Information Security Case Study: Haphazard Insurance Ltd

You are a team of IT security consultants employed by InfoSec Limited, an information security, risk mitigation and management organisation.  You will be working on behalf of one of your largest clients “Haphazard Insurance Ltd”. Sheffield Haphazard Insurance is a multinational insurance company with 300 employees spread over 3 sites – Sheffield, Edinburgh and Kansas City.  Initially starting with mobile device and house contents insurance, they have recently started to sell cyber security insurance. The head office and main data centre is based in Sheffield, which holds 200 members of staff. The operations help desk and communications staff work on a 24-hour shift pattern. The two satellite offices each with 50 staff are connected to the head office via a Cisco based site to site VPN and focus primarily in sales and marketing for their respective areas. 20 of these staff are remote workers and connect to their respective satellite office over VPN.

These offices operate on standard 9-5 shift patterns. Each of the satellite offices has an on-premise database that uses mySQL version 5.6 on Windows server 2012 R2. These databases are backed up weekly to the head office data centre. The network infrastructure comprises of Microsoft Active Directory servers and Linux LDAP servers. Its lower layer networking uses Cisco routers and switches using the standard Cisco 3 core hierarchy of Access, Distribution and Core layer networking.

Senior Management

Leroy Mackenzie - Haphazard Consulting CEO

Known to make hasty decisions in his quest to maximise profits, Leroy can be abrasive and narrow minded.

Julie Gardham - Head of IT and Compliance

Graduated from Sheffield Hallam in 2008, Julie is also qualified in project management, ITIL change management and CRISC. Julie is amenable yet assertive and despite having only recently joined Haphazard she has already made some positive changes. Julie has enlisted you to help create the ISMS.

Departmental

• Steve Drake - Network manager
• Alice Rose - Help desk and operations operative

Financials as of last year:

• Revenue - £50 million
• Operating income - £20 million
• Net income - £15 million

Incident Reports from the last 12 Months:

Haphazard has expressed concerns as to the efficacy of its information security policies and systems due to the recent scandals over data loss that the UK government has suffered. This has resulted in an internal audit being performed to establish the health of the companies approach to information security. The audit was performed internally and has uncovered many security breaches, unacceptable risks and data loss in the last 12 months.  

The key areas of the report have been highlighted below:

Key Personnel

The company has recently become the victim of a high number of malware attacks. One major incident involved the Emotet malware, most likely as a result of phishing emails sent to senior staff members that went completely undetected.

 

In addition, there has been an increase in application layer attacks which are breaching the organisation's firewalls. Some have even brought the firewall down causing denial of service to external clients and employees trying to access internal resources legitimately.  

 

Staff in the Kansas office were constantly redirected to websites masquerading as Google, which turned out to be malicious. It seems there is an issue with their DNS, and potentially Haphazard's domain name was hijacked for a period of time.

 

The system's main database in the Sheffield office was breached containing the details of 500 clients. The discovery of the breach was made when the details of these clients were discovered uploaded to the website pastebin. A subsequent investigation discovered that a support technicians email account appeared to have been brute forced. A phishing email had then been sent from that account to the DBA’s email which included a fake link pretending to be to a useful resource. When clicked, the email application appeared to log out. A fake login page was displayed which was used to capture the database administrator’s password - it was only 5 characters in length. This same password also allowed the attacker to reach the database through the company's online portal.  

 

Recent losses of data have been reported throughout the organisation due to hardware failure. Inadequate redundancy and backup provision have been cited as the main offenders. Recent attempts to recover from a flood which had destroyed part of the IT department at the Sheffield site had only limited success. Some servers had been destroyed and no provisions had been made to bring primary systems back on line quickly. In addition some of the key backup tapes failed to restore causing irrevocable losses. Key policies in disaster recovery and risk mitigation have been cited as needing to be revisited.

 

An employee has recently had a laptop containing highly sensitive data stolen from the Kansas office. This incident was leaked to the media causing much embarrassment and loss of reputation. The employee was on an early shift and entered the office at 6.30am to find the laptop missing. However it seemed that the thief had only just left as there were fresh wet foot prints on the floor and reports of a suspicious person leaving the complex at around 6.15am. Initial investigations seem to point to poor security policy being enforced during office cleaning 5-6.30am. This has led to concerns regarding the provisions of physical security throughout the business. The laptop contained sensitive personal data of clients, which were not encrypted.

 

Concerns have been raised over the functionality and usability of the network and many of the applications and resources that utilise it. Particular concern has been raised over the lack of proactive measures that could predict trends of system or network exhaustion. Illustrations of this of this include key system hardware and network utilisation reaching capacity and failing without technical staff being aware of the imminent failure. One example of this involved the exchange mail servers reaching capacity and refusing to send or receive mail. This brought the company to a halt. A backup and upgrade of the system had to be performed off-line before the system could be become operational. Much of the company’s online business registration relied on the mail server being operational. The cost of lost revenue for the 2 days while the system was being upgraded and recovered was calculated at £200,000.