The recommended security safeguards will allow management to make decisions about security-related initiatives.


    2. RISK ASSESSMENT APPROACH

    This risk assessment was conducted using the methodology and guidelines in NIST SP 800-30, Risk Management Guide for Information Technology Systems. The assessment is broad in scope and evaluates security vulnerabilities affecting confidentiality, integrity and availability. The assessment recommends appropriate security safeguards, permitting management to make knowledge-based decisions about security-related initiatives. The methodology addresses the following types of controls:

    - Management Controls: Management of the Information Technology (IT) security system and the management and acceptance of risk.
    - Operational Controls: Security methods focusing on mechanisms implemented and executed primarily by people (as opposed to systems), including all aspects of physical security, media safeguards and inventory controls.
    - Technical Controls: Hardware and software controls providing automated protection to the system or applications (technical controls operate within the technical system and applications).

    The NIST RMF, illustrated in Figure 1, provides the covered entity with a disciplined, structured, extensible, and repeatable process for achieving risk-based protection related to the operation and use of information systems and the protection of EPHI. It represents an information security life cycle that facilitates continuous monitoring and improvement in the security state of the information systems within the organization.

    The flexible nature of the NIST RMF allows other communities of interest to use the framework voluntarily, either with the NIST security standards and guidelines or with industry-specific standards and guidelines. The RMF provides organizations with the flexibility needed to apply the right security controls to the right information systems at the right time to adequately protect the critical and sensitive information, missions, and business functions of the organization.


    Figure 1. NIST RMF

    The risk assessment methodology encompasses nine primary steps, which are described below:

    Step 1 - System Characterization
    Step 2 - Threat Identification
    Step 3 - Vulnerability Identification
    Step 4 - Control Analysis
    Step 5 - Likelihood Determination
    Step 6 - Impact Analysis
    Step 7 - Risk Determination
    Step 8 - Control Recommendations
    Step 9 - Results Documentation

    3. IT SYSTEM CHARACTERIZATION

    The purpose of this step is to identify the IT system and define the risk assessment boundary, components and data sensitivity.


    Table A: IT System Inventory and Definition

    I. IT System Identification and Ownership

    IT System ID: IMS
    IT System Common Name: Inventory Management System (IMS)
    Owned by: Dinny Hall Retail Mart
    System Owner: Chris Chapman
    System Administrator: Ant Corrie
    Data Owner: William Gomes
    Data Custodian: Ant Corrie, Evans Thomas

    II. IT System Boundary and Components

    IT System Description and Components:
    - Operating System: Windows Server 2008.
    - Two servers running Windows Server 2008.
    - The backup server operates when the main server fails.
    - The database and backup database are attached to the server.
    - The Payment, Inventory and Supply Chain systems access the relevant data from the server.

    IT System Interface: TeraData
    - This system ensures data transmission among the different network entities.
    - All the security aspects of data transfer are handled by TeraData.
    - Employee access rights are defined by TeraData.
    - Initial user IDs and passwords are generated by this system.

    III. IT System Interconnections

    Agency or org: Retail management services
    IT system name: Bill Payment system (BPS)
    IT System owner: Chris Chapman
    Interconnect security agreement summary: No formal agreement required, as the system has a common owner.


    Table A (continued)

    III. IT System Interconnections (continued)

    Agency or org: Retail management services
    IT system name: Stock management system (SMS)
    IT System owner: Chris Chapman
    Interconnect security agreement summary: No formal agreement required, as the system has a common owner.

    Data sensitivity (Type of data / Confidentiality / Integrity / Availability):

    Type of data: Financial data
    Confidentiality: High. May lead to unauthorized transactions and fiscal loss to the customer, thereby harming the company's reputation.
    Integrity: High
    Availability: Low

    Type of data: Stock details
    Confidentiality: High. If leaked, competitors can misuse them.
    Integrity: High
    Availability: High

    Diagram of the system and network architecture, including all components of the system and communications links connecting the components of the system, associated data communications and networks:

    Figure 1: IT System Boundary Diagram (Interconnected Retail Environment)


    Information Flow Diagram: [figure]

    Security Structure: [figure] Information sent from main outlet to RMS division data center


    4. RISK IDENTIFICATION

    The purpose of this step is to identify the risks existing in the system. Risks occur when vulnerabilities in the IT system or its environment can be exploited by threats.

    4.1 Identification of Vulnerabilities

    The following vulnerabilities were identified:

    - Weak encryption standard is a vulnerability for the RMS system. It threatens the CIA (confidentiality, availability, integrity) aspects of the organization. The encryption standard is not compliant with the PCI DSS standards (wireless eavesdropping, wired eavesdropping).
    - Absence of network monitoring systems.
    - Absence of processing logs.
    - No purging of old data.
    - Storage of critical information in unencrypted format.
    - Certain inventory items do not have their details fed into the system, though they are present in the stock, so there are risks of theft and other manipulations in which staff may be involved.
    - The supply chain management system did not comply with security standards.
    - The transaction systems and other network-connected hardware devices handling sensitive information used the same usernames and passwords across DH stores nationwide.
    - Maintenance hurdles at remote sites due to lack of technical expertise.
    - No timely security patches on in-house systems.
    - Exposure to cyber-attacks through connections with a diverse set of networks: in-house, corporate and public.

    4.2 Identification of Threats

    The following threats were identified:

    - Any hacker or intruder may gain easy access to critical information because of the weak encryption standards implemented.
    - If any intrusion happens, it would not be detected because of the inadequate network monitoring system.
    - Detection of login details would not be possible because of the absence of processing logs, so if any security incident happens, the source would not be traceable.
    - In case of a security breach, the critical data would be easily accessible, as it is present in unencrypted format.
    - VPN accounts assigned to former employees, which the system administrator did not close after the employees' service was terminated, can become a gateway for hacker intrusion.
    - The risk of a system in the SCM getting hacked, thus revealing inventory details to hackers who can sell this information to the competitors of DINNY HALL Supermarket.
    - The transaction systems and other network-connected hardware devices handling sensitive information used the same usernames and passwords across stores nationwide. An attacker who compromised a system in one store could access the same device at every DH store nationwide.
    - Loopholes in the inventory management system would compromise the traceability of products kept in the retail store.
    - Systems connected to a network, internal or public, are susceptible to malware attacks.
    - Stealing of credit card information and other sensitive customer data.

    The threats identified are listed in the table below:

    Table B: Threats Identified

    - Wireless eavesdropping
    - Power loss
    - Communication failure
    - Wired eavesdropping
    - Tornadoes
    - Work place violence
    - Spoofing
    - Floods
    - DOS Attack
    - Stored data manipulation
    - Bomb threat
    - Rioting
    - Lost or stolen device
    - Malware Attacks
    - Robbery
    - Earthquake
    - Fire
    - Cyber terrorism


    4.3 Identification of Risks

    The following risks were identified:

    - Poor network security would put the critical information of the company at risk.
    - Access control mismanagement would risk the disclosure of company details.
    - Failures in hardware devices may lead to permanent loss of data.
    - Disgruntled employees may cause loss of critical company decisions and policies.
    - Active VPN accounts of ex-employees would result in unauthorized access and put critical information at risk.
    - Loss of financial information would affect the company image.
    - Loss of inventory details would give an undue advantage to competitors.
    - Natural calamity would hamper the business.
    - Loss of business details would reveal strategies and hamper the long-term goals.

    Table C: Threats, Vulnerabilities and Risk (Risk No. / Vulnerability / Threat / Risk of Compromise of / Risk Summary)

    Risk 1
    Vulnerability: Improper handling of financial data of the company.
    Threat: Loss of confidential data. May lose some important financial ledgers and balance sheets internally.
    Risk of compromise of: Financial data
    Risk summary: Loss of financial data, having severe impact on the company's brand image.

    Risk 2
    Vulnerability: Unencrypted data and details of employees.
    Threat: Unethically updating details of employees.
    Risk of compromise of: Misuse of employees' details
    Risk summary: Loss of employee details.

    Risk 3
    Vulnerability: Accidental damage to business.
    Threat: A situation from which the company can't recover.
    Risk of compromise of: Discontinuity of services
    Risk summary: Business plan.

    Risk 4
    Vulnerability: Not well planned architecture of the company.
    Threat: Loss of data.
    Risk of compromise of: Loss of resources, data and other things which are important
    Risk summary: Natural calamities like earthquake, hurricane etc.


    Risk 5
    Vulnerability: Water leakage near the server room.
    Threat: Threat of fire.
    Risk of compromise of: Availability and integrity of retail data
    Risk summary: Water leakage may cause a short-circuit leading to an outbreak of fire.

    Risk 6
    Vulnerability: No proper access control for employees.
    Threat: Lack of access control can be misused, leading to incidents such as data theft.
    Risk of compromise of: Confidentiality and integrity of retail data
    Risk summary: Unauthorized access control.

    Risk 7
    Vulnerability: Poor network security.
    Threat: Weak firewall, outdated anti-virus etc.
    Risk of compromise of: Confidentiality and integrity of retail data
    Risk summary: Denial of service attack via dummy packets.

    Risk 8
    Vulnerability: Unsecure remote access.
    Threat: Multiple access points.
    Risk of compromise of: Due to this the data can be shared with others.
    Risk summary: Masquerading access points.

    Risk 9
    Vulnerability: Encryption standard is not compliant with the PCI DSS standards.
    Threat: Wireless eavesdropping, wired eavesdropping, spoofing etc. may be the outcome of exploiting this vulnerability.
    Risk of compromise of: Confidentiality and integrity of retail data
    Risk summary: Spoofing.

    Risk 10
    Vulnerability: Physical access controls not implemented.
    Threat: Unauthorized people gaining access to the organization.
    Risk of compromise of: Tailgating and hence loss of confidential data
    Risk summary: Tailgating.

    Risk 11
    Vulnerability: Hardware failure.
    Threat: Important confidential customer data may be lost or corrupted.
    Risk of compromise of: Confidentiality and integrity of retail data
    Risk summary: Power loss.

    Risk 12
    Vulnerability: VPN accounts of ex-employees still in use.
    Threat: Unauthorized access.
    Risk of compromise of: Confidentiality and integrity of retail data
    Risk summary: VPN account of ex-employee compromised.

    Risk 13
    Vulnerability: Lack of proper security practices.
    Threat: Accessible to hackers.
    Risk of compromise of: Easily accessible to hackers
    Risk summary: Hacking.

    Risk 14
    Vulnerability: Customer-sensitive data and passwords were also stored unencrypted.
    Threat: Misuse of confidential customer data.
    Risk of compromise of: Confidentiality and integrity of retail data
    Risk summary: Unencrypted passwords increase the chances of security breaches in the system.

    Risk 15
    Vulnerability: Disgruntled employees.
    Threat: Work place violence, execution of system sabotage.
    Risk of compromise of: Confidentiality and integrity of retail data
    Risk summary: Loss or theft of USB drives could result in compromise of confidentiality of DH data.

    Risk 16
    Vulnerability: The transaction systems and other network-connected hardware devices handling sensitive information used the same usernames and passwords across DH stores nationwide.
    Threat: If the hacker gets through the network security walls of one system, he can do so for the other systems too.
    Risk of compromise of: Confidentiality and integrity of retail data
    Risk summary: Compromise of unexpired/unchanged passwords could result in compromise of confidential business data.

    Risk 17
    Vulnerability: Lack of proper physical security.
    Threat: Robbery.
    Risk of compromise of: Money, shop items
    Risk summary: Lack of adequate physical security leads to robbery, which in turn leads to physical injury.


    5. CONTROL ANALYSIS

    The purpose of control analysis is to provide a report about the control measures implemented and the control policies that are planned. These are then matched against the risks to identify which risks need to be addressed and which can be accepted by the organization.

    Table D: Security Controls (Control Area / In-place or Planned / Description of Controls)

    1. Risk Management

    1.1 IT Security Roles and Responsibilities (Planned): Required IT security roles have been assigned. A CIO has been appointed, who has assigned roles to individuals.

    1.2 Business Impact Analysis (In Place): DH management and staff conducted and documented a BIA. It needs to be reviewed annually, and this was done.

    1.3 IT System & Data Classification (In Place): DH should know how much data it should store. There should be provision to store customer-sensitive information separately from other data. In short, classification of data should be in place.

    1.4 IT System Inventory & Definition (In Place): DH maintains an inventory of sensitive IT data that contains crucial customer information. This also includes the stock level and inventory detail included in the risk assessment report. System definition also forms a part of this report.

    1.5 Risk Assessment (In Place): This report documents the risk assessment of DH in April 2012.

    1.6 IT Security Audits (In Place): IT security audit is handled by Mark Smith, Internal Audit Director at DH. An internal audit is planned annually.

    2. Contingency Planning

    2.1 Continuity of Operations Planning (In Place): Ant Corrie is the coordinator of the DH Continuity of Operations Plan (COOP). The DH COOP identifies all personnel required for its execution, includes personnel required for recovery of the DH, and includes emergency declaration, notification and operations procedures. The COOP document is classified as sensitive; access to this document is restricted to COOP team members, and a copy of the COOP is stored off site at Data Recovery Services, Inc., DH's recovery site partner. The DH COOP, including components relating to the DH, is currently being updated as a result of the COOP exercise; completion is expected by Dec 2013.

    2.2 IT Disaster Recovery Planning (In Place): A Disaster Recovery Plan (DRP) and Business Continuity Plan (BCP) for the DH have been documented and approved by the Security Commissioner, Marlin Luther. This plan calls for recovery of the DH within 48 hours at a cold site maintained by Data Recovery Services, Inc. (DRSI). In order to support 24-hour recovery of DH during budget preparation, the contract with DRSI includes 24-hour recovery during this period.

    2.3 IT System and Data Backup & Restoration (In Place): DH has a backup and restoration plan, documented and approved by Chris Chapman, the DH system owner. This plan calls for:
    a. Daily full and monthly incremental backups, and review of the backup logs of DH data by operations staff.


    3. IT Systems Security

    3.1 IT System Hardening (In Place): DH systems use the Windows 7, Windows Server 2008 and Oracle 10g benchmarks from the Center for Internet Security (CIS). Chris Chapman, the BFS system owner, has approved the recommendations regarding the benchmarks. DH operations staff will determine whether the CIS benchmarks continue to provide appropriate protection by carrying out vulnerability scans.

    3.2 IT System Interoperability Security (In Place): The RMS system in DH interacts with the payment system, the inventory system and the POS system. The data sharing is described in the risk assessment report. Chris Chapman is the system owner of the retail system, the POS system and the inventory system; therefore no written data sharing agreement is required.

    3.3 IT System Development Life Cycle Security (Planned): The DH risk assessment team analyses all its software in the various stages of its life cycle with regard to security compliance. As documented throughout this risk assessment report, the DH risk assessment team conducts and documents a formal risk assessment of the DH every three years.

    3.4 Malicious Code Protection (Planned): DH has a few antivirus products installed on the systems and network servers. This software does the following:
    1) Protects the system from malicious programs
    2) Scans files retrieved from various sources
    3) Maintains logs of protection activities
    4) Allows the administrator to modify the configuration
    The Acceptable Use Policy, under development, will prohibit DH users from intentionally developing or experimenting with malicious programs and from knowingly propagating malicious programs. This policy is scheduled to be completed in October 2012.

    4. Logical Access Control

    4.1 Account Management (Planned): The following policies need to be implemented:
    - Access levels are to be granted on the basis of least privilege.
    - Any change in access levels should be done with the permission of Chris Chapman and Ant Corrie.
    - Any account unused for 60 days should be locked. Unlocking of the account should be done with the permission of George Mathew.
    - Account monitoring should be done. A detailed report should be made to identify any unusual account access.

    4.2 Password Management (In Place):
    - Passwords expire after 60 days.
    - Every password requires 4 alphanumeric characters, 3 numeric characters and 1 special character.
    - New and old passwords should not have more than 5 characters in common.
    - Use of different passwords at different stores.
    - High encryption standards for database passwords.
    - Use of a standard procedure for handling the initial user ID and password. The user is required to change the password at first login.

    4.3 Remote Access (In Place):
    - A VPN account monitoring system should be established.
    - Old VPN accounts should be locked.
    - Logs should be maintained that contain VPN account access information.
    - Access levels for different VPN accounts should be defined.
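    Controls 4.1 and 4.2 are stated as rules; the Python below, added here as an example and not part of the report or of Microsoft RMS, turns them into checks an administrator could run over an account export before the periodic account review. The function names are assumptions, as are the readings of the report's wording: "4 alphanumeric characters" is taken as at least 4 letters, "3 numeric" as at least 3 digits, "1 special" as at least 1 punctuation character, "more than 5 characters in common" is measured as the longest shared contiguous substring, and the 60-day limits are read as strictly more than 60 days. The usernames, dates and passwords are constructed sample data.

```python
"""Checks for the password and account rules in controls 4.1 and 4.2.

Added example (not the report's or Microsoft RMS's code). Assumed readings of
the report's wording, flagged where used:
  - "4 alphanumeric characters" is taken as at least 4 letters, "3 numeric" as
    at least 3 digits and "1 special" as at least 1 punctuation character.
  - "not more than 5 characters in common" is measured as the longest shared
    contiguous substring, compared case-insensitively.
  - "expire after 60 days" / "unused for 60 days" mean strictly more than 60 days.
"""
from datetime import date
import string
from typing import Optional

MAX_PASSWORD_AGE_DAYS = 60   # control 4.2: password expiry
MAX_ACCOUNT_IDLE_DAYS = 60   # control 4.1: lock unused accounts
MAX_COMMON_SUBSTRING = 5     # control 4.2: overlap with previous password (assumed metric)


def longest_common_substring(a: str, b: str) -> int:
    """Length of the longest contiguous run shared by a and b, case-insensitive."""
    a, b = a.lower(), b.lower()
    best = 0
    prev = [0] * (len(b) + 1)            # previous row of the DP table
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1  # extend the run ending at a[i-2], b[j-2]
                best = max(best, cur[j])
        prev = cur
    return best


def password_violations(new_pw: str, old_pw: Optional[str] = None) -> list:
    """Rules of control 4.2 that the candidate password breaks; empty list means compliant."""
    problems = []
    letters = sum(c.isalpha() for c in new_pw)
    digits = sum(c.isdigit() for c in new_pw)
    specials = sum(c in string.punctuation for c in new_pw)
    if letters < 4:
        problems.append("fewer than 4 letters")
    if digits < 3:
        problems.append("fewer than 3 digits")
    if specials < 1:
        problems.append("no special character")
    if old_pw is not None and longest_common_substring(new_pw, old_pw) > MAX_COMMON_SUBSTRING:
        problems.append("more than 5 characters in common with previous password")
    return problems


def password_expired(last_changed: str, today: str) -> bool:
    """Control 4.2: a password set more than 60 days ago (ISO dates) has expired."""
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age.days > MAX_PASSWORD_AGE_DAYS


def accounts_to_lock(last_logins: dict, today: str) -> list:
    """Control 4.1: accounts with no login for more than 60 days, to be locked.

    last_logins maps username -> ISO date of last login (e.g. from a directory or VPN export).
    """
    cutoff = date.fromisoformat(today)
    return sorted(user for user, seen in last_logins.items()
                  if (cutoff - date.fromisoformat(seen)).days > MAX_ACCOUNT_IDLE_DAYS)


if __name__ == "__main__":
    # Constructed sample data, not taken from the report.
    sample_logins = {
        "store12-pos": "2013-05-30",
        "acorrie": "2013-03-01",              # idle 92 days: lock
        "former-employee-vpn": "2012-11-15",  # idle since last year: lock
    }
    print("lock:", accounts_to_lock(sample_logins, "2013-06-01"))
    print("reuse check:", password_violations("Summer2013!", old_pw="Summer2012!"))
    print("weak:", password_violations("password"))
    print("expired:", password_expired("2013-03-01", "2013-06-01"))
```

    The substring measure is chosen over a simple count of shared characters because it catches the common pattern of bumping a digit in an otherwise unchanged password, which is exactly the reuse the "5 characters in common" rule is meant to stop; the dormant-account list is the input to the lock step that control 4.1 assigns to George Mathew's approval.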

    5. Personnel Security

    5.1 Access Determination and Control (Planned):
    - Access control needs to be implemented as per work area and hierarchy.
    - Access rights for people working in the SCM and Payment systems should be separated.

    5.2 IT Security Awareness and Training (Planned):
    - Employee security awareness training should be conducted on an annual basis.
    - Security training should be provided to newly joined employees.

    6. Threat Management

    6.1 Threat Detection (In Place; Planned; Planned): Ant Corrie is the head of threat detection. The components of threat detection are:
    1. Regular training sessions for employees on IT security.
    2. Regular monitoring of the IT system.
    3. Regular evaluation of security awareness among employees.

    6.2 Incident Handling (Planned): The following measures are suggested to be implemented:
    1. Protocols for handling security incidents
    2. Establishment of a dedicated team to prevent and handle cyber attacks
    3. Identifying different levels of security incident and chalking out preventive measures for each
    4. Establishing a hierarchy for the reporting process in case of a security incident

    6.3 Security Monitoring & Logging (Planned):
    1. Development of logging capabilities and review procedures
    2. Enabling logging and retention of logs for 60 days
    3. Monitoring of security logs and reporting to the security team in case of a security incident

    7. IT Asset Management

    7.1 IT Asset Control (In Place): Personal data storage devices are not allowed on company premises. All devices have a unique ID, and the Device Record has an entry for every device under its unique ID. Any allocation of new devices or change in the position of devices should be done with the permission of George Mathew and should also be recorded in the Device Record.

    7.2 Software License Management (In Place): Documented policies require the use of only DH (Dinny Hall Retail Mart) approved software on its IT systems and require annual reviews of whether all software is used in accordance with license requirements. All software used at Dinny Hall Retail Mart is appropriately licensed.

    7.3 Configuration Management & Change Control (In Place): Creation and management of an IT assets record. The record should have entries for all IT assets and their valuation. Security practices appropriate to the valuation of the device are implemented. Any change in the IT environment (intentional or accidental) should be immediately reported to George Mathew.


    The identified risks are associated with the relevant controls in a Risk-Controls Table (Table E), below. This correlation determines whether controls exist that respond adequately to the identified risks.

    Table E: Risks-Controls-Factors Correlation (Risk No. / Risk Summary / Correlation of Relevant Controls & Other Factors)

    1. Loss of financial data, having severe impact on the company's brand image: Overall security enforcement in DH is being worked upon. Loopholes are being analyzed and documented.

    2. Loss of employee details: Encryption standards and system security controls are being focused upon.

    3. Business plan: DH is coming up with compliance in BCP and DRP to ensure uninterrupted business procedures.

    4. Natural calamities like earthquake, hurricane etc.: There are no controls relevant to this risk; neither are there any mitigating or exacerbating factors. DH management has accepted this risk. However, BCP and DRP are being focused upon to ensure speedy recovery.

    5. Water leakage may cause short-circuit leading to eruption of fire: There are no controls relevant to this risk; neither are there any mitigating or exacerbating factors. DH management has accepted this risk.

    6. Unauthorized access control: Controls 4.2 and 7.1 determine the security measures against unauthorized access. These policies are ad hoc rather than role-based.


    7. Denial of service attack via dummy packets: Intrusion control measures have been included in the control analysis documentation. An Intrusion Prevention System (IPS) is yet to be implemented in the system.

    8. Masquerading access points: Masquerading access points are difficult to detect and have often succeeded in fooling system users. No controls have so far been effectively implemented against this.

    9. Spoofing: Spoofing is the creation of TCP/IP packets using somebody else's IP address. The DH firewall protects the system from spoofing; however, it fails to give consistent resistance against spoofing.

    10. Tailgating: Control 7.1 takes into account the various risk factors against unauthorized entry of people into restricted-entry zones. This control has not been consistently followed, posing a greater security threat.

    11. Stored data manipulation: Stored data can be manipulated by employees from the inventory. RFID tracking and updating in the corresponding system can help prevent this. This strategy is yet to be implemented in DH.

    12. Power loss: Power loss may result in loss of crucial data from the system during the process of transition. Proper backup systems are being worked upon in order to avoid this.

    13. VPN account of ex-employee compromised: Controls 4.1 and 7.1 are in place for closing unneeded and unused user accounts, but are not enforced. A mitigating factor is that the risk depends on gaining access to the client application.

    14. Hacking: Hacking is difficult to prevent due to various flaws present in DH's core systems. Network security controls are being enforced in DH.

    15. Unencrypted password increases the chances of security breaches in the system: Effectiveness of controls requiring encryption of passwords is low, as these controls have not been followed.

    16. Loss or theft of USB drives could result in compromise of confidentiality of BFS data: Effectiveness of controls prohibiting storage of sensitive data on USB drives is low, as these controls have not been followed. Threat source capability is high, as such USB drives are frequently lost or stolen.

    17. Compromise of unexpired/unchanged passwords could result in compromise of confidential business data: Password management controls, such as changing the password within a certain number of days, requiring a minimum password length and requiring a mixture of letters, numbers and special characters, are emphasized.

    18. Lack of adequate physical security leads to robbery which in turn leads to physical injury: Posting signs stating that the cash register only contains minimal cash, along with periodic patrolling by a security officer, are emphasized.


6. RISK LIKELIHOOD DETERMINATION

The purpose of this step is to assign a likelihood rating of high, moderate or low to each risk. This rating is a subjective judgment based on the likelihood that a vulnerability might be exploited by a threat.

Table F: Risk Likelihood Ratings

Risk No. | Risk Summary | Risk Likelihood Evaluation | Risk Likelihood Rating
1 | Loss of confidential data | There are adequate protections implemented to avoid this incident, but it depends on the occurrence of and compliance with core security controls by the organization. | High
2 | Loss of staff details | Loss of staff details may not be that crucial to the organization unless it involves compromise of data such as credit card numbers etc. | Moderate
3 | Business plan | The business plan of DH can be of immense value to its competitors. It can be of major utility in sabotaging its business strategies, thus leading to a fall in its market position. | High

4 | Natural calamities like earthquake, hurricane etc. | There is no control against these calamities in DH, so the effectiveness of controls is low. | Low
5 | Water leakage may cause a short circuit leading to eruption of fire. | There are no controls against water damage to DH from the wet-pipe sprinkler system in the event of a fire, so the effectiveness of controls is low. The likelihood of fire in DH is moderate. | Moderate
6 | Unauthorized access control | Unauthorized access control can lead to confidential data loss or theft. The likelihood of this incident is moderate in DH. | Moderate
7 | Denial of service attack via dummy packets | The controls in place to avert these attacks are very poor. The likelihood of this incident is high in DH. | High
8 | Masquerading access points | Masqueraded access points are difficult to detect and have often succeeded in fooling the system users. No controls have so far been effectively implemented against this. The likelihood of this incident is high in DH. | High

9 | Spoofing | The DH firewall protects the system from spoofing; however, it fails to give consistent resistance against spoofing. The likelihood of this incident is moderate in DH. | Moderate
10 | Tailgating | Controls against tailgating/unauthorized physical access have been a neglected issue, thus posing a greater security threat. Such an incident can lead to data theft or loss from the system due to the presence of intruders in entry-restricted zones. | High
11 | Stored data manipulation | Stored data can be manipulated by employees or outsiders from the inventory. | High
12 | Power loss | Power loss may result in loss of crucial data from the system during the process of transition. Proper backup systems are yet to be installed. The likelihood of this incident is moderate. | Moderate

13 | VPN account of ex-employee compromised | Effectiveness of controls for closing user accounts is low, as unneeded user IDs exist on DH systems. Threat source capability is also low, as the risk is dependent on learning a user ID and password and gaining access to the client application. There appear to be adequate protections against this risk. | Moderate
14 | Hacking | Due to lack of proper system security control implementation in DH, hacking risks are always on the greater side due to the presence of many loopholes. | High
15 | Unencrypted password increases the chances of security breaches in the system | Unencrypted or weakly encrypted passwords are easily hacked with little effort. | High
16 | Loss or theft of USB drives could result in compromise of confidentiality of DH data | Threat source capability is high, as such USB drives are frequently lost or stolen. | High

17 | Compromise of unexpired/unchanged passwords could result in compromise of confidential business data | Employees and system users many times do not comply with password norms, leading to weak system security. | High
18 | Lack of adequate physical security leads to robbery, which in turn leads to physical injury. | No installation of panic buttons to notify security officials quickly, and no security guard(s), can give way to robbery. | Moderate


7. RISK IMPACT ANALYSIS

The purpose of this step is to assign an impact rating of high, moderate or low to each risk identified in Table C. The impact rating is determined based on the severity of the adverse impact that would result from an occurrence of the risk.

Table G: Risk Impact Analysis

Risk No. | Risk Summary | Risk Impact | Risk Impact Rating
1 | Loss of financial data, having severe impact on the company's brand image | The image of the company is hampered. | High
2 | Loss of employee details | Managing and collecting all the data again is difficult. | Moderate
3 | Business plan | A competitive rival may get the company's plan. | High
4 | Natural calamities like earthquake, hurricane etc. | Damage to the infrastructure of the company. | Low
5 | Fire would activate the water sprinkler system, thereby causing water damage | It causes a sudden loss of electricity at Dinny Hall, or a short circuit which hits the computers. | Moderate
6 | Unauthorized access control | Important data may be hacked by hackers, or some confidential data of the company may be lost. | Moderate
7 | Denial of service attack via dummy packets | Cyber-attack, or it may cause viruses in the computers which corrupt the data or update wrong data. | High
8 | Masquerading access points | Hackers update the information stored in the system automatically from the access point. | High
9 | Spoofing | Unauthorized data sent to the system by gaining access through the firewall. | Moderate
10 | Tailgating | Unauthorized access to critical work places, leading to a breach of confidentiality and security. | High
11 | Stored data manipulation | Manipulating data means changes in data which is important from a confidentiality point of view, bringing the system into the danger zone. | High
12 | Power loss | Loss of unsaved important data, data corruption. | Moderate
13 | VPN account of ex-employee compromised | It may be misused by the ex-employee to steal confidential data. | Moderate

14 | Hacking | Viruses, malware creation which corrupt data or update unauthorized data. | High
15 | Unencrypted password increases the chances of security breaches in the system | Easily detected, and hackers can gain access to the system. | High
16 | Loss or theft of USB drives could result in compromise of confidentiality of DH data | Loss of important confidential data, or it is stolen by rivals or hackers. | High
17 | Old passwords | Easily detected and can be hacked by hackers. | High
18 | Robbery | Unavailability of adequate physical security measures leads to the occurrence of easy robbery. | High

8. OVERALL RISK DETERMINATION

The purpose of this step is to calculate an overall risk rating of high, moderate or low for each risk identified in Table C. The risk rating must be based on both the likelihood of the risk occurring and on the impact to the COV should the risk occur.

Table H: Overall Risk Rating Matrix

Risk Likelihood | Impact: Low (10) | Impact: Medium (50) | Impact: High (100)
High (1.0) | Low Risk (10 x 1.0 = 10) | Medium Risk (50 x 1.0 = 50) | High Risk (100 x 1.0 = 100)
Medium (0.5) | Low Risk (10 x 0.5 = 5) | Medium Risk (50 x 0.5 = 25) | Medium Risk (100 x 0.5 = 50)
Low (0.1) | Low Risk (10 x 0.1 = 1) | Low Risk (50 x 0.1 = 5) | Low Risk (100 x 0.1 = 10)


Risk Scale: Low (1 to 10), Moderate (>10 to 50), High (>50 to 100)

A risk rating is assigned to each risk identified and listed in Table C. The risk rating of each individual risk was calculated using the guidance provided in NIST SP 800-30.
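The matrix of Table H and the risk scale above, applied to the rows of Table I, as an added Python example that is not part of the original report. The likelihood weights, impact scores and bands are the ones stated on this page; the row data is transcribed from Table I, and the function and field names are my own.

```python
"""Overall risk rating from likelihood and impact, as in Table H of the report.

Constructed example, not the report's own code. Weights, scores and the
risk scale are the ones stated in Section 8; the rows are those of Table I.
"""
from __future__ import annotations

from dataclasses import dataclass

# Table H: likelihood weight (rows) and impact score (columns).
# The report writes "Medium" in Table H and "Moderate" elsewhere; accept both.
LIKELIHOOD_WEIGHT = {"High": 1.0, "Moderate": 0.5, "Medium": 0.5, "Low": 0.1}
IMPACT_SCORE = {"High": 100, "Moderate": 50, "Medium": 50, "Low": 10}


def risk_score(likelihood: str, impact: str) -> float:
    """Impact score x likelihood weight, e.g. High impact x Medium likelihood = 50."""
    # Work in tenths so that 100 x 0.1 is exactly 10 rather than a float artefact.
    weight_tenths = round(LIKELIHOOD_WEIGHT[likelihood] * 10)
    return IMPACT_SCORE[impact] * weight_tenths / 10


def risk_band(score: float) -> str:
    """Risk scale from Section 8: Low 1-10, Moderate >10-50, High >50-100."""
    if not 1 <= score <= 100:
        raise ValueError(f"score {score} is outside the 1-100 scale")
    if score <= 10:
        return "Low"
    if score <= 50:
        return "Moderate"
    return "High"


def overall_rating(likelihood: str, impact: str) -> tuple[float, str]:
    """Score and band for one risk, the two things Table H reads off together."""
    score = risk_score(likelihood, impact)
    return score, risk_band(score)


@dataclass(frozen=True)
class Risk:
    number: int
    summary: str
    likelihood: str
    impact: str
    reported_overall: str  # the "Overall" column as recorded in Table I


# Rows of Table I (summaries shortened), constructed from the report's table.
TABLE_I = [
    Risk(1, "Loss of financial data", "High", "High", "High"),
    Risk(2, "Loss of employee details", "Moderate", "Moderate", "Moderate"),
    Risk(3, "Business plan", "High", "High", "High"),
    Risk(4, "Natural calamities", "Low", "Low", "Low"),
    Risk(5, "Fire activates sprinklers, water damage", "Moderate", "Moderate", "Moderate"),
    Risk(6, "Unauthorized access control", "Moderate", "Moderate", "Moderate"),
    Risk(7, "Denial of service via dummy packets", "High", "High", "High"),
    Risk(8, "Masquerading access points", "High", "High", "High"),
    Risk(9, "Spoofing", "Moderate", "Moderate", "Moderate"),
    Risk(10, "Tailgating", "High", "High", "High"),
    Risk(11, "Stored data manipulation", "High", "High", "High"),
    Risk(12, "Power loss", "Moderate", "Moderate", "Moderate"),
    Risk(13, "VPN account of ex-employee compromised", "Moderate", "Moderate", "Moderate"),
    Risk(14, "Hacking", "High", "High", "High"),
    Risk(15, "Unencrypted password", "High", "High", "High"),
    Risk(16, "Loss or theft of USB drives", "High", "High", "High"),
    Risk(17, "Compromise of unexpired/unchanged passwords", "High", "High", "High"),
    Risk(18, "Robbery", "Moderate", "High", "High"),
]


def rate_register(risks: list[Risk]) -> list[dict]:
    """Recompute every overall rating from the matrix and compare it with the table."""
    rows = []
    for r in risks:
        score, band = overall_rating(r.likelihood, r.impact)
        rows.append({"number": r.number, "summary": r.summary, "score": score,
                     "computed": band, "reported": r.reported_overall,
                     "agrees": band == r.reported_overall})
    return rows


def disagreements(risks: list[Risk]) -> list[int]:
    """Risk numbers whose recorded overall rating differs from the matrix result."""
    return [row["number"] for row in rate_register(risks) if not row["agrees"]]


if __name__ == "__main__":
    for row in rate_register(TABLE_I):
        flag = "" if row["agrees"] else "  <- differs from Table I"
        print(f'{row["number"]:>2}  {row["summary"]:<44} {row["score"]:>5}  {row["computed"]:<8}{flag}')
    print("disagreements:", disagreements(TABLE_I))
```

Run as a script, the check singles out risk 18 (Moderate likelihood, High impact): its score of 50 falls in the Moderate band of Table H and the risk scale, whereas Table I records it as High, so the boundary between Moderate and High is worth confirming whenever ratings are assigned by hand.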

Table I: Overall Risk Ratings Table

Risk No. | Risk Summary | Risk Likelihood Rating | Risk Impact Rating | Overall
1 | Loss of financial data, having severe impact on the company's brand image | High | High | High
2 | Loss of employee details | Moderate | Moderate | Moderate
3 | Business plan | High | High | High
4 | Natural calamities like earthquake, hurricane etc. | Low | Low | Low
5 | Fire would activate the water sprinkler system, thereby causing water damage | Moderate | Moderate | Moderate
6 | Unauthorized access control | Moderate | Moderate | Moderate
7 | Denial of service attack via dummy packets | High | High | High
8 | Masquerading access points | High | High | High
9 | Spoofing | Moderate | Moderate | Moderate
10 | Tailgating | High | High | High
11 | Stored data manipulation | High | High | High
12 | Power loss | Moderate | Moderate | Moderate
13 | VPN account of ex-employee compromised | Moderate | Moderate | Moderate
14 | Hacking | High | High | High
15 | Unencrypted password increases the chances of security breaches in the system | High | High | High
16 | Loss or theft of USB drives could result in compromise of confidentiality of DH data | High | High | High
17 | Compromise of unexpired/unchanged passwords could result in compromise of confidential business data | High | High | High
18 | Robbery | Moderate | High | High

9. RECOMMENDATIONS

The purpose of this step is to recommend additional actions required to respond to the identified risks in DH. The objective is to reduce the residual risk to the system and its data to a level that is acceptable as defined by the ISM.

Table J: Recommendations

Risk No. | Risk Summary | Risk Rating | Recommendations
1 | Loss of financial data, having severe impact on the company's brand image | High | Financial data should be encrypted and not be accessed directly. Access controls should be implemented. It should be accessible only to registered finance employees.
2 | Loss of employee details | Moderate | Employee data should be encrypted and stored. Any loss should be reported immediately.
3 | Business plan | High | Business employees should know about the business plan, and they should not discuss this plan with colleagues, friends and/or relatives.
4 | Natural calamities like earthquake, hurricane etc. | Low | A highly protected plan to prevent damage from these natural calamities.
5 | Fire would activate the water sprinkler system, thereby causing water damage | Moderate | None. Replacing the wet-pipe sprinkler system in the data center is supposed to be cost-prohibitive. Executive management has elected to accept this risk.
6 | Unauthorized access control | Moderate | There should be only authorized access for registered employees. The control team should have tight control on access.
7 | Denial of service attack via dummy packets | High | Risk management staff and the PSI support team should analyze whether replacing the existing Intrusion Detection Systems (IDS) with an Intrusion Prevention System is a cost-effective response to this risk.
8 | Masquerading access points | High | As an immediate step, the system support team should disable the remote OS features. As documented in planned controls, the admin, risk management staff and support team should work to develop a secure method to allow remote access.

9 | Spoofing | Moderate | The client software should be rewritten so that clear-text user IDs and passwords are not used in script and initialization files.
10 | Tailgating | High | Ethical practices should be followed by every employee in the organization.
11 | Stored data manipulation | High | Take regular backups on a daily/hourly basis as per requirements.
12 | Power loss | Moderate | A backup power supply should be available.
13 | VPN account of ex-employee compromised | Moderate | The system admin should control and block the accounts of ex-employees as soon as they leave the organization.
14 | Hacking | High | High security practices to block hackers. Network security applications should be installed to detect any hackers present in the system.
15 | Unencrypted password | High | Store data in encrypted format.
16 | Loss or theft of USB drives | High | The admin should include a prohibition on storing sensitive data on removable media such as employees' USB drives. Security awareness and training programs for employees should be conducted.
17 | Compromise of unexpired/unchanged passwords could result in compromise of confidential business data | High | The system support team should encourage employees to change their password regularly, within 30 days, and keep strong passwords.
18 | Robbery | High | Along with frequent guard patrolling, panic buttons need to be installed so that employees can notify the authorities quickly and easily.

10. RESULT DOCUMENTATION

The final step in the risk assessment approach is to complete the Risk Assessment Matrix. The risk assessment, once completed, should be documented in an official report or management brief. Management should take care to assign a priority to each recommendation, assign responsibility, initiate implementation and provide a date by which the implementation should be completed.


Table K: Risk Assessment Matrix

Risk No. | Vulnerability | Threat | Asset Affected | Risk Summary | Likelihood Rating | Impact Rating | Overall Rating | Controls and Factors | Recommendations
… recover DRP to ensure uninterrupted business procedures.
… not discuss this plan with colleagues, friends and/or relatives.
4 | Not well planned architecture of the company | Loss of data | Loss of resources, data and other things which are important. | Natural calamities like earthquake, hurricane etc. | Low | Low | Low | There are no controls relevant to this risk; neither are there any mitigating or exacerbating factors. DH Management has accepted this risk. However, BCP and DRP are being focused upon to ensure speedy recovery. | A highly protected plan to prevent damage from these natural calamities.
5 | Water leakage near the server room | Fire | Confidentiality and integrity of retail data | Fire would activate the water sprinkler system, thereby causing water damage | Moderate | Moderate | Moderate | There are no controls relevant to this risk; neither are there any mitigating or exacerbating factors. DH Management has accepted this risk. | None. Replacing the wet-pipe sprinkler system in the data center is supposed to be cost-prohibitive. Executive management has elected to accept this risk.

6 | No proper access control | Employee; lack of access control can be misused, leading to incidents such as data theft etc. | Confidentiality and integrity of retail data | Unauthorized access control | Moderate | Moderate | Moderate | Controls 4.2 and 7.1 determine the security measures against unauthorized access. These policies are ad hoc rather than role-based. | There should be only authorized access for registered employees. The control team should have tight control on access.
7 | Poor network security | Weak firewall, outdated anti-virus etc. | Confidentiality and integrity of retail data | Denial of service attack via dummy packets | High | High | High | Intrusion control measures have been included in the control analysis documentation. An Intrusion Prevention System (IPS) is yet to be implemented in the system. | Risk management staff and the PSI support team should analyze whether replacing the existing Intrusion Detection Systems (IDS) with an Intrusion Prevention System is a cost-effective response to this risk.

8 | Unsecure remote access methods | Multiple access to data | Due to this, the data will be shared with others. | Masquerading access points | High | High | High | Masqueraded access points are difficult to detect and have often succeeded in fooling the system users. No controls have so far been effectively implemented against this. | As an immediate step, the system support team should disable the remote OS features. As documented in planned controls, the admin, risk management staff and support team should work to develop a secure method to allow remote access.


9 | Encryption standard is not compliant with the PCI DSS standards | Wireless eavesdropping, wired eavesdropping, spoofing etc. may be the outcome of exploiting this vulnerability | Confidentiality and integrity of retail data | Spoofing | Moderate | Moderate | Moderate | Spoofing is the creation of TCP/IP packets using somebody else's IP address. The DH firewall protects the system from spoofing; however, it fails to give consistent resistance against spoofing. | The client software should be rewritten so that clear-text user IDs and passwords are not used in script and initialization files.
10 | Physical access controls not practiced | Unauthorized people gain access in the organization | Tailgating and hence loss of confidential data | Tailgating | High | High | High | Control 7.1 takes into account the various risk factors against unauthorised entry of people into the restricted-entry zone. This control has not been consistently followed, posing a greater security threat. | Ethical practices should be followed by every employee in the organization.

11 | Improper data storage | Loss of the working data and informational data | Rewriting again all the new data that is lost. | Stored data manipulation | High | High | High | Stored data can be manipulated by employees from the inventory. RFID tracking and updating in the corresponding system can help prevent this. This strategy is yet to be implemented in DH. | Take regular backups on a daily/hourly basis as per requirements.
12 | Hardware failure | Important … | Confidentia… | Power loss | Moderate | Moderate | Moderate | Power loss may result … | Backup power supply …


16 | …ed employees | …place violence, execution of system sabotage | Confidentiality and integrity of retail data | Loss or theft of USB drives could result in compromise of confidentiality of DH data | … | … | … | Effectiveness of controls prohibiting storage of sensitive data on USB drives is low, as these controls have not been followed. Threat source capability is high, as such USB drives are frequently lost or stolen. | The admin should include a prohibition on storing sensitive data on removable media such as employees' USB drives. Security awareness and training programs for employees should be conducted.


17 | The transaction systems and other network-connected hardware devices handling sensitive information used the same usernames and passwords across DH stores nationwide | If the hacker gets through the network security walls of one system, he can do so for other systems too. | Confidentiality and integrity of retail data | Compromise of unexpired/unchanged passwords could result in compromise of confidential business data | High | High | High | Password management controls, such as changing the password within a certain number of days and requiring passwords above a specific length that contain a mixture of letters, numbers, special characters etc., are emphasized. | The system support team should encourage employees to change their password regularly, within 30 days, and keep strong passwords.


18 | Lack of proper physical security | Robbery | Money and other assets | Lack of adequate physical security leads to robbery, which in turn leads to physical injury. | Moderate | High | High | Posting signs stating that the cash register only contains minimal cash, along with periodic patrolling by a security officer, is emphasized. | Along with frequent guard patrolling, panic buttons need to be installed so that employees can notify the authorities quickly and easily.

