Gather data

To help you navigate the infrastructure threat modeling module, we created a fictitious company called Woodgrove Bank.

Company background

Woodgrove Bank, established in 2018, is an online banking provider that gives customers the ability to conduct financial transactions and bill payments online.

With no physical locations, Woodgrove relies on an online portal and cross-platform applications for their daily operations.

Customers can choose from free online transfers, high-interest yield savings accounts, and bill payment services.

Transactions are secured using best-in-class encryption, and customer service is available 24 hours a day, 7 days a week.

With transparent fees, real-time status updates, and a money-back guarantee, Woodgrove has what it takes to gain your business.

Your task

You were recently brought in by Woodgrove Bank's senior leadership team to:

  • Identify infrastructure security gaps, and
  • Find ways to reduce or eliminate risk.

After you met with various employees from different departments and asked them the assessment questions, here's what you found out:

Meeting notes

Access control
  • Engineers use VPN to access the network.
  • Files with customer data are stored on file shares and are accessible by everyone.
  • File shares include a Network Attached Storage (NAS) device, local shares, and build servers.
  • The bank has two IT admins who are responsible for creating all infrastructure, like file shares, virtual machines, and so forth.
  • IT admins have write access to file shares and admin access to all virtual machines.
  • IT admins grant employees write access to file shares and virtual machines as the need comes up.
  • Access to Microsoft 365 and source code repositories on GitHub requires only basic credentials.
  • The domain controller is used mainly for local machine access.
  • There are no group policies enforced, like password complexity or expiration.
  • Linux machines can be accessed with local Linux credentials.
  • Shared service accounts with shared passwords are used for conference room machine access.
  • Shared accounts have the same permission levels as regular users.
  • A separate Microsoft Entra ID grants employees access to Microsoft 365.
  • Since they don't have federation, there are multiple credentials for multiple resources: VPN, local machines, GitHub, and at least 10 SaaS services.
  • 2FA is enabled on some resources, but not enforced.
  • Engineers use their own user accounts to make changes to the system.
Secure development
  • Since they’re growing so fast, engineers adopted portions of the Security Development Lifecycle (SDL), but not all.
  • They do code reviews and run a few static and dynamic analysis tools.
  • There are no formal security reviews or threat models.
  • No security training, bug bar guidance, or penetration testing teams.
  • They use GitHub to store their source code.
  • They use an open-source bug management solution to create, triage, and fix bugs.
Business continuity
  • Backups of critical systems are done weekly on the NAS and monthly on a removable drive, which is kept offsite.
  • Backups are unencrypted.
  • They haven't formalized a disaster recovery plan.
  • They haven’t done audits or recovery tests to ensure the backups are working properly.
Cryptography
  • They use self-signed certificates for their development environment.
  • Verisign certificates are used for the public facing website.
  • There are no guidelines on key rotation or certificate expiration.
Asset management
  • They keep data forever, and they don't have guidance for long-term data retention or archive.
  • No data classification or labeling mechanisms in place today to limit access to sensitive data, like credit card numbers and customer information.
  • Instead of classification, employees use specific folders to store documents, like "Financial," or "Human Resources." Access to those folders is unrestricted.
  • Since they're relatively new, they haven't disposed of any assets, so they don't have a formalized deprecation plan.
  • Data at-rest in databases is unencrypted.
  • No mechanisms available to prevent over-sharing of information.
  • The NAS stores: code artifacts, configuration files, and backups from the SQL server, domain controller, and build servers.
  • OneDrive was recently implemented to store company documents.
  • Disks mounted on virtual machines are unencrypted.
  • There is no requirement that engineers lock their workstations when they leave.
Legal
  • Employees sign non-disclosure agreements when they start, along with guidance on the recommended use of company property.
  • There's a specialized team that handles regulatory compliance.
Incident response
  • No formal incident response program for either the enterprise or product.
Network
  • Network is unsegmented and has no concept of a perimeter network.
  • Firewall has a basic set of inbound and outbound rules.
  • VPN takes credentials and a pregenerated token to create a secure connection to the corporate network.
Operations
  • Patches and updates are applied manually, on an ad hoc basis, by either of the IT administrators.
  • Machines have a basic antivirus solution installed, but there isn’t a way to verify if they’re running properly.
  • Machines aren't joined to a domain.
  • No time-out sessions to autolock machines.
  • The only resource engineers access on their phones is email, so they haven't yet enforced a Mobile Device Management (MDM) solution.
  • Logging and monitoring in the enterprise is minimal, consisting only of basic VPN and firewall events.
  • No intelligence platform used today to help the enterprise sift through their logs for potential attacks.
  • Only default rules are used for the firewall.
  • Firewall logs are kept on the same machine for seven days, and then overwritten with new activity.
  • Changes to the production environment require management approval.
Physical and environmental
  • There are five build servers, one domain controller, and a NAS device in an unlocked IT room.
  • No cameras or log sheets available.
  • Access to the building requires an RFID badge, but the building owner has access to all the rooms.
  • There are no cameras or guards in the building.
  • No official visitor check-in process.
Governance
  • No formalized information security policy or risk management program.
  • There are no specialized security training offerings for employees at this time.
Security architecture
  • Virtual machines are created using default images.
  • No process in place to check virtual machine images for known vulnerabilities.
  • No security baselines used.
  • Woodgrove Bank's internal infrastructure is a hybrid of both on-premises and cloud systems.
  • Woodgrove is moving to a cloud-only infrastructure in Azure.
  • There are no IoT devices or container usage in the company.
  • No operating system baselines.
Supplier
  • They use many third-party SaaS offerings.
  • No formal way to measure security maturity levels or enforce SLAs.
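Several of the findings above (shares open to everyone, no password policy, unencrypted disks, no idle lock, unverifiable antivirus) can be confirmed on a Windows host before they go into the threat model. The read-only audit script below is an added example, not part of this module or of any Woodgrove Bank tooling; the cmdlets it calls are standard Windows and ActiveDirectory-module cmdlets, while the `Add-Finding` helper, the `$Findings` list, the 14-character minimum length, the 15-minute idle timeout and the list of "broad" group names are this example's own assumptions.

```powershell
# Added example (not from the module): read-only checks for gaps recorded in the meeting notes.
# Run in an elevated PowerShell session on a workstation, build server, or the domain controller.

$Findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding {
    # Hypothetical helper: records one gap as domain / check / evidence.
    param([string]$Domain, [string]$Check, [string]$Detail)
    $Findings.Add([pscustomobject]@{ Domain = $Domain; Check = $Check; Detail = $Detail })
}

# Access control: file shares granted to broad groups (assumed list of group names).
$BroadGroups = 'Everyone|Authenticated Users|Domain Users|Users'
foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {
    $open = Get-SmbShareAccess -Name $share.Name |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.AccountName -match $BroadGroups }
    foreach ($ace in $open) {
        Add-Finding 'Access control' 'Share open to broad group' `
            "$($share.Name) ($($share.Path)): $($ace.AccountName) has $($ace.AccessRight)"
    }
}

# Access control: domain password policy (needs the ActiveDirectory module and a domain-joined host).
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    try {
        $pol = Get-ADDefaultDomainPasswordPolicy -ErrorAction Stop
        if (-not $pol.ComplexityEnabled) {
            Add-Finding 'Access control' 'Password complexity not enforced' "ComplexityEnabled=$($pol.ComplexityEnabled)"
        }
        if ($pol.MinPasswordLength -lt 14) {   # assumed threshold
            Add-Finding 'Access control' 'Short minimum password length' "MinPasswordLength=$($pol.MinPasswordLength)"
        }
    } catch {
        Add-Finding 'Access control' 'Domain password policy unavailable' $_.Exception.Message
    }
} else {
    Add-Finding 'Access control' 'Host not domain-managed' 'ActiveDirectory module absent; local accounts likely in use'
}

# Asset management: unencrypted disks (Get-BitLockerVolume exists only where BitLocker is installed).
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    foreach ($vol in Get-BitLockerVolume) {
        if ($vol.ProtectionStatus -ne 'On') {
            Add-Finding 'Asset management' 'Volume not encrypted' "$($vol.MountPoint): VolumeStatus=$($vol.VolumeStatus)"
        }
    }
} else {
    Add-Finding 'Asset management' 'BitLocker not available' 'Get-BitLockerVolume cmdlet not present on this host'
}

# Operations: no idle time-out / autolock for the current user (assumed 15-minute maximum).
$desktop = Get-ItemProperty 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
if ($desktop.ScreenSaveActive -ne '1' -or $desktop.ScreenSaverIsSecure -ne '1' -or [int]$desktop.ScreenSaveTimeOut -gt 900) {
    Add-Finding 'Operations' 'No secure idle lock' `
        "ScreenSaveActive=$($desktop.ScreenSaveActive) ScreenSaverIsSecure=$($desktop.ScreenSaverIsSecure) Timeout=$($desktop.ScreenSaveTimeOut)"
}

# Operations: antivirus registration (Security Center is present on client SKUs, not on servers).
$av = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
if (-not $av) {
    Add-Finding 'Operations' 'No antivirus product registered' 'SecurityCenter2 returned nothing, or host is a server SKU'
} else {
    foreach ($p in $av) {
        # productState is a bit field; 0x1000 in the middle byte means real-time protection is on.
        if ((($p.productState -shr 12) -band 0xF) -ne 1) {
            Add-Finding 'Operations' 'Antivirus not reporting real-time protection' "$($p.displayName) productState=$($p.productState)"
        }
    }
}

$Findings | Sort-Object Domain, Check | Format-Table -AutoSize
```

Each check is read-only, so it can be run on the five build servers, the domain controller, and engineer workstations and the output pasted directly into the assessment. The `productState` decoding follows the commonly documented layout of the Security Center bit field, but it is vendor-dependent, so treat that check as indicative and confirm it against the product's own console.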