13 Jul Risk Management After completing your master’s degree, you have been hired by a contracting company as an information systems security officer, or ISSO, supporting systems for federa

CST 630 Project Resources

Deliverables

· Security assessment report (SAR): Your report should be 12 pages minimum, double-spaced with citations in APA format. The page count does not include figures, diagrams, tables, or citations.

· **I will provide** Lab report: A document sharing your lab experience and providing screenshots to demonstrate that you performed the lab. Attach it to the SAR as an artifact.

Risk Management

After completing your master's degree, you have been hired by a contracting company as an information systems security officer, or ISSO, supporting systems for federal clients. One morning, your boss asks you to come to her office. She tells you that you'll be working on a network security audit. Network security audits, based on FISMA standards, are used annually to determine the effectiveness of our security controls. The boss explains: "Prior to the security audit, I will need you to test, execute, collect, and compile your results into a security assessment report, or SAR. Once you're finished, you will submit the report to me and the executive leadership."

Later, you receive a follow-up email from your boss with instructions. First you will conduct a risk and threat assessment of the enterprise network. Next, you will perform black box testing of the network using network analysis tools. After identifying any network vulnerabilities, you will lead efforts to remedy and mitigate those vulnerabilities using appropriate risk management controls. You will then perform a white box test, and compile the results in the final security assessment report. And provide this to leadership, along with an executive briefing in your lab analysis, so management has a baseline view of the security posture of the enterprise network, before the actual external IT audit. The email ends with this note: "Thank you for taking this on. Our executive leadership is excited to learn of your findings."

Step 1: Conduct a Security Analysis Baseline

In the first step of the project, you will conduct a security analysis baseline of the IT systems, which will include a data-flow diagram of connections and endpoints, and all types of access points, including wireless. The baseline report will be part of the overall security assessment report (SAR).

You will get your information from this data-flow diagram and report ( I will upload this), which is generated by the Microsoft Threat Modeling Tool 2016.

Microsoft Threat Modeling Tool 2016

Threat modeling helps cybersecurity professionals visualize and better understand their network environment and data flow. Threat modeling can be a critical aspect of software and system design. This can allow secure coding practices to be implemented in the software or system design.

The Microsoft Threat Modeling Tool 2016 is a free tool that helps cybersecurity professionals. The tool includes a variety of modules such as template editors, threat grids, and data flow diagrams. These features are interactive and require user input. Once a system is defined into the tool, the Microsoft Threat Modeling Tool 2016 displays a representation of the threats using threat grids and data flow diagrams. Users can then work with the threats shown as well as include additional threats they feel are appropriate, in order to create workable models that change and improve over time.

Cybersecurity professionals can also use the tool to perform "what if" scenarios to see what would happen if they made a change or added some systems and devices to the network.

The scope should include network IT security for the whole organization.

Include the following areas in this portion of the SAR:

· Security requirements and goals for the preliminary security baseline activity.

· Typical attacks to enterprise networks and their descriptions. Include Trojans, viruses, worms, denial of service, session hijacking, and social engineering. Include the impacts these attacks have on an organization.

Attacks to Enterprise Networks

Attacks on enterprise networks are becoming increasingly common. There are many different methods of enterprise attacks: viruses, worms, Trojans, denial-of-service attacks, session hijacking, and social engineering.

Viruses are malicious code that executes by reproducing itself and infecting other programs, files, and directories through modification. Viruses can spread through systems and inadvertently take up hard drive space. They can slow computer processing speeds and affect user access. Although viruses can sometimes access confidential information and spam users through pop-ups or emails, not all viruses carry a destructive payload.

Worms, similar to viruses, replicate to transfer throughout a network, but in many cases do not carry malicious payloads. Worms use the existing network infrastructure to spread, and they bring about issues and damage to network systems by creating "backdoors." Worms are different from viruses in that they do not need to attach themselves to executable code or programs. Because worms spread through vast networks, they also use a large amount of bandwidth and can effectively slow networks. Some famous worms include the Conficker, Morris, and Mydock.

Trojans are malware that mislead users into believing that they are using legitimate software. Trojans can be used for destructive purposes such as modifying and corrupting files and data on the infected computer, identity theft, or spying by installing keystroke logging or compromising user webcams.

Denial-of-service (DoS) attacks are launched to deny users from accessing services such as the internet or certain applications. The main method to launch DoS attacks is by flooding the targeted system with an enormous number of requests. Unable to cope with the relentless assault, servers become busy and cannot respond to legitimate authentication or access requests. A modification on the classic DoS attack is the distributed denial-of-service attack (DDoS), where the attacker can use many different source IP addresses to launch requests.

Session hijacking involves taking over a legitimate computer session through the use of unverified cookies, cross-site scripting vulnerabilities, or other malware. Attackers can guess responses of two communicating machines to intercept, translate, and participate in communications.

Social engineering exploits are commonly used to attack or discover information about an enterprise. Social engineering uses knowledge about human nature and in some cases, personal details about targets to manipulate people for access and information regarding the enterprise. Social engineering can involve complex endeavors such as using publicly available information to target and pressure high-ranking personnel at organizations to obtain sensitive information. This is known as whaling.

In other cases, social engineering can be the simple act of just walking in behind someone holding the door open; this is known as tailgating. One of the most known social engineering attacks is the attempt to trick users into opening malicious emails or links, known as phishing.

Overall, there are several different attack vectors on enterprise networks, and they are advancing in complexity and subtlety. Organizations must use comprehensive defense-in-depth strategies and create sound cybersecurity practices to be better protected.

· Network infrastructure and diagram, including configuration and connections. Describe the security posture with respect to these components and the security employed: local area network (LAN), metropolitan area network (MAN), wide area network (WAN), enterprise. Use these questions to guide you:

Security Posture

The term security posture is synonymous with security analysis baseline. A security analysis baseline is a holistic approach to determining the general level of security and risk within an organization at a given point. It can also be referred to as the "normal" security posture of an organization. This analysis is usually conducted by a review team. Skilled team members generally produce higher-quality baselines.

While developing a security analysis baseline, an inventory analysis of the hardware and software being deployed on a network is conducted. This helps determine the vulnerability level of systems based on presence or absence of patching. Furthermore, the criticality of the systems can be determined based on the value of the data and the communication links to the outside environment.

A thorough risk analysis should be conducted to identify threats and vulnerabilities, the likelihood of the threat landscape exploiting these vulnerabilities, as well as the risk mitigation strategy. During a baseline security analysis, policies and procedures are thoroughly reviewed to determine the controls that are in place. In addition, the current levels of security tools and technologies in place, such as encryption, firewalls, applications, and endpoints, are also examined.

Going deeper, penetration tests are conducted to further determine the likelihood of system vulnerabilities being exploited. A white box or black box test can be conducted. During a white box test, the attacker knows about the internal structure of the attack landscape. By contrast, during a black box test, the attacker does not have any information on the internals of the systems and is attempting to perform the penetration test as an actual malicious attacker.

During these tests, attempts are made to exploit vulnerabilities by conducting attacks as well as packet and network analysis to get deeper into the network and to learn more about its users. A security analysis baseline provides a clearer picture of the current state of the security posture of an organization.

· What are the security risks and concerns?

· What are ways to get real-time understanding of the security posture at any time?

· How regularly should the security of the enterprise network be tested, and what type of tests should be used?

· What are the processes in play, or to be established to respond to an incident?

· Workforce skill is a critical success factor in any security program, and any security assessment must also review this component. Lack of a skilled workforce could also be a security vulnerability. Does the security workforce have the requisite technical skills and command of the necessary toolsets to do the job required?

· Is there an adequate professional development roadmap in place to maintain and/or improve the skill set as needed?

· Describe the ways to detect these malicious codes and what tactics bad actors use for evading detection.

· Public and private access areas, web access points. Include in the network diagram the delineation between open and closed networks, where they coexist, and show the connections to the internet.

Open and Closed Networks

The difference between an open and closed network is the authentication and security in place. The same hardware and software can be used for either network; it is more of a design for use rather than a topology.

Open Networks

An open network, also known as a public network, is one that is accessible to anyone. On an open network, the internet is accessible, and the network has the ability to connect to other networks.

There are security concerns associated with a public network such as packet sniffing, inadvertently sharing information with other computers on the network, and malware. To avoid some of the issues, users should turn off sharing, use a virtual private network (VPN) when possible, enable a firewall, and use encrypted communications such as HTTPS and TLS.

Some operating systems like Windows provide default security configurations, depending on the type of network selected. For example, the operating system security configuration will be more relaxed when selecting “home” network versus “public” network. A home network is assumed to have fewer threats than a public network with unlimited unknown users.

Closed Networks

In a closed network, in addition to authenticating and authorizing users, the network requires the devices also to be authenticated and authorized. Data and communications that are sent and received within a closed network do not have any external connectivity to the extranet. Outside parties and or devices are prohibited from accessing closed networks, as they are considered potentially malicious and untrustworthy.

A closed network can also refer to a wireless local area network (WLAN), where users and devices must be aware of the name or the service set identifier (SSID) to connect to wireless access points within the network if the WLAN is not sending out its name in beacon frames.

Devices that do not have the SSID of the WLAN and preauthorization to access will have no access to the closed network. Constructed properly, closed networks can be effective in mitigating potential external and internal malicious users and devices.

· Physical hardware components. Include routers and switches. What security weaknesses or vulnerabilities are within these devices?

· Operating systems, servers, network management systems as they relate to data in transit vulnerabilities:

Data in Transit Vulnerabilities

Data in transit can be exposed to a wide range of vulnerabilities. The following is a discussion of some of these types of vulnerabilities.

Endpoint Access Vulnerabilities

The world today is a vast technological landscape with an increasing number of portable and personal devices. These endpoints include mobile devices and wireless devices such as laptops, phones, and tablets. Such devices can have complex vulnerabilities for security threats.

Endpoint vulnerabilities can be caused by three primary gaps in protection and knowledge.

Gap Vulnerability

User Gaps – A large number of endpoint security vulnerabilities arise from gaps in the user's knowledge. Attackers target users through social engineering, malicious links in emails and web pages, or installing software on endpoint devices.

Operational Gaps – Many corporations rely on intrusion detection technologies to protect their endpoints. Endpoint threats take advantage of detection-only security deployments to compromise vulnerabilities before corporations become aware of incidents.

Technical Gaps – Signature-based intrusion detection solutions cannot keep up with the constantly increasing attack surface of threats, for which there might not be available signatures.

External Storage Vulnerabilities

Users enjoy flexibility when they have convenient access to personal and business data through the use of portable external storage devices. However, as the use of portable devices to store and transfer data increases, the risk an organization faces also increases. Organizations can face challenges in protecting against data loss or unauthorized transmission. They can face obstacles that prevent the installation of drivers for devices. Organizations can also fail to prevent the installation of malware capable of using external storage devices to traverse a network.

External storage devices are an easy way for attackers to spread malware throughout an organizational network. In some cases, external storage devices possess "smart" capabilities such as wireless or Bluetooth. Attackers can use sniffing tools on public networks to take advantage of wireless capabilities to infect storage devices. In many cases, personal and external storage devices are able to bypass the security protections attached to organizationally owned equipment.

The following are best practices to assist with external storage vulnerabilities:

compile a list of authorized and unauthorized external storage devices

compile a list of authorized and unauthorized drivers

install host-based antivirus systems that scan external storage devices for malware

encrypt all data transmitted through external hard drives

Media Access Control and Ethernet Vulnerabilities

Media access control is a sublayer of the OSI model that describes how devices are connected together at the hardware level. Ethernet is a media access protocol that is traditionally used in local area networks (LANs). An Ethernet port, also known as a LAN port, is the port that connects the computer to the network. The physical connector used for this access is RJ45; it looks like a wide version of the RJ12, the connector commonly used for landline telephones. This connector plugs into a network interface card (NIC), which is also called an Ethernet card to transmit on an ethernet network. Each Ethernet card has a unique media access control (MAC) address.

A common issue with Ethernet is that it broadcasts frames, and any computer connected to the Ethernet wiring can potentially read the other frames being broadcast on the network. Akin to eavesdropping, this process of collecting and reading network transmission is called network sniffing. Network switches can help in reducing packet sniffing.

Network cables must be protected from damage and tampering; this can be done with special cable protectors. Networks are also vulnerable to attacks that attempt to pull data from frames, cause buffer overflow, or cause denial of service. These vulnerabilities are normally patched by vendors when discovered; however, finding these vulnerabilities can be challenging. A denial-of-service attack is more readily identifiable than an hacker sniffing and pulling data from frames.

Virtual Private Network Vulnerabilities

Virtual private networks (VPNs) provide an encrypted connection over a less secure network (Burke, 2016). This allows users to securely connect to an intranet from a computer that is not on the network or connect two internal sites using a gateway device.

VPNs typically mask the true IP address of the machines using the VPN. However, there are vulnerabilities that can unmask the true IP address due to port forwarding services. These vulnerabilities are conducted by attackers that have access to multiple VPN services and lure the victims to connect to another VPN service that forces the user to provide the real IP address (Vijayan, 2015).

In addition, because VPNs are dependent upon less secure connections like the internet, they can suffer from service issues from the internet service provider. If the internet is down, there is no way to connect to the VPN unless the user connects to another network with internet access. Furthermore, there are VPNs that have been exposed to vulnerabilities while switching access points inadvertently. Hackers could attack when this occurs because it could disrupt the end-to-end encryption, which normally accompanies VPNs.

References

Burke, J. (2015). Virtual private network. http://searchenterprisewan.techtarget.com/definition/virtual-private-network

Vijayan, J. (2015, December 1). Port fail vulnerability exposes real IP addresses of VPN users. https://securityintelligence.com/news/port-fail-vulnerability-exposes-real-ip-addresses-of-vpn-users/

· endpoint access vulnerabilities

· external storage vulnerabilities

· media access control and Ethernet vulnerabilities

· virtual private network vulnerabilities

· Possible applications. This network will incorporate a BYOD (bring your own device) policy in the future. The IT auditing team and leadership need to understand current mobile applications and possible future applications and other wireless integrations. You will use some of this information in Project 2 and also in Project 5.

The overall SAR should detail the security measures needed, or implementation status of those in progress, to address the identified vulnerabilities. Include:

· remediation

Remediating a cybersecurity incident, also referred to as responding to an incident, entails containment and eradication of the incident.

Once the incident has been successfully identified, the incident handler can move to the next phase of the process—containment. Containment involves determining if the incident can be isolated, and working with system owners and network administrators to help contain the problem.

Incident handlers working with other security teams can help back up the system, as well as save forensic copies for evidence. To do this, a response team and a plan must be created. The plan must specify the roles of the team members. The team should include a representative from the legal department, a business manager, a representative to communicate with the stakeholders and the public about the incident, and technical staff to contain the incident. There should be also be strategy in place for the board and the executive leadership.

Response times that are within a short-term range, depending on the business and industry, generally take hours, days, or weeks. Response times in the intermediate range take weeks to months. Finally, response times that take more than a few months or a year are considered long-term (Deloitte, 2016).

References

Deloitte. (2016). Cyber crisis management: Readiness, response, and recovery. https://www2.deloitte.com/content/dam/Deloitte/global/Documents/Risk/gx-cm-cyber-pov.pdf

· mitigation

Cybersecurity programs must have comprehensive strategies for risk and risk mitigation. Risk mitigation occurs late in the risk framework life cycle—after risk is identified, assessed, and prioritized. Risk mitigation is the systematic handling of risk in a manner appropriate for an organization. Risk mitigation is a key step within the risk framework. For effective cybersecurity, every organization should have a comprehensive risk mitigation policy.

Once risk is identified and assessed, there are many options to deal with it. Risk can be accepted, avoided, controlled, transferred, or watched/monitored. All strategies can be applicable to a particular situation in a modern organization. A strong understanding of the business mission, practices, and technology is usually required to ensure that risk mitigation strategies will truly be optimal and appropriate. In cases where the costs to mitigate risk are higher than the potential damage of the risk, organizations may consciously choose to accept the risk.

Risk control is the practice of implementing technology and policy in order to explicitly reduce the possibility of certain risk occurrences. Risk avoidance is the practice of avoiding the use of risky technology or business practices. For example, if one form of data storage is known to be vulnerable to malware, an organization could choose to use a different form of data storage.

Risk transfer assigns the risk to a different party, separate from the organization, to be accountable for the risk. Buying cybersecurity insurance policies is a way for organizations to transfer a portion or all risks of a particular type to a third party.

Organizations can also monitor and watch risk as another method of risk mitigation strategy. This strategy is often used for budgetary reasons or for situations where the magnitude of the risk is either undetermined or not fully understood.

Risk strategy is a continuously improving process, and organizations must maintain continuous awareness of their cybersecurity risk.

· countermeasures

Countermeasures are actions taken to minimize, mitigate, or eliminate threats to and vulnerabilities of computer systems. Countermeasures can take several forms depending on the nature and characteristics of the particular threats and how susceptible the system is to vulnerabilities.

Information technology (IT) controls are a type of countermeasure that focuses on actions that can be taken to mitigate or eliminate vulnerabilities, for example, using good programming practices or restricting queries to only specific inputs.

Technical countermeasures, also known as technical surveillance countermeasures (TSCMs), focus on the ability to identify or detect unauthorized electronic emanations as well as physical security vulnerabilities that put infrastructures (physical and electronic) at risk.

· recovery

Recovery is the process of returning operations to normal after an incident. Recovery efforts are determined by:

the response or remediation of the incident

how prepared the organization was for an incident in the first place.

If an incident is not handled properly, it could turn into a crisis. Recovery from a cybersecurity incident is critical to an organization. Recovery can determine whether an organization will survive an incident.

The recovery point objective (RPO) is the maximum time that can pass during an incident before the quantity of data lost surpasses the allowable level.

The recovery time objective (RTO) is the amount of time to recover from an incident before the organization begins to face dire consequences due to the disruption of service.

An organization should have a recovery plan in place before an incident and should be taking steps to be resilient to an attack. There should be an incident response plan (IRP) and a disaster recovery plan

(DRP). An organization should also have a business continuity plan (BCP). Organizations should also develop incident containment plans in order to make recovery from incidents easier and less expensive.

An organization should determine its most critical applications, personnel roles during a disaster, and an incident response team. It should also have network and hardware configuration documents, and should preplan where and how the recovery plan will be initiated. A business impact assessment (BIA) should be conducted prior to the DRP. All plans must be practiced, tested, reviewed, and periodically updated—especially after determining the lessons learned from incidents.

After recovery, there should be an analysis of the incident, including a review of the causes and the handling of the incident/crisis. Such an analysis helps to rectify issues so that the organization is better prepared. Expedient recovery is critical for an organization to increase its cybersecurity resilience. Since perfect protection from cybersecurity attacks is often elusive, recovery and resilience have gained increased importance in modern organizations.

Through your research, provide the methods used to provide the protections and defenses.

From the identification of risk factors in the risk model, identify the appropriate security controls from NIST SP 800-53A ( I will upload this) and determine their applicability to the risks identified.

Risk Model

A risk model is a mathematical representation of risk. Strong risk models account for both positive and negative risks. Positive risks are opportunities for organizations to gain, while negative risks are potential for financial loss.

A risk model can be a collection of a wide range of risks that allow an organization to determine aggregate risk levels for the organization. Risk modeling allows organizations to use data to produce analytics that can help with risk-based decisions. In the past, organizations used risk modeling to primarily assess financial and other organizational risks. While risk can be represented and calculated in a variety of ways, risk models that allow risk to be represented in aggregate financial terms are most easily understood by organizational decision makers.

Cybersecurity risk modeling is relatively new. However, as organizations try to minimize cybersecurity incidents and loss, cybersecurity risk modeling has become common. With regard to cybersecurity risks, typical data used in risk modeling include vulnerability scans, audit data, system inventories, security policies, and controls. They can also include plans of actions and milestones (POAM) for risks that are currently being mitigated. A good risk model would also capture information on risk acceptance, transference, control, monitoring, avoidance, and mitigation to allow organizational leaders to determine if known risks are being handled appropriately.

In addition to these data sets, rich data sets obtained from the National Vulnerability Database (NVD) such as Common Vulnerabilities and Exposures (CVE), Common Weakness Enumeration (CWE), Common Vulnerability Scoring System (CVSS), and other similar data sets can be helpful for organizational decision making. Such data sets can help bridge information gaps between various data sets and provide decision makers with additional insights. Sometimes data sets may not have complete information; for example, the vulnerability scan data may not have specific inventory data. Thus, combining the vulnerability scan data, the inventory list, and an enrichment data source, can "bridge the gap" to identify specific devices in the inventory that are vulnerable.

CVE data holds publicly known vulnerability information; it correlates the vulnerability to a CVE number. Thus, it allows the industry to have an identifier for specific vulnerabilities. CVSS provides a score for the risk level of CVE vulnerabilities. CWE provides information about the CVE and provides additional fields such as applicable platforms, common consequences, likelihood of exploitation, and potential mitigations. Organizations can then use these data sets and enrichment data to determine the probability of risk occurrence as well as its severity level. Furthermore, the organization can integrate risk intelligence and business intelligence to identify specific business unit and process risks. Thus, risk models are valuable tools for modern organizations.

The baseline should make up at least three of the 12 pages of the overall report.

When you have completed your security analysis baseline, move on to the next step, in which you will use testing procedures that will help determine the company's overall network defense strategy.

Step 2: Determine a Network Defense Strategy

You've completed your initial assessment of the company's security with your baseline analysis. Now it's time to determine t