Case Study

Infrastructure Audit

Industry: Oil and Gas

Location: Europe

Scene

This project came about when our client acquired a contracting company that provides services to the oil and gas industry. Before any IT infrastructure could be integrated between the two companies, the parent company engaged our IT infrastructure audit services: it required independent assurance regarding the state of the new acquisition's IT infrastructure before integration began.

Challenge

Our client required immediate access to the data resources of the new acquisition, but this could not start until assurance had been given regarding the wider IT infrastructure and the outstanding security questions had been clarified.

The policies and standards of the new acquisition needed to be assessed and mapped against those of our client. The scope of the technical infrastructure ranged from LAN-based desktop machines to the Internet infrastructure and Internet-facing hosts. Interconnections to the new acquisition's branch offices, clients and suppliers had to be enumerated and included in the scope of the project.

Engagement

The nature of the project, the infrastructure involved and the time constraints meant that the project was split into two parts, performed on-site and off-site in parallel.

The on-site work comprised staff interviews, documentation review, a build-standard audit, and audits of policies and standards. The off-site work was a vulnerability assessment of the Internet-connected hosts.

The staff interviews were performed to gather information about the Internet and LAN infrastructure and its interconnections, and to map the network. Critical data and IT assets were also to be identified and audited; the information needed to identify these assets was obtained mainly through the staff interviews.

The off-site work involved enumerating the Internet hosts and the Internet platform. These hosts were located at a third-party hosting provider and included the mail and web servers.

Results

Interviews with staff revealed that very little documentation describing the infrastructure was available and that change control was not formalised. Critical IT knowledge was held largely by a few key personnel and was not written down.

A limited set of policy documents was available, but these were not formalised and lacked depth; in some cases even these policies were not adhered to.

The new acquisition was located in a shared building whose basement was used as the server and telecoms room. All tenants had access to this room, and the racks containing equipment owned by our client were not kept locked. Cables snaked across the floor, creating a hazard, and the cabling in the racks and under the false floor was also in disarray. As a result it was almost impossible to verify that equipment belonging to one tenant was not connected to that of another.

While enumerating machines on the LAN of the acquired company, a machine was found that granted full access without any form of authentication. On further investigation this machine turned out to be a networked document management system containing thousands of documents, a proportion of which were highly sensitive and belonged to various departments. Documents downloaded during the audit included HR records on personnel containing disciplinary and payroll information, such as salary advances and company loans. Bills and invoices were also accessible, together with customer and project information relating to projects undertaken by the acquired company.
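The finding above is the kind of thing a LAN sweep should flag automatically: a web-based service that returns content to a bare, credential-less request. The script below is an added example and not esqo's tooling; it starts two throwaway local HTTP servers as constructed stand-ins for LAN hosts (one serving a document tree to anyone, one that answers 401 until credentials are supplied), then probes each the way an auditor would. The document names, paths and the `type="password"` login-page heuristic are assumptions made for the example.

```python
"""Flag HTTP services that serve content without any authentication.

Added example (not the case study's own tooling). Two local servers stand in
for LAN hosts so the check runs offline: OpenDocHandler mimics an open document
store, AuthDocHandler mimics one that challenges with HTTP Basic auth.
"""
import http.server
import threading
import urllib.error
import urllib.request

# Constructed sample "document management system" contents (not real data).
DOCS = {
    "/": '<html><a href="/hr/payroll.xls">payroll.xls</a>'
         '<a href="/hr/disciplinary.doc">disciplinary.doc</a></html>',
    "/hr/payroll.xls": "employee,salary_advance,company_loan\n"
                       "A. Smith,500,2000\n",
}
# Paths an auditor would try; extend with product-specific defaults as needed.
DEFAULT_PATHS = ("/", "/hr/payroll.xls")


class OpenDocHandler(http.server.BaseHTTPRequestHandler):
    """Serves DOCS to anyone: the misconfiguration we want to detect."""
    def do_GET(self):
        body = DOCS.get(self.path)
        if body is None:
            self.send_error(404)
            return
        data = body.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the example quiet
        pass


class AuthDocHandler(OpenDocHandler):
    """Same documents, but demands credentials first (the expected state)."""
    def do_GET(self):
        if self.headers.get("Authorization") is None:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="docs"')
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        super().do_GET()


def start_server(handler):
    """Bind a local server on an ephemeral port and serve it in the background."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(url, timeout=3.0):
    """Bare GET with no credentials. Returns (status, body); status None if unreachable."""
    req = urllib.request.Request(url, headers={"User-Agent": "infra-audit-probe"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode(errors="replace")
    except urllib.error.HTTPError as err:      # 401/403/404 etc. still mean "reachable"
        return err.code, ""
    except (urllib.error.URLError, OSError):   # refused, timed out, DNS failure
        return None, ""


def check_unauthenticated(base_url, paths=DEFAULT_PATHS):
    """Classify a host as 'open', 'auth-required' or 'unreachable'.

    A 200 with a non-empty body counts as open unless the body looks like a
    login form (urlopen follows redirects, so a 302-to-login also lands here).
    """
    result = {"host": base_url, "open_paths": [], "verdict": "unreachable"}
    reachable = False
    for path in paths:
        status, body = probe(base_url + path)
        if status is None:
            continue
        reachable = True
        if status == 200 and body.strip() and 'type="password"' not in body.lower():
            result["open_paths"].append(path)
    if result["open_paths"]:
        result["verdict"] = "open"
    elif reachable:
        result["verdict"] = "auth-required"
    return result


if __name__ == "__main__":
    for handler in (OpenDocHandler, AuthDocHandler):
        srv = start_server(handler)
        url = "http://127.0.0.1:%d" % srv.server_address[1]
        print(handler.__name__, check_unauthenticated(url))
        srv.shutdown()
```

On a real engagement the host list would come from the LAN enumeration, and the verdict for any "open" host should be confirmed by hand: a 200 on a splash page is not the same as a 200 on the payroll spreadsheet, which is why the script records which paths were served rather than just a boolean.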

As the building in which the acquired company is based is shared, the owners of the building provide manned guarding. During one after-hours visit a security guard volunteered the door entry PIN code to us without being asked for it. During office hours, visitors were observed walking into the building unchallenged by the guarding personnel.

The off-site component of the project resulted in the compromise of the Internet-facing FTP and web servers. This was due to lapses by the hosting provider, which had not adequately protected the servers; these servers, incidentally, also hosted domains for several of the provider's other customers.

Risks to business

Financial and legal implications could arise from the exposure of highly sensitive company and customer information regarding personnel, payroll, finances and projects undertaken for clients. The generally poor level of documentation could result in duplication of effort and operational difficulties should key personnel leave the company.

As the client's hosted web presence was compromised during the project, it is likely that the company's image and customer confidence would have suffered had the site been compromised by a real intruder rather than during a controlled assessment.
