[Internship Report] Prince Mohammed Bin Fahd University College of Computer Engineering and Science ARAMCO Information Protection and Planning Internship Advisor: Dr. Abul Bashar Intern: Abdullah Abdul-Aziz Al-Nafisi

Upload: lycong

Post on 22-Apr-2018


[Internship Report]
Prince Mohammed Bin Fahd University
College of Computer Engineering and Science

ARAMCO
Information Protection and Planning

Internship Advisor: Dr. Abul Bashar
Intern: Abdullah Abdul-Aziz Al-Nafisi

Submitted 29/08/2012

Executive Summary:

This report highlights the three-month internship experience at ARAMCO during the summer of 2012 (from 16 June to 5 September). It discusses some key subjects about the internship period. First comes the acknowledgment part, because the internship tasks would not have been possible without the support of many people. After that come the introduction and the company background part, which mentions some historical information about the company. Then the SWOT analysis tool is used; SWOT stands for the strengths, weaknesses, opportunities and threats that may be faced during the internship period at ARAMCO. After that, the organizational marketing and competitive strategy are discussed. Then the job history part highlights the major assignments and the timeframe for each one of them, and also provides a narrative description. After that, the conceptual framework part provides a basis for the technical part. The technical part reflects the actual projects undertaken or problems handled, and the methodology used, limitations, findings, and suggested solutions. Finally come the evaluation of the internship experience part and a summary of the findings and recommendations.

Acknowledgment:

The internship experience would not have been possible without the guidance and the help of several individuals who in one way or another contributed and extended their valuable assistance in the preparation and completion of my ARAMCO development plan.

Mr. Fahad Sabeela, my site supervisor for the third month, who helped me in the safety orientation and assigned me some e-learning courses: Safety Handbook-Basic and Telecommunication and Network Security. He also approved my IDP (Individual Development Plan).

Mr. Abdullah Garieshah, my site supervisor for the second month, who helped me with the development plan and assigned me a research project to work on.

Mr. Abdurrahman Al-Meniea, my site supervisor for the first month, who introduced me to the department tasks, the co-workers and the tasks handled by each one of them, and scheduled certain tasks for me.

Mr. Yazeed Al-Thobayti, the co-worker responsible for the access control task. He assigned me some manuals to read to help me understand how the network devices are organized in ARAMCO, and on what basis privileges are given to the users.

Mr. Tariq Khushaim, the co-worker who helped me in the unauthorized network access detection tasks.

Mr. Bandar Al-Harbi, the co-worker who helped me in understanding the patch management task.

Mr. Hussain Haddad, the co-worker who helped me in understanding network vulnerability management, and assisted me in some network access tasks.

Mr. Mohammed Al-Otaibi, the employment office supervisor. He helped us in the orientation week and explained to us some major safety tips.

Table of contents:

1. Introduction
2. Company Background
3. SWOT Analysis
4. Organizational marketing strategy
5. Organizational competitive strategy
6. Job history
7. Conceptual framework
8. Technical part
9. Evaluation of the internship experience
10. Summary of findings and recommendations
11. Conclusion
12. References and Appendices

1. Introduction:

The internship that I experienced in ARAMCO was in the Information Protection and Planning department in Al-Midara Tower. The division is divided into 5 groups: Communication protection group, Windows protection group, UNIX & database protection group, protection monitoring & incident management group and protection support & log management group. I worked with the communication protection group. The group handles different tasks such as network access management, network vulnerability management, compliance, unauthorized network access detection and security posture management. In addition to the tasks that I experienced and monitored, there were some useful workshops that I attended, such as understanding the overall process. Also, I delivered a research project and presentation about VoIP (Voice over Internet Protocol) security tools: the tools' description, features, comparison and recommendation. The e-learning courses were very helpful and available on the ARAMCO websites, which cover almost everything in the area of IT, such as wireless security, telecommunication and network security. This report will provide detailed information about the company background, SWOT analysis of the company, organization marketing and competitive strategy, the job history in the three months, conceptual framework, technical part, evaluation of the internship experience and summary of findings and recommendations.

1.1 Communications Protection Group (CPG)

1.1.1 Introduction:

Communications Protection Group (CPG) is responsible for securing Saudi Aramco network devices (routers, switches, proxies, firewalls, wireless, modems, etc.) by conducting comprehensive vulnerability and compliance assessment, security risk analysis, security patch management, access control management, and detection of unauthorized modems and wireless access points. CPG produces periodic reports of vulnerable, non-compliant, or unauthorized systems to proponents for remediation. The overall objective is to make sure all network devices are in line with the corporate information protection security standards and guidelines and security best practices.

1.1.2 Functions:

The primary functions and tasks associated with CPG include:

A. Security Assurance:

Assesses network access to assure secure interconnectivity of servers, computers, and network devices.

B. Security Vulnerability Assessment:

Conducts and reports vulnerability assessments on network devices and follows up on them.

C. Security Compliance Management:

- Reviews security changes of network and security systems (such as firewalls, VPN, proxy, wireless, VoIP, etc.).
- Monitors, reports, and follows up on the security configuration compliance of network devices against the baselines.
- Detects, reports, and follows up on unauthorized network devices connected to the corporate network.

D. Security Patching Management:

Reviews and reports on network security patches of network devices (FW, IPS, routers, switches, VoIP, etc.) and follows up on them.

E. Access Management:

Manages access to corporate communications devices such as routers, switches, firewalls, proxies, telephone switches, and transmission devices.

2. Company Background:

Saudi ARAMCO is the national oil company of Saudi Arabia. Saudi Aramco was estimated to be worth $781 billion in 2005, making it the world's most valuable company. Headquartered in Dhahran, Saudi Arabia, Saudi Aramco operates the world's largest single hydrocarbon network, the Master Gas System. Its yearly production is 7.9 billion barrels. It managed over 100 oil and gas fields in Saudi Arabia, including 279 trillion of natural gas reserves. Saudi Aramco owns the Ghawar Field, the world's largest oil field, and the Shaybah Field, one of the world's largest oil fields.

The origins of Saudi Aramco can be traced back to 29 May 1933, when the Saudi government granted a concession to Standard Oil of California. The concession allowed them to explore for oil in Saudi Arabia. After four years of fruitless exploration, the first success came with the seventh drill site in Dammam, a few miles north of Dhahran, in 1938, a well referred to as Dammam No. 7. This well immediately produced over 1,500 barrels per day, giving the company confidence to continue. The company name was changed in 1944 from California-Arabian Standard Oil Company to Arabian American Oil Company (or Aramco). Company operations include exploration, producing, refining, chemicals, distribution and marketing.

Saudi ARAMCO's vision and commitment to remain the world leader in the production of petroleum-based energy is complemented by their commitment to help solve a host of pressing issues. They believe that they can make a difference wherever they do business by investing in innovation and entrepreneurship, creating educational opportunities, powering economic progress, increasing environmental awareness, and working in partnership for energy sustainability.

Saudi ARAMCO's mission is to maximize downstream investment revenue and to take their maximum sustained crude oil production capacity to 12 million barrels per day, which will help them meet the projected call on their crude oil in the decades to come while also maintaining sufficient spare capacity to help ensure market stability, a key objective of the Kingdom’s oil strategy. Saudi Aramco’s activities thus cover the whole globe and span the entire petroleum value chain, from reservoir to petrol pump and petrochemical plant and everything in between.

The ARAMCO Information Protection & Technical Planning organization chart:

[Organization chart: INFO PROTECTION & TECH PLNG DEPT, with ACCESS MANAGEMENT DIV, DEMAND MANAGEMENT DIV, INFO PROTECTION CENTER DIV and INFO TECHNOLOGY PLANNING DIV]

The Information Protection Center Division organization chart:

[Organization chart: INFO PROTECTION CENTER DIV, with COMMUNICATION PROTECTION GP, PROTECTION MONITORING & INCIDENT MGMT GP, PROTECTION SUPPORT & LOG MGMT GP, UNIX & DATABASE PROTECTION GP and WINDOWS PROTECTION GROUP]

3. SWOT Analysis:

Strengths:
- Have many principal members with extensive background and education.
- One of the largest I.T Networks in Saudi Arabia.
- Supported by the government
- Has huge potential in terms of

Weaknesses:
- Each member focuses on his own task.
- Some decisions regarding some vulnerabilities are taken by other, unrelated management departments.

4. Organizational marketing strategy:

This useful article about ARAMCO's marketing strategy was published on many global websites:

“Aramco Trading is a new SA unit set up earlier this year to begin by end-2011 to trade in refined products, maximize downstream integration and generate value by leveraging its growing global system. Named Saudi Aramco Product Trading Co. and based in the kingdom, this will enhance the system of balancing refined petroleum products and back SA's expanding local and overseas downstream investment portfolio.

Addressing customers and industry participants at annual IP Week gathering in London, SA Senior VP for the Downstream Khaled G. al-Bu'ainain in February said: "Through the establishment of this new subsidiary, Aramco Trading, we hope to better capture integration opportunities in our global system, and additionally create more value for our expanding downstream business in Saudi Arabia and overseas". He said with energy demand forecast to rise in the long term, SA continued to demonstrate its commitment to meeting future demand by undertaking a significant downstream capital programme via investments through its subsidiaries, affiliates and JV in Saudi Arabia and abroad.”

5. Organizational competitive strategy:

Saudi Aramco (SA) is considered to be one of the most valuable companies in the world, with an estimated valuation of between $2.2 trillion and $7 trillion in 2010. It owns most of the crude oil reserves in Saudi Arabia and some other Middle Eastern sites, and runs the largest hydrocarbon distribution network in the world.

Saudi Aramco has a strict competitive strategy based on profit maximization as well as keeping ahead of the competition, which is what is necessary for survival. It has been able to build efficient capabilities over its supply chain to survive the competition. Competition in the domestic market is minimal for Saudi Aramco, as it is the state-owned player and hence will always get the preference during major deals in the field of expansion and refining. But for finished goods like hydrocarbon products, it has significant competition from other domestic players such as SABIC. Also, in the overseas markets it must compete with global giants such as Shell, BP and Exxon, but it holds large oil reserves in the home country, offering it a competitive edge.

6. Job history:

| Assignment | Timeframe | Description |
|---|---|---|
| Network Access Management | Three Weeks | Manages access to corporate communications devices such as routers, switches, firewalls, proxies, telephone switches, and transmission devices. |
| Network Vulnerability Management | Two Weeks | Conducts and reports vulnerability assessment on network devices and follows up on them. |
| Network Compliance Assessment | One Week | Reviews security changes of network and security systems. |
| Network Access detection | Two Weeks | Assesses the network access to assure secure interconnectivity of servers, computers, and network devices. |
| Unauthorized network access detection | Two Weeks | Monitors unauthorized access to the company network. |
| Security Patch management | Two Weeks | Reviews and reports on network security patches of network devices (FW, IPS, routers, switches, VoIP, etc.) and follows up on them. |

7. Conceptual framework:

7.1 Communication Access Control Task:

Table 1 below shows the current infrastructure for Authentication, Authorization, and Accounting (AAA) servers (Cisco ACS and Steel Belted):

| Server Name | Type | Server IP address | Location | Server model | Server type |
|---|---|---|---|---|---|
| csacs-1 | Cisco ACS | Confidential | TCC | Appliance (Primary) | Enterprise |
| csacs-2 | Cisco ACS | Confidential | TCC | Appliance (Backup) | Enterprise |
| dha00730-npgp01 | Steel Belted | Confidential | TCC | Microsoft 2003 (Primary) | Enterprise server |
| BC335007 | Steel Belted | Confidential | B840, R1000 | Microsoft 2003 (Backup) | Enterprise server |

ACS (Cisco Secure Access Control Server) is used in the Aramco corporate network to provide AAA service for the network devices, and it authorizes the user at a specified privilege depending on which group he belongs to in the ACS.

Below are the network device models on ACS:

- All Cisco Routers/Switches/FW
- TACACS+ (Cisco IOS): Routers/Switches & Huawei Routers
- RADIUS (juniper FW) Netscreen
- RADIUS (Alcatel) 7670
- RADIUS (Foundry) Switches
- RADIUS (Marconi BXR) Routers
- RADIUS (Marconi) Switches
- RADIUS (Cisco Aironet) Cisco Access Point (For User’s Access)

Steel Belted Radius (SBR) is used in the Aramco corporate network to provide AAA service for more network devices, and it authorizes the user at a specified privilege depending on which group he belongs to on this server.

Below are the network device types/models on SBR:

- All Alcatel Switches Models except 7670
- Aruba Wireless Networks: Switches
- BelAir Access Points
- Cisco Aironet Access Point (For Admin’s Access)

Adding New Clients:

The flowchart below clarifies this process:

[Flowchart: Receive a Notification from Network Admins. to Add Clients → Decide to which RADIUS\TACACS+ Servers Need to be added on → Add the New Client(s) in Appropriate Way → Notify them of Action Completion]

Removing Decommissioned Clients:

The flowchart below clarifies this process:

[Flowchart: Receive a Notification from Network Admins. for Decommissioned Clients → Decide in which RADIUS\TACACS+ Servers Need to be decommissioned from]

Granting User’s Access & Privileges

The flowchart below clarifies this process:

[Flowchart: Receive Approved CRM Request → Review the Request → Identifying which Level of Authority will be granted → Grant the User the Needed Access → CRM Update and Closure]

Dealing with Expired User’s Access

The flowchart below clarifies the current process:

[Flowchart boxes: User receives notification of access’s expiration one month ahead; Check if the user applied a new CRM (Yes/No decisions); User receives notification of access’s expiration two weeks ahead; Revoke Access]

7.2 Vulnerability Assessment:

Vulnerability Assessment Process Overview:

Communication protection group handles network device vulnerability assessment and compliance. Network operation management and Expec Computer center network support are the divisions responsible for network device operation, and they are the primary customers of the communication protection group.

1. Scope and Scan Frequency

Vulnerability assessment is performed against three different zones within the Saudi Aramco network. Each zone has a different criticality level, hence frequencies are applied accordingly.

| Zone | Frequency |
|---|---|
| Extranet & Internet | Every 2 months |
| Intranet | Quarterly |
| ECC | Quarterly |

The Vulnerability Assessment process consists of five phases:

1. Information Gathering.
2. Scanning in Stages.
3. Identifying Vulnerabilities.
4. Reporting and Follow Up.
5. Verifying.

8. Technical part:

8.1 Communication Access Control Task:

I worked on several tasks that are related to the communication access control task. First I learned the predefined privileges based on the department on each server (Steel Belted Radius or Access Control Server).

Granting User’s Access to Cisco Secure - Access Control Server (ACS) Server

Based on the group the user belongs to, the user should be added to the corresponding group in the Active Directory. The corresponding group in the Active Directory defines the privileges the user will get on the ACS server. Table 2 below illustrates the privileges assigned to each group.

| Groups/Platforms | TACACS+ (Cisco Routers) | RADIUS (Cisco IOS/PIX) | Ascend | Juniper (Routers) | Foundry | Alcatel 7670 | NS (FW) |
|---|---|---|---|---|---|---|---|
| Data Network Management | Level 15 (Admin) | Level 15 (Admin) | Admin | Admin | Level 0 (Admin) | Level 2 (Admin) | Read Only |
| Engineering | Level 2 (Read Only) | Level 2 (Read Only) | Read Only | Read Only | - | Limited Access | - |
| Area Support | Level 2 (Read Only) | Level 2 (Read Only) | Read Only | Read Only | - | Limited Access | - |
| Security | Level 15 (Admin) | Level 15 (Admin) | Admin | Admin | Level 4 | Level 2 (Admin) | - |
| Monitoring | Level 1 (Read Only) | - | Read Only | Read Only | - | Limited Access | - |
| CommOps | Level 2 (Read Only) | Level 2 (Read Only) | Read Only | Read Only | - | Limited Access | - |
| PMG | Level 4 | Level 4 | - | - | - | - | - |
| NPG Admin | Level 2 (Read Only) | Level 2 (Read Only) | Read Only | Read Only | - | - | Read/Write |
| NPG Access | - | - | - | - | - | - | Read Only |
| NOC Access | Level 15 (Admin) | Level 15 (Admin) | Admin | Admin | Level 4 | Level 2 (Admin) | Read/Write |
| BXR Routers | - | - | - | Read Only | - | - | - |

Table 2: Access Privileges Mapped to Groups in the Active Directory for the ACS server.

How to Add/Remove a User to/from the Corresponding Group in the Active Directory:

In Active Directory Users & Computers, go to “Aramco.com / Corporate Accounts / Network Devices Administrative Groups” as shown below.

Double-click the group to which the user belongs. For example, to add or remove users who belong to Area IT, double-click Area Support Group.

Click the Members tab.

To Add User Privileges

- Click Add to add a new user.
- Insert the user’s network ID, then click Check Names.
- Two names will appear. Pick the one that does NOT have the home internet property in the description.
- Click OK.
- Now the user has been added to the Area Support Group and will get the privileges that Area Support Group has in the ACS.

To Remove User Privileges

After reaching the Members tab (see below):

- Select the user to remove, then click Remove.
- Then click Yes to confirm removing the user.
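Because the Active Directory group alone decides what a user gets on the ACS, group membership is what has to be reviewed. The following is an added example, not part of the original report and not Aramco's tooling: it checks a membership export against Table 2. The export format (a dictionary keyed by the Table 2 row names), the sample users and the finding names are assumptions made for the example.

```python
from collections import defaultdict

# Platform columns and group rows transcribed from Table 2 of this report.
PLATFORMS = ["TACACS+ (Cisco Routers)", "RADIUS (Cisco IOS/PIX)", "Ascend",
             "Juniper (Routers)", "Foundry", "Alcatel 7670", "NS (FW)"]
L15, L2RO = "Level 15 (Admin)", "Level 2 (Read Only)"
RO, LIM = "Read Only", "Limited Access"
TABLE_2 = {
    "Data Network Management": [L15, L15, "Admin", "Admin", "Level 0 (Admin)",
                                "Level 2 (Admin)", RO],
    "Engineering":  [L2RO, L2RO, RO, RO, "-", LIM, "-"],
    "Area Support": [L2RO, L2RO, RO, RO, "-", LIM, "-"],
    "Security":     [L15, L15, "Admin", "Admin", "Level 4", "Level 2 (Admin)", "-"],
    "Monitoring":   ["Level 1 (Read Only)", "-", RO, RO, "-", LIM, "-"],
    "CommOps":      [L2RO, L2RO, RO, RO, "-", LIM, "-"],
    "PMG":          ["Level 4", "Level 4", "-", "-", "-", "-", "-"],
    "NPG Admin":    [L2RO, L2RO, RO, RO, "-", "-", "Read/Write"],
    "NPG Access":   ["-", "-", "-", "-", "-", "-", RO],
    "NOC Access":   [L15, L15, "Admin", "Admin", "Level 4", "Level 2 (Admin)",
                     "Read/Write"],
    "BXR Routers":  ["-", "-", "-", RO, "-", "-", "-"],
}


def classify(cell):
    """Reduce a Table 2 cell to a coarse access class."""
    text = cell.lower()
    if text == "-":
        return "none"
    if "admin" in text:
        return "admin"
    if "read/write" in text:
        return "write"
    if "read only" in text:
        return "read"
    if "limited" in text:
        return "limited"
    return "unlabelled"  # e.g. "Level 4": Table 2 gives no label for it


def review(memberships):
    """memberships: {group name: [network IDs]} -> (access, findings)."""
    groups_of = defaultdict(list)
    findings = []
    for group, users in memberships.items():
        if group not in TABLE_2:
            # A group with no row in Table 2 has no documented privilege.
            findings.append(("unknown-group", group, sorted(users)))
            continue
        for user in users:
            if group not in groups_of[user]:
                groups_of[user].append(group)
    access = {}
    for user, groups in groups_of.items():
        per_platform = {}
        for i, platform in enumerate(PLATFORMS):
            classes = {classify(TABLE_2[g][i]) for g in groups} - {"none"}
            if classes:
                per_platform[platform] = classes
        access[user] = per_platform
        if len(groups) > 1:
            # Which mapping wins depends on the AAA server; the report
            # does not say, so the account is flagged for a decision.
            findings.append(("multi-group", user, sorted(groups)))
            mixed = [p for p, c in per_platform.items() if len(c) > 1]
            if mixed:
                findings.append(("mixed-privilege", user, mixed))
    return access, findings


def admin_holders(access):
    """Users whose groups give admin on at least one platform."""
    return sorted(u for u, per in access.items()
                  if any("admin" in c for c in per.values()))


# Constructed sample export; users and the last group are invented.
SAMPLE_MEMBERSHIPS = {
    "Area Support": ["user01", "user02"],
    "Security": ["user02", "user03"],
    "Monitoring": ["user04"],
    "Temp Contractors": ["user05"],  # not a Table 2 group
}

if __name__ == "__main__":
    acc, found = review(SAMPLE_MEMBERSHIPS)
    for item in found:
        print(item)
    print("admin holders:", admin_holders(acc))
```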

Granting User’s Access Privileges to the Steel Belted Radius (SBR) Server:

Table 3 below is given only to give a general idea about assigning access authorization. The table is given for simplification purposes only, and should NOT be used as a guideline for assigning user privileges on SBR servers.

| Organization/Platforms | Alcatel Switches (Except 7670) | Aruba Wireless Devices | BelAir Access Points |
|---|---|---|---|
| NIMG | Admin | Admin | Admin |
| Engineering Staffs | Read-Only | Read-Only | Read-Only |
| Area IT | Admin | Read-Only | Read-Only |
| NSSG | Read-Only | Read-Only | Read-Only |
| Monitoring Staffs | Read-Only | Read-Only | Read-Only |
| CommOps Staffs | Admin | Read-Only | Read-Only |
| IPC/PMIMG | Read-Only | Read-Only | Read-Only |
| NPMG | Admin | Read-Only | Read-Only |
| NOC Analysts (Only) | Admin | Admin | Admin |

Table 3: Access Privileges Authorization in the SBR server

To Add User Privileges

- Log on to the primary SBR server.
- Ensure that the user is added to his corresponding group in the Active Directory.
- Log on to the SBR application “SBR Administrator (Funk Software)”.
- From the GUI, click Users, then click Domain. After that click Add, as shown below:
- In the Name field, write \\ARAMCO\Network ID.
- Check the Use Profile box for a pre-defined privilege in the drop-down menu, as shown below.
- From the pre-defined privileges available in the drop-down menu, select the appropriate privileges:
- You can also add more privileges through the Return list tab: click Add, then pick the specified privilege from the scroll menu. Below is an example of giving “read” access to a user for Aruba devices:

To Remove User Privileges:

- Go to the Domain list, and then select the user to be removed.
- Click Delete.

To limit privileges, click the Domain list as shown above, scroll to the user, double-click his account and remove services according to the CRM request.

8.2 Vulnerability Assessment:

1. Information Gathering:

In this phase IPCD/CPG will gather network device IP addresses from NOMD and ECC, organized into types, criticality, OS version, and model. The scope should cover a good sample of network devices, which could give an excellent representation of the network security posture in Saudi Aramco. This process could be automated if NOMD and ECC have a system that includes an updated list of all network device IP addresses.

The term network devices covers all IP-based network equipment, such as VPN, firewalls, proxies, switches, routers, IPS, wireless controllers, FAT access points, etc.

[HOW TO] Gather Required Network Devices Information?

You should contact NSSG supervisor, NIMG supervisor, NPMG supervisor and ECC supervisor to assign a representative to work with you.

2. Scanning in phases:

Before performing any scan, a non-service-affecting change request has to be created and the following groups have to be notified beforehand:

- Network Operation Center
- IPTPD/IPCD/Protection Monitoring & Incident Mgmt Group
- ECC

[HOW TO] Create a Change Request

In order to perform scanning on any system, a change request has to be created. The change request must include and comply with the following:

- All required documents must be uploaded.
- Scanning should always be performed outside working hours.
- A task has to be created and assigned to the NIMG rep or the ECC rep.
- Most importantly, the change has to be approved by TCC_NETWORKS, the approval group in Remedy.

Type in your user name and password, then hit log-in:

Then hover over Change Management and click on New Change:

Then fill in the request as follows:

Summary: Scanning network devices for vulnerabilities as part of IPCD quarterly functions

Notes: Scanning will be performed by some certain scanning Foundstone appliances:

Click on Risk Questions:

Answer as below:

Then click Next and answer as below:

Then click Save. After that, click on Implementation Plan, then attach the IP addresses that need to be scanned:

Then add the back-out plan and test plan as below:

Back out:

Test plan:

Then fill in the categorization as below:

Then select the date and time as below:

Finally, click Save, then Next Stage.

Note that a scan has been created for all scanning activities. The fact that the “Type” selected is “Cisco” doesn’t mean that this change will only be used for Cisco.
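The scan frequencies per zone and the change-request conditions above can be checked mechanically before a scan is scheduled. The following is an added example, not part of the original report and not a Remedy or Foundstone API: the change-request field names, the problem codes, the working days and hours, and the sample dates are all assumptions constructed for the example.

```python
import calendar
from datetime import date, datetime, time, timedelta

# Months between scans per zone, from the "Scope and Scan Frequency"
# table in this report (quarterly = every 3 months).
SCAN_INTERVAL_MONTHS = {"Extranet & Internet": 2, "Intranet": 3, "ECC": 3}
# Groups the report says must be notified before any scan.
NOTIFY = ["Network Operation Center",
          "IPTPD/IPCD/Protection Monitoring & Incident Mgmt Group", "ECC"]
# Plans the walkthrough attaches to the change request.
REQUIRED_PLANS = ["implementation_plan", "back_out_plan", "test_plan"]


def add_months(d, months):
    """Calendar-month addition, clamping to the last day of the month."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def zones_due(last_scans, today):
    """Return {zone: due date} for zones due on or before today."""
    due = {}
    for zone, months in SCAN_INTERVAL_MONTHS.items():
        last = last_scans.get(zone)
        next_due = add_months(last, months) if last else today  # never scanned
        if next_due <= today:
            due[zone] = next_due
    return due


def overlaps_working_hours(start, end, work_days, work_start, work_end):
    """True if [start, end) touches working hours on any working day."""
    day = start.date()
    while day <= end.date():
        if day.weekday() in work_days:
            ws = datetime.combine(day, work_start)
            we = datetime.combine(day, work_end)
            if start < we and ws < end:
                return True
        day += timedelta(days=1)
    return False


def check_change_request(cr, work_days, work_start, work_end):
    """Return a list of problem codes; an empty list means ready to scan."""
    problems = ["missing:" + p for p in REQUIRED_PLANS if not cr.get(p)]
    if overlaps_working_hours(cr["start"], cr["end"],
                              work_days, work_start, work_end):
        problems.append("window-in-working-hours")
    if cr.get("task_group") not in ("NIMG", "ECC"):
        problems.append("task-not-assigned-to-NIMG-or-ECC")
    if "TCC_NETWORKS" not in cr.get("approved_by", []):
        problems.append("not-approved-by-TCC_NETWORKS")
    for group in NOTIFY:
        if group not in cr.get("notified", []):
            problems.append("not-notified:" + group)
    return problems


# Constructed sample values (not taken from the report).
WORK_DAYS = {5, 6, 0, 1, 2}                     # Saturday to Wednesday; Monday is 0
WORK_START, WORK_END = time(7, 0), time(16, 0)
GOOD_CR = {
    "implementation_plan": "scan-targets.txt",  # attached IP address list
    "back_out_plan": "stop the scan job",
    "test_plan": "confirm devices respond after the scan",
    "start": datetime(2012, 7, 10, 20, 0),
    "end": datetime(2012, 7, 11, 2, 0),
    "task_group": "NIMG",
    "approved_by": ["TCC_NETWORKS"],
    "notified": list(NOTIFY),
}

if __name__ == "__main__":
    print(zones_due({"Intranet": date(2012, 5, 1)}, date(2012, 7, 10)))
    print(check_change_request(GOOD_CR, WORK_DAYS, WORK_START, WORK_END))
```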

Foundstone User Access Control: To be able to carry out scanning activities, you need to be granted access to Foundstone. You may approach one of the Foundstone Admins within Communication Protection Group.

[HOW TO] Create a Scan Using Foundstone

In order to perform a scan, you first have to ensure that you have a static IP address, which the Foundstone administrator will have to add to the Foundstone firewall in order for you to reach the tool. If you don’t have a Foundstone user name and password, ask the Foundstone admin to create one for you with access limited to your business needs.

A. The user has to hover over the ‘Scans’ menu, and then pick ‘New Scan’.


B. After selecting ‘New Scan’, the user is presented with the following screen. This screen prompts the user. Pick ‘Use Foundstone’s default settings’ option.

C. The following screen is then presented.


An IP address range or specific address can be set.

D. The next screen allows the user to pick the targeted vulnerabilities for the scan being created.


The user has to ensure that only non-intrusive scans are being performed.

E. Specific ports can be added to the scan’s default range provided by McAfee.


F. Under ‘Advanced Options’, more tasks can be performed like: ‘Banner Grabbing’ and ‘Service Fingerprinting’.

G. The credentials for targeted devices have to be set in order to perform accurate vulnerability assessment. The following screenshot shows that panel.


H. Username, password and access method can be supplied after clicking ‘New’, as shown in the screenshot below. Shell Default and General are to be selected to log in to any network device. An Active Directory user name/password must be used to authenticate to all network devices, on the condition that you have already been granted access to network devices. If not, you can apply for network device access through CRM.

Below is an example of logging in to a newly configured firewall with a local user name and password.


I. Report options can be specified for when the scan is done.


Various report options can be changed here.

J. A scan schedule can be set.

The ‘Immediate’ option makes the scan run right after the new scan is saved in this case.


3. Identifying vulnerabilities:

Once the scan is complete, IPCD/CPG will filter out the results and verify the vulnerabilities found. The findings will be categorized into groups based on criticality.

Vulnerabilities are reported by severity. Therefore high impact vulnerabilities will be reported first and then medium and so on in future reports.

Viewing scan status is done by going to the Foundstone dashboard, hovering over ‘Scan’, then picking ‘Scan Status’.

After that, a screen similar to the one below is shown:


The user has to click ‘View Reports’.

Finally, a list of all previous scans can be found in the dropdown menu. Make sure to pick the ‘Scan Reports’ radio button to see the completed scan reports.


4. Reporting and follow up:

Reports will be generated and sent to NOMD and ECC management. A letter with a high-level summary report is sent to NOMD and ECC management, and a technical report is shared with NOMD and ECC network administrators through Sharek.

Some vulnerabilities might require immediate rectifying, while others could take more time to fix. The technical report should include the methodology that IPCD/CPG has followed, the scope, the objective, a list of vulnerabilities found and fixing instructions. For report samples, please visit ShareK.

Reports are stored in ShareK, and permissions to access these reports are given only to the assigned NOMD and ECC network administrators. Access to the technical reports in Sharek is reviewed quarterly to ensure only authorized personnel view the reports. Sharek undergoes a regular backup and restoration process by COD (Computer Operation Division). COD can be approached through the department CSL.

5. Verifying:

In this phase, IPCD/CPG will rescan the vulnerable network devices to make sure that vulnerabilities were eliminated from the system as suggested in the report. The verifying phase will start immediately after the due date mentioned in the findings report. Any vulnerabilities exceeding the defined due date of repair will be escalated in accordance with the approved OLA (refer to Sharek).
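The following added example (not part of the original report, and not Foundstone's own code or export format) shows the bookkeeping behind phases 3 to 5: findings ordered by severity for reporting, a verification rescan compared against the reported list, and items still present past their due date flagged for escalation. The record fields, check identifiers, IP addresses and dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Reporting order from phase 3: high-impact findings first, then medium, and so on.
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Finding:
    device_ip: str   # scanned network device
    check_id: str    # identifier of the failed check (hypothetical naming)
    severity: str    # one of SEVERITY_ORDER
    due_date: date   # repair due date stated in the findings report

    def __post_init__(self):
        if self.severity not in SEVERITY_ORDER:
            raise ValueError(f"unknown severity: {self.severity!r}")

    @property
    def key(self):
        return (self.device_ip, self.check_id)


def report_order(findings):
    """Sort findings the way the report lists them: by severity, then due date."""
    return sorted(findings,
                  key=lambda f: (SEVERITY_ORDER[f.severity], f.due_date, f.key))


def verify(reported, rescan_hits, rescanned_devices, today):
    """Classify reported findings after the verification rescan (phase 5).

    fixed      - device was rescanned and the finding no longer appears
    open       - finding still present, due date not yet passed
    escalate   - finding still present after its due date
    unverified - device was not reached by the rescan, so the absence of a
                 hit proves nothing and the finding must not count as fixed
    new        - rescan hits that were never in the findings report
    """
    status = {"fixed": [], "open": [], "escalate": [], "unverified": []}
    for f in report_order(reported):
        if f.device_ip not in rescanned_devices:
            status["unverified"].append(f)
        elif f.key not in rescan_hits:
            status["fixed"].append(f)
        elif today > f.due_date:
            status["escalate"].append(f)
        else:
            status["open"].append(f)
    status["new"] = sorted(set(rescan_hits) - {f.key for f in reported})
    return status


# Constructed sample data (documentation IP ranges, made-up check ids).
REPORTED = [
    Finding("192.0.2.10", "CHK-1001", "medium", date(2012, 7, 15)),
    Finding("192.0.2.10", "CHK-2002", "high", date(2012, 7, 1)),
    Finding("192.0.2.20", "CHK-1001", "high", date(2012, 7, 1)),
    Finding("198.51.100.5", "CHK-3003", "low", date(2012, 8, 1)),
    Finding("198.51.100.9", "CHK-2002", "high", date(2012, 7, 1)),
]
# 198.51.100.9 did not answer during the rescan.
RESCANNED_DEVICES = {"192.0.2.10", "192.0.2.20", "198.51.100.5"}
RESCAN_HITS = {
    ("192.0.2.10", "CHK-1001"),
    ("192.0.2.10", "CHK-2002"),
    ("192.0.2.20", "CHK-4004"),   # not in the original report
    ("198.51.100.5", "CHK-3003"),
}

if __name__ == "__main__":
    result = verify(REPORTED, RESCAN_HITS, RESCANNED_DEVICES, date(2012, 7, 10))
    for state in ("escalate", "open", "unverified", "fixed"):
        for f in result[state]:
            print(f"{state:<10} {f.severity:<6} {f.device_ip:<13} {f.check_id} due {f.due_date}")
    for ip, check in result["new"]:
        print(f"{'new':<10} {'':<6} {ip:<13} {check}")
```
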


9. Evaluation of the internship experience:

The internship experience was what the company (ARAMCO) described and provided to me in the Individual Development Plan (IDP). The IDP states that I will work on certain tasks such as: safety orientation, network access management, network vulnerability management, network compliance assessment, network access detection and security posture management.

My supervisor and co-workers were helpful and friendly. The site supervisor provided me with the development plan, assigned me a project to work on, and scheduled some workshops for me to attend. Co-workers in the communication protection group helped me with the tasks that each one of them is responsible for.

The level of responsibility given was what I expected. My opportunity to participate in staff meetings and events was good. I gained experience of how staff meetings are conducted and what I should prepare before a meeting.

I was provided with the equipment and training needed to perform my responsibilities. They provided me with an HP laptop and a USB docking station. For the tasks that I was responsible for, such as network access, they gave me the privileges needed to handle these tasks.

My education at PMU prepared me for the internship. The courses in the network area helped me the most, such as: network security, network theory and network management.

I will recommend Saudi Aramco as a place to work for an internship student, especially Al-Midra Tower, because of the high technology they have and the various services and facilities they provide to their employees.


10. Summary of findings and recommendations:

Findings:

Communication protection group is the most important group in the Information protection and planning department due to the different tasks that they handle and their importance to ARAMCO.

Some major issues and attacks that occur on the company network require bringing in different employees from different departments outside the communication protection group.

There are many projects that the information protection department works on yearly, and they achieve a lot of success in many big projects that cost the company a lot of money, but the benefit is high.

Employees in the department sometimes take the initiative on their own time to do some additional tasks, with the permission of the supervisor, to scan and troubleshoot some devices.

In terms of organizing the tasks, they provided well-written manuals to guide any newcomers to the department.

Recommendations:

Some tasks that the department handles need to be separated and divided among other departments' own IT groups. For example, the vulnerability assessment performs scans of two major areas in ARAMCO. The Expec Computer Center should handle its own vulnerability assessment task.

Some employees should be aware of other tasks in the same department that they are not responsible for, in case any employee leaves the company or goes on vacation, so that the function will not pause.

Creating a more competitive environment by presenting the most productive employees with additional benefits.

Most of the department employees were computer science majors, and some tasks required a deep technical understanding of network security behaviors, so most of the time they bring someone from the engineering side to assist them.


11. Conclusion:

It was a great and gainful experience to work as an intern in Saudi Aramco. I learned by practice: discipline, the importance of time, communication skills, and to be an organized and helpful team member. Also, in case I faced an issue, how I should deal with it correctly and whom I should contact first. I have accomplished the assigned project about VoIP security tools, which I researched and presented to the department members with some recommendations.

Working in Saudi Aramco Company will make you find:

A wide range of roles

They offer a wide variety of jobs in different fields, such as engineering, geology, information technology, medicine, nursing and many more.

A top-notch team

They value teamwork as well as contributions from individuals. You’ll be working alongside a diverse group of professionals with different skills and experience, but all working toward the same goal.

Room to grow

A company is only as good as its people. That’s why they invest in you with world-class training and development at 24 centers across Saudi Arabia and over 3,000 online courses. We’ll encourage you to pursue knowledge and grow your expertise.

Saudi Aramco has the reputation of being a reliable supplier of energy to the world. That takes a lot of people – more than 54,000 from 66 countries.


12. References:

Khalid T. Al-Thinyan, Head of Information protection and planning department, 03-876-7240

Fahad S. Al-Sabeela, Communication protection group leader, Site supervisor, 03-872-4545

Abdullah Al-Garieshah, Security Posture management, Site supervisor for 1 month, 03-872-2070

Abdulrahman Al-Meniea, Security Posture

Yazeed Al-Thobayti, Network Access management

Tariq Khushaim, Unauthorized network access detection, 03-872-6817

Hussain Haddad, Network vulnerability


13. Appendices:


Weekly LOG [1]

Student Name: Abdullah Abdul-Aziz Mohammed AlNafisi ID: 200700679

Internship Site: ARAMCO – Information Protection and Technology Planning Department

Supervisor’s Name: Abdul-Rahman A. Al-Meniea

Week Beginning: 16/06/2012

Internship Advisor at College: Dr. Abul Bashar

Day and Date: Description of activity

Day 1: The first day at ARAMCO was an orientation about the company. All the co-op students who will work at ARAMCO in the summer period gathered in the conference room. We signed the contracts: work contract, Internet usage policy, driving policy and salary contract.

Day 2: The second day completed the orientation. This final day of orientation was focused on the “Safety comes first” topic. I attended two lectures about safety in ARAMCO and how I should act in a proper way in many situations. Finally, I received my “COOP Program Details” including my department and contact person.

Day 3: I met my site supervisor at the Information protection department. He gave me a clear explanation of the work process in the department, and he introduced me to the department employees. We discussed my development plan, which will include: Network Access Management, Unauthorized Devices Detection, Network Vulnerability Assessment and Network Compliance Assessment.

Day 4: I have been given an office and Internet access with an ARAMCO ID and password. Then I went to Bandar Al-Harbi's office to understand the “SAP” system that ARAMCO is using as a management application tool. I learned how I can see the required tasks that come every day in this application, and how to distinguish between them. Also, I practiced SAP the whole day and got a good knowledge of it.


Day 5: My first task in my “development work plan”, Network Access Management, started. I worked with a specialist in the department for this task, “Yazid Al-Thubaity”. He explained how the process is done in “Steel Belted Radius”. Each member of any department can request access to the company devices. I should first know the permissions allowed for this department, whether (Read/Write or Write only). Then how it is done completely until I close the request successfully, and what set of things makes me accept/reject a given request. Finally, he gave me a document, “Communication Access Control”, which contains all the details in 77 pages, that I should completely read by the end of this week to fully understand the task and be ready to practice.

1. What new knowledge or skill did you learn on the internship this week? Describe

The safety presentation that we attended in the first two days was helpful because it discussed safety in many areas such as: driving, workplace, home and office. Also, after working in my department, I have learned the different types of devices that ARAMCO operates, secures and manages. I started on my first task, Network Access Management, and will continue in the next week.

2. What have you learned in college that you applied on the internship?

The information that I learned in the “Network Security” and “Network Theory” courses was really helpful and related to my department's work, especially the topics that talk about: signatures, bandwidth management and the introduction to switches, routers and firewalls.

3. List any difficulties, mistakes, pleasant or unpleasant experiences that occurred this week. What did you do to correct your mistake (s)?

The only difficulty that I faced during my first week was the daily working hours, which start at 7 AM and finish around 4:30 PM in my department, and how to manage them with my assigned reading document that I should completely read during the day. I started to sleep early and to make use of the time that I’m free in my office to read part of the assigned document.


4. On what skill or question could you use help in performing your internship responsibilities better?

I think the intern should have good communication skills to help him in the workplace to start asking questions about things that may not be clear at first. Also, to be completely open to different tasks, whether easy or difficult, challenging ones.

5. What interesting or challenging experience did you have with your fellow workers or site supervisor? Describe

I sat with a fellow worker, “Turkey Al-Mari”, whose responsibility is “Network Compliance”, which is the last task that I will learn during my internship period. He started to present about “Hacking behavior”, whether true or false, that the system can detect, and how he can decide about that. It is a very interesting topic that I’m looking forward to experiencing.

Weekly LOG [2]

Student Name: Abdullah Abdul-Aziz Mohammed AlNafisi ID: 200700679

Internship Site: ARAMCO – Information Protection and Technology Planning Department

Supervisor’s Name: Abdul-Rahman A. Al-Meniea

Week Beginning: 23/06/2012

Internship Advisor at College: Dr. Abul Bashar

Day and Date: Description of activity

Day 1: Continued the first task of “Network Access Management”. I learned how network devices are spread across “Cisco Secure Access Control Server” and “Steel Belted Radius”. TACACS+ and RADIUS routers and switches belong to ACS, while Alcatel, Aruba, BelAir and Cisco Aironet belong to SBR. I also learned how they are organized, operated and managed, and by which admin.

Day 2: I have learned the process overview of adding/removing clients. In the first phase, the network access admin receives a notification from the network admin to add clients. Then, he decides which RADIUS/TACACS+ servers they need to be added to. Third, he adds/removes the new clients in the appropriate way. Finally, he notifies them of the action's completion.

Day 3: I have learned the “granting user Access & Privileges” part. The process is done as follows: first, I receive an approved CRM request, then I review it. Then, I identify which level of authority will be granted. Then, I grant the user the needed access. Finally, CRM update closure. I receive the CRM request through email from the CRM system.

Day 4: I have learned the “dealing with expired user’s access” part. First, the user receives notification of access’s expiration one. Then, I check if the user applied for a new CRM. If yes, then I renew the access. If no, the user receives notification of access’s expiration two weeks ahead, to either apply for a new request or revoke access.

Day 5: The final part of “Network Access Management” is how to deal with “Clients Authentication Issue”. It’s done by this process: network admins contact the communication protection group about a client's authentication issue. Then, I must investigate the case, and then decide and answer this important question: is this issue related to the ACS or SBR systems? Or is it a major issue affecting many users? If yes, then the NPMG (Network Protection Management Group) must be involved. If no, I resolve the issue or provide the appropriate recommendation to them. Then, I close the case. At the end of Wednesday's working day I got an introduction to the next task, which is “Vulnerability Management process and procedures”, with Khushaim, Tariq M., the person in charge in the department.

1. What new knowledge or skill did you learn on the internship this week? Describe

I have learned how to deal with both Access Control Server (ACS) and Steel Belted Radius (SBR) and the different network devices that belong to them. Also, how to add/remove clients, and how to add/remove/modify user privileges to network devices. Finally, how to deal with “clients authentication issue”. I used “critical thinking” and “problem solving” skills practically this week, with a lot of reading of network guideline documents.

2. What have you learned in college that you applied on the internship?


The network management course helped me a lot in these topics: network authentication including wireless authentication, physical convergence and logical networking; the physical convergence of media/protocol and logical network issues. Also, topics including architectural considerations, security and policy issues, and IPv6 and addressing dimensions.

3. List any difficulties, mistakes, pleasant or unpleasant experiences that occurred this week. What did you do to correct your mistake (s)?

When it comes to giving privileges to the users: the company gives each employee 2 network IDs. One ID can access all services in ARAMCO inside the building only, and the other can access limited services from home. So, you have to give privileges to the network ID that doesn’t have the “Home access property”. I have learned it through practice and I must always consider this important thing.

4. On what skill or question could you use help in performing your internship responsibilities better?

I think having and improving these skills: Flexibility/Adaptability/Managing Multiple Priorities will help in performing my internship responsibilities better. Also, I have to organize myself with the time to manage different important things: reading, completing assigned tasks correctly and asking about the things that are not clear.

5. What interesting or challenging experience did you have with your fellow workers or site supervisor? Describe

The challenging experience was to know the privileges of a requesting user from his department without referring to the privileges table to see which privileges are allowed to that department as specified by the network management policy, to speed up the process. Surely it will come with more practice on the system, but the important thing is to give the appropriate privileges regardless of time.

Weekly LOG [3]


Student Name: Abdullah Abdul-Aziz Mohammed AlNafisi ID: 200700679

Internship Site: ARAMCO – Information Protection and Technology Planning Department

Supervisor’s Name: Abdullah Al-Gresha

Week Beginning: 30/06/2012

Internship Advisor at College: Dr. Abul Bashar

Day and Date: Description of activity

Day 1: This week started the second task, “Vulnerability Assessment and Patch Management”, with the responsible person, “Tariq Khushaim”. Vulnerability assessment is performed against three different zones within the Saudi Aramco network: “Extranet & Internet”, which is done every 2 months, and “Internet” and “ECC”, which are done quarterly.

Day 2: I learned that the Vulnerability Assessment process consists of five phases: Information Gathering, Scanning in Stages, Identifying Vulnerabilities, Reporting and Follow-up, and Verifying. I started with information gathering, which is done by gathering network device IP addresses, organized into types, criticality, OS version, and model. The scope should cover a good sample of network devices which could give an excellent representation of the network security posture in Saudi Aramco.

Day 3: The scanning should be done in phases. I learned that before performing any scan, a non-service-affecting change request has to be created and the management groups have to be notified beforehand. The groups that need to be notified are: Network operation center, protection monitoring & Incident management group. Scanning done by: BMC Remedy Action Request system.

Day 4: Once the scan is complete, Information Protection Center Division will filter out the results and verify the vulnerabilities found. The findings will be categorized into groups based on criticality. Viewing scan status is done by going to McAfee Foundstone Enterprise.

Day 5: I learned the fourth phase, which is “Reporting and Follow up”. Reports will be generated after the scan and sent to Network operation management and ECC (Expec Computer Center). Some vulnerabilities might require immediate rectifying, while others could take more time to fix. The technical report should include the methodology, scope, objective, a list of vulnerabilities found and fixing instructions. I will continue with the last phase, “Verifying”, next week.

1. What new knowledge or skill did you learn on the internship this week? Describe

I have learned about “The Vulnerability management operational”: what the processes are and what the procedures are, how it’s done in ARAMCO, and what to consider in each phase of the process.

2. What have you learned in college that you applied on the internship?

The statistical methods course was very helpful to me. It helped me with the information gathering process because most of it is done in Excel: how to organize the numbers and represent the data correctly to management groups.

3. List any difficulties, mistakes, pleasant or unpleasant experiences that occurred this week. What did you do to correct your mistake (s)?

There are certain network areas that should be excluded before you start to scan. My mentor guided me throughout the process to make sure that I didn’t scan something not required.

4. On what skill or question could you use help in performing your internship responsibilities better?

I think by practicing this task many times, I could identify which areas of the ARAMCO network under our department's responsibility always have issues and vulnerabilities in their network, and start to think critically about how to reduce the issues that happen very often.

5. What interesting or challenging experience did you have with your fellow workers or site supervisor? Describe

Some employees in ARAMCO who cause the vulnerabilities within their network in some departments will deny that they caused the issue to the network, and after a long investigation process the result will be either that they caused the issue or that some worker caused the issues to the network after work hours.


Weekly LOG [4]

Week Beginning: 7/7/2012

Internship Advisor at College: Dr. Abul Bashar

Day and Date: Description of activity

Day 1 and 2: I attended a workshop about Understanding and Improving Processes (UIP) for two days, as scheduled beforehand by my supervisor, on July 7 and 8. This course is based on the DMAIC (Define, Measure, Analyze, Improve and Control) improvement methodology of Lean Six Sigma. The focus is on tools and techniques that can be used to drive process improvement quickly (<30 days). This means a focus on process analysis without the heavy data analysis. We also discussed several fundamental principles related to gathering and analyzing. This class is very interactive, with most of the tools learned by applying them to a business simulation. The presenter's name: Johnston, Robert

Day 3: After my return from the workshop to the department, this week started the second part of the second task, “Vulnerability Assessment and Patch Management”, which is “Patch management”, continuing with the responsible person, “Tariq Khushaim”. I learned that installing the latest security patches protects the system from any identified vulnerability. The rise of widespread worms and malicious code targeting known vulnerabilities on unpatched systems, and the resultant downtime and expense they bring, is probably the biggest reason we must pay attention to patch management.

Day 4: I learned that in order for the members within the Communication Protection Group who will be responsible for this function to be able to handle the patch management process properly and efficiently, they need to subscribe to the vendor security advisory to receive security alerts pertaining to the devices deployed within the corporate network. This has to be done for each vendor from which Aramco has network devices installed, such as Cisco, Juniper, Alcatel, HP, Aruba and Bluecoat. After doing the subscription, the subscriber is supposed to receive security alerts by email if there is any security breach associated with the network device.

Day 5: I learned that in case there is a security alert, either received by email or determined while visiting the website, the analyst must verify the applicability of the security breach to the network devices used by Aramco. Once verified, an email must be sent to the system proponent to take immediate action to either implement the workaround or apply the patch. The tracking table must then be updated with details such as reporting date, severity, type of network device, impacted OS versions, etc. The proponent must reply with an action plan along with an expected completion date. If there is no response, it will be considered a repeated item and an escalation process will be followed.

1. What new knowledge or skill did you learn on the internship this week? Describe

I have learned many useful techniques especially in the workshop that I have attended. The power and common sense of the DMAIC model, Understanding customer requirements and developing a focused problem statement, Using a modified swim lane to map a process, Using Measurement Systems Analysis (MSA) to test the validity of data, Analyzing the process using Value-Add Analysis, Cycle-Time Analysis, and Takt-time Analysis.

2. What have you learned in college that you applied on the internship?

Teamwork and leadership course helped me a lot during the business simulation process during the workshop. Also, Statistical method course helped me with the analyzing data part.

3. List any difficulties, mistakes, pleasant or unpleasant experiences that occurred this week. What did you do to correct your mistake (s)?

In the workshop, we did two business simulations to handle many requests that come to our company. On the first day we did the first one; we delivered only 20 requests out of 120 requests. On the second day, we did the second business simulation after we had learned the useful techniques. We delivered 45 requests out of 60, which is a big improvement.


4. On what skill or question could you use help in performing your internship responsibilities better?

The ability to implement the useful techniques that I have learned to evaluate my daily routine tasks and try to improve their process by understanding it much more.

5. What interesting or challenging experience did you have with your fellow workers or site supervisor? Describe

In the workshop we were asked to map our process on the wall in a very detailed way to understand where the requests that come to our company go (mail, finance, marketing, etc.). After we had done the map, which took us a very long time, we found out that there are areas in the company that take time and are not a necessary part of the company. So, we eliminated some areas and made use of their people in different areas where we really need to speed up the process.

Weekly LOG [5]

Student Name: Abdullah Abdul-Aziz Mohammed AlNafisi ID: 200700679

Internship Site: ARAMCO – Information Protection and Technology Planning Department

Supervisor’s Name: Abdullah Al-Gresha

Week Beginning: 14/7/2012

Internship Advisor at College: Dr. Abul Bashar

Please document in detail the activities in which you participated, specific incidents you observed daily to enable you in answering the attached questions.

Day and Date: Description of activity

Day 1 The task of this week was to learn about “Compliance Management” with the responsible person, “Saeed Al-Bishi”. Compliance Management is an ongoing process, starting from day-to-day security reviews of changes or new deployments up to a comprehensive, frequent check of all network devices’ security configurations. The communications protection group is the entity responsible for reviewing all security aspects intended to be deployed for data communications devices on the Saudi Aramco network.

Day 2 I learned that the security setup is the part that an intruder likes to break in order to get in and gain confidential information for bad use, or even to get glances where they shouldn’t. The security setup must be reviewed before deploying, after a period of time (recertification), and with any changes, to ensure a secure setup, which will save a lot for the company’s security.

Day 3 I learned how the process is done and through what stages. First, after a change request has been submitted through Remedy, the communication protection group reviews the request. If it meets the requirements, the change request will be approved. If not, it will be rejected. Also, they can make the change request pending until the requirements are completed.

Day 4 & 5 I learned that the communications between the requester and IPCD/CPG are done through emails, except for confidential information, which is usually communicated through the Remedy system, where only the assigned approvers are able to see the details of the request. Then, I got a review of systems such as: firewall, McAfee, bypass proxy, site-to-site VPN, SOCKS, SAProuter and MS Internet Authentication Service.

1. What new knowledge or skill did you learn on the internship this week? Describe

I learned how to distinguish between approved change requests and rejected ones based on some conditions and rules, such as: from IP address to IP address, full subnets aren’t allowed except for above 30 static IP addresses; an allowed IP address must be joined to the DNS server; an allowed IP address must be part of the domain; and the right IP address must be selected in case of DMZ zone access.

2. What have you learned in college that you applied on the internship?

From software engineering 1 and 2, I learned the conditions that must be applied before making a change in the software and how to evaluate the consequences of that change.

3. List any difficulties, mistakes, pleasant or unpleasant experiences that occurred this week. What did you do to correct your mistake(s)?

I should consider the security ranking (critical, high, medium, low, and informational) of each security configuration in the baseline when I report violations, which I didn’t know at first.

4. On what skill or question could you use help in performing your internship responsibilities better?

I haven’t yet gotten the required access with my ARAMCO ID to Remedy and CRM (Customer Relationship Management) to start practicing this task and start receiving requests in the system.

5. What interesting or challenging experience did you have with your fellow workers or site supervisor? Describe

I have worked with my supervisor on a project that he is currently working on about wireless security in the company. We have reviewed the settings of more than 10 modems and access points to determine different things that are required in the policy and guidelines of the company, such as whether the modem supports RADIUS or pre-shared key.

Weekly LOG [6]

Student Name: Abdullah Abdul-Aziz Mohammed AlNafisi ID: 200700679

Internship Site: ARAMCO – Information Protection and Technology Planning Department

Supervisor’s Name: Abdullah Al-Gresha

Week Beginning: 21/7/2012

Internship Advisor at College: Dr. Abul Bashar

Day and Date: Description of activity

Day 1 After the return of the responsible person for “patch management”, Bandar Al-Harbi, from a workshop that he participated in for the last two weeks, I completed the “patch management” task. I have learned how to subscribe to one of the vendors (Cisco, Alcatel, HP, Aruba, Juniper and Bluecoat) to receive security alerts. Security alerts can be received through email.

Day 2 I learned how to conduct an assessment to verify whether the security breach is applicable or not; then the action must be decided by the communication management and planning department. The action could be a new update or a workaround: a change in the configuration.

Day 3 The details of the security patch that should be included in the tracking table: vulnerabilities remediated by the patch, reporting date, severity, type of network device and impacted OS versions. This table is created to gather all the security alerts that are announced by the vendors and are applicable to the network devices deployed in the corporate network. It facilitates the process of handling and managing network devices’ security patches.
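The alert-handling steps recorded in these logs (verify applicability against deployed devices, record applicable alerts in the tracking table, escalate when the proponent does not reply), as an added example that is not part of the original report or of any Aramco tooling. The inventory, alert IDs, field names and the 5-day response window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed inventory of deployed network devices (not real data).
INVENTORY = [
    {"name": "edge-fw-01", "vendor": "Juniper", "type": "firewall", "os": "12.1"},
    {"name": "core-sw-07", "vendor": "Cisco", "type": "switch", "os": "15.0"},
    {"name": "wlc-02", "vendor": "Aruba", "type": "wireless controller", "os": "6.1"},
]

# Constructed vendor alerts carrying the fields the tracking table records.
ALERTS = [
    {"id": "ALERT-0001", "vendor": "Cisco", "severity": "high",
     "vulnerability": "remote denial of service",
     "impacted_os": ["15.0", "15.1"], "action": "patch"},
    {"id": "ALERT-0002", "vendor": "HP", "severity": "medium",
     "vulnerability": "authentication bypass",
     "impacted_os": ["5.2"], "action": "workaround"},
]

@dataclass
class TrackingRow:
    alert_id: str
    vulnerability: str
    reporting_date: date
    severity: str
    device_type: str
    impacted_os: list
    action: str                          # "patch" or "workaround"
    action_plan: Optional[str] = None    # filled in when the proponent replies
    expected_completion: Optional[date] = None

def assess(alert, inventory):
    """Applicability check: deployed devices matching vendor and OS version."""
    return [d for d in inventory
            if d["vendor"] == alert["vendor"] and d["os"] in alert["impacted_os"]]

def triage(alerts, inventory, reporting_date):
    """Create tracking rows only for alerts that apply to deployed devices."""
    table = []
    for alert in alerts:
        for device_type in sorted({d["type"] for d in assess(alert, inventory)}):
            table.append(TrackingRow(alert["id"], alert["vulnerability"],
                                     reporting_date, alert["severity"], device_type,
                                     alert["impacted_os"], alert["action"]))
    return table

def record_reply(row, plan, expected_completion):
    """Store the proponent's action plan and expected completion date."""
    row.action_plan, row.expected_completion = plan, expected_completion
    return row

def needs_escalation(row, today, response_days=5):
    """No action plan inside the (assumed) response window: repeated item."""
    return row.action_plan is None and (today - row.reporting_date).days > response_days
```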

Day 4 Then we discussed the backup process and procedures. The files are placed on Sharek, and this undergoes a regular backup process by default. COD is responsible for the backup and restore processes. COD is the Computer Operation Department. Maintenance is done by the Windows and COD departments.

Day 5 I have learned how to add, remove and modify users. In order for a user to perform a scan, the user has to be added to Foundstone’s users’ local database. In order for a user to access Foundstone, the user has to have an account on Foundstone and an IP address added to the Foundstone firewall permit list. The user has to have a static IP address.

1. What new knowledge or skill did you learn on the internship this week? Describe

After the completion of the patch management task, I have completed the “Vulnerability assessment and patch management” task. The 1st part is for Vulnerability Assessment, which is for process and procedures for discovering the vulnerabilities on the network devices. The 2nd part is for patch management process and procedures.

2. What have you learned in college that you applied on the internship?

The database for information systems course helped me in creating a tracking table, and in software engineering we discussed the different phases of how certain software should be evaluated.

3. List any difficulties, mistakes, pleasant or unpleasant experiences that occurred this week. What did you do to correct your mistake(s)?

The responsible persons for the access control management left the department, one for vacation and the other to go to a workshop, so I had to handle the tasks for them.

4. On what skill or question could you use help in performing your internship responsibilities better?

All writing and research skills, because I wrote different reports this week regarding the access control task that I handled.

5. What interesting or challenging experience did you have with your fellow workers or site supervisor? Describe

I have been assigned to one of the department projects, which is about “VoIP Security”. I have to write research about it and present it by the 20th of August.

Weekly LOG [7]

Student Name: Abdullah Abdul-Aziz Mohammed AlNafisi ID: 200700679

Internship Site: ARAMCO – Information Protection and Technology Planning Department

Supervisor’s Name: Abdullah Al-Gresha

Week Beginning: 28/7/2012

Internship Advisor at College: Dr. Abul Bashar

Day and Date: Description of activity

Day 1 This week started with a new department project that I was assigned to by the site supervisor, which is about “Voice over Internet Protocol” (VoIP) security tools and recommendations. I learned that Voice over Internet Protocol (VoIP) is a form of communication that allows you to make phone calls over a broadband internet connection instead of typical analog telephone lines.

Day 2 I learned that basic VoIP access usually allows you to call others who are also receiving calls over the internet, while interconnected VoIP services allow you to make and receive calls to and from traditional landline numbers. I also learned the advantages and disadvantages of VoIP. The biggest advantage is that, as you are no longer using the phone company's long distance lines, you will be able to have long distance conversations for an unlimited length of time, with no additional charge.

Day 3 I learned how VoIP works. The Voice over Internet Protocol converts the voice signal from your telephone into a digital signal that can travel over the Internet. If you are calling a regular telephone number, the signal is then converted back at the other end.

Day 4 We got deeper into the process of VoIP. Generally the voices that are sent over the IP network are compressed in order to reduce the amount of space required for transmission. There are many technologies that help in reducing the compression process and CODEC is the most appreciated technology for doing so. The speech codec that is used for compression of voice files generally improves the quality of the words spoken and enhances their clarity.

Day 5 In case of data loss, the gaps are generally filled by two processes; one is PLC and the other is FEC. PLC, or packet loss concealment, is a process in which the packet of information is sent multiple times in order to cover up the loss and the gap created because of the packet lost. However, in the FEC, or forward error correction, process, the information from the previous packet is added into the next packet so as to maintain the continuity and fill the gap.

1. What new knowledge or skill did you learn on the internship this week? Describe

I got introduced to the new project, “VoIP”. I have seen the VoIP that the company uses and how they manage to secure it, and I have learned that the default services running on the open ports may be vulnerable to DoS attacks, buffer overflows, or authentication bypass.

2. What have you learned in college that you applied on the internship?

In the network security, management and theory courses we were introduced to similar topics, such as: denial of service, how the buffer overflows, and authentication vulnerabilities and issues.

3. List any difficulties, mistakes, pleasant or unpleasant experiences that occurred this week. What did you do to correct your mistake(s)?

When I started my research about the topic, I went directly to the point, which is “the Security tools”, but then I got a suggestion from my supervisor to start with a brief introduction about the topic and a list of advantages and disadvantages, then start the VoIP security tools topic.

4. On what skill or question could you use help in performing your internship responsibilities better?

I rely on my writing and research skills, and the way of writing research in APA style with citations.

5. What interesting or challenging experience did you have with your fellow workers or site supervisor? Describe

I spoke in the weekly department meeting in front of all fellow workers, the site supervisor and the head of the department about my tasks in the department, what I have done so far and what I’m currently working on.

Weekly LOG [8]

Supervisor’s Name: Fahad Sabeela

Week Beginning: 4/8/2012

Internship Advisor at College: Dr. Abul Bashar

Day and Date: Description of activity

Day 1 This week I started to learn about “Customers Notifications Archiving”. The information protection center, and especially the communication protection group, communicates with different customers in different areas. The communications between IPC\CPG and its customers are in the form of reports, notifications, verification and investigations.

Day 2 I learned that to make sure these communications are retained and kept as a reference for IPC\CPG members and for statistical purposes, the communications will undergo frequent archiving processes. I learned the archiving process, archiving guidelines, first archiving cycle and future archiving cycle.

Day 3 & 4 I got deeper into the archiving process. IPC\CPG identified eight areas which require an archiving process. For example, in the Vulnerability Assessments Notifications area, the customers are communication operation and the EXPEC computer center, while the cyclic duration is quarterly, and it is highly recommended to do it every quarter. Another example is the patch management notifications area: the customers are communication operation and the network planning management division, and its cyclic duration is per request.

Day 5 I have learned the archiving guidelines. There are guidelines for archiving email notifications between the information protection center, and especially the communication protection group, and its customers. For example: save notifications pertaining to any of the above 8 areas as .pst or .msg. According to the archiving cycle, place the .pst or .msg files in the associated archiving directories on the IPC\CPG file server on a certain link. The naming convention for the archiving files should follow a certain format.

1. What new knowledge or skill did you learn on the internship this week? Describe

I got introduced to the new topic, “Customers Notifications Archiving”. I learned the archiving process, archiving guidelines, first archiving cycle and future archiving cycle.

2. What have you learned in college that you applied on the internship?

In the “Study Skills 1 & 2” courses I learned how to be organized in making a portfolio of any course that I will take and how to name it properly, so that when you get back to it, it’s easy to find.

3. List any difficulties, mistakes, pleasant or unpleasant experiences that occurred this week. What did you do to correct your mistake(s)?

I got introduced to a new area in the access management task that I finished earlier, which is about the Active Directory that organizes the departments’ different privileges.

4. On what skill or question could you use help in performing your internship responsibilities better?

While I worked on the active directory I used my notes and comments on the “network access management” task that I have learned in the first weeks, and it was very useful.

5. What interesting or challenging experience did you have with your fellow workers or site supervisor? Describe

Because ARAMCO is such an organized company, as I learned this week, my fellow worker and I went back to very old archive files in the system, and that really showed me the benefit of this task.
