Assessing Information System Vulnerabilities and Risk|Legit essays

Posted: January 28th, 2023

Project 2 Scenario

Assessing Information System Vulnerabilities and Risk

You are an information assurance management officer (IAMO) at an organization of your choosing. One morning, as you’re getting ready for work, you see an email from Karen, your manager. She asks you to come to her office as soon as you get in. When you arrive to your work, you head straight to Karen’s office. “Sorry for the impromptu meeting,” she says, “but we have a bit of an emergency. There’s been a security breach at the Office of Personnel Management.”

We don’t know how this happened, but we need to make sure it doesn’t happen again, says Karen. You’ll be receiving an email with more information on the security breach. Use this info to assess the information system vulnerabilities of the Office of Personnel Management.

At your desk, you open Karen’s email. She’s given you an OPM report from the Office of the Inspector General, or OIG. You have studied the OPM OIG report and found that the hackers were able to gain access through compromised credentials. The security breach could have been prevented if the Office of Personnel Management, or OPM, had abided by previous auditing reports and security findings. In addition, access to the databases could have been prevented by implementing various encryption schemas and could have been identified after running regularly scheduled scans of the systems.

Karen and the rest of the leadership team want you to compile your findings into a Security Assessment Report, or SAR. You will also create a Risk Assessment Report, or RAR, in which you identify threats, vulnerabilities, risks, and likelihood of exploitation and suggested remediation.

Project 2 Scenario

Assessing Information System Vulnerabilities and Risk

You are an information assurance management officer (IAMO) at an organization of your choosing. One morning, as you’re getting ready for work, you see an email from Karen, your manager. She asks you to come to her office as soon as you get in. When you arrive to your work, you head straight to Karen’s office. “Sorry for the impromptu meeting,” she says, “but we have a bit of an emergency. There’s been a security breach at the Office of Personnel Management.”

We don’t know how this happened, but we need to make sure it doesn’t happen again, says Karen. You’ll be receiving an email with more information on the security breach. Use this info to assess the information system vulnerabilities of the Office of Personnel Management.

At your desk, you open Karen’s email. She’s given you an OPM report from the Office of the Inspector General, or OIG. You have studied the OPM OIG report and found that the hackers were able to gain access through compromised credentials. The security breach could have been prevented if the Office of Personnel Management, or OPM, had abided by previous auditing reports and security findings. In addition, access to the databases could have been prevented by implementing various encryption schemas and could have been identified after running regularly scheduled scans of the systems.

Karen and the rest of the leadership team want you to compile your findings into a Security Assessment Report, or SAR. You will also create a Risk Assessment Report, or RAR, in which you identify threats, vulnerabilities, risks, and likelihood of exploitation and suggested remediation.

Project 2 Instructions

The security posture of the information systems infrastructure of an organization should be regularly monitored and assessed (including software, hardware, firmware components, governance policies, and implementation of security controls).

The monitoring and assessment of the infrastructure and its components, policies, and processes should also account for changes and new procurements in order to stay in step with ever-changing information system technologies.

The data breach at the US Office of Personnel Management (OPM) was one of the largest in US government history. It provides a series of lessons learned for other organizations in industry and the public sector. Some failures of security practices, such as lack of diligence with security controls and management of changes to the information systems infrastructure, were cited as contributors to the massive data breach in the OPM Office of the Inspector General’s (OIG)  Final Audit Report, which can be found in open-source searches.

Some of the findings in the report include:

· weak authentication mechanisms;

· lack of a plan for life-cycle management of the information systems;

· lack of a configuration management and change management plan;

· lack of inventory of systems, servers, databases, and network devices;

· lack of mature vulnerability scanning tools;

· lack of valid authorizations for many systems; and

· lack of plans of action to remedy the findings of previous audits.

The breach ultimately resulted in removal of OPM’s top leadership. The impact of the breach on the livelihoods of millions of people may never be fully known.

There is a critical need for security programs that can assess vulnerabilities and provide mitigations.

In this project, there are eight steps, including a lab, that will help you create your final deliverables. The deliverables for this project are as follows:

1. Security Assessment Report (SAR): This should be an eight- to 10-page double-spaced Word document with citations in APA format. The page count does not include figures, diagrams, tables, or citations.

2. Risk Assessment Report (RAR): This report should be a five- to six-page double-spaced Word document with citations in APA format. The page count does not include figures, diagrams, tables, or citations.

 

 

Step1: Enterprise Network Diagram

In this project, you will research and learn about types of networks and their secure constructs that may be used in an organization to accomplish the functions of the organization’s mission.

You will propose a local area network (LAN) and a wide area network (WAN) for the organization, define the systems environment, and incorporate this information in a network diagram. You will discuss the security benefits of your chosen network design.

Read the following resources about some of the computing platforms available for networks and discuss how these platforms could be implemented in your organization:

Common Computing Platforms

Computing platforms have three main components: hardware, the operating system (OS), and applications. The hardware  is the physical equipment/machine that runs the OS and applications. It generally consists of the central processing unit (CPU) or processor, storage, and memory. The operating system (OS) communicates between the hardware and the applications  run by the end user.

Different platforms are used for traditional desktops and laptops and the new touchscreen phones and tablets. Common processors include Intel Core and AMD (for desktops) and ARM (modified by Apple and Qualcomm to make processors for phones). The most popular operating systems for desktops are Windows and Linux, and for phones, are iOS and Android.

Compatible applications are developed for specific systems by different companies, including Microsoft, Apple, Google, and Adobe.

The Hardware Cloud: Utility Computing and Its Cousins

Learning Objectives

1. Distinguish between SaaS and hardware clouds.

2. Provide examples of firms and uses of hardware clouds.

3. Understand the concepts of cloud computing, cloudbursting, and black swan events.

4. Understand the challenges and economics involved in shifting computing hardware to the cloud.

While SaaS provides the software  and hardware to replace an internal information system, sometimes a firm develops its own custom software but wants to pay someone else to run it for them. That’s where hardware clouds, utility computing, and related technologies come in. In this model, a firm replaces computing hardware that it might otherwise run on-site with a service provided by a third party online. While the term utility computing was fashionable a few years back (and old timers claim it shares a lineage with terms like hosted computing or even time sharing), now most in the industry have begun referring to this as an aspect of cloud computing, often referred to as hardware clouds. Computing hardware used in this scenario exists “in the cloud,” meaning somewhere on the Internet. The costs of systems operated in this manner look more like a utility bill—you only pay for the amount of processing, storage, and telecommunications used. Tech research firm Gartner has estimated that 80 percent of corporate tech spending goes toward data center maintenance. J. Rayport, “Cloud Computing Is No Pipe Dream,”  BusinessWeek, December 9, 2008. Hardware-focused cloud computing provides a way for firms to chip away at these costs.

Major players are spending billions building out huge data centers to take all kinds of computing out of the corporate data center and place it in the cloud. While cloud vendors typically host your software on their systems, many of these vendors also offer additional tools to help in creating and hosting apps in the cloud. Salesforce.com offers Force.com, which includes not only a hardware cloud but also several cloud-supporting tools, such as a programming environment (IDE) to write applications specifically tailored for Web-based delivery. Google’s App Engine offers developers several tools, including a database product called Big Table. And Microsoft offers a competing product—Windows Azure that runs the SQL Azure database. These efforts are often described by the phrase platform as a service  (PaaS) since the cloud vendor provides a more complete platform (e.g., hosting hardware, operating system, database, and other software), which clients use to build their own applications.

Another alternative is called infrastructure as a service (IaaS). This is a good alternative for firms that want even more control. In IaaS, clients can select their own operating systems, development environments, underlying applications like databases, or other software packages (i.e., clients, and not cloud vendors, get to pick the platform), while the cloud firm usually manages the infrastructure (providing hardware and networking). IaaS services are offered by a wide variety of firms, including Amazon, Rackspace, Oracle, Dell, HP, and IBM.

Project 2 – Assessing Information System Vulnerabilities and Risk

Security Assessment Report (SAR)

 

CST 610: Cyberspace and Cybersecurity Foundations

 

{Your Name}

[date]

 

Professor\– Section

University

 

 

 

 

 

 

 

SECURITY ASSESSMENT REPORT

TISTA Science & Technology CorporationScience and Technology

[Period of Assessment]

[Report Date]

 

SECURITY ASSESSMENT

 

1. Background

1.1 Purpose [Use the lead-in material from Project 2 “Start Here” and the project summary scenario to clearly focus the goal and purpose of the SAR]

1.2 Description of TISTA Science & Technology Corporation

1. Describe your company.

· Mission: To deliver the highest quality IT professional services and innovative solutions to the Federal, State, and Local government.

· TISTA Science & Technology Corporationa wide-range of services, including Application Engineering, Consulting, Cybersecurity, Data Science, Infrastructure, and Mobility support, in the Health, Defense, and Civilian sectors.

2. What is business sector and how does that effect your security?

· Science and Technology

·

3. How might the organizational structure of your company effect security?

1.3 Networks in TISTA Science & Technology Corporation

[Base the description of your network and the critical information systems you decide to include, on your work in Step 1.] Particularly as they apply to the company’s relational data base management system (RDBMS) here are areas and questions that you might include:

1. Provide network architecture diagrams for the local area network (LAN) and wide area network (WAN) for your company.

2. Indicate the critical information systems in these diagrams and explain their importance.

3. What external systems and users connect to your company?

4. Where is data at rest, in motion and in use?

5. Can you identify important system and network security boundaries and regions?

6. Discuss the security benefits and deficiencies of your chosen network design. (Include tables and diagrams as appropriate) [Your focus should be on the RDBMS and systems, connectivity, auditing, protection, such as encryption and access control, … related to the RDBMS applications]

 

2. Assessment Approach

[You have been asked whether the OPM breach could happen at your company. Describe the approach to your assessment based on the security posture of your company from the above description and the lab testing and comparing that to the threats encountered in the OPM breach.]

2.1 Approach

2.2 Review of the OPM Breach(s)

2.3 Relevance of OPM Breach(s) to [Your Company Name]

2.4 Completed or In Progress Assessments (i.e., simply identify your current and prior lab tests in this and prior classes and any prior SAR completed for this company. Do not include results here.)

2.5 Scope Covered in the Assessment (include why)

3. Assessment Results[footnoteRef:1] [1: For critical system(s), information, networks and interfaces to external systems and users.]

3.1 Insider Threats

 

Threat	Synopsis	Impact[footnoteRef:2] [2: Quantify or provide recent relevant examples or incidents of business, safety, health… impact.]

 

 

3.2 External Threats

 

Threat	Synopsis	Impact2	Impact Level (H,M,L)

 

 

3.3 Vulnerabilities[footnoteRef:3] [3: Include results from all lab testing (e.g., network monitoring and assessment and prior OS assessments and password cracking assessments. Provide details including tools in Synopsis and Lab Reports in Appendices.]

 

Vulnerability	Synopsis	Impact2	Impact Level (H,M,L)

 

 

4. Assessment Results

4.1 Rank Ordered Threats and Vulnerabilities (Most to Least Impact)

 

ID[footnoteRef:4] [4: ID: You may wish to label categories as S=System, N=Network, I=Interface, D=Data or Information and give number in each category (e.g., S1, S2, N1, D1) for unambiguous referencing.]	Impact Level (H,M,L)	Threat or Vulnerability1	Current Security Posture	Deficiencies in Current Posture

 

 

5. Notes and Comments

 

 

 

 

 

______________________________ _________________

Principle Assessor Date

[Enter your name and date as would be done in a real SAR.]

 

SUMMARY OF REFERENCES

Provide your summary list of references using proper APA format. (Remember: You must also use in-line citations with proper APA format throughout the report.)

APPENDICES

 

Place your lab report and screenshots here.

[The lab is to be treated as your specific testing and checking out of your company’s critical information systems and the topics you are writing about. It is not a theoretical exercise. Nor is it independent of and separate from our topic and scenario. Provide screenshots of the tools and results from your lab experiences, as well as answer any lab questions. Many students take the lab directions, eliminate everything but the section headings and questions and in each section write down what was asked for, what the results would show, how they relate to a topic in the main report, enter the screenshots obtained and point to or write out the specific key data result(s) within the screenshot.

 

Your specific insights, comparisons and results from the analysis of the lab data should be identified and used within the report and tables, above.

Note: A great tool for capturing your screenshots from the lab is MS SnipIt which is installed on MS Windows computers.]

 

Page 5 of 6

 

SOLUTION