Changes between Version 6 and Version 7 of UhlLinuxServer Risk Assessment
Timestamp: 08/26/16 14:15:38 (8 years ago)
UhlLinuxServer Risk Assessment
v6 v7 13 13 === 1.2 Likelihood 14 14 15 - 1.2.1 The servers are available on the Internet and so open to attack15 - 1.2.1 The servers are available on the UHL Intranet and so an attack is unlikely 16 16 17 17 === 1.3 Mitigation 18 18 19 - 1.3.1 Access via ssh is only allowed from within the University of Leicester 20 - 1.3.2 Servers are behind a proxy server, which attackers would have to compromise before accessing the server itself. 21 - 1.3.3 Only ports 80 and 443 communication is allowed through the proxy server 22 - 1.3.4 VMs are backed up daily to allow a restore if a corruption occurs 23 - 1.3.5 Software is available online or from source repositories (SVN or Git) 19 - 1.3.1 Access via ssh is only allowed from within UHL 20 - 1.3.2 VMs are backed up daily to allow a restore if a corruption occurs 21 - 1.3.3 Software is available online or from source repositories (SVN or Git) 24 22 25 23 === 1.4 Improvements … … 38 36 === 2.2 Likelihood 39 37 40 - 2.2.1 The servers are available on the internet and so open to attack38 - 2.2.1 The servers are available on the UHL Intranet and so an attack is unlikely 41 39 42 40 === 2.3 Mitigation 43 41 44 - 2.3.1 Database users are only allowed to connect from the local host. 45 - 2.3.2 Database port are only available from the local host. 
46 - 2.3.3 VMs are backed up daily to allow a restore if a corruption occurs 47 - 2.3.4 Databases are backed up daily with a history of 3 months to allow for recovery 48 - 2.3.5 Database server can only write data to the temp and database directories 42 - 2.3.1 VMs are backed up daily to allow a restore if a corruption occurs 43 - 2.3.2 Databases are backed up daily with a history of 3 months to allow for recovery 44 - 2.3.3 Database server can only write data to the temp and database directories 49 45 50 46 === 2.4 Improvements … … 67 63 === 3.3 Mitigation 68 64 69 - 3.3.1 Use LDAP to connect to servers to disallow sharing of passwords 70 - 3.3.2 Remove user accounts as soon as employees leave. 71 - 3.3.3 Backups of VMs are kept securely off site. 72 - 3.3.4 Software is kept in source repositories, which track changes and can be restored back to any point. 65 - 3.3.1 Remove user accounts as soon as employees leave. 66 - 3.3.2 Backups of VMs are kept securely off site. 67 - 3.3.3 Software is kept in source repositories, which track changes and can be restored back to any point. 73 68 74 69 === 3.4 Improvements … … 83 78 === 4.2 Likelihood 84 79 85 - 4. 
1.3 Applications are visible on the internet so attacks will occur80 - 4.2.1 The servers are available on the UHL Intranet and so an attack is unlikely 86 81 87 82 === 4.3 Mitigation 88 83 89 - 4.3.1 Use Apache config to restrict access to University of Leicester Network were appropriate 90 - 4.3.2 Enforce a strong password policy 91 - 4.3.3 Use LDAP authentication where possible 84 - 4.3.1 Enforce a strong password policy 85 - 4.3.2 Use LDAP authentication where possible 92 86 93 87 === 4.4 Improvements 94 95 - 4.4.1 Investigate what measures are installed on the proxy to mitigate against attack [[#578]]96 88 97 89 == 5 Communication Interception … … 103 95 === 5.2 Likelihood 104 96 105 - 5.2.1 Applications are visible on the internet so attacks will occur97 - 5.2.1 The servers are available on the UHL Intranet and so an attack is unlikely 106 98 107 99 === 5.3 Mitigation … … 122 114 === 6.2 Likelihood 123 115 124 - 6.2.1 Vulnerabilities in software are constantly coming to light and internet available sights are always at risk.116 - 6.2.1 Vulnerabilities in software are constantly coming to light, but sites are only visible within the UHL network. 125 117 126 118 === 6.3 Mitigation 127 119 128 120 - 6.3.1 Software is kept up to date 129 - 6.3.2 Exploits often involve opening SSH ports, that are restricted through the proxy 130 - 6.3.3 Applications are run as a restricted user account that does not have permission to make configuration changes 121 - 6.3.2 Applications are run as a restricted user account that does not have permission to make configuration changes 131 122 132 123 === 6.4 Improvements
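Review bot: In section 1.3, the proxy mitigations (old 1.3.2 and 1.3.3) are removed with no replacement network control, while new 1.2.1 rests the likelihood rating entirely on the servers being available on the UHL Intranet. Add a mitigation item that names what enforces that boundary and which ports are reachable inside it, so that "an attack is unlikely" is backed by a listed control rather than by location alone; the remaining 1.3.1 covers ssh only.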
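Review bot: In section 2.3, old 2.3.1 ("Database users are only allowed to connect from the local host") and old 2.3.2 (database port only available from the local host) are dropped, but both are host-level controls that do not depend on whether the servers face the Internet or the UHL Intranet. If they are still configured, keep them listed; if they were relaxed as part of the move, record that as a change in exposure and reflect it in 2.2.1.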
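Review bot: In section 3.3, old 3.3.1 ("Use LDAP to connect to servers to disallow sharing of passwords") is removed, yet new 4.3.2 still lists "Use LDAP authentication where possible". State whether logins to the servers still use LDAP; if they do not, new 3.3.1 ("Remove user accounts as soon as employees leave") should say how removal is carried out on each server, and password sharing needs its own mitigation item.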
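Review bot: In section 4, removing 4.4.1 leaves the "4.4 Improvements" heading with no items, and the Apache access restriction (old 4.3.1) disappears from 4.3 without a replacement. Either record under 4.4 how [[#578]] was resolved or drop the empty heading, and if Apache still restricts access by network on these servers, keep that item with the network name updated.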
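Review bot: In section 5.2, new 5.2.1 reuses the sentence from 1.2.1, 2.2.1 and 4.2.1, which describes where the servers are available, not how likely traffic is to be intercepted, which is the risk section 5 ("Communication Interception") covers. Word the likelihood for interception on the UHL network specifically instead of repeating the server-availability statement.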