Sample Cybersecurity Assessment - IT Consultant...User Security and User Security Awareness User...

Date post: 27-May-2020
Page 1: Sample Cybersecurity Assessment - IT Consultant...User Security and User Security Awareness User Based Phishing Test VU is already subscribed to a platform for user security awareness

Cybersecurity Assessment Sample Report, prepared by: Akins

Email and Identity

Email Exposure / Identity Best Practices Check

AD Connect

On-premises AD is synced to Azure AD with AD Connect. AD Connect is set up for password synchronization and is in Exchange Hybrid mode. AD Connect is not using the updated Source Anchor and is not currently set up to auto-update.

Email topology

MX records go straight to EOP (Exchange Online Protection) with Office 365. All mailboxes have been migrated; hybrid mode is still present because of the relay connectors needed for on-prem services. Office 365 can be leveraged for relay, and hybrid mode can be removed safely after testing.

Identity Integrations w/ Azure AD

The client holds EMS E3 licensing from Microsoft, so an unlimited number of apps can be connected. After interviewing Doug and reviewing possible integrations, these are the desired connections not currently in place:

Paychex - High Priority - Not Integrated

EZ Proxy

Final Site - VU website

GET Funds

R25 Campus Scheduling

Rave

Razors Edge - High Priority - Not Integrated

University Ticketing

Canvas

*** Paychex integration is especially recommended, to avoid disparate logins for critical business information systems and to unify insights into app usage. We could also leverage Conditional Access for these systems after integration is performed.


Microsoft 365 Secure Score

Secure Score analyzes your Office 365 organization's security based on your regular activities and security settings and assigns a score; think of it as a credit score for security. As of Feb 14, 2018, Secure Score is listed as 124/435, far above the industry average.

Accomplished Items:


Pending Items for Implementation Review

The following list contains the full set of configuration items that would achieve maximum security in the 365 ecosystem. We are highlighting the features we believe to be critical in EDU environments.

Multi-Factor Authentication for all Global Admin accounts

MFA for all admin accounts is important because a breach of any one of those accounts can lead to a breach of any of your data. We found that 1 admin out of 4 did not have MFA enabled.

Enable Client Rules Forwarding Block

Enabling the Client Rules Forwarding Block is recommended because client-side forwarding rules that send mail to external recipients are an increasingly used vector for data exfiltration by bad actors. We found that 0 rules out of 21 had blocks enabled. Outbound spam notifications were resolved by the client team. Email containing sensitive data is not auto-encrypted at this time. Rights Management was also found not to be auto-protecting data files.

Enable MFA for all global admins

Enable MFA for all users

Enable Client Rules Forwarding Block Advanced Action

Review sign-ins after multiple failure reports weekly

{Not Scored} enable Information Rights Management (IRM) services

Use audit data

{Not Scored} Do not use transport rule to external domains

{Not Scored} Do not use transport white lists

Review mailbox forwarding rules weekly

Review mailbox access by non-owners report bi-weekly

Review malware detection report weekly

{Not Scored} Do not use mail forwarding rules to external domains

{Not Scored} SPO Sites have classification policies

{Not Scored} Do not allow anonymous calendar sharing

{Not Scored} Do not allow external domain Skype communications

Review account provisioning activity report weekly

Review non-global administrators weekly

{Not Scored} Do not allow calendar details sharing

IRM protections applied to documents

{Not Scored} IRM protections applied to email
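The forwarding-rule items above (the Client Rules Forwarding Block, the weekly review of mailbox forwarding rules, and the "no mail forwarding rules to external domains" check) can be audited and enforced from Exchange Online PowerShell. The script below is an added example, not code from the assessment; it assumes the ExchangeOnlineManagement module and an Exchange administrator account, and it reads the tenant's accepted domains rather than hard-coding what counts as internal.

```powershell
# Added example, not part of the assessment report: find client-side forwarding to
# external recipients across the tenant, then apply the tenant-wide forwarding block.
# Assumes the ExchangeOnlineManagement module and an Exchange administrator account;
# the set of "internal" domains is read from the tenant's accepted domains.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToString().ToLower() }

function Test-ExternalRecipient {
    param([string]$Recipient)
    # Inbox rule recipients look like '"Name" [SMTP:user@domain]' or '"Name" [EX:/o=...]';
    # mailbox forwarding looks like 'smtp:user@domain'. EX legacy DNs are always internal.
    if ($Recipient -match 'SMTP:([^\]\s]+)') { $Recipient = $Matches[1] }
    if ($Recipient -notmatch '@') { return $false }
    $domain = ($Recipient -split '@')[-1].ToLower()
    return ($internalDomains -notcontains $domain)
}

function Get-ExternalForwarding {
    # Emits one object per external forward found, from either source.
    foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        # 1. Mailbox-level forwarding (set by an admin or from the user's mailbox options).
        if ($mbx.ForwardingSmtpAddress -and (Test-ExternalRecipient $mbx.ForwardingSmtpAddress)) {
            [pscustomobject]@{
                Mailbox   = $mbx.PrimarySmtpAddress
                Source    = 'MailboxForwarding'
                Target    = $mbx.ForwardingSmtpAddress
                KeepsCopy = $mbx.DeliverToMailboxAndForward
            }
        }
        # 2. Client-side inbox rules that forward or redirect.
        foreach ($rule in Get-InboxRule -Mailbox $mbx.Identity) {
            $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
            foreach ($t in ($targets | Where-Object { $_ })) {
                if (Test-ExternalRecipient ([string]$t)) {
                    [pscustomobject]@{
                        Mailbox   = $mbx.PrimarySmtpAddress
                        Source    = "InboxRule: $($rule.Name) (Enabled=$($rule.Enabled))"
                        Target    = [string]$t
                        # DeleteMessage hides the forwarded mail from the mailbox owner
                        KeepsCopy = -not $rule.DeleteMessage
                    }
                }
            }
        }
    }
}

$findings = Get-ExternalForwarding
$findings | Format-Table -AutoSize

# The block itself: disabling auto-forwarding on the Default remote domain covers every
# external domain. Apply only after the findings above have been reviewed with the
# mailbox owners, because it stops legitimate auto-forwards as well.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
```

Running the audit weekly and keeping the output satisfies the review items on the list, while the final cmdlet is the one-time tenant-wide block.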


Weak Password Test

We ran a test to assess user account password vulnerability. Primary concerns include:

32 user accounts with Empty Passwords

1224 user accounts with Weak Passwords

9279 user accounts with Non-Unique Passwords

Full exports can be provided upon request. Fully implemented password and identity policies can correct these issues.

Identity Provider / Integrations Review - including School Data Sync for EDU

CANVAS - LMS, COLLEAGUE - SIS. School Data Sync is not in play.

URL Protection Review / Safe Attachments Review

Email security is EOP native; no additional Advanced Threat Protection mechanisms are in play currently.

Identity Security / Protection Capabilities Review

ID Protect (Identity Protection) is implemented and in production. Great news! To complete this security protocol we need to implement automatic risk remediation.


CEO Fraud Capabilities

The current email security solution is not capable of detecting CEO fraud.

Data Protection [backup, archival, compliance search, DLP]

365 Exchange, SharePoint and OneDrive data is not currently backed up by an alternate cloud service. Archiving for Exchange Online is not configured. Data Loss Prevention policies are in effect for US PII and US Financial triggers.

Email Encryption Capabilities

Email Encryption is enabled in manual trigger mode!

User Security and User Security Awareness

User Based Phishing Test

VU is already subscribed to a platform for user security awareness testing and training. Previous campaigns show an almost 20% user click-through rate.


Password Policy

The domain password policy needs to be implemented from the ground up to enforce controls such as password history, complexity requirements, password refresh and expiration. New user account provisioning leaves thousands of users with identical passwords without enforcing a change.

Multifactor Authentication Capabilities

MFA is a capability of the EMS licensing currently in play. MFA is currently enabled for 3 accounts and enforced for a subset of users. Not all users are MFA registered, which limits the automatic remediation tactics employed by Identity Protection.

Data, Apps and Devices

Data Protection and Rights Management Review

Information Protection on documents and Rights Management are available capabilities, but they are not in widespread production. VU is exploring the platform and additional use cases.


Device Management Capabilities Review

MDM and MAM are both capabilities of Intune. Device Management and Application Management are not currently configured.

Shadow IT Assessment, Cloud App Security and User Application Insights

VU provided a single firewall log snapshot to load into the Cloud App Security portal. We used this data to assess Shadow IT, detecting the apps and data flows users have pushed through the network on a given day. This system can be configured for continuous, real-time analytics, alerts and monitoring.


The platform can illustrate applications in use, both those sanctioned by the school and those considered un-sanctioned. Risk scores are calculated based on the application profile, compliance status and security metrics. Useful recommendations can only be provided if real-time reporting is configured.

186 active alerts were detected from the single snapshot; examples are in the screenshot above.

Advanced Threat Analytics deployed on local network.

Networking

Review and Document DMZ/LAN/WAN Configurations

The client's network topology is comprised of multiple collapsed-core switches and several IDF aggregation switches in a modified hub-and-spoke format. IDF switches uplinked to the primary core are configured to perform Layer 3 routing. Multiple VLANs exist between connecting links, IDF switches, the secondary core, and wireless segments.

WAN access is limited to a small subset of application servers typically open on ports 80/443.

Access Control List Review (Network)

There are no explicit access control lists on the network that block Layer 2 or Layer 3 access within the network topology. Higher-level security measures are in place that assist in VLAN segmentation via RADIUS accounting within the Bradford and Fortinet configurations.


Firewall and Filtering

Web Filtering & Application Filtering Review

The client is currently using the FortiGate firewall to perform HTTPS filtering and application blocking. Categories have been created to give various levels of access depending on security groups found within LDAP. Faculty have the option to override the policy filters.

FSSO (Fortinet Single Sign On) is set up to bind IP addresses to AD usernames through RADIUS accounting. FSSO is integrated with three other domain controllers on the network (.1/.2/.3).

Network Access Control Systems

The Bradford software suite is currently in production and performing NAC enforcement for wired and wireless devices. The current configuration provides a guest registration splash page and a prompt that allows further access into the network based on security group membership.

Currently, NAC enforcement is based on security group membership and MAC address only. Other NAC components (software updates, presence of antivirus software, DHCP fingerprinting, etc.) are currently not enforced.

Network Security Solution Effectiveness

Application Vulnerabilities (LAN & WAN)

A security vulnerability assessment was performed on the WAN IP blocks. This assessment serves to determine vulnerabilities on NAT-enabled (outside to inside) servers on the internal LAN. A snapshot of the most common vulnerabilities is found below. Typically, this information is obtained through ports 80/443 used for web server access.


A deep scan of the HP switch infrastructure found several mis-configurations against a best practice template.

Similar findings were discovered with a deep scan audit of the Fortigate firewall.

IPS Policies

Intrusion Protection is enabled on all NAT rules (outside to inside). IPS policies detect intrusion attempts that exploit vulnerabilities on outside-facing web/application servers.


AV Policies

AV policies are configured on static NAT rules (outside to inside).

SSL Inspection

SSL inspection / certificate-based inspection is not currently utilized. The FortiGate firewall is capable of deep SSL inspection. Currently HTTPS filtering is configured; this is a technique where the Common Name on the server certificate is inspected before the encrypted session begins.

Wireless

Encryption (WPA2/Enterprise, WEP, Open, etc.)

WPA2-Enterprise encryption is utilized within the Ruckus wireless system. WPA2-Enterprise (802.1X) authentication is tied to internal LDAP servers. In conjunction with the Bradford NAC appliance, endpoints are segmented into different VLANs based on security group membership.

BYOD Policy & Endpoint Onboarding

The client currently operates a Bring Your Own Device policy. Endpoints are registered through the Bradford NAC enforcement software, which is integrated into the wired and wireless networks. Endpoints can be registered via the self-registration prompts or MAC-registered manually. The number of endpoints per user is limited by the IT department.

Antivirus and Antispyware

Solution Effectiveness

Fortinet's FortiClient is currently deployed as the primary endpoint protection suite. FortiClient is integrated with Fortinet's EMS (endpoint management system, distinct from the Microsoft EMS licensing discussed earlier). EMS can push FortiClient profiles via LDAP integration to any on-network device.

Deployment Status

Currently, FortiClient is deployed to all endpoints (Mac and Windows). LDAP is integrated with EMS, which remotely pushes endpoint updates, AV signatures, and additional filtering rules when an endpoint is online and registered to the client's internal networks.

Alerting Capabilities

EMS has the ability to assess endpoints that do not meet baseline criteria and send alerts when a device is found to be out of compliance.

Containment Capabilities

Via EMS, a compromised device can be quarantined on the network. This effectively prevents the device from reaching internal networks until remediation occurs.


Recommendations

Management Subnet, VLAN and Layer 3 Routing Restructuring

Review all subnets, VLANs and Layer 3 routes, and restructure/consolidate for optimal flow and ease of management. Inspect all switching; review stacking and members, trunked switchport uplinks, firmware upgrades and VLAN pruning.

Wireless Registration and Dynamic VLAN Assignment Troubleshoot

Wireless registration is consistently failing, and users are sometimes dropped into the management VLAN after successfully authenticating. This recommendation includes a full review of the ZoneDirector and Bradford configuration with onsite troubleshooting.

FSSO Wireless RADIUS Accounting Integration

The FSSO collector agent is not configured to accept accounting information from wireless users. Integrating FSSO with wireless accounting events will allow more accurate reporting of wireless user traffic as well as logical separation for filtering policies.

FortiAnalyzer with FortiGate Integration

Provides valuable insight and visibility into user traffic and includes robust reporting options.

Core Access Control List

There are currently no ACLs in place on core and distribution switches with IP routing enabled. End users have unrestricted access to network devices and servers on the production and management VLANs.

Wireless Channel and Power Optimization

Access points are configured for automatic channel and power levels. In AP-dense areas with high RF interference, wireless optimization helps to mitigate co-channel interference and can improve client-to-AP roaming.

FortiGate Application and Web Filtering Policies per User Group (Students, Staff, Admin etc.)

Currently, only a single application and web filtering security profile is being applied to all outbound user traffic. With FSSO, we can create additional forwarding rules with tailored filtering policies based on user type. An example would be to allow staff or admins less restricted access to the internet compared to students.

HP Switch and FortiGate Best Practice

Review and implement HP switch and FortiGate best practices. A deep scan was performed against industry best practice configurations to determine the current security posture of the HP switch and FortiGate firewall solutions.

It is recommended to go through each audit line item to determine whether the fix will have an overall beneficial impact compared with the current configuration.

IMC – Review and Utilize Available Tools / Features

IMC is a management tool for the client's switching infrastructure. The overall configuration is dated and may not include all hardware currently in production.

It is recommended to reconfigure IMC to include all switches, address current issues and set up alerting and reporting to maintain ongoing visibility into the network.

Bradford – Review and Utilize Available Tools / Features

Bradford is Network Access Control software for authenticating and maintaining users in the client's current Bring Your Own Device network.

It is recommended to verify the overall configuration, utilize additional features, or find an alternative for RADIUS policies.

Leverage Ruckus ZoneDirector for Dynamic VLAN Assignment and Guest Registration

In the absence of Bradford, a NAC solution is still recommended for maintaining the client's BYOD policy. Ruckus Cloudpath is a NAC-integrated solution that will work with the current Ruckus wireless infrastructure.


Refine Identity Practice

Utilize Azure AD as the primary identity hub, extended out from local AD. Integrations with university apps will mean more control, the ability to control access, and user activity insights. This improves the user and administration experiences. The apps below have all been identified as integration-worthy:

Paychex - High Priority - Not Integrated

EZ Proxy

Final Site - VU website

GET Funds

R25 Campus Scheduling

Rave

Razors Edge - High Priority - Not Integrated

University Ticketing

Canvas

*** Paychex integration is especially recommended, to avoid disparate logins for critical business information systems and to unify insights into app usage. We could also leverage Conditional Access for these systems after integration is performed.

Employ Conditional Access in Azure AD

Once app integrations are performed, we would be leveraging Azure AD for all authentications and app usage insights, and would be able to control all applications with a single identity. One of the major benefits is the Conditional Access policies that would be unlocked on a PER APP basis. We would be able to secure critical apps with specific conditions, such as: you must belong to group X to access, or you must be on a VU computer and on campus to access. The conditional logic is stackable per app, and we could be more relaxed for apps without sensitive data behind them.

Conditional Access deployment would require co-operation with the VU IT Dept.
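The stacked per-app conditions described above ("belong to group X", "on a VU computer", "on campus") map onto three Conditional Access policies scoped to one application. The script below is an added example, not code from the assessment; it assumes the Microsoft.Graph PowerShell SDK, that the campus IP ranges are already defined as a trusted named location, and placeholder application and group identifiers that must be replaced.

```powershell
# Added example, not part of the assessment report: create three report-only
# Conditional Access policies for a single integrated app. Assumes the Microsoft.Graph
# SDK, a trusted named location covering the campus IP ranges, and the placeholder IDs below.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

$appId   = '<app-id-of-integrated-app>'   # placeholder: Application (client) ID of the integrated app
$groupId = '<object-id-of-group-x>'       # placeholder: "group X" allowed to use the app

function New-ReportOnlyPolicy {
    param([string]$Name, [hashtable]$Conditions, [hashtable]$Grant)
    # Idempotent: skip if a policy with this display name already exists.
    if (Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$Name'") {
        Write-Host "Policy '$Name' already exists, skipping"
        return
    }
    $body = @{
        displayName   = $Name
        state         = 'enabledForReportingButNotEnforced'  # report-only: evaluated and logged, not enforced
        conditions    = $Conditions
        grantControls = $Grant
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# Every policy below targets this one app; the conditions stack on top of each other.
$thisApp = @{ includeApplications = @($appId) }

# 1. "You must belong to group X": block all users except group members.
#    Before enforcing, add excludeUsers = @('<break-glass-account-id>') to stay able to sign in.
New-ReportOnlyPolicy -Name 'CA-App-BlockNonMembers' -Conditions @{
    applications = $thisApp
    users        = @{ includeUsers = @('All'); excludeGroups = @($groupId) }
} -Grant @{ operator = 'OR'; builtInControls = @('block') }

# 2. "You must be on a VU computer": members may only sign in from a device Intune
#    reports as compliant or that is hybrid Azure AD joined.
New-ReportOnlyPolicy -Name 'CA-App-RequireManagedDevice' -Conditions @{
    applications = $thisApp
    users        = @{ includeGroups = @($groupId) }
} -Grant @{ operator = 'OR'; builtInControls = @('compliantDevice', 'domainJoinedDevice') }

# 3. "... and on campus": block sign-ins to this app from anywhere except the trusted
#    named locations (assumed here to be the campus IP ranges).
New-ReportOnlyPolicy -Name 'CA-App-BlockOffCampus' -Conditions @{
    applications = $thisApp
    users        = @{ includeGroups = @($groupId) }
    locations    = @{ includeLocations = @('All'); excludeLocations = @('AllTrusted') }
} -Grant @{ operator = 'OR'; builtInControls = @('block') }
```

Leave the policies in report-only state until the sign-in logs show no unexpected blocks for the pilot group, then switch `state` to `enabled`.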

Establish PW Policy

Here, we would address the existing password policies in Group Policy and ensure they are set and working. Addressing this would fix the array of weak / missing / non-unique passwords we discovered during the assessment. Because of AD Connect, these policies would sync up to 365.
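The Weak Password Test findings (empty, weak and non-unique passwords), the Password Policy finding and this recommendation all come down to the default domain password policy and the accounts that bypass it. The script below is an added example, not code from the assessment; it assumes the ActiveDirectory RSAT module and a domain account with read rights, and the baseline values in it are illustrative assumptions rather than the report's numbers.

```powershell
# Added example, not part of the assessment report: compare the default domain
# password policy with a baseline covering the controls the report names (history,
# complexity, refresh/expiration), then list the accounts that bypass it. Assumes the
# ActiveDirectory RSAT module and a domain account with read rights; the baseline
# values are assumptions for illustration, not the report's own numbers.
Import-Module ActiveDirectory

$baseline = @{
    ComplexityEnabled    = $true
    MinPasswordLength    = 12
    PasswordHistoryCount = 24
    MinPasswordAge       = [TimeSpan]::FromDays(1)     # stops cycling straight back to an old password
    MaxPasswordAge       = [TimeSpan]::FromDays(365)   # 0 in AD means "never expires"
    LockoutThreshold     = 10                          # 0 in AD means "no lockout"
}

function Get-PasswordPolicyGaps {
    # Emits one object per setting that is weaker than the baseline; no output means compliant.
    $policy = Get-ADDefaultDomainPasswordPolicy
    foreach ($name in $baseline.Keys) {
        $actual   = $policy.$name
        $required = $baseline[$name]
        $ok = switch ($name) {
            'ComplexityEnabled'    { $actual -eq $true }
            'MinPasswordLength'    { $actual -ge $required }
            'PasswordHistoryCount' { $actual -ge $required }
            'MinPasswordAge'       { $actual -ge $required }
            'MaxPasswordAge'       { $actual -gt [TimeSpan]::Zero -and $actual -le $required }
            'LockoutThreshold'     { $actual -gt 0 -and $actual -le $required }
        }
        if (-not $ok) {
            [pscustomobject]@{ Setting = $name; Actual = $actual; Baseline = $required }
        }
    }
}

function Get-ProvisioningDefects {
    # Enabled accounts where the policy is bypassed: PASSWD_NOTREQD set (an empty password
    # is allowed), password never expires, or the password was last set within minutes of
    # account creation, i.e. the user is still on the provisioning default.
    $props = 'PasswordNotRequired', 'PasswordNeverExpires', 'PasswordLastSet', 'Created'
    Get-ADUser -Filter { Enabled -eq $true } -Properties $props |
        Where-Object {
            $_.PasswordNotRequired -or $_.PasswordNeverExpires -or
            ($_.PasswordLastSet -and $_.Created -and
             ($_.PasswordLastSet - $_.Created).TotalMinutes -lt 5)
        } |
        Select-Object SamAccountName, PasswordNotRequired, PasswordNeverExpires, PasswordLastSet, Created
}

Get-PasswordPolicyGaps | Format-Table -AutoSize
$defects = Get-ProvisioningDefects
$defects | Format-Table -AutoSize

# Remediation, once the gaps have been reviewed: raise the domain policy and force a
# password change for the affected accounts (uncomment to apply).
# Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot -ComplexityEnabled $true `
#     -MinPasswordLength 12 -PasswordHistoryCount 24 -MinPasswordAge '1.00:00:00' -MaxPasswordAge '365.00:00:00'
# $defects | ForEach-Object { Set-ADUser -Identity $_.SamAccountName -PasswordNotRequired $false -ChangePasswordAtLogon $true }
```

The "password set within minutes of creation" heuristic is what surfaces the identical provisioning passwords the report describes; forcing a change at next logon is what breaks that pattern.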

Implement Email Security/Archiving/Backup Solution

An Email Security Suite would provide the university more effective email filtering and the ability to index and preserve all email sent and received. Email filtering allows for attachment protection, URL rewriting, and data leak prevention, to name a few. Archiving allows the storage of years' worth of email data BEFORE user modifications [delete, move and purge operations]. Email backup would allow the restoration of corrupt or missing email data at the user and message level.

Managed Security - Improve Secure Score over time

VU's Secure Score was discovered to be much higher than the industry average. Great job. The Secure Score analysis we ran identified a few key configurations we should explore, such as Enable MFA for GA (Global Admins) and the blocking of Client Forwarding Rules.

We also recommend regular security assessments to update and ensure improvements over time as the attack landscape evolves. Annual or semi-annual is the recommended cadence.

Hyper-V Best Practice Review

The virtual infrastructure needs to be evaluated for best practices with a deep dive. After a high-level review, the cluster configuration does not adhere to best practices in terms of load balancing and VM workload.

MSN Management and Monitoring

We recommend the implementation of Onsite Manager and monthly Server and Network maintenance. Onsite Manager is a full-suite management tool that would allow central control of Antivirus clients on all workstations, laptops and servers. It allows us to keep servers patched or updated in monthly maintenance cycles. In addition, we can configure alerts for servers and critical services, the idea being that when issues occur, IT will be the first to know. The management tool also contains remote access and remote administration tools, as well as Server Health reports. This product and its benefits would go hand in hand with a Monthly Management Agreement.

To summarize, this one solution addresses many existing requirements: Antivirus Management, Remote Administration, Server Alerts, Critical Service Alerts, Performance Monitoring, Server Health Reporting, Server Update Management.

DR Playbook

While Veeam backup is in place to perform offsite restore points, there is no disaster recovery plan in place. If the university is planning to replace the existing Nimble arrays for the production environment, the old arrays could be moved to a DR location and configured as a DR target. Azure can also be utilized as a primary or secondary DR recovery point alongside a second physical location.

Server Upgrades – 2012 R2 or Better!!

All servers running 2008 R2 should be upgraded to the latest release of Windows Server OS, currently 2012 R2. Benefits would include more stable, secure and compatible servers.

Continue User Awareness Training

We were very impressed to discover that VU is already engaging with KnowBe4 to build user security awareness. We recommend continuing this practice and running test campaigns monthly to stay top of mind with users. Round tables with repeat offenders have also proven very successful in other EDU environments.

Explore School Data Sync

We recommend investigating School Data Sync, which would bring faculty, students and rosters over to Azure AD and, inherently, Teams and OneNote for Education. LMS and SIS integrations and auto-provisioning have been seen to save schools hundreds of hours in preparing rosters, avoiding online class join confusion, and keeping 365 and the learning systems synchronized through consistent administration. This also mitigates the need to import incoming new students in two or more disparate areas.


Cloud Data Backup

As data flows into the 365 system, OneDrive adoption increases and SharePoint becomes built out, being able to recover data on this platform is going to become important. A common misconception is that data in 365 is backed up by the platform. While there are measures to prevent accidental deletes and recycle bins to cover immediate data loss, restoring to a point in time is not supported natively. We can recommend solutions in this space based on VU's requirements.

*** Azure as Primary DC – Long Term Goal ***

The Azure cloud platform would replace on-premise servers and infrastructure as a long-term strategy. The idea is to switch from the CAPEX model of refreshing hardware and building out physical infrastructure and security to the OPEX model of subscribing to a limitless, more highly available and secure cloud arena to serve up required access to applications, services and systems. The journey can begin with a Cloud Readiness Assessment to map out the phased transition. Another strategy is to begin with a DR project to replicate existing VMs to Azure and optimize continuously in the cloud, using failover as a transition mechanism.

InTune Roll Out

Enrolling devices in Intune, a technology already licensed by VU, would allow easier administration, application of security policies, and a standardized user / device experience across all device platforms. Windows, iOS, macOS and Android are all supported.

We should also consider using Mobile Application Management to protect app data specifically for particular applications like Outlook, Paychex and SharePoint.

Information Protection

VU is already utilizing Azure Information Protection to classify and protect sensitive data for a niche case. We would recommend and encourage the practice to continue! Excellent work here.


Move to Azure ATP for ATA solution

Also impressive is the existing on-prem deployment of Advanced Threat Analytics. This has just been revamped by Microsoft, and the control center has been moved to a cloud service called Azure ATP. We recommend transitioning this solution to the new service in the near future.

Cloud Readiness Assessment

As mentioned above, a CRA would allow a road-mapped / phased approach to embrace and develop a cloud transition strategy. We would assess all dependencies on local services and infrastructure as a function of the assessment, and the deliverable would be an implementation schedule to test, verify and fail over services to cloud counterparts. Security and user experience considerations are top of mind throughout the execution of such an assessment.

Proposed Network Diagram


Proposed Server Diagram

