Well Known NYC Media Company
Well Known NYC Media Company InVision Assessment

PREPARED FOR WELL KNOWN NYC MEDIA COMPANY
Version 2.0
April 30, 2020

Confidentiality Notice

This document contains confidential and proprietary information of CPP Associates and Well Known NYC Media Company and, except as noted in this paragraph, may not be shared with any other party. Well Known NYC Media Company may copy or disclose the information contained herein (with the exception of any pricing) as needed for the purpose of providing this information to the end user customer identified in this Assessment Report, provided that any such disclosure of information is accompanied by a requirement to maintain the confidentiality of such information. Except as expressly authorized in the preceding sentence, Well Known NYC Media Company may not copy or disclose without the prior written permission of CPP Associates.

Table of Contents

Executive Summary
1.1 Scope
1.2 Network Infrastructure
1.3 Windows Infrastructure
1.4 Overall Client Risk
1.5 Servers
1.6 SQL Server Risk & Health Report
  1.6.1 Identified Web Servers
  1.6.2 Time Servers
  1.6.3 Exchange Servers
  1.6.4 SQL Servers
1.7 Network Printers
1.8 Key Security Risks
1.9 Security Management Plan
1.10 Office 365
1.11 Backup
1.12 Power
1.13 Proactive Maintenance
1.14 Summary
1.15 VMware Lifecycle
1.16 Microsoft Product Lifecycles
  1.16.1 Windows Server OS
  1.16.2 SQL Server Product Lifecycle
  1.16.3 Windows Desktop OS Lifecycles
  1.16.4 Microsoft BitLocker Management Lifecycles
1.17 Installed Applications

Executive Summary

CPP Associates conducted a basic vulnerability assessment for Well Known NYC Media Company, and this document provides a summary of our findings and recommendations. During the assessment, CPP Associates personnel did their best to uncover information about specific IT practices currently in use in your business, and we have listed them in this document.

The assessment conducted by our team is a technical review of your IT network and systems. It is important to note that this is not an audit from a security risk perspective. Although we look for evidence of controls and adherence to a set of specifications or control framework, it is an evaluation of your practices. Our main objective is to provide you with a professional opinion and insight as to the technical soundness of your IT environment from the perspective of conventional practices utilized in the industry.

The methodology used by us for this assessment consisted largely of a comparison of your environment, as we interpreted it, against industry best practices. Information collected by us about your environment consisted of documents provided to us by you at the onset of the engagement as well as information we collected while onsite and through communications with your personnel. A good portion of the information we gather is first-hand through the onsite examination of servers, workstations, and network infrastructure. The specific applications and business processes are identified by you. We look at a sample of the workstations to get an understanding of how these applications and processes utilize the IT systems as well as the performance as experienced by the end user.

During the assessment, CPP Associates found that the Well Known NYC Media Company infrastructure needs important changes to improve efficiency for both network and systems. Well Known NYC Media Company daily operations are at significant risk while running with the current hardware configuration.
We have determined storage, switching, and security as our paramount concerns. These areas are highlighted below. This executive summary provides an overview of the issues, and the remainder of the document outlines in detail what those issues are and the remediation plan going forward.

Many, if not all, of the issues found are deficiencies or deviations from best practices on equipment and solutions delivered by the previous partner. Issues found outside of the relationship with the previous partner are standard issues that CPP sees across most, if not all, environments and are the result of the urgent often crowding out the important.

The following list is not comprehensive; it is just a high-level overview. Detail is outlined in the full report that follows.

• Well Known NYC Media Company did not provide network diagrams covering servers, workstations and wireless.
• Windows 7, Windows 2003, 2003 R2, 2008, and 2008 R2 are unsupported, and upgrading to Windows 10 (for desktops) and Windows Server 2016 or 2019 is highly recommended. Staying with unsupported platforms creates unnecessary operational and security risks. If these platforms are required, they should be migrated to a non-routable VLAN with limited internal access and restricted to zero internet access.
• Complex and secure passwords are a critical step in protecting confidential company data. During the assessment, CPP Associates discovered that passwords on numerous devices did not conform to a recommended Password Security Policy. Passwords may not be changed during the transition of support staff and should be updated on a regular basis. An additional security risk, from an internal perspective, centers around user accounts that are active but not used and the lack of password complexity and scheduled change requirements associated with the accounts.
• There is a legacy environment that is end of life and end of support, including the underlying hardware, hypervisor, and operating systems.

CPP believes that many of these issues can be remediated on both a project basis and a time/materials/consulting retainer basis. Many of the issues will be resolved as part of the onboarding process with InVision, CPP’s managed services platform. Our mission is to provide Well Known NYC Media Company with the ability to grow and execute projects at the rate the business requires and to mitigate the day-to-day work that creates the roadblocks that prevent those critical tasks from being executed or implemented. Thank you for this opportunity to earn your business.

1.1 Scope

Well Known NYC Media Company has contracted with CPP Associates to perform a basic vulnerability assessment that discovers, reviews, and documents the following:

• Network Infrastructure
• Servers & Server Virtualization
• Windows Infrastructure
• Microsoft O365
• Darkweb ID Scan
• Other Identified Concerns

This document addresses current architecture, hardware life and life expectancy, general infrastructure services and core components, key applications and services, and the current software used in the Cisco equipment at Well Known NYC Media Company. This document also outlines recommended upgrades based on software vulnerabilities, hardware warranty status and issues, and any end-of-life announcements. If CPP is not able to access specific devices, networks, or solutions and does not have or is not provided with any supporting documentation, those items will be noted as such and excluded from this report.

Throughout this document are areas that identify issues. These issues are highlighted with the following text: Identified Issue. The recommendations will be highlighted with the following text: Recommendation. This document