Cyber Risk Assessment for the City of Suffolk, VA
ODU Cybersecurity Internship
CYSE 368 Fall 2024
Professor Duvall
11/17/2024
Suffolk Team A
Edwin Wells: A graduating senior from the Old Dominion University School of Cyber Security. He is currently interning with COVA CCI in partnership with Valor Cybersecurity providing services for the local community and the City of Suffolk. His role in this internship was as group leader, coordinating team members, dates, communication, and project development for performing a risk assessment of the assigned Public Web Interface Server.
Brayden Greenfield: A sophomore from the Old Dominion University School of Cyber Security. He is currently interning with COVA CCI in partnership with Valor Cybersecurity providing services for the local community and the City of Suffolk. His role in this internship was as assistant group lead, providing communication as needed and performing analysis and assessment of compliance settings of the assigned Public Web Interface Server.
Niko Florido: A junior from the Old Dominion University School of Cyber Security. He is currently interning with COVA CCI in partnership with Valor Cybersecurity providing services for the local community and the City of Suffolk. His role in this internship provided analysis and assessment of identified risks to the assigned Public Web Interface Server.
The City of Suffolk Social Media Presence:
Website: https://www.suffolkva.us/
Twitter/X: @CityofSuffolk (City of Suffolk)
Youtube: CityofSuffolkVA, https://www.youtube.com/CityofSuffolkVA
Facebook: City of Suffolk, VA – Municipal Government
The City of Suffolk has a diverse range of social media accounts using some of the most popular platforms. This allows the City of Suffolk to reach a diverse range of population groups to keep them up to date with important news and events.
Valor ‘Top 10 Digital Security Checklist’
The City of Suffolk’s cyber security initiative is relatively new, under 2 years old, so we compared their posture to Valor Cybersecurity’s ‘Top 10 Digital Security Checklist’. Despite the checklist being designed with small businesses in mind, it still offers good subjects to focus on at a government level. For instance, Valor’s number one, “Annual Digital Risk Checkup”, emphasizes performing an annual assessment of an organization’s digital vulnerabilities, covering both the weaknesses and the strengths of its defenses. Along with this first element of the checklist, our group was able to observe other elements of the checklist being performed as well.
The team was able to participate in part of the risk checkup with the City of Suffolk to find and assess vulnerabilities of their system. We also observed Valor’s third element, “Backup Data and Software, then Test”, in the form of a redundant and reliable backup system. As part of this setup the City of Suffolk has a consistent file backup schedule. Further protecting the City of Suffolk’s system is the use of multi-factor authentication to verify user authenticity before access is granted, which is Valor’s number four on the checklist. There are also several firewalls in place to further protect the infrastructure and data from outside threats, meeting Valor’s number five, “Digital Perimeter Guard”.
Finally, in our interactions with the City of Suffolk we were able to find out that their Senior Cybersecurity Administrator Joshua Cox single-handedly met Valor’s number six, “Draft a Digital Playbook”. Before Mr. Cox joined the Suffolk team the city did not have a playbook in place. Mr. Cox wrote and put into use a 200-page set of policies and procedures for the City of Suffolk to follow. From our relatively small perspective on a large organization with multiple systems and departments, we were able to observe Valor’s checklist in use in a municipal setting.
Asset (Public Web Interface Server)
During our time working with the City of Suffolk, our team was tasked to scan a public web interface server, which is managed by the Parks and Recreation Department. This is a public-facing web server within their demilitarized zone (DMZ). Part of our analysis of the server was to perform a vulnerability and compliance scan using Tenable.io. Note that the public and local IP addresses are on file with the city, as well as in the attached Excel sheet. The results from the vulnerability scan show four Critical and eight High vulnerabilities, with an average age of 250 days for the Critical level and 224 days for the High level concerns. Our team was also able to identify a number of applications on the server, including CIFS (Common Internet File System), MSRDP (Microsoft Remote Desktop Protocol), WWW (World Wide Web), SMB (Server Message Block), Apache ActiveMQ, rmi_registry, and epmap (Endpoint Mapper).
Critical
From our analysis of the vulnerability scans, we addressed the critical vulnerabilities in the following order of greatest threat to least:
1) KB5044343: Windows Server 2012 R2 Security Update (October 2024)
2) Progress OpenEdge (000253075)
3) Oracle Java JRE
4) Microsoft Windows Server 2012 SEoL
To start off, the Windows Server update vulnerability has a Vulnerability Priority Rating (VPR) of 9.9. The control measure is simply to apply security update KB5044343. Applying this one update will eliminate 50 CVE instances out of the total of 87 CVEs on the public web interface server. Since this single update would eliminate more than 50 percent of the CVEs, we recommend prioritizing this remediation first.
The second most severe vulnerability is the Progress OpenEdge vulnerability, with a VPR of 7.3 and a Common Vulnerability Scoring System (CVSS) score of 10; the version currently installed is outdated. This vulnerability includes an authentication bypass in which usernames and passwords are not handled properly, granting unauthorized access on login attempts. The remediation is to upgrade Progress OpenEdge to version 11.7.19 or later.
The third critical item listed is the Oracle Java JRE, where the risk is the detection of an unsupported version. This means the vendor is no longer providing needed security updates and patches, leaving known security vulnerabilities unfixed. The best strategy is to upgrade to a new and supported version of Oracle Java JRE.
Finally, due to the complexity of installing new hardware, including cost, time consumption, and interdepartmental coordination, the vulnerability that is recommended last is the Microsoft Windows Server 2012 SEoL. The server is currently EoL (End of Life), meaning it is no longer supported by Microsoft with security updates, patches, or other technical support. The recommended solution is to upgrade the server to a newer and supported version.
High
Following the Critical vulnerabilities, the top three High vulnerabilities are as follows:
- Windows PrintNightmare Registry Exposure CVE-2021-34527 OOB Security Update RCE (July 2021)
- VMware Tools 10.3.x / 11.x / 12.x < 12.3.5 Token Bypass (VMSA-2023-0024)
- Azul Zulu Java Multiple Vulnerabilities (2024-11-12)
The first recommended priority is PrintNightmare, with a VPR score of 9.7. The risk lies in the Windows Print Spooler service, which performs privileged file operations. An authenticated attacker can exploit this to run arbitrary code with SYSTEM-level privileges. The advised control measure is to apply the CVE-2021-34527 security update and verify that the related registry entries are either set to zero or are not defined, per the CVE recommendations.
The next vulnerability is VMware Tools, with a VPR score of 6.7. The installed version is outdated and affected by a SAML token signature bypass, which bypasses authentication and lets an attacker directly assume the role of an authenticated user. Upgrading to VMware Tools version 12.3.5 or later is the best solution.
Third is the set of Azul Zulu Java vulnerabilities, with a VPR score of 6.7 and the second highest number of CVE instances among the Critical and High level vulnerabilities. The installed version is missing the appropriate security patches, leaving the system at risk of exploitation. We advise applying the appropriate patch according to the Nov 2024 Azul Zulu OpenJDK Patch Update advisory.
The last three High vulnerabilities are as follows:
- SSL Medium Strength Cipher Suites Supported (SWEET32)
- Security Updates for Microsoft .NET Framework (October 2024)
- Apache Shiro before 1.11.0 Authentication Bypass
First, the host supports SSL cipher suites that offer only medium strength encryption. We advise reconfiguring the affected application to avoid the use of medium strength ciphers. Next, the Microsoft .NET Framework on the remote host is missing a security update, allowing a denial of service (DoS) to occur. Applying Microsoft’s latest security update for .NET Framework is the best solution. The last High vulnerability is the authentication bypass in Apache Shiro. When Apache Shiro is used with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass. It is our recommendation to upgrade to version 1.11.0 or later.
Compliance
Enforcing compliance settings, such as those outlined in the CIS guidelines, is essential for safeguarding systems against unauthorized access, misconfigurations, and potential vulnerabilities. Meeting CIS compliance guidelines reduces the attack surface a threat actor can use.
In our scans we found that 48 out of 51 items failed the compliance audit. It is our recommendation that the group policy settings be updated to meet the compliance standards set by the organization. Additionally, as starting points, we recommend focusing on:
- 18.9.48.1 (L2) Ensure ‘Turn off the advertising ID’ is set to ‘Enabled’
- 18.9.20.1.12 (L2) Ensure ‘Turn off Windows Customer Experience Improvement Program’ is set to ‘Enabled’
- 18.10.37.2 (L2) Ensure ‘Turn off location’ is set to ‘Enabled’
- 18.9.20.1.3 (L2) Ensure ‘Turn off handwriting recognition error reporting’ is set to ‘Enabled’
- 18.8.1.1 (L2) Ensure ‘Turn off notifications network usage’ is set to ‘Enabled’
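As an added illustration (not part of the Suffolk Team A report or the city's own tooling), the following PowerShell script audits the Point and Print registry entries tied to the PrintNightmare mitigation described under High together with the five CIS L2 items listed above. The registry paths and value names are assumptions drawn from Microsoft and CIS documentation rather than from this report, and should be verified against the benchmark version the city uses.

```powershell
# Added example, not from the report. Registry paths/value names are assumed
# from Microsoft (KB5005010) and CIS benchmark documentation; verify locally.
$Checks = @(
    # PrintNightmare (CVE-2021-34527): after patching, these must be 0 or absent
    @{ Name='PointAndPrint NoWarningNoElevationOnInstall'; Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'; Value='NoWarningNoElevationOnInstall'; Expected=0; AllowMissing=$true },
    @{ Name='PointAndPrint UpdatePromptSettings';          Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'; Value='UpdatePromptSettings';          Expected=0; AllowMissing=$true },
    # CIS L2 items from the compliance list: value must be present and set as shown
    @{ Name='18.9.48.1 Turn off the advertising ID';                Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo';                  Value='DisabledByGroupPolicy';          Expected=1; AllowMissing=$false },
    @{ Name='18.9.20.1.12 Turn off Windows CEIP';                   Path='HKLM:\SOFTWARE\Policies\Microsoft\SQMClient\Windows';                        Value='CEIPEnable';                     Expected=0; AllowMissing=$false },
    @{ Name='18.10.37.2 Turn off location';                         Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors';               Value='DisableLocation';                Expected=1; AllowMissing=$false },
    @{ Name='18.9.20.1.3 Turn off handwriting error reporting';     Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports';          Value='PreventHandwritingErrorReports'; Expected=1; AllowMissing=$false },
    @{ Name='18.8.1.1 Turn off notifications network usage';        Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications'; Value='NoCloudApplicationNotification'; Expected=1; AllowMissing=$false }
)

function Test-RegistrySetting {
    param([hashtable]$Check)
    # Read the single value; a missing key or value returns $null rather than throwing
    $item = Get-ItemProperty -Path $Check.Path -Name $Check.Value -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # "Not defined" is acceptable only for the Point and Print entries
        $actual = '(not defined)'
        $status = if ($Check.AllowMissing) { 'PASS' } else { 'FAIL' }
    } else {
        $actual = $item.($Check.Value)
        $status = if ($actual -eq $Check.Expected) { 'PASS' } else { 'FAIL' }
    }
    [pscustomobject]@{ Check = $Check.Name; Expected = $Check.Expected; Actual = $actual; Status = $status }
}

$results = $Checks | ForEach-Object { Test-RegistrySetting -Check $_ }
$results | Format-Table -AutoSize
$failed = @($results | Where-Object Status -eq 'FAIL').Count
Write-Host "$failed of $($Checks.Count) checks failed"
```

Run it in an elevated session on the server after the KB and group policy changes are applied; any FAIL line identifies a setting that still differs from the recommended state.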
In this environment it is critical to meet compliance because the server is externally facing and accessible to the public. A vulnerability in this server can serve as an attacker’s initial access, later allowing them to pivot through the network.
Conclusion
The goal of this SWOT analysis is to find better ways to secure Suffolk’s public web interface server. First, ongoing vulnerability scans allow for more visibility into vulnerabilities and overall system health. However, there are some weaknesses that need to be addressed to reduce risk and meet SLAs, namely patch management and automating compliance requirements. Furthermore, having a hardened image can improve CIS compliance and reduce the time spent hardening machines. Finally, there are some major threats to this machine: one is the PrintNightmare RCE vulnerability, which can allow an attacker to gain initial access to the machine, and the other is the authentication bypass in Progress OpenEdge.
Despite the vulnerabilities and risks found on this server, gains can be made toward mitigating these risks and meeting both internal and industry standards. Having this baseline identification of risk can provide a springboard for planning future updates, patches, and infrastructure. The cyclical nature of identification and improvement is very important to ensure that the City of Suffolk can protect the data it stores and, by extension, the citizens of Suffolk.